/usr/sbin/security-switch --set custom --list exectl
这是安全中心的程序 /usr/sbin/ksc-defender
kysec_get /home/myb/ls
kysec 把文件的安全标记保存在文件系统的 xattr 扩展属性中(SELinux 的标记信息也是维护在 xattr 里),然后在 ACL 判断时取出该属性进行判断。下面 strace 输出中的 lgetxattr 调用读取的属性名就是 security.kysec。
root@myb-kylinV10:/home/myb# strace kysec_get /home/myb/ls
execve("/usr/sbin/kysec_get", ["kysec_get", "/home/myb/ls"], [/* 24 vars */]) = 0
brk(NULL) = 0x1f3a000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=108151, ...}) = 0
mmap(NULL, 108151, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f603a03a000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\25\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18704, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a039000
mmap(NULL, 2115416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039c2b000
mprotect(0x7f6039c2f000, 2093056, PROT_NONE) = 0
mmap(0x7f6039e2e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6039e2e000
close(3) = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec_core.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=10288, ...}) = 0
mmap(NULL, 2105560, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039a28000
mprotect(0x7f6039a2a000, 2093056, PROT_NONE) = 0
mmap(0x7f6039c29000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f6039c29000
close(3) = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f603965e000
mprotect(0x7f603981e000, 2097152, PROT_NONE) = 0
mmap(0x7f6039a1e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7f6039a1e000
mmap(0x7f6039a24000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6039a24000
close(3) = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libkysec_log.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\17\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=10472, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a038000
mmap(NULL, 2105744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f603945b000
mprotect(0x7f603945d000, 2093056, PROT_NONE) = 0
mmap(0x7f603965c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f603965c000
close(3) = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libsecurity.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\10\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=6072, ...}) = 0
mmap(NULL, 2101344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039259000
mprotect(0x7f603925a000, 2093056, PROT_NONE) = 0
mmap(0x7f6039459000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x7f6039459000
close(3) = 0
open("/dev/cur_gl", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\20\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18672, ...}) = 0
mmap(NULL, 2113744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6039054000
mprotect(0x7f6039058000, 2093056, PROT_NONE) = 0
mmap(0x7f6039257000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6039257000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a037000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a036000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f603a035000
arch_prctl(ARCH_SET_FS, 0x7f603a036700) = 0
mprotect(0x7f6039a1e000, 16384, PROT_READ) = 0
mprotect(0x7f6039257000, 4096, PROT_READ) = 0
mprotect(0x7f6039459000, 4096, PROT_READ) = 0
mprotect(0x7f603965c000, 4096, PROT_READ) = 0
mprotect(0x7f6039c29000, 4096, PROT_READ) = 0
mprotect(0x7f6039e2e000, 4096, PROT_READ) = 0
mprotect(0x601000, 4096, PROT_READ) = 0
mprotect(0x7f603a055000, 4096, PROT_READ) = 0
munmap(0x7f603a03a000, 108151) = 0
brk(NULL) = 0x1f3a000
brk(0x1f5b000) = 0x1f5b000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=7675968, ...}) = 0
mmap(NULL, 7675968, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6038901000
close(3) = 0
open("/sys/kernel/security/kysec/status", O_RDONLY) = 3
read(3, "2", 8) = 1
close(3) = 0
lstat("/home/myb/ls", {st_mode=S_IFREG|0777, st_size=126456, ...}) = 0
open("/sys/kernel/security/kysec/status", O_RDONLY) = 3
read(3, "2", 8) = 1
close(3) = 0
lgetxattr("/home/myb/ls", "security.kysec", "none:none:verified", 255) = 18
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 3), ...}) = 0
write(1, "/home/myb/ls: none:none:verified"..., 33/home/myb/ls: none:none:verified
) = 33
exit_group(0) = ?
+++ exited with 0 +++
root@myb-kylinV10:/home/myb#
kysec_set -n exectl -v unknown /home/myb/ls
kysec_set [-r] -n exectl/protect/userid -v 标记符号 file
-n identify:protect:exectl
-v \
for identify part, these values are valid:
secadm commands for secadm
audadm commands for auditadm
for exectl part, these values are valid:
unknown unknown files
original original system files
verified verified 3rd party files
kysoft software installer
trusted trusted files
for protect part, only readonly is valid
实际是查找可执行文件,然后设置标记,对应程序是 /usr/sbin/kysec-daemon
1、临时关闭麒麟安全机制:在 grub 引导阶段修改启动项中的内核参数(只对本次启动有效),将 "security=kysec" 修改为 "security=",即将安全配置选项置空。
在终端执行命令, 修改 grub 默认配置文件, 永久关闭麒麟安全机制:
$ vim /etc/default/grub
将 GRUB_CMDLINE_LINUX_SECURITY="" 修改为 GRUB_CMDLINE_LINUX_SECURITY="security= "(配置文件中须使用英文半角双引号,不能使用中文引号)
更新 grub 选项:
$ update-grub
重启系统后生效。如需恢复麒麟安全机制,将 GRUB_CMDLINE_LINUX_SECURITY 改回原值,再次执行 update-grub 并重启。