keys按键1

preview
试读
23页
android
需积分: 0 0 下载量 180 浏览量 更新于2022-08-03 收藏 81KB PDF 举报
【Android 操作系统中的 Kernel Key Retention Service】 Kernel Key Retention Service是Android操作系统中的一个核心组件,它允许在内核中缓存加密密钥、认证令牌、跨域用户映射等敏感信息,以便文件系统和其他内核服务可以方便地访问和使用。这个服务通过结构化的键(keys)来管理和存储这些数据。 ### Keyrings Keyring是一种特殊类型的键,它可以持有到其他键的链接,从而实现键的组合和管理。每个进程都有三个标准的keyring订阅,这使得内核服务能够搜索到与之相关的键。 ### 内核配置 要启用Kernel Key Retention Service,需要在内核配置中开启"Security options"/"Enable access key retention support" (CONFIG_KEYS)选项。 ### 权限控制 每个键都具有访问控制信息,这决定了哪些进程或服务可以访问它。权限检查通常涉及到键的描述(用于搜索键)、类型、过期时间和状态。 ### SELinux 支持 SELinux(Security-Enhanced Linux)是Android中的强制访问控制机制,它为Kernel Key Retention Service提供了额外的安全层,确保只有授权的上下文才能访问特定的键。 ### 新增的procfs文件 新的procfs文件(/proc文件系统)提供了一个接口,使得用户空间程序可以查看和交互内核中的键服务状态和信息。 ### 用户空间系统调用接口 用户空间可以通过特定的系统调用与内核进行交互,例如请求或更新键,以及进行权限验证。 ### 内核服务 内核服务如文件系统可以注册并使用特定的键类型,并且它们可以设置回调函数来处理键的请求和管理。 ### 访问payload内容 payload是键的一部分,可能包含加密数据或认证令牌等。访问payload内容需要遵循特定的规则和权限。 ### 定义键类型 键类型必须在内核中注册,由内核服务定义。一旦类型被移除,所有该类型的键都将失效。 ### 请求-键回调服务 当需要创建或查找键时,会触发请求-键回调服务。这个服务会根据键类型和描述找到合适的键,或者在找不到时创建新键。 ### 垃圾收集 为了保持内存的有效利用,系统会进行垃圾收集,清理不再使用的键。 Kernel Key Retention Service是Android安全架构的关键部分,它确保了敏感数据的安全存储和访问,同时通过权限控制和访问策略防止未授权的访问。这个服务的高效运行对于保护用户隐私和设备安全至关重要。了解和正确配置Kernel Key Retention Service是Android开发和系统安全管理的重要方面。
keys.txt
============================
KERNEL KEY RETENTION SERVICE
============================
This service allows cryptographic keys, authentication tokens, cross-domain
user mappings, and similar to be cached in the kernel for the use of
filesystems and other kernel services.
Keyrings are permitted; these are a special type of key that can hold links to
other keys. Processes each have three standard keyring subscriptions that a
kernel service can search for relevant keys.
The key service can be configured on by enabling:
"Security options"/"Enable access key retention support" (CONFIG_KEYS)
This document has the following sections:
- Key overview
- Key service overview
- Key access permissions
- SELinux support
- New procfs files
- Userspace system call interface
- Kernel services
- Notes on accessing payload contents
- Defining a key type
- Request-key callback service
- Garbage collection
============
KEY OVERVIEW
============
In this context, keys represent units of cryptographic data, authentication
tokens, keyrings, etc.. These are represented in the kernel by struct key.
Each key has a number of attributes:
- A serial number.
- A type.
- A description (for matching a key in a search).
- Access control information.
- An expiry time.
- A payload.
- State.
(*) Each key is issued a serial number of type key_serial_t that is unique for
the lifetime of that key. All serial numbers are positive non-zero 32-bit
integers.
Userspace programs can use a key's serial numbers as a way to gain access
to it, subject to permission checking.
1
keys.txt
(*) Each key is of a defined "type". Types must be registered inside the
kernel by a kernel service (such as a filesystem) before keys of that type
can be added or used. Userspace programs cannot define new types directly.
Key types are represented in the kernel by struct key_type. This defines a
number of operations that can be performed on a key of that type.
Should a type be removed from the system, all the keys of that type will
be invalidated.
(*) Each key has a description. This should be a printable string. The key
type provides an operation to perform a match between the description on a
key and a criterion string.
(*) Each key has an owner user ID, a group ID and a permissions mask. These
are used to control what a process may do to a key from userspace, and
whether a kernel service will be able to find the key.
(*) Each key can be set to expire at a specific time by the key type's
instantiation function. Keys can also be immortal.
(*) Each key can have a payload. This is a quantity of data that represent the
actual "key". In the case of a keyring, this is a list of keys to which
the keyring links; in the case of a user-defined key, it's an arbitrary
blob of data.
Having a payload is not required; and the payload can, in fact, just be a
value stored in the struct key itself.
When a key is instantiated, the key type's instantiation function is
called with a blob of data, and that then creates the key's payload in
some way.
Similarly, when userspace wants to read back the contents of the key, if
permitted, another key type operation will be called to convert the key's
attached payload back into a blob of data.
(*) Each key can be in one of a number of basic states:
(*) Uninstantiated. The key exists, but does not have any data attached.
Keys being requested from userspace will be in this state.
(*) Instantiated. This is the normal state. The key is fully formed, and
has data attached.
(*) Negative. This is a relatively short-lived state. The key acts as a
note saying that a previous call out to userspace failed, and acts as
a throttle on key lookups. A negative key can be updated to a normal
state.
(*) Expired. Keys can have lifetimes set. If their lifetime is exceeded,
they traverse to this state. An expired key can be updated back to a
normal state.
(*) Revoked. A key is put in this state by userspace action. It can't be
found or operated upon (apart from by unlinking it).
2
keys.txt
(*) Dead. The key's type was unregistered, and so the key is now useless.
Keys in the last three states are subject to garbage collection. See the
section on "Garbage collection".
====================
KEY SERVICE OVERVIEW
====================
The key service provides a number of features besides keys:
(*) The key service defines two special key types:
(+) "keyring"
Keyrings are special keys that contain a list of other keys. Keyring
lists can be modified using various system calls. Keyrings should not
be given a payload when created.
(+) "user"
A key of this type has a description and a payload that are arbitrary
blobs of data. These can be created, updated and read by userspace,
and aren't intended for use by kernel services.
(*) Each process subscribes to three keyrings: a thread-specific keyring, a
process-specific keyring, and a session-specific keyring.
The thread-specific keyring is discarded from the child when any sort of
clone, fork, vfork or execve occurs. A new keyring is created only when
required.
The process-specific keyring is replaced with an empty one in the child on
clone, fork, vfork unless CLONE_THREAD is supplied, in which case it is
shared. execve also discards the process's process keyring and creates a
new one.
The session-specific keyring is persistent across clone, fork, vfork and
execve, even when the latter executes a set-UID or set-GID binary. A
process can, however, replace its current session keyring with a new one
by using PR_JOIN_SESSION_KEYRING. It is permitted to request an anonymous
new one, or to attempt to create or join one of a specific name.
The ownership of the thread keyring changes when the real UID and GID of
the thread changes.
(*) Each user ID resident in the system holds two special keyrings: a user
specific keyring and a default user session keyring. The default session
keyring is initialised with a link to the user-specific keyring.
When a process changes its real UID, if it used to have no session key, it
will be subscribed to the default session key for the new UID.
If a process attempts to access its session key when it doesn't have one,
3
keys.txt
it will be subscribed to the default for its current UID.
(*) Each user has two quotas against which the keys they own are tracked. One
limits the total number of keys and keyrings, the other limits the total
amount of description and payload space that can be consumed.
The user can view information on this and other statistics through procfs
files. The root user may also alter the quota limits through sysctl files
(see the section "New procfs files").
Process-specific and thread-specific keyrings are not counted towards a
user's quota.
If a system call that modifies a key or keyring in some way would put the
user over quota, the operation is refused and error EDQUOT is returned.
(*) There's a system call interface by which userspace programs can create and
manipulate keys and keyrings.
(*) There's a kernel interface by which services can register types and search
for keys.
(*) There's a way for the a search done from the kernel to call back to
userspace to request a key that can't be found in a process's keyrings.
(*) An optional filesystem is available through which the key database can be
viewed and manipulated.
======================
KEY ACCESS PERMISSIONS
======================
Keys have an owner user ID, a group access ID, and a permissions mask. The mask
has up to eight bits each for possessor, user, group and other access. Only
six of each set of eight bits are defined. These permissions granted are:
(*) View
This permits a key or keyring's attributes to be viewed - including key
type and description.
(*) Read
This permits a key's payload to be viewed or a keyring's list of linked
keys.
(*) Write
This permits a key's payload to be instantiated or updated, or it allows a
link to be added to or removed from a keyring.
(*) Search
This permits keyrings to be searched and keys to be found. Searches can
only recurse into nested keyrings that have search permission set.
4
keys.txt
(*) Link
This permits a key or keyring to be linked to. To create a link from a
keyring to a key, a process must have Write permission on the keyring and
Link permission on the key.
(*) Set Attribute
This permits a key's UID, GID and permissions mask to be changed.
For changing the ownership, group ID or permissions mask, being the owner of
the key or having the sysadmin capability is sufficient.
===============
SELINUX SUPPORT
===============
The security class "key" has been added to SELinux so that mandatory access
controls can be applied to keys created within various contexts. This support
is preliminary, and is likely to change quite significantly in the near future.
Currently, all of the basic permissions explained above are provided in SELinux
as well; SELinux is simply invoked after all basic permission checks have been
performed.
The value of the file /proc/self/attr/keycreate influences the labeling of
newly-created keys. If the contents of that file correspond to an SELinux
security context, then the key will be assigned that context. Otherwise, the
key will be assigned the current context of the task that invoked the key
creation request. Tasks must be granted explicit permission to assign a
particular context to newly-created keys, using the "create" permission in the
key security class.
The default keyrings associated with users will be labeled with the default
context of the user if and only if the login programs have been instrumented to
properly initialize keycreate during the login process. Otherwise, they will
be labeled with the context of the login program itself.
Note, however, that the default keyrings associated with the root user are
labeled with the default kernel context, since they are created early in the
boot process, before root has a chance to log in.
The keyrings associated with new threads are each labeled with the context of
their associated thread, and both session and process keyrings are handled
similarly.
================
NEW PROCFS FILES
================
Two files have been added to procfs by which an administrator can find out
about the status of the key service:
(*) /proc/keys
5

剩余22页未读,继续阅读

资源推荐
资源评论
WaiyuetFung
  • 粉丝: 934
  • 资源: 316
上传资源 快速赚钱
voice
center-task 前往需求广场,查看用户热搜

最新资源