【免费】keys按键1资源-CSDN文库

需积分: 0 164 浏览量 2022-08-03 23:24:04 上传评论收藏 81KB PDF 举报

【Android 操作系统中的 Kernel Key Retention Service】 Kernel Key Retention Service是Android操作系统中的一个核心组件，它允许在内核中缓存加密密钥、认证令牌、跨域用户映射等敏感信息，以便文件系统和其他内核服务可以方便地访问和使用。这个服务通过结构化的键（keys）来管理和存储这些数据。 ### Keyrings Keyring是一种特殊类型的键，它可以持有到其他键的链接，从而实现键的组合和管理。每个进程都有三个标准的keyring订阅，这使得内核服务能够搜索到与之相关的键。 ### 内核配置要启用Kernel Key Retention Service，需要在内核配置中开启"Security options"/"Enable access key retention support" (CONFIG_KEYS)选项。 ### 权限控制每个键都具有访问控制信息，这决定了哪些进程或服务可以访问它。权限检查通常涉及到键的描述（用于搜索键）、类型、过期时间和状态。 ### SELinux 支持 SELinux（Security-Enhanced Linux）是Android中的强制访问控制机制，它为Kernel Key Retention Service提供了额外的安全层，确保只有授权的上下文才能访问特定的键。 ### 新增的procfs文件新的procfs文件（/proc文件系统）提供了一个接口，使得用户空间程序可以查看和交互内核中的键服务状态和信息。 ### 用户空间系统调用接口用户空间可以通过特定的系统调用与内核进行交互，例如请求或更新键，以及进行权限验证。 ### 内核服务内核服务如文件系统可以注册并使用特定的键类型，并且它们可以设置回调函数来处理键的请求和管理。 ### 访问payload内容 payload是键的一部分，可能包含加密数据或认证令牌等。访问payload内容需要遵循特定的规则和权限。 ### 定义键类型键类型必须在内核中注册，由内核服务定义。一旦类型被移除，所有该类型的键都将失效。 ### 请求-键回调服务当需要创建或查找键时，会触发请求-键回调服务。这个服务会根据键类型和描述找到合适的键，或者在找不到时创建新键。 ### 垃圾收集为了保持内存的有效利用，系统会进行垃圾收集，清理不再使用的键。 Kernel Key Retention Service是Android安全架构的关键部分，它确保了敏感数据的安全存储和访问，同时通过权限控制和访问策略防止未授权的访问。这个服务的高效运行对于保护用户隐私和设备安全至关重要。了解和正确配置Kernel Key Retention Service是Android开发和系统安全管理的重要方面。

资源详情

资源评论

资源推荐

keys.txt

============================

KERNEL KEY RETENTION SERVICE

============================

This service allows cryptographic keys, authentication tokens, cross-domain

user mappings, and similar to be cached in the kernel for the use of

filesystems and other kernel services.

Keyrings are permitted; these are a special type of key that can hold links to

other keys. Processes each have three standard keyring subscriptions that a

kernel service can search for relevant keys.

The key service can be configured on by enabling:

"Security options"/"Enable access key retention support" (CONFIG_KEYS)

This document has the following sections:

- Key overview

- Key service overview

- Key access permissions

- SELinux support

- New procfs files

- Userspace system call interface

- Kernel services

- Notes on accessing payload contents

- Defining a key type

- Request-key callback service

- Garbage collection

============

KEY OVERVIEW

============

In this context, keys represent units of cryptographic data, authentication

tokens, keyrings, etc.. These are represented in the kernel by struct key.

Each key has a number of attributes:

- A serial number.

- A type.

- A description (for matching a key in a search).

- Access control information.

- An expiry time.

- A payload.

- State.

(*) Each key is issued a serial number of type key_serial_t that is unique for

the lifetime of that key. All serial numbers are positive non-zero 32-bit

integers.

Userspace programs can use a key's serial numbers as a way to gain access

to it, subject to permission checking.

第 1 页

keys.txt

(*) Each key is of a defined "type". Types must be registered inside the

kernel by a kernel service (such as a filesystem) before keys of that type

can be added or used. Userspace programs cannot define new types directly.

Key types are represented in the kernel by struct key_type. This defines a

number of operations that can be performed on a key of that type.

Should a type be removed from the system, all the keys of that type will

be invalidated.

(*) Each key has a description. This should be a printable string. The key

type provides an operation to perform a match between the description on a

key and a criterion string.

(*) Each key has an owner user ID, a group ID and a permissions mask. These

are used to control what a process may do to a key from userspace, and

whether a kernel service will be able to find the key.

(*) Each key can be set to expire at a specific time by the key type's

instantiation function. Keys can also be immortal.

(*) Each key can have a payload. This is a quantity of data that represent the

actual "key". In the case of a keyring, this is a list of keys to which

the keyring links; in the case of a user-defined key, it's an arbitrary

blob of data.

Having a payload is not required; and the payload can, in fact, just be a

value stored in the struct key itself.

When a key is instantiated, the key type's instantiation function is

called with a blob of data, and that then creates the key's payload in

some way.

Similarly, when userspace wants to read back the contents of the key, if

permitted, another key type operation will be called to convert the key's

attached payload back into a blob of data.

(*) Each key can be in one of a number of basic states:

(*) Uninstantiated. The key exists, but does not have any data attached.

Keys being requested from userspace will be in this state.

(*) Instantiated. This is the normal state. The key is fully formed, and

has data attached.

(*) Negative. This is a relatively short-lived state. The key acts as a

note saying that a previous call out to userspace failed, and acts as

a throttle on key lookups. A negative key can be updated to a normal

state.

(*) Expired. Keys can have lifetimes set. If their lifetime is exceeded,

they traverse to this state. An expired key can be updated back to a

normal state.

(*) Revoked. A key is put in this state by userspace action. It can't be

found or operated upon (apart from by unlinking it).

第 2 页

keys.txt

(*) Dead. The key's type was unregistered, and so the key is now useless.

Keys in the last three states are subject to garbage collection. See the

section on "Garbage collection".

====================

KEY SERVICE OVERVIEW

====================

The key service provides a number of features besides keys:

(*) The key service defines two special key types:

(+) "keyring"

Keyrings are special keys that contain a list of other keys. Keyring

lists can be modified using various system calls. Keyrings should not

be given a payload when created.

(+) "user"

A key of this type has a description and a payload that are arbitrary

blobs of data. These can be created, updated and read by userspace,

and aren't intended for use by kernel services.

(*) Each process subscribes to three keyrings: a thread-specific keyring, a

process-specific keyring, and a session-specific keyring.

The thread-specific keyring is discarded from the child when any sort of

clone, fork, vfork or execve occurs. A new keyring is created only when

required.

The process-specific keyring is replaced with an empty one in the child on

clone, fork, vfork unless CLONE_THREAD is supplied, in which case it is

shared. execve also discards the process's process keyring and creates a

new one.

The session-specific keyring is persistent across clone, fork, vfork and

execve, even when the latter executes a set-UID or set-GID binary. A

process can, however, replace its current session keyring with a new one

by using PR_JOIN_SESSION_KEYRING. It is permitted to request an anonymous

new one, or to attempt to create or join one of a specific name.

The ownership of the thread keyring changes when the real UID and GID of

the thread changes.

(*) Each user ID resident in the system holds two special keyrings: a user

specific keyring and a default user session keyring. The default session

keyring is initialised with a link to the user-specific keyring.

When a process changes its real UID, if it used to have no session key, it

will be subscribed to the default session key for the new UID.

If a process attempts to access its session key when it doesn't have one,

第 3 页

keys.txt

(*) Link

This permits a key or keyring to be linked to. To create a link from a

keyring to a key, a process must have Write permission on the keyring and

Link permission on the key.

(*) Set Attribute

This permits a key's UID, GID and permissions mask to be changed.

For changing the ownership, group ID or permissions mask, being the owner of

the key or having the sysadmin capability is sufficient.

===============

SELINUX SUPPORT

===============

The security class "key" has been added to SELinux so that mandatory access

controls can be applied to keys created within various contexts. This support

is preliminary, and is likely to change quite significantly in the near future.

Currently, all of the basic permissions explained above are provided in SELinux

as well; SELinux is simply invoked after all basic permission checks have been

performed.

The value of the file /proc/self/attr/keycreate influences the labeling of

newly-created keys. If the contents of that file correspond to an SELinux

security context, then the key will be assigned that context. Otherwise, the

key will be assigned the current context of the task that invoked the key

creation request. Tasks must be granted explicit permission to assign a

particular context to newly-created keys, using the "create" permission in the

key security class.

The default keyrings associated with users will be labeled with the default

context of the user if and only if the login programs have been instrumented to

properly initialize keycreate during the login process. Otherwise, they will

be labeled with the context of the login program itself.

Note, however, that the default keyrings associated with the root user are

labeled with the default kernel context, since they are created early in the

boot process, before root has a chance to log in.

The keyrings associated with new threads are each labeled with the context of

their associated thread, and both session and process keyrings are handled

similarly.

================

NEW PROCFS FILES

================

Two files have been added to procfs by which an administrator can find out

about the status of the key service:

(*) /proc/keys

第 5 页

剩余22页未读，继续阅读

评论收藏

内容反馈

WaiyuetFung

粉丝: 906
资源: 316

keys按键1

评论0

最新资源

keys按键1

评论0

VB SendKeys语句详解

Simulation_模拟键盘_WPF模拟按键操作_sendkeys_按键组合_

unity模拟键盘按键输入

GPIO_KEY.rar_GPIO_GPIO key是什么_dsp的按键led_gpio_keys_按键

AutoKey_自动模拟按键

33 用计数器中断实现100以内的按键计数_51单片机_TheKeys_

Shortkeys_2.2.7.zip

phone_keys_model.rar_phone_proteus_手机按键_手机按键仿真

ADC_key.tar.gz_ADC 按键_linux adc keys

SendKeys-0.3_py27.exe

五向按键_keil_key_ThisIsIt_五向按键接口_stm32f4_

c# 钩子连发 按键事件 发送按键

Qml全局按键QmlKey.7z

VC 键盘HOOK，监测按键是否按下.rar

C#如何在后台捕捉按键

Comfort Keys Pro v7.0中文版(附注册码).rar

XsendKeys 重复按键工具

iron-a11y-keys-behavior:一种行为，可以使按键绑定获得更大的效果

Windows 快捷键管理工具 Comfort Keys Pro 7.4.1.0 中文多语免费版.zip

3568 Android 11 GMS包

适用于某音27.8版本64位的libsscronet.so

Xvideos.apk

AndroidStudio登录注册(Sqlite)

VisualGDB 5.6 R9//支持VS2008-VS2022

Android Studio 3.5下载安装包

最近很火植物大战僵尸杂交版2.08苹果+安卓+PC+防闪退工具V2+修改工具+高清工具+通关存档整合包更新

安卓期末大作业（AndroidStudio开发），垃圾分类助手app，分为前台后台，代码有注释，均能正常运行

安卓手表ADB实用工具箱

RE浏览器 RootExplorer.apk

最新资源

c# 钩子连发按键事件发送按键