keyctl我在理解如何运作,特别是功能方面有点困难request2。据我了解,request2将尝试搜索给定的字符串,如果找到则返回它。如果未找到,则调用应用程序,该应用程序将执行和/sbin/request-key描述的操作(如果适用)。/etc/request-key.d/*/etc/request-key.conf
然而,在测试过程中我遇到了一些问题。
[user@localhost ~]$ cat /etc/request-key.conf
###############################################################################
#
# Copyright (C) 2005 Red Hat, Inc. All Rights Reserved.
...snip...
###############################################################################
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create dns_resolver * * /sbin/key.dns_resolver %k
create user debug:* negate /bin/keyctl negate %k 30 %S
create user debug:* rejected /bin/keyctl reject %k 30 %c %S
create user debug:* expired /bin/keyctl reject %k 30 %c %S
create user debug:* revoked /bin/keyctl reject %k 30 %c %S
create user debug:loop:* * |/bin/cat
create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate * * * /bin/keyctl negate %k 30 %S
[user@localhost ~]$
创建一个调试循环,它将创建一个真正的密钥,keyctl print并生成正确的输出。
[user@localhost ~]$ keyctl request2 user debug:loop:test "loop test"
181348864
[user@localhost ~]$ keyctl show
Session Keyring
141395006 --alswrv 1000 1000 keyring: _ses
521399390 --alswrv 1000 65534 \_ keyring: _uid.1000
181348864 --alswrv 1000 1000 \_ user: debug:loop:test
691271691 --alswrv 1000 1000 \_ user: debug:test
[user@localhost ~]$ keyctl print 181348864
loop test
[user@localhost ~]$
创建另一个密钥,它将为每个创建一个调试条目request-key.conf。keyctl print正确打印密钥。
[user@localhost ~]$ keyctl request2 user debug:se-test "hello hello"
1061018025
[user@localhost ~]$ keyctl show
Session Keyring
141395006 --alswrv 1000 1000 keyring: _ses
521399390 --alswrv 1000 65534 \_ keyring: _uid.1000
1061018025 --alswrv 1000 1000 \_ user: debug:se-test
181348864 --alswrv 1000 1000 \_ user: debug:loop:test
691271691 --alswrv 1000 1000 \_ user: debug:test
[user@localhost ~]$
[user@localhost ~]$ keyctl print 1061018025
Debug hello hello
[user@localhost ~]$
创建一个不匹配任何其他规则的密钥,应创建一个负密钥。keyctl print触发 VMWare 中禁用的 CPU 强制重置。
[user@localhost ~]$ keyctl request2 user se:test "blah"
request_key: Required key not available
[user@localhost ~]$ keyctl show
Session Keyring
141395006 --alswrv 1000 1000 keyring: _ses
521399390 --alswrv 1000 65534 \_ keyring: _uid.1000
65104736 --alswrv 1000 1000 \_ user: se:test
1061018025 --alswrv 1000 1000 \_ user: debug:se-test
181348864 --alswrv 1000 1000 \_ user: debug:loop:test
691271691 --alswrv 1000 1000 \_ user: debug:test
[user@localhost ~]$ keyctl desc 65104736
65104736: alswrv-----v------------ 1000 1000 user: se:test
[user@localhost ~]$
[user@localhost ~]$ keyctl print 65104736
创建负调试密钥,keyctl print触发方式与上面相同。
[user@localhost ~]$ keyctl request2 user debug:negatetest negate
request_key: Required key not available
[user@localhost ~]$ keyctl show
Session Keyring
1018725144 --alswrv 1000 1000 keyring: _ses
478030378 --alswrv 1000 65534 \_ keyring: _uid.1000
799585275 --alswrv 1000 1000 \_ user: debug:negatetest
[user@localhost ~]$
[user@localhost ~]$ keyctl desc 799585275
799585275: alswrv-----v------------ 1000 1000 user: debug:negatetest
[user@localhost ~]$ keyctl print 799585275
在尝试读取(应该是)负密钥时,操作系统会自发关闭。
据我了解,负键无法读取,但是,立即关闭操作系统电源是预期的结果吗?
我得到的具体错误如下:
CPU 已被客户操作系统禁用。关闭或重置虚拟机。
request-key.conf我已经浏览了、keyctl(1)和的文档keyctl(2),但找不到任何东西。如果我错过了什么,请随时指出我相关的部分并 RTFM 我。
谢谢!