CN109684824B - Process permission configuration method and device - Google Patents
Process permission configuration method and device Download PDFInfo
- Publication number
- CN109684824B CN109684824B CN201811619949.4A CN201811619949A CN109684824B CN 109684824 B CN109684824 B CN 109684824B CN 201811619949 A CN201811619949 A CN 201811619949A CN 109684824 B CN109684824 B CN 109684824B
- Authority
- CN
- China
- Prior art keywords
- authority
- application
- resource manager
- acquiring
- parent
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 455
- 230000006870 function Effects 0.000 description 37
- 238000004590 computer program Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Stored Programmes (AREA)
Abstract
The invention discloses a process permission configuration method and device, relates to the technical field of information, and avoids safety threat on an intelligent terminal used by a user after a newly created child process inherits the high permission of a parent process due to the fact that the child process inherits the high permission of the parent process, so that the safety of the intelligent terminal is ensured. The method comprises the following steps: firstly, when a child process needs to be created, judging whether an application with lower authority than a parent process exists in a currently running application process; if so, acquiring the authority of the application process; and finally, configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process. The method and the device are suitable for configuring the process permission.
Description
The application is a divisional application based on a parent project process permission configuration method and device, wherein the application date of the parent project process permission configuration method and device is 2014, 12 and 29, the application number is 201410838120.9, and the publication number is CN 105809026A.
Technical Field
The present invention relates to the field of information technologies, and in particular, to a method and an apparatus for configuring process permissions.
Background
With the development of information technology, the functions of the intelligent terminal are more and more powerful. In order to ensure the safety of the intelligent terminal, the operating system has strict requirements on the authority of the application process, and particularly, the authority of the application process of a third party needs to be strictly controlled.
At present, when creating a child process according to an existing process creation manner, a Windows Application Programming Interface (Windows API) function is usually directly called to create the child process, and the created child process inherits a process permission of a parent process. However, when the parent process has a higher authority, the newly created child process also has a high authority, and for the newly created child process being the process of the uncontrollable third-party application program, the authority of the process of the third-party application program inherits the high authority of the parent process, so that the intelligent terminal used by the user has potential safety hazard.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for configuring process permissions, and mainly aims to prevent a newly created child process from inheriting a high permission of a parent process, so as to ensure security of an intelligent terminal used by a user.
According to an aspect of the present invention, there is provided a method for configuring a right of a process, including:
when a child process needs to be created, judging whether an application with lower authority than that of a parent process exists in a currently running application process;
if so, acquiring the authority of the application process;
and configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process.
According to another aspect of the present invention, there is also provided a device for configuring permissions of a process, including:
the judging unit is used for judging whether an application with lower authority than that of the parent process exists in the currently running application process when the child process needs to be established;
the acquiring unit is used for acquiring the authority of the application process if the application with the authority lower than that of the parent process exists;
and the configuration unit is used for configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process.
By the technical scheme, the technical scheme provided by the embodiment of the invention at least has the following advantages:
the embodiment of the invention provides a method and a device for configuring process permission, which comprises the steps of firstly, judging whether an application with the permission lower than that of a parent process exists in a currently running application process when a child process needs to be created; if so, acquiring the authority of the application process; and finally, configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process. Compared with the prior art that the permission configuration of the process is carried out by directly calling the Windows API function, the embodiment of the invention configures the acquired application process permission lower than the parent process as the permission of the child process, thereby avoiding the safety threat to the intelligent terminal used by the user after the newly created child process inherits the high permission of the parent process, and further ensuring the safety of the operating system.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 illustrates a method for configuring rights of a process according to an embodiment of the present invention;
fig. 2 illustrates a method for configuring rights of another process according to an embodiment of the present invention;
fig. 3 illustrates a permission configuration apparatus for a process according to an embodiment of the present invention;
fig. 4 shows a device for configuring rights of another process according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a method for configuring a process permission, and as shown in fig. 1, the method includes:
101. when a child process needs to be created, whether an application with lower authority than that of a parent process exists in the currently running application process is judged.
The authority of the application process can be generally divided into a high authority, a medium authority and a low authority. The high authority is a management authority, and the process with the high authority can install the file into a 'Program Files' (folders) and write the file into a sensitive registry region; the middle authority is the user authority, and the process with the middle authority can create and modify files in a 'document' folder of the user and write the files into a registry area specified by the user; the low rights are untrusted rights. For example, if the authority of the parent process is high, it is determined whether an application with the authority of medium or low exists in the currently running application process.
102. And if so, acquiring the authority of the application process.
For example, if the authority of the parent process is a high authority, the application process with the authority of a middle authority or a low authority in the currently running application is acquired.
103. And configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process.
For the embodiment of the invention, the permission of the child process is configured to the permission of the application process with the permission level lower than the parent permission, rather than directly using the permission of the parent process, so that the safety threat to the intelligent terminal used by a user can be avoided after the newly created child process inherits the high permission of the parent process, which is caused by the fact that the child process inherits the high permission of the parent process, and the safety of the intelligent terminal is ensured.
The method for configuring the authority of the process comprises the steps of firstly, judging whether an application with the authority lower than that of a parent process exists in a currently running application process when a child process needs to be created; if so, acquiring the authority of the application process; and finally, configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process. Compared with the prior art that the permission configuration of the process is carried out by directly calling the Windows API function, the embodiment of the invention configures the acquired application process permission lower than the parent process as the permission of the child process, thereby avoiding the safety threat to the intelligent terminal used by the user after the newly created child process inherits the high permission of the parent process, and further ensuring the safety of the intelligent terminal.
Further, an embodiment of the present invention provides another method for configuring a right of a process, as shown in fig. 2, where the method includes:
201. and judging whether the operating system environment created by the current sub-process meets the preset conditions.
The operating system environment meeting the preset conditions can be an operating system of a version behind a microsoft Windows Vista operating system, such as a Windows7 operating system, a Windows8 operating system and the like, the management of the process and the control of the process permission of the operating systems of the versions are stricter than those of the operating system of the version before the Windows Vista, and the permission level of the process is definitely divided, so that the feasibility of the permission configuration method of the process provided by the embodiment of the invention is ensured.
202. If the operating system environment for creating the child process currently meets the preset conditions, when the child process needs to be created, whether an application with lower authority than that of the parent process exists in the currently running application process is judged.
The authority of the application process can be generally divided into a high authority, a medium authority and a low authority. The high authority is a management authority, and the process with the high authority can install the file into a 'Program Files' (folders) and write the file into a sensitive registry region; the middle authority is the user authority, and the process with the middle authority can create and modify files in a 'document' folder of the user and write the files into a registry area specified by the user; the low rights are untrusted rights. For example, if the authority of the parent process is high, it is determined whether an application with the authority of medium or low exists in the currently running application process.
For the embodiment of the present invention, step 202 may specifically include: and when a child process needs to be created, judging whether the authority of the resource manager process is lower than that of the parent process. Because the authority of the parent process is usually high authority and the resource manager is an application running in real time, the authority of the resource manager process is directly judged whether to be lower than the authority of the parent process, and the authority configuration efficiency of the process can be further improved.
203. And if so, acquiring the authority of the application process.
For the embodiment of the present invention, step 203 may specifically include: and if so, acquiring the process Token information of the application, and then acquiring the authority of the application process according to the process Token information of the application. The process Token information is used for identifying the privilege owned by the process, and the privilege owned by the process can reflect the authority of the process.
Further, if the application is in the process Token information, acquiring the process Token information of the application may specifically be: if the authority of the resource manager is lower than the authority of the parent process, acquiring process Token information of the resource manager; according to the process Token information of the application, the acquiring the authority of the application process may specifically be: and acquiring the authority of the process of the resource manager according to the process Token information of the resource manager.
For the embodiment of the present invention, if the permission is lower than the parent process, the acquiring of the process Token information of the resource manager may specifically be: and if the authority of the resource manager is lower than the authority of the parent process, acquiring process Token information of the resource manager by calling a first preset interface function. The first preset interface function may be a copy resource manager token DuplicateExplorerToken function. According to the process Token information of the resource manager, the acquiring of the authority of the process of the resource manager may specifically be: and acquiring the process permission of the resource manager by calling a second preset interface function according to the process Token information of the resource manager. The second preset interface function may be a gettokenintegrantlevel function for obtaining the integrity level of the token.
The duplicateexpresstoken function and the gettokeneegmentlevel function are sub-functions included in the function lowcreatepprocesses created by the embodiment of the present invention, and the parameter format of the function lowcreatepprocesses is set to be consistent with the parameter format of the standard Windows API function createpprocesses, so that the sub-function duplicateexpresstoken and the gettokeneegmentlevel function of the function lowcreatepprocesses can meet the parameter format requirement of the standard Windows API function, and thus, the permission configuration problem of the sub-process can be solved only by directly changing the createpprocesses to lowcreatepprocesses when necessary, and the permission configuration method of the process provided by the embodiment of the present invention can be ensured to have good compatibility and realizability with the existing operating system.
204. And configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process.
For the embodiment of the invention, the permission of the child process is configured to the permission of the application process with the permission level lower than the parent permission, rather than directly using the permission of the parent process, so that the safety threat to the intelligent terminal used by a user can be avoided after the newly created child process inherits the high permission of the parent process, which is caused by the fact that the child process inherits the high permission of the parent process, and the safety of the intelligent terminal is ensured.
According to the other process permission configuration method provided by the embodiment of the invention, firstly, when a child process needs to be created, whether an application with permission lower than that of a parent process exists in a currently running application process is judged; if so, acquiring the authority of the application process; and finally, configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process. Compared with the prior art that the permission configuration of the process is carried out by directly calling the Windows API function, the embodiment of the invention configures the acquired application process permission lower than the parent process as the permission of the child process, thereby avoiding the safety threat to the intelligent terminal used by the user after the newly created child process inherits the high permission of the parent process, and further ensuring the safety of the intelligent terminal.
As a specific implementation of the method shown in fig. 1 in the embodiment of the present invention, an embodiment of the present invention provides a device for configuring a right of a process, and as shown in fig. 3, the device may include: a judging unit 31, an acquiring unit 32 and a configuring unit 33.
The judging unit 31 is configured to, when a child process needs to be created, judge whether an application with lower authority than that of a parent process exists in the currently running application process.
An obtaining unit 32, configured to obtain the authority of the application process if there is an application whose authority is lower than that of the parent process.
A configuring unit 33, configured to configure, in the process that the parent process creates the child process, the authority of the child process as the authority of the application process acquired by the acquiring unit 32.
It should be noted that other corresponding descriptions of the functional units related to the apparatus for configuring a right of a process according to the embodiment of the present invention may refer to the corresponding descriptions in the method shown in fig. 1, and are not described herein again.
According to the permission configuration device of the process, provided by the embodiment of the invention, firstly, when a child process needs to be created, whether an application with lower permission than a parent process exists in a currently running application process is judged; if so, acquiring the authority of the application process; and finally, configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process. Compared with the prior art that the permission configuration of the process is carried out by directly calling the Windows API function, the embodiment of the invention configures the acquired application process permission lower than the parent process as the permission of the child process, thereby avoiding the safety threat to the intelligent terminal used by the user after the newly created child process inherits the high permission of the parent process, and further ensuring the safety of the intelligent terminal.
Further, as a specific implementation of the method shown in fig. 2 in the embodiment of the present invention, an embodiment of the present invention provides another apparatus for configuring a right of a process, and as shown in fig. 4, the apparatus may include: a judging unit 41, an acquiring unit 42 and a configuring unit 43.
A judging unit 41, configured to, when a child process needs to be created, judge whether an application with lower authority than that of a parent process exists in the currently running application process.
An obtaining unit 42, configured to obtain the authority of the application process if there is an application whose authority is lower than that of the parent process.
A configuring unit 43, configured to configure the authority of the child process as the authority of the application process acquired by the acquiring unit 42 in the process that the parent process creates the child process.
The acquisition unit 42 includes:
a first obtaining module 4201, configured to obtain process Token information of an application if the application has a lower authority than that of a parent process;
the second obtaining module 4202 is configured to obtain the authority of the application process according to the process Token information of the application obtained by the first obtaining module 4201.
The determining unit 41 is specifically configured to determine, when a process needs to be created, whether the authority of the resource manager process is lower than the authority of the parent process.
The first obtaining module 4201 is specifically configured to obtain the process Token information of the resource manager if the authority of the resource manager is lower than the authority of the parent process.
The second obtaining module 4202 is specifically configured to obtain the authority of the process of the resource manager according to the Token information of the process of the resource manager obtained by the first obtaining module 4201.
The first obtaining module 4201 is further configured to obtain, by calling a first preset interface function, process Token information of the resource manager;
the second obtaining module 4202 is further specifically configured to obtain the authority of the resource manager process by calling a second preset interface function according to the Token information of the resource manager process obtained by the first obtaining module 4201.
For the embodiment of the present invention, the parameter formats of the first preset interface function and the second preset interface function are the same as the parameter format in the Windows API interface function.
The judging unit 41 is further configured to judge whether the operating system environment currently created by the sub-process meets a preset condition.
It should be noted that other corresponding descriptions of the functional units related to the other permission configuration apparatus for process provided in the embodiment of the present invention may refer to the corresponding descriptions in the method shown in fig. 2, and are not described herein again.
According to the permission configuration device of the process, provided by the embodiment of the invention, firstly, when a child process needs to be created, whether an application with lower permission than a parent process exists in a currently running application process is judged; if so, acquiring the authority of the application process; and finally, configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process. Compared with the prior art that the permission configuration of the process is carried out by directly calling the Windows API function, the embodiment of the invention configures the acquired application process permission lower than the parent process as the permission of the child process, thereby avoiding the safety threat to the intelligent terminal used by the user after the newly created child process inherits the high permission of the parent process, and further ensuring the safety of the intelligent terminal.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above are referred to one another. In addition, "first", "second", and the like in the above embodiments are for distinguishing the embodiments, and do not represent merits of the embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the method and apparatus for configuring rights of processes according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
The invention discloses a1, a process permission configuration method, comprising:
when a child process needs to be created, judging whether an application with lower authority than that of a parent process exists in a currently running application process;
if so, acquiring the authority of the application process;
and configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process.
A2, the process permission configuration method as in a1, wherein if the process permission configuration method exists, the acquiring the permission of the application process includes:
if the application program exists, acquiring the process Token information of the application;
and acquiring the authority of the application process according to the process Token information of the application.
A3, the method for configuring authority of a process according to a1 or a2, wherein when a child process needs to be created, the step of determining whether an application with authority lower than that of the parent process exists in a currently running application process includes:
when a child process needs to be created, judging whether the authority of the resource manager process is lower than the authority of the parent process;
if so, acquiring the authority of the application process comprises:
if the authority of the resource manager is lower than the authority of the parent process, acquiring process Token information of the resource manager;
and acquiring the authority of the process of the resource manager according to the process Token information of the resource manager.
A4, the method for configuring process permission as described in A3, where, if the process permission is lower than the parent process permission, acquiring the process Token information of the resource manager includes:
if the authority of the resource manager is lower than the authority of the parent process, acquiring process Token information of the resource manager by calling a first preset interface function;
the acquiring the authority of the process of the resource manager according to the process Token information of the resource manager comprises:
and acquiring the process permission of the resource manager by calling a second preset interface function according to the process Token information of the resource manager.
A5, the permission configuration method of the process as A4, the parameter format of the first preset interface function and the second preset interface function is the same as the parameter format in the Windows API of the interface function.
A6, where the method for configuring authority of a process according to any one of a1-a5, when a child process needs to be created, the method for determining whether an application with authority lower than that of the parent process exists in a currently running application process further includes:
and judging whether the operating system environment created by the current sub-process meets the preset conditions.
The invention discloses a B7, a process permission configuration device, comprising:
the judging unit is used for judging whether an application with lower authority than that of the parent process exists in the currently running application process when the child process needs to be established;
the acquiring unit is used for acquiring the authority of the application process if the application with the authority lower than that of the parent process exists;
and the configuration unit is used for configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process.
B8, the authority configuration device of the process as described in B7, the obtaining unit includes:
the first acquisition module is used for acquiring process Token information of an application if the application with the authority lower than that of a parent process exists;
and the second acquisition module is used for acquiring the authority of the application process according to the process Token information of the application.
B9, the authority configuration device of the process as described in B7 or B8,
the judging unit is specifically configured to judge whether the authority of the resource manager process is lower than the authority of the parent process when the process needs to be created;
the first obtaining module is specifically configured to obtain process Token information of the resource manager if the authority of the resource manager is lower than the authority of the parent process;
the second obtaining module is specifically configured to obtain the permission of the process of the resource manager according to the process Token information of the resource manager.
B10, right configuration means of the process as described in B9,
the first obtaining module is specifically configured to obtain, if the permission is lower than that of the parent process, process Token information of the resource manager by calling a first preset interface function;
the second obtaining module is specifically further configured to obtain the authority of the process of the resource manager by calling a second preset interface function according to the process Token information of the resource manager.
And B11, the method for configuring the authority of the process according to B10, wherein the parameter formats of the first preset interface function and the second preset interface function are the same as the parameter format in the Windows API of the interface function.
B12, the authority configuration device of the process as described in any one of B7-B11, the determining unit is further configured to determine whether the operating system environment currently undergoing sub-process creation meets preset conditions.
Claims (7)
1. A method for configuring authority of a process is characterized by comprising the following steps:
when a child process needs to be created, judging whether an application with lower authority than that of a parent process exists in a currently running application process;
if so, acquiring the authority of the application process;
configuring the authority of the child process as the authority of the application process in the process of creating the child process by the parent process; when a child process needs to be created, judging whether an application with lower authority than that of the parent process exists in the currently running application process comprises the following steps:
when a child process needs to be created, judging whether the authority of the resource manager process is lower than the authority of the parent process;
if so, acquiring the authority of the application process comprises:
if the authority of the resource manager is lower than the authority of the parent process, acquiring process Token information of the resource manager;
acquiring the authority of the process of the resource manager according to the process Token information of the resource manager;
if so, acquiring the authority of the application process comprises:
if the application program exists, acquiring the process Token information of the application;
and acquiring the authority of the application process according to the process Token information of the application.
2. The method of claim 1, wherein if the process is lower than the parent process, acquiring the Token information of the process of the resource manager comprises:
if the authority of the resource manager is lower than the authority of the parent process, acquiring process Token information of the resource manager by calling a first preset interface function;
the acquiring the authority of the process of the resource manager according to the process Token information of the resource manager comprises:
and acquiring the process permission of the resource manager by calling a second preset interface function according to the process Token information of the resource manager.
3. The method for configuring process permission according to claim 2, wherein a parameter format of the first preset interface function and a parameter format of the second preset interface function are the same as a parameter format in a Windows API interface function.
4. An apparatus for configuring authority of a process, comprising:
the judging unit is used for judging whether an application with lower authority than that of the parent process exists in the currently running application process when the child process needs to be established;
the acquiring unit is used for acquiring the authority of the application process if the application with the authority lower than that of the parent process exists;
the configuration unit is used for configuring the authority of the child process as the authority of the application process in the process that the parent process creates the child process; the judging unit is specifically configured to judge whether the authority of the resource manager process is lower than the authority of the parent process when the process needs to be created;
the first obtaining module is specifically configured to obtain process Token information of the resource manager if the authority of the resource manager is lower than that of the parent process;
and the second acquisition module is specifically used for acquiring the process permission of the resource manager according to the process Token information of the resource manager.
5. The process permission configuration device according to claim 4, wherein the obtaining unit includes:
the first acquisition module is used for acquiring process Token information of an application if the application with the authority lower than that of a parent process exists;
and the second acquisition module is used for acquiring the authority of the application process according to the process Token information of the application.
6. The authority configuration apparatus of process as claimed in claim 4,
the first obtaining module is specifically configured to obtain, if the permission is lower than that of the parent process, process Token information of the resource manager by calling a first preset interface function;
the second obtaining module is specifically further configured to obtain the authority of the process of the resource manager by calling a second preset interface function according to the process Token information of the resource manager.
7. The apparatus for configuring authority of process according to claim 6, wherein the parameter formats of the first preset interface function and the second preset interface function are the same as the parameter format in the Windows API interface function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811619949.4A CN109684824B (en) | 2014-12-29 | 2014-12-29 | Process permission configuration method and device |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811619949.4A CN109684824B (en) | 2014-12-29 | 2014-12-29 | Process permission configuration method and device |
| CN201410838120.9A CN105809026B (en) | 2014-12-29 | 2014-12-29 | The authority configuring method and device of process |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410838120.9A Division CN105809026B (en) | 2014-12-29 | 2014-12-29 | The authority configuring method and device of process |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109684824A CN109684824A (en) | 2019-04-26 |
| CN109684824B true CN109684824B (en) | 2021-09-03 |
Family
ID=56284186
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410838120.9A Active CN105809026B (en) | 2014-12-29 | 2014-12-29 | The authority configuring method and device of process |
| CN201811619949.4A Active CN109684824B (en) | 2014-12-29 | 2014-12-29 | Process permission configuration method and device |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410838120.9A Active CN105809026B (en) | 2014-12-29 | 2014-12-29 | The authority configuring method and device of process |
Country Status (2)
| Country | Link |
|---|---|
| CN (2) | CN105809026B (en) |
| WO (1) | WO2016107348A1 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112395611B (en) * | 2019-08-15 | 2024-01-30 | 奇安信安全技术(珠海)有限公司 | Process chain processing method, device and equipment |
| CN113407940A (en) * | 2021-06-21 | 2021-09-17 | 成都欧珀通信科技有限公司 | Script detection method and device, storage medium and computer equipment |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102663321A (en) * | 2012-04-24 | 2012-09-12 | 百度在线网络技术(北京)有限公司 | Security enhancement system and method for software |
| CN102663318A (en) * | 2012-03-22 | 2012-09-12 | 百度在线网络技术(北京)有限公司 | Browser and client |
| CN102722559A (en) * | 2012-05-31 | 2012-10-10 | 奇智软件(北京)有限公司 | Method, device and system for controlling processes of abnormal pages |
| CN103530547A (en) * | 2012-07-02 | 2014-01-22 | 爱思爱(天津)高科技有限公司 | Method for logging into third-party application program through integrated authentication function based on Windows operating system |
| CN103605920A (en) * | 2013-11-10 | 2014-02-26 | 电子科技大学 | Method and system for dynamic application program safety management based on SEAndroid platform |
| CN103886249A (en) * | 2012-12-20 | 2014-06-25 | 腾讯科技(深圳)有限公司 | Method and device for executing processes under superuser right in system |
| CN103955468A (en) * | 2012-03-06 | 2014-07-30 | 北京奇虎科技有限公司 | Method and device for displaying documents based on browser |
| CN104156662A (en) * | 2014-08-28 | 2014-11-19 | 北京奇虎科技有限公司 | Process monitoring method and device and intelligent terminal |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8214398B1 (en) * | 2005-02-16 | 2012-07-03 | Emc Corporation | Role based access controls |
| CN101751287B (en) * | 2008-12-03 | 2013-01-09 | 北京天融信科技有限公司 | Method for executing operation under Windows without limitation of user right |
| JP5562143B2 (en) * | 2010-06-28 | 2014-07-30 | キヤノン株式会社 | Authority delegation system, authority delegation method, information processing apparatus, and program |
| US9209976B2 (en) * | 2010-10-29 | 2015-12-08 | Code Systems Corporation | Method and system for restricting execution of virtual applications to a managed process environment |
| KR101242127B1 (en) * | 2011-04-28 | 2013-03-12 | 주식회사 파수닷컴 | Computing device having a function of DLL injection and method for DLL injection |
| CN103020512B (en) * | 2012-11-26 | 2015-03-04 | 清华大学 | Realization method and control system for safe control flow of system |
| CN103544447B (en) * | 2013-05-30 | 2016-10-12 | Tcl集团股份有限公司 | A kind of method preventing confidential information from revealing based on Android system and terminal |
| CN104199711B (en) * | 2014-09-29 | 2018-02-13 | 北京奇虎科技有限公司 | The method and apparatus for establishing root authority |
-
2014
- 2014-12-29 CN CN201410838120.9A patent/CN105809026B/en active Active
- 2014-12-29 CN CN201811619949.4A patent/CN109684824B/en active Active
-
2015
- 2015-11-26 WO PCT/CN2015/095709 patent/WO2016107348A1/en active Application Filing
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103955468A (en) * | 2012-03-06 | 2014-07-30 | 北京奇虎科技有限公司 | Method and device for displaying documents based on browser |
| CN102663318A (en) * | 2012-03-22 | 2012-09-12 | 百度在线网络技术(北京)有限公司 | Browser and client |
| CN102663321A (en) * | 2012-04-24 | 2012-09-12 | 百度在线网络技术(北京)有限公司 | Security enhancement system and method for software |
| CN102722559A (en) * | 2012-05-31 | 2012-10-10 | 奇智软件(北京)有限公司 | Method, device and system for controlling processes of abnormal pages |
| CN103530547A (en) * | 2012-07-02 | 2014-01-22 | 爱思爱(天津)高科技有限公司 | Method for logging into third-party application program through integrated authentication function based on Windows operating system |
| CN103886249A (en) * | 2012-12-20 | 2014-06-25 | 腾讯科技(深圳)有限公司 | Method and device for executing processes under superuser right in system |
| CN103605920A (en) * | 2013-11-10 | 2014-02-26 | 电子科技大学 | Method and system for dynamic application program safety management based on SEAndroid platform |
| CN104156662A (en) * | 2014-08-28 | 2014-11-19 | 北京奇虎科技有限公司 | Process monitoring method and device and intelligent terminal |
Non-Patent Citations (1)
| Title |
|---|
| 基于进程的Web服务访问控制模型;李国辉 等;《计算机工程》;20070131;第33卷(第1期);第148-150页 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN105809026B (en) | 2019-02-01 |
| WO2016107348A1 (en) | 2016-07-07 |
| CN105809026A (en) | 2016-07-27 |
| CN109684824A (en) | 2019-04-26 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105335184B (en) | Application installation method and device | |
| CA2924845C (en) | Method and system for dynamic and comprehensive vulnerability management | |
| US11409884B2 (en) | Security profiling of system firmware and applications from an OOB appliance at a differentiated trust boundary | |
| EP3552098B1 (en) | Operating system update management for enrolled devices | |
| EP3493090B1 (en) | Control method and unit of mobile storage devices, and storage medium | |
| US9021055B2 (en) | Nonconforming web service policy functions | |
| WO2015058574A1 (en) | Method and apparatus for implementing push notification of extensive application program | |
| WO2013037528A1 (en) | Malware scanning | |
| KR20050039634A (en) | Application identity for software products | |
| WO2017088135A1 (en) | Method and device for configuring security indication information | |
| JP6038924B2 (en) | Networking function per process | |
| WO2015050588A2 (en) | Method and system for combining multiple applications into a single binary file while maintaining per process sandboxing | |
| WO2019051937A1 (en) | Method, apparatus and device for automatically configuring test machine, and storage medium | |
| WO2022078366A1 (en) | Application protection method and apparatus, device and medium | |
| CN104252594A (en) | Virus detection method and device | |
| CN109684824B (en) | Process permission configuration method and device | |
| US20180341770A1 (en) | Anomaly detection method and anomaly detection apparatus | |
| US11190403B2 (en) | Configuration management for co-management | |
| CN112651705B (en) | Mail processing method, device, equipment and medium | |
| CN102736924B (en) | Software installation method and device | |
| EP3188071B1 (en) | Application accessing control method and device | |
| US20140380472A1 (en) | Malicious embedded hyperlink detection | |
| CN109699030B (en) | Unmanned aerial vehicle authentication method, device, equipment and computer readable storage medium | |
| CN105809027B (en) | Permission control method and device for application program | |
| US20190188383A1 (en) | Method of Detecting Malware in a Sandbox Environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20220727 Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015 Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Patentee before: Qizhi software (Beijing) Co.,Ltd. |
|
| TR01 | Transfer of patent right |