CN113886835A - Method and device for preventing container from escaping, computer equipment and storage medium - Google Patents


Info

Publication number
CN113886835A
Authority
CN
China
Prior art keywords
container
pid
global
host system
access
Legal status
Withdrawn
Application number
CN202111198551.XA
Other languages
Chinese (zh)
Inventor
甄鹏
唐超
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202111198551.XA
Publication of CN113886835A
Legal status: Withdrawn

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors > G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/46 Multiprogramming arrangements > G06F9/54 Interprogram communication > G06F9/545 Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F9/00 Arrangements for program control, e.g. control units > G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F9/44 Arrangements for executing specific programs > G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines > G06F9/45533 Hypervisors; Virtual machine monitors > G06F9/45558 Hypervisor-specific management and integration aspects > G06F2009/45587 Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application relates to a container escape protection method and device, a computer device and a storage medium. The method comprises the following steps: when the host system is in a container escape protection state and a process entering the kernel layer is a write process, acquiring the global PID of the process, the global PID of the process being the process PID of the process in the host system; when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, acquiring the service access directory corresponding to the container to which the process belongs; when the access object of the process is in the service access directory, allowing the process to be executed; and when the access object is not in the service access directory, prohibiting the process from executing. The method can improve the security of container escape protection.

Description

Method and device for preventing container from escaping, computer equipment and storage medium
Technical Field
The present application relates to the field of computer security technologies, and in particular, to a method and an apparatus for preventing container escape, a computer device, and a storage medium.
Background
In recent years, with the rapid development of cloud computing, virtualization technology has become popular accordingly. Hardware-based virtualization is typically referred to as virtual machines, while operating-system-based virtualization is typically referred to as containers. For example, a hardware server can host a plurality of virtual machines, and each virtual machine can host a plurality of containers. Because containers can isolate resources and avoid mutual interference, many cloud users deploy their service applications in containers. Many applications inevitably contain vulnerabilities; an attacker can use them to intrude into the container in which the application runs, and then use vulnerabilities present in certain container versions, or an insecure container start-up configuration, to escape to the host on which the container runs, causing damage to the host system.
In conventional technology, however, whether container escape has occurred (so that further protective measures can be taken) is mainly determined by methods such as: an inconsistency between the current namespace of the process and the namespace pre-associated with the process; the operation object of the process falling outside the white list of files associated with the process; a system call of the process exceeding the authority of the process; or the parameter content of a system call of the process containing attack content. When the namespace mechanism of the container is compromised, the namespace check becomes invalid, so container escape can no longer be reliably detected; a fixed white list of accessible files cannot keep up with changes in actual service operation; and judgement based on the system calls of the process affects program performance.
Disclosure of Invention
In view of the above, it is necessary to provide a container escape protection method, device, computer equipment and storage medium that can improve the security of container escape protection.
The application discloses in a first aspect a method for protecting a container from escaping, the method comprising:
when the host system is in a container escape protection state and a process entering a kernel layer is a writing process, acquiring a global PID of the process, wherein the global PID of the process is a process PID of the process in the host system;
when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, acquiring a service access directory corresponding to a container to which the process belongs, wherein the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises the global PID of each container currently running in a host system;
when the access object of the process is in the service access directory, allowing the process to be executed; and when the access object is not in the service access directory, prohibiting the process from executing.
In some embodiments, the method further comprises:
before a host system enters a container escape protection state, acquiring historical access data of each container currently running in the host system, wherein the historical access data of each container comprises an access object of a container process in the container in a preset time period;
and obtaining the service access directory corresponding to each container according to the historical access data of each container.
In some embodiments, obtaining historical access data for each container currently running in the host system comprises:
acquiring all write processes entering the kernel layer within a preset time period, and selecting the container processes of each container from all the write processes according to the namespace of each write process;
and recording the access objects of the container process in each container to obtain the historical access data of each container.
In some embodiments, the method further comprises:
before the host system enters a container escape protection state, acquiring container identification information of each currently running container in the host system, and obtaining the global PID of each container according to the container identification information of each container, wherein the global PID of each container is the process PID of the initial process of the container in the host system;
and obtaining a container global PID set according to the global PID of each container, and storing the container global PID set to a memory of the host system.
In some embodiments, determining that the process is a container process according to the global PID of the process and a pre-stored container global PID set includes:
obtaining a process tree corresponding to the global PID of the process, determining the process call chain in which the process is located in the process tree, and determining that the process is a container process when the process call chain contains the global PID of any container in the container global PID set.
In a second aspect, the present application discloses a device for protecting a container from escaping, the device comprising:
the write process determining module is used for acquiring the global PID of the process when the host system is in a container escape protection state and the process entering the kernel layer is a write process, wherein the global PID of the process is the process PID of the process in the host system;
a container process determining module, configured to, when determining that the process is a container process according to the global PID of the process and a pre-stored container global PID set, obtain a service access directory corresponding to a container to which the process belongs, where the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set includes global PIDs of containers currently running in the host system;
a process access control module, configured to allow the process to be executed when the access object of the process is in the service access directory, and to prohibit the process from executing when the access object is not in the service access directory.
In some embodiments, the apparatus further comprises: the access directory acquisition module is used for acquiring historical access data of each container currently running in the host system before the host system enters a container escape protection state, wherein the historical access data of each container comprises an access object of a container process in the container in a preset time period; and obtaining the service access directory corresponding to each container according to the historical access data of each container.
In some embodiments, the apparatus further comprises: a container global PID set obtaining module, configured to obtain container identification information of each currently running container in a host system before the host system enters a container escape protection state, and obtain a global PID of each container according to the container identification information of each container, where the global PID of a container is a process PID of an initial process of the container in the host system;
and obtaining a container global PID set according to the global PID of each container, and storing the container global PID set to a memory of the host system.
A third aspect of the application discloses a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
when the host system is in a container escape protection state and a process entering a kernel layer is a writing process, acquiring a global PID of the process, wherein the global PID of the process is a process PID of the process in the host system;
when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, acquiring a service access directory corresponding to a container to which the process belongs, wherein the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises the global PID of each container currently running in a host system;
when the access object of the process is in the service access directory, allowing the process to be executed; and when the access object is not in the service access directory, prohibiting the process from executing.
A fourth aspect of the present application discloses a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
when the host system is in a container escape protection state and a process entering a kernel layer is a writing process, acquiring a global PID of the process, wherein the global PID of the process is a process PID of the process in the host system;
when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, acquiring a service access directory corresponding to the container to which the process belongs, wherein the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises the global PID of each container currently running in the host system; when the access object of the process is in the service access directory, allowing the process to be executed; and when the access object is not in the service access directory, prohibiting the process from executing.
In the method, apparatus, computer device and storage medium for container escape protection disclosed in the above embodiments, when the host system is in a container escape protection state and a process entering the kernel layer is a write process, the global PID of the process is obtained, where the global PID of the process is the process PID of the process in the host system; when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, the service access directory corresponding to the container to which the process belongs is obtained, wherein the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises the global PID of each container currently running in the host system; when the access object of the process is in the service access directory, the process is allowed to execute; and when the access object is not in the service access directory, the process is prohibited from executing. The embodiment identifies container processes through the global PID of the process and limits the access of container processes to host files through the service access directory, so that even when the namespace mechanism of the container is compromised, a container process that has broken out of the container's isolation is prevented from damaging host files, and the security of container escape protection is improved.
Drawings
FIG. 1 is a diagram of an environment in which the method of protecting against escape of a container may be used in some embodiments;
FIG. 2 is a schematic flow diagram of a method for protecting against escape of a container in some embodiments;
FIG. 3 is a flow diagram illustrating the business access directory retrieval step in some embodiments;
FIG. 4 is a block diagram of a container escape guard in some embodiments;
FIG. 5 is a block diagram of an alternative embodiment of a container escape guard;
FIG. 6 is a diagram of the internal structure of a computer device in one or more embodiments.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The method for preventing container escape can be applied to the application environment shown in fig. 1. One or more containers 110, such as container 1, container 2, …, container n, may be provided inside the host 100, and each container 110 runs inside a respective container process. The host 100 may be implemented by an independent server or by a server cluster composed of a plurality of servers; in rare cases a terminal may serve as the host 100.
In a practical application scenario, the container may be a Docker container. Docker is an open-source application container engine: developers can package their application and its dependencies into a portable image and then distribute that image to any popular Linux or Windows host, achieving virtualization; Docker relies entirely on a sandbox mechanism, and different containers have no interface to one another. Each Docker container stores the PIDs of its internal parent and child processes in a tree structure.
Example one
In this embodiment, as shown in fig. 2, a method for preventing container escape is provided. It is described by taking the method as applied to the host 100 in fig. 1 as an example, and includes the following steps:
step 202, when the host system is in a container escape protection state and the process entering the kernel layer is a write process, acquiring the global PID of the process.
The host system is an operating system running on the host 100, such as Linux or Windows; the kernel layer refers to the kernel of the operating system, and in order to reduce the overhead of the operating system itself, in the design of the operating system, some hardware-closely related modules (such as interrupt handlers, device drivers, etc.), basic, common, and higher-frequency modules (such as clock management, process scheduling, etc.), and critical data structures are often independently separated, resident in the memory, and protected, and this part is generally referred to as the kernel of the operating system.
The global PID of the process is the process PID (Process Identification number) of the process in the host system, that is, the unique ID of the process in the kernel of the host system and in the initial namespace, which is the initial namespace of the host system. Each process appearing in the host system corresponds to a PID in the initial namespace, referred to herein as its global PID; the global PID of any process is unique throughout the host system. A container process in a container also corresponds to a local PID: because each container has its own namespace, the PID assigned to a container process within the container's namespace is its local PID, and the same local PID may also appear in other namespaces.
In a practical application environment, the host system may be in a container escape protection state or a non-container escape protection state. And under the container escape protection state, the host system starts the container escape protection function, and judges whether the process entering the kernel layer is a writing process.
Specifically, the operation instruction corresponding to each process generally includes operation type information and operation object information. In the container escape protection state, the host system can determine, from the operation type information, the operation type of a process entering the kernel, and when it determines that a process is a write process, it obtains the global PID of that process. For example, the operating system may intercept at the kernel layer, by a hook technique, processes that write files or folders through mkdir, create and the like, and then obtain the process descriptor of the intercepted write process. The process descriptor is usually a task_struct data structure whose fields contain all the information related to one process, and each process has its own process descriptor; the kernel layer can read the global PID of the write process from the process descriptor.
In some embodiments, when the kernel layer determines that the process entering the kernel layer is not a write process, the process is allowed to execute.
Step 204, when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, acquiring the service access directory corresponding to the container to which the process belongs.
The container process refers to a process occurring inside a container, the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises global PIDs of all containers currently running in the host system.
In practical application, each container is assigned a process PID by the system at startup, the process PID is a global PID unique to the container, and what is included in the container global PID set is the global PID of each container currently running in the host system. A process within a container is assigned a local PID within the container space at startup, and at the system level, corresponds to a global PID. The process tree call chains corresponding to the global PIDs of all the processes in any container all contain the global PID when the container is started, and the processes in the container can still be identified through the global PID under the condition that a namespace mechanism of the container is damaged due to a vulnerability.
In some embodiments, determining that the process is a container process according to the global PID of the process and a pre-stored set of container global PIDs includes: obtaining a process tree corresponding to the global PID of the process, determining the process call chain in which the process is located in the process tree, and determining that the process is a container process when the process call chain contains the global PID of any container in the container global PID set.
Specifically, the host system determines whether the process is a container process according to the global PID of the process and a pre-stored container global PID set, and if the process is a container process, the host system obtains a service access directory corresponding to a container to which the process belongs. For example, after acquiring the global PID of the write process, the kernel layer of the host system sends the global PID of the write process to the application layer, the application layer acquires a process tree corresponding to the global PID of the process and determines a process call chain in which the process is located in the process tree, and the application layer determines whether the process call chain includes the global PID of any container in the container global PID set; if yes, judging the process as a container process; if not, the process is judged not to be the container process, and the process is allowed to be executed, so that the identification of the container process is realized.
Step 206, when the access object of the process is in the service access directory, allowing the process to be executed; and when the access object is not in the service access directory, prohibiting the process from executing.
Specifically, the host system judges whether the access object of the process is in the service access directory, and if so, the process is allowed to be executed; if not, the process is prohibited from being executed.
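The decision logic of steps 202 to 206, written out as an added Python example. This is not code from the patent or from the assignee: the kernel-layer hook and the task_struct lookup are replaced by a constructed process table of global PIDs and parent PIDs, and every PID, container PID, directory and request below is a constructed value.

```python
"""Escape-protection decision of steps 202-206 (added example, not the
patent's code). The kernel hook, the task_struct lookup and the
write/non-write classification are stood in for by constructed data."""
import os
from typing import Optional

# Constructed process table: global PID -> parent global PID, i.e. what
# the kernel exposes as PPid in /proc/<pid>/status on Linux. All made up.
PROCESS_TABLE = {
    1: 0,        # host init
    700: 1,      # host shell
    800: 1,      # container runtime daemon
    810: 800,    # shim for container A
    811: 810,    # initial process of container A (its "global PID")
    812: 811,    # worker inside container A
    813: 812,    # child of the worker, e.g. a shell it spawned
    820: 800,    # shim for container B
    821: 820,    # initial process of container B
    822: 821,    # worker inside container B
}

# Pre-stored container global PID set: the global PID of each running
# container's initial process (constructed values).
CONTAINER_GLOBAL_PIDS = {811, 821}

# Service access directory per container, keyed by container global PID.
# Constructed here; in the patent it comes from the learning phase.
SERVICE_ACCESS_DIRECTORY = {
    811: ["/var/lib/app-a/data", "/var/lib/app-a/logs"],
    821: ["/srv/app-b/uploads"],
}

# Operation types this example treats as "write process" (assumption).
WRITE_OPERATIONS = {"create", "mkdir", "write", "unlink", "rename"}


def call_chain(pid: int, table: dict) -> list:
    """Process call chain [pid, parent, grandparent, ..., 1].
    Stops at PID 0, at a PID missing from the table, or on a cycle."""
    chain, seen = [], set()
    while pid > 0 and pid in table and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = table[pid]
    return chain


def owning_container(pid: int, table: dict, container_pids: set) -> Optional[int]:
    """Step 204: the process is a container process if its call chain
    contains the global PID of any running container. Namespaces are
    never consulted, so a broken namespace cannot hide the process."""
    for ancestor in call_chain(pid, table):
        if ancestor in container_pids:
            return ancestor
    return None


def in_service_directory(path: str, allowed_dirs: list) -> bool:
    """Step 206: is the access object inside a learned directory?
    Paths are normalised first so '..' cannot step out of a directory,
    and commonpath (not a string prefix) is compared, so /a/data2 is
    not accepted for the allowed directory /a/data."""
    target = os.path.normpath(path)
    for base in allowed_dirs:
        base = os.path.normpath(base)
        if os.path.commonpath([base, target]) == base:
            return True
    return False


def decide(pid: int, operation: str, path: str) -> str:
    """Full decision for one kernel-layer request in protection state."""
    if operation not in WRITE_OPERATIONS:
        return "allow: not a write process"
    container = owning_container(pid, PROCESS_TABLE, CONTAINER_GLOBAL_PIDS)
    if container is None:
        return "allow: host process"
    if in_service_directory(path, SERVICE_ACCESS_DIRECTORY[container]):
        return "allow: in service access directory"
    return f"deny: container {container} outside service access directory"


if __name__ == "__main__":
    for args in [(813, "create", "/var/lib/app-a/data/new.db"),
                 (813, "create", "/var/lib/app-a/data/../../../etc/cron.d/job"),
                 (822, "write", "/srv/app-b/uploads/x.png"),
                 (700, "write", "/etc/hosts"),
                 (812, "read", "/etc/passwd")]:
        print(args, "->", decide(*args))
```

The walk up the call chain uses only parent PIDs as the kernel records them, which is the property the description relies on when the container's namespace mechanism has been damaged. The directory check is the other place where a naive implementation goes wrong: comparing normalised paths with os.path.commonpath instead of a string prefix means that neither a sibling directory sharing a name prefix nor a path containing ".." segments is accepted as being inside a learned directory.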
In some embodiments, as shown in fig. 3, the method further comprises:
step 302, before the host system enters the container escape protection state, obtaining historical access data of each container currently running in the host system.
Specifically, a kernel layer of a host system acquires all writing processes entering the kernel layer within a preset time period, and selects container processes in each container from all writing processes according to a name space of each writing process in all writing processes; and recording access objects of container processes in each container to obtain historical access data of each container, and storing the historical access data of each container to a memory of the host system. The historical access data of each container includes an access object of the container process in the container in a preset time period, that is, an access object directory of the container process in the container in the preset time period.
Step 304, obtaining the service access directory corresponding to each container according to the historical access data of each container.
Specifically, before entering the container escape protection state, the host system may intercept at the kernel layer, by a hook technique, access processes that perform write operations on files or folders through mkdir, create and the like, identify the namespace of each access process, and, if the access process is a container process, store its access directory in memory. After the host system has learned for one service period (the duration of which can be set by the user as required), the access directories of all access processes in each container are de-duplicated to obtain the service access directory corresponding to that container, which provides the basis for the judgement in step 206.
In the above embodiment, the host system learns the historical access data of each container within a certain period of time to obtain the service access directory corresponding to each container, that is, the service access directory corresponding to each container is automatically obtained based on the historical access data of each container, rather than being set in advance by a user in the conventional technology, so that the flexibility is good, the security is ensured, and the probability of false interception can be reduced.
In some embodiments, the method further comprises:
before the host system enters the container escape protection state, acquiring container identification information of each currently running container in the host system, and obtaining the global PID of each container according to its container identification information, wherein the global PID of a container is the process PID of the initial process of the container in the host system; and obtaining the container global PID set according to the global PID of each container, and storing the container global PID set in the memory of the host system.
The global PID of a container is the unique global PID assigned by the system when the container is started.
Specifically, the host system may start a monitoring program at the application layer, obtain the container IDs of all currently running Docker containers through the command docker ps, and obtain the global PID of each container through the command docker inspect -f '{{.State.Pid}}' <container ID>, thereby determining the container global PID set.
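The preparation that precedes the protection state, i.e. the learning of steps 302 and 304 together with the construction of the container global PID set just described, as an added Python example (not the patent's code). Docker is not executed: the outputs of docker ps and docker inspect -f '{{.State.Pid}}' are stand-ins constructed inline, as are the PID namespace identifiers and the write-access records; using the -q form of docker ps, and recording the parent directory of each access object as the learned directory, are assumptions of this example.

```python
"""Preparation phase before protection is switched on (added example,
not the patent's code): container global PID set + learned service
access directories. Docker output and kernel records are constructed."""
import os
from datetime import datetime, timedelta

# Constructed stand-in for `docker ps -q` output (short container IDs).
DOCKER_PS_OUTPUT = "3f1a2b9c0d1e\n7e6d5c4b3a29\n"

# Constructed stand-in for `docker inspect -f '{{.State.Pid}}' <id>`,
# keyed by container ID. The real command prints the global PID of the
# container's initial process; a container that is not running prints 0.
DOCKER_INSPECT_PID = {
    "3f1a2b9c0d1e": "811\n",
    "7e6d5c4b3a29": "821\n",
}

# Constructed mapping of PID namespace (the form /proc/<pid>/ns/pid has on
# Linux) to container ID. The host's initial namespace is deliberately absent.
CONTAINER_BY_NAMESPACE = {
    "pid:[4026532201]": "3f1a2b9c0d1e",
    "pid:[4026532305]": "7e6d5c4b3a29",
}

# Constructed kernel-layer write records seen while learning:
# (time, global PID, PID namespace of the process, access object).
T0 = datetime(2021, 10, 1, 9, 0, 0)
LEARNING_WINDOW = timedelta(minutes=10)        # the "service period"
ACCESS_LOG = [
    (T0 + timedelta(seconds=5),  812, "pid:[4026532201]", "/var/lib/app-a/data/db.sqlite"),
    (T0 + timedelta(seconds=9),  812, "pid:[4026532201]", "/var/lib/app-a/data/db.sqlite-wal"),
    (T0 + timedelta(seconds=30), 813, "pid:[4026532201]", "/var/lib/app-a/logs/app.log"),
    (T0 + timedelta(seconds=40), 822, "pid:[4026532305]", "/srv/app-b/uploads/1.png"),
    (T0 + timedelta(seconds=45), 700, "pid:[4026531836]", "/etc/hosts"),        # host process
    (T0 + timedelta(minutes=20), 822, "pid:[4026532305]", "/srv/app-b/cache/x"), # after window
]


def container_global_pid_set(ps_output: str, inspect_outputs: dict) -> dict:
    """Container ID -> container global PID, from the two command outputs."""
    result = {}
    for cid in ps_output.split():
        pid = int(inspect_outputs[cid].strip())
        if pid > 0:                      # 0 means the container is not running
            result[cid] = pid
    return result


def learn_service_access_directories(log, ns_to_container: dict,
                                     start: datetime, window: timedelta) -> dict:
    """Steps 302-304: keep only write records inside the learning window
    whose namespace belongs to a container, record the directory of each
    access object, and de-duplicate per container."""
    end = start + window
    learned = {}
    for ts, _pid, ns, path in log:
        if not (start <= ts < end):
            continue
        cid = ns_to_container.get(ns)
        if cid is None:                  # host process: belongs to no container
            continue
        learned.setdefault(cid, set()).add(os.path.dirname(os.path.normpath(path)))
    return {cid: sorted(dirs) for cid, dirs in learned.items()}


def service_directory_by_global_pid(pid_set: dict, learned: dict) -> dict:
    """Re-key the learned directories by container global PID, the key the
    protection state looks up once it has identified a container process."""
    return {pid_set[cid]: learned.get(cid, []) for cid in pid_set}


def prepare() -> tuple:
    """Run both preparation steps on the constructed inputs."""
    pids = container_global_pid_set(DOCKER_PS_OUTPUT, DOCKER_INSPECT_PID)
    dirs = learn_service_access_directories(ACCESS_LOG, CONTAINER_BY_NAMESPACE,
                                            T0, LEARNING_WINDOW)
    return pids, service_directory_by_global_pid(pids, dirs)


if __name__ == "__main__":
    container_pids, directories = prepare()
    print("container global PID set:", container_pids)
    print("service access directories:", directories)
```

Two details matter for a defender reading the description: the learning phase identifies container processes by namespace, which is acceptable only because learning happens before any escape is assumed, and the record from the host's own namespace is dropped rather than attributed to a container. Anything observed after the service period (the last record) is not learned, so a compromise that begins after learning cannot widen the service access directory.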
In the method for container escape protection, when the host system is in a container escape protection state and a process entering the kernel layer is a write process, the global PID of the process is acquired, wherein the global PID of the process is the process PID of the process in the host system; when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, the service access directory corresponding to the container to which the process belongs is acquired, wherein the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises the global PID of each container currently running in the host system; when the access object of the process is in the service access directory, the process is allowed to execute; and when the access object is not in the service access directory, the process is prohibited from executing. The embodiment identifies container processes through the global PID of the process and limits the access of container processes to host files through the service access directory, so that even when the namespace mechanism of the container is compromised, a container process that has broken out of the container's isolation is prevented from damaging host files, and the security of container escape protection is improved.
It should be understood that although the steps in the flow charts of fig. 2-3 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise herein, the steps are not restricted to the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in fig. 2-3 may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages are not necessarily performed sequentially but may be performed in turn or alternately with other steps, or with at least some of the sub-steps or stages of other steps.
Example two
In one embodiment, as shown in fig. 4, a container escape protection device is provided, comprising:
A write process determining module 402, configured to, when the host system is in a container escape protection state and a process entering the kernel layer is a write process, obtain a global PID of the process, where the global PID of the process is the process PID of the process in the host system.
A container process determining module 404, configured to, when it is determined that the process is a container process according to the global PID of the process and a pre-stored container global PID set, obtain a service access directory corresponding to a container to which the process belongs, where the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set includes global PIDs of containers currently running in the host system.
A process access control module 406, configured to allow the process to be executed when the access object of the process is in the service access directory, and to prohibit the process from being executed when the access object is not in the service access directory.
In some embodiments, as shown in fig. 5, the apparatus further comprises:
An access directory obtaining module 408, configured to obtain historical access data of each currently running container in the host system before the host system enters the container escape protection state, where the historical access data of each container includes the access objects of the container processes in that container within a preset time period, and to obtain the service access directory corresponding to each container according to the historical access data of that container.
In some embodiments, the access directory obtaining module 408 is specifically configured to obtain all write processes entering the kernel layer within a preset time period, and screen out container processes in each container from all write processes according to a namespace of each write process in all write processes; and recording the access objects of the container process in each container to obtain the historical access data of each container.
In some embodiments, as shown in fig. 5, the apparatus further comprises:
A container global PID set obtaining module 410, configured to obtain container identification information of each currently running container in the host system before the host system enters the container escape protection state, and to obtain the global PID of each container according to its container identification information, where the global PID of a container is the process PID of the initial process of the container in the host system; and to obtain the container global PID set from the global PIDs of the containers and store it in the memory of the host system.
In some embodiments, the container process determining module 404 is specifically configured to obtain a process tree corresponding to the global PID of the process, determine a process call chain where the process is located in the process tree, and determine that the process is a container process when the process call chain includes the global PID of any container in the container global PID set.
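The modules 402 to 410 above, as an added user-space simulation that is not the patent's own code: the host process tree, PID namespaces, container global PID set and learning-window events are constructed sample values, and access objects are matched as exact paths, which is an assumption the patent leaves open.

```python
# Added example, not the patent's own code. Process tree, namespaces and events are constructed.

# Constructed host process tree: child global PID -> parent global PID.
PROCESS_TREE = {
    1: 0,        # init
    1200: 1,     # initial process of container A (its global PID)
    1250: 1200,  # worker inside container A
    1300: 1250,  # child of that worker
    2000: 1,     # host daemon, not in any container
    2100: 2000,
    3000: 1,     # initial process of container B
    3050: 3000,
}
# Constructed PID namespace of each process; used only by the learning phase (claim 3).
PID_NAMESPACE = {1: "ns_host", 2000: "ns_host", 2100: "ns_host",
                 1200: "ns_a", 1250: "ns_a", 1300: "ns_a", 3000: "ns_b", 3050: "ns_b"}
# Container global PID set (claim 4): global PID of each container's initial process.
CONTAINER_GLOBAL_PIDS = {1200, 3000}
# Constructed learning-window events: (global PID, operation, access object).
HISTORY = [
    (1250, "write", "/var/lib/app/data.db"),
    (1250, "write", "/tmp/app.lock"),
    (1300, "read", "/etc/app.conf"),           # not a write: ignored
    (3050, "write", "/var/log/web/access.log"),
    (2100, "write", "/etc/hostname"),          # host-namespace process: not recorded
]

def process_call_chain(pid, tree=PROCESS_TREE):
    """Walk up the process tree from pid towards PID 1, returning the chain of global PIDs."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = tree[pid]
    return chain

def container_of(pid, container_pids=CONTAINER_GLOBAL_PIDS, tree=PROCESS_TREE):
    """Claim 5: the process belongs to the container whose global PID is on its call chain.
    Only host-side PIDs are consulted, so this holds even if the container's namespace is damaged."""
    for ancestor in process_call_chain(pid, tree):
        if ancestor in container_pids:
            return ancestor
    return None

def build_service_access_directory(events, namespace=PID_NAMESPACE, host_ns="ns_host"):
    """Claims 2-3 (learning phase): keep write events from processes outside the host PID
    namespace, attribute each to its container and record the access objects per container."""
    directory = {}
    for pid, op, path in events:
        if op != "write" or namespace.get(pid, host_ns) == host_ns:
            continue
        container = container_of(pid)
        if container is not None:
            directory.setdefault(container, set()).add(path)
    return directory

def check_write(pid, op, path, directory):
    """Claim 1 (protection phase): decision for one process entering the kernel layer.
    Access objects are matched as exact paths here; the patent leaves the granularity open."""
    if op != "write":
        return "pass"    # only write processes are subject to the check
    container = container_of(pid)
    if container is None:
        return "host"    # not a container process; outside the scope of this method
    return "allow" if path in directory.get(container, set()) else "deny"
```

A write by PID 1300 to a host file that container A never touched during the learning window is denied even though 1300 is several forks below the container's initial process, because the decision rests on the call chain of global PIDs rather than on the container's own namespace.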
For specific definitions of the container escape protection device, reference may be made to the definition of the container escape protection method above; they are not repeated here. The modules of the container escape protection device may be implemented in whole or in part by software, hardware, or a combination of the two. The modules may be embedded in hardware in, or be independent of, a processor in the computer device, or they may be stored in software form in the memory of the computer device so that the processor can call and execute the operations corresponding to the modules.
Example three
In one embodiment, a computer device is provided, which may be a server, and whose internal structure may be as shown in fig. 6. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. When the processor executes the computer program, the method for preventing container escape described in the first embodiment is implemented.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
Example four
In this embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which, when executed by a processor, implements the method for preventing container escape described in the first embodiment above.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium, and which, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily. For the sake of brevity, not all possible combinations of the technical features of the above embodiments are described, but any such combination should be considered within the scope of this specification as long as it involves no contradiction.
The above embodiments express only several embodiments of the present application, and their description is specific and detailed, but this should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for preventing container escape, the method comprising:
when a host system is in a container escape protection state and a process entering a kernel layer is a write process, acquiring a global PID of the process, wherein the global PID of the process is a process PID of the process in the host system;
when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, acquiring a service access directory corresponding to a container to which the process belongs, wherein the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises the global PID of each container currently running in a host system;
when the access object of the process is in the service access directory, allowing the process to be executed; and when the access object is not in the service access directory, prohibiting the process from being executed.
2. The method of claim 1, further comprising:
before the host system enters the container escape protection state, acquiring historical access data of each container currently running in the host system, wherein the historical access data of each container comprises an access object of a container process in the container in a preset time period;
and obtaining a service access directory corresponding to each container according to the historical access data of each container.
3. The method of claim 2, wherein the obtaining historical access data for each container currently running in the host system comprises:
acquiring all the write processes entering the kernel layer in the preset time period, and screening out the container processes in each container from all the write processes according to the namespace of each write process among all the write processes;
and recording access objects of container processes in each container to obtain historical access data of each container.
4. The method of claim 2, further comprising:
before the host system enters the container escape protection state, acquiring container identification information of each container currently running in the host system, and obtaining a global PID of each container according to the container identification information of each container, wherein the global PID of each container is a process PID of an initial process of the container in the host system;
and obtaining a container global PID set according to the global PID of each container, and storing the container global PID set to the memory of the host system.
5. The method according to any one of claims 1 to 4, wherein the determining that the process is a container process according to the global PID of the process and a pre-stored container global PID set comprises:
and acquiring a process tree corresponding to the global PID of the process, determining a process call chain where the process is located in the process tree, and determining that the process is a container process when the process call chain contains the global PID of any container in the container global PID set.
6. A device for preventing container escape, the device comprising:
a write process determining module, configured to acquire the global PID of a process when the host system is in a container escape protection state and the process entering the kernel layer is a write process, wherein the global PID of the process is the process PID of the process in the host system;
a container process determining module, configured to acquire a service access directory corresponding to the container to which the process belongs when the process is determined to be a container process according to the global PID of the process and a pre-stored container global PID set, wherein the service access directory is an access object directory obtained according to historical access data of the container, and the container global PID set comprises the global PIDs of all containers currently running in the host system;
a process access control module, configured to allow the process to be executed when the access object of the process is in the service access directory, and to prohibit the process from being executed when the access object is not in the service access directory.
7. The apparatus of claim 6, further comprising:
the access directory acquiring module is used for acquiring historical access data of each container currently running in the host system before the host system enters the container escape protection state, wherein the historical access data of each container comprises an access object of a container process in the container in a preset time period; and obtaining a service access directory corresponding to each container according to the historical access data of each container.
8. The apparatus of claim 6, further comprising:
a container global PID set obtaining module, configured to obtain container identification information of each currently running container in the host system before the host system enters the container escape protection state, and obtain a global PID of each container according to the container identification information of each container, where the global PID of the container is a process PID of an initial process of the container in the host system;
and obtaining a container global PID set according to the global PID of each container, and storing the container global PID set to the memory of the host system.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any one of claims 1 to 5 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, carries out the steps of the method of any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111198551.XA CN113886835A (en) 2021-10-14 2021-10-14 Method and device for preventing container from escaping, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113886835A true CN113886835A (en) 2022-01-04

Family

ID=79002931

Country Status (1)

Country Link
CN (1) CN113886835A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114676424A (en) * 2022-05-25 2022-06-28 杭州默安科技有限公司 Container escape detection and blocking method, device, equipment and storage medium
CN117407118A (en) * 2022-07-08 2024-01-16 北京火山引擎科技有限公司 Container operation control method, device, electronic equipment and readable storage medium
CN115373798A (en) * 2022-07-25 2022-11-22 国网新疆电力有限公司乌鲁木齐供电公司 Intelligent Internet of things terminal container escape attack detection and defense method
CN116796331A (en) * 2023-04-26 2023-09-22 之江奇安科技有限公司 Automatic hook method for realizing process monitoring and whitelist mechanism in podman
CN116796331B (en) * 2023-04-26 2024-04-05 之江奇安科技有限公司 Automatic hook method for realizing process monitoring and whitelist mechanism in podman
CN116820668A (en) * 2023-06-15 2023-09-29 北京小佑网络科技有限公司 Container escape detection method and system based on fanotify

Similar Documents

Publication Publication Date Title
CN113886835A (en) Method and device for preventing container from escaping, computer equipment and storage medium
US11762986B2 (en) System for securing software containers with embedded agent
US10534915B2 (en) System for virtual patching security vulnerabilities in software containers
CN110851241A (en) Safety protection method, device and system for Docker container environment
US10462160B2 (en) Method and system for identifying uncorrelated suspicious events during an attack
US9239921B2 (en) System and methods of performing antivirus checking in a virtual environment using different antivirus checking techniques
US11947670B2 (en) Malicious software detection based on API trust
CN113051034B (en) Container access control method and system based on kprobes
CN107580703B (en) Migration service method and module for software module
CN105975328A (en) Log file security auditing system and method based on security virtual machine
CN112231726B (en) Access control method and device based on trusted verification and computer equipment
CN108334404B (en) Application program running method and device
CN111919198A (en) Kernel function callback method and system
CN110188574A (en) A kind of the webpage tamper resistant systems and its method of Docker container
CN113791865A (en) Container security processing method and device, storage medium and processor
US11861364B2 (en) Circular shadow stack in audit mode
CN109145536B (en) Webpage tamper-proofing method and device
CN107203410B (en) VMI method and system based on system call redirection
CN110990844B (en) Cloud data protection method based on kernel, cloud server and system
KR101503827B1 (en) A detect system against malicious processes by using the full path of access files
CN111382012B (en) Backup method and device for MySQL cloud database, computer equipment and storage medium
CN112241529A (en) Malicious code detection method and device, storage medium and computer equipment
CN106778235B (en) Linux file operation control method and device
US20180260563A1 (en) Computer system for executing analysis program, and method of monitoring execution of analysis program
US10809924B2 (en) Executable memory protection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220104