CN114003941B - Software authority control system and method based on Linux operating system - Google Patents

Info

Publication number: CN114003941B
Authority: CN (China)
Prior art keywords: security, software, module, identifier, authority
Legal status: Active
Application number: CN202111615380.6A
Other languages: Chinese (zh)
Other versions: CN114003941A (en)
Inventors: 徐建, 徐叶, 马桂才, 杨诏钧, 魏立峰, 韩光, 姬一文
Current assignee: Kirin Software Co Ltd
Original assignee: Kirin Software Co Ltd
Events: application filed by Kirin Software Co Ltd; priority to CN202111615380.6A; publication of CN114003941A; application granted; publication of CN114003941B; legal status active.

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/604 Tools and structures for managing or administering access control systems
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/451 Execution arrangements for user interfaces
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

A software permission control system and method based on the Linux operating system. The user space comprises a visual authorization program module and a visual security policy management tool, which write the user's authorization choices into the kernel space, display all software packages installed on the current operating system together with their permissions, and issue software authorization policy rules to the kernel space. The kernel space comprises a security subsystem hook function module, a security file system module, a kernel policy management module and a security domain conversion module. The security subsystem hook function module performs permission verification and security domain conversion for each software package based on the package's unique identity and the policy rules set by the user; the security domain conversion module provides a security domain conversion interface; the security file system module receives the user's authorization choices; and the kernel policy management module receives the software authorization policy rules. The invention is simple to operate, low in maintenance cost, user friendly and low in performance overhead.

Description

Software authority control system and method based on Linux operating system
Technical Field
The invention relates to the field of basic security of the Linux operating system, and in particular to a low-level implementation method and system for a software permission control system.
Background
With the development of information technology, personal data privacy and operating system security have received growing attention, and traditional DAC (discretionary access control) can no longer meet the needs of ordinary users: under a DAC-only permission system, once root privileges are illegally obtained, all permissions and all private data on the system are effectively obtained as well. Consequently more and more desktop operating systems provide users with MAC- and RBAC-based permission control systems such as SELinux. Because these systems were originally designed for professional security departments and technicians rather than ordinary users, they suffer from complex policy configuration, a high technical threshold, high maintenance cost and poor usability for ordinary users, which has limited the adoption of SELinux among ordinary users.
In the field of basic security for Linux operating systems, the most common software permission control scheme is SELinux, a security subsystem implemented on the Linux LSM (Linux Security Modules) framework. It is a Mandatory Access Control (MAC) system and also a Role-Based Access Control (RBAC) system, and can exert very fine-grained control over program behaviour through policies formulated in terms of users, roles and types. SELinux consists mainly of a kernel-space security policy manager, a security file system, an access vector cache and hook functions, together with user-space object managers and security tools. SELinux permits nothing by default: a security policy is formulated, using the security tools, for every program in the system and its associated files, and files without an associated security label may not be executed or accessed. All policies produced with the security tools are compiled into a binary policy file, which is loaded into the kernel's security policy manager at system start. While software runs, hook functions in the kernel are triggered and check the software's permissions in those hook functions, thereby realising permission control.
However, existing SELinux technology has the following disadvantages:
1. Specialised design, unsuitable for ordinary users
SELinux was designed for security departments and operations and maintenance technicians, and the experience of ordinary users was not considered in its original design. Consider one SELinux policy rule: allow afs_fsserver_t afs_logfile_t:file { append create getattr ioctl link lock map open read rename setattr unlink write }. The operation permissions on the afs_logfile_t file type alone number thirteen in this single rule. These operation permissions (ioctl, lock, map, link, unlink and so on) are hard for ordinary users to understand intuitively; only technical personnel proficient in the Linux operating system can fully grasp their meanings and so design an appropriate permission control policy.
2. Complicated operation and high maintenance cost
The SELinux policy formulation process is complicated. The different files of a software package are defined as different types, each with its own policy rules, to which complicated security domain transition rules and a variety of operation permission controls are added, so the SELinux policy rules become extremely complex. For example, under the SELinux strict policy the total number of policy rules is about 100,000, an amount of rule configuration that even professional Linux server operations personnel find hard to master completely, let alone ordinary users. Fig. 1 details a summary of the SELinux strict policy rules in actual use; the main figures are: 418 permissions, 1024 categories, 4229 types, 113867 allow rules, 17951 dontaudit rules and 9584 type transition rules. Moreover, modifying any one rule requires re-verifying and testing many related rules to ensure that permission control remains free of problems, so the maintenance workload is enormous.
3. Not user-friendly
For lack of a visual configuration tool, SELinux policy rules are set with a command-line policy configuration tool and then checked with a command-line policy search tool to confirm that they were added correctly, which makes operation cumbersome.
SELinux configuration is also complicated when new software is installed. Because SELinux needs an appropriate policy for every file of every piece of software, if a user develops a new program or installs a program not covered by the SELinux default policy, the user must formulate a policy for the new program and write it into the policy with the command-line policy configuration tool. The whole process is manual, with no automation tool.
4. High system performance overhead
After the SELinux security subsystem is enabled, the system's performance overhead increases significantly, for several reasons:
(1) SELinux names object labels with character strings of English words; a label comprises a user, a role, a type and a level. The English words for user, role, type and level in a label must be converted into numbers in a kernel data structure, and because the number and size of roles and types are huge, a huge hash table has to be built and lookup efficiency is low.
(2) The total volume of SELinux policy is too large: 100,000 policy rules must be loaded into the kernel and converted into a rule list, so the policy-rule hash table is huge. Each permission check must look up the relevant rules in this hash table of 100,000 policy rules before performing permission verification, and lookup efficiency is very low.
(3) The permission check condition is complex: the permission audit rule depends on the combined effect of the four-tuple (user, role, type, level), with many input parameters and complex judgment conditions.
(4) Security domain transition is complex: context transition of security domains must also follow the policy rules. The current subject label and current object label are taken as input parameters, the policy rules are queried and the resulting security domain is determined. The total number of security domain transition rules is about 9000, and lookup efficiency is low.
Disclosure of Invention
To remedy the defects of the prior art, the invention provides a software permission control system based on the Linux operating system, comprising a user space and a kernel space, wherein
the user space comprises a visual authorization program module and a visual security policy management tool, wherein
the visual authorization program module provides the user with a visual dynamic authorization interface and writes the user's authorization choice into the kernel space;
the visual security policy management tool displays all software packages installed on the current operating system together with their permissions, and issues software authorization policy rules to the kernel space;
the kernel space comprises a security subsystem hook function module, a security file system module, a kernel policy management module and a security domain conversion module, wherein
the security subsystem hook function module is connected with the visual authorization program module in user space; when a permission request is encountered while a program runs, it calls out from the kernel to the user-space visual authorization program module to guide the user in choosing an authorization policy, and it performs permission verification and security domain conversion for each software package based on the unique identity of the software package to which the application belongs and the policy rules set by the user;
the security domain conversion module is connected with the security subsystem hook function module and provides the security domain conversion interface;
the security file system module is connected with the kernel policy management module and with the visual authorization program module in user space; it receives the user's authorization choice from the visual authorization program module and writes it into the kernel policy management module;
the kernel policy management module is also connected with the visual security policy management tool in user space and receives the software authorization policy rules from it;
the security file system module is also connected with the security subsystem hook function module, and when the hook function module calls out from the kernel to the user-space visual authorization program module to guide the user's choice of authorization policy, the data is passed to the user through the security file system module.
The unique identity of a software package comprises a subject security label and an object security label, wherein
the subject security label contains only a subject software identifier, or contains both a subject software identifier and a subject interpreter identifier;
the object security label contains an object software identifier, an object interpreter identifier, a device type identifier and a special file identifier, or contains an object software identifier, a device type identifier and a special file identifier;
the subject software identifier and the object software identifier are the unique identifiers by which permission control is exercised over software; the subject interpreter identifier and the object interpreter identifier provide correct security domain conversion rules in scenarios where the general security domain conversion rule cannot be applied.
The security domain conversion module provides three security domain conversion rules:
a general security domain conversion rule, applied when the subject security label of the process contains no interpreter identifier;
a general-interpreter security domain conversion rule, applied when the subject security label of the process contains a general interpreter identifier;
a special-interpreter security domain conversion rule, applied when the subject security label of the process contains a special interpreter identifier.
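The page states the three rules only by the condition that selects them. The following added example, which is not the patent's code, models the conversion performed at exec() in user space so that the selection can be followed on constructed inputs: the label layout, the SID values, the sentinel for "no interpreter was substituted" and the bodies of the two interpreter rules (a general interpreter such as a shell keeps the package SID of the script it runs; a special interpreter owns the domain and imposes its own SID) are assumptions made for illustration, not behaviour the page specifies.

```c
/*
 * Added example, not the patent's code: a user-space model of the security
 * domain conversion performed at exec(), dispatching on the interpreter
 * identifier that would enter the subject label. Label layout, SID values and
 * the bodies of the two interpreter rules are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>

enum interp_id { INTERP_NONE = 0, INTERP_GENERAL = 1, INTERP_SPECIAL = 2 };

struct subject_label { uint32_t sid; enum interp_id interp; };
struct object_label  { uint32_t sid; enum interp_id interp; }; /* device/special-file parts omitted */

/* Constructed SIDs for the walk-through (assumed values); 0 means unlabeled. */
enum { SID_UNLABELED = 0, SID_DESKTOP = 10, SID_BASH = 20, SID_FOO_APP = 30,
       SID_GREP = 40, SID_SANDBOX_RT = 50 };

struct subject_label subj(uint32_t sid, enum interp_id i) { struct subject_label s = { sid, i }; return s; }
struct object_label  obj(uint32_t sid, enum interp_id i)  { struct object_label o = { sid, i }; return o; }
uint32_t subject_key(struct subject_label s) { return (s.sid << 2) | (uint32_t)s.interp; }

/* Sentinel: execve() loaded the named file directly, no interpreter substituted. */
static const struct object_label NO_INTERP = { SID_UNLABELED, INTERP_NONE };

/* General rule: the new subject takes the executed file's object SID and
 * carries the file's interpreter identifier into the subject label. */
static struct subject_label rule_general(struct object_label target)
{ return subj(target.sid, target.interp); }

/* General-interpreter rule (assumed body): /bin/sh, python and the like run a
 * script on behalf of the script's package, so the package SID is kept and the
 * subject label records that the process runs under a general interpreter. */
static struct subject_label rule_general_interp(struct subject_label provisional)
{ return subj(provisional.sid, INTERP_GENERAL); }

/* Special-interpreter rule (assumed body): a self-contained runtime that must be
 * controlled as one unit owns the domain; the subject takes the runtime's SID. */
static struct subject_label rule_special_interp(struct object_label interp)
{ return subj(interp.sid, INTERP_SPECIAL); }

/* One execve(): `target` is the file the caller named, `interp` the file the
 * binfmt handler actually loaded for a script (NO_INTERP for native binaries). */
struct subject_label domain_transition(struct subject_label parent,
                                       struct object_label target,
                                       struct object_label interp)
{
    struct subject_label s = rule_general(target);
    if (interp.sid != SID_UNLABELED || interp.interp != INTERP_NONE) {
        switch (interp.interp) {
        case INTERP_GENERAL: s = rule_general_interp(s); break;
        case INTERP_SPECIAL: s = rule_special_interp(interp); break;
        default:             s = rule_general(interp); break; /* plain program named in #! */
        }
    }
    /* Unlabeled file (no package owns it): keep the parent's domain, as fork does. */
    if (s.sid == SID_UNLABELED)
        s = parent;
    return s;
}

int main(void)
{
    struct subject_label desktop = subj(SID_DESKTOP, INTERP_NONE);
    /* The desktop launches foo's shell script; binfmt_script substitutes /bin/bash. */
    struct subject_label script = domain_transition(desktop, obj(SID_FOO_APP, INTERP_NONE),
                                                    obj(SID_BASH, INTERP_GENERAL));
    /* The script runs grep, a native binary belonging to another package. */
    struct subject_label helper = domain_transition(script, obj(SID_GREP, INTERP_NONE), NO_INTERP);
    /* The same script started under a special, self-contained runtime. */
    struct subject_label boxed = domain_transition(desktop, obj(SID_FOO_APP, INTERP_NONE),
                                                   obj(SID_SANDBOX_RT, INTERP_SPECIAL));
    printf("script: sid=%u interp=%d\n", (unsigned)script.sid, (int)script.interp);
    printf("helper: sid=%u interp=%d\n", (unsigned)helper.sid, (int)helper.interp);
    printf("boxed:  sid=%u interp=%d\n", (unsigned)boxed.sid, (int)boxed.interp);
    return 0;
}
```

In a real LSM the two inputs arrive at different hooks: the file named in execve() is seen before binfmt processing, the substituted interpreter during it, which is why the model carries a provisional label from the first step into the second.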
The permissions of a software package comprise:
execution permission, which determines whether the user is permitted to run the corresponding software;
networking permission, which determines whether the corresponding software is permitted to connect to the Internet while running;
device access permission, which determines whether the corresponding software is permitted to access a given device while running;
file operation permission, which determines whether the corresponding software is permitted to operate on a special file or directory while running.
The security file system module is also connected with the visual security policy management tool in user space, so that the tool can read or set the state of each function of the kernel-space security subsystem through the security file system module.
The security subsystem hook function module is also connected with the kernel-side process of the application software in kernel space; when the application's kernel-side process requires permission verification, the module provides the hook function that verifies the application's permission and allows or denies the requested permission.
The application's kernel-side process is connected with the application's user-space program and provides the system call interface used when the user-space program performs functions including, but not limited to, process start-up, network connection, file access and device access.
The invention also provides a software permission control method, comprising the following steps:
Step S1: the system starts, and the kernel policy management module receives the software authorization policy rules issued by the visual security policy management tool;
Step S2: during application start-up, the security domain initialisation hook function in the security subsystem hook function module reads the object security label of the executable file and converts it into the subject security label according to the security domain conversion rule;
Step S3: when the application's kernel-side process determines that a permission must be queried, the security subsystem hook function module calls out from the kernel to the user-space visual authorization program module to guide the user in choosing an authorization policy, and the security file system module delivers the policy rule that the user has set for the running software package, as collected by the visual authorization program module, to the kernel policy management module;
Step S4: the kernel policy management module stores the software authorization policy rules, the unique identity of each software package and the user-set policy rules corresponding to that identity in an access vector cache;
Step S5: the security subsystem hook function module calls the kernel policy management module interface to perform the relevant permission verification, and calls the security domain conversion module interface to perform security domain conversion.
The software permission control system and method based on the Linux operating system are simple to operate, low in maintenance cost, user friendly and low in performance overhead: a convenient and fast permission control system and method suited to ordinary users.
Drawings
FIG. 1: summary of the SELinux strict policy rules in the prior art.
FIG. 2: software architecture block diagram of the permission control system of the invention.
Detailed Description
To further explain the technical solution and advantages of the present invention, a detailed description is given below with reference to the accompanying drawings.
In view of the problems of the prior art, the invention provides a software permission control system based on the Linux operating system. The general idea is to use the LSM security subsystem architecture in the kernel layer together with a visual security policy management tool in user space, so as to provide a simple, convenient, easy-to-use and efficient MAC- and RBAC-based permission control method and system.
The invention is developed from the following conception:
1. Simplifying the subject and object security domains: software packages are taken as the basis for dividing roles; each software package is allocated a unique software identifier (SID), which serves as the sole identifier for permission verification.
2. Simplifying the software authorization rules: system operation permissions are expressed as permission types that users readily understand, such as execution permission, networking permission, device access permission and file operation permission, and the policy rules of a software package are formulated in terms of its SID, which greatly simplifies the policy rules.
3. Automating the security domain conversion rules: using the parent-child process and process group relationships of Linux, a general security domain conversion rule is implemented, so that no security domain conversion entries need to be added to the policy rules. At the same time, to cope with the richness and complexity of operating systems and programs, security domain conversion in certain special scenarios is controlled through the interpreter identifier in the object label.
4. Optimising the user experience: with the visual security policy management tool the user can manage the authorization of their software packages in one place, adding and removing permissions for a given package. By adding a hook to the package installation manager, a software identifier (SID) is allocated automatically to each newly installed package and its object label is generated automatically, and the visual authorization program pops up a dynamic authorization interface to guide the user in setting the permission state of newly installed software. The whole system is therefore very simple and easy to use.
Fig. 2 is the software architecture block diagram of the software permission control system based on the Linux operating system according to the invention. The system comprises a user space and a kernel space. When a user-space process starts a process, connects to the network, accesses a file or accesses a device, it reaches kernel-space resources through system calls, and when a permission is to be obtained in kernel space, the hook function of the security subsystem hook function module is called to verify that permission. The user space comprises the visual authorization program module and the visual security policy management tool; the kernel space comprises the security subsystem hook function module, the security file system module, the kernel policy management module and the security domain conversion module. The functions of the modules and their cooperation are detailed below.
1. Visual security policy management tool
The visual security policy management tool displays, in an interface, all software packages installed on the current operating system together with the authorization state of their execution, networking, device access and file operation permissions; the user grants or revokes a permission for a package with a simple interface switch. The tool issues the software authorization policy rules to the kernel policy management module through a kernel/user-space communication mechanism.
Unlike the refined, specialised permissions of SELinux, the software authorization policy rules of the invention express software permissions according to service function, as follows:
Execution permission: whether the user is permitted to run the software.
Networking permission: whether the software is permitted to connect to the Internet while running.
Device access permission: whether the software is permitted to access a given device while running; it can be further refined according to service function into camera access, microphone access, loudspeaker access, screen capture and similar permissions.
File operation permission: whether the software is permitted to operate on a special file or directory while running. It can be further refined according to service function into operation permissions on the basic software and basic library files that affect system start-up and safe operation, and into customised permissions such as operation permission on the user's private directories.
In a preferred embodiment of the invention, the visual security policy management tool uses Qt for the human-computer interface, which shows the software name, software icon and permission authorization state; the user turns a given permission of a given piece of software on or off with a switch button. The software identifiers and their authorization policy rules are stored with sqlite3, and the software authorization policy rules are issued to the kernel policy management module over netlink.
2. Visual authorization program module
The visual authorization program module provides a visual dynamic authorization interface that tells the user which permission the current program is requesting; the user can choose options such as deny or allow this time. When a software process in kernel space reaches a permission audit hook function of the security subsystem and that permission is set to query mode, the user-space visual authorization program module is invoked to prompt the user for an authorization choice, and the user's choice is written through the security file system module into the access vector cache of the kernel policy management module, updating the software's authorization state.
In a preferred embodiment of the invention, the visual authorization program module uses Qt for the human-computer interface, offers the user the software authorization options, and uses the security file system as the communication channel for delivering the software authorization policy chosen by the user to the kernel policy management module.
It should be noted that both the visual security policy management tool and the visual authorization program module write software authorization policy rules, and both write into the access vector cache of the kernel policy management module. The difference is that the visual security policy management tool actively issues the software policy at system start, and the issued policy may be allow, deny or query, whereas the visual authorization program module is passive: when running software requests a permission that is in query mode, the kernel space pops up the visual authorization program's dialog to tell the user which permission is being requested, so that the user can decide whether to authorize it.
3. Kernel policy management module
The kernel policy management module receives the software authorization policy rules issued by the user-space visual security policy management tool, receives the policy rules the user sets through the visual authorization program module and the security file system module, and provides the security subsystem hook function module with an interface for verifying software authorization. During operating system start-up, the user-space visual security policy management tool issues the software authorization policy rules set by the user, and the kernel policy management module stores them in the access vector cache on receipt. While a software process runs, the security subsystem hook functions are triggered, and the permission audit hook function queries the access vector cache to determine whether the process holds the permission.
In a preferred embodiment of the invention, the kernel policy management module builds the access vector cache as a hash lookup table and provides interfaces for verifying and setting software permissions, which improves query efficiency.
4. Security subsystem hook function module
When the system is started for the first time, the software package manager scans the whole disk for the application programs in the system, allocates a software identifier to each application software package and writes it into the security file label in the file's extended attributes; the interpreter identifier is also written at this stage. For software packages the user installs later, the package manager calls an interface provided by the visual security policy management tool during installation, allocates a unique identity and writes it into the object security label of the file.
The dedicated security module of the invention is registered in the security subsystem hook function module, and permission verification, security domain conversion and related functions are performed in the individual hook functions.
Specifically, when a system application starts, the security subsystem hook function module reads the security file label through the security-domain-related function and converts the object security label into the subject security label according to the security domain conversion rule, calling the security domain conversion module interface to perform the conversion.
The unique identity in the label corresponds to the permissions set by the user and is the basis for verifying the software's permissions.
Specifically, when the application's kernel-side process requires permission verification, the security subsystem hook function module calls the kernel policy management module interface to obtain the software package's identity and authorization policy rules, performs the relevant permission verification in the hook function, and allows or denies the requested permission.
The security subsystem hook function module is also connected with the visual authorization program module in user space, and when a permission request is encountered while a program runs, it calls out from the kernel to the user-space visual authorization program module to guide the user in choosing an authorization policy.
The unique identification of each software package includes a subject security label and an object security label, wherein
the object security label consists of the following four parts:
an object software identifier, an object interpreter identifier, a device type identifier and a special file identifier.
Software identifier (SID): takes the software package as the basic unit, divides roles, and assigns each package a unique identifier that serves as the sole key for permission control.
Interpreter identifier: in special scenarios where the general security domain conversion rule cannot be applied, an interpreter identifier must be added so that security domain conversion is performed correctly. Interpreter identifiers are divided into general interpreter identifiers and special interpreter identifiers, described in detail below under the security domain conversion module.
Device type identifier: a device type identifier is added to special device node files, so that software can access the device node only with the corresponding device access authorization.
Special file identifier: a special file identifier is added to files with special operation control requirements, so that software can operate on such files only with the corresponding special file operation authorization.
The device type identifier and the special file identifier are the security identifiers of pure object files. A pure object file differs from an executable program file: an executable object file can be run and loaded into a subject process, whereas a pure object file is not executable and can never become a subject process; it exists only to be accessed by subjects.
For example, a picture may be accessed by a picture viewer process. We stamp a special file identifier on the picture, meaning that a program needs the corresponding special file permission to access it, and we stamp a device type identifier on a device node, for example a camera type identifier, so that a program can access that device node only if it holds the camera access permission. Accordingly, the kernel policy management module records that the picture viewer (by its SID) may view files carrying the picture special file identifier. When the picture viewer process actually accesses a file with the picture special file identifier, the file-access-checking hook function in the kernel security subsystem hooks function module queries whether that SID holds the picture viewing permission.
The subject security label consists of two parts: a subject software identifier and a subject interpreter identifier.
Subject software identifier: indicates the software identifier to which the process subject belongs; the process's permissions are determined by the policy rules corresponding to the subject software identifier.
Subject interpreter identifier: indicates which interpreter type the process subject belongs to; the interpreter type determines which conversion rule the subject's security domain conversion follows.
In a preferred embodiment of the invention, the security subsystem hooks function module implements its functions through the following hook functions:
implementing the bprm_set_creds hook function to convert the security domain context (in Linux 5.9 and later this hook was split into bprm_creds_for_exec and bprm_creds_from_file, so a port to a current kernel registers those instead);
implementing the file_permission hook function to check special file operation permissions and device file permissions (this hook runs on each read or write of an already open file, so a check that must happen once at open time belongs in the file_open or inode_permission hook);
implementing the mmap_file hook function to check execution permission;
implementing the socket_sendmsg and socket_recvmsg hook functions to check networking permission.
Security domain conversion module
The security domain conversion module provides a security domain conversion interface that the security subsystem hooks function module calls wherever a security domain conversion is required. Depending on the interpreter identifier in the process's subject security label, three different security domain conversion rules apply:
(1) General security domain conversion rule: if the subject security label of a process contains no interpreter identifier, its security domain conversion follows the general rule. This rule is derived by analysing the inheritance relationships among a series of ids, such as the process id, the process group id, the parent process id, the parent's process group id and the parent process id of the process group leader, and forms a set of generally applicable conversion rules.
(2) General interpreter security domain conversion rule: if the subject security label of a process contains the general interpreter identifier, its security domain conversion follows the general interpreter rule, which uses the software identifier in the security label of the currently loaded object executable file as the subject software identifier after conversion.
(3) Special interpreter security domain conversion rules: if the subject security label of a process contains a special interpreter identifier, its security domain conversion follows the rule for that particular interpreter. There may be several special interpreter types, each with its own conversion rule. For example, the subject of a virtual machine process can be classified under a special interpreter identifier type; when such a process loads a program that runs inside the virtual machine, the security domain must be converted to the software identifier of that program so that permission control applies to it. The special point is that the path of the program file loaded by the virtual machine is usually virtualized and is not the real absolute path of the file in the host system (for example, when a Windows program is run in a virtualized manner on the Linux operating system, the path of the object executable file is typically C:/program files/xxx/xxx.exe, which is not its real absolute path on Linux). The absolute path of the program on the host must therefore be restored by analysing the mapping between virtual machine paths and host paths, so that the object label of the executable file can be obtained and the security domain converted. In the invention, the real absolute path of the executable file is restored by parsing the process's environment, extracting information from cwd, cmdline, or environment variables specific to the virtual machine (for example XX_button).
Sixth, security file system module
The security file system module implements security file system initialization, creation of the security file system files, and registration of the file read/write hook functions. Its main purpose is data transfer between user space and kernel space. Through it, the user-space visual security policy management tool can read and set each functional state of the kernel-space security subsystem, and the visual authorization program module can write a given software authorization policy rule into the access vector cache of the kernel policy management module.
When the security subsystem hooks function module needs the user to make an authorization choice, it calls the out-of-kernel visual authorization program module through call_usermodehelper to present a permission selection interface, but the detailed data of the specific permission request (the name of the software package being authorized, its SID, which permission is requested, and so on) is passed to the visual authorization program module through the security file system module.
In a preferred embodiment of the invention, the security file system module:
1) creates a status file with the securityfs_create_file function; the user-space visual security policy management tool reads and sets the functional state of the security subsystem by operating on the status file;
2) creates an auth file with the securityfs_create_file function; the user-space visual authorization program writes software authorizations into the access vector cache of the kernel policy management module by operating on the auth file. Since anything that can write the auth file can grant permissions, the file's mode must restrict writes to the privileged identity the authorization program runs under.
Examples corresponding to each of the above embodiments are as follows:
First, an example of subject and object security labels
An example of a subject security label of the invention: software identifier and interpreter identifier;
an example of an object security label of the invention: software identifier, interpreter identifier, device type identifier and special file identifier.
The fields are defined as follows:
Software identifier: described by a uint32_t integer: 0 is an invalid value, 1-10 are reserved for kernel use, and values from 11 upward are allocated sequentially to software programs.
Interpreter identifier: described by a uint8_t integer: 0 is the general program type, 1 the general interpreter type, 2 the virtual machine interpreter type; 3 and above are reserved.
Device type identifier: described by a uint8_t integer: 0 is an invalid value, 1 camera device, 2 microphone device, 3 loudspeaker device, 4 graphics driver device, 5 USB storage device; 6 and above are reserved.
Special file identifier: described by a uint8_t integer: 0 is an invalid value, 1 user directory, 2 documents directory, 3 pictures directory, 4 audio directory, 5 downloads directory, 6 desktop directory, 7 configuration file directory, 8 system library directory, 9 system log directory, 10 system boot directory; 11 and above are reserved.
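As an added illustration, not code from the patent or from the Kirin product, the following C program models the object security label defined above: it packs the four fields (uint32_t SID plus three uint8_t identifiers) into a byte string of the kind the package manager would store in a file's extended attribute, parses such a value back while rejecting reserved codes, distinguishes pure object files from executables, and allocates SIDs sequentially from 11. The 7-byte little-endian layout, the enum names and the absence of an xattr name are assumptions; the patent text gives only the field types and value ranges.

```c
#include <stdint.h>
#include <stddef.h>

#define SID_INVALID        0u
#define SID_FIRST_SOFTWARE 11u   /* 1-10 are reserved for kernel use */

/* Value codes exactly as the label field definitions list them. */
enum interp_id  { INTERP_NONE = 0, INTERP_GENERIC = 1, INTERP_VM = 2 };
enum dev_type   { DEV_NONE = 0, DEV_CAMERA = 1, DEV_MIC = 2, DEV_SPEAKER = 3,
                  DEV_GRAPHICS = 4, DEV_USB_STORAGE = 5 };
enum special_id { SPEC_NONE = 0, SPEC_USER_DIR = 1, SPEC_DOCUMENTS = 2,
                  SPEC_PICTURES = 3, SPEC_AUDIO = 4, SPEC_DOWNLOADS = 5,
                  SPEC_DESKTOP = 6, SPEC_CONFIG = 7, SPEC_SYSLIB = 8,
                  SPEC_SYSLOG = 9, SPEC_BOOT = 10 };

/* Object security label: the four fields the text defines, with its widths. */
struct object_label {
    uint32_t sid;       /* object software identifier */
    uint8_t  interp;    /* object interpreter identifier */
    uint8_t  dev_type;  /* device type identifier (device nodes) */
    uint8_t  special;   /* special file identifier (pure object files) */
};

#define OBJ_LABEL_LEN 7u   /* assumed xattr layout: 4 + 1 + 1 + 1 bytes */

/* Serialise the label as little-endian bytes so the stored form does not
 * depend on the host byte order. Returns the number of bytes written. */
size_t object_label_pack(const struct object_label *l, uint8_t out[OBJ_LABEL_LEN])
{
    out[0] = (uint8_t)l->sid;
    out[1] = (uint8_t)(l->sid >> 8);
    out[2] = (uint8_t)(l->sid >> 16);
    out[3] = (uint8_t)(l->sid >> 24);
    out[4] = l->interp;
    out[5] = l->dev_type;
    out[6] = l->special;
    return OBJ_LABEL_LEN;
}

/* Parse an xattr value back into a label. Returns -1 for a wrong length or a
 * reserved code in any field: a parser that silently accepted reserved codes
 * would let a crafted xattr carry a meaning the policy never defined. */
int object_label_unpack(const uint8_t *in, size_t len, struct object_label *l)
{
    if (len != OBJ_LABEL_LEN)
        return -1;
    l->sid = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
             ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
    l->interp   = in[4];
    l->dev_type = in[5];
    l->special  = in[6];
    if (l->interp > INTERP_VM || l->dev_type > DEV_USB_STORAGE ||
        l->special > SPEC_BOOT)
        return -1;
    return 0;
}

/* A pure object file (picture, device node) carries a device type or special
 * file identifier and can never become a subject; an executable object file
 * carries a software identifier instead. */
int object_label_is_pure_object(const struct object_label *l)
{
    return l->dev_type != DEV_NONE || l->special != SPEC_NONE;
}

/* Sequential SID allocation as the package manager would perform it: 0 is
 * invalid and 1-10 belong to the kernel, so software starts at 11. Returns
 * SID_INVALID when the space is exhausted rather than wrapping onto a value
 * that another package already holds. */
uint32_t sid_allocate(uint32_t *next)
{
    if (*next < SID_FIRST_SOFTWARE)
        *next = SID_FIRST_SOFTWARE;
    if (*next == UINT32_MAX)
        return SID_INVALID;
    return (*next)++;
}
```

In a real module the unpack routine is the trust boundary: the label is read from storage that an administrator (or anyone who can write the xattr namespace) controls, so it should fail closed on anything it does not recognise rather than treating an unknown code as a harmless zero.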
Second, an example of software permissions
An example of the software permissions of the invention comprises the following types: execution permission, networking permission, camera access permission, loudspeaker access permission, microphone access permission, graphics device access permission, USB storage device access permission, user directory operation permission, documents directory operation permission, pictures directory operation permission, audio directory operation permission, downloads directory operation permission, desktop directory operation permission, configuration file directory operation permission, system library directory operation permission, system log directory operation permission and system boot directory operation permission.
Each permission is encoded in two bits: 00 no permission, 01 authorized, 10 ask the user, 11 reserved.
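As an added example, not the patent's or the product's own code, the C program below models the two-bit permission encoding and the checks the hook functions perform: a SID-keyed policy table stands in for the kernel's access vector cache, the device type and special file identifiers of an object label select the permission that the file_permission hook consults (this is the picture viewer scenario above), and mmap_file and the socket hooks map onto execution and networking permission. The enum order, the hook-to-permission mapping and the fail-closed handling of unknown SIDs and the reserved 11 value are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* The two-bit values from the text. */
enum perm_value { PERM_NONE = 0, PERM_GRANTED = 1, PERM_ASK_USER = 2, PERM_RESERVED = 3 };

/* One entry per permission in the list above; each occupies two bits. */
enum perm_id {
    P_EXECUTE = 0, P_NETWORK,
    P_DEV_CAMERA, P_DEV_SPEAKER, P_DEV_MIC, P_DEV_GRAPHICS, P_DEV_USB_STORAGE,
    P_DIR_USER, P_DIR_DOCUMENTS, P_DIR_PICTURES, P_DIR_AUDIO, P_DIR_DOWNLOADS,
    P_DIR_DESKTOP, P_DIR_CONFIG, P_DIR_SYSLIB, P_DIR_SYSLOG, P_DIR_BOOT,
    P_COUNT
};
typedef uint64_t perm_word_t;   /* 17 permissions * 2 bits = 34 bits */

perm_word_t perm_set(perm_word_t w, enum perm_id p, enum perm_value v)
{
    unsigned shift = 2u * (unsigned)p;
    return (w & ~((perm_word_t)3 << shift)) | ((perm_word_t)(v & 3) << shift);
}
enum perm_value perm_get(perm_word_t w, enum perm_id p)
{
    return (enum perm_value)((w >> (2u * (unsigned)p)) & 3);
}

/* Label codes -> permission bit. Device type 1..5 and special file 1..10
 * follow the field definitions; anything else is reserved and refused. */
int perm_for_device(uint8_t dev_type, enum perm_id *out)
{
    switch (dev_type) {
    case 1: *out = P_DEV_CAMERA;      return 0;
    case 2: *out = P_DEV_MIC;         return 0;
    case 3: *out = P_DEV_SPEAKER;     return 0;
    case 4: *out = P_DEV_GRAPHICS;    return 0;
    case 5: *out = P_DEV_USB_STORAGE; return 0;
    default: return -1;
    }
}
int perm_for_special(uint8_t special, enum perm_id *out)
{
    if (special < 1 || special > 10)
        return -1;
    *out = (enum perm_id)(P_DIR_USER + (special - 1));
    return 0;
}

/* Policy table keyed by SID (a stand-in for the access vector cache). */
struct policy_entry { uint32_t sid; perm_word_t perms; };
#define POLICY_MAX 16
struct policy { struct policy_entry e[POLICY_MAX]; size_t n; };

int policy_set(struct policy *p, uint32_t sid, perm_word_t perms)
{
    for (size_t i = 0; i < p->n; i++)
        if (p->e[i].sid == sid) { p->e[i].perms = perms; return 0; }
    if (p->n == POLICY_MAX)
        return -1;
    p->e[p->n].sid = sid;
    p->e[p->n].perms = perms;
    p->n++;
    return 0;
}
const struct policy_entry *policy_find(const struct policy *p, uint32_t sid)
{
    for (size_t i = 0; i < p->n; i++)
        if (p->e[i].sid == sid)
            return &p->e[i];
    return NULL;
}

enum decision { DECIDE_DENY = 0, DECIDE_ALLOW = 1, DECIDE_ASK_USER = 2 };

/* Decision for one permission. An unknown SID and the reserved value both
 * deny (fail closed); 10b returns ASK_USER so the caller can defer to the
 * user-space authorization program. */
enum decision check_perm(const struct policy *p, uint32_t subject_sid, enum perm_id perm)
{
    const struct policy_entry *e = policy_find(p, subject_sid);
    if (!e)
        return DECIDE_DENY;
    switch (perm_get(e->perms, perm)) {
    case PERM_GRANTED:  return DECIDE_ALLOW;
    case PERM_ASK_USER: return DECIDE_ASK_USER;
    default:            return DECIDE_DENY;
    }
}

/* file_permission model: the object's device type or special file identifier
 * selects the permission; a file carrying neither is not mediated here. */
enum decision check_file_access(const struct policy *p, uint32_t subject_sid,
                                uint8_t dev_type, uint8_t special)
{
    enum perm_id perm;
    if (dev_type != 0)
        return perm_for_device(dev_type, &perm) < 0 ? DECIDE_DENY
                                                    : check_perm(p, subject_sid, perm);
    if (special != 0)
        return perm_for_special(special, &perm) < 0 ? DECIDE_DENY
                                                    : check_perm(p, subject_sid, perm);
    return DECIDE_ALLOW;
}

/* mmap_file (PROT_EXEC) and socket_sendmsg/recvmsg models. */
enum hook_kind { HOOK_MMAP_EXEC, HOOK_SOCKET_SENDMSG, HOOK_SOCKET_RECVMSG };
enum decision check_hook(const struct policy *p, uint32_t subject_sid, enum hook_kind h)
{
    switch (h) {
    case HOOK_MMAP_EXEC:      return check_perm(p, subject_sid, P_EXECUTE);
    case HOOK_SOCKET_SENDMSG:
    case HOOK_SOCKET_RECVMSG: return check_perm(p, subject_sid, P_NETWORK);
    }
    return DECIDE_DENY;
}
```

Returning a distinct ASK_USER result rather than blocking inside the check matters in the kernel: the hook runs in the context of the requesting process, and the decision to call out to user space (and to cache the answer so the prompt is not repeated on every read) belongs to the caller, not to the lookup.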
Third, an example of the security domain conversion module
General security domain conversion rules:
1) when the pid of the process equals its process group id, or its parent process is 1, or its parent process id equals the parent process id of the process group leader, the software identifier in the object security label of the loaded executable file is used as the software identifier in the process's subject security label;
2) when the parent process id of the process equals its process group id, or the process's process group id equals the process group id of its parent, the software identifier in the process's subject security label is inherited from the subject security label of its parent.
General interpreter security domain conversion rule: if the subject security label of the process's parent contains the interpreter identifier, the process directly uses the software identifier in the object security label of the loaded executable file as the software identifier in its subject security label.
Virtual machine special interpreter security domain conversion rule: if the subject security label of the parent contains the virtual machine interpreter identifier, the process uses the software identifier in the object security label of the executable file run by the virtual machine as its subject software identifier. One method of converting the virtual machine executable path to the real absolute path on the host is as follows: parse the environment of the process and find the two variables cwd and cmdline; the value of cmdline is the virtualized path of the executable inside the virtual machine (such as C:/Program Files/xxx/xxx.exe) and the value of cwd is the directory on the host from which the executable runs (/home/xxx/vm/xxx/xxx/); the absolute path of the executable on the host is restored from the xxx.exe suffix of cmdline together with all or part of the cwd path, and from that file the software identifier in the object label of the executable is obtained.
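As an added example, not code from the patent, the C program below implements the three conversion rules as stated in this section and in the security domain conversion module description above, as a user-space model: the general rule's clauses on pid, pgid and ppid, the general interpreter rule, and the virtual machine rule including the cwd/cmdline path restoration. The order in which the general rule's clauses are tested, the denial when no clause matches, copying the executable's interpreter identifier into the new subject label, and the sample paths (/home/alice/vm/foo, C:/Program Files/Foo/foo.exe) are assumptions and constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum interp_id { INTERP_NONE = 0, INTERP_GENERIC = 1, INTERP_VM = 2 };

struct subject_label { uint32_t sid; uint8_t interp; };
struct object_label  { uint32_t sid; uint8_t interp; uint8_t dev_type; uint8_t special; };

/* The ids the general rule reasons about. */
struct proc_ids {
    int pid, pgid, ppid;
    int parent_pgid;        /* process group id of the parent */
    int pgid_leader_ppid;   /* parent process id of the process group leader */
};

/* General rule: 1 = take the SID of the loaded executable, 2 = inherit the
 * parent's SID, 0 = neither clause of the text matches. Clause 1 is tested
 * first (assumption: the text does not say which wins when both hold). */
int general_rule(const struct proc_ids *p)
{
    if (p->pid == p->pgid || p->ppid == 1 || p->ppid == p->pgid_leader_ppid)
        return 1;
    if (p->ppid == p->pgid || p->pgid == p->parent_pgid)
        return 2;
    return 0;
}

/* Security domain conversion at exec time. `cur` is the subject label the
 * process holds before exec (inherited from its parent at fork, so it is the
 * parent's label the text refers to); `exe` is the object label of the file
 * being loaded, which for the VM case the caller has already looked up at the
 * path returned by restore_vm_path(). Returns -1 when no rule yields a SID;
 * failing open there would run an unlabeled program under the old SID. */
int convert_domain(const struct proc_ids *p, const struct subject_label *cur,
                   const struct object_label *exe, struct subject_label *out)
{
    out->interp = exe->interp;   /* assumption: new subject takes the exe's interpreter type */
    switch (cur->interp) {
    case INTERP_GENERIC:
    case INTERP_VM:
        out->sid = exe->sid;     /* rules (2) and (3): the loaded file's own SID */
        break;
    default:
        switch (general_rule(p)) {
        case 1:  out->sid = exe->sid; break;
        case 2:  out->sid = cur->sid; break;
        default: return -1;
        }
    }
    return out->sid != 0 ? 0 : -1;
}

/* VM case: cmdline holds the guest path, cwd the host directory the guest
 * program runs from. Joins cwd with the last component of cmdline, accepting
 * '/' or '\' as separator. Returns -1 for an empty or "."/".." basename or
 * if the result does not fit, so a malformed cmdline never yields a path. */
int restore_vm_path(const char *cwd, const char *cmdline, char *out, size_t outlen)
{
    const char *base = cmdline;
    for (const char *s = cmdline; *s; s++)
        if (*s == '/' || *s == '\\')
            base = s + 1;
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    size_t cl = strlen(cwd);
    int need_sep = cl > 0 && cwd[cl - 1] != '/';
    int n = snprintf(out, outlen, "%s%s%s", cwd, need_sep ? "/" : "", base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Both cwd and the argument vector are chosen by the process that calls execve, so the restored path only tells the module which file's label to consult; the label must then be read from that file, and the module should not accept a SID from the strings themselves.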
The above embodiments show that the invention significantly improves on the selinux permission control system in the following respects:
1. Simplified policy settings
The policy rules of the invention use the software identifier as the sole key of a policy rule, and permissions are grouped by business function into execution permission, device operation permission, networking permission and file operation permission, so that a user can readily understand their meaning and conveniently set the permission policy rules for a given piece of software.
Security domain conversion rules are divided into the general rule, the general interpreter rule and the special interpreter rules. In most cases the general rule and the general interpreter rule serve as the default conversion rules for software. Only when the default rules fail is a special interpreter identifier set and a special conversion rule designed. The special interpreter rules already cover special scenarios such as virtual machines, so new conversion rules need be designed only where the existing special interpreter rules fail. This greatly reduces the likelihood that users must set security domain conversion rules themselves and so simplifies policy configuration for conversion rules.
Compared with the selinux strict policy, the total number of policy rules of the invention is kept to about 2000-.
2. User-friendly experience
Software permissions are managed through the user-space visual security policy management tool, which also displays the functional state of the kernel security subsystem.
A hook added to the package manager assigns software identifiers to newly installed software automatically, reducing manual intervention by the user.
The visual authorization program guides the user through authorizing newly installed software; operation is simple and the learning cost low.
3. Low system performance overhead
Compared with selinux, the invention reduces system performance overhead through the following measures:
(1) simplifying the policy rules and reducing their total number: the total number of policy rules is about 1/20 of that of selinux, and the software identifier is the unique lookup key, which improves policy rule lookup efficiency and reduces overhead;
(2) simplifying the security domain conversion rules: the invention combines a generally applicable general conversion rule with conversion rules for special scenarios. In most cases programs use the general rule as the default, and only in a few cases do programs need specially designed rules. This greatly reduces the number of security domain conversion rules, saves policy lookup time and reduces overhead.
Although the invention has been described with reference to the above preferred embodiments, it should be understood that its scope is not limited thereto, and those skilled in the art can make various changes and modifications without departing from the scope of the invention.

Claims (8)

1. A software permission control system based on the Linux operating system, comprising a user space and a kernel space, characterized in that:
the user space comprises a visual authorization program module and a visual security policy management tool, wherein
the visual authorization program module provides the user with a visual dynamic authorization interface and writes the user's authorization choice into the kernel space;
the visual security policy management tool displays all software packages installed on the current operating system together with their permissions, and issues software authorization policy rules to the kernel space;
the kernel space comprises a security subsystem hooks function module, a security file system module, a kernel policy management module and a security domain conversion module, wherein
the security subsystem hooks function module is connected with the visual authorization program module of the user space and, when a permission request is encountered while a program runs, calls the out-of-kernel visual authorization program module through the kernel to guide the user in choosing an authorization policy; it also performs permission verification and security domain conversion for each software package based on the package's unique identity and the policy rules set by the user;
the security domain conversion module is connected with the security subsystem hooks function module and provides a security domain conversion interface;
the security file system module is connected with the kernel policy management module and with the visual authorization program module of the user space, receives the user's authorization choice from the visual authorization program module and writes it into the kernel policy management module;
the kernel policy management module is also connected with the visual security policy management tool of the user space and receives software authorization policy rules from it;
the security file system module is also connected with the security subsystem hooks function module and passes data to the user through the security file system module when the security subsystem hooks function module calls the out-of-kernel visual authorization program module through the kernel to guide the user in choosing an authorization policy.
2. The Linux operating system based software permission control system of claim 1, wherein:
the unique identification of the software package comprises a subject security label and an object security label, wherein
the subject security label comprises only a subject software identifier, or comprises both a subject software identifier and a subject interpreter identifier;
the object security label comprises an object software identifier, an object interpreter identifier, a device type identifier and a special file identifier, or comprises an object software identifier, a device type identifier and a special file identifier;
the subject software identifier and the object software identifier are the unique identifiers by which permission control is performed on the software; the subject interpreter identifier and the object interpreter identifier provide the correct security domain conversion rule in scenarios where the general security domain conversion rule cannot be applied.
3. The Linux operating system based software permission control system of claim 2, wherein the security domain conversion module provides three security domain conversion rules:
a general security domain conversion rule, applied when the subject security label of the process contains no interpreter identifier;
a general interpreter security domain conversion rule, applied when the subject security label of the process contains the general interpreter identifier;
and a special interpreter security domain conversion rule, applied when the subject security label of the process contains a special interpreter identifier.
4. The Linux operating system based software permission control system of claim 2, wherein the permissions of the software package include:
execution permission, which determines whether the user has permission to run the corresponding software;
networking permission, which determines whether the corresponding software has permission to connect to the Internet while running;
device access permission, which determines whether the corresponding software has permission to access a given device while running;
file operation permission, which determines whether the corresponding software has permission to operate on a special file or directory while running.
5. The Linux operating system based software permission control system of claim 1, wherein the security file system module is also connected with the visual security policy management tool of the user space, so that the visual security policy management tool can read or set each functional state of the kernel-space security subsystem through the security file system module.
6. The Linux operating system based software permission control system of claim 1, wherein the security subsystem hooks function module is also connected with the kernel process of the application software in the kernel space and provides hook functions that perform permission verification on the application software when its kernel process requires it, allowing or denying the application software's kernel process the related permissions.
7. The Linux operating system based software permission control system of claim 6, wherein the application software kernel process is connected with the application software user space and provides the system call interface through which the application's user-space program implements functions including but not limited to process start-up, network connection, file access and device access.
8. A software permission control method, characterized by comprising the following steps:
step S1: the program starts, and the kernel policy management module receives the software authorization policy rules issued by the visual security policy management tool;
step S2: during application start-up, the security-domain initialization hook function in the security subsystem hooks function module reads the object security label of the executable file and completes the conversion from object security label to subject security label according to the security domain conversion rule;
step S3: when the kernel space of the application determines that the program needs to ask for a permission, the security subsystem hooks function module calls the out-of-kernel visual authorization program module through the kernel to guide the user in choosing an authorization policy, and the security file system module delivers the policy rule that the visual authorization program module obtained from the user's choice for the running software package to the kernel policy management module;
step S4: the kernel policy management module stores the software authorization policy rules, the unique identity of each software package and the user-set policy rules corresponding to each unique identity in an access vector cache;
step S5: the security subsystem hooks function module calls the kernel policy management module interface to perform the relevant permission verification, and calls the security domain conversion module interface to perform security domain conversion;
in step S2, the subject security label comprises only a subject software identifier, or comprises both a subject software identifier and a subject interpreter identifier;
the object security label comprises an object software identifier, an object interpreter identifier, a device type identifier and a special file identifier, or comprises an object software identifier, a device type identifier and a special file identifier;
the subject software identifier and the object software identifier are the unique identifiers by which permission control is performed on the software; the subject interpreter identifier and the object interpreter identifier provide the correct security domain conversion rule in scenarios where the general security domain conversion rule cannot be applied;
the security domain conversion rule completes the conversion from object security label to subject security label through the following three conversion rules:
a general security domain conversion rule, applied when the subject security label of the process contains no interpreter identifier;
a general interpreter security domain conversion rule, applied when the subject security label of the process contains the general interpreter identifier;
and a special interpreter security domain conversion rule, applied when the subject security label of the process contains a special interpreter identifier.
Application CN202111615380.6A, priority date 2021-12-28, filing date 2021-12-28: Software authority control system and method based on Linux operating system. Status: Active. Publication CN114003941B (en).


Publications (2)

Publication Number Publication Date
CN114003941A CN114003941A (en) 2022-02-01
CN114003941B true CN114003941B (en) 2022-04-05

Family

ID=79932097




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant