CN103593607A - Method and device for file system isolation of host machine and virtual machine - Google Patents

Method and device for file system isolation of host machine and virtual machine

Info

Publication number: CN103593607A
Authority: CN (China)
Prior art keywords: file, host, proc, target, virtual
Legal status: Granted
Application number: CN201310627409.1A
Other languages: Chinese (zh)
Other versions: CN103593607B (en)
Inventor: 魏子然
Current Assignee: Beijing Sohu New Media Information Technology Co Ltd
Original Assignee: Beijing Sohu New Media Information Technology Co Ltd
Legal events: application filed by Beijing Sohu New Media Information Technology Co Ltd; priority to CN201310627409.1A (granted as CN103593607B); publication of CN103593607A; application granted; publication of CN103593607B; current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Abstract

The invention provides a method and device for isolating the file systems of a host machine and a virtual machine. The host uses the FUSE mechanism to create a virtual proc file system and mounts the virtual proc file system under a temporary directory; the host registers callback functions for the target specified files in the virtual proc file system; the host mounts the proc file system into the rootfs of the virtual machine; the host binds each target specified file in the virtual proc file system to the source specified file of the same name in the proc file system; and the host calls the open instruction to open the source specified file. In Linux, a file that the host has opened and is using cannot be deleted or unmounted by the virtual machine, so the virtual machine cannot execute umount to remove the binding between the target specified file and the source specified file, and effective isolation of the host's proc file system is achieved.

Description

Method and apparatus for file system isolation between a host and a virtual machine
Technical field
The present invention relates to the field of computer technology, and in particular to a method and apparatus for file system isolation between a host and a virtual machine.
Background technology
When a virtual machine is run as a Linux container (lxc), the proc file system of the host is mounted directly into the root file system of the virtual machine. The virtual machine and the host therefore use the same proc file system: apart from the per-process files, the files seen by the host and by the virtual machine are identical, and the virtual machine has the same permissions on every file in the proc file system as the host. The virtual machine can thus read and write the proc file system, which can leak host information or cause a kernel panic. For example, when the top command inside the virtual machine reads the /proc/stat file, it shows not only the virtual machine's CPU usage but also the CPU usage of the host; and writing the character c to the /proc/sysrq-irq file from inside the virtual machine can cause a kernel panic on the host, after which the whole system stops running.
To address the information leak in the host, the proc file system of the host is mounted under a temporary directory of the virtual machine, for example tmp/proc; the virtual machine then uses the FUSE mechanism to create a virtual proc file system, executes mount --bind /tmp/proc /proc, and so replaces the host proc file system with the virtual proc file system. When the virtual machine runs the top command and reads the tmp/proc/stat file, the proc file is bound to the virtual proc file, so what is read is the proc file system emulated by FUSE. However, creating the virtual proc file with FUSE requires the command that replaces the host proc file system with the virtual proc file system to be executed in the virtual machine's boot script, and the virtual machine's user can inspect that boot script. The user can then apply the reverse operation to the virtual file system (for mount --bind the reverse operation is umount), which removes the binding between the host proc file system and the virtual proc file system; once it is removed, running the top command again still reveals the host's information. The security of this approach is therefore poor.
To address the host kernel panic, the AppArmor module (rendered "Application Armor" in the original translation) of the Linux kernel is used. AppArmor is a security module in the Linux kernel that can associate each program with a security profile and so restrict the functions of the program. AppArmor can be used to limit the virtual machine's permissions on the /proc/sysrq-irq file so that the virtual machine cannot write to the /proc/sysrq-irq file. However, AppArmor can only be used in versions after Linux 2.6.36 and cannot be used in the Linux 2.6.32 version that is currently mainstream.
Clearly, neither of the above two approaches achieves effective isolation between the host and the virtual machine.
Summary of the invention
In view of this, the invention provides a method and apparatus for file system isolation between a host and a virtual machine: the host creates a virtual proc file system, binds the target specified files in the virtual proc file system to the source specified files in the proc file system mounted in the virtual machine, opens the source specified files, and thereby prevents the reverse operation on the binding. The method can be applied to Linux systems of all versions.
A method for file system isolation between a host and a virtual machine comprises:
the host creating a virtual proc file system with the FUSE mechanism and mounting the virtual proc file system under a temporary directory;
the host registering, in the virtual proc file system, callback functions for a target specified file, the callback functions being used to process the data of the virtual machine;
the host mounting the proc file system into the rootfs of the virtual machine;
the host binding the target specified file in the virtual proc file system to the source specified file in the proc file system, the bound target specified file and source specified file having the same file name;
the host calling the open instruction to open the source specified file.
Optionally, the target specified file comprises:
a target stat file, a target meminfo file and a target sysrq-irq file.
Optionally, the host registering callback functions for the target specified file in the virtual proc file system comprises:
the host registering open, read and write functions for the target stat file in the virtual proc file system, the open, read and write functions being used to open, read and write the CPU usage data of the virtual machine;
the host registering open, read and write functions for the target meminfo file in the virtual proc file system, the open, read and write functions being used to open, read and write the memory and swap partition usage data of the virtual machine;
the host registering open, read and write functions for the target sysrq-irq file in the virtual proc file system, the open, read and write functions being used to open, read and write the data of the target sysrq-irq file.
Optionally, the host binding the target specified file in the virtual proc file system to the source specified file in the proc file system comprises:
the host binding the target stat file in the virtual proc file system to the source stat file in the proc file system;
the host binding the target meminfo file in the virtual proc file system to the source meminfo file in the proc file system;
the host binding the target sysrq-irq file in the virtual proc file system to the source sysrq-irq file in the proc file system.
Optionally, the method further comprises:
when a source specified file in the proc file system mounted in the rootfs of the virtual machine is accessed, the host receiving a request to access the target specified file bound to that source specified file;
the host calling the callback function registered for the target specified file;
the host returning the access result by means of the callback function.
Optionally, when the source specified file is the source stat file or the source meminfo file:
when the source stat file or the source meminfo file in the proc file system mounted in the rootfs of the virtual machine is read, the host receiving a request to read the target stat file bound to the source stat file or the target meminfo file bound to the source meminfo file;
the host calling the read callback function registered for the target stat file or the target meminfo file;
the host returning the result of reading the target stat file or the target meminfo file by means of the read callback function.
Optionally, when the source specified file is the source sysrq-irq file:
when the source sysrq-irq file in the proc file system mounted in the rootfs of the virtual machine is written, the host receiving a request to write the target sysrq-irq file bound to the source sysrq-irq file;
the host calling the write callback function registered for the target sysrq-irq file;
the host writing data to the target sysrq-irq file by means of the write callback function.
An apparatus for file system isolation between a host and a virtual machine comprises:
a virtualization module, for the host to create a virtual proc file system with the FUSE mechanism and mount the virtual proc file system under a temporary directory;
a registration module, for the host to register, in the virtual proc file system, callback functions for a target specified file, the callback functions being used to process the data of the virtual machine;
a mounting module, for the host to mount the proc file system into the rootfs of the virtual machine;
a binding module, for the host to bind the target specified file in the virtual proc file system to the source specified file in the proc file system, the bound target specified file and source specified file having the same file name;
an opening module, for the host to call the open instruction to open the source specified file.
Optionally, the target specified file comprises a target stat file, a target meminfo file and a target sysrq-irq file, and the registration module comprises:
a first registration unit, for the host to register open, read and write functions for the target stat file in the virtual proc file system, the open, read and write functions being used to open, read and write the CPU usage data of the virtual machine;
a second registration unit, for the host to register open, read and write functions for the target meminfo file in the virtual proc file system, the open, read and write functions being used to open, read and write the memory and swap partition usage data of the virtual machine;
a third registration unit, for the host to register open, read and write functions for the target sysrq-irq file in the virtual proc file system, the open, read and write functions being used to open, read and write the data of the target sysrq-irq file.
Optionally, the target specified file comprises a target stat file, a target meminfo file and a target sysrq-irq file, and the binding module comprises:
a first binding unit, for the host to bind the target stat file in the virtual proc file system to the source stat file in the proc file system;
a second binding unit, for the host to bind the target meminfo file in the virtual proc file system to the source meminfo file in the proc file system;
a third binding unit, for the host to bind the target sysrq-irq file in the virtual proc file system to the source sysrq-irq file in the proc file system.
Optionally, the apparatus further comprises:
a receiving module, for the host to receive, when a source specified file in the proc file system mounted in the rootfs of the virtual machine is accessed, a request to access the target specified file bound to that source specified file;
a calling module, for the host to call the callback function registered for the target specified file;
a returning module, for the host to return the access result by means of the callback function. As can be seen from the above, the present invention has the following beneficial effects:
The invention provides a method and apparatus for file system isolation between a host and a virtual machine. The host creates a virtual proc file system with the FUSE mechanism and mounts the virtual proc file system under a temporary directory; the host registers, in the virtual proc file system, callback functions for the target specified file, which process the data of the virtual machine; the host mounts the proc file system into the rootfs of the virtual machine; the host binds the target specified file in the virtual proc file system to the source specified file of the same name in the proc file system; and the host calls the open instruction to open the source specified file. In Linux, a source specified file that the host has opened and is using cannot be deleted or unmounted by the virtual machine, so the virtual machine cannot execute umount to remove the binding between the target specified file in the virtual proc file system and the source specified file in the proc file system, and therefore cannot obtain the source specified file in the proc file system. Moreover, because the invention can be applied to all versions of Linux, it is not restricted by the Linux version, and effective isolation of the host's proc system files is achieved.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of method embodiment one of a host and virtual machine file system isolation method of the present invention;
Fig. 2 is a flow chart of method embodiment two of a host and virtual machine file system isolation method of the present invention;
Fig. 3 is a structural diagram of apparatus embodiment three of a host and virtual machine file system isolation apparatus of the present invention;
Fig. 4 is a structural diagram of apparatus embodiment four of a host and virtual machine file system isolation apparatus of the present invention.
Detailed description
The invention provides a method and apparatus for file system isolation between a host and a virtual machine: the host creates a virtual proc file system, binds the target specified files in the virtual proc file system to the source specified files in the proc file system mounted in the virtual machine, opens the source specified files, prevents the reverse operation on the binding, and so achieves effective isolation of the host's proc file system.
In the prior art, the virtual machine mounts the proc file system of the host under a temporary directory created for the virtual machine, for example tmp/proc; the virtual machine then uses the FUSE mechanism to create a virtual proc file system, executes mount --bind /tmp/proc /proc, and replaces the host proc file system with the virtual proc file system. When the virtual machine runs the top command and reads the tmp/proc/stat file in the proc file system, the stat file in the proc file system is bound to the stat file in the virtual proc file system, so what is read is the stat file in the proc file system emulated by FUSE. However, creating the virtual proc file with FUSE requires the command that replaces the host proc file system with the virtual proc file system to be executed in the virtual machine's boot script, and the virtual machine's user can inspect that boot script. The user can then apply the reverse operation to the virtual file system (for mount --bind the reverse operation is umount) and remove the binding between the host proc file system and the virtual proc file system. The virtual machine can open and close the stat file, meminfo file, sysrq-irq file and so on by itself, and can perform the reverse unbinding operation umount at will.
On the other hand, if a virtual proc file system is created inside the virtual machine and bound to the proc file system mounted in the virtual machine, the cgroup file system must be mounted in the virtual machine. Because the cgroup file system can rewrite the resource limits of the virtual machine, the user could arbitrarily change the virtual machine's operating permissions, which poses a security risk to the whole system.
Furthermore, the prior art addresses the requirement that the sysrq-irq file in the proc file system must not be writable by using the AppArmor mechanism, which cannot be used in all Linux versions and is of limited use on the commonly deployed Linux 2.6.32.
The invention provides a method and apparatus for file system isolation between a host and a virtual machine to solve the technical problems described above. The specific embodiments of the invention are described in detail below with reference to the drawings.
Embodiment one
Fig. 1 is a flow chart of method embodiment one of a host and virtual machine file system isolation method of the present invention. The method comprises:
Step 101: the host creates a virtual proc file system with the FUSE mechanism and mounts the virtual proc file system under a temporary directory.
Filesystem in Userspace (FUSE) is an operating-system concept: a file system implemented entirely in user space. The FUSE mechanism provides an API (Application Programming Interface) for generating user-space file systems.
FUSE can spawn a process that generates a user-space file system to serve application accesses. It also provides an API under which the file system beneath a first directory is mounted under a second directory, so that the file system of the first directory can be accessed through the second directory. Two access modes are used:
Mirror mode: for files in the file system that hold ordinary data, the files of the first directory can be accessed directly from the second directory;
Proxy mode: for files in the file system that hold secure data, access restrictions can be set on the specified files under the first directory, and files in a shielding system replace the specified files so that access to the specified files is isolated.
Under Linux, the host uses the FUSE mechanism to create a virtual proc file system identical to the host's proc file system, creates a temporary directory, and mounts the virtual proc file system under that temporary directory of the host so that the virtual proc files can be accessed.
Step 102: the host registers, in the virtual proc file system, callback functions for the target specified file; the callback functions are used to process the data of the virtual machine.
The host can restrict access to the files in the virtual proc file system it has created by re-registering the callback functions of the target specified files.
The target specified files comprise the target stat file, the target meminfo file and the target sysrq-irq file. It should be noted here that the target specified files refer to the stat file, meminfo file and sysrq-irq file in the virtual proc file system, but are not limited to these three files: callback functions can be re-registered in the virtual proc file system for any file that involves secure data of the host. They are not enumerated one by one here.
Three callback functions, open, read and write, are set for each of the target stat file, the target meminfo file and the target sysrq-irq file. The open and read functions are defined so that only the CPU usage data of the virtual machine and the memory and swap partition usage data of the virtual machine can be opened and read; the data of the host cannot be obtained. The write callback function is defined so that a write to the sysrq-irq file can only write the target sysrq-irq file in the virtual proc file system and cannot write the source sysrq-irq file in the host's proc file system.
The host has re-registered callback functions for the target specified files in the virtual proc file system it created, and those callback functions redefine the access mode and the stored data content of the target specified files in the virtual proc file system.
Step 103: the host mounts the proc file system into the rootfs of the virtual machine.
Step 104: the host binds the target specified file in the virtual proc file system to the source specified file in the proc file system; the bound target specified file and source specified file have the same file name.
The proc file system of the virtual machine is mounted in the rootfs of the virtual machine, and the host binds the source specified file in the proc file system mounted in the virtual machine to the target specified file in the virtual proc file system created by the host. The bound files have the same file name. For example: the target stat file in the virtual proc file system is bound to the source stat file in the proc file system; the target meminfo file in the virtual proc file system is bound to the source meminfo file in the proc file system; the target sysrq-irq file in the virtual proc file system is bound to the source sysrq-irq file in the proc file system.
It should be noted here that "target" and "source" serve mainly to distinguish files in the different proc file systems; in actual use the file names of the stat file, meminfo file and sysrq-irq file are identical in the virtual proc file system and in the proc file system.
For example: after the target specified file in the host's virtual proc file system has been bound to the source specified file in the proc file system mounted in the virtual machine, when the top command is run in the virtual machine to inspect the source stat file in the proc file system, it actually inspects the target stat file, because the source stat file is bound to the target stat file in the host. Step 102 redefined the callback functions of the target stat file, so when the target stat file is inspected the registered callback function is called; it obtains only the CPU usage data of the virtual machine, not the CPU usage data of the host, and returns the virtual machine's CPU usage data.
Step 105: the host calls the open instruction to open the source specified file.
The host has opened and is using the source specified file in the proc file system mounted in the virtual machine. The virtual machine cannot control the host's operations and therefore cannot close a source specified file that the host has opened. Linux stipulates that a file that has been opened and is in use cannot be unmounted or deleted. But reversing the binding between the target specified file in the virtual proc file system and the source specified file in the mounted proc file system from inside the virtual machine would require deleting the target specified file of the virtual proc file system and the source specified file of the proc file system. The virtual machine therefore cannot perform the unbind operation, and effective isolation of the host's proc file system is achieved.
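As an added example (not code from the patent or its assignee), the following Python model plays through steps 101 to 105 and the isolation that results: a FUSE-style virtual proc with host-registered open/read/write callbacks, a bind table from the container's proc paths to the virtual files, and host-held handles that pin the bindings so that a umount issued from the container fails. The class and function names (VirtualProc, MountTable, build_isolation, container_can_unbind), the /tmp/vproc and /rootfs/proc paths and every counter are constructed; the callback bodies are placeholders returning fixed VM figures, and no real mount is performed.

```python
"""Model of the host-side isolation: a FUSE-style virtual proc with registered
callbacks, bind mounts from container proc paths to the virtual files, and
host-held open handles that pin the bindings.  Added example, not the
patent's code; all names, paths and figures below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


class BindError(Exception):
    """Raised when the container tries to remove a binding the host has pinned."""


class VirtualProc:
    """Stand-in for the FUSE file system of step 101.  Each target file has
    open/read/write callbacks registered by the host (step 102)."""

    def __init__(self, mountpoint: str):
        self.mountpoint = mountpoint                      # e.g. /tmp/vproc (constructed)
        self.callbacks: Dict[str, Dict[str, Callable]] = {}
        self.sysrq_log: list = []                         # writes to the target sysrq-irq land here

    def register(self, name: str, open_cb: Callable, read_cb: Callable, write_cb: Callable) -> None:
        self.callbacks[name] = {"open": open_cb, "read": read_cb, "write": write_cb}

    def read(self, name: str) -> bytes:
        cb = self.callbacks[name]
        cb["open"]()
        return cb["read"]()

    def write(self, name: str, data: bytes) -> int:
        cb = self.callbacks[name]
        cb["open"]()
        return cb["write"](data)


@dataclass
class MountTable:
    """Bindings of step 104 plus the host's open handles of step 105.
    host_proc holds constructed host /proc contents that must stay hidden."""
    vproc: VirtualProc
    host_proc: Dict[str, bytes]
    binds: Dict[str, str] = field(default_factory=dict)  # container path -> virtual file name
    pinned: Set[str] = field(default_factory=set)        # container paths the host holds open

    def bind(self, container_path: str, target_name: str) -> None:
        self.binds[container_path] = target_name

    def host_open(self, container_path: str) -> None:
        self.pinned.add(container_path)

    def umount(self, container_path: str, by_container: bool = True) -> None:
        """Linux refuses to unmount or delete a file that is open and in use,
        and the container cannot close handles that the host owns."""
        if by_container and container_path in self.pinned:
            raise BindError(f"umount {container_path}: target is busy")
        self.binds.pop(container_path, None)

    def container_read(self, container_path: str) -> bytes:
        """A read inside the container (top reading /proc/stat).  While the
        binding exists it reaches the virtual file; without it, host data leaks."""
        target = self.binds.get(container_path)
        if target is None:
            return self.host_proc[container_path.rsplit("/", 1)[-1]]
        return self.vproc.read(target)

    def container_write(self, container_path: str, data: bytes) -> int:
        """A write inside the container; unbound, it would reach the host kernel."""
        target = self.binds.get(container_path)
        if target is None:
            name = container_path.rsplit("/", 1)[-1]
            self.host_proc[name] = self.host_proc.get(name, b"") + data
            return len(data)
        return self.vproc.write(target, data)


def build_isolation(vm_cpu_ticks: int, vm_mem_total_kb: int, vm_mem_free_kb: int) -> MountTable:
    """Steps 101 to 105 in order, with constructed VM figures.  A real
    implementation would derive the figures from the container's accounting."""
    vproc = VirtualProc("/tmp/vproc")                                      # step 101
    vproc.register("stat", lambda: None,                                   # step 102
                   lambda: b"cpu  %d 0 0 0 0 0 0 0 0 0\n" % vm_cpu_ticks,
                   lambda data: 0)
    vproc.register("meminfo", lambda: None,
                   lambda: b"MemTotal: %d kB\nMemFree: %d kB\n" % (vm_mem_total_kb, vm_mem_free_kb),
                   lambda data: 0)
    vproc.register("sysrq-irq", lambda: None, lambda: b"",
                   lambda data: (vproc.sysrq_log.append(data), len(data))[1])
    host_proc = {  # constructed host contents; step 103 mounts proc into the container rootfs
        "stat": b"cpu  99999999 0 1234567 88888888 0 0 0 0 0 0\n",
        "meminfo": b"MemTotal: 131072000 kB\nMemFree: 64000000 kB\n",
        "sysrq-irq": b"",
    }
    table = MountTable(vproc, host_proc)
    for name in ("stat", "meminfo", "sysrq-irq"):
        path = f"/rootfs/proc/{name}"
        table.bind(path, name)       # step 104: same file name on both sides
        table.host_open(path)        # step 105: the host keeps the source file open
    return table


def container_can_unbind(table: MountTable, container_path: str) -> bool:
    """Operator check: can the container reverse the binding?  Expected False."""
    try:
        table.umount(container_path)
    except BindError:
        return False
    return True
```

Removing the binding as the host itself (by_container=False) makes the same container read return the host's stat contents, which is exactly the leak that the open handle of step 105 prevents; the corresponding check on a live system is that a umount of the bound file from inside the container reports the target as busy.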
As can be seen from the above, the present invention has the following beneficial effects:
The host creates a virtual proc file system with the FUSE mechanism and mounts the virtual proc file system under a temporary directory; the host registers, in the virtual proc file system, callback functions for the target specified file, which process the data of the virtual machine; the host mounts the proc file system into the rootfs of the virtual machine; the host binds the target specified file in the virtual proc file system to the source specified file of the same name in the proc file system; and the host calls the open instruction to open the source specified file. In Linux, a source specified file that the host has opened and is using cannot be deleted or unmounted by the virtual machine, so the virtual machine cannot execute umount to remove the binding between the target specified file in the virtual proc file system and the source specified file in the proc file system, and therefore cannot obtain the source specified file in the proc file system. Moreover, because the invention can be applied to all versions of Linux, it is not restricted by the Linux version, and effective isolation of the host's proc system files is achieved.
Embodiment bis-
Fig. 2 is a kind of host of the present invention and virtual machine file isolation of system embodiment of the method two process flow diagrams, compares with embodiment mono-, and described method also comprises virtual machine execute file request of access, and described method comprises:
Step 201: host adopts the virtual virtual proc file system of fuse mechanism, and described virtual proc is file system mounted in temp directory.
Step 202: host is at the call back function of described virtual proc file system registration target specified file, and described call back function is for the treatment of the data message of virtual machine.
Step 203: host is file system mounted in the rootfs of virtual machine by proc.
Step 204: host is by the source specified file binding in the target specified file in described virtual proc file system and described proc file system, and the target specified file of described binding is identical with the filename of source specified file.
Step 205: host calls source specified file described in open instruction unpack.
Step 201 is similar with embodiment mono-to step 205, and the description of reference example one, repeats no more here.
Step 206: during source specified file in the roofs of accesses virtual machine in the proc file system of carry, host receives the request of access and the target specified file of source specified file binding.
In virtual machine, use top order can check the service condition of CPU in virtual machine current system, use free order can check internal memory and exchange partition service condition in virtual machine current system.
When virtual machine receives top order, source stat file in accesses virtual machine in the proc file system of carry, due to the target stat file binding in the virtual proc file system of source stat file and host, host receives the request of access destination stat file.
When virtual machine receives free order, source meminfo file in accesses virtual machine in the proc file system of carry, due to the target meminfo file binding in the virtual proc file system of source meminfo file and host, host receives the request of access destination meminfo file.
When virtual machine receives the request that writes sysrq-irq file, source sysrq-irq file in accesses virtual machine in the proc file system of carry, due to the target sysrq-irq file binding in the virtual proc file system of source sysrq-irq file and host, host receives the request that writes target sysrq-irq file.
Step 207: host calls the call back function of described target specified file registration.
In step 201 the host re-registered the callback functions of the target specified files in the virtual proc file system; when it receives a request to access a target specified file, it calls the callback function that corresponds to that target specified file.
When the host receives a request to read the target stat file in the virtual proc file system, it calls the read callback function registered for the target stat file. That read callback is defined to read only the CPU usage data of the virtual machine, and it can only look up the virtual machine's CPU usage data.
When the host receives a request to read the target meminfo file in the virtual proc file system, it calls the read callback function registered for the target meminfo file. That read callback is defined to read only the memory and swap partition usage data of the virtual machine, and it can only look up the virtual machine's memory and swap partition usage data.
When the host receives a request to write the target sysrq-irq file in the virtual proc file system, it calls the write callback function registered for the target sysrq-irq file. That write callback is defined to write only to the target sysrq-irq file in the virtual proc file system; it cannot write to the source sysrq-irq file in the host's proc file system.
It can therefore be seen that when a command accessing the mounted proc file system is executed in the virtual machine, the file actually accessed is the target specified file in the virtual proc file system, because the source specified file in the mounted proc file system is bound to the target specified file in the host's virtual proc file system. Because the host has re-registered the callback functions of the target specified files, those callbacks cannot open or read the data in the stat file or the meminfo file of the host's proc file system and can only access the virtual machine's data; on a write, they cannot write the sysrq-irq file in the host's proc file system and can only write the target sysrq-irq file in the virtual proc file system that the host virtualizes. The host's proc file system is thereby effectively isolated.
Step 208: the host uses the callback function to return the access result.
The host returns the access result to the virtual machine: when the host receives a top command, it returns the virtual machine's CPU usage data to the virtual machine; when it receives a free command, it returns the virtual machine's memory and swap partition usage data; when it receives a write command, it writes the target sysrq-irq file in the virtual proc file system and returns the write result.
As can be seen from the above, the present invention also has the following beneficial effects:
With the effective shielding system that embodiment two establishes on the basis of embodiment one, commands such as top, free and write can be executed without leaking host information, and data cannot be written to the sysrq-irq file in the host's proc file system, so no host kernel panic is caused.
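As an added example, not code from the patent or its assignee, the following fusepy-style Python sketch mirrors the virtual proc of embodiments one and two: each target file (stat, meminfo, sysrq-irq) gets its own registered read/write callback, the read callbacks render only a constructed VM resource view, and a write to the virtual sysrq-irq file stays in a private buffer. The fusepy Operations/FuseOSError API, the VM_STATE figures and the mount point are assumptions; bind-mounting the files over the guest's proc entries is a separate step outside this code.

```python
import errno
import sys
from stat import S_IFDIR, S_IFREG

try:
    from fuse import FUSE, FuseOSError, Operations  # fusepy; assumed only for mounting
except ImportError:  # stand-ins so the callback logic runs without libfuse
    FUSE, Operations = None, object
    class FuseOSError(OSError):
        pass

# Constructed VM accounting (a real deployment would fill this from hypervisor
# or cgroup counters, never from the host's own /proc).
VM_STATE = {
    "cpu": {"user": 1200, "nice": 0, "system": 340, "idle": 98000, "iowait": 12},
    "mem_kb": {"MemTotal": 2097152, "MemFree": 1048576,
               "SwapTotal": 524288, "SwapFree": 524288},
}

def render_stat(state):
    # /proc/stat-shaped text built only from the VM's CPU counters
    c = state["cpu"]
    return ("cpu %d %d %d %d %d 0 0 0 0 0\n" %
            (c["user"], c["nice"], c["system"], c["idle"], c["iowait"])).encode()

def render_meminfo(state):
    # /proc/meminfo-shaped text built only from the VM's memory/swap figures
    return "".join("%-15s %8d kB\n" % (k, v) for k, v in state["mem_kb"].items()).encode()

class VirtualProc(Operations):
    """One read/write callback pair per target file; reads never open host /proc."""
    def __init__(self, state):
        self.state = state
        self.sysrq_writes = []  # what the guest wrote to the virtual sysrq file
        self.files = {          # path -> (read callback, write callback or None)
            "/stat": (lambda: render_stat(self.state), None),
            "/meminfo": (lambda: render_meminfo(self.state), None),
            "/sysrq-irq": (lambda: b"", self._write_sysrq),
        }

    def _write_sysrq(self, data):
        # Recorded in the virtual file only: the host's sysrq file is never
        # opened, so a guest write cannot reach the host kernel.
        self.sysrq_writes.append(data)
        return len(data)

    def getattr(self, path, fh=None):
        if path == "/":
            return {"st_mode": S_IFDIR | 0o555, "st_nlink": 2}
        if path not in self.files:
            raise FuseOSError(errno.ENOENT)
        reader, writer = self.files[path]
        return {"st_mode": S_IFREG | (0o200 if writer else 0o444),
                "st_nlink": 1, "st_size": len(reader())}

    def open(self, path, flags):
        if path not in self.files:
            raise FuseOSError(errno.ENOENT)
        return 0

    def read(self, path, size, offset, fh):
        reader, _ = self.files[path]
        return reader()[offset:offset + size]

    def write(self, path, data, offset, fh):
        _, writer = self.files[path]
        if writer is None:  # stat and meminfo are read-only views
            raise FuseOSError(errno.EACCES)
        return writer(data)

    def truncate(self, path, length, fh=None):
        return None  # lets `echo ... > sysrq-irq` succeed; nothing to truncate

if __name__ == "__main__" and FUSE is not None:
    # Mount in an empty temp directory; bind mounts over the guest's proc entries are done outside.
    FUSE(VirtualProc(VM_STATE), sys.argv[1], foreground=True, nothreads=True)
```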
Embodiment three
Fig. 3 is a schematic structural diagram of embodiment three of a host and virtual machine file system isolation device of the present invention. Embodiment three is the device corresponding to the method described in embodiment one; the device comprises:
Virtualization module 301, for the host to virtualize a virtual proc file system using the FUSE mechanism, the virtual proc file system being mounted in a temporary directory.
Registration module 302, for the host to register, in the virtual proc file system, the callback functions of the target specified files, the callback functions being for processing the data information of the virtual machine.
The registration module 302 comprises:
a first registration unit, for the host to register the open, read and write functions of the target stat file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the CPU usage data of the virtual machine;
a second registration unit, for the host to register the open, read and write functions of the target meminfo file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the memory and swap partition usage data of the virtual machine;
a third registration unit, for the host to register the open, read and write functions of the target sysrq-irq file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the data of the target sysrq-irq file.
Mount module 303, for the host to mount the proc file system into the rootfs of the virtual machine.
Binding module 304, for the host to bind the target specified files in the virtual proc file system to the source specified files in the proc file system, the bound target specified file having the same file name as the source specified file.
The binding module 304 comprises:
a first binding unit, for the host to bind the target stat file in the virtual proc file system to the source stat file in the proc file system;
a second binding unit, for the host to bind the target meminfo file in the virtual proc file system to the source meminfo file in the proc file system;
a third binding unit, for the host to bind the target sysrq-irq file in the virtual proc file system to the source sysrq-irq file in the proc file system.
Open module 305, for the host to call an open instruction to open the source specified file.
These are similar to embodiment one; refer to the description of embodiment one, which is not repeated here.
Embodiment four
Fig. 4 is a schematic structural diagram of embodiment four of a host and virtual machine file system isolation device of the present invention. Embodiment four is the device corresponding to the method described in embodiment two; the device comprises:
Virtualization module 301, for the host to virtualize a virtual proc file system using the FUSE mechanism, the virtual proc file system being mounted in a temporary directory.
Registration module 302, for the host to register, in the virtual proc file system, the callback functions of the target specified files, the callback functions being for processing the data information of the virtual machine.
The registration module 302 comprises:
a first registration unit, for the host to register the open, read and write functions of the target stat file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the CPU usage data of the virtual machine;
a second registration unit, for the host to register the open, read and write functions of the target meminfo file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the memory and swap partition usage data of the virtual machine;
a third registration unit, for the host to register the open, read and write functions of the target sysrq-irq file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the data of the target sysrq-irq file.
Mount module 303, for the host to mount the proc file system into the rootfs of the virtual machine.
Binding module 304, for the host to bind the target specified files in the virtual proc file system to the source specified files in the proc file system, the bound target specified file having the same file name as the source specified file.
The binding module 304 comprises:
a first binding unit, for the host to bind the target stat file in the virtual proc file system to the source stat file in the proc file system;
a second binding unit, for the host to bind the target meminfo file in the virtual proc file system to the source meminfo file in the proc file system;
a third binding unit, for the host to bind the target sysrq-irq file in the virtual proc file system to the source sysrq-irq file in the proc file system.
Open module 305, for the host to call an open instruction to open the source specified file.
Receiving module 401, for the host to receive, when the virtual machine accesses a source specified file in the proc file system mounted in its rootfs, the request to access the target specified file bound to that source specified file.
Calling module 402, for the host to call the callback function registered for the target specified file.
Return module 403, for the host to use the callback function to return the access result.
When the virtual machine reads the source stat file or the source meminfo file in the proc file system mounted in its rootfs, the host receives a request to read the target stat file bound to the source stat file or the target meminfo file bound to the source meminfo file;
the host calls the read callback function registered for the target stat file or the target meminfo file;
the host uses the read callback function to return the result of reading the target stat file or the target meminfo file.
When the virtual machine writes the source sysrq-irq file in the proc file system mounted in its rootfs, the host receives a request to write the target sysrq-irq file bound to the source sysrq-irq file;
the host calls the write callback function registered for the target sysrq-irq file;
the host uses the write callback function to write data to the target sysrq-irq file.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (11)

1. A host and virtual machine file system isolation method, characterized in that the method comprises:
the host virtualizes a virtual proc file system using the FUSE mechanism, the virtual proc file system being mounted in a temporary directory;
the host registers, in the virtual proc file system, callback functions for target specified files, the callback functions being for processing the data information of the virtual machine;
the host mounts the proc file system into the rootfs of the virtual machine;
the host binds the target specified files in the virtual proc file system to the source specified files in the proc file system, the bound target specified file having the same file name as the source specified file;
the host calls an open instruction to open the source specified file.
2. The method according to claim 1, characterized in that the target specified files comprise:
a target stat file, a target meminfo file and a target sysrq-irq file.
3. The method according to claim 2, characterized in that the host registering, in the virtual proc file system, callback functions for target specified files comprises:
the host registers the open, read and write functions of the target stat file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the CPU usage data of the virtual machine;
the host registers the open, read and write functions of the target meminfo file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the memory and swap partition usage data of the virtual machine;
the host registers the open, read and write functions of the target sysrq-irq file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the data of the target sysrq-irq file.
4. The method according to claim 2, characterized in that the host binding the target specified files in the virtual proc file system to the source specified files in the proc file system comprises:
the host binds the target stat file in the virtual proc file system to the source stat file in the proc file system;
the host binds the target meminfo file in the virtual proc file system to the source meminfo file in the proc file system;
the host binds the target sysrq-irq file in the virtual proc file system to the source sysrq-irq file in the proc file system.
5. The method according to any one of claims 1 to 4, characterized in that the method further comprises:
when the virtual machine accesses a source specified file in the proc file system mounted in its rootfs, the host receives a request to access the target specified file bound to the source specified file;
the host calls the callback function registered for the target specified file;
the host uses the callback function to return the access result.
6. The method according to claim 5, characterized in that when the source specified file is the source stat file or the source meminfo file:
when the virtual machine reads the source stat file or the source meminfo file in the proc file system mounted in its rootfs, the host receives a request to read the target stat file bound to the source stat file or the target meminfo file bound to the source meminfo file;
the host calls the read callback function registered for the target stat file or the target meminfo file;
the host uses the read callback function to return the result of reading the target stat file or the target meminfo file.
7. The method according to claim 5, characterized in that when the source specified file is the source sysrq-irq file:
when the virtual machine writes the source sysrq-irq file in the proc file system mounted in its rootfs, the host receives a request to write the target sysrq-irq file bound to the source sysrq-irq file;
the host calls the write callback function registered for the target sysrq-irq file;
the host uses the write callback function to write data to the target sysrq-irq file.
8. A host and virtual machine file system isolation device, characterized in that the device comprises:
a virtualization module, for the host to virtualize a virtual proc file system using the FUSE mechanism, the virtual proc file system being mounted in a temporary directory;
a registration module, for the host to register, in the virtual proc file system, callback functions for target specified files, the callback functions being for processing the data information of the virtual machine;
a mount module, for the host to mount the proc file system into the rootfs of the virtual machine;
a binding module, for the host to bind the target specified files in the virtual proc file system to the source specified files in the proc file system, the bound target specified file having the same file name as the source specified file;
an open module, for the host to call an open instruction to open the source specified file.
9. The device according to claim 8, characterized in that the target specified files comprise a target stat file, a target meminfo file and a target sysrq-irq file, and the registration module comprises:
a first registration unit, for the host to register the open, read and write functions of the target stat file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the CPU usage data of the virtual machine;
a second registration unit, for the host to register the open, read and write functions of the target meminfo file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the memory and swap partition usage data of the virtual machine;
a third registration unit, for the host to register the open, read and write functions of the target sysrq-irq file in the virtual proc file system, the open, read and write functions being for opening, reading and writing the data of the target sysrq-irq file.
10. The device according to claim 8, characterized in that the target specified files comprise a target stat file, a target meminfo file and a target sysrq-irq file, and the binding module comprises:
a first binding unit, for the host to bind the target stat file in the virtual proc file system to the source stat file in the proc file system;
a second binding unit, for the host to bind the target meminfo file in the virtual proc file system to the source meminfo file in the proc file system;
a third binding unit, for the host to bind the target sysrq-irq file in the virtual proc file system to the source sysrq-irq file in the proc file system.
11. The device according to any one of claims 8 to 10, characterized in that the device further comprises:
a receiving module, for the host to receive, when the virtual machine accesses a source specified file in the proc file system mounted in its rootfs, the request to access the target specified file bound to the source specified file;
a calling module, for the host to call the callback function registered for the target specified file;
a return module, for the host to use the callback function to return the access result.
Priority Applications (1)

Application Number: CN201310627409.1A (granted as CN103593607B); Priority Date: 2013-11-26; Filing Date: 2013-11-26; Title: Host and virtual machine file system isolation method and apparatus; Status: Active

Publications (2)

CN103593607A (en), published 2014-02-19
CN103593607B (en), published 2016-05-04