CN104091132B - Method and apparatus for running a plug-in on a routing device, and routing device - Google Patents


Publication number
CN104091132B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410269810.7A
Other languages
Chinese (zh)
Other versions
CN104091132A (en)
Inventor
刘铁俊
李政
程亮
陈现麟
张鹏飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiaomi Inc
Original Assignee
Xiaomi Inc
Application filed by Xiaomi Inc
Priority to CN201410269810.7A
Publication of CN104091132A
Application granted
Publication of CN104091132B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/56 Routing software

Abstract

The disclosure relates to a method and an apparatus for running a plug-in on a routing device, and to a routing device. The method includes: acquiring a run instruction for the plug-in; acquiring the plug-in from a first set directory of the operating system; creating a process corresponding to the plug-in, and restricting the access space of the process to the first set directory; and running the plug-in in the process. Because the access space of the process is restricted to the first set directory, that is, the directory in which the plug-in is installed, and the directory in which plug-ins are installed is normally not a directory in which the operating system's system files are stored, the process cannot access the system files of the operating system. The process is thereby effectively prevented from damaging the system files of the routing device's operating system, which ensures that the operating system works normally.

Description

Method and device for running plug-in on routing equipment and routing equipment
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and an apparatus for running a plug-in on a routing device, and a routing device.
Background
With the rapid development of communication technology, routing devices become more and more intelligent, and the intelligent routing devices are similar to an open operating system and can execute operations such as installation, running and uninstalling of plug-ins.
However, when a plug-in runs on current routing devices, system files of the operating system are often damaged, which can leave the operating system paralyzed. A method for running plug-ins is therefore needed that prevents the operating system from being damaged while a plug-in runs.
Disclosure of Invention
In order to overcome the problems in the related art, the present disclosure provides a method and an apparatus for running a plug-in on a routing device, and a routing device.
According to a first aspect of the embodiments of the present disclosure, there is provided a method for running a plug-in on a routing device, including:
acquiring a run instruction for the plug-in;
acquiring the plug-in from a first set directory of an operating system;
creating a process corresponding to the plug-in, and restricting the access space of the process to the first set directory;
running the plug-in in the process.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the step of acquiring a run instruction for the plug-in includes:
after boot, calling a start script of the plug-in stored under a boot directory to generate the run instruction; or,
after boot, acquiring a configuration file of the plug-in from a second set directory through a plug-in start management script under the boot directory, and if the configuration file carries a boot start flag, generating the run instruction; and if the configuration file does not carry the boot start flag, receiving the run instruction sent by a client.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the step of limiting the access space of the process to the first set directory includes:
if the process requests to access other directories except the first set directory in the operating system, mounting the other directories under the first set directory;
and setting the attribute of other directories mounted under the first set directory as read-only.
With reference to the first aspect, the first possible implementation manner of the first aspect, or the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the method further includes:
and recording the identification information of the process in a process list.
With reference to the first aspect, in a fourth possible implementation manner of the first aspect, the method further includes:
acquiring an installation instruction for the plug-in;
acquiring a compressed package corresponding to the plug-in, wherein the compressed package comprises the plug-in, a dynamic link library corresponding to the plug-in, a configuration file and a digital certificate;
decrypting and authenticating the compressed package according to the digital certificate and a pre-stored public key;
and if the compressed package passes decryption authentication, storing the plug-in and the dynamic link library in the first set directory, and storing the configuration file in a second set directory.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the method further includes:
and if the configuration file carries a boot start flag, adding a start script of the plug-in under a boot directory.
With reference to the first aspect, in a sixth possible implementation manner of the first aspect, the method further includes:
acquiring an uninstall instruction for the plug-in;
after the plug-in is determined to have stopped running, detecting whether the start script of the plug-in has been deleted from the boot directory;
and if the start script of the plug-in has been deleted from the boot directory, emptying the first set directory.
With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, the step of determining that the plugin stops operating includes:
detecting whether identification information of a process corresponding to the plug-in exists in a process list or not;
if the process list does not contain the identification information of the process corresponding to the plug-in, determining that the plug-in stops running;
and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in.
According to a second aspect of the embodiments of the present disclosure, there is provided an apparatus for running a plug-in on a routing device, including:
the first acquisition module is used for acquiring a run instruction for the plug-in;
the second acquisition module is used for acquiring the plug-in from a first set directory of the operating system;
the limiting module is used for creating a process corresponding to the plug-in and restricting the access space of the process to the first set directory;
and the running module is used for running the plug-in in the process.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the first obtaining module includes:
the generating unit is used for calling, after boot, a start script of the plug-in stored under a boot directory and generating the run instruction; or,
the processing unit is used for acquiring, after boot, a configuration file of the plug-in from a second set directory through a plug-in start management script under the boot directory, generating the run instruction if the configuration file carries a boot start flag, and receiving the run instruction sent by a client if the configuration file does not carry the boot start flag.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the limiting module includes:
a mounting unit, configured to mount, if the process requests to access another directory in the operating system except the first set directory, the other directory under the first set directory;
and the setting unit is used for setting the attribute of other directories mounted under the first set directory as read-only.
With reference to the second aspect, the first possible implementation manner of the second aspect, or the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the apparatus further includes:
and the recording module is used for recording the identification information of the process in the process list.
With reference to the second aspect, in a fourth possible implementation manner of the second aspect, the apparatus further includes:
the third acquisition module is used for acquiring an installation instruction aiming at the plug-in;
a fourth obtaining module, configured to obtain a compressed package corresponding to the plug-in, where the compressed package includes the plug-in, a dynamic link library corresponding to the plug-in, a configuration file, and a digital certificate;
the decryption authentication module is used for carrying out decryption authentication on the compressed packet according to the digital certificate and a pre-stored public key;
and the storage module is used for storing the plug-in and the dynamic link library in the first set directory and storing the configuration file in the second set directory if the compressed packet passes decryption authentication.
With reference to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the apparatus further includes:
and the adding module is used for adding the start script of the plug-in under the boot directory if the configuration file carries the boot start flag.
With reference to the second aspect, in a sixth possible implementation manner of the second aspect, the apparatus further includes:
a fifth obtaining module, configured to obtain an uninstall instruction for the plug-in;
the detection module is used for detecting, after the plug-in stops running, whether the start script of the plug-in has been deleted from the boot directory;
and the clearing module is used for emptying the first set directory if the start script of the plug-in has been deleted from the boot directory.
With reference to the sixth possible implementation manner of the second aspect, in a seventh possible implementation manner of the second aspect, the detecting module includes:
the detection unit is used for detecting whether the identification information of the process corresponding to the plug-in exists in the process list;
a determining unit, configured to determine that the plugin stops running if the identification information of the process corresponding to the plugin does not exist in the process list; and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in.
According to a third aspect of the embodiments of the present disclosure, there is provided a routing device, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
acquiring a run instruction for the plug-in;
acquiring the plug-in from a first set directory of an operating system;
creating a process corresponding to the plug-in, and restricting the access space of the process to the first set directory;
running the plug-in in the process.
The technical scheme provided by the embodiments of the disclosure can have the following beneficial effects: a run instruction for a plug-in is acquired, the plug-in is acquired from a first set directory of an operating system, a process corresponding to the plug-in is created, the access space of the process is restricted to the first set directory, and the plug-in is run in the process.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a flow diagram illustrating a method of running a plug-in on a routing device in accordance with an example embodiment.
Fig. 2 is a flow diagram illustrating installation of a plug-in on a routing device in accordance with an example embodiment.
Fig. 3 is a flow diagram illustrating a method for uninstalling a plug-in on a routing device in accordance with an example embodiment.
Fig. 4 is a flow diagram illustrating a method of running a plug-in on a routing device in accordance with an example embodiment.
Fig. 5 is a block diagram illustrating a first apparatus for running a plug-in on a routing device according to an example embodiment.
Fig. 6 is a block diagram illustrating a limiting module in accordance with an example embodiment.
Fig. 7 is a block diagram illustrating a second apparatus for running a plug-in on a routing device in accordance with an example embodiment.
Fig. 8 is a block diagram illustrating a third apparatus for running a plug-in on a routing device in accordance with an example embodiment.
Fig. 9 is a block diagram illustrating a fourth apparatus for running a plug-in on a routing device in accordance with an example embodiment.
Fig. 10 is a block diagram illustrating a fifth apparatus for running a plug-in on a routing device in accordance with an example embodiment.
Fig. 11 is a block diagram illustrating a detection module in accordance with an example embodiment.
Fig. 12 is a block diagram illustrating a routing device in accordance with an example embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
Fig. 1 is a flow chart illustrating a method of running a plug-in on a routing device according to an example embodiment. As shown in Fig. 1, the method is used in the routing device and includes the following steps.
In step S11, a run instruction for the plug-in is acquired.
The run instruction indicates that the plug-in needs to be run.
In step S12, a plug-in is acquired from the first setting directory of the operating system.
The plug-in is installed in a first setting directory of an operating system of the routing device, and after an operation instruction for the plug-in is obtained, the plug-in can be obtained from the first setting directory.
In step S13, a process corresponding to the plug-in is created, and the access space of the process is restricted to the first setting directory.
The tools and functions used to create the process differ between operating systems. Assuming that the operating system is a Linux system, a dedicated tool can be created that calls the fork function to create the process corresponding to the plug-in.
Security is the main concern when running a plug-in: if a plug-in deliberately deletes the system files under the root directory of the operating system, the result is fatal to the operating system, so the access space of the process corresponding to the plug-in must be restricted. For example, if a plug-in is installed under PluginsFolder/ID/, the process corresponding to the plug-in should access only files under that directory and no other directory; that is, PluginsFolder/ID/ is the root directory of the plug-in. Invoking the chroot command with PluginsFolder/ID/ as the root restricts the access space of the process in this way.
In step S14, the plug-in is run in the process.
Continuing with the above example, an exec function may be called to run the plug-in in the process.
With this scheme, a run instruction for the plug-in is acquired, the plug-in is acquired from the first set directory of the operating system, a process corresponding to the plug-in is created with its access space restricted to the first set directory, and the plug-in is run in that process. Because the access space of the process is restricted to the first set directory, that is, the directory in which the plug-in is installed, and that directory is not a directory in which the operating system stores its system files, the process cannot access the system files of the operating system. The process is thereby effectively prevented from damaging the system files of the routing device's operating system, and normal operation of the operating system is ensured.
The step S11 of acquiring the run instruction for the plug-in may include the following two cases:
In the first case, after boot, the start script of the plug-in stored under the boot directory is called to generate the run instruction.
If the plug-in needs to run at boot, the start script of the plug-in must be stored under the boot directory when the plug-in is installed; the boot directory can be /etc/init.d.
After the routing device boots, the start script of the plug-in stored under the boot directory can be called to generate the run instruction.
In the second case, after boot, a configuration file of the plug-in is acquired from a second set directory through a plug-in start management script under the boot directory; if the configuration file carries a boot start flag, the run instruction is generated, and if the configuration file does not carry the boot start flag, the run instruction sent by the client is received.
If the plug-in needs to run at boot, the plug-in start management script can be stored in the boot directory. After the routing device boots, the plug-in start management script obtains the configuration file of the plug-in from the second set directory and generates the run instruction after detecting that the configuration file carries a boot start flag. If the plug-in does not need to run at boot, the user can send the run instruction through the client when the plug-in needs to run.
The second set directory may be PluginsFolder/Register, and the configuration file may be expressed as a manifest.
The step of restricting the access space of the process to the first set directory in S13 includes:
if the process requests to access other directories except the first set directory in the operating system, mounting the other directories under the first set directory;
the attribute of the other directory mounted under the first set directory is set to read only.
If the process corresponding to a plug-in must access system files of the operating system, for example system files under /usr/bin, a bind mount (mount bind) can be used to mount the /usr/bin directory under the PluginsFolder/ID directory, giving a PluginsFolder/ID/usr/bin directory, and the attribute of the PluginsFolder/ID/usr/bin directory is then set to read-only. The access space of the process can thus still be restricted to PluginsFolder/ID/, and because the PluginsFolder/ID/usr/bin directory is read-only, the process cannot perform destructive operations on /usr/bin, which effectively prevents the process from damaging the system files of the operating system and ensures that the operating system runs normally.
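Steps S13 and S14 and the read-only mount above, written against the Linux system calls; this is an added example, not code from the patent or from any router firmware. The absolute path /PluginsFolder, the uid/gid 65534 and all function names are assumptions, and the example goes beyond the text by validating the plug-in ID, remounting the bind mount so that read-only actually takes effect, and dropping root after chroot.

```c
#define _DEFAULT_SOURCE          /* chroot(), setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Assumed values, not from the patent: install path and unprivileged account. */
#define PLUGINS_FOLDER "/PluginsFolder"
#define PLUGIN_UID 65534
#define PLUGIN_GID 65534
#define PATH_BUF 512

/* The ID is a path component: allow only [A-Za-z0-9_-]{1,64} (no "..", no '/'). */
int plugin_id_ok(const char *id)
{
    size_t n;
    if (id == NULL)
        return 0;
    for (n = 0; id[n] != '\0'; n++) {
        char c = id[n];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok || n >= 64)
            return 0;
    }
    return n > 0;
}

/* Build the first set directory PluginsFolder/ID; 0 on success, -1 otherwise. */
int plugin_root(char *out, size_t outlen, const char *id)
{
    int n;
    if (!plugin_id_ok(id))
        return -1;
    n = snprintf(out, outlen, "%s/%s", PLUGINS_FOLDER, id);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Expose a system directory such as /usr/bin inside the plug-in root,
 * read-only. The mount point root+src must already exist. */
int bind_readonly(const char *root, const char *src)
{
    char dst[PATH_BUF];
    int n;
    if (!root || !src || src[0] != '/' || strstr(src, "..")) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(dst, sizeof dst, "%s%s", root, src);
    if (n < 0 || (size_t)n >= sizeof dst) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mount(src, dst, NULL, MS_BIND, NULL) != 0)
        return -1;
    /* MS_RDONLY is ignored on the initial bind; it takes effect on remount. */
    if (mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) != 0) {
        umount(dst);            /* never leave a writable view behind */
        return -1;
    }
    return 0;
}

/* Steps S13 and S14. Returns the child's pid (to record in the process list)
 * or -1. exe is the plug-in path as seen inside the new root, e.g. "/plugin". */
pid_t run_plugin_confined(const char *id, const char *exe)
{
    char root[PATH_BUF];
    pid_t pid;
    if (!exe || exe[0] != '/' || plugin_root(root, sizeof root, id) != 0) {
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid != 0)
        return pid;             /* parent: child pid, or -1 if fork failed */
    /* Child: chdir("/") after chroot() so the cwd cannot point outside. */
    if (chroot(root) != 0 || chdir("/") != 0)
        _exit(126);
    /* A process that stays root can leave a chroot, so drop privileges:
     * supplementary groups, then gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(PLUGIN_GID) != 0 ||
        setuid(PLUGIN_UID) != 0)
        _exit(126);
    char *const argv[] = { (char *)exe, NULL };
    char *const envp[] = { "PATH=/usr/bin", NULL };
    execve(exe, argv, envp);
    _exit(127);                 /* exec failed */
}

int main(int argc, char **argv)
{
    pid_t pid = (argc == 3) ? run_plugin_confined(argv[1], argv[2]) : -1;
    if (pid > 0) printf("plug-in pid %ld\n", (long)pid);
    return pid > 0 ? 0 : 1;
}
```

Call bind_readonly from the privileged parent before run_plugin_confined, because the child no longer holds the privileges that mount requires once it has dropped root.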
Identification information of the process can be recorded in the process list, so that the plug-in is convenient to stop running or uninstall.
Fig. 2 is a flow chart illustrating installation of a plug-in on a routing device according to an example embodiment. As shown in Fig. 2, the method is used in the routing device and includes the following steps.
In step S21, an installation instruction for the plug-in is acquired.
For example, it may be to receive an installation instruction for a plug-in sent by a client.
In step S22, a compressed package corresponding to the plug-in is obtained, where the compressed package includes the plug-in, the dynamic link library corresponding to the plug-in, the configuration file, and the digital certificate.
For example, the compressed package corresponding to the plug-in may be downloaded from a plug-in store or uploaded locally.
In step S23, the compressed package is decrypted and authenticated according to the digital certificate and the pre-stored public key.
For example, since the compressed package is usually encrypted, a public key may be pre-stored on the routing device, and decryption authentication may be performed according to the digital certificate in the compressed package and the pre-stored public key.
In step S24, if the compressed package passes the decryption authentication, the plug-in and the dynamic link library are stored in the first set directory, and the configuration file is stored in the second set directory.
If the compressed package passes decryption authentication, the files in the compressed package are stored in a fixed directory, which is the uniform installation location for plug-ins. Assuming that the fixed directory is PluginsFolder and each plug-in has identification information (denoted as ID), the plug-in and the dynamic link library obtained after decompression can be stored under the PluginsFolder/ID/ directory, i.e. the first set directory, and the configuration file obtained after decompression can be stored under the PluginsFolder/Register directory, i.e. the second set directory.
If the configuration file carries a boot start flag, that is, the plug-in needs to run at boot, the start script of the plug-in is added under the boot directory so that the plug-in can be started at boot.
Fig. 3 is a flow chart illustrating a method for uninstalling a plug-in on a routing device according to an example embodiment. As shown in Fig. 3, the method is used in a routing device and includes the following steps.
In step S31, an uninstall instruction for the plug-in is acquired.
In step S32, after determining that the plug-in stops running, it is detected whether a start script of the plug-in is stored under the boot directory.
If the start script of the plug-in is stored under the boot directory, in step S33, the start script of the plug-in is deleted.
In step S34, the first setting directory is cleared.
For example, if the boot script of the plug-in is not stored in the boot directory, step S34 is executed.
Because the plug-in is installed in the first set directory, the first set directory can be emptied after the start script of the plug-in is confirmed to have been deleted from the boot directory, so that the plug-in is uninstalled.
The step in S32 of determining that the plug-in has stopped running includes:
detecting whether identification information of a process corresponding to the plug-in exists in the process list;
if the process list does not contain the identification information of the process corresponding to the plug-in, determining that the plug-in stops running;
and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in.
In this way, whether the plug-in stops running can be determined by detecting whether the identification information of the process corresponding to the plug-in exists in the process list.
Fig. 4 is a flowchart illustrating a method of running a plug-in on a routing device according to an example embodiment. As shown in Fig. 4, the method is used in a routing device whose operating system is assumed to be a Linux system, and includes the following steps.
In step S411, an installation instruction for the plug-in is acquired.
When a user needs to install the plug-in on the routing device, an installation instruction for the plug-in can be sent to the routing device through the client. For example, when a plug-in A is selected in an application store and then installed on a router B, the server transmits an installation package of the plug-in A to the router B. Meanwhile, the router B receives an installation instruction for the plug-in.
In step S412, a compression package corresponding to the plug-in is obtained, where the compression package includes the plug-in, a dynamic link library corresponding to the plug-in, a configuration file, and a digital certificate.
The plug-in is an executable file, the dynamic link library corresponding to the plug-in is a dynamic link library which can be used by the executable file, the configuration file is used for describing the executable file, and the digital certificate is used for decrypting and authenticating.
In step S413, the compressed package is decrypted and authenticated according to the digital certificate and the pre-stored public key.
Since the compressed package is usually encrypted, a public key is pre-stored in a fixed location on the routing device for decryption and authentication of the compressed package.
In step S414, if the compressed package passes the decryption authentication, the plug-in and the dynamic link library are stored in the first set directory, and the configuration file is stored in the second set directory.
The files in a compressed package are typically stored under a fixed directory, which is the uniform installation location for plug-ins. Assuming that the fixed directory is PluginsFolder and each plug-in has an ID, the first set directory is PluginsFolder/ID/, under which the decompressed plug-in and dynamic link library may be stored, and the second set directory is PluginsFolder/Register, under which the decompressed configuration file is stored.
In step S415, when the configuration file carries the boot start flag, the start script of the plug-in is added under the boot directory. For example, in Linux systems, the boot directory is /etc/init.d.
In step S416, a run instruction for the plug-in is acquired.
The following two cases can be included in this step:
In the first case, after boot, the start script of the plug-in stored under the boot directory is called to generate the run instruction.
If the plug-in needs to run at boot, the start script of the plug-in stored under /etc/init.d can be called to generate the run instruction.
In the second case, after boot, a configuration file of the plug-in is acquired from a second set directory through a plug-in start management script under the boot directory; if the configuration file carries a boot start flag, the run instruction is generated, and if the configuration file does not carry the boot start flag, the run instruction sent by the client is received.
If the plug-in needs to run at boot, the plug-in start management script can be stored under /etc/init.d. After the routing device boots, the plug-in start management script goes to PluginsFolder/Register to obtain the configuration file of the plug-in, and generates the run instruction after detecting that the configuration file carries a boot start flag. If the plug-in does not need to run at boot, the user can send the run instruction through the client when the plug-in needs to run. The configuration file may be denoted as manifest.
In step S417, the plug-in is acquired from the first set directory of the operating system.
That is, the plug-in is obtained from PluginsFolder/ID/.
In step S418, a process corresponding to the plug-in is created, and the access space of the process is restricted to the first setting directory.
In the Linux system, a dedicated tool can be created that calls the fork function to create the process corresponding to the plug-in. The access space of the process is PluginsFolder/ID/, which is the root directory of the plug-in, and the process can be restricted by calling the chroot command with PluginsFolder/ID/ as the root of the process.
If the process corresponding to the plug-in must access system files of the Linux system, for example system files under /usr/bin, a bind mount may be used to mount the /usr/bin directory under the PluginsFolder/ID directory, giving a PluginsFolder/ID/usr/bin directory, and the attribute of the PluginsFolder/ID/usr/bin directory is then set to read-only. The access space of the process can thus still be restricted to PluginsFolder/ID/, and because the PluginsFolder/ID/usr/bin directory is read-only, the process cannot damage the /usr/bin directory, so the process is effectively prevented from damaging the system files of the operating system, and normal operation of the operating system is ensured.
In step S419, the plug-in is run in the process, and the ID of the plug-in's process is recorded in the process list.
For example, an exec function may be called to run the plug-in in the process.
In step S420, an uninstall instruction for the plug-in is acquired.
When the user wants to uninstall the plug-in on the routing device, an uninstall instruction for the plug-in can be sent to the routing device through the client.
In step S421, after determining that the plug-in stops running, it is detected whether the startup script of the plug-in is stored under the startup directory.
For example, whether the plugin stops running or not can be determined by detecting whether the identification information of the process corresponding to the plugin exists in the process list, and if the identification information of the process corresponding to the plugin does not exist in the process list, the plugin stops running; and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in, thereby determining that the plug-in stops running.
If the startup script of the plug-in is stored under the startup directory, in step S422, the startup script of the plug-in is deleted.
In step S423, the first setting directory is cleared.
If the startup script of the plug-in is not stored in the startup directory, step S423 is executed.
Since the plug-in is installed under PluginFolder/ID/, once it is confirmed that the startup script of the plug-in has been deleted from /etc/init.d, PluginFolder/ID/ can be emptied, which uninstalls the plug-in.
Fig. 5 is a block diagram illustrating a first apparatus for running a plug-in on a routing device according to an example embodiment. Referring to fig. 5, the apparatus includes a first obtaining module 511, a second obtaining module 512, a limiting module 513, and an executing module 514.
The first obtaining module 511 is configured to obtain a running instruction for the plug-in.
The second obtaining module 512 is configured to obtain the plug-in from the first set directory of the operating system.
The limiting module 513 is configured to create a process corresponding to the plug-in and limit the access space of the process to the first set directory.
The executing module 514 is configured to run the plug-in in the process.
The first obtaining module 511 includes one of a generating unit and a processing unit.
The generating unit is configured to, after startup, call the startup script of the plug-in saved under the startup directory and generate the running instruction.
The processing unit is configured to, after startup, acquire the configuration file of the plug-in from the second set directory through the plug-in startup management script under the startup directory, generate the running instruction if the configuration file carries a startup identifier, and receive the running instruction sent by the client if the configuration file does not carry the startup identifier.
As shown in fig. 6, the limiting module 513 includes a mounting unit 5131 and a setting unit 5132.
The mounting unit 5131 is configured to, if the process requests access to a directory in the operating system other than the first set directory, mount that directory under the first set directory.
The setting unit 5132 is configured to set the attribute of the other directory mounted under the first set directory to read-only.
A second apparatus for running a plug-in on a routing device is shown in fig. 7, and further includes a recording module 515 on the basis of the apparatus shown in fig. 5.
The recording module 515 is configured to record identification information of the process in the process list.
The third apparatus for running a plug-in on a routing device is shown in fig. 8, and further includes a third obtaining module 516, a fourth obtaining module 517, a decryption authentication module 518, and a storage module 519 on the basis of the apparatus shown in fig. 5.
The third obtaining module 516 is configured to obtain an installation instruction for the plug-in.
The fourth obtaining module 517 is configured to obtain a compressed package corresponding to the plug-in, where the compressed package includes the plug-in, a dynamic link library corresponding to the plug-in, a configuration file, and a digital certificate.
The decryption authentication module 518 is configured to decrypt and authenticate the compressed package according to the digital certificate and a pre-stored public key.
The storage module 519 is configured to store the plug-in and the dynamic link library in the first set directory and the configuration file in the second set directory if the compressed package passes decryption authentication.
A fourth apparatus for running a plug-in on a routing device is shown in fig. 9, and further includes an adding module 520 on the basis of the apparatus shown in fig. 8.
The adding module 520 is configured to add a startup script of the plug-in under the startup directory if the configuration file carries the startup identifier.
A fifth apparatus for running a plug-in on a routing device is shown in fig. 10, and further includes a fifth obtaining module 521, a detecting module 522 and an emptying module 523 on the basis of the apparatus shown in fig. 5.
The fifth obtaining module 521 is configured to obtain an uninstall instruction for the plug-in.
The detecting module 522 is configured to detect, after determining that the plug-in has stopped running, whether the startup script of the plug-in has been deleted from the startup directory.
The emptying module 523 is configured to empty the first set directory if the startup script of the plug-in has been deleted from the startup directory.
As shown in fig. 11, the detection module 522 includes a detection unit 5221 and a determination unit 5222.
The detecting unit 5221 is configured to detect whether identification information of a process corresponding to the plug-in exists in the process list.
The determining unit 5222 is configured to determine that the plug-in stops running if the identification information of the process corresponding to the plug-in does not exist in the process list; and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Fig. 12 is a block diagram illustrating an apparatus 1900 for running a plug-in on a routing device in accordance with an example embodiment. For example, the apparatus 1900 may be provided as a routing device. Referring to fig. 12, the apparatus 1900 includes a processing component 1922, which further includes one or more processors, and memory resources, represented by memory 1932, for storing instructions executable by the processing component 1922, such as application programs. The application programs stored in memory 1932 may include one or more modules that each correspond to a set of instructions. Further, the processing component 1922 is configured to execute the instructions to perform the above-described method of running a plug-in on a routing device.
The apparatus 1900 may also include a power component 1926 configured to perform power management of the apparatus 1900, a wired or wireless network interface 1950 configured to connect the apparatus 1900 to a network, and an input/output (I/O) interface 1958. The apparatus 1900 may operate based on an operating system stored in memory 1932, such as Windows Server, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
In one embodiment, a routing device is provided, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
acquiring a running instruction for the plug-in;
acquiring the plug-in from a first set directory of an operating system;
creating a process corresponding to the plug-in, and limiting the access space of the process to the first set directory;
running the plug-in in the process.
Optionally, in another embodiment, the step of acquiring the running instruction for the plug-in includes:
after starting, calling a starting script of the plug-in stored in a starting directory to generate the running instruction; or,
after the starting, obtaining a configuration file of the plug-in from a second set directory through a plug-in starting management script under a starting directory, if the configuration file carries a starting identifier, generating the running instruction, and if the configuration file does not carry the starting identifier, receiving the running instruction sent by a client.
Optionally, in another embodiment, the step of limiting the access space of the process to the first set directory includes:
if the process requests to access other directories except the first set directory in the operating system, mounting the other directories under the first set directory;
and setting the attribute of other directories mounted under the first set directory as read-only.
Optionally, in another embodiment, the identification information of the process is recorded in a process list.
Optionally, in another embodiment, an installation instruction for the plug-in is obtained; a compressed package corresponding to the plug-in is acquired, wherein the compressed package comprises the plug-in, a dynamic link library corresponding to the plug-in, a configuration file and a digital certificate; the compressed package is decrypted and authenticated according to the digital certificate and a pre-stored public key; and if the compressed package passes decryption authentication, the plug-in and the dynamic link library are stored in the first set directory, and the configuration file is stored in a second set directory.
Optionally, in another embodiment, if the configuration file carries a starting identifier, a starting script of the plug-in is added under the starting directory.
Optionally, in another embodiment, an uninstall instruction for the plug-in is obtained; after it is determined that the plug-in stops running, it is detected whether a starting script of the plug-in is deleted from a starting directory; and if the starting script of the plug-in is deleted from the starting directory, the first set directory is emptied.
Optionally, in another embodiment, the step of determining that the plugin stops operating includes:
detecting whether identification information of a process corresponding to the plug-in exists in a process list or not;
if the process list does not contain the identification information of the process corresponding to the plug-in, determining that the plug-in stops running;
and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in.
The disclosed embodiments provide a non-transitory computer-readable storage medium in which instructions, when executed by a processor of a routing device, enable the routing device to perform a method of running a plug-in on the routing device, the method comprising:
acquiring a running instruction for the plug-in;
acquiring the plug-in from a first set directory of an operating system;
creating a process corresponding to the plug-in, and limiting the access space of the process to the first set directory;
running the plug-in in the process.
The step of acquiring the running instruction for the plug-in comprises the following steps:
after starting, calling a starting script of the plug-in stored in a starting directory to generate the running instruction; or,
after the starting, obtaining a configuration file of the plug-in from a second set directory through a plug-in starting management script under a starting directory, if the configuration file carries a starting identifier, generating the running instruction, and if the configuration file does not carry the starting identifier, receiving the running instruction sent by a client.
The step of limiting the access space of the process to the first set directory comprises:
if the process requests to access other directories except the first set directory in the operating system, mounting the other directories under the first set directory;
and setting the attribute of other directories mounted under the first set directory as read-only.
The method further comprises the following steps:
and recording the identification information of the process in a process list.
The method further comprises the following steps:
acquiring an installation instruction for the plug-in;
acquiring a compressed package corresponding to the plug-in, wherein the compressed package comprises the plug-in, a dynamic link library corresponding to the plug-in, a configuration file and a digital certificate;
decrypting and authenticating the compressed package according to the digital certificate and a pre-stored public key;
and if the compressed package passes decryption authentication, storing the plug-in and the dynamic link library in the first set directory, and storing the configuration file in a second set directory.
The method further comprises the following steps:
if the configuration file carries a starting identifier, adding a starting script of the plug-in under a starting directory.
The method further comprises the following steps:
acquiring an uninstall instruction for the plug-in;
after the plug-in is determined to stop running, detecting whether a starting script of the plug-in is deleted from the starting directory;
and if the starting script of the plug-in is deleted from the starting directory, emptying the first set directory.
The step of determining that the plug-in stops running comprises:
detecting whether identification information of a process corresponding to the plug-in exists in a process list or not;
if the process list does not contain the identification information of the process corresponding to the plug-in, determining that the plug-in stops running;
and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (15)

1. A method of running a plug-in on a routing device, comprising:
acquiring a running instruction for the plug-in;
acquiring the plug-in from a first set directory of an operating system;
creating a process corresponding to the plug-in, and limiting the access space of the process to the first set directory;
running the plug-in in the process, wherein,
the step of acquiring the running instruction for the plug-in comprises the following steps:
after starting, calling a starting script of the plug-in stored in a starting directory to generate the running instruction; or,
after the starting, obtaining a configuration file of the plug-in from a second set directory through a plug-in starting management script under a starting directory, if the configuration file carries a starting identifier, generating the running instruction, and if the configuration file does not carry the starting identifier, receiving the running instruction sent by a client.
2. The method of claim 1, wherein the step of limiting the access space of the process to the first set directory comprises:
if the process requests to access other directories except the first set directory in the operating system, mounting the other directories under the first set directory;
and setting the attribute of other directories mounted under the first set directory as read-only.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
and recording the identification information of the process in a process list.
4. The method of claim 1, wherein the method further comprises:
acquiring an installation instruction for the plug-in;
acquiring a compressed package corresponding to the plug-in, wherein the compressed package comprises the plug-in, a dynamic link library corresponding to the plug-in, a configuration file and a digital certificate;
decrypting and authenticating the compressed package according to the digital certificate and a pre-stored public key;
and if the compressed package passes decryption authentication, storing the plug-in and the dynamic link library in the first set directory, and storing the configuration file in a second set directory.
5. The method of claim 4, further comprising:
if the configuration file carries a starting identifier, adding a starting script of the plug-in under a starting directory.
6. The method of claim 1, wherein the method further comprises:
acquiring an uninstall instruction for the plug-in;
after the plug-in is determined to stop running, detecting whether a starting script of the plug-in is deleted from the starting directory;
and if the starting script of the plug-in is deleted from the starting directory, emptying the first set directory.
7. The method of claim 6, wherein the step of determining that the plug-in stops running comprises:
detecting whether identification information of a process corresponding to the plug-in exists in a process list or not;
if the process list does not contain the identification information of the process corresponding to the plug-in, determining that the plug-in stops running;
and if the identification information of the process corresponding to the plug-in exists in the process list, deleting the identification information of the process corresponding to the plug-in.
8. An apparatus for running a plug-in on a routing device, comprising:
a first obtaining module, configured to obtain a running instruction for the plug-in;
a second obtaining module, configured to obtain the plug-in from a first set directory of an operating system;
a limiting module, configured to create a process corresponding to the plug-in and limit the access space of the process to the first set directory;
an execution module, configured to run the plug-in in the process, wherein,
the first obtaining module comprises:
a generating unit, configured to, after starting, call a starting script of the plug-in stored under a starting directory and generate the running instruction; or,
a processing unit, configured to, after starting, acquire a configuration file of the plug-in from a second set directory through a plug-in starting management script under the starting directory, generate the running instruction if the configuration file carries a starting identifier, and receive the running instruction sent by a client if the configuration file does not carry the starting identifier.
9. The apparatus of claim 8, wherein the limiting module comprises:
a mounting unit, configured to mount, if the process requests to access another directory in the operating system except the first set directory, the other directory under the first set directory;
and a setting unit, configured to set the attribute of the other directory mounted under the first set directory to read-only.
10. The apparatus of claim 8 or 9, further comprising:
a recording module, configured to record the identification information of the process in a process list.
11. The apparatus of claim 8, wherein the apparatus further comprises:
a third obtaining module, configured to obtain an installation instruction for the plug-in;
a fourth obtaining module, configured to obtain a compressed package corresponding to the plug-in, where the compressed package includes the plug-in, a dynamic link library corresponding to the plug-in, a configuration file, and a digital certificate;
a decryption authentication module, configured to perform decryption authentication on the compressed package according to the digital certificate and a pre-stored public key;
and a storage module, configured to store the plug-in and the dynamic link library in the first set directory and store the configuration file in the second set directory if the compressed package passes decryption authentication.
12. The apparatus of claim 11, further comprising:
an adding module, configured to add the starting script of the plug-in under the starting directory if the configuration file carries the starting identifier.
13. The apparatus of claim 8, wherein the apparatus further comprises:
a fifth obtaining module, configured to obtain an uninstall instruction for the plug-in;
a detection module, configured to detect whether the starting script of the plug-in is deleted from the starting directory after the plug-in stops running;
and a clearing module, configured to clear the first set directory if the starting script of the plug-in is deleted from the starting directory.
14. The apparatus of claim 13, wherein the detection module comprises:
a detection unit, configured to detect whether the identification information of the process corresponding to the plug-in exists in the process list;
a determining unit, configured to determine that the plug-in stops running if the identification information of the process corresponding to the plug-in does not exist in the process list; and if the identification information of the process corresponding to the plug-in exists in the process list, delete the identification information of the process corresponding to the plug-in.
15. A routing device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
acquiring a running instruction for the plug-in;
acquiring the plug-in from a first set directory of an operating system;
creating a process corresponding to the plug-in, and limiting the access space of the process to the first set directory;
running the plug-in in the process, wherein,
the step of acquiring the running instruction for the plug-in comprises the following steps:
after starting, calling a starting script of the plug-in stored in a starting directory to generate the running instruction; or,
after the starting, obtaining a configuration file of the plug-in from a second set directory through a plug-in starting management script under a starting directory, if the configuration file carries a starting identifier, generating the running instruction, and if the configuration file does not carry the starting identifier, receiving the running instruction sent by a client.
CN201410269810.7A 2014-06-17 2014-06-17 Method, device and the routing device of plug-in unit are run on routing device Active CN104091132B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410269810.7A CN104091132B (en) 2014-06-17 2014-06-17 Method, device and the routing device of plug-in unit are run on routing device


Publications (2)

Publication Number Publication Date
CN104091132A CN104091132A (en) 2014-10-08
CN104091132B true CN104091132B (en) 2017-07-28

Family

ID=51638847

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410269810.7A Active CN104091132B (en) 2014-06-17 2014-06-17 Method, device and the routing device of plug-in unit are run on routing device

Country Status (1)

Country Link
CN (1) CN104091132B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105653961B (en) * 2015-12-31 2019-07-23 北京元心科技有限公司 A kind of method and apparatus improving mobile terminal application load safety
CN114546511A (en) * 2020-11-11 2022-05-27 华为技术有限公司 Plug-in management method, system and device
CN118034889A (en) * 2024-03-08 2024-05-14 荣耀终端有限公司 Plug-in process mapping method and related device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101014034A (en) * 2006-12-31 2007-08-08 武汉蓝星科技股份有限公司 U disk server-based cluster solving method
CN101403973A (en) * 2006-12-05 2009-04-08 三星电子株式会社 Application program launching method and system for improving security of embedded Linux kernel
CN101515238A (en) * 2009-03-31 2009-08-26 山东鲁西化工股份有限公司 Method for automatically installing or uninstalling application software of computers and a device thereof
CN103106091A (en) * 2013-01-31 2013-05-15 深圳市开立科技有限公司 Start-up system and method of operating system based on removable storage media

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5476834B2 (en) * 2009-07-24 2014-04-23 株式会社リコー Information processing apparatus, workflow system, workflow management method, program, and recording medium
CN102968321B (en) * 2012-11-22 2016-05-25 用友优普信息技术有限公司 Application program erecting device and application program installation method
CN104036183B (en) * 2013-05-17 2015-04-08 腾讯科技(深圳)有限公司 Method and system for installing software in sandbox


Also Published As

Publication number Publication date
CN104091132A (en) 2014-10-08


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant