CN104346559B - Authority request response method and corresponding device - Google Patents


Publication number: CN104346559B
Authority: CN (China)
Prior art keywords: authority, authority request, authentication list, uid, allowed
Legal status: Expired - Fee Related
Application number: CN201410696530.4A
Other languages: Chinese (zh)
Other versions: CN104346559A (en)
Inventors: 宋振涛, 马金亭, 邹勇
Current Assignee: Beijing Qihoo Technology Co Ltd
Original Assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45: Structures or tools for the administration of authentication

Abstract

The present invention discloses an authority request response method which, taking the Android application scenario as an example, comprises the following steps: starting a communication interface that belongs to the system level, and monitoring external authority requests through that communication interface; obtaining the requester's feature identifier from the authority request, and looking it up in a preset authentication list to determine whether it is in the allowed state; and, when the feature identifier is in the allowed state, applying to the system for authority on behalf of the authority request. The authority request management function implemented by the invention provides fast and efficient communication and is technically safe and reliable.

Description

Authority request response method and corresponding device
Technical field
The present invention relates to rights management techniques for computer operating systems, and more particularly to an authority request response method and a corresponding device.
Background art
Operating systems derived from Unix, from the Linux family to the Android operating system for mobile terminals, have a strict user management mechanism. Taking Android as an example, the account with the highest authority in the system is Root. The authority of this account represents the highest level of the rights management mechanism: it can start or stop a process, delete or add users, add or disable hardware, and so on. When a mobile terminal device leaves the factory, the manufacturer generally does not open Root authority to the user, for safety reasons. In this situation, system operations that the user performs on the mobile terminal device, or functions that a third-party application such as mobile phone security software needs to implement, such as uninstalling factory-preinstalled applications, are obstructed. As a result, obtaining Root authority has become more and more common.
Mobile phone security software currently on the market, such as "360 mobile phone assistant", is commonly equipped with an authority management module provided for applications on the phone. After Root authority has been obtained, the management of authority requests needs to be strengthened further, because only then can the operating system be monitored for security and malicious applications be prevented from arbitrarily achieving their own ends, for example by requesting contacts authority or the phone's IMEI authority. The aim is both to give the user greater freedom of operation and to ensure technical security.
The prior art has largely achieved Root authority management, but the following deficiencies remain. On the one hand, because the communication mechanism used for rights management is poorly chosen, Root authority management is inefficient; on the other hand, excessive dependence on system functions means that rights management does not run efficiently.
Summary of the invention
An object of the present invention is to provide an authority request response method with higher operational efficiency, and a corresponding device.
To achieve this object, the present invention adopts the following technical scheme:
An authority request response method provided by the invention comprises the following steps:
Starting a communication interface that belongs to the system level, and monitoring external authority requests through the communication interface;
Obtaining the requester's feature identifier from the authority request, and looking it up in a preset authentication list to determine whether it is in the allowed state;
When the feature identifier is in the allowed state, applying to the system for authority on behalf of the authority request.
Preferably, the system-level communication interface refers to a communication service process established on the basis of Android's Binder mechanism, used to communicate with the external application process that initiates the authority request.
Preferably, the feature identifier refers to the UID in the Android system, each UID corresponding to one application.
According to one embodiment of the present invention, the preset authentication list stores a number of feature identifiers, and the presence of a feature identifier in the authentication list indicates that the feature identifier is in the allowed state.
According to another embodiment of the present invention, the preset authentication list stores a number of feature identifiers and a state identification field set for each feature identifier; when the state identification field corresponding to a feature identifier is set to the symbol that denotes "allowed", that symbol indicates that the feature identifier is in the allowed state.
Further, when the feature identifier is not in the allowed state, the authority request is refused.
Preferably, the method includes a further step: obtaining common authentication list data from a remote interface and updating the local authentication list.
Further, after Root authority has been successfully obtained for the authority request, communication is bound between the user process that initiated the authority request and a service process; the service process responds to and executes the instructions whose execution the user process requests.
Preferably, the local authentication list contains a type identifier that characterizes the period during which the authority of the user program corresponding to the feature identifier is in effect; when authority is applied for from the system, a different type of authority is applied for according to the type identifier.
An authority request responding device provided by the invention comprises:
A communication interface, started at the system level, for monitoring external authority requests;
A retrieval unit, for obtaining the requester's feature identifier from the authority request and looking it up in a preset authentication list to determine whether it is in the allowed state;
A processing unit, for applying to the system for authority on behalf of the authority request when the feature identifier is in the allowed state.
Specifically, the communication interface is a communication service process placed at the system level and established on the basis of Android's Binder mechanism, which obtains the authority request by communicating with the external application process.
Preferably, the feature identifier refers to the UID in the Android system, each UID corresponding to one application.
According to one embodiment of the present invention, the preset authentication list is used to store a number of feature identifiers, and the presence of a feature identifier in the authentication list indicates that the feature identifier is in the allowed state.
According to another embodiment of the present invention, the preset authentication list is used to store a number of feature identifiers and a state identification field set for each feature identifier; when the state identification field corresponding to a feature identifier is set to the symbol that denotes "allowed", that symbol indicates that the feature identifier is in the allowed state.
Further, the processing unit is used to refuse the authority request when the feature identifier is not in the allowed state.
Preferably, the present invention includes a maintenance unit, for obtaining common authentication list data from a remote interface and updating the local authentication list.
Further, the device also includes a service process which, after Root authority has been successfully obtained for the authority request, is bound in communication with the user process that initiated the authority request; the service process responds to and executes the instructions whose execution the user process requests.
Preferably, the local authentication list contains a type identifier that characterizes the period during which the authority of the user program corresponding to the feature identifier is in effect; when authority is applied for from the system, a different type of authority is applied for according to the type identifier.
Compared with the prior art, the present invention has at least the following advantages. The invention is based on a system-level communication interface and establishes a rights management mechanism for the authority requests of external applications, with the advantages of fast communication and a high success rate. Further, by establishing a preset authentication list, the authority requests of external applications can be managed independently. From a technical standpoint, this authentication list has an effect similar to a firewall, with the advantages of centralized data, efficient operation, and safety and reliability.
Additional aspects and advantages of the invention are set forth in part in the description that follows; they will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and readily understood from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a schematic block diagram of the authority request response method of the present invention;
Fig. 2 is a schematic block diagram of the authority request responding device of the present invention.
Embodiments
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural forms. It should further be understood that the word "comprising" used in the specification of the invention refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intermediate elements may be present. In addition, "connection" or "coupling" as used herein can include wireless connection or wireless coupling. The term "and/or" as used herein includes all or any unit and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries should be understood to have a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, will not be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver, which have only a wireless signal receiver without transmitting capability, and devices with receiving and transmitting hardware, which have receiving and transmitting hardware capable of two-way communication over a bidirectional communication link. Such devices can include: cellular or other communication devices, with a single-line display or a multi-line display, or without a multi-line display; PCS (Personal Communications Service), which can combine voice, data processing, fax and/or data communication capabilities; PDA (Personal Digital Assistant), which can include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. A "terminal" or "terminal device" as used herein can be portable, transportable, installed in a vehicle (air, sea and/or land), or suitable for and/or configured to run locally and/or, in distributed form, at any other location on the earth and/or in space. A "terminal" or "terminal device" as used herein can also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart television or set-top box.
Those skilled in the art will understand that the concepts of server, cloud, remote network device and the like used herein are equivalent, and include but are not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud made up of multiple servers. Here, the cloud is made up of a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a super virtual computer made up of a group of loosely coupled computers. In embodiments of the invention, remote network devices, terminal devices and WNS servers can communicate by any means of communication, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on the TCP/IP or UDP protocols, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Those skilled in the art will appreciate that "application", "application program", "application software" and similar expressions used in the present invention denote the same concept, well known to those skilled in the art: computer software suitable for electronic execution, organically constructed from a series of computer instructions and related data resources. Unless otherwise specified, this designation is not itself limited by the kind or level of programming language, nor by the operating system or platform on which it runs. Naturally, the concept is also not limited by any form of terminal.
In one application scenario, the authority request response method of the present invention is implemented in an operating system environment based on the Unix family. To implement the method, it must be instantiated as an application program, which obtains Root authority and is installed and run in the relevant operating system.
As is well known, Root authority refers to the system administrator authority of Unix-type operating systems (including Linux and Android), similar to the Administrator authority in Windows systems. Root authority can access and modify almost all files on the user's mobile device (Android system files and user files, not including the ROM). However, because current mobile terminal systems manage Root authority strictly, most applications or programs do not normally have Root authority, and therefore cannot perform operations that require it, such as installing or uninstalling applications. Moreover, a calling process for such an operation has to apply to the system for Root authority each time it performs the operation, and if another application process is using Root authority for a related operation at that moment, the calling process's Root authority application cannot succeed. Worse still, if the user has disabled Root authority in the system, the calling process cannot perform the operation at all. For this reason, the present invention proposes that only one Root authority acquisition request need be sent to the system. Specifically, Root authority can be obtained by calling the SU (Super User) command built into the system, or by obtaining a shell with Root authority and starting a process in that shell. Once the system has granted Root authority, other calling processes that subsequently perform related operations need not apply for Root authority again. For the specific Root authority acquisition process, reference may be made to the Root authority call functions of the prior art, which are not described further here. On the basis of this background knowledge, the authority request response method of the present invention is disclosed in detail below with reference to Fig. 1. The method comprises the following steps:
S11: Start a communication interface that belongs to the system level, and monitor external authority requests through the communication interface:
The communication interface in this embodiment is realized as follows: the program module that implements this method runs in memory, and after the privilege-escalation operation described above, the corresponding host process in memory registers a communication service process with the system. Taking Android as an example, the communication service process registers itself with the System Manager on the basis of the Binder mechanism provided by the Android system; through this Binder mechanism inherent to Android, a communication line with a C/S architecture is established between the communication service process and the external application processes it monitors. Specifically, after the system's Root authority has been obtained, and in order to facilitate the subsequent monitoring of, and related operations on, external application processes, the invention first starts the host process, which has obtained Root authority and is formed when the instantiated method is run. The host process inserts the communication service process into the system; for example, the insertion can be performed with the system call function ServiceManager.addService. The method is thereby successfully instantiated and running: not only is its host process resident in memory, but the communication service process it established also becomes a system-level communication interface. It should be noted that, through the above configuration, the communication service process has reached the level of a system-level service process, and its authority is clearly higher than that of other application processes, and even of the host process and the other processes that call it. The communication service process can therefore serve as the communication foundation, providing communication support to the other processes that call it and completing the communication connection between the system and those processes. It can further be inferred that any client that observes the communication specification of the communication interface of the invention can communicate with the communication interface through the Binder mechanism and obtain the corresponding authority.
The communication interface therefore takes the form of the communication service process in this embodiment. Its function is to implement Binder communication between the host process and external application processes, a mode of communication that is fast and stable. As far as this method is concerned, the important point is that the communication service process is mainly used to monitor the authority requests initiated by external application processes; such an authority request is typically a privilege-escalation request that expects to obtain Root authority in order to gain deep access to system resources. Besides using the communication service process to establish the communication interface, the method can of course use other processes to implement other functions, and these other processes can communicate with external application processes through the communication service process, so that other special operating instructions are completed by internal and external cooperation. For example, these other processes can perform one or more of the following operations, without being limited to them: uninstalling or installing an application program, or uninstalling a preset application; backing up or restoring application data; enabling or disabling an application program.
Once the communication interface has become the basis of inter-process communication, external application processes can be monitored. When an external application process needs Root authority, it sends an authority request for Root authority to the system, and the communication service process, because of its higher level, can obtain and handle this user request first. After obtaining the authority request, the communication service process can submit it to the host process of the invention for further handling.
S12: Obtain the requester's feature identifier from the authority request, and look it up in the preset authentication list to determine whether it is in the allowed state:
As is well known, the UID (User Identifier) is defined in the Android system as a specific identifier assigned to each application, and it is unique; the UID is therefore the unique feature identifier of each application. In this embodiment, the host process that implements this method can obtain the feature identifier of the external application process from the authority request that is forwarded by the communication interface and originates from that process. With this feature identifier it can identify the corresponding application program and decide whether to respond to the authority request by opening authority to it.
In this step, the host process that implements the step is also responsible for maintaining an authentication list. The authentication list can be implemented in various forms, which differ mainly in their internal mapping relation. Two forms are given below for reference:
A. Only the UIDs of the application programs that are allowed by default to obtain Root authority are stored. An application program whose feature identifier has entered the authentication list is thus regarded, when it requests Root authority, as being in the allowed state, and the request will be satisfied.
B. A status identification field is added to the authentication list of scheme A, mapping each feature identifier to a status identification character. For example, when the status identification character of the record containing a UID is "Y", the authority request corresponding to that UID is in the allowed state; when it is "N", the authority request corresponding to that UID is not in the allowed state.
Besides the two ways of implementing the authentication list described above, a process identifier (PID) can be added to make process scheduling easier. Within the life cycle of the host process, when an external application sends an authority request for the first time, the corresponding PID is obtained from the request and stored in the authentication list; when that external application process next initiates an authority request, the PID and the UID together determine whether the authority request is in the allowed state. In this way, authority request management can be refined down to the sub-processes of an external application.
When the host process that implements this method receives an authority request forwarded by the communication interface, it extracts the UID (and the PID, likewise below) and looks the UID up in the authentication list. In mode A, if the UID is present in the authentication list, the authority request corresponding to the UID is confirmed as allowed; if the UID is not in the authentication list, the UID is not allowed. In mode B, if the UID is present in the authentication list and the status identifier in its status identification field is "Y", the authority request corresponding to the UID is allowed; conversely, if the status identifier is "N", the authority request corresponding to the UID is not allowed.
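The lookup described above, as an added Python model that is not code from the patent: it covers list forms A and B, the optional PID binding, and the grant/refuse decision. The class and function names, the sample UIDs and PIDs, and the reading that a later request under the same UID but a different PID is not covered are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ALLOWED, NOT_ALLOWED = "Y", "N"   # status characters used by form B


@dataclass
class Record:
    status: str = ALLOWED          # form A stores no field: presence means allowed
    pid: Optional[int] = None      # learned on the first request when PID binding is on


class AuthList:
    """In-memory authentication list keyed by UID (hypothetical class name)."""

    def __init__(self, bind_pid: bool = False):
        self.records: Dict[int, Record] = {}
        self.bind_pid = bind_pid

    def add(self, uid: int, status: str = ALLOWED) -> None:
        if status not in (ALLOWED, NOT_ALLOWED):
            raise ValueError(f"unknown status {status!r}")
        self.records[uid] = Record(status)

    def is_allowed(self, uid: int, pid: int) -> bool:
        rec = self.records.get(uid)
        if rec is None:                # UID not in the list: not allowed (forms A and B)
            return False
        if rec.status != ALLOWED:      # form B record marked "N"
            return False
        if self.bind_pid:
            if rec.pid is None:        # first request in this host-process lifetime
                rec.pid = pid
            elif rec.pid != pid:       # same UID, other process: assumed not covered
                return False
        return True


def respond(auth: AuthList, uid: int, pid: int) -> str:
    """Look the requester up, then grant or refuse the authority request.

    On Android a Binder service can read the caller's identity with
    Binder.getCallingUid() / Binder.getCallingPid(); here it is passed in.
    """
    return "GRANT" if auth.is_allowed(uid, pid) else "REFUSE"


# Constructed sample requests as (uid, pid) pairs.
SAMPLE_REQUESTS = [(10051, 4100), (10060, 4200), (10077, 4300), (10051, 4999)]


def demo() -> Dict[str, list]:
    form_a = AuthList()                       # form A: presence only
    form_a.add(10051)
    form_b = AuthList(bind_pid=True)          # form B with PID binding
    form_b.add(10051, ALLOWED)
    form_b.add(10060, NOT_ALLOWED)
    return {
        "A": [respond(form_a, u, p) for u, p in SAMPLE_REQUESTS],
        "B+PID": [respond(form_b, u, p) for u, p in SAMPLE_REQUESTS],
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

With PID binding on, the last sample request is refused because UID 10051 was first seen under PID 4100; without it, form A grants any process running under a listed UID.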
As can be seen, with the authentication list of the invention, once the system's Root authority has been obtained, a service process with Root authority is started and a communication service process is inserted into the system. External application processes that call the communication service process then need not apply for Root authority repeatedly when performing the corresponding operations, and the operations can be performed by the started host process. This effectively avoids operation failures caused by Root authority being in use or disabled, and greatly improves the efficiency of data communication.
The initial data in the authentication list can be generated from the user's habits over the history of use of this method. For example, when the user first responds to a request from some external application process with an explicit instruction allowing it to obtain Root authority, the host process of the invention adds it to the authentication list, marked with the state of being allowed to obtain authority, so that later requests need no pop-up inquiry. The authentication list can also be maintained remotely: the host process calls a remote communication interface to download the latest authentication list data from the cloud, at fixed times or from time to time, and updates the local authentication list. This makes it possible to exploit the advantages of big data and makes the data in the authentication list more secure.
To suit this situation, a common authentication list is maintained in the cloud. The host process of a program implementing the method of the invention uploads the data on whether the user allowed each program UID to obtain authority, and each UID is then tallied statistically: when most users, such as 60%, allow a UID to obtain Root authority, the status identification field of that UID is marked "Y"; otherwise it is marked "N". The local host process downloads the common authentication list through the remote interface and compares it with the local authentication list; while respecting the user's own instructions, it adds the records that are new in the common authentication list to the local authentication list. Of course, for the sake of security, for records that have the same UID but different states in the two lists, a pop-up inquiry can ask whether the user wants to adopt the data of the common authentication list. If the user chooses yes, the common list's record for that UID replaces the corresponding record in the local authentication list; if no, the subsequent operation is abandoned. It can be seen that the authentication list can be maintained dynamically in this way, so that the authentication list realized by this technique exerts its security effect to a much greater degree.
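The cloud tally and the local merge described above, as an added Python sketch that is not code from the patent. The function names and sample data are constructed, "most users, such as 60%" is taken to mean at least 60%, and the pop-up inquiry is modeled as a callback.

```python
ALLOWED, NOT_ALLOWED = "Y", "N"
THRESHOLD_PERCENT = 60   # assumption: "most users, such as 60%" means at least 60%


def build_common_list(reports):
    """Cloud side: tally uploaded (uid, user_allowed) decisions into {uid: "Y"/"N"}."""
    tally = {}
    for uid, user_allowed in reports:
        yes, total = tally.get(uid, (0, 0))
        tally[uid] = (yes + int(bool(user_allowed)), total + 1)
    # Integer comparison avoids floating-point trouble exactly at the threshold.
    return {
        uid: ALLOWED if yes * 100 >= total * THRESHOLD_PERCENT else NOT_ALLOWED
        for uid, (yes, total) in tally.items()
    }


def merge_common_into_local(local, common, ask_user):
    """Client side: update `local` in place from the downloaded `common` list.

    New UIDs are added. Where both lists hold the UID with different states,
    ask_user(uid, local_status, common_status) stands in for the pop-up inquiry:
    True replaces the local record, False leaves the user's own decision alone.
    Returns the UIDs that were (added, replaced, kept).
    """
    added, replaced, kept = [], [], []
    for uid, status in sorted(common.items()):
        if uid not in local:
            local[uid] = status
            added.append(uid)
        elif local[uid] != status:
            if ask_user(uid, local[uid], status):
                local[uid] = status
                replaced.append(uid)
            else:
                kept.append(uid)
    return added, replaced, kept


# Constructed uploads: UID 10051 is allowed by 3 of 5 users, UID 10060 by 1 of 3.
SAMPLE_REPORTS = (
    [(10051, True)] * 3 + [(10051, False)] * 2
    + [(10060, True), (10060, False), (10060, False)]
)


def demo(user_accepts_common: bool):
    common = build_common_list(SAMPLE_REPORTS)
    local = {10060: ALLOWED, 10070: ALLOWED}      # constructed local list
    outcome = merge_common_into_local(
        local, common, lambda uid, mine, theirs: user_accepts_common
    )
    return common, local, outcome


if __name__ == "__main__":
    for choice in (False, True):
        print(choice, demo(choice))
```

UID 10070 exists only locally and is never touched by the merge, which is how the user's earlier decisions survive an update.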
It will be appreciated that the format of the common authentication list maintained in the cloud is not limited to the UID and PID fields. It can be extended to include, for example, the signing information of the program or service that calls the communication service process, so that the communication service process can additionally verify the signing information of the program or service initiating the authority request when deciding whether to open Root authority to it, strengthening the security protection.
It should be pointed out that the authentication list may be stored either as a linked list in memory or in a local database or text file; those skilled in the art can implement this flexibly.
S13: when the signature identification is in the allowed state, apply to the system for the authority on behalf of the authority request.
After the previous step, it is known whether the signature identification corresponding to an authority request is in the allowed state. If it is, the host process implemented by the present invention lets the authority request through and applies to the system for Root authority on its behalf, and the system opens Root authority to the corresponding external application process. If the previous step finds that the signature identification is in the non-allowed state, the host process can refuse the authority request by returning a dummy message to the external application process through its communication interface, so that the authority request achieves nothing; alternatively, it can directly return a reply that the authority request was unsuccessful.
With the authority request response method described above, the present invention achieves a more efficient rights management mechanism: communication between processes is faster and more effective, and at the technical level the authentication list also makes rights management more secure.
Accordingly, the present invention can provide an authority request responding device based on the foregoing method. Each module of the device implements a corresponding step of the method and the corresponding function. The device can be implemented centrally, as logic functions, on a processor. Referring to Fig. 2, the authority request responding device provided by the invention includes a communication interface 11, a retrieval unit 12 and a processing unit 13.
The communication interface 11 is built by a communication service process running in memory: after the corresponding host process in memory has carried out the privilege-escalation operation described earlier, it registers a communication service process with the system. Taking Android as an example, the communication service process relies on the Binder mechanism provided by the Android system and registers itself with the System Manager. Through Android's native Binder mechanism, a communication link with a C/S (client/server) architecture is established between the communication service process and the external application processes it monitors, and the communication service process thus forms the communication interface 11. Specifically, once the system's Root authority has been obtained, and to make it easier to monitor external application processes and perform related operations later, the present invention uses a host process to insert the communication service process into the system, for example through the system call function ServiceManager.addService. This not only keeps the host process resident in memory but also makes the communication service process it establishes the system-level communication interface 11. Note that with this configuration the communication service process has become a system-level service process; its authority is clearly higher than that of other external application processes, and even of the host process and the other processes that call it. The communication service process can therefore serve as the communication foundation, providing communication support for the processes that call it and completing the communication link between the system and those processes.
Therefore, in this embodiment the communication interface 11 takes the form of the communication service process, and its function is to implement Binder communication between the host process and external application processes; this communication mode is fast and stable. For the purposes of this device, what matters most is that the communication service process monitors the authority requests initiated by external application processes. Such an authority request usually means a privilege-escalation request that expects to obtain Root authority for deep access to system resources. Besides using the communication service process to establish the communication interface 11, the device can of course use other processes to implement other functions. These other processes can communicate with external application processes through the communication service process, so that other special operating instructions are completed by cooperation between the inside and the outside. For example, these other processes can perform one or more of the following operations, without being limited to them: uninstalling preset applications, installing or uninstalling applications, backing up or restoring application data, enabling or disabling applications, and clearing memory.
Once the communication interface 11 has become the basis of inter-process communication, it can monitor external application processes. When an external application process needs Root authority, it sends the system an authority request for Root authority; because the communication service process sits at a higher level, it obtains and handles this user request first. After obtaining the authority request, the communication service process can submit it to the host process of the present invention for further processing.
The retrieval unit 12 is configured to obtain the signature identification of the requesting party from the authority request and to look up in a preset authentication list whether that signature identification is in the allowed state.
As is well known, the Android system defines the UID (User Identifier) as a specific identifier for each particular application. It is unique, so the UID is the unique signature identification of each application. In this embodiment, the host process implemented by the device can obtain the signature identification of the external application process from the authority request that the communication interface 11 forwards from that process, use it to identify the corresponding application, and decide whether to open a response to the authority request for it.
The host process that implements the retrieval unit 12 is also responsible for maintaining an authentication list, and a maintenance unit (not shown) is built on this basis to maintain the list. Logically, the maintenance unit can be combined with the retrieval unit 12 or be independent of it. The authentication list can be implemented in various forms, which differ mainly in their internal mapping relations. Two forms are given below for reference:
A. Store only the UIDs of the applications that are allowed by default to obtain Root authority. An application whose signature identification has been entered in the authentication list is then regarded as being in the allowed state when it requests Root authority, and its request is satisfied.
B. Add a status identifier field to the authentication list of scheme A, mapping each signature identification to a status identifier character. For example, when the status identifier character of the record for a UID is "Y", the authority request corresponding to that UID is in the allowed state; when it is "N", the authority request corresponding to that UID is in the non-allowed state.
Besides these two ways of implementing the authentication list, a process identifier (PID) can also be added to facilitate process scheduling. Within the life cycle of the host process, when an external application sends an authority request for the first time, the corresponding PID is obtained from the request and stored in the authentication list; when that external application process next initiates an authority request, the stored values are used for comparison, and the PID and UID together determine whether the authority request is in the allowed state. In this way authority request management can be refined down to the sub-processes of an external application.
After the host process implemented by the device receives the authority request forwarded by the communication interface 11, it extracts the UID from it (and the PID; the same applies below) and looks the UID up in the authentication list. In mode A, if the UID is present in the authentication list, the authority request corresponding to the UID should be allowed; if there is no corresponding UID in the list, the UID is not allowed. In mode B, if the UID is present in the authentication list and the status identifier in its status identifier field is "Y", the authority request corresponding to the UID should be allowed; conversely, if the status identifier is "N", the authority request corresponding to the UID is not allowed.
It can be seen that with the authentication list of the present invention, once system Root authority has been obtained, a service process with Root authority is started and the communication service process is inserted into the system. An external application process that calls the communication service process then need not apply for Root authority again each time it performs an operation; the started host process can perform the operation instead. This effectively avoids operation failures caused by Root authority being in use or disabled, and greatly improves the efficiency of data communication.
Maintenance of the authentication list is carried out by the maintenance unit and covers how the list acquires its basic data and how that data is updated.
The initial data in the authentication list can be generated from the user's usage habits over the history of use of this device. For example, the first time a given external application process makes a request and the user gives a subjective instruction allowing it to obtain Root authority, the host process of the present invention adds it to the authentication list, marked as allowed to obtain the authority, so that later requests need no pop-up query. The authentication list can also be maintained remotely in combination with the cloud: the host process calls the remote communication interface 11 to download the latest authentication list data from the cloud, periodically or from time to time, and updates the local authentication list with it. This exploits the advantage of big data and makes the data in the authentication list more secure.
To suit this situation, a common authentication list is maintained in the cloud. The installed host processes of the present invention upload the data on whether the user allowed the authority for each program UID, and each UID is then tallied statistically: when a majority of users, for example 60%, allow a given UID to obtain Root authority, the status identifier corresponding to that UID is marked "Y"; otherwise it is marked "N". The local host process downloads the common authentication list through the remote interface and compares it with the local authentication list; while respecting the user's subjective instructions, it adds the records that are new in the common authentication list to the local authentication list. For safety, records that have the same UID but a different state in the two tables can trigger a pop-up query asking whether the user wants to use the data of the common authentication list: if the user chooses yes, the record for that UID in the common authentication list replaces the corresponding record of the local authentication list; if no, the subsequent operation is abandoned. Clearly, these local operations should be implemented by an authentication list dynamic update module in the maintenance unit, which better fits the logical division. The maintenance unit can further include a program upgrade module for following up with dynamic updates of the program implemented by the present invention. In this way the authentication list is maintained dynamically, so that the list, from a technical standpoint, delivers its security effect to the full.
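The cloud tally and local merge described here and in the method description above, as an added Python sketch that is not code from the patent. Function names, the `ask_user` callback and the sample UIDs are constructed; counting exactly 60% as a majority is an assumption, and UID values are assumed to be comparable across devices, as the page assumes.

```python
from typing import Callable, Dict, Iterable, List, Tuple

THRESHOLD_PERCENT = 60  # the page's example of "a majority of users"


def build_common_list(reports: Iterable[Tuple[int, bool]],
                      threshold_percent: int = THRESHOLD_PERCENT) -> Dict[int, str]:
    """Cloud side: tally uploaded (uid, allowed) decisions into "Y"/"N"."""
    allow: Dict[int, int] = {}
    total: Dict[int, int] = {}
    for uid, allowed in reports:
        total[uid] = total.get(uid, 0) + 1
        allow[uid] = allow.get(uid, 0) + (1 if allowed else 0)
    # Integer comparison avoids float rounding exactly at the threshold.
    return {uid: "Y" if allow[uid] * 100 >= threshold_percent * total[uid] else "N"
            for uid in total}


def merge_common_into_local(local: Dict[int, str],
                            common: Dict[int, str],
                            ask_user: Callable[[int, str, str], bool]
                            ) -> Tuple[Dict[int, str], Dict[str, List[int]]]:
    """Device side: add new records, ask before replacing a conflicting one.

    ask_user(uid, local_state, common_state) stands in for the pop-up query
    and returns True when the user accepts the common list's record.
    The local list passed in is not modified; a merged copy is returned.
    """
    merged = dict(local)
    report: Dict[str, List[int]] = {
        "added": [],        # UIDs that existed only in the common list
        "added_allow": [],  # subset of "added" that arrives as "Y": worth auditing,
                            # because the local user never decided on these UIDs
        "replaced": [],     # conflicts where the user accepted the common record
        "kept": [],         # conflicts where the user kept the local record
    }
    for uid in sorted(common):
        state = common[uid]
        if uid not in merged:
            merged[uid] = state
            report["added"].append(uid)
            if state == "Y":
                report["added_allow"].append(uid)
        elif merged[uid] != state:
            if ask_user(uid, merged[uid], state):
                merged[uid] = state
                report["replaced"].append(uid)
            else:
                report["kept"].append(uid)
    return merged, report


# Constructed sample data (UIDs and votes are made up for illustration).
SAMPLE_REPORTS = (
    [(10050, True)] * 3 + [(10050, False)] * 2      # 60% allow  -> "Y"
    + [(10060, True)] + [(10060, False)] * 3        # 25% allow  -> "N"
    + [(10070, True)] * 2 + [(10070, False)]        # ~67% allow -> "Y"
    + [(10080, True), (10080, False)]               # 50% allow  -> "N"
)
SAMPLE_LOCAL = {10050: "N", 10060: "N", 10090: "Y"}

if __name__ == "__main__":
    common_list = build_common_list(SAMPLE_REPORTS)
    print("common list:", common_list)
    # The user declines every replacement in this run.
    merged_list, merge_report = merge_common_into_local(
        SAMPLE_LOCAL, common_list, lambda uid, local_s, common_s: False)
    print("merged list:", merged_list)
    print("report:", merge_report)
```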
It should be pointed out that the authentication list may be stored either as a linked list in memory or in a local database or text file; those skilled in the art can implement this flexibly.
The processing unit 13 is configured to apply to the system for the authority on behalf of the authority request when the signature identification is in the allowed state, and to refuse the authority request when the signature identification is in the non-allowed state.
After processing by the retrieval unit 12, it is known whether the signature identification corresponding to an authority request is in the allowed state. If it is, the host process implemented by the present invention lets the authority request through and applies to the system for Root authority on its behalf, and the system opens Root authority to the corresponding external application process. If the result obtained by the retrieval unit 12 is that the signature identification is in the non-allowed state, the host process can refuse the authority request by returning a dummy message to the external application process through its communication interface 11, so that the authority request achieves nothing; alternatively, it can directly return a reply that the authority request was unsuccessful.
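The retrieval unit's lookup in modes A and B, the optional PID comparison, and the processing unit's allow or refuse reply, as an added Python model that is not code from the patent. Class and function names and the sample UIDs and PIDs are constructed; treating a missing mode-B record, or a PID that differs from the one recorded first, as non-allowed is this example's assumption.

```python
from typing import Dict, Optional, Set


class AuthList:
    """Authentication list.

    Mode "A": a UID is allowed if it is present in the list.
    Mode "B": each UID maps to a status identifier, "Y" or "N".
    """

    def __init__(self, mode: str,
                 allowed_uids: Optional[Set[int]] = None,
                 status: Optional[Dict[int, str]] = None,
                 bind_pid: bool = False):
        if mode not in ("A", "B"):
            raise ValueError("mode must be 'A' or 'B'")
        self.mode = mode
        self.allowed_uids = set(allowed_uids or ())
        self.status = dict(status or {})
        self.bind_pid = bind_pid
        # UID -> PID seen on the first request. Kept in memory only, so it
        # lasts for the life cycle of the host process, as the page describes.
        self.first_pid: Dict[int, int] = {}

    def uid_allowed(self, uid: int) -> bool:
        if self.mode == "A":
            return uid in self.allowed_uids
        # Only an explicit "Y" allows. "N" is non-allowed per the page; a
        # missing record or any other value is also refused here
        # (fail closed, an assumption of this example).
        return self.status.get(uid) == "Y"

    def check(self, uid: int, pid: int) -> str:
        """Return "allowed", or the reason the request is non-allowed."""
        if not self.uid_allowed(uid):
            return "uid-not-allowed"
        if self.bind_pid:
            # First request records the PID; later requests must match it.
            recorded = self.first_pid.setdefault(uid, pid)
            if recorded != pid:
                return "pid-mismatch"  # assumption: treated as non-allowed
        return "allowed"


def respond(auth: AuthList, uid: int, pid: int, dummy_reply: bool = True) -> dict:
    """Processing unit: apply for Root on an allowed request, else refuse.

    A refusal is sent either as a dummy message or as an explicit
    "request unsuccessful" reply, the two options the page names.
    """
    verdict = auth.check(uid, pid)
    if verdict == "allowed":
        return {"uid": uid, "pid": pid, "action": "apply-root"}
    return {"uid": uid, "pid": pid, "action": "refuse",
            "reply": "dummy" if dummy_reply else "request-unsuccessful",
            "reason": verdict}


# Constructed sample data (UIDs and PIDs are made up for illustration).
SAMPLE_STATUS = {10050: "Y", 10060: "N"}
SAMPLE_REQUESTS = [
    (10050, 4321),  # listed "Y", first request: PID recorded, allowed
    (10050, 4321),  # same UID and PID: allowed
    (10050, 9999),  # same UID, different PID: refused
    (10060, 5000),  # listed "N": refused
    (10099, 5100),  # not listed: refused
]


def demo() -> list:
    auth = AuthList("B", status=SAMPLE_STATUS, bind_pid=True)
    return [respond(auth, uid, pid) for uid, pid in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The refusal records carry a reason field so that refused requests can be logged and reviewed.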
Note that, in terms of how long the authority remains in effect, Root authority can be obtained as permanent Root authority or temporary Root authority. As the names suggest, with permanent Root authority an application that has been granted Root once need not perform the Root privilege-escalation operation again; with temporary Root authority the authority lasts for one run of the operating system from power-on to shutdown, and Root must be obtained again at the next start. The present invention is not limited by this classification, but optional handling can be implemented for the two modes. For example, a user interface can let the user choose permanent Root or temporary Root, and each UID in the local authentication list can carry an additional type identifier indicating permanent Root or temporary Root; the user program or process initiating a request is then handled differently according to the identifier.
As stated earlier, the present invention can have the instructions that follow an authority request executed by a service process. This service process can be independent; for convenience of description it is called the command service process. After the service process of the present invention that handles rights management has successfully obtained system Root authority for the user's authority request, the service process can be bound for direct communication with the user process that initiated the authority request. The user process then sends instructions to the service process, for example: uninstalling preset applications, installing or uninstalling applications, backing up or restoring application data, enabling or disabling applications, and clearing memory or cache. The service process is configured with functions for these tasks; it parses the instruction from the user process and calls the function corresponding to the user's target function, thereby meeting the user's need.
In summary, the above embodiments show that the authority request management function implemented by the present invention offers fast and efficient communication and is technically secure and reliable.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art can make improvements and modifications without departing from the principles of the invention, and such improvements and modifications shall also be regarded as falling within the scope of protection of the present invention.

Claims (14)

1. An authority request response method, characterized by comprising the following steps:
starting a communication interface belonging to the system level, and monitoring external authority requests through the communication interface;
obtaining the signature identification of the requesting party from the authority request, and looking up in a preset authentication list whether the signature identification is in the allowed state; the signature identification comprises a UID and a PID; within the life cycle of the host process, when the requesting party sends an authority request for the first time, the corresponding PID is obtained from it and stored in the local authentication list, for comparison when the requesting party next initiates an authority request;
obtaining common authentication list data from a remote interface and updating the local authentication list, the common authentication list data comprising data on whether users allowed the authority for each program UID and PID; for records in the two tables that have the same UID and PID but different states, issuing a pop-up query asking whether the user wants to use the data of the common authentication list; if the user chooses yes, replacing the corresponding record of the local authentication list with the record for that UID and PID in the common authentication list; if no, abandoning the subsequent operation;
when the signature identification is in the allowed state, applying to the system for the authority on behalf of the authority request; after Root authority has been successfully obtained through the authority request, binding communication between the user process that initiated the authority request and a service process, the service process being configured to respond to and execute the instructions that the user process requests to be executed.
2. The authority request response method according to claim 1, characterized in that the system-level communication interface is a communication service process established on the basis of Android's Binder mechanism, for communicating with the external application process that initiates the authority request.
3. The authority request response method according to claim 1, characterized in that the signature identification is the UID in the Android system, each UID corresponding to one application.
4. The authority request response method according to claim 1, characterized in that the preset authentication list stores a number of signature identifications, and the presence of a signature identification in the authentication list indicates that the signature identification is in the allowed state.
5. The authority request response method according to claim 1, characterized in that the preset authentication list stores a number of signature identifications and a status identifier field set for each signature identification; when the status identifier field corresponding to a signature identification is set to a symbol representing allowed, that symbol indicates that the signature identification is in the allowed state.
6. The authority request response method according to claim 1, characterized in that the authority request is refused when the signature identification is in the non-allowed state.
7. The authority request response method according to any one of claims 1 to 6, characterized in that the local authentication list is provided with a type identifier representing the period during which the authority of the user program corresponding to the signature identification is in effect; when applying to the system for authority, the authority of the type corresponding to the type identifier is applied for.
8. An authority request responding device, characterized in that it comprises:
a communication interface, started at the system level, for monitoring external authority requests;
a retrieval unit, for obtaining the signature identification of the requesting party from the authority request and looking up in a preset authentication list whether the signature identification is in the allowed state; the signature identification comprises a UID and a PID; within the life cycle of the host process, when the requesting party sends an authority request for the first time, the corresponding PID is obtained from it and stored in the local authentication list, for comparison when the requesting party next initiates an authority request;
a maintenance unit, for obtaining common authentication list data from a remote interface and updating the local authentication list, the common authentication list data comprising data on whether users allowed the authority for each program UID and PID; for records in the two tables that have the same UID and PID but different states, a pop-up query asks whether the user wants to use the data of the common authentication list; if the user chooses yes, the record for that UID and PID in the common authentication list replaces the corresponding record of the local authentication list; if no, the subsequent operation is abandoned;
a processing unit, for applying to the system for the authority on behalf of the authority request when the signature identification is in the allowed state;
and a service process which, after Root authority has been successfully obtained through the authority request, is bound for communication with the user process that initiated the authority request, the service process being configured to respond to and execute the instructions that the user process requests to be executed.
9. The authority request responding device according to claim 8, characterized in that the communication interface is a communication service process established on the basis of Android's Binder mechanism and placed at the system level, which obtains the authority request by communicating with the external application process.
10. The authority request responding device according to claim 8, characterized in that the signature identification is the UID in the Android system, each UID corresponding to one application.
11. The authority request responding device according to claim 8, characterized in that the preset authentication list is used to store a number of signature identifications, and the presence of a signature identification in the authentication list indicates that the signature identification is in the allowed state.
12. The authority request responding device according to claim 8, characterized in that the preset authentication list is used to store a number of signature identifications and a status identifier field set for each signature identification; when the status identifier field corresponding to a signature identification is set to a symbol representing allowed, that symbol indicates that the signature identification is in the allowed state.
13. The authority request responding device according to claim 8, characterized in that the processing unit is configured to refuse the authority request when the signature identification is in the non-allowed state.
14. The authority request responding device according to any one of claims 8 to 13, characterized in that the local authentication list is provided with a type identifier representing the period during which the authority of the user program corresponding to the signature identification is in effect; when applying to the system for authority, the authority of the type corresponding to the type identifier is applied for.
CN201410696530.4A 2014-11-26 2014-11-26 Authority request response method and corresponding device Expired - Fee Related CN104346559B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410696530.4A CN104346559B (en) 2014-11-26 2014-11-26 Authority request response method and corresponding device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410696530.4A CN104346559B (en) 2014-11-26 2014-11-26 Authority request response method and corresponding device

Publications (2)

Publication Number Publication Date
CN104346559A CN104346559A (en) 2015-02-11
CN104346559B true CN104346559B (en) 2018-01-02

Family

ID=52502140

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410696530.4A Expired - Fee Related CN104346559B (en) 2014-11-26 2014-11-26 Authority request response method and corresponding device

Country Status (1)

Country Link
CN (1) CN104346559B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105808536B (en) * 2014-12-27 2021-01-12 北京奇虎科技有限公司 File processing method and device
CN105282241B (en) * 2015-09-28 2021-11-16 青岛海尔智能家电科技有限公司 Control method and device for Internet of things equipment
CN105243325A (en) * 2015-09-29 2016-01-13 北京奇虎科技有限公司 Method for residual process file in mobile terminal, mobile terminal and server
CN106886715A (en) * 2015-12-15 2017-06-23 北京奇虎科技有限公司 authority request response method and corresponding device
CN106886712B (en) * 2015-12-16 2021-03-19 北京奇虎科技有限公司 Method and device for installing program
CN106919812B (en) * 2015-12-26 2020-06-16 腾讯科技(深圳)有限公司 Application process authority management method and device
CN107203706B (en) * 2016-03-16 2020-04-14 阿里巴巴集团控股有限公司 APP internal permission detection method and device
CN105912930B (en) * 2016-04-11 2019-02-01 北京奇虎科技有限公司 Mobile terminal and its system resource method of controlling security
CN106127031A (en) * 2016-06-23 2016-11-16 北京金山安全软件有限公司 Method and device for protecting process and electronic equipment
CN106296129A (en) * 2016-08-16 2017-01-04 天脉聚源(北京)传媒科技有限公司 A kind of status indicator method and device
CN106372496A (en) * 2016-08-31 2017-02-01 福建联迪商用设备有限公司 Method and system for improving payment terminal application security
CN106503577A (en) * 2016-09-28 2017-03-15 乐视控股(北京)有限公司 A kind of System right management method, device and corresponding equipment
CN106570390A (en) * 2016-10-27 2017-04-19 努比亚技术有限公司 Equipment permission control method and device
CN107333150A (en) * 2017-08-15 2017-11-07 四川长虹电器股份有限公司 The method that management and control is installed in Android intelligent television application
CN109936550A (en) * 2017-12-18 2019-06-25 福建天泉教育科技有限公司 The setting method and terminal of network firewall in a kind of Android system
CN115314247B (en) * 2022-06-30 2024-02-09 中化学交通建设集团有限公司 Internet of things equipment management method and related equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102591727A (en) * 2012-01-04 2012-07-18 华为终端有限公司 Method for processing application data and computing node
CN103617389A (en) * 2013-11-08 2014-03-05 上海天奕达网络科技有限公司 Terminal rights management method and terminal device
CN103826215A (en) * 2014-02-11 2014-05-28 北京奇虎科技有限公司 Method and apparatus for carrying out root authority management at terminal equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103108320A (en) * 2011-11-15 2013-05-15 网秦无限(北京)科技有限公司 Method and system for monitoring application program of mobile device

Also Published As

Publication number Publication date
CN104346559A (en) 2015-02-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220727

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

TR01 Transfer of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180102