CN105306447B - A kind of method and system being had secure access in smart machine using D-Bus - Google Patents

A kind of method and system being had secure access in smart machine using D-Bus Download PDF

Info

Publication number
CN105306447B
CN105306447B CN201510605432.XA CN201510605432A CN105306447B CN 105306447 B CN105306447 B CN 105306447B CN 201510605432 A CN201510605432 A CN 201510605432A CN 105306447 B CN105306447 B CN 105306447B
Authority
CN
China
Prior art keywords
bus
interface
sensitive permission
verification
sensitive
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510605432.XA
Other languages
Chinese (zh)
Other versions
CN105306447A (en
Inventor
宋仓龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yuanxin Information Technology Group Co.,Ltd.
Original Assignee
Beijing Yuanxin Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Yuanxin Science and Technology Co Ltd filed Critical Beijing Yuanxin Science and Technology Co Ltd
Priority to CN201510605432.XA priority Critical patent/CN105306447B/en
Publication of CN105306447A publication Critical patent/CN105306447A/en
Application granted granted Critical
Publication of CN105306447B publication Critical patent/CN105306447B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses the method and systems being had secure access in a kind of smart machine using D-Bus, the method comprise the steps that configuration D-Bus services the sensitive permission of each interface;Determine whether the access request from a process is related to sensitive permission;When the request is related to sensitive permission and requested process provides verification interface, verified using the verification interface according to the verification rule of requested process;When verification passes through, D-Bus forwards access request message to requested process.The method of the present invention and system realize that unified security examines verification, have not only met simple and safe demand but also have met complicated demand for security, so as to adapt to the safety requirements of different industries.

Description

A kind of method and system being had secure access in smart machine using D-Bus
Technical field
This application involves in smart machine data transmission more particularly to it is a kind of using D-Bus smart machine in into The method and system of row secure access.
Background technique
D-Bus is Linux interprocess communication (IPC) mechanism increased income under freedesktop, is issued using GPL licensing. Other IPC communication mechanisms of itself Linux further include: pipeline (fifo), shared drive, semaphore, message queue, Socket Deng.D-Bus aims at two kinds of concrete condition designs:
1, the communication between the application of same desktop session, to allow to integrate desktop session as an entirety, and solve into The life cycle problem of journey, this is referred to as session bus;
2, the communication between desktop session and operating system, operating system generally include kernel and any system finger daemon or Process, this is referred to as system bus.
For built-in desktop session, popular GNOME and KDE desktop has completely different IPC solution experience, Such as CORBA and DCOP.The foundation of D-Bus is based on these experiences, and well-designed, to meet the special need of these desktop applications It asks, therefore D-Bus has very strong flexibility.
However, saying from security standpoint, although D-Bus has done some security strategy configurations, these strategy configurations are by taking Business supplier provides according to oneself demand for services.This causes different demands for security to need to disperse to be configured, and inconvenience is pacified Full management, does not have unified examination verification scheme yet.
Summary of the invention
An object of the application be to provide in the smart machine using D-Bus it is a kind of have unified security examine verification, Not only meet simple and safe demand but also meet the safety access method and system of complicated demand for security.
An object of the application realized by a kind of had secure access in smart machine using D-Bus method, the party Method includes:
Configuration D-Bus services the sensitive permission of each interface;
Determine whether the access request from a process is related to sensitive permission;
When access request is related to sensitive permission and requested process and provides verification interface, using verification interface according to being asked The verification rule of process is asked to be verified;
When verification passes through, D-Bus forwards access request message to requested process.
An object of the application is also by the security access system realization in a kind of smart machine using D-Bus, the system packet It includes:
Configuration unit services the sensitive permission of each interface for configuring D-Bus;
Sensitive permission determination unit, for determining whether the access request from a process is related to sensitive permission;
Verification unit, for utilizing verification when access request is related to sensitive permission and requested process provides verification interface Interface is verified according to the verification rule of requested process;
D-Bus retransmission unit, for request message to be transmitted to requested process when verification passes through.
By the present processes and system, since D-Bus is provided with unified sensitive permission verification, so that D-Bus has The realization of body service is adapted to the safety requirements of different industries, because security centre is that various industries or department respectively provide , D-Bus is verified using its security centre's verification interface, therefore necessarily satisfying for its demand for security, such as: certain industry It needs to limit the access of certain equipment, limit certain sensitive document access or limitation sensitive data access etc..It is related to for any To the access of sensitive security, it is only necessary to secure access can be realized by the present processes and system, not only contribute to equipment Safety, and it is additionally beneficial to the scalability of equipment.
Unless explicitly stated otherwise, singular as used herein " one ", "the" include that plural reference (has " at least one " The meaning).It will be further understood that terminology used herein " having ", " include " and or " include " show exist institute it is old Feature, step, the operations, elements, and/or components of column, but do not preclude the presence or addition of one or more other features, step, behaviour Work, component, assembly unit and/or combination thereof.Term "and/or" as used in this includes one or more relevant items enumerated Any and all combination.Unless explicitly stated otherwise, the step of any method disclosed herein need not be accurately according to disclosed sequence It executes.
Detailed description of the invention
The present invention will more completely be illustrated below with reference to attached drawing and in conjunction with preferred embodiment.
Fig. 1 is the schematic illustration of the existing security strategy of D-Bus.
Fig. 2 is the flow chart according to an embodiment of the method for the present invention.
Fig. 3 is the flow chart according to another embodiment of the method for the present invention.
Fig. 4 is the structural schematic diagram according to an embodiment of present system.
Fig. 5 is the structural schematic diagram according to another embodiment of present system.
For clarity, these attached drawings are figure that is schematic and simplifying, they are only gived for understanding institute of the present invention Necessary details, and omit other details.
Specific embodiment
By detailed description given below, the scope of application of the invention will be evident.It will be appreciated, however, that detailed While thin description and specific example show the preferred embodiment for the present invention, they are provided only for illustration purpose.
The most important purposes of D-Bus is to provide communication in Linux desktop environment for process, while can be by Linux desktop ring Border and linux kernel event are as message transmission to process.D-Bus is a message bus system, and function has covered process Between all demands for communicating, and have some special purposes.D-Bus is the interprocess communication system of 3 layer architectures, including following Several parts:
The library-libdbus is supplied to each application call, the ability for making application program have communication and data exchange, Two application programs can be communicated directly, be like the channel socket, established after channel between two programs, just It can communicate.
Message finger daemon creates on the basis of libdbus, can manage the communication between multiple application programs.Often A application program all establishes the connection of dbus with message finger daemon, and the assignment of message is then carried out by message finger daemon.
, there are libdbus-glib, libdbus-qt etc. in various packaging libraries, it is therefore an objective to which the bottom api of dbus is carried out one Lower encapsulation.
Fig. 1 shows the schematic illustration of the existing security strategy of D-Bus.As shown in fig. 1, the existing security strategy of D-Bus Configuration file is only to be decided whether to forward request message according to destination matching rule, if destination matches, in the future Another application process is transmitted to from the request message of an application process.Specific verification of the D-Bus without sensitive permission.
Fig. 2 shows an embodiments according to the method for the present invention, in such as mobile electricity of the smart machine using D-Bus Secure access is realized in words, Pad etc., the method comprising the steps of:
Step S10, configuration D-Bus service the sensitive permission of each interface.Term " sensitive permission " refers to access sensitive equipment, quick Feel the permission of resource.Sensitive permission is defined by the user and is integrated into system, common sensitive permission for example including but it is unlimited Yu represents bluetooth access right, storage card access right, camera access right, WiFi access right and phone access right.? In embodiment, by respectively being connect with being used to refer to service to existing D-Bus service strategy (policy) file extent grammer keyword Which kind of sensitive permission mouth is related to.For example, expanding on original policy keyword basis on existing xml elements of grammar Method_permission keyword, it occurs as the attribute of allow/deny keyword, to be used to describe this service interface The sensitive permission title that middle method is related to, is related to multiple sensitive permissions, can be with ' | ', and symbol connects.Than as follows Face rule:
< allow send_destination=" com.service.time "
Send_interface=" com.service.time.interface "
Send_member=" wall_clock_settings "
Send_type=" method_call "
Method_permission=" SYS.PERMISSION.ADMIN_TIME "/>
Whenever the starting of D-Bus own services, configuration file is parsed, to identify new permission keyword language Method, to identify which service interface needs to carry out sensitive permission verification.
Step S20, determines whether the access request from a process is related to sensitive permission.If it is determined that access request does not relate to And sensitive permission, processing go to step S41, request message is transmitted to requested process by D-Bus.Otherwise, processing proceeds to step Rapid S30.
Step S30 is advised using verification interface according to the verification of requested process when requested process provides verification interface Then verified.Different industries have different security centres according to different demands for security, thus have different safety check rules. Security centre provides the interface for sensitive permission verification, is then integrated into D-Bus, so that D-Bus is used to carry out permission school It tests.After obtaining check results, processing proceeds to step S40.
As an example, such as public security system information security center, the information system of its own must assure that safe (such as citizen ID certificate information), some dbus service provide interface, to facilitate third party user to access its information system, but It is that must assure that secure access, in order to reach this purpose, which services when configuring interface message, has done and has retouched as described below It states:
< allow send_destination=" com.syberos.access. "
Send_interface=" com.syberos.access.ID "
Method=" GetID " permission=" COM.SYBEROS.ID.ENABLE "/>
Above description expresses, if it is desired to just must have using this dbus service interface member GetID This permission of COM.SYBEROS.ID.ENABLE can access.
After above-mentioned exploitation and configuration description are completed in Dbus service, public security system information security center also needs to realize its access The definition of rule, and according to its access rule, to determine whether some access request allows, for example public security system security centre is fixed The following simple rule of justice (the rule definition that other industries have its own):
A, all users use system itself UID to indicate.
B, security centre is provided with some ability groups, such as: capable of accessing the group of ID card information, (this group possesses COM.SYBEROS.ID.ENABLE permission), can access group of account information etc., each group be certain permissions set.
C, the connection between each UID and each secure group is defined, for example, UID-A belongs to the group that can access identity card, UID-B Belong to the group that can access the registered permanent residence, UID-C belongs to above-mentioned two group, etc. simultaneously.
Verification library is provided so that dbus is integrated, the interface in the library can receive UID, dbus required parameter and access is related to Sensitive permission (similar COM.SYBEROS.ID.ENABLE as permission).In this way, the library can be tri- according to a, b, c Rule come determine issue request uid whether have permission to access its request interface.
Step S40 is determined and is verified successfully or fail.If verification failure, processing goes to step S42, and D-Bus forbids turning Send out access request message.If verification passes through, processing proceeds to step S41, and access request message is transmitted to requested by D-Bus Process.
Fig. 3 shows another embodiment of the method for the present invention.The sensitive permission basis of each interface is serviced in configured D-Bus On, when D-Bus is received from the access request message of a process, processing proceeds to step S21, and acquisition request message body is each The value of field, including but not limited to user identifier UID and the interface used.Later, processing proceeds to step S25, determines and uses Interface whether announced.If interface is not announced, processing proceeds to step S42, and D-Bus forbids forwarding access request message. If interface is announced, processing proceeds to step S26, obtains sensitive permission list.Later, processing proceeds to step S27, and determination makes Whether interface is contained in sensitive permission list.If not, processing proceeds to step S41, D-Bus allows that access is forwarded to ask Seek message.If it is, thinking that access request is related to sensitive permission, processing proceeds to step S30, provides school in requested process When testing interface, is verified using verification interface according to the verification rule of requested process and obtain inspection result.Then, it handles Proceed to step S40, determines and verify successfully or fail.If verification failure, processing go to step S42, D-Bus forbids forwarding Access request message.If verification passes through, processing proceeds to step S41, and D-Bus allows to forward access request message.Then, locate Reason terminates.
In embodiment, further include step S22 between step S21 and step S25, obtain access request originator and receiving end is double The UID of side.Then, processing proceeds to step S23, determines whether two UID are consistent.If two UID are consistent, show that this is asked Seeking Truth oneself is sent to oneself, and processing proceeds to step S41, and D-Bus allows to forward access request message.If it is inconsistent, Processing proceeds to step S25, is handled as described above.
Fig. 4 shows an embodiment of the system according to the present invention, which is contained in the smart machine using D-Bus And include: configuration unit 10, the sensitive permission of each interface is serviced for configuring D-Bus;Sensitive permission determination unit 20, for true Whether the fixed access request from a process is related to sensitive permission;Verification unit 30, for being related to sensitive permission in access request And requested process is verified using verification interface according to the verification rule of requested process when providing verification interface;D-Bus Retransmission unit 40, for request message to be transmitted to requested process when verification passes through.
Fig. 5 shows another embodiment of the system according to the present invention, which includes: configuration unit 10, for configuring D-Bus services the sensitive permission of each interface;Field value obtains subelement 21, the user identifier at least acquisition request message body The value of UID field and the interface field used;It announces and determines subelement 22, for determining whether the interface used has been announced;Column Table obtains subelement 23, and sensitive permission list is obtained when for having announced in the interface used;Subelement 24 is determined, for making Interface determines that access request is related to sensitive permission when being contained in sensitive permission list;Verification unit 30, for accessing It is advised using verification interface according to the verification of requested process when request is related to sensitive permission and requested process offer verification interface Then verified;D-Bus retransmission unit 40 for request message to be transmitted to requested process when verification passes through, and makes Forbid forwarding access request message when interface is not announced.
By means of the present invention and system, D-Bus is from before forwarding access request message, be to being related to sensitive permission Request carry out safety check, to decide whether to forward, to realize unified permission in the smart machine using D-Bus Verification, and meet different degrees of demand for security.
Some preferred embodiments are illustrated in front, it should be emphasized, however, that the present invention is not limited to this A little embodiments, but can be realized with the other way within the scope of present subject matter.

Claims (10)

1. a kind of method being had secure access in smart machine using D-Bus, which is characterized in that the described method includes:
Configuration D-Bus services the sensitive permission of each interface;
Determine whether the access request from a process is related to sensitive permission;
When the request is related to sensitive permission and requested process and provides verification interface, using the verification interface according to being asked The verification rule of process is asked to be verified;
When verification passes through, D-Bus forwards access request message to requested process.
2. according to the method described in claim 1, where it is determined whether the step of being related to sensitive permission include:
The value of each field of acquisition request message body;
Determine whether the request is related to sensitive permission according to described value.
3. according to the method described in claim 2, the interface that wherein described value includes at least user identifier UID and uses.
4. according to the method described in claim 3, wherein determining whether the request is related to the step of sensitive permission according to described value Suddenly include:
Determine whether the interface used has been announced;
When the interface used has been announced, sensitive permission list is obtained;
When the interface used is contained in the list, determine that the request is related to sensitive permission.
5. according to the method described in claim 4, further include:
When the interface used is not announced, D-Bus forbids forwarding access request message.
6. according to the method described in claim 4, further include:
When the interface used is not included in the list, D-Bus allows to forward access request message.
7. the security access system in a kind of smart machine using D-Bus, comprising:
Configuration unit services the sensitive permission of each interface for configuring D-Bus;
Sensitive permission determination unit, for determining whether the access request from a process is related to sensitive permission;
Verification unit, for utilizing the verification when the request is related to sensitive permission and requested process provides verification interface Interface is verified according to the verification rule of requested process;
D-Bus retransmission unit, for request message to be transmitted to requested process when verification passes through.
8. system according to claim 7, wherein sensitive permission determination unit includes:
Field value obtains subelement, the user identifier UID field at least acquisition request message body and the interface field that uses Value;
Sensitive permission determines subelement, for determining whether the request is related to sensitive permission according to described value.
9. system according to claim 8, wherein sensitive permission determines that subelement includes:
It announces and determines subelement, for determining whether the interface used has been announced;
List obtains subelement, for obtaining sensitive permission list when the interface used has been announced;
Subelement is determined, for determining that the request is related to sensitive power when the interface used is contained in the list Limit.
10. system according to claim 9, wherein D-Bus retransmission unit is forbidden when the interface used is not announced Forward access request message.
CN201510605432.XA 2015-09-21 2015-09-21 A kind of method and system being had secure access in smart machine using D-Bus Active CN105306447B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510605432.XA CN105306447B (en) 2015-09-21 2015-09-21 A kind of method and system being had secure access in smart machine using D-Bus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510605432.XA CN105306447B (en) 2015-09-21 2015-09-21 A kind of method and system being had secure access in smart machine using D-Bus

Publications (2)

Publication Number Publication Date
CN105306447A CN105306447A (en) 2016-02-03
CN105306447B true CN105306447B (en) 2019-05-31

Family

ID=55203200

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510605432.XA Active CN105306447B (en) 2015-09-21 2015-09-21 A kind of method and system being had secure access in smart machine using D-Bus

Country Status (1)

Country Link
CN (1) CN105306447B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209891A (en) * 2016-07-26 2016-12-07 广东道易鑫物联网科技有限公司 A kind of means of communication based on D BUS communications protocol

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281281A (en) * 2011-05-27 2011-12-14 无锡华御信息技术有限公司 Intelligent device access and authority control method in wireless network environment
CN102640160A (en) * 2009-10-09 2012-08-15 诺基亚公司 Platform security
CN102647429A (en) * 2012-04-28 2012-08-22 杭州格畅科技有限公司 Application communication access control method, application process manager and online application platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070136603A1 (en) * 2005-10-21 2007-06-14 Sensis Corporation Method and apparatus for providing secure access control for protected information

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102640160A (en) * 2009-10-09 2012-08-15 诺基亚公司 Platform security
CN102281281A (en) * 2011-05-27 2011-12-14 无锡华御信息技术有限公司 Intelligent device access and authority control method in wireless network environment
CN102647429A (en) * 2012-04-28 2012-08-22 杭州格畅科技有限公司 Application communication access control method, application process manager and online application platform

Also Published As

Publication number Publication date
CN105306447A (en) 2016-02-03

Similar Documents

Publication Publication Date Title
CN107995215B (en) Control method and device of intelligent household equipment and cloud platform server
US9654577B2 (en) Techniques to generate mass push notifications
US20210144147A1 (en) System and method for externally-delegated access control and authorization
US11134035B2 (en) Method and device for securely sending message
US10044705B2 (en) Session management for internet of things devices
US9792459B2 (en) Flexible policy arbitration control suite
US9350847B2 (en) Differentiated access for mobile device
KR20170066503A (en) Multi-screen sharing based application management method and device, and storage medium
CN111212075A (en) Service request processing method and device, electronic equipment and computer storage medium
CN105893055A (en) Method for triggering process engine platformization
CN110430180A (en) A kind of platform of internet of things and implementation method based on hot plug
US11151551B2 (en) Systems and methods related to executing transactions in a hybrid cloud environment
US20220060513A1 (en) Centralized request processing and security zone policy enforcement in a cloud infrastructure system
CN105306447B (en) A kind of method and system being had secure access in smart machine using D-Bus
US20230351288A1 (en) Attachment and detachment of compute instances owned by different tenancies
US20160381135A1 (en) Brokered advanced pairing
US9577967B2 (en) Method and system for managing an informational site using a social networking application
US10560462B2 (en) Context-based resource access mediation
CN114329406A (en) Resource processing method, device and equipment
CN111970162B (en) Heterogeneous GIS platform service central control system under super-integration framework
JPWO2014155498A1 (en) Electronics
US8543587B2 (en) Composite context information management apparatus and method of providing composite context information using the same
CN113312661B (en) User authorization system, method and device and electronic equipment
US20230222204A1 (en) Authorization brokering
WO2023027775A1 (en) Attachment and detachment of compute instances owned by different tenancies

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210128

Address after: 101300 room 153, 1 / F, building 17, 16 Caixiang East Road, Nancai Town, Shunyi District, Beijing

Patentee after: Yuanxin Information Technology Group Co.,Ltd.

Address before: 100176 room 408-27, building 8, No.1, Disheng North Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing (centralized office area)

Patentee before: BEIJING YUANXIN SCIENCE & TECHNOLOGY Co.,Ltd.

TR01 Transfer of patent right
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20160203

Assignee: Beijing Yuanxin Junsheng Technology Co.,Ltd.

Assignor: Yuanxin Information Technology Group Co.,Ltd.

Contract record no.: X2021110000018

Denomination of invention: A method and system for secure access in intelligent devices using D-Bus

Granted publication date: 20190531

License type: Common License

Record date: 20210531

EE01 Entry into force of recordation of patent licensing contract