CN108089925B - Method and device for controlling resource occupation of process

Publication number: CN108089925B
Authority: CN (China)
Legal status: Active
Application number: CN201711481340.0A
Other languages: Chinese (zh)
Other versions: CN108089925A (en)
Inventor: 高连凯
Current Assignee: Yuanxin Information Technology Group Co ltd
Original Assignee: Yuanxin Technology
Prior art keywords: request message; resource occupation; occupation request; container; resource
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a method for managing and controlling resource occupation of a process, which comprises the following steps: when a resource occupation request message is received, determining the container to which the process sending the resource occupation request message belongs and/or the mode of the current system and/or the type of the resource occupation request message, and then determining whether to execute the operation corresponding to the resource occupation request message based on the determination result. The method and the device provided by the embodiment of the invention are suitable for managing and controlling the resource occupation of processes in a container.

Description

Method and device for controlling resource occupation of process
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for managing and controlling resource occupation of a process.
Background
With the development of information technology, container technology has developed, and a container carries a series of tasks or processes. A control group (CGroup) file system is provided in the kernel and is used to control how the processes in a container occupy resources.
Typically, the CGroup file system is mounted at the /sys/fs/cgroup directory. Two files are under the directory: file 1 describes the controlled resources, and file 2, named tasks, contains a series of process ID numbers (or may be empty) and indicates the processes on which the controlled resources act. If a process ID is in the tasks file, the resources that the process can access are controlled by the content of the resource description file in the same directory as the tasks file; that is, the maximum permission of all processes in the tasks file to access the resource is set in the resource description file in the same directory as the tasks file.
In the prior art, some processes are capable of changing permissions in the tasks file; these processes can change the permissions through the CGroup interface so that they are no longer limited by the resource description file in the same directory as the tasks file.
Disclosure of Invention
In order to overcome the above technical problems or at least partially solve the above technical problems, the following technical solutions are proposed:
according to a first aspect, an embodiment of the present invention provides a method for managing resource occupation by a process, including:
when receiving a resource occupation request message, determining a container to which a process sending the resource occupation request message belongs and/or a mode of a current system and/or a type of the resource occupation request message;
and determining whether to execute the operation corresponding to the resource occupation request message based on the determination result.
Specifically, determining a container to which a process sending the resource occupation request message belongs and/or a mode of a current system and/or a type of the resource occupation request message; based on the determination result, the step of determining whether to execute the operation corresponding to the resource occupation request message includes:
determining whether a container to which a process sending the resource occupation request message belongs is a preset container;
and if the container to which the process sending the resource occupation request message belongs is a preset container, determining whether to execute the operation corresponding to the resource occupation request message or not based on the mode of the current system and/or the resource occupation request message.
Specifically, the step of determining whether to execute an operation corresponding to the resource occupation request message based on the mode of the current system and/or the resource occupation request message includes:
determining whether a current system is set to a strict mode, the strict mode being a system mode in which no operation is performed;
if the system is not set to the strict mode, determining whether the resource occupation request message is a message requesting to enlarge the access resource;
and if the request message is not the message for requesting to enlarge the access resource, executing the operation corresponding to the resource occupation request message.
Optionally, after the step of determining whether the container to which the process sending the resource occupation request message belongs to a preset container, the method further includes:
and if the container is not the preset container, executing the operation corresponding to the resource occupation request message.
Specifically, determining a container to which a process sending the resource occupation request message belongs and/or a mode of a current system and/or a type of the resource occupation request message; based on the determination result, the step of determining whether to execute the operation corresponding to the resource occupation request message includes:
determining whether the resource occupation request message is a message requesting for enlarging resources;
and if the resource occupation request message is not the message requesting for expanding the access resource, determining whether to execute the operation corresponding to the resource occupation request message or not based on the container to which the process sending the resource occupation request message belongs and/or the mode of the current system.
Specifically, the step of determining whether to execute the operation corresponding to the resource occupation request message based on the container to which the process sending the resource occupation request message belongs and/or the mode of the current system includes:
determining whether a container to which a process sending the resource occupation request message belongs is a preset container;
if it is the preset container, determining whether the current system mode is the strict mode;
and if the mode is not the strict mode, executing the operation corresponding to the resource occupation request message.
Optionally, after the step of determining whether the resource occupation request message is a message requesting to expand the resource, the method further includes:
if the message is a message requesting for resource expansion, determining whether a container to which a process sending the resource occupation request message belongs is a preset container;
and if the container is not the preset container, executing the operation corresponding to the resource occupation request message.
Specifically, the step of determining the container to which the process sending the resource occupation request message belongs includes:
and determining a container to which the process sending the resource occupation request message belongs based on the namespace corresponding to the process sending the resource occupation request message.
Specifically, the step of determining whether the resource occupation request message is a message requesting extended access to the resource includes:
and determining whether the resource occupation request message requests to modify the maximum authority value of resource access in the first preset file and/or remove the process information from the second preset file, wherein the process information is the process information corresponding to the process sending the resource occupation request message.
According to another aspect, an embodiment of the present invention further provides an apparatus for managing resource occupation by a process, including:
the determining module is used for determining a container to which a process sending the resource occupation request message belongs and/or a mode of a current system and/or a type of the resource occupation request message when the resource occupation request message is received;
and the determining module is further used for determining whether to execute the operation corresponding to the resource occupation request message based on the determination result.
Specifically, the determining module is specifically configured to determine whether a container to which a process that sends the resource occupation request message belongs is a preset container;
the determining module is further specifically configured to determine whether to execute an operation corresponding to the resource occupation request message based on the current system mode and/or the resource occupation request message when the container to which the process that sends the resource occupation request message belongs is a preset container.
Specifically, the determining module includes: a determining unit and an executing unit;
a determination unit configured to determine whether a current system is set to a strict mode, the strict mode being a system mode in which no operation is performed;
the determining unit is further used for determining whether the resource occupation request message is a message requesting for expanding access to the resource when the strict mode is not set;
and the execution unit is used for executing the operation corresponding to the resource occupation request message when the resource occupation request message is not the message requesting for expanding the access resource.
Further, the apparatus further comprises: an execution module;
and the execution unit is used for executing the operation corresponding to the resource occupation request message when the container is not the preset container.
Specifically, the determining module is further configured to determine whether the resource occupation request message is a message requesting to expand the resource;
and the determining module is further used for determining whether to execute the operation corresponding to the resource occupation request message based on the container to which the process sending the resource occupation request message belongs and/or the mode of the current system when the resource occupation request message is not the message requesting to enlarge the access resource.
Specifically, the determining module includes: a determining unit and an executing unit;
a determining unit, configured to determine whether a container to which a process that sends a resource occupation request message belongs is a preset container;
the determining unit is further configured to determine whether the current system mode is a strict mode when the container to which the process sending the resource occupation request message belongs is a preset container;
and the execution unit is used for executing the operation corresponding to the resource occupation request message when the determination unit determines that the mode of the current system is not the strict mode.
Optionally, the execution unit is further configured to, when the determining unit determines that the container to which the process that sends the resource occupation request message belongs is not a preset container, execute an operation corresponding to the resource occupation request message.
Optionally, the determining module is further configured to determine, when the message is a message requesting to expand the resource, whether a container to which a process that sends the resource occupation request message belongs is a preset container;
and the execution module is further used for executing the operation corresponding to the resource occupation request message when the determining module determines that the container to which the process for sending the resource occupation request message belongs is not a preset container.
Specifically, the determining module is further configured to determine, based on a namespace corresponding to the process that sends the resource occupation request message, a container to which the process that sends the resource occupation request message belongs.
Specifically, the determining module is specifically configured to determine whether the resource occupation request message requests modification of a maximum permission value of resource access in a first preset file and/or removal of process information from a second preset file, where the process information is process information corresponding to a process that sends the resource occupation request message.
Specifically, the determining module includes: a determining unit and an executing unit;
a determining unit, configured to determine whether a container to which a process that sends a resource occupation request message belongs to a preset container;
the determining unit is further used for determining whether the resource occupation request message is a message requesting for expanding access to the resource when the resource occupation request message belongs to the preset container;
and the execution unit is used for executing the operation corresponding to the resource occupation request message when the determination unit determines that the message is not the message requesting for expanding the access resource.
Optionally, the apparatus further comprises: an execution module;
and the execution module is used for executing the operation corresponding to the resource occupation request message when the resource occupation request message does not belong to the preset container.
Specifically, the determining module includes: a determining unit and an executing unit;
the determining unit is used for determining whether the resource occupation request message is a message requesting for expanding access to the resource;
the determining unit is further used for determining whether the container to which the process sending the resource occupation request message belongs is a preset container when the message is a message requesting to expand access to the resource;
and the execution unit is used for executing the operation corresponding to the resource occupation request message when the determination unit determines that the resource occupation request message does not belong to the preset container.
Optionally, the execution module is further configured to execute the operation corresponding to the resource occupation request message when the message is not a message requesting to enlarge the access resource.
Specifically, the determining module is specifically configured to determine, based on a namespace corresponding to a process that sends the resource occupation request message, a container to which the process that sends the resource occupation request message belongs.
Specifically, the determining module is further configured to determine whether the resource occupation request message requests to modify a maximum permission value of resource access in the first preset file and/or remove process information from the second preset file, where the process information is process information corresponding to a process that sends the resource occupation request message.
According to another aspect, an embodiment of the present invention further provides an apparatus, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the program to implement the method for managing resource usage by a process according to the first aspect.
Compared with the prior art, the invention provides a method and a device for managing and controlling resource occupation of a process. When a resource occupation request message is received, the invention determines the container to which the process sending the resource occupation request message belongs and/or the mode of the current system and/or the type of the resource occupation request message, and then determines whether to execute the operation corresponding to the resource occupation request message based on the determination result. That is, before executing the operation corresponding to the resource occupation request message, the invention determines whether to execute it based on at least one of the resource occupation request message, the process sending the resource occupation request message and the system mode of the current system, and does not allow the operation to be executed when the conditions for executing it are not satisfied. This prevents malicious processes from changing permissions and maliciously occupying resources, and therefore the effect of container isolation can be improved.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a schematic flow chart illustrating a method for managing resource occupation by a process according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an apparatus for managing resource occupation by a process according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative only and should not be construed as limiting the invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
As will be appreciated by those skilled in the art, a "terminal" as used herein includes both devices having only a wireless signal receiver without transmit capability and devices having receive and transmit hardware capable of two-way communication over a two-way communication link. Such a device may include: a cellular or other communication device having a single line display or a multi-line display or a cellular or other communication device without a multi-line display; PCS (Personal Communications Service), which may combine voice, data processing, facsimile and/or data communication capabilities; a PDA (Personal Digital Assistant), which may include a radio frequency receiver, a pager, internet/intranet access, a web browser, a notepad, a calendar and/or a GPS (Global Positioning System) receiver; a conventional laptop and/or palmtop computer or other device having and/or including a radio frequency receiver. As used herein, a "terminal" or "terminal device" may be portable, transportable, installed in a vehicle (aeronautical, maritime, and/or land-based), or situated and/or configured to operate locally and/or in a distributed fashion at any other location(s) on earth and/or in space. As used herein, a "terminal device" may also be a communication terminal, a web terminal, a music/video playing terminal, such as a PDA, an MID (Mobile Internet Device) and/or a mobile phone with music/video playing function, or a smart TV, a set-top box, etc.
Example one
An embodiment of the present invention provides a method for managing resource occupation by a process, as shown in fig. 1, including:
Step 101, when receiving a resource occupation request message, determining the container to which the process sending the resource occupation request message belongs and/or the mode of the current system and/or the type of the resource occupation request message.
For the embodiment of the present invention, when the resource occupation request message is received, it is determined whether the container to which the process sending the resource occupation request message belongs is a preset container (a restricted container), and/or whether the mode of the current system is a strict mode, and/or whether the resource occupation request message is a message requesting to expand access to a resource.
Wherein the strict mode is a system mode in which no operation is performed.
Step 102, determining whether to execute the operation corresponding to the resource occupation request message based on the determination result.
Compared with the prior art, the embodiment of the invention provides a method for managing and controlling resource occupation of a process. When a resource occupation request message is received, the container to which the process sending the resource occupation request message belongs and/or the mode of the current system and/or the type of the resource occupation request message are determined, and then whether to execute the operation corresponding to the resource occupation request message is determined based on the determination result. That is, before executing the operation corresponding to the resource occupation request message, the embodiment of the invention determines whether to execute it based on at least one of the resource occupation request message, the process sending the resource occupation request message and the system mode of the current system, and does not allow the operation to be executed when the conditions for executing it are not satisfied. This prevents malicious processes from changing permissions and maliciously occupying resources, and therefore the effect of container isolation can be improved.
Example two
Another possible implementation manner of the embodiment of the present invention further includes, on the basis of the first embodiment, the operation shown in the second embodiment, wherein,
the steps 101 and 102 include a step a (not shown) and a step b (not shown), wherein,
step a, when receiving the resource occupation request message, determining whether a container to which a process sending the resource occupation request message belongs is a preset container.
For the embodiment of the present invention, the preset container is a restricted container, that is, if a certain container belongs to the preset container, the process in the container is restricted to execute the operation corresponding to the message requesting to enlarge the access resource.
The method for determining the container to which the process sending the resource occupation request message belongs comprises the following steps: and determining a container to which the process sending the resource occupation request message belongs based on the namespace corresponding to the process sending the resource occupation request message.
For the embodiment of the present invention, the namespace is a physical concept: it is actually a pointer to a data structure in each process control block, and whichever space the pointer points to is the space to which the process belongs. Each space is a segment of memory created by the kernel each time a new container is created, and each segment of memory has a unique mark to distinguish the different spaces. In the embodiment of the invention, when the system starts up, only one space exists in the system, namely the initial space; to join a space, that is, a certain container, a process only needs to point its own data structure pointer to the target space.
Further, after the step a, the method further comprises the following steps: and if the container to which the process sending the resource occupation request message belongs is not a preset container, executing the operation corresponding to the resource occupation request message.
For the embodiment of the present invention, if it is determined that the container to which the process sending the resource occupation request message belongs does not belong to the preset container, a normal CGroup interface process is executed, that is, an operation corresponding to the resource occupation request message is executed.
Step b, if the container to which the process sending the resource occupation request message belongs is a preset container, determining whether to execute the operation corresponding to the resource occupation request message based on the mode of the current system and/or the resource occupation request message.
Specifically, the step of determining whether to execute an operation corresponding to the resource occupation request message based on the mode of the current system and/or the resource occupation request message includes: determining whether the current system is set to a strict mode; if the system is not set to the strict mode, determining whether the resource occupation request message is a message requesting to enlarge the access resource; and if the request message is not a message requesting to enlarge the access resource, executing the operation corresponding to the resource occupation request message.
For the embodiment of the invention, the current system can be set to the strict mode by a user or by the kernel. This is not limited in the embodiments of the present invention.
For the embodiment of the invention, if the message is not a message requesting to expand access to the resource (that is, it is a message requesting to reduce access to the resource), the operation corresponding to the resource occupation request message is executed.
Further, if the container to which the process sending the resource occupation request message belongs is a preset container, the system is not set to the strict mode, and the message is a message requesting to enlarge access to the resource, the operation corresponding to the resource occupation request message is not executed.
Specifically, the step of determining whether the resource occupation request message is a message requesting extended access to the resource includes: determining whether the resource occupation request message requests to modify the maximum authority value of resource access in the first preset file and/or remove the process information from the second preset file.
And the process information is the process information corresponding to the process which sends the resource occupation request message.
For the embodiment of the invention, the kernel provides a CGroup mechanism for controlling resources. Generally, the CGroup file system is mounted at the /sys/fs/cgroup directory, and two files are placed under that directory: the first file describes the controlled resource information, i.e. the first preset file, and the second file indicates the processes to which the controlled resource information described in the first file applies, i.e. the second preset file. In the embodiment of the present invention, the second file is generally a file named, for example, tasks, which contains the process IDs of the processes to which the controlled resource information described in the first file applies; the second file may also be an empty file. In the embodiment of the invention, if a process ID is in the tasks file, this indicates that the resources the process can access are controlled by the content of the resource description file in the same directory as the tasks file.
For example, if the file in the same directory as tasks that describes the usable memory size is named memory-max-size, and the content of that file is 1024M, then 1024M is the maximum permission value for memory access by the processes in the tasks file; if a process in the tasks file needs to access more memory, either the content of memory-max-size is modified to be larger than 1024M, or the ID of the restricted process is removed from the tasks file.
For the embodiment of the invention, whether to execute the operation corresponding to the resource occupation request message is determined by determining whether the container corresponding to the resource occupation request message is a preset container; that is, the operation corresponding to the resource occupation request message is executed only when the process that sent the resource occupation request message is located in a container that is not a preset container, so that the effect of container isolation can be enhanced.
EXAMPLE III
Another possible implementation manner of the embodiment of the present invention further includes, on the basis of the operation shown in the first embodiment, the operation shown in the third embodiment, wherein,
Steps 101 and 102 include a step c (not shown) and a step d (not shown), wherein:
Step c: when receiving the resource occupation request message, determining whether the resource occupation request message is a message for requesting to expand the resource.
For the embodiment of the present invention, the manner of determining that the resource occupation request message is a message requesting to expand the resource is detailed in embodiment two, and details are not described herein again.
After step c, the method further comprises the following steps: if the message is a message requesting for resource expansion, determining whether a container to which a process sending the resource occupation request message belongs is a preset container; and if the container is not the preset container, executing the operation corresponding to the resource occupation request message.
For the embodiment of the present invention, after the step of determining whether the container to which the process sending the resource occupation request message belongs is a preset container if the message is a message requesting to expand the resource, the method further includes: and if the container is the preset container, not executing the operation corresponding to the resource occupation request message.
The method for determining the container to which the process sending the resource occupation request message belongs is described in detail in embodiment two. The present invention is not limited to the embodiments.
Step d: if the resource occupation request message is not the message requesting for expanding the access resource, determining whether to execute the operation corresponding to the resource occupation request message or not based on the container to which the process sending the resource occupation request message belongs and/or the mode of the current system.
Specifically, step d includes: step d1 (not shown), step d2 (not shown), and step d3 (not shown), wherein:
Step d1: if the resource occupation request message is not the message requesting to enlarge the access resource, determining whether the container to which the process sending the resource occupation request message belongs is a preset container.
Further, after the step d1, the method further includes: if the container to which the process sending the resource occupation request message belongs is not a preset container, executing the operation corresponding to the resource occupation request message.
Step d2: if the container is a preset container, determining whether the current system mode is the strict mode.
Step d3: if the mode is not the strict mode, executing the operation corresponding to the resource occupation request message.
For the embodiment of the invention, if the resource occupation request message is not a message requesting for expanding access to the resource, the container to which the process sending the resource occupation request message belongs is a preset container, and the current system mode is a strict mode, the operation corresponding to the resource occupation request message is not executed.
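The decision orders of embodiments two and three can be modelled as follows. This is an added example, not code from the patent: the Request fields, the namespace identifiers, the size suffixes and the fail-closed handling of malformed values are assumptions. It also checks that the two orderings give the same outcome for every combination of inputs.

```python
from dataclasses import dataclass
from itertools import product

# Assumed size suffixes; the page itself only shows the value "1024M".
_UNITS = {"K": 1 << 10, "M": 1 << 20, "G": 1 << 30}


def parse_size(text: str) -> int:
    """Convert a limit such as '1024M' into bytes; raises ValueError if malformed."""
    text = text.strip().upper()
    if text and text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


@dataclass(frozen=True)
class Request:
    """Constructed model of a resource occupation request message."""
    sender_pid: int
    sender_ns: str   # namespace identifier of the sender (hypothetical format)
    target: str      # "memory-max-size" (first preset file) or "tasks" (second)
    action: str      # "write" a new limit, or "remove" a PID
    value: str       # the new limit, or the PID to remove


def is_expanding(req: Request, current_limit: str) -> bool:
    """True if the request raises the maximum value or removes the sender from tasks."""
    try:
        if req.target == "memory-max-size" and req.action == "write":
            return parse_size(req.value) > parse_size(current_limit)
        if req.target == "tasks" and req.action == "remove":
            return int(req.value) == req.sender_pid
    except ValueError:
        return True  # assumption of this sketch: malformed input fails closed
    return False


def decide_embodiment_two(in_preset: bool, strict: bool, expanding: bool) -> bool:
    """Order: container first, then strict mode, then request type."""
    if not in_preset:
        return True          # not a preset container: execute
    if strict:
        return False         # strict mode: no operation is performed
    return not expanding     # non-strict: only non-expanding requests run


def decide_embodiment_three(in_preset: bool, strict: bool, expanding: bool) -> bool:
    """Order: request type first (step c), then container and mode (step d)."""
    if expanding:
        return not in_preset
    if not in_preset:
        return True          # step d1
    return not strict        # steps d2 and d3


def orderings_agree() -> bool:
    """Check both orderings on all eight input combinations."""
    return all(decide_embodiment_two(*c) == decide_embodiment_three(*c)
               for c in product([False, True], repeat=3))


def handle(req: Request, preset_ns: frozenset, strict: bool, current_limit: str) -> bool:
    """Return True if the operation for this request would be executed."""
    in_preset = req.sender_ns in preset_ns  # container resolved from the namespace
    return decide_embodiment_two(in_preset, strict, is_expanding(req, current_limit))


if __name__ == "__main__":
    preset = frozenset({"ns:guest"})  # constructed sample data
    samples = [
        Request(1200, "ns:guest", "memory-max-size", "write", "2048M"),
        Request(1200, "ns:guest", "memory-max-size", "write", "512M"),
        Request(1200, "ns:guest", "tasks", "remove", "1200"),
        Request(77, "ns:host", "memory-max-size", "write", "2048M"),
    ]
    for r in samples:
        print(r.sender_ns, r.target, r.value, "->", handle(r, preset, False, "1024M"))
    print("orderings agree:", orderings_agree())
```
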
An embodiment of the present invention provides a device for managing resource occupation by a process, as shown in fig. 2, including: a determination module 21;
the determining module 21 is configured to, when receiving the resource occupation request message, determine a container to which a process sending the resource occupation request message belongs and/or a mode of a current system and/or a type of the resource occupation request message.
The determining module 21 is further configured to determine whether to execute an operation corresponding to the resource occupation request message based on the determination result.
Specifically, the determining module 21 is specifically configured to determine whether a container to which a process that sends the resource occupation request message belongs is a preset container.
The determining module 21 is further specifically configured to determine whether to execute an operation corresponding to the resource occupation request message based on the current system mode and/or the resource occupation request message when the container to which the process sending the resource occupation request message belongs is a preset container.
Further, as shown in fig. 2, the determining module 21 includes: a determination unit 211, an execution unit 212;
a determining unit 211, configured to determine whether the current system is set to the strict mode.
Wherein the strict mode is a system mode in which no operation is performed.
The determining unit 211 is further configured to determine whether the resource occupation request message is a message requesting extended access to the resource when the strict mode is not set.
An executing unit 212, configured to, when the determining unit 211 determines that the resource occupation request message is not a message requesting to expand the access resource, execute an operation corresponding to the resource occupation request message.
Further, as shown in fig. 2, the apparatus further includes: an execution module 22;
and the execution module 22 is configured to execute an operation corresponding to the resource occupation request message when the container is not the preset container.
Specifically, the determining module 21 is further configured to determine whether the resource occupation request message is a message requesting to expand the resource.
The determining module 21 is further configured to determine whether to execute an operation corresponding to the resource occupation request message based on a container to which the process sending the resource occupation request message belongs and/or a mode of the current system, when the resource occupation request message is not a message requesting to expand the access resource.
Specifically, the determining module 21 is further configured to determine whether the resource occupation request message is a message requesting to expand the resource.
The determining module 21 is further specifically configured to, when the resource occupation request message is not a message requesting to expand the access resource, determine whether to execute an operation corresponding to the resource occupation request message based on a container to which the process sending the resource occupation request message belongs and/or a mode of the current system.
Specifically, the determining unit 211 is configured to determine whether a container to which a process sending the resource occupation request message belongs is a preset container.
The determining unit 211 is further configured to determine whether the mode of the current system is a strict mode when the container is a preset container.
An executing unit 212, configured to execute an operation corresponding to the resource occupation request message when the determining unit 211 determines that the current system mode is not the strict mode.
Optionally, the executing unit 212 is further configured to, when the determining unit 211 determines that the container to which the process sending the resource occupation request message belongs is not a preset container, execute an operation corresponding to the resource occupation request message.
Optionally, the determining module 21 is further configured to determine, when the resource occupation request message is a message requesting to expand the resource, whether a container to which a process sending the resource occupation request message belongs is a preset container.
The executing module 22 is further configured to, when the determining module 21 determines that the container to which the process sending the resource occupation request message belongs is not a preset container, execute an operation corresponding to the resource occupation request message.
Specifically, the determining module 21 is further configured to determine, based on a namespace corresponding to the process that sends the resource occupation request message, a container to which the process that sends the resource occupation request message belongs.
Specifically, the determining module 21 is specifically configured to determine whether the resource occupation request message requests to modify the maximum permission value of resource access in the first preset file and/or remove the process information from the second preset file.
And the process information is the process information corresponding to the process which sends the resource occupation request message.
Compared with the prior art, the embodiment of the invention provides a device for managing and controlling the resource occupation of a process. When a resource occupation request message is received, the container to which the process sending the resource occupation request message belongs and/or the mode of the current system and/or the type of the resource occupation request message is determined, and whether to execute the operation corresponding to the resource occupation request message is then determined based on the determination result. That is, before executing the operation corresponding to the resource occupation request message, the embodiment of the invention determines whether to execute it based on at least one of the resource occupation request message, the process sending the resource occupation request message, and the system mode of the current system, and does not allow the operation to be executed when the conditions are not satisfied. This prevents malicious processes from changing permissions and maliciously occupying resources, and therefore the effect of container isolation can be improved.
The embodiment of the present invention provides a device for managing and controlling resource occupation by a process, which is applicable to the foregoing method embodiment and will not be described herein again.
An embodiment of the present invention provides an apparatus, including a memory, a processor, and a computer program that is stored in the memory and can be run on the processor, where the processor executes the computer program to implement the method for managing resource occupation by a process shown in any one of the first to third embodiments.
Compared with the prior art, the embodiment of the present invention provides a device. When a resource occupation request message is received, the container to which the process sending the resource occupation request message belongs and/or the mode of the current system and/or the type of the resource occupation request message is determined, and whether to execute the operation corresponding to the resource occupation request message is then determined based on the determination result. That is, before executing the operation corresponding to the resource occupation request message, the embodiment of the present invention determines whether to execute it based on at least one of the resource occupation request message, the process sending the resource occupation request message, and the system mode of the current system, and does not allow the operation to be executed when the conditions are not satisfied. This prevents malicious processes from modifying permissions and maliciously occupying resources, and therefore the effect of container isolation can be improved.
The embodiment of the present invention provides an apparatus, which is suitable for the above method embodiment, and details are not described herein again.
Those skilled in the art will appreciate that the present invention includes apparatus directed to performing one or more of the operations described in the present application. These devices may be specially designed and manufactured for the required purposes, or they may comprise known devices in general-purpose computers. These devices have stored therein computer programs that are selectively activated or reconfigured. Such a computer program may be stored in a device (e.g., computer) readable medium, including, but not limited to, any type of disk including floppy disks, hard disks, optical disks, CD-ROMs, and magneto-optical disks, ROMs (Read-Only Memories), RAMs (Random Access Memories), EPROMs (Erasable Programmable Read-Only Memories), EEPROMs (Electrically Erasable Programmable Read-Only Memories), flash memories, magnetic cards, or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a bus. That is, a readable medium includes any medium that stores or transmits information in a form readable by a device (e.g., a computer).
It will be understood by those within the art that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. Those skilled in the art will appreciate that the computer program instructions may be implemented by a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, implement the features specified in the block or blocks of the block diagrams and/or flowchart illustrations of the present disclosure.
Those of skill in the art will appreciate that various operations, methods, steps in the processes, acts, or solutions discussed in the present application may be alternated, modified, combined, or deleted. Further, various operations, methods, steps in the flows, which have been discussed in the present application, may be interchanged, modified, rearranged, decomposed, combined, or eliminated. Further, steps, measures, schemes in the various operations, methods, procedures disclosed in the prior art and the present invention can also be alternated, changed, rearranged, decomposed, combined, or deleted.
The foregoing describes only some embodiments of the present invention. It should be noted that those skilled in the art can make various improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (8)

1. A method for managing resource occupation by a process is characterized by comprising the following steps:
when receiving a resource occupation request message, determining a container to which a process sending the resource occupation request message belongs, and determining a mode of a current system or a type of the resource occupation request message;
determining whether to execute the operation corresponding to the resource occupation request message based on the determination result;
determining the container of the process of the resource occupation request includes:
determining a container to which a process sending the resource occupation request message belongs based on a namespace corresponding to the process sending the resource occupation request message;
determining a container to which a process sending the resource occupation request message belongs, and determining a mode of a current system or a type of the resource occupation request message; based on the determination result, the step of determining whether to execute the operation corresponding to the resource occupation request message includes:
determining whether a container to which a process sending the resource occupation request message belongs is a preset container;
if the container to which the process sending the resource occupation request message belongs is a preset container, determining whether to execute the operation corresponding to the resource occupation request message based on the mode of the current system or the type of the resource occupation request message;
and if the container to which the process sending the resource occupation request message belongs is not a preset container, executing the operation corresponding to the resource occupation request message.
2. The method according to claim 1, wherein the step of determining whether to execute the operation corresponding to the resource occupation request message based on the mode of the current system or the resource occupation request message comprises:
determining whether a current system is set to a strict mode, the strict mode being a system mode not to perform any operation;
if the current system is not set to the strict mode, determining whether the resource occupation request message is a message for requesting to enlarge the access resource;
and if the request message is not the message for requesting to enlarge the access resource, executing the operation corresponding to the resource occupation request message.
3. The method according to claim 1, wherein a container to which a process that transmits a resource occupation request message belongs is determined, and a mode of a current system or a type of the resource occupation request message is determined; based on the determination result, the step of determining whether to execute the operation corresponding to the resource occupation request message includes:
determining whether the resource occupation request message is a message requesting for enlarging resources;
and if the resource occupation request message is not a message requesting for expanding and accessing the resource, determining whether to execute the operation corresponding to the resource occupation request message or not based on the container to which the process sending the resource occupation request message belongs and the mode of the current system.
4. The method according to claim 3, wherein the step of determining whether to execute the operation corresponding to the resource occupation request message based on the container to which the process sending the resource occupation request message belongs and the mode of the current system comprises:
determining whether a container to which a process sending the resource occupation request message belongs is a preset container;
if the container is a preset container, determining whether the current system mode is the strict mode;
and if the current system mode is not the strict mode, executing the operation corresponding to the resource occupation request message.
5. The method according to claim 4, wherein after the step of determining whether the container to which the process sending the resource occupation request message belongs is a preset container, the method further comprises:
and if the container is not the preset container, executing the operation corresponding to the resource occupation request message.
6. The method according to any of claims 3-5, wherein the step of determining whether the resource occupation request message is a message requesting to expand the resource further comprises:
if the message is a message requesting for resource expansion, determining whether a container to which a process sending the resource occupation request message belongs is a preset container;
and if the container is not the preset container, executing the operation corresponding to the resource occupation request message.
7. An apparatus for managing resource usage by a process, comprising:
a determining module, configured to determine, when receiving a resource occupation request message, a container to which a process that sends the resource occupation request message belongs, and determine a mode of a current system or a type of the resource occupation request message;
the determining module is further configured to determine whether to execute an operation corresponding to the resource occupation request message based on a determination result;
determining the container of the process of the resource occupation request includes:
determining a container to which a process sending the resource occupation request message belongs based on a namespace corresponding to the process sending the resource occupation request message;
the determining module is specifically configured to determine whether a container to which a process that sends the resource occupation request message belongs is a preset container;
if the container to which the process sending the resource occupation request message belongs is a preset container, determining whether to execute the operation corresponding to the resource occupation request message based on the mode of the current system or the type of the resource occupation request message;
the determining module is specifically configured to execute an operation corresponding to the resource occupation request message if the container to which the process that sends the resource occupation request message belongs is not a preset container.
8. An apparatus for managing the use of resources by a process, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the program to implement the method of managing the use of resources by a process according to any one of claims 1 to 6.
CN201711481340.0A 2017-12-29 2017-12-29 Method and device for controlling resource occupation of process Active CN108089925B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711481340.0A CN108089925B (en) 2017-12-29 2017-12-29 Method and device for controlling resource occupation of process

Publications (2)

Publication Number Publication Date
CN108089925A CN108089925A (en) 2018-05-29
CN108089925B CN108089925B (en) 2021-12-31

Family

ID=62180070

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711481340.0A Active CN108089925B (en) 2017-12-29 2017-12-29 Method and device for controlling resource occupation of process

Country Status (1)

Country Link
CN (1) CN108089925B (en)

Also Published As

Publication number Publication date
CN108089925A (en) 2018-05-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20230427
Address after: Room 401, Floor 4, No. 2, Haidian East Third Street, Haidian District, Beijing 100080
Patentee after: Yuanxin Information Technology Group Co.,Ltd.
Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Daxing District, Beijing
Patentee before: YUANXIN TECHNOLOGY