CN109325358A - Method, electronic equipment based on linux system definition application permission - Google Patents
Method, electronic equipment based on linux system definition application permission Download PDFInfo
- Publication number
- CN109325358A CN109325358A CN201810963267.9A CN201810963267A CN109325358A CN 109325358 A CN109325358 A CN 109325358A CN 201810963267 A CN201810963267 A CN 201810963267A CN 109325358 A CN109325358 A CN 109325358A
- Authority
- CN
- China
- Prior art keywords
- application program
- added
- file
- linux system
- white list
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The present invention discloses a kind of method based on linux system definition application permission, electronic equipment, method is comprising steps of white list is added in the addressable file of application program by the NameSpace for first passing through the offer of linux system kernel in advance, and blacklist list is added in the inaccessible file of application program;It is called by the system that application program can be performed the system-computed that linux system kernel provides and the white list is added, and the not executable system of application program called, the blacklist list is added.Even if the system that can not also access the file in blacklist list or execute in blacklist list is called in this way, application program obtains highest permission.Therefore, the addressable file of application program and inaccessible file can be accurately controlled, and accurately controls the system that the not executable system of application program is called and be can be performed and calls.
Description
Technical field
The present invention relates to (SuSE) Linux OS fields, more particularly to the side based on linux system definition application permission
Method, electronic equipment.
Background technique
Currently, progress information can be not only accessed between application program and application program mutually, is answered in linux system
The system file of linux system can be also directly accessed with program.For example, direct access control panel etc..
For safety, scholar proposes a kind of method for defining permission access.Specifically, when application program A obtains system
When permission, then application program A can access system file or access the progress information of other applications;It is opposite, when answering
When there is no system permission with program B, then application program B just can not access system file or access other applications
Progress information.
Although this method is simple and effective, this traditional permission control mode only supports single read-write
Control or access control, can not access authority to application program or access limit be precisely controlled.
After authorizing some permission of application program using the control of traditional permission, application program can obtain permission subordinate
All resources.For example, the permission of access root is awarded in application program C, then application program C can be obtained in root
The all the elements such as document, browsing record, picture video.
Moreover, certain applications program is called according to the permission acquired, direct-execution system, and system is caused to collapse
It bursts, when serious, system is also made to fall into virus and wooden horse crisis.
That is, in the prior art, the access authority of application program can not be accurately controlled or execute permission.
Therefore, the existing technology needs to be improved and developed.
Summary of the invention
In view of above-mentioned deficiencies of the prior art, the purpose of the present invention is to provide be based on linux system definition application
The method of permission, electronic equipment, it is intended to solve in the prior art, the access authority or right of execution of application program can not be accurately controlled
The problem of limit.
Technical scheme is as follows:
A method of based on linux system definition application permission comprising step:
White list column are added in the addressable file of application program by the NameSpace for first passing through the offer of linux system kernel in advance
Table, and blacklist list is added in the inaccessible file of application program;
It is called by the system that application program can be performed the system-computed that linux system kernel provides and the white name is added
Single-row table, and the not executable system of application program is called, the blacklist list is added.
Preferably, the method also includes steps:
The network access authority of the IP management information system definition application of linux system kernel offer is be provided in advance;
The network access authority includes addressable network and inaccessible network.
Preferably, the file is one kind or several of progress information, Internet resources, document, browsing record, picture and video
Kind.
Preferably, the pre- NameSpace for first passing through the offer of linux system kernel is by the addressable file of application program
White list is added, and the step of blacklist list is added in the inaccessible file of application program includes:
The white list is added in the addressable hardware information of application program by NameSpace, and journey will be applied
White list is added in the inaccessible hardware information of sequence, and the hardware information is microphone, camera, mouse, keyboard or raises
The one or more of sound device.
Preferably, the system that application program can be performed the system-computed provided by linux system kernel is called
Be added the white list, and by the not executable system of application program call the step of blacklist list is added it
After include:
When application program, which accesses inaccessible file or the not executable system of execution, to be called, application program is intercepted
Access executes, and by the title of the corresponding application programs of task details table record and record access time or holds
The row time.
The present invention also provides a kind of electronic equipment comprising:
Processor is adapted for carrying out each instruction, and
Equipment is stored, is suitable for storing a plurality of instruction, described instruction is suitable for being loaded and being executed by processor:
White list column are added in the addressable file of application program by the NameSpace for first passing through the offer of linux system kernel in advance
Table, and blacklist list is added in the inaccessible file of application program;
It is called by the system that application program can be performed the system-computed that linux system kernel provides and the white name is added
Single-row table, and the not executable system of application program is called, the blacklist list is added.
Preferably, the file is one kind or several of progress information, Internet resources, document, browsing record, picture and video
Kind.
Preferably, the pre- NameSpace for first passing through the offer of linux system kernel is by the addressable file of application program
White list is added, and the step of blacklist list is added in the inaccessible file of application program includes:
The white list is added in the addressable hardware information of application program by NameSpace, and journey will be applied
White list is added in the inaccessible hardware information of sequence, and the hardware information is microphone, camera, mouse, keyboard or raises
The one or more of sound device.
The present invention also provides a kind of computer program products, wherein computer program product is non-volatile including being stored in
Computer program on computer readable storage medium, computer program include program instruction, when program instruction is held by processor
When row, the processor is made to execute the method based on linux system definition application permission.
The present invention also provides a kind of non-volatile computer readable storage medium storing program for executing, wherein the non-volatile computer can
It reads storage medium and is stored with computer executable instructions, when which is executed by one or more processors,
One or more of processors may make to execute the method based on linux system definition application permission.
The utility model has the advantages that the method provided through the invention, due in advance by the addressable file of application program, executable
System calling is added to white list, and the inaccessible file of application program, not executable system are called addition
To blacklist list.In this way, application program just can only access the file in white list or execute in white list
System call, and can not access the file in blacklist list or execute blacklist list in system call.Meanwhile it applying
Even if program obtains highest permission, it can not also access the file in blacklist list or execute the system tune in blacklist list
With.Therefore, the addressable file of application program and inaccessible file can be accurately controlled, and accurately controls application program not
Executable system is called and executable system is called.
Detailed description of the invention
Fig. 1 is that the present invention is based on the flow charts of the method preferred embodiment of linux system definition application permission.
Fig. 2 is the structural block diagram of electronic equipment preferred embodiment of the present invention.
Specific embodiment
The present invention provides method based on linux system definition application permission, electronic equipment, to make mesh of the invention
, technical solution and effect it is clearer, clear, the present invention is described in more detail below.It should be appreciated that described herein
Specific embodiment be only used to explain the present invention, be not intended to limit the present invention.
Referring to Fig. 1, a kind of method based on linux system definition application permission comprising step:
White name is added in the addressable file of application program by S1, the NameSpace for first passing through the offer of linux system kernel in advance
Single-row table, and blacklist list is added in the inaccessible file of application program;
S2, it is called described in addition by the system that application program can be performed the system-computed that linux system kernel provides
White list, and the not executable system of application program is called, the blacklist list is added.
It should be noted that step S1 and step S2 is just for the sake of facilitating narration, it is not conditioning step S1 and step
The sequencing of S2.That is, the NameSpace that can first pass through the offer of linux system kernel will apply journey in the present invention
White list is added in the addressable file of sequence, and blacklist list is added in the inaccessible file of application program, can also
The system that application program can be performed with first passing through the system-computed of linux system kernel offer, which is called, is added white list,
And the not executable system of application program is called, blacklist list is added.
The method provided through the invention, it is only necessary to the namespace provided by linux system kernel (lives by user
The name space) and seccomp (system-computed) the addressable file of application program and executable system calling are configured.Just
The access authority of application program can be precisely controlled and execute permission.
In the step S1, the original name of the NameSpace are as follows: namespace.NameSpace is also referred to as name space, title
Space etc., it indicates the visible range of an identifier (identifier).One identifier can be in multiple NameSpaces
Definition, it is meant that mutually incoherent in different NameSpaces.In this way, can define in a new NameSpace any
Identifier, they will not be clashed with any existing identifier, because existing definition is all in other names space.
For example, the employee that Bill is X company, work number 123 are set, and John is the employee of Y company, work number is also 123.By
In two people in different company works, identical work number can be used to identify without causing confusion, each company is just here
Indicate an independent NameSpace.If two people are in same company work, that is to say, that belong to the same NameSpace,
So its work number cannot be identical, and confusion otherwise can occur.
A special file can be established by NameSpace, and the addressable file of application program is then added to one
In special file, i.e. white list.Likewise, can also establish another special file by NameSpace, so
The inaccessible file of application program is added in a special file afterwards, i.e. blacklist list.
Certainly, directly addressable file and inaccessible file can also be isolated by NameSpace.Also
It is to say, addressable file and inaccessible file, the two are in a parallel surface, the region without any intersection.
In this way, application program is when accessing file, it is just not in exception.
Preferably, the file is one kind or several of progress information, Internet resources, document, browsing record, picture and video
Kind.
Progress information refers to that the program in computer is that system carries out about the primary operation activity on certain data acquisition system
The basic unit of Resource Distribution and Schedule is the basis of operating system configuration.
Internet resources refer to network IP, network address and network speed etc..
Browsing record specifically includes the browsing record of browser, the browsing record of access hard disk and the operation to application program
Record.
Certainly, the file is also possible to lantern slide, music file, programming code and application program installation kit etc..
Preferably, the step S1 includes:
The white list is added in the addressable hardware information of application program by NameSpace, and journey will be applied
White list is added in the inaccessible hardware information of sequence, and the hardware information is microphone, camera, mouse, keyboard or raises
The one or more of sound device.
It is specific how that hardware information addition white list is similar to by the file addition mode of the single-row table of table name, so
It does not repeat them here.
Certainly, the hardware information further includes the processor of electronic equipment, memory etc..
In this way, application program just can not access the hardware information in blacklist list.For example, processor information is added black
List, in this way, any application program can not obtain the hardware information of processor.Because certain applications program will acquire to obtain
Hardware information is uploaded to illegal website, and the hardware information of personal electronic equipments is caused to be revealed, and not sending out molecule may be according to obtaining
The hardware information illegal invasion electronic equipment arrived.
In the step S2, the original name of the system-computed are as follows: seccomp, certain seccomp are its abbreviations, specific
Title are as follows: secure computing.Seccomp is that one kind that Linux kernel is introduced from 2.6.23 version is succinct
Sandboxing mechanism.In linux system, a large amount of system calls (system call) to be directly exposed to User space program
(application program).But not all system calling is all required, and unsafe code abuse system calls meeting pair
System causes security threat.Seccomp security mechanism can make a process enter a kind of " safety " operational mode, under the mode
Process 4 kinds of systems can only be called to call (system call), i.e. read (), write (), exit () and sigreturn
(), otherwise process will be terminated.
Wherein, system, which is called, refers to that the program for operating in user's space needs higher permission fortune to operating system nucleus request
Capable service.System calls the interface provided between user program and operating system.Most systems interactive operation demand exists
Kernel state operation.Such as equipment I/O operation or interprocess communication.
In this way, the system that application program can be can be performed by seccomp is called and white list is added, journey will be applied
The not executable system of sequence, which is called, is added blacklist list.
Specific Adding Way is similar to the step of white list is added in file, so not repeating them here.
Preferably, the method also includes steps:
The network access authority of the IP management information system definition application of linux system kernel offer is be provided in advance;
The network access authority includes addressable network and inaccessible network.
The Old Name of the IP management information system are as follows: iptables.Iptables is the application for operating in user's space
Software, by controlling linux kernel netfilter module, to manage the flowing and transfer of network packet.In major part
On linux system, can be used/usr/sbin/iptables operates iptables, it can be obtained through man iptables instruction
It takes.Usual iptables requires the module of kernel level to cooperate running, and Xtables is mainly inside inner nuclear layer grade
The module of iptables API operational function.
That is, will further limit application program by network access technologies such as iptables and network will be accessed
Permission, only specified Internet resources just can normal request service, other unauthorized access requests will intercept by kernel.
Preferably, include: after the step S2
When application program, which accesses inaccessible file or the not executable system of execution, to be called, application program is intercepted
Access executes, and by the title of the corresponding application programs of task details table record and record access time or holds
The row time.
For example, file A belongs in white list, file B belongs in blacklist list, and system calls C to belong to white list
In list, system calls D to belong in blacklist list.
If application program E access file B or executing system and calling D, then task details table is by records application program E
Title, for example, be recorded as E and records application program E access file B the specific time and application program E execute system
Call the specific time of D.
In this way, can intuitively obtain application program access file or execute the time that system is called, it is convenient to using journey
Sequence is further processed.For example, application program E frequently accesses the file in blacklist list, and execute in blacklist list
System call, then, can according to this actual conditions unload application program E.
The method provided through the invention, user can directly by namespace and seccomp by addressable file or
Executable system, which is called, is added white list, in this way, application program is regardless of whether obtain permission, addressable table name is single-row
The system in file or execution white list in table is called.To realize the access authority and execution to application program
Permission is precisely controlled, so that application program does not visit again all files or executes all system calling.
Referring to Fig. 2, the present invention also provides a kind of electronic equipment 10 comprising:
Processor 110 is adapted for carrying out each instruction, and
Equipment 120 is stored, is suitable for storing a plurality of instruction, described instruction is suitable for being loaded and being executed by processor:
White list column are added in the addressable file of application program by the NameSpace for first passing through the offer of linux system kernel in advance
Table, and blacklist list is added in the inaccessible file of application program;
It is called by the system that application program can be performed the system-computed that linux system kernel provides and the white name is added
Single-row table, and the not executable system of application program is called, the blacklist list is added.
The processor 110 can for general processor, digital signal processor (DSP), specific integrated circuit (ASIC),
Field programmable gate array (FPGA), single-chip microcontroller, ARM (Acorn RISC Machine) or other programmable logic device are divided
Any combination of vertical door or transistor logic, discrete hardware component or these components.In addition, processor can also be any
Conventional processors, microprocessor or state machine.Processor also may be implemented as calculating the combination of equipment, for example, DSP and Wei Chu
Manage combination, multi-microprocessor, one or more microprocessors combination DSP core, any other this configuration of device.
It stores equipment 120 and is used as a kind of non-volatile computer readable storage medium storing program for executing, can be used for storing non-volatile software
Program, non-volatile computer executable program and module, as being defined in the embodiment of the present invention based on linux system is applied
The corresponding program instruction of the method for program authority.Processor is stored in the non-volatile software journey in storage equipment by operation
Sequence, instruction and unit, at various function application and data based on linux system definition application permission
Reason, the i.e. method based on linux system definition application permission in realization above method embodiment.
Preferably, the file is one kind or several of progress information, Internet resources, document, browsing record, picture and video
Kind.
Preferably, the pre- NameSpace for first passing through the offer of linux system kernel is by the addressable file of application program
White list is added, and the step of blacklist list is added in the inaccessible file of application program includes:
The white list is added in the addressable hardware information of application program by NameSpace, and journey will be applied
White list is added in the inaccessible hardware information of sequence, and the hardware information is microphone, camera, mouse, keyboard or raises
The one or more of sound device.
It about the particular technique details of above-mentioned electronic equipment 10, is described in detail in above-mentioned steps, so not repeating them here.
The present invention also provides a kind of computer program products, wherein computer program product is non-volatile including being stored in
Computer program on computer readable storage medium, computer program include program instruction, when program instruction is held by processor
When row, the processor is made to execute the method based on linux system definition application permission.
The present invention also provides a kind of non-volatile computer readable storage medium storing program for executing, wherein the non-volatile computer can
It reads storage medium and is stored with computer executable instructions, when which is executed by one or more processors,
One or more of processors may make to execute the method based on linux system definition application permission.
It should be understood that application program of the invention is not limited to above-mentioned citing, those of ordinary skill in the art are come
It says, it can be modified or changed according to the above description, and all these modifications and variations all should belong to right appended by the present invention and want
The protection scope asked.
Claims (10)
1. a kind of method based on linux system definition application permission, which is characterized in that comprising steps of
White list is added in the addressable file of application program by the NameSpace for first passing through the offer of linux system kernel in advance,
And blacklist list is added in the inaccessible file of application program;
It is called by the system that application program can be performed the system-computed that linux system kernel provides and the white list column is added
Table, and the not executable system of application program is called, the blacklist list is added.
2. the method according to claim 1 based on linux system definition application permission, which is characterized in that further include
Step:
The network access authority of the IP management information system definition application of linux system kernel offer is be provided in advance;It is described
Network access authority includes addressable network and inaccessible network.
3. the method according to claim 1 based on linux system definition application permission, which is characterized in that the text
Part is the one or more of progress information, Internet resources, document, browsing record, picture and video.
4. the method according to claim 1 based on linux system definition application permission, which is characterized in that described pre-
White list is added in the addressable file of application program by the NameSpace for first passing through the offer of linux system kernel, and will
The inaccessible file of application program is added the step of blacklist list and includes:
The white list is added in the addressable hardware information of application program by NameSpace, and not by application program
White list is added in addressable hardware information, and the hardware information is microphone, camera, mouse, keyboard or loudspeaker
One or more.
5. the method according to claim 1 based on linux system definition application permission, which is characterized in that described logical
The system calling addition white list that application program can be performed the system-computed of linux system kernel offer is crossed, with
And the not executable system of application program is called into the step of blacklist list is added later and includes:
When application program, which accesses inaccessible file or the not executable system of execution, to be called, the access of application program is intercepted
Or it executes, and by the title of the corresponding application programs of task details table record and record access time or when executing
Between.
6. a kind of electronic equipment characterized by comprising
Processor is adapted for carrying out each instruction, and
Equipment is stored, is suitable for storing a plurality of instruction, described instruction is suitable for being loaded and being executed by processor:
White list is added in the addressable file of application program by the NameSpace for first passing through the offer of linux system kernel in advance,
And blacklist list is added in the inaccessible file of application program;
It is called by the system that application program can be performed the system-computed that linux system kernel provides and the white list column is added
Table, and the not executable system of application program is called, the blacklist list is added.
7. wanting 6 electronic equipments according to right, which is characterized in that the file is progress information, Internet resources, document, clear
Look at the one or more of record, picture and video.
8. wanting 6 electronic equipments according to right, which is characterized in that the pre- name for first passing through the offer of linux system kernel
White list is added in the addressable file of application program by space, and black name is added in the inaccessible file of application program
The step of single-row table includes:
The white list is added in the addressable hardware information of application program by NameSpace, and not by application program
White list is added in addressable hardware information, and the hardware information is microphone, camera, mouse, keyboard or loudspeaker
One or more.
9. a kind of computer program product, which is characterized in that computer program product can including being stored in non-volatile computer
The computer program on storage medium is read, computer program includes program instruction, when program instruction is executed by processor, makes institute
It states processor perform claim and requires the described in any item methods based on linux system definition application permission of 1-5.
10. a kind of non-volatile computer readable storage medium storing program for executing, which is characterized in that the non-volatile computer readable storage medium
Matter is stored with computer executable instructions, when which is executed by one or more processors, may make institute
Stating one or more processors perform claim requires 1-5 described in any item based on linux system definition application permission
Method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810963267.9A CN109325358A (en) | 2018-08-22 | 2018-08-22 | Method, electronic equipment based on linux system definition application permission |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810963267.9A CN109325358A (en) | 2018-08-22 | 2018-08-22 | Method, electronic equipment based on linux system definition application permission |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109325358A true CN109325358A (en) | 2019-02-12 |
Family
ID=65263823
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810963267.9A Pending CN109325358A (en) | 2018-08-22 | 2018-08-22 | Method, electronic equipment based on linux system definition application permission |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109325358A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111031038A (en) * | 2019-12-12 | 2020-04-17 | 惠州Tcl移动通信有限公司 | Network processing method and device, storage medium and terminal equipment |
CN111159690A (en) * | 2019-12-13 | 2020-05-15 | 深圳市科陆电子科技股份有限公司 | Remote monitoring method, system and storage medium based on embedded Linux system |
CN112052439A (en) * | 2020-09-29 | 2020-12-08 | 北京智芯微电子科技有限公司 | Access right control method and device of embedded system and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107294962A (en) * | 2017-06-14 | 2017-10-24 | 福州汇思博信息技术有限公司 | A kind of method and terminal for configuring firewall security policy |
CN107506642A (en) * | 2017-08-10 | 2017-12-22 | 四川长虹电器股份有限公司 | The method and system for preventing file from being damaged by malicious operation behavior |
US20180013660A1 (en) * | 2016-07-11 | 2018-01-11 | Harmonic, Inc. | Namespace routing |
CN108205461A (en) * | 2016-12-19 | 2018-06-26 | 华耀(中国)科技有限公司 | The virtual platform and dispositions method of a kind of mixed deployment |
-
2018
- 2018-08-22 CN CN201810963267.9A patent/CN109325358A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180013660A1 (en) * | 2016-07-11 | 2018-01-11 | Harmonic, Inc. | Namespace routing |
CN108205461A (en) * | 2016-12-19 | 2018-06-26 | 华耀(中国)科技有限公司 | The virtual platform and dispositions method of a kind of mixed deployment |
CN107294962A (en) * | 2017-06-14 | 2017-10-24 | 福州汇思博信息技术有限公司 | A kind of method and terminal for configuring firewall security policy |
CN107506642A (en) * | 2017-08-10 | 2017-12-22 | 四川长虹电器股份有限公司 | The method and system for preventing file from being damaged by malicious operation behavior |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111031038A (en) * | 2019-12-12 | 2020-04-17 | 惠州Tcl移动通信有限公司 | Network processing method and device, storage medium and terminal equipment |
CN111159690A (en) * | 2019-12-13 | 2020-05-15 | 深圳市科陆电子科技股份有限公司 | Remote monitoring method, system and storage medium based on embedded Linux system |
CN111159690B (en) * | 2019-12-13 | 2023-08-08 | 深圳市科陆电子科技股份有限公司 | Remote monitoring method, system and storage medium based on embedded Linux system |
CN112052439A (en) * | 2020-09-29 | 2020-12-08 | 北京智芯微电子科技有限公司 | Access right control method and device of embedded system and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9684785B2 (en) | Providing multiple isolated execution environments for securely accessing untrusted content | |
Felt et al. | Permission re-delegation: Attacks and defenses. | |
US10346625B2 (en) | Automated mechanism to analyze elevated authority usage and capability | |
US8627451B2 (en) | Systems and methods for providing an isolated execution environment for accessing untrusted content | |
US9449170B2 (en) | Inhibiting denial-of-service attacks using group controls | |
EP2672382A2 (en) | System and method for changing abilities of a process by modifying the privileges assigned to the process | |
US20180218148A1 (en) | System call policies for containers | |
US20080162707A1 (en) | Time Based Permissioning | |
US10831915B2 (en) | Method and system for isolating application data access | |
CN101208928A (en) | Running internet applications with low rights | |
US8819766B2 (en) | Domain-based isolation and access control on dynamic objects | |
CN109325358A (en) | Method, electronic equipment based on linux system definition application permission | |
US9928365B1 (en) | Automated mechanism to obtain detailed forensic analysis of file access | |
US20240012883A1 (en) | Monitoring license constraints in a container orchestration system | |
JP2004158007A (en) | Computer access authorization | |
US11750619B2 (en) | Modify assigned privilege levels and limit access to resources | |
US11886605B2 (en) | Differentiated file permissions for container users | |
US10187391B2 (en) | Data access by external users | |
KR20090026846A (en) | Separator of the internal/external network throughout the dual indepentent environment and th controlling method thereof | |
US7979865B2 (en) | Identifying separate threads executing within a single process | |
US20070038572A1 (en) | Method, system and computer program for metering software usage | |
CN101777002B (en) | Software running method based on virtualization | |
JP2006107504A (en) | Integrated access authorization | |
KR101731920B1 (en) | Mobile terminal and control method thereof | |
JP6322967B2 (en) | Data protection apparatus, method, and program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20190212 |
|
WD01 | Invention patent application deemed withdrawn after publication |