CN109635588A - A kind of document protection method based on Linux Virtual File System - Google Patents
- Publication number: CN109635588A
- Application number: CN201811565559.3A
- Authority: CN (China)
- Prior art keywords: file, vfs, file system, security, filter
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The present invention provides a document protection method based on the Linux Virtual File System, comprising: S1, partitioning the device storage medium to separate out a writeable operating space; S2, implementing write protection of the storage medium in the device driver layer, reducing the writeable range of the storage medium by configuring the writeable operating space separately; S3, configuring a VFS security management module in the VFS layer; S4, based on steps S1 and S2, providing a security mechanism enable module in the user layer. If the mechanism is not enabled, the VFS security management and control module performs no processing and the whole file system is equivalent to a conventional Linux file system; if the security mechanism is enabled, every operation on a file of the file system passes through the VFS layer and is processed by the VFS security management and control module. Document protection method of the present invention based on Linux Virtual File System.
Description
Technical field
The invention belongs to the technical field of Linux Virtual File System protection, and more particularly relates to a document protection method based on the Linux Virtual File System.
Background technique
The file protection technology of an operating system is an important foundation technology of the information security field and plays an important role in information security applications. In the field of security-monitoring AI applications, the complex application environment and the storage and read-write of big data pose higher technical challenges to file security.
To guarantee file security under an operating system, different file protection schemes have been introduced. A common protection technique is protection based on the storage medium, through which protection of the files is realized; but this method is only applicable to read-only operating systems, or requires frequent un-protect operations before big data analysis. There are also security mechanisms based on file attributes that provide soft protection of files; but this method lacks effective control over files under the operating system, easily generates intermediate files and operates the storage medium repeatedly, causing damage to the storage medium (such as flash) and thereby threatening file security.
On the basis of existing research, a file protection technique based on the Linux Virtual File System is proposed. The technique sets an operable file set and a read-only file set in advance, so that the files in the file system are aggregated and only a small range of writeable files is changed, reducing frequent read-write and dumping of files; effective filtering control of files is carried out by the Virtual File System (VFS) layer, reducing mis-operations on the storage medium by intermediate files or illegal files, and reducing the file damage rate under the operating system.
Summary of the invention
In view of this, the present invention aims to propose a document protection method based on the Linux Virtual File System, to solve the problem that existing document protection methods easily cause damage to the storage medium and thereby threaten file security.
To achieve the above objectives, the technical scheme of the present invention is realized as follows:
A document protection method based on the Linux Virtual File System, comprising:
S1, partitioning the device storage medium to separate out a writeable operating space;
S2, implementing write protection of the storage medium in the device driver layer, reducing the writeable range of the storage medium by configuring the writeable operating space separately;
S3, configuring a VFS security management module in the VFS layer;
S4, based on steps S1 and S2, providing a security mechanism enable module in the user layer. If the mechanism is not enabled, the VFS security management and control module performs no processing and the whole file system is equivalent to a conventional Linux file system; if the security mechanism is enabled, every operation on a file of the file system passes through the VFS layer and is processed by the VFS security management and control module.
Further, in step S3 a security filter is created in the VFS security management module; the security filter is used to record the file information of the files that are allowed to be operated on.
Further, in step S3, when a file of the file system is operated on, the operation is filtered by the VFS security management module. File operations include create operations and open operations, and both create and open operations must be screened by the security filter.
Further, the method for carrying out the create operation is as follows:
At creation a judgement is made by the security filter. If it passes, the file is allowed to be created normally and the file is a legitimate file; if it fails to pass, the file is an illegal file and any operation on the illegal file is forbidden.
Further, the process for carrying out the open operation is as follows:
A file open operation includes reading and writing of the file. If the file is being read, the file is necessarily an existing file under the file system; it passes the filter directly and is operated on normally. If the file is being written, or a file that does not exist is created when writing, it is subjected to the filtering process of the filter: if it passes the filter, the file is written or created according to the normal write operation; if it does not pass the filter, the write operation to the file is forbidden.
Compared with the prior art, the document protection method of the present invention based on the Linux Virtual File System has the following advantages:
The document protection method of the present invention based on the Linux Virtual File System can effectively manage all files in the file system: files that must not change will not be illegally modified or destroyed, while files under the security management configuration are allowed to be modified. This guarantees the stability of the file system and the controllability of files; controllable write operations reduce frequent operations on the storage medium, reducing the failure probability of file storage in the file system and the damage rate of the storage medium.
Detailed description of the invention
The accompanying drawings, which form a part of the present invention, are provided for a further understanding of the invention; the schematic embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is the hierarchy diagram of the document protection method based on the Linux Virtual File System described in the embodiment of the present invention;
Fig. 2 is the implementation flow chart of the VFS security management and control module described in the embodiment of the present invention.
Specific embodiment
It should be noted that, in the absence of conflict, the embodiments of the present invention and the features in the embodiments may be combined with each other.
In the description of the present invention, it is to be understood that the orientation or positional relationships indicated by terms such as "center", "longitudinal", "transverse", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner" and "outer" are based on the orientation or positional relationships shown in the drawings, are merely for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they should therefore not be understood as limiting the invention. In addition, the terms "first", "second" and the like are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, unless otherwise indicated, "multiple" means two or more.
In the description of the present invention, it should be noted that, unless otherwise clearly specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly: for example, a connection may be a fixed connection, a detachable connection or an integral connection; it may be a mechanical connection or an electrical connection; it may be a direct connection, an indirect connection through an intermediary, or an internal connection between two elements. For a person of ordinary skill in the art, the specific meaning of the above terms in the present invention can be understood according to the specific situation.
The present invention will be described in detail below with reference to the accompanying drawings and embodiments.
As shown in Fig. 1, the method used in the present patent application adds a security management module in the VFS layer and a security mechanism enable module in the user layer.
The user layer controls the security mechanism enable module, so that the file operation protection mechanism of the file system can be enabled actively; the security mechanism enable module increases the flexibility and ease of use of the protection technique. The core function is realized in the VFS security management and control module, whose implementation process is shown in Fig. 2:
The VFS security management and control module first starts the unauthorized access log. For files operated on under the file system that do not pass the security filter, the unauthorized access log records detailed information of the illegal file and the time of the illegal operation. With the aid of the unauthorized access log, the security filter can be configured precisely, and the threats to which files may be subjected during file system operations can also be examined.
The security filter is the core implementation of the VFS security management and control module. The user, by combing through the files of the file system, places the files that are writeable or need to be created on the writeable partition of the storage medium, and configures the filter conditions of the security filter from the user layer. This technique mainly records in the security filter the information of the files that are allowed to be operated on. The configuration of the security filter may not be completed in one pass: through the unauthorized access log, one can check which files that need to be filtered were intercepted by the system, until the system operates normally and the configuration of the security filter is complete.
The file operation critical path is the key component of the VFS security management and control module. The critical path of a file operation is creation or opening; reading, writing and all other operations must first have an open or a create. The security filter is added to these two critical paths, create and open, in the VFS layer.
A file create operation passes through security filter processing, and the filter judges whether the file passes. If the file is in the configuration of the security filter, it is a legitimate file, it is safe, and the file is allowed to be created normally; if it fails the screening of the security filter, the file is an illegal file, and the creation of the illegal file and subsequent operations on it are forbidden.
A file open operation passes through security filter processing; opening a file mainly involves the read operation and the write operation of the file. If a read operation opens the file, the operated file is an already existing file in the file system, it is a legitimate file and will not introduce other illegal operations; the open operation in this case passes the security filter directly, the file is opened normally, and the normal read operation can be completed. If a write operation opens the file, there is the danger of illegally modifying the file, mainly including modifying an existing file, or illegally creating a file when the file does not exist during a write. When the file undergoes the filtering process of the security filter, if the file is in the security filter configuration, it passes the filter safely and the normal open-for-write operation or create operation is performed; if it cannot pass the screening of the security filter, then if the file does not exist, creation is not allowed, and if the file exists, it is a protected file and an illegal open-for-write operation is not allowed.
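As an added example (not the patent's code), the decision logic of the create and open critical paths in Fig. 2 modelled in user-space C: the filter whitelist, the set of existing files and the unauthorized access log are constructed in-memory stand-ins for the kernel structures the patent leaves open, and the switch `security_mechanism_enabled` stands for the user-layer enable module.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not the patent's code: a user-space model of the decision the
 * VFS security management module makes on the create and open paths (Fig. 2).
 * The whitelist, the existing-file set and the unauthorized access log are
 * constructed in-memory stand-ins for kernel structures the patent leaves open. */

enum op { OP_CREATE, OP_OPEN_READ, OP_OPEN_WRITE };
enum verdict { V_ALLOW, V_DENY_PROTECTED, V_DENY_CREATE };

/* Security filter: files the user layer configured as allowed to be written or
 * created (constructed sample paths on the writeable partition). */
static const char *allowed_files[] = { "/data/work/model.bin", "/data/work/cache.db" };
#define N_ALLOWED (sizeof allowed_files / sizeof allowed_files[0])

/* Files already present on the file system (constructed sample). */
static const char *existing_files[] = { "/etc/config.ini", "/data/work/model.bin" };
#define N_EXISTING (sizeof existing_files / sizeof existing_files[0])

bool security_mechanism_enabled = true;   /* S4: user-layer enable switch */

/* Unauthorized access log: path, operation and time of each rejected request. */
#define MAX_LOG 16
struct log_entry { char path[64]; enum op op; time_t when; };
struct log_entry unauthorized_log[MAX_LOG];
int unauthorized_log_count = 0;

static bool in_list(const char *path, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(path, list[i]) == 0) return true;
    return false;
}

static void record_unauthorized(const char *path, enum op op) {
    if (unauthorized_log_count >= MAX_LOG) return;          /* log full: drop */
    struct log_entry *e = &unauthorized_log[unauthorized_log_count++];
    snprintf(e->path, sizeof e->path, "%s", path);
    e->op = op;
    e->when = time(NULL);
}

/* Decision at the VFS create/open critical path. */
enum verdict vfs_check(const char *path, enum op op) {
    if (!security_mechanism_enabled) return V_ALLOW;   /* plain Linux behaviour */
    /* Reads pass the filter directly; a missing file fails in the FS itself. */
    if (op == OP_OPEN_READ) return V_ALLOW;
    if (in_list(path, allowed_files, N_ALLOWED)) return V_ALLOW;  /* legitimate */
    record_unauthorized(path, op);
    /* Not in the filter: an existing file is protected and may not be opened
     * for writing; a missing one may not be created. */
    return in_list(path, existing_files, N_EXISTING) ? V_DENY_PROTECTED : V_DENY_CREATE;
}

int main(void) {
    const char *names[] = { "create", "open-read", "open-write" };
    const char *text[] = { "allow", "deny: protected file", "deny: create not allowed" };
    struct { const char *path; enum op op; } reqs[] = {
        { "/etc/config.ini", OP_OPEN_READ },  { "/data/work/model.bin", OP_OPEN_WRITE },
        { "/etc/config.ini", OP_OPEN_WRITE }, { "/tmp/junk.tmp", OP_CREATE },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-10s %-22s -> %s\n", names[reqs[i].op], reqs[i].path,
               text[vfs_check(reqs[i].path, reqs[i].op)]);
    /* The log is what an administrator reviews to refine the filter configuration. */
    for (int i = 0; i < unauthorized_log_count; i++)
        printf("log: %s (%s)\n", unauthorized_log[i].path, names[unauthorized_log[i].op]);
    return 0;
}
```

The two rejected requests end up in the log, which is the feedback loop the description uses to refine the filter until the system operates normally.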
The foregoing is merely illustrative of the preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included in the protection scope of the present invention.
Claims (5)
1. A document protection method based on the Linux Virtual File System, characterized by comprising:
S1, partitioning the device storage medium to separate out a writeable operating space;
S2, implementing write protection of the storage medium in the device driver layer, reducing the writeable range of the storage medium by configuring the writeable operating space separately;
S3, configuring a VFS security management module in the VFS layer;
S4, based on steps S1 and S2, providing a security mechanism enable module in the user layer; if the mechanism is not enabled, the VFS security management and control module performs no processing and the whole file system is equivalent to a conventional Linux file system; if the security mechanism is enabled, every operation on a file of the file system passes through the VFS layer and is processed by the VFS security management and control module.
2. The document protection method based on the Linux Virtual File System according to claim 1, characterized in that: in step S3 a security filter is created in the VFS security management module, and the security filter is used to record the file information of the files that are allowed to be operated on.
3. The document protection method based on the Linux Virtual File System according to claim 1, characterized in that: in step S3, when a file of the file system is operated on, the operation is filtered by the VFS security management module; file operations include create operations and open operations, and both create and open operations must be screened by the security filter.
4. The document protection method based on the Linux Virtual File System according to claim 3, characterized in that the method for carrying out the create operation is as follows:
at creation a judgement is made by the security filter; if it passes, the file is allowed to be created normally and the file is a legitimate file; if it fails to pass, the file is an illegal file and any operation on the illegal file is forbidden.
5. The document protection method based on the Linux Virtual File System according to claim 3, characterized in that the process for carrying out the open operation is as follows:
a file open operation includes reading and writing of the file; if the file is being read, the file is necessarily an existing file under the file system, passes the filter directly and is operated on normally; if the file is being written, or a file that does not exist is created when writing, it is subjected to the filtering process of the filter: if it passes the filter, the file is written or created according to the normal write operation; if it does not pass the filter, the write operation to the file is forbidden.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811565559.3A CN109635588A (en) | 2018-12-20 | 2018-12-20 | A kind of document protection method based on Linux Virtual File System |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109635588A true CN109635588A (en) | 2019-04-16 |
Family
ID=66075955
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811565559.3A Pending CN109635588A (en) | 2018-12-20 | 2018-12-20 | A kind of document protection method based on Linux Virtual File System |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109635588A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111104373A (en) * | 2019-12-24 | 2020-05-05 | 天地伟业技术有限公司 | Database performance optimization method |
CN111104373B (en) * | 2019-12-24 | 2023-09-19 | 天地伟业技术有限公司 | Database performance optimization method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5953522A (en) * | 1996-07-01 | 1999-09-14 | Sun Microsystems, Inc. | Temporary computer file system implementing using anonymous storage allocated for virtual memory |
US20120102266A1 (en) * | 2009-06-16 | 2012-04-26 | Ikonoskop Ab | Method And System For Storage Of Data |
CN102662870A (en) * | 2012-03-20 | 2012-09-12 | 武汉噢易科技有限公司 | Android operation system protection method based on input/output request intercepted by VFS (virtual file system) layer |
US9165003B1 (en) * | 2004-11-29 | 2015-10-20 | Netapp, Inc. | Technique for permitting multiple virtual file systems having the same identifier to be served by a single storage system |
CN105808977A (en) * | 2014-12-30 | 2016-07-27 | Tcl集团股份有限公司 | Processing methods and apparatuses for file reading and writing operations |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20190416 |