CN110673849B - Method and device for presetting file security contexts in batches - Google Patents
Method and device for presetting file security contexts in batches Download PDFInfo
- Publication number
- CN110673849B CN110673849B CN201910747300.9A CN201910747300A CN110673849B CN 110673849 B CN110673849 B CN 110673849B CN 201910747300 A CN201910747300 A CN 201910747300A CN 110673849 B CN110673849 B CN 110673849B
- Authority
- CN
- China
- Prior art keywords
- file
- files
- directory
- security
- security context
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/61—Installation
- G06F8/63—Image based installation; Cloning; Build to order
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention relates to a method and a device for presetting file security contexts in batches, wherein the method comprises the following steps: traversing a total directory, wherein the total directory comprises all files and directories to be processed; searching a strategy file of the system according to the file name, and searching a security context corresponding to the file to be processed; setting a corresponding security context for each file through a security context setting tool according to the search result; circularly processing all files and catalogues; after the setting of the security contexts of all the files is completed, the general directory is packed into a compressed package, and since the security contexts are metadata of the files, the security context of each file can be packed into the compressed package together with the files; and placing the compressed package into a software upgrading package. The method and the device can avoid setting and mounting the file system attribute for a plurality of times in the system starting stage, reduce the risk of intrusion of the system and improve the setting efficiency of the security context.
Description
Technical Field
The invention relates to the field of communication, in particular to a method and a device for presetting file security contexts in batches.
Background
In a system using SELinux, everything objects (objects), and all files, port resources and processes that are accessed by the security element stored in the extended attribute field of the inode are provided with security tags: security context (security context).
Currently, the security context of a markup document is typically in the following manner: the kernel marks the security context for each file through definition in a SELinux strategy file in the system starting process, and the marked operation is actually to modify the metadata of the file and belongs to the writing operation on the file. In embedded systems, the file system is usually set to a read-only attribute based on security, so that the kernel cannot mark the security attribute of the file on the read-only file system. Therefore, the file system can be set as the readable and writable attribute temporarily only in the process of starting the system, and the kernel can re-mount the file system as the read-only attribute after finishing the task of marking the security context. According to the method, the file system is temporarily set to be readable and writable in the system starting process, so that the risk of intrusion of the system is increased on one hand, and the attribute of the file system is temporarily set for a plurality of times in the system starting process, so that system starting failure is easy to cause.
In addition, when the software is upgraded to the embedded system, the files to be upgraded to the embedded system are preset for the security context before the software upgrading package is generated, and then are packaged into the compressed package and put into the software upgrading package, so that the files in the software upgrading package have the security context, and when the software upgrading package is burnt to the system, the compressed package is decompressed, and the files have the security context. However, the compressed package contains a very large number of files required by the whole system, and the files are distributed under different sub-directories, so that the time for manually setting the security attribute of the files is very long.
Disclosure of Invention
The invention aims to provide a method and a device for presetting file security contexts in batches, which can solve the problem that a read-only file system cannot mark the file security contexts under the condition that the attribute of the file system is not changed and the file system is re-mounted in the system starting process, avoid setting and mounting the attribute of the file system for a plurality of times in the system starting stage, reduce the risk of intrusion of the system and improve the setting efficiency of the security contexts.
A method for batch presetting of file security contexts, comprising: traversing a total directory, wherein the total directory comprises all files and directories to be processed; searching a strategy file of the system according to the file name, and searching a security context corresponding to the file to be processed; setting a corresponding security context for each file through a security context setting tool according to the search result; circularly processing all files and catalogues; after the setting of the security contexts of all the files is completed, the general directory is packed into a compressed package, and since the security contexts are metadata of the files, the security context of each file can be packed into the compressed package together with the files; and placing the compressed package into a software upgrading package.
Further, in the process of circularly processing all files and directories, if the subdirectories are encountered, the subdirectories are entered, and all files under the subdirectories are processed until the traversal of the whole total directory is completed.
Further, the method further comprises the step of burning the software upgrading package into equipment to upgrade the software.
Further, the device is an embedded device.
Further, the traversing of the total directory is performed during the compiling of the software.
Further, the system is a SELinux system.
The invention also provides a device for presetting file security contexts in batches, which comprises: the searching module is used for traversing the total directory, searching the strategy file of the system according to the file name of the file to be processed in the total directory, and searching the security context corresponding to the file to be processed; the generation module is used for setting a corresponding security context for each file through the security context setting tool; and the packing module is used for packing the total catalogue into a compressed package and placing the compressed package into a software upgrading package.
Further, the system also comprises a storage module, wherein the storage module is used for storing the software upgrade package.
Compared with the prior art, the invention has the beneficial effects that:
1. the problem that the security context of the file can be marked only by changing the attribute of the file system and re-mounting the file system by the read-only file system in the system starting process is solved;
2. the file system attribute is prevented from being set and mounted for a plurality of times in the system starting stage, so that the risk of intrusion of the system is prevented from being increased when the file system attribute is set as a writable attribute;
3. the security context of the files is automatically preset in batches, so that the security context of each file is prevented from being searched and set manually, and the setting efficiency of the security rest files is improved;
4. and the work of setting the file security context is scripted and integrated into a software compiling and publishing process, so that the migration of a subsequent Linux platform is facilitated.
Drawings
FIG. 1 is a general flow chart of a method of batch presettinga file security context of the present invention.
FIG. 2 is a script flow diagram of a method of batch presettingfile security context of the present invention.
FIG. 3 is a flow chart of compiling a method for batch presettinga file security context according to the invention.
FIG. 4 is a block diagram of an apparatus for batch provisioning of file security contexts in accordance with the present invention.
Detailed Description
The following detailed description is provided for a better understanding of the above objects, aspects and advantages of embodiments of the present application. The detailed description sets forth various embodiments of the devices and/or methods via the use of block diagrams, flowcharts, etc., of the figures and/or examples. In these block diagrams, flowcharts, and/or examples, one or more functions and/or operations are included. Those skilled in the art will appreciate that: the various functions and/or operations within the block diagrams, flowcharts, or examples can be implemented solely or jointly by a wide variety of hardware, software, firmware, or any combination of hardware, software, and firmware.
As shown in fig. 1, in one embodiment, a method for presetting file security contexts in batches according to the present invention includes the following steps:
s11: traversing a total directory, wherein the total directory comprises all files and directories to be processed. In particular, traversing the general catalog is preferably performed during the compilation of the software.
S12: and searching the strategy file of the system according to the file name, and searching the security context corresponding to the file to be processed. Wherein the system is a SELinux system.
S13: and setting a corresponding security context for each file through a security context setting tool according to the search result. The security context setting tool is a prior art, and will not be described herein.
S14: and circularly processing all files and directories. And if the subdirectory is encountered in the process of circularly processing all files and catalogs, entering the subdirectory, and processing all files under the subdirectory until the traversal of the whole total catalogue is completed.
S15: after the security context setting of all the files is completed, the total directory is packed into a compressed package, and since the security context is metadata of the files, the security context of each file is packed into the compressed package together with the files.
S16: and placing the compressed package into a software upgrading package.
S17: and burning the software upgrading package to equipment to upgrade the software. The device may be one of a computer, a special purpose computer, and an embedded device.
In specific implementation, the method for presetting the file security context in batches can be written into a script through python, and the file security context in batches is preset through executing the script. Referring to fig. 2, a script flow diagram for batch presetting of file security contexts includes:
s21: the path of the total directory is entered.
S22: and traversing the total directory to obtain the path of the current processing directory or file. If the total directory contains the sub-directory, the sub-directory is entered, and all files under the sub-directory are processed until the traversal of the whole total directory is completed.
S23: the security context of the current file is looked up from the security context definition file.
S24: a security context is set for the current file.
S25: it is detected whether there are unprocessed files or directories, and if so, the process returns to step S22, otherwise, the script ends.
The script can be integrated into the process of compiling and packaging the software so as to facilitate the migration of a subsequent Linux platform, please refer to fig. 3, a compiling flow chart for presetting file security contexts in batches, which includes:
s31: and compiling software.
S32: and searching the corresponding security context from the security context definition file according to the compiled file.
S33: and setting a security context for the file according to the search result.
S34: and generating a software upgrading package.
S35: and burning the software upgrading package into the embedded equipment to upgrade the software.
The invention provides a device 100 for presetting file security contexts in batches, which is used for presetting file security contexts in batches and comprises the following steps: the searching module 101 is configured to traverse the total directory, search a policy file of the system according to a file name of a file to be processed in the total directory, and find a security context corresponding to the file to be processed. A generating module 102, configured to set, by a security context setting tool, a corresponding security context for each file. And the packaging module 103 is used for packaging the total catalogue into a compressed package and placing the compressed package into a software upgrading package. And a storage module 104 for storing a software upgrade package.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to encompass such modifications and variations.
Claims (8)
1. A method for batch presetting of file security contexts, comprising:
traversing a total directory, wherein the total directory comprises all files and directories to be processed, acquiring a current processing directory or a path of the files, entering the sub-directory if the total directory contains the sub-directory, and processing all files under the sub-directory until the traversing of the whole total directory is completed;
searching a strategy file of the system according to the file name, and searching a security context corresponding to the file to be processed;
setting a corresponding security context for each file through a security context setting tool according to the search result;
circularly processing all files and catalogues;
after the setting of the security contexts of all the files is completed, the general directory is packed into a compressed package, and since the security contexts are metadata of the files, the security context of each file can be packed into the compressed package together with the files;
and placing the compressed package into a software upgrading package.
2. The method for batch presetting of file security context according to claim 1, wherein in the process of circularly processing all files and directories, if a subdirectory is encountered, the subdirectory is entered, and all files under the subdirectory are processed until the traversal of the whole total directory is completed.
3. The method for batch provisioning of file security contexts of claim 1, further comprising burning the software upgrade package into a device to upgrade software.
4. A method of batch pre-setting of file security contexts as claimed in claim 3 wherein said device is an embedded device.
5. The method for batch pre-setting of file security contexts of claim 1, wherein said traversing the master catalog occurs during compilation of software.
6. The method for batch pre-setting of file security contexts of claim 1, wherein said system is a SELinux system.
7. An apparatus for batch presetting of document security contexts, comprising:
the searching module is used for traversing the total directory, searching the strategy file of the system according to the file name of the file to be processed in the total directory, and searching the security context corresponding to the file to be processed;
the generation module is used for setting a corresponding security context for each file through the security context setting tool;
and the packing module is used for packing the total catalogue into a compressed package and placing the compressed package into a software upgrading package.
8. The apparatus for batch presettig of file security contexts of claim 7, further comprising a storage module for storing a software upgrade package.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910747300.9A CN110673849B (en) | 2019-08-14 | 2019-08-14 | Method and device for presetting file security contexts in batches |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910747300.9A CN110673849B (en) | 2019-08-14 | 2019-08-14 | Method and device for presetting file security contexts in batches |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110673849A CN110673849A (en) | 2020-01-10 |
| CN110673849B true CN110673849B (en) | 2023-04-21 |
Family
ID=69068570
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910747300.9A Active CN110673849B (en) | 2019-08-14 | 2019-08-14 | Method and device for presetting file security contexts in batches |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110673849B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116601985A (en) * | 2020-12-25 | 2023-08-15 | 华为技术有限公司 | Security context generation method, device and computer readable storage medium |
| CN114760276B (en) * | 2022-06-13 | 2022-09-09 | 深圳市汇顶科技股份有限公司 | Method and device for downloading data and secure element |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7752214B2 (en) * | 2000-09-01 | 2010-07-06 | Op40, Inc. | Extended environment data structure for distributed digital assets over a multi-tier computer network |
| US8458765B2 (en) * | 2009-12-07 | 2013-06-04 | Samsung Electronics Co., Ltd. | Browser security standards via access control |
| US9405896B2 (en) * | 2011-04-12 | 2016-08-02 | Salesforce.Com, Inc. | Inter-application management of user credential data |
| US8966572B2 (en) * | 2011-09-30 | 2015-02-24 | Oracle International Corporation | Dynamic identity context propagation |
| US9230128B2 (en) * | 2013-03-13 | 2016-01-05 | Protegrity Corporation | Assignment of security contexts to define access permissions for file system objects |
| EP3475866A1 (en) * | 2016-06-24 | 2019-05-01 | Siemens Aktiengesellschaft | Plc virtual patching and automated distribution of security context |
| CN108062483B (en) * | 2016-11-09 | 2020-11-17 | 中国移动通信有限公司研究院 | Method, device and terminal for accessing system resources by application |
| CN106453413B (en) * | 2016-11-29 | 2019-06-25 | 北京元心科技有限公司 | Method and device for applying SELinux security policy in multi-system |
-
2019
- 2019-08-14 CN CN201910747300.9A patent/CN110673849B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN110673849A (en) | 2020-01-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| RU2565109C2 (en) | Method and apparatus for recovering backup database | |
| CN106775723B (en) | Android platform-based system firmware customization method and Android device | |
| CN104123126B (en) | It is a kind of to be used to generate the method and apparatus for merging conflict record list | |
| CN103077043B (en) | A kind of method of quick Start-up and operating performance Linux | |
| CN110673849B (en) | Method and device for presetting file security contexts in batches | |
| CN105760184A (en) | Method and device for loading component | |
| CN110442371B (en) | Method, device and medium for releasing codes and computer equipment | |
| CN111026455B (en) | Plug-in generation method, electronic device and storage medium | |
| CN105224361A (en) | A kind of method and system that sqlite3 type embedded database is upgraded | |
| CN105404691A (en) | File storage method and apparatus | |
| CN105867903A (en) | Method and device or splitting code library | |
| CN104376073A (en) | Database recovery method and device | |
| CN103678715A (en) | Snapshot supporting metadata information management method for distributed file system | |
| US9917697B2 (en) | Performing incremental upgrade on APK base file corresponding to APK eigenvalue value | |
| CN111984666B (en) | Database access method, apparatus, computer readable storage medium and computer device | |
| CN104484240A (en) | Method and device for storing terminal data | |
| CN112451972A (en) | Game engine-based resource compression package construction method, device, system and medium | |
| CN108628632B (en) | Packing method and device | |
| CN112230947A (en) | Upgrading method and upgrading system of operating system | |
| WO2019041891A1 (en) | Method and device for generating upgrade package | |
| CN103984621B (en) | log separation method and system | |
| CN104572876A (en) | Method and device for reading configuration file corresponding to software | |
| CN111324373B (en) | Method and device for sub-coding warehouse on multiple engineering files and computing equipment | |
| CN112559118A (en) | Application data migration method and device, electronic equipment and storage medium | |
| US9626371B2 (en) | Attribute selectable file operation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |