CN110674530A - File access control method, equipment and device based on user mode - Google Patents


Publication number
CN110674530A
Authority
CN
China
Prior art keywords
file
backup area
operation event
recombined
directory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910937153.1A
Other languages
Chinese (zh)
Other versions
CN110674530B (en)
Inventor
谭皇
樊宇
何坤
叶晓虎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhou Lvmeng Chengdu Technology Co ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd filed Critical NSFOCUS Information Technology Co Ltd
Priority to CN201910937153.1A priority Critical patent/CN110674530B/en
Publication of CN110674530A publication Critical patent/CN110674530A/en
Application granted granted Critical
Publication of CN110674530B publication Critical patent/CN110674530B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/71 Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a file access control method, equipment and device based on user mode, which address the problem that compilers of different versions must be configured for kernels of different versions. If a file in the monitoring sequence is determined to be subjected to access control, an operation event corresponding to the file is generated; whether the operation event is allowed is determined according to a file protection rule; if the operation event is allowed, the file after access control is backed up in a backup area; and if the operation event is not allowed, the file is restored from the backup area. There is no need to configure compilers of different versions for kernels of different versions in order to run the access control mechanism in kernel mode; only one set of compilers needs to be configured for kernels of different versions to run the access control mechanism in user mode, which improves the compatibility of the system.

Description

File access control method, equipment and device based on user mode
Technical Field
The invention relates to the technical field of computers, and in particular to a file access control method, equipment and device based on user mode.
Background
File system security is an important part of an operating system platform. It covers monitoring and auditing of the file system, backup and recovery of the file system, and tamper-proof filtering management of the file system.
Macroscopically, the operating system architecture is divided into a user mode and a kernel mode (or user space and kernel). The kernel is essentially software that controls the hardware resources of the computer and provides an operating environment for upper-layer applications. An application program in user mode (the space in which upper-layer applications run) depends on the resources provided by the kernel, including CPU resources, storage resources, I/O resources, etc., and the kernel provides a system call interface that upper-layer application programs can access.
In current operating systems, file access control mechanisms run in kernel mode, for example the tamper-resistant mechanism among the file access control mechanisms. However, because an operating system has many kernel versions and the versions differ greatly from one another, if the file access control mechanism runs in kernel mode, compilers of different versions need to be configured for the kernels of different versions.
To sum up, when the file access control mechanism runs in kernel mode, compilers of different versions need to be configured for kernels of different versions.
Disclosure of Invention
The invention provides a user mode-based file access control method, device and apparatus, which are used for solving the problems that a file access control mechanism in the prior art runs in a kernel mode and compilers of different versions need to be configured for kernels of different versions.
In a first aspect, an embodiment of the present invention provides a file access control method based on a user mode, where the method includes:
if a file in the monitoring sequence is determined to be subjected to access control, generating an operation event corresponding to the file; determining whether the operation event is allowed according to a file protection rule; if the operation event is allowed, backing up the file after access control in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
In the method, if a file in the monitoring sequence is determined to be subjected to access control, whether the operation event corresponding to the file is allowed is determined according to the file protection rule. If the operation event is allowed, the file after access control is backed up in the backup area; if the operation event is not allowed, the file is restored from the backup area. Because both the judgment of whether the file's type is among the protected file types of the file protection rule and the restoration of the file are performed in user mode, there is no need to configure compilers of different versions for kernels of different versions in order to run an access control mechanism in kernel mode. Only one set of compilers needs to be configured for kernels of different versions to run the access control mechanism in user mode, which improves the compatibility of the system.
In a possible implementation manner, if the file is a directory file, the method further includes:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
if the file type of the directory file exists in the protected file types in the user mode, restoring the directory file from the backup area, and then placing the restored directory file in the monitoring sequence again.
In the method, if the file is a directory file, whether the directory file is deleted is judged, if the directory file is deleted, whether the file type of the directory file is included in the protected file type is judged, if the protected file type is determined to include the file type of the directory file, the directory file is restored from the backup area, and the restored directory file is placed in the monitoring sequence again. Since the whole directory file is deleted, after the deleted directory file is restored, the restored directory file is monitored, that is, whether the directory file is tampered or not is monitored, so that the security of the file can be ensured.
In one possible implementation manner, the restoring the file from the backup area includes:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
In the method, the backup file corresponding to the file subjected to access control is first determined from the backup area. The file is then compared with the backup file to obtain a difference file, the difference file and the file are recombined, the file is deleted, and the recombined file is used as the restored file. Because the restored file is produced by recombining the difference file with the file subjected to access control, rather than by directly copying the backup file out of the backup area, time is saved and restoration efficiency is improved.
In a possible implementation manner, the restoring the file from the backup area if the operation event is not allowed includes:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
In the method, the file type of the file is determined according to the suffix name of the file, and if the protected file type is determined to include the suffix name of the file in the user mode, the file is restored from the backup area. The suffix name of the file is taken as the file type of the file, so that the file is convenient to identify.
In a possible implementation manner, the deleting the file after the file is reassembled with the difference file, and taking the reassembled file as a recovered file includes:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
In the method, the hash value obtained by hashing the file name of the file is used as the suffix name of the recombined file. If the protected file types are determined not to include that suffix name, the recombined file is not subjected to recovery processing. The file is then deleted, its file name is given to the recombined file, and the recombined file is used as the restored file. Because the restored file was restored by the system itself, it does not need to be monitored again, which reduces repeated processing of the file and saves resources and time.
In a possible implementation manner, before determining that a file in the monitoring sequence is subjected to access control, the method further includes:
deduplicating the redundant events generated by the file.
In the method, before a file in the monitoring sequence is determined to be subjected to access control, the redundant events generated by the file are deduplicated, which saves resources and time.
In a possible implementation manner, before determining that a file in the monitoring sequence is subjected to access control, the method further includes:
determining, according to the file protection rule, that the file is a file in the monitoring sequence.
In the method, before a file in the monitoring sequence is determined to be subjected to access control, the file is determined to be a file in the monitoring sequence according to the file protection rule, so that only files in the monitoring sequence need to be restored or backed up, which reduces unnecessary system overhead.
In a second aspect, an embodiment of the present invention provides a file access control device based on a user mode, where the device includes: at least one processing unit and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
if a file in the monitoring sequence is determined to be subjected to access control, generating an operation event corresponding to the file; determining whether the operation event is allowed according to a file protection rule; if the operation event is allowed, backing up the file after access control in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
In a possible implementation manner, if the file is a directory file, the processing unit is further configured to:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
if the file type of the directory file exists in the protected file types, restoring the directory file from the backup area, and then placing the restored directory file in the monitoring sequence again.
In a possible implementation manner, the processing unit is specifically configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
In a possible implementation manner, the processing unit is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
In a possible implementation manner, the processing unit is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
In one possible implementation, the processing unit is further configured to:
before determining that a file in the monitoring sequence is subjected to access control, deduplicate the redundant events generated by the file.
In one possible implementation, the processing unit is further configured to:
before determining that a file in the monitoring sequence is subjected to access control, determine, according to the file protection rule, that the file is a file in the monitoring sequence.
In a third aspect, an embodiment of the present invention provides a file access control device based on a user mode, where the device includes:
the generating module is used for generating an operation event corresponding to a file when the file in the monitoring sequence is determined to be subjected to access control;
the determining module is used for determining whether the operation event is allowed according to a file protection rule;
the processing module is used for backing up the file after the access control in the backup area if the operation event is allowed; and if the operation event is not allowed, restoring the file from the backup area.
In one possible implementation, if the file is a directory file:
the determining module is used for determining whether the protected file type of the file protection rule comprises the file type of the directory file if the directory file is determined to be deleted;
and the recovery module is used for restoring the directory file from the backup area and then placing the restored directory file in the monitoring sequence again if the protected file type is determined to comprise the file type of the directory file.
In one possible implementation, the processing module is further configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
In a possible implementation manner, the processing module is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
In a possible implementation manner, the processing module is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
In one possible implementation, the processing module is further configured to:
before determining that a file in the monitoring sequence is subjected to access control, deduplicate the redundant events generated by the file.
In one possible implementation, the processing module is further configured to:
before determining that a file in the monitoring sequence is subjected to access control, determine, according to the file protection rule, that the file is a file in the monitoring sequence.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the method according to any one of the first aspect.
In addition, for technical effects brought by any one implementation manner of the second aspect to the fourth aspect, reference may be made to technical effects brought by different implementation manners of the first aspect, and details are not described here.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
FIG. 1 is a schematic diagram of a file system I/O access process under a Linux operating system platform;
FIG. 2 is a schematic flowchart of a file access control method based on a user mode according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for adding a file protection rule according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for deleting a file protection rule according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for modifying file protection rules according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a file access control device based on a user mode according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a file access control device based on a user mode according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 shows the file system I/O access process under the Linux operating system platform. A user-mode application program accessing the file system traps into the kernel through the 0x80 software interrupt, and the I/O system call on the target file system is carried out through the VFS mechanism. The VFS serves as the access entry of the file system in kernel mode and provides an entry point for file system access control.
As can be seen from FIG. 1, the application and the glibc library are in user mode, and the VFS mechanism, the General block Device layer, the Device driver, and the Physical Device are in kernel mode.
For a file write, the write can be sent directly to the kernel-mode VFS mechanism by the application program, or sent to the kernel-mode VFS mechanism through the glibc library. After being processed by the VFS mechanism, the write is processed by the general device layer and the device driver and is finally sent to the physical device for storage.
In the file system I/O access process under the Linux operating system platform, when a file is subjected to access control, the file may be tampered with, for example deleted or modified, and a tampered file needs to be restored.
The user-mode file access control method in the embodiment of the present invention mainly includes two parts: a method for backing up a file subjected to access control, and a method for performing tamper-resistant recovery on a file subjected to access control.
Specifically, when performing file access control in the embodiment of the present invention, it may be determined whether a file subjected to access control is a file in the monitoring sequence, and if so, an operation event corresponding to the file is generated. Whether the operation event is allowed can then be determined according to the file protection rules. If the operation event is allowed, it can be confirmed to be a secure event and the file can be operated on; to ensure the security and stability of the file, the file after access control can be backed up in a backup area. Conversely, if the operation event is not allowed, it may be determined to be an insecure event and the file is at risk of being tampered with, so the file may be restored from the backup area to ensure the accuracy of the file.
Further, in the embodiment of the present invention, when performing tamper resistance according to the user-mode access control method, it may first be determined whether a file in the monitoring sequence has been tampered with. If so, it is determined whether the protected file types of the file protection rule include the file type of the tampered file, and if they do, the tampered file is restored from the backup area.
The application scenario described in the embodiment of the present invention is for more clearly illustrating the technical solution of the embodiment of the present invention, and does not form a limitation on the technical solution provided in the embodiment of the present invention, and it can be known by a person skilled in the art that with the occurrence of a new application scenario, the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems.
For the application scenario, the present application provides a file access control method, as shown in fig. 2, the method includes the following steps:
S200, if a file in the monitoring sequence is determined to be subjected to access control, generating an operation event corresponding to the file;
S201, determining whether the operation event is allowed according to a file protection rule;
S202, if the operation event is allowed, backing up the file after access control in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
In the embodiment of the invention, if a file in the monitoring sequence is determined to be subjected to access control, whether the operation event corresponding to the file is allowed is determined according to the file protection rule. If the operation event is allowed, the file after access control is backed up in the backup area; if the operation event is not allowed, the file is restored from the backup area. Because both the judgment of whether the file's type is among the protected file types of the file protection rule and the restoration of the file are performed in user mode, there is no need to configure compilers of different versions for kernels of different versions in order to run an access control mechanism in kernel mode. Only one set of compilers needs to be configured for kernels of different versions to run the access control mechanism in user mode, which improves the compatibility of the system.
In implementation, when access control is performed on the file, whether a file in the monitoring sequence has been tampered with can be determined through the existing inotify mechanism. The inotify mechanism can judge whether the accessed file has been tampered with; if it determines that the file has been tampered with, it can trigger a monitoring event management thread in user mode, which then judges whether the protected file types of the file protection rule include the file type of the tampered file.
Before judging in user mode whether the protected file types of the file protection rule include the file type of the file, it is determined that the file protection rule is in effect. Once the file protection rule is determined to be in effect, whether the protected file types of the file protection rule include the file type of the tampered file is judged in user mode.
The file protection rule can be configured by a user, and in the file tamper-proofing method based on the user mode in the embodiment of the invention, the file protection rule can be updated, such as addition, deletion, modification and the like. The following description will be made separately.
Fig. 3 is a schematic flow chart of a method for adding a new file protection rule according to an embodiment of the present invention.
S300, traversing a file protection rule list;
S301, judging whether the traversal of the file protection rule list is finished, if so, executing S305, and otherwise, executing S302;
S302, acquiring a rule ID field in the protection rule of the newly added file;
S303, judging whether the rule ID fields of all the file protection rules in the file protection rule list are consistent with the rule ID fields in the newly added file protection rules, if so, executing S304, otherwise, executing S301;
S304, determining that the protection rule of the newly added file exists;
S305, newly adding a file protection rule to a file protection rule linked list;
S306, judging whether all the file protection rules in the file protection rule list with the added file protection rules are in an effective state, if so, executing S307, otherwise, ending;
S307, newly building a backup task to a task list;
S308, waking up the backup task processing thread.
Fig. 4 is a schematic flow chart of a method for deleting a file protection rule according to an embodiment of the present invention.
S400, traversing a file protection rule list;
S401, judging whether traversing the file protection rule list is finished or not, if so, finishing, and if not, executing S402;
S402, judging whether the rule ID fields of all the file protection rules in the file protection rule list are consistent with the rule ID fields in the deleted file protection rule, if so, executing S403, otherwise, executing S400;
S403, deleting the file protection rule needing to be deleted from the file protection rule list;
S404, judging whether all file protection rules in the file protection rule list after the file protection rule needing to be deleted is deleted are in an effective state, if so, executing S405, and if not, ending;
S405, deleting the backup task and the monitoring information corresponding to the file protection rule needing to be deleted.
Fig. 5 is a schematic flow chart of a method for modifying a file protection rule according to an embodiment of the present invention.
S500, traversing a file protection rule list;
S501, judging whether the traversal of the file protection rule list is finished, if so, finishing, and if not, executing S502;
S502, judging whether a file protection rule directory in the file protection rule list changes, if so, executing S503, otherwise, ending;
S503, modifying the corresponding protection rule by changing the field;
S504, judging whether the modified file protection rule is in an effective state, if so, executing S505, and if not, ending;
S505, deleting the backup task and the monitoring information corresponding to the protection rule before modification;
S506, newly adding the modified backup task to a task queue;
S507, awakening the backup task processing thread.
The above is a description of the updating of file protection rules.
It should further be noted that, before it is determined that an accessed file in the monitoring sequence has been tampered with, it is also determined that, once the file protection rule has taken effect, the files corresponding to the protected file types have been backed up to the backup area specified by the user. The backup area designated by the user may be a local backup area or a remote backup area; which backup mode is used may be determined according to actual needs and is not limited by the present invention.
For example, the user may select the backup mode, or the system may default the backup mode.
In implementation, before judging in user mode whether the protected file types of the file protection rule include the file type of the file, the redundant events generated by the file are deduplicated in user mode in order to save resources and time.
The file protection rule in user mode includes a protected file type. For example, if the file type protected by the protection rule is set to "×", files of all types are protected; specific protected file types may also be specified, such as PDF, txt, etc. It should be noted that a protection rule may protect files of one file type or files of multiple file types.
For example, if the protected file types are determined to include the file type of the tampered file, the file is restored from the backup area.
In the embodiment of the present invention, the file may be a directory file, and if the file is a directory file and it is determined in the monitoring sequence that the directory file is deleted, it is determined whether the file type of the directory file is included in the protected file types of the file protection rule, and if the file type of the directory file is included, the directory file is restored from the backup area, and then the restored directory file is placed in the monitoring sequence again, and the monitoring of the directory file is continued.
In implementation, the file is restored from the backup area, a backup file corresponding to the file may be determined from the backup area, then the file is compared with the backup file to obtain a difference file, finally the file is recombined with the difference file, the file is deleted, and the recombined file is used as the restored file.
For example, when it is determined that the file a is tampered and the protected file type includes the file type of the file a, the file a is restored from the backup area, the file a ' corresponding to the file a and not tampered is already stored in the backup area, the backup file a ' corresponding to the file a is first determined, then the file a and the backup file a ' are compared to obtain a difference file B, the file a and the difference file B are recombined, the file a is deleted, and the file obtained by recombining the file a and the difference file B is used as the restored file.
In an implementation, the file type of the file may be determined from the suffix name of the file, and the file may be restored from the backup area if it is determined that the suffix name of the file is included in the protected file type.
The manner of restoring the file from the backup area may be the same as described above, and will not be described herein.
When the file type of the file is determined according to the suffix name of the file, a hash operation can be performed on the file name of the file, and the hash value obtained is used as the suffix name of the recombined file. The suffix name of the recombined file, that is, the hash value obtained by the hash operation on the file name, is determined not to be included in the protected file type, so no recovery processing is performed on the recombined file. The file is then deleted, the file name of the file is used as the file name of the recombined file, and the recombined file is used as the restored file.
For example, if the file name of the tampered file is A, a hash operation is performed on the file name A to obtain a hash value B, the hash value B is used as the suffix name of the recombined file, and it is determined that the protected file type does not include B, so no recovery processing is performed on the recombined file.
The process of recovering the file is itself a form of tampering, but the recombined file does not need recovery processing. The suffix name of the recombined file is therefore changed to ensure that it is not in the protected file type, so that no recovery processing is triggered for the recombined file.
It should be noted that the protected file type is generally a common file type, for example ".PDF" or ".txt". When a hash operation is performed on the file name and the resulting hash value is used as the suffix name of the recombined file, the probability that the hash value appears in the protected file type is extremely small (if the hash value is consistent with a protected file type, the hash value is recalculated). The hash value obtained from the file name can therefore be used as the suffix name, that is, the file type, of the restored file.
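The restore path described above (backup lookup, difference file, recombination under a hash-derived suffix, delete and rename) can be written out as follows. This is an added Python example, not code from the patent; SHA-256 as the hash, a byte-level `difflib` diff as the difference file, an explicit suffix set as the rule, the `allowed` verdict passed in by the caller, and all function names are assumptions.

```python
import difflib
import hashlib
import shutil
import tempfile
from pathlib import Path

PROTECTED_TYPES = {".pdf", ".txt"}  # constructed rule: suffixes the rule protects


def is_protected(path, protected_types=PROTECTED_TYPES):
    """The file type is taken from the suffix name, as in the description."""
    return Path(path).suffix.lower() in protected_types


def staging_suffix(file_name, protected_types=PROTECTED_TYPES):
    """Hash the file name into a suffix that is not a protected type."""
    digest = hashlib.sha256(file_name.encode()).hexdigest()
    while "." + digest[:16] in protected_types:  # collision: recalculate
        digest = hashlib.sha256(digest.encode()).hexdigest()
    return "." + digest[:16]


def make_difference(current, backup):
    """Difference 'file': the edits that turn the current bytes into the backup."""
    matcher = difflib.SequenceMatcher(None, current, backup, autojunk=False)
    return [(i1, i2, backup[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]


def recombine(current, difference):
    """Apply the difference to the current bytes; the result equals the backup."""
    out, pos = bytearray(), 0
    for i1, i2, data in difference:
        out += current[pos:i1]  # run the tampering left untouched
        out += data             # bytes taken from the backup
        pos = i2
    return bytes(out + current[pos:])


def restore(path, backup_dir, protected_types=PROTECTED_TYPES):
    """Rebuild under a hash suffix, delete the original, then take its name."""
    path = Path(path)
    backup = (Path(backup_dir) / path.name).read_bytes()
    current = path.read_bytes() if path.exists() else b""  # deleted: start empty
    staged = path.with_name(path.name + staging_suffix(path.name, protected_types))
    staged.write_bytes(recombine(current, make_difference(current, backup)))
    if path.exists():
        path.unlink()
    staged.rename(path)
    return staged


def handle_event(path, allowed, backup_dir, protected_types=PROTECTED_TYPES):
    """Dispatch one operation event; `allowed` is the rule's verdict (assumed input)."""
    if not is_protected(path, protected_types):
        return "ignored"  # covers events raised by the staged file itself
    if allowed:
        shutil.copy2(path, Path(backup_dir) / Path(path).name)
        return "backed_up"
    restore(path, backup_dir, protected_types)
    return "restored"


def demo():
    """Constructed scenario: permitted write, tampering, restore, staged-file event."""
    with tempfile.TemporaryDirectory() as root:
        watched, backup_dir = Path(root, "www"), Path(root, "bak")
        watched.mkdir()
        backup_dir.mkdir()
        page = watched / "index.txt"
        page.write_bytes(b"welcome to the site\n")
        first = handle_event(page, True, backup_dir)
        page.write_bytes(b"welcome to the defaced site\n")
        staged = page.with_name(page.name + staging_suffix(page.name))
        second = handle_event(page, False, backup_dir)
        third = handle_event(staged, False, backup_dir)
        return first, second, third, page.read_bytes(), staged.exists()


if __name__ == "__main__":
    print(demo())
```

The event for the staged name is dropped by the suffix check alone, which is why the suffix must never match a protected type; a rule of "*" would defeat this check and needs separate handling.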
Based on the same inventive concept, the embodiment of the present invention further provides a file access control device based on a user mode, and as the principle of solving the problem of the device is similar to the file access control method in the embodiment of the present invention, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
As shown in Fig. 6, a file access control device based on a user mode according to an embodiment of the present invention includes: at least one processing unit 600 and at least one memory unit 601, wherein the memory unit 601 stores program code that, when executed by the processing unit 600, causes the processing unit 600 to perform the following:
if the file in the monitoring sequence is determined to be controlled to be accessed, generating an operation event corresponding to the file;
determining whether the operation event is allowed according to a file protection rule;
if the operation event is allowed, the file after access control is backed up in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
Optionally, if the file is a directory file, the processing unit 600 is further configured to:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
if the protected file type is determined to include the file type of the directory file, the directory file is restored from the backup area, and then the restored directory file is placed in the monitoring sequence again.
Optionally, the processing unit 600 is specifically configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
Optionally, the processing unit 600 is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
Optionally, the processing unit 600 is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
Optionally, the processing unit 600 is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, performing redundancy deduplication processing on the file.
Optionally, the processing unit 600 is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, determining the file as the file in the monitoring sequence according to the file protection rule.
Based on the same inventive concept, the embodiment of the present invention further provides a file access control device based on a user mode, and as the principle of the device for solving the problem is similar to the file tamper-proofing method in the embodiment of the present invention, the implementation of the device can refer to the implementation of the method, and repeated parts are not described again.
As shown in Fig. 7, a file access control device based on a user mode according to an embodiment of the present invention includes:
a generating module 700, configured to generate an operation event corresponding to an accessed file in a monitoring sequence when it is determined that the file is accessed and controlled;
a determining module 701, configured to determine whether the operation event is allowed according to a file protection rule;
a processing module 702, configured to backup the access-controlled file in a backup area if the operation event is allowed; and if the operation event is not allowed, restoring the file from the backup area.
Optionally, if the file is a directory file, the determining module 701 is further configured to:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
the processing module 702 is further configured to:
and if the protected file type is determined to include the file type of the directory file, restoring the directory file from the backup area, and then resetting the restored directory file in the monitoring sequence.
Optionally, the processing module 702 is further configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
Optionally, the processing module 702 is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
Optionally, the processing module 702 is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
Optionally, the processing module 702 is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, performing redundancy deduplication processing on redundancy events generated by the file.
Optionally, the processing module 702 is further configured to:
and before determining that the files in the monitoring sequence are controlled to be accessed, backing up the files corresponding to the protected file types to the backup area.
Further, an embodiment of the present invention also provides a computer-readable non-volatile storage medium, which includes program code, when the program code runs on a computing device, the program code is configured to enable the computing device to execute the steps of the file access control method according to the embodiment of the present invention.
The present application is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the application. It will be understood that one block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the subject application may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Furthermore, the present application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (16)

1. A file access control method based on user mode is characterized by comprising the following steps:
if the file in the monitoring sequence is determined to be controlled to be accessed, generating an operation event corresponding to the file;
determining whether the operation event is allowed according to a file protection rule;
if the operation event is allowed, the file after access control is backed up in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
2. The method of claim 1, wherein if the file is a directory file, the method further comprises:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
if the protected file type is determined to include the file type of the directory file, the directory file is restored from the backup area, and then the restored directory file is placed in the monitoring sequence again.
3. The method of claim 1, wherein the restoring the file from the backup area comprises:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
4. The method of claim 3, wherein the restoring the file from the backup area if the operational event is not allowed comprises:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
5. The method of claim 4, wherein deleting the file after the file is reassembled with the difference file, and taking the reassembled file as a recovered file comprises:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
6. The method of claim 1, wherein prior to determining that a file in the monitoring sequence is access controlled, further comprising:
and carrying out redundancy deduplication processing on the redundancy events generated by the file.
7. The method of any of claims 1 to 6, wherein before determining that a file in the monitoring sequence is access controlled, further comprising:
and determining the file as the file in the monitoring sequence according to the file protection rule.
8. A file access control device based on a user mode, the device comprising: at least one processing unit and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
if the file in the monitoring sequence is determined to be controlled to be accessed, generating an operation event corresponding to the file;
determining whether the operation event is allowed according to a file protection rule;
if the operation event is allowed, the file after access control is backed up in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
9. The device of claim 8, wherein if the file is a directory file, the processing unit is further configured to:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
if the protected file type is determined to include the file type of the directory file, the directory file is restored from the backup area, and then the restored directory file is placed in the monitoring sequence again.
10. The device of claim 8, wherein the processing unit is specifically configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
11. The device of claim 10, wherein the processing unit is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
12. The device of claim 11, wherein the processing unit is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
13. The device of claim 8, wherein the processing unit is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, performing redundancy deduplication processing on redundancy events generated by the file.
14. The apparatus of any of claims 8 to 13, wherein the processing unit is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, determining the file as the file in the monitoring sequence according to the file protection rule.
15. A file access control apparatus based on a user mode, the apparatus comprising:
the generating module is used for generating an operation event corresponding to a file when the file in the monitoring sequence is determined to be accessed and controlled;
the determining module is used for determining whether the operation event is allowed according to a file protection rule;
the processing module is used for backing up the file after the access control in the backup area if the operation event is allowed; and if the operation event is not allowed, restoring the file from the backup area.
16. A computer storage medium having a computer program stored thereon, the program, when executed by a processor, implementing the steps of the method according to any one of claims 1 to 7.
CN201910937153.1A 2019-09-29 2019-09-29 File access control method, equipment and device based on user mode Active CN110674530B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910937153.1A CN110674530B (en) 2019-09-29 2019-09-29 File access control method, equipment and device based on user mode

Publications (2)

Publication Number Publication Date
CN110674530A true CN110674530A (en) 2020-01-10
CN110674530B CN110674530B (en) 2021-06-18

Family

ID=69080439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910937153.1A Active CN110674530B (en) 2019-09-29 2019-09-29 File access control method, equipment and device based on user mode

Country Status (1)

Country Link
CN (1) CN110674530B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388033A (en) * 2008-11-05 2009-03-18 山东中创软件工程股份有限公司 File protection technology based on Windows system file altering event
CN103324885A (en) * 2013-06-19 2013-09-25 山东中创软件商用中间件股份有限公司 Method and system for protecting kernel-level file
CN106971120A (en) * 2017-03-24 2017-07-21 北京奇虎科技有限公司 A kind of method, device and computing device for realizing file protection
US20190104118A1 (en) * 2013-09-17 2019-04-04 Auburn University Space-time separated and jointly evolving relationship-based network access and data protection system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124680A (en) * 2021-09-24 2022-03-01 绿盟科技集团股份有限公司 File access control alarm log management method and device
CN114124680B (en) * 2021-09-24 2023-11-17 绿盟科技集团股份有限公司 File access control alarm log management method and device

Also Published As

Publication number Publication date
CN110674530B (en) 2021-06-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220401

Address after: 610015 China (Sichuan) pilot Free Trade Zone, Chengdu, Sichuan

Patentee after: Shenzhou Lvmeng Chengdu Technology Co.,Ltd.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS Technologies Group Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.
