Disclosure of Invention
The invention provides a user-mode file access control method, device and apparatus. They address a problem of prior-art file access control mechanisms that run in kernel mode: such a mechanism has to be rebuilt with a matching compiler for every kernel version it is deployed on.
In a first aspect, an embodiment of the present invention provides a file access control method based on a user mode, where the method includes:
if a file in the monitoring sequence is determined to be access-controlled, generating an operation event corresponding to the file; determining, according to a file protection rule, whether the operation event is allowed; if the operation event is allowed, backing up the access-controlled file in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
In this method, when a file in the monitoring sequence is determined to be access-controlled, whether the operation event corresponding to the file is allowed is determined according to the file protection rule; if the event is allowed, the access-controlled file is backed up in the backup area, and if it is not allowed, the file is restored from the backup area. Both the check of whether the access-controlled file belongs to a protected file type of the file protection rule and the restoration of the file are performed in user mode. A kernel-mode access control mechanism has to be built with a matching compiler for every kernel version it runs on, whereas the user-mode mechanism needs only one toolchain across kernel versions, which improves the compatibility of the system.
In a possible implementation manner, if the file is a directory file, the method further includes:
if the directory file is determined to be deleted, determining whether the protected file types of the file protection rule include the file type of the directory file;
if the file type of the directory file is among the protected file types (the check being made in user mode), restoring the directory file from the backup area and placing the restored directory file in the monitoring sequence again.
In this method, if the file is a directory file, it is determined whether the directory file has been deleted; if so, it is determined whether the protected file types include the file type of the directory file, and if they do, the directory file is restored from the backup area and placed in the monitoring sequence again. Because the whole directory was deleted, its restored copy is a new object that must be placed under monitoring again, that is, it must again be watched for tampering, so that the security of the files in it is maintained.
In one possible implementation manner, the restoring the file from the backup area includes:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and recombining the file with the difference file, deleting the file, and taking the recombined file as the restored file.
In this method, the backup file corresponding to the access-controlled file is first determined from the backup area; the access-controlled file is then compared with the backup file to obtain a difference file; the difference file is recombined with the access-controlled file, the access-controlled file is deleted, and the recombined file is taken as the restored file. Because only the difference is merged into the existing file, rather than the whole backup file being copied over it, less data has to be written and the restoration is faster.
In a possible implementation manner, the restoring the file from the backup area if the operation event is not allowed includes:
determining the file type of the file according to the suffix (extension) of the file name carried in the operation event;
and if the protected file types include the suffix of the file, restoring the file from the backup area.
In this method, the file type is determined from the suffix of the file name, and if it is determined in user mode that the protected file types include that suffix, the file is restored from the backup area. Using the suffix as the file type makes the file easy to identify. The suffix is only part of the name and says nothing about the content, so it identifies which files the rule covers rather than what they contain.
In a possible implementation manner, the deleting the file after the file is reassembled with the difference file, and taking the reassembled file as a recovered file includes:
recombining the file and the difference file to obtain a recombined file;
performing a hash operation on the file name of the file to obtain a hash value, and taking the hash value as the suffix of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
In this method, the hash value obtained from the file name is used as the suffix of the recombined file while it is being written. Because that suffix is not among the protected file types, the events generated by writing the recombined file are not treated as tampering, and the recombined file is not itself subjected to recovery processing. The original file is then deleted and the recombined file is given the original file name, becoming the restored file. Since the restoration is performed by the system itself, the restored file does not have to be monitored and processed again, which avoids repeated processing of the file and saves resources and time.
In a possible implementation manner, before determining that a file in the monitoring sequence is controlled by access, the method further includes:
and performing redundancy deduplication on the redundant events generated by the file.
In this method, before a file in the monitoring sequence is determined to be access-controlled, the redundant events generated by the file (for example, several identical events raised by one write to the file) are deduplicated, which saves resources and time.
In a possible implementation manner, before determining that a file in the monitoring sequence is controlled by access, the method further includes:
and determining, according to the file protection rule, that the file is a file in the monitoring sequence.
In this method, before a file in the monitoring sequence is determined to be access-controlled, the file is first determined to be a file in the monitoring sequence according to the file protection rule, so that only files in the monitoring sequence are backed up or restored and unnecessary system overhead is avoided.
In a second aspect, an embodiment of the present invention provides a file access control device based on a user mode, where the device includes: at least one processing unit and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
if the file in the monitoring sequence is determined to be controlled to be accessed, generating an operation event corresponding to the file; determining whether the operation event is allowed according to a file protection rule; if the operation event is allowed, the file after access control is backed up in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
In a possible implementation manner, if the file is a directory file, the processing unit is further configured to:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
if the file type of the directory file exists in the protected file types, restoring the directory file from the backup area, and then placing the restored directory file in the monitoring sequence again.
In a possible implementation manner, the processing unit is specifically configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
In a possible implementation manner, the processing unit is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
In a possible implementation manner, the processing unit is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
In one possible implementation, the processing unit is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, performing redundancy deduplication processing on redundancy events generated by the file.
In one possible implementation, the processing unit is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, determining the file as the file in the monitoring sequence according to the file protection rule.
In a third aspect, an embodiment of the present invention provides a file access control device based on a user mode, where the device includes:
the generating module is used for generating an operation event corresponding to a file when the file in the monitoring sequence is determined to be accessed and controlled;
the determining module is used for determining whether the operation event is allowed according to a file protection rule;
the processing module is used for backing up the file after the access control in the backup area if the operation event is allowed; and if the operation event is not allowed, restoring the file from the backup area.
In one possible implementation, if the file is a directory file:
the determining module is used for determining whether the protected file type of the file protection rule comprises the file type of the directory file if the directory file is determined to be deleted;
and the recovery module is used for restoring the directory file from the backup area and then placing the restored directory file in the monitoring sequence again if the protected file type is determined to comprise the file type of the directory file.
In one possible implementation, the processing module is further configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
In a possible implementation manner, the processing module is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
In a possible implementation manner, the processing module is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
In one possible implementation, the processing module is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, performing redundancy deduplication processing on redundancy events generated by the file.
In one possible implementation, the processing module is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, determining the file as the file in the monitoring sequence according to the file protection rule.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the method according to any one of the first aspect.
In addition, for technical effects brought by any one implementation manner of the second aspect to the fourth aspect, reference may be made to technical effects brought by different implementation manners of the first aspect, and details are not described here.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in Fig. 1, in the file system I/O path of the Linux operating system, a user-mode application that accesses the file system enters the kernel through a system call (the int 0x80 software interrupt on 32-bit x86), and the I/O system call on the target file system is carried out through the VFS mechanism. The VFS is the access entry of the file system in kernel mode and therefore provides the entry point at which file system access control is usually hooked.
As can be seen from Fig. 1, the application and the glibc library are in user mode, while the VFS mechanism, the generic block device layer, the device driver and the physical device are in kernel mode.
For a write, the request can be issued by the application directly to the VFS in kernel mode or through the glibc library; after the VFS has processed it, it passes through the generic block device layer and the device driver and is finally sent to the physical device for storage.
In this I/O path, an access-controlled file may be tampered with, for example deleted or modified, and when that happens the tampered file needs to be restored.
Furthermore, the file access control method in the user mode in the embodiment of the present invention mainly includes two parts, that is, a method for backing up an access-controlled file and a method for performing tamper-resistant recovery on the access-controlled file.
Specifically, when file access control is performed in the embodiment of the present invention, it may first be determined whether the access-controlled file is a file in the monitoring sequence, and if so, an operation event corresponding to the file is generated. Whether the operation event is allowed is then determined according to the file protection rules. If it is allowed, the event is a safe one: the file may be operated on, and the access-controlled file is backed up in the backup area to preserve its integrity and stability. If it is not allowed, the event is an unsafe one and the file is at risk of having been tampered with, so the file is restored from the backup area to guarantee its correctness.
Further, when tamper resistance is performed by the user-mode access control method of the embodiment, it is first determined whether a file in the monitoring sequence has been tampered with; if so, it is determined whether the protected file types of the file protection rule include the file type of the tampered file, and if they do, the tampered file is restored from the backup area.
The application scenario described in the embodiment of the present invention is for more clearly illustrating the technical solution of the embodiment of the present invention, and does not form a limitation on the technical solution provided in the embodiment of the present invention, and it can be known by a person skilled in the art that with the occurrence of a new application scenario, the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems.
For the application scenario, the present application provides a file access control method, as shown in fig. 2, the method includes the following steps:
S200, if a file in the monitoring sequence is determined to be access-controlled, generating an operation event corresponding to the file;
S201, determining, according to a file protection rule, whether the operation event is allowed;
S202, if the operation event is allowed, backing up the access-controlled file in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
In the embodiment of the invention, when a file in the monitoring sequence is determined to be access-controlled, whether the operation event corresponding to the file is allowed is determined according to the file protection rule; if the event is allowed, the access-controlled file is backed up in the backup area, and if it is not allowed, the file is restored from the backup area. Both the check of whether the access-controlled file belongs to a protected file type and the restoration of the file are performed in user mode, so no separate compiler has to be configured for each kernel version as a kernel-mode mechanism would require; one toolchain serves all kernel versions, which improves the compatibility of the system.
In implementation, whether a file in the monitoring sequence has been tampered with can be determined with the existing inotify mechanism of the Linux kernel. inotify reports operations on watched files and directories to user mode; when a watched file is modified or deleted, the event triggers a monitoring event management thread in user mode, which then determines whether the file type of the tampered file is included in the protected file types of the file protection rule. Note that inotify delivers the event after the operation has completed and cannot block it, so this mechanism reverts tampering rather than preventing it, and the file remains in its tampered state until the restoration has run.
Before determining in user mode whether the protected file types of the file protection rule include the file type of the file, it is first determined that the file protection rule is in effect. Only then is it determined in user mode whether the protected file types of the rule include the file type of the tampered file.
The file protection rules can be configured by the user, and in the user-mode file tamper-proofing method of the embodiment they can be updated: rules can be added, deleted and modified. The three operations are described separately below.
Fig. 3 is a schematic flow chart of a method for adding a new file protection rule according to an embodiment of the present invention.
S300, traversing the file protection rule list;
S301, judging whether the traversal of the file protection rule list is finished; if so, executing S305, otherwise executing S302;
S302, acquiring the rule ID field of the file protection rule to be added;
S303, judging whether the rule ID field of the file protection rule currently traversed is the same as the rule ID field of the file protection rule to be added; if so, executing S304, otherwise returning to S301;
S304, determining that the file protection rule to be added already exists;
S305, adding the new file protection rule to the file protection rule linked list;
S306, judging whether the newly added file protection rule is in the effective state; if so, executing S307, otherwise ending;
S307, creating a backup task in the task list;
and S308, waking up the backup task processing thread.
Fig. 4 is a schematic flow chart of a method for deleting a file protection rule according to an embodiment of the present invention.
S400, traversing the file protection rule list;
S401, judging whether the traversal of the file protection rule list is finished; if so, ending, otherwise executing S402;
S402, judging whether the rule ID field of the file protection rule currently traversed is the same as the rule ID field of the file protection rule to be deleted; if so, executing S403, otherwise returning to S400;
S403, deleting the file protection rule to be deleted from the file protection rule list;
S404, judging whether the deleted file protection rule was in the effective state; if so, executing S405, otherwise ending;
and S405, deleting the backup task and the monitoring information corresponding to the deleted file protection rule.
Fig. 5 is a schematic flow chart of a method for modifying a file protection rule according to an embodiment of the present invention.
S500, traversing the file protection rule list;
S501, judging whether the traversal of the file protection rule list is finished; if so, ending, otherwise executing S502;
S502, judging whether the fields (for example, the protected directory) of the file protection rule currently traversed have changed; if so, executing S503, otherwise ending;
S503, modifying the corresponding protection rule with the changed fields;
S504, judging whether the modified file protection rule is in the effective state; if so, executing S505, otherwise ending;
S505, deleting the backup task and the monitoring information corresponding to the protection rule before modification;
S506, adding a backup task for the modified rule to the task queue;
and S507, waking up the backup task processing thread.
The above is a description of the updating of file protection rules.
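The three flows of Figs. 3 to 5, as an added example in Python that is not the patent's code or any product's code. It keeps the rule list, the backup task queue and the wake-up of the backup thread in memory; the field names (rule_id, directory, types, enabled), the task queue holding rule IDs and the wake counter are assumptions made for the example, and rule_for shows how a monitored path is matched to the enabled rule that covers it.

```python
"""Added example (not the patent's code): in-memory model of the file
protection rule list and the add / delete / modify flows of Figs. 3-5.
Field names, the task queue and the wake counter are assumptions."""
from dataclasses import dataclass


@dataclass
class ProtectionRule:
    rule_id: str          # the rule ID field compared in S303 / S402
    directory: str        # directory the rule protects
    types: frozenset      # protected suffixes; "*" protects every type
    enabled: bool = True  # the "effective state" tested in S306 / S404 / S504


class RuleList:
    """Rule list together with the backup task queue it drives."""

    def __init__(self):
        self.rules = []         # the linked list of S305, in insertion order
        self.backup_tasks = []  # task list of S307 / S405 / S506 (rule IDs)
        self.wakeups = 0        # wake-ups of the backup thread (S308 / S507)

    def _find(self, rule_id):
        # S300-S303 / S400-S402: traverse and stop at the first matching ID
        for rule in self.rules:
            if rule.rule_id == rule_id:
                return rule
        return None

    def _drop_task(self, rule_id):
        # S405 / S505: remove the backup task (and monitoring) of a rule
        self.backup_tasks = [t for t in self.backup_tasks if t != rule_id]

    def _queue_task(self, rule_id):
        # S307-S308 / S506-S507: queue a backup task and wake the worker
        self.backup_tasks.append(rule_id)
        self.wakeups += 1

    def add(self, rule):
        """Fig. 3: reject duplicate IDs, append, and back up if enabled."""
        if self._find(rule.rule_id) is not None:
            return False                      # S304: rule already exists
        self.rules.append(rule)               # S305
        if rule.enabled:                      # S306
            self._queue_task(rule.rule_id)
        return True

    def delete(self, rule_id):
        """Fig. 4: remove the rule and, if it was enabled, its backup task."""
        rule = self._find(rule_id)
        if rule is None:
            return False                      # S401: traversal ended, no such rule
        self.rules.remove(rule)               # S403
        if rule.enabled:                      # S404
            self._drop_task(rule_id)          # S405
        return True

    def modify(self, rule_id, **changes):
        """Fig. 5: apply changed fields; an enabled rule gets a fresh backup."""
        rule = self._find(rule_id)
        if rule is None or not changes:
            return False                      # S501 / S502: nothing to modify
        for name, value in changes.items():   # S503
            setattr(rule, name, value)
        if not rule.enabled:                  # S504
            return True
        self._drop_task(rule_id)              # S505: task of the old version
        self._queue_task(rule_id)             # S506 / S507
        return True

    def rule_for(self, path):
        """Enabled rule whose directory contains path (longest prefix wins)."""
        best = None
        for rule in self.rules:
            if rule.enabled and path.startswith(rule.directory.rstrip("/") + "/"):
                if best is None or len(rule.directory) > len(best.directory):
                    best = rule
        return best
```

A real implementation would hand the queued rule IDs to the backup thread, which copies the files of the rule's protected types into the backup area and registers the inotify watch for the rule's directory; disabling a rule through modify leaves its old task in place, as Fig. 5 ends without S505 in that case.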
It should further be noted that, before it is determined that an accessed file in the monitoring sequence has been tampered with, the files of the protected file types are backed up to the backup area specified by the user once the file protection rule has taken effect. The backup area designated by the user may be a local or a remote backup area; which backup mode is used can be decided according to actual needs and is not limited by the present invention.
For example, the user may select the backup mode, or the system may apply a default backup mode.
In implementation, before determining in user mode whether the protected file types of the file protection rule include the file type of the file, the redundant events generated by the file are deduplicated in user mode in order to save resources and time.
The file protection rule in user mode includes the protected file types. For example, if the protected file type is set to "*", files of all types are protected; specific types such as PDF or txt may also be listed. A protection rule may protect files of one file type or of several file types.
If the protected file types include the file type of the tampered file, the file is restored from the backup area.
In the embodiment of the present invention, the file may be a directory file. If a directory file in the monitoring sequence is determined to have been deleted, it is determined whether the protected file types of the file protection rule include the file type of the directory file; if they do, the directory file is restored from the backup area and then placed in the monitoring sequence again, so that monitoring of the directory continues.
In implementation, the file is restored from the backup area as follows: the backup file corresponding to the file is determined from the backup area, the file is compared with the backup file to obtain a difference file, the file is recombined with the difference file, the file is deleted, and the recombined file is taken as the restored file.
For example, when it is determined that file A has been tampered with and the protected file types include the file type of A, A is restored from the backup area. The backup area already holds the untampered copy A' of A. The backup file A' corresponding to A is first located, A is compared with A' to obtain a difference file B, A is recombined with B, A is deleted, and the file obtained by recombining A and B is taken as the restored file.
In implementation, the file type may be determined from the suffix of the file name, and the file is restored from the backup area if that suffix is included in the protected file types.
The manner of restoring the file from the backup area is the same as described above and is not repeated here.
While the recombined file is being produced, a hash operation is performed on the file name of the file and the resulting hash value is used as the suffix of the recombined file. Because that suffix is not included in the protected file types (the hash value is not a protected type), the recombined file is not subjected to recovery processing. The original file is then deleted, the file name of the original file is given to the recombined file, and the recombined file is taken as the restored file.
For example, if the file name of the tampered file is A, a hash operation on A yields a hash value B, which is used as the suffix of the recombined file; since the protected file types do not include B, the recombined file is not subjected to recovery processing.
The writes performed during recovery also appear as tampering events, but the recombined file must not itself be recovered; the suffix of the recombined file is therefore chosen so that it is not among the protected file types, and no recovery processing is performed on it.
It should be noted that the protected file types are usually common types such as ".pdf" or ".txt", and the probability that the hash of a file name coincides with a protected type is extremely small; if it does coincide, the hash value is recomputed. The hash value can therefore be used as the suffix, that is, as the file type, of the recombined file. When the protected file type is "*", every suffix is protected, so the recombined file must then be excluded from recovery by other means, for example by the system keeping track of the temporary names it is itself writing.
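The event handling described above, from event deduplication through the suffix check to the difference-based restore with a hash-suffixed temporary name, as an added Python example that is not the patent's code. The (path, mask) event tuples are constructed here in the shape inotify would report them, the 4 KiB chunk granularity of the "difference file", SHA-256 as the hash and a flat backup directory are assumptions; demo() builds a throwaway directory tree, tampers with two protected files and runs the batch through the pipeline.

```python
"""Added example, not the patent's code: a user-mode event pipeline that
deduplicates redundant events, checks a file's suffix against the protected
types, and restores a tampered file by diffing it against its backup,
recombining the difference into a temp file named with a hash suffix, and
renaming that file over the original.  Event shape, chunk size, SHA-256 and
the flat backup directory are assumptions; real events would come from inotify."""
import hashlib
import os
import tempfile

CHUNK = 4096  # assumed granularity of the difference file
TAMPER_MASKS = {"IN_MODIFY", "IN_DELETE", "IN_MOVED_FROM", "IN_ATTRIB"}

def dedup_events(events):
    """Drop repeated (path, mask) pairs, keeping first-seen order."""
    seen, kept = set(), []
    for event in events:
        if event not in seen:
            seen.add(event)
            kept.append(event)
    return kept

def is_protected(path, protected_types):
    """Suffix-based type check of the rule; "*" protects every suffix."""
    if "*" in protected_types:
        return True
    return os.path.splitext(path)[1].lower() in {t.lower() for t in protected_types}

def recombined_name(path, protected_types):
    """Temp name whose suffix is a hash of the file name; the hash is
    recomputed with a salt if it collides with a protected type."""
    directory, name = os.path.split(path)
    for salt in range(16):
        digest = hashlib.sha256(f"{name}:{salt}".encode()).hexdigest()[:16]
        if "." + digest not in protected_types:
            return os.path.join(directory, f"{name}.{digest}")
    raise RuntimeError("no usable suffix for " + name)

def _read(path):
    if not os.path.exists(path):  # deleted outright: treat as empty
        return b""
    with open(path, "rb") as f:
        return f.read()

def difference(path, backup_path):
    """Chunks in which the (possibly tampered) file differs from its backup."""
    current, backup = _read(path), _read(backup_path)
    diff = []
    for idx in range((max(len(current), len(backup)) + CHUNK - 1) // CHUNK):
        lo, hi = idx * CHUNK, (idx + 1) * CHUNK
        if current[lo:hi] != backup[lo:hi]:
            diff.append((idx, backup[lo:hi]))
    return diff, len(backup)

def restore(path, backup_path, protected_types):
    """Recombine file + difference in a temp file, then take over the name.
    Returns the number of chunks that had to be patched."""
    diff, size = difference(path, backup_path)
    tmp = recombined_name(path, protected_types)
    with open(tmp, "wb") as out:
        out.write(_read(path))      # start from the current contents ...
        for idx, chunk in diff:     # ... patch only the differing chunks ...
            out.seek(idx * CHUNK)
            out.write(chunk)
        out.truncate(size)          # ... and drop anything appended
    os.replace(tmp, path)           # delete the original, keep its name
    return len(diff)

def handle_events(events, backup_dir, protected_types):
    """Process one batch of events; returns the paths that were restored."""
    restored = []
    for path, mask in dedup_events(events):
        # unprotected suffixes, including our own hash-suffixed temp files
        # unless the rule is "*", are ignored here
        if mask not in TAMPER_MASKS or not is_protected(path, protected_types):
            continue
        backup = os.path.join(backup_dir, os.path.basename(path))
        if os.path.exists(backup):
            restore(path, backup, protected_types)
            restored.append(path)
    return restored

def demo():
    """Constructed scenario: one protected file modified and extended, one
    deleted, plus an event for an unprotected file.  Returns the restored
    names and whether the restored contents match the backup again."""
    root = tempfile.mkdtemp()
    work, backup_dir = os.path.join(root, "docs"), os.path.join(root, "backup")
    for folder in (work, backup_dir):
        os.makedirs(folder)
    original = b"quarterly report line\n" * 800  # spans several chunks
    for name in ("report.pdf", "notes.txt", "cache.tmp"):
        for folder in (work, backup_dir):
            with open(os.path.join(folder, name), "wb") as f:
                f.write(original)
    report = os.path.join(work, "report.pdf")
    with open(report, "r+b") as f:
        f.seek(5000)
        f.write(b"TAMPERED")
        f.seek(0, os.SEEK_END)
        f.write(b"appended junk\n" * 50)
    os.remove(os.path.join(work, "notes.txt"))
    events = [(report, "IN_MODIFY"), (report, "IN_MODIFY"),  # redundant pair
              (os.path.join(work, "notes.txt"), "IN_DELETE"),
              (os.path.join(work, "cache.tmp"), "IN_MODIFY")]
    restored = handle_events(events, backup_dir, {".pdf", ".txt"})
    intact = all(_read(os.path.join(work, n)) == original
                 for n in ("report.pdf", "notes.txt"))
    return sorted(os.path.basename(p) for p in restored), intact
```

Two points to keep in mind when turning this into a service: the events from inotify arrive after the write or unlink has already happened, so the restore is a rollback with a window during which the tampered content is visible; and once a watched directory itself is deleted and restored, the watch has to be registered again, which is what placing the restored directory back in the monitoring sequence means.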
Based on the same inventive concept, the embodiment of the present invention further provides a file access control device based on a user mode, and as the principle of solving the problem of the device is similar to the file access control method in the embodiment of the present invention, the implementation of the device may refer to the implementation of the method, and repeated parts are not described again.
As shown in fig. 6, a file access control device based on a user mode according to an embodiment of the present invention includes: at least one processing unit 600 and at least one memory unit 601, wherein the memory unit 601 stores program code that, when executed by the processing unit 600, causes the processing unit 600 to perform the following:
if the file in the monitoring sequence is determined to be controlled to be accessed, generating an operation event corresponding to the file;
determining whether the operation event is allowed according to a file protection rule;
if the operation event is allowed, the file after access control is backed up in a backup area; and if the operation event is not allowed, restoring the file from the backup area.
Optionally, if the file is a directory file, the processing unit 600 is further configured to:
if the directory file is determined to be deleted, determining whether the protected file type of the file protection rule comprises the file type of the directory file;
if the protected file type is determined to include the file type of the directory file, the directory file is restored from the backup area, and then the restored directory file is placed in the monitoring sequence again.
Optionally, the processing unit 600 is specifically configured to:
determining a backup file corresponding to the file from the backup area;
comparing the file with the backup file to obtain a difference file;
and after the file and the difference file are recombined, deleting the file, and taking the recombined file as a recovered file.
Optionally, the processing unit 600 is specifically configured to:
determining the file type of the file according to the suffix name of the file carried in the operation event;
and if the protected file type is determined to comprise the suffix name of the file, recovering the file from the backup area.
Optionally, the processing unit 600 is specifically configured to:
recombining the file and the difference file to obtain a recombined file;
after carrying out Hash operation on the file name of the file to obtain a Hash value, taking the Hash value as a suffix name of the recombined file;
deleting the file, and taking the file name of the file as the file name of the recombined file;
and taking the recombined file as the restored file.
Optionally, the processing unit 600 is further configured to:
and before determining that the file in the monitoring sequence is access-controlled, performing redundancy deduplication on the redundant events generated by the file.
Optionally, the processing unit 600 is further configured to:
and before determining that the file in the monitoring sequence is controlled by access, determining the file as the file in the monitoring sequence according to the file protection rule.
Based on the same inventive concept, the embodiment of the present invention further provides a file access control device based on a user mode, and as the principle of the device for solving the problem is similar to the file tamper-proofing method in the embodiment of the present invention, the implementation of the device can refer to the implementation of the method, and repeated parts are not described again.
As shown in fig. 7, a file access control device based on a user mode according to an embodiment of the present invention includes:
a generating module 700, configured to generate an operation event corresponding to an accessed file in a monitoring sequence when it is determined that the file is access-controlled;
a determining module 701, configured to determine whether the operation event is allowed according to a file protection rule;
a processing module 702, configured to back up the access-controlled file in a backup area if the operation event is allowed, and to restore the file from the backup area if the operation event is not allowed.
Optionally, if the file is a directory file, the determining module 701 is further configured to:
if the directory file is determined to be deleted, determine whether the protected file type of the file protection rule includes the file type of the directory file;
and the processing module 702 is further configured to:
if the protected file type is determined to include the file type of the directory file, restore the directory file from the backup area, and then place the restored directory file in the monitoring sequence again.
Optionally, the processing module 702 is further configured to:
determine a backup file corresponding to the file from the backup area;
compare the file with the backup file to obtain a difference file;
and, after recombining the file and the difference file, delete the file and take the recombined file as the recovered file.
Optionally, the processing module 702 is specifically configured to:
determine the file type of the file according to the suffix name of the file carried in the operation event;
and, if the protected file type is determined to include the suffix name of the file, recover the file from the backup area.
Optionally, the processing module 702 is specifically configured to:
recombine the file and the difference file to obtain a recombined file;
perform a hash operation on the file name of the file to obtain a hash value, and take the hash value as the suffix name of the recombined file;
delete the file, and take the file name of the file as the file name of the recombined file;
and take the recombined file as the restored file.
Optionally, the processing module 702 is further configured to:
perform redundancy deduplication processing on redundant events generated by the file before determining that the file in the monitoring sequence is access-controlled.
Optionally, the processing module 702 is further configured to:
back up the files corresponding to the protected file types to the backup area before determining that the files in the monitoring sequence are access-controlled.
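The following is an added illustration of the user-mode flow described for the processing unit 600 and the processing module 702 above; it is example code written for this page, not an implementation from the patent or from any product. It assumes a rule keyed on file suffix, a backup area that names backups by a hash of the full path, a difference computed with difflib opcodes, and a recombined file first written under a hash-derived suffix and then renamed over the deleted original; the file contents and event sequence in demo() are constructed.

```python
import difflib
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class OperationEvent:
    """One access event on a monitored path (hypothetical event shape)."""
    path: str
    op: str  # "read", "write" or "delete"


@dataclass
class FileProtectionRule:
    protected_suffixes: set  # protected file types, e.g. {".conf"} (assumed rule form)
    allowed_ops: set         # operations the rule permits on protected files

    def protects(self, path):
        return os.path.splitext(path)[1] in self.protected_suffixes

    def allows(self, event):
        return event.op in self.allowed_ops


def dedupe_events(events):
    """Redundancy deduplication: drop repeated identical events, keeping first-seen order."""
    seen, out = set(), []
    for ev in events:
        if ev not in seen:
            seen.add(ev)
            out.append(ev)
    return out


class UserModeFileGuard:
    """User-mode access control: back up protected files, restore after a disallowed event."""

    def __init__(self, backup_dir, rule):
        self.backup_dir = backup_dir
        self.rule = rule
        self.monitoring = set()
        os.makedirs(backup_dir, exist_ok=True)

    def _backup_path(self, path):
        # Backup named by a hash of the full path so files in different dirs cannot collide.
        return os.path.join(self.backup_dir, hashlib.sha256(path.encode()).hexdigest())

    def add_to_monitoring(self, path):
        """Select the file by the protection rule and back it up before any event is handled."""
        if not self.rule.protects(path):
            return False
        shutil.copyfile(path, self._backup_path(path))
        self.monitoring.add(path)
        return True

    def handle_event(self, event):
        if event.path not in self.monitoring:
            return "unmonitored"
        if self.rule.allows(event):
            if os.path.exists(event.path):
                shutil.copyfile(event.path, self._backup_path(event.path))  # refresh backup
            return "allowed"
        self._restore(event.path)
        return "restored"

    def _restore(self, path):
        backup = self._backup_path(path)
        with open(backup, "rb") as f:
            original = f.read()
        if not os.path.exists(path):  # deleted file: recover straight from the backup area
            shutil.copyfile(backup, path)
            self.monitoring.add(path)  # place the restored file in the monitoring sequence again
            return original
        with open(path, "rb") as f:
            current = f.read()
        # Difference file: opcodes that turn the current (tampered) bytes back into the backup.
        difference = difflib.SequenceMatcher(None, current, original, autojunk=False).get_opcodes()
        recombined = bytearray()
        for tag, i1, i2, j1, j2 in difference:
            recombined += current[i1:i2] if tag == "equal" else original[j1:j2]
        # Write the recombined file under a hash-derived suffix, delete the original, then
        # give the recombined file the original file name.
        name = os.path.basename(path)
        suffix = hashlib.sha256(name.encode()).hexdigest()[:16]
        tmp = os.path.join(os.path.dirname(path), f"{name}.{suffix}")
        with open(tmp, "wb") as f:
            f.write(recombined)
        os.remove(path)
        os.replace(tmp, path)
        return bytes(recombined)


def demo():
    """Constructed scenario: a protected config file is overwritten, then deleted."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "app.conf")
    with open(target, "wb") as f:
        f.write(b"port=8443\ntls=on\n")
    rule = FileProtectionRule(protected_suffixes={".conf"}, allowed_ops={"read"})
    guard = UserModeFileGuard(os.path.join(root, "backup"), rule)
    monitored = guard.add_to_monitoring(target)
    unprotected = guard.add_to_monitoring(os.path.join(root, "notes.txt"))
    with open(target, "wb") as f:  # disallowed write
        f.write(b"port=8443\ntls=off\n")
    events = dedupe_events([OperationEvent(target, "write"), OperationEvent(target, "write")])
    outcomes = [guard.handle_event(ev) for ev in events]
    with open(target, "rb") as f:
        after_write = f.read()
    os.remove(target)  # disallowed delete
    outcomes.append(guard.handle_event(OperationEvent(target, "delete")))
    with open(target, "rb") as f:
        after_delete = f.read()
    shutil.rmtree(root)
    return {"monitored": monitored, "unprotected": unprotected, "events": len(events),
            "outcomes": outcomes, "after_write": after_write, "after_delete": after_delete}
```

Because the restore is driven by an event the process observes rather than by a kernel hook, the guard only needs a user-space toolchain; the difference step is what lets the same recombination path serve both a modified file and a replaced one, and the deleted-file branch puts the restored path back into the monitoring set as the directory case above requires.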
Further, an embodiment of the present invention also provides a computer-readable non-volatile storage medium that includes program code which, when run on a computing device, causes the computing device to execute the steps of the file access control method according to the embodiment of the present invention.
The present application is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the application. It will be understood that one block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the subject application may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Furthermore, the present application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.