CN113239390B - Program access authority control method and device, computing device and storage medium - Google Patents

Program access authority control method and device, computing device and storage medium Download PDF

Info

Publication number
CN113239390B
CN113239390B CN202110787396.9A CN202110787396A CN113239390B CN 113239390 B CN113239390 B CN 113239390B CN 202110787396 A CN202110787396 A CN 202110787396A CN 113239390 B CN113239390 B CN 113239390B
Authority
CN
China
Prior art keywords
module
file system
program
result
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110787396.9A
Other languages
Chinese (zh)
Other versions
CN113239390A (en
Inventor
张丁元
张继德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Uniontech Software Technology Co Ltd
Original Assignee
Uniontech Software Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Uniontech Software Technology Co Ltd filed Critical Uniontech Software Technology Co Ltd
Priority to CN202110787396.9A priority Critical patent/CN113239390B/en
Priority to CN202111199637.4A priority patent/CN113886853A/en
Publication of CN113239390A publication Critical patent/CN113239390A/en
Application granted granted Critical
Publication of CN113239390B publication Critical patent/CN113239390B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a program access right control method, a device, a computing device and a storage medium, wherein the program access right control method is executed in the computing device, and the method comprises the following steps: receiving a first access request sent by a program, wherein the first access request at least comprises an identification parameter of the program; forwarding, by the first module, the first access request from the first file system to the second module; sending, by the second module, the first access request to an entitlement control module residing in the user space; the authority control module generates a result indicating the access authority of the program according to the identification parameter, and the second module forwards the result to the first file system through the first module; the first file system forwards the result to the program so that the program executes the corresponding flow based on the result.

Description

Program access authority control method and device, computing device and storage medium
Technical Field
The invention relates to the field of internet, in particular to a program access right control method, a program access right control device, a computing device and a storage medium.
Background
For the requirements of permission isolation and security management, a program usually needs to isolate permission to operate when accessing a system file, that is, only a target file which is authorized to be accessed by the program itself can be accessed, for example, UWP of Windows, data-string api of Android, application isolation of iOS, access control based on permission and an access control list of a Linux system, and the like.
The access control based on the authority and the access control list provided by the Linux system can only prevent the program from illegally accessing data, and cannot strictly prevent the program from collecting related information. In particular, the home directory of the user basically has no limitation on the process of the user, any program can access and acquire the content of the user directory, and in order to realize the access control function, the kernel space of the Linux system needs to be developed, and the kernel mode development has the biggest problem that the related content is more, and the debugging is not convenient, so that many functional applications are not willing to relate to the development of the kernel space.
Disclosure of Invention
In view of the above, the present invention has been made to provide a program access right control method, apparatus, computing device and storage medium that overcome or at least partially solve the above problems.
According to an aspect of the present invention, there is provided a program access right control method, executed in a computing device, the computing device including a first file system and a second file system, the second file system including at least a first module and a second module, the first file system residing in a kernel space of an operating system, the first module residing in the kernel space of the operating system, and the second module residing in a user space of the first operating system, the method including: receiving a first access request sent by a program, wherein the first access request at least comprises an identification parameter of the program; forwarding, by the first module, the first access request from the first file system to the second module; sending, by the second module, the first access request to an entitlement control module residing in the user space; the authority control module generates a result indicating the access authority of the program according to the identification parameter, and the second module forwards the result to the first file system through the first module; the first file system forwards the result to the program so that the program executes the corresponding flow based on the result.
Optionally, in the method for controlling access right to a program according to the present invention, the step of forwarding, by the first module, the first access request from the first file system to the second module includes: connecting a calling interface of the first file system with a first module; and connecting the calling interfaces of the first module and the second module.
Optionally, in the method for controlling access rights to a program according to the present invention, the step of generating, by the rights control module, a result indicating the access rights to the program according to the identifier parameter, and forwarding, by the second module, the result to the first file system through the first module includes: judging whether the program corresponding to the identification parameter has the authority of accessing the target file; if yes, generating a first result; if not, a second result is generated.
Optionally, in the method for controlling access rights to a program according to the present invention, after the step of generating the second result if the program is not provided, the method further includes the steps of: and prompting the user whether to authorize the program.
Optionally, in the method for controlling access to a program according to the present invention, before the step of receiving a first access request sent by the program, where the first access request includes at least an identification parameter of the program, the method further includes the steps of: and dynamically generating the authority control module based on the second file system.
Optionally, in the method for controlling program access permission according to the present invention, the step of dynamically generating the permission control module based on the second file system includes: encapsulating the functional function residing in the second module; rewriting the function of the second module based on the packaged function; and generating an authority control module according to the rewritten function and the preset function requirement.
Optionally, in the method for controlling program access permissions according to the present invention, the first file system is a VFS, the second file system is a FUSE, the first module is a FUSE kernel module, and the second module is a libFUSE.
According to still another aspect of the present invention, there is provided a program access right control apparatus including: the first file system is suitable for receiving a first access request sent by the program and forwarding the result of the access right to the program, wherein the first access request at least comprises an identification parameter of the program; the second file system comprises a first module and a second module, the first module is suitable for forwarding the first access request from the first file system to the second module and forwarding the result of the access right to the first file system; the second module is suitable for sending the first access request to the authority control module residing in the user space and forwarding the result of the access authority to the first module; the authority control module is suitable for generating a result indicating the access authority of the program according to the identification parameters; the first file system and the first module are arranged in a kernel space of the operating system, and the second module and the authority control module are arranged in a user space of the operating system.
According to yet another aspect of the invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the above-described method.
According to yet another aspect of the present invention, there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to perform the above-described method.
According to the scheme of the invention, the problem that the file system needs to be in the kernel space is solved through the second file system residing in the user space, the realization of the file system is moved from the kernel mode to the user mode, the access of the kernel space is all forwarded to the user space, and the problem of developing the authority control module in the kernel space is solved.
According to the scheme of the invention, the program development is completed in the user space, the user space development program is more convenient than the kernel space, and a modularized or plug-in development mode can be conveniently used. By providing the function of loading the plug-in, calling in the form of middleware can conveniently expand different functions through the plug-in.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 shows a schematic diagram of a computing device 100, according to one embodiment of the invention;
FIG. 2 illustrates a flow diagram of a method 200 of program access permission control according to one embodiment of the invention;
fig. 3 shows a block diagram of a program access right control apparatus 300 according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Currently, under the circumstances of vigorous demonstration and popularization of autonomous controllable application, security of file application based on a Linux operating system environment is more and more emphasized and also more and more widely paid attention to, and security, usability and usability of the file application are particularly important.
In the Linux operating system environment, the secure application management of the file includes encryption protection and identification security level of the file, and a common method in the market is to configure access control based on authority and an access control list in the Linux system, but such operation can only prevent a program from illegally accessing data, and cannot strictly prevent the program from collecting related information. In particular, the home directory of the user basically has no limitation on the process of the user, and any program can access and acquire the content of the user directory.
However, the File System (virtual File System VFS) of Linux is developed in kernel space, and the greatest problem of kernel space development is that the contents involved are many and debugging is not convenient. Therefore, many application functions are not willing to involve the development of kernel space, so that there is no better method for controlling program access rights.
It is easy to understand that the VFS is used to read and write different file systems on different physical media by using standard Unix system calls, i.e. a uniform operation interface and application programming interface are provided for each file system. The VFS is a bond layer that allows system calls such as open (), read (), write (), and the like to operate without regard to the underlying storage medium and file system type.
In order to solve the problems in the prior art, the invention provides a scheme. One embodiment of the invention provides a program access right control method, which can be executed in a computing device. FIG. 1 shows a block diagram of a computing device 100, according to one embodiment of the invention. As shown in FIG. 1, in a basic configuration 102, a computing device 100 typically includes a system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.
Depending on the desired configuration, the processor 104 may be any type of processing, including but not limited to: a microprocessor (μ P), a microcontroller (μ C), a digital information processor (DSP), or any combination thereof. The processor 104 may include one or more levels of cache, such as a level one cache 110 and a level two cache 112, a processor core 114, and registers 116. The example processor core 114 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 118 may be used with the processor 104, or in some implementations the memory controller 118 may be an internal part of the processor 104.
Depending on the desired configuration, system memory 106 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. The physical memory in the computing device is usually referred to as a volatile memory RAM, and data in the disk needs to be loaded into the physical memory to be read by the processor 104. System memory 106 may include an operating system 120, one or more applications 122, and program data 124. The application 122 is actually a plurality of program instructions that direct the processor 104 to perform corresponding operations. In some embodiments, the application 122 may be arranged to execute instructions on an operating system with the program data 124 by the one or more processors 104 in some embodiments. Operating system 120 may be, for example, Linux, Windows, etc., which includes program instructions for handling basic system services and performing hardware dependent tasks. The application 122 includes program instructions for implementing various user-desired functions, and the application 122 may be, for example, but not limited to, a browser, instant messenger, a software development tool (e.g., an integrated development environment IDE, a compiler, etc.), and the like. When the application 122 is installed into the computing device 100, a driver module may be added to the operating system 120.
When the computing device 100 is started, the processor 104 reads program instructions of the operating system 120 from the memory 106 and executes them. The application 122 runs on top of the operating system 120, utilizing the operating system 120 and interfaces provided by the underlying hardware to implement various user-desired functions. When the user starts the application 122, the application 122 is loaded into the memory 106, and the processor 104 reads the program instructions of the application 122 from the memory 106 and executes the program instructions.
The computing device 100 also includes a storage device 132, the storage device 132 including removable storage 136 and non-removable storage 138, the removable storage 136 and the non-removable storage 138 each connected to the storage interface bus 134.
Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to the basic configuration 102 via the bus/interface controller 130. The example output device 142 includes a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more a/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 158. An example communication device 146 may include a network controller 160, which may be arranged to facilitate communications with one or more other computing devices 162 over a network communication link via one or more communication ports 164.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media.
The computing device 100 also includes a storage interface bus 134 coupled to the bus/interface controller 130. The storage interface bus 134 is coupled to the storage device 132, and the storage device 132 is adapted to store data. An example storage device 132 may include removable storage 136 (e.g., CD, DVD, usb disk, removable hard disk, etc.) and non-removable storage 138 (e.g., hard disk drive HDD, etc.).
In the computing device 100 according to the invention, the application 122 comprises a plurality of program instructions that perform the method 200.
Fig. 2 shows a flow diagram of a program access right control method 200 according to one embodiment of the invention. The method 200 is suitable for execution in a computing device, such as the computing device 100 described above.
As shown in fig. 2, the method 200 is to implement a program access right control method, starting from step S202, in step S202, a first access request sent by a program is received, where the first access request at least includes an identification parameter of the program.
It should be noted that, in the computing device that can execute the program access right control method of this embodiment, a first operating system is configured, where the first operating system includes a first file system and a second file system, the second file system includes at least a first module and a second module, the first file system resides in a kernel space of the operating system, the first module resides in the kernel space of the operating system, and the second module resides in a user space of the first operating system. The first operating system is a Linux operating system, the first file system is a VFS, and the second file system is a FUSE. Wherein, fuse (filesystem in user space) is a file system of a user space. The FUSE is composed of a FUSE kernel module (ko) and a libfuse of a dynamic link library of a user space, and a developer can realize a file system only by realizing specific file operation according to an interface provided by the FUSE through the support of the FUSE kernel module. This provides a number of benefits to developers since it mainly implements code in user space without requiring recompilation of the kernel.
In step S204, the first access request is forwarded by the first module from the first file system to the second module. The FUSE kernel module may forward the call interface of the VFS to the call interface of the libfuse, thereby enabling forwarding of the first access request from the first file system to the second file system. The libFUSE provides a large number of interfaces, and can transfer all the access of the kernel space to the user space for control, although the switching of the kernel space and the user space brings certain performance consumption, the convenience brought by the method is incomparable to kernel programming.
Specifically, a calling interface of a first file system is connected with a first module; and connecting the calling interfaces of the first module and the second module. The FUSE kernel module is arranged in the kernel space of the computing equipment, and can provide functions of intercepting directories and files and the like for the user space besides the interface forwarding function.
It should be noted that, since the FUSE kernel module cannot directly forward the call interface of the VFS located in the kernel space to the call interface of the FUSE located in the user space, the space interface conversion module residing in the FUSE is required to implement the conversion of the interface from the user space to the kernel space or from the kernel space to the user space.
In step S206, the second module sends the first access request to the right control module residing in the user space. The authority control module is essentially a plug-in with authority control function, and the plug-in is dynamically generated based on the second file system. That is, the rights control module is a user-state plug-in (also referred to as a program) developed using FUSE.
Since the libFUSE is an interface of C and is not particularly convenient to be developed in C + + language, a series of processes are required for functions of libFUSE.
Specifically, the functional function residing in the second module is first encapsulated.
In one specific example, a template class is provided that encapsulates libfuses as follows:
template <class T>
FUSE::t_getattr FUSE::Fuse<T>::proxy_getattr = nullptr;
template <class T>
FUSE::t_readlink FUSE::Fuse<T>::proxy_readlink = nullptr;
template <class T>
FUSE::t_mknod FUSE::Fuse<T>::proxy_mknod = nullptr;
template <class T>
FUSE::t_mkdir FUSE::Fuse<T>::proxy_mkdir = nullptr;
template <class T>
FUSE::t_unlink FUSE::Fuse<T>::proxy_unlink = nullptr;
template <class T>
FUSE::t_rmdir FUSE::Fuse<T>::proxy_rmdir = nullptr;
template <class T>
FUSE::t_symlink FUSE::Fuse<T>::proxy_symlink = nullptr;
template <class T>
FUSE::t_rename FUSE::Fuse<T>::proxy_rename = nullptr.
and then rewriting the function of the second module based on the packaged function. After the basic encapsulation of the libFUSE function is completed, the rewriting of the libFUSE function can be completed by using the inheritance of C + + normally.
Continuing with the previous embodiment, rewriting of the libFUSE function may be accomplished by the following function:
class Proxy : public FUSE::Fuse<Proxy> {
public:
Proxy() {}
~Proxy() {}
static void *proxy_init(struct fuse_conn_info *, struct fuse_config *cfg);
static int proxy_getattr(const char *, struct stat *, struct fuse_file_info *);
static int proxy_access(const char *path, int mask);
static int proxy_readdir(const char * path,
void * buf,
fuse_fill_dir_t filler,
off_t offset,
struct fuse_file_info *fi,
enum fuse_readdir_flags);
static int proxy_open(const char *path, struct fuse_file_info *fi);
static int proxy_read(const char * path,
char * buf,
size_t size,
off_t offset,
struct fuse_file_info *fi);
static int proxy_write(const char * path,
const char * buf,
size_t size,
off_t offset,
struct fuse_file_info *fi);
static int proxy_symlink(const char *from, const char *to);
static int proxy_readlink(const char *path, char *buf, size_t size);
};
it should be noted that each function in the FUSE has different functions, and some functions also need to be matched with multiple functions to complete the final work, for example, opening a file, it is necessary to call the getattr function to obtain the rights, and then call the open function to open the file.
In order to provide security for local storage, dotting needs to be performed on several key functions, such as an open function, a readdir function, and the like, when a program accesses storage, a fuse kernel module forwards a call of a relevant function to a user-mode local process, and finally calls the relevant function of the program for processing. If the program rejects the open function, the file cannot be opened, and if the program prohibits the read function, the content cannot be acquired even if the file is open (the open function passes).
In this embodiment, by providing the FUSE, development of the plug-in may be conveniently implemented using a modular or plug-in development manner. By providing the function of loading the plug-in, calling in the form of middleware, different functions can be conveniently expanded through the plug-in, such as providing an authority control plug-in and a black and white list plug-in, and as long as one plug-in does not allow access, the final result is that access is not allowed.
In addition, in some embodiments, the authority control module actively registers the target function residing in the second module based on the communication interface with the second module, that is, the authority control module actively registers its own processing function by defining the communication interface of libFUSE.
In one specific example, the permission control module may be enabled to actively register the objective function residing in the second module by the following interface definition:
class FrameProxyInterface {
virtual int register(ActionType type, std::function<bool> function);
virtual bool unRegister(int descriptor);
};
class PluginInterface {
virtual bool register(FrameProxyInterface const *interface);
virtual void unRegister();
};
by defining the communication interface of the libFUSE, the plug-in can actively register the processing function of the plug-in, such as an authority control plug-in, and can perform authority control and authority registration on functions such as open/read and the like.
In step S208, the permission control module generates a result indicating the access permission of the program according to the identifier parameter, and the second module forwards the result to the first file system through the first module.
The authority control module developed based on the step S206 is capable of determining whether the program has the authority to access the target file according to the program corresponding to the identification parameter, and if so, generating a first result; if not, a second result is generated.
Specifically, the determination may be made by querying a history access record, for example, if the program has been granted the right to access the target file by the user before the access request is received, a result (a first result) of allowing the access is generated, and otherwise, a result (a second result) of not allowing the access is generated.
It should be noted that the history record may be stored in the authority control module, or may be stored in the libFUSE library, and the authority control module obtains the history record through interface call. This embodiment is not limited to this.
Preferably, after generating the second result, the user may also be prompted whether to authorize the program. If the user authorizes the user, the second result is modified to the first result, otherwise, the second result is maintained.
For the result forwarding process, firstly, the second module in the second file system receives the result, and then forwards the result to the first file system through the first module, and the forwarding principle of the result is the same as that of the foregoing first access request, which is not described herein again.
In step S210, the first file system forwards the result to the program, so that the program executes the corresponding process based on the result.
Fig. 3 shows a block diagram of a program access right control apparatus 300 according to an embodiment of the present invention. As shown in FIG. 3, the apparatus 300 includes a first file system 302 (VFS) and a second file system 304 (FUSE), the second file system 304 includes at least a first module 324 (FUSE kernel module) and a second module 344 (libFUSE), the first file system 302 resides in the kernel space of the operating system, the first module 324 resides in the kernel space of the operating system and the second module 344 resides in the user space of the operating system, and the right control module 306.
A first file system 302 adapted to receive a first access request sent by a program and to forward the result of the access right to the program, the first access request including at least an identification parameter of the program;
a first module 324 adapted to forward the first access request from the first file system 302 to the second module 344 and to forward the result of the access right to the first file system 302;
a second module 344 adapted to send the first access request to the right control module 306 residing in the user space and to forward the result of the access right to the first module 324;
the right control module 306 is adapted to generate a result indicating the access right of the program according to the identification parameter.
It should be noted that the principle and the working flow of the program access right control apparatus 300 provided in this embodiment are similar to those of the program access right control method 200, and reference may be made to the description of the program access right control method 300 for relevant points, which is not described herein again.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U.S. disks, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to perform the method of the invention according to instructions in said program code stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose preferred embodiments of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense with respect to the scope of the invention, as defined in the appended claims.

Claims (8)

1. A program access permission control method executed in a computing device, the computing device including a first file system, a second file system and a permission control module, the second file system including at least a first module and a second module, the first file system residing in a kernel space of an operating system, the first module residing in a kernel space of the operating system and the second module residing in a user space of the operating system, the permission control module being dynamically generated by the second file system, and the permission control module residing in a user space of the operating system, wherein the first file system is a VFS, the second file system is a FUSE, the first module is a FUSE kernel module, and the second module is a libFUSE, the method comprising:
a first file system receives a first access request sent by a program, wherein the first access request at least comprises an identification parameter of the program;
forwarding, by the first module, the first access request from the first file system to the second module;
sending, by the second module, the first access request to the entitlement control module;
generating a result indicating the access authority of the program by the authority control module according to the identification parameter and forwarding the result to the first file system by the second module through the first module;
the first file system forwards the result to the program so that the program executes a corresponding process based on the result.
2. The method of claim 1, wherein the forwarding, by the first module, the first access request from the first file system to the second module comprises:
connecting a calling interface of the first file system with the first module;
and connecting the calling interfaces of the first module and the second module.
3. The method of claim 1, wherein the step of generating, by the entitlement control module, a result indicative of the access entitlement of the program according to the identification parameter and forwarding, by the second module, the result to the first file system via the first module comprises:
judging whether the program corresponding to the identification parameter has the authority of accessing the target file;
if yes, generating a first result;
if not, a second result is generated.
4. The method of claim 3, wherein after the step of generating the second result if not present, further comprising the step of:
and prompting a user whether to authorize the program.
5. The method of claim 1, wherein the dynamically generating an entitlement control module based on the second file system comprises:
encapsulating the functional function residing in the second module;
rewriting the function of the second module based on the packaged function;
and generating the authority control module according to the rewritten function and the preset function requirement.
6. A program access right control device comprising:
the file system comprises a first file system, a second file system and a permission control module, wherein the second file system at least comprises a first module and a second module, the first file system resides in a kernel space of an operating system, the first module resides in the kernel space of the operating system and the second module resides in a user space of the operating system, the permission control module is dynamically generated by the second file system, and the permission control module resides in the user space of the operating system, wherein the first file system is VFS, the second file system is FUSE, the first module is FUSE kernel module, and the second module is libFUSE; the system comprises a first file system, a second file system and a third file system, wherein the first file system is suitable for receiving a first access request sent by a program, and the first access request at least comprises an identification parameter of the program;
a first module adapted to forward the first access request from the first file system to the second module;
a second module adapted to send the first access request to the rights control module;
the authority control module is suitable for generating a result indicating the access authority of the program according to the identification parameter;
a second module further adapted to forward the result to the first file system through the first module;
the first file system is further suitable for forwarding the result to the program so that the program executes the corresponding process based on the result.
7. A computing device, comprising:
at least one processor; and
a memory storing program instructions configured for execution by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-5.
8. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-5.
CN202110787396.9A 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium Active CN113239390B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110787396.9A CN113239390B (en) 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium
CN202111199637.4A CN113886853A (en) 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110787396.9A CN113239390B (en) 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202111199637.4A Division CN113886853A (en) 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium

Publications (2)

Publication Number Publication Date
CN113239390A CN113239390A (en) 2021-08-10
CN113239390B true CN113239390B (en) 2021-11-09

Family

ID=77135374

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202110787396.9A Active CN113239390B (en) 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium
CN202111199637.4A Pending CN113886853A (en) 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202111199637.4A Pending CN113886853A (en) 2021-07-13 2021-07-13 Program access authority control method and device, computing device and storage medium

Country Status (1)

Country Link
CN (2) CN113239390B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115017534B (en) * 2021-11-05 2023-08-29 荣耀终端有限公司 File processing authority control method, device and storage medium
CN114547423B (en) * 2022-04-27 2022-08-09 杜江波 Occupational competence big data knowledge graph data access management method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105812436A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Heterogeneous storage operation method and device
CN106708627A (en) * 2016-12-29 2017-05-24 中国科学院计算技术研究所 Multi-virtual-machine mapping and multipath fuse acceleration method and system based on kvm
CN112181916A (en) * 2020-09-14 2021-01-05 星辰天合(北京)数据科技有限公司 File pre-reading method and device based on user space file system FUSE, and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8285682B2 (en) * 2009-05-11 2012-10-09 Novell, Inc Techniques for establishing a file system that exposes a virtual file system for backup operations

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105812436A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Heterogeneous storage operation method and device
CN106708627A (en) * 2016-12-29 2017-05-24 中国科学院计算技术研究所 Multi-virtual-machine mapping and multipath fuse acceleration method and system based on kvm
CN112181916A (en) * 2020-09-14 2021-01-05 星辰天合(北京)数据科技有限公司 File pre-reading method and device based on user space file system FUSE, and electronic equipment

Also Published As

Publication number Publication date
CN113239390A (en) 2021-08-10
CN113886853A (en) 2022-01-04

Similar Documents

Publication Publication Date Title
US11956220B2 (en) Logic repository service using encrypted configuration data
CN107015845B (en) GPU virtualization
Lange et al. L4Android: a generic operating system framework for secure smartphones
EP0803154B1 (en) A mechanism for providing security to a dual decor command host system
EP3519960B1 (en) Logic repository service
KR101095769B1 (en) A method and system for a security model for a computing device
JP5006366B2 (en) System that provides transitions between device operating modes
US8104083B1 (en) Virtual machine file system content protection system and method
CN113239390B (en) Program access authority control method and device, computing device and storage medium
US20190044971A1 (en) Techniques to provide function-level isolation with capability-based security
WO2011138852A1 (en) Information processing device, information processing method, and program distribution system
JP2022522678A (en) Secure execution guest owner environment control
CN113986515B (en) Method and device for creating sandbox environment for plug-in operation and computing equipment
CN111201553A (en) Safety element and related equipment
Vahidi et al. VETE: Virtualizing the Trusted Execution Environment
Van Strydonck et al. CHERI-TrEE: Flexible enclaves on capability machines
US10628611B2 (en) Exclusive execution environment within a system-on-a-chip computing system
US20220391517A1 (en) Ephemeral Data Storage
CN112231761B (en) Device mounting method, computing device and readable storage medium
CN116070201A (en) Data management method, system, electronic equipment and medium
CN117940900A (en) Storing diagnostic state of secure virtual machines
JPH08212139A (en) Equipment and method for data protection
CN114510706A (en) Permission control method and device based on physical interface and computing equipment
US20220129542A1 (en) Deterministic trusted execution container through managed runtime language metadata
US20240078129A1 (en) Execution of bios components with virtual machines

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant