CN113297566A - Sandbox implementation method, sandbox implementation device, sandbox implementation equipment and storage medium - Google Patents


Info

Publication number: CN113297566A
Authority: CN (China)
Prior art keywords: interface, sandbox, operating system, target, mode operating
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Application number: CN202010415447.0A
Other languages: Chinese (zh)
Other versions: CN113297566B (en)
Inventor: 王小哲
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd

Events:
Application filed by Alibaba Group Holding Ltd
Priority to CN202010415447.0A
Priority to PCT/CN2021/092302 (WO2021227971A1)
Publication of CN113297566A
Application granted
Publication of CN113297566B
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

Embodiments of this application provide a sandbox implementation method, device, equipment and storage medium. The method comprises: a sandbox process acquires a target storage path of a target dynamic library file, where the target dynamic library file comprises a general interface for calling a target user mode operating system; and, when the target dynamic library file has been obtained according to the target storage path, the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface. Through the general interface, the sandbox process converts the general calling method issued by the user into the native calling method of the target user mode operating system, so that the sandbox process can call the target user mode operating system. Different types of user mode operating system can thus be controlled in the native operating system through one set of general calling methods, which makes various types of user mode operating system compatible within one native operating system.

Description

Sandbox implementation method, sandbox implementation device, sandbox implementation equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a sandbox implementation method and apparatus, an electronic device, and a storage medium.
Background
With the continuing demand for data security, how to protect application data while a user is using an application has become a research topic.
At present, two approaches are available for protecting application data. The first uses Trusted Execution Environment (TEE) technology: a secure area of the main processor of an electronic device serves as the trusted execution environment, and the application runs inside it, so that the code and data loaded into the trusted execution environment are protected. The second isolates the application with a library operating system (LibOS) running in user mode: the LibOS places the system call functions of the operating system in user mode and implements them as a library, and once the LibOS and the main operating system of the electronic device are configured, the LibOS loads the application and forms a running environment with a private storage area. Several applications can run at the same time in one running LibOS, that is, in one such private running environment.
However, in the first approach the code of the application itself must be modified so that it can run in the trusted execution environment, which breaks the integrity of the application. In the second approach there are many types of LibOS, a LibOS generally requires complex configuration at run time, and the configuration method of each LibOS is not universal, so one main operating system cannot run multiple different types of LibOS in a compatible way.
Disclosure of Invention
The embodiment of the application provides a sandbox implementation method to improve compatibility of different types of LibOS.
Correspondingly, the embodiment of the application also provides a sandbox implementation device, electronic equipment and a storage medium, which are used for ensuring the implementation and application of the method.
To solve the above problem, an embodiment of the present application discloses a sandbox implementation method, the method comprising:
acquiring, by a sandbox process, a target storage path of a target dynamic library file; the target dynamic library file is obtained by compiling a target user mode operating system, and the target dynamic library file comprises a general interface for calling the target user mode operating system;
and, when the target dynamic library file is obtained according to the target storage path, configuring, by the sandbox process, the target user mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface.
An embodiment of the present application also discloses a sandbox implementation method comprising the following steps:
displaying a configuration interface;
receiving configuration information in the configuration interface; the configuration information comprises a target storage path of a target dynamic library file; the target dynamic library file is obtained by compiling a target user mode operating system, and the target dynamic library file comprises a general interface for calling the target user mode operating system;
and sending the configuration information to a server, so that, when the server acquires the target dynamic library file according to the target storage path, the sandbox process configures the target user mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface.
An embodiment of the present application also discloses a sandbox implementation device, the device comprising:
a path acquisition module, used by the sandbox process to acquire a target storage path of the target dynamic library file; the target dynamic library file is obtained by compiling a target user mode operating system, and the target dynamic library file comprises a general interface for calling the target user mode operating system;
and a configuration module, used to configure, through the sandbox process, the target user mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface, when the target dynamic library file is obtained according to the target storage path.
An embodiment of the present application also discloses a sandbox implementation device, the device comprising:
a display module, used to display a configuration interface;
an interface configuration receiving module, used to receive configuration information in the configuration interface; the configuration information comprises a target storage path of a target dynamic library file; the target dynamic library file is obtained by compiling a target user mode operating system, and the target dynamic library file comprises a general interface for calling the target user mode operating system;
and a sending module, used to send the configuration information to a server, so that, when the server acquires the target dynamic library file according to the target storage path, the sandbox process configures the target user mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface.
The embodiment of the application also discloses an electronic device, which comprises: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a method as described in one or more of the embodiments of the application.
Embodiments of the present application also disclose one or more machine-readable media having executable code stored thereon that, when executed, cause a processor to perform a method as described in one or more of the embodiments of the present application.
Compared with the prior art, the embodiment of the application has the following advantages:
In the embodiments of this application, each user mode operating system is compiled into a dynamic library file, and a general interface for calling that user mode operating system is implemented in the dynamic library file. The general interface converts one set of general calling methods into the native calling methods of the corresponding user mode operating system. A user can therefore send the sandbox process the target storage path of the target dynamic library file that corresponds to the target user mode operating system they require. Once the sandbox process has obtained the target dynamic library file according to the target storage path, it converts the general calling method issued by the user into the native calling method of the target user mode operating system through the general interface in that file; the sandbox process can thus call the target user mode operating system and complete its configuration in the sandbox container corresponding to the sandbox process. Different types of user mode operating system can be controlled in the native operating system through one set of general calling methods, and various types of user mode operating system become compatible within one native operating system.
Drawings
FIG. 1 is a system architecture diagram of a sandbox implementation of the present application;
FIG. 2 is a flow chart of the steps of a sandbox implementation of the present application;
FIG. 3 is a flowchart illustrating the steps of a sandbox implementation method according to the present application;
FIG. 4 is an interaction diagram of a sandbox implementation of the present application;
FIG. 5 is an interaction diagram of another sandbox implementation of the present application;
FIG. 6 is an interaction diagram of another sandbox implementation of the present application;
FIG. 7 is an interaction diagram of another sandbox implementation of the present application;
FIG. 8 is a flow chart of steps of another sandbox implementation method of the present application;
FIG. 9 is an interaction diagram of another sandbox implementation of the present application;
FIG. 10 is a block diagram of a sandbox implementing apparatus embodiment of the present application;
FIG. 11 is a block diagram of another sandbox implementing apparatus embodiment of the present application;
FIG. 12 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
Referring to fig. 1, which shows a system architecture diagram of a sandbox implementation method provided in an embodiment of the present application, an electronic device may include at least: an operating system and a hardware layer.
The operating system is divided into a user layer and a kernel layer. The user layer is built on user mode and the kernel layer on kernel mode. The user layer is the activity space of upper-layer processes, whose execution depends on resources provided by the kernel layer. The kernel layer controls the hardware resources of the computer and provides the environment in which upper-layer processes run; a process running in the user layer accesses those resources through system calls into the kernel layer. The hardware layer may include hardware resources such as the processor and memory.
It should be noted that a process here refers to a computer program that performs one or more specific tasks; it may run in the user layer, interact with the user, have a visual user interface, or run in the background.
In the embodiments of this application, a sandbox is a virtual system program running in the user layer: an execution environment that restricts application behavior according to a security policy. The sandbox process only allows an authorized user to run other applications inside a sandbox container created by the sandbox process, and the data in the sandbox container can be deleted after the applications have run, which keeps application data private and secure. The sandbox process creates an independent running environment, like a sandbox, in which a running application cannot have a permanent effect on the external environment.
Specifically, a container is a modern way to package, share and deploy an application; it is essentially a set of processes that are resource-constrained and isolated from one another. Containers operate at the operating system level: an operating system view is presented to each container at run time, while the containers share the kernel and physical hardware resources of the host operating system. After the sandbox process has deployed the sandbox containers in the corresponding execution environment, the resources of each sandbox container, such as its file system, processes and network stack, sit in a virtual isolation environment that other containers cannot access and that external changes cannot affect, so a sandbox container can be understood as an isolation environment in which the data security of running applications is not affected by the outside. It should be noted that the sandbox process and the sandbox container may be compatible with the Open Container Initiative (OCI) standard so that container technology is applied in a standardized way. In addition, hardware resources of corresponding size, including memory and processor resources, can be allocated to the sandbox container according to the resource allocation information in a configuration file generated from the actual requirements.
Further, the user mode operating system is a virtualized lightweight operating system in which applications can run. Unlike virtual machine technology, which is implemented in kernel mode, it runs in the user layer, which allows it to be controlled by the user.
In the embodiments of this application, an application is placed in a sandbox container created by the sandbox process in order to protect the user's application data; a user mode operating system therefore runs in the sandbox container corresponding to the sandbox process, and the application runs in that user mode operating system. Because a user mode operating system allows an application to run without modification, running the application inside a user mode operating system in the sandbox container, rather than placing it directly in a container, avoids modifying the application and preserves its integrity.
It should be noted that the user mode operating system may be a library operating system (LibOS). A LibOS follows the unikernel concept: the operating system is designed as a modular library, and the user configures a customized system as needed. Resource management functions that originally belong to the operating system kernel are provided to the application as libraries written in a high-level programming language, according to the corresponding requirements, so that the application can access the underlying hardware directly and run efficiently.
However, the different native operating system environments of electronic devices have given rise to many different types of LibOS, whose instruction forms and formats differ. For example, the Occlum LibOS and the Graphene-SGX LibOS, both developed on Linux, have different instruction forms and formats for different requirements: their system interface function names, parameter types and so on differ. Therefore, implementing a LibOS in one native operating system environment requires complex configuration of that LibOS, and because the configuration methods of different types of LibOS are not universal, the cost of using different LibOS in one native operating system environment is high and compatibility of multiple LibOS cannot be achieved conveniently.
In the embodiments of this application, to make multiple types of LibOS compatible in one native operating system environment, a target LibOS may be compiled into a target dynamic library file, and a general interface for calling the target user mode operating system is implemented in that file. A user can then send the sandbox process the target storage path of the target dynamic library file corresponding to the target LibOS that meets their actual requirements; when the sandbox process has acquired the target dynamic library file according to the target storage path, it calls the target LibOS through the general interface in the file and configures the target LibOS in the sandbox container corresponding to the sandbox process.
In particular, a dynamic library file is a non-executable binary file that allows programs to share code and other resources needed to perform specific tasks. In a Windows environment a dynamic library file may be a DLL (Dynamic Link Library, .dll) file; in a Linux environment it may be a shared object (.so) file. Functions can be placed in a dynamic library file and implemented as a shared function library that other programs call. For example, in the embodiments of this application the sandbox process calls the general interface function in the target dynamic library file; if functions implementing other features are added to the target dynamic library file, the sandbox process or other processes can call those functions as well.
In the embodiments of this application, each LibOS can be compiled into a dynamic library file, and for each of one or more native operation interfaces in the LibOS a general interface function is created. Each general interface contains a conversion rule that converts an instruction recognizable by the sandbox process into an instruction recognizable by the native operation interface. Whatever type of LibOS the user currently requests, the user sends the same general operation instruction to the sandbox process; the sandbox process converts it, through the general interface in the dynamic library file of the requested LibOS, into an instruction recognizable by the corresponding native operation interface, and the native operation interface executes the operation. Different types of LibOS are thus controlled in the native operating system through one set of general instructions, which makes various LibOS compatible in one native operating system.
For example, assume a first type LibOS1 that uses A-type instructions and a second type LibOS2 that uses B-type instructions, where LibOS1 is compiled into dynamic library file 1 and LibOS2 into dynamic library file 2. A general interface function containing a rule for converting general instruction C into A-type instructions is implemented in dynamic library file 1, and a general interface function containing a rule for converting general instruction C into B-type instructions is implemented in dynamic library file 2. When the user uses LibOS1, the user sends general instruction C to the sandbox process, and the sandbox process converts it into an A-type instruction by calling the general interface function in dynamic library file 1, so that LibOS1 completes the corresponding operation through an instruction it recognizes; the same applies to LibOS2. The user thus controls both LibOS1 and LibOS2 through one set of general instructions C, and the two LibOS are compatible in one native operating system.
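The conversion just described, written out as an added example in Python (it is not code from the patent or from any LibOS project): one generic instruction sequence from the sandbox process is translated by two different general interfaces into two different native call shapes. The LibOS names, the native function names, their argument shapes and the paths in LIBRARY_TABLE are all hypothetical, and the table stands in for loading the dynamic library file at the target storage path and resolving the general interface symbol it exports.

```python
"""Conversion rules behind the general interface: the sandbox process issues one
generic instruction set, and each LibOS's dynamic library file turns it into that
LibOS's own native calls.  Added example, not code from the patent or any LibOS;
the LibOS names, native function names, argument shapes and paths are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class UnsupportedInstruction(KeyError):
    """The target LibOS has no native operation for this generic verb."""


@dataclass(frozen=True)
class NativeCall:
    function: str               # native interface function name inside the LibOS
    params: Tuple[object, ...]  # arguments in that function's own order and types


# A conversion rule maps the generic instruction's keyword arguments to one native call.
Rule = Callable[[Dict[str, object]], NativeCall]


class GeneralInterface:
    """What a LibOS dynamic library file exports to the sandbox process."""

    def __init__(self, libos: str, rules: Dict[str, Rule]):
        self.libos = libos
        self._rules = rules

    def translate(self, verb: str, **args) -> NativeCall:
        try:
            rule = self._rules[verb]
        except KeyError:
            # Fail closed: the sandbox process must not silently drop an operation.
            raise UnsupportedInstruction(f"{self.libos} has no rule for {verb!r}") from None
        return rule(args)


# LibOS1 ("A-type" instructions): program path plus one space-joined argument string.
LIBOS1 = GeneralInterface("LibOS1", {
    "init":    lambda a: NativeCall("libos1_setup", (a["instance_dir"],)),
    "exec":    lambda a: NativeCall("libos1_run", (a["path"], " ".join(a["argv"]))),
    "kill":    lambda a: NativeCall("libos1_signal", (a["pid"], 9)),
    "destroy": lambda a: NativeCall("libos1_teardown", ()),
})

# LibOS2 ("B-type" instructions): argc/argv/envp style and no way to kill a process.
LIBOS2 = GeneralInterface("LibOS2", {
    "init":    lambda a: NativeCall("libos2_init", (a["instance_dir"], 0)),
    "exec":    lambda a: NativeCall("libos2_main",
                                    (len(a["argv"]) + 1, [a["path"], *a["argv"]], a.get("env", []))),
    "destroy": lambda a: NativeCall("libos2_exit", (0,)),
})

# Stand-in for loading the dynamic library file at the configured target storage path
# and resolving the general interface it exports.
LIBRARY_TABLE = {
    "/opt/libos/liberpal-libos1.so": LIBOS1,
    "/opt/libos/liberpal-libos2.so": LIBOS2,
}


class SandboxProcess:
    def __init__(self, target_storage_path: str):
        try:
            self.interface = LIBRARY_TABLE[target_storage_path]
        except KeyError:
            raise FileNotFoundError(target_storage_path) from None
        self.native_log: List[NativeCall] = []

    def run(self, generic_instructions) -> List[NativeCall]:
        """Translate every generic instruction and record the native call it became."""
        for verb, args in generic_instructions:
            self.native_log.append(self.interface.translate(verb, **args))
        return self.native_log


# One generic instruction sequence, sent unchanged whichever LibOS is configured.
GENERIC_SEQUENCE = [
    ("init", {"instance_dir": "/var/lib/sandbox/c1"}),
    ("exec", {"path": "/bin/app", "argv": ["--port", "8080"]}),
    ("destroy", {}),
]


def native_functions_for(library_path: str) -> List[str]:
    return [call.function for call in SandboxProcess(library_path).run(GENERIC_SEQUENCE)]


if __name__ == "__main__":
    for path in LIBRARY_TABLE:
        print(path, "->", native_functions_for(path))
```

Two points the description leaves implicit are made explicit here: a verb the target LibOS cannot express (kill on LibOS2) must fail closed with an error rather than be dropped, because the sandbox process is the only component that knows the operation never reached the LibOS; and the conversion rule owns the argument encoding (argv joined into one string for LibOS1, argc/argv/envp for LibOS2), so nothing above the general interface ever builds native arguments itself.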
Further, a LibOS must be configured to run in a sandbox container. Referring to FIG. 1, the process of creating the sandbox container in the sandbox process may be as follows: the sandbox process determines the size of the hardware resources the sandbox container needs according to the actual requirements, and allocates hardware resources in the hardware layer to the sandbox container running the LibOS through the sandbox driver that corresponds to the sandbox process in the kernel layer; once the allocation is complete, the LibOS can access the hardware resources of the sandbox container directly, through the library system driver corresponding to the LibOS, while loading an application, so that the application runs.
To sum up, the embodiments of this application compile each user mode operating system into a dynamic library file and implement in it a general interface that converts one set of general calling methods into the native calling methods of that user mode operating system. The user sends the sandbox process the target storage path of the target dynamic library file corresponding to the required target user mode operating system; once the sandbox process has obtained that file, it converts the user's general calling method into the native calling method of the target user mode operating system through the general interface, calls the target user mode operating system, and completes its configuration in the sandbox container corresponding to the sandbox process. One set of general calling methods thus controls different types of user mode operating system in the native operating system, making various types of user mode operating system compatible within one native operating system.
Referring to fig. 2, an embodiment of the present application provides a flowchart of steps of a sandbox implementation method, including:
step 101, a sandbox process acquires a target storage path of a target dynamic library file.
The target dynamic library file is obtained by compiling a target user mode operating system, and the target dynamic library file comprises a general interface for calling the target user mode operating system.
In this embodiment, the target storage path may be the path at which the target dynamic library file is stored. The user can configure the target storage path according to actual requirements, and the sandbox process receives the target storage path.
Specifically, the user mode operating system may be a library operating system (LibOS), as described above: an operating system designed as a modular library in the unikernel style, whose resource management functions are provided to the application as libraries so that the application can access the underlying hardware directly and run efficiently. To make multiple types of LibOS compatible in one native operating system environment, a target LibOS may be compiled into a target dynamic library file in which a general interface for calling the target user mode operating system is implemented; the general interface contains conversion rules that convert instructions recognizable by the sandbox process into instructions recognizable by a native operation interface.
In the embodiments of this application, the target dynamic library file provides the general interface to the sandbox process, and the general interface carries the method declarations that convert general methods into native methods. Conceptually the general interface is a specification or protocol, an abstract notion; from the program's point of view it is simply the set of function declarations that convert general methods into native methods.
Step 102, when the target dynamic library file is obtained according to the target storage path, the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
In the embodiments of this application, containers operate at the operating system level: an operating system view is presented to each container at run time, and the containers share the kernel and physical hardware resources of the host operating system. After the sandbox process has deployed the sandbox containers in the corresponding execution environment, the resources of each sandbox container sit in a virtual isolation environment that other containers cannot access and that external changes cannot affect; a sandbox container can therefore be understood as an isolation environment in which the data security of running applications is not affected by the outside.
Specifically, the user mode operating system may be a LibOS. Each LibOS can be compiled into a dynamic library file in which a general interface function is created for each of one or more native operation interfaces of the LibOS; each general interface contains a conversion rule that converts an instruction recognizable by the sandbox process into an instruction recognizable by the native operation interface. Whatever type of LibOS the user requests, the user sends the same general operation instruction to the sandbox process, which converts it, through the general interface in the dynamic library file of the requested LibOS, into an instruction recognizable by the corresponding native operation interface; the native operation interface then performs the operation. One set of general instructions thus controls different types of LibOS in the native operating system and makes various LibOS compatible within one native operating system.
It should be noted that a LibOS may be converted into a dynamic library file by a compiler; for example, in a Linux environment the Occlum LibOS may be converted into the dynamic library file liberpal-occlum.
In summary, each user mode operating system is compiled into a dynamic library file carrying a general interface that converts one set of general calling methods into that operating system's native calling methods. The user sends the sandbox process the target storage path of the target dynamic library file; once the sandbox process has acquired the file, it converts the user's general calling method into the native calling method of the target user mode operating system through that general interface, calls the target user mode operating system, and configures it in the sandbox container corresponding to the sandbox process. Different types of user mode operating system can therefore be controlled in the native operating system through one set of general calling methods, and various types of user mode operating system are compatible within one native operating system.
Referring to fig. 3, a flowchart illustrating specific steps of another sandbox implementation method embodiment of the present application is shown.
Step 201, receiving a configuration file by the sandbox process; the configuration file includes a target storage path of the target dynamic library file.
The target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a general interface for calling the target user-mode operating system.
In the embodiment of the present application, referring to fig. 4, an interaction schematic diagram of a sandbox implementation method of the present application is shown, where a user may configure a target storage path of a target dynamic library file through a configuration interface 11 of a client 10, and may also configure a hardware resource scheme of a target user-mode operating system in a configuration interface 12 according to actual requirements, and after the configuration is completed, click a "generate configuration file and send" button, and the client 10 may send the configuration file to an electronic device 20. It is understood that the device in fig. 4 is an example, and other terminal devices may be used for configuration.
It should be noted that, if the electronic device 20 has an operable interface and a corresponding input interface, the user may also directly implement configuration and generation of the configuration file in the configuration interface of the electronic device 20.
After the sandbox process of the electronic device 20 completes configuring the target LibOS in the sandbox container according to the configuration file, the electronic device 20 may deliver the target LibOS to the client 10, i.e., provide the client 10 with the right to access the target LibOS.
It should be noted that, referring to fig. 5, which shows an interaction schematic diagram of another sandbox implementation method of the present application, the electronic device 22 may itself have an operation interface and have the sandbox process installed. The configuration file is generated through the configuration interface 21 and the configuration interface 22; the electronic device 22 then configures the target LibOS in the sandbox container according to the configuration file through the sandbox process and provides the operable target LibOS to the user. For example, after the user clicks the "configuration complete, commit after clicking" button, the configuration interface may switch to the interface for subsequently operating the target LibOS.
Step 202, under the condition that the target dynamic library file is obtained according to the target storage path, the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
This step may specifically refer to step 102, which is not described herein again.
Optionally, the target user-mode operating system includes a native operation interface for invoking the target user-mode operating system, and the generic interface is configured to invoke the native operation interface corresponding to the generic interface.
Optionally, a conversion rule between the first type instruction and the second type instruction is set in the universal interface; the first type of instruction is an identifiable instruction of the sandbox process, and the second type of instruction is an identifiable instruction of the native operation interface, where step 202 may specifically include:
Sub-step 2021, receiving a first type instruction by the sandbox process.
Sub-step 2022, calling the generic interface by the sandbox process, converting the first type instruction into the second type instruction according to the conversion rule, and sending the second type instruction to the native operation interface corresponding to the generic interface.
In the embodiment of the application, the universal interfaces and the native operation interfaces are in one-to-one correspondence, and each universal interface corresponds in function to its native operation interface, so that each universal interface can send data to the corresponding native operation interface. For example, if a LibOS has the three functions of initialization, loading, and destruction, the LibOS has a universal initialization interface connected to the corresponding native initialization operation interface, a universal loading interface connected to the corresponding native loading operation interface, and a universal destruction interface connected to the corresponding native destruction operation interface.
In this step, after the sandbox process receives the recognizable first type instruction of the sandbox process, the sandbox process may convert the first type instruction into a second type instruction recognizable by the native operation interface by calling the general interface in the target dynamic library file according to a conversion rule between the first type instruction and the second type instruction, and send the second type instruction to the native operation interface corresponding to the general interface.
Sub-step 2023, configuring, through the native operation interface, the target user-mode operating system in the sandbox container corresponding to the sandbox process according to the second type instruction.
In this step, since the native operation interface has obtained the recognizable second type instruction, the operation corresponding to the second type instruction may be further executed according to the native operation interface and the second type instruction, and the target user-mode operating system is configured in the sandbox container corresponding to the sandbox process.
Optionally, the common interface includes at least one of a common initialization interface, a common application loading interface, a common application closing interface, and a common destruction interface.
The universal initialization interface is used for allocating resources for the target user-mode operating system in the sandbox container and initializing the target user-mode operating system;
the universal application program loading interface is used for loading at least one application program to run after the target user mode operating system is initialized;
the general application program closing interface is used for closing the running application program;
the universal destruction interface is used for closing the target user mode operating system and releasing system resources.
In the embodiment of the present application, the four basic functions implemented by the target user mode operating system include: initializing a target user mode operating system, loading an application program in the target user mode operating system, closing the application program running in the target user mode operating system, closing the target user mode operating system and releasing system resources.
Referring to fig. 6, an interaction schematic diagram of another sandbox implementation method of the present application is shown, where an execution operation interface 23 of the electronic device 20 includes four function options, namely "initialize", "load application", "close application", and "destroy and release resource", and the target dynamic library file has a general initialization interface and a corresponding native initialization operation interface, a general application loading interface and a corresponding native load operation interface, a general application closing interface and a corresponding native close operation interface, a general destroy interface, and a corresponding native destroy operation interface.
The user may select a corresponding function option according to an actual requirement, and after selecting the corresponding function option, the electronic device 20 may generate a first type instruction common to the function option, convert the first type instruction into a second type instruction through a corresponding general interface in the target dynamic library file, and send the second type instruction to a native operation interface corresponding to the general interface for execution.
For example, after the user completes initialization of the target user-mode operating system, the user may select the "load application" option in the execution operating interface 23 of fig. 6 and then enter the selection interface 24 of fig. 7; by selecting one of the selectable applications in the selection interface 24, the selected application is loaded into the target user-mode operating system and run through the general application loading interface.
After the user completes initialization of the target user mode operating system, the user may select an option of "close application" in the execution operating interface 23 of fig. 6, and further enter another selection interface, and by selecting an application program selectable in the another selection interface, the selected application program is stopped through the general application program close interface.
After the user completes initialization of the target user-mode operating system, the user may select a "destroy and release resources" option in the execution operating interface 23 in fig. 6, further delete data stored in the hardware resources corresponding to the sandbox container through the general destruction interface, and deliver the hardware resources to the host operating system, thereby implementing closing of the target user-mode operating system and release of system resources.
In an actual Linux application scenario, the function of the universal initialization interface is defined as follows:
[Figure BDA0002494803710000131: definition of the initialization function, reproduced in the patent as an image]
where the parameter attr->instance_path refers to the path of the LibOS instance being passed in;
the parameter attr->log_level refers to the log level;
the function pointer int (*pal_init)() performs the initialization operation.
A return value of 0 indicates success; a return value of ENOENT indicates that instance_path does not exist; any other return value indicates a LibOS-defined error.
The description of the function definition is: the path of the LibOS instance (e.g., /xxx/.occlum or xxxx.manifest) and the log level are passed in, and the LibOS is initialized.
The function definition for the generic application loading interface is:

struct stdio_fds {
    int stdin, stdout, stderr;
};
int pal_exec(char *path, char *argv[], struct stdio_fds *stdio, int *exit_value);

where the parameter path refers to the path of the binary file (application program) to be run;
the parameter argv refers to the arguments of the binary, terminated by a null element;
the parameter exit_value receives the exit code after the binary finishes running;
the parameter stdio refers to the stdio handles used by the binary;
the function pointer int (*pal_exec)() loads the binary application.
A return value of 0 indicates success; a return value of ENOENT indicates that path does not exist; EACCES indicates an error accessing the file at path; ENOEXEC indicates that path is not an executable file; ENOMEM indicates that memory is insufficient.
The description of the function definition is: the path of the binary file to be executed is passed in, the call waits synchronously for the binary to finish running, and the result is returned.
The function definition for the generic application closing interface is:

int pal_kill(int pid, int sig);

where the parameter sig refers to the signal value to be sent;
the parameter pid refers to the target: when pid is -1, the signal is sent to all processes; when it is 0, to the current process; when it is greater than 0, to the process with the specified pid;
a return value of 0 indicates success; EINVAL indicates that sig is invalid; ESRCH indicates that the process number is invalid; EPERM indicates that the signal cannot be sent; ENOSYS indicates that the function is not implemented; any other return value indicates a LibOS-defined error.
The description of the function definition is: the running binary is stopped.
The function definition for the generic destruction interface is:

int pal_destroy();

A return value of 0 indicates success; ENOSYS indicates that the function is not implemented; any other return value indicates a LibOS-defined error.
The description of the function definition is: the LibOS instance is destroyed.
Optionally, the configuration file further includes system resource configuration information, and in the case that the generic interface includes a generic initialization interface, step 202 may specifically include:
Sub-step 2024, allocating, by the sandbox process, the system resource corresponding to the resource configuration information in the sandbox container corresponding to the sandbox process by calling the general initialization interface, and initializing the target user-mode operating system based on the system resource.
Referring to fig. 5, the parameters selected by the electronic device 20 in the configuration interface 22 may be resource configuration information of hardware resources allocated to a sandbox container corresponding to the sandbox process, where the resource configuration information includes, but is not limited to, memory resources, processor resources, network card resources, and the like.
Referring to fig. 1, the process of creating a sandbox container in a sandbox process may include: the sandbox process can determine the size of hardware resources required by the sandbox container according to actual requirements, the hardware resources are distributed for the operation of the LibOS sandbox container in the hardware layer through the sandbox driver corresponding to the sandbox process in the kernel layer, and after the hardware resource distribution is completed, the LibOS can directly access the hardware resources corresponding to the sandbox container through the library system driver corresponding to the LibOS in the process of loading the application program, so that the operation of the application program is achieved.
Further, initializing the target user-mode operating system based on the system resources specifically means assigning variables of the target user-mode operating system based on the parameters of the system resources; if a variable is assigned its default value, the target user-mode operating system is placed in a default state and waits for an application to be loaded.
Step 203, converting the sandbox container configured with the target user mode operating system into an image file or a software development kit.
Step 204, providing the image file or the software development kit to the client.
Specifically, an image file is similar to a compressed package file: a specific series of files is packed into a single file according to a certain format so that a user can conveniently download and use it, and its most important characteristic is that it can be recognized by specific software and burned directly onto an optical disc. An image file can also be extended to contain more information, such as system files, boot files, and partition table information, so that an image file may contain all of the information of a partition or even of an entire hard disk.
A software development kit is generally a collection of development tools used by software engineers to build application software for a particular software package, software framework, hardware platform, operating system, etc.
In the embodiment of the application, after the target user-mode operating system is configured in the sandbox container corresponding to the sandbox process, in order to improve the convenience of the user in using the target user-mode operating system, the sandbox container configured with the target user-mode operating system may be converted into the image file or the software development kit and delivered to the user, so that the user can conveniently use the sandbox container configured with the target user-mode operating system through the image file or the software development kit.
For example, after a sandbox container configured with the target user-mode operating system has been converted into an image file or a software development kit and delivered to the user, the user may open and execute other non-sandbox processes through the client when those are needed, and may directly open the corresponding image file or software development kit when application isolation is needed, so that the sandbox container configured with the target user-mode operating system runs directly and the user's requirements are met.
Optionally, the configuration file further includes the type of the target user-mode operating system, and the method may further comprise:
Step A1, executing step 202 in case it is determined that the type is a preset type.
In this embodiment of the present application, the configuration file may further include an "include_destroy_TYPE" option, in which a type of LibOS, such as Occlum or Graphene, may be selected. The sandbox process may preset the LibOS types it supports and determine the type of the target user-mode operating system from the configuration file; only when that type is a preset type does the sandbox process proceed, once the target dynamic library file is acquired according to the target storage path, to configure the target user-mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
If the type of the target user mode operating system is not the preset type, the sandbox process can report an error for the user to correct.
Optionally, the method may further include:
Step B1, opening the target dynamic library file corresponding to the target storage path through a preset library function tool.
Step B2, executing step 202 in case it is detected that the target dynamic library file includes the function identifier of the generic interface.
In this step, a target storage path is received, the target dynamic library file corresponding to the target storage path is opened through a preset library function tool, and the code in the target dynamic library file is traversed. When the target dynamic library file is detected to include the function identifier of the general interface, the target dynamic library file can be judged valid, and the sandbox process, having acquired the target dynamic library file according to the target storage path, configures the target user-mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
If the target dynamic library file does not include the function identifier of the universal interface, the sandbox process may report an error for the user to correct.
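As an added example (not code from the patent or from any LibOS project), the following C shows the sandbox-process side of the generic interface defined above (pal_init, pal_exec, pal_kill, pal_destroy) together with the preset-type check of step A1 and the function-identifier check of steps B1 and B2. The resolver callback, the allow-list of types, the generic request structure and the in-process stub LibOS are assumptions made for this example; in production the resolver would wrap dlsym() on a handle returned by dlopen() for the target storage path.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Types taken from the interface definitions on this page. */
struct pal_attr_t { const char *instance_path; const char *log_level; };
struct stdio_fds { int stdin, stdout, stderr; };

/* Native operation interfaces resolved from the target dynamic library file. */
struct pal_ops {
    int (*pal_init)(struct pal_attr_t *attr);
    int (*pal_exec)(char *path, char *argv[], struct stdio_fds *stdio, int *exit_value);
    int (*pal_kill)(int pid, int sig);
    int (*pal_destroy)(void);
};

/* Resolver (assumed): returns the address of a named symbol or NULL; wraps dlsym in production. */
typedef void *(*symbol_resolver)(void *ctx, const char *name);

/* Step A1: only preset LibOS types are accepted (constructed allow-list). */
static const char *const PRESET_TYPES[] = { "occlum", "graphene" };

int type_is_preset(const char *type)
{
    for (size_t i = 0; i < sizeof PRESET_TYPES / sizeof PRESET_TYPES[0]; i++)
        if (type && strcmp(type, PRESET_TYPES[i]) == 0)
            return 1;
    return 0;
}

/* Steps B1/B2: resolve the four function identifiers and refuse the library with ENOEXEC
 * if any is missing, so the sandbox process never dispatches into an incomplete library. */
int load_pal_ops(symbol_resolver resolve, void *ctx, struct pal_ops *ops)
{
    memset(ops, 0, sizeof *ops);
    *(void **)&ops->pal_init    = resolve(ctx, "pal_init");
    *(void **)&ops->pal_exec    = resolve(ctx, "pal_exec");
    *(void **)&ops->pal_kill    = resolve(ctx, "pal_kill");
    *(void **)&ops->pal_destroy = resolve(ctx, "pal_destroy");
    if (!ops->pal_init || !ops->pal_exec || !ops->pal_kill || !ops->pal_destroy)
        return ENOEXEC;
    return 0;
}

/* First-type instructions: the generic operations the sandbox process recognizes. */
enum generic_op { OP_INIT, OP_LOAD_APP, OP_CLOSE_APP, OP_DESTROY };

struct generic_req {
    enum generic_op op;
    const char *instance_path, *log_level; /* used by OP_INIT */
    char *app_path; char **argv;           /* used by OP_LOAD_APP */
    int pid, sig;                          /* used by OP_CLOSE_APP */
};

/* Conversion rule: map a generic request onto the corresponding native interface and pass
 * the native result code back unchanged (0 = success, errno values as documented above). */
int dispatch(const struct pal_ops *ops, const struct generic_req *r, int *exit_value)
{
    switch (r->op) {
    case OP_INIT: {
        struct pal_attr_t attr = { r->instance_path, r->log_level };
        return ops->pal_init(&attr);
    }
    case OP_LOAD_APP: {
        struct stdio_fds io = { 0, 1, 2 };  /* inherit the sandbox process's stdio */
        return ops->pal_exec(r->app_path, r->argv, &io, exit_value);
    }
    case OP_CLOSE_APP:
        return ops->pal_kill(r->pid, r->sig);
    case OP_DESTROY:
        return ops->pal_destroy();
    }
    return EINVAL;
}

/* ---- Constructed in-process stub LibOS, standing in for a real dynamic library. ---- */
static int stub_inited;
static int stub_init(struct pal_attr_t *a)
{ if (!a->instance_path) return ENOENT; stub_inited = 1; return 0; }
static int stub_exec(char *p, char **argv, struct stdio_fds *io, int *ev)
{ (void)argv; (void)io; if (!stub_inited) return ENOSYS; if (!p) return ENOENT; *ev = 42; return 0; }
static int stub_kill(int pid, int sig) { return (pid < -1 || sig <= 0) ? EINVAL : 0; }
static int stub_destroy(void) { stub_inited = 0; return 0; }

/* ctx points to an int: 0 simulates a library that lacks the pal_destroy identifier. */
void *stub_resolver(void *ctx, const char *name)
{
    int complete = *(int *)ctx;
    if (!strcmp(name, "pal_init"))    return (void *)stub_init;
    if (!strcmp(name, "pal_exec"))    return (void *)stub_exec;
    if (!strcmp(name, "pal_kill"))    return (void *)stub_kill;
    if (complete && !strcmp(name, "pal_destroy")) return (void *)stub_destroy;
    return NULL;
}
```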
Optionally, the method may further include:
Step C1, starting the sandbox process.
Step C2, creating the sandbox container by the sandbox process.
In this embodiment of the application, the LibOS needs to be configured to run in a sandbox container. Referring to fig. 1, the process of creating a sandbox container in the sandbox process may be as follows: the sandbox process determines the size of the hardware resources required by the sandbox container according to actual requirements and allocates hardware resources in the hardware layer to the LibOS sandbox container through the sandbox driver corresponding to the sandbox process in the kernel layer; after the hardware resource allocation is completed, the LibOS can directly access the hardware resources corresponding to the sandbox container through the library system driver corresponding to the LibOS while loading an application program, so that the application program runs.
To sum up, in the embodiment of the present application, each user-mode operating system is compiled into a dynamic library file, and a common interface for invoking the user-mode operating system is implemented in that file; the common interface converts one set of common invoking methods into the native invoking methods of the respective user-mode operating system. A user can therefore send, according to actual requirements, the target storage path of the target dynamic library file corresponding to a target user-mode operating system to a sandbox process. Once the sandbox process has acquired the target dynamic library file from the target storage path, it converts the common invoking methods operated by the user into the native invoking methods of the target user-mode operating system through the common interface in that file, so that the sandbox process invokes the target user-mode operating system and completes its configuration in the sandbox container corresponding to the sandbox process. Thus different types of user-mode operating systems can be operated and controlled within the native operating system through one set of universal invoking methods, and various types of user-mode operating systems become compatible within a single native operating system.
Referring to fig. 8, an embodiment of the present application further provides a flowchart of steps of a sandbox implementing method, including:
Step 301, displaying a configuration interface.
Step 302, receiving configuration information in the configuration interface; the configuration information comprises a target storage path of a target dynamic library file; the target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a general interface for calling the target user-mode operating system.
Referring to fig. 4, the client 10 may display a configuration interface 11 and a configuration interface 12, and a user may configure the target storage path of the target dynamic library file through the configuration interface 11 of the client 10, and may also configure the hardware resource scheme of the target user-mode operating system in the configuration interface 12 according to actual requirements. After the user inputs the selection operation in the configuration interface 11 and the configuration interface 12, the configuration information is correspondingly generated.
The client 10 may be a mobile terminal, or a terminal device such as a tablet computer or a personal computer; the embodiments of the present application do not limit this.
It should be noted that the configuration information may include a target storage path of the target dynamic library file, so that the server 20 obtains the target dynamic library file according to the target storage path, and the configuration information may also include system resource configuration information, so that the server 20 allocates a system resource corresponding to the resource configuration information for the sandbox container corresponding to the sandbox process, and initializes the target user-mode operating system based on the system resource.
Step 303, sending the configuration information to a server, so that the sandbox process configures the target user-mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface when the server acquires the target dynamic library file according to the target storage path.
Referring further to the example of fig. 4 in step 302, after the configuration information is generated, the user clicks the "generate configuration file and send" button, and the client 10 may send the configuration file generated according to the configuration information to the server 20, so that when the server 20 obtains the target dynamic library file according to the target storage path, the sandbox process running in the server 20 configures the target user-mode operating system in the sandbox container corresponding to the sandbox process by calling the common interface.
It can be understood that the server 20 in fig. 4 is an example, and in addition, referring to fig. 9, the cloud server 30 is further used to receive configuration information generated in the configuration interface by the client 10, and according to the configuration information, when the cloud server 30 acquires the target dynamic library file according to the target storage path, a sandbox process running in the cloud server 30 configures the target user-mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required of the embodiments of the application.
On the basis of the above embodiments, this embodiment further provides a sandbox implementing apparatus, which is applied to electronic devices such as a terminal device and a server.
Referring to fig. 10, a block diagram of a sandbox implementing apparatus according to an embodiment of the present application is shown, and specifically, the sandbox implementing apparatus may include the following modules:
a path obtaining module 401, configured to obtain, by the sandbox process, a target storage path of the target dynamic library file; the target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a general interface for calling the target user-mode operating system;
optionally, the path obtaining module 401 includes:
a configuration receiving submodule for receiving a configuration file by the sandbox process; the configuration file includes a target storage path of the target dynamic library file.
A configuration module 402, configured to, when the target dynamic library file is obtained according to the target storage path, configure, by the sandbox process, the target user-mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface.
Optionally, the target user-mode operating system includes a native operation interface for invoking the target user-mode operating system, and the generic interface is configured to invoke the native operation interface corresponding to the generic interface.
Optionally, a conversion rule between the first type instruction and the second type instruction is set in the universal interface; the first type instruction is an identifiable instruction of a sandbox process, and the second type instruction is an identifiable instruction of the native operation interface; the configuration module 402 includes:
a receiving submodule for receiving a first type of instruction by the sandbox process;
a conversion submodule, configured to call the universal interface by the sandbox process, convert the first type instruction into the second type instruction according to the conversion rule, and send the second type instruction to the native operation interface corresponding to the universal interface;
a configuration submodule, configured to configure the target user-mode operating system in the sandbox container corresponding to the sandbox process according to the second type instruction through the native operation interface.
Optionally, the universal interface includes at least one of a universal initialization interface, a universal application loading interface, a universal application closing interface, and a universal destruction interface; the universal initialization interface is used for allocating resources for the target user-mode operating system in the sandbox container and initializing the target user-mode operating system; the universal application program loading interface is used for loading at least one application program to run after the target user mode operating system is initialized; the general application program closing interface is used for closing the running application program; the universal destruction interface is used for closing the target user mode operating system and releasing system resources.
Optionally, the configuration file further includes system resource configuration information, and in a case that the generic interface includes a generic initialization interface, the configuration module 402 includes:
an allocation submodule, configured to allocate, by the sandbox process, the system resource corresponding to the resource configuration information in the sandbox container corresponding to the sandbox process by calling the universal initialization interface, and to initialize the target user-mode operating system based on the system resource.
Optionally, the configuration file further includes the type of the target user-mode operating system, and the apparatus further comprises:
a first checking module, configured to execute the configuration module in case it is determined that the type is a preset type.
Optionally, the apparatus further comprises:
an opening module, configured to open the target dynamic library file corresponding to the target storage path through a preset library function tool;
a second checking module, configured to execute the configuration module in case it is detected that the target dynamic library file includes the function identifier of the universal interface.
Optionally, the apparatus further comprises:
the starting module is used for starting the sandbox process;
a creation module to create the sandbox container by the sandbox process.
Optionally, the apparatus further comprises:
a conversion module, configured to convert the sandbox container configured with the target user-mode operating system into an image file or a software development kit;
a providing module, configured to provide the image file or the software development kit to the client.
To sum up, in the embodiments of the present application each user-mode operating system is compiled into a dynamic library file, and a generic interface for invoking that user-mode operating system is implemented in the dynamic library file. The generic interface converts one set of generic invocation methods into the native invocation methods of the corresponding user-mode operating system. A user can therefore send, according to actual requirements, the target storage path of the target dynamic library file corresponding to a target user-mode operating system to the sandbox process; once the sandbox process obtains the target dynamic library file from that path, it converts the generic invocations issued by the user into the native invocations of the target user-mode operating system through the generic interface contained in the file, and so invokes the target user-mode operating system to complete its configuration in the sandbox container corresponding to the sandbox process. Different types of user-mode operating systems can thus be controlled within one native operating system through a single set of generic invocation methods, which makes multiple types of user-mode operating systems compatible within one native operating system.
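The mechanism summarized above, written out as an added example that is not part of the patent and not Alibaba's code: the sandbox-process side in C, which (1) checks the configured type against the preset type (claim 7), (2) resolves the four generic entry points from the library's exports and refuses the library if any function identifier is missing (claim 8), and (3) calls the generic initialization interface with the resource configuration, then loads, closes and destroys through the remaining generic interfaces (claims 4 and 6), each of which is translated into the native operation interface of the library OS by the conversion rule of claim 3. The symbol names `sbx_init`, `sbx_load_app`, `sbx_close_app` and `sbx_destroy`, the preset type value `libos`, the toy library OS `alpha` with its native `alpha_boot`/`alpha_spawn`/`alpha_kill`/`alpha_halt` interface, and the `TRUSTED_DIR` allowlist are all assumptions of this example. To keep the file self-contained, the library's dynamic symbol table is modelled as an in-process export table consulted through a `dlsym`-like callback; in the real sandbox process that callback would wrap `dlsym()` on the handle returned by `dlopen(target_path)`. One caveat the patent's check does not address: finding the expected function identifiers only proves the library exports those names, not where it came from, and whatever is loaded executes inside the sandbox process itself, so this example also restricts the target storage path to a trusted directory before anything is resolved (added hardening, not a step in the patent).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Generic interface spoken by the sandbox process ("first-type" instructions). The four
 * roles come from the patent; the symbol names are assumptions of this example. */
typedef void (*sym_fn)(void);                      /* generic function pointer */
typedef int  (*sbx_init_fn)(unsigned cpus, unsigned mem_mb);
typedef int  (*sbx_load_app_fn)(const char *app);  /* returns app id >= 0, or -1 */
typedef int  (*sbx_close_app_fn)(int app_id);
typedef void (*sbx_destroy_fn)(void);
struct generic_iface { sbx_init_fn init; sbx_load_app_fn load_app; sbx_close_app_fn close_app; sbx_destroy_fn destroy; };
static const char *const REQUIRED_SYMBOLS[] = { "sbx_init", "sbx_load_app", "sbx_close_app", "sbx_destroy" };

/* dlsym-like lookup callback; the real sandbox process would wrap dlsym(handle, name) on the dlopen(target_path) handle. */
typedef sym_fn (*symbol_lookup_fn)(void *ctx, const char *name);

/* Claim-8 check: refuse the library unless every required function identifier resolves. */
int resolve_generic_iface(symbol_lookup_fn lookup, void *ctx, struct generic_iface *out)
{
    sym_fn f[4];
    for (size_t i = 0; i < 4; i++)
        if ((f[i] = lookup(ctx, REQUIRED_SYMBOLS[i])) == NULL) return -1;
    out->init = (sbx_init_fn)f[0];           out->load_app = (sbx_load_app_fn)f[1];
    out->close_app = (sbx_close_app_fn)f[2]; out->destroy = (sbx_destroy_fn)f[3];
    return 0;
}

/* Toy library OS "alpha" with its own native operation interface ("second-type"
 * instructions); it stands in for the compiled .so so that this file is self-contained. */
static struct { int booted; unsigned cpus, mem_mb; int live[8]; int n; } alpha;
static int alpha_boot(unsigned cpus, unsigned mem_mb) {            /* refuses a double boot */
    if (alpha.booted || !cpus || !mem_mb) return -1;
    alpha.booted = 1; alpha.cpus = cpus; alpha.mem_mb = mem_mb; alpha.n = 0; return 0;
}
static int alpha_spawn(const char *path) {
    if (!alpha.booted || !path || alpha.n >= 8) return -1;
    alpha.live[alpha.n] = 1; return alpha.n++;
}
static int alpha_kill(int id) {
    if (id < 0 || id >= alpha.n || !alpha.live[id]) return -1;
    alpha.live[id] = 0; return 0;
}
static void alpha_halt(void) { memset(&alpha, 0, sizeof alpha); }

/* Conversion rule (claim 3): each generic call is mapped onto alpha's native call. */
static int  sbx_init(unsigned c, unsigned m) { return alpha_boot(c, m); }
static int  sbx_load_app(const char *a)      { return alpha_spawn(a); }
static int  sbx_close_app(int id)            { return alpha_kill(id); }
static void sbx_destroy(void)                { alpha_halt(); }

/* Export table standing in for the .so's dynamic symbol table. */
struct export { const char *name; sym_fn fn; };
struct export_table { const struct export *e; size_t n; };
static const struct export ALPHA_EXPORTS[] = {
    { "sbx_init", (sym_fn)sbx_init },           { "sbx_load_app", (sym_fn)sbx_load_app },
    { "sbx_close_app", (sym_fn)sbx_close_app }, { "sbx_destroy", (sym_fn)sbx_destroy } };
static const struct export_table ALPHA_TABLE  = { ALPHA_EXPORTS, 4 };
static const struct export_table BROKEN_TABLE = { ALPHA_EXPORTS, 3 };  /* lacks sbx_destroy */
static sym_fn table_lookup(void *ctx, const char *name) {
    const struct export_table *t = ctx;
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->e[i].name, name) == 0) return t->e[i].fn;
    return NULL;
}

/* Sandbox-process side: what the configuration file carries (claims 5 to 7), and the driver. */
struct sbx_config { const char *target_path, *os_type; unsigned cpus, mem_mb;
                    const char *apps[4]; size_t n_apps; };
#define PRESET_TYPE "libos"        /* the preset type of claim 7 (assumed value) */
#define TRUSTED_DIR "/opt/libos/"  /* added hardening, not a step in the patent */
struct sbx_result { int type_ok, path_ok, iface_ok, init_ok, apps_loaded, apps_closed, destroyed; };

/* Returns 0 when the target user-mode OS was configured, used and torn down cleanly. */
int run_sandbox(const struct sbx_config *cfg, symbol_lookup_fn lookup, void *ctx, struct sbx_result *r)
{
    struct generic_iface gi; int ids[4]; size_t n = cfg->n_apps > 4 ? 4 : cfg->n_apps;
    memset(r, 0, sizeof *r);
    r->type_ok = strcmp(cfg->os_type, PRESET_TYPE) == 0;
    r->path_ok = strncmp(cfg->target_path, TRUSTED_DIR, strlen(TRUSTED_DIR)) == 0 && strstr(cfg->target_path, "..") == NULL;
    if (!r->type_ok || !r->path_ok) return -1;          /* nothing gets loaded */
    r->iface_ok = resolve_generic_iface(lookup, ctx, &gi) == 0;
    if (!r->iface_ok) return -1;                         /* nothing gets called */
    r->init_ok = gi.init(cfg->cpus, cfg->mem_mb) == 0;   /* generic initialization */
    if (!r->init_ok) return -1;
    for (size_t i = 0; i < n; i++)                       /* generic application loading */
        if ((ids[i] = gi.load_app(cfg->apps[i])) >= 0) r->apps_loaded++;
    for (size_t i = 0; i < n; i++)                       /* generic application closing */
        if (ids[i] >= 0 && gi.close_app(ids[i]) == 0) r->apps_closed++;
    gi.destroy();                                        /* generic destruction */
    r->destroyed = 1;
    return 0;
}

int main(void) {                                         /* stand-alone happy-path demo */
    struct sbx_config cfg = { "/opt/libos/libalpha.so", "libos", 2, 512, { "/bin/a", "/bin/b" }, 2 };
    struct sbx_result r; int rc = run_sandbox(&cfg, table_lookup, (void *)&ALPHA_TABLE, &r);
    printf("rc=%d loaded=%d closed=%d destroyed=%d\n", rc, r.apps_loaded, r.apps_closed, r.destroyed);
    return rc != 0; }
```

With the well-formed export table the driver returns 0 after loading and closing both applications and destroying the library OS. The same driver returns -1 and leaves the corresponding flag in `sbx_result` cleared for a library lacking `sbx_destroy` (rejected before any call into it), for a configuration whose type is not the preset type, and for a target path outside the trusted directory or containing `..`.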
Referring to fig. 11, a block diagram of a sandbox implementing apparatus according to an embodiment of the present application is shown, and specifically, the sandbox implementing apparatus may include the following modules:
a display module 501, configured to display a configuration interface;
an interface configuration receiving module 502, configured to receive configuration information entered in the configuration interface; the configuration information comprises a target storage path of a target dynamic library file, the target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a generic interface for calling the target user-mode operating system;
a sending module 503, configured to send the configuration information to a server, so that when the server acquires the target dynamic library file according to the target storage path, the sandbox process configures the target user-mode operating system in the sandbox container corresponding to the sandbox process by calling the generic interface.
The present application further provides a non-volatile readable storage medium storing one or more modules (programs); when the one or more modules are applied to a device, the device is able to execute the instructions of the method steps of this application.
Embodiments of the present application provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an electronic device to perform the methods as described in one or more of the above embodiments. In the embodiment of the present application, the electronic device includes various types of devices such as a terminal device and a server (cluster).
Embodiments of the present disclosure may be implemented as an apparatus, which may include electronic devices such as a terminal device, a server (cluster), etc., using any suitable hardware, firmware, software, or any combination thereof, to perform a desired configuration. Fig. 12 schematically illustrates an example apparatus 700 that may be used to implement various ones of the embodiments described in the present application.
For one embodiment, fig. 12 illustrates an exemplary apparatus 700 having one or more processors 702, a control module (chipset) 704 coupled to at least one of the processor(s) 702, a memory 706 coupled to the control module 704, a non-volatile memory (NVM)/storage 708 coupled to the control module 704, one or more input/output devices 710 coupled to the control module 704, and a network interface 712 coupled to the control module 704.
The processor 702 may include one or more single-core or multi-core processors, and the processor 702 may include any combination of general-purpose or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the apparatus 700 can be used as a terminal device, a server (cluster), or the like in the embodiments of the present application.
In some embodiments, the apparatus 700 may include one or more computer-readable media (e.g., the memory 706 or the NVM/storage 708) having instructions 714 and one or more processors 702 in combination with the one or more computer-readable media configured to execute the instructions 714 to implement modules to perform the actions described in this disclosure.
For one embodiment, control module 704 may include any suitable interface controllers to provide any suitable interface to at least one of processor(s) 702 and/or any suitable device or component in communication with control module 704.
The control module 704 may include a memory controller module to provide an interface to the memory 706. The memory controller module may be a hardware module, a software module, and/or a firmware module.
The memory 706 may be used, for example, to load and store data and/or instructions 714 for the apparatus 700. For one embodiment, memory 706 may comprise any suitable volatile memory, such as suitable DRAM. In some embodiments, the memory 706 may comprise a double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, control module 704 may include one or more input/output controllers to provide an interface to NVM/storage 708 and input/output device(s) 710.
For example, NVM/storage 708 may be used to store data and/or instructions 714. NVM/storage 708 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more hard disk drive(s) (HDD (s)), one or more Compact Disc (CD) drive(s), and/or one or more Digital Versatile Disc (DVD) drive (s)).
NVM/storage 708 may include storage resources that are physically part of the device on which apparatus 700 is installed, or it may be accessible by the device and need not be part of the device. For example, NVM/storage 708 may be accessible over a network via input/output device(s) 710.
Input/output device(s) 710 may provide an interface for apparatus 700 to communicate with any other suitable device; input/output device(s) 710 may include communication components, audio components, sensor components, and so forth. Network interface 712 may provide an interface for apparatus 700 to communicate over one or more networks, and apparatus 700 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example a wireless network based on a communication standard such as Wi-Fi, 2G, 3G, 4G, 5G, or a combination thereof.
For one embodiment, at least one of the processor(s) 702 may be packaged together with logic for one or more controller(s) (e.g., memory controller module) of control module 704. For one embodiment, at least one of the processor(s) 702 may be packaged together with logic for one or more controllers of control module 704 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 702 may be integrated on the same die with logic for one or more controller(s) of control module 704. For one embodiment, at least one of the processor(s) 702 may be integrated on the same die with logic for one or more controllers of control module 704 to form a system on a chip (SoC).
In various embodiments, the apparatus 700 may be, but is not limited to, a server, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.), among other terminal devices. In various embodiments, apparatus 700 may have more or fewer components and/or different architectures. For example, in some embodiments, apparatus 700 may include one or more cameras, a keyboard, a Liquid Crystal Display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and speakers.
In a detection device, a main control chip may serve as the processor or the control module; sensor data, position information and the like are stored in the memory or the NVM/storage; a sensor group may serve as the input/output device; and the communication interface may include the network interface.
The apparatus embodiments are described briefly because they are essentially similar to the method embodiments; for the relevant points, refer to the corresponding description of the method embodiments.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The sandbox implementation method and apparatus, electronic device and storage medium provided by the present application have been described in detail above. Specific examples are used herein to explain the principle and implementation of the application, and the description of the above embodiments is only intended to help understand the method and core idea of the application. At the same time, a person skilled in the art may, according to the idea of the present application, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (26)

1. A sandbox implementation method, comprising:
acquiring, by a sandbox process, a target storage path of a target dynamic library file; the target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a generic interface for calling the target user-mode operating system;
and under the condition that the target dynamic library file is obtained according to the target storage path, the sandbox process configures the target user mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface.
2. The method of claim 1, wherein the target user-mode operating system comprises a native operation interface for invoking the target user-mode operating system, and wherein the generic interface is used to invoke the native operation interface corresponding to the generic interface.
3. The method according to claim 2, wherein a conversion rule between a first type of instruction and a second type of instruction is set in the general interface; the first type of instruction is an identifiable instruction of the sandbox process, and the second type of instruction is an identifiable instruction of the native operation interface;
the configuring, by the sandbox process, the target user-mode operating system in the sandbox container corresponding to the sandbox process by calling the generic interface when the target dynamic library file is acquired according to the target storage path includes:
receiving, by the sandbox process, a first type of instruction;
calling the generic interface by the sandbox process, converting the first type instruction into the second type instruction according to the conversion rule, and sending the second type instruction to the native operation interface corresponding to the generic interface;
and configuring the target user mode operating system in the sandbox container corresponding to the sandbox process according to the second type instruction through the native operation interface.
4. The method of claim 3, wherein the generic interface comprises at least one of a generic initialization interface, a generic application loading interface, a generic application shutdown interface, and a generic destruction interface; the universal initialization interface is used for allocating resources for the target user-mode operating system in the sandbox container and initializing the target user-mode operating system; the universal application program loading interface is used for loading at least one application program to run after the target user mode operating system is initialized; the general application program closing interface is used for closing the running application program; the universal destruction interface is used for closing the target user mode operating system and releasing system resources.
5. The method according to any one of claims 1 to 4, wherein the obtaining, by the sandbox process, the target storage path of the target dynamic library file comprises:
receiving, by the sandbox process, a configuration file; the configuration file includes a target storage path of the target dynamic library file.
6. The method of claim 5, wherein the configuration file further includes system resource configuration information, and in a case that the generic interface includes a generic initialization interface, the sandbox process configures the target user-mode operating system in a sandbox container corresponding to the sandbox process by calling the generic interface, including:
and the sandbox process allocates the system resource corresponding to the resource configuration information in the sandbox container corresponding to the sandbox process by calling the universal initialization interface, and initializes the target user mode operating system based on the system resource.
7. The method of claim 6, wherein the configuration file further comprises: type of target user mode operating system; the method further comprises the following steps:
and, when the type is determined to be a preset type, executing the step of the sandbox process configuring the target user-mode operating system in the sandbox container corresponding to the sandbox process by calling the generic interface, in the case that the target dynamic library file is obtained according to the target storage path.
8. The method of claim 1, further comprising:
opening the target dynamic library file corresponding to the target storage path through a preset library function tool;
and, when the target dynamic library file is detected to include the function identifiers of the generic interface, executing the step of the sandbox process configuring the target user-mode operating system in the sandbox container corresponding to the sandbox process by calling the generic interface.
9. The method of claim 1, further comprising:
starting the sandbox process;
creating, by the sandbox process, the sandbox container.
10. The method of claim 1, further comprising:
converting the sandbox container configured with the target user-mode operating system into an image file or a software development kit;
and providing the image file or the software development kit to a client.
11. A sandbox implementation method, comprising:
displaying a configuration interface;
receiving configuration information entered in the configuration interface; the configuration information comprises a target storage path of a target dynamic library file, the target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a generic interface for calling the target user-mode operating system;
and sending the configuration information to a server, so that the sandbox process configures the target user mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface under the condition that the server acquires the target dynamic library file according to the target storage path.
12. A sandbox implementing apparatus, said apparatus comprising:
a path acquisition module, configured to acquire, by a sandbox process, a target storage path of a target dynamic library file; the target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a generic interface for calling the target user-mode operating system;
and a configuration module, configured to configure, through the sandbox process calling the generic interface, the target user-mode operating system in a sandbox container corresponding to the sandbox process, in the case that the target dynamic library file is obtained according to the target storage path.
13. The apparatus of claim 12, wherein the target user-mode operating system comprises a native operation interface for invoking the target user-mode operating system, and wherein the generic interface is used to invoke the native operation interface corresponding to the generic interface.
14. The apparatus according to claim 13, wherein a conversion rule between a first type of instruction and a second type of instruction is set in the general interface; the first type instruction is an identifiable instruction of a sandbox process, and the second type instruction is an identifiable instruction of the native operation interface;
the configuration module includes:
a receiving submodule for receiving a first type of instruction by the sandbox process;
a conversion submodule, configured to call the generic interface by the sandbox process, convert the first type instruction into the second type instruction according to the conversion rule, and send the second type instruction to the native operation interface corresponding to the generic interface;
and the configuration submodule is used for configuring the target user mode operating system in the sandbox container corresponding to the sandbox process according to the second type instruction through the native operation interface.
15. The apparatus of claim 14, wherein the generic interface comprises at least one of a generic initialization interface, a generic application loading interface, a generic application shutdown interface, and a generic destruction interface; the universal initialization interface is used for allocating resources for the target user-mode operating system in the sandbox container and initializing the target user-mode operating system; the universal application program loading interface is used for loading at least one application program to run after the target user mode operating system is initialized; the general application program closing interface is used for closing the running application program; the universal destruction interface is used for closing the target user mode operating system and releasing system resources.
16. The apparatus according to any one of claims 12-15, wherein the path acquisition module comprises:
a configuration receiving submodule for receiving a configuration file by the sandbox process; the configuration file includes a target storage path of the target dynamic library file.
17. The apparatus of claim 16, wherein the configuration file further comprises system resource configuration information, and wherein in the case that the generic interface comprises a generic initialization interface, the configuration module comprises:
an allocation submodule, configured to allocate, through the sandbox process calling the generic initialization interface, the system resources corresponding to the system resource configuration information in the sandbox container corresponding to the sandbox process, and to initialize the target user-mode operating system based on those system resources.
18. The apparatus of claim 17, wherein the configuration file further comprises: type of target user mode operating system; the device further comprises:
and the first checking module is used for executing the configuration module under the condition that the type is determined to be a preset type.
19. The apparatus of claim 12, further comprising:
an opening module, configured to open the target dynamic library file corresponding to the target storage path through a preset library function tool;
and a second check module, configured to execute the configuration module when the target dynamic library file is detected to include the function identifiers of the generic interface.
20. The apparatus of claim 12, further comprising:
the starting module is used for starting the sandbox process;
a creation module to create the sandbox container by the sandbox process.
21. The apparatus of claim 12, further comprising:
a conversion module, configured to convert the sandbox container configured with the target user-mode operating system into an image file or a software development kit;
and the providing module is used for providing the image file or the software development kit for the client.
22. A sandbox implementing apparatus, said apparatus comprising:
the display module is used for displaying a configuration interface;
an interface configuration receiving module, configured to receive configuration information entered in the configuration interface; the configuration information comprises a target storage path of a target dynamic library file, the target dynamic library file is obtained by compiling a target user-mode operating system, and the target dynamic library file comprises a generic interface for calling the target user-mode operating system;
and the sending module is used for sending the configuration information to a server so that the sandbox process configures the target user mode operating system in a sandbox container corresponding to the sandbox process by calling the general interface under the condition that the server acquires the target dynamic library file according to the target storage path.
23. An electronic device, comprising: a processor; and
memory having stored thereon executable code which, when executed, causes the processor to perform the method of one or more of claims 1-10.
24. One or more machine-readable media having executable code stored thereon that, when executed, causes a processor to perform the method of one or more of claims 1-10.
25. An electronic device, comprising: a processor; and
a memory having executable code stored thereon that, when executed, causes the processor to perform the method of claim 11.
26. One or more machine-readable media having executable code stored thereon that, when executed, causes a processor to perform the method of claim 11.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010415447.0A CN113297566B (en) 2020-05-15 2020-05-15 Sandbox implementation method, device, equipment and storage medium
PCT/CN2021/092302 WO2021227971A1 (en) 2020-05-15 2021-05-08 Sandbox implementation method, device, apparatus, and storage medium


Publications (2)

Publication Number Publication Date
CN113297566A true CN113297566A (en) 2021-08-24
CN113297566B CN113297566B (en) 2024-04-02

Family

ID=77318037


Country Status (2)

Country Link
CN (1) CN113297566B (en)
WO (1) WO2021227971A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114253240A (en) * 2021-12-20 2022-03-29 中国电信股份有限公司 Control method, device, equipment and storage medium for cloud industrial system equipment
CN116010941A (en) * 2023-03-28 2023-04-25 之江实验室 Multi-center medical queue construction system and method based on sandboxes
CN116798457A (en) * 2023-08-29 2023-09-22 中孚安全技术有限公司 Recording behavior identification and management and control method, system, equipment and medium
CN116880866A (en) * 2023-09-07 2023-10-13 京东科技信息技术有限公司 Method, equipment and system for installing operating system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115994361B (en) * 2023-03-22 2023-05-30 北京升鑫网络科技有限公司 Container vulnerability detection method, system, electronic device and readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101627377A (en) * 2007-03-09 2010-01-13 微软公司 Abstracting operating environment from operating system
CN103136468A (en) * 2011-12-12 2013-06-05 微软公司 Facilitating system service request interactions for hardware-protected applications
CN103493011A (en) * 2011-03-03 2014-01-01 微软公司 Application compatibility with library operating systems
CN107615243A (en) * 2015-07-28 2018-01-19 华为技术有限公司 Method, apparatus and system for calling an operating system library
CN108345496A (en) * 2017-01-23 2018-07-31 华为技术有限公司 Method and apparatus for running an application program

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103699620A (en) * 2013-12-19 2014-04-02 珠海世纪鼎利通信科技股份有限公司 Method and system for implementing database operations with an object relational mapping (ORM) framework in an object-oriented manner
EP3776194A4 (en) * 2018-04-11 2022-06-01 Cornell University Method and system for improving software container performance and isolation


Also Published As

Publication number Publication date
WO2021227971A1 (en) 2021-11-18
CN113297566B (en) 2024-04-02

Similar Documents

Publication Publication Date Title
CN113297566B (en) Sandbox implementation method, device, equipment and storage medium
CN109032706B (en) Intelligent contract execution method, device, equipment and storage medium
US6571388B1 (en) Building a custom software environment including pre-loaded classes
US9928038B2 (en) Dynamically building locale objects or subsections of locale objects based on historical data
JP7231681B2 (en) Function extension method and system for package file
CA2768752C (en) Terminal device of non-android platform for executing android applications, and computer readable recording medium for storing program of executing android applications on non-android platform
US7562349B2 (en) Version adaptation interface for integration of different virtual machines
WO2022016848A1 (en) Method and apparatus for performing application deployment according to service role
JP5496683B2 (en) Customization method and computer system
US20160019072A1 (en) Dynamic determination of application server runtime classloading
CN110007980B (en) Method and device for realizing multi-service server
JP2006525575A (en) Off-device class / resource loading method, system, and computer program product for debugging Java applications in Java microdevices
CN111223036B (en) GPU (graphics processing unit) virtualization sharing method and device, electronic equipment and storage medium
US20180210768A1 (en) Api-based service command invocation
US11683232B2 (en) Methods and apparatus to implement cloud specific functionality in a cloud agnostic system
US20210158131A1 (en) Hierarchical partitioning of operators
Rechert et al. Introduction to an emulation-based preservation strategy for software-based artworks
CN113826076A (en) Expandable and secure container
US9141353B2 (en) Dynamically building locale objects at run-time
US10353700B1 (en) Code base sharing between standalone and web-based versions of an application via an emulated network communication channel
US9135025B2 (en) Launcher for software applications
US10114830B2 (en) Lazy logger wrappers
CN114860401A (en) Heterogeneous cloud desktop scheduling system, method, service system, device and medium
US9934052B1 (en) Large scale virtual application deployment using system provisioning tools
EP3791274B1 (en) Method and node for managing a request for hardware acceleration by means of an accelerator device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40059747; Country of ref document: HK)

GR01 Patent grant
GR01 Patent grant