CN114372282A - File access control method, file access control device, electronic device, medium, and program product - Google Patents

File access control method, file access control device, electronic device, medium, and program product Download PDF

Info

Publication number
CN114372282A
CN114372282A CN202111663378.6A CN202111663378A CN114372282A CN 114372282 A CN114372282 A CN 114372282A CN 202111663378 A CN202111663378 A CN 202111663378A CN 114372282 A CN114372282 A CN 114372282A
Authority
CN
China
Prior art keywords
file
file access
initial
target
access rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111663378.6A
Other languages
Chinese (zh)
Inventor
林皓
张泽云
杨泳
李健波
成旭飞
汪元雄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing VRV Software Corp Ltd filed Critical Beijing VRV Software Corp Ltd
Priority to CN202111663378.6A priority Critical patent/CN114372282A/en
Publication of CN114372282A publication Critical patent/CN114372282A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to the technical field of communication, and provides a file access control method, a file access control device, an electronic device, a medium and a program product. The method comprises the following steps: responding to a security policy input by an administrator, and acquiring path information of a file; based on the path information, obtaining an initial file access rule corresponding to the file, and storing the initial file access rule; and obtaining a target file access rule based on the initial file access rule and a security policy, wherein the target file access rule at least comprises a first target flag bit and a second target flag bit, the first target flag bit is used for indicating to read the second target flag bit, the second target flag bit is used for indicating an access request mode corresponding to the file, and the access request mode at least comprises a file read-only mode.

Description

File access control method, file access control device, electronic device, medium, and program product
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a file access control method, apparatus, electronic device, medium, and program product.
Background
Currently, in a Linux system, file access control technologies can be divided into autonomous access control and mandatory access control, where the autonomous access control is an access control service, and a principal has a right to access an access object such as a file and a data table created by the principal, and can grant its access right to other principals, or withdraw its access right. The mandatory access control means that the system controls the access of the subject authority and the operation object according to a specified rule to the object created by the subject, and mainly performs the mandatory access control to all subjects and objects such as processes and files controlled by the subjects.
However, with respect to the existing autonomous access control and mandatory access control, there are the following problems: for autonomous access control, a user can view and change the file access security policy, resulting in leakage of files, and autonomous access control only supports partial file system types under Linux system, resulting in unavailability of file system types such as FAT, FAT32, NTFS; for mandatory access control, the subject needs to monitor both file access control and non-file access control, but monitoring for non-file access control is redundant and irrelevant, thereby increasing consumption of system performance.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a file access control method, apparatus, electronic device, medium, and program product for addressing the above technical problems.
In a first aspect, an embodiment of the present disclosure provides a file access control method, which is applied in a virtual file system, and the method includes:
responding to a security policy input by an administrator, and acquiring path information of a file;
based on the path information, obtaining an initial file access rule corresponding to the file, and storing the initial file access rule;
and obtaining a target file access rule based on the initial file access rule and the security policy, wherein the target file access rule at least comprises a first target flag bit and a second target flag bit, the first target flag bit is used for indicating to read the second target flag bit, the second target flag bit is used for indicating an access request mode corresponding to the file, and the access request mode at least comprises a file read-only mode.
In an embodiment, the obtaining an initial file access rule corresponding to the file based on the path information includes:
acquiring a first initial node structure member and a second initial node structure member corresponding to the file based on the path information;
and reading a first initial zone bit corresponding to the first initial node structure member based on the first initial node structure member, and reading a second initial zone bit corresponding to the second initial node structure member based on the second initial node structure member to obtain an initial file access rule corresponding to the file.
In one embodiment, obtaining the target file access rule based on the initial file access rule and the security policy includes:
based on the security policy, rewriting the first initial flag bit in the initial file access rule to obtain the first target flag bit, and rewriting the second initial flag bit in the initial file access rule to obtain the second target flag bit;
and obtaining the target file access rule based on the first target zone bit and the second target zone bit.
In one embodiment, further comprising:
updating the target file access rule to the initial file access rule in response to the security policy entered by an administrator.
In an embodiment, before obtaining the first initial node structure member and the second initial node structure member corresponding to the file based on the path information, the method further includes:
judging whether the initial node structure members corresponding to the file comprise the first initial node structure member and the second initial node structure member;
and if so, acquiring the first initial node structure member and the second initial node structure member corresponding to the file based on the path information.
In one embodiment, further comprising:
when a file access request input by a user is received, acquiring an access request mode corresponding to the file based on the target file access rule;
and when the access request mode is consistent with the file access request, executing the file access request.
In a second aspect, an embodiment of the present disclosure provides a file access control apparatus, including:
the path information acquisition module is used for responding to a security policy input by an administrator and acquiring the path information of the file;
the processing module is used for acquiring an initial file access rule corresponding to the file based on the path information and storing the initial file access rule;
and a target file access rule obtaining module, configured to obtain a target file access rule based on the initial file access rule and the security policy, where the target file access rule at least includes a first target flag bit and a second target flag bit, the first target flag bit is used to indicate to read the second target flag bit, the second target flag bit is used to indicate an access request mode corresponding to the file, and the access request mode at least includes a file read-only mode.
In a third aspect, an embodiment of the present disclosure provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps of the file access control method according to the first aspect when executing the computer program.
In a fourth aspect, the disclosed embodiments provide a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the file access control method of the first aspect.
In a fifth aspect, the embodiments of the present disclosure provide a computer program product, which when run on a computer, causes the computer to execute the steps of the file access control method of the first aspect.
According to the file access control method, the file access control device, the electronic equipment, the medium and the program product, path information of a file is acquired in a mode of responding to a security policy input by an administrator; based on the path information, obtaining an initial file access rule corresponding to the file, and storing the initial file access rule; and obtaining a target file access rule based on the initial file access rule and the security policy, wherein the target file access rule at least comprises a first target flag bit and a second target flag bit, the first target flag bit is used for indicating to read the second target flag bit, the second target flag bit is used for indicating an access request mode corresponding to the file, and the access request mode at least comprises a file read-only mode. In this way, the target file access rule is set in the file virtual system, and the setting of the access authority of the file is realized according to the first target zone bit and the second target zone bit in the target file access rule, so that the performance consumption of the system is reduced, the file is ensured not to be modified, and the security of file access control is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a file access control method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another file access control method provided in the embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another file access control method provided in an embodiment of the present disclosure;
fig. 4 is a schematic flowchart of another file access control method provided in the embodiment of the present disclosure;
fig. 5 is a schematic flowchart of another file access control method provided in the embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of a file access control device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Currently, in a Linux system, file access control technologies can be divided into autonomous access control and mandatory access control, where the autonomous access control is an access control service, and a principal has a right to access an access object such as a file and a data table created by the principal, and can grant its access right to other principals, or withdraw its access right. The mandatory access control means that the system controls the access of the subject authority and the operation object according to a specified rule to the object created by the subject, and mainly performs the mandatory access control to all subjects and objects such as processes and files controlled by the subjects.
However, with respect to the existing autonomous access control and mandatory access control, there are the following problems: for autonomous access control, a user can view and change the file access security policy, resulting in leakage of files, and autonomous access control only supports partial file system types under Linux system, resulting in unavailability of file system types such as FAT, FAT32, NTFS; for mandatory access control, the subject needs to monitor both file access control and non-file access control, but monitoring for non-file access control is redundant and irrelevant, thereby increasing consumption of system performance.
Therefore, the present disclosure provides a file access control method, which is applied in a virtual file system, and acquires path information of a file by responding to a security policy input by an administrator; based on the path information, obtaining an initial file access rule corresponding to the file, and storing the initial file access rule; and obtaining a target file access rule based on the initial file access rule and the security policy, wherein the target file access rule at least comprises a first target flag bit and a second target flag bit, the first target flag bit is used for indicating to read the second target flag bit, the second target flag bit is used for indicating an access request mode corresponding to the file, and the access request mode at least comprises a file read-only mode. In this way, the target file access rule is set in the file virtual system, and the setting of the file access authority is realized according to the first target zone bit and the second target zone bit in the target file access rule, so that the performance consumption of the system is reduced, the file is ensured not to be modified, and the security of file access control is improved.
The Virtual File Systems (VFS) refer to a distributed File system for a network environment, and are an interface layer between a physical File system and a service, and can abstract each File system in a Linux system, so that cores of different File Systems in the Linux system and other processes running in the system are the same. The VFS is not an actual file system, only exists in the memory, and does not exist in any external memory space, and is established when the system is started and died when the system is closed.
The file system refers to a method and a data structure for indicating files on a disk or a partition by a terminal operating system, and generally, the organization structure of the file system is a tree structure, wherein each node is a file or a directory, and the files or directories in the file system can be used as objects to be accessed.
In an embodiment, as shown in fig. 1, fig. 1 is a schematic flowchart of a file access control method provided in an embodiment of the present disclosure, and specifically includes the following steps:
s00: and responding to the security policy input by the administrator, and acquiring the path information of the file.
The path information of the file refers to path information corresponding to a file to be accessed by a user, and for example, for a file a to be accessed by the user, the path information corresponding to the file a is/usr/local/a, but is not limited thereto, and the disclosure is not particularly limited thereto. The file access request refers to an access request sent by a user to a file, and mainly comprises read, write and executable access requests.
The security policy refers to a rule set for implementing security protection on a file, and an administrator may set an access right of the corresponding file, but the disclosure is not limited thereto, and those skilled in the art may set the rule according to actual situations.
Specifically, when the administrator inputs the security policy, the terminal device, such as a computer, responds to the security policy to obtain the path information of the file corresponding to the security policy input by the administrator.
For example, when a terminal device such as a computer receives a security policy input by an administrator, in response to the security policy input by the administrator, a kernel module is created in a kernel space, and a character device is established at the same time, and a user space sends path information of a file to the kernel module through the character device to obtain the path information of the file, but the disclosure is not limited thereto.
It should be noted that, the user space refers to an application program running space, the kernel space refers to a running space for executing a driver, and when the user space needs to implement an operation on the kernel, for example, when a read () function is used to implement an access request on a file, since the user space cannot directly operate the kernel, a method of "system call" is used to implement an operation from the user space to the kernel space, so as to implement an access request on the file.
Character devices are used to enable communication between user space and kernel space.
S01: and acquiring an initial file access rule corresponding to the file based on the path information, and storing the initial file access rule.
The initial file access rule refers to an original access rule of a file that is default by a system in a terminal device, such as a computer, for example, for the file a, the initial access rule may be, for example, a read-only mode, that is, only a request access for performing a read on the file a is allowed, but is not limited thereto, and the disclosure is not particularly limited.
Specifically, the terminal device, such as a computer, obtains an initial file access rule corresponding to the file by calling a corresponding function according to the obtained path information, and stores the initial file access rule after obtaining the initial file access rule.
For example, the storing the initial file access rule may be that the initial file access rule is sent to a user space by a kernel module through a character device, and the initial file access rule is stored in the user space, but the disclosure is not limited thereto, and a person skilled in the art may specifically set the initial file access rule according to actual situations.
Based on the foregoing embodiments, in some embodiments of the present disclosure, further, as shown in fig. 2, one possible implementation manner of S01 is as follows:
s011, acquiring a first initial node structure member and a second initial node structure member corresponding to the file based on the path information.
The initial node structure member refers to that each file is regarded as a node in a file system, and each node stores the structure member corresponding to the file, such as information of access authority, access time and the like of the file.
Illustratively, after receiving the path information of the file, the terminal device, such as a kernel module in the computer, calls the function kernel _ path () according to the file virtual system and the path information of the file to obtain a first initial node structure member, such as i _ opflags, and a second initial node structure member, i _ flags, where the first initial node structure member and the second initial node structure member are used to set the access authority of the file, but not limited thereto, and those skilled in the art may set the access authority according to actual situations.
S012, reading a first initial flag bit corresponding to the first initial node structure member based on the first initial node structure member, and reading a second initial flag bit corresponding to the second initial node structure member based on the second initial node structure member, so as to obtain an initial file access rule corresponding to the file.
For example, for the first initial flag bit, such as the IOP _ fasttherm bit, to indicate to ignore the control effect of the second initial flag bit, such as the S _ IMMUTABLE bit, is used to indicate the access request mode of the file, for example, for the file a, the access request mode of the file a may be read only by setting the S _ IMMUTABLE bit, but the disclosure is not limited thereto, and those skilled in the art may specifically set the access right to the file according to the actual situation.
Specifically, after a first initial node structure member and a second initial node structure member corresponding to the file are obtained, a first initial flag bit and a second initial flag bit corresponding to the first initial node structure member and the second initial node structure member are respectively read, so as to obtain an initial file access rule corresponding to the file.
S02: and obtaining a target file access rule based on the initial file access rule and the security policy.
The target file access rule at least comprises a first target flag bit and a second target flag bit, the first target flag bit is used for indicating reading of the second target flag bit, the second target flag bit is used for indicating an access request mode corresponding to a file, and the access request mode at least comprises a file read-only mode.
Specifically, after the terminal device, such as a computer, acquires the initial file access rule, the terminal device processes the initial file access rule according to the security policy input by the administrator, so as to obtain the target file access rule corresponding to the file.
Based on the foregoing embodiments, in some embodiments of the present disclosure, further, as shown in fig. 3, one possible implementation manner of S02 is as follows:
s021, based on the security policy, rewriting a first initial zone bit in the initial file access rule to obtain a first target zone bit, and rewriting a second initial zone bit in the initial file access rule to obtain a second target zone bit.
S022, obtaining a target file access rule based on the first target zone bit and the second target zone bit.
Specifically, according to a security policy input by an administrator, a first initial zone bit read by a first initial structure member and a second initial zone bit read by a second initial structure member are rewritten to obtain a first target zone bit and a second target zone bit corresponding to the first initial zone bit and the second initial zone bit, respectively, so as to obtain a target file access rule.
For example, the first initial flag bit, such as the IOP _ fasttherm bit, is used to indicate that the file access request is quickly implemented, and after the IOP _ fasttherm bit is rewritten, the first target flag bit is obtained, so that after the first target flag bit is read, the kernel module of the terminal device, such as a computer, does not quickly implement the file access request any more, but executes an operation of reading the second target flag bit.
The second initial flag bit, for example, the S _ IMMUTABLE bit, is used to indicate an access request mode of a file, for example, for the file a, the access request mode of the file a may be a write-only mode through the S _ IMMUTABLE bit, or may also be a read mode, a write mode, and an executable mode exist at the same time, and after the S _ IMMUTABLE bit is rewritten, a second target flag bit is obtained, so that after a kernel module of a terminal device, such as a computer, reads the second target flag bit, it is known that the access request mode of the file a is only a read-only mode, but the disclosure is not limited thereto, and a person skilled in the art may specifically set the access request mode according to an actual situation.
Thus, the embodiment obtains the path information of the file by responding to the security policy input by the administrator; based on the path information, obtaining an initial file access rule corresponding to the file, and storing the initial file access rule; and obtaining a target file access rule based on the initial file access rule and the security policy, wherein the target file access rule at least comprises a first target flag bit and a second target flag bit, the first target flag bit is used for indicating to read the second target flag bit, the second target flag bit is used for indicating an access request mode corresponding to the file, and the access request mode at least comprises a file read-only mode. In this way, the target file access rule is set in the file virtual system, and the setting of the file access authority is realized according to the first target zone bit and the second target zone bit in the target file access rule, so that the performance consumption of the system is reduced, the file is ensured not to be modified, and the security of file access control is improved.
Fig. 4 is a schematic flowchart of another file access control method provided in an embodiment of the present disclosure, where fig. 4 is based on the embodiment shown in fig. 3, and as shown in fig. 4, further includes:
s03: and updating the target file access rule to the initial file access rule in response to the security policy input by the administrator.
Specifically, when the terminal device, such as a computer, receives the security policy input by the administrator, the stored initial file access rule is used to update the target file access rule.
Illustratively, when a terminal device such as a computer receives a security policy input by an administrator at a kernel module, if the security policy is to restore a file to an initial file access rule, a user space sends the stored initial file access rule to a kernel space through a character device, and after receiving the initial file access rule, the kernel space updates a target file access rule to the initial file access rule.
On the basis of the foregoing embodiment, in some embodiments of the present disclosure, further before acquiring, based on the path information, the first initial node structure member and the second initial node structure member corresponding to the file, the method further includes:
and judging whether the initial node structure members corresponding to the files comprise a first initial node structure member and a second initial node structure member. And if so, acquiring a first initial node structure member and a second initial node structure member corresponding to the file based on the path information.
For example, whether the initial node structure member corresponding to the file includes the first initial node structure member and the second initial node structure member may be determined, by obtaining a kernel version of a current terminal device, such as a computer, and determining that the kernel version is higher than 3.1, the initial node structure member corresponding to the file includes the first initial node structure member and the second initial node structure member, and when it is determined that the initial node structure member corresponding to the file includes the first initial node structure member and the second initial node structure member, the first initial node structure member and the second initial node structure member corresponding to the file are obtained.
Fig. 5 is a schematic flowchart of another file access control method provided in an embodiment of the present disclosure, and fig. 5 is based on the embodiment shown in fig. 4, as shown in fig. 4, further including:
s041: when a file access request input by a user is received, an access request mode corresponding to a file is obtained based on a target file access rule.
S042: when the access request pattern is consistent with the file access request, the file access request is executed.
Specifically, when a terminal device such as a computer receives a file access request input by a user, a kernel module of the terminal device such as the computer reads a second target flag bit in a target file access rule to obtain an access request mode of the file which the user needs to access, and judges whether an access request mode corresponding to the file is consistent with the file access request input by the user, and when the access request mode is consistent with the file access request input by the user, the file access request is executed.
Illustratively, the file a to be accessed by the user obtains, according to the second target flag bit in the target file access rule, that the access request mode corresponding to the file a is read-only, and if the file access request input by the user is read, it is determined that the access request mode corresponding to the file a is consistent with the file access request input by the user, the file access request input by the user is executed, so as to implement the read operation on the file.
In this way, the embodiment sets the target file access rule of the file to realize the setting of the file access authority, and when receiving the file access request input by the user, the embodiment can ensure the security of the file according to the target file access rule.
It should be understood that although the various steps in the flowcharts of fig. 1-5 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least some of the steps in fig. 1-5 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternating with other steps or at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 6, there is provided a file access control apparatus including: a path information obtaining module 00, a processing module 01 and a target file access rule obtaining module 02.
The path information acquiring module 00 is configured to respond to a security policy input by an administrator to acquire path information of a file;
and the processing module 01 is configured to obtain an initial file access rule corresponding to the file based on the path information, and store the initial file access rule.
And a target file access rule obtaining module 02, configured to obtain a target file access rule based on the initial file access rule and the security policy, where the target file access rule at least includes a first target flag bit and a second target flag bit, the first target flag bit is used to indicate reading of the second target flag bit, the second target flag bit is used to indicate an access request mode corresponding to the file, and the access request mode at least includes a file read-only mode.
In an embodiment of the present invention, the processing module 01 is specifically configured to obtain, based on the path information, a first initial node structure member and a second initial node structure member corresponding to the file; and reading a first initial zone bit corresponding to the first initial node structure member based on the first initial node structure member, and reading a second initial zone bit corresponding to the second initial node structure member based on the second initial node structure member to obtain an initial file access rule corresponding to the file.
In an embodiment of the present invention, the target file access rule obtaining module 02 is specifically configured to, based on a security policy, rewrite a first initial flag bit in an initial file access rule to obtain a first target flag bit, and rewrite a second initial flag bit in the initial file access rule to obtain a second target flag bit; and obtaining the target file access rule based on the first target zone bit and the second target zone bit.
In an implementation manner of an embodiment of the present invention, the apparatus further includes: and the updating module is used for responding to the security policy input by the administrator and updating the target file access rule into the initial file access rule.
In an implementation manner of an embodiment of the present invention, the apparatus further includes: the judging module is used for judging whether the initial node structure members corresponding to the files comprise a first initial node structure member and a second initial node structure member; the processing module 01 is further specifically configured to, if the initial node structure member corresponding to the file includes a first initial node structure member and a second initial node structure member, obtain the first initial node structure member and the second initial node structure member corresponding to the file based on the path information.
In an implementation manner of an embodiment of the present invention, the apparatus further includes: the execution module is used for acquiring an access request mode corresponding to a file based on a target file access rule when a file access request input by a user is received; when the access request pattern is consistent with the file access request, the file access request is executed.
In the above embodiment, the path information obtaining module 00 is configured to obtain the path information of the file in response to the security policy input by the administrator; and the processing module 01 is configured to obtain an initial file access rule corresponding to the file based on the path information, and store the initial file access rule. And a target file access rule obtaining module 02, configured to obtain a target file access rule based on the initial file access rule and the security policy, where the target file access rule at least includes a first target flag bit and a second target flag bit, the first target flag bit is used to indicate reading of the second target flag bit, the second target flag bit is used to indicate an access request mode corresponding to the file, and the access request mode at least includes a file read-only mode. In this way, the target file access rule is set in the file virtual system, and the setting of the access authority of the file is realized according to the first target zone bit and the second target zone bit in the target file access rule, so that the performance consumption of the system is reduced, the file is ensured not to be modified, and the security of file access control is improved.
For specific limitations of the file access control device, reference may be made to the above limitations of the file access control method, which are not described herein again. The various modules in the server described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
An embodiment of the present disclosure provides an electronic device, including: the file access control method provided in the embodiments of the present disclosure may be implemented when the processor executes the computer program, for example, the technical solution of any one of the method embodiments shown in fig. 1 to 5 may be implemented when the processor executes the computer program, and the implementation principle and the technical effect are similar, and are not described herein again.
The present disclosure also provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, may implement the file access control method provided in the embodiments of the present disclosure, for example, when executed by the processor, implement the technical solution of any one of the method embodiments shown in fig. 1 to 5, and the implementation principle and the technical effect are similar, and are not described herein again.
The present disclosure provides a computer program product, when the computer program product runs on a computer, so that the file access control method provided in the embodiments of the present disclosure can be implemented when the computer executes, for example, when the computer executes, the technical solution of any one of the method embodiments shown in fig. 1 to 5 is implemented, and the implementation principle and the technical effect are similar, and details are not repeated here.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, databases, or other media used in the embodiments provided by the present disclosure may include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM is available in many forms, such as Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), and the like.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present disclosure, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for those skilled in the art, various changes and modifications can be made without departing from the concept of the present disclosure, and these changes and modifications are all within the scope of the present disclosure. Therefore, the protection scope of the present disclosure should be subject to the appended claims.

Claims (10)

1. A file access control method is applied to a virtual file system and comprises the following steps:
responding to a security policy input by an administrator, and acquiring path information of a file;
based on the path information, obtaining an initial file access rule corresponding to the file, and storing the initial file access rule;
and obtaining a target file access rule based on the initial file access rule and the security policy, wherein the target file access rule at least comprises a first target flag bit and a second target flag bit, the first target flag bit is used for indicating to read the second target flag bit, the second target flag bit is used for indicating an access request mode corresponding to the file, and the access request mode at least comprises a file read-only mode.
2. The method according to claim 1, wherein the obtaining of the initial file access rule corresponding to the file based on the path information comprises:
acquiring a first initial node structure member and a second initial node structure member corresponding to the file based on the path information;
and reading a first initial zone bit corresponding to the first initial node structure member based on the first initial node structure member, and reading a second initial zone bit corresponding to the second initial node structure member based on the second initial node structure member to obtain an initial file access rule corresponding to the file.
3. The method of claim 2, wherein deriving the target file access rule based on the initial file access rule and the security policy comprises:
based on the security policy, rewriting the first initial flag bit in the initial file access rule to obtain the first target flag bit, and rewriting the second initial flag bit in the initial file access rule to obtain the second target flag bit;
and obtaining the target file access rule based on the first target zone bit and the second target zone bit.
4. The method of claim 1, further comprising:
updating the target file access rule to the initial file access rule in response to the security policy entered by an administrator.
5. The method according to claim 2, wherein before obtaining the first initial node structure member and the second initial node structure member corresponding to the file based on the path information, the method further comprises:
judging whether the initial node structure members corresponding to the file comprise the first initial node structure member and the second initial node structure member;
and if so, acquiring the first initial node structure member and the second initial node structure member corresponding to the file based on the path information.
6. The method according to claim 1, characterized in that it comprises:
when a file access request input by a user is received, acquiring an access request mode corresponding to the file based on the target file access rule;
and when the access request mode is consistent with the file access request, executing the file access request.
7. A file access control apparatus, comprising:
the path information acquisition module is used for responding to a security policy input by an administrator and acquiring the path information of the file;
the processing module is used for acquiring an initial file access rule corresponding to the file based on the path information and storing the initial file access rule;
and a target file access rule obtaining module, configured to obtain a target file access rule based on the initial file access rule and the security policy, where the target file access rule at least includes a first target flag bit and a second target flag bit, the first target flag bit is used to indicate to read the second target flag bit, the second target flag bit is used to indicate an access request mode corresponding to the file, and the access request mode at least includes a file read-only mode.
8. An electronic device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the file access control method according to any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the file access control method according to any one of claims 1 to 6.
10. A computer program product, characterized in that it causes a computer to carry out the steps of the file access control method according to any one of claims 1 to 6, when said computer program product is run on said computer.
CN202111663378.6A 2021-12-31 2021-12-31 File access control method, file access control device, electronic device, medium, and program product Pending CN114372282A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111663378.6A CN114372282A (en) 2021-12-31 2021-12-31 File access control method, file access control device, electronic device, medium, and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111663378.6A CN114372282A (en) 2021-12-31 2021-12-31 File access control method, file access control device, electronic device, medium, and program product

Publications (1)

Publication Number Publication Date
CN114372282A true CN114372282A (en) 2022-04-19

Family

ID=81141595

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111663378.6A Pending CN114372282A (en) 2021-12-31 2021-12-31 File access control method, file access control device, electronic device, medium, and program product

Country Status (1)

Country Link
CN (1) CN114372282A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116663042A (en) * 2023-08-01 2023-08-29 北京长扬软件有限公司 Access control method, device, equipment and storage medium of multi-user-level directory

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116663042A (en) * 2023-08-01 2023-08-29 北京长扬软件有限公司 Access control method, device, equipment and storage medium of multi-user-level directory
CN116663042B (en) * 2023-08-01 2023-10-13 北京长扬软件有限公司 Access control method, device, equipment and storage medium of multi-user-level directory

Similar Documents

Publication Publication Date Title
EP3317805B1 (en) A policy aware unified file system
US6714949B1 (en) Dynamic file system configurations
US6859812B1 (en) System and method for differentiating private and shared files within a computer cluster
EP0323013A2 (en) Method of operating a multiprocessor system employing a shared virtual memory
US10353636B2 (en) Write filter with dynamically expandable overlay
US11461267B2 (en) Method, device and computer readable medium for accessing files
US20070162515A1 (en) Method and apparatus for cloning filesystems across computing systems
CA2480459A1 (en) Persistent key-value repository with a pluggable architecture to abstract physical storage
CN108170495B (en) BIOS upgrading method, system, equipment and computer readable storage medium
US10620871B1 (en) Storage scheme for a distributed storage system
US8949590B2 (en) Controlling access to software component state
US11960442B2 (en) Storing a point in time coherently for a distributed storage system
CN114372282A (en) File access control method, file access control device, electronic device, medium, and program product
CN114995948A (en) Method, device, equipment and system for downloading secure container mirror image file
CN113296891B (en) Platform-based multi-scene knowledge graph processing method and device
US8561050B2 (en) Method and system for updating an application
CN107832097B (en) Data loading method and device
US10127270B1 (en) Transaction processing using a key-value store
CN110119388B (en) File reading and writing method, device, system, equipment and computer readable storage medium
US20220269651A1 (en) Managing data hidden by userspace filesystem
US9904602B1 (en) Secure search
CN111708626A (en) Data access method and device, computer equipment and storage medium
CN116257326B (en) Method and device for managing storage space of container
CN113590309B (en) Data processing method, device, equipment and storage medium
CN113495746B (en) Program upgrading method, device, medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination