CN115510429A - Sandbox application access right control method, computing device and readable storage medium - Google Patents


Info

Publication number: CN115510429A
Authority: CN (China)
Prior art keywords: service, application, sandbox, access, target service
Legal status: Granted
Application number: CN202211452409.8A
Other languages: Chinese (zh)
Other versions: CN115510429B (en)
Inventors: 刘建强, 胡庆红, 袁啟良, 袁海胜
Current assignee: Uniontech Software Technology Co Ltd
Original assignee: Uniontech Software Technology Co Ltd

Events

Application filed by Uniontech Software Technology Co Ltd
Priority to CN202211452409.8A
Publication of CN115510429A
Application granted
Publication of CN115510429B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Theoretical Computer Science
  • Software Systems
  • General Engineering & Computer Science
  • Computer Hardware Design
  • Physics & Mathematics
  • General Physics & Mathematics
  • General Health & Medical Sciences
  • Bioethics
  • Health & Medical Sciences
  • Automation & Control Theory
  • Storage Device Security

Abstract

The invention discloses a sandbox application access right control method, a computing device and a readable storage medium, and relates to the field of computers. The sandbox application access right control method comprises the following steps: the sandbox application is monitored through a socket file mounted in the sandbox. When a dbus message of the sandbox application is detected, the dbus message is parsed to obtain the associated information of the target service that the sandbox application intends to access. The associated information of the target service is then matched against the associated information of each accessible service stored in the configuration file of the sandbox application. If the matching succeeds, the dbus message is forwarded to the bus daemon process. If the matching fails, access to the target service is applied for. If access is allowed, the dbus message is forwarded to the bus daemon process; if access is denied, an error message is sent to the sandbox application. The invention supports the user in dynamically authorizing the sandbox application to access host services, so that the user can configure the access rights of the sandbox application more conveniently and flexibly.

Description

Sandbox application access right control method, computing device and readable storage medium
Technical Field
The invention relates to the field of computers, in particular to a sandbox application access right control method, a computing device and a readable storage medium.
Background
The message bus system dbus is an efficient IPC mechanism that is widely used for cross-process communication within a system. An application program running in a sandbox can conveniently access host resources through the dbus bus.
However, a sandbox is by nature a security mechanism: its purpose is to provide an isolated operating environment for the applications running in it, thereby protecting the security and stability of the host system. Therefore, it is necessary to place certain restrictions on the access of sandboxed applications to host resources over the dbus bus.
Disclosure of Invention
To this end, the present invention provides a sandbox application access right control method, a computing device and a readable storage medium in an attempt to solve, or at least alleviate, the above problems.
According to an aspect of the present invention, a sandbox application access right control method is provided, where a configuration file of the sandbox application stores the associated information of each accessible service that the sandbox application may access through the message bus system dbus in the sandbox, and a socket file is mounted in the sandbox. The method includes: monitoring the sandbox application through the socket file; when a dbus message of the sandbox application is detected, parsing the dbus message to obtain the associated information of the target service that the sandbox application intends to access; matching the associated information of the target service with the associated information of each accessible service stored in the configuration file; if the matching succeeds, forwarding the dbus message to a bus daemon process; if the matching fails, applying for access to the target service; if the application result is that access is allowed, forwarding the dbus message to the bus daemon process; and if the application result is that access is denied, sending an error message to the sandbox application to inform it that it does not have the right to access the target service.
Optionally, in the method for managing and controlling access permissions of sandbox application according to the present invention, the sandbox application is equipped with a permission setting file, and accordingly, the associated information of each accessible service stored in the configuration file is configured through the permission setting file.
Optionally, in the method for managing and controlling access rights to a sandbox application according to the present invention, the associated information of each accessible service stored in the configuration file is configured through a terminal command.
Optionally, in the method for managing and controlling access rights to a sandbox application according to the present invention, the associated information includes a service name, a service path, and a service interface.
Optionally, in the method for managing and controlling access permissions of a sandbox application according to the present invention, matching the associated information of the target service with the associated information of each accessible service stored in the configuration file includes: matching the service name, the service path and the service interface of the target service with the service name, the service path and the service interface of each accessible service respectively; and if the service name, the service path and the service interface of the accessible service are completely the same as those of the target service, judging that the matching is successful, otherwise, judging that the matching is failed.
Optionally, in the method for managing and controlling access permissions of a sandbox application according to the present invention, the permission of access includes a current permission and a permanent permission, and the denial of access includes a current denial and a permanent denial.
Optionally, in the method for managing and controlling access rights of a sandboxed application according to the present invention, if the permission of access is a permanent permission, the method further comprises: determining the target service as an accessible service and adding its associated information to the configuration file; and if the denial of access is a permanent denial, the method further comprises: determining the target service as an inaccessible service and storing its associated information in the configuration file.
Optionally, in the method for managing and controlling access rights of a sandbox application according to the present invention, after obtaining the associated information of the target service that the sandbox application intends to access, the method further includes: matching the associated information of the target service with the associated information of each inaccessible service stored in the configuration file; if this matching fails, proceeding to match the associated information of the target service with the associated information of each accessible service stored in the configuration file; and if this matching succeeds, sending an error message to the sandbox application to inform it that it does not have the right to access the target service.
According to yet another aspect of the invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing a method of regulating access rights of a sandboxed application according to the present invention.
According to still another aspect of the present invention, there is provided a readable storage medium storing program instructions which, when read and executed by a computing device, cause the computing device to execute a method of regulating access rights to a sandboxed application according to the present invention.
According to the sandbox application access right control method of the present invention, the sandbox application is monitored through the socket file mounted in the sandbox. When a dbus message of the sandbox application is detected, the dbus message is parsed to obtain the associated information of the target service that the sandbox application intends to access. The associated information of the target service is then matched against the associated information of each accessible service stored in the configuration file of the sandboxed application. If the matching succeeds, the dbus message is forwarded to the bus daemon. If the matching fails, access to the target service is applied for. If the application result is that access is allowed, the dbus message is forwarded to the bus daemon process; if the application result is that access is denied, an error message is sent to the sandbox application to inform it that it does not have the right to access the target service.
Therefore, the invention controls the right of the sandbox application to access host resources through dbus, so that the sandbox application can only access services to which access has been granted, which enhances the security of the system. In addition, the method supports the user in dynamically authorizing the sandbox application to access host services, so that the user can configure the access rights of the sandbox application more conveniently and flexibly, and the user experience is improved.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a block diagram of a computing device 100 according to one embodiment of the invention;
FIG. 2 illustrates a flow diagram of a method 200 for governing access rights of a sandboxed application according to one embodiment of the present invention;
FIG. 3 illustrates a popup window asking whether to allow access to a target service according to an embodiment of the present invention;
FIG. 4 illustrates a flow diagram of a method for managing access rights of a sandboxed application according to another embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to protect the security of the host system, it is necessary to restrict the access of applications in the sandbox to the resources (or services) of the host via the dbus bus. To this end, each service that the sandbox application may access through dbus can be specified with a static command parameter before the sandbox application is run; that is, the right of the sandbox application to access services through dbus can be configured through a terminal command. For example, when the com.belmoussaoui.Decoder application needs to access the com.deepin.linglong.AppManager service, a --talk-name parameter specifying the service name may be added before executing the application. Specifically, the terminal command configuration is as follows:
flatpak run --talk-name=com.deepin.linglong.AppManager com.belmoussaoui.Decoder
However, with this approach, the right to access a service can only be configured before the sandboxed application runs. If the sandbox application is run without the services accessible through dbus having been configured, the application cannot access host resources through dbus after it starts and therefore cannot run normally. In that case, to make the application run normally, the user has to quit the application sandbox and re-execute the command with the configuration parameters; that is, the application has to be cold-restarted for configuration, which is cumbersome.
Based on the above, the invention provides a sandbox application access right control method. In this method, the right of the sandbox application to access host resources through dbus can be configured not only through configuration parameters when the user runs the application, but also through a preset static configuration file, and can further be configured dynamically while the sandbox application is running.
Fig. 1 illustrates a block diagram of the physical components (i.e., hardware) of a computing device 100. In a basic configuration, computing device 100 includes at least one processing unit 102 and system memory 104. According to one aspect, the processing unit 102 may be implemented as a processor depending on the configuration and type of computing device. The system memory 104 includes, but is not limited to, volatile storage (e.g., random access memory), non-volatile storage (e.g., read-only memory), flash memory, or any combination of such memories. According to one aspect, operating system 105 and program modules 106 are included in system memory 104, and privilege management module 120 is included in program modules 106, privilege management module 120 being configured to perform a method 200 of managing access privileges for sandboxed applications of the present invention.
According to one aspect, the operating system 105 is, for example, adapted to control the operation of the computing device 100. Further, the examples are practiced in conjunction with a graphics library, other operating systems, or any other application program, and are not limited to any particular application or system. This basic configuration is illustrated in fig. 1 by those components within dashed line 108. According to one aspect, the computing device 100 has additional features or functionality. For example, according to one aspect, computing device 100 includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 1 by removable storage 109 and non-removable storage 110.
As stated hereinabove, according to one aspect, program modules are stored in the system memory 104. According to one aspect, the program modules may include one or more application programs, the invention not being limited to the type of application program, for example, the application programs may include: email and contacts applications, word processing applications, spreadsheet applications, database applications, slide show applications, drawing or computer-aided applications, web browser applications, and the like.
According to one aspect, examples may be practiced in a circuit comprising discrete electronic elements, a packaged or integrated electronic chip containing logic gates, a circuit utilizing a microprocessor, or on a single chip containing electronic elements or microprocessors. For example, an example may be practiced via a system on a chip (SOC) in which each or many of the components shown in fig. 1 may be integrated on a single integrated circuit. According to one aspect, such SOC devices may include one or more processing units, graphics units, communication units, system virtualization units, and various application functions, all integrated (or "burned") onto a chip substrate as a single integrated circuit. When operating via an SOC, the functionality described herein may be operated via application-specific logic integrated with other components of the computing device 100 on the single integrated circuit (chip). Embodiments of the invention may also be practiced using other technologies capable of performing logical operations (e.g., AND, OR, and NOT), including but not limited to mechanical, optical, fluidic, and quantum technologies. In addition, embodiments of the invention may be practiced within a general purpose computer or in any other circuit or system.
According to one aspect, computing device 100 may also have one or more input devices 112, such as a keyboard, mouse, pen, voice input device, touch input device, or the like. Output device(s) 114 such as a display, speakers, printer, etc. may also be included. The foregoing devices are examples and other devices may also be used. Computing device 100 may include one or more communication connections 116 that allow communication with other computing devices 118. Examples of suitable communication connections 116 include, but are not limited to: RF transmitter, receiver and/or transceiver circuitry; universal Serial Bus (USB), parallel, and/or serial ports.
The term computer readable media as used herein includes computer storage media. Computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, or program modules. System memory 104, removable storage 109, and non-removable storage 110 are all examples of computer storage media (i.e., memory storage). Computer storage media may include Random Access Memory (RAM), read-only memory (ROM), electrically erasable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other article of manufacture that may be used to store information and that may be accessed by computing device 100. In accordance with one aspect, any such computer storage media may be part of computing device 100. Computer storage media does not include a carrier wave or other propagated data signal.
According to one aspect, communication media is embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal (e.g., a carrier wave or other transport mechanism) and includes any information delivery media. According to one aspect, the term "modulated data signal" describes a signal that has one or more characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio Frequency (RF), infrared, and other wireless media.
FIG. 2 illustrates a flow diagram of a method 200 for governing access rights to sandboxed applications according to one embodiment of the present invention, where method 200 is suitable for execution within a computing device (e.g., computing device 100 shown in FIG. 1).
First, a sandbox application refers to an application running in a sandbox, which can access services of the host through the message bus system dbus within the sandbox. In order to protect the security of the host system, the invention manages the right of the sandbox application to access host services through dbus in the sandbox: the sandbox application is only allowed to access services to which access has been granted, and is not allowed to access other services.
Specifically, for each service that the sandboxed application is allowed to access through the dbus within the sandbox, the sandboxed application may be granted access to this service by storing its associated information in the configuration file of the sandboxed application. Therefore, the configuration file of the sandbox application stores the associated information of each accessible service that the sandbox application can access through dbus in the sandbox. The associated information may include a service name, a service path, and a service interface. That is, the sandboxed application's configuration file has stored therein the service name, service path, and service interface of each service it may access through dbus (i.e., each accessible service is identified by its name, path, and interface). Of course, in some embodiments, some other information of the service may also be stored, and the invention is not limited thereto.
According to an embodiment of the present invention, the associated information of each accessible service stored in the configuration file of the sandbox application may be configured through a terminal command. That is, the associated information of each service that the sandboxed application can access through dbus is written into the configuration file using the terminal command.
An example of configuring, through a terminal command, the service name, service path and service interface of an accessible service for a sandbox application is as follows:
ll-cli run --session --filter-name=com.deepin.linglong.AppManager --filter-path=/com/deepin/linglong/PackageManager --filter-interface=com.deepin.linglong.PackageManager org.deepin.music
In addition, in some embodiments, the sandbox application may be further provided with a permission setting file, and then the associated information of each service accessible in the sandbox application is stored in the configuration file of the sandbox application through the permission setting file, that is, the associated information of each accessible service stored in the configuration file is configured through the permission setting file.
In particular, the permission setting file may include the associated information of the services that the sandboxed application is allowed to access, and in some embodiments may further include the dbus type that the sandboxed application is allowed to access and the name of the sandboxed application. For example, when the associated information includes a service name, a service path and a service interface, the permission setting file contains the name of the sandbox application, the dbus type the sandbox is allowed to access, and the service name, service path and service interface of each service the sandbox application is allowed to access.
In the following, the configuration of the service name, service path and service interface of the accessible service org.freedesktop.portal.Flatpak for the sandbox application org.deepin.test in the permission setting file info is taken as an example:
{
    "dbuspermission": {
        "type": "session",
        "appId": "org.deepin.test",
        "permission": [
            {
                "name": "org.freedesktop.portal.Flatpak",
                "path": "/org/freedesktop/portal/Flatpak",
                "interface": "org.freedesktop.portal.Flatpak"
            }
        ]
    }
}
Here, type is the dbus type that may be accessed, which is one of two values, session or system; appId is the unique name of the application; permission is the list of allowed access rights, in which name is the service name, path the service path and interface the service interface that the application is allowed to access.
It should be noted that the format of the permission setting file may be the JSON format shown above, or may also be XML format, db format and the like; the present invention is not limited thereto. In addition, the permission setting file supports the use of wildcards in the configuration of the associated information of accessible services (the wildcard characters are shown in an image in the original and are not reproduced here).
Therefore, when the sandbox application is authorized to access a service through dbus, the invention allows authorization not only through a terminal command but also through the permission setting file, so that a user can set the access rights of the sandbox application more conveniently and flexibly.
Next, a method 200 for managing access rights of a sandboxed application according to the present invention will be described. As shown in FIG. 2, the method 200 begins at 210. Before 210 is executed, a socket file may be mounted in the sandbox, in particular at /run/user/$UID/bus in the sandbox. Of course, this is merely an example, and the present invention is not limited thereto. A socket is an abstraction layer through which an application can send or receive data. Therefore, once the socket file is mounted in the sandbox, the sandbox application can use the socket file to exchange data with other processes and thereby transmit socket messages (e.g., dbus messages). Consequently, the sandbox application can be monitored through the socket file mounted in the sandbox. Next, 210 is entered.
At 210, the sandboxed application is monitored through the socket file; more specifically, its dbus messages are monitored. When a dbus message of the sandbox application is detected, 220 is entered: the dbus message is parsed to obtain the associated information of the target service that the sandbox application intends to access.
According to one embodiment of the invention, dbus can be monitored after the sandbox application establishes a connection with dbus, and the monitoring may be performed by the DbusProxy module. When a dbus message of the sandbox application is detected, the dbus message is parsed. In some embodiments, the dbus message may be parsed by the dbus message module, and the associated information of the service contained in the dbus message is obtained and used as the associated information of the target service that the sandbox application intends to access.
Then, at 230, the associated information of the target service is matched with the associated information of each accessible service stored in the configuration file; the matching can be performed by the dbus filter module. As already noted above, the associated information may include a service name (name), a service path (path), and a service interface (interface). Accordingly, matching the associated information of the target service against that of each accessible service in the configuration file specifically means matching the service name, service path and service interface of the target service with the service name, service path and service interface of each accessible service, respectively. If the service name, service path and service interface of an accessible service are all identical to those of the target service, the matching is judged successful; otherwise, it is judged to have failed.
If the matching succeeds, the sandbox application is judged to have the right to access the target service, the method proceeds to 240, and the dbus message is forwarded to the bus daemon process (dbus-daemon). If the matching fails, the sandbox application is judged not to have the right to access the target service at present, and the method proceeds to 250 to apply for access to the target service. Specifically, the application may take the form of a popup window asking whether to allow access to the target service; that is, after the matching fails, a popup window asking whether to allow access to the target service is displayed. In some embodiments, the popup window may include an allow-access button and a deny-access button, so that the user can allow or deny the sandboxed application access to the target service by clicking the respective button.
If the application result is that access is allowed (i.e., the user allows the sandboxed application to access the target service), 260 is entered and the dbus message is forwarded to the bus daemon. If the application result is that access is denied (i.e., the user denies the sandbox application access to the target service), 270 is entered and an error message is sent to the sandbox application to notify it that it does not have the right to access the target service. That is, when the user does not allow the sandbox application to access the target service, the dbus message is not forwarded to the bus daemon; instead, an error message is constructed and sent to the sandbox application to inform it that it does not have the right to access the target service. The constructed error message should conform to the dbus protocol standard. An example of such a constructed error message is given below:
"l\x03\x01\x01""B\x00\x00\x00\x03\x00\x00\x00g\x00\x00\x00\x04\x01s\x00(\x00\x00\x00org.freedesktop.DBus.Error.UnknownMethod\x00\x00\x00\x00\x00\x00\x00\x00\x06\x01s\x00\x06\x00\x00\x00:1.120\x00\x00\x05\x01u\x00\x02\x00\x00\x00\b\x01g\x00\x01s\x00\x00\x07\x01s\x00\x06\x00\x00\x00:1.103\x00\x00=\x00\x00\x00org.freedesktop.DBus.Error.AccessDenied, dbus msg hijack test\x00"
it should be noted that the above is only an example, and the invention is not limited to the false positive text. In addition, with respect to the permission of access and the denial of access, the description is given here. In some embodiments, allowing access may further include allowing and permanently allowing this time, and denying access may further include denying and permanently denying this time. Taking the above example of displaying a pop-up window whether to Allow access to the target service after the matching fails, the pop-up window includes a current permission button (Allow Once), a permanent permission button (Allow), a current rejection button (Deny Once), and a permanent rejection button (Deny), as shown in fig. 3.
Specifically, if the user clicks the allow button, which indicates that the user allows the sandbox application to access the target service this time, the dbus message is forwarded to the bus daemon as described above. And if the user clicks the permanent permission button, the user indicates that the sandbox application is subsequently allowed to access the target service, and based on the result, while the dbus message is forwarded to the bus daemon process, the target service can be determined as the accessible service, and the associated information of the service is added to the configuration file of the sandbox application. That is, if the user chooses to allow access permanently, the present embodiment not only forwards the dbus message to the bus daemon, but also adds the target service as a newly accessible service for the sandboxed application to its configuration file to grant the sandboxed application subsequent access to the target service. Therefore, the method and the device not only support the permission of statically authorizing the sandbox application to access the service in a terminal command and permission setting file mode, but also support the permission of dynamically authorizing the sandbox application to access the service in a popup window mode.
Similarly, if the user clicks the reject button this time, indicating that the user does not allow the sandbox application to access the target service this time, the user sends an error message to the sandbox application as described above. And if the user clicks the permanent rejection button, the user indicates that the sandbox application is not allowed to access the target service subsequently, and based on the fact that the user sends an error message to the sandbox application, the target service can be determined to be the inaccessible service and the associated information of the inaccessible service is stored in the configuration file. That is, if the user chooses to permanently deny access, this embodiment not only sends an error message to the sandbox application, informing that it does not have the right to access the target service, but also adds the target service to its configuration file as an inaccessible service of the sandbox application.
It can be seen that for services that the user permanently denies access, the present invention will also record it in the configuration file of the sandboxed application. Based on this, according to an embodiment of the present invention, after obtaining the associated information of the target service to be accessed by the sandbox application, the associated information of the target service may be first matched with the associated information of each inaccessible service stored in the configuration file of the sandbox application.
If the matching is successful, the target service is indicated to be the service which can not be accessed by the sandbox application, and then an error message is sent to the sandbox application to inform that the sandbox application does not have the right to access the target service.
And if the matching fails, matching the associated information of the target service with the associated information of each accessible service stored in the configuration file. If the association information of the accessible service is matched with the association information of the target service, the dbus message is forwarded to the bus daemon process. If there is no match between the association information of an accessible service and the association information of the target service, the user is asked whether to allow access. If the user selects the permission, the dbus message is forwarded to the bus daemon process; if the user chooses to allow permanently, the dbus message is forwarded to the bus daemon and the target service is stored as an accessible service in the sandboxed application's configuration file. If the user selects the rejection, an error message is sent to the sandbox application; if the user chooses to permanently reject, an error message is sent to the sandbox application and the target service is stored as an inaccessible service in a configuration file of the sandbox application.
For better understanding of the present invention, the method for regulating access rights of a sandbox application according to the present invention is described below with reference to fig. 4 by way of a specific example. In this example, the user configures each service accessible to the sandboxed application by setting the service name, service path, and service interface in a static white list (i.e., the permission set file described above), as follows.
Firstly, when the sandbox application is started, analyzing the starting parameters, acquiring a dbus bus monitoring address, and loading an operation configuration file app.yaml of the sandbox application.
And secondly, monitoring dbus messages of the sandbox application based on the dbus bus monitoring address, and establishing connection with a bus daemon.
And thirdly, when the dbus message of the sandbox application is monitored, the dbus message is analyzed.
And fourthly, judging whether the sandbox application has the access right or not based on the parsed dbus message. Specifically, the service name, the service path, and the service interface in the dbus message are matched with the service name, the service path, and the service interface of each service recorded in the running profile app. If the matching is successful, the sandbox application is determined to have the access right, and if the matching is failed, the sandbox application is determined not to have the access right currently.
And fifthly, after judging that the sandbox application has the access right, forwarding dbus information of the sandbox application to the bus daemon process, and after receiving a reply message of the bus daemon process, forwarding the dbus information to the sandbox application.
And sixthly, after judging that the sandbox application does not have the access right at present, applying for authorization to the user through the popup window.
And seventhly, if the user authorizes the access authority of the sandbox application, forwarding the dbus message of the sandbox application to the bus daemon process, and after receiving a reply message of the bus daemon process, forwarding the dbus message to the sandbox application.
And step eight, if the user does not authorize the access right of the sandbox application, constructing an error message to be replied to the sandbox application.
It can be seen that, in this embodiment, after the sandbox application is started, the dbus message in the sandbox is monitored. And after monitoring the dbus message of the sandbox application, matching the service name, the service path and the service interface in the dbus message with the service name, the service path and the service interface of each service set in a white list by a user. And if the matching is successful, forwarding the overheard dbus message to the bus daemon process. If the matching fails, applying for the access authority to the user in a popup mode, if the user allows, forwarding the monitored dbus message to the bus daemon, if the user does not allow, forging an error socket message which accords with the dbus protocol standard and replying the error socket message to the sandbox application, and not forwarding the monitored dbus message to the bus daemon of the host machine any more, so that the control on the access authority of the sandbox application is realized.
It is pointed out that the method can be performed by a rights management module. Therefore, the authority control module is a server side for the sandbox application program and is responsible for monitoring and forwarding dbus information of the sandbox application program to a bus daemon process of the host machine, and is a client side for the bus daemon process of the host machine and is responsible for forwarding the monitored dbus information of the sandbox application program to the bus daemon process and forwarding the dbus information replied by the bus daemon process to the sandbox application program.
In addition, the invention also tests the control method of the sandbox application access authority. Specifically, after running the application, the application sandbox is entered, and then dbus-send commands are used to simulate the sandbox application's access to the sandbox hosted system resources. Wherein, the test result is as follows: when the user selects the permission, the dbus-send can normally acquire the calling result; when the user selects the permanent permission, the dbus-send can normally acquire the calling result, and the configuration of the current user can be updated to the app.yaml permission configuration; when the user selects to reject, the client receives an error message prompt. Therefore, based on the invention, the user can dynamically configure the access authority of the sandbox application to the service in a popup mode.
In conclusion, the invention manages and controls the access authority of the sandbox application to the host machine resource through dbus, and the sandbox application can only access the service which is granted with the access authority, thereby enhancing the security of the system. In addition, the method and the device support static configuration of the access authority of the sandbox application in a terminal command and authority setting file mode, and also support dynamic configuration of the access authority of the sandbox application in a popup window mode, so that a user can more conveniently and flexibly configure the access authority of the sandbox application, and user experience is improved.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as removable hard drives, U.S. disks, floppy disks, CD-ROMs, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the method for managing access rights of the sandbox application according to the instructions in the program codes stored in the memory.
By way of example, and not limitation, readable media may comprise readable storage media and communication media. Readable storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of readable media.
In the description provided herein, algorithms and displays are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with examples of this invention. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
It should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment, or alternatively may be located in one or more devices different from the device in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the devices in an embodiment may be adaptively changed and arranged in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Moreover, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments, not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the means for performing the functions performed by the elements for the purpose of carrying out the invention.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.

Claims (10)

1. A management and control method for access authority of a sandbox application, wherein association information of each accessible service which can be accessed by the sandbox application through a message bus system dbus in the sandbox is stored in a configuration file of the sandbox application, and a socket file is hung in the sandbox, and the method comprises the following steps:
monitoring the sandbox application through the socket file;
when the dbus message of the sandbox application is monitored, analyzing the dbus message to acquire the associated information of the target service to be accessed by the sandbox application;
matching the associated information of the target service with the associated information of each accessible service stored in the configuration file;
if the matching is successful, forwarding the dbus message to a bus daemon process;
if the matching fails, applying for accessing the target service;
if the application result is that the access is allowed, forwarding the dbus message to a bus daemon process;
and if the application result is that the access is denied, sending an error message to the sandbox application to inform that the sandbox application does not have the authority of accessing the target service.
2. The method of claim 1, wherein the sandboxed application is provided with a permission profile, and accordingly, the associated information of each accessible service stored in the configuration profile is configured through the permission profile.
3. The method of claim 1, wherein the association information of each accessible service stored in the configuration file is configured by a terminal command.
4. The method of any of claims 1-3, wherein the association information includes a service name, a service path, and a service interface.
5. The method of claim 4, wherein the matching the association information of the target service with the association information of each accessible service stored in the configuration file comprises:
matching the service name, the service path and the service interface of the target service with the service name, the service path and the service interface of each accessible service respectively;
and if the service name, the service path and the service interface of the accessible service are completely the same as those of the target service, judging that the matching is successful, otherwise, judging that the matching is failed.
6. The method of any of claims 1-3, wherein the allowing access comprises a present allowing and a permanent allowing, and the denying access comprises a present denying and a permanent denying.
7. The method of claim 6, wherein:
if the allowed access is permanently allowed, the method further comprises: determining the target service as an accessible service and adding the associated information of the target service to the configuration file;
if the denial of access is a permanent denial, the method further comprises: and determining the target service as an inaccessible service, and storing the associated information of the target service into the configuration file.
8. The method of claim 7, wherein after obtaining the association information of the target service to be accessed by the sandboxed application, further comprising:
matching the associated information of the target service with the associated information of each inaccessible service stored in the configuration file;
if the matching fails, continuing to perform the matching of the associated information of the target service and the associated information of each accessible service stored in the configuration file;
and if the matching is successful, sending an error message to the sandbox application to inform that the sandbox application does not have the authority of accessing the target service.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method of any of claims 1-8.
10. A readable storage medium storing program instructions that, when read and executed by a computing device, cause the computing device to perform the method of any of claims 1-8.
CN202211452409.8A 2022-11-21 2022-11-21 Sandbox application access right control method, computing device and readable storage medium Active CN115510429B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211452409.8A CN115510429B (en) 2022-11-21 2022-11-21 Sandbox application access right control method, computing device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211452409.8A CN115510429B (en) 2022-11-21 2022-11-21 Sandbox application access right control method, computing device and readable storage medium

Publications (2)

Publication Number Publication Date
CN115510429A true CN115510429A (en) 2022-12-23
CN115510429B CN115510429B (en) 2023-04-14

Family

ID=84514122

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211452409.8A Active CN115510429B (en) 2022-11-21 2022-11-21 Sandbox application access right control method, computing device and readable storage medium

Country Status (1)

Country Link
CN (1) CN115510429B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103761472A (en) * 2014-02-21 2014-04-30 北京奇虎科技有限公司 Application program accessing method and device based on intelligent terminal
CN106384045A (en) * 2016-09-12 2017-02-08 电子科技大学 Android storage application sandbox based on application program virtualization, and communication method thereof
CN108536461A (en) * 2018-03-13 2018-09-14 Oppo广东移动通信有限公司 Resource regeneration method, device, terminal and storage medium
CN108985086A (en) * 2018-07-18 2018-12-11 中软信息系统工程有限公司 Application program authority control method, device and electronic equipment
CN109391676A (en) * 2018-07-19 2019-02-26 珠海市魅族科技有限公司 Terminal equipment control method, terminal device and computer readable storage medium
CN110851823A (en) * 2019-11-12 2020-02-28 腾讯科技(深圳)有限公司 Data access method, device, terminal and storage medium
US20220027458A1 (en) * 2020-07-25 2022-01-27 Unisys Corporation Compiiling and executing code in a secure sandbox
CN114491509A (en) * 2022-01-28 2022-05-13 济南大学 Sandbox-based malicious program behavior analysis processing method and system
CN114662090A (en) * 2022-02-24 2022-06-24 阿里巴巴(中国)有限公司 File processing method, device, storage medium and system
CN114780950A (en) * 2022-06-20 2022-07-22 中国人民解放军国防科技大学 Method, system, device and storage medium for cross-version compatible operation of application software

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103761472A (en) * 2014-02-21 2014-04-30 北京奇虎科技有限公司 Application program accessing method and device based on intelligent terminal
CN106384045A (en) * 2016-09-12 2017-02-08 电子科技大学 Android storage application sandbox based on application program virtualization, and communication method thereof
CN108536461A (en) * 2018-03-13 2018-09-14 Oppo广东移动通信有限公司 Resource regeneration method, device, terminal and storage medium
CN108985086A (en) * 2018-07-18 2018-12-11 中软信息系统工程有限公司 Application program authority control method, device and electronic equipment
CN109391676A (en) * 2018-07-19 2019-02-26 珠海市魅族科技有限公司 Terminal equipment control method, terminal device and computer readable storage medium
CN110851823A (en) * 2019-11-12 2020-02-28 腾讯科技(深圳)有限公司 Data access method, device, terminal and storage medium
US20220027458A1 (en) * 2020-07-25 2022-01-27 Unisys Corporation Compiiling and executing code in a secure sandbox
CN114491509A (en) * 2022-01-28 2022-05-13 济南大学 Sandbox-based malicious program behavior analysis processing method and system
CN114662090A (en) * 2022-02-24 2022-06-24 阿里巴巴(中国)有限公司 File processing method, device, storage medium and system
CN114780950A (en) * 2022-06-20 2022-07-22 中国人民解放军国防科技大学 Method, system, device and storage medium for cross-version compatible operation of application software

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
蒋文娟等: "沙箱技术比较", 《才智》 *
谭爱泉等: "Flex结合Delphi解决UDP通信问题", 《电脑编程技巧与维护》 *
贾能: "基于Android系统的手机信息安全分析及策略改进", 《无线互联科技》 *

Also Published As

Publication number Publication date
CN115510429B (en) 2023-04-14

Similar Documents

Publication Publication Date Title
US20240311481A1 (en) Secure controller operation and malware prevention
US9898592B2 (en) Application marketplace administrative controls
EP3552098B1 (en) Operating system update management for enrolled devices
US11017088B2 (en) Crowdsourced, self-learning security system through smart feedback loops
US8656465B1 (en) Userspace permissions service
WO2015124018A1 (en) Method and apparatus for application access based on intelligent terminal device
CN106330958A (en) Secure accessing method and device
CN107665301A (en) Verification method and device
WO2015180690A1 (en) Method and device for reading verification information
EP3963914B1 (en) Controlling access to resources of edge devices
CN111433770A (en) User-selected key authentication
US20190268161A1 (en) Secure policy ingestion into trusted execution environments
KR20160018554A (en) Roaming internet-accessible application state across trusted and untrusted platforms
US20240291822A1 (en) System and methods for controlled access to computer resources
CN112788017B (en) Security verification method, device, equipment and medium
CN115510429B (en) Sandbox application access right control method, computing device and readable storage medium
EP3935538A1 (en) Secure policy ingestion into trusted execution environments
US11902327B2 (en) Evaluating a result of enforcement of access control policies instead of enforcing the access control policies
CN113114635A (en) Authority management method and system
CN114138365B (en) Authentication method, authentication device, electronic equipment and storage medium
CN117807568B (en) Installation permission control method and device based on Linux operating system, electronic equipment and storage medium
CN114676399A (en) Data security access method and device, electronic equipment and server
CN115186239A (en) Authority control method and device, computing equipment and storage medium
CN115038193A (en) Bluetooth connection method, device, computing equipment and storage medium
CN111209580A (en) Method, system and medium for isolating shared user environment based on mandatory access control

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant