CN115758420A - File access control method, device, equipment and medium - Google Patents
- Publication number: CN115758420A (application CN202211505930.3A)
- Authority: CN (China)
- Prior art keywords: file, target, information, access, key
- Legal status: Granted (Google lists the status as an assumption, not a legal conclusion)
- Landscape: Storage Device Security (AREA)
Abstract
The disclosed embodiment relates to a file access control method, a device, equipment and a medium, which relate to the technical field of computers, wherein the method is applied to a file access control management system, the file access control management system comprises an eBPF program and an encryption and decryption module, and the method comprises the following steps: acquiring a file access request, wherein the file access request comprises access information; determining a matching result of the access information and preset authorization information through an eBPF program, and when the matching result is determined to be successful, acquiring a target key of a target file based on file information in the access information and storing the target key; and acquiring a target key through the encryption and decryption module, and executing file access operation on the target file based on the target key. According to the embodiment of the disclosure, access to the file under an unauthorized condition is avoided, the target file corresponds to the target key, and even if the target key is leaked, other files which are not decrypted by using the target key are safe, so that the safety of the file is improved.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a medium for controlling file access.
Background
With the development of computer technology, the security of files becomes more important, and the transparent encryption technology is a technology capable of improving the security of files.
In the related art, a file is transparently encrypted by an eCryptfs encryption file system, but the eCryptfs encryption file system has the problem of low security in user dimension and file dimension.
Disclosure of Invention
To solve the technical problems or at least partially solve the technical problems, the present disclosure provides a file access control method, apparatus, device, and medium.
The embodiment of the present disclosure provides a file access control method, which is applied to a file access control management system, where the file access control management system includes an eBPF program and an encryption/decryption module, and includes:
acquiring a file access request, wherein the file access request comprises access information;
determining a matching result of the access information and preset authorization information through the eBPF program, and when the matching result is determined to be successful, acquiring a target key of a target file based on file information in the access information and storing the target key;
and acquiring the target key through the encryption and decryption module, and executing file access operation on the target file based on the target key.
The embodiment of the present disclosure further provides a file access control device, which is disposed in a file access control management system, where the file access control management system includes an eBPF program and an encryption/decryption module, and the device includes:
the device comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring a file access request, and the file access request comprises access information;
the second obtaining module is used for determining a matching result of the access information and preset authorization information through the eBPF program, and obtaining a target key of a target file based on file information in the access information and storing the target key when the matching result is determined to be successful;
and the access module is used for acquiring the target key through the encryption and decryption module and executing file access operation on the target file based on the target key.
The embodiment of the disclosure further provides a file access control system, which includes an eBPF program and an encryption/decryption module in communication connection with the eBPF program, and which is used to execute the file access control method provided by the embodiment of the disclosure.
An embodiment of the present disclosure further provides an electronic device, including: a processor; a memory for storing the processor-executable instructions; the processor is used for reading the executable instructions from the memory and executing the instructions to realize the file access control method provided by the embodiment of the disclosure.
The embodiment of the disclosure also provides a computer-readable storage medium, which stores a computer program for executing the file access control method provided by the embodiment of the disclosure.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages: the file access control scheme provided in the embodiments of the present disclosure is applied to a file access control management system, where the file access control management system includes an eBPF program and an encryption/decryption module, and includes: acquiring a file access request, wherein the file access request comprises access information; determining a matching result of the access information and preset authorization information through an eBPF program, and when the matching result is determined to be successful, acquiring a target key of a target file based on file information in the access information and storing the target key; and acquiring a target key through the encryption and decryption module, and executing file access operation on the target file based on the target key. By adopting the technical scheme, under the condition that the access information is successfully matched with the authorization information, the target key of the target file is further obtained, and the file access operation is carried out on the target file based on the target key, so that the access to the file under the unauthorized condition is avoided, the security of the file is improved in the user dimension, the target file corresponds to the target key, even if the target key is leaked, other files which are not decrypted by using the target key are still safe, and the security of the file is further improved in the file dimension.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a schematic flowchart of a file access control method according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of an architecture of a file access control management system according to an embodiment of the present disclosure;
FIG. 3 is a schematic flowchart illustrating a process for storing a target key by a file access module according to an embodiment of the present disclosure;
FIG. 4 is a schematic flowchart illustrating a file read operation according to an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart illustrating a file write operation according to an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of a file access control device according to an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced in other ways than those described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
With the development of computer technology, the security of file access becomes more important, and the transparent encryption technology is a technology for improving the security of file access. In transparent encryption technology, files can be encrypted without the encryption process being noticeable to the user. Specifically, when a user opens or edits a file, the system automatically encrypts the unencrypted file, so that the file is stored on the hard disk in an encrypted file form; and automatically decrypting the encrypted file to enable the file to be a plaintext file in the memory. When the using environment of the file is changed, the file content is invalid because the file cannot be automatically decrypted, thereby achieving the purpose of protecting the file content.
In the related technology, a file is transparently encrypted through the eCryptfs encrypted file system. In eCryptfs, the characteristic parameters used to decrypt encrypted files must be mounted on the eCryptfs system for automatic encryption and decryption to work; when the characteristic parameters are not mounted, a user who opens the file sees garbled content and cannot obtain the real content of the file. Once the characteristic parameters are mounted on the transparent encryption system, not only the mounting user but also other users can see the plaintext content of the file, so file security in the user dimension is low. In addition, all files in the eCryptfs encrypted file system are encrypted with the same characteristic parameters, so if one file is decrypted, the other files can also be decrypted with the characteristic parameters used for that file, and file security in the file dimension is low.
In order to solve the above problem, embodiments of the present disclosure provide a file access control method, which is described below with reference to specific embodiments.
Fig. 1 is a flowchart of a file access control method provided in an embodiment of the present disclosure, where the file access control method may be executed by a file access control apparatus, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 1, the file access control method is applied to a file access control management system, the file access control management system includes an eBPF program and an encryption/decryption module, and the file access control method includes:
The file access control management system may be a software system capable of managing file access, and the file access control management system may intercept operations and parameters invoked by a user mode system. An Extended Berkeley Packet Filter (eBPF) may be understood as a virtual machine implemented in a kernel of an operating system, and when a specific event is triggered, eBPF bytecode may be executed in the virtual machine environment to implement corresponding functions such as monitoring, security, and the like. The encryption and decryption module can be a functional module for performing encryption processing and decryption processing on files, and a buffer layer can be arranged in the encryption and decryption module to perform buffer processing on the encrypted files or the decrypted files.
In the embodiment of the present disclosure, the file access request may be a request for indicating access to a file, and the access information may be information characterizing a file access from one or more dimensions, and optionally, the access information may include at least one of process information, user information, and file information.
In the embodiment of the present disclosure, in response to an access operation of a user to a file, or in a case of receiving an access request of a program to the file, a virtual file system in a kernel space can generate access information according to a login user of a file access control management system and/or an operating system, a process of applying for accessing the file, and the like, and generate a file access request including the access information, and the file access control management system obtains the file access request.
In some embodiments of the present disclosure, the eBPF program includes a file access module and a user-mode configuration program, and before acquiring the file access request, the file access control method further includes: after the authorization information sent by the user mode configuration program is obtained through the file access module, the authorization information is stored in a key value pair mode, and eBPF program codes corresponding to calling functions are set through a function probe, wherein the calling functions comprise a system opening function, a virtual file opening function and a system closing function.
The user mode configuration program may be a program that generates authorization information according to configuration operation in a user mode of the operating system. The file access module may be a functional module that receives and stores information transmitted in the user space in the kernel space. Authorization information may be understood as a condition that enables access to a file. The key-value pair is a data structure, and the type of the key-value pair is various, and the embodiment is not limited, for example, the key-value pair may be a Map type.
The function probe may be a facility provided by the kernel that can dynamically probe a specified kernel function; the function probes include kprobe and kretprobe. A kprobe probes the entry of a function's execution, and a kretprobe probes the return from a function's execution. A kprobe or kretprobe can trigger execution of the corresponding eBPF program code when the probed function is entered or returns, respectively. The system open function is the sys_open() function, which can be instrumented by a kprobe. The virtual file open function is the vfs_open() function, which can be probed by a kprobe. The system close function may be the sys_close() function, which may be instrumented by a kretprobe.
In this embodiment, a file manager may configure, on an interface, a user who authorizes access to one or more files, a user who does not authorize access to the files, a process that authorizes access to the files, a process that does not authorize access to the files, and the like. According to the configuration operation of the file management personnel, corresponding authorization information can be generated through the user mode configuration program, and the authorization information is sent to the file access module through the user mode configuration program. After the authorization information is obtained through the file access module, the authorization information is stored in a Map type hash table.
The eBPF program code corresponding to each call function is set by the kprobe and kretprobe functions; specifically, the eBPF program code corresponding to the sys_open() function and the vfs_open() function is set by a kprobe, and the eBPF program code corresponding to the sys_close() function is set by a kretprobe.
Step 102: determining a matching result of the access information and preset authorization information through the eBPF program, and, when the matching result is determined to be successful, acquiring a target key of a target file based on file information in the access information and storing the target key.
The matching result may be a matching success or a matching failure, where a matching success indicates that the access information is found in the authorization information, and a matching failure indicates that the access information is not found in the authorization information. The file information may be understood as information that uniquely characterizes a certain file; its representation is not limited and may be, for example, numbers or letters. In this embodiment, the path of a file may be used as the file information of that file. The target key may be a key for encrypting and decrypting the target file. The encryption and decryption algorithm may be of various types, and this embodiment is not limited thereto; for example, it may be the Advanced Encryption Standard (AES) algorithm with a 256-bit key.
In the disclosed embodiment, the access information is matched with the authorization information through the eBPF program, if the access information can be retrieved from the authorization information, the matching result is determined to be a successful matching, and the target file is determined according to the file information in the access information, so as to obtain the target key that can encrypt and decrypt the target file, and store the target key.
In some embodiments of the present disclosure, the eBPF program includes a file access module and a user-mode configuration program, and the eBPF program code corresponding to each call function is set through a function probe; accordingly, determining the matching result of the access information and the preset authorization information through the eBPF program includes:
when the file access module intercepts the call of a virtual file system to a system opening function based on a file access request, determining a first eBPF program code corresponding to the system opening function; and matching the access information with the authorization information based on the first eBPF program code to obtain a matching result.
The virtual file system (VFS) is a subsystem of the kernel. The VFS provides user-mode programs with a unified set of system calls for operating on files; when the VFS receives a system call from a user-mode program, it processes the call and hands it to the specific file system. The virtual file system can be understood as an abstract common file system layer, composed mainly of a set of abstract, standard file operations, that provides the user with system call functions such as open(), read() and write(); the corresponding functions in the kernel are sys_open() and vfs_open(), sys_read() and sys_write(), respectively. The system calls of read() and write() are processed by the virtual file system and then mapped to a specific physical file system, for example the fourth extended file system (ext4).
The first eBPF program code may be code that implements a function to match access information to authorization information. The embodiment does not limit the specific code of the first eBPF program code and the specific programming language for implementing the first eBPF program code.
In this embodiment, a first eBPF program code corresponding to the system open function is preset, so that when it is intercepted that the system open function is called, the first eBPF program code is executed, and matching between the access information and the authorization information is realized. Specifically, in the process of accessing the target file, the virtual file system in the Linux system calls a system open function based on the file access request, the call of the system open function can be intercepted through the file access module, and then the first eBPF program code corresponding to the system open function is determined. Before the next operation of accessing the target file is carried out, executing the first eBPF program code to match the access information with the authorization information, and if the authorization condition consistent with the access information exists in all authorization conditions included in the authorization information, determining that the matching result is successful; and if the authorization condition which is consistent with the access information does not exist in the authorization conditions included in the authorization information, determining that the matching result is matching failure, and returning a matching failure instruction to the system call of the system open function to terminate the access to the target file.
In some embodiments of the present disclosure, the authorization information includes an authorized process and an authorized user corresponding to each file, the access information includes file information, process information, and user information, and determining that the matching result is a successful matching includes: and if the authorized process comprises the process corresponding to the process information, or the authorized user corresponding to the target file comprises the current user of the user information, determining that the matching result is successful.
The process may be a process with a file access function, the process information may be information capable of uniquely characterizing a certain process, the presentation form of the process information is not limited, for example, the process information may be numbers or letters, and the process information may be understood as a process identifier. The user may be a login user of the system or software, the user information may be information capable of uniquely characterizing a certain user, the user information may be understood as a user identifier, the representation form of the user information is not limited, and the user information may include numbers and/or letters, for example. The authorized process may be a process that has been authorized for file access. The authorized user may be a user who has been authorized to access one or more files.
In the embodiment of the present disclosure, the kernel structures that describe a process and a file may be used to obtain the file information of the accessed file, the process information of the process accessing the file and the user information of the user, and the access information may be generated from the file information, the process information and the user information. The authorized process and the authorized user corresponding to each file are recorded in the authorization information. The process information is looked up among the authorized processes; if it is found, the process may access the file and the matching result is a successful match. Alternatively, the authorized user corresponding to the target file is determined from the authorized users recorded for each file, and the user information is looked up among the authorized users of the target file; if it is found, the user may access the target file and the matching result is a successful match.
In some embodiments of the present disclosure, the eBPF program includes a file access module, a user configuration program, and a key management module, and acquires a target key of a target file based on file information in access information and stores the target key, including:
when the file access module intercepts a call to the virtual file open function, the second eBPF program code corresponding to the virtual file open function acquires the target key and the file descriptor of the target file in the block device based on the file information; if the target key is obtained, the target key is stored in the file descriptor of the target file; otherwise, the key management module is called to generate the target key of the target file, and the target key is stored in the file descriptor of the target file.
The key management module may be a functional module having at least one of a key generation function, a key storage function, and a key management function. Optionally, in order to prevent other files from being decrypted with a leaked key after the key of a certain file is leaked, the key management module may generate a distinct key for each file. The second eBPF program code may be code that implements the function of storing the key corresponding to the target file in the corresponding file descriptor. The embodiment does not limit the specific code of the second eBPF program code or the programming language used to implement it. A block device is a physical device, which may be one of the I/O devices, such as a hard disk or a USB disk. The file descriptor may be the basis on which the kernel accesses the file.
In this embodiment, a second eBPF program code corresponding to the virtual file open function is set in advance, so that when it is intercepted that the virtual file open function is called, the second eBPF program code is executed, and the target key is stored in the file descriptor. Specifically, if the file access module can intercept the call to the virtual file open function, it is determined that the access information and the authorization information are successfully matched. And when the call to the virtual file opening function is intercepted, determining a second eBPF program code corresponding to the virtual file opening function, determining a target file in the block device, acquiring a target key and a file descriptor of the target file, and storing the target key in private data of the file descriptor of the target file.
Or, in some scenarios, the target file is a newly created file, and the newly created file does not have a corresponding key, so when the file access module intercepts the call of the virtual file open function, the key management module is called to generate the target key of the target file based on the second eBPF program code, and further, the newly generated target key is stored in the private data of the file descriptor of the target file.
In some embodiments of the present disclosure, the target key is stored in the block device at the end or start position of the target file. In an alternative embodiment, since the start position of the target file usually stores the related information of the target file, in order to avoid the influence of storing the target key on the related information, the target key may be stored at the end position of the target file, and the position of the target key is marked by recording the offset position of the target key relative to the last bit of the file.
Step 103: acquiring the target key through the encryption and decryption module, and executing the file access operation on the target file based on the target key.
The file access operation may be a processing operation for a file, and the file access operation includes, but is not limited to, a file read operation, a file write operation, and the like.
In the embodiment of the disclosure, after the target key is stored by the eBPF program, the target key is acquired from the eBPF program by the encryption and decryption module, the target file is encrypted or decrypted based on the target key, and the file access operation is performed on the encrypted or decrypted target file.
The file access control method provided by the embodiment of the disclosure is applied to a file access control management system, wherein the file access control management system comprises an eBPF program and an encryption and decryption module, and comprises the following steps: acquiring a file access request, wherein the file access request comprises access information; determining a matching result of the access information and preset authorization information through an eBPF program, and when the matching result is determined to be successful, acquiring a target key of a target file based on file information in the access information and storing the target key; and acquiring a target key through the encryption and decryption module, and executing file access operation on the target file based on the target key. By adopting the technical scheme, under the condition that the access information is successfully matched with the authorization information, the target key of the target file is further obtained, and the file access operation is carried out on the target file based on the target key, so that the file access under the unauthorized condition is avoided, the file security is improved in the user dimension, the target file corresponds to the target key, even if the target key is leaked, other files which are not decrypted by using the target key are still secure, and the file security is further improved in the file dimension.
In some embodiments of the present disclosure, the file access control method further includes: acquiring a file closing request, and determining a third eBPF program code corresponding to a system closing function when a file access module intercepts the call of a virtual file system to the system closing function based on the file closing request; the target key stored in the file descriptor of the target file is moved to the target file based on the third eBPF program code.
The file closing request may be a request for indicating file closing, and the file closing request may include file information of the closed file. The third eBPF program code may be a code for realizing the function of moving the target key in the file descriptor to the target file, and the embodiment does not limit the specific code of the third eBPF program code and the programming language for realizing the third eBPF program code.
In this embodiment, a third eBPF program code corresponding to the system close function is preset, so that when a call to the system close function is intercepted, the third eBPF program code is executed and the target key is moved to the target file. Specifically, the virtual file system calls the system close function to close the file according to the received file close request; the file access module intercepts the call to the system close function and executes the third eBPF program code corresponding to it, which was set by the function probe. Executing the third eBPF program code determines the file descriptor of the target file, determines the target key stored in that file descriptor, and moves the target key to the end position of the target file.
In the above scheme, by intercepting the call of the system closing function, the target key in the file descriptor is determined before the target file is closed, and the target key is stored in the target file, and if the target key is the key of the new file, the corresponding relationship between the key and the new file is determined by storing the key in the new file.
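The open and close flow described above (match on the system open function, key fetched or generated on the virtual file open function and parked in the descriptor's private data, key moved to the end of the file on the system close return), as an added example that is not the patent's code: plain-Python stand-ins replace the kernel, the eBPF hash map and the block device, and the trailer layout, the names, the sample authorization rules and the sample key are all constructed here.

```python
"""Simulation of the file access module's open/close hooks described in the text.
Stand-ins: a dict for the Map-type hash table, a dict for the block device, a
dataclass for the file descriptor.  Trailer layout and sample data are constructed."""
import errno
import os
import struct
from dataclasses import dataclass, field

KEY_LEN = 32                          # AES-256 key size named in the text
MAGIC = b"EKEY"                       # constructed trailer marker
TRAILER_LEN = KEY_LEN + len(MAGIC) + 4
SECRET_KEY = bytes(range(KEY_LEN))    # constructed key of the pre-existing file


def make_trailer(key: bytes) -> bytes:
    """Key, marker, then the key's offset counted back from end-of-file."""
    return key + MAGIC + struct.pack(">I", TRAILER_LEN)


def read_trailer(data: bytes):
    """Return the key stored at the end of the file, or None if there is none."""
    if len(data) < TRAILER_LEN or data[-(len(MAGIC) + 4):-4] != MAGIC:
        return None
    offset = struct.unpack(">I", data[-4:])[0]
    return bytes(data[-offset:-offset + KEY_LEN])


def strip_trailer(data: bytearray) -> bytearray:
    return data[:-TRAILER_LEN] if read_trailer(data) is not None else data


# Stand-in for the Map-type hash table: file -> authorized processes and users.
AUTHORIZATION = {
    "/data/secret.txt": {"processes": {"editor"}, "users": {1000}},
    "/data/report.txt": {"processes": set(), "users": {1000, 1001}},
}
# Stand-in for the block device: path -> bytes as stored (ciphertext + trailer).
BLOCK_DEVICE = {
    "/data/secret.txt": bytearray(b"<ciphertext>") + make_trailer(SECRET_KEY),
}


@dataclass(frozen=True)
class AccessInfo:
    path: str       # file information (the text uses the file path)
    process: str    # process information
    uid: int        # user information


@dataclass
class FileDescriptor:
    path: str
    private_data: dict = field(default_factory=dict)


def match_access(info: AccessInfo) -> bool:
    """First eBPF program: success if the process or the user is authorized."""
    rule = AUTHORIZATION.get(info.path)
    if rule is None:
        return False
    return info.process in rule["processes"] or info.uid in rule["users"]


def key_manager_generate() -> bytes:
    """Key management module: a fresh key per file, never shared between files."""
    return os.urandom(KEY_LEN)


def on_vfs_open(path: str) -> FileDescriptor:
    """Second eBPF program: reached only after a successful match."""
    data = BLOCK_DEVICE.setdefault(path, bytearray())   # new file -> no trailer
    key = read_trailer(data)
    if key is None:
        key = key_manager_generate()
    fd = FileDescriptor(path)
    fd.private_data["key"] = key
    return fd


def open_file(info: AccessInfo) -> FileDescriptor:
    """System open hook: a failed match returns the failure to the caller."""
    if not match_access(info):
        raise PermissionError(errno.EACCES, "access information not authorized")
    return on_vfs_open(info.path)


def close_file(fd: FileDescriptor) -> bytes:
    """Third eBPF program (system close return): key moves to the end of file."""
    key = fd.private_data.pop("key")
    body = strip_trailer(BLOCK_DEVICE[fd.path])
    BLOCK_DEVICE[fd.path] = bytearray(body) + make_trailer(key)
    return key
```

A denied open never reaches `on_vfs_open`, so no key is ever loaded for an unauthorized request; a second file gets its own key, which is the file-dimension property the text claims.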
In some embodiments of the present disclosure, the kernel keeps a copy of a recently opened or written file in memory, the copy being the size of a physical page (the page cache). When the file is read again it need not be fetched from the block device; when its content is written again, the data is first written to the corresponding page buffer and, when the system is idle, written back from the page buffer to the block device.
In some embodiments of the present disclosure, the encryption and decryption module is provided with a plaintext page buffer layer and the file access request is a file read request. Obtaining the target key through the encryption and decryption module and performing the file access operation on the target file based on the target key then includes: if the module determines that the target file is not in the plaintext page buffer layer, it fetches the target file from the block device, obtains the target key from the file descriptor of the target file held by the file access module, decrypts the target file page by page with the target key, adds the decrypted target file to the plaintext page buffer layer and returns it. Optionally, if the module determines that the plaintext page buffer layer already contains the target file, it reads the target file from that layer and returns it.
The encryption and decryption module is a stackable file system running in kernel mode. It divides a file into logical blocks, each the size of a physical page, encrypts and decrypts the file one logical block at a time, and contains a page buffer layer that maintains the buffers of the file. The plaintext page buffer layer is the page buffer layer whose buffers hold the plaintext file, the plaintext file being the decrypted file. The file read request is a request instructing a file read. A stackable file system is a file system layer located between the virtual file system and the underlying physical file system; it stores no data of its own and realizes the required functionality by loading it on top of the physical file system. Because the whole path stays in the kernel, the time overhead of frequent switching between kernel space and user space is avoided.
In this embodiment, when the target file is read, the encryption and decryption module first looks in the plaintext page buffer layer. If the target file is found there, a decrypted copy already exists, and the module reads the target file from that layer and returns it. If it is not found, no decrypted copy exists: the module obtains the physical page holding the target file from the block device (this page still holds the target file before decryption), obtains the target key from the file descriptor of the target file in the file access module, decrypts that physical page with the target key to obtain the decrypted target file, adds the decrypted target file to the plaintext page buffer layer, and returns it.
In this scheme, because the content of the plaintext page buffer layer may be cleared periodically, repeated reads of the target file before it is closed may require repeated decryption and therefore repeated retrieval of the target key. Taking the target key from the file descriptor of the target file in the file access module, rather than from the target file on the block device, makes that retrieval faster.
In some embodiments of the present disclosure, the encryption and decryption module is provided with a plaintext page buffer layer and a ciphertext page buffer layer and the file access request is a file write request. Obtaining the target key through the encryption and decryption module and performing the file access operation on the target file based on the target key then includes: writing the target file into the plaintext page buffer layer through the module, obtaining the target key from the file descriptor of the target file held by the file access module, encrypting the target file page by page with the target key, and writing the encrypted target file into the ciphertext page buffer layer.
The ciphertext page buffer layer is the page buffer layer whose buffers hold the ciphertext file, the ciphertext file being the file before decryption. The file write request is a request instructing a file write.
In this embodiment the target file received for writing is the target file before encryption. The encryption and decryption module first determines whether a plaintext buffer exists in the plaintext page buffer layer; if so, it writes the target file into that plaintext buffer, otherwise it creates a plaintext buffer in the plaintext page buffer layer and writes the target file into the newly created buffer. After the target file has been written into the plaintext page buffer layer it is written into the ciphertext page buffer layer. Specifically, the module determines whether a ciphertext buffer exists in the ciphertext page buffer layer and, if so, obtains the target key from the file descriptor of the target file in the file access module, encrypts the target file page by page with the target key to obtain the encrypted target file, and writes the encrypted target file into that ciphertext buffer.
If the module determines that no ciphertext buffer exists in the ciphertext page buffer layer, it creates one, obtains the target key from the file descriptor of the target file in the file access module, encrypts the target file page by page with the target key to obtain the encrypted target file, and writes the encrypted target file into the newly created ciphertext buffer.
Optionally, after the encrypted target file has been written into the ciphertext page buffer layer, the content of the ciphertext page buffer layer may be written to the block device, and the content recorded in the ciphertext page buffer layer and the plaintext page buffer layer may be cleared.
In this scheme the target file before encryption is kept in the plaintext page buffer layer and the encrypted target file in the ciphertext page buffer layer, so the target file need not be read from the block device on every access and the read efficiency of the target file improves. The plaintext page buffer layer holds decrypted pages in kernel memory, so the protection offered is against the block device being read, not against a compromised kernel or a memory dump.
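The read and write paths described above, modelled in user-space Go as an added example. This is not the patent's code, whose module is a stackable file system in the kernel; it shows the logic of the two buffer layers and of page-unit encryption under the key held in the file descriptor. Assumptions of the example: AES-256-GCM is used per page with a fresh random nonce and the page index as associated data, so a wrong key, a modified page, or a sealed page copied to another page slot all fail authentication. GCM is in Go's standard library but adds 28 bytes to every page, whereas a logical block that is exactly one physical page, as the text describes, implies a length-preserving mode such as AES-XTS in a real deployment. The names `FileDesc`, `BlockDevice`, `EncDec`, `put`, `sealPage`, `openPage` and `Flush` are chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// PageSize is the logical block size: one physical page, as in the text.
const PageSize = 4096

// FileDesc carries the per-file key that the open hook parks in the descriptor.
type FileDesc struct {
	Path string
	Key  []byte // 32 bytes: AES-256
}

// BlockDevice holds the sealed pages of each file, keyed by page index (assumed layout).
type BlockDevice map[string]map[int][]byte

// EncDec models the encryption/decryption layer with its plaintext and ciphertext buffer layers.
type EncDec struct {
	dev        BlockDevice
	plaintext  map[string]map[int][]byte // plaintext page buffer layer
	ciphertext map[string]map[int][]byte // ciphertext page buffer layer
	Hits       int                       // reads served from the plaintext layer
	Decrypts   int                       // reads that had to decrypt a device page
}

func NewEncDec(dev BlockDevice) *EncDec {
	return &EncDec{dev: dev, plaintext: map[string]map[int][]byte{}, ciphertext: map[string]map[int][]byte{}}
}

// put stores a page in a layer, creating the per-file buffer on first use.
func put(layer map[string]map[int][]byte, path string, idx int, page []byte) {
	if layer[path] == nil {
		layer[path] = map[int][]byte{}
	}
	layer[path][idx] = page
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// pageAD binds a sealed page to its index so it cannot be moved to another slot.
func pageAD(idx int) []byte { return []byte(fmt.Sprintf("page:%d", idx)) }

// sealPage encrypts one page under the file key; the nonce is fresh per call, so
// rewriting the same page with the same key never reuses a nonce.
func sealPage(key []byte, idx int, page []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, page, pageAD(idx)), nil // nonce || ciphertext || tag
}

// openPage is the inverse; a wrong key or a modified page fails authentication.
func openPage(key []byte, idx int, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed page too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], pageAD(idx))
}

// ReadPage is the read path: serve from the plaintext layer if present, otherwise
// fetch the ciphertext page from the device, decrypt with the descriptor key, cache it.
func (e *EncDec) ReadPage(fd *FileDesc, idx int) ([]byte, error) {
	if p, ok := e.plaintext[fd.Path][idx]; ok {
		e.Hits++
		return p, nil
	}
	sealed, ok := e.dev[fd.Path][idx]
	if !ok {
		return nil, fmt.Errorf("%s: page %d not on device", fd.Path, idx)
	}
	page, err := openPage(fd.Key, idx, sealed)
	if err != nil {
		return nil, err
	}
	e.Decrypts++
	put(e.plaintext, fd.Path, idx, page)
	return page, nil
}

// WritePage is the write path: plaintext into the plaintext layer, then the page
// encrypted with the descriptor key into the ciphertext layer.
func (e *EncDec) WritePage(fd *FileDesc, idx int, page []byte) error {
	if len(page) != PageSize {
		return errors.New("a logical block is exactly one page")
	}
	put(e.plaintext, fd.Path, idx, append([]byte(nil), page...))
	sealed, err := sealPage(fd.Key, idx, page)
	if err != nil {
		return err
	}
	put(e.ciphertext, fd.Path, idx, sealed)
	return nil
}

// Flush writes the ciphertext layer of a file to the block device and clears both
// layers for that file, the optional step described in the text.
func (e *EncDec) Flush(path string) {
	for idx, sealed := range e.ciphertext[path] {
		put(e.dev, path, idx, sealed)
	}
	delete(e.plaintext, path)
	delete(e.ciphertext, path)
}
```

A typical sequence is `WritePage` followed by `ReadPage` (served from the plaintext layer, no decryption), then `Flush` and a second `ReadPage` (fetched from the device and decrypted once, then cached). The `Hits` and `Decrypts` counters make the cache behaviour the text describes observable.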
The embodiments of the present disclosure provide a file access control system comprising an eBPF program and an encryption and decryption module communicatively connected to the eBPF program, configured to execute any of the file access control methods of the embodiments.
In this embodiment the file access control system may be installed on a Linux system, with the eBPF program and the encryption and decryption module installed under it. Through the configuration of the file access control system the authorization information is established, that is, which processes may access a file and which file or files each user may access, and the authorization information is delivered to the eBPF program.
Fig. 2 is a schematic structural diagram of a file access control management system according to an embodiment of the present disclosure, and as shown in fig. 2, in a user space, a user process and a user mode configuration program exist. In the kernel space, there are file access module, key management module, virtual file system, encryption and decryption module, block device file system driver and block device, where the encryption and decryption module includes ciphertext page buffer layer and plaintext page buffer layer. The data transmission relationship in the file access control management system is shown in the above embodiments, and is not described herein again.
Next, the file access control method in the embodiment of the present disclosure is further described by a specific example. The file access control method comprises the following steps:
In user mode, the user-mode configuration program configures, through an interface, which processes are authorized and which are not, and which files each user is allowed and not allowed to access, thereby producing the authorization information. It sends the authorization information to the file access module, which stores it in a hash table of eBPF MAP type.
Keys are generated, stored and managed by the key management module. To prevent the key of one encrypted file, once leaked, from decrypting other encrypted files, the key management module generates a random key for each encrypted file; keys correspond one-to-one to encrypted files, and each key is stored at the tail of its encrypted file. Alternatively the key itself may be encrypted, so that even if the key stored with the encrypted file leaks, the file cannot be decrypted with the encrypted key. Stored in the clear, the trailer key gives no confidentiality against anyone who can read the block device, because key and ciphertext sit side by side; the per-file isolation described here limits damage only to the extent that the key, or the key that wraps it, is held elsewhere, for example in the key management module.
The file access module stores the authorization information and, in kernel mode, detects the sys_open() system call through a kprobe and the vfs_open() function and sys_close() system call through a kretprobe, thereby intercepting the operations and parameters of the user-mode system calls. The file access module works as follows:
When a sys_open() system call is intercepted, the first eBPF program code attached by the kprobe for this type of call is executed. From the kernel structures describing the process and the file it determines the file information of the file being processed, the process information of the calling process and the user information, assembles them into the access information, and matches the access information against the authorization information in the hash table. If the match succeeds, the process runs or the user is determined to be allowed to access the target file. If the match fails, a match-failure result is returned to the system call so that subsequent operations such as reading and writing the target file are not executed.
When the vfs_open() call is intercepted, which means the process or user has been allowed to access the target file, the second eBPF program code attached for the vfs_open() call type by the kprobe function is executed. It first tries to obtain the target key from the tail of the target file. If a key is obtained, the target file is an encrypted file, and the key is stored in the private data of the file descriptor of the target file. If no key is obtained, the target file may be a newly created file: the interface of the key management module is called to generate a random key, which becomes the target key and is stored in the private data of the file descriptor of the target file. The target file may be encrypted with, for example, the Advanced Encryption Standard with a 256-bit key.
When a sys_close() call is intercepted, the third eBPF program code attached for the sys_close() call type by the kretprobe is executed; it stores the target key held in the file descriptor of the target file at the tail of the target file.
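The configuration, sys_open(), vfs_open() and sys_close() steps above, modelled in Go as an added example. This is not the patent's code, which runs as eBPF programs inside the kernel; the example shows the policy match exactly as the text states it (an authorized process or an authorized user of the file), the key being generated at the first open and parked in the descriptor, and the key being written to the file tail at close. The trailer marker `EBPF-FILE-KEY-V1`, the names `ACL`, `Policy`, `AccessInfo`, `FileDesc`, `BlockDevice`, `Open` and `Close`, and the policy constructed in `main` are assumptions of the example; the patent specifies no on-disk format. The key is stored in the clear at the tail, as the text describes; the wrapped-key alternative the text mentions is what a practitioner would deploy.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is the per-file key length; the text suggests AES with a 256-bit key.
const KeySize = 32

// keyTrailer is an assumed marker that lets the open hook tell "encrypted file
// with a key at its tail" from "new file"; the patent text specifies no format.
var keyTrailer = []byte("EBPF-FILE-KEY-V1")

// AccessInfo is what the first eBPF program assembles at sys_open() from the
// kernel structures describing the process and the file.
type AccessInfo struct {
	File string
	Proc string
	User string
}

// Policy is one entry of the authorization hash table: the processes and users
// authorized for a file.
type Policy struct {
	Procs map[string]bool
	Users map[string]bool
}

// ACL is the authorization information keyed by file path (the eBPF MAP hash table).
type ACL map[string]Policy

// Authorized applies the matching rule of the text: the match succeeds if the
// process is an authorized process or the user is an authorized user of the file.
func (a ACL) Authorized(req AccessInfo) bool {
	p, ok := a[req.File]
	return ok && (p.Procs[req.Proc] || p.Users[req.User])
}

// BlockDevice stands in for on-disk file content: ciphertext followed by the
// key trailer once the file has been closed at least once.
type BlockDevice map[string][]byte

// FileDesc models the opened file; Key is the descriptor "private data" in which
// the second eBPF program keeps the target key until close.
type FileDesc struct {
	Path string
	Key  []byte
	Body []byte // ciphertext without the trailer
	New  bool   // no key was found at the tail, so one was generated
}

// splitTrailer separates the file body from a trailing key, if one is present.
func splitTrailer(data []byte) (body, key []byte, found bool) {
	n := len(keyTrailer) + KeySize
	if len(data) < n || !bytes.Equal(data[len(data)-n:len(data)-KeySize], keyTrailer) {
		return data, nil, false
	}
	return data[:len(data)-n], data[len(data)-KeySize:], true
}

// Open models the sys_open() hook (policy check) followed by the vfs_open() hook
// (key load or generation). A denied request fails before any key is touched.
func Open(acl ACL, dev BlockDevice, req AccessInfo) (*FileDesc, error) {
	if !acl.Authorized(req) {
		return nil, fmt.Errorf("open %s by %s/%s: permission denied", req.File, req.Proc, req.User)
	}
	body, key, found := splitTrailer(dev[req.File])
	if !found {
		key = make([]byte, KeySize)
		if _, err := rand.Read(key); err != nil { // the key management module's random key
			return nil, err
		}
	}
	return &FileDesc{Path: req.File, Key: key, Body: body, New: !found}, nil
}

// Close models the sys_close() hook: the key held in the descriptor is written to
// the tail of the file. Until then the key of a new file exists only in memory.
func Close(dev BlockDevice, fd *FileDesc) error {
	if fd.Key == nil {
		return errors.New("descriptor already closed")
	}
	out := make([]byte, 0, len(fd.Body)+len(keyTrailer)+KeySize)
	out = append(out, fd.Body...)
	out = append(out, keyTrailer...)
	out = append(out, fd.Key...)
	dev[fd.Path] = out
	fd.Key = nil
	return nil
}

func main() {
	// Constructed policy: the backup process and the user alice may access the file.
	acl := ACL{"/data/report.enc": {Procs: map[string]bool{"backup": true}, Users: map[string]bool{"alice": true}}}
	dev := BlockDevice{}
	fd, err := Open(acl, dev, AccessInfo{File: "/data/report.enc", Proc: "vim", User: "alice"})
	fmt.Println("alice via vim:", err, "new file:", fd != nil && fd.New)
	if fd != nil {
		fd.Body = []byte("<ciphertext pages>") // constructed stand-in for encrypted content
		_ = Close(dev, fd)
	}
	_, err = Open(acl, dev, AccessInfo{File: "/data/report.enc", Proc: "vim", User: "bob"})
	fmt.Println("bob via vim:", err)
}
```

Reopening the file after `Close` yields the same key with `New` false, while a second file gets an independent random key, which is the property the text relies on when it says a leaked key cannot decrypt other files.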
Fig. 3 is a schematic diagram of a process for storing a target key by a file access module according to an embodiment of the present disclosure, where as shown in fig. 3, the process for storing the target key includes:
Step 304: if the call of the virtual file open function is intercepted, execute the second eBPF program code set for the virtual file open function by the function probe, where the virtual file open function is vfs_open().
The encryption and decryption module is a stackable file system running in kernel space, and its page buffer layer page-buffers files. The Linux kernel represents a page buffer layer with an address_space structure and manages it with a radix tree (an XArray in kernels from 4.20 onward). This embodiment uses both a ciphertext page buffer layer and a plaintext page buffer layer; the double buffering improves file read performance. Fig. 4 is a schematic flowchart of a file read operation provided in an embodiment of the present disclosure; as shown in fig. 4, the read operation includes:
Step 403: the physical page holding the target file, stored on the block device in encrypted form, is fetched from the block device.
Fig. 5 is a schematic flowchart of a file write operation provided in an embodiment of the present disclosure, and as shown in fig. 5, the write operation includes the following steps:
Optionally, after the content of the ciphertext buffer is written into the block device, the ciphertext buffer and the corresponding plaintext buffer may be cleared.
In this scheme the plaintext and ciphertext forms of the target file are cached in memory using the I/O page buffering of the Linux system, which avoids repeated decryption during reads and improves read performance. Each file is encrypted and decrypted with a different key, so even if the key of one file leaks, the other files remain safe because that key cannot decrypt them. The sys_open() system call is intercepted through the kprobe event type supported by eBPF, its parameters and calling process are inspected, and whether the process or user has the authority to access the file is decided against the authorization information, which improves security.
Fig. 6 is a schematic structural diagram of a file access control apparatus provided in an embodiment of the present disclosure. The apparatus may be implemented in software and/or hardware and may generally be integrated in an electronic device. As shown in fig. 6, the apparatus is installed in a file access control management system that includes an eBPF program and an encryption/decryption module, and the apparatus includes:
a first obtaining module 601, configured to obtain a file access request, where the file access request includes access information;
a second obtaining module 602, configured to determine, by the eBPF program, a matching result between the access information and preset authorization information, and when it is determined that the matching result is a successful match, obtain a target key of a target file based on file information in the access information, and store the target key;
an accessing module 603, configured to obtain the target key through the encryption and decryption module, and perform a file access operation on the target file based on the target key.
Optionally, the eBPF program includes a file access module and a user-mode configuration program, and before acquiring the file access request, the apparatus further includes:
a setting module, configured to store the authorization information as key-value pairs after the file access module has received it from the user-mode configuration program, and to set, through a function probe, the eBPF program code corresponding to each called function, the called functions including the system open function, the virtual file open function and the system close function.
Optionally, the second obtaining module 602 is configured to:
when the file access module intercepts the calling of a virtual file system to the system opening function based on the file access request, determining a first eBPF program code corresponding to the system opening function;
and matching the access information with the authorization information based on the first eBPF program code to obtain a matching result.
Optionally, the authorization information includes an authorized process and an authorized user corresponding to each file, the access information includes file information, process information, and user information, and the second obtaining module 602 is configured to:
and if the authorized process comprises the process corresponding to the process information, or the authorized user corresponding to the target file comprises the current user of the user information, determining that the matching result is successful.
Optionally, the eBPF program includes a key management module, and the second obtaining module 602 includes:
when the file access module intercepts the call of the virtual file open function, the second eBPF program code corresponding to the virtual file open function obtains the target key and the file descriptor of the target file from the block device based on the file information;
if the target key is obtained, the target key is stored in the file descriptor of the target file; otherwise the key management module is called to generate the target key of the target file, and the generated target key is stored in the file descriptor of the target file.
Optionally, the target key is stored in the end position or the start position of the target file in the block device.
Optionally, the apparatus further comprises:
a third obtaining module, configured to obtain a file closing request, and determine a third eBPF program code corresponding to the system closing function when the file access module intercepts a call of a virtual file system to the system closing function based on the file closing request;
a move module to move a target key stored in a file descriptor of the target file to the target file based on the third eBPF program code.
Optionally, the encryption and decryption module is provided with a plaintext page buffer layer, the file access request is a file read request, and the access module 603 is configured to:
if the encryption and decryption module determines that the target file is not included in the plain text page buffer layer, the target file is obtained from the block device, the target key is obtained from the file descriptor of the target file of the file access module, the target file is decrypted in a page unit based on the target key, and then the decrypted target file is added to the plain text page buffer layer and then returned.
Optionally, the accessing module 603 is further configured to:
and if the target file is determined to be contained in the plain text page buffer layer through the encryption and decryption module, reading the target file in the plain text page buffer layer and returning.
Optionally, the encryption and decryption module is provided with a plaintext page buffer layer and a ciphertext page buffer layer, the file access request is a file write request, and the access module 603 is configured to:
writing the target file into the plain text page buffer layer through the encryption and decryption module, acquiring the target key from a file descriptor of the target file of the file access module, encrypting the target file by taking a page as a unit based on the target key, and writing the encrypted target file into the ciphertext page buffer layer.
The file access control device provided by the embodiment of the disclosure can execute the file access control method provided by any embodiment of the disclosure, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 7, the electronic device 700 includes one or more processors 701 and memory 702.
The processor 701 may be a Central Processing Unit (CPU) or other form of processing unit having file access control capabilities and/or instruction execution capabilities, and may control other components in the electronic device 700 to perform desired functions.
In one example, the electronic device 700 may further include: an input device 703 and an output device 704, which are interconnected by a bus system and/or other form of connection mechanism (not shown).
The input device 703 may include, for example, a keyboard, a mouse, and the like.
The output device 704 may output various information including the determined distance information, direction information, and the like to the outside. The output devices 704 may include, for example, a display, speakers, printer, and the like, as well as a communication network and its connected remote output devices.
Of course, for simplicity, only some of the components of the electronic device 700 relevant to the present disclosure are shown in fig. 7, omitting components such as buses, input/output interfaces, and the like. In addition, electronic device 700 may include any other suitable components depending on the particular application.
In addition to the above methods and apparatus, embodiments of the present disclosure may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform a file access control method provided by embodiments of the present disclosure.
The computer program product may write program code for carrying out operations for embodiments of the present disclosure in any combination of one or more programming languages, including an object oriented programming language such as Java, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform the file access control method provided by the embodiments of the present disclosure.
The computer readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (14)
1. A file access control method is applied to a file access control management system, the file access control management system comprises an eBPF program and an encryption and decryption module, and the method comprises the following steps:
acquiring a file access request, wherein the file access request comprises access information;
determining a matching result of the access information and preset authorization information through the eBPF program, and when the matching result is determined to be successful, acquiring a target key of a target file based on file information in the access information and storing the target key;
and acquiring the target key through the encryption and decryption module, and executing file access operation on the target file based on the target key.
2. The method of claim 1, wherein the eBPF program comprises a file access module and a user-mode configuration program, and wherein prior to obtaining a file access request, the method further comprises:
after the authorization information sent by the user mode configuration program is obtained through the file access module, the authorization information is stored in a key value pair mode, and eBPF program codes corresponding to calling functions are set through a function probe, wherein the calling functions comprise a system opening function, a virtual file opening function and a system closing function.
3. The method of claim 2, wherein determining, by the eBPF program, a match between the access information and preset authorization information comprises:
when the file access module intercepts the calling of the system opening function by the virtual file system based on the file access request, determining a first eBPF program code corresponding to the system opening function;
and matching the access information with the authorization information based on the first eBPF program code to obtain a matching result.
4. The method of claim 1, wherein the authorization information includes authorized processes and authorized users corresponding to the files, the access information includes file information, process information, and user information, and determining that the matching result is a successful matching comprises:
and if the authorized process comprises the process corresponding to the process information, or the authorized user corresponding to the target file comprises the current user of the user information, determining that the matching result is successful.
5. The method of claim 2, wherein the eBPF program comprises a key management module, and obtaining a target key of a target file based on file information in the access information and storing the target key comprises:
when the file access module intercepts the call of the virtual file opening function, a second eBPF program code corresponding to the virtual file opening function acquires a target key and a file descriptor of the target file in a block device based on the file information;
if the target key is obtained, storing the target key in a file descriptor of the target file; otherwise, calling the key management module to generate a target key of the target file, and storing the target key in a file descriptor of the target file.
6. The method according to claim 1 or 5, wherein the target key is stored in the block device at the end position or the start position of the target file.
7. The method of claim 2, further comprising:
acquiring a file closing request, and determining a third eBPF program code corresponding to a system closing function when the file access module intercepts the call of a virtual file system to the system closing function based on the file closing request;
moving a target key stored in a file descriptor of the target file into the target file based on the third eBPF program code.
8. The method according to claim 1, wherein the encryption and decryption module is provided with a plain text page buffer layer, the file access request is a file read request, the target key is obtained by the encryption and decryption module, and a file access operation is performed on the target file based on the target key, and the method comprises:
if the encryption and decryption module determines that the target file is not included in the plain text page buffer layer, the target file is obtained from a block device, the target key is obtained from the file descriptor of the target file of the file access module, the target file is decrypted by taking a page as a unit based on the target key, and then the decrypted target file is added to the plain text page buffer layer and then returned.
9. The method of claim 8, further comprising:
and if the target file is determined to be contained in the plain text page buffer layer through the encryption and decryption module, reading the target file in the plain text page buffer layer and returning.
10. The method according to claim 1, wherein the encryption and decryption module is provided with a plaintext page buffer layer and a ciphertext page buffer layer, the file access request is a file write request, the target key is obtained by the encryption and decryption module, and a file access operation is performed on the target file based on the target key, including:
writing the target file into the plain text page buffer layer through the encryption and decryption module, acquiring the target key from a file descriptor of the target file of the file access module, encrypting the target file by taking a page as a unit based on the target key, and writing the encrypted target file into the ciphertext page buffer layer.
11. A file access control system comprising an eBPF program and an encryption/decryption module communicatively connected to the eBPF program for performing the file access control method of any one of claims 1 to 10.
12. A file access control device provided in a file access control management system including an eBPF program and an encryption/decryption module, the device comprising:
the device comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring a file access request, and the file access request comprises access information;
the second obtaining module is used for determining a matching result of the access information and preset authorization information through the eBPF program, and obtaining a target key of a target file based on file information in the access information and storing the target key when the matching result is determined to be successful;
and the access module is used for acquiring the target key through the encryption and decryption module and executing file access operation on the target file based on the target key.
13. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the file access control method of any one of claims 1 to 10.
14. A computer-readable storage medium, characterized in that the storage medium stores a computer program for executing the file access control method of any one of claims 1 to 10.
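The read and write paths of claims 8 to 10, as an added Python model that is not the patent's own code: a stand-in for the eBPF check matches the access information against preset authorization and stores a per-file target key on the file descriptor; the encryption/decryption module serves reads from a plaintext page buffer layer (decrypting page by page from the block device on a miss) and encrypts writes page by page into a ciphertext page buffer layer. The HMAC-based per-page keystream, the 16-byte page size and every name are assumptions of this example; a real module would use a block cipher mode such as AES-XTS rather than this PRF stand-in.

```python
import hashlib, hmac, os

PAGE = 16  # constructed page size for the demo; a real page is 4096 bytes

def _keystream(key: bytes, page_no: int, n: int) -> bytes:
    """PRF keystream bound to (key, page number); stand-in for a real per-page cipher mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, page_no.to_bytes(8, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class FileAccessControl:
    def __init__(self, authorization):
        self.authz = authorization  # preset authorization (assumed shape): {(uid, path): {"read", "write"}}
        self.keys = {}              # one target key per target file
        self.fds = {}               # file descriptor -> (path, target key)
        self.plain_cache = {}       # plaintext page buffer layer: (path, page_no) -> plaintext page
        self.cipher_cache = {}      # ciphertext page buffer layer: (path, page_no) -> ciphertext page
        self.block_device = {}      # encrypted pages at rest
    def open(self, uid: str, path: str, op: str) -> int:
        # eBPF stand-in: match the access information against the preset authorization.
        if op not in self.authz.get((uid, path), set()):
            raise PermissionError(f"{uid} is not authorized to {op} {path}")
        key = self.keys.setdefault(path, os.urandom(32))  # target key belongs to this file only
        fd = 3 + len(self.fds)
        self.fds[fd] = (path, key)  # target key stored on the descriptor for the module to fetch
        return fd
    def write(self, fd: int, data: bytes) -> int:
        path, key = self.fds[fd]
        pages = [data[i:i + PAGE] for i in range(0, len(data), PAGE)]
        for no, page in enumerate(pages):
            self.plain_cache[(path, no)] = page
            ct = _xor(page, _keystream(key, no, len(page)))  # encrypt page by page
            self.cipher_cache[(path, no)] = ct
            self.block_device[(path, no)] = ct  # writeback of the ciphertext page
        return len(pages)
    def read(self, fd: int) -> bytes:
        path, key = self.fds[fd]
        out, no = b"", 0
        while (path, no) in self.plain_cache or (path, no) in self.block_device:
            if (path, no) not in self.plain_cache:  # miss: fetch from device and decrypt
                ct = self.block_device[(path, no)]
                self.plain_cache[(path, no)] = _xor(ct, _keystream(key, no, len(ct)))
            out += self.plain_cache[(path, no)]
            no += 1
        return out
```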
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211505930.3A CN115758420B (en) | 2022-11-29 | 2022-11-29 | File access control method, device, equipment and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115758420A (en) | 2023-03-07 |
CN115758420B (en) | 2023-06-09 |
Family
ID=85339720
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211505930.3A Active CN115758420B (en) | 2022-11-29 | 2022-11-29 | File access control method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115758420B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110955631A (en) * | 2018-09-26 | 2020-04-03 | 上海瑾盛通信科技有限公司 | File access tracking method and device, storage medium and terminal |
CN113609221A (en) * | 2021-07-27 | 2021-11-05 | 卓尔智联(武汉)研究院有限公司 | Data storage method, data access device and storage medium |
US20220156391A1 (en) * | 2019-03-22 | 2022-05-19 | Huawei Technologies Co., Ltd. | File access right authentication method and electronic device |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116107846A (en) * | 2023-04-12 | 2023-05-12 | 北京长亭未来科技有限公司 | Linux system event monitoring method and device based on EBPF |
CN116881869A (en) * | 2023-09-07 | 2023-10-13 | 麒麟软件有限公司 | Encryption protection method and system for executable program on Linux system |
CN116881869B (en) * | 2023-09-07 | 2023-12-26 | 麒麟软件有限公司 | Encryption protection method and system for executable program on Linux system |
Also Published As
Publication number | Publication date |
---|---|
CN115758420B (en) | 2023-06-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||