CN116474374A - System initialization method, access control method based on MAC (media access control) and related equipment - Google Patents


Info

Publication number: CN116474374A
Authority: CN (China)
Prior art keywords: container, policy, database, host, policy database
Legal status: Pending
Application number: CN202310469694.2A
Other languages: Chinese (zh)
Inventor: 周克阳
Current assignee: Shenzhen Yunwang Wulian Technology Co ltd
Original assignee: Shenzhen Yunwang Wulian Technology Co ltd

Classifications

    • A HUMAN NECESSITIES
        • A63 SPORTS; GAMES; AMUSEMENTS
            • A63F CARD, BOARD, OR ROULETTE GAMES; INDOOR GAMES USING SMALL MOVING PLAYING BODIES; VIDEO GAMES; GAMES NOT OTHERWISE PROVIDED FOR
                • A63F13/00 Video games, i.e. games using an electronically generated display having two or more dimensions
                    • A63F13/70 Game security or game management aspects
                        • A63F13/77 Game security or game management aspects involving data related to game devices or game servers, e.g. configuration data, software version or amount of memory
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
                        • G06F16/28 Databases characterised by their database models, e.g. relational or object models
                            • G06F16/289 Object oriented databases
                • G06F9/00 Arrangements for program control, e.g. control units
                    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
                        • G06F9/44 Arrangements for executing specific programs
                            • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                                • G06F9/45533 Hypervisors; Virtual machine monitors
                                    • G06F9/45558 Hypervisor-specific management and integration aspects
                                        • G06F2009/45562 Creating, deleting, cloning virtual machine instances
                                        • G06F2009/45575 Starting, stopping, suspending or resuming virtual machine instances
                                        • G06F2009/45579 I/O management, e.g. providing access to device drivers or storage

Abstract

The embodiment of the application discloses a system initialization method, a MAC-based access control method and related equipment, which are used to enable a kernel to run its MAC permission-checking function accurately. The method comprises the following steps: creating a container init process of the container system; and starting the container init process, so that the container init process mounts a container resource file of the container system and writes container policy data of the container system into a container policy database, where the container policy data is determined based on the container policy file in the container resource file, and the container policy database is used to perform mandatory access control (MAC) checks on the container system.

Description

System initialization method, access control method based on MAC (media access control) and related equipment
Technical Field
The embodiment of the application relates to the field of cloud games, in particular to a system initialization method, an access control method based on MAC and related equipment.
Background
For intelligent terminal equipment, a single set of hardware usually ships with a single operating system installed, and its performance is sufficient for the normal running of various small applications. In a cloud game scenario, the hardware device is typically an array server assembled from a plurality of Systems On Chip (SOCs). To maximize the utilization of SOC resources, system virtualization is typically performed on a single SOC, depending on game complexity. Thus each system on a single SOC can run games, and a plurality of users can use the games simultaneously and in parallel.
Container-based virtualization works by sharing one kernel while loading different user file systems. The mandatory access control (MAC) permission-checking function is performed by the kernel, but in a hardware device that implements virtualization, the kernel's MAC permission checking may be confused and disabled because the kernel environment is shared. That is, the kernel cannot distinguish between the virtual system (or container system) and the host system, and cannot distinguish between the rules corresponding to the virtual system and to the host system in the policy database, and therefore cannot perform MAC permission checks for either the virtual system or the host system.
Therefore, there is a need for a method that allows a kernel to run its MAC permission-checking function accurately in a hardware device that implements virtualization.
Disclosure of Invention
The embodiment of the application provides a system initialization method, a MAC-based access control method and related equipment, which are used to enable a kernel to run its MAC permission-checking function accurately.
A first aspect of the present application provides a system initialization method applied to a computer device, where the computer device deploys a host system and a container system, and the host system has a corresponding host policy database. The method includes:
creating a container init process of the container system;
and starting the container init process, so that the container init process mounts a container resource file of the container system and writes container policy data of the container system into a container policy database, where the container policy data is determined based on the container policy file in the container resource file, and the container policy database is used to perform MAC checks on the container system.
In a specific implementation, creating a container init process of the container system includes:
the host system creating a container init process of the container system.
In a specific implementation, the host system creating a container init process of the container system includes:
the host system creating a container manager;
and starting the container manager, so that the container manager creates a container init process of the container system.
In a specific implementation, before starting the container init process, the method further includes:
modifying the access rights of the container init process to kernel-mode rights, so that the container init process can access the kernel space of the host system, where the container policy database and the host policy database are stored in the kernel space.
In a specific implementation, the kernel space of the host system includes the host policy database and at least one pre-built blank policy database, and the container init process writing container policy data of the container system into the container policy database includes:
determining the container policy database from the at least one pre-built blank policy database;
and writing the container policy data of the container system into the container policy database.
In a specific implementation, before determining the container policy database, the method further includes:
creating a plurality of blank policy databases in the kernel space of the host system;
creating a host init process of the host system in response to kernel initialization of the host system;
and starting the host init process, so that the host init process mounts a host resource file of the host system and writes host policy data of the host system into any one blank policy database, where that blank policy database becomes the host policy database.
In a specific implementation, determining the container policy database from the at least one pre-built blank policy database includes:
determining the container process namespace to which the container init process belongs;
and determining the container policy database from the at least one pre-built blank policy database based on the container process namespace.
In a specific implementation, the container init process writing container policy data of the container system into the container policy database includes:
the container init process copying the container policy data into memory, so that the container policy data is parsed in memory and the parsed container policy data is written into the container policy database.
A second aspect of an embodiment of the present application provides a MAC-based access control method, including:
in response to a resource access request sent by a user-space process of any system, determining a target policy database corresponding to that system, where the target policy database is a policy database into which the policy data of that system has been written, and the target policy database is constructed by the system initialization method of the first aspect;
and checking the resource access request based on the target policy database.
In a specific implementation, the target policy database includes at least one type of policy table, and checking the resource access request based on the target policy database includes:
searching the target policy database for the policy table of the same type as the resource access request, that is, the policy table whose policy type matches the policy type of the policy data required by the resource access request;
determining, from that policy table, the target policy data required to check the resource access request;
and checking the resource access request based on the target policy data.
A third aspect of the embodiments of the present application provides a computer device on which a host system and a container system are deployed, the host system having a corresponding host policy database, the computer device comprising:
a creating unit, configured to create a container init process of the container system;
a writing unit, configured to start the container init process, so that the container init process mounts a container resource file of the container system and writes container policy data of the container system into a container policy database, where the container policy data is determined based on the container policy file in the container resource file, and the container policy database is used to perform MAC checks on the container system.
In a specific implementation, the creating unit is specifically configured to cause the host system to create a container init process of the container system.
In a specific implementation, the creating unit is specifically configured to cause the host system to create a container manager;
and to start the container manager, so that the container manager creates a container init process of the container system.
In a specific implementation, the computer device further includes a modifying unit;
the modifying unit is configured to modify the access rights of the container init process to kernel-mode rights, so that the container init process can access the kernel space of the host system, where the container policy database and the host policy database are stored in the kernel space.
In a specific implementation, the kernel space of the host system includes the host policy database and at least one pre-built blank policy database, and the writing unit is specifically configured to determine the container policy database from the at least one pre-built blank policy database;
and to write the container policy data of the container system into the container policy database.
In a specific implementation, the creating unit is further configured to create a plurality of blank policy databases in the kernel space of the host system;
the creating unit is further configured to create a host init process of the host system in response to kernel initialization of the host system;
the writing unit is further configured to start the host init process, so that the host init process mounts a host resource file of the host system and writes host policy data of the host system into any one blank policy database, where that blank policy database becomes the host policy database.
In a specific implementation, the writing unit is specifically configured to determine the container process namespace to which the container init process belongs;
and to determine the container policy database from the at least one pre-built blank policy database based on the container process namespace.
In a specific implementation, the writing unit is specifically configured to copy the container policy data into memory by means of the container init process, so that the container policy data is parsed in memory and the parsed container policy data is written into the container policy database.
A fourth aspect of the present embodiment provides a computer device, including:
a determining unit, configured to determine, in response to a resource access request sent by a user-space process of any system, a target policy database corresponding to that system, where the target policy database is a policy database into which the policy data of that system has been written, and the target policy database is constructed by the system initialization method of the first aspect;
and a checking unit, configured to check the resource access request based on the target policy database.
In a specific implementation, the checking unit is specifically configured to search the target policy database for the policy table of the same type as the resource access request, that is, the policy table whose policy type matches the policy type of the policy data required by the resource access request;
to determine, from that policy table, the target policy data required to check the resource access request;
and to check the resource access request based on the target policy data.
A fifth aspect of the embodiments of the present application provides a computer device, comprising:
a central processing unit, a memory and an input/output interface;
the memory being either short-term or persistent memory;
the central processing unit being configured to communicate with the memory and to execute instructions in the memory so as to perform the method of the first or second aspect.
A sixth aspect of the embodiments of the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first or second aspect.
A seventh aspect of the embodiments of the present application provides a computer storage medium having instructions stored therein which, when executed on a computer, cause the computer to perform the method of the first or second aspect.
From the above technical solutions, the embodiments of the present application have the following advantages: for a computer device on which both a host system and a container system are deployed, the host system is configured with a corresponding host policy database, and, during initialization of the container system, the container init process writes the container policy data of the container system into the container policy database. This policy database deployment allows the kernel, when it receives a MAC mechanism check initiated by the container system, to call the container policy database corresponding to that container system and to perform the check using the container policy data recorded there, so that the kernel can run its MAC permission-checking function accurately.
Drawings
FIG. 1 is a schematic flow chart of a system initialization method disclosed in an embodiment of the present application;
FIG. 2 is a schematic diagram of a Linux system call flow disclosed in an embodiment of the present application;
FIG. 3 is a schematic flow chart of a system initialization method and a MAC-based access control method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a computer device according to an embodiment of the present application;
FIG. 5 is another schematic structural diagram of a computer device disclosed in an embodiment of the present application;
FIG. 6 is another schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
The embodiment of the application provides a system initialization method, an access control method based on MAC and related equipment, which are used for enabling a kernel to accurately run an MAC authority examination function.
Referring to FIG. 1, an embodiment of the present application provides a system initialization method, which may be executed by a computer device and includes the following steps:
101. A container init process of the container system is created.
In Linux, all processes are created and run by init processes. Thus, to complete initialization of the container system, a container init process that controls the container system should first be created.
It should be noted that, in the embodiment of the present application, the computer device is deployed with a host system and at least one container system, where the host system has a corresponding host policy database. The computer device may be a server, a server cluster, a terminal or the like; any device on which a host system and at least one container system can be deployed may be used, and this is not specifically limited here.
In some implementations, the container init process may be created by the host system or by the kernel. If the container init process is created by the host system, it may be created by a user-mode container manager running on the host system. Specifically, the host system first creates the container manager; the container manager then starts and creates the container init process in the container environment.
The container manager is created by the host system and is responsible for starting and stopping containers and for starting the container init process.
102. The container init process is started, so that the container init process mounts a container resource file of the container system and writes container policy data of the container system into a container policy database, where the container policy data is determined based on the container policy file in the container resource file, and the container policy database is used to perform MAC mechanism checks on the container system.
After the container init process is started, it may mount the container resource file of the container system and write the container policy data of the container system into the container policy database. Once the container policy data has been written into the container policy database, when the kernel receives a MAC mechanism check (that is, a resource access request) initiated by the container system, it can invoke the corresponding container policy data in the container policy database to perform the check.
In practical applications, the container resource file of the container system may be obtained from a server. When a new container system is created, its container resource file may be obtained from a specified server address using the system identifier of the corresponding container system. In the cloud game scenario, the container resource file may differ according to the type of operating system or the type of cloud game, so the system identifier of the container system may be determined according to the type of operating system or the type of cloud game that the current SOC is required to deploy; this is not specifically limited here. In addition to the container policy file, the container resource file of the container system may further include the configuration files and running resource files required for the container system to run normally.
In the embodiment of the application, for a computer device on which a host system and a container system are deployed at the same time, the host system is configured with a corresponding host policy database, and, during initialization of the container system, the container init process writes the container policy data of the container system into the container policy database. This policy database deployment allows the kernel, when it receives a MAC mechanism check initiated by the container system, to call the container policy database corresponding to that container system and to perform the check using the container policy data recorded there, so that the kernel can run its MAC permission-checking function accurately.
The foregoing embodiments provide a specific implementation in which the host system creates a user-mode container manager and the container manager creates the container init process. Because the container policy database is deployed in the kernel, the init process that writes the container policy data into the container policy database in step 102 needs kernel rights.
However, the container init process is created in the container environment, so the context in which it runs is user mode. Therefore, before the container init process is started in step 102, its access rights need to be modified to kernel-mode rights, so as to ensure that the container init process can access the kernel space of the host system. Note that the host policy database is also located in the kernel space of the host system. Further, because the container init process is created by the container manager, the rights of the container init process may also be specified by the container manager.
In some specific implementations, in order to build the container policy database more efficiently, the kernel space of the host system may include, in addition to the host policy database, at least one pre-built blank policy database. In that case, the part of step 102 in which the container init process writes the container policy data of the container system into the container policy database may be implemented as follows: a container policy database is determined from the at least one pre-built blank policy database; the container policy data of the container system is written into that container policy database.
In particular, the structure of the blank policy database required may vary with the container policy data. Since the container policy data is closely related to the type of operating system or the type of cloud game, blank policy databases corresponding to different types of operating system or cloud game can be configured, so that the container policy database can be determined accurately according to the type of operating system or cloud game deployed by the container system.
Further, the host system also performs a system initialization procedure of its own before the container system performs system initialization. Before the step of determining the container policy database, the initialization procedure of the host system may include the following steps: creating a plurality of blank policy databases in the kernel space of the host system; creating a host init process of the host system in response to kernel initialization of the host system; and starting the host init process, so that the host init process mounts a host resource file of the host system and writes host policy data of the host system into any one blank policy database, which thereby becomes the host policy database.
Specifically, the host init process of the host system is first created during kernel initialization. The host init process is then started; it mounts the host resource file of the host system and writes the host policy data of the host system into any one blank policy database (once a blank policy database has had the host policy data written into it, it constitutes the host policy database). In the host machine (that is, the computer device on which the host system is deployed), the host system is the first operating system deployed, so before the host system performs system initialization there is no system in the host machine and therefore no policy database that has already been written to; that is, only blank policy databases exist in the kernel space. The manner of selecting a blank policy database may follow the manner of determining the container policy database, which is not limited here.
A process namespace is the active space in which processes reside; it is mainly used to group and isolate processes, and a unique identifier can be assigned to it when it is created. In practical applications, to achieve process isolation, all processes of the host system typically run in the host process namespace and all processes of a container system typically run in that container's process namespace. Given this, a correspondence between each process namespace and a blank policy database may first be constructed, and the container policy database may then be determined according to the container process namespace to which the container init process belongs. Specifically, a correspondence is established between container process namespace A, in which container system A runs in the host machine, and blank policy database A, and a correspondence is established between container process namespace B, in which container system B runs in the host machine, and blank policy database B. The way the container policy database is determined is not specifically limited in this application.
In some specific implementations, in order to improve the kernel's reading efficiency while policy data is being written, the policy data may be written into the policy database by way of memory mapping. Specifically, the container init process copies the container policy data into memory, so that the container policy data is parsed in memory and the parsed container policy data is written into the container policy database. Copying the container policy data into memory means copying it into memory so that it presents as a file, which makes it convenient to read.
On the basis of the system initialization method described in the foregoing embodiment, the embodiment of the present application provides an access control method based on MAC, including the following steps: responding to a resource access application sent by a user space process of any system, determining a target strategy database corresponding to any system, wherein the target strategy database is a strategy database for writing strategy data of any system, and the target strategy database is constructed by any system initialization method provided in the various embodiments; the resource access application is reviewed based on the target policy database.
Specifically, after the system initialization method described in the foregoing embodiment is used to complete the construction of the container policy database and/or the host policy database, when a resource access application sent by any system is received, first, a user process namespace to which any system belongs is determined (because all process namespaces are deployed in the user space, the host process namespaces and the container process namespaces may be collectively referred to as a user process namespaces), that is, the user process namespaces corresponding to each process running in any system. Then, a target policy database corresponding to the user process name space is determined, namely, a policy database written with policy data of any system. Finally, the resource access application may be reviewed based on policy data in the target policy database (i.e., policy data corresponding to any one of the systems).
In practical applications, to manage the policy data in a policy database more effectively, policy data tables corresponding to different policy types are usually constructed in the policy database; that is, the target policy database includes at least one type of policy table. With such policy data tables, when a resource access application is reviewed, the policy type of the policy data it requires (or applies for) can be used to locate the matching policy data table in the target policy database quickly, and the target policy data needed to review the resource requested by the application can then be determined accurately from that table. Finally, the resource access application is reviewed based on the target policy data.
The foregoing describes various implementations of the system initialization method and the MAC-based access control method provided in the present application. Referring to fig. 2 and fig. 3, the technical solution of the embodiments of the present application is described below in a scenario where Security-Enhanced Linux (SELinux) is deployed.
First, during initialization of the system (container system and/or host system), selinux initialization is performed, comprising the following steps: the kernel starts the initialization environment; the kernel creates the user init process (host init processes and container init processes may be collectively referred to as user init processes because all init processes are deployed in user space); the init process (init for short) initializes the user space environment and creates device nodes; init mounts the file systems and loads the files that processes may access; init mounts selinuxfs; init loads the policy files into the kernel through selinuxfs; init enables the selinux function through selinuxfs.
Secondly, after selinux initialization and system initialization are complete, the system can implement access control based on the MAC mechanism through the following procedure: a host system user space process applies for resource access; the process triggers a system call, which traps into kernel space through an interrupt; the kernel first checks the parameters of the system call; the kernel then performs a DAC check on the current user of the system call; the kernel then performs a MAC check on the system call by looking up the access vector table (AVC); the kernel finally executes the corresponding resource access operation; and the kernel returns the system call execution result to user space.
Specifically, the host init process is first created in the kernel initialization flow; its context is in kernel mode, the system is not yet fully ready at that moment, some kernel threads have not been created, and init holds kernel super-privileges. The container init process is created in the container environment; its context is in user mode, it is created by the container management program running in user mode, and its authority is specified by the container management program. Kernel-mode permission is required to initialize a policy database, whereas the permission of the container system's init process is normally restricted to user mode, so the permission of the container init process is modified accordingly. The flows of the host system and the container system are similar; their differences include, but are not limited to, the host system's need to create the container manager.
Then, the host init process and the container init process mount the kernel selinuxfs into user space, and at the same time the kernel selects a policy database according to the process namespace to which the init process belongs; if none exists for the current process namespace, a policy database is newly created and its internal tables (i.e., the policy data tables) are initialized. The specific logic is as follows: a superblock for the kernel selinuxfs is mounted through the mount system call (different process namespaces may mount different superblocks), the selinuxfs file list is mapped into user space, and the kernel fills the policy database with policy data.
Then, the host init process and the container init process open the file named load in selinuxfs and write the rules by memory mapping; the kernel parses and classifies the rules and then inserts them into the corresponding tables in order.
Finally, because the processes of the host system and the processes of the container system belong to different process namespaces, when a kernel system call is triggered, the kernel first selects the corresponding policy database by obtaining the process namespace ID of the current process, and then queries the permission policy entries in the policy tables of that policy database to carry out the review.
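The load-and-classify step (rules written through the load file are parsed, sorted by policy type and inserted into per-type tables) and the lookup step (the kernel picks the policy database by the caller's process namespace ID and then consults the matching table) can be illustrated together with the following added example. It is a constructed user-space model written for this page, not the patent's implementation and not Linux kernel or SELinux code: the rule text format, the two policy types "allow" and "dontaudit", the fixed pool of blank databases, and the choice to deny when no database exists for a namespace are all assumptions of the model.

```c
#define _POSIX_C_SOURCE 200809L  /* for strtok_r */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of per-namespace policy databases (not kernel code). */
#define MAX_DBS   4     /* pre-built blank policy databases in "kernel space" */
#define MAX_RULES 32
#define NAME_LEN  24

enum policy_kind { KIND_ALLOW = 0, KIND_DONTAUDIT = 1, KIND_COUNT };

struct rule { char src[NAME_LEN], tgt[NAME_LEN], cls[NAME_LEN], perm[NAME_LEN]; };
struct policy_table { struct rule rules[MAX_RULES]; int n; };

struct policy_db {
    bool in_use;
    unsigned ns_id;                          /* process namespace the database belongs to */
    struct policy_table tables[KIND_COUNT];  /* one table per policy type */
};

static struct policy_db dbs[MAX_DBS];

/* Pick the database for a process namespace. At mount time (create == true)
 * an unused blank database is claimed when none exists for the namespace yet. */
struct policy_db *select_db(unsigned ns_id, bool create)
{
    for (int i = 0; i < MAX_DBS; i++)
        if (dbs[i].in_use && dbs[i].ns_id == ns_id)
            return &dbs[i];
    if (!create)
        return NULL;
    for (int i = 0; i < MAX_DBS; i++)
        if (!dbs[i].in_use) {
            memset(&dbs[i], 0, sizeof dbs[i]);
            dbs[i].in_use = true;
            dbs[i].ns_id = ns_id;
            return &dbs[i];
        }
    return NULL;                             /* every blank database is already taken */
}

/* Stand-in for the init process writing rules through the selinuxfs load file:
 * the blob is parsed line by line, each rule is classified by policy type and
 * inserted into the matching table. Constructed rule format (one per line):
 *   <allow|dontaudit> <source> <target>:<class> <permission>
 * Returns the number of rules inserted, or -1 on failure. */
int load_policy(unsigned ns_id, const char *blob)
{
    struct policy_db *db = select_db(ns_id, true);
    if (!db)
        return -1;
    char buf[1024];
    if (strlen(blob) >= sizeof buf)
        return -1;
    strcpy(buf, blob);
    int loaded = 0;
    char *save = NULL;
    for (char *line = strtok_r(buf, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        char kw[NAME_LEN], s[NAME_LEN], t[NAME_LEN], c[NAME_LEN], p[NAME_LEN];
        if (sscanf(line, "%23s %23s %23[^:]:%23s %23s", kw, s, t, c, p) != 5)
            continue;                        /* blank, comment or malformed line */
        int kind = !strcmp(kw, "allow") ? KIND_ALLOW :
                   !strcmp(kw, "dontaudit") ? KIND_DONTAUDIT : -1;
        if (kind < 0)
            continue;                        /* unknown policy type: not inserted */
        struct policy_table *tbl = &db->tables[kind];
        if (tbl->n >= MAX_RULES)
            return -1;
        struct rule *r = &tbl->rules[tbl->n++];
        strcpy(r->src, s); strcpy(r->tgt, t); strcpy(r->cls, c); strcpy(r->perm, p);
        loaded++;
    }
    return loaded;
}

static bool table_has(const struct policy_table *tbl, const char *src,
                      const char *tgt, const char *cls, const char *perm)
{
    for (int i = 0; i < tbl->n; i++) {
        const struct rule *r = &tbl->rules[i];
        if (!strcmp(r->src, src) && !strcmp(r->tgt, tgt) &&
            !strcmp(r->cls, cls) && !strcmp(r->perm, perm))
            return true;
    }
    return false;
}

/* The MAC step of a system call: choose the database by the caller's namespace
 * ID, then consult the table whose policy type matches the request.
 * Returns 1 to allow, 0 to deny; *audit reports whether a denial is logged. */
int mac_check(unsigned ns_id, const char *src, const char *tgt,
              const char *cls, const char *perm, bool *audit)
{
    *audit = true;
    struct policy_db *db = select_db(ns_id, false);
    if (!db)
        return 0;                            /* no database for this namespace: deny (model assumption) */
    if (table_has(&db->tables[KIND_ALLOW], src, tgt, cls, perm))
        return 1;
    if (table_has(&db->tables[KIND_DONTAUDIT], src, tgt, cls, perm))
        *audit = false;                      /* denied, but the denial is not logged */
    return 0;
}

int main(void)
{
    bool audit;
    /* Constructed policy blobs: host namespace 1, container namespace 2 */
    load_policy(1, "allow shell_t etc_t:file read\nallow shell_t etc_t:file write\n");
    load_policy(2, "# container policy\nallow shell_t etc_t:file read\ndontaudit shell_t etc_t:file write\n");
    printf("host write: %d\n", mac_check(1, "shell_t", "etc_t", "file", "write", &audit));
    printf("container write: %d (audit=%d)\n",
           mac_check(2, "shell_t", "etc_t", "file", "write", &audit), audit);
    return 0;
}
```

The point the model makes visible is the one the patent relies on: the same request tuple from the same source type yields different decisions depending only on which namespace the caller is in, because the namespace selects the database before any table is consulted. A namespace that never mounted and loaded a policy has no database at all, and the model treats that as a denial rather than falling through to the host database.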
In the embodiment of the application, part of the code logic on the init process creation path is modified: the different process namespaces of the host system and the container system are used to distinguish the mounts in the mount and loading process, and in the MAC-based access control path the process namespace of the process is judged so that the rules in the corresponding policy database are indexed for permission review. Without affecting the original single host system, access control based on the MAC mechanism under virtualized multi-system operation is thereby realized.
In fig. 2 and fig. 3, the Hook function chain refers to the abstraction layer of the kernel's Linux security module (LSM), which is responsible for associating the entry function and the exit function; specifically, it jumps to the corresponding function through a pre-configured security module. For example, if the security module is selinux, the pre-configured selinux security module jumps to the corresponding selinux function; the security module may also be rule set based access control (RSBAC), without limitation herein.
Referring to fig. 4, the embodiment of the present application further provides a computer device, where the computer device deploys a hosting system and a container system, where the hosting system has a corresponding hosting policy database, and the computer device includes:
a creating unit 401 for creating a container init process of the container system;
a writing unit 402, configured to start a container init process, so that the container init process mounts a container resource file of the container system, and write container policy data of the container system into a container policy database, where the container policy data is determined based on the container policy file in the container resource file, and the container policy database is used to perform MAC mandatory access control mechanism verification on the container system.
In a specific implementation, the creating unit 401 is specifically configured to cause the host system to create a container init process of the container system.
In a specific implementation, the creating unit 401 is specifically configured to cause the host system to create a container management program;
the container manager is started such that the container manager creates a container init process of the container system.
In one specific implementation, the computer device further includes: a modifying unit;
the modification unit is used for modifying the access right of the container init process into kernel mode right so that the container init process accesses the kernel space of the host system, and the container policy database and the host policy database are stored in the kernel space.
In a specific implementation, the kernel space of the host system includes a host policy database, and at least one blank policy database that is pre-constructed, and the writing unit 402 is specifically configured to determine a container policy database from the at least one blank policy database that is pre-constructed;
the container policy data of the container system is written to a container policy database.
In a specific implementation manner, the creating unit 401 is further configured to create a plurality of blank policy databases in a kernel space of the host system;
a creating unit 401, configured to create a host init process of the host system in response to kernel initialization of the host system;
the writing unit 402 is further configured to start the hosting init process, so that the hosting init process mounts a hosting resource file of the hosting system, and writes hosting policy data of the hosting system into any blank policy database, where any blank policy database is a hosting policy database.
In a specific implementation, the writing unit 402 is specifically configured to determine a container process namespace to which the container init process belongs;
based on the container process namespace, a container policy database is determined from at least one blank policy database constructed in advance.
In a specific implementation manner, the writing unit 402 is specifically configured to copy the container policy data to the memory by the container init process, so that the memory parses the container policy data, and writes the parsed container policy data into the container policy database.
Referring to fig. 5, an embodiment of the present application further provides a computer device, including:
a determining unit 501, configured to determine, in response to a resource access application sent by a user space process of any system, a target policy database corresponding to any system, where the target policy database is a policy database written with policy data of any system, and the target policy database is constructed by the system initialization method of the first aspect;
an examining unit 502, configured to review the resource access application based on the target policy database.
In a specific implementation manner, the examining unit 502 is specifically configured to search, from the target policy database, a similar policy table corresponding to the resource access application, and examine a policy type of policy data required by the resource access application, where the policy type is consistent with the policy type corresponding to the similar policy table;
determining target strategy data required for examining the resource access application from the similar strategy table;
based on the target policy data, the resource access application is reviewed.
Fig. 6 is a schematic structural diagram of a computer device provided in an embodiment of the present application, where the computer device 600 may include one or more central processing units (central processing units, CPU) 601 and a memory 605, where the memory 605 stores one or more application programs or data.
Wherein the memory 605 may be volatile storage or persistent storage. The program stored in the memory 605 may include one or more modules, each of which may include a series of instruction operations in the computer device. Still further, the central processor 601 may be arranged to communicate with the memory 605 to execute a series of instruction operations in the memory 605 on the computer device 600.
The computer device 600 may also include one or more power supplies 602, one or more wired or wireless network interfaces 603, one or more input/output interfaces 604, and/or one or more operating systems, such as Windows ServerTM, mac OS XTM, unixTM, linuxTM, freeBSDTM, etc.
The CPU 601 may perform the operations performed by the computer device in the embodiments shown in fig. 1 to 5, and detailed descriptions thereof are omitted herein.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM, random access memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Embodiments of the present application also provide a computer program product containing instructions that, when run on a computer, cause the computer to perform a system initialization method as described above, as well as a MAC-based access control method.

Claims (11)

1. A system initialization method applied to a computer device deploying a hosting system and a container system, the hosting system having a corresponding hosting policy database, the method comprising:
creating a container init process of the container system;
and starting the container init process, so that the container init process mounts a container resource file of the container system, and writes container policy data of the container system into a container policy database, wherein the container policy data is determined based on the container policy file in the container resource file, and the container policy database is used for performing MAC mandatory access control mechanism verification on the container system.
2. The method of claim 1, wherein the creating a container init process of the container system comprises:
the host system creates a container init process of the container system.
3. The method of claim 2, wherein the host system creates a container init process of the container system, comprising:
the host system creating the container manager;
the container manager is started such that the container manager creates a container init process of the container system.
4. The method of claim 1, wherein prior to said launching the container init process, the method further comprises:
modifying the access authority of the container init process into kernel mode authority so that the container init process accesses the kernel space of the host system, and storing the container policy database and the host policy database in the kernel space.
5. The method of claim 1, wherein the kernel space of the host system includes the host policy database and at least one blank policy database that is pre-built, the container init process writing container policy data of the container system to a container policy database, comprising:
determining the container strategy database from at least one blank strategy database constructed in advance;
and writing the container policy data of the container system into the container policy database.
6. The method of claim 5, wherein prior to determining the container policy database, the method further comprises:
creating a plurality of blank strategy databases in a kernel space of the host system;
creating a host init process of the host system in response to kernel initialization of the host system;
and starting the host init process, so that the host init process mounts a host resource file of the host system, and writes host strategy data of the host system into any blank strategy database, wherein the any blank strategy database is the host strategy database.
7. The method of claim 5, wherein said determining said container policy database from at least one blank policy database constructed in advance comprises:
determining a container process name space to which the container init process belongs;
based on the container process namespace, the container policy database is determined from at least one blank policy database constructed in advance.
8. The method of any of claims 1 to 7, wherein the container init process writes container policy data of the container system to a container policy database, comprising:
and the container init process copies the container policy data into a memory, so that the memory analyzes the container policy data and writes the analyzed container policy data into the container policy database.
9. A MAC-based access control method, comprising:
determining a target policy database corresponding to any system in response to a resource access application sent by a user space process of the any system, wherein the target policy database is a policy database for writing policy data of the any system, and the target policy database is constructed by the system initialization method according to any one of claims 1 to 7;
and examining the resource access application based on the target policy database.
10. The method of claim 9, wherein the target policy database comprises at least one type of policy table, wherein the auditing the resource access application based on the target policy database comprises:
searching a similar strategy table corresponding to the resource access application from the target strategy database, and checking the strategy type of strategy data required by the resource access application, wherein the strategy type is consistent with the strategy type corresponding to the similar strategy table;
determining target policy data required for examining the resource access application from the similar policy table;
and based on the target policy data, examining the resource access application.
11. A computer storage medium having instructions stored therein, which when executed on a computer, cause the computer to perform the method of any of claims 1-8 or 9-10.
CN202310469694.2A 2023-04-24 2023-04-24 System initialization method, access control method based on MAC (media access control) and related equipment Pending CN116474374A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310469694.2A CN116474374A (en) 2023-04-24 2023-04-24 System initialization method, access control method based on MAC (media access control) and related equipment

Publications (1)

Publication Number Publication Date
CN116474374A true CN116474374A (en) 2023-07-25

Family

ID=87224815


Country Status (1)

Country Link
CN (1) CN116474374A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination