WO2021227971A1 - Sandbox implementation method, apparatus, device and storage medium - Google Patents
Sandbox implementation method, apparatus, device and storage medium
- Publication number
- WO2021227971A1 (PCT/CN2021/092302)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- interface
- sandbox
- operating system
- target
- user mode
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Definitions
- This application relates to the field of computer technology, in particular to a sandbox realization method, device, equipment and storage medium.
- the first way is to use Trusted Execution Environment (TEE) technology: a secure area on the main processor of an electronic device serves as a trusted execution environment, and the application runs in that trusted execution environment, so that the security of the code and data loaded into the trusted execution environment is guaranteed.
- the second way is to use a user-mode library operating system (LibOS, Library Operating System) to isolate applications. LibOS can place the system call functions of the operating system in user mode and implement them in the form of a library. After the operating system is configured, applications can be loaded through LibOS to form a private storage area operating environment. In the operating environment of a private storage area, multiple applications can run simultaneously in the running LibOS.
- the application code itself needs to be modified, which destroys the integrity of the application.
- in the second method, there are multiple types of LibOS, the operation of LibOS usually requires complex configuration, and the configuration method of each LibOS is not universal, so one main operating system cannot be compatible with running many different types of LibOS.
- the embodiment of the present application provides a sandbox implementation method to improve the performance of target detection on an image.
- the embodiments of the present application also provide a sandbox implementation device, an electronic device, and a storage medium to ensure the implementation and application of the above method.
- an embodiment of the present application discloses a sandbox implementation method, and the method includes:
- the target dynamic library file is compiled and obtained according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system;
- the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
- the embodiment of the present application discloses a sandbox implementation method, and the method includes:
- the configuration information is received in the configuration interface;
- the configuration information includes the target storage path of the target dynamic library file; wherein the target dynamic library file is compiled according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system;
- the configuration information is sent to the server, so that when the server obtains the target dynamic library file according to the target storage path, the sandbox process calls the general interface to configure the target user mode operating system in the sandbox container corresponding to the sandbox process.
- the embodiment of the application also discloses a sandbox realization device, which includes:
- the path obtaining module is used for the sandbox process to obtain the target storage path of the target dynamic library file; wherein the target dynamic library file is compiled and obtained according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system;
- the configuration module is used for the sandbox process, when the target dynamic library file is obtained according to the target storage path, to configure the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
- the embodiment of the application also discloses a sandbox realization device, which includes:
- Display module used to display the configuration interface
- the interface configuration receiving module is used to receive configuration information in the configuration interface;
- the configuration information includes the target storage path of the target dynamic library file; wherein the target dynamic library file is compiled and obtained according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system;
- the sending module is configured to send the configuration information to the server, so that when the server obtains the target dynamic library file according to the target storage path, the sandbox process calls the general interface to configure the target user mode operating system in the sandbox container corresponding to the sandbox process.
- the embodiment of the present application also discloses an electronic device, including: a processor; and a memory on which executable code is stored.
- the processor is made to execute as in the embodiment of the present application.
- the embodiment of the present application also discloses one or more machine-readable storage media on which executable code is stored.
- the processor executes one or more The method described.
- the embodiments of the present application include the following advantages:
- the general interface can convert a set of general calling methods into the native calling method corresponding to the user mode operating system, so that the user can send the target storage path of the target dynamic library file corresponding to the target user mode operating system to the sandbox process according to actual needs, and the sandbox process obtains it according to the target storage path
- the sandbox process converts the general call method of user operations into the native call method of the target user mode operating system through the general interface therein, so as to realize the purpose of calling the target user mode operating system by the sandbox process.
- Figure 1 is a system architecture diagram of a sandbox implementation method according to an embodiment of the present application
- Figure 2 is a flow chart of the steps of a sandbox implementation method of the present application.
- Figure 3 is a flow chart of specific steps of a sandbox implementation method of the present application.
- Fig. 4 is a schematic diagram of interaction of a sandbox implementation method of the present application.
- FIG. 5 is an interactive schematic diagram of another sandbox implementation method of the present application.
- Fig. 6 is an interactive schematic diagram of another sandbox implementation method of the present application.
- FIG. 7 is an interactive schematic diagram of another sandbox implementation method of the present application.
- FIG. 8 is a flow chart of the steps of another sandbox implementation method of the present application.
- FIG. 9 is an interactive schematic diagram of another sandbox implementation method of the present application.
- FIG. 10 is a structural block diagram of an embodiment of a sandbox implementation device of the present application.
- FIG. 11 is a structural block diagram of another embodiment of a sandbox implementation device of the present application.
- FIG. 12 is a schematic structural diagram of a device provided by an embodiment of the present application.
- the electronic device may at least include an operating system and a hardware layer.
- the operating system is divided into a user layer and a kernel layer.
- the user layer is constructed based on the user mode
- the kernel layer is constructed based on the kernel mode
- the user layer is the activity space of the upper process.
- the execution of the upper process must rely on the resources of the kernel layer.
- the kernel layer controls the hardware resources of the computer and provides an environment for the upper process to run.
- the processes running in the kernel layer can access the computer resources in the kernel layer through system calls.
- the hardware layer can include hardware resources such as processors and memory.
- the above process refers to a computer program for completing one or more specific tasks. It can run at the user level, can interact with the user, can have a visual user interface, or run in the background.
- the sandbox (Sandboxie) is a virtual system program running at the user level, which is an execution environment that restricts application behavior in accordance with security policies.
- the sandbox process only allows authorized users to create sandboxes in the sandbox process.
- Other applications are running in the container, and the data in the sandbox container can be deleted after the application is run to ensure the specificity and security of the application data.
- the sandbox process creates an independent operating environment similar to a sandbox, and applications running inside it will not have a permanent impact on the external environment.
- a container is a modern way of packaging, sharing, and deploying applications. Its essence is a set of processes that are restricted by resources and isolated from each other.
- the container is at the operating system level.
- the container simulates an operating system, and the container shares the kernel and physical hardware resources of the host operating system.
- the resources of each sandbox container, such as the file system, processes, and network stack, are placed in a virtual isolation environment. Other containers cannot access this isolated environment, and changes produced by the outside world will not affect the sandbox container; that is, the sandbox container can be understood as an isolated environment in which the data security of the running application is not affected by the outside world.
- the sandbox process and the sandbox container can be compatible with the Open Container Initiative (OCI) standard to realize the standardized application of container technology.
- the resource configuration information of the sandbox container in the configuration file generated according to actual needs can be used to allocate hardware resources of a corresponding size for the sandbox container.
- the hardware resources include memory resources, processor resources, and so on.
- the user-mode operating system is a virtualized lightweight operating system that can allow applications to run in it. It is different from the virtual machine technology based on kernel mode.
- the user-mode operating system runs in the user layer. This makes it controllable by the user.
- in the embodiment of the present application, in order to ensure the data security of the user application, there is a requirement to place the application in a sandbox container created by the sandbox process. Based on this requirement, the embodiment of the present application can run the user-mode operating system in the sandbox container corresponding to the sandbox process, and run the application program in the user-mode operating system. In addition, since the user-mode operating system allows applications to run without modification, running the application program in the user-mode operating system in the sandbox container, rather than directly in the container, avoids modifying the application program itself and ensures the integrity of the application program.
- the user-mode operating system can be a user-mode library operating system (LibOS).
- the implementation of LibOS is based on the concept of unikernel.
- the operating system is designed as a modular library, which allows users to configure a customized operating system according to their needs.
- a high-level programming language can provide the resource management functions originally belonging to the operating system kernel to the application in the form of libraries, so that the application can directly access the underlying hardware and run efficiently.
- based on the different native operating system environments of electronic devices, many different types of LibOS have been produced, and different types of LibOS have different instruction forms and formats. For example, Occlum LibOS and Graphene-SGX LibOS were both developed on the Linux system for different needs, yet they have different command forms and formats; that is, their system interface function names, parameter types, and so on differ. As a result, complex configuration of LibOS is necessary when implementing LibOS in a native operating system environment, but the configuration methods of different types of LibOS are not universal, which leads to a higher configuration cost for a native operating system environment to use different LibOS, and compatibility of multiple LibOS cannot be achieved easily.
- in order to achieve compatibility of multiple types of LibOS in the native operating system environment, the target LibOS can be compiled into a target dynamic library file, and a general interface for calling the target user mode operating system is implemented in the target dynamic library file. The user can send to the sandbox process the target storage path of the target dynamic library file corresponding to the target LibOS that meets actual needs, and the sandbox process obtains the target dynamic library file according to the target storage path.
- the target LibOS is called by the sandbox process through the general interface, and the target LibOS is configured in the sandbox container corresponding to the sandbox process.
- a dynamic library file is a non-executable binary program file, which allows the program to share the code and other resources necessary to perform special tasks.
- dynamic library files can include .dll (Dynamic Link Library) format files;
- .so format files can be imported into the dynamic library file to be implemented in the form of a shared function library to provide the functions in other applications.
- the sandbox process can call the general interface function in the target dynamic library file.
- the sandbox process or other processes can also implement the Calling functions that implement other functions.
- each LibOS can be compiled into a dynamic library file, and a function of a general interface corresponding to one or more native operating interfaces in LibOS can be created.
- Each general interface includes a conversion rule, and the conversion rule can convert the recognizable instructions of the sandbox process into the recognizable instructions of the native operation interface. In this way, no matter what type of LibOS the user is currently requesting, the user can send a unified and general operation instruction to the sandbox process.
- LibOS1 uses type A instructions
- LibOS2 uses type B instructions
- LibOS1 is compiled to obtain dynamic library file 1
- LibOS2 is compiled to obtain dynamic library file 2.
- Common interface functions can be implemented in dynamic library file 1, including the rules for converting common instructions C to type A instructions; common interface functions can be implemented in dynamic library file 2, including the rules for converting common instructions C to type B instructions.
- the user can send a general command C to the sandbox process.
- the sandbox process converts the general command C into a type A instruction by calling the general interface function in dynamic library file 1, so that LibOS1 can complete the corresponding operations through the recognizable type A instructions; the same is true for LibOS2.
- the user can realize the control of LibOS1 and LibOS2 through a set of common instructions C, and realize the compatibility of the two LibOS in a native operating system.
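The LibOS1/LibOS2 arrangement described above, sketched in C as an added example (not code from the patent or from any LibOS project). Both backends, their "type A" text verbs and "type B" opcodes, the library paths, and the rule that nothing runs before initialization are constructed assumptions; a path lookup table stands in for loading the dynamic library file.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* General instruction C: the single vocabulary the sandbox process speaks. */
enum gen_op { GEN_INIT, GEN_LOAD_APP, GEN_CLOSE_APP, GEN_DESTROY };
struct gen_cmd { enum gen_op op; const char *arg; };

/* What each "dynamic library file" exports: one general interface function. */
struct gen_iface {
    const char *lib_path;                    /* constructed storage path */
    int (*call)(const struct gen_cmd *cmd);  /* holds the conversion rule */
};

/* LibOS1 (hypothetical): native interface takes type A, a text verb + arg. */
static char libos1_last[128];                /* last native instruction seen */
static int libos1_native(const char *verb, const char *arg)
{
    snprintf(libos1_last, sizeof libos1_last, "%s %s", verb, arg ? arg : "-");
    return 0;
}
static int libos1_general(const struct gen_cmd *cmd)      /* C -> type A */
{
    static const char *const verbs[] = { "boot", "spawn", "stop", "halt" };
    if (!cmd || (unsigned)cmd->op > GEN_DESTROY) return EINVAL;
    return libos1_native(verbs[cmd->op], cmd->arg);
}

/* LibOS2 (hypothetical): native interface takes type B, opcode + buffer. */
static unsigned libos2_last_opcode;
static char libos2_last_payload[128];
static int libos2_native(unsigned opcode, const char *buf, size_t len)
{
    if (len >= sizeof libos2_last_payload) return ENOMEM;
    libos2_last_opcode = opcode;
    memcpy(libos2_last_payload, buf, len);
    libos2_last_payload[len] = '\0';
    return 0;
}
static int libos2_general(const struct gen_cmd *cmd)      /* C -> type B */
{
    static const unsigned opcodes[] = { 0x10, 0x20, 0x21, 0x1F };
    const char *arg;
    if (!cmd || (unsigned)cmd->op > GEN_DESTROY) return EINVAL;
    arg = cmd->arg ? cmd->arg : "";
    return libos2_native(opcodes[cmd->op], arg, strlen(arg));
}

/* Stand-in for the files on disk; a real loader would dlopen() the path. */
static const struct gen_iface registry[] = {
    { "/opt/libos/libos1.so", libos1_general },
    { "/opt/libos/libos2.so", libos2_general },
};

struct sandbox { const struct gen_iface *lib; int initialized; };

/* Resolve the target storage path to a general interface (ENOENT if absent). */
int sandbox_open(struct sandbox *sb, const char *target_path)
{
    size_t i;
    sb->lib = NULL;
    sb->initialized = 0;
    if (!target_path) return EINVAL;
    for (i = 0; i < sizeof registry / sizeof registry[0]; i++) {
        if (strcmp(registry[i].lib_path, target_path) == 0) {
            sb->lib = &registry[i];
            return 0;
        }
    }
    return ENOENT;
}

/* Send one general instruction; the loaded library converts and executes it. */
int sandbox_send(struct sandbox *sb, enum gen_op op, const char *arg)
{
    struct gen_cmd cmd;
    int rc;
    if (!sb->lib) return ENOENT;
    if (op != GEN_INIT && !sb->initialized)
        return EPERM;   /* assumption: nothing runs before initialization */
    cmd.op = op;
    cmd.arg = arg;
    rc = sb->lib->call(&cmd);
    if (rc == 0 && op == GEN_INIT) sb->initialized = 1;
    if (rc == 0 && op == GEN_DESTROY) sb->initialized = 0;
    return rc;
}

int main(void)
{
    struct sandbox sb;
    if (sandbox_open(&sb, "/opt/libos/libos1.so") == 0 &&
        sandbox_send(&sb, GEN_INIT, "/run/inst1") == 0)
        printf("LibOS1 received: %s\n", libos1_last);
    if (sandbox_open(&sb, "/opt/libos/libos2.so") == 0 &&
        sandbox_send(&sb, GEN_INIT, "/run/inst2") == 0)
        printf("LibOS2 received: 0x%02X %s\n",
               libos2_last_opcode, libos2_last_payload);
    return 0;
}
```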
- the process of establishing a sandbox container in the sandbox process can include the following: the sandbox process can determine the size of the hardware resources required by the sandbox container according to actual needs, and, through the sandbox driver corresponding to the sandbox process in the kernel layer, hardware resources are allocated at the hardware layer to the sandbox container running LibOS. After the hardware resource allocation is completed, during the process of loading applications, LibOS can use its corresponding library system driver to directly access the hardware resources corresponding to the sandbox container to realize the operation of the application.
- each user-mode operating system can be compiled into a dynamic library file, and a general interface for calling the user-mode operating system can be implemented in the dynamic library file.
- the general interface can convert a set of general calling methods into the native calling method corresponding to the user-mode operating system, which allows the user to send the target storage path of the target dynamic library file corresponding to the target user-mode operating system to the sandbox process according to actual needs.
- the sandbox process obtains the target dynamic library file according to the target storage path.
- the sandbox process converts the general call method of user operations into the native call method of the target user mode operating system through the general interface therein, so as to realize the purpose of calling the target user mode operating system by the sandbox process.
- the target user-mode operating system is configured in the sandbox container corresponding to the sandbox process, so that the operation control of different types of user-mode operating systems in the native operating system can be realized through a set of general calling methods, thus achieving compatibility of multiple types of user-mode operating systems in one native operating system.
- an embodiment of the present application provides a flow chart of the steps of a sandbox implementation method, including:
- Step 101: The sandbox process obtains the target storage path of the target dynamic library file.
- the target dynamic library file is compiled and obtained according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system.
- the target storage path may be the storage path of the target dynamic library file in the memory.
- the user can configure the target storage path according to actual needs, and make the sandbox process receive the target storage path.
- the user-mode operating system can be a user-mode library operating system (LibOS).
- the implementation of LibOS is based on the concept of unikernel.
- the operating system is designed as a modular library, which is a way for users to configure guest
- a certain high-level programming language can provide the resource management functions originally belonging to the operating system kernel to applications in the form of libraries according to corresponding requirements, so that the applications can directly access the underlying hardware and run efficiently.
- the target LibOS can be compiled into a target dynamic library file, and a general interface for calling the target user mode operating system is implemented in the target dynamic library file.
- the interface includes conversion rules that can convert recognizable instructions of the sandbox process into recognizable instructions of the native operation interface.
- the target dynamic library file can provide a general interface to the sandbox process, and add a method declaration to convert the general method into a native method in the general interface.
- the general interface is similar to a specification and a protocol, and is an abstract concept. From a program point of view, simply put, a universal interface is a function declaration that converts a universal method into a native method.
- Step 102: When the target dynamic library file is obtained according to the target storage path, the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
- the container is at the operating system level, and an operating system can be simulated for each container during runtime, and the container will share the kernel and physical hardware resources of the host operating system.
- the resources of each sandbox container will be placed in a virtual isolation environment, and other containers cannot access this isolation environment.
- the change will not affect the sandbox container, that is, the sandbox container can be understood as an isolated environment in which the data security of the running application is not affected by the outside world.
- the user-mode operating system can be LibOS.
- This application can compile each LibOS into a dynamic library file, and create a function of a general interface corresponding to one or more native operating interfaces in LibOS. Each general interface includes conversion rules, and the conversion rules can convert the recognizable instructions of the sandbox process into the recognizable instructions of the native operation interface, so that no matter what type of LibOS the user is currently requesting, the user can send a unified and general operation instruction to the sandbox
- the sandbox process calls the corresponding general interface in the dynamic library file corresponding to the LibOS requested by the user, and converts the general operation instruction into an instruction recognizable by the native operation interface corresponding to the common interface, so that the native operation interface is connected to the native operation interface.
- the instructions that can be recognized by the operation interface and the corresponding operations are executed, so that a set of universal instructions can be used to realize the control of different types of LibOS in the native operating system, and realize the compatibility of multiple LibOS in
- LibOS can be converted into a dynamic library file through a compiler.
- Occlum LibOS can be converted into a dynamic library file liberpal-occlum.so.
- this application compiles each user-mode operating system into a dynamic library file, and implements a general interface for calling the user-mode operating system in the dynamic library file.
- the general interface can convert a set of general calling methods into the native calling method corresponding to the user mode operating system, so that the user can send the target storage path of the target dynamic library file corresponding to the target user mode operating system to the sandbox process according to actual needs, and the sandbox process obtains it according to the target storage path
- the sandbox process converts the general call method of user operations into the native call method of the target user mode operating system through the general interface therein, so as to realize the purpose of calling the target user mode operating system by the sandbox process.
- Referring to FIG. 3, a flowchart of specific steps of another embodiment of the sandbox implementation method of the present application is shown.
- Step 201: The sandbox process receives a configuration file; the configuration file includes a target storage path of the target dynamic library file.
- the target dynamic library file is compiled and obtained according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system.
- Referring to FIG. 4, an interactive schematic diagram of a sandbox implementation method of the present application is shown, in which the user can configure the target storage path of the target dynamic library file through the configuration interface 11 of the client 10, and can also configure the hardware resource plan of the target user mode operating system in the configuration interface 12 according to actual needs.
- click the "generate configuration file and send" button and the client 10 can send the configuration file to the electronic device 20.
- the device in FIG. 4 is an example, and other terminal devices may also be used for configuration.
- the user can also directly implement the configuration and generation of the configuration file in the configuration interface of the electronic device 20.
- the electronic device 20 may deliver the target LibOS to the client 10, that is, provide the client 10 with the permission to access the target LibOS.
- the electronic device 20 may have an operation interface, install a sandbox process, and use the configuration interface 21 and the configuration interface 22 to generate a configuration file by itself.
- the electronic device 20 can configure the target LibOS in the sandbox container according to the configuration file through the sandbox process, and provide the user with the target LibOS that can be operated.
- the configuration interface is converted to the interface of the subsequent operation target LibOS.
- Step 202: When the target dynamic library file is obtained according to the target storage path, the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
- For details of this step, reference may be made to step 102 above, which will not be repeated here.
- the target user mode operating system includes a native operation interface for invoking the target user mode operating system, and the general interface is used for invoking the native operation interface corresponding to the general interface.
- step 202 may specifically include:
- the sandbox process receives a first type instruction.
- the sandbox process calls the universal interface, converts the first type instruction into the second type instruction according to the conversion rule, and sends the second type instruction to the The native operation interface corresponding to the general interface.
- the universal interface references its corresponding native operation interface in function, so that the universal interface can send data to its corresponding native operation interface.
- the LibOS has a common initialization interface and corresponding native initialization operation interface; a common loading interface and corresponding native loading operation interface; and a common destruction interface and corresponding native destruction operation interface.
- the sandbox process can call the general interface in the target dynamic library file according to the difference between the first type instruction and the second type instruction.
- the conversion rule is to convert the first type instruction into the second type instruction recognizable by the native operation interface, and send the second type instruction to the native operation interface corresponding to the general interface.
- the target user mode operating system is configured in the sandbox container corresponding to the sandbox process according to the second type instruction through the native operation interface.
- the operation corresponding to the second-type instruction can be further performed according to the native operation interface and the second-type instruction, and the target user mode operating system is configured in the sandbox container corresponding to the sandbox process.
- the universal interface includes at least one of a universal initialization interface, a universal application loading interface, a universal application closing interface, and a universal destruction interface.
- the general initialization interface is used to allocate resources for the target user mode operating system in the sandbox container, and initialize the target user mode operating system;
- the universal application program loading interface is used to load at least one application program to run after the initialization of the target user mode operating system is completed;
- the general application program closing interface is used to close the running application program
- the universal destruction interface is used to shut down the target user mode operating system and release system resources.
- the four basic functions implemented by the target user mode operating system include: initializing the target user mode operating system, loading application programs in the target user mode operating system, closing applications running in the target user mode operating system, and shutting down the target user mode operating system and releasing system resources.
- the execution operation interface 23 of the electronic device 20 includes four functional options: "initialize", "load application", "close application", and "Destroy and release resources". The target dynamic library file has a common initialization interface and corresponding native initialization operation interface, a common application loading interface and corresponding native loading operation interface, a common application closing interface and corresponding native close operation interface, and a general destruction interface and corresponding native destruction operation interface.
- the user can select the corresponding function option according to actual needs.
- the electronic device 20 will generate the first type instruction common to the function option, and use the corresponding general interface in the target dynamic library file to convert the first type instruction into the second type instruction, and the second type instruction is sent to the native operation interface corresponding to the general interface for execution.
- the user can select the "load application" option in the execution interface 23 of FIG. 6, and further enter the selection interface 24 of FIG.
- the selection of the program realizes the purpose of loading the selected application program into the target user mode operating system through the universal application program loading interface.
- after the user completes the initialization of the target user-mode operating system, the user can select the "Destroy and release resources" option in the execution interface 23 of FIG. 6, further delete the data stored in the hardware resources corresponding to the sandbox container through the general destruction interface, and deliver the hardware resources to the host operating system, so as to close the target user mode operating system and release system resources.
- the parameter attr->instance_path refers to the path of the LibOS instance that is passed in;
- the parameter attr->log_level refers to the log level;
- the parameter int(*pal_init)() refers to the initialization operation.
- a return value of 0 means success; a return value of ENOENT means instance_path does not exist; any other return value is a LibOS custom error.
- the function definition for the universal application loading interface is:
- the parameter path refers to the path of the binary file (application) to be run;
- the parameter argv refers to the arguments of the binary, terminated by a null element;
- the parameter exit_value refers to the exit code after the binary finishes running;
- the parameter stdio refers to the stdio handle used by the binary;
- the parameter int(*pal_exec)() refers to loading the binary application.
- a return value of 0 means success; a return value of ENOENT means path does not exist; a return value of EACCES means a file access error on path; a return value of ENOEXEC means path is not an executable file; a return value of ENOMEM means insufficient memory.
- the parameter sig refers to the value of the signal sent;
- the parameter pid means: when pid is -1, the signal is sent to all processes; when it is 0, it is sent to the current process; when it is greater than 0, it is sent to the process with the specified pid;
- a return value of 0 means success; a return value of EINVAL means sig is invalid; a return value of ESRCH means the process number is invalid; a return value of EPERM means the signal cannot be sent; a return value of ENOSYS means the function is not implemented; any other return value is a LibOS custom error.
- the description of the function definition is: stop running the binary file.
- a return value of 0 means success; a return value of ENOSYS means the function is not implemented; any other return value is a LibOS custom error.
- the configuration file further includes system resource configuration information.
- the general interface includes a general initialization interface
- step 202 may specifically include:
- the sandbox process allocates system resources corresponding to the resource configuration information in the sandbox container corresponding to the sandbox process by calling the general initialization interface, and initializes the target user mode operating system based on the system resources.
- the parameters selected by the electronic device 20 in the configuration interface 22 can be used as resource configuration information of the hardware resources allocated to the sandbox container corresponding to the sandbox process, where the resource configuration information includes but is not limited to memory resources, processor resources, network card resources, etc.
- the process of establishing a sandbox container in the sandbox process can include: the sandbox process determines the hardware resource size required by the sandbox container according to actual needs and, through the sandbox driver corresponding to the sandbox process in the kernel layer, allocates hardware resources at the hardware layer for the sandbox container that runs LibOS. After hardware resource allocation is completed, LibOS can, while loading applications, directly access the hardware resources corresponding to the sandbox container through the library system driver corresponding to LibOS, so that the application can run.
- the target user mode operating system is initialized based on the system resources; specifically, the variables of the target user mode operating system are assigned values based on the system resource parameters, for example by assigning default values to the variables, so that the target user mode operating system is in the default state, waiting for an application to be loaded.
- Step 203 Convert the sandbox container configured with the target user mode operating system into an image file or a software development kit.
- Step 204 Provide the image file or software development kit to the client.
- the image file is similar to a compressed package file: it packs a specific series of files into a single file according to a certain format so that users can download and use it conveniently. Its most important feature is that it can be recognized by specific software and can be burned directly to disc.
- an image file in the broader sense can contain more information, for example system files, boot files, partition table information, etc., so that the image file can contain all the information of a partition or even a hard disk.
- Software development kits are generally a collection of development tools used by software engineers to build application software for specific software packages, software frameworks, hardware platforms, and operating systems.
- the sandbox container configured with the target user mode operating system may also be converted into an image file or software development kit and then delivered to the user, so that the user can conveniently use the sandbox container configured with the target user-mode operating system through the image file or the software development kit.
- after a sandbox container configured with a target user-mode operating system is converted into an image file or software development kit and delivered to the user, the user can run other non-sandbox processes through the client as needed. When the sandbox process is to be executed, the corresponding image file or software development kit can be opened directly, so that the sandbox container configured with the target user-mode operating system runs directly to meet the needs of the user.
- the configuration file further includes: the type of the target user mode operating system, and the method may further include:
- Step A1 when it is determined that the type is a preset type, step 202 is executed.
- the configuration file may also include the "ENCLAVE_RUNTIME_TYPE" option, in which the type of LibOS can be selected, such as occlum, graphene, etc.
- the sandbox process can be preset with the types of LibOS that it supports, and it checks the type of the target user-mode operating system in the configuration file. Only when the type of the target user-mode operating system is a preset type does it go on to execute the step in which, when the target dynamic library file is obtained according to the target storage path, the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
- the sandbox process can report an error for the user to correct.
- the method may further include:
- Step B1 Open the target dynamic library file corresponding to the target storage path through the preset library function tool.
- Step B2 in a case where it is detected that the target dynamic library file includes the function identifier of the universal interface, step 202 is executed.
- the library function tool can read and process the dynamic library file in the specified format.
- after the target storage path is received, the target dynamic library file corresponding to the target storage path is opened through the preset library function tool, and the code in the target dynamic library file is traversed.
- the legality of the target dynamic library file can thus be judged, and the step in which the sandbox process configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface is then executed.
- the sandbox process can report an error for the user to correct.
- the method may further include:
- Step C1 Start the sandbox process.
- Step C2 The sandbox container is created by the sandbox process.
- the process of establishing a sandbox container in the sandbox process may include: the sandbox process determines the hardware resource size that the sandbox container needs according to actual needs and, through the sandbox driver corresponding to the sandbox process in the kernel layer, allocates hardware resources at the hardware layer to the sandbox container that runs LibOS. After hardware resource allocation is completed, LibOS can directly access the hardware resources corresponding to the sandbox container through the library system driver corresponding to LibOS, so that the application can run.
- the embodiment of the application compiles each user-mode operating system into a dynamic library file, and implements a general interface for calling the user-mode operating system in the dynamic library file.
- the general interface can convert a set of general calling methods into the native calling method corresponding to the user-mode operating system, so that the user can send the target storage path of the target dynamic library file corresponding to the target user-mode operating system to the sandbox process according to actual needs. After the sandbox process obtains the target dynamic library file according to the target storage path, it converts the general calling method of the user operation into the native calling method of the target user mode operating system through the general interface in that file, so that the sandbox process can call the target user mode operating system.
- this completes the configuration of the target user mode operating system in the sandbox container corresponding to the sandbox process, so that different types of user mode operating systems can be operated and controlled in the native operating system through one set of general calling methods, achieving compatibility of multiple types of user-mode operating systems in one native operating system.
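The checks of Steps A1 and B2 and the general-to-native conversion described above, as an added example that is not code from the patent. The symbol names `pal_kill` and `pal_destroy`, the `sandbox_*` names, the `dlsym`-shaped resolver callback and the use of EINVAL/ENOSYS for rejected calls are assumptions, and the in-memory "LibOS" is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Argument and entry-point types, following the page's parameter lists. */
struct pal_attr { const char *instance_path; const char *log_level; };
typedef int (*pal_init_fn)(struct pal_attr *attr);
typedef int (*pal_exec_fn)(const char *path, const char *argv[], void *stdio, int *exit_value);
typedef int (*pal_kill_fn)(int sig, int pid);    /* symbol name assumed */
typedef int (*pal_destroy_fn)(void);             /* symbol name assumed */
struct pal_ops {
    pal_init_fn init; pal_exec_fn exec; pal_kill_fn kill; pal_destroy_fn destroy;
    int initialized;
};

/* Same shape as dlsym(3): a real sandbox process passes dlsym and a dlopen handle. */
typedef void *(*symbol_resolver)(void *handle, const char *name);

/* Step A1: accept only the preset LibOS types. */
int runtime_type_allowed(const char *type) {
    static const char *const preset[] = { "occlum", "graphene" };
    for (size_t i = 0; i < sizeof preset / sizeof preset[0]; i++)
        if (type != NULL && strcmp(type, preset[i]) == 0) return 1;
    return 0;
}

/* Steps A1 and B2: bind all four general-interface symbols, or none of them. */
int pal_bind(struct pal_ops *ops, const char *type, void *handle, symbol_resolver resolve) {
    static const char *const names[4] = { "pal_init", "pal_exec", "pal_kill", "pal_destroy" };
    void *sym[4];
    memset(ops, 0, sizeof *ops);
    if (!runtime_type_allowed(type)) return EINVAL;
    for (int i = 0; i < 4; i++)
        if ((sym[i] = resolve(handle, names[i])) == NULL) return ENOSYS;
    ops->init = (pal_init_fn)sym[0];  ops->exec = (pal_exec_fn)sym[1];
    ops->kill = (pal_kill_fn)sym[2];  ops->destroy = (pal_destroy_fn)sym[3];
    return 0;
}

/* First-type instructions: the commands the sandbox process understands. */
enum sandbox_cmd { CMD_INIT, CMD_LOAD_APP, CMD_CLOSE_APP, CMD_DESTROY };
struct sandbox_req {
    enum sandbox_cmd cmd;
    struct pal_attr *attr;                                  /* CMD_INIT */
    const char *path; const char **argv; int *exit_value;   /* CMD_LOAD_APP */
    int sig, pid;                                           /* CMD_CLOSE_APP */
};

/* Convert a first-type instruction into the native call, enforcing call order. */
int sandbox_dispatch(struct pal_ops *ops, const struct sandbox_req *req) {
    int rc;
    if (ops->init == NULL) return ENOSYS;                           /* nothing bound */
    if (req->cmd == CMD_INIT && ops->initialized) return EINVAL;    /* double init */
    if (req->cmd != CMD_INIT && !ops->initialized) return EINVAL;   /* use before init */
    switch (req->cmd) {
    case CMD_INIT:
        rc = ops->init(req->attr);
        ops->initialized = (rc == 0);
        return rc;
    case CMD_LOAD_APP:  return ops->exec(req->path, req->argv, NULL, req->exit_value);
    case CMD_CLOSE_APP: return ops->kill(req->sig, req->pid);
    case CMD_DESTROY:
        rc = ops->destroy();
        if (rc == 0) ops->initialized = 0;
        return rc;
    }
    return EINVAL;                                                  /* unknown command */
}

/* Constructed stand-in for one LibOS's native operation interface. */
static int native_init(struct pal_attr *a) { return (a && a->instance_path) ? 0 : ENOENT; }
static int native_exec(const char *path, const char *argv[], void *stdio, int *exit_value) {
    (void)argv; (void)stdio;
    if (path == NULL) return ENOENT;
    if (exit_value) *exit_value = 0;
    return 0;
}
static int native_kill(int sig, int pid) { return (sig > 0 && pid >= -1) ? 0 : EINVAL; }
static int native_destroy(void) { return 0; }

void *full_libos(void *handle, const char *name) {      /* exports all four symbols */
    (void)handle;
    if (strcmp(name, "pal_init") == 0) return (void *)native_init;
    if (strcmp(name, "pal_exec") == 0) return (void *)native_exec;
    if (strcmp(name, "pal_kill") == 0) return (void *)native_kill;
    if (strcmp(name, "pal_destroy") == 0) return (void *)native_destroy;
    return NULL;
}
void *partial_libos(void *handle, const char *name) {   /* pal_destroy is missing */
    return strcmp(name, "pal_destroy") == 0 ? NULL : full_libos(handle, name);
}

int main(void) {
    struct pal_ops ops;
    struct pal_attr attr = { "/constructed/instance", "info" };
    struct sandbox_req init = { CMD_INIT, &attr, NULL, NULL, NULL, 0, 0 };
    printf("partial library -> %d\n", pal_bind(&ops, "occlum", NULL, partial_libos));
    if (pal_bind(&ops, "occlum", NULL, full_libos) == 0)
        printf("init -> %d\n", sandbox_dispatch(&ops, &init));
    return 0;
}
```

Binding all four symbols before any call means a library that passes the type check but lacks one entry point is rejected up front rather than failing halfway through a container's life cycle.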
- an embodiment of the present application also provides a flow chart of the steps of a sandbox implementation method, including:
- Step 301 Display the configuration interface.
- Step 302 Receive configuration information in the configuration interface; the configuration information includes the target storage path of the target dynamic library file; wherein the target dynamic library file is compiled according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system.
- the client 10 can display the configuration interface 11 and the configuration interface 12.
- the user can configure the target storage path of the target dynamic library file through the configuration interface 11 of the client 10. The user can also configure, in the configuration interface 12 and according to actual needs, the hardware resource scheme for the target user-mode operating system. After the user inputs a selection operation in the configuration interface 11 and the configuration interface 12, configuration information is generated correspondingly.
- the client terminal 10 may be a mobile terminal, or a terminal device such as a tablet computer and a personal computer, which is not limited in the embodiment of the present application.
- the configuration information may include the target storage path of the target dynamic library file, so that the server 20 can obtain the target dynamic library file according to the target storage path.
- the configuration information may also include system resource configuration information, so that the server 20 allocates, in the sandbox container corresponding to the sandbox process, system resources corresponding to the resource configuration information, and initializes the target user mode operating system based on the system resources.
- Step 303 Send the configuration information to the server, so that when the server obtains the target dynamic library file according to the target storage path, the sandbox process calls the general interface to configure the target user mode operating system in the sandbox container corresponding to the sandbox process.
- after the configuration information is generated in step 302, the user clicks the "generate configuration file and send" button, and the client 10 can send the configuration file generated according to the configuration information to the server 20, so that, when the server 20 obtains the target dynamic library file according to the target storage path, the sandbox process running in the server 20 configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
- the server 20 in FIG. 4 is an example.
- the cloud server 30 is used to receive the configuration information generated by the client 10 in the configuration interface and, according to the configuration information, in the case that the target dynamic library file is obtained according to the target storage path, the sandbox process running in the cloud server 30 configures the target user mode operating system in the sandbox container corresponding to the sandbox process by calling the general interface.
- the embodiment of this application compiles each user-mode operating system into a dynamic library file, and implements a general interface for calling the user-mode operating system in the dynamic library file.
- the general interface can convert a set of general calling methods into the native calling method corresponding to the user-mode operating system, so that the user can send the target storage path of the target dynamic library file corresponding to the target user-mode operating system to the sandbox process according to actual needs. After the sandbox process obtains the target dynamic library file according to the target storage path, it converts the general calling method of the user operation into the native calling method of the target user mode operating system through the general interface in that file, so that the sandbox process can call the target user mode operating system.
- this completes the configuration of the target user mode operating system in the sandbox container corresponding to the sandbox process, so that different types of user mode operating systems can be operated and controlled in the native operating system through one set of general calling methods, achieving compatibility of multiple types of user-mode operating systems in one native operating system.
- this embodiment also provides a sandbox implementation device, which is applied to electronic devices such as terminal devices and servers.
- referring to FIG. 10, a structural block diagram of an embodiment of a sandbox implementation device according to an embodiment of the present application is shown, which may specifically include the following modules:
- the path obtaining module 401 is configured to obtain the target storage path of the target dynamic library file by the sandbox process; wherein the target dynamic library file is compiled and obtained according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system;
- the path acquisition module 401 includes:
- the configuration receiving submodule is configured to receive a configuration file by the sandbox process; the configuration file includes the target storage path of the target dynamic library file.
- the configuration module 402 is configured to, when the target dynamic library file is obtained according to the target storage path, have the sandbox process call the universal interface to configure the target user mode operating system in the sandbox container corresponding to the sandbox process.
- the target user mode operating system includes a native operation interface for invoking the target user mode operating system, and the general interface is used for invoking the native operation interface corresponding to the general interface.
- a conversion rule between a first type of instruction and a second type of instruction is set in the universal interface;
- the first type of instruction is an instruction recognizable by the sandbox process, and the second type of instruction is an instruction recognizable by the native operating interface;
- the configuration module 402 includes:
- a receiving sub-module configured to receive a first type instruction by the sandbox process
- the conversion sub-module is configured to call the universal interface by the sandbox process, convert the first type instruction into the second type instruction according to the conversion rule, and send the second type instruction to the native operation interface corresponding to the universal interface;
- the configuration sub-module is configured to configure the target user mode operating system in the sandbox container corresponding to the sandbox process according to the second type instruction through the native operating interface.
- the universal interface includes at least one of a universal initialization interface, a universal application loading interface, a universal application closing interface, and a universal destruction interface; wherein the universal initialization interface is used to allocate resources for the target user mode operating system in the sandbox container and to initialize the target user mode operating system;
- the universal application loading interface is used to load at least one application program to run after the target user mode operating system is initialized;
- the universal application closing interface is used to close the running application;
- the universal destruction interface is used to close the target user mode operating system and release system resources.
- the configuration file further includes system resource configuration information.
- the configuration module 402 includes:
- the allocation submodule is used for the sandbox process to allocate system resources corresponding to the resource configuration information in the sandbox container corresponding to the sandbox process by calling the general initialization interface, and to initialize the target user mode operating system based on the system resources.
- the configuration file further includes: the type of the target user mode operating system; the device further includes:
- the first verification module is configured to execute the configuration module when it is determined that the type is a preset type.
- the opening module is used to open the target dynamic library file corresponding to the target storage path through a preset library function tool
- the second verification module is configured to execute the configuration module when it is detected that the target dynamic library file includes the function identifier of the universal interface.
- the device further includes:
- the startup module is used to start the sandbox process
- the creation module is used to create the sandbox container by the sandbox process.
- the device further includes:
- the providing module is used to provide the image file or software development kit to the client.
- the embodiment of this application compiles each user-mode operating system into a dynamic library file, and implements a general interface for calling the user-mode operating system in the dynamic library file.
- the general interface can convert a set of general calling methods into the native calling method corresponding to the user-mode operating system.
- the sandbox process converts the general calling method of user operations into the native calling method of the target user mode operating system through the general interface in the target dynamic library file, so that the sandbox process can call the target user mode operating system.
- referring to FIG. 11, there is shown a structural block diagram of an embodiment of a sandbox implementation device according to an embodiment of the present application, which may specifically include the following modules:
- the display module 501 is used to display the configuration interface
- the interface configuration receiving module 502 is configured to receive configuration information in the configuration interface; the configuration information includes the target storage path of the target dynamic library file; wherein the target dynamic library file is compiled and obtained according to the target user mode operating system, and the target dynamic file includes a general interface for calling the target user mode operating system;
- the sending module 503 is configured to send the configuration information to the server, so that when the server obtains the target dynamic library file according to the target storage path, the sandbox process calls the universal interface to configure the target user mode operating system in the sandbox container corresponding to the sandbox process.
- the embodiment of this application compiles each user-mode operating system into a dynamic library file, and implements a general interface for calling the user-mode operating system in the dynamic library file.
- the general interface can convert a set of general calling methods into the native calling method corresponding to the user-mode operating system.
- the sandbox process converts the general calling method of user operations into the native calling method of the target user mode operating system through the general interface in the target dynamic library file, so that the sandbox process can call the target user mode operating system.
- the embodiment of the present application also provides a non-volatile readable storage medium.
- the storage medium stores one or more modules (programs). When the one or more modules are applied to a device, the device can execute the instructions for each method step in the embodiment of this application.
- the embodiments of the present application provide one or more machine-readable storage media on which instructions are stored.
- the electronic device executes the method described in one or more of the above embodiments.
- the electronic equipment includes various types of equipment such as terminal equipment and servers (clusters).
- the embodiments of the present disclosure may be implemented as a device that uses any appropriate hardware, firmware, software, or any combination thereof to perform a desired configuration.
- the device may include electronic devices such as terminal devices, servers (clusters), and the like.
- Fig. 12 schematically shows an exemplary apparatus 700 that can be used to implement the various embodiments described in the embodiments of the present application.
- FIG. 12 shows an exemplary apparatus 700 having one or more processors 702, a control module (chipset) 704 coupled to at least one of the processor(s) 702, the memory 706 coupled to the control module 704, the non-volatile memory (NVM)/storage device 708 coupled to the control module 704, one or more input/output devices 710 coupled to the control module 704, and the network interface 712 coupled to the control module 704.
- the processor 702 may include one or more single-core or multi-core processors, and the processor 702 may include any combination of a general-purpose processor or a special-purpose processor (such as a graphics processor, an application processor, a baseband processor, etc.).
- the apparatus 700 can be used as the terminal device, server (cluster) and other devices described in the embodiments of the present application.
- the apparatus 700 may include one or more computer-readable storage media (for example, the memory 706 or the NVM/storage device 708) having instructions 714, and a storage medium related to the one or more computer-readable storage media.
- the apparatus 700 may include one or more processors 702 configured to execute instructions 714 to implement modules to perform the actions described in this disclosure.
- control module 704 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 702 and/or to any suitable device or component in communication with the control module 704.
- the control module 704 may include a memory controller module to provide an interface to the memory 706.
- the memory controller module may be a hardware module, a software module, and/or a firmware module.
- the memory 706 may be used to load and store data and/or instructions 714 for the device 700, for example.
- the memory 706 may include any suitable volatile memory, for example, a suitable DRAM.
- the memory 706 may include double data rate fourth-generation synchronous dynamic random access memory (DDR4 SDRAM).
- control module 704 may include one or more input/output controllers to provide interfaces to the NVM/storage device 708 and the input/output device(s) 710.
- NVM/storage device 708 may be used to store data and/or instructions 714.
- the NVM/storage device 708 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more hard drives (HDD), one or more compact disc (CD) drives and/or one or more digital versatile disc (DVD) drives).
- the NVM/storage device 708 may include storage resources that are physically part of the device on which the apparatus 700 is installed, or it may be accessible by the device and may not necessarily be a part of the device.
- the NVM/storage device 708 can be accessed via the input/output device(s) 710 via the network.
- the input/output device(s) 710 may provide an interface for the apparatus 700 to communicate with any other suitable devices.
- the input/output device 710 may include communication components, audio components, sensor components, and the like.
- the network interface 712 can provide an interface for the device 700 to communicate through one or more networks, and the device 700 can communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example by accessing a wireless network based on a communication standard such as WiFi, 2G, 3G, 4G, 5G, etc., or a combination of them.
- at least one of the processor(s) 702 may be packaged with the logic of one or more controllers (e.g., memory controller modules) of the control module 704.
- at least one of the processor(s) 702 may be packaged with the logic of one or more controllers of the control module 704 to form a system in package (SiP).
- at least one of the processor(s) 702 may be integrated with the logic of one or more controllers of the control module 704 on the same die.
- at least one of the processor(s) 702 may be integrated with the logic of one or more controllers of the control module 704 on the same die to form a system on chip (SoC).
- the apparatus 700 may be, but is not limited to, a terminal device such as a server, a desktop computing device, or a mobile computing device (for example, a laptop computing device, a handheld computing device, a tablet computer, a netbook, etc.).
- the device 700 may have more or fewer components and/or different architectures.
- the device 700 includes one or more cameras, keyboards, liquid crystal display (LCD) screens (including touchscreen displays), non-volatile memory ports, multiple antennas, graphics chips, application specific integrated circuits (ASIC) and speakers.
- the detection device can use the main control chip as a processor or a control module; sensor data, location information, etc. are stored in a memory or NVM/storage device; the sensor group can be used as an input/output device; and the communication interface can include a network interface.
- the description is relatively simple, and for related parts, please refer to the part of the description of the method embodiment.
- These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing terminal equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
- These computer program instructions can also be loaded on a computer or other programmable data processing terminal equipment, so that a series of operation steps are executed on the computer or other programmable terminal equipment to produce computer-implemented processing, so that the instructions executed on the computer or other programmable terminal equipment provide steps for implementing functions specified in a flow or multiple flows in the flowchart and/or a block or multiple blocks in the block diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
Claims (26)
- 一种沙箱实现方法,其特征在于,所述方法包括:由沙箱进程获取目标动态库文件的目标存储路径;其中,所述目标动态库文件根据目标用户态操作系统编译获得,所述目标动态文件包括调用所述目标用户态操作系统的通用接口;在根据所述目标存储路径获取到所述目标动态库文件的情况下,由所述沙箱进程通过调用所述通用接口,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统。
- 根据权利要求1所述的方法,其特征在于,所述目标用户态操作系统包括用于调用所述目标用户态操作系统的原生操作接口,所述通用接口用于调用与所述通用接口对应的原生操作接口。
- 根据权利要求2所述的方法,其特征在于,所述通用接口中设置有第一类型指令和第二类型指令之间的转换规则;所述第一类型指令为所述沙箱进程的可识别指令,所述第二类型指令为所述原生操作接口的可识别指令;所述在根据所述目标存储路径获取到所述目标动态库文件的情况下,由所述沙箱进程通过调用所述通用接口,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统,包括:由所述沙箱进程接收第一类型指令;由所述沙箱进程调用所述通用接口,将所述第一类型指令按照所述转换规则转换为所述第二类型指令,并将所述第二类型指令发送给与所述通用接口对应的原生操作接口;通过所述原生操作接口,根据所述第二类型指令,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统。
- 根据权利要求3所述的方法,其特征在于,所述通用接口包括通用初始化接口、通用应用程序加载接口、通用应用程序关闭接口、通用销毁接口中的至少一种;其中,所述通用初始化接口用于在所述沙箱容器为所述目标用户态操作系统分配资源,以及对所述目标用户态操作系统进行初始化;所述通用应用程序加载接口用于在所述目标用户态操作系统初始化完成之后,加载至少一个应用程序进行运行;所述通用应用程序关闭接口用于关闭运行中的应用程序;所述通用销毁接口用于关闭所述目标用户态操作系统并释放系统资源。
- 根据权利要求1-4任一项所述的方法,其特征在于,所述由沙箱进程获取目标动态库文件的目标存储路径,包括:由所述沙箱进程接收配置文件;所述配置文件包括所述目标动态库文件的目标存储路径。
- 根据权利要求5所述的方法,其特征在于,所述配置文件还包括系统资源配置信息,在所述通用接口包括通用初始化接口的情况下,所述沙箱进程通过调用所述通用接口,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统,包括:由所述沙箱进程通过调用所述通用初始化接口,在所述沙箱进程对应的沙箱容器中分配与所述资源配置信息对应的系统资源,并基于所述系统资源对所述目标用户态操作系统进行初始化。
- 根据权利要求6所述的方法,其特征在于,所述配置文件还包括:目标用户态操作系统的类型;所述方法还包括:在确定所述类型为预设类型的情况下,执行在根据所述目标存储路径获取到所述目标动态库文件的情况下,沙箱进程通过调用所述通用接口,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统的步骤。
- 根据权利要求1所述的方法,其特征在于,所述方法还包括:通过预设的库函数工具,打开所述目标存储路径对应的目标动态库文件;在检测到所述目标动态库文件包括所述通用接口的函数标识的情况下,执行由所述沙箱进程通过调用所述通用接口,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统的步骤。
- 根据权利要求1所述的方法,其特征在于,所述方法还包括:启动所述沙箱进程;由所述沙箱进程创建所述沙箱容器。
- 根据权利要求1所述的方法,其特征在于,所述方法还包括:将配置有所述目标用户态操作系统的所述沙箱容器,转换为镜像文件或软件开发工具包;向客户端提供所述镜像文件或软件开发工具包。
- 一种沙箱实现方法,其特征在于,所述方法包括:显示配置界面;在所述配置界面中接收配置信息;所述配置信息包括目标动态库文件的目标存储路径;其中,所述目标动态库文件根据目标用户态操作系统编译获得,所述目标动态文件包括调用所述目标用户态操作系统的通用接口;向服务端发送所述配置信息,以供所述服务端在根据所述目标存储路径获取到所述目标动态库文件的情况下,由沙箱进程通过调用所述通用接口,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统。
- 一种沙箱实现装置,其特征在于,所述装置包括:路径获取模块,用于由沙箱进程获取目标动态库文件的目标存储路径;其中,所述目标动态库文件根据目标用户态操作系统编译获得,所述目标动态文件包括调用所述目标用户态操作系统的通用接口;配置模块,用于在根据所述目标存储路径获取到所述目标动态库文件的情况下,由所述沙箱进程通过调用所述通用接口,在所述沙箱进程对应的沙箱容器中配置所述目标用户态操作系统。
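- The apparatus according to claim 12, characterized in that the target user-mode operating system includes a native operation interface for calling the target user-mode operating system, and the generic interface is used to call the native operation interface corresponding to the generic interface.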
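- The apparatus according to claim 13, characterized in that a conversion rule between first-type instructions and second-type instructions is set in the generic interface; the first-type instructions are instructions recognizable by the sandbox process, and the second-type instructions are instructions recognizable by the native operation interface; and the configuration module comprises: a receiving submodule, configured to receive, by the sandbox process, a first-type instruction; a conversion submodule, configured to call, by the sandbox process, the generic interface to convert the first-type instruction into a second-type instruction according to the conversion rule, and to send the second-type instruction to the native operation interface corresponding to the generic interface; and a configuration submodule, configured to configure, through the native operation interface and according to the second-type instruction, the target user-mode operating system in the sandbox container corresponding to the sandbox process.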
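- The apparatus according to claim 14, characterized in that the generic interface includes at least one of a generic initialization interface, a generic application loading interface, a generic application closing interface and a generic destruction interface; wherein the generic initialization interface is used to allocate resources for the target user-mode operating system in the sandbox container and to initialize the target user-mode operating system; the generic application loading interface is used to load at least one application for running after initialization of the target user-mode operating system is complete; the generic application closing interface is used to close a running application; and the generic destruction interface is used to shut down the target user-mode operating system and release system resources.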
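- The apparatus according to any one of claims 12-15, characterized in that the path obtaining module comprises: a configuration receiving submodule, configured to receive, by the sandbox process, a configuration file, the configuration file including the target storage path of the target dynamic library file.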
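- The apparatus according to claim 16, characterized in that the configuration file further includes system resource configuration information, and, where the generic interface includes a generic initialization interface, the configuration module comprises: an allocation submodule, configured to allocate, by the sandbox process calling the generic initialization interface, system resources corresponding to the resource configuration information in the sandbox container corresponding to the sandbox process, and to initialize the target user-mode operating system based on the system resources.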
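- The apparatus according to claim 17, characterized in that the configuration file further includes the type of the target user-mode operating system; and the apparatus further comprises: a first verification module, configured to execute the configuration module when the type is determined to be a preset type.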
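- The apparatus according to claim 12, characterized in that the apparatus further comprises: an opening module, configured to open, by means of a preset library function tool, the target dynamic library file corresponding to the target storage path; and a second verification module, configured to execute the configuration module when it is detected that the target dynamic library file includes the function identifier of the generic interface.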
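- The apparatus according to claim 12, characterized in that the apparatus further comprises: a starting module, configured to start the sandbox process; and a creating module, configured to create, by the sandbox process, the sandbox container.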
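- The apparatus according to claim 12, characterized in that the apparatus further comprises: a conversion module, configured to convert the sandbox container configured with the target user-mode operating system into an image file or a software development kit; and a providing module, configured to provide the image file or the software development kit to a client.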
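- A sandbox implementation apparatus, characterized in that the apparatus comprises: a display module, configured to display a configuration interface; an interface configuration receiving module, configured to receive configuration information in the configuration interface, the configuration information including a target storage path of a target dynamic library file, wherein the target dynamic library file is compiled from a target user-mode operating system and includes a generic interface for calling the target user-mode operating system; and a sending module, configured to send the configuration information to a server, so that the server, when the target dynamic library file is obtained according to the target storage path, configures, by a sandbox process calling the generic interface, the target user-mode operating system in a sandbox container corresponding to the sandbox process.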
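- An electronic device, characterized by comprising: a processor; and a memory storing executable code which, when executed, causes the processor to perform the method according to one or more of claims 1-10.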
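- One or more machine-readable storage media storing executable code which, when executed, causes a processor to perform the method according to one or more of claims 1-10.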
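- An electronic device, characterized by comprising: a processor; and a memory storing executable code which, when executed, causes the processor to perform the method according to claim 11.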
- One or more machine-readable storage media storing executable code which, when executed, causes a processor to perform the method according to claim 11.
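The gating and lifecycle the claims describe (accept only a preset LibOS type, confirm the library exposes every generic interface symbol before calling any of them, then drive init, load, close and destroy in order) can be sketched in C as follows. This is an added example, not code from the patent; the symbol names, the type strings, the `resolve_fn` callback that stands in for a `dlsym`-style lookup, and the mock libraries are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Assumed symbol names for the four generic interfaces (init, load, close, destroy). */
static const char *const REQUIRED[4] = {
    "libos_init", "libos_load_app", "libos_close_app", "libos_destroy" };
/* Assumed preset LibOS types that the sandbox process accepts. */
static const char *const ALLOWED[] = { "libos-a", "libos-b" };
typedef int (*generic_fn)(const char *arg);
/* Stand-in for a dlsym-style lookup on an opened library handle. */
typedef generic_fn (*resolve_fn)(void *handle, const char *symbol);
enum { SBX_OK = 0, SBX_BAD_TYPE = -1, SBX_MISSING_SYMBOL = -2, SBX_BAD_STATE = -3 };
enum sbx_state { SBX_UNBOUND, SBX_BOUND, SBX_READY, SBX_DESTROYED };
struct sandbox { generic_fn fn[4]; enum sbx_state state; };

/* Bind only if the type is preset and every symbol resolves; no library code runs first. */
int sbx_bind(struct sandbox *s, const char *type, void *handle, resolve_fn resolve) {
    generic_fn tmp[4];
    size_t i, n = sizeof ALLOWED / sizeof ALLOWED[0];
    s->state = SBX_UNBOUND;
    for (i = 0; i < n && strcmp(type, ALLOWED[i]) != 0; i++) {}
    if (i == n) return SBX_BAD_TYPE;
    for (i = 0; i < 4; i++)
        if ((tmp[i] = resolve(handle, REQUIRED[i])) == NULL) return SBX_MISSING_SYMBOL;
    memcpy(s->fn, tmp, sizeof tmp);
    s->state = SBX_BOUND;
    return SBX_OK;
}
/* Lifecycle init -> (load | close)* -> destroy, enforced by the state field. */
int sbx_init(struct sandbox *s, const char *resources) {
    if (s->state != SBX_BOUND || s->fn[0](resources) != 0) return SBX_BAD_STATE;
    s->state = SBX_READY;
    return SBX_OK;
}
int sbx_load_app(struct sandbox *s, const char *app) {
    return s->state == SBX_READY ? s->fn[1](app) : SBX_BAD_STATE;
}
int sbx_close_app(struct sandbox *s, const char *app) {
    return s->state == SBX_READY ? s->fn[2](app) : SBX_BAD_STATE;
}
int sbx_destroy(struct sandbox *s) {
    if (s->state != SBX_READY) return SBX_BAD_STATE;
    s->state = SBX_DESTROYED;
    return s->fn[3](NULL);
}
/* Constructed mock libraries: one exports all four symbols, one lacks destroy. */
static int calls;
static int mock_fn(const char *arg) { (void)arg; calls++; return 0; }
generic_fn mock_full(void *h, const char *sym) { (void)h; (void)sym; return mock_fn; }
generic_fn mock_partial(void *h, const char *sym) {
    (void)h; return strcmp(sym, "libos_destroy") == 0 ? NULL : mock_fn; }
```

With a real library, `resolve` would wrap the platform's symbol lookup (for example `dlsym` on a handle returned by `dlopen`), and a failed bind leaves the sandbox unbound so no later call reaches the library.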
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010415447.0 | 2020-05-15 | ||
CN202010415447.0A CN113297566B (zh) | 2020-05-15 | 2020-05-15 | Sandbox implementation method, apparatus, device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021227971A1 true WO2021227971A1 (zh) | 2021-11-18 |
Family
ID=77318037
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/092302 WO2021227971A1 (zh) | 2020-05-15 | 2021-05-08 | Sandbox implementation method, apparatus, device and storage medium |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN113297566B (zh) |
WO (1) | WO2021227971A1 (zh) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
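CN114625439A (zh) * | 2022-03-10 | 2022-06-14 | Tencent Music Entertainment Technology (Shenzhen) Co., Ltd. | Sub-application running method based on micro-frontend architecture, electronic device and storage medium |
CN115994361A (zh) * | 2023-03-22 | 2023-04-21 | Beijing Shengxin Network Technology Co., Ltd. | Container vulnerability detection method, system, electronic device and readable storage medium |
CN117609989A (zh) * | 2023-12-24 | 2024-02-27 | Unit 61660 of the Chinese People's Liberation Army | Method for protecting personal information on the Internet by hiding application characteristics |
CN117806852A (zh) * | 2024-03-01 | 2024-04-02 | Aotuo Technology Co., Ltd. | Interface calling method, apparatus, storage medium and processor |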
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
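CN114253240B (zh) * | 2021-12-20 | 2024-08-27 | China Telecom Corporation Limited | Control method, apparatus, device and storage medium for cloud-based industrial system equipment |
CN116010941B (zh) * | 2023-03-28 | 2023-06-30 | Zhejiang Lab | Sandbox-based multi-center medical cohort construction system and method |
CN116798457B (zh) * | 2023-08-29 | 2023-12-15 | Zhongfu Security Technology Co., Ltd. | Disc-burning behavior identification and control method, system, device and medium |
CN116880866A (zh) * | 2023-09-07 | 2023-10-13 | Jingdong Technology Information Technology Co., Ltd. | Method, device and system for installing an operating system |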
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
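CN103493011A (zh) * | 2011-03-03 | 2014-01-01 | Microsoft Corporation | Application compatibility with library operating systems |
CN103699620A (zh) * | 2013-12-19 | 2014-04-02 | Zhuhai Century Dingli Communication Technology Co., Ltd. | Method and system for implementing database operations using an ORM framework in object-oriented programming |
CN108345496A (zh) * | 2017-01-23 | 2018-07-31 | Huawei Technologies Co., Ltd. | Method and apparatus for running an application |
WO2019200102A1 (en) * | 2018-04-11 | 2019-10-17 | Cornell University | Method and system for improving software container performance and isolation |
CN107615243B (zh) * | 2015-07-28 | 2019-12-13 | Huawei Technologies Co., Ltd. | Method, apparatus and system for calling an operating system library |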
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080222659A1 (en) * | 2007-03-09 | 2008-09-11 | Microsoft Corporation | Abstracting operating environment from operating system |
US9389933B2 (en) * | 2011-12-12 | 2016-07-12 | Microsoft Technology Licensing, Llc | Facilitating system service request interactions for hardware-protected applications |
2020
- 2020-05-15 CN CN202010415447.0A patent/CN113297566B/zh active Active
2021
- 2021-05-08 WO PCT/CN2021/092302 patent/WO2021227971A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
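CN103493011A (zh) * | 2011-03-03 | 2014-01-01 | Microsoft Corporation | Application compatibility with library operating systems |
CN103699620A (zh) * | 2013-12-19 | 2014-04-02 | Zhuhai Century Dingli Communication Technology Co., Ltd. | Method and system for implementing database operations using an ORM framework in object-oriented programming |
CN107615243B (zh) * | 2015-07-28 | 2019-12-13 | Huawei Technologies Co., Ltd. | Method, apparatus and system for calling an operating system library |
CN108345496A (zh) * | 2017-01-23 | 2018-07-31 | Huawei Technologies Co., Ltd. | Method and apparatus for running an application |
WO2019200102A1 (en) * | 2018-04-11 | 2019-10-17 | Cornell University | Method and system for improving software container performance and isolation |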
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
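CN114625439A (zh) * | 2022-03-10 | 2022-06-14 | Tencent Music Entertainment Technology (Shenzhen) Co., Ltd. | Sub-application running method based on micro-frontend architecture, electronic device and storage medium |
CN115994361A (zh) * | 2023-03-22 | 2023-04-21 | Beijing Shengxin Network Technology Co., Ltd. | Container vulnerability detection method, system, electronic device and readable storage medium |
CN117609989A (zh) * | 2023-12-24 | 2024-02-27 | Unit 61660 of the Chinese People's Liberation Army | Method for protecting personal information on the Internet by hiding application characteristics |
CN117806852A (zh) * | 2024-03-01 | 2024-04-02 | Aotuo Technology Co., Ltd. | Interface calling method, apparatus, storage medium and processor |
CN117806852B (zh) * | 2024-03-01 | 2024-05-14 | Aotuo Technology Co., Ltd. | Interface calling method, apparatus, storage medium and processor |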
Also Published As
Publication number | Publication date |
---|---|
CN113297566B (zh) | 2024-04-02 |
CN113297566A (zh) | 2021-08-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021227971A1 (zh) | Sandbox implementation method, apparatus, device and storage medium | |
US8112610B2 (en) | Partition bus | |
US7181610B2 (en) | Method and system to encapsulate a driver written for an operating system (OS) runtime environment in an OS independent environment firmware extension | |
RU2406113C2 (ru) | Systems and methods for dual-mode virtualization of real and idealized hardware devices | |
EP2843552B1 (en) | Method and system for executing callback functions delivered via a communication between a user-space application and the operating system kernel | |
WO2022016848A1 (zh) | Method and apparatus for deploying applications according to service roles | |
US20100205604A1 (en) | Systems and methods for efficiently running multiple instances of multiple applications | |
CN109032706A (zh) | Smart contract execution method, apparatus, device and storage medium | |
CN110007980B (zh) | Implementation method and apparatus for a multi-service server | |
US10445126B2 (en) | Preloading enhanced application startup | |
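JP2010521034A (ja) | Method for abstracting an operating environment from an operating system | |
WO2022222537A1 (zh) | AI application deployment method and related platform, cluster, medium and program product | |
JP4000327B2 (ja) | System and method for inducing asynchronous behavior changes in managed application processes | |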
US20230409417A1 (en) | Automated generation of application programming interfaces for microservices | |
WO2022170946A1 (zh) | Access control method and related apparatus | |
US10389746B2 (en) | Multi-tenant environment using pre-readied trust boundary components | |
Maaskant | A robust component model for consumer electronic products | |
US9141352B2 (en) | Dynamically building locale objects at run-time | |
US10120777B1 (en) | Remediating serialization incompatibilities | |
US11249760B2 (en) | Parameter management between programs | |
CN105550050A (zh) | Hardware communication method and apparatus | |
Rothman et al. | Harnessing the UEFI Shell: Moving the platform beyond DOS | |
CN112948062B (zh) | Device file pass-through method, device and computer storage medium | |
US20190102230A1 (en) | Managing split packages in a module system | |
Pandurov et al. | Platform for extending home automation gateway's functionality with plugin mechanism |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21805136 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21805136 Country of ref document: EP Kind code of ref document: A1 |
|
32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established |
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205N DATED 13/01/2023) |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21805136 Country of ref document: EP Kind code of ref document: A1 |