WO2022194156A1 - Distributed access control method, related apparatus and system (分布式的访问控制方法、相关装置及系统) - Google Patents
- Publication number: WO2022194156A1 (PCT application PCT/CN2022/080973)
- Authority: WO (WIPO, PCT)
- Prior art keywords: caller, instance, callee, access, resource
Classifications
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L63/105: Multiple levels of security
- H04L12/2829: Home automation networks; reporting to a device within the home network, where reception of the reported information automatically triggers execution of a home appliance functionality, involving user profiles according to which that execution is triggered
- G06F21/53: Monitoring users, programs or devices to maintain platform integrity during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6245: Protecting personal data, e.g. for financial or medical purposes
- G06F8/36: Software reuse
- G06F9/45558: Hypervisor-specific management and integration aspects
- G06F2009/45595: Network integration; enabling network access in virtual machine instances
- G06F9/52: Program synchronisation; mutual exclusion, e.g. by means of semaphores
- G06F9/547: Remote procedure calls [RPC]; Web services
- G06F2221/2113: Multi-level security, e.g. mandatory access control
- G06F2221/2137: Time limited access, e.g. to a computer or data
Definitions
- The present application relates to the field of computer and communication technologies, and in particular to a distributed access control method, related apparatus and system.
- The present application provides a distributed access control method, related device and system, which can ensure that resources are shared safely between devices and that device resources are fully and reasonably utilized.
- In a first aspect, the present application provides an access control method applied to a communication system that includes a first device, a second device and a third device. A first caller is installed on the first device, a second caller on the second device, and a callee on the third device. The first caller, the second caller and the callee are each an application program (APP) or a functional component: an APP is a program entity that implements multiple functions, and a functional component is a program entity that implements a single function.
- The method of the first aspect includes: the first device sends a first access request to the third device, the first access request being used by the first caller to invoke the callee to access a first resource in the third device; the second device sends a second access request to the third device, the second access request being used by the second caller to invoke the callee to access a second resource in the third device; the third device, in response to the first access request, creates a first instance of the callee, runs the first instance and accesses the first resource; and the third device, in response to the second access request, creates a second instance of the callee, runs the second instance and accesses the second resource. The second instance is different from the first instance; both are processes or threads running in random access memory (RAM), and the two instances are isolated from each other.
- In this way, the same callee can activate multiple instances and serve different callers through different instances. Because the instances are isolated, one instance cannot read another instance's memory data, which provides a system-level memory data security mechanism, prevents each caller from abusing or leaking the others' in-memory data, and ensures data security. (Note that this isolation is only as strong as the instance boundary: separate processes, or the sandboxes described below, give address-space isolation, whereas threads within a single process share memory.)
- After creating the first instance and the second instance of the callee, the third device can store the calling relationship between the first caller in the first device and the first instance, and the calling relationship between the second caller in the second device and the second instance.
- The calling relationship between the first caller and the callee may also be stored, as may the calling relationship between the second caller and the callee. The calling relationships stored by each electronic device can be used later to find the cause when a problem occurs in the calling process.
- The third device may run the first instance in a first sandbox and the second instance in a second sandbox. If the third device generates first application data while running the first instance, it can store the first application data in the first sandbox; if it generates second application data while running the second instance, it can store the second application data in the second sandbox.
- In some implementations, the callee includes a first part and a second part, the first part being deployed in the first device and the second part in the third device; the first resource then includes a third resource located in the first device. Before the first device sends the first access request to the third device, it can create a third instance of the first caller and run the third instance within the scope of a first permission. After the first device sends the first access request to the third device, it can create a fourth instance of the first part and run the fourth instance within the scope of a second permission to access the first resource. The third instance and the fourth instance have the same user identity (UID), but the second permission scope is different from the first permission scope. The first instance is an instance of the second part.
- In this way, the first device runs the caller's instance and the callee's instance in different permission scopes even though they share a UID, which prevents the callee's instance from acquiring data beyond its permission scope, avoids permission expansion, and guarantees data security in the first device.
- After the first device sends the first access request to the third device, if the running state of the first caller changes to a second running state, the first device can send the first caller's second running state to the third device, and the third device may then change the running state of the first instance to the second running state.
- In this way, the running state of the callee instance follows the running state of the caller in the task domain, so that the callee and the caller are kept consistent. This prevents the callee's permission scope from being expanded (for example, by an instance that keeps running after its caller has left the foreground) and avoids problems such as data abuse and leakage.
- After the first device sends the first access request to the third device, if the third device fails to respond to the first access request, the first device sends a third access request to a fourth device in the communication system. The fourth device may be the same as or different from the third device, and the callee is installed in the fourth device. The fourth device may, in response to the third access request, create a fifth instance of the callee, run the fifth instance and access the third resource of the third device.
- In this way, the tasks executing in the task domain can be resumed, resource calls between devices are not affected, and the user experience is not affected.
- Before sending the first access request to the third device, the first device may apply for and obtain the first caller's permission to access the first resource, and send the permission information for the first caller to access the first resource to the third device. In this way, the first device sends the access request to the third device only when it holds the permission corresponding to that request, which ensures the data security of the third device during the calling process.
- After the third device runs the first instance and before the instance accesses the first resource, the third device can check whether the first caller has permission to access the first resource. If the first caller does not have that permission, the third device applies to the first device for the first caller's permission to access the first resource; the first device applies for and obtains the permission and sends the first caller's permission information for the first resource to the third device. In this way, the third device responds to the access request only when the permission corresponding to the request is held, which ensures the data security of the third device during the calling process.
- The permission of the first caller to access the first resource that the first device applies for and obtains may be valid only within a first time period. In this way, granted permissions can be time-limited to ensure data security during the calling process.
- The first device may send to the third device a message revoking the first caller's permission to access the first resource. In this way, permissions can be revoked according to the user's needs, avoiding permission expansion.
- When the first caller is a third-party application, the first device may record first information after sending the first caller's permission information to the third device; the first information indicates that the third device has obtained the first caller's permission information. After the first caller's permission changes on the first device, the changed permission information can be sent to the third device according to the first information.
- In this way, updated permission information is synchronized to exactly those electronic devices that have obtained the permission. Synchronizing permission information on demand, according to the calling requirement, only needs to synchronize the permission information involved in the call request, which reduces the amount of synchronized data and the consumption of memory and performance.
- When the first caller is a system application, the first device sends the permission information to the third device after establishing a connection with the third device and before sending the first access request. In this way, by passing the permission information once the connection is established, the burden of permission synchronization during subsequent calls is reduced.
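The procedure described in the preceding paragraphs (one isolated callee instance per caller, a permission obtained and synchronized to the callee's device before the resource is touched, time-limited grants, revocation, and propagation of permission changes only to the devices that actually received the permission) as a runnable model. This is an added example, not code from the patent or from any implementation of it; the class and method names, the numeric clock passed as `now`, and the in-memory tables are this example's own assumptions.

```python
"""Toy model of the callee-side device ("third device") from the text above.
One isolated callee instance per caller; resource access gated on a
time-limited, revocable permission; the caller's device remembers which
hosts received a permission so that only those hosts get later changes.
Added example, not code from the patent; all names are this example's own."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CallerId:
    """Identity information sent with a request: device ID, UID, PID, app name."""
    device_id: str
    uid: int
    pid: int
    app: str


@dataclass
class PermissionGrant:
    """One caller's permission for one resource, valid until `expires_at`."""
    caller: CallerId
    resource: str
    expires_at: float  # seconds on the host's clock (assumed synchronised)
    revoked: bool = False

    def is_valid(self, now: float) -> bool:
        return not self.revoked and now < self.expires_at


class CalleeInstance:
    """One process/thread of the callee serving exactly one caller.

    Data written by an instance lands only in its own sandbox, so the instance
    serving another caller can never read it (the isolation the text relies on).
    """

    def __init__(self, instance_id: int, caller: CallerId, resource: str) -> None:
        self.instance_id = instance_id
        self.caller = caller
        self.resource = resource
        self._sandbox: Dict[str, bytes] = {}

    def store(self, key: str, data: bytes) -> None:
        self._sandbox[key] = data

    def load(self, key: str) -> Optional[bytes]:
        return self._sandbox.get(key)


class CalleeHost:
    """Device hosting the callee: permission table plus per-caller instances."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[CallerId, str], PermissionGrant] = {}
        self._instances: Dict[CallerId, CalleeInstance] = {}
        self._next_id = 1

    def sync_permission(self, grant: PermissionGrant) -> None:
        """Receive (or overwrite) permission information from a caller's device."""
        self._grants[(grant.caller, grant.resource)] = grant

    def handle_access_request(
        self, caller: CallerId, resource: str, now: float
    ) -> Tuple[Optional[CalleeInstance], str]:
        """Give the caller its own instance, but only while a valid permission
        exists for (caller, resource). Returns (instance or None, reason)."""
        grant = self._grants.get((caller, resource))
        if grant is None:
            return None, "no permission: host must ask the caller's device to apply"
        if not grant.is_valid(now):
            return None, "permission expired or revoked"
        inst = self._instances.get(caller)
        if inst is None:  # a new caller always gets a new, separate instance
            inst = CalleeInstance(self._next_id, caller, resource)
            self._next_id += 1
            self._instances[caller] = inst
        return inst, "ok"

    def instance_count(self) -> int:
        return len(self._instances)


class CallerDevice:
    """The caller's device: obtains permissions and pushes them to hosts."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[CallerId, str], PermissionGrant] = {}
        # the "first information": which hosts hold a copy of which grant
        self._synced_to: Dict[Tuple[CallerId, str], List[CalleeHost]] = {}

    def grant(self, caller: CallerId, resource: str, valid_until: float) -> PermissionGrant:
        """Permission obtained from the user, valid only within a time period."""
        g = PermissionGrant(caller, resource, valid_until)
        self._grants[(caller, resource)] = g
        return g

    def send_permission(self, caller: CallerId, resource: str, host: CalleeHost) -> None:
        g = self._grants[(caller, resource)]
        host.sync_permission(PermissionGrant(g.caller, g.resource, g.expires_at, g.revoked))
        self._synced_to.setdefault((caller, resource), []).append(host)

    def revoke(self, caller: CallerId, resource: str) -> int:
        """Revoke locally and push the change only to hosts that received the
        grant. Returns how many hosts were notified."""
        g = self._grants[(caller, resource)]
        g.revoked = True
        hosts = self._synced_to.get((caller, resource), [])
        for h in hosts:
            h.sync_permission(PermissionGrant(g.caller, g.resource, g.expires_at, True))
        return len(hosts)
```

The sandboxes here are plain dictionaries; in a real system each instance would be a separate process or sandbox so that the isolation is enforced by the OS rather than by discipline. The check in `handle_access_request` is deliberately repeated on every request rather than once at instance creation, so that an expiry or a revocation pushed by the caller's device takes effect on the next access without tearing the instance down.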
- After the third device, in response to the second access request, creates the second instance of the callee and runs it, and before the second instance accesses the second resource: if the third device does not satisfy the authorization conditions, for example its distance from the user exceeds a first value or it is currently not suitable for authorization, it can notify a fifth device in the communication system to apply for a first permission, where the first permission includes permission to call the callee in the third device to access the resource in the third device.
- In this way, the third device can flexibly select an authorization device in the distributed system, and that authorization device obtains from the user the permission required for the access request. Authorization is thus completed flexibly and without disturbing the user, ensuring data security during the calling process.
- Before the third device runs the first instance and accesses the first resource, the first device may send the identity information of the first caller to the third device. The identity information of the first caller includes one or more of the following: the PID and UID of the first caller, the account ID logged in on the first device, the system ID of the first device within the communication system, and the device ID of the first device. Different identity information corresponds to different access rights; the third device can confirm the access rights corresponding to the first caller's identity information, including the first caller's right to access the callee.
- In this way, the third device can decide, according to the caller's identity information, whether to respond to the access request initiated by the caller, and can determine the caller's rights from that identity information, so as to further meet the resource access requirements in the distributed system and avoid data security problems during the calling process.
- The first device may receive the security level of the third device sent by the third device, and confirm sending the first access request according to the security levels of the first device and the third device. The security level of a device is determined by the security capability provided by the device's software and hardware: the higher the security capability provided by the software and hardware, the higher the security level of the device.
- In this way, the first device can decide whether to send the access request according to the security level of the object device and/or the subject device, so that resources are selectively opened according to the security level of different devices, avoiding the risk of data leakage.
- Before the third device runs the first instance and accesses the first resource, the third device may receive the security level of the first device sent by the first device, and confirm running the first instance and accessing the first resource according to the security levels of the first device and the third device. The security level of a device is determined by the security capability provided by its software and hardware, as above.
- In this way, the third device can decide whether to respond to the access request according to the security level of the object device and/or the subject device, so that resources are selectively opened according to the security level of different devices, avoiding the risk of data leakage.
- The first device may receive the security level of the callee sent by the third device, and confirm sending the first access request according to the security levels of the caller and the callee. The security level of an application is determined by the security capability provided by the application: the higher the security capability provided by the application, the higher the security level of the application.
- In this way, the first device can decide whether to initiate an access request according to the security levels of the caller and the callee, so that resources are selectively opened according to the security level of different applications, avoiding the risk of data leakage.
- Before the third device runs the first instance and accesses the first resource, the third device may receive the security level of the first caller sent by the first device, and confirm running the first instance and accessing the first resource according to the security levels of the caller and the callee, where the security level of an application is determined as above.
- In this way, the third device can decide whether to respond to the access request according to the security level of the caller, so that resources are selectively opened according to the security level of different applications, avoiding the risk of data leakage.
- The first device may confirm sending the first access request according to the security sensitivities of the first device and the third device. The security sensitivity of a device is determined by the privacy degree of the data in the device: the higher the privacy degree of the data, the higher the security sensitivity of the device.
- In this way, the first device can decide whether to initiate an access request according to the security sensitivity of the object device and/or the subject device, so that resources are selectively opened according to the security sensitivity of different devices, avoiding the risk of data leakage.
- Before the third device runs the first instance and accesses the first resource, the third device may confirm running the first instance and accessing the first resource according to the security sensitivities of the first device and the third device, where the security sensitivity of a device is determined by the privacy degree of the data it holds, as above.
- In this way, the third device can decide whether to respond to the access request according to the security sensitivity of the object device and/or the subject device, so that resources are selectively opened according to the security sensitivity of different devices, avoiding the risk of data leakage.
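The three admission signals in the preceding paragraphs (the caller's identity information mapped to rights, the security level of the devices and applications on each side, and the security sensitivity of the devices) combined into one decision that either side can evaluate: the caller's device before it sends the request, and the callee's device before the instance touches the resource. This is an added example, not code from the patent; the attribute names, the integer levels, the policy fields and the rights table are all assumptions made for illustration.

```python
"""Admission check a device can run from the signals the text lists: the caller's
identity information, the security level of devices and applications, and the
security sensitivity of devices. Added example, not from the patent; the
attribute names, numeric levels and the policy table are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class CallerIdentity:
    """Identity information the subject device sends with the request."""
    pid: int
    uid: int
    account_id: str   # account logged in on the subject device
    system_id: str    # ID of the subject device within the communication system
    device_id: str


@dataclass(frozen=True)
class DeviceProfile:
    """Security attributes one device exchanges with its peer."""
    device_id: str
    security_level: int   # from the device's HW/SW security capability, higher is stronger
    sensitivity: int      # privacy degree of the data the device holds, higher is more private
    app_level: int        # security level of the caller (subject) or callee (object) app


@dataclass(frozen=True)
class PeerPolicy:
    """What one side demands of the other before opening or requesting a resource."""
    min_device_level: int
    min_app_level: int
    min_sensitivity: int  # peer must handle data at least this private (no leak downward)


def check_peer(peer: DeviceProfile, policy: PeerPolicy) -> List[str]:
    """Level checks either side can apply; returns every violated rule."""
    reasons: List[str] = []
    if peer.security_level < policy.min_device_level:
        reasons.append(f"device level {peer.security_level} < {policy.min_device_level}")
    if peer.app_level < policy.min_app_level:
        reasons.append(f"app level {peer.app_level} < {policy.min_app_level}")
    if peer.sensitivity < policy.min_sensitivity:
        reasons.append(f"sensitivity {peer.sensitivity} < {policy.min_sensitivity}")
    return reasons


def subject_may_send(callee_side: DeviceProfile, policy: PeerPolicy) -> Tuple[bool, List[str]]:
    """Caller's device: decide whether to send the request at all."""
    reasons = check_peer(callee_side, policy)
    return not reasons, reasons


def object_may_serve(
    identity: CallerIdentity,
    caller_side: DeviceProfile,
    resource: str,
    policy: PeerPolicy,
    rights: Dict[Tuple[str, int], FrozenSet[str]],
    object_account: str,
    same_account_only: bool,
) -> Tuple[bool, List[str]]:
    """Callee's device: decide before the instance touches the resource.

    The identity -> rights mapping comes first (different identity information
    maps to different rights); level and sensitivity checks follow. Every
    violation is collected instead of stopping at the first, which is what an
    audit log wants."""
    reasons: List[str] = []
    entitled = rights.get((identity.device_id, identity.uid), frozenset())
    if resource not in entitled:
        reasons.append(f"{identity.device_id}/uid={identity.uid} has no right to {resource}")
    if same_account_only and identity.account_id != object_account:
        reasons.append("caller is logged in as a different account")
    reasons.extend(check_peer(caller_side, policy))
    return not reasons, reasons
```

The rights table is keyed by (device ID, UID) because a UID is only meaningful on the device that assigned it; a bare UID from another device must never be trusted as a local identity. Both sides run `check_peer` over the profile the other side sent, so a device that lies about its own level can only talk itself into a request the peer will still reject.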
- The above first device, second device and third device may be the same electronic device. In that case, data security during the calling process can still be guaranteed and data abuse and leakage prevented; the communication between the devices may be omitted, and the other operations may refer to the description of the first aspect or any of its implementations, which is not repeated here.
- the present application provides a cross-device access control method.
- the method is applied to a communication system including a first device, a second device, and a third device.
- a first caller is installed in the first device, a second caller is installed in the second device, and a callee is installed in the third device;
- the first caller, the second caller, and the callee are application programs APP or functional components;
- APP is a program entity that implements multiple functions,
- a functional component is a program entity that implements a single function.
- the method of the second aspect includes: the first device sends a first access request to the third device, where the first access request is used by the first caller to invoke the callee to access the first resource of the third device; the second device sends a second access request to the third device, where the second access request is used by the second caller to invoke the callee to access a resource of the third device; the third device determines that the priority of the first caller is higher than the priority of the second caller, where the priority of a caller is determined by one or more of the following: the running state of the caller, the device where the caller is located, the third device, the user logged in to the device where the caller is located, and the user logged in to the third device; the third device responds to the first access request and runs the callee to access the first resource.
- when multiple callers access the resources in the object device, the object device confirms the priority of each caller according to the running states of the multiple callers and the user information of the subject devices and the object device, and gives priority to responding to high-priority resource access requests. In this way, resources can be reasonably scheduled to meet the access requirements of users, and when the shared resources are insufficient, low-priority instances are released first to ensure the normal operation of the caller that is executing.
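As an added illustration (not the application's own code), the following Python model shows how an object device could rank competing callers by the factors named above and release a low-priority instance when a shared resource is exhausted; the numeric weights, the field names and the per-resource capacity limit are assumptions of this example.

```python
"""Priority-based scheduling of callee instances on the object device.

Added example; not code from the patent application. The priority of a caller
is derived from the factors the text names: the caller's running state, the
subject device relative to the object device, and the users logged in on both
devices. The numeric weights, the field names and the per-resource capacity
limit are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    caller: str           # caller APP or functional component
    subject_device: str   # device where the caller is located
    subject_user: str     # user logged in on the subject device
    running_state: str    # "foreground" or "background"
    resource: str         # resource of the object device being requested


def caller_priority(req: AccessRequest, object_device: str, object_user: str) -> int:
    """Higher value means higher priority (weights are assumed, not from the text)."""
    score = 0
    if req.running_state == "foreground":
        score += 4                                 # caller the user is interacting with
    if req.subject_device == object_device:
        score += 2                                 # caller runs on the object device itself
    if req.subject_user == object_user:
        score += 1                                 # same user logged in on both devices
    return score


class ObjectDevice:
    """Object device that runs callee instances for competing callers."""

    def __init__(self, name: str, user: str, capacity: Dict[str, int]) -> None:
        self.name = name
        self.user = user
        self.capacity = capacity                   # resource -> simultaneous instances allowed
        self.running: List[AccessRequest] = []     # callers currently served

    def _priority(self, req: AccessRequest) -> int:
        return caller_priority(req, self.name, self.user)

    def handle(self, req: AccessRequest) -> bool:
        """Serve req if the resource is free; otherwise release the lowest-priority
        running instance when req outranks it. Returns whether req was served."""
        holders = [r for r in self.running if r.resource == req.resource]
        if len(holders) < self.capacity.get(req.resource, 1):
            self.running.append(req)
            return True
        victim = min(holders, key=self._priority)
        if self._priority(req) > self._priority(victim):
            self.running.remove(victim)            # low-priority instance released first
            self.running.append(req)
            return True
        return False                               # deferred; the higher-priority caller keeps running

    def served(self) -> List[str]:
        return [r.caller for r in self.running]


def contention_example() -> Tuple[bool, bool, bool, List[str]]:
    """Constructed scenario: a background caller on another device holds the only
    camera; a foreground caller of the logged-in user then requests it."""
    screen = ObjectDevice(name="smart_screen", user="alice", capacity={"camera": 1})
    background = AccessRequest("messenger", "phone_b", "bob", "background", "camera")
    foreground = AccessRequest("online_classroom", "phone_a", "alice", "foreground", "camera")
    first = screen.handle(background)     # camera was free
    second = screen.handle(foreground)    # outranks and replaces the background caller
    third = screen.handle(background)     # cannot preempt the foreground caller
    return first, second, third, screen.served()


if __name__ == "__main__":
    print(contention_example())
```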
- the present application provides a cross-device access control method, which is applied to a communication system including a first device and a second device, where a first operating system is installed in the first device and a second operating system is installed in the second device; a caller is installed in the first device, and a callee is installed in the second device; the caller and the callee are application programs (APPs) or functional components; an APP is a program entity that implements multiple functions, and a functional component is a program entity that implements a single function.
- the method of the third aspect includes: the first device sends an access request to the second device, where the access request is used by the caller to invoke the callee to access the first resource of the second device, and the access request is in the description form of the first operating system; the second device maps the access request from the description form of the first operating system to the description form of the second operating system; the second device executes the callee to access the first resource according to the access request in the description form of the second operating system.
- the present application provides a cross-device access control method, which is applied to a first device.
- the present application provides a cross-device access control method, which is applied to a third device.
- for the operations performed by the third device in the method of the fifth aspect, reference may be made to the operations performed by the third device in the first aspect or any implementation manner of the first aspect, and details are not repeated here.
- the present application provides a cross-device access control method, which is applied to a third device.
- the present application provides a cross-device access control method, which is applied to a second device.
- for the operations performed by the second device in the method of the seventh aspect, reference may be made to the operations performed by the second device in the third aspect or any implementation manner of the third aspect, and details are not repeated here.
- the present application provides an electronic device, comprising: a memory and one or more processors; the memory is coupled to the one or more processors, and the memory is used to store computer program code, the computer program code includes computer instructions, and the one or more processors invoke the computer instructions to cause the electronic device to perform the method of the fifth aspect or any one of the embodiments of the fifth aspect.
- the present application provides an electronic device, comprising: a memory and one or more processors; the memory is coupled to the one or more processors, and the memory is used to store computer program code, the computer program code includes computer instructions, and the one or more processors invoke the computer instructions to cause the electronic device to perform the method of the sixth aspect or any one of the embodiments of the sixth aspect.
- the present application provides an electronic device, comprising: a memory and one or more processors; the memory is coupled to the one or more processors, and the memory is used to store computer program code, the computer program code includes computer instructions, and the one or more processors invoke the computer instructions to cause the electronic device to perform the method of the seventh aspect or any one of the embodiments of the seventh aspect.
- the present application provides a communication system, including a first device, a second device, and a third device, where the first device is configured to perform the method of the fourth aspect or any one of the implementation manners of the fourth aspect, and the third device is configured to perform the method of the fifth aspect or any one of the embodiments of the fifth aspect.
- the present application provides a communication system, including a first device, a second device, and a third device, where the third device is configured to perform the method of the sixth aspect or any one of the implementation manners of the sixth aspect.
- the present application provides a communication system, including a first device and a second device, where the second device is configured to perform the method of the seventh aspect or any one of the implementation manners of the seventh aspect.
- the present application provides a computer-readable storage medium comprising instructions which, when executed on an electronic device, cause the electronic device to perform the fourth aspect or any one of the implementation manners of the fourth aspect, the fifth aspect or any one of the implementation manners of the fifth aspect, the sixth aspect or any one of the implementation manners of the sixth aspect, or the seventh aspect or any one of the implementation manners of the seventh aspect.
- the present application provides a computer program product which, when run on a computer, causes the computer to execute the fourth aspect or any one of the implementation manners of the fourth aspect, or the fifth aspect or any one of the implementation manners of the fifth aspect.
- FIG. 1 is a schematic structural diagram of a distributed system 10 provided by an embodiment of the present application.
- FIG. 2 shows a distributed scenario provided by an embodiment of the present application.
- FIG. 3A is a schematic diagram of two ways in which the called APP provides services in a stand-alone scenario.
- FIG. 3B is a process isolation model provided by an embodiment of the present application.
- FIG. 3C is a flowchart of an access control method provided by an embodiment of the present application.
- FIG. 4A is a schematic diagram of a method for applying data isolation to a caller in a stand-alone scenario.
- FIG. 4B is a sandbox isolation model provided by an embodiment of the present application.
- FIG. 4C is a flowchart of another access control method provided by an embodiment of the present application.
- FIG. 5A is a schematic diagram of several ways in which an FA avoids data leakage.
- FIG. 5B , FIG. 6 , FIG. 7 , FIG. 8A , FIG. 8B , and FIG. 9 are respectively flowcharts of an access control method provided by an embodiment of the present application;
- FIG. 10 is a software structure diagram of an electronic device 300 provided by an embodiment of the present application.
- FIG. 11 is a software structure diagram of an electronic device 100 provided by an embodiment of the present application.
- FIG. 12A is a flowchart of a cross-device access control method provided by an embodiment of the present application.
- FIG. 12B is a software structure diagram of the electronic device 300 for implementing the method shown in FIG. 12A;
- FIG. 13A is a flowchart of a cross-platform access control method provided by an embodiment of the present application.
- FIG. 13B is a software structure diagram of the electronic device 300 for implementing the method shown in FIG. 13A;
- FIG. 14 is a hardware structural diagram of an electronic device provided by an embodiment of the present application.
- the terms "first" and "second" are only used for descriptive purposes, and should not be construed as indicating or implying relative importance or implying the number of indicated technical features. Therefore, a feature defined as "first" or "second" may explicitly or implicitly include one or more of the features. In the description of the embodiments of the present application, unless otherwise specified, "multiple" means two or more.
- an embodiment of the present application provides a communication system 10 .
- the communication system 10 includes a plurality of electronic devices.
- Communication system 10 may also be referred to as distributed system 10 .
- the multiple electronic devices included in the distributed system 10 are all intelligent terminal devices, which can be of various types, and the specific types of the multiple electronic devices are not particularly limited in this embodiment of the present application.
- the plurality of electronic devices include cell phones, and may also include tablet computers, desktop computers, laptop computers, handheld computers, notebook computers, smart screens, wearable devices, augmented reality (AR) devices, virtual reality (VR) devices, artificial intelligence (AI) devices, car devices, smart headsets, game consoles, and may also include Internet of things (IOT) devices or smart home devices such as smart water heaters, smart lighting, smart air conditioners, etc.
- the plurality of devices in the distributed system 10 may also include non-portable terminal devices such as a laptop with a touch-sensitive surface or a touch panel, a desktop computer with a touch-sensitive surface or a touch panel, and the like.
- when a plurality of electronic devices in the distributed system 10 are devices deployed in a home, the distributed system 10 may also be referred to as a home distributed system.
- Multiple electronic devices in the distributed system 10 can be connected by logging into the same account. For example, multiple electronic devices can log in to the same Huawei account and connect and communicate through the server.
- Multiple electronic devices in the distributed system 10 can also log in to different accounts, but are connected in a binding manner.
- the electronic device 100 and the electronic device 200 may log into different accounts, and the electronic device 100 binds the electronic device 200 to itself in the device management application, and then connects through the device management application.
- the electronic device 100 may be any electronic device in the distributed system 10.
- the electronic device 200 may also be any electronic device in the distributed system 10 .
- the electronic device 100 is a smart phone.
- the electronic device 200 is a smart screen.
- the multiple electronic devices in the distributed system 10 may be connected and communicate through any of the following: Bluetooth (BT), wireless local area networks (WLAN), wireless fidelity point to point (Wi-Fi P2P), near field communication (NFC), and infrared (IR) technology.
- multiple electronic devices in the communication system may also be connected and communicate in combination with any of the foregoing manners, which is not limited in this embodiment of the present application.
- the multiple electronic devices may be configured with different software operating systems (OS), including but not limited to several systems, one of which is Huawei's Hongmeng system.
- the multiple electronic devices may also all be configured with the same software operating system.
- when the software systems in the multiple electronic devices are the same system, the distributed system 10 can be regarded as a hyperterminal.
- each device in the distributed system 10 may install an application (application, APP), such as a traditional camera application, a gallery application, a setting application, and the like.
- the traditional APP may be referred to as APP for short.
- distributed system 10 may install distributed applications (distributed applications).
- distributed applications may be a system application or a third-party application, which is not limited here.
- a distributed application consists of one or more functional components.
- a functional component is the smallest capability unit that can run independently in an electronic device, and is a concept of abstract encapsulation of a single capability.
- APP integrates multiple functions, and functional components take each function as a separate service-based basic capability and exist independently. That is, a functional component is a program entity that implements a single function.
- Each functional component can be downloaded, installed and run independently. Multiple functional components forming the same distributed application may be deployed in the same electronic device in the distributed system 10, or may be deployed in different electronic devices.
- Functional components can include the following two categories:
- FA is a functional component that contains one or several sets of UI, which can provide the ability to interact with the user.
- a navigation interface in a map application, a video call interface in an instant messaging application, etc., can be implemented as an FA.
- FA is developed based on the MVVM (model-view-view-model) pattern, which separates the view UI and business logic.
- the business logic code and the view UI code are deployed separately, and the view UI code can be integrated into other apps.
- the view UI code can communicate with the business logic code to obtain the data required for UI display.
- FA supports the ability of page templates, such as Empty Ability, Login Ability, Setting Ability, etc.
- FA adopts a scripting language (javascript, JS) to provide a declarative development mode, adopts HTML-like and cascading style sheet (CSS) declarative programming languages as the development languages for page layout and page style, and uses the ECMAScript-standard JS language to provide page business logic.
- FA has the capabilities of free installation, independent operation, cross-device UI migration, and cross-device binary migration. FA also has the characteristics of multi-terminal deployment and distributed execution.
- FA can call AA or APP to realize more and more complex functions.
- PA is a functional component without UI, which can provide support for FA.
- PA can provide computing power as a background service, or provide data access capability as a data warehouse.
- beauty functions, positioning functions, audio and video encoding and decoding functions, etc. can be encapsulated as PA.
- PA also has the characteristics of multi-terminal deployment and distributed execution. PAs only have dependencies on system services and do not have dependencies on other PAs.
- PA actually encapsulates the realization of remote virtualization, remote invocation, PA management, cross-platform compatibility, security, etc., and opens up cross-device service enablement and wake-up to developers, so that other devices can invoke the computing power of this device or cooperate with this device, which then does the computing work.
- PA supports Service Ability, Data Ability, etc.
- Service Ability is used to provide the ability to run tasks in the background.
- Data Ability is used to provide a unified data access abstraction to the outside world.
- PA can call FA or APP to realize more and more complex functions.
- FA and PA are only terms used in this embodiment, and in some other embodiments of this application they may also be referred to by other nouns.
- FA may also be referred to as other terms such as atomic capability (AA), atomic application, meta-capability, atomic service, characteristic capability, and the like.
- Multiple functional components composing a distributed application may be developed or provided by the same developer, or may be developed or provided by multiple developers separately, which is not limited here. Different developers jointly develop functional components, which can improve the development efficiency of distributed applications.
- the functional components provide externally standardized interfaces for invocation.
- APP can call functional components.
- functional components can also call other functional components or APPs.
- the called functional component can also continue to call another functional component or APP, and the multi-level calling method can be called a chain call.
- After each device in the distributed system 10 establishes a communication connection, each device will synchronize the functional component information and APP information of the other devices in the distributed system. Specifically, each device can synchronize the names of its installed functional components and APPs, and its own device information (for example, device identification), to the other devices, so that the devices in the distributed system 10 can subsequently call the FAs, PAs and other functional components of other devices in the distributed system 10. Which callers may invoke functional components such as FAs and PAs, and which other functional components those components may invoke, can be preset and recorded in each electronic device.
- Fig. 2 exemplarily shows a possible distributed remote-teaching service scenario.
- the distributed system includes electronic devices such as smart phones, tablet computers, and smart screens.
- the various devices in the distributed system are connected to each other in pairs.
- Smartphones, tablets, and smart screens can be configured with different software operating systems (OS); for example, the smartphone and the tablet can be configured with one system and the smart screen with another.
- “Online classroom” is installed in the smartphone.
- "Online classroom" is an application program installed in an electronic device to provide teachers and students with the various functions required for remote classes, and the name "online classroom" is not limited in this embodiment of the present application.
- “Online classroom” may include the following functional components: blackboard functional components, whiteboard functional components, audio and video codec functional components, and network connection functional components.
- the blackboard functional components and the whiteboard functional components belong to the FA
- the audio and video codec functional components and the network connection functional components belong to the PA.
- the blackboard function component provides the function of teaching courses remotely.
- the whiteboard functional component provides the ability to answer questions remotely.
- the audio and video codec function components provide video and audio codec functions.
- the blackboard functional components can be migrated or switched to the smart screen, so as to explain the course on the smart screen.
- Migrating or switching a functional component from one device A to another device B can be of the following two types: 1. UI migration. When the FA's view UI and business logic are separated, device A can run the business logic code while device B is triggered to run the view UI code, and to the user it appears that the functional component has migrated from device A to device B. 2. Overall migration. Overall migration means that after device B downloads and installs the functional component from device A or from the network, it runs the functional component and provides the corresponding functions.
- the "online classroom" is the caller, and the whiteboard functional component in the tablet computer and the blackboard functional component in the smart screen are the callees.
- Figure 2 also shows another possible distributed video call service scenario.
- the smart phone can also be installed with other distributed applications, such as instant messaging applications.
- Instant messaging applications can provide video calls, voice calls, and other communication features.
- the instant messaging application may include the following functional components: video calling functional components, audio and video codec functional components, and network connection functional components.
- the video calling function component of the application can be migrated or switched to the smart screen, so that the camera and display screen of the smart screen can be used to make video calls.
- the blackboard functional component in the above-mentioned "online classroom" and the video calling functional component in the instant messaging application may be the same functional component. That is to say, the functional component in the smart screen can be called separately by the "online classroom" and instant messaging applications installed on the smart phone.
- the instant messaging application is the caller, and the video call functional component (i.e., the video call functional component in the smart screen) is the callee.
- the service scenario shown in FIG. 2 is only used to assist in describing the technical solutions of the embodiments of the present application.
- the distributed system shown in FIG. 2 may include more terminal devices, more or fewer functional components may be deployed in each device, and each distributed application may include more or fewer functional components.
- the resources shared among the devices in the distributed system may include, but are not limited to, software resources, hardware resources, peripherals or accessory resources of the devices, and the like.
- the party that initiates the invocation of the functional component or the APP may be referred to as the invoker.
- the caller can be, for example, APP, FA or PA.
- the initial initiator of the entire call chain can be called the first caller.
- the first caller can be, for example, an APP or an FA.
- the call chain is: APP1 calls PA1, PA1 calls PA2, PA2 calls FA1, then APP1 is the first caller.
- the call chain is: FA1 calls PA1, PA1 calls PA2, then FA1 is the first caller.
- the middle called party and the last called party can be called the callee.
- the callee can be, for example, APP, FA or PA.
- the caller may also be referred to as a subject application, and the callee may also be referred to as an object application.
- the caller and the callee can be deployed in the same electronic device or in different electronic devices. That is to say, the caller and the callee can be located in a distributed scenario or in a single-machine scenario.
- the device where the caller is located is called the subject device, and the device where the callee is located is the object device.
- Applications referred to in subsequent embodiments may include APPs, and may also include functional components in distributed applications.
- An instance is a running APP or functional component.
- an instance may refer to a process or a thread.
- a process is an execution of an application on a computer.
- a thread is a single sequential flow of control in the execution of an application.
- a process can contain multiple threads.
- random access memory (RAM), for example double data rate synchronous dynamic random access memory (DDR SDRAM, DDR5 SDRAM).
- Application data refers to the content written during the running of the application, such as photos or videos obtained by photographing applications, text edited by users in document applications, and so on. Application data may also be referred to as file data.
- Application data may be stored in non-volatile memory (NVM).
- An NVM is a memory that retains saved data even when an electronic device is powered off.
- the NVM may include disk storage devices and flash memory.
- FIG. 3A exemplarily shows two ways in which APPs call each other in a stand-alone scenario.
- APP1 and APP2 are callers, and APP3 is integrated into the host APP (that is, the caller) in the form of a third-party library, such as a software development kit (SDK) library or a dynamic link library (.so file), and provides shared services for the host APP. Shared service means that APP3 provides services for multiple different APPs at the same time. Since the third-party library can obtain all the resources and permissions of the host APP, there is a problem that the third-party library abuses the caller's memory data.
- each APP has a corresponding instance, and each instance is naturally isolated.
- the electronic device will allocate a corresponding virtual address space for each different APP instance, and the virtual address space is mapped to physical address space in the memory of the electronic device that is not used by any other instance.
- different APP instances access different physical address spaces in the corresponding memory through their virtual address spaces, and different APP instances cannot access the physical address spaces of other APP instances through their virtual address spaces.
- APP3 provides shared services for callers (APP1 and APP2) in the form of a single instance. In this way, the memory data of APP1 and APP2 can only be isolated by APP3 itself.
- if APP3 has vulnerabilities or malicious behavior, the respective memory data of APP1 and APP2 may be misused by APP3.
- if the above method (1) or (2) is used to realize the mutual call between the caller and the callee, the above-described problem of confusion or misuse of each caller's memory data also arises.
- since the blackboard functional component in the smart screen (i.e., the video call functional component) is called by both the "online classroom" and the instant messaging application in the smartphone, the smart screen can simultaneously obtain the memory data of the "online classroom" and of the instant messaging application, and both types of memory data may be misused.
- the following embodiments of the present application provide an access control method.
- the same callee can activate multiple instances, and provide services for different callers through different instances. Due to the natural isolation between instances, different instances cannot access memory data from each other, which can provide a system-level memory data security mechanism, avoid the abuse and leakage of memory data by each caller, and ensure data security.
- the electronic device allocates physical addresses in RAM for different instances on a per-process basis.
- when the electronic device needs to run an instance, it finds the space corresponding to the instance in the RAM according to the virtual address, and runs the instance in that space.
- the virtual address is mapped with the physical address assigned to the instance by the electronic device, and the mapping relationship is stored in the controller of the electronic device. That is to say, the instance uses the virtual address to find the actual storage location of the memory data.
- different instances can only access the physical address corresponding to their own virtual address through their own virtual addresses, that is, they cannot access the physical space of each other in RAM, so the instances are isolated from each other.
- FIG. 3B exemplarily shows an instance isolation model provided by an embodiment of the present application when the access control method is implemented.
- the distributed system 10 may be installed with: a caller 1 , a caller 2 , and a callee 1 .
- the meaning of each caller and callee, and the installation device can be referred to the related descriptions in FIG. 1 and FIG. 2 .
- caller 1, caller 2, and callee 1 may be installed in electronic device 100, electronic device 200, and electronic device 300, respectively.
- caller 1 and caller 2 respectively call callee 1, and at the same time, callee 1 itself is also running.
- the electronic device 300 will create three instances of the callee 1 to provide services for the caller 1, the caller 2, and the callee 1 itself. In this way, depending on the isolation property between instances, the memory data of caller 1 and caller 2 can be isolated to avoid abuse and leakage of memory data.
- FIG. 3C exemplarily shows a flowchart of the access control method.
- the method shown in FIG. 3C is described by taking the caller 1 in the electronic device 100 calling the callee 1 in the electronic device 300 as an example.
- the access control method may include the following steps:
- the electronic device 100 initiates an access request to the electronic device 300, and the access request is used by the caller 1 to call the callee 1 and access the first resource in the electronic device 300 through the callee 1.
- the electronic device 100 may initiate the access request in response to the received user operation, or may autonomously initiate the access request to the electronic device 300 in some cases, which is not limited here.
- callee 1 may be installed in the electronic device 300 in advance. In other embodiments, the electronic device 300 may download and install the callee 1 from the network after receiving the access request sent by the electronic device 100, or directly download and install the callee 1 from the electronic device 100.
- the caller 1 calls the callee 1 and accesses the first resource in the electronic device 300 through the callee 1; that is, the caller 1 obtains the service provided by the callee 1.
- the first resource may include software resources of the electronic device 300 (e.g., a beauty algorithm, a positioning function, an audio and video codec function), and may also include hardware resources (e.g., hardware such as a camera, an audio device, or a display screen).
- the electronic device 300 determines whether there is a specific instance of the callee 1.
- the object device (i.e., the electronic device 300) may enable different instances for different callers, and provide services for each caller respectively.
- the instance enabled by the object device for a caller can continue to provide services for the caller.
- the electronic device 300 may first determine whether there is an instance of the callee 1 enabled for the caller 1 before. In some embodiments, the electronic device 300 may enable different instances not only based on the caller, but also enable different instances based on one or more of the following: the main device, the caller's developer, the caller's The account of the user to which the user belongs or the main device, etc. When one or more of the above are different, the electronic device 300 may enable different callee instances to provide services for the caller.
- the specific instance of the callee 1 can be any of the following:
- callee 1 may also be created based on information such as the account of the user to which the caller belongs or the main device, which will not be listed one by one here.
- the electronic device 300 stores an invocation relationship in which the instance of the callee 1 is invoked, and the invocation relationship indicates that the callee 1 activates the instance and provides services for each caller. Therefore, the electronic device 300 can determine whether there is a specific instance of the callee 1 according to the calling relationship.
- the invocation relationship includes: the invocation relationship ID, the instance information of the callee, and the information of each caller who invoked the instance.
- the calling relationship ID may be assigned by the electronic device 100.
- the object device (ie, the electronic device 300) and the subject device (ie, the electronic device 100) can share the same calling relationship ID; the calling relationship ID can be assigned by the electronic device 100, carried in the access request of S101 and thereby sent to the electronic device 300.
- the instance information of the callee 1 may include: the APP ID of the callee 1, and the user ID (UID) and process identifier (PID) of the instance.
- the PID is the identity identifier of the instance; when the electronic device runs an instance, it assigns a unique PID to the instance.
- the caller information includes the caller's application ID (APP ID), and may also include one or more of the following: the device ID of the main device, the caller's developer signature, the caller's user ID (UID), and the account ID of the subject device. Where:
- APP ID used to identify the APP or functional component.
- the device ID may be, for example, the name of the device, a serial number, a media access control (media access control, MAC) address, and the like.
- Developer signature used to identify the developer.
- the electronic device will assign different UIDs to different installed apps or functional components to distinguish them.
- the electronic device may assign the same UID to each APP or functional component developed by the same developer.
- the same APP or functional component may have different UIDs in different electronic devices.
- account ID used to identify the user currently logged in to the electronic device, for example, a Huawei account.
- the access request of S101 may carry the information of the caller 1, so that the electronic device 300 can search the instance calling relationship of the callee 1 and determine whether a specific instance of the callee 1 exists.
- the electronic device 300 creates a specific instance of the callee 1.
- the electronic device 300 starts and runs a new instance of the callee 1 and regards it as the specific instance of the callee 1; for its function, refer to the relevant description in S102.
- a UID and a PID can be assigned to the specific instance.
- the electronic device 300 may inherit the caller's UID, ie assign the caller's UID to the specific instance of the callee 1. Since the UIDs of different callers are different, the UIDs of the instances created by the callee 1 for different callers are different.
- the electronic device 300 may individually assign a UID to the specific instance of the callee 1.
- the electronic device 300 may assign UIDs to each APP in one data interval (eg, 10000-30000), assign a UID to each instance of each functional component (including the specific instance of the callee 1), and assign different UIDs to different instances of the same functional component.
- the UIDs assigned by the electronic device 300 to the instance 1, instance 2, and instance 3 of the callee 1 are respectively: UID 30000 and UID 30001.
- the electronic device 300 can distinguish different instances of the same callee by the UID.
- the electronic device 300 may directly use the UID assigned to the functional component, that is, assign the UID of the functional component to each instance of the functional component.
- the UIDs assigned by the electronic device 300 to instance 1, instance 2, and instance 3 of the callee 1 can all be UID 10000.
- the electronic device 300 assigns different PIDs to different instances, and the PID assigned to the specific instance of the callee 1 distinguishes it from the other instances of the callee 1.
- after the electronic device 300 creates the specific instance of the callee 1, it can save the calling relationship composed of the caller 1 and the specific instance of the callee 1.
- the calling relationship can be used to check whether the corresponding specific instance already exists when the callee 1 is called again subsequently, and can also be used to find the cause when a problem occurs.
- the electronic device 300 runs the specific instance of the callee 1, and accesses the first resource in response to the access request received in S101.
- the first resource may include software resources of the electronic device 300 (eg, beauty algorithm, positioning function, audio and video codec function), and may also include hardware resources (eg, camera, audio device, display screen, etc. hardware).
- the electronic device 300 can perform a series of operations according to the resource, such as displaying a video call interface through a display screen, capturing images through a camera, and so on.
- the access result may be sent back to the electronic device 100, for example, the positioning result or the calculation result may be sent to the electronic device 100, and so on.
- the main device (ie, the electronic device 100) can also save the calling relationship composed of the caller 1 and the specific instance of the callee 1, but it does not need to save the detailed information of the callee 1 instance (such as the UID and PID of the instance) as the object device does. For an example of the calling relationship stored in the subject device and the object device, reference may be made to the subsequent related descriptions in Table 1 and Table 2, which will not be repeated here.
- the first type of specific instance of the callee 1 above allows an instance of the callee 1 to provide services only for the same caller, thereby providing memory data isolation between different callers at the system level.
- the second type of specific instance of the callee 1 above allows an instance of the callee 1 to provide services only for the same caller on the same device, thereby providing memory data isolation between different devices and/or different callers at the system level.
- the third type of specific instance of the callee 1 above allows an instance of the callee 1 to provide services only for the same caller developed by the same developer, thereby providing memory data isolation between different developers and/or different callers at the system level.
- the fourth type of specific instance of the callee 1 above allows an instance of the callee 1 to provide services only for the same caller developed by the same developer in the same device.
- the caller 1 and the callee 1 shown in FIG. 3C are located in different devices, and in some other embodiments of the present application, the caller 1 and the callee 1 may also be located in the same device.
- the device can independently perform all the steps shown in FIG. 3C.
- one electronic device in the multiple electronic devices may be called the first device
- the caller in the first device may be referred to as the first caller
- another electronic device (eg, the electronic device 200) may be referred to as the second device
- the caller in the second device may be referred to as the second caller
- the accessed electronic device (eg, the electronic device 300) may be referred to as the third device
- the accessed resource in the third device may be referred to as the first resource.
- the access request sent by the first device to the third device may be referred to as the first access request
- the access request sent by the second device to the third device may be referred to as the second access request.
- FIG. 4A exemplarily shows a manner of isolating application data when APPs call each other in a stand-alone scenario.
- each APP in a single device runs in its own instance, and the electronic device creates an independent sandbox for each APP, and the sandbox is used to store application data generated during the running of the corresponding APP.
- the sandboxes are isolated from each other and cannot access each other, so as to protect the data of each application.
- when APP3 provides services for APP1 and APP2, it can receive application data transmitted by APP1 and APP2, and all of this application data is stored in the sandbox of APP3. This method can only rely on the callee (APP3) itself to isolate the application data of APP1 and APP2.
- if APP3 has vulnerabilities or malicious behavior, the respective application data of APP1 and APP2 may be misused by APP3, so this method cannot provide security isolation at the system layer.
- when the callee itself isolates the application data of different callers, there is also the problem of confusion or misuse of the application data of each caller.
- when the access control method shown in FIG. 3C is executed, the callee can also isolate application data. Specifically, after enabling multiple instances of the same callee and providing services for different callers through different instances, different sandboxes can also be created for different callers, and application data from different callers can be stored in the corresponding sandbox. Due to the natural isolation between sandboxes, different sandboxes cannot access each other's application data, which provides an application data security mechanism and avoids the abuse and leakage of each caller's application data.
- a sandbox is an independent operating environment that restricts program behavior according to security policies.
- the instance runs in the sandbox, and the application data generated during the running of the instance is also stored in the sandbox.
- Sandboxes use access control lists (ACLs) to define discretionary access control (DAC) policies, which define what types of operations users can perform on which database objects.
- each user can belong to a group, and each file has a corresponding owner user. An ACL lists the users who can perform certain operations on a certain file, and identifies the operation permissions that the owner user of the file, users in the same group, and other users have on the file.
- the "user" here is relative to the file and actually means the application or functional component.
- the electronic device will allocate different virtual address spaces for different instances in a process unit to form a sandbox.
- the virtual address space of the sandbox of the same instance is mapped with the physical address in the RAM and the physical address in the NVM described above.
- the mapping method is not limited.
- when the electronic device runs the instance and generates application data, it queries the physical space in the NVM corresponding to the instance according to the virtual address, and stores the application data in that space. That is to say, the instance finds the actual storage location of the application data through the virtual address. Under such a mechanism, different instances cannot know or access the virtual addresses of other sandboxes, and thus cannot access each other's physical space in the NVM, so they are isolated from each other.
- FIG. 4B exemplarily shows a sandbox isolation model in a distributed system provided by an embodiment of the present application.
- the electronic device 300 creates two sandboxes after creating two instances of callee 1 .
- the sandbox 1 is used to run the instance 1 that provides services for the caller 1, and is also used to store application data from the caller 1.
- Sandbox 2 is used to run instance 2 that provides services to caller 2, and is also used to store application data from caller 2. In this way, depending on the isolation property between sandboxes, the application data of caller 1 and caller 2 can be isolated to avoid abuse and leakage of application data.
- the process shown in FIG. 4C may also be performed before S104 .
- the process may include the following steps:
- the electronic device 300 determines whether a specific sandbox of the callee 1 exists.
- the object device (ie, the electronic device 300) may create different sandboxes for different callers, and respectively provide application data storage and instance running services for each caller.
- the sandbox created by the object device for a caller can continue to provide services for that caller.
- the electronic device 300 can first determine whether a sandbox of the callee 1 was previously created for the caller 1.
- the electronic device 300 may not only create different sandboxes based on the caller, but also create different sandboxes based on one or more of the following: the main device, the developer of the caller, the account of the user to which the caller or the main device belongs, etc. When one or more of the above differ, the electronic device 300 may create different sandboxes to provide the caller with application data storage and instance running services.
- the specific sandbox of the callee 1 can be determined according to the specific instance of the callee 1 created in S103 in FIG. 3C .
- the specific sandbox of the callee 1 can be any of the following:
- the above-mentioned specific sandbox of the callee 1 may also be created based on information such as the account of the user to which the caller belongs or the main device, which will not be listed one by one here.
- the electronic device 300 stores a correspondence between the sandboxes of the callee 1 and the instances running in them, and the correspondence indicates which instances each sandbox of the callee 1 runs and whose application data it stores.
- the corresponding relationship includes: sandbox identification, instance information of the callee running in the sandbox, and information of each caller who invokes the instance.
- the application data stored in the sandbox includes application data from the caller of the running instance in the sandbox.
- the electronic device 300 creates a specific sandbox of the callee 1.
- the electronic device 300 creates a new sandbox and uses it as the specific sandbox of the callee 1; for its function, refer to the relevant description in S201.
- Creating a sandbox by the electronic device 300 means that the electronic device 300 creates a separate storage area or working environment.
- a sandbox identifier may be assigned to the specific sandbox.
- the electronic device 300 creates the specific sandbox of the callee 1, the corresponding relationship between the sandbox of the callee 1 and the instances running in the sandbox can be saved.
- the application data may be directly passed by the caller 1 to the callee 1, or may be generated by the callee 1 autonomously during the calling process, which is not limited here.
- the electronic device 300 stores the application data in the specific sandbox of the callee 1.
- the specific sandbox of the callee 1 is used to store the application data of the corresponding specific instance, and only the caller of that specific instance is allowed to access it.
- the first type of specific sandbox of the callee 1 above allows a sandbox of the callee 1 to store application data only from the same caller, thereby providing application data isolation between different callers.
- the second type of specific sandbox of the callee 1 above allows a sandbox of the callee 1 to store application data only from the same caller on the same device, thereby providing application data isolation between different devices and/or different callers.
- the third type of specific sandbox of the callee 1 above allows a sandbox of the callee 1 to store application data only from the same caller developed by the same developer, thereby providing application data isolation between different developers and/or different callers.
- the fourth type of specific sandbox of the callee 1 above allows a sandbox of the callee 1 to store application data only from the same caller developed by the same developer in the same device.
- the caller 1 and the callee 1 shown in FIG. 4C are located in different devices, and in some other embodiments of the present application, the caller 1 and the callee 1 may also be located in the same device.
- the device can independently perform all the steps shown in FIG. 4C.
- the sandbox for running the first instance in the third device may be referred to as the first sandbox, and the sandbox for running the second instance may be referred to as the second sandbox.
- Application data generated by the third device in the process of running the first instance may be referred to as first application data
- application data generated in the process of running the second instance may be referred to as second application data.
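The instance and sandbox procedures of FIG. 3C and FIG. 4C share one lookup key: the caller attributes that must match for an existing specific instance (and its sandbox) to be reused. The following simulation is an added example, not the patent's or any product's code; class names, the PID values and the sample callers are assumptions, while the 30000-based instance UIDs follow the description above.

```python
from dataclasses import dataclass, field
from enum import Enum
from itertools import count
from typing import Dict, Optional, Tuple

# Constructed simulation of the object device's instance management (S102-S104)
# and sandbox management (S201-S203). Names are assumptions, not the patent's
# own code; PIDs are constructed values.


@dataclass(frozen=True)
class Caller:
    """Caller information carried in the access request."""
    app_id: str          # APP ID of the caller
    device_id: str       # device ID of the main (subject) device
    developer_sig: str   # developer signature of the caller
    account_id: str      # account logged in on the subject device


class IsolationPolicy(Enum):
    """The four kinds of specific instance/sandbox in the text: which caller
    attributes must match before an existing instance is reused."""
    CALLER = 1                    # same caller
    CALLER_DEVICE = 2             # same caller on the same device
    CALLER_DEVELOPER = 3          # same caller from the same developer
    CALLER_DEVELOPER_DEVICE = 4   # same caller, same developer, same device

    def key(self, caller: Caller) -> Tuple[str, ...]:
        if self is IsolationPolicy.CALLER:
            return (caller.app_id,)
        if self is IsolationPolicy.CALLER_DEVICE:
            return (caller.app_id, caller.device_id)
        if self is IsolationPolicy.CALLER_DEVELOPER:
            return (caller.app_id, caller.developer_sig)
        return (caller.app_id, caller.developer_sig, caller.device_id)


@dataclass
class Instance:
    callee_app_id: str
    uid: int
    pid: int
    sandbox_id: str
    app_data: Dict[str, bytes] = field(default_factory=dict)  # held in the sandbox


@dataclass
class CallingRelation:
    """One row of the calling-relationship table kept by the object device."""
    relation_id: str
    instance: Instance
    caller: Caller


class ObjectDevice:
    """Electronic device 300: one callee instance and one sandbox per isolation key."""

    FIRST_INSTANCE_UID = 30000

    def __init__(self, policy: IsolationPolicy) -> None:
        self.policy = policy
        self._relations: Dict[Tuple[str, ...], CallingRelation] = {}
        self._next_uid = count(self.FIRST_INSTANCE_UID)
        self._next_pid = count(1000)

    def _lookup(self, callee: str, caller: Caller) -> Optional[CallingRelation]:
        return self._relations.get((callee,) + self.policy.key(caller))

    def get_or_create_instance(self, relation_id: str, callee: str, caller: Caller) -> Instance:
        """S102/S103: reuse the caller's specific instance or start a new one with its
        own UID, PID and sandbox (S201/S202), and record the calling relation."""
        rel = self._lookup(callee, caller)
        if rel is None:
            uid, pid = next(self._next_uid), next(self._next_pid)
            inst = Instance(callee, uid, pid, sandbox_id="sandbox-%s-%d" % (callee, uid))
            rel = CallingRelation(relation_id, inst, caller)
            self._relations[(callee,) + self.policy.key(caller)] = rel
        return rel.instance

    def store_app_data(self, caller: Caller, callee: str, name: str, data: bytes) -> str:
        """S203: application data goes into the sandbox of the caller's own instance."""
        rel = self._lookup(callee, caller)
        if rel is None:
            raise PermissionError("no instance of %s was enabled for this caller" % callee)
        rel.instance.app_data[name] = data
        return rel.instance.sandbox_id

    def read_app_data(self, caller: Caller, callee: str, name: str) -> bytes:
        """A different caller resolves to a different key and so never reaches
        another caller's sandbox, whatever it asks for."""
        rel = self._lookup(callee, caller)
        if rel is None:
            raise PermissionError("no instance of %s was enabled for this caller" % callee)
        return rel.instance.app_data[name]   # KeyError if this sandbox lacks the item

    def instance_count(self, callee: str) -> int:
        return sum(1 for key in self._relations if key[0] == callee)
```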
- FA is developed using the MVVM (model-view-view-model) pattern, which abstracts the state and behavior of the view and separates the view UI and business logic. That is to say, the UI code of the FA is separated from the logic code, so the device where the FA is located has only the logic code, and the UI code is integrated into the caller's own code. When the FA is running, its UI code communicates with the FA's logic code to obtain data for UI display.
- distributed systems can include cell phones and smart watches.
- a takeaway APP can be installed on the smart watch.
- a positioning page can be provided for users to check the location of the takeaway.
- the positioning data required by the smart watch to display the positioning page can be obtained by running the logic code on the mobile phone. That is to say, the takeaway APP in the smart watch, as the caller, integrates the UI code of the FA that realizes the positioning function, while the logic code is deployed in the mobile phone.
- the FA's UI code uses the caller's own authority to obtain sensitive data and passes it to the FA's logic code, resulting in data leakage.
- the FA's logic code sends important business data to the UI code, and the business data may be maliciously obtained by the caller, resulting in data leakage.
- This method implements permission control on the UI code of the FA at the application layer, which is insufficient in security. Moreover, since the UI code of the FA still runs in the same instance as the caller, the risk of data leakage cannot be avoided.
- the scenario of the third approach is shown.
- the interface implemented by the UI code of the FA needs to be overlaid on the caller.
- the overlay effect is not good.
- the UI code of each FA generates a new application separately, which is too expensive for system performance and is not suitable for actual deployment.
- the UI code of the FA and the code of the caller belong to the same security domain.
- if the traditional discretionary access control (DAC) policy fails, the caller and the FA can still communicate with each other, and there is a risk of data leakage.
- when the caller calls the FA, the subject device creates an instance for the caller and an instance for the UI code of the FA respectively, does not change the user identity (UID) to which the two instances belong, but divides the two instances into different security domains. Since the two instances have the same UID, the UI code of the caller and the FA can be isolated based on the difference between the instances without adding new applications or causing excessive system performance loss, and the isolation of the security domains ensures that the two cannot maliciously obtain each other's data, avoiding data leakage.
- the security domain is located in the kernel layer, which is a collection of logical areas in the same working environment, with the same or similar security protection requirements and protection strategies, mutual trust, mutual association or interaction.
- a security domain can be regarded as a kernel-level sandbox, which provides kernel-level security isolation, and neither user nor application can change the access policy of a security domain.
- the access control between security domains is based on the mandatory access control (MAC) policy.
- the MAC policy defines which subject can access which object; the policy can only be enforced by the device system and cannot be changed by any user or application. Therefore, different security domains can achieve kernel-level isolation and provide a system-level security mechanism.
- the electronic device 100 may further execute the process shown in FIG. 5B before S101 .
- the callee 1 is the FA.
- the process may include the following steps:
- the electronic device 100 creates an instance of the caller 1 and a UI instance of the callee 1.
- the electronic device 100 executes the code of the caller 1 to create the instance of the caller 1.
- the electronic device 100 also runs the UI code of the callee 1 integrated in the caller 1 to create the UI instance of the callee 1.
- the electronic device 100 may assign the same UID to the instance of the caller 1 and the UI instance of the callee 1, and assign different PIDs to the two instances.
- the electronic device 100 runs the instance of the caller 1 within the first authority scope, and runs the UI instance of the callee 1 within the second authority scope.
- the second authority scope is different from the first authority scope.
- the UI instance of the callee 1 can be called the first part of the callee
- the business logic code of the callee in the third device can be called the second part of the callee.
- the instance of caller 1 may be referred to as the third instance
- the UI instance of callee 1 may be referred to as the fourth instance.
- since the electronic device 100 runs the instance of the caller 1 and the UI instance of the callee 1 in different permission scopes, the UI instance of the callee 1 can be prevented from acquiring data beyond its permission scope, avoiding permission expansion and ensuring data security.
- the electronic device 100 allocates a first security domain identity to the instance of the caller 1, and allocates a second security domain identity to the UI instance of the callee 1.
- the electronic device 100 allocates or creates multiple security domains at the kernel layer, and each security domain corresponds to a security domain identity (ie, an identity).
- the first security domain corresponds to the identity of the first security domain
- the second security domain corresponds to the identity of the second security domain.
- Each security domain defines what types of operations users can perform on what data or processes. For example, each newly created process is assigned a security domain identity. When a process accesses a specific file or directory or communicates with other processes, the system determines, according to the access control rules defined in the security policy file, whether to allow the process of that security domain to perform these operations.
- the access control rules corresponding to different security domains can be different, and processes in different security domains cannot access each other.
- the electronic device 100 may assign different security domain identifiers to the instance of the caller 1 and the UI instance of the callee 1 respectively when it confirms that the developers of the caller 1 and the callee 1 are different.
- if the two developers are the same, they can be assigned the same security domain ID. This ensures that data between a caller and a callee of different developers does not leak, and reduces the resources consumed by allocating security domain identifiers when the two developers are the same.
- the electronic device 100 runs the instance of the caller 1 in the first security domain according to the identity of the first security domain, and runs the UI instance of the callee 1 in the second security domain according to the identity of the second security domain.
- In this way, when the caller 1 calls the callee 1 in the electronic device 300, the UI code of the FA cannot use the caller's own authority to obtain sensitive data and pass it to the FA's logic code, and the FA's logic code cannot send important business data to the FA's UI code for the caller to maliciously obtain, thereby avoiding data leakage.
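The point of S501-S504 is that the discretionary check (same UID) would let the caller instance and the callee's UI instance read each other, so the decision is moved to a mandatory rule set keyed by security domain. The model below is an added example, not the patent's or any kernel's code; the manager class, the rule-triple format, the per-developer domain allocation and the sample operations and PIDs are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed model of S501-S504 on the subject device: one UID shared by the
# caller instance and the callee's UI instance, a security domain identity per
# developer, and a mandatory rule set that only the system can extend.
# Names are assumptions, not the patent's own code.


@dataclass(frozen=True)
class ProcInstance:
    app_id: str
    developer_sig: str
    uid: int
    pid: int
    domain_id: str


class SecurityDomainManager:
    """Kernel-layer view: hands out domain identities and enforces MAC rules."""

    def __init__(self) -> None:
        self._domain_of_developer: Dict[str, str] = {}
        self._next = 1
        # Allowed (source domain, target domain, operation) triples; "*" matches
        # any operation. Anything not listed is denied regardless of UID.
        self._rules: Set[Tuple[str, str, str]] = set()

    def allocate_domain(self, developer_sig: str) -> str:
        """Same developer -> same domain; different developers -> distinct domains.
        A domain may always interact with itself."""
        if developer_sig not in self._domain_of_developer:
            domain = "sd%d" % self._next
            self._next += 1
            self._domain_of_developer[developer_sig] = domain
            self._rules.add((domain, domain, "*"))
        return self._domain_of_developer[developer_sig]

    def allow(self, src_domain: str, dst_domain: str, operation: str) -> None:
        """An entry of the security policy file; applications cannot change it."""
        self._rules.add((src_domain, dst_domain, operation))

    def check(self, src: ProcInstance, dst: ProcInstance, operation: str) -> bool:
        """Mandatory, directional decision for src performing `operation` on dst."""
        return ((src.domain_id, dst.domain_id, operation) in self._rules
                or (src.domain_id, dst.domain_id, "*") in self._rules)


def dac_permits(src: ProcInstance, dst: ProcInstance) -> bool:
    """The discretionary check alone: instances under one UID see each other."""
    return src.uid == dst.uid


def start_caller_with_ui(mgr: SecurityDomainManager, caller_app: str, caller_dev: str,
                         callee_app: str, callee_dev: str, uid: int) -> Tuple[ProcInstance, ProcInstance]:
    """S501-S504: two instances, one UID, different PIDs, domain per developer."""
    caller = ProcInstance(caller_app, caller_dev, uid, 4001, mgr.allocate_domain(caller_dev))
    ui = ProcInstance(callee_app, callee_dev, uid, 4002, mgr.allocate_domain(callee_dev))
    return caller, ui
```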
- when the caller calls the callee, the user can authorize the caller, the caller then passes the permission to the callee, and the callee accesses device resources and provides services under that permission.
- when the state of the caller (including running in the foreground, running in the background, stopping, etc.) changes, the scope of authority of the caller actually changes. If the callee's running state does not change with the caller, the callee's authority scope may differ from the caller's actual authority scope, resulting in data abuse and leakage.
- the callee provides services for each caller in the form of an independent instance.
- if callers are not distinguished, the callee's running state cannot be changed synchronously according to the caller's state (such as foreground and background), nor can the callee be restored when the call fails.
- when the access control method shown in FIG. 3C is executed, the same callee enables multiple instances and provides services for different callers through different instances. The relationship between a caller and the callee can then be called a calling task, and the calling task forms a task domain. In the task domain, the running state of the callee instance can change with the running state of the caller. In addition, the recovery of the callee can also be achieved through this task domain.
- the process may include the following steps:
- the electronic device 100 stores the task domain information of the caller 1 .
- the caller in the electronic device 100 and the specific instance of the callee 1 running in the electronic device 300 form a logical task domain.
- the event that the caller 1 in the electronic device 100 calls the callee 1 in the electronic device 300 may be referred to as a task.
- a caller can have multiple task domains.
- the task domain information of the caller stored in the electronic device 100 may include: task domain ID, calling relationship ID, APP ID of the caller, APP ID of the callee, task status, and the like.
- the task domain ID and the calling relationship ID may be allocated by the electronic device 100 .
- the task status can include: normal, abnormal, and so on.
- the abnormal task status can be subdivided into more types, such as the object device shutting down, the callee failing to start, and so on.
- the electronic device 100 monitors the running state of the caller 1, and transmits the running state of the caller 1 to the electronic device 300 according to the device ID of the object device in the task domain information of the caller 1.
- the running state of the caller may include: foreground running, background running, stopped running, and so on.
- the electronic device 100 may monitor the running status of the caller 1 continuously or periodically.
- the electronic device 100 may periodically send the monitored running state of the caller 1 to the electronic device 300, or may send the running state of the caller 1 to the electronic device 300 when the monitored running state of the caller 1 changes.
- the electronic device 300 synchronously changes the running state of the callee 1 according to the running state of the caller 1.
- the electronic device 300 can change the running state of the callee 1 to be consistent with that of the caller 1.
- when the caller 1 in the electronic device 100 runs in the foreground, the callee 1 in the electronic device 300 also runs in the foreground; when the caller 1 in the electronic device 100 runs in the background, the callee 1 in the electronic device 300 also runs in the background; when the caller 1 in the electronic device 100 stops running, the callee 1 in the electronic device 300 also stops running.
- the electronic device 100 monitors the task status in the task domain of the caller 1 .
- the task status in the task domain of caller 1 can include normal and abnormal.
- the abnormal task status refers to the situation in which the task cannot be executed normally, which may be caused by any of the following: the electronic device 300 is powered off or malfunctions; the specific instance of the callee 1 that the electronic device 300 created for the caller 1 in the electronic device 100 exits abnormally or fails to start; and so on.
- the electronic device 100 restores the task according to the task domain information of the caller 1 .
- the method for the electronic device 100 to restore the task state in the task domain of the caller 1 may include any one of the following:
- the electronic device 100 instructs the original object device (ie, the electronic device 300) in the task domain to recreate the specific instance of the callee 1 of S103 in FIG. 3C, and sends the identifier of that specific instance in S103 (including the UID and/or PID) to the electronic device 300.
- the electronic device 300 can recreate the specific instance of the callee 1 and assign it that identifier. In this way, the task in the task domain of the caller 1 is completely restored to the same state as before, and the resource invocation in the task domain is not affected.
- the electronic device 100 instructs an appropriate electronic device in the distributed system 10 to create the specific instance of the callee 1 of S103 in FIG. 3C, and sends the identifier of that specific instance (including the UID and/or PID) to the appropriate electronic device.
- the appropriate electronic device creates the specific instance of the callee 1 and assigns it that identifier. In this way, from the point of view of the electronic device 100, the task in the task domain of the caller 1 is resumed across devices: although the device where the invoked callee 1 is located has changed, the resource call in the task domain is not affected.
- a suitable electronic device may be an electronic device on which the callee 1 is installed or which is capable of installing the callee 1, selected by the electronic device 100 from the distributed system according to a selection policy.
- This embodiment of the present application does not limit the selection policy; for example, it may select the device with the most available resources, or the device closest to the electronic device 100, and so on.
- S402-S403 and S404-S405 may be implemented alternatively, and when the two are implemented jointly, the present application does not limit the sequence between the two.
- the running state of the caller 1 before the change may be called the first running state
- the running state of the caller 1 after the change may be called the second running state
- the electronic device involved in re-creating a specific instance of the callee 1 when the electronic device 100 resumes the task in S405 may be referred to as a fourth device.
- the first device may send a fifth access request to the fourth device, so that the fourth device creates a specific instance of the callee 1 and accesses the third resource in the fourth device, and the specific instance may be called the callee
- When calling the callee, the caller should ensure that the rights possessed by the callee are the same as those possessed by the caller. For example, when the caller does not have the camera permission, the callee should not have the camera permission either. Therefore, the object device needs to maintain or obtain the permission information granted to the caller in the main device, and when it receives an access request initiated by the caller, perform a permission check on the caller and respond to the access request only after the check passes. This ensures consistency of permissions between the callee and the caller, and protects user privacy and data security.
- the caller APP passes its own authority to the callee.
- if the callee provides services for different caller APPs in a single instance, in the form of (2) in FIG. 3A, then that single instance of the callee can obtain the permissions of the different caller APPs, which creates a problem of permission expansion.
- the rights in the calling process are managed through an independent rights management service. Specifically, when the callee provides services for the caller, it confirms with the rights management service whether it has the corresponding rights. This requires the rights management service to synchronize the authorization status and access policy of each device, which results in additional time overhead.
- when the access control method shown in FIG. 3C is executed, the same callee enables multiple instances and uses different instances to provide services for different calls. The caller can then pass its own rights to the corresponding callee instance, and that callee instance can use the rights only to provide services for the corresponding caller, not for other callers. In this way, the rights of the callee are kept consistent with the rights of the caller, which eliminates the risk of rights expansion caused by a single instance, ensures data security, and avoids the time overhead of synchronizing rights through a rights management service.
- the process shown in FIG. 7 may also be performed before S104 . As shown in Figure 7, the process may include the following steps:
- the electronic device 300 checks whether it has the authority required by the access request received in S101.
- for example, when the access request initiated by the electronic device 100 is used to implement a video call on the side of the electronic device 300, the electronic device 300 must first obtain permission to access the camera and the audio device.
- the electronic device 300 may first confirm whether it has the permission corresponding to the access request, and if it does not have the permission, it may perform the subsequent steps.
- the electronic device 300 applies to the caller 1 in the electronic device 100 for obtaining the permission required by the access request according to the calling relationship.
- the electronic device 300 applies to the user for the permission required by the access request.
- This embodiment of the present application does not limit the manner in which the electronic device 100 applies to the user for the permission; for example, the request may be made through a UI, by voice, and the like.
- when a user grants a permission, he or she can set the life cycle during which the permission is effective.
- the time limit may include, for example, temporary validity and permanent validity.
- Temporarily valid means that the caller 1 of the electronic device 100 has permission to access the resource corresponding to the access request only during a temporary period (e.g., the current calling period).
- Permanently valid means that the caller 1 of the electronic device 100 has permission to access the resource corresponding to the access request throughout its operation.
- the life cycle that the user grants the permission may be the first time period, that is, the first caller has the permission to access the first resource within the first time period.
- the electronic device 100 transmits the permissions required by the applied access request to the specific instance of the callee 1 in the electronic device 300 .
- electronic device 100 may create a routing proxy.
- the routing agent represents the path from caller 1 of electronic device 100 to callee 1 in electronic device 300 .
- the electronic device 100 can transfer the permission acquired by the caller 1 to the callee 1 in the electronic device 300 according to the routing agent.
- after the electronic device 300 receives the permission passed by the electronic device 100, it knows that the specific instance of the callee 1 has this permission when it provides services for the caller 1 in the electronic device 100, but does not have it when it provides services for other callers.
- when the electronic device 300 executes S104, it may first confirm that the specific instance of the callee 1 has the permission required by the access request, then run the specific instance of the callee 1 and, in response to the access request received in S101, access the first resource.
- the electronic device 100 may execute S503 before sending the access request in S101 of FIG. 3C, carry the requested permission information in the access request, and send both to the electronic device 300 together.
- the electronic device 300 can independently complete the permission check and the electronic device 100 can independently complete the permission application, without applying to a third-party device or module for the permission check. Therefore no third-party device is required to synchronize the permission information of both parties, which reduces the delay of the calling process and improves the data security of the device.
- the electronic device 100 and the electronic device 300 may also rely on a third-party rights management service to manage the rights in the calling process.
- the rights management service may first synchronize the rights information of the electronic device 100 and the electronic device 300, and then the electronic device 100 applies for the rights, and the electronic device 300 checks the rights by relying on the rights management service.
- the method shown in FIG. 7 may further include the following steps:
- the electronic device 100 revokes the authority passed to the specific instance of the callee 1 in the electronic device 300 in S501.
- the electronic device 100 may revoke the permission immediately after the life cycle of the permission expires.
- the electronic device 100 may revoke the permission passed from the caller 1 in the electronic device 100 to the callee 1 in the electronic device 300 through the created routing agent.
- the electronic device 100 may send a message to the electronic device 300 to notify the electronic device 300 to revoke the permission, so that the electronic device 300 no longer has the permission.
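The per-caller callee instances, routing proxy, permission passing with a life cycle, and revocation described in S501-S505 above, as an added Python example that is not part of the patent. Device, caller and permission names (dev100, callerA, "CAMERA", "videocall") are constructed, and the temporary life cycle is modelled as "valid for one call".

```python
from dataclasses import dataclass
from enum import Enum


class Lifecycle(Enum):
    TEMPORARY = "temporary"  # valid only for this calling period
    PERMANENT = "permanent"  # valid for as long as the caller runs


@dataclass(frozen=True)
class Grant:
    permission: str  # e.g. "CAMERA"
    lifecycle: Lifecycle


class CalleeInstance:
    """One instance of the callee, bound to exactly one caller (FIG. 3C style)."""

    def __init__(self, callee: str, caller_id: str) -> None:
        self.callee = callee
        self.caller_id = caller_id
        self.grants: dict[str, Grant] = {}

    def serve(self, caller_id: str, needed: set[str]) -> bool:
        # S504: confirm the instance holds the permissions before running it.
        # An instance never serves a caller other than the one it was created
        # for, which is what rules out permission expansion across callers.
        if caller_id != self.caller_id or not needed.issubset(self.grants):
            return False
        for perm in needed:  # temporary grants are consumed by this call
            if self.grants[perm].lifecycle is Lifecycle.TEMPORARY:
                del self.grants[perm]
        return True


class ObjectDevice:
    """Electronic device 300 side: one callee instance per caller."""

    def __init__(self) -> None:
        self.instances: dict[tuple[str, str], CalleeInstance] = {}

    def instance_for(self, callee: str, caller_id: str) -> CalleeInstance:
        key = (callee, caller_id)
        if key not in self.instances:
            self.instances[key] = CalleeInstance(callee, caller_id)
        return self.instances[key]

    def receive_grant(self, callee: str, caller_id: str, grant: Grant) -> None:
        # S503: a permission passed over the routing proxy lands only in the
        # instance that serves this caller.
        self.instance_for(callee, caller_id).grants[grant.permission] = grant

    def revoke(self, callee: str, caller_id: str, permission: str) -> None:
        # S505: the main device withdraws a permission it passed earlier.
        self.instance_for(callee, caller_id).grants.pop(permission, None)


class RoutingProxy:
    """Electronic device 100 side: the path from a caller to its callee instance."""

    def __init__(self, caller_id: str, callee: str, target: ObjectDevice) -> None:
        self.caller_id, self.callee, self.target = caller_id, callee, target
        self.passed: set[str] = set()

    def pass_permission(self, caller_perms: set[str], permission: str,
                        lifecycle: Lifecycle) -> bool:
        if permission not in caller_perms:  # a caller passes only what it holds
            return False
        self.target.receive_grant(self.callee, self.caller_id,
                                  Grant(permission, lifecycle))
        self.passed.add(permission)
        return True

    def revoke_all(self) -> None:
        for perm in self.passed:
            self.target.revoke(self.callee, self.caller_id, perm)
        self.passed.clear()


def demo() -> dict[str, bool]:
    """Constructed scenario: two callers on device 100 use the same callee on 300."""
    dev300 = ObjectDevice()
    proxy_a = RoutingProxy("callerA@dev100", "videocall", dev300)
    proxy_b = RoutingProxy("callerB@dev100", "videocall", dev300)
    out = {}
    # caller A holds CAMERA and passes it for this call only; caller B holds nothing
    out["pass_held"] = proxy_a.pass_permission({"CAMERA"}, "CAMERA", Lifecycle.TEMPORARY)
    out["pass_unheld"] = proxy_b.pass_permission(set(), "CAMERA", Lifecycle.TEMPORARY)
    inst_a = dev300.instance_for("videocall", "callerA@dev100")
    inst_b = dev300.instance_for("videocall", "callerB@dev100")
    out["a_served"] = inst_a.serve("callerA@dev100", {"CAMERA"})
    out["a_second_call"] = inst_a.serve("callerA@dev100", {"CAMERA"})  # grant expired
    out["b_served"] = inst_b.serve("callerB@dev100", {"CAMERA"})  # B's instance never got it
    out["b_via_a"] = inst_a.serve("callerB@dev100", {"CAMERA"})  # wrong caller for instance
    proxy_a.pass_permission({"CAMERA"}, "CAMERA", Lifecycle.PERMANENT)
    proxy_a.revoke_all()
    out["after_revoke"] = inst_a.serve("callerA@dev100", {"CAMERA"})
    return out
```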
- a possible solution is to synchronize the permission information of all local APPs to the peer device after each device in the distributed system establishes a connection.
- the permissions of the local APP change dynamically (for example, the user withdraws permissions, opens permissions, etc.)
- the local device synchronizes or updates permission information across devices one by one according to the maintained list of connected devices.
- This overall synchronization method has a large amount of data and frequent operations, which consumes a lot of memory and performance.
- the electronic device 300 may actively obtain the permission information of the caller from the electronic device 100 according to the calling requirement. At the same time, the electronic device 100 records that the electronic device 300 has obtained the permission information of the caller, and when the permission of the caller changes dynamically, the updated permission information is synchronized to the recorded electronic device 300.
- This method of synchronizing the permission information according to the calling requirement only needs to synchronize the permission information involved in the calling request, which can reduce the data to be synchronized and the consumption of memory and performance.
- the process shown in FIG. 8A can also be executed. As shown in Figure 8A, the process may include the following steps:
- the electronic device 300 searches whether the permission information of the caller 1 required by the access request sent in S101 is stored.
- the electronic device 300 acquires the permission information of the caller 1 from the electronic device 100, and records the permission information of the caller 1 in the electronic device 100.
- the electronic device 300 may first send a permission request to the electronic device 100, and then the electronic device 100 sends the permission information of the caller 1 in the electronic device 100 to the electronic device 300 in response to the request.
- the permission information of the caller 1 in the electronic device 100 records the accessible device resources, and the permission can be set by the user in the process of manipulating the electronic device 100, or can be set by the caller 1 by default.
- the electronic device 100 may also directly send the permission information of the caller 1 in the electronic device 100 to the electronic device 300 after initiating an access request to the electronic device 300.
- the electronic device 100 records the situation that the electronic device 300 obtains the permission information of the caller 1.
- the electronic device 100 may store the identifier of the electronic device 300 in association with the identifier of the caller 1 to indicate that the electronic device 300 has obtained the permission information of the caller 1.
- the situation recorded by the electronic device 100 that the electronic device 300 obtains the authority information of the caller 1 may be referred to as the first information.
- the electronic device 300 may, when executing S104 in FIG. 3C, respond to the access request initiated by the electronic device 100 in S101 according to the permission information.
- the electronic device 300 may refuse to respond to the access request. This ensures that the callee has the same authority as the caller when providing services to the caller, avoids data security problems caused by the expansion of authority, and protects user privacy and data security.
- changes in the permission information of the caller 1 in the electronic device 100 may include: the user changing the permission information of the caller 1 in the electronic device 100; a change in the state of the caller 1 in the electronic device 100 bringing about a change in the permission information; a change in the permission information due to a change of time period; and so on. There are no restrictions here.
- the electronic device 100 sends the changed permission information of the caller 1 in the electronic device 100 to the electronic device 300 recorded in S603.
- the electronic device 100 can update the changed authority information of the caller 1 to the devices that have previously obtained the authority information of the caller 1, thereby keeping permissions consistent.
- the electronic device 300 updates the permission information of the caller 1 in the electronic device 100 .
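The on-demand synchronization of S601-S606 above (fetch on a miss, record who fetched, push only changed information to the recorded devices), as an added Python example that is not the patent's own code. Device names (phone, tv, speaker), app names (app1, app2) and permission names are constructed.

```python
class MainDevice:
    """Electronic device 100: holds each caller's permission information and
    records which peer devices have fetched it (the 'first information')."""

    def __init__(self, name: str, permissions: dict[str, set[str]]) -> None:
        self.name = name
        self.permissions = {app: set(p) for app, p in permissions.items()}
        self.synced_to: dict[str, set[str]] = {}  # S603: app -> peer devices
        self.peers: dict[str, "ObjectDevice"] = {}

    def connect(self, peer: "ObjectDevice") -> None:
        self.peers[peer.name] = peer

    def permission_request(self, app: str, peer_name: str) -> set[str]:
        # S602: answer a permission request and remember who asked.
        self.synced_to.setdefault(app, set()).add(peer_name)
        return set(self.permissions[app])

    def change_permission(self, app: str, perm: str, granted: bool) -> None:
        # S604-S605: the user (or a state change) alters the caller's
        # permissions; only devices that fetched this app's info get an update.
        if granted:
            self.permissions[app].add(perm)
        else:
            self.permissions[app].discard(perm)
        for peer_name in self.synced_to.get(app, ()):
            self.peers[peer_name].update_permission_info(
                self.name, app, set(self.permissions[app]))


class ObjectDevice:
    """Electronic device 300: caches caller permission info per (device, app)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.cache: dict[tuple[str, str], set[str]] = {}
        self.fetches = 0

    def permission_info(self, main: MainDevice, app: str) -> set[str]:
        # S601-S602: use the stored copy, fetch from the main device on a miss.
        key = (main.name, app)
        if key not in self.cache:
            self.fetches += 1
            self.cache[key] = main.permission_request(app, self.name)
        return self.cache[key]

    def update_permission_info(self, main_name: str, app: str, perms: set[str]) -> None:
        # S606: replace the stored copy with the changed permission information.
        self.cache[(main_name, app)] = perms

    def handle_access(self, main: MainDevice, app: str, needed: str) -> bool:
        # S104: respond only when the caller itself holds the needed permission.
        return needed in self.permission_info(main, app)


def demo() -> dict:
    """Constructed scenario: a phone (device 100 role) with two apps, and a TV
    and a speaker (device 300 role) connected to it."""
    phone = MainDevice("phone", {"app1": {"CAMERA"}, "app2": set()})
    tv, speaker = ObjectDevice("tv"), ObjectDevice("speaker")
    phone.connect(tv)
    phone.connect(speaker)
    out = {}
    out["first"] = tv.handle_access(phone, "app1", "CAMERA")   # miss: fetched from phone
    out["second"] = tv.handle_access(phone, "app1", "CAMERA")  # hit: no second fetch
    out["fetches"] = tv.fetches
    phone.change_permission("app1", "CAMERA", granted=False)   # user withdraws CAMERA
    out["after_revoke"] = tv.handle_access(phone, "app1", "CAMERA")
    out["speaker_synced"] = ("phone", "app1") in speaker.cache  # never asked, never pushed
    out["app2"] = speaker.handle_access(phone, "app2", "CAMERA")
    out["synced_to_app1"] = sorted(phone.synced_to["app1"])
    return out
```

Compared with the whole-list synchronization described above, only the (device, app) pairs that were actually involved in a call are ever transferred or updated.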
- the rights synchronization method shown in FIG. 8A can be applied to any type of caller. That is, regardless of whether the caller is a system application or a third-party application, the distributed system can execute the method shown in FIG. 8A.
- System applications refer to applications provided or developed by manufacturers of electronic devices
- third-party applications refer to applications provided or developed by parties other than the manufacturer of the electronic device.
- the manufacturer of the electronic device may include the manufacturer, supplier, provider or operator of the electronic device, and the like.
- a manufacturer may refer to a manufacturer that processes and manufactures electronic equipment with self-made or purchased parts and raw materials.
- the supplier may refer to the manufacturer that provides the complete machine, raw material or parts of the electronic equipment.
- the operator may refer to a manufacturer responsible for the distribution of the electronic device.
- the permission synchronization method shown in FIG. 8A may only be used for third-party applications, while for system applications the permission synchronization is performed in an overall synchronization manner. That is to say, in some embodiments, before executing the method shown in FIG. 8A, the distributed system must first confirm that the caller 1 in the electronic device 100 is a third-party application.
- the process shown in FIG. 8B may also be performed before S101.
- the caller 1 in the electronic device 100 is a system application. As shown in Figure 8B, the process may include the following steps:
- the electronic device 100 in the distributed system establishes a connection with the electronic device 300.
- the electronic device 300 searches whether permission information of each system application in the electronic device 100 is stored.
- the information of the application programs installed on the opposite end device can be synchronized, so as to know which traditional applications and functional components are installed on the opposite end device.
- the electronic device 100 sends permission information of each installed system application to the electronic device 300.
- the electronic device 300 records the acquired permission information of each system application in the electronic device 100.
- the electronic device 100 records the situation that the electronic device 300 obtains permission information of each system application.
- S706-S708 refer to S604-S606.
- the electronic device 100 and the electronic device 300 may call each other, for details, please refer to the related description in FIG. 3C .
- When the caller calls the callee, the callee must explicitly obtain the user's authorization to ensure the security of sensitive data.
- when the subject device accesses the resources of the object device, the object device usually obtains authorization from the user. However, the object device cannot obtain authorization from the user when it lacks the conditions for authorization, for example when it has no display screen for a pop-up authorization, or when its screen is locked and the user is not nearby.
- if the object device is performing other tasks, for example the user is playing a game, requesting authorization from the user at this time (for example, in the form of a pop-up box) will seriously affect the user experience on both the subject and object sides.
- an authorization device is flexibly selected in the distributed system according to the properties of the device, and then the authorization device obtains the permission of the subject device to initiate an access request to the object device from the user. This allows the flexibility to choose the authorized device and complete the authorization without disturbing the user.
- the process shown in FIG. 9 can also be executed. As shown in Figure 9, the process may include the following steps:
- the electronic device 300 checks whether it has the permission required by the access request, where the permission includes the permission to call the first caller to access the first resource.
- the electronic device 300 selects an authorization device in the distributed system according to the device attributes of each device, in the case that the electronic device 300 does not have the authorization condition, its distance from the user exceeds the first value, or it is currently not suitable for authorization.
- Each device in the distributed system may include: the other devices in the distributed system that have established a connection with the electronic device 300.
- Device properties may include, but are not limited to, one or more of the following:
- the device may request authorization from the user in the following ways: pop-up authorization, fingerprint authorization, voice authorization, face recognition authorization, etc.
- Each authorization method requires corresponding conditions.
- the pop-up authorization requires the device to have a display screen
- the fingerprint authorization requires the device to have a fingerprint recognition sensor
- the voice authorization requires the device to have a microphone
- the face recognition authorization requires the device to have a camera.
- the running status may include, for example, whether the screen of the device is locked, whether a game is running, whether a video is playing, and so on.
- the electronic device 300 may periodically acquire the properties of each device, may also acquire the properties of each device when the authority needs to be acquired, and may also acquire the properties of each device when joining a distributed system. In some other embodiments, if the attributes of other devices are changed, the other devices may also actively send the updated attributes to the electronic device 300.
- the electronic device 300 may select an authorized device according to the device attribute, which is not limited here.
- the electronic device 300 may select a device that has authorization conditions, is closest to the user, and whose display screen is not occupied as the authorized device.
- the electronic device 300 may also select the authorization mode synchronously, and the policy for the electronic device 100 to select the authorization mode is not limited here.
- the electronic device 300 notifies the authorization device to perform the authorization operation.
- the electronic device 100 may also notify the authorized device of the determined authorization method.
- the authorization device requests the user for the permission required by the caller 1 to initiate the access request.
- the authorization device may request authorization from the user using the authorization method notified by the electronic device 300. In some other embodiments, if the electronic device 300 does not notify an authorization method, the authorization device may select one according to its own policy to request authorization from the user.
- the authorization device sends the user's authorization result to the electronic device 300.
- the electronic device 300 may then execute S102-S104 of FIG. 3C in response to the access request received in S101.
- the authorization device may be referred to as a fifth device.
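The authorization-device selection of S801-S802 above (authorization conditions from hardware, distance to the user, running status, and the chosen authorization method), as an added Python example that is not the patent's own code. The hardware and method names, the preference order of methods and the value of the "first value" distance threshold (5 metres) are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed preference order of authorization methods and the hardware
# condition each one requires (pop-up needs a display, face needs a camera, ...).
METHOD_REQUIRES = {
    "popup": "display",
    "face": "camera",
    "fingerprint": "fingerprint_sensor",
    "voice": "microphone",
}
FIRST_VALUE = 5.0  # constructed "first value": max distance to the user, in metres


@dataclass
class DeviceAttrs:
    name: str
    hardware: set[str]
    distance_to_user: float
    screen_locked: bool = False
    game_running: bool = False
    video_playing: bool = False

    def available_methods(self) -> list[str]:
        """Authorization methods this device can offer, in preference order."""
        methods = [m for m, hw in METHOD_REQUIRES.items() if hw in self.hardware]
        if self.screen_locked or self.game_running or self.video_playing:
            # a locked or occupied display rules out pop-up authorization
            methods = [m for m in methods if m != "popup"]
        return methods

    def suitable_now(self) -> bool:
        # has an authorization condition, is near the user, and is not busy
        busy = self.game_running or self.video_playing
        return bool(self.available_methods()) and self.distance_to_user <= FIRST_VALUE and not busy


def select_authorization_device(self_attrs: DeviceAttrs,
                                peers: list[DeviceAttrs]) -> tuple[Optional[str], Optional[str]]:
    """S801-S802: the object device authorizes itself when it can; otherwise it
    picks the closest connected device that has an authorization condition and
    is not occupied, preferring one whose display is free. Returns (device, method)."""
    if self_attrs.suitable_now():
        return self_attrs.name, self_attrs.available_methods()[0]
    candidates = [d for d in peers if d.suitable_now()]
    if not candidates:
        return None, None  # nobody can authorize right now
    best = min(candidates,
               key=lambda d: (d.distance_to_user, "popup" not in d.available_methods()))
    return best.name, best.available_methods()[0]


def demo() -> dict:
    """Constructed scenario: a screenless speaker (device 300) far from the user,
    a TV playing video, and a phone next to the user."""
    speaker = DeviceAttrs("speaker", {"microphone"}, distance_to_user=12.0)
    tv = DeviceAttrs("tv", {"display"}, distance_to_user=3.0, video_playing=True)
    phone = DeviceAttrs("phone", {"display", "fingerprint_sensor", "camera"}, 1.0)
    out = {"unlocked": select_authorization_device(speaker, [tv, phone])}
    phone.screen_locked = True  # pop-up no longer possible; fall back to face
    out["locked"] = select_authorization_device(speaker, [tv, phone])
    out["nobody"] = select_authorization_device(speaker, [tv])
    return out
```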
- the object device will find the corresponding resource access policy from the mapping library of "application identity-access policy" according to the caller's APP ID, and decide whether to approve the call initiated by the caller according to the policy.
- each caller can transparently use capabilities, data, and services provided by other devices. For the actual operation experience of upper-layer applications, this resource sharing is no different from that in traditional stand-alone devices. However, since different devices and callers from different devices are involved in the distributed system, and different devices have different security capabilities, the resource access strategy relying on APP ID cannot meet the resource access requirements in the distributed system. There may be data security issues.
- the security level of speakers and watches is low.
- the caller on the mobile phone calls the functional components on the watch, if the private data on the mobile phone is transferred to the watch without considering the low security level of the watch, there will be data security problems.
- the mobile phone calls the watch to make bank-type payments regardless of the fact that there is no secure environment on the watch, serious data leakage may occur.
- the electronic device 100 may also send the identity information of the caller 1 to the electronic device 300.
- the caller's identity information can also include one or more of the following: the caller's PID, UID, the account ID of the main device, the system ID of the main device where the caller is located, and the deviceID of the main device.
- the system ID may be an identifier in the distributed system allocated by the distributed system to the electronic device after the electronic device joins the distributed system.
- if the electronic device 100 has previously sent the identity information of the caller 1 to the electronic device 300, the electronic device 100 does not need to send the complete identity information of the caller 1 again, but only needs to send the dynamically changing part of the identity information to the electronic device 300.
- the electronic device 100 may process the dynamic change information in the identity information of the caller 1 into a hash value, and if the hash value changes, the changed hash value may be sent in S901.
- the electronic device 300 may first determine whether the caller 1 of the electronic device 100 has permission to access the resource corresponding to the request according to the identity information of the caller 1 and the access control policy. After it is determined that there is permission, the first resource is accessed in response to the access request received in S101.
- an access control policy may be pre-established in the electronic device 300, and the access control policy describes the mapping relationship between each resource in the electronic device 300 and the identity information of the APP that has permission to access these resources. There is no specific restriction on the access control policy here.
- the access control policy may include: 1. the BLP (Bell-LaPadula) principle, that is, the caller cannot read the data of a callee whose security level is higher than that of the caller, and the caller cannot write the data of a callee whose security level is lower than that of the caller; 2. the Biba principle, that is, the caller cannot read the data of a callee whose security level is lower than that of the caller, and the caller cannot write the data of a callee whose security level is higher than that of the caller.
- a device can access various resources in other devices across devices. Since different devices have different security capabilities and different types of data that can be accessed by different devices, there are potential confidentiality and availability risks when accessing resources across devices. For example, data leakage occurs when a mobile phone with a high security level sends data to a speaker with a low security level.
- when executing the access control method shown in FIG. 3C, the subject device may determine whether to initiate the access request according to the security level of the object device and/or the subject device, and the object device may determine whether to respond to the access request according to the security level of the object device and/or the subject device. In this way, resources can be selectively opened according to the security level of different devices, avoiding the risk of data leakage.
- the electronic device 100 and the electronic device 300 in the distributed system can synchronize each other's device security levels.
- the security level of the device is mainly determined by the basic security capabilities provided by the software and hardware of the device itself. The higher the basic security capability of an electronic device, the higher the security level of the device.
- Basic security elements that affect basic security capabilities include device integrity protection, encryption and data security, security isolation, access control, and vulnerability prevention.
- device A runs the LiteOS lightweight OS, the hardware uses a low-end processor, does not support complex virtual memory isolation, nor does it support hardware-based security isolation;
- device B runs the Android system, the hardware uses a high-end processor, and the device supports hardware security capabilities such as security isolation and virtual memory isolation. Then the security level of device B is higher than that of device A.
- the security levels of mobile phones, tablet computers, smart watches, and large screens decrease in that order.
- the electronic device 100 may first determine whether to initiate the access request according to the security level of the object device and/or the subject device.
- the embodiment of the present application does not specifically limit the policy by which the subject device decides whether to initiate an access request according to the security level of the object device (the electronic device 300) and/or the subject device.
- the electronic device 100 may refuse to initiate the access request, thereby preventing the confidential data of the electronic device 100 from flowing to the electronic device 300.
- the electronic device 300 may first determine whether to respond to the access request according to the security level of the object device and/or the subject device.
- the embodiment of the present application does not impose specific restrictions on the policy for the electronic device 300 to determine whether to respond to the access request according to the security level of the object device and/or the subject device. For example, when the resource requested by the access request is a sensitive resource and the security level of the electronic device 300 is low, the electronic device 300 may refuse to respond to the access request, thereby avoiding data leakage.
- corresponding resources can be selectively opened to other devices in the distributed system according to the security levels of different devices, so as to ensure the confidentiality and integrity of sensitive resources in each device.
- the confidentiality and integrity of the device resources can be guaranteed and the attack surface can be reduced.
- a device can access various resources in other devices across devices.
- Different applications have different security requirements.
- banking APPs require devices to have a trusted execution environment (TEE)
- music APPs only require devices to have basic isolation and access capabilities
- if music APPs can access the data or resources of banking APPs, there are potential confidentiality and availability risks.
- when executing the access control method shown in FIG. 3C, the subject device may determine whether to initiate an access request according to the security level of the caller, and the object device may determine whether to respond to the access request according to the security level of the caller. In this way, resources can be selectively opened according to the security level of different applications, avoiding the risk of data leakage.
- the electronic device 100 and the electronic device 300 in the distributed system can synchronize the security levels of each application with each other.
- the security level of the application (including the APP and functional components) may be preset.
- the electronic device may formulate a security level for each application according to default hierarchical classification rules.
- the security level can be distinguished according to the category of the application, for example, the security level of system applications is higher than that of third-party applications, the security level of shopping applications is higher than that of reading applications, and so on.
- the security level of each application can also be manually set by the user, for example, the user can customize the security level of each application according to his own needs.
- the electronic device 100 may first determine whether to initiate the access request according to the security level of the caller 1 and/or the callee 1.
- the embodiment of the present application does not specifically limit the policy by which the electronic device 100 decides whether to initiate an access request according to the security level of the caller 1 and/or the callee 1. For example, when the resource requested by the access request is a sensitive resource and the security level of the callee 1 is low, the electronic device 100 may refuse to initiate the access request, thereby preventing the confidential data of the caller 1 from flowing to the callee 1.
- the electronic device 300 may first determine whether to respond to the access request according to the security level of the caller 1 and/or the callee 1.
- the embodiment of the present application does not impose specific restrictions on the policy by which the electronic device 300 decides whether to respond to the access request according to the security level of the caller 1 and/or the callee 1.
- the electronic device 300 may refuse to respond to the access request, thereby preventing the confidential data of the caller 1 from flowing to the callee 1.
- corresponding resources can be selectively opened to other applications in the distributed system according to the security levels of different applications, so as to ensure the confidentiality and integrity of sensitive resources in each device.
- the confidentiality and integrity of the device resources can be guaranteed and the attack surface can be reduced.
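The two-sided decision described above, combining the BLP/Biba principles from the access control policy with the device security level and application security level checks, as an added Python example that is not the patent's own code. The numeric levels (phone 4 > tablet 3 > watch 2 > large screen 1 follows the order given above; banking 3, shopping 2, music 1 is constructed), the "sensitive resource needs device level >= 3" threshold and the split of checks between subject and object side are assumptions of this example.

```python
from dataclasses import dataclass

# Device security levels in the order the description gives them:
# mobile phone > tablet > smart watch > large screen (numbers constructed).
DEVICE_LEVEL = {"phone": 4, "tablet": 3, "watch": 2, "large_screen": 1}
# Constructed threshold: a sensitive resource is only opened when the
# callee's device has at least this security level.
SENSITIVE_MIN_DEVICE_LEVEL = 3


@dataclass(frozen=True)
class Endpoint:
    device: str
    app: str
    app_level: int  # constructed scale: banking 3, shopping 2, music/reading 1


def model_allows(model: str, op: str, subject_level: int, object_level: int) -> bool:
    """BLP: no read up, no write down.  Biba: no read down, no write up."""
    if model == "blp":
        return subject_level >= object_level if op == "read" else subject_level <= object_level
    if model == "biba":
        return subject_level <= object_level if op == "read" else subject_level >= object_level
    raise ValueError(f"unknown model {model}")


def subject_reasons(caller: Endpoint, callee: Endpoint, sensitive: bool) -> list[str]:
    """Electronic device 100: refuse to initiate when confidential data of the
    caller would flow to a callee device or application of lower security level."""
    reasons = []
    if sensitive and DEVICE_LEVEL[callee.device] < SENSITIVE_MIN_DEVICE_LEVEL:
        reasons.append("callee device security level too low for a sensitive resource")
    if sensitive and callee.app_level < caller.app_level:
        reasons.append("callee application security level lower than the caller's")
    return reasons


def object_reasons(caller: Endpoint, callee: Endpoint, op: str,
                   sensitive: bool, model: str) -> list[str]:
    """Electronic device 300: refuse to respond when its own level is too low
    for the sensitive resource or the BLP/Biba rule forbids the operation."""
    reasons = []
    if sensitive and DEVICE_LEVEL[callee.device] < SENSITIVE_MIN_DEVICE_LEVEL:
        reasons.append("own device security level too low for a sensitive resource")
    if not model_allows(model, op, caller.app_level, callee.app_level):
        reasons.append(f"{model} forbids {op} from level {caller.app_level} "
                       f"to level {callee.app_level}")
    return reasons


def evaluate(caller: Endpoint, callee: Endpoint, op: str,
             sensitive: bool, model: str = "blp") -> dict:
    """Run the subject-side check first; the object side only sees requests
    that were actually initiated, and decides again independently."""
    s_reasons = subject_reasons(caller, callee, sensitive)
    if s_reasons:
        return {"initiated": False, "responded": False, "reasons": s_reasons}
    o_reasons = object_reasons(caller, callee, op, sensitive, model)
    return {"initiated": True, "responded": not o_reasons, "reasons": o_reasons}


def demo() -> dict:
    """Constructed scenarios mirroring the description's phone/watch and
    banking/music examples."""
    bank_phone = Endpoint("phone", "banking", 3)
    pay_watch = Endpoint("watch", "payment", 3)
    music_phone = Endpoint("phone", "music", 1)
    music_tablet = Endpoint("tablet", "music", 1)
    bank_tablet = Endpoint("tablet", "banking", 3)
    return {
        # phone asks the watch (no secure environment) to do a bank-type payment
        "watch_payment": evaluate(bank_phone, pay_watch, "write", sensitive=True),
        # music app tries to read banking data: subject sends, object applies BLP
        "music_reads_bank": evaluate(music_phone, bank_tablet, "read", sensitive=True),
        # ordinary music data between two music apps
        "music_to_music": evaluate(music_phone, music_tablet, "read", sensitive=False),
        # banking app reading low-integrity music data under Biba
        "bank_reads_music_biba": evaluate(bank_phone, music_tablet, "read", False, "biba"),
        # banking data to a banking component on a tablet (level 3)
        "bank_to_bank": evaluate(bank_phone, bank_tablet, "write", sensitive=True),
    }
```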
- a device can access various resources in other devices across devices.
- Different devices have different security sensitivities and therefore different security protection requirements. For example, the security sensitivity of smart door locks and bedroom cameras is higher than that of devices with low security sensitivity such as smart desk lamps; then smart desk lamps or their applications cannot control bedroom cameras or smart door locks, while smart speakers can control smart desk lamps. If the security sensitivity of each device is not considered, cross-device access will bring data security issues.
- when executing the access control method shown in FIG. 3C, the subject device may determine whether to initiate an access request according to the security sensitivity of the object device and/or the subject device, and the object device may determine whether to respond to the access request according to the security sensitivity of the object device and/or the subject device. In this way, resources can be selectively opened according to the security sensitivity of different devices, avoiding the risk of data leakage.
- the electronic device 100 and the electronic device 300 in the distributed system can synchronize each other's device security levels.
- the security sensitivity of each device refers to the degree of privacy risk brought to users after data leakage in the device.
- the higher the data privacy in the device, the higher the risk after the device is breached or its data is leaked, and the higher the security sensitivity.
- device A is a desk lamp in the living room, and the consequence of being breached is "the desk lamp is turned on or off at will"
- device B is a bedroom camera, and the consequence of being breached or data leaked is "the video footage of the bedroom is leaked". Comparing the two, the security sensitivity of device B is obviously higher for the user.
- the device security level is divided according to the software and hardware security capabilities of the device itself, and the device security sensitivity is divided according to the degree of privacy threat to the user when the device is destroyed.
- the security sensitivity of each device can be preset.
- each device may formulate security sensitivities for each device according to default hierarchical classification rules.
- the security sensitivity of the device can be preset based on one or more of the following: the location of the device (e.g., kitchen, bedroom, outdoor lights), whether the device is carried by the user, the type of the device, the type of data stored in the device, and so on. For example, when the user wears the watch, the security sensitivity of the watch is high, but when it is detected that the watch is separated from the user, the security sensitivity level of the watch decreases. For another example, the security sensitivity of the camera in the bedroom is higher than that of the smart desk lamp in the kitchen.
- the security sensitivity of each device can also be manually set by the user, for example, the user can customize the security sensitivity of each device according to his own needs.
- the electronic device 100 may first determine whether to initiate the access request according to the security sensitivity of the object device and/or the subject device.
- this embodiment of the present application does not specifically limit the policy by which the electronic device 100 determines whether to initiate an access request according to the security sensitivity of the object device (the electronic device 300) and/or the subject device.
- the electronic device 100 may refuse to initiate the access request, thereby preventing the confidential data of the electronic device 100 from flowing to the electronic device 300 .
- the electronic device 300 may first determine whether to respond to the access request according to the security sensitivity of the object device and/or the subject device.
- the embodiment of the present application does not impose specific restrictions on the policy for the electronic device 300 to determine whether to respond to the access request according to the security sensitivity of the object device and/or the subject device. For example, when the resource requested by the access request is a sensitive resource and the security sensitivity of the electronic device 300 is low, the electronic device 300 may refuse to respond to the access request, thereby avoiding data leakage.
- corresponding resources can be selectively opened to other devices in the distributed system, so as to ensure the confidentiality and integrity of the sensitive resources in each device.
- the confidentiality and integrity of the device resources can be guaranteed and the attack surface can be reduced.
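The two-sided decision described above (the subject device deciding whether to initiate, the object device deciding whether to respond) as an added example; this is illustrative code, not code from the patent. The concrete policy is an assumption, since the description leaves it open: a sensitive resource is opened only to a subject of at least the object's sensitivity, confidential data is not sent to a less sensitive object, and a wearable that is separated from its user drops one sensitivity level. Device names and levels are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Device security sensitivity: privacy risk to the user if the device is breached."""
    LOW = 1      # e.g. a desk lamp: at worst it is switched on or off at will
    MEDIUM = 2   # e.g. a smart speaker
    HIGH = 3     # e.g. a bedroom camera or a smart door lock


@dataclass
class Device:
    name: str
    preset: Sensitivity          # preset by classification rules or set by the user
    wearable: bool = False
    worn_by_user: bool = True    # only meaningful when wearable is True

    def security_sensitivity(self) -> Sensitivity:
        """Effective sensitivity. Assumed rule modelled on the watch example: a wearable
        that is separated from its user drops one level."""
        if self.wearable and not self.worn_by_user and self.preset > Sensitivity.LOW:
            return Sensitivity(self.preset - 1)
        return self.preset


class DeviceInfoBase:
    """Each device keeps the synchronized security sensitivity of its peers."""

    def __init__(self):
        self._devices = {}

    def sync(self, device: Device) -> None:
        self._devices[device.name] = device

    def get(self, name: str) -> Device:
        return self._devices[name]


@dataclass
class AccessRequest:
    subject: str               # device initiating the request (where the caller runs)
    obj: str                   # device holding the callee and the requested resource
    resource: str
    resource_sensitive: bool   # whether the requested resource is a sensitive resource
    sends_confidential_data: bool = False   # request carries the subject's confidential data


def subject_may_initiate(req: AccessRequest, db: DeviceInfoBase) -> tuple:
    """Subject-side check: refuse to initiate when confidential data of the subject
    would flow to an object device of lower security sensitivity (assumed policy)."""
    subj, obj = db.get(req.subject), db.get(req.obj)
    if req.sends_confidential_data and obj.security_sensitivity() < subj.security_sensitivity():
        return False, f"{req.subject} will not send confidential data to less sensitive {req.obj}"
    return True, "initiate"


def object_may_respond(req: AccessRequest, db: DeviceInfoBase) -> tuple:
    """Object-side check: a sensitive resource is opened only to a subject whose
    security sensitivity is at least that of the object (a lamp cannot control a camera)."""
    subj, obj = db.get(req.subject), db.get(req.obj)
    if req.resource_sensitive and subj.security_sensitivity() < obj.security_sensitivity():
        return False, f"{req.obj} refuses {req.resource} to less sensitive {req.subject}"
    return True, "respond"


def decide(req: AccessRequest, db: DeviceInfoBase) -> tuple:
    """Both checks must pass before the callee instance runs and accesses the resource."""
    ok, why = subject_may_initiate(req, db)
    if not ok:
        return False, why
    return object_may_respond(req, db)


def build_demo_db() -> DeviceInfoBase:
    """Constructed sample devices (not taken from the patent)."""
    db = DeviceInfoBase()
    for d in (Device("desk_lamp", Sensitivity.LOW),
              Device("smart_speaker", Sensitivity.MEDIUM),
              Device("bedroom_camera", Sensitivity.HIGH),
              Device("watch", Sensitivity.HIGH, wearable=True)):
        db.sync(d)
    return db
```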
- the software systems of both the electronic device 100 and the electronic device 300 may adopt a layered architecture, an event-driven architecture, a microkernel architecture, a microservice architecture, or a cloud architecture, or the like.
- the software systems of the electronic device 100 and the electronic device 300 include but are not limited to Linux or other operating systems.
- the layered architecture divides the software into several layers, and each layer has a clear role and division of labor. Layers communicate with each other through software interfaces. In some embodiments, from top to bottom may include: an application layer, an application framework layer, a system service layer, a kernel layer, and the like.
- the application layer may include a series of application packages, including APP such as camera, gallery, calendar, call, map, and may also include functional components such as FA and PA.
- the application framework layer provides an application programming interface (application programming interface, API) and a programming framework for applications in the application layer.
- the application framework layer includes some predefined functions.
- the application framework layer can include window managers, content providers, view systems, telephony managers, resource managers, notification managers, etc.
- a window manager is used to manage window programs.
- the window manager can get the size of the display screen, determine whether there is a status bar, lock the screen, take screenshots, etc.
- Content providers are used to store and retrieve data and make these data accessible to applications.
- the data may include video, images, audio, calls made and received, browsing history and bookmarks, phone book, etc.
- the view system includes visual controls, such as controls for displaying text, controls for displaying pictures, and so on. View systems can be used to build applications.
- a display interface can consist of one or more views.
- the display interface including the short message notification icon may include a view for displaying text and a view for displaying pictures.
- the phone manager is used to provide the communication function of the electronic device. For example, the management of call status (including connecting, hanging up, etc.).
- the resource manager provides various resources for the application, such as localization strings, icons, pictures, layout files, video files and so on.
- the notification manager enables applications to display notification information in the status bar, which can be used to convey notification-type messages, and can disappear automatically after a brief pause without user interaction. For example, the notification manager is used to notify download completion, message reminders, etc.
- the notification manager can also display notifications in the status bar at the top of the system in the form of graphs or scroll bar text, such as notifications of applications running in the background, and notifications on the screen in the form of dialog windows. For example, text information is prompted in the status bar, a prompt sound is issued, the electronic device vibrates, and the indicator light flashes.
- the core library consists of two parts: one is the functions that the Java language needs to call, and the other is the core library of Android.
- the application layer and the application framework layer run in virtual machines.
- the virtual machine converts the Java files of the application layer and the application framework layer into binary files for execution.
- the virtual machine is used to perform functions such as object lifecycle management, stack management, thread management, safety and exception management, and garbage collection.
- a system library can include multiple functional modules. For example: surface manager (surface manager), media library (Media Libraries), 3D graphics processing library (eg: OpenGL ES), 2D graphics engine (eg: SGL), etc.
- the Surface Manager is used to manage the display subsystem and provides a fusion of 2D and 3D layers for multiple applications.
- the media library supports playback and recording of a variety of commonly used audio and video formats, as well as still image files.
- the media library can support a variety of audio and video encoding formats, such as: MPEG4, H.264, MP3, AAC, AMR, JPG, PNG, etc.
- the 3D graphics processing library is used to implement 3D graphics drawing, image rendering, compositing, and layer processing.
- 2D graphics engine is a drawing engine for 2D drawing.
- the kernel layer is the layer between hardware and software.
- the kernel layer contains at least display drivers, camera drivers, audio drivers, and sensor drivers.
- FIG. 10 exemplarily shows the software structure of the electronic device 100 for executing the access control method in FIG. 3C and the solutions in the above-mentioned optional embodiments.
- the electronic device 300 includes the following modules: an application information management module, an application startup management module, an instance management module, a call relationship management module, a call relationship library, a functional component information management module, a functional component information synchronization module, an access control module, an application rights management module, and a rights information base.
- the application information management module is used to manage the information of each APP and functional components installed in the electronic device 300 . For example, manage the PID of each APP and functional components, etc.
- the application startup management module is used to manage the startup of each APP and functional components. For example, when the electronic device 300 receives a request from another device to invoke a certain application, the application startup management module can start the application.
- the functional component information management module is used to maintain the functional component information synchronized by the local machine and other devices, including the name, type, and device of the functional component.
- the functional component information synchronization module is used for synchronizing the functional component information of the machine to other devices, and at the same time receiving the functional component information synchronized from other devices.
- the instance management module is responsible for dynamically enabling the instance of the callee according to the information of the caller and providing services for the caller. For the specific policy of enabling the instance of the callee by the instance management module, reference may be made to the detailed description of S102-S104 in FIG. 3C.
- the instance management module is also used to manage the lifecycle of enabled individual instances, such as stopping, destroying, restarting instances, and so on.
- the calling relationship management module is responsible for maintaining the calling relationship composed of the caller and the callee instance that provides services for the caller, and stores it in the calling relationship library.
- the call relationship library is used to store the call relationship composed of the caller and the callee instance.
- the calling relationship includes: instance information of the callee, and information of each caller that invokes the instance. For the instance information and the caller information of the caller, reference may be made to the relevant description of S102 in FIG. 3C , which will not be repeated here.
- the call relationship library can also be used to store the correspondence between the callee's sandbox and the instances running in the sandbox.
- the information in the calling relationship library may not only be stored in the object device (ie, the electronic device 300 ), but also may be stored in the subject device (eg, the electronic device 100 ) where the caller is located.
- Table 1 exemplarily shows the information about the callee of the electronic device 300 and the related information of the callers stored in the call relationship library.
- the traditional application or functional component identified as "ID4" in the electronic device 300 is called by three callers.
- the electronic device 300 creates 2 instances, one instance serves the caller in the electronic device 100, and the other instance serves the two callers developed by the same developer in the electronic device 200 and the electronic device 400.
- the electronic device 300 creates 2 sandboxes, the sandbox 1 is used to run the callee 1 instance that provides services to the caller 1, and to store application data from the caller 1.
- Sandbox 2 is used to run Callee 1 instances that serve Caller 2 and Caller 3, and to store application data from Caller 2 and Caller 3.
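The call relationship library and the instance/sandbox allocation described above (one instance and sandbox for caller 1, a second shared by callers 2 and 3) as an added example; this is illustrative code, not the patent's. The grouping rule (callers from the same developer share one instance and one sandbox) is an assumption derived from the Table 1 description; the patent's actual policy is in S102-S104, which this page does not reproduce. Caller, device and developer names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Caller:
    caller_id: str
    device: str       # device where the caller runs (e.g. "device100")
    developer: str    # developer identity of the caller's application (assumed grouping key)


@dataclass
class CalleeInstance:
    instance_id: str
    sandbox_id: str                        # sandbox the instance runs in
    callers: list = field(default_factory=list)


class CallRelationshipLibrary:
    """Per-callee record of enabled instances, the callers each instance serves and the
    sandbox each instance runs in (the caller -> instance -> sandbox correspondence)."""

    def __init__(self, callee_id: str):
        self.callee_id = callee_id
        self.instances = {}                 # instance_id -> CalleeInstance
        self._instance_of_developer = {}    # developer -> instance_id
        self.sandbox_of_instance = {}       # instance_id -> sandbox_id
        self._next = 1

    def enable_instance(self, caller: Caller) -> CalleeInstance:
        """Instance management: reuse the instance already serving the caller's developer,
        otherwise create a new instance together with a new sandbox."""
        inst_id = self._instance_of_developer.get(caller.developer)
        if inst_id is None:
            n = self._next
            self._next += 1
            inst = CalleeInstance(f"{self.callee_id}-instance{n}", f"sandbox{n}")
            self.instances[inst.instance_id] = inst
            self.sandbox_of_instance[inst.instance_id] = inst.sandbox_id
            self._instance_of_developer[caller.developer] = inst.instance_id
            inst_id = inst.instance_id
        inst = self.instances[inst_id]
        if caller not in inst.callers:
            inst.callers.append(caller)
        return inst

    def sandbox_for(self, caller: Caller) -> Optional[str]:
        """Application data from a caller is stored only in the sandbox of its instance."""
        for inst in self.instances.values():
            if caller in inst.callers:
                return inst.sandbox_id
        return None

    def release(self, caller: Caller) -> bool:
        """Lifecycle: detach the caller; destroy the instance and its sandbox once no
        caller remains. Returns True when an instance was destroyed."""
        for inst in list(self.instances.values()):
            if caller in inst.callers:
                inst.callers.remove(caller)
                if not inst.callers:
                    del self.instances[inst.instance_id]
                    del self.sandbox_of_instance[inst.instance_id]
                    del self._instance_of_developer[caller.developer]
                    return True
        return False


def demo_table1() -> CallRelationshipLibrary:
    """Constructed scenario mirroring the Table 1 description: callee ID4 is called by
    three callers, and callers 2 and 3 come from the same developer."""
    lib = CallRelationshipLibrary("ID4")
    lib.enable_instance(Caller("caller1", "device100", "devA"))
    lib.enable_instance(Caller("caller2", "device200", "devB"))
    lib.enable_instance(Caller("caller3", "device400", "devB"))
    return lib
```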
- the access control module is used to manage the access request received by the electronic device 300 and decide whether to respond to the received access request.
- the access control module may decide whether to respond to the access request according to whether the caller 1 in the electronic device 100 has the right to access the first resource, the device security levels of the electronic device 100 and the electronic device 300, the security levels of the caller 1 and the callee 1, and the like.
- the access control module may include a local access control module and a DMS.
- the DMS is used to invoke the callee according to the permission information of the corresponding caller when the caller is in another device.
- the local access control module is used for invoking the callee according to the permission information of the corresponding caller when the caller in the electronic device 300 calls the callee.
- the application permission management module is used to manage permission information of local applications (including APP and functional components).
- the application rights management module may include a local rights management module for managing local application rights information, and a distributed rights management module for managing application rights information in other devices in the distributed system.
- the local rights management module is also used to listen for changes in the rights information of the local application.
- the local permissions of the application can be determined by the user or the application can update itself. For example, the user can open/close the camera, microphone, access to the photo album, etc., and the application can update the open permissions.
- the permission information base is used to store and maintain the permission information of the application.
- the rights information base may include a local rights information base for maintaining rights information of local applications, and a distributed rights information base for maintaining rights information of applications in other devices in the distributed system.
- the electronic device 300 may further include the following module: a file management service, which is responsible for managing the storage of application data. Specifically, it is used to dynamically create the callee's sandbox according to the caller's information, and provide the caller with application data storage services.
- the file management service is also used to manage the lifecycle of the callee's various sandboxes, such as creation, deletion, and so on.
- the electronic device 300 may further include the following module: an application runtime identity management module, configured to manage the runtime identity of each application in the electronic device 300 .
- the electronic device 300 may further include the following module: a device security level evaluation module for evaluating the device security level of the electronic device 300 .
- the application security level evaluation module is used to evaluate the security level of each application (including APP and functional components) in the electronic device 300 .
- the device security sensitivity evaluation module is used to evaluate the security sensitivity of the electronic device 300 .
- the electronic device 300 may further include the following modules: a device information management module for synchronizing device information of other devices in the distributed system, such as the security level and security sensitivity of the device and the security level of each application in the device.
- the device information base is used to store the device information of other devices in the distributed system.
- the electronic device 300 may further include the following modules:
- the authorization module is used to confirm whether the electronic device 300 has authorization conditions, or whether the electronic device 300 is currently suitable for authorization, or whether the object device can be authorized by the user in time.
- the authorization module may select the authorization device through the authorization decision module. An authorization request is sent to the authorization device, and an authorization result returned by the authorization device is received. When the authorization result indicates that the user is allowed to grant the permission required by the access request, the authorization module obtains the permission required by the access request.
- the authorization module can call the software and hardware resources of the electronic device 300 to provide an authorization method, so as to obtain the permission required by this access request as granted by the user.
- the authorization decision module is configured to select one electronic device in the distributed system as the authorization device according to the type of the electronic device 300 and the attributes of other electronic devices in the distributed system. In some embodiments, the authorization decision module may also be used to confirm the authorization method used by the authorization device.
- the device property management module is used for synchronizing the device properties of the electronic device 300 to other devices in the distributed system, and also for synchronizing the device properties of the other devices to the electronic device 300 .
- the device attribute library is used to store and maintain the device attributes of each device in the distributed system.
- modules in the electronic device 300 mentioned above may be located in the application layer, application framework layer, system service layer, kernel layer, etc. in the electronic device 300, which are not limited here.
- FIG. 11 exemplarily shows the software structure of the electronic device 100 for executing the access control method in the above-mentioned FIG. 3C and the solution in the above-mentioned optional embodiment.
- the electronic device 100 includes the following modules: an application information management module, an application startup management module, a functional component information management module, a functional component information synchronization module, a call relationship management module, a call relationship library, an application rights management module, and a rights information base.
- for the application information management module, application startup management module, functional component information management module, functional component information synchronization module, application rights management module, and rights information base, reference may be made to the foregoing descriptions about the electronic device 300 .
- the calling relationship management module is responsible for maintaining the calling relationship composed of the caller and the callee instance that provides services for the caller, and stores it in the calling relationship library.
- the call relationship library is used to store the call relationship composed of the caller and the callee instance.
- the calling relationship includes: instance information of the callee, and information of each caller that invokes the instance. For the instance information and the caller information of the caller, reference may be made to the relevant description of S102 in FIG. 3C , which will not be repeated here.
- Table 2 exemplarily shows the related information of the caller and the callee of the electronic device 100 stored in the call relationship library.
- the electronic device 300 and the electronic device 100 can share the same calling relationship ID, and the calling relationship ID can be assigned by the main device (i.e. the electronic device 100).
- the call relationship management module includes a call relationship mapping module, which acts as a virtual agent to internally shield the actual information of the callee such as the device it is in, and externally find the correct device to call the callee according to requirements. For the caller in the electronic device 100, it does not know the actual information of the callee, and the actual information of the callee can be obtained by calling the relationship mapping module, and the call can be initiated.
- the access control module is configured to manage the access request initiated by the electronic device 100 and decide whether to initiate the access request.
- the access control module may decide whether to initiate the access request according to whether the caller 1 in the electronic device 100 has the right to access the first resource, the device security levels of the electronic device 100 and the electronic device 300, the security levels of the caller 1 and the callee 1, and the like.
- the electronic device 100 may further include the following modules: an instance management module, a security domain management module, a security domain policy management module, a security policy library, and a group management module.
- the instance management module is used to create an instance of the caller when the caller starts, and is also used to create a new instance to run the UI code of the FA when the caller calls the FA.
- the instance management module is also used to manage the life cycle of the FA UI instance, such as start, stop, destroy, restart, etc.
- the security domain management module is used to allocate security context information to each instance so that the kernel can create a corresponding kernel security domain. After the FA UI instance is created, the module dynamically decides whether to create a new security domain according to the default mechanism.
- the security domain policy management module is used to provide the security policy of the security domain for the security domain of the kernel layer to be loaded and enabled.
- the security policy library is used to store the security policies of each security domain. For example, it may include allowing the UI instance of the FA to communicate with the logic code instance of the FA, and denying the UI instance of the FA to communicate with the caller process integrating the UI code.
- the group management module is used to add, modify, and delete instance group information for the UI instance of FA.
- the corresponding group ID information is given to the FA UI instance when it is created, and the group ID information of the FA UI instance is also updated synchronously when the caller's permissions are dynamically changed.
- the above access control module is used to control the access of the FA UI instance to the system sensitive resources. Specifically, the module performs instance-level permission management and control according to the permission information of the UI instance of the FA granted by the caller.
- the electronic device 100 may further include the following modules:
- the task management module is responsible for managing the tasks in the task domain of the caller and externally providing the task status corresponding to the caller.
- the task management module is also used to restore the task when the task in the task domain is abnormal.
- the recovery task reference may be made to the descriptions in the foregoing method embodiments.
- the task information base is used to store the task information associated with the caller, including the task domain ID, the calling relationship ID, the task status, the caller's APP ID, and the callee's APP ID.
- Table 3 exemplarily shows task domain information of the electronic device 100 stored in the task information base.
- the running state management module is used to manage the running state information of the caller and the callee, and synchronously change the running state of the callee instance according to the running state of the caller.
- the electronic device 100 may further include the following modules:
- the transfer permission application module is used to apply to the user for the permission required by the access request initiated by the caller 1 to the callee 1 in the electronic device 300 .
- the permission transfer module is used to transfer the permission applied by the caller 1 through the transfer permission application module to the callee 1 in the electronic device 300 .
- the routing proxy module is used to dynamically create a routing and revocation proxy object of a specified service according to an access request initiated by the electronic device 100, for example, creating a path from the caller 1 in the electronic device 100 to the callee 1 in the electronic device 300.
- the permission revocation module is responsible for revoking the permission passed by the caller in the electronic device 100 to other electronic devices (for example, the callee 1 in the electronic device 300 ).
- the electronic device 100 may further include: a synchronized device list, which is used to record or store a situation in which other devices obtain permission information of an application in the electronic device 100, for example, it may record that the electronic device 300 obtains the permission information of the caller 1 .
- the electronic device 100 may further include: an application runtime identity management module, configured to manage the runtime identity of each application in the electronic device 100 .
- the electronic device 100 may further include the following modules: a device security level assessment module, an application security level assessment module, and a device security sensitivity assessment module.
- the device security level evaluation module is used to evaluate the device security level of the electronic device 100 .
- the application security level evaluation module is used to evaluate the security level of each application (including APP and functional components) in the electronic device 100 .
- the device security sensitivity evaluation module is used to evaluate the device security sensitivity of the electronic device 100 .
- the electronic device 100 may further include the following modules: a device information management module and a device information library.
- the device information management module is used to synchronize the device information of other devices in the distributed system, such as the security level, security sensitivity of the device, and the security level of each application in the device.
- the device information base is used to store the device information of other devices in the distributed system.
- the electronic device 100 may further include the following modules:
- the device property management module is used for synchronizing the device properties of the electronic device 100 to other devices in the distributed system, and also for synchronizing the device properties of the other devices to the electronic device 100 .
- the device attribute library is used to store and maintain the device attributes of each device in the distributed system.
- modules in the electronic device 100 mentioned above may be located in the application layer, application framework layer, system service layer, kernel layer, etc. in the electronic device 100, which are not limited here.
- FIG. 10 and FIG. 11 are only schematic examples; the software structures of the electronic device 100 and the electronic device 300 provided in the embodiments of the present application may also take other forms, or may include more or fewer modules, which is not limited here.
- system applications and third-party applications can access various resources in the system after passing the permission check of the access control module.
- the resource scheduling management module of the system will perform scheduling management according to the state of the caller of the device and the type of the resource, so as to use the resource reasonably and meet the needs of the user. For example, when two callers request access to the camera at the same time, because the camera is an exclusive resource, it cannot provide shared services for the two callers at the same time. In a single-machine scenario, a caller will be decided to access the camera first.
- An embodiment of the present application provides a cross-device access control method, which is executed by the distributed system 10 shown in FIG. 1 in the distributed scenario shown in FIG. 2 .
- the object device determines the priority of each caller according to the running status of the multiple callers and the user information of the subject device and the object device, and responds to high-priority resource access requests first.
- resources can be reasonably scheduled to meet the access requirements of users, and when shared resources are insufficient, low-priority instances are released first to ensure the normal operation of the executing caller.
- this embodiment of the present application does not limit the types of resources in the object device accessed by the caller.
- the resources of the object device accessed by the caller can be exclusive resources, such as cameras, audio devices, etc., or shared resources, such as stored files or data, memory resources, and so on.
- the running state of the caller may include foreground running, background running, and the like.
- the user information of the subject device or the object device includes the user who is currently logged in to the device, and the like.
- the priority policy may include: a caller in the device where the accessed resource is located has a higher priority than callers in other devices; a foreground caller has a higher priority than a background caller; a caller in a device belonging to the same user as the device where the accessed resource is located has a higher priority than callers in other devices; and so on.
- the priority policy can be pre-stored in the object device, and can also be set or changed by the user, which is not limited here.
- FIG. 12A exemplarily shows a flowchart of a method for cross-device access control provided by an embodiment of the present application.
- the method may include the following steps:
- the electronic device 100 initiates an access request to the electronic device 300 , and the access request is used by the caller 1 to call the callee 1 and access the first resource in the electronic device 300 through the callee 1 .
- S901 may refer to S101 in FIG. 3C .
- the electronic device 300 determines whether to respond to the access request according to the priority policy.
- the priority policy can refer to the previous section.
- the electronic device 300 may determine the priority of the caller 1 and the priority of the caller currently accessing the resource corresponding to the access request in the electronic device 300 .
- the caller currently accessing the resource corresponding to the access request in the electronic device 300 may be a caller on other electronic devices, or may be a caller of the electronic device 300 itself.
- the electronic device 300 can select the caller with the highest priority and provide services for it, and temporarily refuse to provide services for other callers, so as to ensure that the caller with the highest priority can use the resource first.
- the electronic device 300 can prioritize the caller 1 and multiple callers currently accessing the resource, and the maximum service that the shared resource can provide Inside, the caller with high priority is served first, and the caller with low priority is terminated.
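The arbitration of S902, written out as an added example (not code from the patent): the three rules of the priority policy are encoded as a rank tuple, and the accessed device either serves the single top caller or the top `capacity` callers and terminates the rest. The `Caller` record, the ordering of the rules, the `capacity` limit and the device/user identifiers are assumptions made for the example.

```python
"""Priority arbitration for a shared resource on the accessed device.

Added example, not code from the patent. Implements the priority policy
described above (caller local to the resource's device first, then
foreground over background, then same user as the resource's device) and
the two ways of applying it: serve only the top caller, or serve the top
`capacity` callers and terminate the rest. The Caller record, the rule
ordering and the `capacity` limit are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Caller:
    name: str
    device: str       # id of the device the caller runs on (assumed format)
    user: str         # user currently logged in on that device
    foreground: bool  # running state: True = foreground, False = background


def priority(c: Caller, resource_device: str, resource_user: str) -> Tuple[int, int, int]:
    """Rank key for a caller. Tuples compare left to right, so the first
    element is the dominant rule; a higher tuple means a higher priority."""
    return (
        int(c.device == resource_device),  # caller on the device owning the resource
        int(c.foreground),                 # foreground beats background
        int(c.user == resource_user),      # same user as the resource's device
    )


def schedule(callers: List[Caller], resource_device: str, resource_user: str,
             capacity: int) -> Tuple[List[Caller], List[Caller]]:
    """Split callers into (served, terminated). `capacity` is the maximum
    number of callers the shared resource can serve at once (assumed).
    sorted() is stable, so callers of equal priority keep arrival order."""
    ranked = sorted(callers,
                    key=lambda c: priority(c, resource_device, resource_user),
                    reverse=True)
    return ranked[:capacity], ranked[capacity:]


def should_respond(new_caller: Caller, current: List[Caller], resource_device: str,
                   resource_user: str, capacity: int) -> bool:
    """Decision of S902: respond to the new access request only if the new
    caller is among those the resource will serve after ranking it together
    with the callers currently using the resource."""
    served, _ = schedule(current + [new_caller], resource_device, resource_user, capacity)
    return new_caller in served
```

With `capacity` set to 1 the function degenerates to the first variant (serve only the highest-priority caller); with a larger value it is the second variant, and the callers returned in the second list are the ones the device terminates.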
- the electronic device 300 runs the instance of the callee 1, and accesses the first resource in response to the access request received in S101.
- one electronic device among the multiple electronic devices (for example, the electronic device 100) may be referred to as the first device, and the caller in the first device may be referred to as the first caller.
- another electronic device (for example, the electronic device 200) may be referred to as the second device, and the caller in the second device may be referred to as the second caller.
- the accessed electronic device (for example, the electronic device 300) may be referred to as the third device, and the accessed resource in the third device may be referred to as the first resource.
- the access request sent by the first device to the third device may be referred to as the first access request, and the access request sent by the second device to the third device may be referred to as the second access request.
- FIG. 12B exemplarily shows the software structure of the electronic device 300 for executing the cross-device access control method provided by the embodiment of the present application.
- the software system of the electronic device 300 may adopt a layered architecture, an event-driven architecture, a microkernel architecture, a microservice architecture, or a cloud architecture, and the like.
- the software system of the electronic device 300 includes but is not limited to Linux or other operating systems.
- the layered architecture divides the software into several layers, and each layer has a clear role and division of labor.
- the layers communicate with each other through a software interface.
- from top to bottom may include: an application layer, an application framework layer, a system service layer, a kernel layer, and the like.
- the electronic device 300 may include: a device information management module, a device information library, an application state management module, an application state library, a call relationship management module, a call relationship library, a priority policy management module, a policy library, and a distributed resource scheduling module, wherein:
- the device information management module is used for synchronizing the user information of other devices in the distributed system, and also used for synchronizing the user information of the device to other devices in the distributed system.
- the device information base is used to store user information of other devices in the distributed system.
- the application state management module is used for synchronizing the state information of each application in other devices in the distributed system, and also used for synchronizing the state information of each application in the device to other devices in the distributed system.
- the application state library is used to store the state information of each application in other devices in the distributed system.
- the priority policy management module is used to manage the policy of setting priorities for each caller in the electronic device 300 .
- the priority policy for details of the priority policy, reference may be made to the foregoing related description.
- the policy library is used to store priority policies in the electronic device 300 .
- the distributed resource scheduling module is used to determine, according to the priority policy and based on the application state information, the user information of the devices, and so on, the priority of the caller 1 and the priority of the callers currently accessing the resource corresponding to the access request in the electronic device 300, and to decide how to schedule the resource.
- modules in the electronic device 300 mentioned above may be located in the application layer, application framework layer, system service layer, kernel layer, etc. in the electronic device 300, which are not limited here.
- FIG. 12B is only a schematic example, and the software structure of the electronic device 300 provided in this embodiment of the present application may also adopt other forms, or may include more or less modules, which is not limited here.
- various types of smart devices equipped with different OS platforms form a logical "hyperterminal". From the perspective of the application in the device, the application can transparently use the resources provided by other devices and cannot perceive changes in the underlying platform. For example, the instant messaging APP in the mobile phone can use the camera of the smart screen to make a video call.
- the distributed system shields the underlying details of the cross-device from the application layer, and only provides the upper-layer application with an interface for obtaining video streams. From the user's point of view, functional components installed in one device can be seamlessly migrated to other devices to run, eliminating the need for installation and startup processes. For example, when the instant messaging APP of the above mobile phone accesses the camera of the smart screen, permission verification will be performed.
- the embodiment of the present application provides a cross-platform access control method, and the method is applied to the distributed system 10 shown in FIG. 1 and the distributed scenario shown in FIG. 2 .
- in a distributed system composed of multiple heterogeneous OS devices, the application's identity information, context information, and corresponding permission information are migrated to the peer device.
- FIG. 13A exemplarily shows a flowchart of a cross-platform access control method provided by an embodiment of the present application.
- the method may include the following steps:
- the electronic device 100 initiates an access request to the electronic device 300, where the access request is used by the caller 1 to call the callee 1 and access the first resource in the electronic device 300 through the callee 1.
- the electronic device 100 sends the access request and the identity information of the caller 1, such as the UID, to the electronic device 300.
- the electronic device 100 may further determine whether it has the right to initiate the access request according to the permission granted by the user. When authorized, the electronic device 100 executes S1002.
- the electronic device 300 maps the identity of the caller 1 in the electronic device 100 to the local application identity, and obtains the permission information and context information of the caller 1 according to the local application identity of the caller 1 .
- the electronic device 300 may synchronize the information in the electronic device 100, and the information may include one or more of the following information: identity information of each installed application For example, UID, permission information obtained by each application, context information of each application such as foreground and background status, and so on.
- the electronic device 300 can check whether the synchronized information of the electronic device 100 contains the permission information required by the access request, and if not, the electronic device 100 can also be triggered to obtain the permission. After the electronic device 100 obtains the permission, it can be transferred to the electronic device 300.
- the information will be stored in a form accessible by the OS of the electronic device 300 . Due to the different forms of information stored in different OSs, devices of other OSs cannot directly access the information.
- the electronic device 300 maps the identity of the caller 1 in the electronic device 100 to the local application identity, which is equivalent to a translation process: it translates the access request from the electronic device 100 into a form that the OS of the electronic device 300 can understand, and then decides whether to respond to the access request.
- the electronic device 300 can obtain the permission information and context information of the caller 1 from the stored information of the electronic device 100 according to the local identity information of the caller 1 in the electronic device 300. Specifically, in order to distinguish applications installed on the electronic device 300 from applications mapped from other devices, the electronic device 300 can allocate identity information to its own installed applications from a first interval (for example, 10000-19999) and allocate identity information to the mapped applications of other devices from a second interval (for example, 100000-199990), so that local applications and applications of other devices are easy to tell apart.
- the electronic device 300 determines whether to respond to the access request according to the permission information and context information of the caller 1 .
- the electronic device 300 may perform a permission check on the access request, and if the permission check passes, it may respond to the access request.
- the electronic device 300 may also determine whether to respond to the access request according to the context information of the caller 1 .
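The identity mapping of S1002 and the check of S1003, as an added example in the role of the electronic device 300 (not the patent's own code). The two UID intervals are the ones given above; the synchronized record layout, the permission names, the way a peer device is identified and the `IdentityMapper` API are assumptions made for the example. The point worth seeing in code is that the caller's UID on the source device is never used as a local identity: it is looked up by (source device, remote UID) and translated to a UID in the second interval, so a remote UID that happens to equal a local UID cannot be confused with the local application, and a request from a device that never synchronized is refused rather than checked against the wrong record.

```python
"""Identity mapping and permission check on the accessed device
(the role of electronic device 300 in S1002-S1003).

Added example, not the patent's own code. The UID intervals come from the
text; the record layout, permission names, device identifiers and the
IdentityMapper API are assumptions made for the example.
"""
from typing import Dict, Optional, Set, Tuple

LOCAL_UIDS = range(10000, 20000)       # first interval: apps installed on this device
MAPPED_UIDS = range(100000, 199991)    # second interval: apps mapped from other devices


class IdentityMapper:
    """Maps (source device, remote UID) to a local UID and keeps the
    synchronized permission and context information for that local UID."""

    def __init__(self) -> None:
        self._by_remote: Dict[Tuple[str, int], int] = {}
        self._records: Dict[int, dict] = {}
        self._next_uid = MAPPED_UIDS.start

    def synchronize(self, device_id: str, remote_uid: int,
                    permissions: Set[str], foreground: bool) -> int:
        """Store the synchronized info of one application of a peer device and
        return its local UID, allocating one from the second interval on first
        sight. Re-synchronizing updates the record but keeps the UID stable."""
        key = (device_id, remote_uid)
        if key not in self._by_remote:
            if self._next_uid not in MAPPED_UIDS:
                raise RuntimeError("second UID interval exhausted")
            self._by_remote[key] = self._next_uid
            self._next_uid += 1
        local_uid = self._by_remote[key]
        self._records[local_uid] = {"permissions": set(permissions),
                                    "foreground": foreground}
        return local_uid

    def map_identity(self, device_id: str, remote_uid: int) -> Optional[int]:
        """S1002: translate a remote identity to the local one. None means the
        source device never synchronized this application."""
        return self._by_remote.get((device_id, remote_uid))

    def record(self, local_uid: int) -> Optional[dict]:
        return self._records.get(local_uid)


def is_mapped_app(local_uid: int) -> bool:
    """True for a UID in the second interval, i.e. an app of another device."""
    return local_uid in MAPPED_UIDS


def check_access(mapper: IdentityMapper, device_id: str, remote_uid: int,
                 required_permission: str,
                 require_foreground: bool = True) -> Tuple[bool, str]:
    """S1003: decide whether to respond to an access request from a peer
    device using the mapped caller's permission and context information.
    Returns (allowed, reason). A missing permission is reported separately so
    the source device can be triggered to obtain it and re-synchronize."""
    local_uid = mapper.map_identity(device_id, remote_uid)
    if local_uid is None:
        return False, "unknown caller: identity not synchronized"
    info = mapper.record(local_uid)
    if required_permission not in info["permissions"]:
        return False, "permission missing: trigger source device to request it"
    if require_foreground and not info["foreground"]:
        return False, "caller is in background"
    return True, "ok"
```

The `require_foreground` flag stands in for the context check of the step above; whether a background caller may use a given resource is a policy decision the page leaves open, so the example makes it a parameter.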
- the electronic device 100 may be referred to as the first device, the caller 1 may be referred to as the first caller, and the electronic device 300 may be referred to as the second device.
- the operating system of the electronic device 100 may be referred to as a first operating system, and the operating system of the electronic device 300 may be referred to as a second operating system.
- FIG. 13B exemplarily shows the software structure of the electronic device 300 for executing the cross-platform access control method provided by the embodiment of the present application.
- the software system of the electronic device 300 may adopt a layered architecture, an event-driven architecture, a microkernel architecture, a microservice architecture, or a cloud architecture, or the like.
- the software system of the electronic device 300 includes but is not limited to Linux or other operating systems.
- the layered architecture divides the software into several layers, and each layer has a clear role and division of labor. Layers communicate with each other through software interfaces.
- the electronic device 300 may include, from top to bottom, an application layer and an application framework layer. Not limited to this, in some other embodiments, the software system of the electronic device 300 may further include a kernel layer, a system service layer, and the like.
- the electronic device 300 may include: an application management module, an access control module, and an application information management module, wherein:
- the application management module includes: a local application management module and a cross-device application management module.
- the local application management module is used to manage the application of the local device. When the application that initiates access control is a local application, the local access control module is selected for access control.
- the cross-device application management module is used to manage the applications mapped from the main device. When the application that initiates access control is an application mapped from other devices, the cross-device access control module is selected for access control.
- the access control module includes: a local access control module and a cross-device access control module.
- the local access control module is used to authenticate the access request initiated by the local device.
- the cross-device access control module is used to authenticate access requests initiated by other devices.
- the application information management module includes: an application identity mapping module, an application context information management module, an application authority mapping management module, and an information synchronization module.
- the application identity mapping module is used to map application identities in other devices to local application identities.
- the application context information management module is used to manage the context information of each application (including the local application and the mapped application).
- the application permission mapping management module is used to map the permissions of applications in other devices to local permissions.
- the information synchronization module is used to synchronize application information of other devices, such as application identity, context information and permission information, to the electronic device 300.
- modules in the electronic device 300 mentioned above may be located in the application layer, application framework layer, system service layer, kernel layer, etc. in the electronic device 300, which are not limited here.
- FIG. 13B is only a schematic example, and the software structure of the electronic device 300 provided in this embodiment of the present application may also adopt other forms, or may include more or less modules, which is not limited here.
- FIG. 14 shows a schematic structural diagram of an electronic device provided by an embodiment of the present application.
- the electronic device shown in FIG. 14 may be any electronic device in the distributed system 10 shown in FIG. 1 , or may be the electronic device 100 or the electronic device 300 in the foregoing embodiments, which is not limited here.
- the electronic device may include a processor 110 , an external memory interface 120 , an internal memory 121 , a universal serial bus (USB) interface 130 , a charging management module 140 , a power management module 141 , and a battery 142 , Antenna 1, Antenna 2, Mobile Communication Module 150, Wireless Communication Module 160, Audio Module 170, Speaker 170A, Receiver 170B, Microphone 170C, Headphone Interface 170D, Sensor Module 180, Key 190, Motor 191, Indicator 192, Camera 193 , a display screen 194, and a subscriber identification module (subscriber identification module, SIM) card interface 195 and the like.
- the sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity light sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, a bone conduction sensor 180M, etc.
- the structures illustrated in the embodiments of the present application do not constitute a specific limitation on the electronic device.
- the electronic device may include more or less components than shown, or combine some components, or separate some components, or arrange different components.
- the illustrated components may be implemented in hardware, software, or a combination of software and hardware.
- the processor 110 may include one or more processing units, for example, the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processor (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), controller, video codec, digital signal processor (digital signal processor, DSP), baseband processor, and/or neural-network processing unit (neural-network processing unit, NPU), etc. Wherein, different processing units may be independent devices, or may be integrated in one or more processors.
- the controller can generate an operation control signal according to the instruction operation code and timing signal, and complete the control of fetching and executing instructions.
- a memory may also be provided in the processor 110 for storing instructions and data.
- the memory in processor 110 is cache memory. This memory may hold instructions or data that have just been used or recycled by the processor 110 . If the processor 110 needs to use the instruction or data again, it can be called directly from the memory. Repeated accesses are avoided and the latency of the processor 110 is reduced, thereby increasing the efficiency of the system.
- the processor 110 may include one or more interfaces.
- the interface may include an inter-integrated circuit (I2C) interface, an inter-integrated circuit sound (I2S) interface, a pulse code modulation (PCM) interface, a universal asynchronous receiver/transmitter (UART) interface, a mobile industry processor interface (MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (SIM) interface, and/or a universal serial bus (USB) interface, etc.
- the I2C interface is a bidirectional synchronous serial bus that includes a serial data line (SDA) and a serial clock line (SCL).
- the processor 110 may contain multiple sets of I2C buses.
- the processor 110 can be respectively coupled to the touch sensor 180K, the charger, the flash, the camera 193 and the like through different I2C bus interfaces.
- the processor 110 may couple the touch sensor 180K through the I2C interface, so that the processor 110 and the touch sensor 180K communicate with each other through the I2C bus interface, so as to realize the touch function of the electronic device.
- the I2S interface can be used for audio communication.
- the processor 110 may contain multiple sets of I2S buses.
- the processor 110 may be coupled with the audio module 170 through an I2S bus to implement communication between the processor 110 and the audio module 170 .
- the audio module 170 can transmit audio signals to the wireless communication module 160 through the I2S interface, so as to realize the function of answering calls through a Bluetooth headset.
- the PCM interface can also be used for audio communications, sampling, quantizing and encoding analog signals.
- the audio module 170 and the wireless communication module 160 may be coupled through a PCM bus interface.
- the audio module 170 can also transmit audio signals to the wireless communication module 160 through the PCM interface, so as to realize the function of answering calls through the Bluetooth headset. Both the I2S interface and the PCM interface can be used for audio communication.
- the UART interface is a universal serial data bus used for asynchronous communication.
- the bus may be a bidirectional communication bus. It converts the data to be transmitted between serial communication and parallel communication.
- a UART interface is typically used to connect the processor 110 with the wireless communication module 160 .
- the processor 110 communicates with the Bluetooth module in the wireless communication module 160 through the UART interface to implement the Bluetooth function.
- the audio module 170 can transmit audio signals to the wireless communication module 160 through the UART interface, so as to realize the function of playing music through the Bluetooth headset.
- the MIPI interface can be used to connect the processor 110 with peripheral devices such as the display screen 194 and the camera 193 .
- MIPI interfaces include camera serial interface (CSI), display serial interface (DSI), etc.
- the processor 110 communicates with the camera 193 through a CSI interface to implement the photographing function of the electronic device.
- the processor 110 communicates with the display screen 194 through the DSI interface to implement the display function of the electronic device.
- the GPIO interface can be configured by software.
- the GPIO interface can be configured as a control signal or as a data signal.
- the GPIO interface may be used to connect the processor 110 with the camera 193, the display screen 194, the wireless communication module 160, the audio module 170, the sensor module 180, and the like.
- the GPIO interface can also be configured as I2C interface, I2S interface, UART interface, MIPI interface, etc.
- the USB interface 130 is an interface that conforms to the USB standard specification, and can specifically be a Mini USB interface, a Micro USB interface, a USB Type C interface, and the like.
- the USB interface 130 can be used to connect a charger to charge the electronic device, and can also be used to transmit data between the electronic device and peripheral devices. It can also be used to connect headphones to play audio through the headphones.
- the interface can also be used to connect other electronic devices, such as AR devices.
- the interface connection relationship between the modules illustrated in the embodiments of the present application is only a schematic illustration, and does not constitute a structural limitation of the electronic device.
- the electronic device may also adopt different interface connection manners in the foregoing embodiments, or a combination of multiple interface connection manners.
- the charging management module 140 is used to receive charging input from the charger.
- the charger may be a wireless charger or a wired charger.
- the charging management module 140 may receive charging input from the wired charger through the USB interface 130 .
- the charging management module 140 may receive wireless charging input through a wireless charging coil of the electronic device. While the charging management module 140 charges the battery 142 , it can also supply power to the electronic device through the power management module 141 .
- the power management module 141 is used for connecting the battery 142 , the charging management module 140 and the processor 110 .
- the power management module 141 receives input from the battery 142 and/or the charging management module 140, and supplies power to the processor 110, the internal memory 121, the display screen 194, the camera 193, and the wireless communication module 160.
- the power management module 141 can also be used to monitor parameters such as battery capacity, battery cycle times, battery health status (leakage, impedance).
- the power management module 141 may also be provided in the processor 110 .
- the power management module 141 and the charging management module 140 may also be provided in the same device.
- the wireless communication function of the electronic device can be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, the modulation and demodulation processor, the baseband processor, and the like.
- Antenna 1 and Antenna 2 are used to transmit and receive electromagnetic wave signals.
- Each antenna in an electronic device can be used to cover a single or multiple communication frequency bands. Different antennas can also be reused to improve antenna utilization.
- the antenna 1 can be multiplexed as a diversity antenna of the wireless local area network. In other embodiments, the antenna may be used in conjunction with a tuning switch.
- the mobile communication module 150 can provide a wireless communication solution including 2G/3G/4G/5G etc. applied on the electronic device.
- the mobile communication module 150 may include at least one filter, switch, power amplifier, low noise amplifier (LNA) and the like.
- the mobile communication module 150 can receive electromagnetic waves from the antenna 1, filter and amplify the received electromagnetic waves, and transmit them to the modulation and demodulation processor for demodulation.
- the mobile communication module 150 can also amplify the signal modulated by the modulation and demodulation processor, and then turn it into an electromagnetic wave for radiation through the antenna 1 .
- at least part of the functional modules of the mobile communication module 150 may be provided in the processor 110 .
- at least part of the functional modules of the mobile communication module 150 may be provided in the same device as at least part of the modules of the processor 110 .
- the modem processor may include a modulator and a demodulator.
- the modulator is used to modulate the low frequency baseband signal to be sent into a medium and high frequency signal.
- the demodulator is used to demodulate the received electromagnetic wave signal into a low frequency baseband signal. Then the demodulator transmits the demodulated low-frequency baseband signal to the baseband processor for processing.
- the low frequency baseband signal is processed by the baseband processor and passed to the application processor.
- the application processor outputs sound signals through audio devices (not limited to the speaker 170A, the receiver 170B, etc.), or displays images or videos through the display screen 194 .
- the modem processor may be a stand-alone device.
- the modem processor may be independent of the processor 110, and may be provided in the same device as the mobile communication module 150 or other functional modules.
- the wireless communication module 160 can provide applications on electronic devices including wireless local area networks (WLAN) (such as wireless fidelity (Wi-Fi) networks), bluetooth (BT), global navigation satellite system (global navigation satellite system, GNSS), frequency modulation (frequency modulation, FM), near field communication technology (near field communication, NFC), infrared technology (infrared, IR) and other wireless communication solutions.
- the wireless communication module 160 may be one or more devices integrating at least one communication processing module.
- the wireless communication module 160 receives the electromagnetic wave via the antenna 2, demodulates and filters the electromagnetic wave signal, and sends the processed signal to the processor 110.
- the wireless communication module 160 can also receive the signal to be sent from the processor 110, perform frequency modulation on it, amplify it, and convert it into electromagnetic waves for radiation through the antenna 2.
- the antenna 1 of the electronic device is coupled with the mobile communication module 150, and the antenna 2 is coupled with the wireless communication module 160, so that the electronic device can communicate with the network and other devices through wireless communication technology.
- the wireless communication technology may include global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), broadband Code Division Multiple Access (WCDMA), Time Division Code Division Multiple Access (TD-SCDMA), Long Term Evolution (LTE), BT, GNSS, WLAN, NFC , FM, and/or IR technology, etc.
- the GNSS may include global positioning system (global positioning system, GPS), global navigation satellite system (global navigation satellite system, GLONASS), Beidou navigation satellite system (beidou navigation satellite system, BDS), quasi-zenith satellite system (quasi -zenith satellite system, QZSS) and/or satellite based augmentation systems (SBAS).
- the electronic device realizes the display function through the GPU, the display screen 194, and the application processor.
- the GPU is a microprocessor for image processing, and is connected to the display screen 194 and the application processor.
- the GPU is used to perform mathematical and geometric calculations for graphics rendering.
- Processor 110 may include one or more GPUs that execute program instructions to generate or alter display information.
- Display screen 194 is used to display images, videos, and the like.
- Display screen 194 includes a display panel.
- the display panel can be a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED), a flexible light-emitting diode (FLED), Mini LED, Micro LED, Micro OLED, a quantum dot light-emitting diode (QLED), and so on.
- the electronic device may include 1 or N display screens 194 , where N is a positive integer greater than 1.
- the electronic device can realize the shooting function through the ISP, the camera 193, the video codec, the GPU, the display screen 194 and the application processor.
- the ISP is used to process the data fed back by the camera 193 .
- the shutter is opened, the light is transmitted to the camera photosensitive element through the lens, the light signal is converted into an electrical signal, and the camera photosensitive element transmits the electrical signal to the ISP for processing, and converts it into an image visible to the naked eye.
- ISP can also perform algorithm optimization on image noise, brightness, and skin tone.
- ISP can also optimize the exposure, color temperature and other parameters of the shooting scene.
- the ISP may be provided in the camera 193 .
- Camera 193 is used to capture still images or video.
- the object is projected through the lens to generate an optical image onto the photosensitive element.
- the photosensitive element may be a charge coupled device (CCD) or a complementary metal-oxide-semiconductor (CMOS) phototransistor.
- the photosensitive element converts the optical signal into an electrical signal, and then transmits the electrical signal to the ISP to convert it into a digital image signal.
- the ISP outputs the digital image signal to the DSP for processing.
- DSP converts digital image signals into standard RGB, YUV and other formats of image signals.
- the electronic device may include 1 or N cameras 193 , where N is a positive integer greater than 1.
- a digital signal processor is used to process digital signals, in addition to processing digital image signals, it can also process other digital signals. For example, when the electronic device selects the frequency point, the digital signal processor is used to perform Fourier transform on the frequency point energy, etc.
- Video codecs are used to compress or decompress digital video.
- An electronic device may support one or more video codecs.
- The electronic device can play or record videos in various encoding formats, such as moving picture experts group (MPEG) 1, MPEG2, MPEG3, MPEG4, and so on.
- The NPU is a neural-network (NN) computing processor.
- Through the NPU, intelligent cognition applications of the electronic device, such as image recognition, face recognition, speech recognition, and text understanding, can be realized.
- The internal memory 121 may include one or more random access memories (RAM) and one or more non-volatile memories (NVM).
- Random access memory can include static random-access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM; for example, fifth-generation DDR SDRAM is generally referred to as DDR5 SDRAM), etc.; non-volatile memory can include disk storage devices and flash memory.
- Flash memory can be divided into NOR FLASH, NAND FLASH, 3D NAND FLASH, etc. according to the operating principle; can include single-level cell (SLC), multi-level cell (MLC), triple-level cell (TLC), quad-level cell (QLC), etc. according to the potential level of the storage cell; and can include universal flash storage (UFS), embedded multimedia memory card (eMMC), etc. according to the storage specification.
- The random access memory can be directly read and written by the processor 110, can be used to store executable programs (e.g., machine instructions) of an operating system or other running programs, and can also be used to store data of users and application programs.
- the non-volatile memory can also store executable programs and store data of user and application programs, etc., and can be loaded into the random access memory in advance for the processor 110 to directly read and write.
- the external memory interface 120 can be used to connect an external non-volatile memory to expand the storage capacity of the electronic device.
- the external non-volatile memory communicates with the processor 110 through the external memory interface 120 to realize the data storage function. For example, save music, video, etc. files in external non-volatile memory.
- the electronic device can implement audio functions through the audio module 170, the speaker 170A, the receiver 170B, the microphone 170C, the headphone jack 170D, and the application processor. Such as music playback, recording, etc.
- the audio module 170 is used for converting digital audio information into analog audio signal output, and also for converting analog audio input into digital audio signal. Audio module 170 may also be used to encode and decode audio signals. In some embodiments, the audio module 170 may be provided in the processor 110 , or some functional modules of the audio module 170 may be provided in the processor 110 .
- The speaker 170A, also referred to as a "loudspeaker", is used to convert audio electrical signals into sound signals.
- the electronic device can listen to music through the speaker 170A, or listen to a hands-free call.
- The receiver 170B, also referred to as an "earpiece", is used to convert audio electrical signals into sound signals.
- the voice can be received by placing the receiver 170B close to the human ear.
- The microphone 170C, also called a "mike" or "mic", is used to convert sound signals into electrical signals.
- the user can make a sound by approaching the microphone 170C through a human mouth, and input the sound signal into the microphone 170C.
- the electronic device may be provided with at least one microphone 170C.
- the electronic device may be provided with two microphones 170C, which can implement a noise reduction function in addition to collecting sound signals.
- the electronic device may further be provided with three, four or more microphones 170C to collect sound signals, reduce noise, identify sound sources, and implement directional recording functions.
- the earphone jack 170D is used to connect wired earphones.
- The earphone jack 170D may be the USB interface 130, or may be a 3.5 mm open mobile terminal platform (OMTP) standard interface or a cellular telecommunications industry association of the USA (CTIA) standard interface.
- the pressure sensor 180A is used to sense pressure signals, and can convert the pressure signals into electrical signals.
- the pressure sensor 180A may be provided on the display screen 194 .
- the capacitive pressure sensor may be comprised of at least two parallel plates of conductive material. When a force is applied to the pressure sensor 180A, the capacitance between the electrodes changes. The electronic device determines the intensity of the pressure based on the change in capacitance. When a touch operation acts on the display screen 194, the electronic device detects the intensity of the touch operation according to the pressure sensor 180A. The electronic device can also calculate the touched position according to the detection signal of the pressure sensor 180A.
- touch operations acting on the same touch position but with different touch operation intensities may correspond to different operation instructions. For example, when a touch operation whose intensity is less than the first pressure threshold acts on the short message application icon, the instruction for viewing the short message is executed. When a touch operation with a touch operation intensity greater than or equal to the first pressure threshold acts on the short message application icon, the instruction to create a new short message is executed.
- the gyro sensor 180B can be used to determine the motion attitude of the electronic device. In some embodiments, the angular velocity of the electronic device about three axes (ie, the x, y, and z axes) may be determined by the gyro sensor 180B.
- the gyro sensor 180B can be used for image stabilization. Exemplarily, when the shutter is pressed, the gyro sensor 180B detects the shaking angle of the electronic device, calculates the distance to be compensated by the lens module according to the angle, and allows the lens to counteract the shaking of the electronic device through reverse motion to achieve anti-shake.
- the gyro sensor 180B can also be used for navigation and somatosensory game scenarios.
- the air pressure sensor 180C is used to measure air pressure.
- the electronic device calculates the altitude from the air pressure value measured by the air pressure sensor 180C to assist in positioning and navigation.
- the magnetic sensor 180D includes a Hall sensor.
- the electronic device can use the magnetic sensor 180D to detect the opening and closing of the flip holster.
- the electronic device can detect the opening and closing of the flip according to the magnetic sensor 180D. Further, according to the detected opening and closing state of the leather case or the opening and closing state of the flip cover, characteristics such as automatic unlocking of the flip cover are set.
- the acceleration sensor 180E can detect the magnitude of the acceleration of the electronic device in various directions (generally three axes).
- the magnitude and direction of gravity can be detected when the electronic device is stationary. It can also be used to identify the posture of electronic devices, and can be used in applications such as horizontal and vertical screen switching, pedometers, etc.
- The distance sensor 180F is used to measure distance.
- Electronic devices can measure distances by infrared or laser. In some embodiments, when shooting a scene, the electronic device can use the distance sensor 180F to measure the distance to achieve fast focusing.
- Proximity light sensor 180G may include, for example, light emitting diodes (LEDs) and light detectors, such as photodiodes.
- the light emitting diodes may be infrared light emitting diodes.
- Electronic devices emit infrared light outward through light-emitting diodes.
- Electronic devices use photodiodes to detect reflected infrared light from nearby objects. When sufficient reflected light is detected, it can be determined that there is an object in the vicinity of the electronic device. When insufficient reflected light is detected, the electronic device can determine that there is no object in the vicinity of the electronic device.
- the electronic device can use the proximity light sensor 180G to detect that the user holds the electronic device close to the ear to talk, so as to automatically turn off the screen to save power.
- The proximity light sensor 180G can also be used in holster mode and pocket mode to automatically unlock and lock the screen.
- the ambient light sensor 180L is used to sense ambient light brightness.
- the electronic device can adaptively adjust the brightness of the display screen 194 according to the perceived ambient light brightness.
- the ambient light sensor 180L can also be used to automatically adjust the white balance when taking pictures.
- the ambient light sensor 180L can also cooperate with the proximity light sensor 180G to detect whether the electronic device is in the pocket to prevent accidental touch.
- The fingerprint sensor 180H is used to collect fingerprints. The electronic device can use the collected fingerprint characteristics to implement fingerprint unlocking, access application locks, take photos with a fingerprint, answer incoming calls with a fingerprint, and so on.
- the temperature sensor 180J is used to detect the temperature.
- the electronic device utilizes the temperature detected by the temperature sensor 180J to implement a temperature handling strategy. For example, when the temperature reported by the temperature sensor 180J exceeds a threshold value, the electronic device may reduce the performance of the processor located near the temperature sensor 180J in order to reduce power consumption and implement thermal protection.
- When the temperature is lower than another threshold, the electronic device heats the battery 142 to avoid an abnormal shutdown of the electronic device caused by the low temperature.
- the electronic device boosts the output voltage of the battery 142 to avoid abnormal shutdown caused by low temperature.
- The touch sensor 180K is also called a "touch device".
- the touch sensor 180K may be disposed on the display screen 194 , and the touch sensor 180K and the display screen 194 form a touch screen, also called a “touch screen”.
- the touch sensor 180K is used to detect a touch operation on or near it.
- the touch sensor can pass the detected touch operation to the application processor to determine the type of touch event.
- Visual output related to touch operations may be provided through display screen 194 .
- the touch sensor 180K may also be disposed on the surface of the electronic device, which is different from the location where the display screen 194 is located.
- the bone conduction sensor 180M can acquire vibration signals.
- the bone conduction sensor 180M can acquire the vibration signal of the vibrating bone mass of the human voice.
- the bone conduction sensor 180M can also contact the pulse of the human body and receive the blood pressure beating signal.
- the bone conduction sensor 180M can also be disposed in the earphone, combined with the bone conduction earphone.
- the audio module 170 can analyze the voice signal based on the vibration signal of the vocal vibration bone block obtained by the bone conduction sensor 180M, so as to realize the voice function.
- the application processor can analyze the heart rate information based on the blood pressure beat signal obtained by the bone conduction sensor 180M, and realize the function of heart rate detection.
- the keys 190 include a power-on key, a volume key, and the like. Keys 190 may be mechanical keys. It can also be a touch key.
- the electronic device may receive key input and generate key signal input related to user settings and function control of the electronic device.
- Motor 191 can generate vibrating cues.
- the motor 191 can be used for vibrating alerts for incoming calls, and can also be used for touch vibration feedback.
- touch operations acting on different applications can correspond to different vibration feedback effects.
- the motor 191 can also correspond to different vibration feedback effects for touch operations on different areas of the display screen 194 .
- Different application scenarios (for example, time reminders, receiving messages, alarm clocks, games, etc.) can also correspond to different vibration feedback effects.
- the touch vibration feedback effect can also support customization.
- the indicator 192 can be an indicator light, which can be used to indicate the charging state, the change of the power, and can also be used to indicate a message, a missed call, a notification, and the like.
- the SIM card interface 195 is used to connect a SIM card.
- the SIM card can be inserted into the SIM card interface 195 or pulled out from the SIM card interface 195 to achieve contact and separation with the electronic device.
- the electronic device can support 1 or N SIM card interfaces, where N is a positive integer greater than 1.
- the SIM card interface 195 can support Nano SIM card, Micro SIM card, SIM card and so on. Multiple cards can be inserted into the same SIM card interface 195 at the same time. The types of the plurality of cards may be the same or different.
- the SIM card interface 195 can also be compatible with different types of SIM cards.
- the SIM card interface 195 is also compatible with external memory cards.
- the electronic device interacts with the network through the SIM card to realize functions such as call and data communication.
- the electronic device employs an eSIM, ie: an embedded SIM card.
- the eSIM card can be embedded in the electronic device and cannot be separated from the electronic device.
- The above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions.
- the computer program instructions when loaded and executed on a computer, result in whole or in part of the processes or functions described herein.
- the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
- The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line) or wirelessly (e.g., infrared, radio, microwave, etc.).
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes an integration of one or more available media.
- the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVDs), or semiconductor media (eg, solid state disks (SSDs)), and the like.
- the process can be completed by instructing the relevant hardware by a computer program, and the program can be stored in a computer-readable storage medium.
- When the program is executed, the processes of the foregoing method embodiments may be included.
- The aforementioned storage medium includes ROM, random access memory (RAM), magnetic disks, optical disks, and other media that can store program code.
Abstract
This application provides an access control method, related apparatus and system. In the method, the same callee can start multiple instances and serve different callers through different instances. Because instances are naturally isolated from one another, different instances cannot access each other's memory data, which provides a system-level memory-data security mechanism, avoids abuse and leakage of each caller's memory data, and guarantees data security.
Description
This application claims priority to Chinese patent application No. 202110280096.1, filed with the Chinese Patent Office on March 16, 2021 and entitled "Distributed Access Control Method, Related Apparatus and System", and to Chinese patent application No. 202210213077.1, filed with the Chinese Patent Office on March 4, 2022 and entitled "Distributed Access Control Method, Related Apparatus and System", the entire contents of which are incorporated herein by reference.
This application relates to the field of computer and communication technologies, and in particular to a distributed access control method, related apparatus and system.
With the development of smart terminals, the types and number of devices in users' lives keep increasing. A fully connected scenario in which devices interconnect with one another is gradually being realized. In a fully connected scenario, devices sharing resources with each other, such as computing, storage and network resources, will become a future trend.
How to ensure that devices can share resources securely, that device resources are fully and reasonably utilized, and that users are provided with a secure and effective fully connected scenario is a new challenge.
Summary of the Invention
This application provides a distributed access control method, related apparatus and system, which can ensure that devices share resources securely and that device resources are fully and reasonably utilized.
In a first aspect, this application provides an access control method applied to a communication system comprising a first device, a second device and a third device. A first caller is installed on the first device, a second caller on the second device, and a callee on the third device. The first caller, the second caller and the callee are each an application (APP) or a function component; an APP is a program entity that implements multiple functions, and a function component is a program entity that implements a single function.
The method of the first aspect includes: the first device sends a first access request to the third device, the first access request being used by the first caller to call the callee to access a first resource on the third device; the second device sends a second access request to the third device, the second access request being used by the second caller to call the callee to access a second resource on the third device; in response to the first access request, the third device creates a first instance of the callee, runs the first instance and accesses the first resource; in response to the second access request, the third device creates a second instance of the callee, runs the second instance and accesses the second resource, where the second instance is different from the first instance, the first and second instances are processes or threads running in random access memory (RAM), and the first and second instances are isolated from each other.
By implementing the method of the first aspect, the same callee can start multiple instances and serve different callers through different instances. Because instances are naturally isolated, different instances cannot access each other's memory data, which provides a system-level memory-data security mechanism, avoids abuse and leakage of each caller's memory data, and guarantees data security.
With reference to the first aspect, in some implementations, after creating the first instance and the second instance of the callee, the third device may store the calling relationship between the first caller on the first device and the first instance, and the calling relationship between the second caller on the second device and the second instance.
With reference to the first aspect, in some implementations, after sending the first access request to the third device, the first device may store the calling relationship between the first caller and the callee.
With reference to the first aspect, in some implementations, after sending the second access request to the third device, the second device may store the calling relationship between the second caller and the callee.
In the above implementations, the calling relationships stored by each electronic device can be used later to find the cause when a problem occurs during the calling process.
With reference to the first aspect, in some implementations, the third device may run the first instance in a first sandbox and the second instance in a second sandbox. Furthermore, if the third device generates first application data while running the first instance, it may store the first application data in the first sandbox; if it generates second application data while running the second instance, it may store the second application data in the second sandbox.
Through the above implementation, different sandboxes can be created for different callers, and the application data from each caller is stored in its own sandbox. Because sandboxes are naturally isolated, different sandboxes cannot access each other's application data, which provides an application-data security mechanism and avoids abuse and leakage of each caller's application data.
With reference to the first aspect, in some implementations, the callee comprises a first part deployed on the first device and a second part deployed on the third device, and the first resource includes resources on both the first device and the third device. Before sending the first access request to the third device, the first device may create a third instance of the first caller and run the third instance within a first permission scope; the first access request is generated while the first device runs the third instance. After sending the first access request to the third device, the first device may create a fourth instance of the first part and run the fourth instance within a second permission scope to access the first resource; the third instance and the fourth instance have the same user identity (UID), and the second permission scope differs from the first permission scope. Here, the first instance is an instance of the second part.
Through the above implementation, the first device runs the caller's instance and the callee's instance within different permission scopes, which prevents the callee's instance from obtaining data outside its permission scope, avoids privilege escalation, and guarantees the security of data on the first device.
With reference to the first aspect, in some implementations, after the first device sends the first access request to the third device, if the first caller changes from a first running state to a second running state, the first device may send the second running state of the first caller to the third device, and the third device may change the running state of the first instance to the second running state.
Through the above implementation, the running state of the callee's instance can follow the running state of the caller in the task domain, keeping the running states of the called callee and the caller consistent, which prevents the callee's permission scope from expanding and avoids problems such as data abuse and leakage.
With reference to the first aspect, in some implementations, after the first device sends the first access request to the third device, if the third device fails to respond successfully to the first access request, the first device sends a third access request to a fourth device in the communication system; the fourth device may be the same as or different from the third device, and the callee is installed on the fourth device. In response to the third access request, the fourth device may create a fifth instance of the callee, run the fifth instance and access a third resource of the third device.
Through the above implementation, the task being executed in the task domain can be recovered without affecting resource calls between devices or the user experience.
With reference to the first aspect, in some implementations, before sending the first access request to the third device, the first device may apply for and obtain the permission for the first caller to access the first resource, and send the permission information of the first caller for accessing the first resource to the third device. In this way, the first device sends the access request to the third device only when it holds the permission corresponding to the access request, guaranteeing the security of the third device's data during the calling process.
With reference to the first aspect, in some implementations, before running the first instance to access the first resource, the third device may check whether the first caller has permission to access the first resource; if the first caller does not have that permission, the third device requests the first device to obtain the permission for the first caller to access the first resource; the first device applies for and obtains the permission and sends the permission information of the first caller for accessing the first resource to the third device. In this way, the third device responds to the access request only when the corresponding permission is held, guaranteeing the security of the third device's data during the calling process.
With reference to the above implementation, the permission for the first caller to access the first resource that the first device applies for and obtains is valid within a first time period. This places a time limit on the granted permission and guarantees data security during the calling process.
With reference to the above implementation, after sending the permission information of the first caller for accessing the first resource to the third device, the first device may send the third device a message for revoking the first caller's permission to access the first resource. This allows permissions to be revoked according to user needs and avoids privilege escalation.
Through the above several implementations, it can be ensured that the callee's instance makes reasonable use of the permissions passed by the caller, and privilege escalation is avoided.
With reference to the first aspect, in some implementations, the first caller is a third-party application; after sending the permission information of the first caller for accessing the first resource to the third device, the first device may record first information indicating that the third device has obtained the first caller's permission information; after the first caller's permissions on the first device change, the first device may, according to the first information, send the changed permission information of the first caller to the third device.
Through the above implementation, when a caller's permissions change dynamically, the updated permission information is synchronized to the electronic devices that previously obtained that permission. Synchronizing permission information on demand in this way only synchronizes the permission information involved in call requests, which reduces the amount of synchronized data and the memory and performance consumed.
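The permission hand-off described in the implementations above (the subject device applies for the caller's permission and passes it to the object device, the object device checks it before running the callee instance, the grant is valid only within a time period, it can be revoked, and a later change is synchronized only to the devices that previously obtained it), written out as an added Python example. This is illustration code, not code from the patent; the class names, method names and the logical clock used for the validity period are assumptions of the example.

```python
"""Permission hand-off between a subject device (caller side) and an object
device (callee side). Added example, not code from the patent; all names and
the logical clock are assumptions of this illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionGrant:
    caller: str        # caller on the subject device, e.g. "online_classroom"
    resource: str      # resource on the object device, e.g. "camera"
    granted_at: float  # logical clock value at which the user granted it
    valid_for: float   # length of the validity period; <= 0 means no expiry

    def is_valid(self, now: float) -> bool:
        if self.valid_for <= 0:
            return True
        return self.granted_at <= now < self.granted_at + self.valid_for


class ObjectDevice:
    """Hosts the callee; keeps the permission information received from subject devices."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._grants: dict[tuple[str, str, str], PermissionGrant] = {}

    def receive_permission(self, subject: str, grant: PermissionGrant) -> None:
        self._grants[(subject, grant.caller, grant.resource)] = grant

    def revoke_permission(self, subject: str, caller: str, resource: str) -> None:
        self._grants.pop((subject, caller, resource), None)

    def check_permission(self, subject: str, caller: str, resource: str, now: float) -> bool:
        grant = self._grants.get((subject, caller, resource))
        return grant is not None and grant.is_valid(now)

    def handle_access_request(self, subject: str, caller: str, resource: str, now: float) -> str:
        """Run the callee instance only if a valid grant is held; otherwise ask for one."""
        if self.check_permission(subject, caller, resource, now):
            return "run_instance"
        return "request_permission"


class SubjectDevice:
    """Hosts the caller; applies for permissions and synchronizes them to object devices."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._grants: dict[tuple[str, str], PermissionGrant] = {}
        # "first information": which object devices obtained which grant
        self._synced_to: dict[tuple[str, str], set[ObjectDevice]] = {}

    def apply_for_permission(self, caller: str, resource: str, now: float,
                             valid_for: float, user_approves: bool) -> PermissionGrant | None:
        if not user_approves:
            return None
        grant = PermissionGrant(caller, resource, now, valid_for)
        self._grants[(caller, resource)] = grant
        return grant

    def send_permission(self, target: ObjectDevice, caller: str, resource: str) -> bool:
        grant = self._grants.get((caller, resource))
        if grant is None:
            return False
        target.receive_permission(self.name, grant)
        self._synced_to.setdefault((caller, resource), set()).add(target)
        return True

    def update_permission(self, caller: str, resource: str,
                          new_grant: PermissionGrant | None) -> int:
        """The caller's permission changed (None = revoked); push the change only to the
        devices recorded in the first information. Returns how many were notified."""
        targets = self._synced_to.get((caller, resource), set())
        for target in targets:
            if new_grant is None:
                target.revoke_permission(self.name, caller, resource)
            else:
                target.receive_permission(self.name, new_grant)
        if new_grant is None:
            self._grants.pop((caller, resource), None)
        else:
            self._grants[(caller, resource)] = new_grant
        return len(targets)


def demo() -> list[str]:
    """Constructed scenario: a phone (subject) calls a callee on a smart screen (object)."""
    phone = SubjectDevice("phone")
    screen = ObjectDevice("smart_screen")
    log = []
    log.append(screen.handle_access_request("phone", "online_classroom", "camera", now=0))
    phone.apply_for_permission("online_classroom", "camera", now=0, valid_for=60, user_approves=True)
    phone.send_permission(screen, "online_classroom", "camera")
    log.append(screen.handle_access_request("phone", "online_classroom", "camera", now=10))
    log.append(screen.handle_access_request("phone", "online_classroom", "camera", now=61))
    log.append(screen.handle_access_request("phone", "other_app", "camera", now=10))
    log.append(f"notified={phone.update_permission('online_classroom', 'camera', None)}")
    log.append(screen.handle_access_request("phone", "online_classroom", "camera", now=10))
    return log
```

In `demo()` the first request is refused because no permission has been passed yet, the second succeeds inside the validity period, the third is refused after the period has elapsed, the fourth is refused because the grant is keyed to a different caller, and after the user revokes the grant only the one device that had obtained it is notified and subsequent requests are refused again.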
With reference to the first aspect, in some implementations, the first caller is a system application; before sending the first access request to the third device, the first device may, after establishing a connection with the third device, send the permission information of each installed system application to the third device. Sending permission information upon connection in this way reduces the burden of permission synchronization during subsequent calls.
With reference to the first aspect, in some implementations, before the third device responds to the second access request by creating the second instance of the callee, running it and accessing the second resource, if the third device lacks the conditions for authorization, its distance from the user exceeds a first value, or it is currently unsuitable for authorization, it may notify a fifth device in the communication system to apply for a first permission, where the first permission includes the permission to call the callee on the third device to access the first resource on the third device; the fifth device applies for and obtains the first permission and sends an authorization result to the third device, the authorization result indicating that the user granted the first permission.
Through the above implementation, the third device can flexibly select an authorizing device in the distributed system, and the authorizing device obtains from the user the permission required by the access request. This allows flexible selection of the authorizing device and completes authorization without disturbing the user, guaranteeing data security during the calling process.
With reference to the first aspect, in some implementations, before the third device runs the first instance to access the first resource, the first device may send the first caller's identity information to the third device. The first caller's identity information includes one or more of: the first caller's PID, its UID, the ID of the account logged in to the first device, the system ID of the first device in the communication system, and the device ID of the first device; different identity information corresponds to different access permissions. The third device may confirm the access permissions corresponding to the first caller's identity information, including the first caller's permission to access the callee.
Through the above implementation, the third device can determine from the caller's identity information whether to respond to the access request initiated by that caller, and can decide the caller's permissions in combination with its identity information, further meeting the resource-access needs of the distributed system and avoiding data security problems during the calling process.
With reference to the first aspect, in some implementations, before sending the first access request to the third device, the first device may receive the third device's security level sent by the third device; the first device confirms sending the first access request according to the security levels of the first device and the third device. A device's security level is determined by the security capabilities provided by its software and hardware: the higher those capabilities, the higher the device's security level.
Through the above implementation, the first device can determine from the caller's identity information whether to send the access request initiated by that caller, and can decide the caller's permissions in combination with its identity information, further meeting the resource-access needs of the distributed system and avoiding data security problems during the calling process.
With reference to the first aspect, in some implementations, before running the first instance to access the first resource, the third device may receive the first device's security level sent by the first device; the third device confirms running the first instance to access the first resource according to the security levels of the first device and the third device. A device's security level is determined by the security capabilities provided by its software and hardware: the higher those capabilities, the higher the device's security level.
Through the above implementation, the third device can determine whether to respond to an access request according to the security level of the object device and/or the subject device, so that resources are opened selectively according to the security levels of different devices, avoiding the risk of data leakage.
With reference to the first aspect, in some implementations, before sending the first access request to the third device, the first device may receive the callee's security level sent by the third device; the first device confirms sending the first access request according to the security levels of the first caller and the callee. An application's security level is determined by the security capabilities the application provides: the higher those capabilities, the higher the application's security level.
Through the above implementation, the first device can determine whether to initiate the access request according to the caller's security level, so that resources are opened selectively according to the security levels of different applications, avoiding the risk of data leakage.
With reference to the first aspect, in some implementations, before running the first instance to access the first resource, the third device may receive the first caller's security level sent by the first device; the third device confirms running the first instance to access the first resource according to the security levels of the first caller and the callee. An application's security level is determined by the security capabilities the application provides: the higher those capabilities, the higher the application's security level.
Through the above implementation, the third device can determine whether to respond to the access request according to the caller's security level, so that resources are opened selectively according to the security levels of different applications, avoiding the risk of data leakage.
With reference to the first aspect, in some implementations, before sending the first access request to the third device, the first device may confirm sending the first access request according to the security sensitivity of the first device and the third device. A device's security sensitivity is determined by the privacy level of the data on the device: the more private the data, the higher the device's security sensitivity.
Through the above implementation, the first device can determine whether to initiate an access request according to the security sensitivity of the object device and/or the subject device, so that resources are opened selectively according to the security sensitivity of different devices, avoiding the risk of data leakage.
With reference to the first aspect, in some implementations, before running the first instance to access the first resource, the third device may confirm running the first instance to access the first resource according to the security sensitivity of the first device and the third device. A device's security sensitivity is determined by the privacy level of the data on the device: the more private the data, the higher the device's security sensitivity.
Through the above implementation, the third device can determine whether to respond to the access request according to the security sensitivity of the object device and/or the subject device, so that resources are opened selectively according to the security sensitivity of different devices, avoiding the risk of data leakage.
With reference to the first aspect, in some implementations, the first device, the second device and the third device may be the same electronic device. In this way, data security during the calling process can also be guaranteed for internal calls on a single device, preventing data abuse and leakage. When a single device performs the above access control method, the communication between devices can be omitted, and the remaining operations are as described in the first aspect or any implementation of the first aspect, which is not repeated here.
In a second aspect, this application provides a cross-device access control method applied to a communication system comprising a first device, a second device and a third device; a first caller is installed on the first device, a second caller on the second device, and a callee on the third device; the first caller, the second caller and the callee are each an APP or a function component; an APP is a program entity that implements multiple functions, and a function component is a program entity that implements a single function.
The method of the second aspect includes: the first device sends a first access request to the third device, the first access request being used by the first caller to call the callee to access a first resource of the third device; the second device sends a second access request to the third device, the second access request being used by the second caller to call the callee to access the first resource; the third device determines that the priority of the first caller is higher than that of the second caller, where a caller's priority is determined by one or more of: the caller's running state, the device on which the caller resides, the third device, the user logged in to the caller's device, and the user logged in to the third device; the third device responds to the first access request and runs the callee to access the first resource.
By implementing the method of the second aspect, when multiple callers access a resource on the object device, the object device determines the priority of each caller according to the running states of the callers and the user information of the subject devices and the object device, and responds first to the higher-priority resource access request. This schedules resources reasonably and meets users' access needs, and when shared resources run short, the genuinely low-priority instances are released first, ensuring that the caller currently executing keeps running normally.
In a third aspect, this application provides a cross-device access control method applied to a communication system comprising a first device and a second device, where the first device runs a first operating system and the second device runs a second operating system; a caller is installed on the first device and a callee on the second device; the caller and the callee are each an APP or a function component; an APP is a program entity that implements multiple functions, and a function component is a program entity that implements a single function.
The method of the third aspect includes: the first device sends an access request to the second device, the access request being used by the caller to call the callee to access a first resource of the second device, where the access request is in the description form of the first operating system; the second device maps the access request from the description form of the first operating system to the description form of the second operating system; and the second device runs the callee to access the first resource according to the access request in the description form of the second operating system.
By implementing the method of the third aspect, when an application on one device accesses resources on another device running a heterogeneous operating system, the application's identity information, context information and corresponding permission information are migrated to the peer device, supporting seamless migration of the application to other devices and transparent use of the resources they provide, meeting users' actual needs in a "super terminal" setting.
In a fourth aspect, this application provides a cross-device access control method applied to a first device. For the operations performed by the first device in the method of the fourth aspect, refer to the operations performed by the first device in the first aspect or any implementation of the first aspect, which are not repeated here.
In a fifth aspect, this application provides a cross-device access control method applied to a third device. For the operations performed by the third device in the method of the fifth aspect, refer to the operations performed by the third device in the first aspect or any implementation of the first aspect, which are not repeated here.
In a sixth aspect, this application provides a cross-device access control method applied to a third device. For the operations performed by the third device in the method of the sixth aspect, refer to the operations performed by the third device in the second aspect or any implementation of the second aspect, which are not repeated here.
In a seventh aspect, this application provides a cross-device access control method applied to a second device. For the operations performed by the second device in the method of the seventh aspect, refer to the operations performed by the second device in the third aspect or any implementation of the third aspect, which are not repeated here.
In an eighth aspect, this application provides an electronic device comprising a memory and one or more processors; the memory is coupled to the one or more processors and is used to store computer program code comprising computer instructions; the one or more processors invoke the computer instructions to cause the electronic device to perform the method of the fifth aspect or any implementation of the fifth aspect.
In a ninth aspect, this application provides an electronic device comprising a memory and one or more processors; the memory is coupled to the one or more processors and is used to store computer program code comprising computer instructions; the one or more processors invoke the computer instructions to cause the electronic device to perform the method of the sixth aspect or any implementation of the sixth aspect.
In a tenth aspect, this application provides an electronic device comprising a memory and one or more processors; the memory is coupled to the one or more processors and is used to store computer program code comprising computer instructions; the one or more processors invoke the computer instructions to cause the electronic device to perform the method of the seventh aspect or any implementation of the seventh aspect.
In an eleventh aspect, this application provides a communication system comprising a first device, a second device and a third device, where the first device is used to perform the method of the fourth aspect or any implementation of the fourth aspect, and the third device is used to perform the method of the fifth aspect or any implementation of the fifth aspect.
In a twelfth aspect, this application provides a communication system comprising a first device, a second device and a third device, where the third device is used to perform the method of the sixth aspect or any implementation of the sixth aspect.
In a thirteenth aspect, this application provides a communication system comprising a first device and a second device, where the second device is used to perform the method of the seventh aspect or any implementation of the seventh aspect.
In a fourteenth aspect, this application provides a computer-readable storage medium comprising instructions which, when run on an electronic device, cause the electronic device to perform the method of the fourth aspect or any implementation thereof, the fifth aspect or any implementation thereof, the sixth aspect or any implementation thereof, or the seventh aspect or any implementation thereof.
In a fifteenth aspect, this application provides a computer program product which, when run on a computer, causes the computer to perform the method of the fourth aspect or any implementation thereof, the fifth aspect or any implementation thereof, the sixth aspect or any implementation thereof, or the seventh aspect or any implementation thereof.
Implementing the technical solutions provided by this application can ensure that devices share resources securely and that device resources are fully and reasonably utilized.
FIG. 1 is a schematic structural diagram of a distributed system 10 according to an embodiment of this application;
FIG. 2 shows a distributed scenario according to an embodiment of this application;
FIG. 3A is a schematic diagram of two ways in which a called APP provides a service in a stand-alone scenario;
FIG. 3B shows a process isolation model according to an embodiment of this application;
FIG. 3C is a flowchart of an access control method according to an embodiment of this application;
FIG. 4A is a schematic diagram of a way of isolating callers' application data in a stand-alone scenario;
FIG. 4B shows a sandbox isolation model according to an embodiment of this application;
FIG. 4C is a flowchart of another access control method according to an embodiment of this application;
FIG. 5A is a schematic diagram of several ways of preventing an FA from leaking data;
FIG. 5B, FIG. 6, FIG. 7, FIG. 8A, FIG. 8B and FIG. 9 are each a flowchart of an access control method according to an embodiment of this application;
FIG. 10 is a software structure diagram of an electronic device 300 according to an embodiment of this application;
FIG. 11 is a software structure diagram of an electronic device 100 according to an embodiment of this application;
FIG. 12A is a flowchart of a cross-device access control method according to an embodiment of this application;
FIG. 12B is a software structure diagram of the electronic device 300 used to implement the method shown in FIG. 12A;
FIG. 13A is a flowchart of a cross-platform access control method according to an embodiment of this application;
FIG. 13B is a software structure diagram of the electronic device 300 used to implement the method shown in FIG. 13A;
FIG. 14 is a hardware structure diagram of an electronic device according to an embodiment of this application.
The technical solutions in the embodiments of this application will be described clearly and thoroughly below with reference to the accompanying drawings. In the description of the embodiments, unless otherwise stated, "/" means "or"; for example, A/B may mean A or B. "And/or" in the text merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone. In addition, in the description of the embodiments, "multiple" means two or more than two.
Hereinafter, the terms "first" and "second" are used only for descriptive purposes and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the embodiments, unless otherwise stated, "multiple" means two or more.
In the following embodiments of this application, the term "user interface (UI)" refers to the medium interface for interaction and information exchange between an application or operating system and the user; it converts between the internal form of information and a form acceptable to the user. A user interface is source code written in a specific computer language such as Java or extensible markup language (XML); the interface source code is parsed and rendered on the electronic device and finally presented as content the user can recognize. A common form of user interface is the graphical user interface (GUI), which is a user interface related to computer operation that is displayed graphically. It may consist of visible interface elements displayed on the electronic device's screen, such as text, icons, buttons, menus, tabs, text boxes, dialog boxes, status bars, navigation bars and widgets.
First, the communication system provided by the embodiments of this application is introduced.
As shown in FIG. 1, an embodiment of this application provides a communication system 10. The communication system 10 includes multiple electronic devices. The communication system 10 may also be called a distributed system 10.
The multiple electronic devices included in the distributed system 10 are all smart terminal devices and may be of various types; the embodiments of this application place no particular restriction on their specific types. For example, the devices include mobile phones and may also include tablets, desktop computers, laptops, handheld computers, notebooks, smart screens, wearable devices, augmented reality (AR) devices, virtual reality (VR) devices, artificial intelligence (AI) devices, in-vehicle units, smart earphones and game consoles, and may further include internet of things (IoT) devices or smart home devices such as smart water heaters, smart lamps and smart air conditioners. Without limitation, the devices in the distributed system 10 may also include non-portable terminal devices such as laptops with a touch-sensitive surface or touch panel and desktop computers with a touch-sensitive surface or touch panel.
When the multiple electronic devices in the distributed system 10 are all deployed in a home, the distributed system 10 may also be called a home distributed system.
The multiple electronic devices in the distributed system 10 may be connected by logging in to the same account. For example, they may log in to the same Huawei account and connect and communicate through a server.
The electronic devices in the distributed system 10 may also log in to different accounts and be connected by binding. For example, the electronic device 100 and the electronic device 200 may log in to different accounts; the electronic device 100 binds the electronic device 200 to itself in a device management application and then connects through that application. In the following embodiments, the electronic device 100 may be any electronic device in the distributed system 10, and the electronic device 200 may likewise be any electronic device in the distributed system 10. For example, the electronic device 100 is a smartphone and the electronic device 200 is a smart screen.
The electronic devices in the distributed system 10 may also establish short-range connections and communicate via Bluetooth (BT), wireless local area networks (WLAN) such as wireless fidelity point-to-point (Wi-Fi P2P), near field communication (NFC), infrared (IR) and the like.
In addition, the electronic devices in the communication system may combine any of the above ways to connect and communicate; the embodiments of this application place no limitation on this.
In the embodiments of this application, each device in the distributed system 10 may install applications (APPs), such as the conventional camera, gallery and settings applications. In subsequent embodiments, a conventional APP may be referred to simply as an APP.
Furthermore, the distributed system 10 provided by the embodiments may install distributed applications. A distributed application may be a system application or a third-party application; no limitation is placed here.
Unlike an APP, which contains multiple abilities, a distributed application supports deployment in units of a single ability. A distributed application comprises one or more function components.
A function component is the smallest ability unit that can run independently on an electronic device; it is the concept of abstracting and encapsulating a single ability. An APP bundles multiple functions together, whereas a function component lets each function exist independently as a separate service-oriented basic capability. That is, a function component is a program entity that implements a single function.
Each function component can be downloaded, installed and run independently. The multiple function components making up one distributed application may be deployed on the same electronic device in the distributed system 10 or on different electronic devices.
It can be understood that "function component" is merely a term used in this embodiment; its meaning has been set out in this embodiment, and its name does not limit this embodiment in any way. In some other embodiments of this application, a function component may also be called a system component, a system service, a business function or other terms. Subsequent embodiments uniformly use "function component".
(1) Feature ability (FA).
An FA is a function component containing one or more groups of UIs and can provide the ability to interact with the user. For example, the navigation interface of a map application or the video call interface of an instant messaging application may be implemented as an FA.
In some embodiments, an FA is developed following the MVVM (model-view-view-model) pattern, which separates the view UI from the business logic. The business logic code and the view UI code are deployed separately, and the view UI code can be integrated into other APPs. While running, the view UI code can communicate with the business logic code to obtain the data the UI needs to display.
An FA supports page-template abilities such as Empty Ability, Login Ability and Setting Ability. An FA uses a scripting language (JavaScript, JS) to provide a declarative development mode, uses HTML-like and cascading style sheet (CSS) declarative languages for page layout and page style, and supports the ECMAScript-compliant JS language for page business logic.
An FA has capabilities such as installation-free use, independent running, cross-device UI migration and cross-device binary migration. An FA also has the characteristics of multi-device deployment and distributed execution.
An FA can call an AA or an APP to implement more and more complex functions.
(2) Particle ability (PA).
A PA is a function component without a UI and can support FAs; for example, a PA may serve as a background service providing computing ability, or as a data repository providing data-access ability. For example, beautification, positioning, and audio/video codec functions may be encapsulated as PAs.
A PA likewise has the characteristics of multi-device deployment and distributed execution. A PA depends only on system services and has no dependency on other PAs.
A PA in effect encapsulates the implementation of remote virtualization, remote invocation, PA management, cross-platform compatibility, security and so on, and exposes cross-device service enabling and invocation to developers, so that other devices can call this device's computing ability and cooperate with other devices to complete computing tasks. A PA supports Service Ability, Data Ability, etc. A Service Ability provides the ability to run background tasks; a Data Ability provides a unified data-access abstraction to the outside.
A PA can call an FA or an APP to implement more and more complex functions.
It can be understood that "FA" and "PA" are merely terms used in this embodiment; in some other embodiments of this application they may be called by other names. For example, "PA" and "FA" may also be called atomic ability (AA), atomic application, meta-ability, atomic service, feature capability or other terms.
The multiple function components making up a distributed application may be developed or provided by the same developer or by several developers separately; no limitation is placed here. Joint development of function components by different developers can improve the development efficiency of distributed applications.
In the embodiments of this application, a function component exposes a standardized interface for invocation. An APP can call a function component. In some cases, a function component can also call other function components or APPs. Furthermore, a called function component can itself call further function components or APPs; this multi-level calling is called chained calling.
After the devices in the distributed system 10 establish communication connections, each device synchronizes the function component information and APP information of the other devices in the distributed system. Specifically, each device can synchronize the names of the function components and APPs it has installed, along with its own device information (e.g., a device identifier), to the other devices, for later use in calling function components such as FAs and PAs on other devices in the distributed system 10. Which callers may call a given function component such as an FA or PA, and which other function components it may call, can be preset and recorded in each electronic device.
Referring to FIG. 2, FIG. 2 illustrates a possible distributed remote-teaching business scenario.
As shown in FIG. 2, the distributed system contains electronic devices such as a smartphone, a tablet and a smart screen, each connected to every other. The smartphone, tablet and smart screen may be configured with different software operating systems (OS); for example, the smartphone and tablet may be configured with one operating system and the smart screen with another.
An "online classroom" application is installed on the smartphone. "Online classroom" is an application installed on an electronic device that provides teachers and students with the functions needed for remote classes; the embodiments place no limitation on its name. "Online classroom" may include the following function components: a blackboard function component, a whiteboard function component, an audio/video codec function component and a network connection function component. The blackboard and whiteboard function components are FAs; the audio/video codec and network connection function components are PAs. The blackboard function component provides remote lesson explanation, the whiteboard function component provides remote question answering, and the audio/video codec function component provides audio and video encoding and decoding.
On the teacher's side, when the teacher uses "online classroom" on the smartphone, the blackboard function component can be migrated or switched to the smart screen so that the lesson is explained on the smart screen.
On the student's side, when the student uses "online classroom" on the smartphone, the whiteboard function component can be migrated or switched to the tablet so that questions are answered on the tablet.
Migrating or switching a function component from one device A to another device B may take either of two forms: 1. UI migration. When the FA's view UI and business logic are separated, device A, while running the business logic code, can trigger device B to run the view UI code, so that to the user it appears the function component has migrated from device A to device B. 2. Whole migration. Whole migration means device B downloads and installs the function component from device A or from the network, then runs it and provides the corresponding function.
In this remote-teaching scenario, "online classroom" is the caller, and the whiteboard function component on the tablet and the blackboard function component on the smart screen are callees.
FIG. 2 also shows another possible distributed video-call business scenario.
As shown in FIG. 2, the smartphone may also have other distributed applications installed, such as an instant messaging application. The instant messaging application may provide video calls, voice calls and other communication functions. It may include the following function components: a video call function component, an audio/video codec function component and a network connection function component.
When the user uses the instant messaging application on the smartphone, the application's video call function component can be migrated or switched to the smart screen, so that the smart screen's camera and display are used for the video call.
The blackboard function component of "online classroom" above and the video call function component of the instant messaging application may be the same function component. That is, this function component on the smart screen may be called separately by "online classroom" and by the instant messaging application installed on the smartphone.
In this video-call scenario, the instant messaging application is the caller and the video call function component on the smart screen (i.e., the video call function component) is the callee.
It should be noted that the business scenarios shown in FIG. 2 are only used to assist in describing the technical solutions of the embodiments. In actual business scenarios, the distributed system of FIG. 2 may include more terminal devices, each device may deploy more or fewer function components, and each distributed application may include more or fewer function components.
Through the distributed system 10 of FIG. 1 and the distributed scenario of FIG. 2, the software and hardware capabilities of different devices can be integrated to realize an intelligent all-scenario experience.
In the distributed system 10 of FIG. 1 and the distributed scenario of FIG. 2, because function components can be called across devices, how to ensure the secure use of each function component, the security of data on each device, and reasonable access by each function component to device resources is the key to secure resource sharing between devices in a distributed system, and is the actual problem the embodiments of this application set out to solve. The specific solutions adopted for these problems are described in detail below.
Here, the resources shared between devices in a distributed system may include, but are not limited to, software resources, hardware resources, and the peripheral or accessory resources of a device.
It can be understood that, beyond the distributed scenario of FIG. 2, function components and APPs within a single device can also call one another in a stand-alone (i.e., single-device) scenario.
In the subsequent embodiments of this application, the party that initiates a call to a function component or APP may be called the caller. A caller may be, for example, an APP, an FA or a PA. The initial initiator of an entire call chain may be called the initial caller, which may be, for example, an APP or an FA. For example, if the call chain is APP1 calls PA1, PA1 calls PA2, PA2 calls FA1, then APP1 is the initial caller. As another example, if the call chain is FA1 calls PA1, PA1 calls PA2, then FA1 is the initial caller.
In the whole call chain, the intermediate called parties and the last called party may all be called callees. A callee may be, for example, an APP, an FA or a PA.
In some embodiments of this application, the caller may also be called the subject application, and the callee the object application.
In a call chain, the caller and the callee may be deployed on the same electronic device or on different electronic devices. That is, the caller and the callee may be in a distributed scenario or in a stand-alone scenario.
The device on which the caller resides is called the subject device, and the device on which the callee resides is called the object device.
The applications referred to in subsequent embodiments may include APPs and may also include the function components of distributed applications.
The access control method provided by the embodiments of this application is described in detail below.
An application program, including APPs and function components, generates the following two kinds of data while running:
1. Memory data.
When an electronic device starts or launches an instance of an application, corresponding memory data is produced.
An instance is an APP or function component in the running state. In the embodiments of this application, an instance may refer to a process or a thread. A process is one execution activity of an application on a computer. A thread is a single sequential control flow within the execution of an application. One process may include multiple threads.
That is, as soon as an application starts running, a corresponding instance is generated and memory data is produced.
Memory data may be stored in the electronic device's random access memory (RAM). RAM is internal memory that exchanges data directly with the processor; it can be read and written at any time and is very fast, and is usually used as temporary data storage for the operating system or other running programs. RAM may include static random-access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM; for example, fifth-generation DDR SDRAM is generally called DDR5 SDRAM), etc.
2. Application data.
Application data is content written by an application while running, such as the photos or videos captured by a camera application or the text edited by the user in a document application. Application data may also be called file data.
Application data may be stored in non-volatile memory (NVM). NVM is memory that retains saved data even when the electronic device is powered off. NVM may include disk storage devices and flash memory.
参考图3A,图3A示例性示出了单机场景中,APP之间相互调用的两种方式。
如图3A中的(1)所示,APP1和APP2为调用者,APP3以三方库例如软件开发包(software development kit,SDK)库或动态链接库(.so文件)等形式,集成到宿主APP(即调用者)中,为宿主APP提供共享服务。共享服务是指该APP3同时为多个不同的APP提供服务。由于三方库可以获取到宿主APP所有的资源及权限,存在三方库滥用调用者内存数据的问题。
如图3A中的(2)所示,各个APP分别有对应的实例,各个实例之间天然隔离,以图3A中的(2)为例,在电子设备中三个APP实例在安装时,电子设备会为不同的APP实例分配相应的虚拟地址空间,其虚拟地址空间与电子设备内存中不用的物理地址空间相映射。在不同的APP实例运行时,不同的APP实例通过其虚拟地址空间访问对应内存中不同的物理地址空间,且不同的APP实例通过其虚拟地址空间不能访问其他APP实例的物理地址空间,使得不同的APP实例之间隔离。APP3以单实例的形式为调用者(APP1和APP2)提供共享服务。这种方式只能依靠被APP3自己来对APP1和APP2的内存数据做隔离。在APP3出现漏洞或恶意行为时,APP1和APP2各自的内存数据可能被APP3误用。
在分布式场景中,采用上述第(1)或(2)种方式实现调用者和被调用者之间的相互调用,同样存在上述所描述的各个调用者的内存数据发生混淆或误用的问题。例如,在图2所 示的分布式场景中,智慧屏中的黑板能力单元(即视频通话能力单元)可以同时获取到智能手机中的“在线课堂”的数据,和,即时通讯应用的内存数据,这两种内存数据可能会发生误用。
为了避免单机场景和分布式场景中,各个调用者的内存数据发生混淆或误用,本申请以下实施例提供了一种访问控制方法。在该访问控制方法中,同一个被调用者可以启用多个实例,通过不同的实例来为不同的调用者提供服务。由于实例之间的天然隔离属性,不同实例无法互相访问内存数据,这样可以提供系统级的内存数据安全机制,避免了各调用者的内存数据滥用及泄露问题,保证了数据安全。
电子设备会以进程为单位为不同的实例分配RAM中的物理地址。电子设备在需要运行实例时,将根据虚拟地址找到RAM中对应分配给该实例的空间,并在该空间中运行该实例。其中,该虚拟地址与电子设备分配给实例的物理地址相映射,其映射关系存储在电子设备的控制器中。也就是说,实例是通过虚拟地址来实现找到内存数据的实际存储位置的。在这样的机制下,不同的实例之间通过自身的虚拟地址只能访问自身的虚拟地址对应的物理地址,即不能访问对方在RAM中的物理空间,因此实例之间相互隔离。
Referring to Fig. 3B, Fig. 3B shows by way of example an instance isolation model provided by the embodiments of this application when this access control method is implemented.
As shown in Fig. 3B, the distributed system 10 may have installed: caller 1, caller 2 and callee 1. For the meaning of each caller and callee and the devices they are installed on, refer to the descriptions of Figs. 1 and 2. For example, caller 1, caller 2 and callee 1 may be installed on electronic device 100, electronic device 200 and electronic device 300 respectively.
As shown in Fig. 3B, caller 1 and caller 2 each call callee 1, while callee 1 itself is also running. Electronic device 300 creates three instances of callee 1 to serve caller 1, caller 2 and callee 1 itself respectively. In this way, relying on the isolation between instances, the memory data of caller 1 and caller 2 can be kept apart, avoiding misuse and leakage of memory data.
Referring to Fig. 3C, Fig. 3C shows by way of example a flowchart of the access control method. The method of Fig. 3C is described taking caller 1 on electronic device 100 calling callee 1 on electronic device 300 as an example.
As shown in Fig. 3C, the access control method may include the following steps:
S101: Electronic device 100 sends an access request to electronic device 300; the access request is for caller 1 to call callee 1 and, through callee 1, access a first resource on electronic device 300.
Electronic device 100 may send the access request in response to a received user operation, or in some cases may send it to electronic device 300 autonomously; no limitation is imposed here.
In some embodiments, callee 1 may be installed on electronic device 300 in advance. In other embodiments, after receiving the access request from electronic device 100, electronic device 300 may download and install callee 1 from the network, or download and install it directly from electronic device 100.
In the embodiments of this application, caller 1 calling callee 1 and accessing the first resource on electronic device 300 through callee 1 means that caller 1 obtains the service provided by callee 1. The first resource may include software resources of electronic device 300 (such as a beautification algorithm, a positioning function, or audio/video codec functions) or hardware resources (such as the camera, audio devices, or display).
S102: Electronic device 300 determines whether a specific instance of callee 1 exists.
In the embodiments of this application, the object device (electronic device 300) may start different instances for different callers and serve each caller separately. An instance started by the object device for a caller can continue to serve that caller.
Therefore, after receiving the access request, electronic device 300 may first determine whether an instance of callee 1 started for caller 1 already exists. In some embodiments, electronic device 300 may start different instances not only based on the caller but additionally based on one or more of: the subject device, the caller's developer, the user the caller belongs to, or the account of the subject device. When one or more of these differ, electronic device 300 may start different instances of callee 1 to serve the callers.
By way of example, the specific instance of callee 1 may be any of the following:
1. An instance serving caller 1.
2. An instance serving caller 1 on electronic device 100.
3. An instance serving all callers that belong to the same developer as caller 1.
4. An instance serving all callers on electronic device 100 that belong to the same developer as caller 1.
It can be understood that the specific instance of callee 1 may also be created based on information such as the user the caller belongs to or the account of the subject device; these are not enumerated one by one here.
In a specific implementation, electronic device 300 stores the call relationships in which instances of callee 1 are called; a call relationship indicates how callee 1 has started instances and served each caller. Electronic device 300 can therefore determine from the call relationships whether a specific instance of callee 1 exists. A call relationship includes: a call relationship ID, the callee's instance information, and the information of each caller calling that instance.
The call relationship ID may be allocated by electronic device 100. For the same call relationship, the object device (electronic device 300) and the subject device (electronic device 100) may share the same call relationship ID, which may be carried in the access request of S101 and sent to electronic device 300 after electronic device 100 allocates it.
The instance information of callee 1 may include: the APP ID of callee 1, and the user identifier (UID) and process identifier (PID) of the instance. The PID is the identity of the instance; when an electronic device runs an instance it assigns it a unique PID.
The caller information includes the caller's application identifier (APP ID) and may also include one or more of: the device identifier (device ID) of the subject device, the caller's developer signature, the caller's user identifier (UID), and the account of the subject device (account ID). Of these:
APP ID identifies an APP or function component.
device ID identifies a device; it may be, for example, the device's name, serial number, or media access control (MAC) address.
The developer signature identifies the developer.
UID identifies the user to which an APP or function component belongs. Usually an electronic device assigns different UIDs to the different APPs or function components it installs in order to distinguish them. In some embodiments, an electronic device may assign the same UID to the APPs or function components developed by the same developer. The same APP or function component may have different UIDs on different electronic devices.
account ID identifies the user currently logged in to the electronic device, for example a Huawei account.
In the embodiments of this application, the access request of S101 may carry the caller information of caller 1 so that electronic device 300 can look up the call relationships of callee 1's instances and determine whether a specific instance of callee 1 exists.
If the result of S102 is no, S103 is performed; if yes, S104 is performed.
S103: Electronic device 300 creates the specific instance of callee 1.
Specifically, electronic device 300 starts and runs a new instance of callee 1 and uses it as the specific instance of callee 1; for its role, refer to the description under S102.
When creating the specific instance of callee 1, electronic device 300 may allocate a UID and a PID to it.
In some embodiments, electronic device 300 may reuse the caller's UID, that is, assign the caller's UID to the specific instance of callee 1. Because different callers have different UIDs, the instances that callee 1 creates for different callers have different UIDs.
In other embodiments, electronic device 300 may allocate a separate UID to the specific instance of callee 1. For example, electronic device 300 may allocate UIDs to APPs from one numeric range (for example 10000-30000) and UIDs to instances of function components (including the specific instance of callee 1) from another range (for example 30001-50000), allocating different UIDs to different instances of the same function component.
For example, in the instance isolation model of Fig. 3B, the UIDs electronic device 300 allocates to instance 1, instance 2 and instance 3 of callee 1 are, respectively, UID 30000, UID 30001.
In both of the above embodiments, electronic device 300 can thus distinguish different instances of the same callee by UID.
In still other embodiments, electronic device 300 may directly reuse the UID allocated to the function component, that is, assign the function component's UID to each of its instances. For example, in the instance isolation model of Fig. 3B, the UID allocated to instance 1, instance 2 and instance 3 of callee 1 may all be UID 10000.
In addition, electronic device 300 allocates different PIDs to different instances; the PID allocated to the specific instance of callee 1 distinguishes it from the other instances of callee 1.
After creating the specific instance of callee 1, electronic device 300 may save the call relationship formed by caller 1 and that specific instance. The call relationship can be used to check, when callee 1 is called again later, whether a corresponding specific instance already exists, and to trace causes when problems occur.
S104: Electronic device 300 runs the specific instance of callee 1 and accesses the first resource in response to the access request received in S101.
Specifically, the specific instance of callee 1 accesses the first resource on electronic device 300 to serve caller 1 on electronic device 100. The first resource may include software resources of electronic device 300 (such as a beautification algorithm, a positioning function, or audio/video codec functions) or hardware resources (such as the camera, audio devices, or display).
In some embodiments, after accessing the first resource, electronic device 300 may itself perform a series of operations based on it, for example displaying a video-call interface on its display or capturing images with its camera. In some embodiments, electronic device 300 may send the access result back to electronic device 100, for example a positioning result or a computation result.
It can be understood that in the embodiments of this application the subject device (electronic device 100) may also save the call relationship formed by caller 1 and the specific instance of callee 1, but it need not store the callee instance's detailed UID and PID as the object device does. For examples of the call relationships stored on the subject and object devices, refer to Tables 1 and 2 below; they are not repeated here.
With the method of Fig. 3C, when callee 1 on electronic device 300 is called by different callers, multiple instances of callee 1 can be started to serve each caller separately. Moreover, when the specific instance of callee 1 is defined differently in S102, different granularities of memory data isolation are achieved.
For example, with the first kind of specific instance of callee 1, one instance of callee 1 serves only one caller, providing system-level isolation of the memory data of different callers.
With the second kind of specific instance of callee 1, one instance of callee 1 serves only the same caller on the same device, providing system-level memory data isolation across different devices and/or different callers.
With the third kind of specific instance of callee 1, one instance of callee 1 serves only the same caller developed by the same developer, providing system-level memory data isolation across different developers and/or different callers.
With the fourth kind of specific instance of callee 1, one instance of callee 1 serves only the same caller developed by the same developer on the same device.
It can be understood that caller 1 and callee 1 need not be on different devices as in Fig. 3C; in other embodiments of this application they may be on the same device, in which case that device performs all the steps of Fig. 3C on its own.
In the method of Fig. 3B, when multiple electronic devices call the same callee on the same electronic device, one of them (for example electronic device 100) may be referred to as the first device and its caller as the first caller, and another (for example electronic device 200) as the second device and its caller as the second caller. The accessed electronic device (for example electronic device 300) may be referred to as the third device and the resource accessed on it as the first resource. The access request the first device sends to the third device may be referred to as the first access request, and that sent by the second device as the second access request.
Referring to Fig. 4A, Fig. 4A shows by way of example how application data is isolated when APPs call each other in a stand-alone scenario.
As shown in Fig. 4A, each APP on a single device runs in its own instance, and the electronic device creates an independent sandbox for each APP to store the application data it produces while running. Sandboxes are isolated from one another and cannot access each other, which protects each application's data. As shown in Fig. 4A, when APP3 serves APP1 and APP2 it can receive the application data passed by APP1 and APP2, and all of this application data is stored in APP3's sandbox. In this arrangement, isolation of the application data from APP1 and APP2 depends entirely on the callee itself. If APP3 has a vulnerability or behaves maliciously, the application data of APP1 and of APP2 may be misused by APP3, and no system-level security isolation is provided.
In a distributed scenario, using the approach of Fig. 4A, in which the callee itself isolates the application data of different callers, likewise suffers from confusion or misuse of each caller's application data.
To avoid confusion or misuse of each caller's application data in stand-alone and distributed scenarios, in some embodiments, when performing the access control method of Fig. 3C the callee may additionally isolate the application data of each caller. Specifically, after the same callee starts multiple instances and serves different callers through different instances, it may also create different sandboxes for different callers and store the application data from each caller in the corresponding sandbox. Because sandboxes are naturally isolated, different sandboxes cannot access each other's application data; this provides a security mechanism for application data and avoids misuse and leakage of each caller's application data.
A sandbox is an independent operating environment that restricts program behaviour according to a security policy. An instance runs in the sandbox, and the application data it produces while running is also stored in the sandbox.
A sandbox uses an access control list (ACL) to define a discretionary access control (DAC) policy; the DAC policy defines which types of operation a user may perform on which database objects. Specifically, every user can belong to a group, every file has an owner user, and a list of the users allowed to perform certain operations on a file can be given; the user identifies the operation permissions that the file's owner, users in the same group, and other users have on that file. "User" here is relative to the file and actually denotes an application or function component.
The electronic device allocates different virtual address spaces to different instances on a per-process basis to form sandboxes; the virtual address space of an instance's sandbox is mapped to the physical addresses in RAM and in NVM described earlier, and the specific mapping is not limited. When the electronic device runs an instance and produces application data, it finds, via the virtual address, the physical space in NVM allocated to that instance and stores the application data there. In other words, an instance finds the actual storage location of its application data through virtual addresses. Under this mechanism, instances cannot know or access the virtual addresses of other sandboxes, so they cannot access each other's physical space in NVM and are isolated from one another.
Different sandboxes are naturally isolated and cannot access one another, so a security isolation mechanism for application data can be provided.
It can be understood that "sandbox" is merely a term used in the embodiments of this application; its meaning has been explained above, and the name does not limit its function.
Referring to Fig. 4B, Fig. 4B shows by way of example a sandbox isolation model in a distributed system provided by the embodiments of this application.
As shown in Fig. 4B, after creating two instances of callee 1, electronic device 300 creates two sandboxes. Sandbox 1 runs instance 1, which serves caller 1, and stores the application data from caller 1. Sandbox 2 runs instance 2, which serves caller 2, and stores the application data from caller 2. In this way, relying on the isolation between sandboxes, the application data of caller 1 and caller 2 is kept apart, avoiding misuse and leakage of application data.
Referring to Fig. 4C, in the access control method of Fig. 3C, the flow of Fig. 4C may additionally be performed before S104. As shown in Fig. 4C, the flow may include the following steps:
S201: Electronic device 300 determines whether a specific sandbox of callee 1 exists.
In the embodiments of this application, the object device (electronic device 300) may create different sandboxes for different callers, providing each caller with application-data storage and an environment in which its instance runs. A sandbox created by the object device for a caller can continue to serve that caller.
Therefore, after receiving the access request of S101 in Fig. 3C, or after creating the specific instance of callee 1 in S103, electronic device 300 may first determine whether a sandbox of callee 1 created for caller 1 exists.
In some embodiments, electronic device 300 may create different sandboxes not only based on the caller but additionally based on one or more of: the subject device, the caller's developer, the user the caller belongs to, or the account of the subject device. When one or more of these differ, electronic device 300 may create different sandboxes to provide application-data storage and instance execution for the callers.
By way of example, the specific sandbox of callee 1 may be determined from the specific instance of callee 1 created in S103 of Fig. 3C. By way of example, the specific sandbox of callee 1 may be any of the following:
1. When the specific instance of callee 1 is the first kind in S102, the sandbox storing application data from that first-kind specific instance.
2. When the specific instance of callee 1 is the second kind in S102, the sandbox storing application data from that second-kind specific instance.
3. When the specific instance of callee 1 is the third kind in S102, the sandbox storing application data from that third-kind specific instance.
4. When the specific instance of callee 1 is the fourth kind in S102, the sandbox storing application data from that fourth-kind specific instance.
It can be understood that the specific sandbox of callee 1 may also be created based on information such as the user the caller belongs to or the account of the subject device; these are not enumerated one by one here.
In a specific implementation, electronic device 300 stores the correspondence between the sandboxes of callee 1 and the instances running in them; this correspondence indicates how the sandboxes of callee 1 provide application-data storage and instance execution. Electronic device 300 can therefore determine from it whether a specific sandbox of callee 1 exists. The correspondence includes: a sandbox identifier, the instance information of the callee instance running in the sandbox, and the information of each caller calling that instance. The application data stored in a sandbox includes the application data from the callers of the instance running in it.
If the result of S201 is no, S202 is performed; if yes, S203 is performed.
S202: Electronic device 300 creates the specific sandbox of callee 1.
Specifically, electronic device 300 creates a new sandbox for caller 1 and uses it as the specific sandbox of callee 1; for its role, refer to the description under S201. Creating a sandbox means that electronic device 300 sets aside a separate storage region or operating environment.
When creating the specific sandbox of callee 1, electronic device 300 may allocate a sandbox identifier to it.
After creating the specific sandbox of callee 1, electronic device 300 may save the correspondence between the sandbox of callee 1 and the instance running in it.
After S202, when electronic device 300 performs S104 of Fig. 3C it runs the corresponding instance of callee 1 in the specific sandbox of caller 1.
S203: While caller 1 on electronic device 100 calls callee 1 on electronic device 300, the specific instance of callee 1 on electronic device 300 obtains application data.
In some embodiments, the application data may be passed directly from caller 1 to callee 1, or may be generated by callee 1 itself during the call; no limitation is imposed here.
S204: Electronic device 300 stores the application data in the specific sandbox of callee 1.
Specifically, the specific sandbox of callee 1 stores the application data of the corresponding specific instance and allows access only by the caller of that specific instance.
With the method of Fig. 4C, when the specific sandbox of callee 1 is defined differently, different granularities of application data isolation are achieved.
For example, with the first kind of specific sandbox of callee 1, one sandbox of callee 1 stores only application data from the same caller, providing application data isolation between different callers.
With the second kind of specific sandbox of callee 1, one sandbox of callee 1 stores only application data from the same caller on the same device, providing application data isolation across different devices and/or different callers.
With the third kind of specific sandbox of callee 1, one sandbox of callee 1 stores only application data from the same caller developed by the same developer, providing application data isolation across different developers and/or different callers.
With the fourth kind of specific sandbox of callee 1, one sandbox of callee 1 stores only application data from the same caller developed by the same developer on the same device.
It can be understood that caller 1 and callee 1 need not be on different devices as in Fig. 4C; in other embodiments of this application they may be on the same device, in which case that device performs all the steps of Fig. 4C on its own.
In the method of Fig. 4C, the sandbox on the third device used to run the first instance may be referred to as the first sandbox, and the sandbox used to run the second instance as the second sandbox. The application data generated while the third device runs the first instance may be referred to as the first application data, and that generated while running the second instance as the second application data.
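The instance lookup of S102-S104 and the sandbox lookup of S201-S204 key on the same parts of the caller information, so the following added example models both in one registry. It is illustrative code written for this page, not an implementation from the application; the class and function names, the PID range and the sample callers are constructed, while the four granularities and the UID range 30001-50000 for function-component instances are taken from the text.

```python
from itertools import count
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four ways S102 may define a callee's "specific instance"; S201 keys the
# sandbox the same way, so one key function serves both lookups.
BY_CALLER = "caller"                          # kind 1: one instance per caller APP
BY_DEVICE_AND_CALLER = "device+caller"        # kind 2: per (subject device, caller)
BY_DEVELOPER = "developer"                    # kind 3: per developer signature
BY_DEVICE_AND_DEVELOPER = "device+developer"  # kind 4: per (subject device, developer)

# UID range quoted on the page for function-component instances.
COMPONENT_UID_FIRST, COMPONENT_UID_LAST = 30001, 50000


@dataclass(frozen=True)
class CallerInfo:
    """Caller information carried in the S101 access request."""
    app_id: str
    device_id: str
    developer_sig: str


@dataclass
class Instance:
    """Instance information stored in the call relationship (S103)."""
    callee_app_id: str
    uid: int
    pid: int
    sandbox_id: int  # the specific sandbox created in S202


class CalleeRegistry:
    """Hypothetical call-relationship library of the object device for one callee."""

    def __init__(self, callee_app_id: str, granularity: str = BY_CALLER):
        self.callee_app_id = callee_app_id
        self.granularity = granularity
        self._uids = count(COMPONENT_UID_FIRST)
        self._pids = count(1000)       # constructed PID range
        self._sandboxes = count(1)
        self.relations: Dict[Tuple[str, ...], Instance] = {}
        self.sandbox_data: Dict[int, List[str]] = {}

    def key_for(self, caller: CallerInfo) -> Tuple[str, ...]:
        """Which parts of the caller information decide instance (and sandbox) identity."""
        if self.granularity == BY_CALLER:
            return (caller.app_id,)
        if self.granularity == BY_DEVICE_AND_CALLER:
            return (caller.device_id, caller.app_id)
        if self.granularity == BY_DEVELOPER:
            return (caller.developer_sig,)
        if self.granularity == BY_DEVICE_AND_DEVELOPER:
            return (caller.device_id, caller.developer_sig)
        raise ValueError("unknown granularity: " + self.granularity)

    def get_or_create(self, caller: CallerInfo) -> Instance:
        """S102/S103 and S201/S202: reuse the specific instance and sandbox or create them."""
        key = self.key_for(caller)
        inst = self.relations.get(key)
        if inst is None:
            uid = next(self._uids)
            if uid > COMPONENT_UID_LAST:
                raise RuntimeError("component UID range exhausted")
            inst = Instance(self.callee_app_id, uid, next(self._pids), next(self._sandboxes))
            self.relations[key] = inst
            self.sandbox_data[inst.sandbox_id] = []
        return inst

    def store_app_data(self, caller: CallerInfo, data: str) -> int:
        """S203/S204: data produced while serving this caller lands in its own sandbox."""
        inst = self.get_or_create(caller)
        self.sandbox_data[inst.sandbox_id].append(data)
        return inst.sandbox_id

    def read_app_data(self, caller: CallerInfo, sandbox_id: int) -> List[str]:
        """Only the caller whose instance runs in the sandbox may read it (S204)."""
        inst = self.relations.get(self.key_for(caller))
        if inst is None or inst.sandbox_id != sandbox_id:
            raise PermissionError("sandbox %d is not %s's sandbox" % (sandbox_id, caller.app_id))
        return list(self.sandbox_data[sandbox_id])
```

With the default granularity two callers from the same developer get separate instances and sandboxes; with `BY_DEVELOPER` they share one, which is the trade-off between the first and third kinds described above.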
An FA is developed with the MVVM (model-view-view-model) pattern, which abstracts the state and behaviour of the view and separates the view UI from the business logic. That is, the FA's UI code and logic code are separated: the device where the FA resides holds only the logic code, while the UI code is integrated into the caller's own code. At run time the UI code communicates with the FA's logic code to obtain data for UI display.
For example, a distributed system may include a phone and a smartwatch. A food-delivery APP may be installed on the smartwatch; when the watch runs it, it can show a positioning page on which the user sees the courier's location, and the positioning data the watch needs for that page may be obtained by the phone running logic code. That is, the food-delivery APP on the watch, as the caller, integrates the UI code of the FA implementing the positioning function, while the logic code is deployed on the phone.
The ways FAs are commonly run today bring the subject device a potential risk of privilege expansion and data leakage. For example, the FA's UI code may use the caller's own permissions to obtain sensitive data and pass it to the FA's logic code, leaking data. As another example, the FA's logic code may send important business data to the UI code, where the caller may obtain it maliciously, again leaking data.
To avoid the data leakage caused by the FA's MVVM pattern, several approaches are commonly used:
(1) Insert a monitor into the caller to control the permissions available to the FA's UI code.
Refer to (1) of Fig. 5A, which shows the scenario of approach (1). This approach controls the permissions of the FA's UI code at the application layer and is insufficiently secure. Moreover, because the FA's UI code still runs in the same instance as the caller, the risk of data leakage cannot be avoided.
(2) Insert a monitor at the framework layer to control the permissions available to the FA's UI code.
Refer to (2) of Fig. 5A, which shows the scenario of approach (2). Although the framework layer is more secure, it cannot distinguish the integrated code well, and the risk of data leakage still cannot be avoided.
(3) At run time, split the caller's code and the FA's UI code into two completely isolated applications.
Refer to (3) of Fig. 5A, which shows the scenario of approach (3). After splitting into two independent applications, to present the interface when the caller calls the FA, the interface implemented by the FA's UI code must be overlaid onto the caller, and the overlay works poorly for irregular interfaces. Furthermore, each FA's UI code spawns a separate new application, which costs too much system performance to be deployed in practice.
In all three approaches, the FA's UI code and the caller's code belong to the same security domain, so once the traditional discretionary access control (DAC) policy fails, there is still a risk of data leakage between caller and FA.
To avoid the data leakage risk between caller and FA shown in Fig. 5A, in some embodiments, when performing the method of Fig. 3C, if the caller calls an FA, the subject device creates one instance each for the caller and for the FA's UI code, keeps the user identity (UID) of the two instances unchanged, but places them in different security domains. Because both instances share a UID, the caller and the FA's UI code can be isolated on the basis of distinct instances without adding a new application or incurring excessive performance loss, and the isolation between security domains guarantees that neither can maliciously obtain the other's data, avoiding leakage.
A security domain resides in the kernel layer; it is a set of logical regions in the same working environment that have the same or similar security protection requirements and policies and that trust, relate to or interact with one another. A security domain can be viewed as a kernel-level sandbox providing kernel-level isolation; neither users nor applications can change a security domain's access policy. Access control between security domains is implemented with a mandatory access control (MAC) policy, which defines which subject may access which object and can only be enforced by the device's system; no user or application can change it. Different security domains therefore achieve kernel-level isolation and provide a system-level security regime.
Referring to Fig. 5B, in the access control method of Fig. 3C, electronic device 100 may additionally perform the flow of Fig. 5B before S101. In the flow of Fig. 5B, callee 1 is an FA.
As shown in Fig. 5B, the flow may include the following steps:
S301: Electronic device 100 creates an instance of caller 1 and a UI instance of callee 1.
Specifically, electronic device 100 runs the code of caller 1 to create an instance of caller 1. At the same time, it may also run the UI code of callee 1 integrated in caller 1 to create a UI instance of callee 1.
In some embodiments, electronic device 100 may assign the same UID to the instance of caller 1 and the UI instance of callee 1, and different PIDs to the two instances.
Electronic device 100 runs the instance of caller 1 within a first permission scope and the UI instance of callee 1 within a second permission scope, which differs from the first. In the method of Fig. 5B, the UI instance of callee 1 may be referred to as the first part of the callee, and the business logic code of the callee on the third device as the second part of the callee. The instance of caller 1 may be referred to as the third instance and the UI instance of callee 1 as the fourth instance.
Because electronic device 100 runs the instance of caller 1 and the UI instance of callee 1 in different permission scopes, the UI instance of callee 1 is prevented from obtaining data outside its permission scope, avoiding privilege expansion and guaranteeing data security.
S302: Electronic device 100 assigns a first security-domain identity to the instance of caller 1 and a second security-domain identity to the UI instance of callee 1.
Specifically, electronic device 100 allocates or creates multiple security domains at the kernel layer, each corresponding to a security-domain identity (identifier). For example, the first security domain corresponds to the first security-domain identity and the second security domain to the second.
Different security domains are isolated from one another. Each security domain defines which types of operation users may perform on which data or processes. For example, every newly created process is assigned a security-domain identity; when the process accesses a particular file or directory or communicates with another process, the access control rules defined in the security policy file determine whether a process of that domain may perform the operation. The rules for different security domains may differ. Processes of different security domains cannot access each other.
In some embodiments, electronic device 100 may assign different security-domain identifiers to the instance of caller 1 and the UI instance of callee 1 only after confirming that their developers differ, and assign the same identifier when the developer is the same. This ensures that data does not leak between callers and callees of different developers while, when the developer is the same, reducing the resources consumed by allocating security-domain identifiers.
S303: Electronic device 100 runs the instance of caller 1 in the first security domain according to the first security-domain identity, and the UI instance of callee 1 in the second security domain according to the second security-domain identity.
With the method of Fig. 5B, because the two instances run in different security domains and cannot communicate with each other, when caller 1 calls callee 1 on electronic device 300 the situations in which the FA's UI code uses the caller's permissions to obtain sensitive data and passes it to the FA's logic code, or the FA's logic code sends important business data to the FA's UI code where the caller obtains it maliciously, do not arise, and data leakage is avoided.
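The point of S301-S303 is that DAC alone (same UID) would let the caller and the FA UI instance reach each other, and only the MAC layer between security domains blocks that. The following added example, written for this page and not taken from the application, simulates that decision: the policy set, the domain names, the PIDs and the sample processes are constructed; the rule that a separate domain is created only when the developers differ follows the text.

```python
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Proc:
    name: str
    uid: int
    pid: int
    domain: str  # security-domain identity assigned in S302


# Constructed MAC rules: (source domain, target domain, operation). Anything not
# listed is denied; a MAC policy is default-deny and cannot be altered by applications.
MAC_POLICY: Set[Tuple[str, str, str]] = {
    ("fa_ui", "fa_logic", "ipc"),     # FA UI instance may talk to the FA's logic part
    ("fa_logic", "fa_ui", "ipc"),
    ("caller", "caller", "ipc"),
    ("caller", "caller", "file_read"),
    ("fa_ui", "fa_ui", "file_read"),
}


def dac_allows(src: Proc, dst: Proc) -> bool:
    """Traditional DAC: processes sharing a UID may access each other's objects."""
    return src.uid == dst.uid


def mac_allows(src: Proc, dst: Proc, op: str) -> bool:
    return (src.domain, dst.domain, op) in MAC_POLICY


def access_allowed(src: Proc, dst: Proc, op: str) -> bool:
    """Kernel decision: DAC and MAC must both permit the operation."""
    return dac_allows(src, dst) and mac_allows(src, dst, op)


def create_caller_and_ui(caller_app: str, fa_app: str, uid: int,
                         caller_dev_sig: str, fa_dev_sig: str) -> Tuple[Proc, Proc]:
    """S301-S302: same UID, different PIDs; a separate domain only when the developers differ."""
    caller = Proc(caller_app, uid, 4001, "caller")          # constructed PIDs
    ui_domain = "caller" if caller_dev_sig == fa_dev_sig else "fa_ui"
    ui = Proc(fa_app + ".ui", uid, 4002, ui_domain)
    return caller, ui
```

Note that `dac_allows` returns True for the caller and the UI instance, exactly the situation of approaches (1)-(3) above; the deny comes only from `mac_allows`, which is the kernel-level isolation the embodiment relies on.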
Usually, when a caller calls a callee, the user may grant authorization to the caller, the caller then passes the permission to the callee, and the callee accesses device resources under that permission and provides the service. When the caller's state (foreground, background, stopped, and so on) changes, the caller's effective permission scope actually changes too. If the callee's running state does not change with the caller's, the callee's permission scope may differ from the caller's actual permission scope, leading to data misuse and leakage.
Referring to (2) of Fig. 3A, in the stand-alone scenario the callee serves every caller as an independent instance. This approach does not distinguish between callers, cannot change the callee's running state in step with the caller's state (foreground/background and so on), and cannot recover the callee when a call to it fails.
To avoid expansion of the caller's permission scope in stand-alone and distributed scenarios, in some embodiments, when performing the access control method of Fig. 3C, after the same callee starts multiple instances to serve different callers, the relationship in which a caller calls a callee may be called a call task, and the call task forms a task domain. Within the task domain, the running state of the callee instance can change with the running state of the caller. The task domain can also be used to recover the callee.
Referring to Fig. 6, in the access control method of Fig. 3C, the flow of Fig. 6 may additionally be performed after S101. As shown in Fig. 6, the flow may include the following steps:
S401: Electronic device 100 stores the task domain information of caller 1.
After S101-S103 of Fig. 3C are performed, the caller on electronic device 100 and the specific instance of callee 1 running on electronic device 300 form a logical task domain. The matter of caller 1 on electronic device 100 calling callee 1 on electronic device 300 may be called a task.
It can be understood that one caller may have multiple task domains.
The task domain information of a caller stored by electronic device 100 may include: a task domain ID, the call relationship ID, the caller's APP ID, the callee's APP ID, the task status, and so on.
The task domain ID and the call relationship ID may be allocated by electronic device 100.
The task status may include normal, abnormal, and so on. An abnormal task status may be subdivided further, for example the object device being powered off or the callee failing to start.
S402: Electronic device 100 monitors the running state of caller 1 and, using the device ID of the object device in caller 1's task domain information, passes the running state of caller 1 to electronic device 300.
The running state of a caller (for example caller 1) may include foreground, background, stopped, and so on.
In some embodiments, electronic device 100 may monitor the running state of caller 1 continuously or periodically.
In some embodiments, electronic device 100 may send the monitored running state of caller 1 to electronic device 300 periodically, or send it when it detects that the running state of caller 1 has changed.
S403: Electronic device 300 changes the running state of callee 1 in step with the running state of caller 1.
Specifically, electronic device 300 may change the running state of callee 1 to match that of caller 1. For example, when caller 1 on electronic device 100 runs in the foreground, callee 1 on electronic device 300 also runs in the foreground; when caller 1 runs in the background, callee 1 also runs in the background; when caller 1 stops, callee 1 also stops.
When the running state of callee 1 changes, its permissions change accordingly. Keeping the running states of the called callee and the caller consistent prevents expansion of the callee's permission scope and avoids data misuse and leakage.
S404: Electronic device 100 monitors the task status in the task domain of caller 1.
The task status in caller 1's task domain may be normal or abnormal. An abnormal status means the task cannot execute normally and may be caused by any of: electronic device 300 being powered off or faulty, or the specific instance of callee 1 created by electronic device 300 for caller 1 on electronic device 100 exiting abnormally or failing to start.
S405: When the task status in caller 1's task domain becomes abnormal, electronic device 100 recovers the task according to caller 1's task domain information.
The method by which electronic device 100 recovers the task in caller 1's task domain may be any of the following:
1. Electronic device 100 instructs the original object device of the task domain (electronic device 300) to create again the specific instance of callee 1 from S103 of Fig. 3C, and passes the identifiers of that specific instance (including UID and/or PID) to electronic device 300. Electronic device 300 can re-create the specific instance of callee 1 and assign it those identifiers. In this way the task in caller 1's task domain is fully restored, indistinguishable from before, without affecting resource calls in the task domain.
2. Electronic device 100 instructs a suitable electronic device in the distributed system 10 to create the specific instance of callee 1 from S103 of Fig. 3C, and passes the identifiers of that specific instance (including UID and/or PID) to that device, which creates the specific instance of callee 1 and assigns it those identifiers. In this way, from the perspective of electronic device 100, the task in caller 1's task domain is recovered across devices; although the device hosting the called callee 1 has changed, resource calls in the task domain are unaffected.
Here, a suitable electronic device may be one that electronic device 100 selects from the distributed system according to a selection policy and that has callee 1 installed or is able to install it. The embodiments of this application do not limit the selection policy; it may, for example, select the device with the most available resources, or the device closest to electronic device 100.
It can be understood that in the embodiments of this application either S402-S403 or S404-S405 may be implemented alone; when both are implemented, this application does not limit their order.
In the method of Fig. 6, the running state of caller 1 before the change may be referred to as the first running state, and the running state after the change as the second running state.
The electronic device involved in re-creating the specific instance of callee 1 when electronic device 100 recovers the task in S405 may be referred to as the fourth device. Specifically, the first device may send a fifth access request to the fourth device so that the fourth device creates the specific instance of callee 1 and accesses a third resource on the fourth device; this specific instance may be referred to as the fifth instance of the callee.
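The task-domain flow of S401-S405 is easier to follow as a small simulation of the subject device's bookkeeping. The following added example is written for this page and is not the application's own code: the classes, the "most free resources" selection policy used when the original device is offline, the UID/PID ranges and the sample devices are constructed; the task-domain fields, the state synchronisation and the two recovery variants follow the text.

```python
from dataclasses import dataclass
from typing import Dict, Optional

FOREGROUND, BACKGROUND, STOPPED = "foreground", "background", "stopped"
NORMAL, ABNORMAL = "normal", "abnormal"


@dataclass
class CalleeInstance:
    device_id: str
    uid: int
    pid: int
    state: str = FOREGROUND
    alive: bool = True


@dataclass
class TaskDomain:
    """Task domain information stored by the subject device (S401)."""
    task_id: int
    relation_id: int
    caller_app_id: str
    callee_app_id: str
    instance: CalleeInstance
    status: str = NORMAL


class ObjectDevice:
    """Hypothetical object device that hosts callee instances."""

    def __init__(self, device_id: str, free_resources: int, online: bool = True):
        self.device_id = device_id
        self.free_resources = free_resources
        self.online = online
        self.instances: Dict[int, CalleeInstance] = {}
        self._next_uid, self._next_pid = 30001, 1000   # constructed ranges

    def create_instance(self, uid: Optional[int] = None,
                        pid: Optional[int] = None) -> CalleeInstance:
        # On recovery the subject device passes the old UID/PID so the task is as before.
        if uid is None:
            uid, self._next_uid = self._next_uid, self._next_uid + 1
        if pid is None:
            pid, self._next_pid = self._next_pid, self._next_pid + 1
        inst = CalleeInstance(self.device_id, uid, pid)
        self.instances[pid] = inst
        return inst

    def sync_state(self, pid: int, state: str) -> None:
        """S403: the callee instance follows the caller's running state."""
        self.instances[pid].state = state

    def crash(self, pid: int) -> None:
        """Simulated abnormal exit of an instance."""
        self.instances[pid].alive = False


class SubjectDevice:
    def __init__(self, devices: Dict[str, ObjectDevice]):
        self.devices = devices
        self.tasks: Dict[int, TaskDomain] = {}
        self._next_id = 1

    def start_task(self, caller_app: str, callee_app: str, target: str) -> TaskDomain:
        inst = self.devices[target].create_instance()
        task = TaskDomain(self._next_id, self._next_id, caller_app, callee_app, inst)
        self._next_id += 1
        self.tasks[task.task_id] = task
        return task

    def on_caller_state(self, task_id: int, state: str) -> str:
        """S402: forward the caller's new state to the object device of the task."""
        task = self.tasks[task_id]
        self.devices[task.instance.device_id].sync_state(task.instance.pid, state)
        return task.instance.state

    def check_task(self, task_id: int) -> str:
        """S404: object device off or instance dead means the task is abnormal."""
        task = self.tasks[task_id]
        dev = self.devices[task.instance.device_id]
        task.status = NORMAL if dev.online and task.instance.alive else ABNORMAL
        return task.status

    def recover(self, task_id: int) -> TaskDomain:
        """S405: re-create on the original device, else on the online device with most free resources."""
        task = self.tasks[task_id]
        old = task.instance
        original = self.devices[old.device_id]
        if original.online:
            target = original
        else:
            candidates = [d for d in self.devices.values() if d.online]
            target = max(candidates, key=lambda d: d.free_resources)
        task.instance = target.create_instance(uid=old.uid, pid=old.pid)
        task.status = NORMAL
        return task
```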
When a caller calls a callee, the permissions held by the callee should be kept consistent with those held by the caller. For example, if the caller does not have camera permission, the callee must not have camera permission either. The object device therefore needs to maintain or obtain the permission information granted to the caller on the subject device and, on receiving an access request from the caller, check the caller's permissions, responding to the request only after the check passes. This keeps the permissions of callee and caller consistent and protects user privacy and data security.
Currently there are several schemes by which a callee obtains permissions:
(1) In a distributed system, the callee applies to the user for permissions separately. However, some callees, such as PAs, have no UI and cannot apply to the user independently.
(2) In a distributed system, the caller APP passes its own permissions to the callee. However, if the callee serves different caller APPs as a single instance in the manner of (2) of Fig. 3A, that single instance can obtain the permissions of different caller APPs, which is a privilege expansion problem.
(3) In a stand-alone system, permissions during calls are managed by an independent permission management service: when serving a caller, the callee confirms with the permission management service whether it holds the corresponding permission. This requires the service to synchronize the authorization status and access policies of each device, incurring additional time overhead.
(4) In a cloud service platform, a caller passes its own permissions to the callee when accessing resources. However, this scheme likewise has the privilege expansion problem when the same callee serves different callers, and such permission passing cannot precisely revoke the passed permission or accurately guarantee the permission's lifecycle.
To av avoid these problems in stand-alone and distributed scenarios, in some embodiments, when performing the access control method of Fig. 3C, the same callee starts multiple instances to serve different callers through different instances. The caller can then pass its own permission to the corresponding callee instance, which can use that permission only to serve that caller and not to serve other callers. This keeps the callee's permissions consistent with the caller's, eliminates the privilege expansion risk of a single instance, guarantees data security, and, because the permission is passed directly, avoids the time overhead.
Referring to Fig. 7, in the access control method of Fig. 3C, the flow of Fig. 7 may additionally be performed before S104. As shown in Fig. 7, the flow may include the following steps:
S501: Electronic device 300 checks whether it holds the permissions required by the access request received in S101.
For example, when the access request sent by electronic device 100 is for implementing a video call on the electronic device 300 side, electronic device 300 must first obtain permission to access the camera and audio devices.
Specifically, before performing S104 of Fig. 3C, electronic device 300 may first confirm whether it holds the permission corresponding to the access request; if it does not, the subsequent steps may be performed.
S502: Electronic device 300, according to the call relationship, applies to caller 1 on electronic device 100 for the permissions required by the access request.
S503: Electronic device 100 applies to the user for the permissions required by the access request.
The embodiments of this application do not limit how electronic device 100 applies to the user for permissions; it may, for example, apply through a UI or by voice. When granting a permission the user may set its lifecycle, that is, its validity period, which may include temporary validity and permanent validity. Temporary validity means that caller 1 on electronic device 100 is permitted to access the resource of the access request only during a temporary period (for example the current call). Permanent validity means that caller 1 on electronic device 100 is permitted to access the resource of the access request throughout its run time. Here, the lifecycle the user grants to the permission may be a first time period, that is, the first caller is permitted to access the first resource within the first time period.
S504: Electronic device 100 passes the permission obtained for the access request to the specific instance of callee 1 on electronic device 300.
In some embodiments, electronic device 100 may create a routing proxy. The routing proxy represents the path from caller 1 on electronic device 100 to callee 1 on electronic device 300, and electronic device 100 may use it to pass the permission obtained by caller 1 to callee 1 on electronic device 300.
After receiving the permission passed by electronic device 100, electronic device 300 learns that the specific instance of callee 1 holds the permission when serving caller 1 on electronic device 100, but does not hold it when serving other callers.
Therefore, in some embodiments, when performing S104 electronic device 300 may first confirm that the specific instance of callee 1 holds the permission required by the access request, and only then run the specific instance of callee 1 and access the first resource in response to the access request received in S101.
In other embodiments, electronic device 100 may perform S503 before sending the access request of S101 in Fig. 3C, and carry the obtained permission information in the access request sent to electronic device 300.
Through these steps, electronic device 300 can complete the permission check independently and electronic device 100 can complete the permission application independently, without applying to a third-party device or module for a permission check and thus without needing a third-party device to synchronize both sides' permission information; this reduces the latency of the call and improves the data security of the devices.
In other embodiments, electronic devices 100 and 300 may also rely on a third-party permission management service to manage permissions during calls. Specifically, the permission management service first synchronizes the permission information of electronic devices 100 and 300, after which both the permission application by electronic device 100 and the permission check by electronic device 300 are carried out through the permission management service.
In some embodiments, the method of Fig. 7 may further include the following step:
S505: Electronic device 100 revokes the permission passed in S504 to the specific instance of callee 1 on electronic device 300.
In some embodiments, electronic device 100 may revoke the permission immediately after its lifecycle ends.
In some embodiments, electronic device 100 may revoke, through the routing proxy it created, the permission that caller 1 on electronic device 100 passed to callee 1 on electronic device 300.
Specifically, electronic device 100 may send a message to electronic device 300 notifying it to revoke the permission, so that electronic device 300 no longer holds it.
This ensures that the specific instance of callee 1 uses the permission passed from caller 1 appropriately and prevents privilege expansion.
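The following added example models the grant of S501-S505 on the callee side: a permission is bound to one (subject device, caller) pair, carries the lifecycle chosen in S503, and can be revoked. It is written for this page, not taken from the application; the 60-second temporary window, the decision table standing in for the user prompt, and the class and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

CallerKey = Tuple[str, str]  # (subject device ID, caller APP ID)


@dataclass(frozen=True)
class Grant:
    """A permission passed from a caller to one callee instance (S504)."""
    caller: CallerKey
    resource: str                # e.g. "camera"
    expires_at: Optional[float]  # None = valid for the caller's whole run; else temporary


class CalleeInstance:
    """Hypothetical specific instance of callee 1 on the object device."""

    def __init__(self, pid: int):
        self.pid = pid
        self.grants: Dict[CallerKey, Set[Grant]] = {}

    def receive(self, grant: Grant) -> None:
        self.grants.setdefault(grant.caller, set()).add(grant)

    def has_permission(self, caller: CallerKey, resource: str, now: float) -> bool:
        """S501 / S104 check: valid only for the caller that delegated it and within its lifecycle."""
        for g in self.grants.get(caller, ()):
            if g.resource == resource and (g.expires_at is None or now < g.expires_at):
                return True
        return False

    def revoke(self, caller: CallerKey, resource: str) -> int:
        """S505: drop the grant so the instance no longer holds it; returns how many were removed."""
        before = self.grants.get(caller, set())
        after = {g for g in before if g.resource != resource}
        self.grants[caller] = after
        return len(before) - len(after)


def ask_user(resource: str, decisions: Dict[str, str]) -> Optional[str]:
    """Stand-in for the S503 prompt: 'temporary', 'permanent' or None (denied)."""
    return decisions.get(resource)


def delegate(instance: CalleeInstance, caller: CallerKey, resource: str, now: float,
             decisions: Dict[str, str], temp_seconds: float = 60.0) -> Optional[Grant]:
    """S502-S504 on the subject device: obtain the user's decision and pass the grant on."""
    decision = ask_user(resource, decisions)
    if decision is None:
        return None
    expires = now + temp_seconds if decision == "temporary" else None
    grant = Grant(caller, resource, expires)
    instance.receive(grant)
    return grant
```

Because `has_permission` is keyed by caller, a grant delegated by one caller never widens what the same instance may do for another caller, which is the single-instance privilege expansion that schemes (2) and (4) above suffer from.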
To let the callee obtain the caller's permission information, one possible scheme is that after each device in the distributed system establishes a connection, it synchronizes the permission information of all of its local APPs to the peer device, and when a local APP's permissions change dynamically (for example the user revoking or granting a permission), the local device synchronizes or updates the permission information across devices one by one according to the list of connected devices it maintains. This whole-set synchronization moves a large amount of data and operates frequently, consuming a great deal of memory and performance.
To lighten the burden of permission synchronization, in some embodiments, when performing the access control method of Fig. 3C and electronic device 100 sends an access request to electronic device 300, electronic device 300 may actively obtain the caller's permission information from electronic device 100, while electronic device 100 records that electronic device 300 obtained the caller's permission information. When the caller's permissions change dynamically, the updated permission information is synchronized to the recorded electronic device 300. Synchronizing permission information on demand in this way only synchronizes the permission information involved in the call request, reducing the data synchronized and the memory and performance consumed.
Referring to Fig. 8A, in the access control method of Fig. 3C, the flow of Fig. 8A may additionally be performed after S101. As shown in Fig. 8A, the flow may include the following steps:
S601: Electronic device 300 looks up whether it has stored the permission information of caller 1 required by the access request sent in S101.
If not, S602-S603 are performed.
S602: Electronic device 300 obtains the permission information of caller 1 from electronic device 100 and records the permission information of caller 1 on electronic device 100.
Specifically, electronic device 300 may first send a permission request to electronic device 100, and electronic device 100, in response to that request, sends the permission information of caller 1 on electronic device 100 to electronic device 300.
The permission information of caller 1 on electronic device 100 records the device resources it may access; the permissions may be set by the user while operating electronic device 100 or set by default by caller 1.
Not limited to the operations of S602-S603, in other embodiments electronic device 100 may also send the permission information of caller 1 on electronic device 100 directly to electronic device 300 after sending the access request to it.
S603: Electronic device 100 records that electronic device 300 has obtained the permission information of caller 1.
Specifically, electronic device 100 may store the identifier of electronic device 300 in association with the identifier of caller 1 to indicate that electronic device 300 obtained the permission information of caller 1.
The record made by electronic device 100 in S603 of electronic device 300 obtaining the permission information of caller 1 may be referred to as the first information.
It can be understood that after obtaining the permission information of caller 1 from electronic device 100, electronic device 300 may, when performing S104 of Fig. 3C, decide according to that permission information whether to respond to the access request sent by electronic device 100 in S101.
If the device resource that the access request sent by electronic device 100 in S101 seeks to access is not within the permission information of caller 1 on electronic device 100, electronic device 300 may refuse to respond to the access request. This ensures that when serving the caller the callee holds the same permissions as the caller, avoiding the data security problems of privilege expansion and protecting user privacy and data security.
S604: The permission information of caller 1 on electronic device 100 changes.
The permission information of caller 1 on electronic device 100 may change in many ways, for example the user changing the permission information of caller 1 on electronic device 100, a change caused by a change in the state of caller 1 on electronic device 100, or a change caused by a change of time period; no limitation is imposed here.
S605: Electronic device 100 sends the changed permission information of caller 1 on electronic device 100 to the electronic device 300 recorded in S603.
Specifically, when the permission information of caller 1 on electronic device 100 changes, electronic device 100 may push the changed permission information of caller 1 to the devices that previously obtained the permission information of caller 1, maintaining permission consistency.
S606: Electronic device 300 updates the permission information of caller 1 on electronic device 100.
In some embodiments, the permission synchronization method of Fig. 8A may be applied to callers of any type. That is, whether the caller is a system application or a third-party application, the distributed system may perform the method of Fig. 8A. A system application is an application provided or developed by the manufacturer of the electronic device; a third-party application is one provided or developed by a party other than the manufacturer of the electronic device. The manufacturer of an electronic device may include its maker, supplier, provider or operator. The maker is the producer that manufactures the electronic device from self-made or purchased parts and materials. The supplier provides the whole device, its materials or its parts. The operator is responsible for distributing the electronic device.
In some embodiments, the permission synchronization method of Fig. 8A may be used only for third-party applications, while system applications use whole-set synchronization. That is, in some embodiments, before performing the method of Fig. 8A the distributed system first confirms that caller 1 on electronic device 100 is a third-party application.
Referring to Fig. 8B, to lighten the burden of permission synchronization, in some embodiments the flow of Fig. 8B may additionally be performed before S101. In the flow of Fig. 8B, caller 1 on electronic device 100 is a system application. As shown in Fig. 8B, the flow may include the following steps:
S701: Electronic device 100 and electronic device 300 in the distributed system establish a connection.
For the way electronic devices 100 and 300 establish the connection, refer to the description of the distributed system in Fig. 1.
S702: Electronic device 300 looks up whether it has stored the permission information of each system application on electronic device 100.
Specifically, after electronic devices 300 and 100 establish the connection, they may synchronize information about the applications installed on the peer device, learning which conventional applications and function components the peer device has installed.
If the result of S702 is yes, S705 is performed; if no, S703-S704 are performed.
S703: Electronic device 100 sends the permission information of each installed system application to electronic device 300.
S704: Electronic device 300 records the obtained permission information of each system application on electronic device 100.
S705: Electronic device 100 records that electronic device 300 has obtained the permission information of each system application.
S706-S708: refer to S604-S606.
During the processes of Fig. 8A or Fig. 8B, electronic devices 100 and 300 may call each other; for details refer to the description of Fig. 3C.
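The contrast between on-demand synchronization (Fig. 8A) and whole-set synchronization for system applications (Fig. 8B) comes down to when the object device receives a caller's permission set and whom the subject device pushes updates to. The following added example, written for this page and not part of the application, keeps both paths in one pair of classes; the class names, the `fetches` counter used to show that each caller's permissions cross the link once, and the sample applications are constructed.

```python
from typing import Dict, Set, Tuple


class SubjectDevice:
    """Hypothetical subject device: owns the callers' permission information."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.permissions: Dict[str, Set[str]] = {}   # caller APP ID -> permitted resources
        self.system_apps: Set[str] = set()
        # "first information" (S603 / S705): which object devices hold which app's permissions
        self.sync_list: Dict[str, Set[str]] = {}
        self.peers: Dict[str, "ObjectDevice"] = {}
        self.fetches = 0

    def install(self, app: str, perms: Set[str], system: bool = False) -> None:
        self.permissions[app] = set(perms)
        if system:
            self.system_apps.add(app)

    def permission_request(self, requester: "ObjectDevice", app: str) -> Set[str]:
        """S602 / S603: answer a fetch and remember who fetched."""
        self.fetches += 1
        self.sync_list.setdefault(app, set()).add(requester.device_id)
        self.peers[requester.device_id] = requester
        return set(self.permissions[app])

    def connect(self, peer: "ObjectDevice") -> None:
        """S701-S705 (Fig. 8B): system apps are synced whole-set at connection time."""
        self.peers[peer.device_id] = peer
        for app in self.system_apps:
            peer.cache[(self.device_id, app)] = set(self.permissions[app])
            self.sync_list.setdefault(app, set()).add(peer.device_id)

    def change_permission(self, app: str, perms: Set[str]) -> int:
        """S604 / S605: push the new set only to devices recorded in the sync list."""
        self.permissions[app] = set(perms)
        targets = self.sync_list.get(app, set())
        for dev_id in targets:
            self.peers[dev_id].cache[(self.device_id, app)] = set(perms)   # S606
        return len(targets)


class ObjectDevice:
    def __init__(self, device_id: str):
        self.device_id = device_id
        self.cache: Dict[Tuple[str, str], Set[str]] = {}  # (subject device, caller) -> resources

    def handle_access_request(self, subject: SubjectDevice, app: str, resource: str) -> bool:
        """S601-S602 then the S104 decision: fetch on first use, decide from the cached set."""
        key = (subject.device_id, app)
        if key not in self.cache:
            self.cache[key] = subject.permission_request(self, app)
        return resource in self.cache[key]
```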
When a caller calls a callee, the callee must explicitly obtain the user's authorization in order to keep sensitive data secure. In a distributed system, when the subject device accesses a resource of the object device, it is usually the object device that obtains authorization from the user. However, when the object device lacks the conditions for authorization, for example it has no display on which to show an authorization pop-up, or its screen is locked and the user is not nearby, the object device cannot obtain authorization from the user. Moreover, if the object device is performing another task, for example the user is playing a game, requesting authorization at that moment (for example with a pop-up) severely degrades the user experience on both the subject and object sides.
To avoid these problems in the distributed scenario, in some embodiments, when performing the access control method of Fig. 3C and the subject device sends an access request to the object device, if the object device does not hold the permission for that access request, an authorizing device is flexibly selected in the distributed system according to device attributes, and the authorizing device obtains from the user the permission for the access request the subject device sent to the object device. This allows the authorizing device to be chosen flexibly and completes authorization without disturbing the user.
Referring to Fig. 9, in the access control method of Fig. 3C, the flow of Fig. 9 may additionally be performed after S101. As shown in Fig. 9, the flow may include the following steps:
S801: Electronic device 300 checks whether it holds the permissions required by the access request, which include the permission for the first caller to access the first resource.
S802: If it does not, then when electronic device 300 lacks the conditions for authorization, its distance from the user exceeds a first value, or authorization is currently inappropriate, it selects an authorizing device in the distributed system according to the device attributes of each device.
The devices in the distributed system may include the other devices that have established a connection with electronic device 300.
Device attributes may include, but are not limited to, one or more of the following:
(1) Whether the device has the conditions for authorization. The ways a device may request authorization from the user include pop-up authorization, fingerprint authorization, voice authorization and face-recognition authorization, each requiring corresponding conditions. For example, pop-up authorization requires a display, fingerprint authorization requires a fingerprint sensor, voice authorization requires a microphone, and face-recognition authorization requires a camera.
(2) The supported authorization methods; refer to item (1).
(3) The device's current running state, for example whether its screen is locked, whether it is running a game, whether it is playing video.
(4) The distance between the device and the user.
In the embodiments of this application, electronic device 300 may obtain the attributes of each device periodically, when it needs to obtain a permission, or when joining the distributed system. In other embodiments, when another device's attributes change, that device may proactively send the updated attributes to electronic device 300.
Electronic device 300 may select the authorizing device according to device attributes by many policies, which are not limited here. For example, it may select a device that has the conditions for authorization, is closest to the user, and whose display is not occupied.
In some embodiments, electronic device 300 may also select the authorization method at the same time; the policy by which electronic device 300 selects the authorization method is not limited here.
S803: Electronic device 300 notifies the authorizing device to perform the authorization operation.
In some embodiments, electronic device 300 may also notify the authorizing device of the determined authorization method.
S804: The authorizing device requests from the user the permissions required for caller 1 to send the access request.
In some embodiments, the authorizing device may use the authorization method notified by electronic device 300. In other embodiments, if electronic device 300 did not notify an authorization method, the authorizing device may select one according to its own policy.
S805: After authorization is granted, the authorizing device sends the user's authorization result to electronic device 300.
After learning the user's authorization result, if the user granted authorization, electronic device 300 may perform S102-S104 of Fig. 3C.
In the method of Fig. 9, the authorizing device may be referred to as the fifth device.
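The selection in S802 is a filter over the four attributes followed by a ranking. The following added example, written for this page rather than taken from the application, uses the example policy the text gives (able to authorize, nearest to the user, display not occupied); the attribute record, the 5 m distance threshold, the method preference order and the sample devices are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DeviceAttrs:
    device_id: str
    has_screen: bool
    has_fingerprint: bool
    has_mic: bool
    has_camera: bool
    screen_locked: bool
    busy: bool               # running a game, playing video, ...
    distance_to_user: float  # metres, constructed


def supported_methods(d: DeviceAttrs) -> List[str]:
    """Attributes (1)/(2): each authorization method needs its hardware."""
    methods = []
    if d.has_screen:
        methods.append("popup")
    if d.has_fingerprint:
        methods.append("fingerprint")
    if d.has_mic:
        methods.append("voice")
    if d.has_camera:
        methods.append("face")
    return methods


def can_authorize_now(d: DeviceAttrs, max_distance: float) -> bool:
    """Attributes (1), (3), (4): able to ask, not busy or locked, and near the user."""
    return (bool(supported_methods(d)) and not d.busy and not d.screen_locked
            and d.distance_to_user <= max_distance)


def choose_authorizer(self_attrs: DeviceAttrs, others: List[DeviceAttrs],
                      max_distance: float = 5.0) -> Optional[DeviceAttrs]:
    """S801-S802: the object device authorizes itself when it can; else the nearest eligible peer."""
    if can_authorize_now(self_attrs, max_distance):
        return self_attrs
    eligible = [d for d in others if can_authorize_now(d, max_distance)]
    if not eligible:
        return None
    return min(eligible, key=lambda d: d.distance_to_user)


def choose_method(d: DeviceAttrs) -> str:
    """Constructed preference: the first supported method in the order above."""
    return supported_methods(d)[0]
```

When `choose_authorizer` returns None, no device can ask the user without disturbing them, and the object device has to fall back to refusing the request rather than prompting on an unsuitable device.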
In a stand-alone scenario, the object device finds the corresponding resource access policy in an "application identity to access policy" mapping library according to the caller's APP ID and decides by that policy whether to allow the call initiated by the caller.
In a distributed system, each caller can transparently use the capabilities, data and services provided by other devices. From the perspective of the actual operating experience of upper-layer applications, this resource sharing is no different from that on a conventional stand-alone device. However, because a distributed system involves different devices and callers from different devices, and different devices have different security capabilities, a resource access policy that relies on the APP ID alone cannot meet the resource access requirements of a distributed system and may cause data security problems.
For example, speakers and watches have a lower security level; when a caller on a phone calls a function component on a watch, passing private data from the phone to the watch without regard to the watch's low security level creates a data security problem. As another example, if the phone calls the watch to perform a bank payment without regard to the watch's lack of a secure environment, a serious data leak may occur.
To make calls safer in both stand-alone and distributed scenarios, in some embodiments, when performing the access control method of Fig. 3C, electronic device 100 may also send the identity information of caller 1 to electronic device 300.
Besides the APP ID, the caller's identity information may include one or more of: the caller's PID, the caller's UID, the account ID of the subject device, the system identifier (system ID) of the subject device on which the caller resides, and the device ID of the subject device.
For PID, UID, account ID and device ID, refer to the earlier descriptions.
The system ID may be an identifier within the distributed system that the distributed system allocates to an electronic device after the device joins it.
In some embodiments, if electronic device 100 previously sent the identity information of caller 1 to electronic device 300, it need not send the complete identity information of caller 1 again and need only send the dynamically changing part. Specifically, electronic device 100 may process the dynamically changing information in caller 1's identity information into a hash value and, if the hash value changes, send the changed hash value in S901.
When performing S104 of Fig. 3C, electronic device 300 may first determine, from the identity information of caller 1 and the access control policy, whether caller 1 on electronic device 100 is permitted to access the resource corresponding to the request, and only after confirming that it is permitted respond to the access request received in S101 by accessing the first resource.
Specifically, an access control policy may be formulated in advance on electronic device 300 describing the mapping between each resource on electronic device 300 and the identity information of the APPs permitted to access those resources. No specific limitation is placed on the access control policy here.
For example, the access control policy may include: 1. the BLP (Bell-LaPadula) principle, under which a caller may not read the data of a callee whose security level is higher than its own, and may not write the data of a callee whose security level is lower than its own; 2. the Biba principle, under which a caller may not read the data of a callee whose security level is lower than its own, and may not write the data of a callee whose security level is higher than its own.
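The two principles quoted above are mirror images: BLP protects confidentiality (no read up, no write down) and Biba protects integrity (no read down, no write up). The following added example encodes both over integer security levels and, for the preceding paragraph on identity information, shows the hash-of-dynamic-part scheme. It is written for this page, not taken from the application; the level numbers, the split of identity fields into static and dynamic, and the use of SHA-256 over a canonical JSON encoding are constructed assumptions.

```python
import hashlib
import json
from typing import Dict, Optional, Tuple

# Security levels as integers; larger means a higher level (constructed ordering).

def blp_allows(caller_level: int, callee_level: int, op: str) -> bool:
    """Bell-LaPadula: a caller may not read up or write down."""
    if op == "read":
        return caller_level >= callee_level
    if op == "write":
        return caller_level <= callee_level
    raise ValueError("unknown operation: " + op)


def biba_allows(caller_level: int, callee_level: int, op: str) -> bool:
    """Biba: a caller may not read down or write up."""
    if op == "read":
        return caller_level <= callee_level
    if op == "write":
        return caller_level >= callee_level
    raise ValueError("unknown operation: " + op)


# Constructed split of the identity fields listed on the page.
STATIC_FIELDS = ("app_id", "developer_sig")
DYNAMIC_FIELDS = ("pid", "uid", "account_id", "system_id", "device_id")


def dynamic_hash(identity: Dict[str, str]) -> str:
    """Hash of the dynamically changing part of the caller identity."""
    dyn = {k: identity.get(k, "") for k in DYNAMIC_FIELDS}
    return hashlib.sha256(json.dumps(dyn, sort_keys=True).encode()).hexdigest()


def identity_update(identity: Dict[str, str],
                    last_sent_hash: Optional[str]) -> Tuple[Optional[dict], str]:
    """What the subject device sends: the full identity the first time, the changed hash
    when the dynamic part changed, nothing when it is unchanged. Returns (payload, hash)."""
    h = dynamic_hash(identity)
    if last_sent_hash is None:
        return dict(identity), h
    if h != last_sent_hash:
        return {"hash": h}, h
    return None, h
```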
In a distributed system, a device can access all kinds of resources on other devices. Because different devices have different security capabilities and can access different types of data, cross-device resource access carries potential confidentiality and availability risks. For example, a high-security phone handing data to a low-security speaker leads to data leakage.
To avoid the data leakage risk arising from device security levels, in some embodiments, when performing the access control method of Fig. 3C, the subject device may decide whether to send an access request according to the security level of the object device and/or the subject device, and the object device may decide whether to respond to the access request according to the security level of the object device and/or the subject device. Resources can thus be opened selectively according to the security levels of different devices, avoiding the risk of data leakage.
In some embodiments, when performing the method of Fig. 3C, after electronic devices 100 and 300 in the distributed system establish a connection, they may synchronize each other's device security level.
The security level of a device is determined mainly by the basic security capabilities provided by its own software and hardware; the higher these capabilities, the higher the security level. Basic security elements that affect these capabilities include device integrity protection, encryption and data security, security isolation, access permission control, and protection against vulnerability exploitation. For example, device A runs the lightweight LiteOS on a low-end processor that supports neither complex virtual memory isolation nor hardware-based security isolation, while device B runs Android on a high-end processor and supports hardware security isolation and virtual memory isolation; device B's security level is then higher than device A's. As another example, generally the security levels of phone, tablet, smartwatch and large screen decrease in that order.
In some embodiments, when performing S101 of Fig. 3C, electronic device 100 may first decide, according to the security level of the object device and/or the subject device, whether to send the access request. The embodiments of this application do not specifically limit the policy by which this decision is made according to the security level of electronic device 300. For example, when the requested resource is a sensitive resource and the security level of electronic device 300 is low, electronic device 100 may refuse to send the access request, preventing confidential data of electronic device 100 from flowing to electronic device 300.
In some embodiments, when performing S104 of Fig. 3C, electronic device 300 may first decide, according to the security level of the object device and/or the subject device, whether to respond to the access request. The embodiments of this application do not specifically limit the policy. For example, when the requested resource is a sensitive resource and the security level of electronic device 300 is low, electronic device 300 may refuse to respond to the access request, avoiding data leakage.
Through the above optional embodiments, resources can be opened selectively to other devices in the distributed system according to the security levels of different devices, ensuring the confidentiality and integrity of sensitive resources on each device.
Moreover, with dual authentication on both the subject and object devices, the confidentiality and integrity of device resources is guaranteed and the attack surface is reduced.
In a distributed system, a device can access all kinds of resources on other devices. Different applications have different security requirements. For example, a banking APP requires the device to have a trusted execution environment (TEE), whereas a music APP only requires basic isolation and access capabilities; a music APP accessing the data or resources of a banking APP poses potential confidentiality and availability risks.
To avoid the data leakage risk arising from application security levels, in some embodiments, when performing the access control method of Fig. 3C, the subject device may decide whether to send an access request according to the caller's security level, and the object device may decide whether to respond according to the caller's security level. Resources can thus be opened selectively according to the security levels of different applications, avoiding the risk of data leakage.
In some embodiments, when performing the method of Fig. 3C, after electronic devices 100 and 300 in the distributed system establish a connection, they may synchronize the security levels of their applications with each other.
In the embodiments of this application, the security level of an application (an APP or a function component) may be set in advance.
In some embodiments, an electronic device may assign security levels to applications according to default classification rules. For example, security levels may be distinguished by application category: system applications have a higher security level than third-party applications, shopping applications have a higher security level than reading applications, and so on.
In some embodiments, the security level of each application may also be set manually by the user, for example according to the user's own needs.
In some embodiments, when performing S101 of Fig. 3C, electronic device 100 may first decide, according to the security level of caller 1 and/or callee 1, whether to send the access request. The embodiments of this application do not specifically limit this policy. For example, when the requested resource is a sensitive resource and the security level of callee 1 is low, electronic device 100 may refuse to send the access request, preventing confidential data of caller 1 from flowing to callee 1.
In some embodiments, when performing S104 of Fig. 3C, electronic device 300 may first decide, according to the security level of caller 1 and/or callee 1, whether to respond to the access request. The embodiments of this application do not specifically limit this policy. For example, when the requested resource is a sensitive resource and the security level of callee 1 is low, electronic device 300 may refuse to respond to the access request, preventing confidential data of caller 1 from flowing to callee 1.
Through the above optional embodiments, resources can be opened selectively to other applications in the distributed system according to the security levels of different applications, ensuring the confidentiality and integrity of sensitive resources on each device.
Moreover, with dual authentication on both the subject and object devices, the confidentiality and integrity of device resources is guaranteed and the attack surface is reduced.
In a distributed system, a device can access all kinds of resources on other devices. Different devices have different security sensitivities and therefore different security protection needs. For example, a smart door lock and a bedroom camera have higher security sensitivity than a low-sensitivity device such as a smart desk lamp, so the lamp or its applications must not be able to control the bedroom camera or the door lock, whereas a smart speaker may control the lamp. Ignoring the security sensitivity of each device causes data security problems in cross-device access.
To avoid the data leakage risk arising from device security sensitivity, in some embodiments, when performing the access control method of Fig. 3C, the subject device may decide whether to send an access request according to the security sensitivity of the object device and/or the subject device, and the object device may decide whether to respond according to the security sensitivity of the object device and/or the subject device. Resources can thus be opened selectively according to the security sensitivity of different devices, avoiding the risk of data leakage.
In some embodiments, when performing the method of Fig. 3C, after electronic devices 100 and 300 in the distributed system establish a connection, they may synchronize each other's device security level.
The security sensitivity of a device refers to the degree of privacy risk to the user if the data on the device leaks. The more private the data on a device, the higher the risk after the device is compromised or its data leaks, and the higher its security sensitivity. For example, device A is a desk lamp in the living room; the consequence of compromising it is "the lamp is switched on or off at will". Device B is a bedroom camera; the consequence of compromising it or leaking its data is "video recordings of the bedroom leak". Of the two, device B clearly has the higher security sensitivity for the user.
In summary, compared with the device security level above, the device security level is classified by the software and hardware security capabilities of the device itself, whereas the device security sensitivity is classified by the degree of privacy threat to the user if the device is compromised.
The security sensitivity of each device may be set in advance.
In some embodiments, each device may assign its security sensitivity according to default classification rules. For example, the security sensitivity of a device may be set in advance according to one or more of: the device's location (for example kitchen, bedroom, outdoors), whether the device is carried by the user, the device type, and the types of data stored on the device. For example, when the user wears a watch its security sensitivity is high, but when the watch is detected to have left the user its security sensitivity drops. As another example, a bedroom camera has a higher security sensitivity than a kitchen desk lamp.
In other embodiments, the security sensitivity of each device may also be set manually by the user, for example according to the user's own needs.
In some embodiments, when performing S101 of Fig. 3C, electronic device 100 may first decide, according to the security sensitivity of the object device and/or the subject device, whether to send the access request. The embodiments of this application do not specifically limit the policy by which this decision is made according to the security sensitivity of electronic device 300. For example, when the requested resource is a sensitive resource and the security sensitivity of electronic device 300 is low, electronic device 100 may refuse to send the access request, preventing confidential data of electronic device 100 from flowing to electronic device 300.
In some embodiments, when performing S104 of Fig. 3C, electronic device 300 may first decide, according to the security sensitivity of the object device and/or the subject device, whether to respond to the access request. The embodiments of this application do not specifically limit this policy. For example, when the requested resource is a sensitive resource and the security sensitivity of electronic device 300 is low, electronic device 300 may refuse to respond to the access request, avoiding data leakage.
Through the above optional embodiments, resources can be opened selectively to other devices in the distributed system according to the security sensitivity of different devices, ensuring the confidentiality and integrity of sensitive resources on each device.
Moreover, with dual authentication on both the subject and object devices, the confidentiality and integrity of device resources is guaranteed and the attack surface is reduced.
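The three gating rules above (device security level, application security level, device security sensitivity) share one shape: the same evaluation runs on the subject device before S101 and on the object device before S104, and a sensitive resource is withheld when the receiving side is below a threshold. The following added example puts them in one evaluator so the "dual authentication" can be seen as two calls of the same function. It is written for this page and is not the application's code; the numeric scales, the thresholds, the rule that a less sensitive subject device may not control a more sensitive object device, and the sample profiles are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DeviceProfile:
    device_id: str
    security_level: int   # from the device's software/hardware capability
    sensitivity: int      # privacy impact if the device is compromised


@dataclass
class AppProfile:
    app_id: str
    security_level: int


@dataclass
class AccessRequest:
    caller: AppProfile
    callee: AppProfile
    subject: DeviceProfile
    object: DeviceProfile
    resource: str
    sensitive: bool       # whether the requested resource is a sensitive one


def evaluate(req: AccessRequest, min_level: int, min_sensitivity: int) -> Tuple[bool, List[str]]:
    """Applied identically by the subject (before S101) and the object (before S104)."""
    reasons: List[str] = []
    if req.sensitive:
        if req.object.security_level < min_level:
            reasons.append("object device security level too low")
        if req.callee.security_level < min_level:
            reasons.append("callee security level too low")
        if req.object.sensitivity < min_sensitivity:
            reasons.append("object device security sensitivity too low")
    # Constructed ordering rule from the lamp/camera example: a less sensitive device
    # must not drive a more sensitive one.
    if req.subject.sensitivity < req.object.sensitivity:
        reasons.append("subject device less sensitive than object device")
    return (not reasons, reasons)


def dual_check(req: AccessRequest, min_level: int = 3, min_sensitivity: int = 2) -> bool:
    """Subject side decides whether to send; object side decides whether to respond."""
    send_ok, _ = evaluate(req, min_level, min_sensitivity)     # S101 gate on device 100
    respond_ok, _ = evaluate(req, min_level, min_sensitivity)  # S104 gate on device 300
    return send_ok and respond_ok
```

Running the same evaluator on both ends is what keeps a compromised or misconfigured subject device from pushing a sensitive request through: the object device re-derives the decision from its own copy of the synchronized levels.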
The software structures of electronic device 100 and electronic device 300 provided by the embodiments of this application for performing the access control method of Fig. 3C and the solutions of the optional embodiments above are described below.
The software systems of electronic device 100 and electronic device 300 may each adopt a layered architecture, an event-driven architecture, a microkernel architecture, a microservice architecture, a cloud architecture, or the like. By way of example, the software systems of electronic device 100 and electronic device 300 include, but are not limited to, Linux or other operating systems.
A layered architecture divides the software into several layers, each with a clear role and division of labour; the layers communicate through software interfaces. In some embodiments, from top to bottom these may include an application layer, an application framework layer, a system service layer, a kernel layer, and so on.
The application layer may include a series of application packages, including APPs such as camera, gallery, calendar, phone and maps, and may also include function components such as FAs and PAs.
The application framework layer provides application programming interfaces (APIs) and a programming framework for the applications of the application layer, and includes some predefined functions.
The application framework layer may include a window manager, content providers, a view system, a telephony manager, a resource manager, a notification manager, and so on.
The window manager manages window programs; it can obtain the display size, determine whether there is a status bar, lock the screen, capture the screen, and so on.
Content providers store and retrieve data and make it accessible to applications. The data may include video, images, audio, calls made and received, browsing history and bookmarks, the phone book, and so on.
The view system includes visual controls, for example controls that display text and controls that display images, and can be used to build applications. A display interface may consist of one or more views; for example, an interface that includes an SMS notification icon may include a view displaying text and a view displaying an image.
The telephony manager provides the communication functions of the electronic device, for example managing the call state (connected, hung up, and so on).
The resource manager provides applications with various resources, such as localized strings, icons, images, layout files and video files.
The notification manager lets applications display notification information in the status bar; it can convey informational messages that disappear automatically after a short stay without user interaction, for example to report a completed download or a message reminder. Notifications may also appear as graphics or scrolling text in the status bar at the top of the system, such as notifications of applications running in the background, or as dialog windows on the screen, for example a text prompt in the status bar, a prompt tone, vibration of the electronic device, or a blinking indicator.
The core library has two parts: the functions that the Java language needs to call, and the Android core library.
The application layer and the application framework layer run in a virtual machine, which executes the Java files of these layers as binary files and handles object lifecycle management, stack management, thread management, security and exception management, garbage collection, and so on.
The system library may include several function modules, for example a surface manager, media libraries, a 3D graphics processing library (for example OpenGL ES), and a 2D graphics engine (for example SGL).
The surface manager manages the display subsystem and provides blending of 2D and 3D layers for multiple applications.
The media libraries support playback and recording of many common audio and video formats, as well as static image files, and can support many audio and video coding formats such as MPEG4, H.264, MP3, AAC, AMR, JPG and PNG.
The 3D graphics processing library implements 3D drawing, image rendering, compositing and layer processing.
The 2D graphics engine is a drawing engine for 2D drawing.
The kernel layer lies between hardware and software and contains at least a display driver, a camera driver, an audio driver and a sensor driver.
Referring to Fig. 10, Fig. 10 shows by way of example the software structure of electronic device 300 for performing the access control method of Fig. 3C and the solutions of the optional embodiments above.
As shown in Fig. 10, electronic device 300 includes the following modules: an application information management module, an application launch management module, an instance management module, a call relationship management module, a call relationship library, a function component information management module, a function component information synchronization module, an access control module, an application permission management module, and a permission information library.
Of these:
The application information management module manages the information of each APP and function component installed on electronic device 300, for example the PIDs of the APPs and function components.
The application launch management module manages the launching of each APP and function component. For example, when electronic device 300 receives a request from another device to call an application, the application launch management module can launch that application.
The function component information management module maintains the function component information of the local device and that synchronized from other devices, including the name, type and hosting device of each function component.
The function component information synchronization module synchronizes the local device's function component information to other devices and receives the function component information synchronized from other devices.
The instance management module dynamically starts callee instances according to the caller's information to serve that caller. For the specific policy by which it starts callee instances, refer to the detailed description of S102-S104 in Fig. 3C. It also manages the lifecycle of each started instance, for example stopping, destroying or restarting it.
The call relationship management module maintains the call relationships formed by a caller and the callee instance serving it, and stores them in the call relationship library.
The call relationship library stores the call relationships formed by callers and callee instances. A call relationship includes the callee's instance information and the information of each caller calling that instance; for the instance information and caller information, refer to the description of S102 in Fig. 3C, which is not repeated here.
In some embodiments, the call relationship library may also store the correspondence between the callee's sandboxes and the instances running in them.
In other embodiments, the information in the call relationship library may be stored not only on the object device (electronic device 300) but also on the subject device where the caller resides (for example electronic device 100).
Referring to Table 1 below, which shows by way of example the information about electronic device 300's callees and their callers stored in the call relationship library.
Table 1
As can be seen from Table 1, the conventional application or function component identified as "ID4" on electronic device 300 is called by three callers. Electronic device 300 created two instances: one serves the caller on electronic device 100, and the other serves the two callers developed by the same developer on electronic devices 200 and 400.
In addition, electronic device 300 created two sandboxes. Sandbox 1 runs the instance of callee 1 serving caller 1 and stores the application data from caller 1. Sandbox 2 runs the instance of callee 1 serving callers 2 and 3 and stores the application data from callers 2 and 3.
The access control module manages the access requests received by electronic device 300 and decides whether to respond to them. In a specific implementation, it may decide whether to respond to an access request according to whether caller 1 on electronic device 100 is permitted to call callee 1, whether it is permitted to access the first resource, the device security levels of electronic devices 100 and 300, the security levels of caller 1 and callee 1, and so on.
The access control module may include a local access control module and a DMS. When a callee on electronic device 300 receives an access request from a caller on another device, the DMS handles the call to the callee according to that caller's permission information. When a caller on electronic device 300 calls a callee, the local access control module handles the call to the callee according to that caller's permission information.
The application permission management module manages the permission information of local applications (APPs and function components). It may include a local permission management module for the permission information of local applications and a distributed permission management module for the permission information of applications on other devices in the distributed system. The local permission management module also listens for changes in the permission information of local applications. An application's local permissions may be decided by the user or updated by the application itself, for example the user granting or revoking access to the camera, microphone or photo album, or the application updating its granted permissions.
The permission information library stores and maintains application permission information. It may include a local permission information library for the permission information of local applications and a distributed permission information library for the permission information of applications on other devices in the distributed system.
In some embodiments, electronic device 300 may further include the following module: a file management service, responsible for managing the storage of application data. Specifically, it dynamically creates callee sandboxes according to the caller's information to provide application data storage for the caller; for the specific policy, refer to the detailed description of S201-S202 in Fig. 4C. It also manages the lifecycle of each callee sandbox, for example creation and deletion.
In some embodiments, electronic device 300 may further include the following module: an application runtime identity management module, which manages the runtime identities of the applications on electronic device 300.
In some embodiments, electronic device 300 may further include the following modules: a device security level assessment module, which assesses the device security level of electronic device 300; an application security level assessment module, which assesses the security level of each application (APP or function component) on electronic device 300; and a device security sensitivity assessment module, which assesses the security sensitivity of electronic device 300.
In some embodiments, electronic device 300 may further include the following modules: a device information management module, which synchronizes the device information of other devices in the distributed system, for example their security level, security sensitivity and the security levels of their applications; and a device information library, which stores the device information of other devices in the distributed system.
In some embodiments, electronic device 300 may further include the following modules:
An authorization module, which confirms whether electronic device 300 has the conditions for authorization, whether it is currently suitable for authorization, and whether the object device can obtain the user's authorization in time.
If electronic device 300 lacks the conditions for authorization, is currently performing a first task, or cannot obtain the user's authorization in time, the authorization module may select an authorizing device through the authorization decision module, send an authorization request to the authorizing device, and receive the authorization result it returns. When the result indicates that the user permits granting the permission required by the access request, the authorization module obtains that permission.
If electronic device 300 has the conditions for authorization, is currently suitable for authorization, and can obtain the user's authorization in time, the authorization module may call on the software and hardware resources of electronic device 300 to provide an authorization method and obtain from the user the permission required by the access request.
An authorization decision module, which selects one electronic device in the distributed system as the authorizing device according to the type of electronic device 300 and the attributes of the other electronic devices in the distributed system. In some embodiments, it may also determine the authorization method to be used by the authorizing device.
A device attribute management module, which synchronizes the device attributes of electronic device 300 to other devices in the distributed system and synchronizes the device attributes of other devices to electronic device 300.
A device attribute library, which stores and maintains the device attributes of each device in the distributed system.
It can be understood that the modules of electronic device 300 mentioned above may be located in the application layer, application framework layer, system service layer, kernel layer, or elsewhere in electronic device 300; no limitation is imposed here.
Referring to Fig. 11, Fig. 11 shows by way of example the software structure of electronic device 100 for performing the access control method of Fig. 3C and the solutions of the optional embodiments above.
As shown in Fig. 11, electronic device 100 includes the following modules: an application information management module, an application launch management module, a function component information management module, a function component information synchronization module, a call relationship management module, a call relationship library, an application permission management module, and a permission information library.
For the application information management module, application launch management module, function component information management module, function component information synchronization module, application permission management module and permission information library, refer to the descriptions of electronic device 300 above.
The call relationship management module maintains the call relationships formed by a caller and the callee instance serving it, and stores them in the call relationship library.
The call relationship library stores the call relationships formed by callers and callee instances. A call relationship includes the callee's instance information and the information of each caller calling that instance; for the instance information and caller information, refer to the description of S102 in Fig. 3C, which is not repeated here.
Referring to Table 2 below, which shows by way of example the information about electronic device 100's callers and their callees stored in the call relationship library.
Table 2
Comparing with Table 1, for the same call relationship electronic device 300 and electronic device 100 can share the same call relationship ID, which may be allocated by the subject device (electronic device 100).
In some embodiments, the call relationship management module includes a call relationship mapping module, which acts as a virtual proxy: internally it hides the callee's actual information, such as its hosting device, and externally it finds the correct device to call the callee as required. A caller on electronic device 100 does not know the callee's actual information; it learns it through the call relationship mapping module and then initiates the call.
The access control module manages the access requests sent by electronic device 100 and decides whether to send them. In a specific implementation, it may decide whether to send an access request according to whether caller 1 on electronic device 100 is permitted to call callee 1, whether it is permitted to access the first resource, the device security levels of electronic devices 100 and 300, the security levels of caller 1 and callee 1, and so on.
In some embodiments, electronic device 100 may further include the following modules: an instance management module, a security domain management module, a security domain policy management module, a security policy library, and a group management module.
The instance management module creates the caller's instance when the caller starts, and, when the caller calls an FA, creates a new instance to run the FA's UI code. It also manages the lifecycle of FA UI instances, for example starting, stopping, destroying and restarting them.
The security domain management module allocates security context information to each instance so that the kernel can create the corresponding kernel security domain. After an FA UI instance is created, this module decides dynamically, according to a default mechanism, whether an additional new security domain needs to be created.
The security domain policy management module provides the security policies of the security domains for the kernel-layer security domains to load and enable.
The security policy library stores the security policy of each security domain, which may for example allow an FA's UI instance to communicate with that FA's logic code instance and deny the FA's UI instance communication with the caller process that integrates the UI code.
The group management module adds, modifies and deletes instance group information for FA UI instances. When an FA UI instance is created it is given the corresponding group ID information, and when the caller's permissions change dynamically the group ID information of the FA UI instance is updated in step.
The access control module described above also controls the access of FA UI instances to sensitive system resources. Specifically, it performs instance-level permission control according to the permission information the caller granted to the FA's UI instance.
In some embodiments, electronic device 100 may further include the following modules:
A task management module, responsible for managing the tasks in the caller's task domain and exposing the task status corresponding to the caller. It also recovers a task when the task in the task domain becomes abnormal; for the specific implementation of recovery, refer to the method embodiments above.
A task information library, which stores the task information associated with the caller, including the task domain ID, the call relationship ID, the task status, the caller's APP ID, the callee's APP ID, and so on.
Referring to Table 3 below, which shows by way of example one task domain record of electronic device 100 stored in the task information library.
Table 3
Task domain ID | Call relationship ID | Task status | Caller's APP ID | Callee's APP ID
1 | 1 | normal | ID1 | ID4
A running state management module, which manages the running state information of callers and callees and changes the running state of callee instances in step with the caller's running state.
In some embodiments, electronic device 100 may further include the following modules:
A passed-permission application module, which applies to the user for the permissions required by the access request that caller 1 sends to callee 1 on electronic device 300.
A permission passing module, which passes the permissions obtained by caller 1 through the passed-permission application module to callee 1 on electronic device 300.
A routing proxy module, which dynamically creates routing and revocation proxy objects for the specified service according to the access request sent by electronic device 100, for example the path from caller 1 on electronic device 100 to callee 1 on electronic device 300.
A permission revocation module, responsible for revoking the permissions that a caller on electronic device 100 passed to other electronic devices (for example to callee 1 on electronic device 300).
In some embodiments, electronic device 100 may further include a synchronized device list, which records or stores which other devices have obtained the permission information of applications on electronic device 100, for example that electronic device 300 obtained the permission information of caller 1.
In some embodiments, electronic device 100 may further include an application runtime identity management module, which manages the runtime identities of the applications on electronic device 100.
In some embodiments, electronic device 100 may further include the following modules: a device security level assessment module, an application security level assessment module, and a device security sensitivity assessment module. The device security level assessment module assesses the device security level of electronic device 100. The application security level assessment module assesses the security level of each application (APP or function component) on electronic device 100. The device security sensitivity assessment module assesses the device security sensitivity of electronic device 100.
In some embodiments, electronic device 100 may further include the following modules: a device information management module and a device information library. The device information management module synchronizes the device information of other devices in the distributed system, for example their security level, security sensitivity and the security levels of their applications. The device information library stores the device information of other devices in the distributed system.
In some embodiments, electronic device 100 may further include the following modules:
A device attribute management module, which synchronizes the device attributes of electronic device 100 to other devices in the distributed system and synchronizes the device attributes of other devices to electronic device 100.
A device attribute library, which stores and maintains the device attributes of each device in the distributed system.
It can be understood that the modules of electronic device 100 mentioned above may be located in the application layer, application framework layer, system service layer, kernel layer, or elsewhere in electronic device 100; no limitation is imposed here.
It can be understood that Figs. 10 and 11 are only illustrative examples; the software structures of electronic devices 100 and 300 provided by the embodiments of this application may take other forms or include more or fewer modules, and no limitation is imposed here.
In a conventional single-device scenario, system applications, third-party applications and the like may access the various resources in the system once they have passed the permission check of the access control module. When multiple callers access a resource at the same time, the system's resource scheduling management module schedules them according to the state of the local callers and the type of the resource, so that the resource is used sensibly and user needs are met. For example, when two callers request the camera at the same time, the camera is an exclusive resource that cannot serve two callers simultaneously, so the single-device scenario will decide on one caller to have priority in accessing the camera.
In a distributed system, calling resources across devices is a very common scenario. When a local caller and a cross-device caller access a resource at the same time, how to schedule the resource sensibly and satisfy user needs as far as possible is a problem that urgently needs solving.
The embodiments of this application provide a cross-device access control method that applies to the distributed system 10 shown in FIG. 1 and the distributed scenario shown in FIG. 2. In this method, when multiple callers access a resource in an object device, the object device determines the priority of each caller according to the running states of those callers and the user information of the subject devices and the object device, and responds first to the resource access request with the highest priority. Resources can thus be scheduled sensibly to meet the user's access needs, and when a shared resource runs short, the genuinely low-priority instances are released first, ensuring that the caller currently executing keeps running normally.
The embodiments of this application do not restrict the type of resource in the object device that a caller accesses. The resource of the object device accessed by a caller may be an exclusive resource, such as a camera or an audio device, or a shared resource, such as stored files or data, memory, and so on.
A caller's running state may include running in the foreground, running in the background, and so on.
The user information of the subject device or the object device includes the user currently logged in to that device, and so on.
There may be many policies by which the object device determines the priority of each caller; no limitation is imposed here. For example, the priority policy may include: callers on the device where the accessed resource resides have a higher priority than callers on other devices; foreground callers rank above background callers; callers on devices that share the same user as the device where the accessed resource resides have a higher priority than callers on other devices; and so on.
The priority policy may be pre-stored in the object device, or set or changed by the user; no limitation is imposed here.
Refer to FIG. 12A, which shows by way of example a flowchart of the cross-device access control method provided in the embodiments of this application.
As shown in FIG. 12A, the method may include the following steps:
S901: The electronic device 100 initiates an access request to the electronic device 300. The access request is for caller 1 to call callee 1 and, through callee 1, to access a first resource in the electronic device 300.
For S901, refer to S101 in FIG. 3C.
S902: The electronic device 300 determines, according to the priority policy, whether to respond to the access request.
For the priority policy, refer to the description above.
By way of example, after receiving the access request, the electronic device 300 may determine the priority of caller 1 and the priority of the callers currently accessing the resource in the electronic device 300 that the access request targets. The callers currently accessing that resource may be callers on other electronic devices or callers on the electronic device 300 itself.
When the resource targeted by the access request is an exclusive resource, the electronic device 300 may choose to serve the caller with the highest priority while temporarily refusing service to the other callers, so that the highest-priority caller is guaranteed first use of the resource.
When the resource targeted by the access request is a shared resource, the electronic device 300 may rank caller 1 together with the multiple callers currently accessing the resource by priority and, within the maximum service the shared resource can provide, serve the higher-priority callers first while terminating service to the lower-priority callers.
S903: The electronic device 300 runs an instance of callee 1 and, in response to the access request received in S101, accesses the first resource.
For the specific implementation of S903, refer to the description of S104 in FIG. 3C.
In the method shown in FIG. 12A, when multiple electronic devices call the same callee in the same electronic device, one of those electronic devices (for example the electronic device 100) may be called the first device and the caller in it the first caller; another of them (for example the electronic device 200) may be called the second device and the caller in it the second caller. The accessed electronic device (for example the electronic device 300) may be called the third device, and the accessed resource in the third device the first resource. The access request the first device sends to the third device may be called the first access request, and the access request the second device sends to the third device the second access request.
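The scheduling decision of S902, as an added example written for this page rather than code from the patent: it encodes the three priority rules listed above (local caller over remote caller, foreground over background, same-user device over another user's device) as a sort key and applies that key to both the exclusive and the shared case, stopping the lowest-priority callers when a shared resource runs short. Device names, user names, app IDs and the `capacity` field are constructed assumptions.

```python
"""Priority-based scheduling of an exclusive or shared resource among local and
cross-device callers. Example code written for this page; not the patent's own
implementation. Device names, user names and app IDs below are constructed."""
from dataclasses import dataclass
from enum import Enum


class RunState(Enum):
    FOREGROUND = "foreground"
    BACKGROUND = "background"


class ResourceKind(Enum):
    EXCLUSIVE = "exclusive"   # e.g. camera: one caller at a time
    SHARED = "shared"         # e.g. memory: up to `capacity` callers at once


@dataclass(frozen=True)
class Caller:
    app_id: str
    device_id: str        # device the caller runs on (the subject device)
    run_state: RunState
    user: str             # user logged in on the caller's device


@dataclass(frozen=True)
class Resource:
    name: str
    kind: ResourceKind
    capacity: int = 1     # concurrent callers served; ignored for EXCLUSIVE


def priority_key(caller: Caller, host_device: str, host_user: str) -> tuple:
    """Rank a caller by the three rules in the order the page lists them:
    local > remote, foreground > background, same user > other user.
    A larger tuple means a higher priority (True sorts above False)."""
    is_local = caller.device_id == host_device
    is_foreground = caller.run_state is RunState.FOREGROUND
    same_user = caller.user == host_user
    return (is_local, is_foreground, same_user)


def schedule(resource: Resource, host_device: str, host_user: str,
             active: list, incoming: Caller) -> tuple:
    """Decide who is served once `incoming` arrives while the `active` callers
    already use the resource on the object device `host_device`.
    Returns (served_app_ids, stopped_app_ids): callers that do not fit in the
    available slots are stopped, lowest priority first. For an exclusive
    resource only the single highest-priority caller keeps the resource."""
    slots = 1 if resource.kind is ResourceKind.EXCLUSIVE else resource.capacity
    ranked = sorted(active + [incoming],
                    key=lambda c: priority_key(c, host_device, host_user),
                    reverse=True)   # stable sort: on ties, existing callers stay first
    served = [c.app_id for c in ranked[:slots]]
    stopped = [c.app_id for c in ranked[slots:]]
    return served, stopped


if __name__ == "__main__":
    # Constructed scenario: a smart screen ("tv", user alice) owns the camera.
    camera = Resource("camera", ResourceKind.EXCLUSIVE)
    phone_im = Caller("IM", "phone", RunState.FOREGROUND, "alice")   # remote, foreground
    tv_local = Caller("LocalCam", "tv", RunState.BACKGROUND, "alice")  # local, background
    print(schedule(camera, "tv", "alice", [phone_im], tv_local))    # local caller wins
```

The local-over-remote rule is evaluated first, so a background local caller still displaces a foreground remote one; swap the tuple order in `priority_key` to express a different policy, which the page says the user may set or change.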
FIG. 12B shows by way of example the software structure of the electronic device 300 for performing the cross-device access control method provided in the embodiments of this application.
The layered architecture divides the software into several layers, each with a clear role and division of labor. Layers communicate with one another through software interfaces. In some embodiments, from top to bottom these may include the application layer, the application framework layer, the system service layer, the kernel layer, and so on.
As shown in FIG. 12B, the electronic device 300 may include: a device information management module, a device information store, an application state management module, an application state store, a call relationship management module, a call relationship store, a priority policy management module, a policy store, and a distributed resource scheduling module. Among these:
The device information management module synchronizes the user information of the other devices in the distributed system, and synchronizes the local device's user information to the other devices in the distributed system.
The device information store stores the user information of the other devices in the distributed system.
The application state management module synchronizes the state information of each application on the other devices in the distributed system, and synchronizes the state information of each application on the local device to the other devices in the distributed system.
The application state store stores the state information of each application on the other devices in the distributed system.
For the call relationship management module and the call relationship store, refer to the related description of FIG. 10.
The priority policy management module manages the policy by which the electronic device 300 assigns priorities to the various callers. For the priority policy itself, refer to the related description above.
The policy store stores the priority policy of the electronic device 300.
The distributed resource scheduling module determines, according to the priority policy and based on application state information, device user information and the like, the priority of caller 1 and the priority of the callers currently accessing the resource in the electronic device 300 that the access request targets, and decides how to schedule the resource.
It can be understood that the modules of the electronic device 300 mentioned above may reside in the application layer, application framework layer, system service layer, kernel layer, etc. of the electronic device 300; no limitation is imposed here.
It can be understood that FIG. 12B is merely an illustrative example; the software structure of the electronic device 300 provided in the embodiments of this application may take other forms, or may include more or fewer modules, and no limitation is imposed here.
In a distributed system, smart devices of various kinds running different OS platforms form a logical "super terminal". From the viewpoint of an application on a device, the application can transparently use the resources provided by other devices without perceiving the change of underlying platform. For example, an instant messaging APP on a phone can use the camera of a smart screen for a video call: the distributed system hides the cross-device details from the application layer and exposes only an interface for obtaining the video stream to upper-layer applications. From the user's viewpoint, a functional component installed on one device can migrate seamlessly to run on another device, skipping the installation and launch procedure. When the phone's instant messaging APP accesses the smart screen's camera as above, a permission check is performed: if the check fails, the user is prompted "This application has no permission to access the camera"; if it passes, the user is prompted "This application is accessing the camera". Because the underlying operating systems of the devices that make up the "super terminal" differ, so do their access control mechanisms and capabilities. How to adapt and coordinate access control policies across platforms, so as to give users a new transparent and seamless experience, is therefore a new challenge.
The embodiments of this application provide a cross-platform access control method that applies to the distributed system 10 shown in FIG. 1 and the distributed scenario shown in FIG. 2. In a distributed system composed of multiple devices with heterogeneous OSs, when an application on one device accesses resources on another device with a different OS, the application's identity information, context information and corresponding permission information are migrated to the peer device, supporting the application in migrating seamlessly to other devices and transparently using the resources they provide, and meeting the user's actual needs under the "super terminal".
Refer to FIG. 13A, which shows by way of example a flowchart of the cross-platform access control method provided in the embodiments of this application.
As shown in FIG. 13A, the method may include the following steps:
S1001: The electronic device 100 initiates an access request to the electronic device 300. The access request is for caller 1 to call callee 1 and, through callee 1, to access a first resource in the electronic device 300.
S1002: The electronic device 100 sends the access request, together with the identity information of caller 1 such as its UID, to the electronic device 300.
In some embodiments, after S1001 the electronic device 100 may further determine, according to the permissions granted by the user, whether it has permission to initiate the access request. If it has permission, the electronic device 100 performs S1002.
S1003: The electronic device 300 maps the identity of caller 1 in the electronic device 100 to a local application identity and, according to that local application identity of caller 1, obtains the permission information and context information of caller 1.
In some embodiments of this application, after the electronic device 100 and the electronic device 300 establish a connection, the electronic device 300 may synchronize information from the electronic device 100. This information may include one or more of: the identity information (such as the UID) of each installed application, the permission information each application has obtained, and the context information of each application such as its foreground/background state.
In other embodiments of this application, after receiving the access request, the electronic device 300 may check whether the synchronized information from the electronic device 100 contains the permission information required by the access request; if not, it may also trigger the electronic device 100 to obtain that permission. After obtaining the permission, the electronic device 100 may transfer it to the electronic device 300.
After the electronic device 300 has synchronized the information from the electronic device 100, this information is stored in a form that the OS of the electronic device 300 can access. Because different OSs store information in different forms, devices running other OSs cannot access this information directly.
Mapping the identity of caller 1 in the electronic device 100 to a local application identity on the electronic device 300 amounts to a translation process: the access request from the electronic device 100 is translated into a form that the OS of the electronic device 300 can understand, after which the device decides whether to respond to it.
The electronic device 300 may, according to the local identity information of caller 1 on the electronic device 300, obtain the permission information and context information corresponding to caller 1 from the stored information of the electronic device 100. Specifically, to distinguish the applications it has installed itself from applications mapped in from other devices, the electronic device 300 may assign identity information to its own installed applications within a first range (for example 10000-19999) and to applications mapped in from other devices within a second range (for example 100000-199990), making it easy to tell local applications apart from applications on other devices.
S1004: The electronic device 300 determines, according to the permission information and context information of caller 1, whether to respond to the access request.
Specifically, the electronic device 300 may perform a permission check on the access request and respond to it if the check passes. The electronic device 300 may also decide whether to respond to the access request according to the context information of caller 1.
S1005: If the determination in S1004 is yes, the electronic device 300 responds to the access request.
In the method shown in FIG. 13A, the electronic device 100 may be called the first device, caller 1 the first caller, and the electronic device 300 the second device. The operating system of the electronic device 100 may be called the first operating system and that of the electronic device 300 the second operating system.
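Steps S1003 to S1005 on the object device, as an added example written for this page rather than code from the patent: the remote caller's UID is mapped to a stable local UID drawn from the second range the page gives (100000-199990), kept disjoint from the first range for locally installed apps (10000-19999); the synchronized permission and context information is then looked up under that local identity and the decision is made, reporting when the permission is missing so that the subject device can be asked to obtain it. The device name, the synchronized app records, the permission names and the class and method names are constructed assumptions.

```python
"""Mapping a remote caller's identity into a local UID range and checking its
synchronized permissions and context before responding. Example code written
for this page; the two UID ranges are the ones the page gives, everything else
(device name, app records, permission names) is constructed."""
from dataclasses import dataclass, field

LOCAL_UIDS = range(10000, 20000)      # first range on the page: 10000-19999
MAPPED_UIDS = range(100000, 199991)   # second range on the page: 100000-199990


@dataclass(frozen=True)
class SyncedApp:
    """What the object device synchronized about one app on the subject device."""
    remote_uid: int
    permissions: frozenset   # permissions the app has obtained on its home device
    foreground: bool         # context information: is the app in the foreground?


@dataclass
class CrossPlatformAccessControl:
    """Identity mapping plus permission/context lookup of the object device."""
    _synced: dict = field(default_factory=dict)    # (device, remote uid) -> SyncedApp
    _mapping: dict = field(default_factory=dict)   # (device, remote uid) -> local uid
    _next_mapped: int = MAPPED_UIDS.start

    def sync_device(self, device_id: str, apps: list) -> None:
        """Store the records synchronized after the connection is established."""
        for app in apps:
            self._synced[(device_id, app.remote_uid)] = app

    def map_identity(self, device_id: str, remote_uid: int) -> int:
        """Translation step of S1003: one stable local UID per (device, remote UID),
        always taken from the mapped range so it can never collide with a local app."""
        key = (device_id, remote_uid)
        if key not in self._mapping:
            if self._next_mapped not in MAPPED_UIDS:
                raise RuntimeError("mapped UID range exhausted")
            self._mapping[key] = self._next_mapped
            self._next_mapped += 1
        return self._mapping[key]

    @staticmethod
    def is_mapped_uid(uid: int) -> bool:
        """True for identities that belong to apps mapped in from other devices."""
        return uid in MAPPED_UIDS

    def decide(self, device_id: str, remote_uid: int, required_permission: str,
               needs_foreground: bool = False) -> tuple:
        """S1003-S1005: map the identity, look up synced permission and context,
        then decide. Returns (allowed, reason); the reason names the local UID."""
        local_uid = self.map_identity(device_id, remote_uid)
        info = self._synced.get((device_id, remote_uid))
        if info is None:
            return False, f"uid {local_uid}: no synchronized info, request sync"
        if required_permission not in info.permissions:
            # The page's fallback: trigger the subject device to obtain the permission.
            return False, f"uid {local_uid}: lacks {required_permission}, ask home device"
        if needs_foreground and not info.foreground:
            return False, f"uid {local_uid}: caller is not in the foreground"
        return True, f"uid {local_uid}: granted {required_permission}"


if __name__ == "__main__":
    ac = CrossPlatformAccessControl()
    # Constructed sync payload from a phone: an IM app with CAMERA, a game without.
    ac.sync_device("phone", [SyncedApp(10005, frozenset({"CAMERA"}), True),
                             SyncedApp(10006, frozenset(), False)])
    print(ac.decide("phone", 10005, "CAMERA"))   # (True, 'uid 100000: granted CAMERA')
    print(ac.decide("phone", 10006, "CAMERA"))   # (False, 'uid 100001: lacks CAMERA, ...')
```

Keeping the mapped range disjoint from the local range is what lets the rest of the access control stack tell, from the UID alone, that a request originates from another device and route it to the cross-device access control module described for FIG. 13B.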
FIG. 13B shows by way of example the software structure of the electronic device 300 for performing the cross-platform access control method provided in the embodiments of this application.
The layered architecture divides the software into several layers, each with a clear role and division of labor. Layers communicate with one another through software interfaces. In some embodiments, the electronic device 300 may include, from top to bottom, an application layer and an application framework layer. Without being limited to this, in some other embodiments the software system of the electronic device 300 may further include a kernel layer, a system service layer, and so on.
As shown in FIG. 13B, the electronic device 300 may include: an application management module, an access control module, and an application information management module. Among these:
The application management module includes a local application management module and a cross-device application management module. The local application management module manages the applications of the local device and, when the application initiating access control is a local application, selects the local access control module to perform access control. The cross-device application management module manages applications mapped in from subject devices and, when the application initiating access control is one mapped in from another device, selects the cross-device access control module to perform access control.
The access control module includes a local access control module and a cross-device access control module. The local access control module performs authorization checks on access requests initiated by the local device. The cross-device access control module performs authorization checks on access requests initiated by other devices.
The application information management module includes an application identity mapping module, an application context information management module, an application permission mapping management module, and an information synchronization module.
The application identity mapping module maps application identities from other devices to local application identities.
The application context information management module manages the context information of each application (including local applications and mapped-in applications).
The application permission mapping management module maps the permissions of applications on other devices to local permissions.
The information synchronization module synchronizes application information from other devices, such as application identities, context information and synchronization information, into the electronic device 300.
It can be understood that the modules of the electronic device 300 mentioned above may reside in the application layer, application framework layer, system service layer, kernel layer, etc. of the electronic device 300; no limitation is imposed here.
It can be understood that FIG. 13B is merely an illustrative example; the software structure of the electronic device 300 provided in the embodiments of this application may take other forms, or may include more or fewer modules, and no limitation is imposed here.
Refer to FIG. 14, which shows a schematic structural diagram of an electronic device provided in the embodiments of this application.
The electronic device shown in FIG. 14 may be any electronic device in the distributed system 10 shown in FIG. 1, or the electronic device 100 or electronic device 300 in the embodiments above; no limitation is imposed here.
As shown in FIG. 14, the electronic device may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (USB) interface 130, a charging management module 140, a power management module 141, a battery 142, an antenna 1, an antenna 2, a mobile communication module 150, a wireless communication module 160, an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, a headset jack 170D, a sensor module 180, a button 190, a motor 191, an indicator 192, a camera 193, a display 194, a subscriber identification module (SIM) card interface 195, and so on. The sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, a barometric pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, an optical proximity sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, a bone conduction sensor 180M, and so on.
It can be understood that the structure illustrated in the embodiments of this application does not constitute a specific limitation on the electronic device. In other embodiments of this application, the electronic device may include more or fewer components than shown, combine some components, split some components, or arrange the components differently. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The processor 110 may include one or more processing units. For example, the processor 110 may include an application processor (AP), a modem processor, a graphics processing unit (GPU), an image signal processor (ISP), a controller, a video codec, a digital signal processor (DSP), a baseband processor, and/or a neural-network processing unit (NPU). The different processing units may be independent devices or may be integrated in one or more processors.
The controller may generate operation control signals based on instruction opcodes and timing signals, completing the control of instruction fetch and instruction execution.
A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache. This memory may hold instructions or data that the processor 110 has just used or uses cyclically. If the processor 110 needs the instruction or data again, it can be fetched directly from this memory. This avoids repeated accesses and reduces the waiting time of the processor 110, thereby improving system efficiency.
In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an inter-integrated circuit (I2C) interface, an inter-integrated circuit sound (I2S) interface, a pulse code modulation (PCM) interface, a universal asynchronous receiver/transmitter (UART) interface, a mobile industry processor interface (MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (SIM) interface, and/or a universal serial bus (USB) interface, and so on.
The I2C interface is a bidirectional synchronous serial bus comprising a serial data line (SDA) and a serial clock line (SCL). In some embodiments, the processor 110 may contain multiple sets of I2C buses. The processor 110 may be coupled to the touch sensor 180K, a charger, a flash, the camera 193 and the like through different I2C bus interfaces. For example, the processor 110 may be coupled to the touch sensor 180K through an I2C interface so that the processor 110 and the touch sensor 180K communicate over the I2C bus interface, implementing the touch function of the electronic device.
The I2S interface may be used for audio communication. In some embodiments, the processor 110 may contain multiple sets of I2S buses. The processor 110 may be coupled to the audio module 170 through an I2S bus to implement communication between the processor 110 and the audio module 170. In some embodiments, the audio module 170 may transmit audio signals to the wireless communication module 160 through the I2S interface, implementing the function of answering calls through a Bluetooth headset.
The PCM interface may also be used for audio communication, sampling, quantizing and encoding analog signals. In some embodiments, the audio module 170 and the wireless communication module 160 may be coupled through a PCM bus interface. In some embodiments, the audio module 170 may also transmit audio signals to the wireless communication module 160 through the PCM interface, implementing the function of answering calls through a Bluetooth headset. Both the I2S interface and the PCM interface may be used for audio communication.
The UART interface is a universal serial data bus used for asynchronous communication. The bus may be a bidirectional communication bus. It converts the data to be transmitted between serial and parallel form. In some embodiments, the UART interface is typically used to connect the processor 110 with the wireless communication module 160. For example, the processor 110 communicates with the Bluetooth module in the wireless communication module 160 through the UART interface to implement the Bluetooth function. In some embodiments, the audio module 170 may transmit audio signals to the wireless communication module 160 through the UART interface, implementing the function of playing music through a Bluetooth headset.
The MIPI interface may be used to connect the processor 110 with peripheral devices such as the display 194 and the camera 193. The MIPI interface includes a camera serial interface (CSI), a display serial interface (DSI), and so on. In some embodiments, the processor 110 and the camera 193 communicate through the CSI interface to implement the photographing function of the electronic device. The processor 110 and the display 194 communicate through the DSI interface to implement the display function of the electronic device.
The GPIO interface may be configured by software. The GPIO interface may be configured as a control signal or as a data signal. In some embodiments, the GPIO interface may be used to connect the processor 110 with the camera 193, the display 194, the wireless communication module 160, the audio module 170, the sensor module 180, and so on. The GPIO interface may also be configured as an I2C interface, an I2S interface, a UART interface, a MIPI interface, and so on.
The USB interface 130 is an interface that conforms to the USB standard specification and may specifically be a Mini USB interface, a Micro USB interface, a USB Type C interface, or the like. The USB interface 130 may be used to connect a charger to charge the electronic device, or to transfer data between the electronic device and peripheral devices. It may also be used to connect a headset and play audio through it. The interface may also be used to connect other electronic devices, such as AR devices.
It can be understood that the interface connection relationships between the modules illustrated in the embodiments of this application are merely illustrative and do not constitute a structural limitation on the electronic device. In other embodiments of this application, the electronic device may also adopt interface connection modes different from those in the embodiments above, or a combination of multiple interface connection modes.
The charging management module 140 is used to receive charging input from a charger. The charger may be a wireless charger or a wired charger. In some wired charging embodiments, the charging management module 140 may receive the charging input of a wired charger through the USB interface 130. In some wireless charging embodiments, the charging management module 140 may receive wireless charging input through the wireless charging coil of the electronic device. While charging the battery 142, the charging management module 140 may also supply power to the electronic device through the power management module 141.
The power management module 141 is used to connect the battery 142, the charging management module 140 and the processor 110. The power management module 141 receives input from the battery 142 and/or the charging management module 140 and supplies power to the processor 110, the internal memory 121, the display 194, the camera 193, the wireless communication module 160, and so on. The power management module 141 may also be used to monitor parameters such as battery capacity, battery cycle count and battery health (leakage, impedance). In some other embodiments, the power management module 141 may also be provided in the processor 110. In other embodiments, the power management module 141 and the charging management module 140 may also be provided in the same device.
The wireless communication function of the electronic device may be implemented through the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, the modem processor, the baseband processor, and so on.
The antenna 1 and the antenna 2 are used to transmit and receive electromagnetic wave signals. Each antenna in the electronic device may be used to cover one or more communication frequency bands. Different antennas may also be multiplexed to improve antenna utilization. For example, the antenna 1 may be multiplexed as a diversity antenna of a wireless local area network. In some other embodiments, an antenna may be used in combination with a tuning switch.
The mobile communication module 150 may provide wireless communication solutions applied to the electronic device, including 2G/3G/4G/5G. The mobile communication module 150 may include at least one filter, a switch, a power amplifier, a low noise amplifier (LNA), and so on. The mobile communication module 150 may receive electromagnetic waves via the antenna 1, filter and amplify the received electromagnetic waves, and transmit them to the modem processor for demodulation. The mobile communication module 150 may also amplify a signal modulated by the modem processor and convert it into electromagnetic waves for radiation via the antenna 1. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be provided in the processor 110. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be provided in the same device as at least some modules of the processor 110.
The modem processor may include a modulator and a demodulator. The modulator modulates a low-frequency baseband signal to be sent into a medium-to-high frequency signal. The demodulator demodulates a received electromagnetic wave signal into a low-frequency baseband signal. The demodulator then passes the demodulated low-frequency baseband signal to the baseband processor for processing. After processing by the baseband processor, the low-frequency baseband signal is passed to the application processor. The application processor outputs a sound signal through an audio device (not limited to the speaker 170A, the receiver 170B, etc.) or displays an image or video through the display 194. In some embodiments, the modem processor may be an independent device. In other embodiments, the modem processor may be independent of the processor 110 and provided in the same device as the mobile communication module 150 or other functional modules.
The wireless communication module 160 may provide wireless communication solutions applied to the electronic device, including wireless local area networks (WLAN) (such as wireless fidelity (Wi-Fi) networks), Bluetooth (BT), global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR), and so on. The wireless communication module 160 may be one or more devices integrating at least one communication processing module. The wireless communication module 160 receives electromagnetic waves via the antenna 2, demodulates and filters the electromagnetic wave signal, and sends the processed signal to the processor 110. The wireless communication module 160 may also receive a signal to be sent from the processor 110, frequency-modulate and amplify it, and convert it into electromagnetic waves for radiation via the antenna 2.
In some embodiments, the antenna 1 of the electronic device is coupled to the mobile communication module 150 and the antenna 2 to the wireless communication module 160, so that the electronic device can communicate with networks and other devices through wireless communication technologies. The wireless communication technologies may include global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), BT, GNSS, WLAN, NFC, FM, and/or IR technologies. The GNSS may include the global positioning system (GPS), the global navigation satellite system (GLONASS), the BeiDou navigation satellite system (BDS), the quasi-zenith satellite system (QZSS) and/or satellite based augmentation systems (SBAS).
The electronic device implements the display function through the GPU, the display 194, the application processor, and so on. The GPU is a microprocessor for image processing that connects the display 194 and the application processor. The GPU performs mathematical and geometric calculations for graphics rendering. The processor 110 may include one or more GPUs that execute program instructions to generate or change display information.
The display 194 is used to display images, video, and the like. The display 194 includes a display panel. The display panel may use a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light emitting diode (AMOLED), a flex light-emitting diode (FLED), Miniled, MicroLed, Micro-oLed, quantum dot light emitting diodes (QLED), and so on. In some embodiments, the electronic device may include 1 or N displays 194, N being a positive integer greater than 1.
The electronic device may implement the photographing function through the ISP, the camera 193, the video codec, the GPU, the display 194, the application processor, and so on.
The ISP is used to process data fed back by the camera 193. For example, when taking a photo, the shutter opens, light is passed through the lens to the camera's photosensitive element, the optical signal is converted into an electrical signal, and the photosensitive element passes the electrical signal to the ISP for processing, converting it into an image visible to the naked eye. The ISP may also algorithmically optimize the noise, brightness and skin tone of the image. The ISP may also optimize parameters such as the exposure and color temperature of the shooting scene. In some embodiments, the ISP may be provided in the camera 193.
The camera 193 is used to capture still images or video. An object generates an optical image through the lens, which is projected onto the photosensitive element. The photosensitive element may be a charge coupled device (CCD) or a complementary metal-oxide-semiconductor (CMOS) phototransistor. The photosensitive element converts the optical signal into an electrical signal and passes it to the ISP to be converted into a digital image signal. The ISP outputs the digital image signal to the DSP for processing. The DSP converts the digital image signal into an image signal in a standard format such as RGB or YUV. In some embodiments, the electronic device may include 1 or N cameras 193, N being a positive integer greater than 1.
The digital signal processor is used to process digital signals; besides digital image signals it may process other digital signals. For example, when the electronic device selects a frequency point, the digital signal processor performs a Fourier transform or the like on the frequency-point energy.
The video codec is used to compress or decompress digital video. The electronic device may support one or more video codecs, so that it can play or record video in multiple encoding formats, for example moving picture experts group (MPEG) 1, MPEG2, MPEG3, MPEG4, and so on.
The NPU is a neural-network (NN) computing processor that, by borrowing the structure of biological neural networks, for example the pattern of transmission between neurons in the human brain, processes input information rapidly and can also learn continuously by itself. Applications such as intelligent cognition of the electronic device, for example image recognition, face recognition, speech recognition and text understanding, can be implemented through the NPU.
The internal memory 121 may include one or more random access memories (RAM) and one or more non-volatile memories (NVM).
Random access memory may include static random-access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM; for example, fifth-generation DDR SDRAM is generally called DDR5 SDRAM), and so on; non-volatile memory may include magnetic disk storage devices and flash memory.
Flash memory may be divided by operating principle into NOR FLASH, NAND FLASH, 3D NAND FLASH and so on; by the number of potential levels of the storage cell into single-level cell (SLC), multi-level cell (MLC), triple-level cell (TLC), quad-level cell (QLC) and so on; and by storage specification into universal flash storage (UFS), embedded multi media card (eMMC), and so on.
Random access memory may be read and written directly by the processor 110 and may be used to store executable programs (for example machine instructions) of the operating system or other running programs, as well as user and application data.
Non-volatile memory may also store executable programs and user and application data, which can be loaded into random access memory in advance for the processor 110 to read and write directly.
The external memory interface 120 may be used to connect an external non-volatile memory to expand the storage capacity of the electronic device. The external non-volatile memory communicates with the processor 110 through the external memory interface 120 to implement the data storage function, for example saving files such as music and video in the external non-volatile memory.
The electronic device may implement audio functions, such as music playback and recording, through the audio module 170, the speaker 170A, the receiver 170B, the microphone 170C, the headset jack 170D, the application processor, and so on.
The audio module 170 is used to convert digital audio information into an analog audio signal for output and to convert analog audio input into a digital audio signal. The audio module 170 may also be used to encode and decode audio signals. In some embodiments, the audio module 170 may be provided in the processor 110, or some of its functional modules may be provided in the processor 110.
The speaker 170A, also called the "loudspeaker", is used to convert an audio electrical signal into a sound signal. The electronic device can play music or a hands-free call through the speaker 170A.
The receiver 170B, also called the "earpiece", is used to convert an audio electrical signal into a sound signal. When the electronic device answers a call or a voice message, the voice can be heard by bringing the receiver 170B close to the ear.
The microphone 170C, also called the "mic" or "sound transmitter", is used to convert a sound signal into an electrical signal. When making a call or sending a voice message, the user can speak with the mouth close to the microphone 170C to input the sound signal into it. The electronic device may be provided with at least one microphone 170C. In other embodiments, the electronic device may be provided with two microphones 170C, which besides collecting sound signals can also implement noise reduction. In other embodiments, the electronic device may be provided with three, four or more microphones 170C to collect sound signals, reduce noise, identify the sound source, implement directional recording, and so on.
The headset jack 170D is used to connect a wired headset. The headset jack 170D may be the USB interface 130, or a 3.5 mm open mobile terminal platform (OMTP) standard interface or a cellular telecommunications industry association of the USA (CTIA) standard interface.
The pressure sensor 180A is used to sense pressure signals and can convert a pressure signal into an electrical signal. In some embodiments, the pressure sensor 180A may be provided on the display 194. There are many kinds of pressure sensor 180A, such as resistive, inductive and capacitive pressure sensors. A capacitive pressure sensor may comprise at least two parallel plates of conductive material. When a force acts on the pressure sensor 180A, the capacitance between the electrodes changes, and the electronic device determines the strength of the pressure from the change in capacitance. When a touch operation acts on the display 194, the electronic device detects the strength of the touch operation using the pressure sensor 180A. The electronic device may also calculate the position of the touch from the detection signal of the pressure sensor 180A. In some embodiments, touch operations at the same touch position but of different strengths may correspond to different operation instructions. For example, when a touch operation with a strength below a first pressure threshold acts on the short message application icon, an instruction to view short messages is executed; when a touch operation with a strength greater than or equal to the first pressure threshold acts on the short message application icon, an instruction to create a new short message is executed.
The gyroscope sensor 180B may be used to determine the motion posture of the electronic device. In some embodiments, the angular velocity of the electronic device about three axes (namely the x, y and z axes) may be determined through the gyroscope sensor 180B. The gyroscope sensor 180B may be used for image stabilization during shooting. For example, when the shutter is pressed, the gyroscope sensor 180B detects the angle of shake of the electronic device, the distance the lens module needs to compensate is calculated from that angle, and the lens is moved in reverse to cancel out the shake, achieving stabilization. The gyroscope sensor 180B may also be used in navigation and motion-sensing game scenarios.
The barometric pressure sensor 180C is used to measure air pressure. In some embodiments, the electronic device calculates altitude from the air pressure value measured by the barometric pressure sensor 180C to assist positioning and navigation.
The magnetic sensor 180D includes a Hall sensor. The electronic device may use the magnetic sensor 180D to detect the opening and closing of a flip cover case. In some embodiments, when the electronic device is a flip phone, it may detect the opening and closing of the flip through the magnetic sensor 180D, and then set features such as automatic unlocking on flip-open according to the detected open/closed state of the case or flip.
The acceleration sensor 180E can detect the magnitude of the electronic device's acceleration in all directions (generally three axes). When the electronic device is stationary, the magnitude and direction of gravity can be detected. It may also be used to identify the posture of the electronic device, for applications such as switching between landscape and portrait and pedometers.
The distance sensor 180F is used to measure distance. The electronic device may measure distance by infrared or laser. In some embodiments, in a shooting scenario, the electronic device may use the distance sensor 180F to measure distance for fast focusing.
The optical proximity sensor 180G may include, for example, a light-emitting diode (LED) and a light detector such as a photodiode. The light-emitting diode may be an infrared LED. The electronic device emits infrared light outward through the LED and uses the photodiode to detect infrared light reflected from nearby objects. When sufficient reflected light is detected, it can be determined that there is an object near the electronic device; when insufficient reflected light is detected, the electronic device can determine that there is no object nearby. The electronic device may use the optical proximity sensor 180G to detect that the user is holding the device close to the ear during a call, so as to automatically turn off the screen to save power. The optical proximity sensor 180G may also be used for automatic unlocking and locking in case mode and pocket mode.
The ambient light sensor 180L is used to sense the ambient light brightness. The electronic device may adaptively adjust the brightness of the display 194 according to the sensed ambient light brightness. The ambient light sensor 180L may also be used to automatically adjust the white balance when taking photos. The ambient light sensor 180L may also cooperate with the optical proximity sensor 180G to detect whether the electronic device is in a pocket, to prevent accidental touches.
The fingerprint sensor 180H is used to collect fingerprints. The electronic device may use the collected fingerprint characteristics to implement fingerprint unlocking, access to application locks, fingerprint photographing, fingerprint call answering, and so on.
The temperature sensor 180J is used to detect temperature. In some embodiments, the electronic device executes a temperature handling policy using the temperature detected by the temperature sensor 180J. For example, when the temperature reported by the temperature sensor 180J exceeds a threshold, the electronic device reduces the performance of a processor located near the temperature sensor 180J in order to reduce power consumption and implement thermal protection. In other embodiments, when the temperature falls below another threshold, the electronic device heats the battery 142 to avoid abnormal shutdown caused by low temperature. In still other embodiments, when the temperature falls below yet another threshold, the electronic device boosts the output voltage of the battery 142 to avoid abnormal shutdown caused by low temperature.
The touch sensor 180K is also called a "touch device". The touch sensor 180K may be provided on the display 194; the touch sensor 180K and the display 194 together form a touchscreen, also called a "touch panel". The touch sensor 180K is used to detect touch operations acting on or near it. The touch sensor may pass a detected touch operation to the application processor to determine the type of touch event. Visual output related to the touch operation may be provided through the display 194. In other embodiments, the touch sensor 180K may also be provided on a surface of the electronic device at a position different from that of the display 194.
The bone conduction sensor 180M can acquire vibration signals. In some embodiments, the bone conduction sensor 180M can acquire the vibration signal of the vibrating bone of the human vocal part. The bone conduction sensor 180M may also contact the human pulse to receive the blood pressure pulse signal. In some embodiments, the bone conduction sensor 180M may also be provided in a headset, combined into a bone conduction headset. The audio module 170 may parse a speech signal from the vibration signal of the vibrating bone of the vocal part acquired by the bone conduction sensor 180M, implementing a voice function. The application processor may parse heart rate information from the blood pressure pulse signal acquired by the bone conduction sensor 180M, implementing a heart rate detection function.
The button 190 includes a power button, a volume button, and so on. The button 190 may be a mechanical button or a touch button. The electronic device may receive button input and generate key signal input related to the user settings and function control of the electronic device.
The motor 191 can generate vibration prompts. The motor 191 may be used for incoming call vibration prompts or for touch vibration feedback. For example, touch operations acting on different applications (such as photographing and audio playback) may correspond to different vibration feedback effects. Touch operations acting on different areas of the display 194 may also correspond to different vibration feedback effects of the motor 191. Different application scenarios (such as time reminders, receiving messages, alarms and games) may also correspond to different vibration feedback effects. The touch vibration feedback effect may also be customized.
The indicator 192 may be an indicator light, used to indicate charging state and battery level changes, or to indicate messages, missed calls, notifications, and so on.
The SIM card interface 195 is used to connect a SIM card. A SIM card can be inserted into or removed from the SIM card interface 195 to connect to or disconnect from the electronic device. The electronic device may support 1 or N SIM card interfaces, N being a positive integer greater than 1. The SIM card interface 195 may support Nano SIM cards, Micro SIM cards, SIM cards, and so on. Multiple cards may be inserted into the same SIM card interface 195 at the same time; the multiple cards may be of the same type or of different types. The SIM card interface 195 may also be compatible with different types of SIM card and with external memory cards. The electronic device interacts with the network through the SIM card to implement functions such as calls and data communication. In some embodiments, the electronic device uses an eSIM, namely an embedded SIM card; an eSIM card may be embedded in the electronic device and cannot be separated from it.
The embodiments of this application may be combined arbitrarily to achieve different technical effects.
In the embodiments above, implementation may be wholly or partly in software, hardware, firmware, or any combination thereof. When implemented in software, it may be wholly or partly implemented in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired (such as coaxial cable, optical fiber, digital subscriber line) or wireless (such as infrared, radio, microwave) means. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)), and so on.
A person of ordinary skill in the art can understand that all or part of the procedures of the method embodiments above may be completed by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and when executed may include the procedures of the method embodiments above. The storage medium includes various media capable of storing program code, such as ROM, random access memory RAM, magnetic disks or optical discs.
In summary, the above are merely embodiments of the technical solutions of this application and are not intended to limit the scope of protection of this application. Any modification, equivalent replacement, improvement and the like made in accordance with the disclosure of this application shall fall within the scope of protection of this application.
Claims (55)
- 1. An access control method, characterized in that the method applies to a communication system comprising a first device, a second device and a third device, a first caller being installed in the first device, a second caller in the second device and a callee in the third device; the first caller, the second caller and the callee being an application program APP or a functional component, where an APP is a program entity implementing multiple functions and a functional component is a program entity implementing a single function; the method comprising: the first device sends a first access request to the third device, the first access request being for the first caller to call the callee to access a first resource in the third device; the second device sends a second access request to the third device, the second access request being for the second caller to call the callee to access a second resource in the third device; in response to the first access request, the third device creates a first instance of the callee and runs the first instance to access the first resource; in response to the second access request, the third device creates a second instance of the callee and runs the second instance to access the second resource, the second instance being different from the first instance, the first instance and the second instance being processes or threads running in random access memory RAM, and the first instance and the second instance being isolated from each other.
- 2. The method according to claim 1, characterized in that after the third device creates the first instance of the callee and creates the second instance of the callee, the method further comprises: the third device stores the call relationship between the first caller in the first device and the first instance, and the call relationship between the second caller in the second device and the second instance; after the first device sends the first access request to the third device, the method further comprises: the first device stores the call relationship between the first caller and the callee; and after the second device sends the second access request to the third device, the method further comprises: the second device stores the call relationship between the second caller and the callee.
- 3. The method according to claim 1 or 2, characterized in that the third device running the first instance specifically comprises: the third device runs the first instance in a first sandbox; the third device running the second instance specifically comprises: the third device runs the second instance in a second sandbox; and after the third device runs the first instance and runs the second instance, the method further comprises: the third device generates first application data while running the first instance and stores the first application data in the first sandbox; the third device generates second application data while running the second instance and stores the second application data in the second sandbox.
- 4. The method according to any one of claims 1-3, characterized in that the callee comprises a first part and a second part, the first part being deployed in the first device and the second part in the third device; the first resource comprises resources in the first device and the third device; before the first device sends the first access request to the third device, the method further comprises: the first device creates a third instance of the first caller and runs the third instance within a first permission scope; the first access request is generated while the first device runs the third instance; after the first device sends the first access request to the third device, the method further comprises: the first device creates a fourth instance of the first part and runs the fourth instance within a second permission scope to access the first resource; the third instance and the fourth instance have the same user identity UID, and the second permission scope differs from the first permission scope; wherein the first instance is an instance of the second part.
- 5. The method according to any one of claims 1-4, characterized in that after the first device sends the first access request to the third device, the method further comprises: the first caller in the first device changes from a first running state to a second running state; the first device sends the second running state of the first caller to the third device; the third device changes the running state of the first instance to the second running state.
- 6. The method according to any one of claims 1-5, characterized in that after the first device sends the first access request to the third device, the method further comprises: if the third device does not successfully respond to the first access request, the first device sends a third access request to a fourth device in the communication system; the fourth device being the same as or different from the third device, with the callee installed in the fourth device; in response to the third access request, the fourth device creates a fifth instance of the callee and runs the fifth instance to access a third resource of the third device.
- 7. The method according to any one of claims 1-6, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device requests and obtains the permission for the first caller to access the first resource, and sends the permission information of the first caller for accessing the first resource to the third device.
- 8. The method according to any one of claims 1-6, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device checks whether the first caller has permission to access the first resource; if the first caller does not have permission to access the first resource, the third device requests the first device to obtain the permission for the first caller to access the first resource; the first device requests and obtains the permission for the first caller to access the first resource, and sends the permission information of the first caller for accessing the first resource to the third device.
- 9. The method according to claim 8, characterized in that the permission for the first caller to access the first resource, requested and obtained by the first device, is valid for a first time period; or, after the first device sends the permission information of the first caller for accessing the first resource to the third device, the method further comprises: the first device sends to the third device a message for revoking the permission of the first caller to access the first resource.
- 10. The method according to any one of claims 7-9, characterized in that the first caller is a third-party application, and after the first device sends the permission information of the first caller for accessing the first resource to the third device, the method further comprises: the first device records first information, the first information indicating that the third device has obtained the permission information of the first caller; the permission of the first caller in the first device changes; the first device, according to the first information, sends the changed permission information of the first caller to the third device.
- 11. The method according to any one of claims 1-10, characterized in that the first caller is a system application, and before the first device sends the first access request to the third device, the method further comprises: after the first device and the third device establish a connection, the first device sends the permission information of each installed system application to the third device.
- 12. The method according to any one of claims 1-11, characterized in that before the third device, in response to the second access request, creates the second instance of the callee and runs the second instance to access the second resource, the method further comprises: when the third device does not meet the authorization conditions, its distance from the user exceeds a first value, or it is currently unsuitable for authorization, the third device notifies a fifth device in the communication system to request a first permission, the first permission including the permission to call the callee in the third device to access the first resource in the third device; the fifth device requests and obtains the first permission and sends an authorization result to the third device, the authorization result indicating that the user has granted the first permission.
- 13. The method according to any one of claims 1-12, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the first device sends the identity information of the first caller to the third device, the identity information of the first caller including one or more of: the PID and UID of the first caller, the account ID logged in to the first device, the system ID of the first device in the communication system, and the device ID of the first device; different identity information corresponds to different access permissions; the third device confirms the access permissions corresponding to the identity information of the first caller, including the permission of the first caller to access the callee.
- 14. The method according to any one of claims 1-13, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device receives the security level of the third device sent by the third device; the first device confirms, according to the security levels of the first device and the third device, that the first access request is to be sent; wherein a device's security level is determined by the security capability provided by its software and hardware, and the higher the security capability provided by the software and hardware, the higher the device's security level.
- 15. The method according to any one of claims 1-14, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device receives the security level of the first device sent by the first device; the third device confirms, according to the security levels of the first device and the third device, that the first instance is to be run to access the first resource; wherein a device's security level is determined by the security capability provided by its software and hardware, and the higher the security capability provided by the software and hardware, the higher the device's security level.
- 16. The method according to any one of claims 1-15, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device receives the security level of the callee sent by the third device; the first device confirms, according to the security levels of the first caller and the callee, that the first access request is to be sent; wherein an application's security level is determined by the security capability the application provides, and the higher the security capability provided by the application, the higher the application's security level.
- 17. The method according to any one of claims 1-16, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device receives the security level of the first caller sent by the first device; the third device confirms, according to the security levels of the first caller and the callee, that the first instance is to be run to access the first resource; wherein an application's security level is determined by the security capability the application provides, and the higher the security capability provided by the application, the higher the application's security level.
- 18. The method according to any one of claims 1-17, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device confirms, according to the security sensitivities of the first device and the third device, that the first access request is to be sent; wherein a device's security sensitivity is determined by the privacy level of the data in the device, and the higher the privacy level of the data, the higher the device's security sensitivity.
- 19. The method according to any one of claims 1-18, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device confirms, according to the security sensitivities of the first device and the third device, that the first instance is to be run to access the first resource; wherein a device's security sensitivity is determined by the privacy level of the data in the device, and the higher the privacy level of the data, the higher the device's security sensitivity.
- 20. A cross-device access control method, characterized in that the method applies to a communication system comprising a first device, a second device and a third device, a first caller being installed in the first device, a second caller in the second device and a callee in the third device; the first caller, the second caller and the callee being an application program APP or a functional component, where an APP is a program entity implementing multiple functions and a functional component is a program entity implementing a single function; the method comprising: the first device sends a first access request to the third device, the first access request being for the first caller to call the callee to access a first resource of the third device; the second device sends a second access request to the third device, the second access request being for the second caller to call the callee to access the first resource; the third device determines that the priority of the first caller is higher than the priority of the second caller, a caller's priority being determined by one or more of: the caller's running state, the device where the caller resides, the third device, the user logged in to the device where the caller resides, and the user logged in to the third device; the third device responds to the first access request by running the callee to access the first resource.
- 21. A cross-platform access control method, characterized in that the method applies to a communication system comprising a first device and a second device, the first device having a first operating system installed and the second device a second operating system; a caller being installed in the first device and a callee in the second device; the caller and the callee being an application program APP or a functional component, where an APP is a program entity implementing multiple functions and a functional component is a program entity implementing a single function; the method comprising: the first device sends an access request to the second device, the access request being for the caller to call the callee to access a first resource of the second device, the access request being in the description form of the first operating system; the second device maps the access request from the description form of the first operating system to the description form of the second operating system; the second device, according to the access request in the description form of the second operating system, runs the callee to access the first resource.
- 22. An access control method, characterized in that the method applies to a third device in which a callee is installed, the callee being an application program APP or a functional component, where an APP is a program entity implementing multiple functions and a functional component is a program entity implementing a single function; the method comprising: the third device receives a first access request sent by a first device, the first access request being for a first caller installed in the first device to call the callee to access a first resource in the third device, the first caller being the APP or the functional component; the third device receives a second access request sent by a second device, the second access request being for a second caller installed in the second device to call the callee to access a second resource in the third device, the second caller being the APP or the functional component; in response to the first access request, the third device creates a first instance of the callee and runs the first instance to access the first resource; in response to the second access request, the third device creates a second instance of the callee and runs the second instance to access the second resource, the second instance being different from the first instance, the first instance and the second instance being processes or threads running in random access memory RAM, and the first instance and the second instance being isolated from each other.
- 23. The method according to claim 22, characterized in that after the third device creates the first instance of the callee and creates the second instance of the callee, the method further comprises: the third device stores the call relationship between the first caller in the first device and the first instance, and the call relationship between the second caller in the second device and the second instance.
- 24. The method according to claim 22 or 23, characterized in that the third device running the first instance specifically comprises: the third device runs the first instance in a first sandbox; the third device running the second instance specifically comprises: the third device runs the second instance in a second sandbox; and after the third device runs the first instance and runs the second instance, the method further comprises: the third device generates first application data while running the first instance and stores the first application data in the first sandbox; the third device generates second application data while running the second instance and stores the second application data in the second sandbox.
- 25. The method according to any one of claims 22-24, characterized in that after the third device receives the first access request sent by the first device, the method further comprises: the third device receives the changed second running state of the first caller sent by the first device; the third device changes the running state of the first instance to the second running state.
- 26. The method according to any one of claims 22-25, characterized in that before the third device receives the first access request sent by the first device, the method further comprises: the third device receives the permission information of the first caller for accessing the first resource sent by the first device.
- 27. The method according to any one of claims 22-26, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device checks whether the first caller has permission to access the first resource; if the first caller does not have permission to access the first resource, the third device requests the first device to obtain the permission for the first caller to access the first resource; the third device receives the permission information of the first caller for accessing the first resource sent by the first device.
- 28. The method according to claim 27, characterized in that the permission of the first caller to access the first resource is valid for a first time period; or, after the third device receives the permission information of the first caller for accessing the first resource sent by the first device, the method further comprises: the third device receives a message sent by the first device for revoking the permission of the first caller to access the first resource.
- 29. The method according to any one of claims 26-28, characterized in that the first caller is a third-party application, and after the third device receives the permission information of the first caller for accessing the first resource sent by the first device, the third device receives the changed permission information of the first caller sent by the first device.
- 30. The method according to any one of claims 22-29, characterized in that the first caller is a system application, and before the third device receives the first access request sent by the first device, the method further comprises: after the third device and the first device establish a connection, the third device receives the permission information of each system application installed in the first device, sent by the first device.
- 31. The method according to any one of claims 22-30, characterized in that before the third device, in response to the second access request, creates the second instance of the callee and runs the second instance to access the second resource, the method further comprises: when the third device does not meet the authorization conditions, its distance from the user exceeds a first value, or it is currently unsuitable for authorization, the third device notifies a fifth device in the communication system to request a first permission, the first permission including the permission to call the callee in the third device to access the first resource in the third device; the third device receives an authorization result sent by the fifth device, the authorization result indicating that the user has granted the first permission.
- 32. The method according to any one of claims 22-31, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device receives the identity information of the first caller sent by the first device, the identity information of the first caller including one or more of: the PID and UID of the first caller, the account ID logged in to the first device, the system ID of the first device in the communication system, and the device ID of the first device; different identity information corresponds to different access permissions; the third device confirms the access permissions corresponding to the identity information of the first caller, including the permission of the first caller to access the callee.
- 33. The method according to any one of claims 22-32, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device receives the security level of the first device sent by the first device; the third device confirms, according to the security levels of the first device and the third device, that the first instance is to be run to access the first resource; wherein a device's security level is determined by the security capability provided by its software and hardware, and the higher the security capability provided by the software and hardware, the higher the device's security level.
- 34. The method according to any one of claims 22-33, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device receives the security level of the first caller sent by the first device; the third device confirms, according to the security levels of the first caller and the callee, that the first instance is to be run to access the first resource; wherein an application's security level is determined by the security capability the application provides, and the higher the security capability provided by the application, the higher the application's security level.
- 35. The method according to any one of claims 22-34, characterized in that before the third device runs the first instance to access the first resource, the method further comprises: the third device confirms, according to the security sensitivities of the first device and the third device, that the first instance is to be run to access the first resource; wherein a device's security sensitivity is determined by the privacy level of the data in the device, and the higher the privacy level of the data, the higher the device's security sensitivity.
- 36. An access control method, characterized in that the method applies to a communication system comprising a first device and a third device, a first caller and a first part of a callee being installed in the first device and a second part of the callee in the third device; the first caller and the callee being an application program APP or a functional component, where an APP is a program entity implementing multiple functions and a functional component is a program entity implementing a single function; the method comprising: the first device creates a third instance of the first caller and runs the third instance within a first permission scope; while running the third instance, the first device sends a first access request to the third device, the first access request being for the first caller to call the callee to access a first resource, the first resource including resources in the first device and/or the second device; the first device creates a fourth instance of the first part of the callee and runs the fourth instance within a second permission scope to access the first resource; the third instance and the fourth instance have the same user identity UID, and the second permission scope differs from the first permission scope.
- 37. The method according to claim 36, characterized in that after the first device sends the first access request to the third device, the method further comprises: the first caller in the first device changes from a first running state to a second running state; the first device sends the second running state of the first caller to the third device.
- 38. The method according to claim 36 or 37, characterized in that after the first device sends the first access request to the third device, the method further comprises: if the third device does not successfully respond to the first access request, the first device sends a third access request to a fourth device in the communication system; the fourth device being the same as or different from the third device, with the callee installed in the fourth device.
- 39. The method according to any one of claims 36-38, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device requests and obtains the permission for the first caller to access the first resource, and sends the permission information of the first caller for accessing the first resource to the third device.
- 40. The method according to any one of claims 36-39, characterized in that after the first device sends the first access request to the third device, the method further comprises: the first device receives a request sent by the third device for obtaining the permission for the first caller to access the first resource; the first device requests and obtains the permission for the first caller to access the first resource, and sends the permission information of the first caller for accessing the first resource to the third device.
- 41. The method according to any one of claims 36-39, characterized in that the permission for the first caller to access the first resource, requested and obtained by the first device, is valid for a first time period; or, after the first device sends the permission information of the first caller for accessing the first resource to the third device, the method further comprises: the first device sends to the third device a message for revoking the permission of the first caller to access the first resource.
- 42. The method according to any one of claims 39-41, characterized in that the first caller is a third-party application, and after the first device sends the permission information of the first caller for accessing the first resource to the third device, the method further comprises: the first device records first information, the first information indicating that the third device has obtained the permission information of the first caller; the permission of the first caller in the first device changes; the first device, according to the first information, sends the changed permission information of the first caller to the third device.
- 43. The method according to any one of claims 36-42, characterized in that the first caller is a system application, and before the first device sends the first access request to the third device, the method further comprises: after the first device and the third device establish a connection, the first device sends the permission information of each installed system application to the third device.
- 44. The method according to any one of claims 36-43, characterized in that the method further comprises: the first device sends the identity information of the first caller to the third device, the identity information of the first caller including one or more of: the PID and UID of the first caller, the account ID logged in to the first device, the system ID of the first device in the communication system, and the device ID of the first device; different identity information corresponds to different access permissions.
- 45. The method according to any one of claims 36-44, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device receives the security level of the third device sent by the third device; the first device confirms, according to the security levels of the first device and the third device, that the first access request is to be sent; wherein a device's security level is determined by the security capability provided by its software and hardware, and the higher the security capability provided by the software and hardware, the higher the device's security level.
- 46. The method according to any one of claims 36-45, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device receives the security level of the callee sent by the third device; the first device confirms, according to the security levels of the first caller and the callee, that the first access request is to be sent; wherein an application's security level is determined by the security capability the application provides, and the higher the security capability provided by the application, the higher the application's security level.
- 47. The method according to any one of claims 36-46, characterized in that before the first device sends the first access request to the third device, the method further comprises: the first device confirms, according to the security sensitivities of the first device and the third device, that the first access request is to be sent; wherein a device's security sensitivity is determined by the privacy level of the data in the device, and the higher the privacy level of the data, the higher the device's security sensitivity.
- 48. An access control method, characterized in that the method applies to a third device in which a callee is installed; the callee being an application program APP or a functional component, where an APP is a program entity implementing multiple functions and a functional component is a program entity implementing a single function; the method comprising: the third device receives a first access request sent by a first device, the first access request being for a first caller installed in the first device to call the callee to access a first resource of the third device; the first caller being the APP or the functional component; the third device receives a second access request sent by a second device, the second access request being for a second caller installed in the second device to call the callee to access a second resource of the third device; the second caller being the APP or the functional component; the third device determines that the priority of the first caller is higher than the priority of the second caller, a caller's priority being determined by one or more of: the caller's running state, the device where the caller resides, the third device, the user logged in to the device where the caller resides, and the user logged in to the third device; the third device responds to the first access request by running the callee to access the first resource.
- 49. An access control method, characterized in that the method applies to a second device having a second operating system installed; a callee is installed in the second device, the callee being an application program APP or a functional component, where an APP is a program entity implementing multiple functions and a functional component is a program entity implementing a single function; the method comprising: the second device receives an access request sent by the first device, the access request being for a caller installed in a first device to call the callee to access a first resource of the second device; the caller being the APP or the functional component, the first device having a first operating system installed, and the access request being in the description form of the first operating system; the second device maps the access request from the description form of the first operating system to the description form of the second operating system; the second device, according to the access request in the description form of the second operating system, runs the callee to access the first resource.
- 50. An electronic device, characterized in that it comprises a memory and one or more processors; the memory is coupled to the one or more processors and is used to store computer program code, the computer program code comprising computer instructions, which the one or more processors invoke to cause the electronic device to perform the method according to any one of claims 22-35, 36-47, 48 or 49.
- 51. A computer-readable storage medium comprising instructions, characterized in that when the instructions run on an electronic device, they cause the electronic device to perform the method according to any one of claims 22-35, 36-47, 48 or 49.
- 52. A computer program product, characterized in that when the computer program product runs on a computer, it causes the computer to perform the method according to any one of claims 22-35, 36-47, 48 or 49.
- 53. A communication system comprising a first device, a second device and a third device, the first device being configured to perform the method according to any one of claims 36-47 and the third device being configured to perform the method according to any one of claims 22-35.
- 54. A communication system comprising a first device, a second device and a third device, the third device being configured to perform the method according to claim 48.
- 55. A communication system comprising a first device and a second device, the second device being configured to perform the method according to claim 49.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP22770509.2A EP4277213A4 (en) | 2021-03-16 | 2022-03-15 | METHOD FOR CONTROLLING DISTRIBUTED ACCESS AND ASSOCIATED DEVICE AND SYSTEM |
US18/549,353 US20240154966A1 (en) | 2021-03-16 | 2022-03-15 | Distributed access control method and related apparatus and system |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110280096.1 | 2021-03-16 | ||
CN202110280096 | 2021-03-16 | ||
CN202210213077.1A CN115081010A (zh) | 2021-03-16 | 2022-03-04 | Distributed access control method, related apparatus and system |
CN202210213077.1 | 2022-03-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022194156A1 true WO2022194156A1 (zh) | 2022-09-22 |
Family
ID=83246354
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/080973 WO2022194156A1 (zh) | 2021-03-16 | 2022-03-15 | Distributed access control method, related apparatus and system |
Country Status (4)
Country | Link |
---|---|
US (1) | US20240154966A1 (zh) |
EP (1) | EP4277213A4 (zh) |
CN (1) | CN115081010A (zh) |
WO (1) | WO2022194156A1 (zh) |
2022
- 2022-03-04 CN CN202210213077.1A patent/CN115081010A/zh active Pending
- 2022-03-15 US US18/549,353 patent/US20240154966A1/en active Pending
- 2022-03-15 EP EP22770509.2A patent/EP4277213A4/en active Pending
- 2022-03-15 WO PCT/CN2022/080973 patent/WO2022194156A1/zh active Application Filing
Also Published As
Publication number | Publication date |
---|---|
EP4277213A1 (en) | 2023-11-15 |
US20240154966A1 (en) | 2024-05-09 |
EP4277213A4 (en) | 2024-10-02 |
CN115081010A (zh) | 2022-09-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22770509; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2022770509; Country of ref document: EP; Effective date: 20230811 |
| WWE | Wipo information: entry into national phase | Ref document number: 18549353; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |