WO2023051355A1 - Permission check method and electronic device - Google Patents

Permission check method and electronic device Download PDF

Info

Publication number
WO2023051355A1
WO2023051355A1 PCT/CN2022/120260 CN2022120260W WO2023051355A1 WO 2023051355 A1 WO2023051355 A1 WO 2023051355A1 CN 2022120260 W CN2022120260 W CN 2022120260W WO 2023051355 A1 WO2023051355 A1 WO 2023051355A1
Authority
WO
WIPO (PCT)
Prior art keywords
electronic device
file
identification information
account
application
Prior art date
Application number
PCT/CN2022/120260
Other languages
French (fr)
Chinese (zh)
Inventor
沈晴霓
付鹏程
冒晶晶
李家欣
陈涛
汪硕
吴闻博
杨雅辉
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Publication of WO2023051355A1 publication Critical patent/WO2023051355A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/17Details of further file system functions
    • G06F16/172Caching, prefetching or hoarding of files
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/17Details of further file system functions
    • G06F16/176Support for shared access to files; File sharing support
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10File systems; File servers
    • G06F16/18File system types
    • G06F16/182Distributed file systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers

Definitions

  • the present application relates to the field of electronic technology, and more specifically, relates to a method for checking authority and an electronic device.
  • the distributed file system (distributed file system, DFS) expands the file systems distributed in different locations into a system network.
  • the distributed file system in the point-to-point network mode has no concept of client or server, and different terminal devices are nodes at the same level. , when the user requests a file on his terminal device, if the local node owns the file, it will be directly obtained from the local file system, otherwise, the file will be requested from other nodes.
  • the data on the distributed file system needs to be protected according to the corresponding access control policy during its storage, use, and transmission from its generation. Therefore, how to improve the security of file sharing and data access in the distributed file system , becomes a problem to be solved.
  • the present application provides a method and an electronic device related to permission checking, in order to improve the security of file sharing and data access.
  • a permission checking method is provided, the method is applied to a first electronic device, and the method includes:
  • the first electronic device receives an access request message for the first file sent by the second electronic device, where the access request message includes the account of the second electronic device and identification information of the application program, wherein the identification information is for the The application identifier is obtained by performing a first calculation, and the first file is located in the first electronic device;
  • the first electronic device parses the access request message to obtain the account and the identification information
  • the first electronic device determines whether the permission value corresponding to the account and the access permission of the application program to the first file matches a target permission value according to the account and the identification information;
  • the first electronic device sends a different result corresponding to the access request message to the second electronic device according to the matching result.
  • the first electronic device parses the access request message to obtain the identification information of the account and application of the second electronic device, and determines that the account and application Whether the permission value corresponding to the access permission of the file matches the target permission value, and different results are sent to another electronic device according to the matching result.
  • the technical solution can prevent unauthorized accounts and applications from accessing files, thereby improving the security of cross-device access to data.
  • the method further includes:
  • the first electronic device reads the ACL of the first file from the disk
  • the first electronic device acquires the target permission value from the access control list according to the account and the identification information.
  • the account, the identification information and the authority value may be regarded as one record, or may be regarded as multiple records.
  • the ACL may include account, authority value; identification information, authority value; account, identification information, authority value.
  • the access request message further includes the path of the first file, and the first electronic device reads the access path of the first file from the disk.
  • Control list ACL including:
  • the first electronic device reads the ACL of the first file from the disk according to the path.
  • the method further includes:
  • the first electronic device stores the target authority value in a cache.
  • the first electronic device stores the acquired target authority value in the cache, so that when the second electronic device sends the same access request message next time, the first electronic device does not need to obtain the target authority value from the disk value, which is conducive to improving the efficiency of data access.
  • the method further includes:
  • the first electronic device acquires the target authority value from a cache according to the account and the identification information.
  • the first electronic device does not need to obtain the target permission value from the disk, which is beneficial to improve the efficiency of data access.
  • the identification information of the application program includes a package name of the application program.
  • the identification information of the application program may be the package name of the application program, or the name of the application program.
  • the first calculation is a hash calculation
  • the identification information of the application is obtained by performing the hash calculation on the package name of the application A message with a length of 32 bits.
  • the hash calculation in the embodiment of the present application may also be replaced by other algorithms, and the length of the calculated information may also be other lengths, such as 64 bits.
  • a permission checking method is provided, the method is applied to a second electronic device, and the method includes:
  • the second electronic device detects the first operation of the application on the first file
  • the second electronic device In response to the first operation, the second electronic device performs a first calculation on the identification of the application to obtain identification information of the application;
  • the second electronic device sends an access request message of the first file to the first electronic device, where the access request message includes the identification information and an account of the second electronic device.
  • the access request message sent by the second electronic device to the first electronic device includes the identification information of the account and the application program of the second electronic device, so that the security of cross-device data access can be further improved.
  • an apparatus for permission checking including: a transceiver unit, configured to receive an access request message of a first file sent by a second electronic device, where the access request message includes the account of the second electronic device and Identification information of an application program, wherein the identification information is obtained by performing a first calculation on the application program identification, and the first file is located in the device; a processing unit is configured to parse the access request message to obtain The account and the identification information; the processing unit is further configured to determine, according to the account and the identification information, whether the authority value corresponding to the account and the access authority of the application program to the first file matches the target authority value; the transceiving unit is further configured to send a different result corresponding to the access request message to the second electronic device according to the matching result.
  • the processing unit is further configured to: read the access control list ACL of the first file from the disk; The account and the identification information obtain the target permission value from the access control list.
  • the access request message further includes a path of the first file
  • the processing unit is specifically configured to: read the path of the first file from the disk according to the path Specify the ACL of the first file.
  • the processing unit is further configured to: store the target permission value in a cache.
  • the processing unit is further configured to: acquire the target authority from the cache according to the account and the identification information value.
  • the identification information of the application program includes a package name of the application program.
  • the first calculation is a hash calculation
  • the identification information of the application is obtained by performing the hash calculation on the package name of the application A message with a length of 32 bits.
  • an apparatus for checking permissions including: a processing unit configured to detect a first operation performed by an application program on a first file; the processing unit is also configured to respond to the first operation to the The identification information of the application program is obtained by performing a first calculation on the identification of the application program; the transceiver unit is configured to send an access request message of the first file to the first electronic device, and the access request message includes the identification information and account .
  • an electronic device including one or more processors; one or more memories; the one or more memories store one or more computer programs, and the one or more computer programs include Instructions, when the instructions are executed by one or more processors, make the authority described in the first aspect and any possible implementation thereof or in the second aspect and any possible implementation thereof The checked method is executed.
  • a chip includes a processor and a communication interface, the communication interface is used to receive a signal, and transmit the signal to the processor, and the processor processes the signal so that The permission checking method described in the above first aspect and any possible implementation thereof or in the second aspect and any possible implementation thereof is executed.
  • a computer-readable storage medium is provided.
  • Computer instructions are stored in the computer-readable storage medium.
  • the above-mentioned first aspect and any possible The permission checking method described in the implementation manner or in the second aspect and any possible implementation manner thereof is executed.
  • a computer program product including computer instructions.
  • the computer instructions When the computer instructions are run on a computer, the above-mentioned first aspect and any possible implementation thereof or the second aspect and any one of the above-mentioned The permission checking method described in a possible implementation manner is executed.
  • FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of a software structure of an electronic device provided by an embodiment of the present application.
  • Fig. 3 is a schematic flowchart of a cross-device permission check provided by an embodiment of the present application.
  • Fig. 4 is a schematic flowchart of a permission check provided by the embodiment of the present application.
  • Fig. 5 is a schematic flowchart of another permission check provided by the embodiment of the present application.
  • FIG. 6 is a schematic flowchart of another permission check provided by the embodiment of the present application.
  • Fig. 7 is a schematic block diagram of an electronic device provided by an embodiment of the present application.
  • the method for establishing a connection in the embodiment of the present application can be applied to a smart phone, a tablet computer, a notebook computer, a personal computer (personal computer, PC), an ultra-mobile personal computer (ultra-mobile personal computer, UMPC), a netbook, a personal digital assistant (personal digital assistant, PDA), vehicle-mounted equipment, wearable equipment and other electronic equipment, the embodiments of the present application are not limited to this.
  • FIG. 1 shows a schematic structural diagram of an electronic device 100 .
  • the electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (universal serial bus, USB) interface 130, a charging management module 140, a power management module 141, a battery 142, an antenna 1, and an antenna 2 , mobile communication module 150, wireless communication module 160, audio module 170, speaker 170A, receiver 170B, microphone 170C, earphone jack 170D, sensor module 180, button 190, motor 191, indicator 192, camera 193, display screen 194, and A subscriber identification module (subscriber identification module, SIM) card interface 195 and the like.
  • SIM subscriber identification module
  • the sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity light sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, bone conduction sensor 180M, etc.
  • the structure illustrated in the embodiment of the present application does not constitute a specific limitation on the electronic device 100 .
  • the electronic device 100 may include more or fewer components than shown in the figure, or combine certain components, or separate certain components, or arrange different components.
  • the illustrated components can be realized in hardware, software or a combination of software and hardware.
  • the processor 110 may include one or more processing units, for example: the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processing unit (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), controller, memory, video codec, digital signal processor (digital signal processor, DSP), baseband processor, and/or neural network processor (neural-network processing unit, NPU) wait. Wherein, different processing units may be independent devices, or may be integrated in one or more processors.
  • application processor application processor, AP
  • modem processor graphics processing unit
  • GPU graphics processing unit
  • image signal processor image signal processor
  • ISP image signal processor
  • controller memory
  • video codec digital signal processor
  • DSP digital signal processor
  • baseband processor baseband processor
  • neural network processor neural-network processing unit, NPU
  • the controller may be the nerve center and command center of the electronic device 100 .
  • the controller can generate an operation control signal according to the instruction opcode and timing signal, and complete the control of fetching and executing the instruction.
  • a memory may also be provided in the processor 110 for storing instructions and data.
  • the memory in processor 110 is a cache memory.
  • the memory may hold instructions or data that the processor 110 has just used or recycled. If the processor 110 needs to use the instruction or data again, it can be called directly from the memory. Repeated access is avoided, and the waiting time of the processor 110 is reduced, thereby improving the efficiency of the system.
  • processor 110 may include one or more interfaces.
  • the interface may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous transmitter (universal asynchronous receiver/transmitter, UART) interface, mobile industry processor interface (mobile industry processor interface, MIPI), general-purpose input and output (general-purpose input/output, GPIO) interface, subscriber identity module (subscriber identity module, SIM) interface, and /or universal serial bus (universal serial bus, USB) interface, etc.
  • I2C integrated circuit
  • I2S integrated circuit built-in audio
  • PCM pulse code modulation
  • PCM pulse code modulation
  • UART universal asynchronous transmitter
  • MIPI mobile industry processor interface
  • GPIO general-purpose input and output
  • subscriber identity module subscriber identity module
  • SIM subscriber identity module
  • USB universal serial bus
  • the I2C interface is a bidirectional synchronous serial bus, including a serial data line (serial data line, SDA) and a serial clock line (derail clock line, SCL).
  • SDA serial data line
  • SCL serial clock line
  • the I2S interface can be used for audio communication.
  • processor 110 may include multiple sets of I2S buses.
  • the processor 110 may be coupled to the audio module 170 through an I2S bus to implement communication between the processor 110 and the audio module 170 .
  • the PCM interface can also be used for audio communication, sampling, quantizing and encoding the analog signal.
  • the audio module 170 and the wireless communication module 160 may be coupled through a PCM bus interface.
  • the UART interface is a universal serial data bus used for asynchronous communication.
  • the bus can be a bidirectional communication bus. It converts the data to be transmitted between serial communication and parallel communication.
  • a UART interface is generally used to connect the processor 110 and the wireless communication module 160 .
  • the MIPI interface can be used to connect the processor 110 with peripheral devices such as the display screen 194 and the camera 193 .
  • the GPIO interface can be configured by software.
  • the GPIO interface can be configured as a control signal or as a data signal.
  • the GPIO interface can be used to connect the processor 110 with the camera 193 , the display screen 194 , the wireless communication module 160 , the audio module 170 , the sensor module 180 and so on.
  • the USB interface 130 is an interface conforming to the USB standard specification, specifically, it can be a Mini USB interface, a Micro USB interface, a USB Type C interface, and the like.
  • the USB interface 130 can be used to connect a charger to charge the electronic device 100 , and can also be used to transmit data between the electronic device 100 and peripheral devices.
  • the interface connection relationship between the modules shown in the embodiment of the present application is only a schematic illustration, and does not constitute a structural limitation of the electronic device 100 .
  • the electronic device 100 may also adopt different interface connection manners in the foregoing embodiments, or a combination of multiple interface connection manners.
  • the charging management module 140 is configured to receive a charging input from a charger.
  • the charger may be a wireless charger or a wired charger.
  • the charging management module 140 can receive charging input from the wired charger through the USB interface 130 .
  • the charging management module 140 may receive a wireless charging input through a wireless charging coil of the electronic device 100 . While the charging management module 140 is charging the battery 142 , it can also provide power for electronic devices through the power management module 141 .
  • the power management module 141 is used for connecting the battery 142 , the charging management module 140 and the processor 110 .
  • the wireless communication function of the electronic device 100 can be realized by the antenna 1 , the antenna 2 , the mobile communication module 150 , the wireless communication module 160 , a modem processor, a baseband processor, and the like.
  • the mobile communication module 150 can provide wireless communication solutions including 2G/3G/4G/5G applied on the electronic device 100 .
  • a modem processor may include a modulator and a demodulator.
  • the modulator is used for modulating the low-frequency baseband signal to be transmitted into a medium-high frequency signal.
  • the demodulator is used to demodulate the received electromagnetic wave signal into a low frequency baseband signal. Then the demodulator sends the demodulated low-frequency baseband signal to the baseband processor for processing.
  • the low-frequency baseband signal is passed to the application processor after being processed by the baseband processor.
  • the application processor outputs sound signals through audio equipment (not limited to speaker 170A, receiver 170B, etc.), or displays images or videos through display screen 194 .
  • the modem processor may be a stand-alone device.
  • the modem processor may be independent from the processor 110, and be set in the same device as the mobile communication module 150 or other functional modules.
  • the wireless communication module 160 can provide wireless local area networks (wireless local area networks, WLAN) (such as wireless fidelity (Wireless Fidelity, Wi-Fi) network), bluetooth (bluetooth, BT), global navigation satellite, etc. applied on the electronic device 100.
  • WLAN wireless local area networks
  • System global navigation satellite system, GNSS
  • frequency modulation frequency modulation, FM
  • near field communication technology near field communication, NFC
  • infrared technology infrared, IR
  • the antenna 1 of the electronic device 100 is coupled to the mobile communication module 150, and the antenna 2 is coupled to the wireless communication module 160, so that the electronic device 100 can communicate with the network and other devices through wireless communication technology.
  • the electronic device 100 realizes the display function through the GPU, the display screen 194 , and the application processor.
  • the GPU is a microprocessor for image processing, and is connected to the display screen 194 and the application processor. GPUs are used to perform mathematical and geometric calculations for graphics rendering.
  • Processor 110 may include one or more GPUs that execute program instructions to generate or change display information.
  • the display screen 194 is used to display images, videos and the like.
  • the display screen 194 includes a display panel.
  • the display panel can be a liquid crystal display (LCD), or an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode, or an active-matrix organic light-emitting diode (active-matrix organic light-emitting diode).
  • LCD liquid crystal display
  • OLED organic light-emitting diode
  • AMOLED organic light emitting diode
  • flexible light-emitting diode flexible light-emitting diode (flex light-emitting diode, FLED), Miniled, MicroLed, Micro-oLed or quantum dot light emitting diodes (quantum dot light emitting diodes, QLED) and other materials. Fabricated display panels.
  • the electronic device 100 may include 1 or N display screens 194 , where N is a positive integer greater than 1.
  • the electronic device 100 can realize the shooting function through the ISP, the camera 193 , the video codec, the GPU, the display screen 194 and the application processor.
  • the ISP is used for processing the data fed back by the camera 193 .
  • Camera 193 is used to capture still images or video.
  • Digital signal processors are used to process digital signals. In addition to digital image signals, they can also process other digital signals.
  • Video codecs are used to compress or decompress digital video.
  • the electronic device 100 may support one or more video codecs.
  • the external memory interface 120 can be used to connect an external memory card, such as a Micro SD card, so as to expand the storage capacity of the electronic device 100.
  • an external memory card such as a Micro SD card
  • the internal memory 121 may be used to store computer-executable program codes including instructions.
  • the processor 110 executes various functional applications and data processing of the electronic device 100 by executing instructions stored in the internal memory 121 .
  • the electronic device 100 can implement audio functions through the audio module 170 , the speaker 170A, the receiver 170B, the microphone 170C, the earphone interface 170D, and the application processor. Such as music playback, recording, etc.
  • the audio module 170 is used to convert digital audio information into analog audio signal output, and is also used to convert analog audio input into digital audio signal.
  • Speaker 170A also referred to as a "horn" is used to convert audio electrical signals into sound signals.
  • Receiver 170B also called “earpiece” is used to convert audio electrical signals into sound signals.
  • the microphone 170C also called “microphone” or “microphone”, is used to convert sound signals into electrical signals.
  • the earphone interface 170D is used for connecting wired earphones.
  • the pressure sensor 180A is used to sense the pressure signal and convert the pressure signal into an electrical signal.
  • pressure sensor 180A may be disposed on display screen 194 .
  • the gyro sensor 180B can be used to determine the motion posture of the electronic device 100 .
  • the air pressure sensor 180C is used to measure air pressure.
  • the electronic device 100 calculates the altitude based on the air pressure value measured by the air pressure sensor 180C to assist positioning and navigation.
  • the acceleration sensor 180E can detect the acceleration of the electronic device 100 in various directions (generally three axes).
  • the distance sensor 180F is used to measure the distance.
  • the fingerprint sensor 180H is used to collect fingerprints.
  • Touch sensor 180K also known as "touch panel”.
  • the touch sensor 180K can be disposed on the display screen 194, and the touch sensor 180K and the display screen 194 form a touch screen, also called a “touch screen”.
  • the bone conduction sensor 180M can acquire vibration signals.
  • the bone conduction sensor 180M can acquire the vibration signal of the vibrating bone mass of the human voice.
  • the bone conduction sensor 180M can also contact the human pulse and receive the blood pressure beating signal.
  • the keys 190 include a power key, a volume key and the like.
  • the motor 191 can generate a vibrating reminder.
  • the indicator 192 can be an indicator light, and can be used to indicate charging status, power change, and can also be used to indicate messages, missed calls, notifications, and the like.
  • the SIM card interface 195 is used for connecting a SIM card.
  • the software system of the electronic device 100 may adopt a layered architecture, an event-driven architecture, a micro-kernel architecture, a micro-service architecture, or a cloud architecture.
  • the embodiment of the present application takes the Android system with a layered architecture as an example to illustrate the software structure of the electronic device 100 .
  • FIG. 2 is a block diagram of the software structure of the electronic device 100 according to the embodiment of the present application.
  • the layered architecture divides the software into several layers, and each layer has a clear role and division of labor. Layers communicate through software interfaces.
  • the Android system is divided into four layers, which are respectively the application program layer, the application program framework layer, the Android runtime (Android runtime) and the system library, and the kernel layer from top to bottom.
  • the application layer can consist of a series of application packages.
  • the application package may include applications such as camera, gallery, calendar, call, map, navigation, WLAN, Bluetooth, music, video, and short message.
  • the application framework layer provides an application programming interface (application programming interface, API) and a programming framework for applications in the application layer.
  • the application framework layer includes some predefined functions.
  • the application framework layer can include window managers, content providers, view systems, phone managers, resource managers, notification managers, and so on.
  • a window manager is used to manage window programs.
  • the window manager can get the size of the display screen, determine whether there is a status bar, lock the screen, capture the screen, etc.
  • Content providers are used to store and retrieve data and make it accessible to applications.
  • Said data may include video, images, audio, calls made and received, browsing history and bookmarks, phonebook, etc.
  • the view system includes visual controls, such as controls for displaying text, controls for displaying pictures, and so on.
  • the view system can be used to build applications.
  • a display interface can consist of one or more views.
  • a display interface including a text message notification icon may include a view for displaying text and a view for displaying pictures.
  • the phone manager is used to provide communication functions of the electronic device 100 . For example, the management of call status (including connected, hung up, etc.).
  • the resource manager provides various resources for the application, such as localized strings, icons, pictures, layout files, video files, and so on.
  • the notification manager enables the application to display notification information in the status bar, which can be used to convey notification-type messages, and can automatically disappear after a short stay without user interaction.
  • the notification manager is used to notify the download completion, message reminder, etc.
  • the notification manager can also be a notification that appears on the top status bar of the system in the form of a chart or scroll bar text, such as a notification of an application running in the background, or a notification that appears on the screen in the form of a dialog window.
  • prompting text information in the status bar issuing a prompt sound, vibrating the electronic device, and flashing the indicator light, etc.
  • Android runtime includes core library and virtual machine. The Android runtime is responsible for the scheduling and management of the Android system.
  • the core library consists of two parts: one part is the function function that the java language needs to call, and the other part is the core library of Android.
  • the application layer and the application framework layer run in virtual machines.
  • the virtual machine executes the java files of the application program layer and the application program framework layer as binary files.
  • the virtual machine is used to perform functions such as object life cycle management, stack management, thread management, security and exception management, and garbage collection.
  • a system library can include multiple function modules. For example: surface manager (surface manager), media library (media libraries), 3D graphics processing library (eg: OpenGL ES), 2D graphics engine (eg: SGL), etc.
  • the surface manager is used to manage the display subsystem and provides the fusion of 2D and 3D layers for multiple applications.
  • the media library supports playback and recording of various commonly used audio and video formats, as well as still image files, etc.
  • the media library can support a variety of audio and video encoding formats, such as: MPEG4, H.264, MP3, AAC, AMR, JPG, PNG, etc.
  • the 3D graphics processing library is used to implement 3D graphics drawing, image rendering, synthesis and layer processing, etc.
  • 2D graphics engine is a drawing engine for 2D drawing.
  • the kernel layer is the layer between hardware and software.
  • the kernel layer includes at least a display driver, a camera driver, an audio driver, and a sensor driver.
  • the electronic device in the embodiment of the present application may also be an electronic device installed with operating systems such as Hongmeng and Apple.
  • the distributed file system arbitrarily expands different types of files distributed in different places into a system network, allowing many device nodes to connect and transmit information through the network between nodes, so that users can access data at any time in places with a network. Without being limited by equipment and location.
  • the traditional distributed file system is based on the client/server model.
  • This model uses a centralized multi-machine server.
  • the server uses load balancing, hash sharding and other technologies to store the client's data, and then the client sends a file request through the network. retrieve data.
  • P2P peer-to-peer
  • Different terminal devices are equal peer nodes, and this node can serve as client/server at the same time, without a center Server, all terminal devices are connected to a file system, when the user requests a file on the terminal device where the user is located, if the local node owns the file, it will be obtained directly from the local file system, if the file does not exist in the local node, then Request the file from other nodes.
  • the terminal device may set some access permissions for other users who access files on the terminal device.
  • the access control list is a mechanism under autonomous access control, and the file owner can freely grant the permissions of the objects he owns to other users.
  • ACL is a fine-grained access control mechanism. Users can configure multiple access control rules for specific files, allowing or denying specified applications to access specific files, so that even if the application obtains storage permissions, it cannot read and write protected files. Operation, which realizes the granularity of access control on the file system from the entire file system to a single file.
  • ACL_USER and ACL_GROUP types ACL can implement authorization to specified users or user groups.
  • An ACL policy can be represented by a ⁇ tag, perm, id>, where tag represents the user type; perm represents the granted permission; id represents the user identification (user identification, uid) or gid of the application.
  • the ACL access control rule perm includes three types of access rights: read (read, r), write (write, w) and execute (execute, x), so the permission information of an object can be expressed as a combination of these three types.
  • the permission information "rwxr--r---" of the file means that the owner of the file is allowed to read, write and execute the file, the users of the same group of the file are allowed to read the file, and other users or groups have read permission for the file.
  • the ACL access control rules of a file are stored in the extended attribute "system.posix_acl_access" of the file inode.
  • the ACL access control rule of the file is configured by calling the setacl() method, which finally converts the ACL access control rule into an extended attribute by calling the setxattr() method and saves it in the extended attribute "system.posix_acl_access” of the file middle.
  • the system will call the getacl() method to obtain the access control rules of the file.
  • This method converts the extended attributes stored in the file into specific ACL access control rules by calling the getxattr() method.
  • the functions and methods related to ACL access control rules are defined in the inode_operations structure of the file system.
  • the Linux Security Module is a lightweight general-purpose access control framework for the Linux kernel. It enables various security access control models to be implemented in the form of Linux loadable kernel modules, and users can choose appropriate security modules to load into the Linux kernel according to their needs, thus greatly improving the flexibility of Linux security access control mechanisms and ease of use.
  • LSM followed the following principles: decoupling, detachability and high efficiency. This enables the module to do: minimal impact on the operation and replacement of existing modules under the condition of providing a security mechanism; when the user or developer does not need the security mechanism, the module can be uninstalled without causing other negative effects on the system ; Minimal negative impact on performance when running in-kernel.
  • the distributed file system used on the operating systems of mobile phones, tablets, smart TVs, routers, cars, watches and other devices relies on upper-layer services to realize user and distributed management of application data.
  • the requirement of a distributed system is to use user/application data no longer bound to the device, and to separate data storage and business logic on devices scattered in the cluster. While performing unified management of these device data to achieve fast connection, mutual assistance and resource sharing between different terminal devices, the data on the distributed file system starts from generation and is stored, used and transmitted. The whole process needs to provide security protection according to the corresponding access control policy.
  • the embodiment of the present application provides a permission checking method, and the technical solution can improve the security of file sharing and data access.
  • Fig. 3 is a schematic flowchart of a method for cross-device permission checking provided by an embodiment of the present application.
  • the method may be applied to the first electronic device and the second electronic device, and the method may include steps 601 to 608 .
  • An application program in a second electronic device triggers a first operation on a first file.
  • the first file may exist in the second electronic device; the first operation may be the reading, writing or execution mentioned above.
  • the application program A in the second electronic device accesses the file B located in the first electronic device, eg, performs a read operation on the file B.
  • the trigger here may be that the user clicks a certain function control during the use of the application program B, or it may be that the application program B needs to access the file B during the running process, etc., which is not limited in this embodiment of the present application.
  • the upper-level account triggers the first operation on the first file.
  • the account is an account after passing cloud authentication, such as a Huawei account.
  • VFS virtual file system
  • the dfs_read_remote function in the second DFS may be called; if the first operation is a write operation, the dfs_write_remote function in the second DFS may be called.
  • the second DFS calculates the identifier of the application program to obtain the identifier information.
  • the identifier of the application program may be an App ID such as an identifier of an application program source (sourceid), an application program package name (packagename), an application name (appname) and the like.
  • the identifier is an application package name
  • a first calculation such as a hash calculation, may be performed on the application package name to convert the application package name into identification information with a length of 32 bits. It should be understood that the package name of the application program may also have other lengths.
  • the second DFS sends an access request message to the first DFS, where the access request message includes identification information.
  • the access request message may also include an account logged in on the second electronic device.
  • the account is an account that has passed cloud authentication, such as a Huawei account.
  • the access request message may also include the path where the first file is located, and the access request message may also include the above-mentioned first operation.
  • the first DFS of the first electronic device receives the access request message, and parses the access request message.
  • the first DFS may parse the access request message to obtain identification information in the access request message, such as a 32-bit application package name. 606.
  • the first DFS sends the identification information to the security module (secDFS) in the kernel.
  • secDFS security module
  • the security module can be called through a hook function.
  • This security module belongs to the LSM.
  • the first DFS parses the access request message and obtains account information, such as a Huawei account authenticated by the cloud.
  • the security module performs a permission check on the access request.
  • the first electronic device may obtain the ACL of the first file from the disk file, and according to the identification information Obtain the permission value corresponding to the application.
  • the second electronic device stores the permission value of the application program on the first file in the cache.
  • the application program A of the second electronic device accesses the first file again, the first electronic device can obtain its corresponding permission value from the cache instead of from the disk, thereby reducing the need for the second electronic device.
  • the communication overhead of the device accessing the first file multiple times in a short period of time improves the efficiency of file access in distributed scenarios.
  • the ACL may include information such as the user who accesses the first file, the authority of the application program, for example, the authority value of the corresponding authority may be stored in the ACL, such as, the authority value corresponding to the read authority is 4, and the authority value corresponding to the write authority is 4.
  • the permission value is 2, and the permission value corresponding to the execution permission is 1.
  • the ACL may include the identification information of the application program A, and the authority corresponding to the identification information, which can be used to characterize the authority of the application program A, for example, the identification information of the application program A is a 32-bit application package name, the ACL may include the 32-bit application package name and permission value.
  • the application program A of the second electronic device may have a permission value of 4 for the first file, and the application program A has read permission for the first file.
  • the ACL may also include the account, the identification information of the application A and the corresponding permissions, so as to further ensure data security.
  • ACL may be an extended attribute of the first file.
  • Each file can have an ACL.
  • the first electronic device may obtain the permission of the application program A to access the first file from the cache value.
  • the application program A stored in the cache has a permission value of 2 for accessing the first file, and the application program has a write permission for the first file.
  • the access request message indicates that the application A requests to read the first file, and the permission value of the application A for the first file acquired by the second electronic device is 4, then the second The first file in the second electronic device allows the application program A to read it, and then the read first file can be returned to the second electronic device.
  • the read first file may be sent from the first DFS to the second DFS, and the second DFS sends the read first file to the application program A.
  • the access request message indicates that the application A requests to perform a write operation on the first file, and the permission value of the application A on the first file acquired by the second electronic device is 4, then
  • the first file in the second electronic device only allows the application program A to read it, but cannot write or execute the first file. At this time, it means that the first file in the second electronic device does not allow the application program When A writes it, the first electronic device can return the error value to the second electronic device, thereby ensuring the data security of the first file.
  • the identification information of the application program A can be carried in the access request message, so that the first electronic device receives
  • the security module can be invoked to obtain its corresponding permission value according to the identification information, so as to determine whether the application program A has the corresponding permission to access the first file. This improves the security of cross-device data access.
  • Fig. 4 is a schematic flowchart of a method for checking permissions provided by an embodiment of the present application.
  • the method may be applied to an electronic device, and the method may include steps 701 to 706 .
  • An application program B in an electronic device triggers a second operation on a second file.
  • the second file is stored locally in the electronic device, such as in a memory of the electronic device.
  • the first operation may be the above-mentioned read, write, or execute, etc.
  • the application program B in the electronic device accesses the file B locally stored in the electronic device, such as performing a write operation on the file B.
  • the trigger here may be that the user clicks a certain function control during the use of the application program B, or it may be that the application program B needs to access the file B during the running process, etc., which is not limited in this embodiment of the present application.
  • the upper-level account triggers the second operation on the second file.
  • the account is an account after passing cloud authentication, such as a Huawei account.
  • the dfs_read_local function in DFS may be called; if the second operation is a write operation, the dfs_write_local function in DFS may be called.
  • the DFS calculates the identifier of the application program B to obtain identifier information.
  • the identifier of the application program B may be an App ID such as an identifier of an application program source (sourceid), an application program package name (packagename), an application name (appname) and the like.
  • the identifier is an application package name
  • a first calculation such as a hash calculation, may be performed on the application package name to convert the application package name into identification information with a length of 32 bits.
  • package name of the application program may also have other lengths.
  • the security module can be called through a hook function.
  • This security module belongs to the LSM.
  • the security module performs permission check on the second operation.
  • the electronic device may obtain the ACL of the second file from the disk file, and obtain the corresponding authority of the application B according to the identification information value.
  • the ACL may include information such as the user who accesses the second file, the authority of the application program, for example, the authority value of the corresponding authority may be stored in the ACL, such as, the authority value corresponding to the read authority is 4, and the authority value corresponding to the write authority is 4.
  • the permission value is 2, and the permission value corresponding to the execution permission is 1.
  • the ACL may include the identification information of application B and the authority corresponding to the identification information, which may be used to characterize the authority of the application B.
  • the identification information of application B is a 32-bit application package name
  • the ACL may include the 32-bit application package name and permission value.
  • the application B in the ACL has a permission value of 4 for the second file, which means that the application B has read permission for the second file.
  • the electronic device stores the permission value of the application program B on the second file in the cache.
  • the electronic device can obtain its corresponding permission value from the cache instead of from the disk, thereby reducing the number of times application B accesses the second file communication overhead, improving the efficiency of file access in distributed scenarios.
  • the electronic device may acquire the permission value for the application program B to access the second file from the cache.
  • the application program B stored in the cache has a permission value of 2 for accessing the second file, and the application program B has the write permission for the second file.
  • the electronic device obtains a permission value of 4 for the application program B on the second file, then The second file in the electronic device allows the application program B to read it, and then the read second file can be returned to the application program B.
  • the electronic device acquires the application program B's permission value for the second file as 4, then It means that the second file in the electronic device only allows application B to read it, but cannot write or execute the second file. At this time, it means that the second file in the electronic device does not allow application B If it is written, the error value can be returned to the application program B, so that the data security of the second file can be guaranteed.
  • the electronic device when the application program B in the electronic device needs to access the second local file, the electronic device can call the security module to perform permission check, so as to improve the security of data access.
  • Fig. 5 is a schematic flowchart of a permission check provided by the embodiment of the present application.
  • the method may be applied to the first electronic device, and the method may include steps 810 to 840 .
  • the first electronic device receives an access request message for the first file sent by the second electronic device, where the access request message includes an account of the second electronic device and identification information of an application program, where the identification information
  • the first file is obtained by performing the first calculation on the application identifier, and the first file is located in the first electronic device.
  • the account may be an account logged in on the second electronic device, and the account may be an account authenticated by the cloud, such as a Huawei account.
  • the account may also be an account registered on an application program, etc., which is not limited in this embodiment of the present application.
  • the application program identifier may be a package name of the application program.
  • the identification information may be information with a length of 32 bits obtained by hashing the package name of the application program.
  • the application identifier may also include an application name, an identifier of an application source, and the like.
  • the length of the identification information may also be other values.
  • the first electronic device parses the access request message to obtain the account and the identification information.
  • the first electronic device parses the received access request message to obtain the above account and identification information.
  • the first electronic device determines whether the permission value corresponding to the account and the access permission of the application program to the first file matches a target permission value according to the account and the identification information.
  • the target authority value is the authority value stored in the first electronic device.
  • the ACL of the first file is stored in the first electronic device, and the ACL includes accounts and application programs that can access the first file, and their corresponding authority values.
  • the ACL may include accounts and permission values; application identification information and permission values; or account and application identification information and permission values.
  • the account and application are bound together and share The permission value indicates the access permission of the application under the account.
  • the first electronic device sends a different result corresponding to the access request message to the second electronic device according to the matching result.
  • the first electronic device determines that the permission value corresponding to the account and the application program's access permission to the first file matches the target permission value, it means that the first file allows the above account and When the application program makes corresponding access to it, a corresponding result can be returned to the second electronic device.
  • the access request message indicates that account A and application A request to read the first file
  • the first electronic device checks the permissions of account A and application A and finds that the account A and application A If the authority value is 4, then the first electronic device can send the read first file to the second electronic device at this time.
  • the first electronic device determines that the permission value corresponding to the account and the access permission of the application program to the first file does not match the target permission value, it means that the first file does not allow If the above-mentioned account and/or application programs access it accordingly, an error may be returned to the second electronic device.
  • the access request message indicates that account A and application A request to perform a write operation on the first file.
  • the first electronic device checks the permission values of account A and application A, and finds that account A or the permission value of application A is 4, or the permission value of account A and application A as a whole is 4, then it can be determined that account A and/or application A only have read permission for the first file , does not have the write permission, then the first electronic device may send an error to the second electronic device at this time.
  • the first electronic device parses the access request message to obtain the identification information of the account and application program of the second electronic device, and determines that the account and application program are relevant to the second electronic device. Whether the permission value corresponding to the access permission of the file matches the target permission value, and different results are sent to the second electronic device according to the matching result.
  • the technical solution can prevent unauthorized accounts and application programs from accessing files, thereby improving the security of cross-device access to data.
  • the access request message received by the first electronic device carries the identification information of the application program, so that the first electronic device can uniquely determine the application program according to the identification information, and the identification information is also stored in the first electronic device The permission value corresponding to the information, so that when the second electronic device accesses data across devices, other electronic devices (such as the first electronic device) identify the same identification information of the application program.
  • the method further includes: the first electronic device reads the ACL of the first file from a disk; An electronic device acquires the target permission value from the access control list ACL according to the account and the identification information.
  • the account, the identification information and the authority value may be regarded as one record, or may be regarded as multiple records.
  • the ACL may include account, authority value; identification information, authority value; account, identification information, authority value.
  • the access request message further includes the path of the first file, and the first electronic device reads the ACL of the first file from the disk, including: the first electronic device Reading the ACL of the first file from the disk according to the path.
  • the method further includes: storing the target authority value in a cache by the first electronic device.
  • the first electronic device may store the target authority value corresponding to the account and the application program in the buffer, so that when the first electronic device receives the access request message next time For the same access request message, the target permission value can be obtained from the cache, instead of obtaining from the location of the first file in the disk file every time, which is beneficial to improve the efficiency of data access.
  • the method further includes: the first electronic device acquires the target authority value from cache according to the account and the identification information .
  • the first electronic device does not need to obtain the target permission value from the disk, which is beneficial to improve the efficiency of data access.
  • the first calculation is a hash calculation
  • the identification information of the application is 32-bit information obtained through the hash calculation on the package name of the application.
  • the hash calculation in the embodiment of the present application may also be replaced by other algorithms, and the length of the calculated information may also be other lengths, such as 64 bits.
  • Fig. 6 is a schematic flowchart of a permission check provided by the embodiment of the present application.
  • the method may be applied to the second electronic device, and the method may include steps 910 to 930 .
  • the second electronic device detects a first operation performed by an application program on a first file, where the first file is located in the first electronic device.
  • the first operation may be the above-mentioned reading, writing, or executing.
  • the second electronic device performs a first calculation on the identification of the application program to obtain identification information of the application program.
  • the identifier of the application program may be a package name of the application program.
  • the identification information may be information with a length of 32 bits obtained by performing hash calculation on the package name of the application program.
  • the identifier of the application program may also include the name of the application program, the identifier of the source of the application program, and the like.
  • the length of the identification information may also be other values.
  • the second electronic device sends an access request message of the first file to the first electronic device, where the access request message includes the identification information and an account of the second electronic device.
  • the account may be an account logged in on the second electronic device, and the account may be an account authenticated by the cloud, such as a Huawei account.
  • the account may also be an account registered on an application program, etc., which is not limited in this embodiment of the present application.
  • the access request message sent by the second electronic device to the first electronic device includes the identification information of the account and the application program of the second electronic device, so that the cross-device data can be further improved. Security of Access.
  • Fig. 7 is a schematic block diagram of an electronic device provided by an embodiment of the present application.
  • the electronic device 1000 may include one or more memories 1010, one or more processors 1020, one or more computer programs are stored in the one or more memories 1010, and the one or more computers
  • the program includes instructions, and when the instructions are executed by one or more processors 1020, the permission checking method described in any possible implementation manner in the foregoing embodiments is executed.
  • An embodiment of the present application also provides an apparatus for checking permissions, including: a transceiver unit configured to receive an access request message for a first file sent by a second electronic device, where the access request message includes the account and the account number of the second electronic device Identification information of an application program, wherein the identification information is obtained by performing a first calculation on the application program identification, and the first file is located in the device; a processing unit is configured to parse the access request message to obtain The account and the identification information; the processing unit is further configured to determine, according to the account and the identification information, whether the authority value corresponding to the account and the access authority of the application program to the first file matches the target authority value; the transceiving unit is further configured to send a different result corresponding to the access request message to the second electronic device according to the matching result.
  • the processing unit is further configured to: read the ACL of the first file from the disk; Obtain the target permission value in the control list.
  • the access request message further includes the path of the first file
  • the processing unit is specifically configured to: read the access control list ACL of the first file from the disk according to the path
  • the processing unit is further configured to: store the target authority value in a cache.
  • the processing unit is further configured to: obtain the target authority value from cache according to the account and the identification information.
  • the identification information of the application program includes a package name of the application program.
  • the first calculation is a hash calculation
  • the identification information of the application is 32-bit information obtained through the hash calculation on the package name of the application.
  • the embodiment of the present application also provides a permission checking device, including: a processing unit, configured to detect a first operation performed by an application program on a first file; the processing unit is also configured to, in response to the first operation, The identification information of the application program is obtained by performing a first calculation on the identification of the application program; the transceiver unit is configured to send an access request message of the first file to the first electronic device, and the access request message includes the identification information and account.
  • a permission checking device including: a processing unit, configured to detect a first operation performed by an application program on a first file; the processing unit is also configured to, in response to the first operation, The identification information of the application program is obtained by performing a first calculation on the identification of the application program; the transceiver unit is configured to send an access request message of the first file to the first electronic device, and the access request message includes the identification information and account.
  • the embodiment of the present application also provides a chip, the chip includes a processor and a communication interface, the communication interface is used to receive a signal, and transmit the signal to the processor, and the processor processes the signal,
  • the permission checking method described in any possible implementation manner in the foregoing embodiments is executed.
  • This embodiment also provides a computer-readable storage medium, where computer instructions are stored in the computer-readable storage medium.
  • the computer instructions are run on a computer, the The method of permission checking described above is executed.
  • This embodiment also provides a computer program product, which, when running on a computer, causes the computer to execute the above-mentioned related steps, so as to realize the method for checking the authority in the above-mentioned embodiment.
  • an embodiment of the present application also provides a device, which may specifically be a chip, a component or a module, and the device may include a connected processor and a memory; wherein the memory is used to store computer-executable instructions, and when the device is running, The processor can execute the computer-executable instructions stored in the memory, so that the chip executes the permission checking method in the above method embodiments.
  • the electronic device, computer-readable storage medium, computer program product or chip provided in this embodiment is all used to execute the corresponding method provided above, therefore, the beneficial effects it can achieve can refer to the above-mentioned The beneficial effects of the corresponding method will not be repeated here.
  • the disclosed systems, devices and methods may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components can be combined or May be integrated into another system, or some features may be ignored, or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium.
  • the technical solution of the present application is essentially or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disc and other media that can store program codes. .

Abstract

Provided in the present application are a permission check method and an electronic device, wherein the method is applied to a first electronic device. The method comprises: a first electronic device receiving an access request message of a first file, which is sent by a second electronic device, wherein the access request message comprises an account of the second electronic device and identification information of an application program, the identification information is obtained by performing a first instance of calculation on an application program identifier, and the first file is located in the first electronic device; the first electronic device parsing the access request message, so as to obtain the account and the identification information; the first electronic device determining, according to the account and the identification information, whether a permission value corresponding to an access permission of the account and the application program for the first file matches a target permission value; and according to a matching result, the first electronic device sending, to the second electronic device, different results corresponding to the access request message. By means of the technical solution, the security of file sharing and data access can be improved.

Description

权限检查的方法和电子设备Method and electronic device for authority check
本申请要求于2021年09月29日提交中国专利局、申请号为202111150947.7、申请名称为“权限检查的方法和电子设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application with the application number 202111150947.7 and the title of "Authority Checking Method and Electronic Device" filed with the China Patent Office on September 29, 2021, the entire contents of which are incorporated by reference in this application .
技术领域technical field
本申请涉及电子技术领域,并且更具体地,涉及一种权限检查的方法和电子设备。The present application relates to the field of electronic technology, and more specifically, relates to a method for checking authority and an electronic device.
背景技术Background technique
分布式文件系统(distributed file system,DFS)将分布于不同地点的文件系统扩展成一个系统网络,点对点网络模式的分布式文件系统没有客户端或服务器的概念,不同的终端设备均为同级节点,当用户在其所在的终端设备请求文件时,若本地节点拥有该文件,则直接从本地文件系统获取,否则向其他节点请求该文件。The distributed file system (distributed file system, DFS) expands the file systems distributed in different locations into a system network. The distributed file system in the point-to-point network mode has no concept of client or server, and different terminal devices are nodes at the same level. , when the user requests a file on his terminal device, if the local node owns the file, it will be directly obtained from the local file system, otherwise, the file will be requested from other nodes.
分布式文件系统上的数据从生成开始,在其存储、使用、传输的过程中都需要根据对应的访问控制策略进行安全防护,因此,如何提升分布式文件系统中文件共享和数据访问的安全性,成为需要解决的问题。The data on the distributed file system needs to be protected according to the corresponding access control policy during its storage, use, and transmission from its generation. Therefore, how to improve the security of file sharing and data access in the distributed file system , becomes a problem to be solved.
发明内容Contents of the invention
本申请提供一种涉及一种权限检查的方法和电子设备,以期提升文件共享和数据访问的安全性。The present application provides a method and an electronic device related to permission checking, in order to improve the security of file sharing and data access.
第一方面,提供了一种权限检查的方法,所述方法应用于第一电子设备,所述方法包括:In a first aspect, a permission checking method is provided, the method is applied to a first electronic device, and the method includes:
所述第一电子设备接收第二电子设备发送的第一文件的访问请求消息,所述访问请求消息包括所述第二电子设备的账户和应用程序的标识信息,其中,所述标识信息为对所述应用程序标识进行第一计算得到的,所述第一文件位于所述第一电子设备中;The first electronic device receives an access request message for the first file sent by the second electronic device, where the access request message includes the account of the second electronic device and identification information of the application program, wherein the identification information is for the The application identifier is obtained by performing a first calculation, and the first file is located in the first electronic device;
所述第一电子设备解析所述访问请求消息,得到所述账户和所述标识信息;The first electronic device parses the access request message to obtain the account and the identification information;
所述第一电子设备根据所述账户和所述标识信息确定所述账户和应用程序对所述第一文件的访问权限对应的权限值是否匹配目标权限值;The first electronic device determines whether the permission value corresponding to the account and the access permission of the application program to the first file matches a target permission value according to the account and the identification information;
所述第一电子设备根据所述匹配的结果,向所述第二电子设备发送所述访问请求消息对应的不同结果。The first electronic device sends a different result corresponding to the access request message to the second electronic device according to the matching result.
基于本申请实施例,第一电子设备接收到另一电子设备的访问请求消息后,解析该访问请求消息获取到第二电子设备的账户和应用程序的标识信息,并确定该账户和应用程序对文件的访问权限对应的权限值是否匹配目标权限值,并根据匹配结果向另一电子设备发送不同的结果。该技术方案可以避免非授权的账户和应用程序对文件的访问,从而提升跨设备访问数据的安全性。Based on the embodiment of this application, after receiving an access request message from another electronic device, the first electronic device parses the access request message to obtain the identification information of the account and application of the second electronic device, and determines that the account and application Whether the permission value corresponding to the access permission of the file matches the target permission value, and different results are sent to another electronic device according to the matching result. The technical solution can prevent unauthorized accounts and applications from accessing files, thereby improving the security of cross-device access to data.
结合第一方面,在第一方面的某些实现方式中,若所述第一电子设备首次接收所述访问请求消息,所述方法还包括:With reference to the first aspect, in some implementation manners of the first aspect, if the first electronic device receives the access request message for the first time, the method further includes:
所述第一电子设备从磁盘中读取所述第一文件的访问控制列表ACL;The first electronic device reads the ACL of the first file from the disk;
所述第一电子设备根据所述账户和所述标识信息从所述访问控制列表中获取所述目标权限值。The first electronic device acquires the target permission value from the access control list according to the account and the identification information.
其中,该账户和所述标识信息以及权限值可以作为一条记录,也可以作为多条记录。例如,该ACL中可以包括账户、权限值;标识信息、权限值;账户、标识信息、权限值。Wherein, the account, the identification information and the authority value may be regarded as one record, or may be regarded as multiple records. For example, the ACL may include account, authority value; identification information, authority value; account, identification information, authority value.
结合第一方面,在第一方面的某些实现方式中,所述访问请求消息中还包括所述第一文件的路径,所述第一电子设备从磁盘中读取所述第一文件的访问控制列表ACL,包括:With reference to the first aspect, in some implementation manners of the first aspect, the access request message further includes the path of the first file, and the first electronic device reads the access path of the first file from the disk. Control list ACL, including:
所述第一电子设备根据所述路径从磁盘中读取所述第一文件的访问控制列表ACL。The first electronic device reads the ACL of the first file from the disk according to the path.
结合第一方面,在第一方面的某些实现方式中,所述方法还包括:With reference to the first aspect, in some implementation manners of the first aspect, the method further includes:
所述第一电子设备将所述目标权限值存入缓存中。The first electronic device stores the target authority value in a cache.
基于本申请实施例,第一电子设备将获取到的目标权限值存入缓存中,从而在下一次第二电子设备发送同样的访问请求消息时,该第一电子设备无需从磁盘中获取该目标权限值,从而有利于提升数据访问的效率。Based on the embodiment of the present application, the first electronic device stores the acquired target authority value in the cache, so that when the second electronic device sends the same access request message next time, the first electronic device does not need to obtain the target authority value from the disk value, which is conducive to improving the efficiency of data access.
结合第一方面,在第一方面的某些实现方式中,若所述第一电子设备非首次接收所述访问请求消息,所述方法还包括:With reference to the first aspect, in some implementations of the first aspect, if the first electronic device does not receive the access request message for the first time, the method further includes:
所述第一电子设备根据所述账户和所述标识信息从缓存中获取所述目标权限值。The first electronic device acquires the target authority value from a cache according to the account and the identification information.
基于本申请实施例,该第一电子设备无需从磁盘中获取该目标权限值,从而有利于提升数据访问的效率。Based on the embodiment of the present application, the first electronic device does not need to obtain the target permission value from the disk, which is beneficial to improve the efficiency of data access.
结合第一方面,在第一方面的某些实现方式中,所述应用程序的标识信息包括应用程序的包名。With reference to the first aspect, in some implementation manners of the first aspect, the identification information of the application program includes a package name of the application program.
其中,该应用程序的标识信息可以为应用程序的包名,也可以为应用程序名等。Wherein, the identification information of the application program may be the package name of the application program, or the name of the application program.
结合第一方面,在第一方面的某些实现方式中,所述第一计算为哈希计算,所述应用程序的标识信息为对所述应用程序的包名经过所述哈希计算得到的长度为32比特的信息。With reference to the first aspect, in some implementation manners of the first aspect, the first calculation is a hash calculation, and the identification information of the application is obtained by performing the hash calculation on the package name of the application A message with a length of 32 bits.
应理解,本申请实施例中的哈希计算还可以用其他算法进行替代,该计算后的信息的长度也可以为其他长度,如64比特等。It should be understood that the hash calculation in the embodiment of the present application may also be replaced by other algorithms, and the length of the calculated information may also be other lengths, such as 64 bits.
第二方面,提供了一种权限检查的方法,所述方法应用于第二电子设备,所述方法包括:In a second aspect, a permission checking method is provided, the method is applied to a second electronic device, and the method includes:
所述第二电子设备检测应用程序对第一文件的第一操作;The second electronic device detects the first operation of the application on the first file;
响应于所述第一操作,所述第二电子设备对所述应用程序的标识进行第一计算得到所述应用程序的标识信息;In response to the first operation, the second electronic device performs a first calculation on the identification of the application to obtain identification information of the application;
所述第二电子设备向所述第一电子设备发送所述第一文件的访问请求消息,所述访问请求消息包括所述标识信息和所述第二电子设备的账户。The second electronic device sends an access request message of the first file to the first electronic device, where the access request message includes the identification information and an account of the second electronic device.
基于本申请实施例,第二电子设备向第一电子设备发送的访问请求消息中,包括该第二电子设备的账户和应用程序的标识信息,从而可以进一步提升跨设备数据访问的安全性。Based on the embodiment of the present application, the access request message sent by the second electronic device to the first electronic device includes the identification information of the account and the application program of the second electronic device, so that the security of cross-device data access can be further improved.
第三方面,提供了一种权限检查的装置,包括:收发单元,用于接收第二电子设备发送的第一文件的访问请求消息,所述访问请求消息包括所述第二电子设备的账户和应用程序的标识信息,其中,所述标识信息为对所述应用程序标识进行第一计算得到的,所述第一文件位于所述装置中;处理单元,用于解析所述访问请求消息,得到所述账户和所述标 识信息;所述处理单元,还用于根据所述账户和所述标识信息确定所述账户和应用程序对所述第一文件的访问权限对应的权限值是否匹配目标权限值;所述收发单元,还用于根据所述匹配的结果,向所述第二电子设备发送所述访问请求消息对应的不同结果。According to a third aspect, there is provided an apparatus for permission checking, including: a transceiver unit, configured to receive an access request message of a first file sent by a second electronic device, where the access request message includes the account of the second electronic device and Identification information of an application program, wherein the identification information is obtained by performing a first calculation on the application program identification, and the first file is located in the device; a processing unit is configured to parse the access request message to obtain The account and the identification information; the processing unit is further configured to determine, according to the account and the identification information, whether the authority value corresponding to the account and the access authority of the application program to the first file matches the target authority value; the transceiving unit is further configured to send a different result corresponding to the access request message to the second electronic device according to the matching result.
结合第三方面,在第三方面的某些实现方式中,若首次接收所述访问请求消息,所述处理单元还用于:从磁盘中读取所述第一文件的访问控制列表ACL;根据所述账户和所述标识信息从所述访问控制列表中获取所述目标权限值。With reference to the third aspect, in some implementation manners of the third aspect, if the access request message is received for the first time, the processing unit is further configured to: read the access control list ACL of the first file from the disk; The account and the identification information obtain the target permission value from the access control list.
结合第三方面,在第三方面的某些实现方式中,所述访问请求消息中还包括所述第一文件的路径,所述处理单元具体用于:根据所述路径从磁盘中读取所述第一文件的访问控制列表ACL。With reference to the third aspect, in some implementation manners of the third aspect, the access request message further includes a path of the first file, and the processing unit is specifically configured to: read the path of the first file from the disk according to the path Specify the ACL of the first file.
结合第三方面,在第三方面的某些实现方式中,所述处理单元还用于:将所述目标权限值存入缓存中。With reference to the third aspect, in some implementation manners of the third aspect, the processing unit is further configured to: store the target permission value in a cache.
结合第三方面,在第三方面的某些实现方式中,若非首次接收所述访问请求消息,所述处理单元还用于:根据所述账户和所述标识信息从缓存中获取所述目标权限值。With reference to the third aspect, in some implementation manners of the third aspect, if the access request message is not received for the first time, the processing unit is further configured to: acquire the target authority from the cache according to the account and the identification information value.
结合第三方面,在第三方面的某些实现方式中,所述应用程序的标识信息包括应用程序的包名。With reference to the third aspect, in some implementation manners of the third aspect, the identification information of the application program includes a package name of the application program.
结合第三方面,在第三方面的某些实现方式中,所述第一计算为哈希计算,所述应用程序的标识信息为对所述应用程序的包名经过所述哈希计算得到的长度为32比特的信息。With reference to the third aspect, in some implementation manners of the third aspect, the first calculation is a hash calculation, and the identification information of the application is obtained by performing the hash calculation on the package name of the application A message with a length of 32 bits.
第四方面,提供一种权限检查的装置,包括:处理单元,用于检测应用程序对第一文件的第一操作;所述处理单元,还用于响应于所述第一操作,对所述应用程序的标识进行第一计算得到所述应用程序的标识信息;收发单元,用于向第一电子设备发送所述第一文件的访问请求消息,所述访问请求消息包括所述标识信息和账户。In a fourth aspect, an apparatus for checking permissions is provided, including: a processing unit configured to detect a first operation performed by an application program on a first file; the processing unit is also configured to respond to the first operation to the The identification information of the application program is obtained by performing a first calculation on the identification of the application program; the transceiver unit is configured to send an access request message of the first file to the first electronic device, and the access request message includes the identification information and account .
第五方面,提供了一种电子设备,包括一个或多个处理器;一个或多个存储器;所述一个或多个存储器存储有一个或多个计算机程序,所述一个或多个计算机程序包括指令,当所述指令被一个或多个处理器执行时,使得如上述第一方面及其任一种可能的实现方式中或第二方面及其任一种可能的实现方式中所述的权限检查的方法被执行。In a fifth aspect, an electronic device is provided, including one or more processors; one or more memories; the one or more memories store one or more computer programs, and the one or more computer programs include Instructions, when the instructions are executed by one or more processors, make the authority described in the first aspect and any possible implementation thereof or in the second aspect and any possible implementation thereof The checked method is executed.
第六方面,提供一种芯片,所述芯片包括处理器和通信接口,所述通信接口用于接收信号,并将所述信号传输至所述处理器,所述处理器处理所述信号,使得如上述第一方面及其任一种可能的实现方式中或第二方面及其任一种可能的实现方式中所述的权限检查的方法被执行。According to a sixth aspect, a chip is provided, the chip includes a processor and a communication interface, the communication interface is used to receive a signal, and transmit the signal to the processor, and the processor processes the signal so that The permission checking method described in the above first aspect and any possible implementation thereof or in the second aspect and any possible implementation thereof is executed.
第七方面,提供一种计算机可读存储介质,所述计算机可读存储介质中存储有计算机指令,当所述计算机指令在计算机上运行时,使得如上述第一方面及其任一种可能的实现方式中或第二方面及其任一种可能的实现方式中所述的权限检查的方法被执行。In a seventh aspect, a computer-readable storage medium is provided. Computer instructions are stored in the computer-readable storage medium. When the computer instructions are run on a computer, the above-mentioned first aspect and any possible The permission checking method described in the implementation manner or in the second aspect and any possible implementation manner thereof is executed.
第八方面,提供一种计算机程序产品,包括计算机指令,当所述计算机指令在计算机上运行时,使得如上述第一方面及其任一种可能的实现方式中或第二方面及其任一种可能的实现方式中所述的权限检查的方法被执行。In an eighth aspect, a computer program product is provided, including computer instructions. When the computer instructions are run on a computer, the above-mentioned first aspect and any possible implementation thereof or the second aspect and any one of the above-mentioned The permission checking method described in a possible implementation manner is executed.
附图说明Description of drawings
图1是本申请实施例提供的电子设备的结构示意图。FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
图2是本申请实施例提供的电子设备的软件结构示意图。FIG. 2 is a schematic diagram of a software structure of an electronic device provided by an embodiment of the present application.
图3是本申请实施例提供的一种跨设备权限检查的示意性流程图。Fig. 3 is a schematic flowchart of a cross-device permission check provided by an embodiment of the present application.
图4是本申请实施例提供的一种权限检查的示意性流程图。Fig. 4 is a schematic flowchart of a permission check provided by the embodiment of the present application.
图5是本申请实施例提供的另一种权限检查的示意性流程图。Fig. 5 is a schematic flowchart of another permission check provided by the embodiment of the present application.
图6是本申请实施例提供的另一种权限检查的示意性流程图。FIG. 6 is a schematic flowchart of another permission check provided by the embodiment of the present application.
图7是本申请实施例提供的一种电子设备的示意性框图。Fig. 7 is a schematic block diagram of an electronic device provided by an embodiment of the present application.
具体实施方式Detailed ways
下面将结合附图,对本申请中的技术方案进行描述。The technical solution in this application will be described below with reference to the accompanying drawings.
本申请实施例中的建立连接的方法可以应用于智能手机、平板电脑、笔记本电脑、个人计算机(personal computer,PC)、超级移动个人计算机(ultra-mobile personal computer,UMPC)、上网本、个人数字助理(personal digital assistant,PDA)、车载设备、可穿戴设备等电子设备中,本申请实施例对此并不限定。The method for establishing a connection in the embodiment of the present application can be applied to a smart phone, a tablet computer, a notebook computer, a personal computer (personal computer, PC), an ultra-mobile personal computer (ultra-mobile personal computer, UMPC), a netbook, a personal digital assistant (personal digital assistant, PDA), vehicle-mounted equipment, wearable equipment and other electronic equipment, the embodiments of the present application are not limited to this.
图1示出了电子设备100的结构示意图。电子设备100可以包括处理器110,外部存储器接口120,内部存储器121,通用串行总线(universal serial bus,USB)接口130,充电管理模块140,电源管理模块141,电池142,天线1,天线2,移动通信模块150,无线通信模块160,音频模块170,扬声器170A,受话器170B,麦克风170C,耳机接口170D,传感器模块180,按键190,马达191,指示器192,摄像头193,显示屏194,以及用户标识模块(subscriber identification module,SIM)卡接口195等。其中传感器模块180可以包括压力传感器180A,陀螺仪传感器180B,气压传感器180C,磁传感器180D,加速度传感器180E,距离传感器180F,接近光传感器180G,指纹传感器180H,温度传感器180J,触摸传感器180K,环境光传感器180L,骨传导传感器180M等。FIG. 1 shows a schematic structural diagram of an electronic device 100 . The electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (universal serial bus, USB) interface 130, a charging management module 140, a power management module 141, a battery 142, an antenna 1, and an antenna 2 , mobile communication module 150, wireless communication module 160, audio module 170, speaker 170A, receiver 170B, microphone 170C, earphone jack 170D, sensor module 180, button 190, motor 191, indicator 192, camera 193, display screen 194, and A subscriber identification module (subscriber identification module, SIM) card interface 195 and the like. The sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity light sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, bone conduction sensor 180M, etc.
可以理解的是,本申请实施例示意的结构并不构成对电子设备100的具体限定。在本申请另一些实施例中,电子设备100可以包括比图示更多或更少的部件,或者组合某些部件,或者拆分某些部件,或者不同的部件布置。图示的部件可以以硬件,软件或软件和硬件的组合实现。It can be understood that, the structure illustrated in the embodiment of the present application does not constitute a specific limitation on the electronic device 100 . In other embodiments of the present application, the electronic device 100 may include more or fewer components than shown in the figure, or combine certain components, or separate certain components, or arrange different components. The illustrated components can be realized in hardware, software or a combination of software and hardware.
处理器110可以包括一个或多个处理单元,例如:处理器110可以包括应用处理器(application processor,AP),调制解调处理器,图形处理器(graphics processing unit,GPU),图像信号处理器(image signal processor,ISP),控制器,存储器,视频编解码器,数字信号处理器(digital signal processor,DSP),基带处理器,和/或神经网络处理器(neural-network processing unit,NPU)等。其中,不同的处理单元可以是独立的器件,也可以集成在一个或多个处理器中。The processor 110 may include one or more processing units, for example: the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processing unit (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), controller, memory, video codec, digital signal processor (digital signal processor, DSP), baseband processor, and/or neural network processor (neural-network processing unit, NPU) wait. Wherein, different processing units may be independent devices, or may be integrated in one or more processors.
其中,控制器可以是电子设备100的神经中枢和指挥中心。控制器可以根据指令操作码和时序信号,产生操作控制信号,完成取指令和执行指令的控制。Wherein, the controller may be the nerve center and command center of the electronic device 100 . The controller can generate an operation control signal according to the instruction opcode and timing signal, and complete the control of fetching and executing the instruction.
处理器110中还可以设置存储器,用于存储指令和数据。在一些实施例中,处理器110中的存储器为高速缓冲存储器。该存储器可以保存处理器110刚用过或循环使用的指令或数据。如果处理器110需要再次使用该指令或数据,可从所述存储器中直接调用。避免了重复存取,减少了处理器110的等待时间,因而提高了系统的效率。A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in processor 110 is a cache memory. The memory may hold instructions or data that the processor 110 has just used or recycled. If the processor 110 needs to use the instruction or data again, it can be called directly from the memory. Repeated access is avoided, and the waiting time of the processor 110 is reduced, thereby improving the efficiency of the system.
在一些实施例中,处理器110可以包括一个或多个接口。接口可以包括集成电路(inter-integrated circuit,I2C)接口,集成电路内置音频(inter-integrated circuit sound,I2S)接口,脉冲编码调制(pulse code modulation,PCM)接口,通用异步收发传输器(universal asynchronous receiver/transmitter,UART)接口,移动产业处理器接口(mobile industry  processor interface,MIPI),通用输入输出(general-purpose input/output,GPIO)接口,用户标识模块(subscriber identity module,SIM)接口,和/或通用串行总线(universal serial bus,USB)接口等。In some embodiments, processor 110 may include one or more interfaces. The interface may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous transmitter (universal asynchronous receiver/transmitter, UART) interface, mobile industry processor interface (mobile industry processor interface, MIPI), general-purpose input and output (general-purpose input/output, GPIO) interface, subscriber identity module (subscriber identity module, SIM) interface, and /or universal serial bus (universal serial bus, USB) interface, etc.
I2C接口是一种双向同步串行总线,包括一根串行数据线(serial data line,SDA)和一根串行时钟线(derail clock line,SCL)。The I2C interface is a bidirectional synchronous serial bus, including a serial data line (serial data line, SDA) and a serial clock line (derail clock line, SCL).
I2S接口可以用于音频通信。在一些实施例中,处理器110可以包含多组I2S总线。处理器110可以通过I2S总线与音频模块170耦合,实现处理器110与音频模块170之间的通信。The I2S interface can be used for audio communication. In some embodiments, processor 110 may include multiple sets of I2S buses. The processor 110 may be coupled to the audio module 170 through an I2S bus to implement communication between the processor 110 and the audio module 170 .
PCM接口也可以用于音频通信,将模拟信号抽样,量化和编码。在一些实施例中,音频模块170与无线通信模块160可以通过PCM总线接口耦合。The PCM interface can also be used for audio communication, sampling, quantizing and encoding the analog signal. In some embodiments, the audio module 170 and the wireless communication module 160 may be coupled through a PCM bus interface.
UART接口是一种通用串行数据总线,用于异步通信。该总线可以为双向通信总线。它将要传输的数据在串行通信与并行通信之间转换。在一些实施例中,UART接口通常被用于连接处理器110与无线通信模块160。The UART interface is a universal serial data bus used for asynchronous communication. The bus can be a bidirectional communication bus. It converts the data to be transmitted between serial communication and parallel communication. In some embodiments, a UART interface is generally used to connect the processor 110 and the wireless communication module 160 .
MIPI接口可以被用于连接处理器110与显示屏194,摄像头193等外围器件。The MIPI interface can be used to connect the processor 110 with peripheral devices such as the display screen 194 and the camera 193 .
GPIO接口可以通过软件配置。GPIO接口可以被配置为控制信号,也可被配置为数据信号。在一些实施例中,GPIO接口可以用于连接处理器110与摄像头193,显示屏194,无线通信模块160,音频模块170,传感器模块180等。The GPIO interface can be configured by software. The GPIO interface can be configured as a control signal or as a data signal. In some embodiments, the GPIO interface can be used to connect the processor 110 with the camera 193 , the display screen 194 , the wireless communication module 160 , the audio module 170 , the sensor module 180 and so on.
USB接口130是符合USB标准规范的接口,具体可以是Mini USB接口,Micro USB接口,USB Type C接口等。USB接口130可以用于连接充电器为电子设备100充电,也可以用于电子设备100与外围设备之间传输数据。The USB interface 130 is an interface conforming to the USB standard specification, specifically, it can be a Mini USB interface, a Micro USB interface, a USB Type C interface, and the like. The USB interface 130 can be used to connect a charger to charge the electronic device 100 , and can also be used to transmit data between the electronic device 100 and peripheral devices.
可以理解的是,本申请实施例示意的各模块间的接口连接关系,只是示意性说明,并不构成对电子设备100的结构限定。在本申请另一些实施例中,电子设备100也可以采用上述实施例中不同的接口连接方式,或多种接口连接方式的组合。It can be understood that the interface connection relationship between the modules shown in the embodiment of the present application is only a schematic illustration, and does not constitute a structural limitation of the electronic device 100 . In other embodiments of the present application, the electronic device 100 may also adopt different interface connection manners in the foregoing embodiments, or a combination of multiple interface connection manners.
充电管理模块140用于从充电器接收充电输入。其中,充电器可以是无线充电器,也可以是有线充电器。在一些有线充电的实施例中,充电管理模块140可以通过USB接口130接收有线充电器的充电输入。在一些无线充电的实施例中,充电管理模块140可以通过电子设备100的无线充电线圈接收无线充电输入。充电管理模块140为电池142充电的同时,还可以通过电源管理模块141为电子设备供电。The charging management module 140 is configured to receive a charging input from a charger. Wherein, the charger may be a wireless charger or a wired charger. In some wired charging embodiments, the charging management module 140 can receive charging input from the wired charger through the USB interface 130 . In some wireless charging embodiments, the charging management module 140 may receive a wireless charging input through a wireless charging coil of the electronic device 100 . While the charging management module 140 is charging the battery 142 , it can also provide power for electronic devices through the power management module 141 .
电源管理模块141用于连接电池142,充电管理模块140与处理器110。The power management module 141 is used for connecting the battery 142 , the charging management module 140 and the processor 110 .
电子设备100的无线通信功能可以通过天线1,天线2,移动通信模块150,无线通信模块160,调制解调处理器以及基带处理器等实现。The wireless communication function of the electronic device 100 can be realized by the antenna 1 , the antenna 2 , the mobile communication module 150 , the wireless communication module 160 , a modem processor, a baseband processor, and the like.
移动通信模块150可以提供应用在电子设备100上的包括2G/3G/4G/5G等无线通信的解决方案。The mobile communication module 150 can provide wireless communication solutions including 2G/3G/4G/5G applied on the electronic device 100 .
调制解调处理器可以包括调制器和解调器。其中,调制器用于将待发送的低频基带信号调制成中高频信号。解调器用于将接收的电磁波信号解调为低频基带信号。随后解调器将解调得到的低频基带信号传送至基带处理器处理。低频基带信号经基带处理器处理后,被传递给应用处理器。应用处理器通过音频设备(不限于扬声器170A,受话器170B等)输出声音信号,或通过显示屏194显示图像或视频。在一些实施例中,调制解调处理器可以是独立的器件。在另一些实施例中,调制解调处理器可以独立于处理器110,与移动通信模块150或其他功能模块设置在同一个器件中。A modem processor may include a modulator and a demodulator. Wherein, the modulator is used for modulating the low-frequency baseband signal to be transmitted into a medium-high frequency signal. The demodulator is used to demodulate the received electromagnetic wave signal into a low frequency baseband signal. Then the demodulator sends the demodulated low-frequency baseband signal to the baseband processor for processing. The low-frequency baseband signal is passed to the application processor after being processed by the baseband processor. The application processor outputs sound signals through audio equipment (not limited to speaker 170A, receiver 170B, etc.), or displays images or videos through display screen 194 . In some embodiments, the modem processor may be a stand-alone device. In some other embodiments, the modem processor may be independent from the processor 110, and be set in the same device as the mobile communication module 150 or other functional modules.
无线通信模块160可以提供应用在电子设备100上的包括无线局域网(wireless local area networks,WLAN)(如无线保真(wireless fidelity,Wi-Fi)网络),蓝牙(bluetooth,BT),全球导航卫星系统(global navigation satellite system,GNSS),调频(frequency modulation,FM),近距离无线通信技术(near field communication,NFC),红外技术(infrared,IR)等无线通信的解决方案。The wireless communication module 160 can provide wireless local area networks (wireless local area networks, WLAN) (such as wireless fidelity (Wireless Fidelity, Wi-Fi) network), bluetooth (bluetooth, BT), global navigation satellite, etc. applied on the electronic device 100. System (global navigation satellite system, GNSS), frequency modulation (frequency modulation, FM), near field communication technology (near field communication, NFC), infrared technology (infrared, IR) and other wireless communication solutions.
在一些实施例中,电子设备100的天线1和移动通信模块150耦合,天线2和无线通信模块160耦合,使得电子设备100可以通过无线通信技术与网络以及其他设备通信。In some embodiments, the antenna 1 of the electronic device 100 is coupled to the mobile communication module 150, and the antenna 2 is coupled to the wireless communication module 160, so that the electronic device 100 can communicate with the network and other devices through wireless communication technology.
电子设备100通过GPU,显示屏194,以及应用处理器等实现显示功能。GPU为图像处理的微处理器,连接显示屏194和应用处理器。GPU用于执行数学和几何计算,用于图形渲染。处理器110可包括一个或多个GPU,其执行程序指令以生成或改变显示信息。The electronic device 100 realizes the display function through the GPU, the display screen 194 , and the application processor. The GPU is a microprocessor for image processing, and is connected to the display screen 194 and the application processor. GPUs are used to perform mathematical and geometric calculations for graphics rendering. Processor 110 may include one or more GPUs that execute program instructions to generate or change display information.
显示屏194用于显示图像,视频等。显示屏194包括显示面板。显示面板可以采用液晶显示屏(liquid crystal display,LCD),也可以采用有机发光二极管(organic light-emitting diode,OLED)、有源矩阵有机发光二极体或主动矩阵有机发光二极体(active-matrix organic light emitting diode,AMOLED)、柔性发光二极管(flex light-emitting diode,FLED)、Miniled、MicroLed、Micro-oLed或量子点发光二极管(quantum dot light emitting diodes,QLED)等材料中的一种所制作的显示面板。在一些实施例中,电子设备100可以包括1个或N个显示屏194,N为大于1的正整数。The display screen 194 is used to display images, videos and the like. The display screen 194 includes a display panel. The display panel can be a liquid crystal display (LCD), or an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode, or an active-matrix organic light-emitting diode (active-matrix organic light-emitting diode). Matrix organic light emitting diode (AMOLED), flexible light-emitting diode (flex light-emitting diode, FLED), Miniled, MicroLed, Micro-oLed or quantum dot light emitting diodes (quantum dot light emitting diodes, QLED) and other materials. Fabricated display panels. In some embodiments, the electronic device 100 may include 1 or N display screens 194 , where N is a positive integer greater than 1.
电子设备100可以通过ISP,摄像头193,视频编解码器,GPU,显示屏194以及应用处理器等实现拍摄功能。The electronic device 100 can realize the shooting function through the ISP, the camera 193 , the video codec, the GPU, the display screen 194 and the application processor.
ISP用于处理摄像头193反馈的数据。摄像头193用于捕获静态图像或视频。The ISP is used for processing the data fed back by the camera 193 . Camera 193 is used to capture still images or video.
数字信号处理器用于处理数字信号,除了可以处理数字图像信号,还可以处理其他数字信号。Digital signal processors are used to process digital signals. In addition to digital image signals, they can also process other digital signals.
视频编解码器用于对数字视频压缩或解压缩。电子设备100可以支持一种或多种视频编解码器。Video codecs are used to compress or decompress digital video. The electronic device 100 may support one or more video codecs.
外部存储器接口120可以用于连接外部存储卡,例如Micro SD卡,实现扩展电子设备100的存储能力。The external memory interface 120 can be used to connect an external memory card, such as a Micro SD card, so as to expand the storage capacity of the electronic device 100.
内部存储器121可以用于存储计算机可执行程序代码,所述可执行程序代码包括指令。处理器110通过运行存储在内部存储器121的指令,从而执行电子设备100的各种功能应用以及数据处理。The internal memory 121 may be used to store computer-executable program codes including instructions. The processor 110 executes various functional applications and data processing of the electronic device 100 by executing instructions stored in the internal memory 121 .
电子设备100可以通过音频模块170,扬声器170A,受话器170B,麦克风170C,耳机接口170D,以及应用处理器等实现音频功能。例如音乐播放,录音等。The electronic device 100 can implement audio functions through the audio module 170 , the speaker 170A, the receiver 170B, the microphone 170C, the earphone interface 170D, and the application processor. Such as music playback, recording, etc.
音频模块170用于将数字音频信息转换成模拟音频信号输出,也用于将模拟音频输入转换为数字音频信号。The audio module 170 is used to convert digital audio information into analog audio signal output, and is also used to convert analog audio input into digital audio signal.
扬声器170A,也称“喇叭”,用于将音频电信号转换为声音信号。 Speaker 170A, also referred to as a "horn", is used to convert audio electrical signals into sound signals.
受话器170B,也称“听筒”,用于将音频电信号转换成声音信号。 Receiver 170B, also called "earpiece", is used to convert audio electrical signals into sound signals.
麦克风170C,也称“话筒”,“传声器”,用于将声音信号转换为电信号。The microphone 170C, also called "microphone" or "microphone", is used to convert sound signals into electrical signals.
耳机接口170D用于连接有线耳机。The earphone interface 170D is used for connecting wired earphones.
压力传感器180A用于感受压力信号,可以将压力信号转换成电信号。在一些实施例中,压力传感器180A可以设置于显示屏194。The pressure sensor 180A is used to sense the pressure signal and convert the pressure signal into an electrical signal. In some embodiments, pressure sensor 180A may be disposed on display screen 194 .
陀螺仪传感器180B可以用于确定电子设备100的运动姿态。The gyro sensor 180B can be used to determine the motion posture of the electronic device 100 .
气压传感器180C用于测量气压。在一些实施例中,电子设备100通过气压传感器180C测得的气压值计算海拔高度,辅助定位和导航。The air pressure sensor 180C is used to measure air pressure. In some embodiments, the electronic device 100 calculates the altitude based on the air pressure value measured by the air pressure sensor 180C to assist positioning and navigation.
加速度传感器180E可检测电子设备100在各个方向上(一般为三轴)加速度的大小。The acceleration sensor 180E can detect the acceleration of the electronic device 100 in various directions (generally three axes).
距离传感器180F,用于测量距离。The distance sensor 180F is used to measure the distance.
指纹传感器180H用于采集指纹。The fingerprint sensor 180H is used to collect fingerprints.
触摸传感器180K,也称“触控面板”。触摸传感器180K可以设置于显示屏194,由触摸传感器180K与显示屏194组成触摸屏,也称“触控屏”。Touch sensor 180K, also known as "touch panel". The touch sensor 180K can be disposed on the display screen 194, and the touch sensor 180K and the display screen 194 form a touch screen, also called a “touch screen”.
骨传导传感器180M可以获取振动信号。在一些实施例中,骨传导传感器180M可以获取人体声部振动骨块的振动信号。骨传导传感器180M也可以接触人体脉搏,接收血压跳动信号。The bone conduction sensor 180M can acquire vibration signals. In some embodiments, the bone conduction sensor 180M can acquire the vibration signal of the vibrating bone mass of the human voice. The bone conduction sensor 180M can also contact the human pulse and receive the blood pressure beating signal.
按键190包括开机键,音量键等。The keys 190 include a power key, a volume key and the like.
马达191可以产生振动提示。The motor 191 can generate a vibrating reminder.
指示器192可以是指示灯,可以用于指示充电状态,电量变化,也可以用于指示消息,未接来电,通知等。The indicator 192 can be an indicator light, and can be used to indicate charging status, power change, and can also be used to indicate messages, missed calls, notifications, and the like.
SIM卡接口195用于连接SIM卡。The SIM card interface 195 is used for connecting a SIM card.
电子设备100的软件系统可以采用分层架构,事件驱动架构,微核架构,微服务架构,或云架构。本申请实施例以分层架构的Android系统为例,示例性说明电子设备100的软件结构。The software system of the electronic device 100 may adopt a layered architecture, an event-driven architecture, a micro-kernel architecture, a micro-service architecture, or a cloud architecture. The embodiment of the present application takes the Android system with a layered architecture as an example to illustrate the software structure of the electronic device 100 .
图2是本申请实施例的电子设备100的软件结构框图。分层架构将软件分成若干个层,每一层都有清晰的角色和分工。层与层之间通过软件接口通信。在一些实施例中,将Android系统分为四层,从上至下分别为应用程序层,应用程序框架层,安卓运行时(Android runtime)和系统库,以及内核层。应用程序层可以包括一系列应用程序包。FIG. 2 is a block diagram of the software structure of the electronic device 100 according to the embodiment of the present application. The layered architecture divides the software into several layers, and each layer has a clear role and division of labor. Layers communicate through software interfaces. In some embodiments, the Android system is divided into four layers, which are respectively the application program layer, the application program framework layer, the Android runtime (Android runtime) and the system library, and the kernel layer from top to bottom. The application layer can consist of a series of application packages.
如图2所示,应用程序包可以包括相机,图库,日历,通话,地图,导航,WLAN,蓝牙,音乐,视频,短信息等应用程序。As shown in Figure 2, the application package may include applications such as camera, gallery, calendar, call, map, navigation, WLAN, Bluetooth, music, video, and short message.
应用程序框架层为应用程序层的应用程序提供应用编程接口(application programming interface,API)和编程框架。应用程序框架层包括一些预先定义的函数。The application framework layer provides an application programming interface (application programming interface, API) and a programming framework for applications in the application layer. The application framework layer includes some predefined functions.
如图2所示,应用程序框架层可以包括窗口管理器,内容提供器,视图系统,电话管理器,资源管理器,通知管理器等。As shown in Figure 2, the application framework layer can include window managers, content providers, view systems, phone managers, resource managers, notification managers, and so on.
窗口管理器用于管理窗口程序。窗口管理器可以获取显示屏大小,判断是否有状态栏,锁定屏幕,截取屏幕等。A window manager is used to manage window programs. The window manager can get the size of the display screen, determine whether there is a status bar, lock the screen, capture the screen, etc.
内容提供器用来存放和获取数据,并使这些数据可以被应用程序访问。所述数据可以包括视频,图像,音频,拨打和接听的电话,浏览历史和书签,电话簿等。Content providers are used to store and retrieve data and make it accessible to applications. Said data may include video, images, audio, calls made and received, browsing history and bookmarks, phonebook, etc.
视图系统包括可视控件,例如显示文字的控件,显示图片的控件等。视图系统可用于构建应用程序。显示界面可以由一个或多个视图组成的。例如,包括短信通知图标的显示界面,可以包括显示文字的视图以及显示图片的视图。The view system includes visual controls, such as controls for displaying text, controls for displaying pictures, and so on. The view system can be used to build applications. A display interface can consist of one or more views. For example, a display interface including a text message notification icon may include a view for displaying text and a view for displaying pictures.
电话管理器用于提供电子设备100的通信功能。例如通话状态的管理(包括接通,挂断等)。The phone manager is used to provide communication functions of the electronic device 100 . For example, the management of call status (including connected, hung up, etc.).
资源管理器为应用程序提供各种资源,比如本地化字符串,图标,图片,布局文件,视频文件等等。The resource manager provides various resources for the application, such as localized strings, icons, pictures, layout files, video files, and so on.
通知管理器使应用程序可以在状态栏中显示通知信息,可以用于传达告知类型的消息,可以短暂停留后自动消失,无需用户交互。比如通知管理器被用于告知下载完成,消息提醒等。通知管理器还可以是以图表或者滚动条文本形式出现在系统顶部状态栏的通知,例如后台运行的应用程序的通知,还可以是以对话窗口形式出现在屏幕上的通知。例如在状态栏提示文本信息,发出提示音,电子设备振动,指示灯闪烁等。The notification manager enables the application to display notification information in the status bar, which can be used to convey notification-type messages, and can automatically disappear after a short stay without user interaction. For example, the notification manager is used to notify the download completion, message reminder, etc. The notification manager can also be a notification that appears on the top status bar of the system in the form of a chart or scroll bar text, such as a notification of an application running in the background, or a notification that appears on the screen in the form of a dialog window. For example, prompting text information in the status bar, issuing a prompt sound, vibrating the electronic device, and flashing the indicator light, etc.
Android runtime包括核心库和虚拟机。Android runtime负责安卓系统的调度和管理。Android runtime includes core library and virtual machine. The Android runtime is responsible for the scheduling and management of the Android system.
核心库包含两部分:一部分是java语言需要调用的功能函数,另一部分是安卓的核心库。The core library consists of two parts: one part is the function function that the java language needs to call, and the other part is the core library of Android.
应用程序层和应用程序框架层运行在虚拟机中。虚拟机将应用程序层和应用程序框架层的java文件执行为二进制文件。虚拟机用于执行对象生命周期的管理,堆栈管理,线程管理,安全和异常的管理,以及垃圾回收等功能。The application layer and the application framework layer run in virtual machines. The virtual machine executes the java files of the application program layer and the application program framework layer as binary files. The virtual machine is used to perform functions such as object life cycle management, stack management, thread management, security and exception management, and garbage collection.
系统库可以包括多个功能模块。例如:表面管理器(surface manager),媒体库(media libraries),三维图形处理库(例如:OpenGL ES),2D图形引擎(例如:SGL)等。A system library can include multiple function modules. For example: surface manager (surface manager), media library (media libraries), 3D graphics processing library (eg: OpenGL ES), 2D graphics engine (eg: SGL), etc.
表面管理器用于对显示子系统进行管理,并且为多个应用程序提供了2D和3D图层的融合。The surface manager is used to manage the display subsystem and provides the fusion of 2D and 3D layers for multiple applications.
媒体库支持多种常用的音频,视频格式回放和录制,以及静态图像文件等。媒体库可以支持多种音视频编码格式,例如:MPEG4,H.264,MP3,AAC,AMR,JPG,PNG等。The media library supports playback and recording of various commonly used audio and video formats, as well as still image files, etc. The media library can support a variety of audio and video encoding formats, such as: MPEG4, H.264, MP3, AAC, AMR, JPG, PNG, etc.
三维图形处理库用于实现三维图形绘图、图像渲染、合成和图层处理等。The 3D graphics processing library is used to implement 3D graphics drawing, image rendering, synthesis and layer processing, etc.
2D图形引擎是2D绘图的绘图引擎。2D graphics engine is a drawing engine for 2D drawing.
内核层是硬件和软件之间的层。内核层至少包含显示驱动,摄像头驱动,音频驱动,传感器驱动。The kernel layer is the layer between hardware and software. The kernel layer includes at least a display driver, a camera driver, an audio driver, and a sensor driver.
应理解,本申请实施例中的电子设备也可以是安装有鸿蒙、苹果等操作系统的电子设备。It should be understood that the electronic device in the embodiment of the present application may also be an electronic device installed with operating systems such as Hongmeng and Apple.
分布式文件系统将分布在不同地点的不同类型的文件任意地扩展成一个系统网络,让众多的设备节点通过节点间的网络连接和信息传递,达到让用户在具有网络的地方可以随时访问数据,而不需受到设备和地点的限制。The distributed file system arbitrarily expands different types of files distributed in different places into a system network, allowing many device nodes to connect and transmit information through the network between nodes, so that users can access data at any time in places with a network. Without being limited by equipment and location.
传统的分布式文件系统基于客户端/服务器模式,该模式采用中心化的多机服务器,服务器利用负载均衡、哈希分片等技术来存储客户端的数据,然后由客户端通过网络发送文件请求来获取数据。The traditional distributed file system is based on the client/server model. This model uses a centralized multi-machine server. The server uses load balancing, hash sharding and other technologies to store the client's data, and then the client sends a file request through the network. retrieve data.
点对点(peer-to-peer,P2P)网络模式下的分布式文件系统中没有客户端/服务器的概念,不同终端设备均为平等的同级节点,该节点可以同时作为客户端/服务器,没有中心服务器,所有的终端设备连接到一个文件系统中,当用户在其所在的终端设备请求文件时,若本地节点拥有该文件,则直接从本地文件系统获取,若本地节点中不存在该文件,则向其他节点请求该文件。There is no concept of client/server in the distributed file system under the peer-to-peer (P2P) network mode. Different terminal devices are equal peer nodes, and this node can serve as client/server at the same time, without a center Server, all terminal devices are connected to a file system, when the user requests a file on the terminal device where the user is located, if the local node owns the file, it will be obtained directly from the local file system, if the file does not exist in the local node, then Request the file from other nodes.
在上述文件访问的过程中,为了提升数据安全性,终端设备可以对访问该终端设备上的文件的其他用户设置一些访问权限。In the above file access process, in order to improve data security, the terminal device may set some access permissions for other users who access files on the terminal device.
访问控制列表(access control list,ACL)属于自主访问控制下的一种机制,文件拥有者可以自主的将其拥有的客体的权限给予其他的用户。ACL是一种细粒度的访问控制机制,用户可以针对具体文件配置多种访问控制规则,允许或拒绝指定应用程序访问特定文件,从而即使应用程序获得了存储权限也不能对保护的文件进行读写操作,这实现了文件 系统上访问控制粒度从整个文件系统细化到了单个文件。ACL通过增加ACL_USER和ACL_GROUP类型,可以实现对指定用户或用户组授权。一条ACL策略可以用一个<tag,perm,id>来表示,其中,tag表示用户类型;perm表示授予的权限;id表示应用程序的用户身份证明(user identification,uid)或gid。ACL访问控制规则perm包括三种类型的访问权限:读(read,r)、写(write,w)和执行(execute,x),从而一个客体的权限信息可以表示为这三种类型的组合。例如,文件的权限信息“rwxr--r--”代表允许文件的拥有者读写执行该文件,允许这个文件的同组用户读该文件,其他用户或组对该文件有读权限。对于访问控制信息的存储,一个文件的ACL访问控制规则是存储在文件inode的扩展属性“system.posix_acl_access”中。在Linux系统中,通过调用setacl()方法来配置文件的ACL访问控制规则,该方法最终通过调用setxattr()方法来将ACL访问控制规则转换为扩展属性保存在文件的扩展属性“system.posix_acl_access”中。在执行文件的ACL权限检查时,系统会调用getacl()方法获取该文件的访问控制规则,该方法通过调用getxattr()方法来将保存在文件中的扩展属性转化为具体的ACL访问控制规则,与ACL访问控制规则相关的函数方法都定义在文件系统的inode_operations结构体中。The access control list (ACL) is a mechanism under autonomous access control, and the file owner can freely grant the permissions of the objects he owns to other users. ACL is a fine-grained access control mechanism. Users can configure multiple access control rules for specific files, allowing or denying specified applications to access specific files, so that even if the application obtains storage permissions, it cannot read and write protected files. Operation, which realizes the granularity of access control on the file system from the entire file system to a single file. By adding ACL_USER and ACL_GROUP types, ACL can implement authorization to specified users or user groups. An ACL policy can be represented by a <tag, perm, id>, where tag represents the user type; perm represents the granted permission; id represents the user identification (user identification, uid) or gid of the application. The ACL access control rule perm includes three types of access rights: read (read, r), write (write, w) and execute (execute, x), so the permission information of an object can be expressed as a combination of these three types. For example, the permission information "rwxr--r--" of the file means that the owner of the file is allowed to read, write and execute the file, the users of the same group of the file are allowed to read the file, and other users or groups have read permission for the file. For the storage of access control information, the ACL access control rules of a file are stored in the extended attribute "system.posix_acl_access" of the file inode. In the Linux system, the ACL access control rule of the file is configured by calling the setacl() method, which finally converts the ACL access control rule into an extended attribute by calling the setxattr() method and saves it in the extended attribute "system.posix_acl_access" of the file middle. When performing the ACL permission check of a file, the system will call the getacl() method to obtain the access control rules of the file. This method converts the extended attributes stored in the file into specific ACL access control rules by calling the getxattr() method. The functions and methods related to ACL access control rules are defined in the inode_operations structure of the file system.
Linux安全模块(linux security module,LSM)是Linux内核的一个轻量级通用访问控制框架。它使得各种不同的安全访问控制模型能够以Linux可加载内核模块的形式实现出来,用户可以根据其需求选择适合的安全模块加载到Linux内核中,从而大大提高了Linux安全访问控制机制的灵活性和易用性。LSM在设计之初就遵循了以下原则:解耦合、可装卸性与高效性。这使得模块可以做到:在提供安全机制的条件下对现有模块的运行与更迭产生最小影响;在用户或开发者不需要该安全机制时,可以将该模块卸载且不对系统产生其他负面影响;在内核中运行时对性能产生最小的负面影响。这些特性使得当系统对内核出现了新的安全需求时,使用LSM开发有着更广泛的使用场景和更高的效率。The Linux Security Module (LSM) is a lightweight general-purpose access control framework for the Linux kernel. It enables various security access control models to be implemented in the form of Linux loadable kernel modules, and users can choose appropriate security modules to load into the Linux kernel according to their needs, thus greatly improving the flexibility of Linux security access control mechanisms and ease of use. At the beginning of the design, LSM followed the following principles: decoupling, detachability and high efficiency. This enables the module to do: minimal impact on the operation and replacement of existing modules under the condition of providing a security mechanism; when the user or developer does not need the security mechanism, the module can be uninstalled without causing other negative effects on the system ; Minimal negative impact on performance when running in-kernel. These features make it possible to use LSM to develop a wider range of usage scenarios and higher efficiency when the system has new security requirements for the kernel.
随着物联网技术的发展,跨设备场景下的数据共享需求增加,在手机、平板、智能电视、路由器、车机、手表等设备的操作系统上使用的分布式文件系统依赖上层服务,来实现用户和应用程序数据的分布式管理。分布式系统的需求是利用用户/应用程序的数据不再与设备绑定、在集群中分散的设备上数据存储与业务逻辑分离。在对这些设备数据进行统一化的管理,来实现不同的终端设备之间的快速连接、能力互助和资源共享的同时,分布式文件系统上的数据从生成开始,在其存储、使用、传输的整个过程都需要根据对应的访问控制策略提供安全防护。With the development of Internet of Things technology, the demand for data sharing in cross-device scenarios increases. The distributed file system used on the operating systems of mobile phones, tablets, smart TVs, routers, cars, watches and other devices relies on upper-layer services to realize user and distributed management of application data. The requirement of a distributed system is to use user/application data no longer bound to the device, and to separate data storage and business logic on devices scattered in the cluster. While performing unified management of these device data to achieve fast connection, mutual assistance and resource sharing between different terminal devices, the data on the distributed file system starts from generation and is stored, used and transmitted. The whole process needs to provide security protection according to the corresponding access control policy.
有鉴于此,本申请实施例提供一种权限检查的方法,该技术方案能够提升文件共享和数据访问的安全性。In view of this, the embodiment of the present application provides a permission checking method, and the technical solution can improve the security of file sharing and data access.
下文将结合图3-图5介绍本申请实施例中的权限检查的方法。The following will introduce the permission checking method in the embodiment of the present application with reference to FIGS. 3-5 .
图3是本申请实施例提供的一种跨设备权限检查的方法的示意性流程图。Fig. 3 is a schematic flowchart of a method for cross-device permission checking provided by an embodiment of the present application.
如图3所示,该方法可以应用于第一电子设备和第二电子设备中,该方法可以包括步骤601至步骤608。As shown in FIG. 3 , the method may be applied to the first electronic device and the second electronic device, and the method may include steps 601 to 608 .
601,第二电子设备中的应用程序触发对第一文件的第一操作。601. An application program in a second electronic device triggers a first operation on a first file.
应理解,该第一文件可以存在于第二电子设备中;该第一操作可以是前文中的读、写或执行等。It should be understood that the first file may exist in the second electronic device; the first operation may be the reading, writing or execution mentioned above.
示例性地,第二电子设备中的应用程序A访问位于第一电子设备中的文件B,如,对文件B进行读操作。Exemplarily, the application program A in the second electronic device accesses the file B located in the first electronic device, eg, performs a read operation on the file B.
这里的触发可以是用户在使用应用程序B的过程中,点击某个功能控件,也可以是应用程序B在运行的过程中需要访问文件B等等,本申请实施例对此不予限定。The trigger here may be that the user clicks a certain function control during the use of the application program B, or it may be that the application program B needs to access the file B during the running process, etc., which is not limited in this embodiment of the present application.
可选地,上层账户触发对第一文件的第一操作。应理解,该账户为通过云端认证之后的账户,如,华为账户。Optionally, the upper-level account triggers the first operation on the first file. It should be understood that the account is an account after passing cloud authentication, such as a Huawei account.
602,调用第二DFS。602. Call the second DFS.
通过系统调用,即通过系统接口调用位于内核虚拟文件系统(virtual file system,VFS)层中的第二DFS。Through the system call, that is, through the system interface, the second DFS located in the kernel virtual file system (virtual file system, VFS) layer is called.
示例性地,若该第一操作为读操作,则可以调用第二DFS中的dfs_read_remote函数;若该第一操作为写操作,则可以调用第二DFS中的dfs_write_remote函数。Exemplarily, if the first operation is a read operation, the dfs_read_remote function in the second DFS may be called; if the first operation is a write operation, the dfs_write_remote function in the second DFS may be called.
603,第二DFS对应用程序的标识进行计算,得到标识信息。603. The second DFS calculates the identifier of the application program to obtain the identifier information.
应理解,该应用程序的标识可以为App ID如,应用程序源的标识符(sourceid),应用程序包名(packagename),应用名(appname)等等。It should be understood that the identifier of the application program may be an App ID such as an identifier of an application program source (sourceid), an application program package name (packagename), an application name (appname) and the like.
示例性地,该标识为应用程序包名,则可以对该应用程序包名进行第一计算,如哈希计算,将该应用程序包名转换为长度为32比特的标识信息。应理解,该应用程序的包名也可以为其他长度。Exemplarily, the identifier is an application package name, and a first calculation, such as a hash calculation, may be performed on the application package name to convert the application package name into identification information with a length of 32 bits. It should be understood that the package name of the application program may also have other lengths.
应理解,还可以对该应用程序包名进行别的运算,以得到该标识信息。It should be understood that other calculations may also be performed on the application package name to obtain the identification information.
604,第二DFS向第一DFS发送访问请求消息,该访问请求消息中包括标识信息。604. The second DFS sends an access request message to the first DFS, where the access request message includes identification information.
可选地,该访问请求消息中还可以包括第二电子设备上登录的账户,应理解,该账户为通过云端认证之后的账户,如,华为账户。Optionally, the access request message may also include an account logged in on the second electronic device. It should be understood that the account is an account that has passed cloud authentication, such as a Huawei account.
可选地,该访问请求消息中还可以包括第一文件所在的路径等,该访问请求消息中还包括上述第一操作。Optionally, the access request message may also include the path where the first file is located, and the access request message may also include the above-mentioned first operation.
605,第一电子设备的第一DFS接收到该访问请求消息,并解析该访问请求消息。605. The first DFS of the first electronic device receives the access request message, and parses the access request message.
其中,该第一DFS接收到访问请求消息后,可以对该访问请求消息进行解析,以获取该访问请求消息中的标识信息,如长度为32比特的应用程序包名。606,第一DFS将该标识信息发送至内核中的安全模块(secDFS)中。Wherein, after receiving the access request message, the first DFS may parse the access request message to obtain identification information in the access request message, such as a 32-bit application package name. 606. The first DFS sends the identification information to the security module (secDFS) in the kernel.
示例性地,可以通过hook函数调用该安全模块。该安全模块属于LSM。Exemplarily, the security module can be called through a hook function. This security module belongs to the LSM.
可选地,第一DFS解析该访问请求消息,并得到账户信息,如经过云端认证的华为账户。Optionally, the first DFS parses the access request message and obtains account information, such as a Huawei account authenticated by the cloud.
607,安全模块对该访问请求进行权限检查。607. The security module performs a permission check on the access request.
在一种可能的实现方式中,若第二电子设备是首次访问第一电子设备中的第一文件,则该第一电子设备可以从磁盘文件中获取该第一文件的ACL,根据该标识信息获取该应用程序对应的权限值。In a possible implementation, if the second electronic device accesses the first file in the first electronic device for the first time, the first electronic device may obtain the ACL of the first file from the disk file, and according to the identification information Obtain the permission value corresponding to the application.
可选地,第二电子设备将该应用程序对该第一文件的权限值存入缓存中。这种情况下,当第二电子设备的应用程序A再次访问该第一文件时,第一电子设备可以从该缓存中获取其对应的权限值,无需从磁盘中获取,从而可以减少第二电子设备短时间多次访问该第一文件的通信开销,提升分布式场景下文件访问的效率。Optionally, the second electronic device stores the permission value of the application program on the first file in the cache. In this case, when the application program A of the second electronic device accesses the first file again, the first electronic device can obtain its corresponding permission value from the cache instead of from the disk, thereby reducing the need for the second electronic device. The communication overhead of the device accessing the first file multiple times in a short period of time improves the efficiency of file access in distributed scenarios.
该ACL中可以包括对该第一文件访问的用户、应用程序的权限等信息,例如,该ACL中可以保存有对应权限的权限值,如,读权限对应的权限值为4、写权限对应的权限值为2、执行权限对应的权限值为1。The ACL may include information such as the user who accesses the first file, the authority of the application program, for example, the authority value of the corresponding authority may be stored in the ACL, such as, the authority value corresponding to the read authority is 4, and the authority value corresponding to the write authority is 4. The permission value is 2, and the permission value corresponding to the execution permission is 1.
应理解,该ACL可以包括有应用程序A的标识信息,以及该标识信息对应的权限, 则可以用于表征该应用程序A的权限,例如,应用程序A的标识信息为32比特的应用程序包名,则该ACL中可以包括该32比特的应用程序包名以及权限值。It should be understood that the ACL may include the identification information of the application program A, and the authority corresponding to the identification information, which can be used to characterize the authority of the application program A, for example, the identification information of the application program A is a 32-bit application package name, the ACL may include the 32-bit application package name and permission value.
示例性地,该ACL中可能为第二电子设备的应用程序A对该第一文件的权限值为4,则对应该应用程序A对该第一文件具有读权限。Exemplarily, in the ACL, the application program A of the second electronic device may have a permission value of 4 for the first file, and the application program A has read permission for the first file.
可选地,该ACL中还可能包括有账户、应用程序A的标识信息以及对应的权限,从而可以进一步保证数据的安全性。Optionally, the ACL may also include the account, the identification information of the application A and the corresponding permissions, so as to further ensure data security.
应理解,该ACL可以为该第一文件的拓展属性。每个文件可以具有一个ACL。It should be understood that the ACL may be an extended attribute of the first file. Each file can have an ACL.
在另一种可能的实现方式中,若第二电子设备不是首次访问第一电子设备中的第一文件,则第一电子设备可以从缓存中获取该应用程序A对该第一文件访问的权限值。In another possible implementation, if it is not the first time for the second electronic device to access the first file in the first electronic device, the first electronic device may obtain the permission of the application program A to access the first file from the cache value.
示例性地,该缓存中存储的该应用程序A对该第一文件访问的权限值为2,则该应用程序对该第一文件具有写权限。Exemplarily, the application program A stored in the cache has a permission value of 2 for accessing the first file, and the application program has a write permission for the first file.
608,将结果返回第二电子设备中。608. Return the result to the second electronic device.
在一个示例中,若该访问请求消息中指示该应用程序A请求对第一文件进行读操作,而第二电子设备获取到的该应用程序A对第一文件的权限值为4,则说明第二电子设备中的第一文件允许应用程序A对其进行读操作,则可以将读取到的第一文件返回至第二电子设备中。In an example, if the access request message indicates that the application A requests to read the first file, and the permission value of the application A for the first file acquired by the second electronic device is 4, then the second The first file in the second electronic device allows the application program A to read it, and then the read first file can be returned to the second electronic device.
具体地,可以将该读取到的第一文件从第一DFS发送至第二DFS,该第二DFS将该读取到的第一文件发送至应用程序A中。Specifically, the read first file may be sent from the first DFS to the second DFS, and the second DFS sends the read first file to the application program A.
在另一个示例中,若该访问请求消息中指示该应用程序A请求对第一文件进行写操作,而第二电子设备获取到的该应用程序A对第一文件的权限值为4,则说明第二电子设备中的第一文件仅允许应用程序A对其进行读操作,而不能对第一文件进行写操作或执行,此时,意味着第二电子设备中的第一文件不允许应用程序A对其进行写操作,那么第一电子设备可以将错误值返回至第二电子设备中,从而可以保证该第一文件的数据安全。In another example, if the access request message indicates that the application A requests to perform a write operation on the first file, and the permission value of the application A on the first file acquired by the second electronic device is 4, then The first file in the second electronic device only allows the application program A to read it, but cannot write or execute the first file. At this time, it means that the first file in the second electronic device does not allow the application program When A writes it, the first electronic device can return the error value to the second electronic device, thereby ensuring the data security of the first file.
基于本申请实施例,当第二电子设备中应用程序A希望访问第一电子设备中的第一文件时,可以在访问请求消息中携带该应用程序A的标识信息,从而第一电子设备在接收到该访问请求消息之后,可以调用安全模块根据该标识信息获取其对应的权限值,从而可以确定该应用程序A是否有相应的权限访问该第一文件。从而可以提升跨设备数据访问的安全性。Based on the embodiment of this application, when the application program A in the second electronic device wishes to access the first file in the first electronic device, the identification information of the application program A can be carried in the access request message, so that the first electronic device receives After receiving the access request message, the security module can be invoked to obtain its corresponding permission value according to the identification information, so as to determine whether the application program A has the corresponding permission to access the first file. This improves the security of cross-device data access.
上文介绍了第二电子设备跨设备访问第一电子设备上的文件,下面将结合图4介绍电子设备中的应用程序访问本地的第二文件的技术方案。The above describes the cross-device access of the second electronic device to the file on the first electronic device. The following will introduce the technical solution for the application program in the electronic device to access the local second file in conjunction with FIG. 4 .
图4是本申请实施例提供的一种权限检查的方法的示意性流程图。Fig. 4 is a schematic flowchart of a method for checking permissions provided by an embodiment of the present application.
如图4所示,该方法可以应用于电子设备中,该方法可以包括步骤701至步骤706。As shown in FIG. 4 , the method may be applied to an electronic device, and the method may include steps 701 to 706 .
701,电子设备中的应用程序B触发对第二文件的第二操作。701. An application program B in an electronic device triggers a second operation on a second file.
应理解,该第二文件存储在该电子设备的本地,如存储在该电子设备的存储器中。该第一操作可以是上文中的读、写或执行等。It should be understood that the second file is stored locally in the electronic device, such as in a memory of the electronic device. The first operation may be the above-mentioned read, write, or execute, etc.
示例性地,该电子设备中的应用程序B访问电子设备本地存储的文件B,如对文件B进行写操作。Exemplarily, the application program B in the electronic device accesses the file B locally stored in the electronic device, such as performing a write operation on the file B.
这里的触发可以是用户在使用应用程序B的过程中,点击某个功能控件,也可以是应用程序B在运行的过程中需要访问文件B等等,本申请实施例对此不予限定。The trigger here may be that the user clicks a certain function control during the use of the application program B, or it may be that the application program B needs to access the file B during the running process, etc., which is not limited in this embodiment of the present application.
可选地,上层账户触发对第二文件的第二操作。应理解,该账户为通过云端认证之后 的账户,如,华为账户。Optionally, the upper-level account triggers the second operation on the second file. It should be understood that the account is an account after passing cloud authentication, such as a Huawei account.
702,调用DFS。702. Call DFS.
通过系统调用,即通过系统接口调用位于内核VFS层中的DFS。Through the system call, that is, through the system interface to call the DFS located in the kernel VFS layer.
示例性地,若该第二操作为读操作,则可以调用DFS中的dfs_read_local函数;若该第二操作为写操作,则可以调用DFS中的dfs_write_local函数。Exemplarily, if the second operation is a read operation, the dfs_read_local function in DFS may be called; if the second operation is a write operation, the dfs_write_local function in DFS may be called.
703,DFS对应用程序B的标识进行计算,得到标识信息。703. The DFS calculates the identifier of the application program B to obtain identifier information.
应理解,该应用程序B的标识可以为App ID如,应用程序源的标识符(sourceid),应用程序包名(packagename),应用名(appname)等等。It should be understood that the identifier of the application program B may be an App ID such as an identifier of an application program source (sourceid), an application program package name (packagename), an application name (appname) and the like.
示例性地,该标识为应用程序包名,则可以对该应用程序包名进行第一计算,如哈希计算,将该应用程序包名转换为长度为32比特的标识信息。Exemplarily, the identifier is an application package name, and a first calculation, such as a hash calculation, may be performed on the application package name to convert the application package name into identification information with a length of 32 bits.
应理解,该应用程序的包名也可以为其他长度。It should be understood that the package name of the application program may also have other lengths.
应理解,还可以对该应用程序包名进行别的运算,以得到该标识信息。It should be understood that other calculations may also be performed on the application package name to obtain the identification information.
704,调用安全模块。704. Call the security module.
示例性地,可以通过hook函数调用该安全模块。该安全模块属于LSM。Exemplarily, the security module can be called through a hook function. This security module belongs to the LSM.
705,安全模块对该第二操作进行权限检查。705. The security module performs permission check on the second operation.
在一种可能的实现方式中,若应用程序B是首次访问该第二文件,则该电子设备可以从磁盘文件中获取该第二文件的ACL,根据该标识信息获取该应用程序B对应的权限值。In a possible implementation, if the application B accesses the second file for the first time, the electronic device may obtain the ACL of the second file from the disk file, and obtain the corresponding authority of the application B according to the identification information value.
该ACL中可以包括对该第二文件访问的用户、应用程序的权限等信息,例如,该ACL中可以保存有对应权限的权限值,如,读权限对应的权限值为4、写权限对应的权限值为2、执行权限对应的权限值为1。The ACL may include information such as the user who accesses the second file, the authority of the application program, for example, the authority value of the corresponding authority may be stored in the ACL, such as, the authority value corresponding to the read authority is 4, and the authority value corresponding to the write authority is 4. The permission value is 2, and the permission value corresponding to the execution permission is 1.
应理解,该ACL可以包括有应用程序B的标识信息,以及该标识信息对应的权限,则可以用于表征该应用程序B的权限,例如,应用程序B的标识信息为32比特的应用程序包名,则该ACL中可以包括该32比特的应用程序包名以及权限值。It should be understood that the ACL may include the identification information of application B and the authority corresponding to the identification information, which may be used to characterize the authority of the application B. For example, the identification information of application B is a 32-bit application package name, the ACL may include the 32-bit application package name and permission value.
示例性地,该ACL中的应用程序B对该第二文件的权限值为4,则对应该应用程序B对该第二文件具有读权限。Exemplarily, the application B in the ACL has a permission value of 4 for the second file, which means that the application B has read permission for the second file.
可选地,电子设备将该应用程序B对该第二文件的权限值存入缓存中。这种情况下,当应用程序B再次访问该第二文件时,电子设备可以从该缓存中获取其对应的权限值,无需从磁盘中获取,从而可以减少应用程序B多次访问该第二文件的通信开销,提升分布式场景下文件访问的效率。Optionally, the electronic device stores the permission value of the application program B on the second file in the cache. In this case, when application B accesses the second file again, the electronic device can obtain its corresponding permission value from the cache instead of from the disk, thereby reducing the number of times application B accesses the second file communication overhead, improving the efficiency of file access in distributed scenarios.
在另一种可能的实现方式中,若应用程序B不是首次访问该第二文件,则电子设备可以从缓存中获取该应用程序B对该第二文件访问的权限值。In another possible implementation manner, if it is not the first time for the application program B to access the second file, the electronic device may acquire the permission value for the application program B to access the second file from the cache.
示例性地,该缓存中存储的该应用程序B对该第二文件访问的权限值为2,则该应用程序B对该第二文件具有写权限。Exemplarily, the application program B stored in the cache has a permission value of 2 for accessing the second file, and the application program B has the write permission for the second file.
706,将结果返回应用程序B中。706. Return the result to the application program B.
在一种可能的实现方式中,若该第二操作为该应用程序B请求对第二文件进行读操作,而电子设备获取到的该应用程序B对第二文件的权限值为4,则说明该电子设备中的第二文件允许应用程序B对其进行读操作,则可以将读取到的第二文件返回至应用程序B中。In a possible implementation, if the second operation is that the application program B requests to perform a read operation on the second file, and the electronic device obtains a permission value of 4 for the application program B on the second file, then The second file in the electronic device allows the application program B to read it, and then the read second file can be returned to the application program B.
在另一种可能的实现方式中,若该第二操作为该应用程序B请求对第二文件进行写操作,而电子设备获取到的该应用程序B对第二文件的权限值为4,则说明该电子设备中的第二文件仅允许应用程序B对其进行读操作,而不能对第二文件进行写操作或执行,此时, 意味着该电子设备中的第二文件不允许应用程序B对其进行写操作,那么可以将错误值返回至应用程序B中,从而可以保证该第二文件的数据安全。In another possible implementation, if the second operation is that the application program B requests to perform a write operation on the second file, and the electronic device acquires the application program B's permission value for the second file as 4, then It means that the second file in the electronic device only allows application B to read it, but cannot write or execute the second file. At this time, it means that the second file in the electronic device does not allow application B If it is written, the error value can be returned to the application program B, so that the data security of the second file can be guaranteed.
基于本申请实施例,当电子设备中的应用程序B需要访问本地的第二文件时,该电子设备可以调用安全模块执行权限检查,以提升数据访问的安全性。Based on the embodiment of the present application, when the application program B in the electronic device needs to access the second local file, the electronic device can call the security module to perform permission check, so as to improve the security of data access.
图5是本申请实施例提供的一种权限检查的示意性流程图。Fig. 5 is a schematic flowchart of a permission check provided by the embodiment of the present application.
如图5所示,该方法可以应用于第一电子设备,该方法可以包括步骤810至步骤840。As shown in FIG. 5 , the method may be applied to the first electronic device, and the method may include steps 810 to 840 .
810,所述第一电子设备接收第二电子设备发送的第一文件的访问请求消息,所述访问请求消息包括所述第二电子设备的账户和应用程序的标识信息,其中,所述标识信息为对所述应用程序标识进行第一计算得到的,所述第一文件位于所述第一电子设备中。810. The first electronic device receives an access request message for the first file sent by the second electronic device, where the access request message includes an account of the second electronic device and identification information of an application program, where the identification information The first file is obtained by performing the first calculation on the application identifier, and the first file is located in the first electronic device.
其中,该账户可以是第二电子设备上登录的账户,该账户可以为经过云端认证的账户,如华为账户。该账户也可以是应用程序上登录的账户等,本申请实施例对此不予限定。Wherein, the account may be an account logged in on the second electronic device, and the account may be an account authenticated by the cloud, such as a Huawei account. The account may also be an account registered on an application program, etc., which is not limited in this embodiment of the present application.
该应用程序标识可以为应用程序的包名,在这种情况下,该标识信息可以为对该应用程序的包名进行哈希计算得到的长度为32比特的信息。The application program identifier may be a package name of the application program. In this case, the identification information may be information with a length of 32 bits obtained by hashing the package name of the application program.
应理解,该应用程序标识还可以包括应用程序名、应用程序源的标识符等等。该标识信息的长度也可以为其他值。It should be understood that the application identifier may also include an application name, an identifier of an application source, and the like. The length of the identification information may also be other values.
820,所述第一电子设备解析所述访问请求消息,得到所述账户和所述标识信息。820. The first electronic device parses the access request message to obtain the account and the identification information.
第一电子设备对接收到的访问请求消息进行解析,以得到上述账户和标识信息。The first electronic device parses the received access request message to obtain the above account and identification information.
830,所述第一电子设备根据所述账户和所述标识信息确定所述账户和应用程序对所述第一文件的访问权限对应的权限值是否匹配目标权限值。830. The first electronic device determines whether the permission value corresponding to the account and the access permission of the application program to the first file matches a target permission value according to the account and the identification information.
该目标权限值即第一电子设备中存储的权限值。The target authority value is the authority value stored in the first electronic device.
示例性地,该第一电子设备中存储有第一文件的ACL,该ACL中包括了可以访问第一文件的账户和应用程序,及其对应的权限值。例如,该ACL中可以包括账户以及权限值;应用程序的标识信息以及权限值;或者账户、应用程序的标识信息以及权限值,这种情况下,账户和应用程序是绑定一体的,共同具有该权限值,即表示该账户下的应用程序具有的访问权限。Exemplarily, the ACL of the first file is stored in the first electronic device, and the ACL includes accounts and application programs that can access the first file, and their corresponding authority values. For example, the ACL may include accounts and permission values; application identification information and permission values; or account and application identification information and permission values. In this case, the account and application are bound together and share The permission value indicates the access permission of the application under the account.
840,所述第一电子设备根据所述匹配的结果,向所述第二电子设备发送所述访问请求消息对应的不同结果。840. The first electronic device sends a different result corresponding to the access request message to the second electronic device according to the matching result.
在一种可能的实现方式中,该第一电子设备确定所述账户和应用程序对所述第一文件的访问权限对应的权限值与目标权限值匹配,则说明该第一文件允许上述账户和应用程序对其进行相应的访问,则可以向第二电子设备返回相应的结果。In a possible implementation manner, when the first electronic device determines that the permission value corresponding to the account and the application program's access permission to the first file matches the target permission value, it means that the first file allows the above account and When the application program makes corresponding access to it, a corresponding result can be returned to the second electronic device.
示例性地,该访问请求消息中指示账户A、应用程序A请求对第一文件进行读操作,第一电子设备通过对账户A、应用程序A进行权限检查,发现该账户A、应用程序A的权限值为4,则此时第一电子设备可以将读到的第一文件发送至第二电子设备中。Exemplarily, the access request message indicates that account A and application A request to read the first file, and the first electronic device checks the permissions of account A and application A and finds that the account A and application A If the authority value is 4, then the first electronic device can send the read first file to the second electronic device at this time.
在另一种可能的实现方式中,该第一电子设备确定所述账户和应用程序对所述第一文件的访问权限对应的权限值与目标权限值不匹配,则说明该第一文件不允许上述账户和/或应用程序对其进行相应的访问,则可以向第二电子设备返回错误。In another possible implementation manner, when the first electronic device determines that the permission value corresponding to the account and the access permission of the application program to the first file does not match the target permission value, it means that the first file does not allow If the above-mentioned account and/or application programs access it accordingly, an error may be returned to the second electronic device.
示例性地,该访问请求消息中指示账户A、应用程序A请求对第一文件进行写操作,此时,第一电子设备通过对账户A、应用程序A的权限值进行校验,发现账户A的权限值为4、或者应用程序A的权限值为4、或者账户A以及应用程序A整体的权限值为4,则可以确定账户A和/或应用程序A对该第一文件仅有读权限,不具有写权限,则此时第 一电子设备可以向第二电子设备发送错误。Exemplarily, the access request message indicates that account A and application A request to perform a write operation on the first file. At this time, the first electronic device checks the permission values of account A and application A, and finds that account A or the permission value of application A is 4, or the permission value of account A and application A as a whole is 4, then it can be determined that account A and/or application A only have read permission for the first file , does not have the write permission, then the first electronic device may send an error to the second electronic device at this time.
基于本申请实施例,第一电子设备接收到第二电子设备的访问请求消息后,解析该访问请求消息获取到第二电子设备的账户和应用程序的标识信息,并确定该账户和应用程序对文件的访问权限对应的权限值是否匹配目标权限值,并根据匹配结果向第二电子设备发送不同的结果。该技术方案可以避免非授权的账户和应用程序对文件的访问,从而可以提升跨设备访问数据的安全性。Based on the embodiment of the present application, after receiving the access request message from the second electronic device, the first electronic device parses the access request message to obtain the identification information of the account and application program of the second electronic device, and determines that the account and application program are relevant to the second electronic device. Whether the permission value corresponding to the access permission of the file matches the target permission value, and different results are sent to the second electronic device according to the matching result. The technical solution can prevent unauthorized accounts and application programs from accessing files, thereby improving the security of cross-device access to data.
该技术方案中,第一电子设备接收的访问请求消息中携带了应用程序的标识信息,从而该第一电子设备可以根据该标识信息唯一确定该应用程序,第一电子设备中也存储了该标识信息对应的权限值,从而使得在第二电子设备在跨设备访问数据时,其他的电子设备(如第一电子设备)标识该应用程序的标识信息一致。In this technical solution, the access request message received by the first electronic device carries the identification information of the application program, so that the first electronic device can uniquely determine the application program according to the identification information, and the identification information is also stored in the first electronic device The permission value corresponding to the information, so that when the second electronic device accesses data across devices, other electronic devices (such as the first electronic device) identify the same identification information of the application program.
可选地,若所述第一电子设备首次接收所述访问请求消息,所述方法还包括:所述第一电子设备从磁盘中读取所述第一文件的访问控制列表ACL;所述第一电子设备根据所述账户和所述标识信息从所述访问控制列表ACL中获取所述目标权限值。Optionally, if the first electronic device receives the access request message for the first time, the method further includes: the first electronic device reads the ACL of the first file from a disk; An electronic device acquires the target permission value from the access control list ACL according to the account and the identification information.
其中,该账户和所述标识信息以及权限值可以作为一条记录,也可以作为多条记录。例如,该ACL中可以包括账户、权限值;标识信息、权限值;账户、标识信息、权限值。Wherein, the account, the identification information and the authority value may be regarded as one record, or may be regarded as multiple records. For example, the ACL may include account, authority value; identification information, authority value; account, identification information, authority value.
可选地,所述访问请求消息中还包括所述第一文件的路径,所述第一电子设备从磁盘中读取所述第一文件的访问控制列表ACL,包括:所述第一电子设备根据所述路径从磁盘中读取所述第一文件的访问控制列表ACL。Optionally, the access request message further includes the path of the first file, and the first electronic device reads the ACL of the first file from the disk, including: the first electronic device Reading the ACL of the first file from the disk according to the path.
可选地,所述方法还包括:所述第一电子设备将所述目标权限值存入缓存中。Optionally, the method further includes: storing the target authority value in a cache by the first electronic device.
应理解,在第一电子设备首次接收到该访问请求消息的情况下,该第一电子设备可以将账户和应用程序对应的目标权限值存入缓冲中,从而在第一电子设备下次接收到同样的访问请求消息时,可以从该缓存中获取到目标权限值,无需每次从磁盘文件中第一文件所在的位置处获取,进而有利于提升数据访问的效率。It should be understood that, when the first electronic device receives the access request message for the first time, the first electronic device may store the target authority value corresponding to the account and the application program in the buffer, so that when the first electronic device receives the access request message next time For the same access request message, the target permission value can be obtained from the cache, instead of obtaining from the location of the first file in the disk file every time, which is beneficial to improve the efficiency of data access.
可选地,若所述第一电子设备非首次接收所述访问请求消息,所述方法还包括:所述第一电子设备根据所述账户和所述标识信息从缓存中获取所述目标权限值。Optionally, if it is not the first time for the first electronic device to receive the access request message, the method further includes: the first electronic device acquires the target authority value from cache according to the account and the identification information .
基于本申请实施例,该第一电子设备无需从磁盘中获取该目标权限值,从而有利于提升数据访问的效率。Based on the embodiment of the present application, the first electronic device does not need to obtain the target permission value from the disk, which is beneficial to improve the efficiency of data access.
可选地,所述第一计算为哈希计算,所述应用程序的标识信息为对所述应用程序的包名经过所述哈希计算得到的长度为32比特的信息。Optionally, the first calculation is a hash calculation, and the identification information of the application is 32-bit information obtained through the hash calculation on the package name of the application.
应理解,本申请实施例中的哈希计算还可以用其他算法进行替代,该计算后的信息的长度也可以为其他长度,如64比特等。It should be understood that the hash calculation in the embodiment of the present application may also be replaced by other algorithms, and the length of the calculated information may also be other lengths, such as 64 bits.
图6是本申请实施例提供的一种权限检查的示意性流程图。Fig. 6 is a schematic flowchart of a permission check provided by the embodiment of the present application.
如图6所示,该方法可以应用于第二电子设备,该方法可以包括步骤910至步骤930。As shown in FIG. 6 , the method may be applied to the second electronic device, and the method may include steps 910 to 930 .
910,所述第二电子设备检测应用程序对第一文件的第一操作,所述第一文件位于第一电子设备中。910. The second electronic device detects a first operation performed by an application program on a first file, where the first file is located in the first electronic device.
该第一操纵可以为前文中的读、写或执行等。The first operation may be the above-mentioned reading, writing, or executing.
920,响应于所述第一操作,所述第二电子设备对所述应用程序的标识进行第一计算得到所述应用程序的标识信息。920. In response to the first operation, the second electronic device performs a first calculation on the identification of the application program to obtain identification information of the application program.
该应用程序的标识可以为应用程序的包名,在这种情况下,该标识信息可以为对该应用程序的包名进行哈希计算得到的长度为32比特的信息。The identifier of the application program may be a package name of the application program. In this case, the identification information may be information with a length of 32 bits obtained by performing hash calculation on the package name of the application program.
应理解,该应用程序的标识还可以包括应用程序名、应用程序源的标识符等等。该标识信息的长度也可以为其他值。It should be understood that the identifier of the application program may also include the name of the application program, the identifier of the source of the application program, and the like. The length of the identification information may also be other values.
930,所述第二电子设备向所述第一电子设备发送所述第一文件的访问请求消息,所述访问请求消息包括所述标识信息和所述第二电子设备的账户。930. The second electronic device sends an access request message of the first file to the first electronic device, where the access request message includes the identification information and an account of the second electronic device.
其中,该账户可以是第二电子设备上登录的账户,该账户可以为经过云端认证的账户,如华为账户。该账户也可以是应用程序上登录的账户等,本申请实施例对此不予限定。Wherein, the account may be an account logged in on the second electronic device, and the account may be an account authenticated by the cloud, such as a Huawei account. The account may also be an account registered on an application program, etc., which is not limited in this embodiment of the present application.
基于本申请实施例,基于本申请实施例,第二电子设备向第一电子设备发送的访问请求消息中,包括该第二电子设备的账户和应用程序的标识信息,从而可以进一步提升跨设备数据访问的安全性。Based on the embodiment of the present application, based on the embodiment of the present application, the access request message sent by the second electronic device to the first electronic device includes the identification information of the account and the application program of the second electronic device, so that the cross-device data can be further improved. Security of Access.
图7是本申请实施例提供的一种电子设备的示意性框图。Fig. 7 is a schematic block diagram of an electronic device provided by an embodiment of the present application.
如图7所示,该电子设备1000可以包括一个或多个存储器1010,一个或多个处理器1020,该一个或多个存储器1010中存储有一个或多个计算机程序,该一个或多个计算机程序包括指令,当该指令被一个或多个处理器1020执行时,使得如前文实施例中任一种可能的实现方式中所述的权限检查的方法被执行。As shown in FIG. 7 , the electronic device 1000 may include one or more memories 1010, one or more processors 1020, one or more computer programs are stored in the one or more memories 1010, and the one or more computers The program includes instructions, and when the instructions are executed by one or more processors 1020, the permission checking method described in any possible implementation manner in the foregoing embodiments is executed.
本申请实施例还提供一种权限检查的装置,包括:收发单元,用于接收第二电子设备发送的第一文件的访问请求消息,所述访问请求消息包括所述第二电子设备的账户和应用程序的标识信息,其中,所述标识信息为对所述应用程序标识进行第一计算得到的,所述第一文件位于所述装置中;处理单元,用于解析所述访问请求消息,得到所述账户和所述标识信息;所述处理单元,还用于根据所述账户和所述标识信息确定所述账户和应用程序对所述第一文件的访问权限对应的权限值是否匹配目标权限值;所述收发单元,还用于根据所述匹配的结果,向所述第二电子设备发送所述访问请求消息对应的不同结果。An embodiment of the present application also provides an apparatus for checking permissions, including: a transceiver unit configured to receive an access request message for a first file sent by a second electronic device, where the access request message includes the account and the account number of the second electronic device Identification information of an application program, wherein the identification information is obtained by performing a first calculation on the application program identification, and the first file is located in the device; a processing unit is configured to parse the access request message to obtain The account and the identification information; the processing unit is further configured to determine, according to the account and the identification information, whether the authority value corresponding to the account and the access authority of the application program to the first file matches the target authority value; the transceiving unit is further configured to send a different result corresponding to the access request message to the second electronic device according to the matching result.
可选地,若首次接收所述访问请求消息,所述处理单元还用于:从磁盘中读取所述第一文件的访问控制列表ACL;根据所述账户和所述标识信息从所述访问控制列表中获取所述目标权限值。Optionally, if the access request message is received for the first time, the processing unit is further configured to: read the ACL of the first file from the disk; Obtain the target permission value in the control list.
可选地,所述访问请求消息中还包括所述第一文件的路径,所述处理单元具体用于:根据所述路径从磁盘中读取所述第一文件的访问控制列表ACLOptionally, the access request message further includes the path of the first file, and the processing unit is specifically configured to: read the access control list ACL of the first file from the disk according to the path
可选地,所述处理单元还用于:将所述目标权限值存入缓存中。Optionally, the processing unit is further configured to: store the target authority value in a cache.
可选地,若非首次接收所述访问请求消息,所述处理单元还用于:根据所述账户和所述标识信息从缓存中获取所述目标权限值。Optionally, if the access request message is not received for the first time, the processing unit is further configured to: obtain the target authority value from cache according to the account and the identification information.
可选地,所述应用程序的标识信息包括应用程序的包名。Optionally, the identification information of the application program includes a package name of the application program.
可选地,所述第一计算为哈希计算,所述应用程序的标识信息为对所述应用程序的包名经过所述哈希计算得到的长度为32比特的信息。Optionally, the first calculation is a hash calculation, and the identification information of the application is 32-bit information obtained through the hash calculation on the package name of the application.
本申请实施例还提供一种权限检查的装置,包括:处理单元,用于检测应用程序对第一文件的第一操作;所述处理单元,还用于响应于所述第一操作,对所述应用程序的标识进行第一计算得到所述应用程序的标识信息;收发单元,用于向第一电子设备发送所述第一文件的访问请求消息,所述访问请求消息包括所述标识信息和账户。The embodiment of the present application also provides a permission checking device, including: a processing unit, configured to detect a first operation performed by an application program on a first file; the processing unit is also configured to, in response to the first operation, The identification information of the application program is obtained by performing a first calculation on the identification of the application program; the transceiver unit is configured to send an access request message of the first file to the first electronic device, and the access request message includes the identification information and account.
本申请实施例还提供一种芯片,所述芯片包括处理器和通信接口,所述通信接口用于接收信号,并将所述信号传输至所述处理器,所述处理器处理所述信号,使得如前文实施例中任一种可能的实现方式中所述的权限检查的方法被执行。The embodiment of the present application also provides a chip, the chip includes a processor and a communication interface, the communication interface is used to receive a signal, and transmit the signal to the processor, and the processor processes the signal, The permission checking method described in any possible implementation manner in the foregoing embodiments is executed.
本实施例还提供一种计算机可读存储介质,该计算机可读存储介质中存储有计算机指 令,当该计算机指令在计算机上运行时,使得如前文实施例中任一种可能的实现方式中所述的权限检查的方法被执行。This embodiment also provides a computer-readable storage medium, where computer instructions are stored in the computer-readable storage medium. When the computer instructions are run on a computer, the The method of permission checking described above is executed.
本实施例还提供了一种计算机程序产品,当该计算机程序产品在计算机上运行时,使得计算机执行上述相关步骤,以实现上述实施例中的权限检查的方法。This embodiment also provides a computer program product, which, when running on a computer, causes the computer to execute the above-mentioned related steps, so as to realize the method for checking the authority in the above-mentioned embodiment.
另外,本申请的实施例还提供一种装置,这个装置具体可以是芯片,组件或模块,该装置可包括相连的处理器和存储器;其中,存储器用于存储计算机执行指令,当装置运行时,处理器可执行存储器存储的计算机执行指令,以使芯片执行上述各方法实施例中的权限检查的方法。In addition, an embodiment of the present application also provides a device, which may specifically be a chip, a component or a module, and the device may include a connected processor and a memory; wherein the memory is used to store computer-executable instructions, and when the device is running, The processor can execute the computer-executable instructions stored in the memory, so that the chip executes the permission checking method in the above method embodiments.
其中,本实施例提供的电子设备、计算机可读存储介质、计算机程序产品或芯片均用于执行上文所提供的对应的方法,因此,其所能达到的有益效果可参考上文所提供的对应的方法中的有益效果,此处不再赘述。Wherein, the electronic device, computer-readable storage medium, computer program product or chip provided in this embodiment is all used to execute the corresponding method provided above, therefore, the beneficial effects it can achieve can refer to the above-mentioned The beneficial effects of the corresponding method will not be repeated here.
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those skilled in the art can appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be implemented by electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are executed by hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementation should not be regarded as exceeding the scope of the present application.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Those skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the above-described system, device and unit can refer to the corresponding process in the foregoing method embodiment, which will not be repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined or May be integrated into another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。If the functions described above are realized in the form of software function units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or the part that contributes to the prior art or the part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including Several instructions are used to make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (read-only memory, ROM), random access memory (random access memory, RAM), magnetic disk or optical disc and other media that can store program codes. .
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The above is only a specific implementation of the application, but the scope of protection of the application is not limited thereto. Anyone familiar with the technical field can easily think of changes or substitutions within the technical scope disclosed in the application. Should be covered within the protection scope of this application. Therefore, the protection scope of the present application should be determined by the protection scope of the claims.

Claims (11)

  1. 一种权限检查的方法,其特征在于,所述方法应用于第一电子设备,所述方法包括:A method for permission checking, characterized in that the method is applied to a first electronic device, and the method includes:
    所述第一电子设备接收第二电子设备发送的第一文件的访问请求消息,所述访问请求消息包括所述第二电子设备的账户和应用程序的标识信息,其中,所述标识信息为对所述应用程序标识进行第一计算得到的,所述第一文件位于所述第一电子设备中;The first electronic device receives an access request message for the first file sent by the second electronic device, where the access request message includes the account of the second electronic device and identification information of the application program, wherein the identification information is for the The application identifier is obtained by performing a first calculation, and the first file is located in the first electronic device;
    所述第一电子设备解析所述访问请求消息,得到所述账户和所述标识信息;The first electronic device parses the access request message to obtain the account and the identification information;
    所述第一电子设备根据所述账户和所述标识信息确定所述账户和应用程序对所述第一文件的访问权限对应的权限值是否匹配目标权限值;The first electronic device determines whether the permission value corresponding to the account and the access permission of the application program to the first file matches a target permission value according to the account and the identification information;
    所述第一电子设备根据所述匹配的结果,向所述第二电子设备发送所述访问请求消息对应的不同结果。The first electronic device sends a different result corresponding to the access request message to the second electronic device according to the matching result.
  2. 根据权利要求1所述的方法,其特征在于,若所述第一电子设备首次接收所述访问请求消息,所述方法还包括:The method according to claim 1, wherein if the first electronic device receives the access request message for the first time, the method further comprises:
    所述第一电子设备从磁盘中读取所述第一文件的访问控制列表ACL;The first electronic device reads the ACL of the first file from the disk;
    所述第一电子设备根据所述账户和所述标识信息从所述访问控制列表中获取所述目标权限值。The first electronic device acquires the target permission value from the access control list according to the account and the identification information.
  3. 根据权利要求2所述的方法,其特征在于,所述访问请求消息中还包括所述第一文件的路径,所述第一电子设备从磁盘中读取所述第一文件的访问控制列表ACL,包括:The method according to claim 2, wherein the access request message further includes the path of the first file, and the first electronic device reads the access control list (ACL) of the first file from the disk ,include:
    所述第一电子设备根据所述路径从磁盘中读取所述第一文件的访问控制列表ACL。The first electronic device reads the ACL of the first file from the disk according to the path.
  4. 根据权利要求2或3所述的方法,其特征在于,所述方法还包括:The method according to claim 2 or 3, characterized in that the method further comprises:
    所述第一电子设备将所述目标权限值存入缓存中。The first electronic device stores the target authority value in a cache.
  5. 根据权利要求1所述的方法,其特征在于,若所述第一电子设备非首次接收所述访问请求消息,所述方法还包括:The method according to claim 1, wherein if the first electronic device does not receive the access request message for the first time, the method further comprises:
    所述第一电子设备根据所述账户和所述标识信息从缓存中获取所述目标权限值。The first electronic device acquires the target authority value from a cache according to the account and the identification information.
  6. 根据权利要求1-5中任一项所述的方法,其特征在于,所述应用程序的标识信息包括应用程序的包名。The method according to any one of claims 1-5, wherein the identification information of the application program includes a package name of the application program.
  7. 根据权利要求6所述的方法,其特征在于,所述第一计算为哈希计算,所述应用程序的标识信息为对所述应用程序的包名经过所述哈希计算得到的长度为32比特的信息。The method according to claim 6, wherein the first calculation is a hash calculation, and the identification information of the application program is a package name of the application program obtained through the hash calculation and has a length of 32 bits of information.
  8. 一种权限检查的方法,其特征在于,所述方法应用于第二电子设备,所述方法包括:A method for permission checking, characterized in that the method is applied to a second electronic device, and the method includes:
    所述第二电子设备检测应用程序对第一文件的第一操作;The second electronic device detects the first operation of the application on the first file;
    响应于所述第一操作,所述第二电子设备对所述应用程序的标识进行第一计算得到所述应用程序的标识信息;In response to the first operation, the second electronic device performs a first calculation on the identification of the application to obtain identification information of the application;
    所述第二电子设备向所述第一电子设备发送所述第一文件的访问请求消息,所述访问请求消息包括所述标识信息和所述第二电子设备的账户。The second electronic device sends an access request message of the first file to the first electronic device, where the access request message includes the identification information and an account of the second electronic device.
  9. 一种电子设备,其特征在于,包括一个或多个处理器;一个或多个存储器;所述一个或多个存储器存储有一个或多个计算机程序,所述一个或多个计算机程序包括指令,当所述指令被一个或多个处理器执行时,使得如权利要求1-7、或8中任一项所述的权限 检查的方法被执行。An electronic device, characterized in that it includes one or more processors; one or more memories; the one or more memories store one or more computer programs, and the one or more computer programs include instructions, When the instructions are executed by one or more processors, the permission checking method according to any one of claims 1-7 or 8 is executed.
  10. 一种芯片,其特征在于,所述芯片包括处理器和通信接口,所述通信接口用于接收信号,并将所述信号传输至所述处理器,所述处理器处理所述信号,使得如权利要求1-7、或8中任一项所述的权限检查的方法被执行。A kind of chip, it is characterized in that, described chip comprises processor and communication interface, and described communication interface is used for receiving signal, and described signal is transmitted to described processor, and described processor processes described signal, makes as follows The permission checking method described in any one of claims 1-7 or 8 is executed.
  11. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质中存储有计算机指令,当所述计算机指令在计算机上运行时,使得如权利要求1-7、或8中任一项所述的权限检查的方法被执行。A computer-readable storage medium, characterized in that, computer instructions are stored in the computer-readable storage medium, and when the computer instructions are run on a computer, any one of claims 1-7 or 8 The method of permission checking described above is executed.
PCT/CN2022/120260 2021-09-29 2022-09-21 Permission check method and electronic device WO2023051355A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111150947.7A CN115879088A (en) 2021-09-29 2021-09-29 Authority checking method and electronic equipment
CN202111150947.7 2021-09-29

Publications (1)

Publication Number Publication Date
WO2023051355A1 true WO2023051355A1 (en) 2023-04-06

Family

ID=85756103

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/120260 WO2023051355A1 (en) 2021-09-29 2022-09-21 Permission check method and electronic device

Country Status (2)

Country Link
CN (1) CN115879088A (en)
WO (1) WO2023051355A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116415281B (en) * 2023-04-18 2023-10-20 青海省第三地质勘查院 Authority control method and system based on improved last-bit checksum double hash function

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080162343A1 (en) * 2006-12-29 2008-07-03 Ebay Inc. Method and system for user payment account management
CN105956426A (en) * 2016-04-26 2016-09-21 上海斐讯数据通信技术有限公司 Application program authority authentication and authorization method and intelligent equipment
CN106998551A (en) * 2016-01-25 2017-08-01 中兴通讯股份有限公司 A kind of method, system, device and the terminal of application access authentication
US20190121999A1 (en) * 2017-10-24 2019-04-25 Mastercard International Incorporated Method and system for securely controlling access to data
CN112364308A (en) * 2020-11-13 2021-02-12 四川长虹电器股份有限公司 Online authorized android APK signature method and device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080162343A1 (en) * 2006-12-29 2008-07-03 Ebay Inc. Method and system for user payment account management
CN106998551A (en) * 2016-01-25 2017-08-01 中兴通讯股份有限公司 A kind of method, system, device and the terminal of application access authentication
CN105956426A (en) * 2016-04-26 2016-09-21 上海斐讯数据通信技术有限公司 Application program authority authentication and authorization method and intelligent equipment
US20190121999A1 (en) * 2017-10-24 2019-04-25 Mastercard International Incorporated Method and system for securely controlling access to data
CN112364308A (en) * 2020-11-13 2021-02-12 四川长虹电器股份有限公司 Online authorized android APK signature method and device

Also Published As

Publication number Publication date
CN115879088A (en) 2023-03-31

Similar Documents

Publication Publication Date Title
WO2021083378A1 (en) Method for accelerating starting of application, and electronic device
CN113434288B (en) Memory management method and electronic equipment
WO2021253975A1 (en) Permission management method and apparatus for application, and electronic device
CN113032766B (en) Application authority management method and device
WO2023024900A1 (en) Method for secure boot checking and electronic device
WO2022089121A1 (en) Method and apparatus for processing push message
WO2022022422A1 (en) Permission management method and terminal device
WO2021238399A1 (en) Method for securely accessing data, and electronic device
WO2022179275A1 (en) Terminal application control method, terminal device, and chip system
WO2023051355A1 (en) Permission check method and electronic device
CN115629884A (en) Thread scheduling method, electronic device and storage medium
WO2021169379A1 (en) Permission reuse method, permission reuse-based resource access method, and related device
US20230216732A1 (en) Network Configuration Method and Device
CN115481444B (en) File protection method and electronic equipment
CN110602689B (en) Method and device for safely operating equipment
WO2023284555A1 (en) Method for securely calling service, and method and apparatus for securely registering service
WO2022253158A1 (en) User privacy protection method and apparatus
WO2021238376A1 (en) Function pack loading method and apparatus, and server and electronic device
WO2020147859A1 (en) Decentralized fat lock deflation
WO2023155588A1 (en) Method for processing ear temperature data, and electronic device
WO2023077975A1 (en) File migration method, electronic device, and storage medium
WO2022052962A1 (en) Application module startup method and electronic device
WO2024055867A1 (en) Application cloning-based interface display method and related apparatus
WO2023061357A1 (en) Data processing method, related apparatus, and communication system
WO2023001208A1 (en) Multi-file synchronization method and electronic device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22874742

Country of ref document: EP

Kind code of ref document: A1