CN117908991A - System access method, device, equipment and medium based on security policy loading - Google Patents
- Publication number
- CN117908991A
- Application number
- CN202410114802.9A
- Authority
- CN
- China
- Prior art keywords
- security policy
- scenario
- hook function
- lsm
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- G06F9/44521—Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
Description
Technical Field
The present application relates to the field of computer technology, and in particular to a system access method, apparatus, device and medium based on security policy loading.
Background
As Internet technology and the degree of informatization advance, system security becomes increasingly important. Security checks on a system are generally performed by loading security policies.
At present a system loads security policies in one of two ways: static loading, or dynamic loading based on kernel modules.
With static loading, all security policies are loaded into the kernel at system start-up, which occupies a large amount of system resources and degrades system performance. With kernel-module-based dynamic loading, the system usually has to be restarted to load the security policy module, and when that module conflicts with other modules in the system, those modules must be unloaded before the security policy module can be loaded. This not only reduces the efficiency with which the system loads security policies but also exposes the system to the risk of kernel crashes or malicious tampering.
Summary of the Invention
The present application provides a system access method, apparatus, device and medium based on security policy loading, to solve the problems of the prior art that, when a system performs security checks, its security policies load slowly, inflexibly and insecurely.
In a first aspect, the present application provides a system access method based on security policy loading, applied to a Linux system, comprising:
in response to a security policy loading instruction, displaying a plurality of first scenario identifiers, where a first scenario identifier represents a preset application scenario of the Linux system at the time of system access;
in response to a selection operation on a second scenario identifier among the plurality of first scenario identifiers, displaying at least one first security policy under the second scenario identifier, where the second scenario identifier represents the application scenario the Linux system currently corresponds to, and a first security policy represents a security check that can be performed in that application scenario;
determining a second security policy from the at least one first security policy, and determining the LSM hook function associated with the second security policy, where the LSM hook function represents a preset security checkpoint;
starting the Linux system and loading the associated LSM hook function and the eBPF program corresponding to the second security policy, so that the eBPF program corresponding to the second security policy runs at the associated LSM hook function and mediates access to the Linux system.
In one example, the second scenario identifier represents a preset scenario identifier, and determining the LSM hook function associated with the second security policy comprises:
after determining the second security policy from the at least one first security policy, retrieving a relationship mapping table from the database corresponding to the Linux system, where the relationship mapping table stores the association between each preset application scenario and the preset LSM hook functions under that scenario;
determining, from the associations in the relationship mapping table, at least one preset LSM hook function matching the application scenario represented by the second scenario identifier;
determining, from the at least one preset LSM hook function, the LSM hook function associated with the second security policy.
In one example, the preset scenario identifiers represent at least the following application scenarios: a cloud computing or containerization scenario, an Internet of Things or edge computing scenario, and a network security or firewall scenario.
In one example, the second scenario identifier represents a custom scenario identifier, and determining the LSM hook function associated with the second security policy comprises:
after determining the second security policy from the at least one first security policy, displaying a bitmap selection structure that contains at least one preset LSM hook function;
determining the LSM hook function associated with the second security policy from a selection operation on at least one preset LSM hook function in the bitmap selection structure.
In one example, loading the associated LSM hook function and the eBPF program corresponding to the second security policy comprises:
loading, by a security policy loader, the associated LSM hook function into the Linux system, and compiling the eBPF program corresponding to the second security policy and attaching it to the corresponding LSM hook function, thereby completing the loading of the associated LSM hook function and the eBPF program corresponding to the second security policy.
In one example, the Linux system includes a security policy management interface, and the method further comprises:
in response to a trigger operation on the security policy management interface, displaying a security policy management screen on which management operations are performed on the security policies in the Linux system, the management operations comprising add, modify and delete operations.
In one example, the Linux system includes a security policy viewing interface, and the method further comprises:
in response to a trigger operation on the security policy viewing interface, displaying a security policy viewing screen on which viewing operations are performed on the security policies in the Linux system, the viewing operations comprising query and statistics operations.
In a second aspect, the present application provides a system access apparatus based on security policy loading, comprising:
a first display unit, configured to display a plurality of first scenario identifiers in response to a security policy loading instruction, where a first scenario identifier represents a preset application scenario of the Linux system at the time of system access;
a second display unit, configured to display at least one first security policy under a second scenario identifier in response to a selection operation on the second scenario identifier among the plurality of first scenario identifiers, where the second scenario identifier represents the application scenario the Linux system currently corresponds to, and a first security policy represents a security check that can be performed in that application scenario;
a determining unit, configured to determine a second security policy from the at least one first security policy and to determine the LSM hook function associated with the second security policy, where the LSM hook function represents a preset security checkpoint;
an access unit, configured to start the Linux system and load the associated LSM hook function and the eBPF program corresponding to the second security policy, so that the eBPF program corresponding to the second security policy runs at the associated LSM hook function and mediates access to the Linux system.
In one example, when the second scenario identifier represents a preset scenario identifier, the determining unit is configured to:
after determining the second security policy from the at least one first security policy, retrieve a relationship mapping table from the database corresponding to the Linux system, where the relationship mapping table stores the association between each preset application scenario and the preset LSM hook functions under that scenario;
determine, from the associations in the relationship mapping table, at least one preset LSM hook function matching the application scenario represented by the second scenario identifier;
determine, from the at least one preset LSM hook function, the LSM hook function associated with the second security policy.
In one example, the preset scenario identifiers represent at least the following application scenarios: a cloud computing or containerization scenario, an Internet of Things or edge computing scenario, and a network security or firewall scenario.
In one example, when the second scenario identifier represents a custom scenario identifier, the determining unit is configured to:
after determining the second security policy from the at least one first security policy, display a bitmap selection structure that contains at least one preset LSM hook function;
determine the LSM hook function associated with the second security policy from a selection operation on at least one preset LSM hook function in the bitmap selection structure.
In one example, the access unit is configured to:
load, by a security policy loader, the associated LSM hook function into the Linux system, and compile the eBPF program corresponding to the second security policy and attach it to the corresponding LSM hook function, thereby completing the loading of the associated LSM hook function and the eBPF program corresponding to the second security policy.
In one example, the apparatus further comprises a management module, configured to:
when the Linux system includes a security policy management interface, display a security policy management screen in response to a trigger operation on that interface, on which management operations (add, modify and delete operations) are performed on the security policies in the Linux system.
In one example, the apparatus further comprises a viewing module, configured to:
when the Linux system includes a security policy viewing interface, display a security policy viewing screen in response to a trigger operation on that interface, on which viewing operations (query and statistics operations) are performed on the security policies in the Linux system.
In a third aspect, the present application provides a computer device comprising a processor and a memory communicatively connected to the processor;
the memory stores computer-executable instructions;
the processor executes the computer-executable instructions stored in the memory to implement the method of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of the first aspect.
In a fifth aspect, the present application provides a computer program product comprising computer-executable instructions stored in a readable storage medium; at least one processor of a computer device can read the computer-executable instructions from the readable storage medium and execute them, so that the computer device performs the method of the first aspect.
With the system access method, apparatus, device and medium based on security policy loading provided by the present application, a plurality of first scenario identifiers are displayed in response to a security policy loading instruction, and, in response to a selection operation on a second scenario identifier among them, at least one first security policy under the second scenario identifier is displayed. A second security policy is then determined from the at least one first security policy, together with the LSM hook function associated with it. After the Linux system is started, the associated LSM hook function and the eBPF program corresponding to the second security policy are loaded, so that the eBPF program runs at the associated LSM hook function and mediates access to the Linux system. This implementation combines eBPF and LSM to load security policies dynamically and LSM hook functions on demand, which saves Linux system resources. At the same time, eBPF improves the safety and reliability of policy loading and avoids kernel crashes or malicious tampering.
Brief Description of the Drawings
The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with the present application and, together with the description, serve to explain its principles.
FIG. 1 is a flow chart of a system access method based on security policy loading provided by an embodiment of the present application;
FIG. 2 is a flow chart of another system access method based on security policy loading provided by an embodiment of the present application;
FIG. 3 is an implementation flow chart of a system access method based on security policy loading provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a system access apparatus based on security policy loading provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of another system access apparatus based on security policy loading provided by an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a computer device provided by an embodiment of the present application.
The above drawings show specific embodiments of the present application, which are described in more detail below. The drawings and the text are not intended to limit the scope of the application in any way, but to illustrate its concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Exemplary embodiments are described in detail here, with examples shown in the drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The term "and/or" herein merely describes an association and indicates that three relationships may exist: A and/or B may mean A alone, A and B together, or B alone. The term "at least one" herein means any one of several items, or any combination of at least two of them; for example, "at least one of A, B and C" may mean any one or more elements selected from the set consisting of A, B and C.
In the prior art, a system loads security policies in one of two ways: static loading, or dynamic loading based on kernel modules.
With static loading, all security policies are loaded into the kernel at system start-up. This cannot meet the need for dynamic security policies, occupies a large amount of system resources and degrades system performance.
With kernel-module-based dynamic loading, the required security policy logic is implemented in a module written for kernel space, and that module can then be loaded or unloaded on demand. First, loading the kernel module (that is, the security policy module) usually requires restarting the system, and when the security policy module conflicts with other kernel modules, the conflicting modules must be unloaded before the security policy module is loaded. Fast loading and unloading of security policies is therefore not possible, which lowers loading efficiency, and restarting the system or loading the module exposes the system to the risk of kernel crashes or malicious tampering, affecting its stability and security. Second, when the system version changes, the security policy module has to be recompiled for each version, further reducing loading efficiency. Third, a kernel module can only use the interfaces and functions that the kernel exports, so it cannot reach kernel resources for which no interface is exported, which limits the security checks it can perform.
In addition, both loading methods are rigid and cannot meet the security policy configuration requirements of different application scenarios.
The system access method based on security policy loading provided by the present application combines eBPF (extended Berkeley Packet Filter) and LSM (Linux Security Modules) to load security policies dynamically, so as to solve the above problems of the prior art. Unlike a kernel module, an eBPF program is checked by the kernel's BPF verifier before it is loaded, and BPF LSM (available since Linux 5.7 on kernels built with CONFIG_BPF_LSM and with "bpf" in the active LSM list) lets such a program be attached to an LSM hook without a module.
The technical solution of the present application, and how it solves the above technical problems, are described in detail below with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be repeated in every embodiment. The embodiments are described below with reference to the drawings.
FIG. 1 is a flow chart of a system access method based on security policy loading provided by an embodiment of the present application. As shown in FIG. 1, the method comprises:
S101. In response to a security policy loading instruction, display a plurality of first scenario identifiers.
Here, a first scenario identifier represents a preset application scenario of the Linux system at the time of system access.
In one example, a first scenario identifier may represent a preset application scenario of the Linux system, such as a cloud computing scenario or a network security scenario. Alternatively, a first scenario identifier may identify a newly added or custom application scenario.
In one example, a first scenario identifier may be displayed as text and/or an image; the form of display is not limited here, and any workable form may be used.
In one example, a security policy rule base may be prepared before the security policy loading instruction is received. The pre-built rule base describes the security policy configuration files for each predefined application scenario. In addition, a bitmap selection structure may be generated from the preset associations between application scenarios and LSM hook functions, so that security checks on the Linux system are performed according to the security policy configuration files and the bitmap selection structure of the LSM hook functions.
In one example, a security policy configuration file may include the name of the security policy, a description of the policy (for example, its purpose), the file name of the eBPF program corresponding to the policy, and the action to be taken. For example, for a policy used for file protection, the name may be "file protection", the description "block execution of heap memory", the eBPF program file name "file protection program" and the action "block". The contents of the configuration file are not limited here; they are stated in plain language for explanation, while in practice a programming or configuration language would be used to describe the file.
S102. In response to a selection operation on a second scenario identifier among the plurality of first scenario identifiers, display at least one first security policy under the second scenario identifier.
Here, the second scenario identifier represents the application scenario the Linux system currently corresponds to, and a first security policy represents a security check that can be performed in that application scenario.
In one example, the at least one first security policy may be the security policies that the pre-built security policy rule base describes for the application scenario represented by the second scenario identifier; alternatively, it may be all security policies in the Linux system, or newly defined custom security policies.
S103. Determine a second security policy from the at least one first security policy, and determine the LSM hook function associated with the second security policy.
Here, an LSM hook function represents a preset security checkpoint.
The second security policy can be understood as the security checks that must be performed when the system is accessed; it may be some or all of the at least one first security policy.
S104. Start the Linux system and load the associated LSM hook function and the eBPF program corresponding to the second security policy, so that the eBPF program corresponding to the second security policy runs at the associated LSM hook function and mediates access to the Linux system.
As described above, this embodiment displays a plurality of first scenario identifiers in response to a security policy loading instruction and, in response to a selection operation on a second scenario identifier among them, displays at least one first security policy under that identifier. It then determines a second security policy from the at least one first security policy together with the LSM hook function associated with it, and, after the Linux system is started, loads the associated LSM hook function and the eBPF program corresponding to the second security policy, so that the eBPF program runs at the associated LSM hook function and mediates access to the Linux system. Combining eBPF and LSM in this way loads security policies dynamically and LSM hook functions on demand, which saves Linux system resources, while eBPF improves the safety and reliability of policy loading and avoids kernel crashes or malicious tampering.
FIG. 2 is a schematic flow chart of another system access method based on security policy loading provided by an embodiment of the present application. As shown in FIG. 2, the method includes:
S201. In response to a security policy loading instruction, display a plurality of first scenario identifiers.
Here, a first scenario identifier represents a preset application scenario to which the Linux system corresponds when the system is accessed.
In one example, this step may refer to the description of S101 above and is not described again in detail here.
S202. In response to a selection operation on a second scenario identifier among the plurality of first scenario identifiers, display at least one first security policy under the second scenario identifier.
Here, the second scenario identifier represents the application scenario to which the Linux system currently corresponds, and the first security policy represents a security check that can be performed in the application scenario represented by the second scenario identifier.
In one example, this step may refer to the description of S102 above and is not described again in detail here.
S203. Determine a second security policy from the at least one first security policy, and determine the LSM hook function associated with the second security policy.
Here, the LSM hook function represents a preset security checkpoint.
In one example, as can be seen from the above description, a first scenario identifier may represent a preset application scenario of the Linux system, or it may be the identifier of a newly added/customized application scenario.
The preset scenario identifiers represent at least the following application scenarios: a cloud computing or containerization scenario, an Internet of Things or edge computing scenario, and a network security or firewall scenario. The preset application scenarios are not specifically limited here, as long as they can be implemented.
In one example, after an application scenario is customized, it can be added to the preset application scenarios so that these are gradually expanded, broadening the application scenarios in which security policies are loaded and improving the robustness of the system access method based on security policy loading.
In this case, when the second scenario identifier represents a preset scenario identifier, the LSM hook function associated with the second security policy can be determined by the following process.
First, after the second security policy has been determined from the at least one first security policy, a relationship mapping table is determined from the database corresponding to the Linux system. The relationship mapping table stores the association between each preset application scenario and the preset LSM hook functions in that application scenario.
Next, based on the associations contained in the relationship mapping table, at least one preset LSM hook function matching the application scenario represented by the second scenario identifier is determined.
Then, from the at least one preset LSM hook function, the LSM hook function associated with the second security policy is determined.
By storing in the database a relationship mapping table that contains the associations between the preset application scenarios and their preset LSM hook functions, this implementation not only speeds up determining the LSM hook function associated with the second security policy and improves efficiency, but also lowers the expertise required of the staff who perform system access based on security policy loading.
In one example, when the second scenario identifier represents a customized scenario identifier, the LSM hook function associated with the second security policy can be determined by the process described below.
First, after the second security policy has been determined from the at least one first security policy, a bitmap selection structure is displayed. The bitmap selection structure includes at least one preset LSM hook function; in this case, the preset LSM hook functions it includes may be all of the preset LSM hook functions, so that the relevant personnel can select from all of them as needed.
Then, based on a selection operation on at least one preset LSM hook function in the bitmap selection structure, the LSM hook function associated with the second security policy is determined.
In one example, an "add" identifier may be displayed in the bitmap selection structure; if none of the Linux system's preset LSM hook functions meets the requirements, a new preset LSM hook function can be added in response to a trigger operation on that identifier.
In the above implementation, the bitmap selection structure intuitively and clearly displays the selectable preset LSM hook functions, so that the LSM hook function associated with the second security policy can be determined conveniently and quickly by selecting among them.
S204. Start the Linux system.
S205. Using the security policy loader, load the associated LSM hook function into the Linux system, and compile the eBPF program corresponding to the second security policy into the corresponding LSM hook function, thereby completing the loading of the associated LSM hook function and the eBPF program corresponding to the second security policy.
Here, the eBPF program corresponding to the second security policy implements the logic defined in the second security policy. It is a program written in advance when the security policy rule base is prefabricated, and the eBPF programs corresponding to the security policies can be written in C.
In one example, when compiling the eBPF program corresponding to the second security policy into the corresponding LSM hook function, the eBPF program can first be compiled into an ELF (Executable and Linkable Format) file with a compilation tool (for example, clang or bpftool), and the ELF file is then linked to the associated LSM hook function so that the LSM hook function can invoke the eBPF program corresponding to the second security policy.
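As an added illustration (not code from the patent), the following Python models the two hook-resolution paths of S203 (the relationship mapping table for preset scenarios, the bitmap selection structure for custom scenarios) and the compile step of S205, including the check that a chosen policy only references hooks the scenario actually offers. The hook names are real BPF LSM hook names; the scenarios, policies, file paths and bit positions are constructed sample data, and the libbpf function named in a comment is assumed to be how the loader attaches the object.

```python
"""Hook resolution and load planning for a scenario-selected eBPF LSM policy.

Models step S203 above (preset scenario: look hooks up in the relationship
mapping table; custom scenario: decode the operator's bitmap selection) and the
compile step of S205. Hook names are real BPF LSM hook names; the scenarios,
policies and bit positions are constructed sample data.
"""
from dataclasses import dataclass

# Bitmap selection structure: a hook's index in this list is its bit position
# (bit 0 = first entry). The UI and the loader must share this order.
PRESET_LSM_HOOKS = [
    "file_open", "bprm_check_security", "socket_connect", "socket_bind",  # bits 0-3
    "task_kill", "sb_mount", "path_unlink", "ptrace_access_check",        # bits 4-7
]

# Relationship mapping table: preset scenario -> preset LSM hooks available there.
SCENARIO_HOOKS = {
    "container": {"file_open", "bprm_check_security", "sb_mount", "ptrace_access_check"},
    "iot_edge": {"file_open", "socket_connect", "socket_bind"},
    "firewall": {"socket_connect", "socket_bind", "task_kill"},
}


@dataclass(frozen=True)
class Policy:
    """Rule-base entry: a pre-written eBPF C program plus the LSM checkpoints
    whose events it needs to see."""
    name: str
    source: str
    hooks: frozenset


# Prefabricated security policy rule base, keyed by scenario (constructed).
RULE_BASE = {
    "container": [
        Policy("deny-host-mount", "policies/deny_host_mount.bpf.c",
               frozenset({"sb_mount"})),
        Policy("exec-allowlist", "policies/exec_allowlist.bpf.c",
               frozenset({"bprm_check_security", "file_open"})),
    ],
    "firewall": [
        Policy("egress-ports", "policies/egress_ports.bpf.c",
               frozenset({"socket_connect"})),
    ],
    "custom": [
        Policy("no-ptrace", "policies/no_ptrace.bpf.c",
               frozenset({"ptrace_access_check"})),
    ],
}


def find_policy(scenario, name):
    """Pick the second security policy from the first policies of a scenario."""
    for policy in RULE_BASE.get(scenario, []):
        if policy.name == name:
            return policy
    raise KeyError(f"no policy {name!r} in scenario {scenario!r}")


def hooks_to_bitmap(hooks):
    """Encode a set of hook names as the bitmap the selection structure holds."""
    return sum(1 << PRESET_LSM_HOOKS.index(h) for h in hooks)


def bitmap_to_hooks(bitmap):
    """Decode a bitmap back to hook names; reject bits with no preset hook."""
    if bitmap < 0 or bitmap >> len(PRESET_LSM_HOOKS):
        raise ValueError(f"bitmap {bitmap:#x} selects a non-existent hook")
    return {h for i, h in enumerate(PRESET_LSM_HOOKS) if bitmap >> i & 1}


def resolve_hooks(scenario, policy, bitmap=None):
    """Return the LSM hooks to attach for `policy`, or raise if it needs a
    checkpoint the scenario (or the operator's bitmap) does not offer, so that
    S204/S205 never load a policy whose hook can never fire."""
    if scenario in SCENARIO_HOOKS:
        available = SCENARIO_HOOKS[scenario]
    elif bitmap is not None:
        available = bitmap_to_hooks(bitmap)
    else:
        raise ValueError(f"custom scenario {scenario!r} needs a bitmap selection")
    missing = policy.hooks - available
    if missing:
        raise LookupError(f"{policy.name} needs hooks absent from {scenario}: "
                          f"{sorted(missing)}")
    return sorted(policy.hooks)


def check_selection(scenario, policy, bitmap=None):
    """UI-side validation: None when the selection is loadable, else the reason."""
    try:
        resolve_hooks(scenario, policy, bitmap)
    except (LookupError, ValueError) as err:
        return str(err)
    return None


def load_plan(scenario, policy, bitmap=None):
    """Build the S205 steps: the clang command that turns the pre-written C
    program into a BPF ELF object, and the `lsm/<hook>` section names that the
    loader attaches (libbpf's bpf_program__attach_lsm keys on them; assumed)."""
    hooks = resolve_hooks(scenario, policy, bitmap)
    obj = policy.source.removesuffix(".c") + ".o"
    return {
        "compile": ["clang", "-O2", "-g", "-target", "bpf", "-c",
                    policy.source, "-o", obj],
        "attach": [f"lsm/{h}" for h in hooks],
    }
```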
S206. Based on the associated LSM hook function, run the eBPF program corresponding to the second security policy to implement access to the Linux system.
In one example, FIG. 3 is an implementation flow chart of a system access method based on security policy loading provided by an embodiment of the present application. As shown in FIG. 3, after the security policy loading instruction has been responded to, an application scenario can be selected from the displayed plurality of first scenario identifiers (that is, the second scenario identifier is determined); for example, either a preset application scenario or a customized application scenario can be selected.
Then, from the at least one security policy that the prefabricated security policy rule base displays for the selected application scenario, a security policy file is selected and determined (that is, the second security policy is determined). At the same time, the LSM hook function associated with the security policy configuration file is determined through the bitmap selection structure.
After that, the Linux system can be started, the LSM hook function associated with the security policy configuration file loaded, and the eBPF program corresponding to the security policy configuration file compiled, so that the security policy configuration file and the associated LSM hook function are injected into kernel space. The eBPF program corresponding to the security policy configuration file can then be run at the associated LSM hook function to implement access to the Linux system.
In one example, the Linux system may include a security policy management interface. In this case, in response to a trigger operation on the security policy management interface, a security policy management screen is displayed, in which management operations on the security policies in the Linux system can be performed. The management operations include add, modify and delete operations.
This implementation makes it possible to manage security policies through the security policy management interface and to update them promptly according to the actual requirements of system access. For example, unneeded security policies can be deleted promptly to save resources, new security policies can be added promptly to meet new requirements of system access, and existing security policies can be modified in real time to make system access more secure and effective, thereby achieving dynamic management of security policies.
In one example, the Linux system may include a security policy viewing interface. In this case, in response to a trigger operation on the security policy viewing interface, a security policy viewing screen is displayed, in which viewing operations on the security policies in the Linux system can be performed. The viewing operations include query operations and statistics operations.
In one example, a query operation can be used to query the specific content of a security policy, and a statistics operation can be used to compile statistics on some or all of the security policies. Through the security policy viewing interface, this implementation allows the existing security policies to be queried, or statistics on them compiled, in real time, so that the statistics or query results on the existing security policies can be used to decide how to adjust them and to manage or adjust them promptly.
FIG. 4 is a schematic structural diagram of a system access device based on security policy loading provided by an embodiment of the present application. As shown in FIG. 4, the system access device 400 based on security policy loading includes:
a first display unit 401, configured to display a plurality of first scenario identifiers in response to a security policy loading instruction, where a first scenario identifier represents a preset application scenario to which the Linux system corresponds when the system is accessed;
a second display unit 402, configured to display, in response to a selection operation on a second scenario identifier among the plurality of first scenario identifiers, at least one first security policy under the second scenario identifier, where the second scenario identifier represents the application scenario to which the Linux system currently corresponds, and the first security policy represents a security check that can be performed in the application scenario represented by the second scenario identifier;
a determination unit 403, configured to determine a second security policy from the at least one first security policy and to determine the LSM hook function associated with the second security policy, where the LSM hook function represents a preset security checkpoint; and
an access unit 404, configured to start the Linux system and load the associated LSM hook function and the eBPF program corresponding to the second security policy, so that the eBPF program corresponding to the second security policy is run at the associated LSM hook function, thereby implementing access to the Linux system.
FIG. 5 is a schematic structural diagram of another system access device based on security policy loading provided by an embodiment of the present application. As shown in FIG. 5, the system access device 500 based on security policy loading includes:
a first display unit 501, configured to display a plurality of first scenario identifiers in response to a security policy loading instruction, where a first scenario identifier represents a preset application scenario to which the Linux system corresponds when the system is accessed;
a second display unit 502, configured to display, in response to a selection operation on a second scenario identifier among the plurality of first scenario identifiers, at least one first security policy under the second scenario identifier, where the second scenario identifier represents the application scenario to which the Linux system currently corresponds, and the first security policy represents a security check that can be performed in the application scenario represented by the second scenario identifier;
a determination unit 503, configured to determine a second security policy from the at least one first security policy and to determine the LSM hook function associated with the second security policy, where the LSM hook function represents a preset security checkpoint; and
an access unit 504, configured to start the Linux system and load the associated LSM hook function and the eBPF program corresponding to the second security policy, so that the eBPF program corresponding to the second security policy is run at the associated LSM hook function, thereby implementing access to the Linux system.
In one example, when the second scenario identifier represents a preset scenario identifier, the determination unit 503 is configured to:
after determining the second security policy from the at least one first security policy, determine a relationship mapping table from the database corresponding to the Linux system, where the relationship mapping table stores the association between each preset application scenario and the preset LSM hook functions in that application scenario;
based on the associations contained in the relationship mapping table, determine at least one preset LSM hook function matching the application scenario represented by the second scenario identifier; and
from the at least one preset LSM hook function, determine the LSM hook function associated with the second security policy.
In one example, the preset scenario identifiers represent at least the following application scenarios: a cloud computing or containerization scenario, an Internet of Things or edge computing scenario, and a network security or firewall scenario.
In one example, when the second scenario identifier represents a customized scenario identifier, the determination unit 503 is configured to:
after determining the second security policy from the at least one first security policy, display a bitmap selection structure, where the bitmap selection structure includes at least one preset LSM hook function; and
based on a selection operation on at least one preset LSM hook function in the bitmap selection structure, determine the LSM hook function associated with the second security policy.
In one example, the access unit 504 is configured to:
using the security policy loader, load the associated LSM hook function into the Linux system and compile the eBPF program corresponding to the second security policy into the corresponding LSM hook function, thereby completing the loading of the associated LSM hook function and the eBPF program corresponding to the second security policy.
In one example, the device further includes a management module 505, configured to:
when the Linux system includes a security policy management interface, display a security policy management screen in response to a trigger operation on the security policy management interface, so that management operations on the security policies in the Linux system can be performed in that screen, where the management operations include add, modify and delete operations.
In one example, the device further includes a viewing module 506, configured to:
when the Linux system includes a security policy viewing interface, display a security policy viewing screen in response to a trigger operation on the security policy viewing interface, so that viewing operations on the security policies in the Linux system can be performed in that screen, where the viewing operations include query operations and statistics operations.
FIG. 6 is a schematic structural diagram of a computer device provided by an embodiment of the present application. As shown in FIG. 6, the computer device 600 includes a memory 601 and a processor 602.
The memory 601 is configured to store instructions executable by the processor 602.
The processor 602 is configured to execute the method provided by the above embodiments.
The computer device further includes a receiver 603 and a transmitter 604. The receiver 603 receives instructions and data sent by external devices, and the transmitter 604 sends instructions and data to external devices.
An embodiment of the present application further provides a computer-readable storage medium storing computer-executable instructions which, when run by a processor, perform the steps of the system access method based on security policy loading in the above method embodiments. The storage medium may be a volatile or non-volatile computer-readable storage medium.
An embodiment of the present application further provides a computer program product carrying computer-executable instructions, which can be used to perform the steps of the system access method based on security policy loading in the above method embodiments; for details, refer to the above method embodiments, which are not repeated here.
It should be noted that, for the sake of brevity, each of the foregoing method embodiments is described as a series of combined actions; however, those skilled in the art should understand that the present application is not limited by the described order of actions, since according to the present application some steps may be performed in other orders or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all optional embodiments, and that the actions and modules involved are not necessarily required by the present application.
It should further be noted that, although the steps in the flow charts are shown in sequence as indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, there is no strict order restriction on performing these steps, and they may be performed in other orders. Moreover, at least some of the steps in the flow charts may include multiple sub-steps or stages, which are not necessarily completed at the same moment but may be performed at different times; the order of these sub-steps or stages is not necessarily sequential either, and they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
It should be understood that the above device embodiments are only illustrative, and that the device of the present application may also be implemented in other ways. For example, the division into units/modules in the above embodiments is only a division by logical function, and other divisions are possible in actual implementation. For example, multiple units, modules or components may be combined or integrated into another system, or some features may be omitted or not performed.
In addition, unless otherwise specified, the functional units/modules in the embodiments of the present application may be integrated into one unit/module, may each exist physically separately, or two or more units/modules may be integrated together. The integrated units/modules may be implemented in the form of hardware or in the form of software program modules.
If an integrated unit/module is implemented in hardware, the hardware may be a digital circuit, an analog circuit, and so on. Physical implementations of the hardware structure include, but are not limited to, transistors, memristors, and so on. Unless otherwise specified, the processor may be any suitable hardware processor, such as a CPU, GPU, FPGA, DSP or ASIC. Unless otherwise specified, the storage unit may be any suitable magnetic or magneto-optical storage medium, such as resistive random access memory (RRAM), dynamic random access memory (DRAM), static random access memory (SRAM), enhanced dynamic random access memory (EDRAM), high-bandwidth memory (HBM), hybrid memory cube (HMC), and so on.
If an integrated unit/module is implemented as a software program module and sold or used as an independent product, it may be stored in a computer-readable memory. On this understanding, the technical solution of the present application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned memory includes USB flash drives, read-only memory (ROM), random access memory (RAM), removable hard disks, magnetic disks, optical discs and other media capable of storing program code.
In the above embodiments, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, refer to the relevant descriptions of the other embodiments. The technical features of the above embodiments may be combined arbitrarily; for brevity, not all possible combinations of these technical features are described, but any combination of them that involves no contradiction should be considered within the scope of this specification.
Other embodiments of the present application will readily occur to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and examples are to be regarded as exemplary only, with the true scope and spirit of the present application being indicated by the following claims.
It should be understood that the present application is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410114802.9A CN117908991A (en) | 2024-01-26 | 2024-01-26 | System access method, device, equipment and medium based on security policy loading |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410114802.9A CN117908991A (en) | 2024-01-26 | 2024-01-26 | System access method, device, equipment and medium based on security policy loading |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117908991A true CN117908991A (en) | 2024-04-19 |
Family
ID=90694382
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410114802.9A Pending CN117908991A (en) | 2024-01-26 | 2024-01-26 | System access method, device, equipment and medium based on security policy loading |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117908991A (en) |
- 2024-01-26 CN CN202410114802.9A patent/CN117908991A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| CN110865888A (en) | Resource loading method and device, server and storage medium |
| CN107832062A (en) | A kind of method for updating program and terminal device |
| US20220342983A1 (en) | Shadow stack violation enforcement at module granularity |
| CN113296891B (en) | Platform-based multi-scenario knowledge graph processing method and device |
| US20210311740A1 (en) | Circular shadow stack in audit mode |
| US9104567B2 (en) | Memory-leak identification |
| CN109359092B (en) | File management method, desktop display method, device, terminal and medium |
| US8429395B2 (en) | Controlling access to software component state |
| CN102646079A (en) | Disk data protection method for Linux-like operating system |
| CN113254470A (en) | Data change method and device, computer equipment and storage medium |
| JP2016533588A (en) | Storage processing method, apparatus and terminal |
| CN114995839A (en) | Application resource processing method and device, electronic equipment and storage medium |
| CN106201595A (en) | The cleaning control method of a kind of application program and device |
| CN114637969A (en) | Authentication method and device for target object |
| CN108520401A (en) | User list management method, device, platform and storage medium |
| CN118568743A (en) | Data encryption and decryption method, device, medium and equipment based on hardware encryption card |
| CN117908991A (en) | System access method, device, equipment and medium based on security policy loading |
| CN105610908B (en) | A kind of samba service implementing method and system based on Android device |
| CN111796972B (en) | File hot-repair method, device, equipment and storage medium |
| CN114816482A (en) | Upgrading method, device, computer equipment and storage medium for block storage service |
| CN111752682A (en) | A network port resource management method, device, electronic device and storage medium |
| CN114675995A (en) | Data backup method, device and electronic device |
| CN113110846A (en) | Method and device for acquiring environment variable |
| CN111737964A (en) | Form dynamic processing method, equipment and medium |
| CN112379968B (en) | Method, device, equipment and storage medium for applying multiple openings |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |