
CN112269986B - Process management method, device and storage medium - Google Patents

Process management method, device and storage medium

Info

Publication number: CN112269986B
Authority: CN (China)
Prior art keywords: desktop, terminal, file, desktops, under
Legal status: Active (Google's listed legal status is an assumption, not a legal conclusion)
Application number: CN202011186959.0A
Other languages: Chinese (zh)
Other versions: CN112269986A
Inventor: 杨峰
Current assignee: Sangfor Technologies Co Ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Sangfor Technologies Co Ltd
Priority application: CN202011186959.0A
Publication of application: CN112269986A
Publication of grant: CN112269986B
Application filed by Sangfor Technologies Co Ltd; application granted; current legal status Active

Classifications

All under G06F21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity):

    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/121 Protecting executable software: restricting unauthorised execution of programs
    • G06F21/602 Protecting data: providing cryptographic facilities or services
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database


Abstract

The application discloses a process management method, a process management device and a storage medium. The method monitors the processes of a terminal. When a first process is detected, the desktop it belongs to (the first desktop) is identified, among the plurality of desktops on the terminal, from the desktop identifier carried by the process; the desktops may have the same or different system operation rights, and the processes of each desktop are isolated from those of the others by sandboxes. A first policy for the first desktop is then looked up from the correspondence between desktops and process treatment policies, and the terminal is allowed or prohibited from executing the operation requested by the first process according to that policy.

Description

Process management method, device and storage medium
Technical Field
The present application relates to the field of information security, and in particular, to a process management method, apparatus, and storage medium.
Background
As technology advances, mobile office scenarios (BYOD, Bring Your Own Device) are increasingly common in people's work, and the share of BYOD devices keeps rising.
However, owing to cost, network conditions, user privacy and other factors, the data protection (data leakage prevention) schemes of the related art cover only a part of an enterprise's personal computer (PC) users and cannot protect data in BYOD scenarios or in small branch-office scenarios (for example, file exchange between staff of the company's research and development department and staff of its sales department).
Disclosure of Invention
To solve the technical problems above, embodiments of this application provide a process management method, device and storage medium.
The technical solution of the embodiments is implemented as follows:
an embodiment of the application provides a process management method comprising the following steps:
when a first process is detected, determining, from the desktop identifier carried by the first process, the first desktop to which it belongs among the plurality of desktops of the terminal, where the system operation rights of the desktops may be the same or different;
determining a first policy for the first desktop from the correspondence between desktops and process treatment policies; and, according to the first policy, allowing or prohibiting the terminal from executing the operation corresponding to the first process.
In the above scheme, the method further comprises:
obtaining the correspondence between desktops and process treatment policies, and the first policy, from shared memory of the desktops.
In the above scheme, the plurality of desktops includes a first-type desktop and a second-type desktop, where the system operation rights of the first-type desktop are lower than those of the second-type desktop;
and allowing or prohibiting the terminal, according to the first policy, from executing the operation corresponding to the first process includes:
allowing the operation when it is an operation by the second-type desktop on a file under the file directory of the first-type desktop;
prohibiting the operation when it is an operation by the first-type desktop on a file under the file directory of the second-type desktop; where
the files under each desktop's file directory are isolated by sandboxes.
In the above scheme, when the operation corresponding to the first process is an operation by the second-type desktop on a first file under the file directory of the first-type desktop, and the terminal is allowed to execute it, the method further includes:
if a redirected copy of the first file already exists under the file directory of the second-type desktop, having the terminal perform the operation on that redirected copy;
if no redirected copy exists there, creating the redirected copy of the first file under the file directory of the second-type desktop and having the terminal perform the operation on it.
In the above scheme, the method further comprises:
encrypting the redirected copy when the terminal performs the operation corresponding to the first process on it.
In the above scheme, allowing or prohibiting the terminal, according to the first policy, from executing the operation corresponding to the first process includes:
prohibiting the operation when it is the first-type desktop pasting text or an image copied from the second-type desktop;
allowing the operation when it is the second-type desktop pasting text or an image copied from the first-type desktop; where
the clipboards of the desktops are isolated by sandboxes.
In the above scheme, allowing or prohibiting the terminal, according to the first policy, from executing the operation corresponding to the first process includes:
allowing the operation when, according to the first policy, the first desktop has the right to execute it;
prohibiting the operation when, according to the first policy, the first desktop does not have that right; where
the system service interfaces and network connectivity of each desktop are isolated by sandboxes;
and the operation corresponding to the first process is one of:
accessing a first local area network;
accessing a second local area network;
invoking a system service interface.
In the above scheme, the operation corresponding to the first process is a screenshot operation;
and allowing or prohibiting the terminal, according to the first policy, from executing the operation includes:
allowing the operation when the first desktop has screenshot rights;
when the first desktop does not have screenshot rights, either prohibiting the operation or generating a screenshot that carries traceable watermark information.
An embodiment of the application also provides a process management device comprising:
a monitoring unit, configured to monitor the processes of a terminal and, when a first process is detected, determine from the desktop identifier carried by the first process the first desktop to which it belongs among the plurality of desktops of the terminal;
a processing unit, configured to determine the first policy for the first desktop from the correspondence between desktops and process treatment policies, and to allow or prohibit the terminal from executing the operation corresponding to the first process according to the first policy.
An embodiment of the application also provides a process management device comprising a processor and a memory storing a computer program executable on the processor;
the processor being configured to perform the steps of any of the methods above when the computer program runs.
An embodiment of the application also provides a storage medium storing a computer program which, when executed by a processor, implements the steps of any of the methods above.
The process management method, device and storage medium of the embodiments monitor the processes of a terminal; when a first process is detected, the first desktop it belongs to is determined from the desktop identifier it carries; the desktops of the terminal may have the same or different system operation rights, and their processes are isolated by sandboxes; the first policy for the first desktop is determined from the correspondence between desktops and process treatment policies, and the terminal is allowed or prohibited from executing the operation corresponding to the first process according to that policy. Because the processes of desktops with different rights are isolated by sandboxes, and every monitored process is allowed or denied according to the treatment policy of its own desktop, a user who realises a BYOD scenario or a small branch-office scenario through the terminal's multiple desktops is protected against leakage of office data, which improves the security of office data and, in turn, the user experience.
Drawings
FIG. 1 is a flow chart of a process management method according to an embodiment of the application;
FIG. 2 is a schematic diagram of an application scenario according to an embodiment of the application;
FIG. 3 is a schematic diagram of a process management device according to an embodiment of the application;
FIG. 4 is a schematic diagram of a process management device according to an embodiment of the application;
FIG. 5 is a schematic hardware structure of a process management device according to an embodiment of the application.
Detailed Description
The technical scheme of the application is further elaborated below with reference to the drawings and examples.
In the related art, enterprise office data protection (office data leakage prevention) schemes fall into hardware schemes and software schemes. Hardware schemes are generally costly to deploy: an external data-protection device may have to be configured for every PC user in the enterprise, and such devices usually place high demands on the network and cannot support very-low-bandwidth or offline work. Software schemes generally rely on screen recording, remote control, behaviour auditing and similar functions, which intrude on the privacy of the enterprise's PC users and are therefore hard to roll out in BYOD and small branch-office scenarios. Both kinds of scheme may also bring complex operation and maintenance and compatibility problems in low-bandwidth, administrator-free settings such as small branch offices. The office data protection schemes of the related art therefore suffer from high deployment cost, complex deployment and maintenance, and poor user experience.
Moreover, an office data protection scheme for BYOD and small branch-office scenarios must take the user's own security concerns into account. For example, after ransomware incidents, users worry that using a virtual private network (VPN) could let an infection spread into the intranet, so their requirements for controlling the flow of office data, including after a VPN is in use, must be considered. Users' concerns about operating system security must be considered as well.
Accordingly, in the embodiments of this application, the processes of the multiple desktops of different rights on a user terminal are isolated by sandboxes; when a process of the terminal is detected, the process treatment policy of the desktop it belongs to is determined, and the terminal is allowed or prohibited from executing the operation of that process according to the policy. A user who realises a BYOD scenario or a small branch-office scenario through the terminal's multiple desktops is thus protected against leakage of office data, which improves the security of office data and the user experience.
At the same time, because the embodiments are built on the terminal's own multi-desktop mode, no external device is needed to protect office data, which greatly reduces deployment cost as well as the difficulty of deployment and later operation and maintenance.
In addition, since the embodiments are built on the multi-desktop mode, the user switches between the BYOD or small branch-office scenario and other scenarios (such as personal use) simply by switching desktops, which is simple and convenient and further improves the user experience.
An embodiment of the application provides a process management method which, as shown in FIG. 1, comprises the following steps:
Step 101: monitor the processes of a terminal and, when a first process is detected, determine from the desktop identifier carried by the first process the first desktop to which it belongs among the plurality of desktops of the terminal;
the system operation rights of the desktops may be the same or different, and the processes of each desktop are isolated from those of the others by sandboxes;
Step 102: determine the first policy for the first desktop from the correspondence between desktops and process treatment policies, and allow or prohibit the terminal from executing the operation corresponding to the first process according to the first policy.
The terminal may be any electronic device with a multi-desktop mode, such as a PC or a mobile phone; a PC may be a desktop computer, a notebook computer, a tablet computer and so on. All desktops share the same physical disk, no separate region of the disk is partitioned per desktop, and the screen the terminal presents while the user operates a desktop is that desktop's workspace.
In practice, the processes of the desktops may be isolated by sandboxes implemented on a unified endpoint management (UEM) basis, so that each desktop corresponds to one virtual workspace.
The way the terminal's processes are monitored can be chosen according to the terminal's operating system and the user's requirements. When the operating system is Microsoft Windows, for example, processes may be monitored through process callbacks (for instance a kernel process-creation notify callback such as PsSetCreateProcessNotifyRoutineEx).
In practice, shared memory for the desktops may be set up in the terminal. Once the first desktop is determined, the correspondence between desktops and process treatment policies is obtained from the shared memory, for example as a first configuration file containing that correspondence; once the first policy is determined, it too is obtained from the shared memory, for example as a second configuration file containing the first policy.
Based on this, in an embodiment, the method may further include:
And acquiring the corresponding relation between the desktop and the process processing strategy and the first strategy from the shared memory of the desktops.
In practice the user may set the system operation rights of each desktop as required. As shown in FIG. 2, the user may set up three desktops on the terminal 200, desktop A, desktop B and desktop C: desktop A may log in to the intranet of a first enterprise but may not browse ordinary web pages; desktop B may browse ordinary web pages but may not log in to the first enterprise's intranet; desktop C may play video and audio but may neither log in to the first enterprise's intranet nor browse ordinary web pages. The process treatment policy of a desktop reflects that desktop's system operation rights: since desktop B may not log in to the first enterprise's intranet, its policy may prohibit the terminal from executing a monitored process whose operation accesses that intranet, which prevents the user from reaching the intranet through desktop B. The taskbar 201 of each desktop may contain a desktop switching button 202 with which the user switches between desktops, for example from desktop A to desktop C or from desktop C to desktop B.
To further protect office data, the user may also grade the system operation rights of the desktops, so that files under the file directory of a desktop with a higher grade of rights cannot be opened or edited through a desktop with a lower grade. For example, desktop A and desktop D may be set as office desktops, where desktop D may log in to the intranet of a second enterprise but may not browse ordinary web pages, and their rights set to grade one; desktop B, desktop C and desktop E may be set as personal desktops, where desktop E may browse ordinary web pages but may not log in to the second enterprise's intranet, and their rights set to grade two.
The workspaces of desktops B, C and E may then be called collectively the personal domain, and those of desktops A and D the security domain. Both domains are used in exactly the same way (for example the same file storage model, the terminal's original one), so the user notices no difference between them and need not change any habits. Both domains access the terminal's disk files directly; they are isolated from each other by file redirection, but the files before and after redirection live on the same disk (the one the terminal already has). Through the process treatment policies, files under the directories of desktops A and D cannot be opened or edited from desktops B, C or E: the personal domain cannot access or use the security domain's files, while the security domain can access and use the personal domain's files, and the user cannot copy files from the security domain into the personal domain. The files under each desktop's directory are thereby isolated from one another, which further secures office data.
Accordingly, in an embodiment, the plurality of desktops may include a first-type desktop and a second-type desktop, where the system operation rights of the first-type desktop are lower than those of the second-type desktop, and allowing or prohibiting the terminal, according to the first policy, from executing the operation corresponding to the first process may include:
allowing the operation when it is an operation by the second-type desktop on a file under the file directory of the first-type desktop;
prohibiting the operation when it is an operation by the first-type desktop on a file under the file directory of the second-type desktop; where
the files under each desktop's file directory are isolated by sandboxes.
In practice each desktop may have its own file directory. The user cannot view or edit files under the second-type desktop's directory from the first-type desktop, but can view or edit files under the first-type desktop's directory from the second-type desktop. When the user views or edits such a file from the second-type desktop, the file is redirected into the second-type desktop's own directory, so that the edits made from the second-type desktop remain invisible from the first-type desktop; this further secures office data.
Accordingly, in an embodiment, when the operation corresponding to the first process is an operation by the second-type desktop on a first file under the file directory of the first-type desktop, the method may further include:
if a redirected copy of the first file already exists under the file directory of the second-type desktop, having the terminal perform the operation on that redirected copy;
if no redirected copy exists there, creating the redirected copy of the first file under the file directory of the second-type desktop and having the terminal perform the operation on it.
To further protect office data, the redirected copy may be encrypted while the terminal performs the operation on it, so that even if the terminal is lost the redirected copy is not leaked.
Accordingly, in an embodiment, the method may further include:
encrypting the redirected copy when the terminal performs the operation corresponding to the first process on it.
Specifically, when the terminal performs the operation on the redirected copy, the copy is encrypted before it is written to disk and decrypted when it is read back from disk.
In practice, the redirection of files and the encryption and decryption of redirected copies can be implemented with the Windows file system minifilter driver framework (Minifilter).
In practice, a large file may also be allocated in advance for each desktop to serve as the file storage of that desktop's workspace, i.e. a virtual disk for the workspace. Files produced by the workspace are stored in its virtual disk and the whole virtual disk is encrypted, so that individual files need not be encrypted separately and a data migration only has to move a single large file, which makes migration more convenient.
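The file rules of the embodiments above (allow or deny by desktop rights, copy-on-write redirection into the higher-rights desktop's own directory, encryption of the redirected copy before it reaches disk and decryption on read) as a runnable user-mode model. This is an added example, not the patent's code: the patent does this inside a Windows minifilter, whereas this model applies the same decisions to ordinary files under a temporary directory. The names Desktop, Sandbox, may_access and the per-desktop key derivation are assumptions, and the HMAC-SHA256 counter-mode stream cipher with an integrity tag stands in for whatever cipher a real deployment would use.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Desktop:
    name: str
    level: int  # 1 = office desktop (security domain), 2 = personal desktop (lower rights)


def may_access(actor: Desktop, owner: Desktop) -> bool:
    """A desktop may operate on files of a desktop with equal or lower system rights."""
    return actor.level <= owner.level


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumption: stands in for a real block cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Layout nonce || ciphertext || HMAC tag, so a tampered redirected copy is detected on read."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("redirected file tampered with or wrong desktop key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Sandbox:
    """All desktops share one disk; each gets a file directory and a redirect directory."""

    def __init__(self, root: str, desktops):
        self.root = root
        # Assumption: one key per desktop, derived from its name for this demo only.
        self.keys = {d.name: hashlib.sha256(b"desktop-key:" + d.name.encode()).digest() for d in desktops}
        for d in desktops:
            os.makedirs(os.path.join(root, d.name, "files"), exist_ok=True)
            os.makedirs(os.path.join(root, d.name, "redirect"), exist_ok=True)

    def path(self, owner: Desktop, name: str) -> str:
        return os.path.join(self.root, owner.name, "files", name)

    def redirect_path(self, actor: Desktop, owner: Desktop, name: str) -> str:
        return os.path.join(self.root, actor.name, "redirect", owner.name, name)

    def resolve(self, actor: Desktop, owner: Desktop, name: str):
        """Policy decision: deny upward access; own files are used in place; a higher-rights
        desktop touching a lower-rights file gets an encrypted redirected copy, created on
        first access, so the original under the lower-rights directory is never modified."""
        if not may_access(actor, owner):
            raise PermissionError(f"desktop {actor.name} may not access files of desktop {owner.name}")
        if actor == owner:
            return self.path(owner, name), None
        rpath = self.redirect_path(actor, owner, name)
        if not os.path.exists(rpath):
            os.makedirs(os.path.dirname(rpath), exist_ok=True)
            src = self.path(owner, name)
            original = b""
            if os.path.exists(src):
                with open(src, "rb") as f:
                    original = f.read()
            with open(rpath, "wb") as f:
                f.write(encrypt(self.keys[actor.name], original))
        return rpath, self.keys[actor.name]

    def read(self, actor: Desktop, owner: Desktop, name: str) -> bytes:
        p, key = self.resolve(actor, owner, name)
        with open(p, "rb") as f:
            data = f.read()
        return decrypt(key, data) if key else data  # decrypt when reading a redirected copy

    def write(self, actor: Desktop, owner: Desktop, name: str, data: bytes) -> str:
        p, key = self.resolve(actor, owner, name)
        with open(p, "wb") as f:
            f.write(encrypt(key, data) if key else data)  # encrypt before a redirected copy hits disk
        return p


def demo() -> dict:
    """Office desktop A edits a file of personal desktop B; B then tries to read A's file."""
    office, personal = Desktop("A", 1), Desktop("B", 2)
    sb = Sandbox(tempfile.mkdtemp(prefix="multidesk-"), [office, personal])
    sb.write(personal, personal, "notes.txt", b"draft v1")            # constructed sample data
    sb.write(office, office, "plan.docx", b"confidential plan")
    sb.write(office, personal, "notes.txt", b"draft v1 + office edits")  # redirected and encrypted
    with open(sb.redirect_path(office, personal, "notes.txt"), "rb") as f:
        raw = f.read()
    result = {
        "a_sees": sb.read(office, personal, "notes.txt"),
        "b_sees": sb.read(personal, personal, "notes.txt"),
        "redirect_encrypted": b"office edits" not in raw,
    }
    try:
        sb.read(personal, office, "plan.docx")
        result["b_reads_a"] = "allowed"
    except PermissionError:
        result["b_reads_a"] = "denied"
    return result
```

Running demo() shows the three properties the embodiments describe: desktop A sees its own edited version, desktop B still sees the untouched original, the redirected copy on disk is ciphertext, and B's attempt to open A's file is refused before any file is touched.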
In practical application, the registry corresponding to each desktop in the desktops can be isolated in the same way as file isolation, namely, the registries under the registry directory corresponding to each desktop in the desktops are isolated based on sandboxes. The enabling or disabling the operation corresponding to the first process by the terminal according to the first policy may include enabling the terminal to perform the operation corresponding to the first process if the operation corresponding to the first process includes an operation of the second type desktop with respect to a registry under a registry corresponding to the first type desktop, and disabling the terminal to perform the operation corresponding to the first process if the operation corresponding to the first process includes an operation of the first type desktop with respect to a registry under a registry corresponding to the second type desktop.
Meanwhile, when the operation corresponding to the first process is allowed to be executed by the terminal under the condition that the operation corresponding to the first process comprises the operation of the second type desktop aiming at the first registry under the registry corresponding to the first type desktop, the method can further comprise the steps of controlling the terminal to execute the operation corresponding to the first process aiming at the redirection registry under the condition that the redirection registry corresponding to the first registry exists under the registry corresponding to the second type desktop, and generating the redirection registry corresponding to the first registry under the registry corresponding to the second type desktop under the condition that the redirection registry corresponding to the first file does not exist under the registry corresponding to the second type desktop.
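As an added illustration (not code from the patent or from Sangfor), the following portable C models the pre-open decision that a filter driver of the kind described above would take for files under the two desktops' directories: a personal-desktop process is denied any access to the secure workspace, a secure-desktop process reads a personal file through until its first write, and on the first write the file is copied into the secure workspace's redirection directory and used from there on. The desktop labels, the SECURE_ROOT path, the in-memory file table and the sample path are constructed for the example; it is not driver code, and the same decision shape applies to registry keys under a redirected registry path. Encryption of the redirected copy is left out here.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Desktop that issued the request (labels assumed for this example). */
enum desktop { DESKTOP_PERSONAL = 1, DESKTOP_SECURE = 2 };

/* Verdict of the modelled pre-open filter. */
enum verdict { VERDICT_DENY = 0, VERDICT_ALLOW_DIRECT = 1, VERDICT_ALLOW_REDIRECT = 2 };

/* Assumed layout: everything below SECURE_ROOT belongs to the secure desktop's
 * workspace; every other path belongs to the personal desktop. */
#define SECURE_ROOT  "C:\\SecureDesktop\\"
#define MAX_FILES    32
#define MAX_PATH_LEN 260

/* Constructed in-memory "disk": the set of paths that currently exist. */
static char g_files[MAX_FILES][MAX_PATH_LEN];
static int  g_file_count;

static bool file_exists(const char *path) {
    for (int i = 0; i < g_file_count; i++)
        if (strcmp(g_files[i], path) == 0) return true;
    return false;
}

/* Creates (or, for the redirect case, "copies") a file; false when the table is full. */
static bool create_file(const char *path) {
    if (file_exists(path)) return true;
    if (g_file_count >= MAX_FILES) return false;
    snprintf(g_files[g_file_count], MAX_PATH_LEN, "%s", path);
    g_file_count++;
    return true;
}

static enum desktop owner_of(const char *path) {
    return strncmp(path, SECURE_ROOT, strlen(SECURE_ROOT)) == 0 ? DESKTOP_SECURE : DESKTOP_PERSONAL;
}

/* Maps a personal-desktop path to its redirection path inside the secure workspace,
 * e.g. C:\Users\a\x.docx -> C:\SecureDesktop\C\Users\a\x.docx (drive letter kept as a folder). */
static void redirect_path(const char *orig, char *out, size_t out_len) {
    if (strlen(orig) < 3) { snprintf(out, out_len, "%s%s", SECURE_ROOT, orig); return; }
    snprintf(out, out_len, "%s%c\\%s", SECURE_ROOT, orig[0], orig + 3);
}

/* Pre-open decision. out_path receives the path the open is actually performed on. */
enum verdict decide_open(enum desktop proc, const char *path, bool want_write,
                         char *out_path, size_t out_len) {
    enum desktop owner = owner_of(path);

    /* Personal desktop never reaches into the secure workspace. */
    if (proc == DESKTOP_PERSONAL && owner == DESKTOP_SECURE)
        return VERDICT_DENY;

    /* Same-desktop access needs no redirection. */
    if (proc == owner) {
        snprintf(out_path, out_len, "%s", path);
        return VERDICT_ALLOW_DIRECT;
    }

    /* Secure process on a personal file: once a redirect copy exists it is always used;
     * otherwise read through, and on the first write copy into the secure workspace. */
    redirect_path(path, out_path, out_len);
    if (file_exists(out_path))
        return VERDICT_ALLOW_REDIRECT;
    if (!want_write) {
        snprintf(out_path, out_len, "%s", path);
        return VERDICT_ALLOW_DIRECT;
    }
    if (!create_file(out_path))      /* the copy could not be made: fail closed */
        return VERDICT_DENY;
    return VERDICT_ALLOW_REDIRECT;
}

int main(void) {
    char where[MAX_PATH_LEN];
    create_file("C:\\Users\\alice\\report.docx");            /* constructed sample file */
    enum verdict v = decide_open(DESKTOP_SECURE, "C:\\Users\\alice\\report.docx", true,
                                 where, sizeof where);
    printf("verdict=%d opened=%s\n", v, where);
    return 0;
}
```

The order of the checks matters: the existence test for the redirect copy comes before the read/write distinction, so a secure process that wrote once keeps seeing its own copy on later read-only opens, which is what keeps the personal desktop's original untouched.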
In practical application, in order to further ensure the security of office data, it is necessary to avoid users from pasting content (text or pictures) copied from the second type desktop onto the first type desktop.
Based on this, in an embodiment, the enabling or disabling, according to the first policy, the terminal to perform the operation corresponding to the first process may include:
prohibiting the terminal from executing the operation corresponding to the first process when the operation corresponding to the first process includes an operation of the first type desktop pasting text or an image copied from the second type desktop;
and allowing the terminal to execute the operation corresponding to the first process when the operation corresponding to the first process includes an operation of the second type desktop pasting text or an image copied from the first type desktop, wherein
the clipboards of the plurality of desktops are isolated from each other based on sandboxes.
In practical application, in order to further ensure the security of office data, the first policy may include authority of the first desktop to access the network, authority to call a system service interface, and the like, so that leakage of office data through interfaces such as a network or a printer when a user uses a desktop for office can be avoided.
Based on this, in an embodiment, the enabling or disabling, according to the first policy, the terminal to perform the operation corresponding to the first process may include:
Allowing the terminal to execute the operation corresponding to the first process under the condition that the first desktop is determined to have the authority for executing the operation corresponding to the first process according to the first strategy;
under the condition that the first desktop does not have the right to execute the operation corresponding to the first process according to the first strategy, prohibiting the terminal from executing the operation corresponding to the first process, wherein,
The system service interfaces and the network connection functions corresponding to the desktops are isolated based on sandboxes;
The operation corresponding to the first process comprises one of the following steps:
Accessing a first local area network;
Accessing a second local area network;
A system service interface is invoked.
In practical application, the first local area network may be an enterprise intranet, and the second local area network may be a wireless local area network such as a wireless Bluetooth local area network or a wireless infrared local area network. The system service interface may include a printer interface, a universal serial bus (USB) interface and the like, so that the user can be prevented from leaking office data through the network, a printer, USB and the like, which further improves the security of the office data.
In practical application, in order to further guarantee the security of office data, the first policy may further include a screenshot authority, so that the user can be prevented from revealing office data through the screenshot when using a desktop for office.
Based on this, in an embodiment, the operation corresponding to the first process includes a screenshot operation, and the enabling or disabling, according to the first policy, the terminal to execute the operation corresponding to the first process may include:
allowing the terminal to execute the operation corresponding to the first process under the condition that the first desktop has the screenshot authority;
And prohibiting the terminal from executing the operation corresponding to the first process under the condition that the first desktop does not have the screenshot authority, or generating a screenshot picture containing traceable watermark information.
The process management method provided by the embodiment of the application monitors the processes of the terminal; when a first process is monitored, it determines, according to the desktop identification carried by the first process, the first desktop corresponding to the first process among the plurality of desktops included in the terminal, wherein the system operation authority corresponding to each of the plurality of desktops is the same or different and the processes corresponding to each desktop are isolated based on sandboxes; it determines the first policy corresponding to the first desktop using the correspondence between desktops and process processing policies; and it allows or prohibits the terminal from executing the operation corresponding to the first process according to the first policy.
Meanwhile, the process management method provided by the embodiment of the application is realized based on the multi-desktop form of the terminal, and office data protection is not needed through external equipment, so that the deployment cost is greatly reduced, and the difficulty of a deployment mode and the difficulty of subsequent operation and maintenance are also reduced.
In addition, because the process management method provided by the embodiment of the application is realized based on the multi-desktop form of the terminal, a user can directly realize the switching of a BYOD scene and/or a small micro branch office scene and other application scenes (such as the personal application scene of the user) through desktop switching, and the operation is simple and convenient, so that the user experience is further improved.
The present application will be described in further detail with reference to examples of application.
The embodiment of the application provides a data anti-disclosure scheme based on a UEM sandbox, which protects the data of a user terminal (namely office data) as a whole and from multiple angles in a BYOD scenario and a small or micro branch office scenario. Specifically, one or more specialized desktop workspaces are created alongside the personal desktop space of the user terminal's own operating system, i.e., a multi-desktop form is built in the user terminal. Meanwhile, as shown in fig. 3, a UEM data anti-disclosure control unit 301, a multi-desktop form unit 302, a process identification and isolation unit 303, a file isolation unit 304, a file encryption and decryption unit 305, a VPN and network isolation unit 306, a registry isolation unit 307, a clipboard isolation unit 308, a screen watermark and anti-screen capture unit 309, a service isolation unit 310, and an infrared and Bluetooth device isolation unit 311 are provided in the user terminal, so as to implement data protection functions such as VPN secure link isolation, file encryption, network isolation, clipboard isolation, process isolation, registry isolation, screen watermarking, service isolation, and infrared and Bluetooth device isolation for the software (applications) running in the working space corresponding to each of the plurality of desktops.
Specifically, the UEM data anti-disclosure control unit 301 is configured to provide a sandbox function implemented based on UEM, as a basis of the process identification and isolation unit 303, the file isolation unit 304, the file encryption and decryption unit 305, the VPN and network isolation unit 306, the registry isolation unit 307, the clipboard isolation unit 308, the screen watermark and anti-screen capture unit 309, the service isolation unit 310, and the infrared and bluetooth device isolation unit 311, and meanwhile, the UEM data anti-disclosure control unit 301 is configured to obtain a correspondence between a desktop and a data protection policy (i.e., the above process processing policy) and a data protection policy corresponding to each desktop from a shared memory (may be referred to as a global shared memory) of the plurality of desktops, and provide the obtained correspondence to other units.
The multi-desktop form unit 302 is configured to construct a multi-desktop form including a personal desktop (i.e., the first type desktop described above) and a secure desktop (i.e., the second type desktop described above). Here, the data protection for the user needs to be embodied in the secure desktop, and key technologies such as process identification, file encryption and decryption, file isolation, registry isolation, network isolation and clipboard isolation can be adopted to guarantee it. Meanwhile, a desktop switching button is displayed on the taskbar of each desktop for quickly switching between the personal desktop and the secure desktop.
The process identification and isolation unit 303 is configured to accurately identify whether a process operating on data belongs to the personal desktop or the secure desktop, so as to protect the data in the secure desktop. In a Windows system, the process space of a process belonging to a certain desktop includes the corresponding desktop information (i.e., the desktop identification, which may be denoted as Desktop Information, abbreviated DesktopInfo), which marks whether a process is a personal process (i.e., a process corresponding to the personal desktop) or a secure process (i.e., a process corresponding to the secure desktop). Meanwhile, a process callback function may be registered in a Windows driver by calling the application programming interface (API) PsSetCreateProcessNotifyRoutineEx; when a process starts or exits, the system calls the registered callback function to notify the driver, which then obtains the PEB information (characterizing the PEB structure) of the process through the EPROCESS object (characterizing the EPROCESS structure) of the process and reads the DesktopInfo from the PEB information, so as to determine the desktop to which the process belongs.
The file isolation unit 304 is configured to perform file isolation. Specifically, in the initial state, the files in the personal desktop and the files in the secure desktop are the same; afterwards, when a secure process opens a file with write permission, before the file is really opened, the file can be copied through the MINIFILTER technology to a redirection directory belonging to the secure desktop, the corresponding file under the redirection directory is opened instead, and subsequent operations on the file become operations on the corresponding file under the redirection directory.
The file encrypting and decrypting unit 305 is used for encrypting and decrypting the file under the redirected directory. Specifically, in the initial state, the files in the personal desktop and the files in the secure desktop are the same and are in an unencrypted state, and by means of MINIFILTER technology, when a subsequent security process performs writing operation on the files under the redirection directory, the corresponding files are encrypted before being written into the disk, and when the security process performs reading operation on the files under the redirection directory, the read data of the corresponding files are decrypted before being returned to the security process.
The VPN and network isolation unit 306 is configured to perform VPN and network isolation. Specifically, the secure desktop needs to be able to access the intranet, and the network protocol support of software in the secure desktop must be no different from that of an intranet PC: the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Internet Control Message Protocol (ICMP) must be supported. Meanwhile, it must be ensured that only the software in the secure desktop can access the intranet and the software in the personal desktop cannot; in addition, the software in the secure desktop needs to support Domain Name System (DNS) resolution. Here, a network driver based on the Windows Filtering Platform (WFP) of an SSL VPN (a VPN that establishes a remote secure access channel over the Secure Sockets Layer (SSL) protocol) may specifically be used to perform network isolation between secure processes and personal processes.
The registry isolation unit 307 is configured to perform registry isolation. Specifically, in the initial state, the registry in the personal desktop and the registry in the secure desktop are the same; afterwards, when a secure process opens a registry key with write permission, before the key is really opened, its path can be replaced through a driver technology with the redirection registry path of the secure desktop, so that the key under the redirection path corresponding to the original key path is opened instead, and subsequent operations on the original key become operations on the key under the redirection registry path. Illustratively, a registry callback may be registered in the Windows driver by calling the CmRegisterCallbackEx API, and the system calls the registered callback to notify the driver when a registry operation occurs.
The clipboard isolation unit 308 is configured to isolate the clipboards. Specifically, data in the secure desktop is not allowed to be copied to the personal desktop. Hook technology is used to hook the APIs through which a process operates the clipboard (including user32.dll!GetClipboardData and user32.dll!SetClipboardData). When a process calls user32.dll!SetClipboardData to copy, the security attribute of the process performing the copy is recorded in the global shared memory; when a process calls user32.dll!GetClipboardData to paste, the security attribute of the process that triggered the copy is read from the global shared memory and compared with the security attribute of the process performing the paste, so as to determine whether the current paste is trusted. When the process that triggered the copy is a secure process and the process performing the paste is a personal process, the paste is determined to be untrusted and is refused; when the process that triggered the copy is a personal process and the process performing the paste is a secure process, the paste is determined to be trusted and is allowed.
A screen watermarking and anti-screenshot unit 309 for preventing the user from revealing a secret through a screenshot. Specifically, a highlighted watermark (such as DesktopInfo, a user name, a user account, etc.) may be displayed in the corresponding workspace, and the screenshot pictures generated after the screenshot may include watermark information for subsequent tracking.
The service isolation unit 310 is configured to perform service isolation. Specifically, the user can be prevented from leaking secrets by printing by prohibiting processes in the secure desktop from using the printing function. Illustratively, with the Hook technology, the APIs that call the printer service (including Winspool.drv!OpenPrinter, Winspool.drv!AddPrinter, Winspool.drv!StartDocPrinter, Winspool.drv!StartPagePrinter and Winspool.drv!WritePrinter) are hooked, and when a secure process calls these printer APIs, a failure is returned directly.
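The clipboard isolation (unit 308) and the printer service isolation (unit 310) are both user-mode API hooks that consult the calling process's security attribute. The portable C below is an added model of that decision logic, not Sangfor's hook code: the "global shared memory" is a single static variable, each hook_* function stands in for the detour installed on the named user32.dll or Winspool.drv export and returns whether the original API would be allowed to proceed, and the per-desktop printing permission is passed in as a flag. The attribute labels, function names and the blocked-event counter are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Security attribute of a process, as derived from its desktop (labels assumed). */
enum proc_attr { PROC_NONE = 0, PROC_PERSONAL = 1, PROC_SECURE = 2 };

/* Model of the global shared memory the hooks consult: the attribute of the
 * process that performed the most recent copy (PROC_NONE before any copy). */
static int g_clip_owner = PROC_NONE;

/* Count of refused operations, the kind of signal an agent would report for detection. */
static int g_blocked_events = 0;

int blocked_event_count(void) { return g_blocked_events; }

/* Hook on user32.dll!SetClipboardData: record who copied, then let the call proceed. */
bool hook_SetClipboardData(enum proc_attr caller) {
    g_clip_owner = caller;
    return true;                       /* the original API would be invoked here */
}

/* Hook on user32.dll!GetClipboardData: a personal process must not receive data
 * that a secure process copied. Every other direction is passed through. */
bool hook_GetClipboardData(enum proc_attr caller) {
    if (g_clip_owner == PROC_SECURE && caller == PROC_PERSONAL) {
        g_blocked_events++;
        return false;                  /* untrusted paste: refuse, no data is returned */
    }
    return true;
}

/* Hook shared by the Winspool.drv printing APIs: a secure process whose desktop
 * policy does not grant printing gets a failure straight back; a personal process
 * is not controlled. `api` names the hooked export, for the audit record only. */
bool hook_PrinterApi(const char *api, enum proc_attr caller, bool secure_may_print) {
    if (caller == PROC_SECURE && !secure_may_print) {
        g_blocked_events++;
        printf("blocked %s from a secure-desktop process\n", api);
        return false;
    }
    return true;
}

int main(void) {
    /* Constructed sequence: copy in the secure desktop, paste in the personal one. */
    hook_SetClipboardData(PROC_SECURE);
    printf("paste into personal desktop allowed: %d\n", hook_GetClipboardData(PROC_PERSONAL));
    printf("paste into secure desktop allowed:   %d\n", hook_GetClipboardData(PROC_SECURE));
    hook_PrinterApi("Winspool.drv!OpenPrinter", PROC_SECURE, false);
    printf("blocked events: %d\n", blocked_event_count());
    return 0;
}
```

Note that the copy hook never blocks: the control point is the paste, because only at paste time are both the source and destination attributes known. The counter is there because a refused paste or print attempt from the secure desktop is exactly the event a defender wants surfaced rather than silently dropped.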
The infrared and Bluetooth device isolation unit 311 is configured to isolate the wireless infrared LAN and the wireless Bluetooth LAN. Specifically, similarly to network isolation, WFP is used to isolate the wireless infrared LAN and the wireless Bluetooth LAN. Here, the protocol family (address family, AF) used to isolate use of the wireless infrared local area network is AF_IRDA (26), the AF used to isolate use of the wireless Bluetooth local area network is AF_BTH (32), and the AFs used to isolate use of an ordinary network (such as the enterprise intranet) are AF_INET and AF_INET6. The infrared and Bluetooth device isolation unit 311 determines whether to turn on the interception of infrared and Bluetooth devices according to the data protection policy corresponding to the corresponding desktop; if the corresponding interception is turned on, secure processes are denied access to infrared and Bluetooth devices, while non-secure processes are not controlled (i.e., non-secure processes can still access infrared and Bluetooth devices).
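The network rules above (unit 306: only the secure desktop may reach the intranet; unit 311: secure processes lose infrared and Bluetooth access when interception is on, personal processes are untouched) reduce to one per-connection decision keyed on the calling process's desktop, its desktop's policy and the address family. The portable C below is an added model of that WFP-style decision, not Sangfor's driver; the address-family numbers are the Windows values (AF_IRDA 26 and AF_BTH 32 as named above, AF_INET 2 and AF_INET6 23), while the policy field names, the 10.0.0.0/8 sample intranet range and the helper names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Windows address-family numbers (AF_IRDA and AF_BTH as given on the page). */
#define AF_INET_WIN   2
#define AF_INET6_WIN  23
#define AF_IRDA_WIN   26
#define AF_BTH_WIN    32

enum desktop { DESKTOP_PERSONAL = 1, DESKTOP_SECURE = 2 };

/* Per-desktop data protection policy; field names assumed for the example. */
struct net_policy {
    bool intranet_allowed;   /* this desktop may reach the enterprise intranet */
    bool block_irda_bth;     /* interception of infrared / Bluetooth LANs is turned on */
};

/* Constructed sample intranet range: 10.0.0.0/8. ip is host-order, e.g. 0x0A000001 = 10.0.0.1 */
bool is_intranet_v4(unsigned int ip) { return (ip >> 24) == 10; }

/* Connect-time decision in the style of a WFP callout. Returns true to permit.
 * dst_is_intranet is computed by the caller (is_intranet_v4 above for IPv4). */
bool decide_connect(enum desktop proc, const struct net_policy *pol, int af, bool dst_is_intranet) {
    switch (af) {
    case AF_IRDA_WIN:
    case AF_BTH_WIN:
        /* Only the secure desktop is controlled, and only while interception is on. */
        if (proc == DESKTOP_SECURE && pol->block_irda_bth) return false;
        return true;
    case AF_INET_WIN:
    case AF_INET6_WIN:
        /* The intranet is reachable only from the secure desktop, and only if its
         * policy grants it; the personal desktop is refused regardless of policy. */
        if (dst_is_intranet) return proc == DESKTOP_SECURE && pol->intranet_allowed;
        return true;
    default:
        return true;             /* address families the scheme does not govern */
    }
}

int main(void) {
    /* Constructed policies: personal desktop has nothing, secure desktop has intranet
     * access and IR/Bluetooth interception switched on. */
    struct net_policy personal = { false, false };
    struct net_policy secure   = { true,  true  };
    unsigned int dst = 0x0A0A0005u;   /* 10.10.0.5, inside the sample intranet range */

    printf("personal -> intranet : %d\n",
           decide_connect(DESKTOP_PERSONAL, &personal, AF_INET_WIN, is_intranet_v4(dst)));
    printf("secure   -> intranet : %d\n",
           decide_connect(DESKTOP_SECURE, &secure, AF_INET_WIN, is_intranet_v4(dst)));
    printf("secure   -> bluetooth: %d\n",
           decide_connect(DESKTOP_SECURE, &secure, AF_BTH_WIN, false));
    return 0;
}
```

The asymmetry is deliberate and mirrors the text: intranet access is a positive grant that only the secure desktop can hold, whereas the IR/Bluetooth interception is a restriction that applies only to the secure desktop, so flipping `block_irda_bth` off restores those devices for secure processes without ever affecting personal ones.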
In practical application, instead of constructing the multi-desktop form at the user terminal, a widget form (which may be expressed in English as Web widgets, or simply widgets) may also be adopted: adding a new working space (i.e., a desktop) means adding a widget, and the isolation of the working spaces corresponding to the widgets is realized through the UEM sandbox.
According to the data anti-disclosure scheme based on the UEM sandbox, one or more secure workspaces (namely the secure domains) that are completely logically isolated from the personal desktop (namely the personal domain) are created in the user terminal, and the software (applications) running in the secure workspaces have data protection functions such as VPN secure link isolation, file encryption, network isolation, clipboard isolation, process isolation, registry isolation, screen watermarking, service isolation, and infrared and Bluetooth device isolation. Compared with the data anti-disclosure schemes in the related art, the existing desktop usage habits of the user are not changed, and at the same time the network, file and other operations of the secure workspace are completely isolated from the personal workspace, so the security is higher.
In order to implement the method of the embodiment of the present application, the embodiment of the present application further provides a process management device, which is disposed on a terminal, as shown in fig. 4, and the device includes:
The monitoring unit 401 is used for monitoring the process of the terminal, determining a first desktop corresponding to the first process in a plurality of desktops contained in the terminal according to the desktop identification carried by the first process when the first process is monitored, wherein the system operation authority corresponding to each desktop in the plurality of desktops contained in the terminal is the same or different;
And the processing unit 402 is configured to determine a first policy corresponding to the first desktop by using a correspondence between a desktop and a process processing policy, and enable or disable the terminal to execute an operation corresponding to the first process according to the first policy.
Wherein, in an embodiment, the process management device further comprises:
the obtaining unit is used for obtaining the corresponding relation between the desktop and the process processing strategy and the first strategy from the shared memory of the desktops.
In an embodiment, the plurality of desktops included in the terminal comprise a first type desktop and a second type desktop, wherein the system operation authority corresponding to the first type desktop is lower than the system operation authority corresponding to the second type desktop;
The processing unit 402 is configured to:
allowing the terminal to execute the operation corresponding to the first process under the condition that the operation corresponding to the first process comprises the operation of the second type desktop aiming at the file under the file directory corresponding to the first type desktop;
Under the condition that the operation corresponding to the first process comprises the operation of the first type desktop aiming at the file under the file directory corresponding to the second type desktop, prohibiting the terminal from executing the operation corresponding to the first process, wherein,
Files under the file directories corresponding to the desktops are isolated based on the sandboxes.
In an embodiment, the operation corresponding to the first process includes an operation of the second type desktop for a first file in the file directory corresponding to the first type desktop, and when the terminal is allowed to execute the operation corresponding to the first process, the processing unit 402 is configured to:
under the condition that a redirection file corresponding to the first file exists in a file directory corresponding to the second type desktop, controlling the terminal to execute an operation corresponding to the first process aiming at the redirection file;
Under the condition that the redirection file corresponding to the first file does not exist under the file directory corresponding to the second type desktop, generating the redirection file corresponding to the first file under the file directory corresponding to the second type desktop, and controlling the terminal to execute the operation corresponding to the first process aiming at the redirection file.
In an embodiment, the processing unit 402 is configured to encrypt the redirection file when controlling the terminal to execute, for the redirection file, an operation corresponding to the first process.
In an embodiment, the processing unit 402 is configured to:
prohibiting the terminal from executing the operation corresponding to the first process when the operation corresponding to the first process includes an operation of the first type desktop pasting text or an image copied from the second type desktop;
and allowing the terminal to execute the operation corresponding to the first process when the operation corresponding to the first process includes an operation of the second type desktop pasting text or an image copied from the first type desktop, wherein
the clipboards of the plurality of desktops are isolated from each other based on sandboxes.
In an embodiment, the processing unit 402 is configured to:
Allowing the terminal to execute the operation corresponding to the first process under the condition that the first desktop is determined to have the authority for executing the operation corresponding to the first process according to the first strategy;
under the condition that the first desktop does not have the right to execute the operation corresponding to the first process according to the first strategy, prohibiting the terminal from executing the operation corresponding to the first process, wherein,
The system service interfaces and the network connection functions corresponding to the desktops are isolated based on sandboxes;
The operation corresponding to the first process comprises one of the following steps:
Accessing a first local area network;
Accessing a second local area network;
A system service interface is invoked.
In an embodiment, the operation corresponding to the first process includes a screenshot operation, and the processing unit 402 is configured to:
allowing the terminal to execute the operation corresponding to the first process under the condition that the first desktop has the screenshot authority;
And prohibiting the terminal from executing the operation corresponding to the first process under the condition that the first desktop does not have the screenshot authority, or generating a screenshot picture containing traceable watermark information.
Here, the functions of the monitoring unit 401 are equivalent to part of the functions of the process identification and isolation unit 303 in the application example of the present application, the functions of the obtaining unit are equivalent to part of the functions of the UEM data anti-disclosure control unit 301 in the application example, and the functions of the processing unit 402 are equivalent to the remaining functions of the UEM data anti-disclosure control unit 301 and the process identification and isolation unit 303 in the application example, as well as the functions of the multi-desktop form unit 302, the file isolation unit 304, the file encryption and decryption unit 305, the VPN and network isolation unit 306, the registry isolation unit 307, the clipboard isolation unit 308, the screen watermark and anti-screen capture unit 309, the service isolation unit 310 and the infrared and Bluetooth device isolation unit 311.
The monitoring unit 401 and the obtaining unit may be implemented by a processor in the process management device in combination with a communication interface, and the processing unit 402 may be implemented by a processor in the process management device.
It should be noted that, when the process management device provided in the above embodiment manages a process, only the division of each program module is used for illustration, and in practical application, the process allocation may be completed by different program modules according to needs, i.e. the internal structure of the process management device is divided into different program modules to complete all or part of the processes described above. In addition, the process management device and the process management method provided in the foregoing embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiment of the present application, the embodiment of the present application further provides a process management device, which is disposed on a terminal, as shown in fig. 5, where the process management device 500 includes:
a communication interface 501 capable of information interaction with other electronic devices;
A processor 502, connected to the communication interface 501, for implementing information interaction with other electronic devices, and configured to execute the methods provided by one or more of the above technical solutions when running a computer program;
a memory 503 for storing a computer program capable of running on the processor 502.
Specifically, the processor 502 is configured to perform the following operations:
When a first process is monitored, determining a first desktop corresponding to the first process in a plurality of desktops contained in the terminal according to desktop identifications carried by the first process, wherein the system operation rights corresponding to each desktop in the plurality of desktops contained in the terminal are the same or different;
Determining a first strategy corresponding to the first desktop by utilizing a corresponding relation between the desktop and the process treatment strategy; and according to the first strategy, allowing or prohibiting the terminal to execute the operation corresponding to the first process.
Wherein, in one embodiment, the processor 502 is configured to perform the following operations:
And acquiring the corresponding relation between the desktop and the process processing strategy and the first strategy from the shared memory of the desktops.
In an embodiment, the plurality of desktops included in the terminal include a first type desktop and a second type desktop, a system operation authority corresponding to the first type desktop is lower than a system operation authority corresponding to the second type desktop, and the processor 502 is configured to perform the following operations:
allowing the terminal to execute the operation corresponding to the first process under the condition that the operation corresponding to the first process comprises the operation of the second type desktop aiming at the file under the file directory corresponding to the first type desktop;
Under the condition that the operation corresponding to the first process comprises the operation of the first type desktop aiming at the file under the file directory corresponding to the second type desktop, prohibiting the terminal from executing the operation corresponding to the first process, wherein,
Files under the file directories corresponding to the desktops are isolated based on the sandboxes.
In an embodiment, the operation corresponding to the first process includes an operation of the second type desktop for a first file in a file directory corresponding to the first type desktop, and when the terminal is allowed to execute the operation corresponding to the first process, the processor 502 is configured to execute the following operations:
under the condition that a redirection file corresponding to the first file exists in a file directory corresponding to the second type desktop, controlling the terminal to execute an operation corresponding to the first process aiming at the redirection file;
Under the condition that the redirection file corresponding to the first file does not exist under the file directory corresponding to the second type desktop, generating the redirection file corresponding to the first file under the file directory corresponding to the second type desktop, and controlling the terminal to execute the operation corresponding to the first process aiming at the redirection file.
In one embodiment, the processor 502 is configured to perform the following operations:
And when the terminal is controlled to execute the operation corresponding to the first process aiming at the redirection file, encrypting the redirection file.
In one embodiment, the processor 502 is configured to perform the following operations:
prohibiting the terminal from executing the operation corresponding to the first process when the operation corresponding to the first process includes an operation of the first type desktop pasting text or an image copied from the second type desktop;
and allowing the terminal to execute the operation corresponding to the first process when the operation corresponding to the first process includes an operation of the second type desktop pasting text or an image copied from the first type desktop, wherein
the clipboards of the plurality of desktops are isolated from each other based on sandboxes.
In one embodiment, the processor 502 is configured to perform the following operations:
allowing the terminal to execute the operation corresponding to the first process when it is determined according to the first policy that the first desktop has the authority to execute that operation;
prohibiting the terminal from executing the operation corresponding to the first process when it is determined according to the first policy that the first desktop does not have the authority to execute that operation, wherein
the system service interfaces and the network connection functions corresponding to the respective desktops are isolated based on sandboxes;
the operation corresponding to the first process includes one of the following:
accessing a first local area network;
accessing a second local area network;
invoking a system service interface.
In one embodiment, the operation corresponding to the first process includes a screenshot operation, and the processor 502 is configured to perform the following operations:
allowing the terminal to execute the operation corresponding to the first process when the first desktop has screenshot authority;
when the first desktop does not have screenshot authority, either prohibiting the terminal from executing the operation corresponding to the first process, or generating a screenshot image that carries traceable watermark information.
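As an added illustration (not code from the patent or from its assignee), the following Python models the decision rules above as one small policy engine: desktop isolation by sandbox directory, the redirection-file rule for cross-desktop file access, the one-way clipboard rule, network and system-service permissions, and the watermarked-screenshot alternative. The desktop names, privilege levels, `/sandbox/<desktop>/` layout and `POLICIES` table are constructed assumptions standing in for the desktop-to-policy correspondence the patent keeps in shared memory.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Constructed sample of the desktop -> process-handling-policy correspondence.
# Names, levels and targets are assumptions, not values from the patent.
# A higher "level" means more system operation authority.
POLICIES = {
    "personal": {"level": 0, "lan": {"internet"}, "services": set(),       "screenshot": "allow"},
    "work":     {"level": 1, "lan": {"office"},   "services": {"printer"}, "screenshot": "watermark"},
}
SANDBOX_ROOT = PurePosixPath("/sandbox")  # assumed layout: /sandbox/<desktop>/...


@dataclass
class Decision:
    allowed: bool
    reason: str
    redirect_to: Optional[str] = None  # redirection file inside the caller's own directory
    encrypt: bool = False              # redirection files are stored encrypted
    watermark: bool = False            # screenshot carries traceable watermark


def owner_of(path: str) -> Optional[str]:
    """Desktop whose isolated file directory contains `path` (None if outside all of them)."""
    parts = PurePosixPath(path).parts
    if len(parts) > 2 and PurePosixPath(*parts[:2]) == SANDBOX_ROOT and parts[2] in POLICIES:
        return parts[2]
    return None


def file_access(desktop: str, path: str, existing: set[str]) -> Decision:
    """File rule: a higher-authority desktop works on a redirected copy of a lower
    desktop's file (generated on first use, reused afterwards); a lower desktop is refused."""
    owner = owner_of(path)
    if owner is None:
        return Decision(False, "path outside the isolated desktop directories")  # assumption
    if owner == desktop:
        return Decision(True, "own directory")
    mine, theirs = POLICIES[desktop]["level"], POLICIES[owner]["level"]
    if mine <= theirs:  # lower (or, by assumption, equal) authority gets no cross access
        return Decision(False, f"{desktop} may not touch files of {owner}")
    relative = PurePosixPath(*PurePosixPath(path).parts[3:])
    redirect = str(SANDBOX_ROOT / desktop / "redirect" / owner / relative)
    if redirect in existing:
        return Decision(True, "using existing redirection file", redirect, encrypt=True)
    existing.add(redirect)  # generate the redirection file under the caller's directory
    return Decision(True, "generated redirection file", redirect, encrypt=True)


def clipboard_paste(dst: str, src: str) -> Decision:
    """Clipboards are per-desktop; content may only flow towards higher authority."""
    if dst == src or POLICIES[dst]["level"] > POLICIES[src]["level"]:
        return Decision(True, f"paste {src} -> {dst} permitted")
    return Decision(False, f"paste {src} -> {dst} would move data to lower authority")


def network_or_service(desktop: str, kind: str, target: str) -> Decision:
    """`kind` is "lan" or "services"; allowed only if the desktop's policy lists the target."""
    ok = target in POLICIES[desktop][kind]
    return Decision(ok, f"{kind}:{target} {'granted' if ok else 'refused'} for {desktop}")


def screenshot(desktop: str) -> Decision:
    """Plain screenshot, refusal, or screenshot with traceable watermark, per policy."""
    mode = POLICIES[desktop]["screenshot"]
    if mode == "allow":
        return Decision(True, "screenshot permitted")
    if mode == "watermark":
        return Decision(True, "screenshot permitted with watermark", watermark=True)
    return Decision(False, "screenshot refused")
```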
It should be noted that the detailed process by which the processor 502 performs the above operations is described in the method embodiments and is not repeated here.
Of course, in practice the various components of the process management device 500 are coupled together via a bus system 504. It will be appreciated that the bus system 504 is used to enable communication between these components. In addition to the data bus, the bus system 504 includes a power bus, a control bus and a status signal bus; for clarity of illustration, however, the various buses are labelled collectively as bus system 504 in fig. 5.
The memory 503 in the embodiments of the present application is used to store various types of data to support the operation of the process management device 500. Examples of such data include any computer program to be run on the process management device 500.
The method disclosed in the above embodiments of the present application may be applied to, or implemented by, the processor 502. The processor 502 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the methods described above may be performed by integrated logic circuitry in hardware or by instructions in software within the processor 502. The processor 502 may be a general purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 502 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the application may be embodied directly in the hardware of a decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 503; the processor 502 reads the information in the memory 503 and, together with its hardware, performs the steps of the method described above.
In an exemplary embodiment, the process management device 500 may be implemented by one or more application specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field-programmable gate arrays (FPGAs), general purpose processors, controllers, microcontrollers (MCUs), microprocessors, or other electronic elements for performing the aforementioned methods.
It will be appreciated that the memory 503 of the embodiments of the present application may be volatile memory or non-volatile memory, and may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), ferroelectric random access memory (FRAM), flash memory, magnetic surface memory (which may be magnetic disk memory or magnetic tape memory), optical disk, or compact disc read-only memory (CD-ROM). The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM). The memory described in the embodiments of the present application is intended to include, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present application also provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example a memory 503 storing a computer program that is executable by the processor 502 of the process management device 500 to perform the steps of the aforementioned method. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disk, or CD-ROM.
It should be noted that "first", "second", etc. are used to distinguish between similar objects and do not necessarily describe a particular sequential or chronological order.
In addition, the embodiments of the present application may be combined arbitrarily as long as they do not conflict.
The foregoing description covers only the preferred embodiments of the present application and is not intended to limit the scope of the present application.

Claims (10)

1. A process management method, comprising:
monitoring processes of a terminal and, when a first process is detected, determining, according to a desktop identifier carried by the first process, a first desktop corresponding to the first process among a plurality of desktops contained in the terminal, wherein the plurality of desktops contained in the terminal include a first type desktop and a second type desktop, the system operation authority corresponding to the first type desktop is lower than the system operation authority corresponding to the second type desktop, the system operation authorities corresponding to the respective desktops of the plurality of desktops are the same or different, and the processes corresponding to the respective desktops of the plurality of desktops are isolated based on sandboxes;
determining a first policy corresponding to the first desktop using a correspondence between desktops and process handling policies, and allowing or prohibiting the terminal from executing the operation corresponding to the first process according to the first policy;
wherein allowing or prohibiting, according to the first policy, the terminal from executing the operation corresponding to the first process includes:
allowing the terminal to execute the operation corresponding to the first process when the operation corresponding to the first process includes an operation by the second type desktop on a file under the file directory corresponding to the first type desktop;
prohibiting the terminal from executing the operation corresponding to the first process when the operation corresponding to the first process includes an operation by the first type desktop on a file under the file directory corresponding to the second type desktop, wherein
the files under the file directories corresponding to the respective desktops of the plurality of desktops are isolated based on the sandboxes.
2. The method according to claim 1, further comprising:
acquiring the correspondence between desktops and process handling policies, and the first policy, from the shared memory of the plurality of desktops.
3. The method according to claim 1, wherein the operation corresponding to the first process includes an operation by the second type desktop on a first file under the file directory corresponding to the first type desktop, and wherein, when the terminal is allowed to execute the operation corresponding to the first process, the method further comprises:
when a redirection file corresponding to the first file already exists under the file directory corresponding to the second type desktop, controlling the terminal to execute the operation corresponding to the first process on that redirection file;
when no redirection file corresponding to the first file exists under the file directory corresponding to the second type desktop, generating the redirection file corresponding to the first file under the file directory corresponding to the second type desktop, and controlling the terminal to execute the operation corresponding to the first process on the redirection file.
4. The method according to claim 3, further comprising:
encrypting the redirection file when the terminal is controlled to execute the operation corresponding to the first process on the redirection file.
5. The method according to claim 1, wherein allowing or prohibiting, according to the first policy, the terminal from executing the operation corresponding to the first process includes:
prohibiting the terminal from executing the operation corresponding to the first process when that operation includes the first type desktop pasting text or an image copied from the second type desktop;
allowing the terminal to execute the operation corresponding to the first process when that operation includes the second type desktop pasting text or an image copied from the first type desktop, wherein
the clipboards of the respective desktops of the plurality of desktops are isolated based on sandboxes.
6. The method according to claim 1 or 2, wherein allowing or prohibiting, according to the first policy, the terminal from executing the operation corresponding to the first process includes:
allowing the terminal to execute the operation corresponding to the first process when it is determined according to the first policy that the first desktop has the authority to execute that operation;
prohibiting the terminal from executing the operation corresponding to the first process when it is determined according to the first policy that the first desktop does not have the authority to execute that operation, wherein
the system service interfaces and the network connection functions corresponding to the respective desktops are isolated based on sandboxes;
the operation corresponding to the first process includes one of the following:
accessing a first local area network;
accessing a second local area network;
invoking a system service interface.
7. The method according to claim 1 or 2, wherein the operation corresponding to the first process includes a screenshot operation;
and allowing or prohibiting, according to the first policy, the terminal from executing the operation corresponding to the first process includes:
allowing the terminal to execute the operation corresponding to the first process when the first desktop has screenshot authority;
when the first desktop does not have screenshot authority, either prohibiting the terminal from executing the operation corresponding to the first process, or generating a screenshot image that carries traceable watermark information.
8. A process management apparatus, comprising:
a monitoring unit configured to monitor processes of a terminal and, when a first process is detected, to determine, according to a desktop identifier carried by the first process, a first desktop corresponding to the first process among a plurality of desktops contained in the terminal, wherein the plurality of desktops contained in the terminal include a first type desktop and a second type desktop, the system operation authority corresponding to the first type desktop is lower than the system operation authority corresponding to the second type desktop, the system operation authorities corresponding to the respective desktops of the plurality of desktops are the same or different, and the processes corresponding to the respective desktops of the plurality of desktops are isolated based on sandboxes;
a processing unit configured to determine a first policy corresponding to the first desktop using a correspondence between desktops and process handling policies, and to allow or prohibit the terminal from executing the operation corresponding to the first process according to the first policy;
wherein the processing unit is specifically configured to allow the terminal to execute the operation corresponding to the first process when that operation includes an operation by the second type desktop on a file under the file directory corresponding to the first type desktop, and to prohibit the terminal from executing the operation corresponding to the first process when that operation includes an operation by the first type desktop on a file under the file directory corresponding to the second type desktop, wherein the files under the file directories corresponding to the respective desktops of the plurality of desktops are isolated based on sandboxes.
9. A process management apparatus, comprising a processor and a memory for storing a computer program capable of running on the processor;
wherein the processor is configured to perform the steps of the method according to any one of claims 1 to 7 when the computer program is run.
10. A storage medium storing a computer program which, when executed by a processor, performs the steps of the method according to any one of claims 1 to 7.
CN202011186959.0A (CN112269986B, en), priority and filing date 2020-10-29, "Process management method, device and storage medium", status Active.

Priority Applications (1)

Application Number: CN202011186959.0A (CN112269986B, en)
Priority Date: 2020-10-29
Filing Date: 2020-10-29
Title: Process management method, device and storage medium
Publications (2)

CN112269986A (en), published 2021-01-26
CN112269986B (en), published 2025-01-17 (this publication)

Family ID: 74344933

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant