CN113935014A - Method and device for controlling starting of equipment node, electronic equipment and storage medium - Google Patents
- Publication number
- CN113935014A (CN202111196556.9A)
- Authority
- CN
- China
- Prior art keywords
- application
- set authority
- node
- state
- authority
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Telephonic Communication Services (AREA)
Abstract
The application relates to a method and an apparatus for controlling the opening of a device node, an electronic device and a storage medium. The method comprises: in response to an access request of an application for a device node, creating an open function for the device node; executing the open function, calling a process-identifier obtaining function, and obtaining the PID of the application's process that accesses the device node; generating, based on the PID, a query instruction for the set authority state of the device node, and, in response to the query instruction, calling a set authority service to query the state information of the application's set authority to access the device node; and controlling the opening of the device node in response to the state information. The method and apparatus limit the possibility of unknown code accessing the device node, standardize and restrict the way a device node is opened, and protect the security of user privacy data.
Description
Technical Field
The present disclosure relates to technologies for managing the opening of device nodes in an operating system, and in particular, to a method and an apparatus for controlling the opening of device nodes, an electronic device, and a storage medium.
Background
Some operating systems set no access control for their device nodes. For example, if a developer does not access a device node through the dynamic library or Software Development Kit (SDK) provided by the operating system, but instead calls an open function directly, the device node opens normally and can be accessed. Such operating systems therefore cannot effectively prevent unknown code from accessing their device nodes, and cannot control or manage those nodes. This is a serious security weakness: device nodes such as the camera and microphone of an electronic device can be opened at will, and the user's privacy data can be leaked.
Disclosure of Invention
In view of the above, embodiments of the present application provide a method and an apparatus for controlling the opening of a device node, an electronic device, and a storage medium, so as to at least partially solve the above technical problems in the prior art.
According to a first aspect of an embodiment of the present application, a method for controlling the opening of a device node is provided, including:
in response to an access request of an application for a device node, creating an open function for the device node;
executing the open function, calling a process-identifier obtaining function, and obtaining the PID of the application's process that accesses the device node;
generating, based on the PID, a query instruction for the set authority state of the device node, and, in response to the query instruction, calling a set authority service to query the state information of the application's set authority to access the device node;
and controlling the opening of the device node in response to the state information.
In one embodiment, controlling the opening of the device node in response to the state information comprises:
when the state information is a first state, generating first feedback information and outputting it to the application; receiving the application's indication information for the first feedback information, and performing opening control of the device node in response to the indication information;
when the state information is a second state, opening the device node for the application;
and when the state information is a third state, refusing to open the device node, generating second feedback information, and outputting the second feedback information to the application.
In one embodiment, calling the set authority service to query the state information of the application's set authority to access the device node includes:
the set authority service queries, in its database, the access state of the device node's set authority for the application, and takes the queried access state as the response result of the query instruction;
the database stores in advance the access states of the set authority of more than one device node with respect to more than one application.
In one embodiment, after the opening control of the device node is performed in response to the indication information, the method further includes:
the set authority service modifies, based on the indication information, the access state in the database of the device node's set authority for the application.
In one embodiment, the method further comprises:
in response to a query request for set authority, the set authority service searches its database for all data items about set authority, or for the data items related to the application identification information in the query request, or for the data items related to the device node identification information in the query request, or for the data items related to the process identifier in the query request, and outputs the data items found.
In one embodiment, the method further comprises:
in response to a modification request for a set authority data item, the set authority service modifies the corresponding data item in the database and saves the modified data item.
According to a second aspect of the embodiments of the present application, there is provided an apparatus for controlling the opening of a device node, including:
a creating unit, configured to create an open function for a device node in response to an access request of an application for the device node;
a calling unit, configured to execute the open function, call a process-identifier obtaining function, and obtain the PID of the application's process that accesses the device node;
a generating unit, configured to generate a query instruction for the set permission state of the device node based on the PID;
a first query unit, configured to call, in response to the query instruction, a set authority service to query the state information of the application's set authority to access the device node;
and a control unit, configured to control the opening of the device node in response to the state information.
In one embodiment, the control unit is further configured to:
when the state information is a first state, generate first feedback information and output it to the application; receive the application's indication information for the first feedback information, and perform opening control of the device node in response to the indication information;
when the state information is a second state, open the device node for the application;
and when the state information is a third state, refuse to open the device node, generate second feedback information, and output the second feedback information to the application.
In one embodiment, the first query unit is further configured to:
trigger the set authority service to query, in its database, the access state of the device node's set authority for the application, and take the queried access state as the response result of the query instruction;
the database stores in advance the access states of the set authority of more than one device node with respect to more than one application.
In one embodiment, the apparatus further comprises:
a first modification unit, configured to trigger the set authority service, after the control unit has performed opening control of the device node, to modify the access state in the database of the device node's set authority for the application based on the indication information.
In one embodiment, the apparatus further comprises:
a second query unit, configured to trigger the set authority service, in response to a query request for set authority, to search its database for all data items about set authority, or for the data items related to the application identification information in the query request, or for the data items related to the device node identification information in the query request, or for the data items related to the process identifier in the query request, and to output the data items found.
In one embodiment, the apparatus further comprises:
a second modification unit, configured to trigger the set authority service, in response to a modification request for a set authority data item, to modify the corresponding data item in the database and store the modified data item.
According to a third aspect of the embodiments of the present application, there is provided an electronic device, including a processor, a memory, and an executable program stored in the memory and executable by the processor, where the processor, when running the executable program, performs the steps of the method for controlling the opening of a device node.
According to a fourth aspect of embodiments of the present application, there is provided a storage medium on which an executable program is stored, the executable program, when executed by a processor, implementing the steps of the method for controlling the opening of a device node.
In the embodiment of the application, whenever an open function created for an application is executed, the PID of the corresponding application's process must be obtained, the access state of the device node for the current process is looked up through the set permission service, and the opening of the device node is controlled according to that access state. By managing the opening of device nodes, the embodiment limits the possibility of unknown code accessing a device node and at the same time fundamentally standardizes and restricts the way a device node is opened, which greatly improves the security and robustness of the device node and protects the user's privacy data.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
Fig. 1 is a schematic flowchart of a method for controlling the opening of a device node according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an architecture for the opening control of a device node according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for controlling the opening of a device node according to an embodiment of the present application;
Fig. 4 is a block diagram of an architecture of permission settings in an operating system according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an apparatus for controlling the opening of a device node according to an embodiment of the present application;
Fig. 6 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The essence of the technical solution of the embodiments of the present application is explained in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a method for controlling the opening of a device node according to an embodiment of the present application. As shown in Fig. 1, the method includes the following processing steps:
The technical solution of the embodiment of the present application may be applied to a Linux system, and those skilled in the art should understand that the technical solution of the embodiment of the present application is applicable to all other operating systems without device node access management.
In embodiments of the present invention, the Linux system, also known as the GNU/Linux operating system, includes, but is not limited to, various releases of Ubuntu, Redhat, Debian, and the like.
When an application needs to access a device node, such as a microphone or a camera, the application generates an access request for that device node: a corresponding access process of the application is created, and the access request for the device node is sent to the device service. An open function, such as the open() function, is triggered at the kernel layer of an operating system such as Linux in preparation for opening the corresponding device node. As an example, the open() function includes the do_sys_open() function and the like.
Step 102: executing the open function, calling a process-identifier obtaining function, and obtaining the PID of the application's process that accesses the device node.
When an open function is created, the open function, such as the open() function, is executed to call the corresponding device node. In the embodiment of the present application, however, when the kernel layer of the operating system triggers the open() function interface in preparation for opening the device node, a plug-in for permission queries is additionally invoked. That is, a permission service program that stores the access state of device permissions is created in the operating system, such as a Linux system; through this service, the access state of the set authority for the device node to be accessed is obtained, and whether the corresponding application is permitted to continue opening the device node is determined from that access state.
To obtain the access state of the application's set authority for the device node to be accessed, a permission-check plug-in interface is added at the point where the kernel's do_sys_open() function accesses the device node. The identification information of the caller, that is, of the application's process, is obtained through a process-identifier obtaining function such as sys_getpid(), so that the permission plug-in interface can look up the corresponding access state in its database based on that identification information and determine whether the process, or the corresponding application, has permission to access the device node.
In the embodiment of the application, after the PID of the process corresponding to the application is obtained through the process-identifier obtaining function, a query instruction for the set permission state of the device node to be accessed is generated according to the identification information of that device node, so that the set permission service can check in its database whether the accessing application has permission to access the device node. In the embodiment of the application, the set permission refers specifically to a sensitive permission; correspondingly, the set permission service is a sensitive permission service program.
In the embodiment of the application, the set permission service queries, in its database, the access state of the device node's set permission for the application, and takes the queried access state as the response result of the query instruction. The database stores in advance the access states of the set permission of more than one device node with respect to more than one application. Specifically, when the operating system is loaded, the sensitive permission service and its database are created, and the access state of the sensitive permission of each device node is set to a default value in the database. The default value means that, for a device node whose sensitive permission is at the default value, every application needs user authorization on its first access: the device node can be opened only with the user's authorization; otherwise the application's request to open the device node is refused.
Step 104: controlling the opening of the device node in response to the state information.
Specifically, when the state information is the first state, first feedback information is generated and output to the application; the application's indication information for the first feedback information is received, and opening control of the device node is performed in response to it. The first state is the state in which the sensitive permission is at the default value described above. In this state the application is accessing the device node for the first time, and the sensitive permission service must return the first feedback information to the application accessing the device node. If the user authorizes the application to access the device node, the device node is opened for that application; otherwise, information refusing access to the device node is output to the application.
After the user allows the application to access the device node, the set permission service modifies, based on the indication information, the access state in the database of the device node's set permission for the application. That is, the sensitive permission service changes the sensitive permission access state of the device node the user has allowed from the default value to allow access, and when the application later opens and calls the device node, the sensitive permission service allows it. If the user does not allow the application to access the device node, the sensitive permission access state of the device node is changed from the default value to deny access, and when the application later opens and calls the device node, the sensitive permission service returns a prompt to the application that the opening is refused. The user can still grant access authorization to the application at this point so that it can access the device node; once authorization is obtained, the deny-access state is changed to allow access.
When the state information is the second state, the device node is opened for the application. The second state is the state in which the sensitive permission of the device node is allow access: the application has previously been allowed by the user to access the device node, and the sensitive permission service has set the device node's sensitive permission for the application to the allow state in the database.
When the state information is the third state, the opening of the device node is refused, second feedback information is generated, and the second feedback information is output to the application. The third state is the state in which the sensitive permission of the device node is deny access: the application has not previously been allowed by the user to access the device node, and the sensitive permission service has set the device node's sensitive permission for the application to the deny-access state in the database.
In the embodiment of the present application, on the basis of the foregoing processing steps, the method may further include: in response to a query request for set authority, the set authority service searches its database for all data items about set authority, or for the data items related to the application identification information in the query request, or for the data items related to the device node identification information in the query request, or for the data items related to the process identifier in the query request, and outputs the data items found. That is, the embodiment of the present application also supports query requests for set permissions. By default a query request returns all sensitive permission information, including both the sensitive permission information of device nodes and that of applications. A query request may also ask for the state information of an application's sensitive permission for a device node, for the state information of a process's sensitive permission for a device node (based on the process identifier (Process ID, PID)), or for the state information of the sensitive permission of a device node with respect to applications. The embodiment of the application supports querying the set permission information and its access state at any time, and supports a wide range of query modes.
In the embodiment of the present application, on the basis of the foregoing processing steps, the method may further include: in response to a modification request for a set authority data item, the set authority service modifies the corresponding data item in the database and saves the modified data item. After the access state of an application's sensitive permission for a device node, or of a device node's sensitive permission for an application or its process, has been queried, the user can modify that access state at any time according to the scenario, and the modified access state is recorded by the sensitive permission service in its database. Modification includes changing the value of an existing access state, such as changing it from the default state to allow or deny access, and also includes adding or deleting an access state of the sensitive permission.
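The following C program is an added example, not code from the patent: it models the three-state decision of step 104 together with the query and modification requests described above, without touching the kernel or opening any device. The application names, PIDs, the PID-to-application table and the fail-closed handling of an unmapped PID are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* First, second and third state of the set (sensitive) authority. */
enum perm_state { PERM_DEFAULT = 1, PERM_ALLOW = 2, PERM_DENY = 3 };
enum gate_result { GATE_OPEN = 0, GATE_REFUSED = 1 };

struct perm_entry { char app[32]; char node[32]; enum perm_state state; };
#define MAX_ENTRIES 16
struct perm_db { struct perm_entry e[MAX_ENTRIES]; int n; };

/* Constructed PID-to-application table. Assumption: the page does not say
 * how the service derives the application from the PID. */
struct proc_map { int pid; const char *app; };

/* Stand-in for the user dialog: returns nonzero when the user allows. */
typedef int (*ask_user_fn)(const char *app, const char *node);
int prompts;  /* how many times the user was asked */
int user_allows(const char *a, const char *n)  { (void)a; (void)n; prompts++; return 1; }
int user_refuses(const char *a, const char *n) { (void)a; (void)n; prompts++; return 0; }

const char *resolve_app(const struct proc_map *m, int n, int pid)
{
    for (int i = 0; i < n; i++)
        if (m[i].pid == pid) return m[i].app;
    return NULL;
}

/* Find the entry for (app, node). A pair seen for the first time is stored
 * in the default state, so its first access needs user authorization. */
struct perm_entry *perm_lookup(struct perm_db *db, const char *app, const char *node)
{
    for (int i = 0; i < db->n; i++)
        if (!strcmp(db->e[i].app, app) && !strcmp(db->e[i].node, node))
            return &db->e[i];
    if (db->n == MAX_ENTRIES || strlen(app) >= sizeof db->e[0].app ||
        strlen(node) >= sizeof db->e[0].node)
        return NULL;  /* no room or name too long: the caller refuses */
    struct perm_entry *p = &db->e[db->n++];
    strcpy(p->app, app);
    strcpy(p->node, node);
    p->state = PERM_DEFAULT;
    return p;
}

/* Decision taken when an open of `node` by process `pid` is intercepted. */
enum gate_result gate_open(struct perm_db *db, const struct proc_map *m, int nm,
                           int pid, const char *node, ask_user_fn ask)
{
    const char *app = resolve_app(m, nm, pid);
    struct perm_entry *p = app ? perm_lookup(db, app, node) : NULL;
    if (!p)
        return GATE_REFUSED;               /* unmapped PID fails closed (assumption) */
    switch (p->state) {
    case PERM_ALLOW: return GATE_OPEN;     /* second state */
    case PERM_DENY:  return GATE_REFUSED;  /* third state */
    default:                               /* first state: ask, then record the answer */
        p->state = ask(app, node) ? PERM_ALLOW : PERM_DENY;
        return p->state == PERM_ALLOW ? GATE_OPEN : GATE_REFUSED;
    }
}

/* Modification request: set the stored state for (app, node). */
int perm_modify(struct perm_db *db, const char *app, const char *node, enum perm_state s)
{
    struct perm_entry *p = perm_lookup(db, app, node);
    if (!p) return -1;
    p->state = s;
    return 0;
}

/* Query request: a NULL app or node matches everything. Returns the number
 * of matching entries and copies at most `max` of them into `out`. */
int perm_query(const struct perm_db *db, const char *app, const char *node,
               struct perm_entry *out, int max)
{
    int hits = 0;
    for (int i = 0; i < db->n; i++) {
        if (app && strcmp(db->e[i].app, app)) continue;
        if (node && strcmp(db->e[i].node, node)) continue;
        if (hits < max)
            out[hits] = db->e[i];
        hits++;
    }
    return hits;
}

int main(void)
{
    struct perm_db db = { .n = 0 };
    const struct proc_map procs[] = { { 4101, "recorder" }, { 4102, "notes" } };
    printf("first access: %d\n", gate_open(&db, procs, 2, 4101, "/dev/video0", user_allows));
    printf("repeat access: %d\n", gate_open(&db, procs, 2, 4101, "/dev/video0", user_refuses));
    printf("unmapped PID: %d\n", gate_open(&db, procs, 2, 9999, "/dev/video0", user_allows));
    return 0;
}
```

The user is prompted only in the default state; a stored allow or deny answers later opens without a prompt until a modification request changes the entry.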
The technical solutions of the embodiments of the present application are further described in detail below with reference to specific examples. Here, taking the operating system as a Linux system as an example, other operating systems are also applicable to the technical solution of the embodiment of the present application.
In the embodiment of the application, a service program (the permission setting service) of the sensitive permission is created in the Linux system to store information for dynamically adjusting the sensitive permission of the application. In the embodiment of the application, the access state of the sensitive authority of the equipment node is mainly set and managed. Besides the sensitive permission, the Linux system also comprises a common permission, a signature permission, a system signature permission and the like. Wherein:
the normal authority (normal permission) is also called as normal authority, and even if the normal authority is possessed, the risk that the private data of the user is revealed and tampered is high. For example, the right to set the time zone is the normal right. If the application declares that it needs normal permissions, the system automatically grants the permissions to the application.
The sensitive permission (dangerous permission) is also called a dangerous permission, the permission access state of the application is opposite to that of the normal permission during running, and once a certain application acquires the permission, the private data of a user is exposed and tampered. For example, the READ _ CONTACTS right belongs to the dangerous right. If an application declares that it requires dangerous rights, the user must explicitly grant the rights to the application.
Signature authority (signature permission): the authority is only opened for applications with the same signature, for example, a permission (permission) is customized for the mobile phone QQ, and an android is added to the authority label, and when certain data of the authority is accessed, the authority must be possessed. Then the WeChat and the QQ adopt the same signature when releasing, the WeChat can apply for accessing the authority in the QQ and use the data controlled by the corresponding authority. Even if other programs know the interface of the open data, the other programs register the authority in the Manifest, but the other programs cannot access the corresponding data because of different application signatures.
System signature authority (signatureor system permission): similar to signature permission, the signature is required to be the same, and the system level application of the same type is also required, and the permission can be used in a prefabricated scene developed by a general mobile phone manufacturer.
In the embodiment of the present application, the Linux device node means: in Linux, all devices are stored in a file form in a/dev directory, device nodes are accessed in a file form, a device node is an abstraction of Linux kernel to a device, and one device node is a file. The application executes the access device through a standardized set of calls that are independent of any particular driver. And the driver is responsible for mapping these standard calls to the specific operations of the actual hardware. The file nodes under the/dev directory are called special equipment nodes. Nodes are portals through which the purpose of operating (reading, writing, etc.) a device is achieved, and the corresponding portals are to be uniformly set at/dev because the Linux system provides a corresponding virtual file system, which can operate various devices using consistent function interfaces (open (), read (), write (), close () … …, etc.), which can greatly reduce the complexity of applications accessing Linux peripherals.
The embodiment of the application aims at the situation that when the dynamic library or the SDK interface is not used for accessing the equipment node, the authority management function of the equipment node can be bypassed, so that private data of the equipment node cannot be correspondingly protected, and calling conflict of application in an operating system to the equipment node can be caused in serious situations. According to the technical scheme of the embodiment of the application, the unknown code can be limited from accessing the equipment node by controlling the starting of the management equipment node, and meanwhile, the way of starting the equipment node is fundamentally specified and limited, so that the safety and the robustness of the Linux system are greatly improved.
Fig. 2 is a schematic diagram of an architecture for controlling the opening of a device node according to an embodiment of the present application. As shown in Fig. 2, when an application (App) in the operating system accesses a Linux device node, the access state of the sensitive permission for that node is managed and controlled. When the App calls the Linux device node, it therefore needs to obtain, through the device service, the access state of the sensitive permission for the node to be called. Specifically, the device service sends a query request to the sensitive permission service; the sensitive permission service queries its own database, obtains the access state of the current application's sensitive permission for the Linux device node to be accessed, and access is managed according to that state.
A sensitive permission service program is created in the Linux system and a corresponding database is set up for the sensitive permission service. The database stores the dynamically adjusted access state of each application's sensitive permissions, so that an application's access to a device node is controlled according to that state. Moreover, an application can access a device node only through the access mode provided by the embodiments of the present application, and an unknown application can access a device node only after obtaining the user's authorization, which avoids the possibility of other code directly calling the device node.
In the inquiry state, a system dialog box can be popped up in which the user chooses whether the application is allowed to access the device node. After the user makes the choice, the selected access state of the sensitive permission is stored in the database of the sensitive permission service program.
Fig. 3 is a flowchart of a method for controlling the opening of a device node according to an embodiment of the present application. As shown in Fig. 3, the permission control method of the embodiment includes:
when the Linux system starts, the sensitive permission service program runs and generates a database that stores the correspondence between application package names and sensitive permission information.
When an App accesses a device node that carries a sensitive permission, for example when an application requests to use a system device node such as the camera or the microphone, it calls a public library interface or system service interface, and the public library or system service requests to open the Linux device node through the open function. The open function interface leads into the Linux kernel function do_sys_open(). When do_sys_open() executes, it obtains the PID of the caller, that is, of the application's process, by calling the Linux kernel system function sys_getpid(), and generates a query instruction from the obtained PID and the identification information of the device node. The query instruction is sent to the sensitive permission service program, which obtains the process name from the PID and uses the process name and the sensitive permission information to look up, in the database of the sensitive permission service, the access state of the sensitive permission for the corresponding device node. The query result is returned to the application corresponding to the process, and the Linux kernel controls whether the device node is allowed to be opened according to the result returned by the sensitive permission service.
When a Linux device node is opened, the sensitive permission service program is accessed to query the access state of the application's sensitive permission. That is, when the App needs to access a device node with a sensitive permission, the Linux device service obtains the PID of the current App's process.
The sensitive permission service program can look up information such as the application package name from the PID and, based on that information, query the access state of the application's sensitive permission for the device node. In the embodiments of the present application, the access state of a sensitive permission includes at least three states: default state, deny state, allow state.
When the sensitive permission query finds that the application's access permission for the device node is in the default state, a system pop-up box is displayed asking the user whether to allow or deny access to the function of the Linux device node, and the following flow proceeds according to whether the user chose to allow or deny access.
When the sensitive permission query finds that the application's access permission for the device node is in the deny state, information indicating that access to the device node is denied is returned, and opening the function of the Linux device node is prohibited.
When the sensitive permission query finds that the application's access permission for the device node is in the allow state, the function of the Linux device node is opened normally.
In the preceding step, after the user selects the sensitive permission state in the system pop-up box, the device node is opened or its opening is refused accordingly. The sensitive permission service program then stores in the database the access state selected for the device node, together with information such as the application package name, so that the sensitive permission for the device node is managed according to the selected state the next time the application accesses it.
Fig. 4 is a schematic diagram of an architecture for permission setting in an operating system according to an embodiment of the present application. As shown in Fig. 4, the embodiment also supports querying and modifying the sensitive permission access state: through the system settings function in the App, the access state of an application's sensitive permission for a device node can be queried in the database (which may also be referred to as an encrypted database) through the sensitive permission service. That is, the embodiment may provide the App with interfaces to query all sensitive permission information, to query the sensitive permission information of a given application package or of a given PID, to set or delete the sensitive permission information of a given application package, to create sensitive permission information and store it in the database, and so on. The data stored in the database for a sensitive permission access state includes information such as the application package name, the binary executable file name, the sensitive permission name and the sensitive permission state. In the embodiment of the application, the application process name is queried according to the PID, the application package name information is queried according to the process name, and the sensitive permission state specifically includes:
Those skilled in the art should understand that the foregoing access states of the sensitive permission are merely exemplary and are not intended to limit the access states of the sensitive permission; other state settings are also supported.
In the embodiments of the present application, the system settings function in the App can call the sensitive permission service interface to query an application's sensitive permission information and to modify the sensitive permission information in the database.
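The decision flow of Fig. 3 (default, deny and allow states, with the user's choice stored for the next access) and the settings-side modification of Fig. 4, modelled in user space as an added example; this is not code from the patent. The table layout, the constructed PID table, and the names gate_open, perm_query and perm_set are assumptions, as is refusing a caller whose PID cannot be resolved.

```c
/* Added example: user-space model of the tri-state open gate.
 * Every identifier is hypothetical; none comes from the patent. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum perm_state { PERM_DEFAULT, PERM_ALLOW, PERM_DENY };

struct perm_entry {
    char package[64];      /* application package name */
    char node[64];         /* device node path, e.g. /dev/video0 */
    enum perm_state state; /* stored access state */
};

#define MAX_ENTRIES 32
static struct perm_entry perm_db[MAX_ENTRIES]; /* stands in for the service database */
static int perm_count;

/* Constructed PID -> package table, standing in for the service's
 * PID -> process name -> package name lookup. */
static const struct { int pid; const char *package; } proc_table[] = {
    { 1201, "com.example.camera" },
    { 1202, "com.example.notes" },
};

static const char *package_for_pid(int pid)
{
    for (size_t i = 0; i < sizeof proc_table / sizeof proc_table[0]; i++)
        if (proc_table[i].pid == pid)
            return proc_table[i].package;
    return NULL;
}

static struct perm_entry *perm_find(const char *pkg, const char *node)
{
    for (int i = 0; i < perm_count; i++)
        if (!strcmp(perm_db[i].package, pkg) && !strcmp(perm_db[i].node, node))
            return &perm_db[i];
    return NULL;
}

/* Query interface: a pair with no record is in the default state. */
enum perm_state perm_query(const char *pkg, const char *node)
{
    struct perm_entry *e = perm_find(pkg, node);
    return e ? e->state : PERM_DEFAULT;
}

/* Set/modify interface, used by the prompt path and by system settings. */
int perm_set(const char *pkg, const char *node, enum perm_state st)
{
    struct perm_entry *e = perm_find(pkg, node);
    if (!e) {
        if (perm_count == MAX_ENTRIES || strlen(pkg) >= sizeof e->package ||
            strlen(node) >= sizeof e->node)
            return -EINVAL; /* table full or name too long */
        e = &perm_db[perm_count++];
        strcpy(e->package, pkg);
        strcpy(e->node, node);
    }
    e->state = st;
    return 0;
}

/* Prompt callback (the system dialog): nonzero means the user allows access. */
typedef int (*prompt_fn)(const char *pkg, const char *node);
static int prompt_calls;
int prompt_allow(const char *pkg, const char *node)
{ (void)pkg; (void)node; prompt_calls++; return 1; }
int prompt_deny(const char *pkg, const char *node)
{ (void)pkg; (void)node; prompt_calls++; return 0; }

/* Gate on the open path: 0 opens the node, -EACCES refuses it. */
int gate_open(int pid, const char *node, prompt_fn prompt)
{
    const char *pkg = package_for_pid(pid);
    if (!pkg)
        return -EACCES; /* assumption: an unresolvable caller fails closed */

    enum perm_state st = perm_query(pkg, node);
    if (st == PERM_DEFAULT) {
        if (!prompt)
            return -EACCES; /* assumption: no way to ask means refuse */
        st = prompt(pkg, node) ? PERM_ALLOW : PERM_DENY;
        if (perm_set(pkg, node, st) != 0)
            return -EACCES; /* assumption: an unstorable decision is refused */
    }
    return st == PERM_ALLOW ? 0 : -EACCES;
}

int main(void)
{
    printf("first open, user allows: %d\n", gate_open(1201, "/dev/video0", prompt_allow));
    printf("second open, stored:     %d\n", gate_open(1201, "/dev/video0", prompt_deny));
    printf("other app, user denies:  %d\n", gate_open(1202, "/dev/video0", prompt_deny));
    printf("prompts shown: %d\n", prompt_calls);
    return 0;
}
```

A real gate would also have to keep the PID bound to the same process for the duration of the query, since a PID can be reused once the process exits.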
Fig. 5 is a schematic structural diagram of an apparatus for controlling the opening of a device node according to an embodiment of the present application. As shown in Fig. 5, the apparatus for controlling the opening of a device node according to the embodiment of the present application includes:
a creating unit 50, configured to create a start function for a device node in response to an access request of an application for the device node;
a calling unit 51, configured to execute the start function, call a process identifier obtaining function, and obtain a PID of a process in which the application accesses the device node;
a generating unit 52, configured to generate a query instruction for a set permission state of the device node based on the PID;
a first query unit 53, configured to invoke a permission setting service to query status information of permission settings for the application to access the device node in response to the query instruction;
a control unit 54, configured to control the turning on of the device node in response to the state information.
In one embodiment, the control unit 54 is further configured to:
under the condition that the state information is in a first state, generating first feedback information and outputting the first feedback information to the application; receiving indication information of the application aiming at the first feedback information, and responding to the indication information to execute starting control of the equipment node;
opening the device node for the application under the condition that the state information is in a second state;
and under the condition that the state information is in the third state, the starting of the equipment node is refused, second feedback information is generated, and the second feedback information is output to the application.
In one embodiment, the first querying unit 53 is further configured to:
triggering the set authority service to inquire the access state of the device node to the set authority of the application in a database of the device node, and taking the inquired access state of the set authority as a response result of the inquiry instruction;
the database is pre-stored with access states of more than one device node respectively aiming at setting authority of more than one application.
In an embodiment, on the basis of the device node start control apparatus shown in fig. 5, the device node start control apparatus according to the embodiment of the present application further includes:
a first modifying unit (not shown in fig. 5), configured to trigger the permission setting service to modify, based on the indication information, an access state of the permission setting of the application by the device node in the database after the control unit performs control on the device node.
In an embodiment, on the basis of the device node start control apparatus shown in fig. 5, the device node start control apparatus according to the embodiment of the present application further includes:
and a second query unit (not shown in fig. 5) configured to, in response to a query request for setting authority, trigger the setting authority service to search all data items about setting authority, or data items of setting authority related to application identification information in the query request, or data items of setting authority related to device node identification information in the query request, or data items of setting authority related to process identification in the query request, in a database of the setting authority service, and output the data items.
In an embodiment, on the basis of the device node start control apparatus shown in fig. 5, the device node start control apparatus according to the embodiment of the present application further includes:
and a second modification unit (not shown in fig. 5) configured to, in response to a modification request for a data item with set permissions, trigger the set permission service to modify the corresponding data item with set permissions in the database, and store the modified data item with set permissions.
In an exemplary embodiment, the creating unit 50, the calling unit 51, the generating unit 52, the first query unit 53, the control unit 54, the first modifying unit, the second query unit, the second modifying unit, and the like may be implemented by one or more Central Processing Units (CPUs), Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, microcontrollers (MCUs), microprocessors, or other electronic elements, for performing the steps of the method for controlling the opening of a device node of the foregoing embodiments.
In the embodiment of the present disclosure, the specific manner in which each unit in the start control device of the device node shown in fig. 5 performs operations has been described in detail in the embodiment related to the method, and will not be elaborated here.
Next, an electronic apparatus 11 according to an embodiment of the present application is described with reference to fig. 6.
As shown in fig. 6, the electronic device 11 includes one or more processors 111 and memory 112.
The processor 111 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device 11 to perform desired functions.
Memory 112 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory (cache), and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by the processor 111 to implement the turn-on control method of the device node of the various embodiments of the present application described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, etc. may also be stored in the computer-readable storage medium.
In one example, the electronic device 11 may further include: an input device 113 and an output device 114, which are interconnected by a bus system and/or other form of connection mechanism (not shown in fig. 6).
The input device 113 may include, for example, a keyboard, a mouse, and the like.
The output device 114 may output various information including the determined distance information, direction information, and the like to the outside. The output devices 114 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, among others.
Of course, for the sake of simplicity, only some of the components of the electronic device 11 relevant to the present application are shown in fig. 6, and components such as buses, input/output interfaces, and the like are omitted. In addition, the electronic device 11 may include any other suitable components, depending on the particular application.
The embodiment of the present application further describes a storage medium, on which an executable program is stored, and the executable program is executed by a processor to perform the steps of the method for controlling the opening of the device node according to the foregoing embodiment.
In addition to the above-described methods and apparatus, embodiments of the present application may also be a computer program product comprising computer program instructions that, when executed by a processor, cause the processor to perform the steps in the methods according to the various embodiments of the present application described in the "exemplary methods" section of this specification, above.
The program code of the computer program product for performing the operations of the embodiments of the present application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present application may also be a computer-readable storage medium having stored thereon computer program instructions that, when executed by a processor, cause the processor to perform steps in a method according to various embodiments of the present application described in the "exemplary methods" section above of this specification.
The computer-readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing describes the general principles of the present application in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present application are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present application. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the foregoing disclosure is not intended to be exhaustive or to limit the disclosure to the precise details disclosed.
The block diagrams of devices, apparatuses and systems referred to in this application are given only as illustrative examples and are not intended to require or imply that the connections, arrangements and configurations must be made in the manner shown in the block diagrams. These devices, apparatuses and systems may be connected, arranged and configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The words "or" and "and" as used herein mean, and are used interchangeably with, the term "and/or," unless the context clearly dictates otherwise. The phrase "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
It should also be noted that in the devices, apparatuses, and methods of the present application, the components or steps may be decomposed and/or recombined. These decompositions and/or recombinations are to be considered as equivalents of the present application.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present application. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the application. Thus, the present application is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, the description is not intended to limit embodiments of the application to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.
Claims (14)
1. A method for controlling the opening of a device node is characterized in that the method comprises the following steps:
in response to an access request of an application for a device node, creating a start function for the device node;
executing the starting function, calling a process identification obtaining function, and obtaining identification information PID of the process of the application accessing the equipment node;
generating a query instruction aiming at the set authority state of the equipment node based on the PID, and calling a set authority service to query the state information of the set authority of the application for accessing the equipment node in response to the query instruction;
and responding to the state information, and controlling the starting of the equipment node.
2. The method of claim 1, wherein said controlling the turning on of the device node in response to the status information comprises:
under the condition that the state information is in a first state, generating first feedback information and outputting the first feedback information to the application; receiving indication information of the application aiming at the first feedback information, and responding to the indication information to execute control of starting the equipment node;
starting the equipment node for the application under the condition that the state information is in a second state;
and under the condition that the state information is in the third state, the starting of the equipment node is refused, second feedback information is generated, and the second feedback information is output to the application.
3. The method of claim 2, wherein invoking the set authority service to query state information of set authority of the application to access the device node comprises:
the set authority service inquires the access state of the device node to the set authority of the application in a database of the set authority service, and the inquired access state of the set authority is used as a response result of the inquiry instruction;
the database is pre-stored with access states of more than one device node respectively aiming at setting authority of more than one application.
4. The method of claim 2, wherein after performing the control of the device node being turned on in response to the indication information, the method further comprises:
and the set authority service modifies the access state of the set authority of the device node to the application in the database based on the indication information.
5. The method according to any one of claims 1 to 4, further comprising:
in response to an inquiry request aiming at set authority, the set authority service searches all data items about the set authority in a database of the set authority service, or the data items about the set authority related to application identification information in the inquiry request, or the data items about the set authority related to equipment node identification information in the inquiry request, or the data items about the set authority related to process identification in the inquiry request, and outputs the data items.
6. The method of claim 5, further comprising:
and responding to a modification request aiming at the data item with the set authority, modifying the corresponding data item with the set authority in the database by the set authority service, and saving the modified data item with the set authority.
7. An apparatus for controlling the opening of a device node, the apparatus comprising:
the device comprises a creating unit, a starting unit and a judging unit, wherein the creating unit is used for responding to an access request of an application to a device node and creating a starting function to the device node;
the calling unit is used for executing the starting function, calling a process identification obtaining function and obtaining the PID of the process of the application accessing the equipment node;
a generating unit, configured to generate a query instruction for a set permission state of the device node based on the PID;
the first query unit is used for responding to the query instruction and calling a set authority service to query the state information of the set authority of the application for accessing the equipment node;
and the control unit is used for responding to the state information and controlling the starting of the equipment node.
8. The apparatus of claim 7, wherein the control unit is further configured to:
under the condition that the state information is in a first state, generating first feedback information and outputting the first feedback information to the application; receiving indication information of the application aiming at the first feedback information, and responding to the indication information to execute starting control of the equipment node;
opening the device node for the application under the condition that the state information is in a second state;
and under the condition that the state information is in the third state, the starting of the equipment node is refused, second feedback information is generated, and the second feedback information is output to the application.
9. The apparatus of claim 8, wherein the first query unit is further configured to:
triggering the set authority service to inquire the access state of the device node to the set authority of the application in a database of the device node, and taking the inquired access state of the set authority as a response result of the inquiry instruction;
the database is pre-stored with access states of more than one device node respectively aiming at setting authority of more than one application.
10. The apparatus of claim 8, further comprising:
and the first modification unit is used for triggering the set authority service to modify the access state of the set authority of the equipment node to the application in the database based on the indication information after the control unit executes the control on the equipment node.
11. The apparatus of any one of claims 7 to 10, further comprising:
and the second query unit is used for responding to a query request aiming at the set authority, triggering the set authority service to search all data items related to the set authority in a database of the set authority service, or the data items related to the set authority related to the application identification information in the query request, or the data items related to the set authority related to the equipment node identification information in the query request, or the data items related to the set authority related to the process identification in the query request, and outputting the data items.
12. The apparatus of claim 11, further comprising:
and the second modification unit is used for responding to a modification request aiming at the data item with the set authority, triggering the set authority service to modify the corresponding data item with the set authority in the database, and storing the modified data item with the set authority.
13. An electronic device comprising a processor, a memory and an executable program stored on the memory and executable by the processor, the processor executing the executable program to perform the steps of the method of turn-on control of a device node according to any of claims 1 to 6.
14. A storage medium on which is stored an executable program which, when executed by a processor, carries out the steps of the method of turn-on control of a device node according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111196556.9A CN113935014A (en) | 2021-10-14 | 2021-10-14 | Method and device for controlling starting of equipment node, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113935014A true CN113935014A (en) | 2022-01-14 |
Family
ID=79279362
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111196556.9A Pending CN113935014A (en) | 2021-10-14 | 2021-10-14 | Method and device for controlling starting of equipment node, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113935014A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118133266A (en) * | 2024-05-10 | 2024-06-04 | 中移(杭州)信息技术有限公司 | Authority control method, device, equipment, medium and product based on function level |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160063017A1 (en) * | 2014-08-26 | 2016-03-03 | International Business Machines Corporation | Access control for unprotected data storage system endpoints |
CN107944258A (en) * | 2017-11-21 | 2018-04-20 | 广东欧珀移动通信有限公司 | Start control method, device, storage medium and the terminal of application with method of service |
CN111523136A (en) * | 2020-07-06 | 2020-08-11 | 腾讯科技(深圳)有限公司 | Authority management method, device and equipment of application program and storage medium |
WO2021022433A1 (en) * | 2019-08-05 | 2021-02-11 | 宇龙计算机通信科技(深圳)有限公司 | Application monitoring method and apparatus, and storage medium and electronic device |
CN112765663A (en) * | 2021-01-25 | 2021-05-07 | 北京北信源信息安全技术有限公司 | File access control method, device, equipment, server and storage medium |
-
2021
- 2021-10-14 CN CN202111196556.9A patent/CN113935014A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160063017A1 (en) * | 2014-08-26 | 2016-03-03 | International Business Machines Corporation | Access control for unprotected data storage system endpoints |
CN107944258A (en) * | 2017-11-21 | 2018-04-20 | 广东欧珀移动通信有限公司 | Start control method, device, storage medium and the terminal of application with method of service |
WO2021022433A1 (en) * | 2019-08-05 | 2021-02-11 | 宇龙计算机通信科技(深圳)有限公司 | Application monitoring method and apparatus, and storage medium and electronic device |
CN111523136A (en) * | 2020-07-06 | 2020-08-11 | 腾讯科技(深圳)有限公司 | Authority management method, device and equipment of application program and storage medium |
CN112765663A (en) * | 2021-01-25 | 2021-05-07 | 北京北信源信息安全技术有限公司 | File access control method, device, equipment, server and storage medium |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118133266A (en) * | 2024-05-10 | 2024-06-04 | 中移(杭州)信息技术有限公司 | Authority control method, device, equipment, medium and product based on function level |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2023060957A1 (en) | Operating system permission control method and apparatus, electronic device, and storage medium |
US20180307860A1 (en) | Managing configurations of computing terminals | |
US9465955B1 (en) | System for and methods of controlling user access to applications and/or programs of a computer | |
US5572711A (en) | Mechanism for linking together the files of emulated and host system for access by emulated system users | |
KR101384085B1 (en) | Secure browser-based applications | |
US8689344B2 (en) | System and method of integrating modules for execution on a computing device and controlling during runtime an ability of a first module to access a service provided by a second module | |
US7647629B2 (en) | Hosted code runtime protection | |
WO2009148647A2 (en) | Centralized enforcement of name-based computer system security rules | |
KR20020036696A (en) | Method to use secure passwords in an unsecure program environment | |
KR20180019057A (en) | Methods and apparatus for protecting domains of a device from unauthorised accesses | |
CN115185534A (en) | Data desensitization method and device, readable storage medium and electronic equipment | |
US7596694B1 (en) | System and method for safely executing downloaded code on a computer system | |
CN113268450A (en) | File access method and device, electronic equipment and storage medium | |
CN115185643A (en) | Access control method and device, computer readable storage medium and electronic equipment | |
US8732811B2 (en) | Systems and methods for implementing security services | |
CN113935014A (en) | Method and device for controlling starting of equipment node, electronic equipment and storage medium | |
KR101321479B1 (en) | Method and Apparatus for preventing illegal copy of application software using access control of process | |
US7444624B2 (en) | Method for the secure interpretation of programs in electronic devices | |
JP2012033189A (en) | Integrated access authorization | |
US5742826A (en) | Object encapsulation protection apparatus | |
KR20060050768A (en) | Access authorization api | |
KR101207434B1 (en) | System and Method for Preventing Collision Between Different Digital Documents Protection System | |
US20120254968A1 (en) | Systems and methods for implementing security services | |
US8959616B2 (en) | System and method for accessing a restricted object | |
WO2019237864A1 (en) | Security user architecture and authority control method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right | Effective date of registration: 20220331 Address after: 100041 B-0035, 2 floor, 3 building, 30 Shixing street, Shijingshan District, Beijing. Applicant after: BEIJING BYTEDANCE NETWORK TECHNOLOGY Co.,Ltd. Address before: 2005, floor 2, No. 39, West Street, Haidian District, Beijing 100080 Applicant before: Beijing jingling Information System Technology Co.,Ltd. |