CN-121997312-A - System authority control method, system and storage medium based on name space
Abstract
The invention discloses a namespace-based system authority control method, system and storage medium. The method comprises: obtaining the namespace to which the current process of the system belongs; judging whether that namespace is the root namespace established when the current system was started and, if it is not, refusing the execution of the process; if it is, judging whether the file operated on by the current process is a preset path or file name, refusing the execution of the process if so and otherwise allowing it; and finally starting an abnormality detection mechanism of the system, judging whether the process matches a preset abnormality mode and, if so, executing a rollback operation and recording a log. The method addresses the technical problem that a cloud mobile phone enterprise user who owns a system-level account can modify core parameters of the server operating system at will and thereby affect the other users of the whole server.
Inventors
- XIAO JIANJUN
- HUANG JIAN
- ZHANG CONGBING
- WANG JINQUAN
Assignees
- 广东芯巢科技有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20251231
Claims (10)
- 1. A namespace-based system authority control method, the system being configured with a number of virtual containers, the virtual containers being provided with a number of namespaces, comprising: S1, acquiring the namespace to which a current process of the system belongs; S2, judging whether the namespace is the root namespace established when the current system was started, if so, jumping to S3, otherwise, refusing the execution of the process and jumping to S4; S3, judging whether an object operated on by the current process is a preset path or file name, refusing the execution of the process when the operated object is the preset path or file name, otherwise, allowing the execution of the process; and S4, starting an abnormality detection mechanism of the system, judging whether the process is in a preset abnormality mode, and if so, executing a rollback operation and recording a log.
- 2. The system authority control method according to claim 1, wherein before rejecting execution of the process in S2, further comprising: S21, acquiring an orphan process in the namespace to which the current process belongs, judging whether the orphan process exists, if not, jumping to S3, and if so, refusing the execution of the process.
- 3. The system authority control method according to claim 2, wherein before rejecting the execution of the process in S21, further comprising: S22, obtaining the domain name value of the current virtual container, judging whether the domain name value is a host identity in the local network environment of the system, if not, jumping to S3, and if so, refusing the execution of the process.
- 4. The system authority control method according to claim 3, wherein before rejecting the execution of the process in S22, further comprising: S23, acquiring an operation object of the current process, judging whether the operation object is a device object or a file object actually stored on the device, if not, jumping to S3, and if so, refusing the execution of the process.
- 5. The system authority control method according to claim 4, wherein before rejecting the execution of the process in S23, further comprising: S24, acquiring an operation file name of the current process, judging whether the memory storage required by the operation file name is the preset memory storage space size, if not, jumping to S3, and if so, refusing the execution of the process.
- 6. The system authority control method according to claim 1, wherein after S3 is executed and before S4 is executed, further comprising: determining whether the namespace to which the current process belongs has changed, if so, refusing the execution of the process, and if not, allowing the execution of the process.
- 7. The system authority control method according to claim 6, further comprising recording operation information of the process for system maintenance and information auditing by a system administrator, the operation information including a time stamp, a container ID, a PID and a parameter name.
- 8. The system authority control method according to any one of claims 1 to 7, wherein when the operation of the process is a read, refusing the execution of the process becomes returning a preset virtualized configuration value, and allowing the execution of the process becomes returning the true configuration value of the system.
- 9. A namespace-based system authority control system, comprising: an information acquisition module, used for acquiring the namespace to which the current process of the system belongs; a first judging module, used for judging whether the namespace is the root namespace established when the current system was started, if so, jumping to the second judging module, otherwise, refusing the execution of the process and jumping to the exception handling module; a second judging module, used for judging whether the object operated on by the current process is a preset path or file name, and refusing the execution of the process when the operated object is the preset path or file name, otherwise, allowing the execution of the process; and an exception handling module, used for starting an exception detection mechanism of the system, judging whether the process is in a preset exception mode, and if so, executing a rollback operation and recording a log.
- 10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program of a namespace-based system authority control method, wherein the program implements the namespace-based system authority control method of any one of claims 1 to 7.
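
The decision flow of claim 1 (steps S1 to S3) combined with claims 6 and 8, modeled as an added example; it is not code from the patent. The protected paths, virtualized values, namespace identifiers and the names `decide`, `is_preset`, `Request` and `namespace_id` are assumptions made for illustration.

```python
import os
import posixpath
from dataclasses import dataclass

# Assumed values: the claims say only "preset path or file name" and
# "preset virtualized configuration value".
PRESET_PATHS = ("/proc/sys/kernel", "/proc/sys/vm")
VIRTUAL_VALUES = {"/proc/sys/kernel/hostname": "cloudphone"}


def namespace_id(pid="self", kind="pid"):
    """S1 on Linux: /proc/<pid>/ns/<kind> links to e.g. 'pid:[4026531836]'."""
    return os.readlink(f"/proc/{pid}/ns/{kind}")


@dataclass
class Request:
    ns_at_check: str   # namespace observed at S1
    ns_at_commit: str  # namespace observed again after S3 (claim 6)
    path: str
    op: str            # "read" or "write"


def is_preset(path):
    """Match on the normalized path so 'a/../b' spellings cannot dodge the list."""
    norm = posixpath.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in PRESET_PATHS)


def decide(req, root_ns, real_values):
    """Return (verdict, value) following claim 1 (S2, S3), claim 6 and claim 8."""
    # S2: a process outside the boot-time root namespace is refused.
    refused = req.ns_at_check != root_ns
    # S3: inside the root namespace, preset objects are still refused.
    if not refused:
        refused = is_preset(req.path)
    # Claim 6: a namespace change after S3 turns an allow into a refusal.
    if not refused and req.ns_at_commit != req.ns_at_check:
        refused = True
    if req.op != "read":
        return ("refuse" if refused else "allow", None)
    # Claim 8: a refused read returns the virtualized value,
    # an allowed read returns the real one.
    norm = posixpath.normpath(req.path)
    if refused:
        return ("virtual", VIRTUAL_VALUES.get(norm))
    return ("real", real_values.get(norm))


# Constructed sample: namespace ids and values are made up for illustration.
ROOT_NS, CONTAINER_NS = "pid:[4026531836]", "pid:[4026532501]"
REAL = {"/proc/sys/kernel/hostname": "host01", "/etc/timezone": "UTC"}
```
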
Description
System authority control method, system and storage medium based on name space
Technical Field
The invention relates to the technical fields of virtualization and of computer operating system application and management, and in particular to a namespace-based system authority control method, system and storage medium.
Background
Mobile phones have become indispensable in modern daily life: many everyday tasks, and even a good deal of work, can be done on a phone. With the rapid development of the mobile internet and the maturing of cloud computing and virtualization technologies, demand for cloud mobile phone services has grown rapidly in recent years, driven by personal application requirements (such as running multiple instances of a mobile game and unattended play) and enterprise application requirements (such as mobile application testing and multi-instance operation, digital marketing, social account matrix operation, etc.). A cloud mobile phone service is mainly implemented by using virtualization technology to construct a plurality of virtualized spaces on top of an operating system (generally the open-source Linux system) on a server. Each virtual space corresponds to one cloud mobile phone. Depending on its processing capacity, each server can virtualize tens or even hundreds of cloud mobile phones. These cloud mobile phones are provided to different users, and although the users are isolated from one another at the user layer, they share the same server hardware resources and operating system environment. If any user modifies parameters at the operating system level, this affects not only that user but also all other users on the server; an improperly modified parameter can even bring the server down and force all users' services to stop, with incalculable consequences.
In view of the above problems, common practice in the industry is to strictly control account permissions and not allow users to access or modify operating system parameters. This approach is viable for individual users but clearly not for enterprise users, especially mobile phone application test vendors (which are large customers of cloud mobile phone services). On the one hand, their testing involves many aspects and often requires a system-level account that can modify core system parameters (on Linux, typically root account rights). On the other hand, most of these vendors have technical development capability: even if the cloud mobile phone service provider controls their rights at the application layer through a rights management program or a management program that comes with the system, they can still bypass or even break that program and obtain system-level rights directly.
Disclosure of Invention
The main purpose of the invention is to provide a namespace-based system authority control method, system and storage medium, aiming to solve the technical problem described in the background: a cloud mobile phone enterprise user who owns a system-level account can arbitrarily modify core parameters of the server operating system and thereby affect the whole server.
To achieve the above object, the present invention provides a namespace-based system authority control method, the system being configured with a plurality of virtual containers, the virtual containers being provided with a plurality of namespaces, including: S1, acquiring the namespace to which a current process of the system belongs; S2, judging whether the namespace is the root namespace established when the current system was started, if so, jumping to S3, otherwise, refusing the execution of the process and jumping to S4; S3, judging whether an object operated on by the current process is a preset path or file name, refusing the execution of the process when the operated object is the preset path or file name, otherwise, allowing the execution of the process; and S4, starting an abnormality detection mechanism of the system, judging whether the process is in a preset abnormality mode, and if so, executing a rollback operation and recording a log.
Optionally, before rejecting the execution of the process in S2, the method further includes: S21, acquiring an orphan process in the namespace to which the current process belongs, judging whether the orphan process exists, if not, jumping to S3, and if so, refusing the execution of the process.
Optionally, before rejecting the execution of the process in S21, the method further includes: S22, obtaining the domain name value of the current virtual container, judging whether the domain name value is a host identity in the local network environment of the system, if not, jumping to S3, and if so, refusing the execution of the process.
Optionally, before rejecting the execution of the pro