Method, apparatus and device for processing permission and medium

By obtaining the process identifier in the kernel space and using the eBPF module to manage the key-value pair set, the problem of incorrect network permission selection caused by user selection is solved, achieving accurate network permission management and reducing the risk of modifying the kernel space and maintenance costs.

CN113886447B · Active · Publication Date: 2026-06-30 · MEIZU TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
MEIZU TECH CO LTD
Filing Date
2021-10-25
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

In existing technologies, users may make incorrect selections when choosing to manage network access permissions after application installation, making it impossible to manage network access permissions for pre-installed applications and resulting in low granularity of network access permission management.

Method used

By obtaining the process identifier in the kernel space, the eBPF module's query interface manages the key-value pair set, determines the process's network access permission value, and sends out a message to allow or deny network access.

Benefits of technology

It achieves precise network access control based on process granularity, reduces the risk and maintenance cost of modifying the kernel space, and improves the accuracy of network access control.

✦ Generated by Eureka AI based on patent content.

Patent Text Reader

Abstract

Embodiments of the present disclosure relate to a permission processing method, apparatus, device and medium, wherein the method comprises: in response to a call request for a preset networking function in a kernel space, obtaining a first process identifier for calling the networking function; calling a query interface of a preset network packet filtering eBPF module to query whether the first process identifier is contained in a preset key-value pair set; if the first process identifier is contained, querying and obtaining a current networking permission value corresponding to the first process identifier in the key-value pair set through the query interface; and if the current networking permission value belongs to a preset first networking permission value, feeding back a networking permission message. In the embodiments of the present disclosure, the networking permission can be managed with process granularity, thereby improving the accuracy of networking permission management.

Description

Technical Field

[0001] This disclosure relates to the field of computer technology, and in particular to a method, apparatus, device and medium for handling permissions.

Background Technology

[0002] With the development of computer technology, applications are becoming increasingly diverse. To ensure system security and prevent applications from maliciously consuming network traffic, it is common practice to manage the network access permissions of applications.

[0003] In related technologies, after the application is installed, the user is asked whether they want the application to access the internet, and then the application is authorized to access the internet based on the user's choice.

[0004] However, determining an application's network permission from a user selection in this way is prone to user misselection, and users cannot manage the network permissions of pre-installed applications at all. The granularity of network permission management is therefore low.

Summary of the Invention

[0005] In order to solve the above-mentioned technical problems, or at least partially solve the above-mentioned technical problems, this disclosure provides a method, apparatus, device and medium for handling permissions.

[0006] In a first aspect, embodiments of this disclosure provide a permission processing method, the method comprising:

[0007] In response to a call request for a pre-defined networking function in the kernel space, the identifier of the first process that calls the networking function is obtained;

[0008] Call the query interface of the preset network packet filtering eBPF module to query whether the preset key-value pair set contains the first process identifier;

[0009] If the first process identifier is included, the current network access permission value corresponding to the first process identifier is obtained by querying the key-value pair set through the query interface;

[0010] If the current network access permission value is a preset first network access permission value, then a network access permission message is sent.

[0011] In one optional implementation, before querying whether the preset set of key-value pairs contains the first process identifier, the following steps are included:

[0012] Obtain the shared application identifier in the system, and all process identifiers corresponding to the shared application identifier;

[0013] Construct a key-value pair corresponding to each process identifier to generate a set of key-value pairs corresponding to all process identifiers, wherein the key and value of the key-value pair are each process identifier and the corresponding first network permission value, respectively;

[0014] The key-value pair set is stored in a preset virtual file system, and a query interface for the key-value pair set is constructed in the eBPF module.

[0015] In one optional implementation, it further includes:

[0016] In response to a network permission closure request carrying a second process identifier, the query interface of the eBPF module is invoked to query whether the preset key-value pair set contains the second process identifier;

[0017] If the second process identifier is included, the first network access permission value in the key-value pair of the second process identifier is modified to the second network access permission value.

[0018] In one optional implementation, obtaining the identifier of the first process that called the networking function includes:

[0019] Obtain the process data structure that called the networking function;

[0020] The first process identifier is obtained based on the process data structure.

[0021] In one optional implementation, obtaining the first process identifier based on the process data structure includes:

[0022] extracting the process name from the process name field of the process data structure to obtain the first process identifier; or,

[0023] extracting the process identification number from the process data structure, and reading the first process identifier corresponding to that process identification number.

[0024] In one optional implementation, it further includes:

[0025] If the current network access permission value does not belong to the first network access permission value, a network access denial message is sent.

[0026] Secondly, embodiments of this disclosure also provide a permission processing device, the device comprising:

[0027] The first acquisition module is used to acquire the identifier of the first process that calls the network function in response to a call request for a preset network function in the kernel space.

[0028] The first query module is used to call the query interface of the preset network packet filtering eBPF module to query whether the preset key-value pair set contains the first process identifier.

[0029] The second query module is used to query the key-value pair set to obtain the current network access permission value corresponding to the first process identifier if the first process identifier is included, through the query interface.

[0030] The first processing module is used to send a network access permission message if the current network access permission value belongs to a preset first network access permission value.

[0031] Thirdly, this disclosure provides a computer-readable storage medium storing instructions that, when executed on a terminal device, cause the terminal device to implement the above-described method.

[0032] Fourthly, this disclosure provides an apparatus comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the method described above.

[0033] Fifthly, this disclosure provides a computer program product comprising a computer program / instruction that, when executed by a processor, implements the method described above.

[0034] The technical solution provided in this disclosure has the following advantages compared with the prior art:

[0035] In this embodiment, in response to a call request to a preset networking function in the kernel space, the first process identifier calling the networking function is obtained; the query interface of a preset network packet filtering eBPF module is called to query whether a preset key-value pair set contains the first process identifier; if the first process identifier is contained, the current networking permission value corresponding to the first process identifier is obtained by querying the key-value pair set through the query interface; if the current networking permission value belongs to the preset first networking permission value, a network access permission message is returned. This embodiment enables network permission management based on processes, thereby improving the accuracy of network permission management. Furthermore, this method uses the eBPF module to act on the kernel space, so the kernel space itself is barely modified, which reduces the risk of subsequent maintenance operations damaging the kernel space as well as the investment required for subsequent maintenance.

Attached Figure Description

[0036] The accompanying drawings, which are incorporated in and form a part of this specification, illustrate embodiments consistent with this disclosure and, together with the description, serve to explain the principles of this disclosure.

[0037] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the accompanying drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, for those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0038] Figure 1 A flowchart illustrating a permission handling method provided for the implementation of this disclosure;

[0039] Figure 2 A schematic diagram illustrating the interaction between user space and kernel space based on an eBPF module provided for this disclosure implementation;

[0040] Figure 3 A flowchart illustrating another permission handling method provided for implementation of this disclosure;

[0041] Figure 4 A flowchart illustrating yet another permission handling method provided for implementation of this disclosure;

[0042] Figure 5 This is a schematic diagram of the structure of a permission processing device provided in an embodiment of the present disclosure;

[0043] Figure 6 This is a schematic diagram of the structure of a terminal device provided in an embodiment of this disclosure.

Detailed Implementation

[0044] To better understand the above-mentioned objectives, features, and advantages of this disclosure, the solutions disclosed herein will be further described below. It should be noted that, unless otherwise specified, the embodiments and features described herein can be combined with each other.

[0045] Numerous specific details are set forth in the following description in order to provide a full understanding of this disclosure, but this disclosure may also be implemented in other ways different from those described herein; obviously, the embodiments in the specification are only some, and not all, of the embodiments of this disclosure.

[0046] Figure 1 is a flowchart illustrating a permission processing method provided in an embodiment of the present disclosure. The method can be executed by a permission processing device, which can be implemented in software and / or hardware, and is generally integrated into an electronic device, such as... As shown in Figure 1, the permission handling method provided in this embodiment includes:

[0047] Step 101: In response to a call request for a pre-defined networking function in the kernel space, obtain the identifier of the first process calling the networking function.

[0048] In actual execution, when a process needs to connect to the network, it calls a network function to establish the corresponding network connection. Therefore, in order to confirm the network permission of the relevant process in a timely manner, the network function that a process calls when requesting a connection is preset. For example, it can be the network control function in system/netd/bpf_progs/netd.c that controls whether a process may connect to the network.

[0049] In this embodiment, in response to a call request to a preset networking function in the kernel space, the first process identifier of the calling networking function is obtained. The first process identifier can be any unique identifier information indicating a process, such as process name, process ID (PID), etc.

[0050] In some possible implementations, logic for obtaining the corresponding first process identifier can be added to the execution logic of the network control function. For example, this logic can be added to the network control function in system/netd/bpf_progs/netd.c.

[0051] Therefore, in this embodiment, the current network access permission is obtained at process granularity. Since an application may contain multiple processes, the network access permission of the corresponding application can be determined accurately from its processes, which provides the technical basis for the following steps.

[0052] It should be noted that in different application scenarios, there may be corresponding ways to obtain the first process identifier of the calling network function. For example, in one embodiment of this disclosure, the process data structure of the calling network function is obtained. Since each process has a unique corresponding process data structure in the kernel space, the process data structure of the calling network function is obtained in the kernel space, and the first process identifier is obtained based on the process data structure.

[0053] There are several methods for obtaining the first process identifier from the process data structure. In one optional implementation, the process name field of the process data structure is extracted to obtain the first process identifier. In this example, the logic added in advance to the network control function and other functions in system/netd/bpf_progs/netd.c is char name[256] = bpf_get_socket_name(skb). Based on this logic, the task_struct of the process that calls the network function is obtained in the eBPF module, and its process name field, comm, is extracted. The comm field is the value referred to as "skb" in the above logic, and the corresponding first process identifier is returned through bpf_get_socket_name.

[0054] In another optional implementation, the process identification number is extracted from the process data structure, and the first process identifier corresponding to it is read. In this example, once the process ID pid is extracted from the task_struct, the corresponding first process identifier is obtained from /proc/pid/status or /proc/pid/cmdline, etc.

[0055] Step 102: Call the query interface of the preset network packet filtering eBPF module to query whether the preset key-value pair set contains the first process identifier.

[0056] As shown in Figure 2, in this embodiment data interaction between kernel space and user space is achieved through the eBPF (extended Berkeley Packet Filter) module. Specifically, the network access control logic is written in a high-level language in user space and compiled to eBPF bytecode there; the bytecode is then loaded into the eBPF module in kernel space, which checks it and translates it into the corresponding machine code, and that machine code is attached to a network function. When a process needs to connect to the network, the kernel calls the network function and thereby executes the access control logic that was written in user space.

[0057] In this embodiment, network access control statistics and management are implemented on the eBPF module because, as shown in Figure 2, its application scenario spans both kernel space and user space: without changing the kernel source code, it supports bidirectional writing and reading of data between kernel space and user space, thereby extending the functionality that can be implemented in kernel space.

[0058] Therefore, in this embodiment, in order to manage network permissions from user space, they are enforced at the process level in kernel space. A set of key-value pairs of process identifiers and current network permission values is pre-established in user space through the standard eBPF map interface. The eBPF module runs the program written in user space in its in-kernel virtual machine, with the key-value pair set held in an eBPF map. The set contains multiple key-value pairs, where the key of each pair is a process identifier and the value is the corresponding network permission value. The program interacts with the kernel through the relevant interfaces and, whenever the network control function is triggered, handles the network request of the corresponding process according to the relevant kernel source code.

[0059] Furthermore, in this embodiment, since a set of key-value pairs containing process identifiers and current network access permissions has already been mapped and stored in the eBPF module, the query interface of the preset network packet filtering eBPF module is called to query whether the preset set of key-value pairs contains the first process identifier. If the first process identifier is contained, the network access requests of the first process are managed based on the logic added in this embodiment to ensure the security of the system.

[0060] For example, if the first process identifier is A, the query interface of the eBPF module, namely the bpf query interface, can be called. Based on the return value of the bpf_shared_uid_permission_map_lookup_elem(A) function, it can be determined whether the first process identifier A belongs to the key-value pair set. For example, if the return value is empty, it can be determined that the first process identifier A does not belong to the key-value pair set.

[0061] Step 103: If the first process identifier is included, the current network access permission value corresponding to the first process identifier is obtained by querying the key-value pair set through the query interface.

[0062] In this embodiment, the key-value pair set records each process identifier and its current network permission value. Therefore, the set can be queried with the first process identifier to determine the current network permission value of the first process. If the first process is requesting network access for the first time, or its application has just been installed, the corresponding current network permission value is the default value, which can be 0, meaning that the application is allowed to access the network.

[0063] If the first process identifier is not included, an error message can be sent to the user indicating that the process identifier does not exist in the key-value pair set, so that network access management can be carried out in other existing ways.

[0064] Continuing with the example of calling the `bpf_shared_uid_permission_map_lookup_elem(A)` function, where A is the first process identifier, the function returns 0 to allow network connections and 1 to deny them. Using the first process identifier as the query condition, the current network permission value corresponding to that first process identifier is retrieved from the key-value pair set, thus determining whether the process can connect to the network.

[0065] Step 104: If the current network access permission value belongs to the preset first network access permission value, then a network access permission message is sent.

[0066] In this embodiment, a preset first network access permission value is used to indicate whether a process is allowed to connect to the network. Therefore, after obtaining the current network access permission value of the first process, this current network access permission value can be compared with the preset first network access permission value. If the current network access permission value belongs to the preset first network access permission value, a network access permission message is returned; if the current network access permission value does not belong to the preset first network access permission value, a network access denial message is returned. The network access permission message and network access denial information can be the return values ​​obtained by calling the query interface of the eBPF module. An example is given below:

[0067] The first network access permission value can be preset to 0. If the current network access permission value obtained through the query interface is 0, it belongs to the first network access permission value and a network access permission message is returned; if the value obtained through the query interface is 1, it does not belong to the first network access permission value and a network access denial message is returned.

[0068] In an alternative implementation, the functionality described in the above steps can be achieved by adding the following logic to the network control function in system/netd/bpf_progs/netd.c:

    DEFINE_BPF_PROG_KVER("cgroupsock/inet/create", AID_ROOT, AID_ROOT, inet_socket_create, KVER(4, 14, 0))
    (struct bpf_sock *sk) {
        uint64_t gid_uid = bpf_get_current_uid_gid();
        // The app ID part of the calling UID is checked at socket-creation time;
        // an app keeps the same app ID in every user profile, so the profile
        // offset is removed before the lookup.
        uint32_t appId = (gid_uid & 0xffffffff) % PER_USER_RANGE;
        uint8_t *permissions = bpf_uid_permission_map_lookup_elem(&appId);
        if (!permissions) {
            // UID not present in the map: the connection is allowed by default.
            return 1;
        }
        // A return value of 1 allows the socket; any other value denies it.
        return (*permissions & BPF_PERMISSION_INTERNET) == BPF_PERMISSION_INTERNET;
    }

[0082] Correspondingly, user space can read the current network access permission value back from the kernel-space map through the same eBPF query interface.

[0083] In summary, the permission processing method of this disclosure, in response to a call request for a preset network function in the kernel space, obtains the first process identifier of the calling network function, calls the query interface of a preset network packet filtering eBPF module, queries whether a preset key-value pair set contains the first process identifier, if the first process identifier is contained, then queries the key-value pair set through the query interface to obtain the current network permission value corresponding to the first process identifier, and if the current network permission value belongs to the preset first network permission value, then a network access permission message is returned. This disclosure embodiment can manage network permissions based on processes, thereby improving the accuracy of network permission management. Furthermore, this method uses the eBPF module to process the kernel space, resulting in minimal modification to the kernel space, reducing the risk of subsequent maintenance operations damaging the kernel space, and also reducing the investment required for subsequent maintenance operations.

[0084] Based on the above embodiments, managing network access permissions at the process level not only makes process-level management possible but also provides the technical basis for managing the network access permission of each application among several applications that share one application identifier. For example, from the mapping of application identifier to process identifiers, all process identifiers of each application sharing the common application identifier can be obtained. Then, from the network access permissions of those process identifiers, the network access permission of each individual application sharing the identifier can be derived, so that a single application can be managed on its own. As shown in Figure 3, specifically, before querying whether the preset key-value pair set contains the first process identifier in the above embodiment, the method further includes:

[0085] Step 301: Obtain the shared application identifier in the system, and all process identifiers corresponding to the shared application identifier.

[0086] The shared application identifier can be a specific UID (user ID) value, such as 1000. Multiple applications can share the same shared application identifier, so a control keyed only on that identifier cannot manage the network access permission of a single application among those sharing it.

[0087] It should be noted that, in order to traverse the shared application identifiers, they are obtained from the system when a preset permission management condition is met. In some possible embodiments, the condition is considered met when the system is detected to be started for the first time. In other possible embodiments, so that shared-UID applications added or updated after first boot are not missed, the condition is also considered met when the installation or uninstallation of an application is detected, and the shared application identifiers in the system are obtained again.

[0088] Step 302: Construct key-value pairs corresponding to each process identifier to generate a set of key-value pairs corresponding to all process identifiers, wherein the key and value of the key-value pairs are each process identifier and the corresponding first network permission value, respectively.

[0089] In this embodiment, all process identifiers corresponding to the shared application identifier are obtained. These process identifiers can be obtained statistically from experimental data or pre-defined. The first network permission value corresponding to each process identifier is obtained. The process identifier is used as the key of the key-value pair, and the corresponding first network permission value is used as the value of the key-value pair. Then, a set of key-value pairs is generated according to each process identifier.

[0090] Step 303: Store the key-value pair set in the preset virtual file system, and build the query interface with the key-value pair set in the eBPF module.

[0091] In this embodiment, to achieve process-level network permission management based on the eBPF module, a set of key-value pairs containing each process identifier and its corresponding first network permission value is written into a preset virtual file system. Using a virtual file system allows for the storage of more key-value pair sets, thereby providing more comprehensive network permission management covering processes.

[0092] For example, when the virtual file system is the bpf file system (bpffs, mounted at /sys/fs/bpf), the storage and persistence path is chosen according to the eBPF convention: SHARED_UID_NET_PERMISSION_PATH: "/sys/fs/bpf/map_netd_shareuid_net_permisison". This path stores the set of key-value pairs that records process identifiers and their corresponding first network permission values. /sys/fs/bpf/ is defined by the eBPF convention, and the standard eBPF interface can be used on it to query the key-value pair set, etc. map_netd_shareuid_net_permisison in the above path is a user-defined name.

[0093] In this embodiment, in the virtual file system of the eBPF module, a custom data structure stores the mapping created in the kernel space for the key-value pair set. Thus, the custom data structure can realize the agreed communication data structure between the kernel space and the user space, realizing the storage of the key-value pair set in the kernel space and its transfer to the user space.

[0094] For example, the name field in the SharedUidPermisisonValue data structure can be used to represent the process identifier, and the value field can be used to represent the corresponding first network access permission value.

[0095] One possible definition of the SharedUidPermisisonValue data structure is:

    typedef struct {
        // process name (package name): the process identifier
        char name[MAX_LEN];
        // permission value: the first network access permission value
        uint32_t value;
    } SharedUidPermisisonValue;

[0102] User space creates the map with the bpf system call, for example syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));

[0103] The map is declared as BpfMap<uint32_t, SharedUidPermisisonValue> mSharedUidPermisisonMap GUARDED_BY(mMutex); and is opened on the pinned path with mSharedUidPermissionMap.init(SHARED_UID_PERMISSION_PATH), which binds it to the set of key-value pairs.

[0104] In practice, in order to accurately obtain the first network access permission value of the corresponding shared application, all process identifiers of the shared application can be written from the upper-level user space to the kernel space.

[0105] Based on the SharedUidPermissionValue data structure mentioned above, the list of application process name identifiers with shared UIDs is queried through the upper-layer Android interface (for system applications with shared UID1000, these process identifiers are known and can be statistically determined), and then written to the key-value pair set through eBPF system calls when the system meets the preset permission management conditions.

[0106] In summary, the permission processing method of this disclosure embodiment realizes communication between user space and kernel space through a virtual file system. The entire process involves minimal modification to the kernel space source code and is non-intrusive to the kernel space, avoiding risks and investments associated with subsequent maintenance. Simultaneously, it also manages the network permissions of each application among multiple applications sharing a common application identifier, thereby improving the accuracy of network permission management.

[0107] Based on the above embodiments, in order to manage the network access permission of a process, the value representing the network access permission in the corresponding key-value pair in the virtual file system can be modified. As shown in Figure 4, this specifically includes:

[0108] Step 401: In response to the network permission closure request carrying the second process identifier, call the query interface of the eBPF module to query whether the preset key-value pair set contains the second process identifier.

[0109] In some application scenarios, it is necessary to change the network access permission of the second process from allowed to denied. Users can disable the network access permission of the second process through a pop-up window, a settings change, etc. This user operation triggers the sending of the corresponding network access permission closure request. In response to the request, the query interface of the eBPF module is called to query whether the preset key-value pair set contains the second process identifier.

[0110] For example, if the second process identifier is B, the query interface of the eBPF module, namely the bpf query interface, is called as bpf_shared_uid_permission_map_lookup_elem(B). The return value of this function determines whether the second process identifier B belongs to the key-value pair set: if the function returns an empty value, the second process identifier B does not belong to the key-value pair set.

[0111] Step 402: If the second process identifier is included, modify the first network access permission value in the key-value pair of the second process identifier to the second network access permission value.

[0112] If the second process identifier is included, the first network access permission value in the key-value pair of the second process identifier is modified to the second network access permission value. The second network access permission value indicates that the process does not have permission to connect to the network. For example, the second network access permission value can be 1; if the value corresponding to the second process identifier in the key-value pair is 0, that value is changed from 0 to 1.

[0113] If the second process identifier is not included, an error message can be sent to the user indicating that the second process identifier does not exist in the key-value pair set, so that network access management can be carried out in other existing ways.

[0114] In summary, the permission processing method of this disclosure provides a method for changing the network access permissions of a process, achieving efficient management of process network access, low-cost network access permission management, and ensuring the accuracy of network access management.
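The following is an added example, not code from the patent or from Meizu, that models in user-space C the key-value set built in [0104]-[0105] and the two ways it is used: the kernel-side check on a networking call (look the first process identifier up, feed back allow or deny) and the closure procedure of Steps 401-402 (look the second process identifier up, change its value from 0 to 1, or report an error if it is absent). In the real design the set is a pinned eBPF map read with bpf_map_lookup_elem() from the kernel hook and updated from user space with bpf_map_update_elem(); here a fixed-size table stands in for the map so the decision logic runs anywhere. All function names, the sample process identification numbers and the table size are assumptions made for the illustration.

```c
/*
 * Added example (not from the patent): user-space model of the per-process
 * network permission set. The real set is a pinned eBPF map; map_lookup()
 * and map_update() below stand in for bpf_map_lookup_elem() and
 * bpf_map_update_elem(). All names and sample values are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PERMISSION_ALLOWED 0u   /* first network access permission value ([0112]) */
#define PERMISSION_DENIED  1u   /* second network access permission value ([0112]) */
#define MAP_MAX_ENTRIES    64   /* assumed capacity of the model table */

/* Value type of the set; the patent's struct carries at least one more field
 * ahead of "value", which the decision logic does not need. */
typedef struct {
    uint32_t value;             /* current network access permission value */
} SharedUidPermissionValue;

enum verdict {
    VERDICT_ALLOW,              /* feed back a network access permission message */
    VERDICT_DENY,               /* feed back a network access denied message */
    VERDICT_NOT_MANAGED         /* identifier not in the set: other mechanisms decide */
};

struct map_entry {
    int used;
    uint32_t key;               /* process identifier (the BpfMap key is uint32_t) */
    SharedUidPermissionValue val;
};

static struct map_entry g_map[MAP_MAX_ENTRIES];

/* Models bpf_map_lookup_elem(): pointer to the stored value, or NULL. */
static SharedUidPermissionValue *map_lookup(uint32_t key)
{
    for (size_t i = 0; i < MAP_MAX_ENTRIES; i++)
        if (g_map[i].used && g_map[i].key == key)
            return &g_map[i].val;
    return NULL;
}

/* Models bpf_map_update_elem() with BPF_ANY: insert or overwrite. */
static int map_update(uint32_t key, const SharedUidPermissionValue *v)
{
    SharedUidPermissionValue *cur = map_lookup(key);
    if (cur) { *cur = *v; return 0; }
    for (size_t i = 0; i < MAP_MAX_ENTRIES; i++) {
        if (!g_map[i].used) {
            g_map[i].used = 1; g_map[i].key = key; g_map[i].val = *v;
            return 0;
        }
    }
    return -1;                  /* table full (the real call fails with E2BIG) */
}

/* [0104]-[0105]: user space writes every process identifier of the shared
 * application into the set, each with the first (allow) permission value.
 * The set is rebuilt from scratch, so repeated calls are idempotent. */
int build_shared_uid_map(const uint32_t *pids, size_t n)
{
    memset(g_map, 0, sizeof g_map);
    for (size_t i = 0; i < n; i++) {
        SharedUidPermissionValue v = { PERMISSION_ALLOWED };
        if (map_update(pids[i], &v) != 0)
            return -1;
    }
    return 0;
}

/* Kernel-side check on a networking call ([0116]-[0119], [0134]): look the
 * first process identifier up and map its current value to a verdict. */
enum verdict check_network_permission(uint32_t pid)
{
    const SharedUidPermissionValue *v = map_lookup(pid);
    if (!v)
        return VERDICT_NOT_MANAGED;
    return v->value == PERMISSION_ALLOWED ? VERDICT_ALLOW : VERDICT_DENY;
}

/* Steps 401-402 ([0108]-[0113]): closure request for the second process
 * identifier. Returns 0 on success, -1 if the identifier is not in the set
 * (the caller then reports an error and falls back to existing management). */
int close_network_permission(uint32_t pid)
{
    SharedUidPermissionValue *v = map_lookup(pid);
    if (!v)
        return -1;
    SharedUidPermissionValue nv = *v;   /* keep other fields, flip only value */
    nv.value = PERMISSION_DENIED;
    return map_update(pid, &nv);
}

/* Constructed sample: three processes assumed to run under shared UID 1000. */
const uint32_t kSamplePids[] = { 1201u, 1202u, 1203u };
const size_t kSamplePidCount = 3;

int main(void)
{
    build_shared_uid_map(kSamplePids, kSamplePidCount);
    printf("pid 1202 before closure: verdict %d\n", check_network_permission(1202u));
    close_network_permission(1202u);
    printf("pid 1202 after closure:  verdict %d\n", check_network_permission(1202u));
    printf("pid 1201 unaffected:     verdict %d\n", check_network_permission(1201u));
    printf("closing unmanaged pid 4000 -> %d\n", close_network_permission(4000u));
    return 0;
}
```

The closure path copies the existing value before changing it so that any additional fields of SharedUidPermissionValue survive the update, which is the same care needed with a real bpf_map_update_elem() call that overwrites the whole value; and a process identifier that is absent from the set is treated as a distinct outcome rather than silently allowed or denied, matching [0113].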

[0115] Figure 5 is a schematic diagram of a permission processing device provided in an embodiment of the present disclosure. This device can be implemented by software and / or hardware, and is generally integrated into a terminal device. As shown in Figure 5, the device 500 includes:

[0116] The first acquisition module 501 is used to acquire the identifier of the first process that calls the network function in response to a call request for a preset network function in the kernel space.

[0117] The first query module 502 is used to call the query interface of the preset network packet filtering eBPF module to query whether the preset key-value pair set contains the first process identifier.

[0118] The second query module 503 is used to query, through the query interface, the key-value pair set to obtain the current network access permission value corresponding to the first process identifier if the first process identifier is included.

[0119] The first processing module 504 is used to send a network access permission message if the current network access permission value belongs to a preset first network access permission value.

[0120] Optionally, the device further includes:

[0121] The second acquisition module is used to acquire the shared application identifier in the system, and all process identifiers corresponding to the shared application identifier;

[0122] The first construction module is used to construct key-value pairs corresponding to each process identifier to generate a set of key-value pairs corresponding to all process identifiers, wherein the key and value of the key-value pairs are each process identifier and the corresponding first network permission value, respectively.

[0123] The second construction module is used to store the key-value pair set in a preset virtual file system and to construct the query interface with the key-value pair set in the eBPF module.

[0124] Optionally, the device further includes:

[0125] The calling module is used to respond to a network permission closure request carrying a second process identifier by calling the query interface of the eBPF module to query whether the preset key-value pair set contains the second process identifier;

[0126] The second processing module is configured to, if the second process identifier is included, modify the first network access permission value in the key-value pair of the second process identifier to the second network access permission value.

[0127] Optionally, the first acquisition module 501 includes:

[0128] The first acquisition unit is used to acquire the process data structure that calls the networking function;

[0129] The second acquisition unit is used to acquire the first process identifier according to the process data structure.

[0130] Optionally, the second acquisition unit is configured to:

[0131] Extract the process name from the process name field of the process data structure to obtain the first process identifier; or,

[0132] Extract the process identification number from the process data structure, and read the first process identifier corresponding to the process identification number from the process data structure.

[0133] Optionally, the device further includes:

[0134] The feedback module is used to send a network access denied message if the current network access permission value does not belong to the first network access permission value.

[0135] The permission processing device provided in this disclosure can execute the permission processing method provided in any embodiment of this disclosure, and has the corresponding functional modules and beneficial effects of the execution method.

[0136] This disclosure also provides a computer program product, including a computer program / instruction that, when executed by a processor, implements the permission handling method provided in any embodiment of this disclosure.

[0137] Figure 6 is a schematic diagram of the structure of a terminal device provided in an embodiment of this disclosure.

[0138] Reference is now made in detail to Figure 6, which illustrates a structural schematic suitable for implementing the terminal device 600 in the embodiments of this disclosure. The terminal device 600 in the embodiments of this disclosure may include, but is not limited to, mobile terminals such as mobile phones, laptops, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and fixed terminals such as digital TVs and desktop computers. The terminal device shown in Figure 6 is merely an example and should not be construed as limiting the functionality and scope of use of the embodiments disclosed herein.

[0139] As shown in Figure 6, the terminal device 600 may include a processing unit (e.g., a central processing unit, a graphics processing unit, etc.) 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage device 608 into a random access memory (RAM) 603. The RAM 603 also stores various programs and data required for the operation of the terminal device 600. The processing unit 601, ROM 602, and RAM 603 are interconnected via a bus 604. An input / output (I / O) interface 605 is also connected to the bus 604.

[0140] Typically, the following devices can be connected to the I / O interface 605: input devices 606 including, for example, touchscreens, touchpads, keyboards, mice, cameras, microphones, accelerometers, gyroscopes, etc.; output devices 607 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 608 including, for example, magnetic tapes, hard disks, etc.; and communication devices 609. The communication device 609 allows the terminal device 600 to communicate wirelessly or by wire with other devices to exchange data. Although Figure 6 shows a terminal device 600 with various devices, it should be understood that it is not required to implement or possess all of the devices shown; more or fewer devices may alternatively be implemented or possessed.

[0141] In particular, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a non-transitory computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device 609, or installed from a storage device 608, or installed from a ROM 602. When the computer program is executed by the processing device 601, it performs the functions defined in the permission processing method of embodiments of this disclosure.

[0142] It should be noted that the computer-readable medium described in this disclosure can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this disclosure, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this disclosure, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wires, optical fibers, RF (radio frequency), etc., or any suitable combination thereof.

[0143] In some implementations, clients and servers can communicate using any currently known or future-developed network protocol such as HTTP (Hypertext Transfer Protocol) and can interconnect with digital data communication (e.g., communication networks) of any form or medium. Examples of communication networks include local area networks (“LANs”), wide area networks (“WANs”), the Internet (e.g., the Internet of Things), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future-developed networks.

[0144] The aforementioned computer-readable medium may be included in the aforementioned terminal device; or it may exist independently and not assembled into the terminal device.

[0145] The aforementioned computer-readable medium carries one or more programs. When these programs are executed by the terminal device, the terminal device: in response to a call request to a preset networking function in the kernel space, obtains the identifier of the first process calling the networking function; calls the query interface of a preset network packet filtering eBPF module to query whether a preset key-value pair set contains the first process identifier; if the first process identifier is contained, it queries the key-value pair set through the query interface to obtain the current networking permission value corresponding to the first process identifier; if the current networking permission value belongs to the preset first networking permission value, it feeds back a network access permission message. In this embodiment of the present disclosure, networking permissions can be managed at the process level, thereby improving the accuracy of networking permission management.

[0146] Computer program code for performing the operations of this disclosure can be written in one or more programming languages or a combination thereof, including but not limited to object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network, including a local area network (LAN) or a wide area network (WAN), or can be connected to an external computer (e.g., via the Internet using an Internet service provider).

[0147] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0148] The units described in the embodiments of this disclosure can be implemented in software or hardware. The names of the units are not, in some cases, intended to limit the specific unit.

[0149] The functions described above in this document can be performed, at least in part, by one or more hardware logic components. For example, exemplary types of hardware logic components that can be used, without limitation, include: Field Programmable Gate Arrays (FPGAs), Application-Specific Integrated Circuits (ASICs), Application-Specific Standard Products (ASSPs), Systems-on-Chip (SoCs), Complex Programmable Logic Devices (CPLDs), and so on.

[0150] In the context of this disclosure, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0151] It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0152] The above description is merely a specific embodiment of this disclosure, enabling those skilled in the art to understand or implement it. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of this disclosure. Therefore, this disclosure is not to be limited to the embodiments described herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A permission handling method, characterized in that it includes the following steps: in response to a call request for a preset networking function in the kernel space, obtaining the identifier of the first process that calls the networking function; calling the query interface of the preset network packet filtering eBPF module to query whether the preset key-value pair set contains the first process identifier; if the first process identifier is included, obtaining the current network access permission value corresponding to the first process identifier by querying the key-value pair set through the query interface; if the current network access permission value is a preset first network access permission value, returning a network access permission message; wherein, before querying whether the preset key-value pair set contains the first process identifier, the method includes: obtaining the shared application identifier in the system and all process identifiers corresponding to the shared application identifier; constructing a key-value pair corresponding to each process identifier to generate a set of key-value pairs corresponding to all process identifiers, wherein the key and value of each key-value pair are the process identifier and the corresponding current network permission value, respectively; and storing the key-value pair set in a preset virtual file system and constructing a query interface for the key-value pair set in the eBPF module.

2. The method as described in claim 1, characterized in that it also includes: in response to a network permission closure request carrying a second process identifier, invoking the query interface of the eBPF module to query whether the preset key-value pair set contains the second process identifier; and, if the second process identifier is included, modifying the first network access permission value in the key-value pair of the second process identifier to the second network access permission value.

3. The method as described in claim 1, characterized in that the step of obtaining the identifier of the first process that called the networking function includes: obtaining the process data structure of the process that called the networking function; and obtaining the first process identifier based on the process data structure.

4. The method as described in claim 3, characterized in that obtaining the first process identifier based on the process data structure includes: extracting the process name from the process name field of the process data structure to obtain the first process identifier; or extracting the process identification number from the process data structure and reading the first process identifier corresponding to the process identification number from the process data structure.

5. The method as described in claim 1, characterized in that it also includes: if the current network access permission value does not belong to the first network access permission value, sending a network access denial message.

6. An access control device, characterized in that it includes: a first acquisition module, used to acquire the identifier of the first process that calls the network function in response to a call request for a preset network function in the kernel space; a first query module, used to call the query interface of the preset network packet filtering eBPF module to query whether the preset key-value pair set contains the first process identifier; a second query module, used to query, through the query interface, the key-value pair set to obtain the current network access permission value corresponding to the first process identifier if the first process identifier is included; and a first processing module, used to send a network access permission message if the current network access permission value belongs to a preset first network access permission value; the device further includes: a second acquisition module, used to acquire the shared application identifier in the system and all process identifiers corresponding to the shared application identifier; a first construction module, used to construct key-value pairs corresponding to each process identifier to generate a set of key-value pairs corresponding to all process identifiers, wherein the key and value of each key-value pair are the process identifier and the corresponding current network permission value, respectively; and a second construction module, used to store the key-value pair set in a preset virtual file system and to construct the query interface for the key-value pair set in the eBPF module.

7. An electronic device, characterized in that the electronic device includes: a processor; and a memory for storing processor-executable instructions; wherein the processor is configured to read the executable instructions from the memory and execute the instructions to implement the permission processing method according to any one of claims 1-5.

8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions that, when executed on a terminal device, cause the terminal device to implement the permission processing method as described in any one of claims 1-5.

9. A computer program product, characterized in that the computer program product includes a computer program / instruction which, when executed by a processor, implements the permission processing method as described in any one of claims 1-5.