A virtual device isolation method, apparatus and electronic device

By creating isolation policies in the operating system, associating the device identifier and session identifier of virtual devices, and using isolated devices and interfaces to handle operation requests, the problem of data security between sessions during virtual device redirection is solved, and effective device isolation between multiple sessions is achieved.

CN118363711BActive Publication Date: 2026-07-03RUIJIE NETWORKS CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
RUIJIE NETWORKS CO LTD
Filing Date
2023-01-18
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing technologies make it difficult to effectively isolate data security between user sessions during virtual device redirection, especially when users have administrator privileges, virtual device isolation is prone to failure.

Method used

By creating isolation policies in the operating system, associating the device identifier and session identifier of virtual devices, determining whether to forward operation requests based on the consistency of session identifiers, using isolated devices and isolated interfaces to handle different types of operation requests, and determining the target device stack step by step to achieve device isolation.

Benefits of technology

It achieves effective isolation of virtual devices between multiple sessions, prevents unauthorized access, improves data security, and avoids isolation failures caused by administrator privileges.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN118363711B_ABST
    Figure CN118363711B_ABST
Patent Text Reader

Abstract

A virtual device isolation method, apparatus, and electronic device are disclosed. The method includes: receiving an operation request for a virtual device in an operating system; searching for a second session identifier associated with a first device identifier in the isolation policy corresponding to the operating system; determining that the first session identifier and the second session identifier are consistent; forwarding the operation request to the virtual device for processing; and rejecting the forwarding of the operation request if the first session identifier and the second session identifier are inconsistent. Through this method, device isolation of the virtual device is achieved in the operating system by comparing the consistency of the first session identifier and the second session identifier, ensuring that the virtual device in the operating system can only be accessed by the session with the first session identifier, thereby realizing device isolation of virtual devices across multiple sessions.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, and in particular to a virtual device isolation method, apparatus and electronic device. Background Technology

[0002] With the development of computing technology, the use of shared desktops and shared application virtualization in networks has become increasingly common. Since the use of shared desktops and shared application virtualization requires an operating system to run on a server or virtual machine, when users use the operating system, they need to connect the virtual device to the remote desktop based on the transmission protocol and establish a device session corresponding to the virtual device in the operating system. This device session is a user session that allows the virtual device to be used, so that the virtual device can be redirected to the operating system, or the virtual device can be created directly on the operating system, thereby ensuring that users can use the virtual device in the operating system.

[0003] During the process of redirecting virtual devices to the operating system, since any user session in the operating system will be redirected to all virtual devices, when a user accesses a redirected virtual device in the operating system, that user can also access the virtual devices of other users in the operating system, thereby affecting the security of the data of the user's redirected virtual device.

[0004] Currently, to ensure the security of data on user-redirected virtual devices, a multi-user isolation method based on device redirection is adopted. This method includes: redirecting the actual physical device to the operating system using device redirection technology and creating a corresponding virtual device. Since the virtual device has storage capabilities, the physical drive letter corresponding to the virtual device can be obtained. Then, the physical drive letter of the virtual device is filtered, preventing the virtual device from generating a physical drive letter, hiding the physical drive letter corresponding to the virtual device, and preventing other users from accessing the physical drive letter corresponding to the virtual device. When a user connects to a remote virtual desktop, the virtual device redirected to the operating system is directly mounted to the session drive letter associated with that user. Other users' remote virtual desktops will not be able to access this session drive letter, thus achieving the purpose of isolating virtual devices based on the user's session drive letter.

[0005] Based on the above description, although it can prevent other users from accessing the session drive letter of the virtual device, it only supports devices mapped to the operating system through device redirection and virtual devices holding session drive letters. When a user has administrator privileges, they can access data in other users' virtual devices through Device Manager, Disk Manager, or third-party device management software, or the session drive letter of the virtual device fails to be generated, which will cause the device isolation between virtual devices to fail. Summary of the Invention

[0006] This application provides a virtual device isolation method, apparatus, and electronic device for realizing device isolation of virtual devices across multiple sessions.

[0007] In a first aspect, this application provides a virtual device isolation method, the method comprising:

[0008] Receive an operation request for a virtual device in the operating system. The operation request carries a first session identifier and a first device identifier for the virtual device. Each session identifier of the operating system is an identifier of a session created when each user logs into the operating system.

[0009] The isolation policy corresponding to the operating system searches for the second session identifier associated with the first device identifier and determines whether the first session identifier and the second session identifier are consistent. The isolation policy includes the association relationship between each session identifier and each device identifier.

[0010] If it is determined that the first session identifier and the second session identifier are consistent, the operation request is forwarded to the virtual device for processing;

[0011] If it is determined that the first session identifier and the second session identifier are inconsistent, the operation request will be rejected.

[0012] By using the above method, after determining that the first session identifier and the second session identifier of the virtual device are consistent, the user can only access the virtual device corresponding to the first session identifier, thereby achieving device isolation of virtual devices between multiple sessions.

[0013] In one possible design, before receiving an operation request for a virtual device in the operating system, the method further includes:

[0014] After the virtual device is created in the operating system, the first device identifier and the second session identifier corresponding to the virtual device are obtained.

[0015] Create an association between the first device identifier and the second session identifier;

[0016] Add an association between the first device identifier and the second session identifier in the isolation policy.

[0017] By using the above method, the association between the first device identifier and the second session identifier is determined, and this association is added to the isolation policy. This allows the first session identifier of the virtual device to be determined based on the isolation policy, thereby determining the first device identifier corresponding to the first session identifier, which is beneficial for achieving device isolation of the virtual device.

[0018] In one possible design, the process of finding the second session identifier associated with the first device identifier using the isolation policy corresponding to the operating system includes:

[0019] Determine the type of the operation request;

[0020] If the operation request is determined to be of the first request type, the isolation policy is obtained through the first selected isolation device corresponding to the virtual device, and the second session identifier associated with the first device identifier is searched in the isolation policy through the first selected isolation device.

[0021] If the operation request is determined to be the second request type, the isolation policy is obtained through the isolation interface corresponding to the operating system, and the second session identifier associated with the first device identifier is found in the isolation policy through the isolation interface.

[0022] By using the methods described above, different approaches are taken to find the isolation strategy for virtual devices based on different operation types, ensuring that multiple types of operation requests can be responded to, thereby ensuring that device isolation of virtual devices can be achieved.

[0023] In one possible design, forwarding the operation request to the virtual device for processing includes:

[0024] If the operation request is determined to be of the first request type, the operation request is forwarded to the virtual device for processing via the isolation device.

[0025] If the operation request is determined to be of the second request type, the operation request is forwarded to the second isolation device corresponding to the virtual device through the isolation interface, and the operation request is forwarded to the virtual device for processing through the second isolation device.

[0026] By using the methods described above, different approaches are taken to isolate virtual devices based on different request types, thus ensuring that device isolation of virtual devices can be successfully achieved.

[0027] In one possible design, obtaining the isolation policy through a first selected isolation device corresponding to the virtual device includes:

[0028] In each level of the device stack corresponding to the virtual device, the target device stack for processing the operation request is determined level by level;

[0029] The isolation strategy is obtained through the first selected isolation device corresponding to the target device stack.

[0030] By using the above method, the target device stack for responding to operation requests is determined step by step from the device stacks corresponding to the virtual device, and then the isolation policy corresponding to the first selected isolation device is obtained through the target device stack, thereby improving the efficiency of obtaining the isolation policy.

[0031] In one possible design, before determining the target device stack for processing the first request type, the method further includes:

[0032] Determine the various levels of the device stack in the virtual device;

[0033] Create corresponding isolation devices for each level of the device stack.

[0034] By using the above method, isolated devices are created in each level of the virtual device's device stack, ensuring that device isolation of the virtual device can be achieved based on the isolated devices in each level of the device stack.

[0035] Secondly, this application provides a virtual device isolation device, the device comprising:

[0036] A receiving module is configured to receive an operation request for a virtual device in the operating system. The operation request carries a first session identifier and a first device identifier of the virtual device. Each session identifier of the operating system is an identifier of a session created when each user logs into the operating system.

[0037] An isolation module is used to search for the second session identifier associated with the first device identifier in the isolation policy corresponding to the operating system, and to determine whether the first session identifier and the second session identifier are consistent. The isolation policy includes the association relationship between each session identifier and each device identifier.

[0038] If it is determined that the first session identifier and the second session identifier are consistent, the operation request is forwarded to the virtual device for processing;

[0039] If it is determined that the first session identifier and the second session identifier are inconsistent, the operation request will be rejected.

[0040] In one possible design, the receiving module is specifically configured to detect after the operating system creates the virtual device, obtain the first device identifier and the second session identifier corresponding to the virtual device, create an association between the first device identifier and the second session identifier, and add the association between the first device identifier and the second session identifier to the isolation policy.

[0041] In one possible design, the isolation module is specifically used to determine the type of the operation request;

[0042] If the operation request is determined to be a first request type, the isolation policy is obtained through the first selected isolation device corresponding to the virtual device, and the second session identifier associated with the first device identifier is searched in the isolation policy through the first selected isolation device. If the operation request is determined to be a second request type, the isolation policy is obtained through the isolation interface corresponding to the operating system, and the second session identifier associated with the first device identifier is searched in the isolation policy through the isolation interface.

[0043] In one possible design, the isolation module is further configured to, if the operation request is determined to be a first request type, forward the operation request to the virtual device for processing through the isolation device; and if the operation request is determined to be a second request type, forward the operation request to a second isolation device corresponding to the virtual device through the isolation interface, and then forward the operation request to the virtual device for processing through the second isolation device.

[0044] In one possible design, the isolation module is further configured to determine the target device stack for processing the operation request level by level in the device stacks corresponding to the virtual device, and obtain the isolation strategy through the first selected isolation device corresponding to the target device stack.

[0045] In one possible design, the isolation module is further configured to determine the various levels of device stacks in the virtual device and create corresponding isolation devices for each level of device stack.

[0046] Thirdly, this application provides an electronic device, comprising:

[0047] Memory, used to store computer programs;

[0048] When the processor executes the computer program stored in the memory, it implements the steps of the virtual device isolation method described above.

[0049] Fourthly, a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the virtual device isolation method described above.

[0050] For details on each of the above-mentioned aspects one through four, and the technical effects that each aspect may achieve, please refer to the above description of the technical effects that can be achieved for the first aspect or the various possible solutions in the first aspect. These details will not be repeated here. Attached Figure Description

[0051] Figure 1 A flowchart of the steps of a virtual device isolation method provided in this application;

[0052] Figure 2A schematic diagram of the physical architecture corresponding to the virtual device provided in this application;

[0053] Figure 3 This application provides a schematic diagram of the structure of a virtual device isolation device;

[0054] Figure 4 This is a schematic diagram of the structure of an electronic device provided in this application. Detailed Implementation

[0055] To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the accompanying drawings. The specific operational methods in the method embodiments can also be applied to the device embodiments or system embodiments. It should be noted that in the description of this application, "multiple" is understood as "at least two". "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, and B existing alone. A connected to B can represent: A and B directly connected, and A and B connected through C. Furthermore, in the description of this application, terms such as "first" and "second" are used only for distinguishing the purpose of description and should not be construed as indicating or implying relative importance or order.

[0056] To address the issue of device isolation failure between virtual devices, this application provides a virtual device isolation method to achieve device isolation between virtual devices across multiple sessions, ensuring that users or applications can only access the virtual device corresponding to the target session. The methods and apparatus described in this application are based on the same technical concept. Since the principles by which the methods and apparatus solve the problems are similar, embodiments of the apparatus and methods can be referred to interchangeably, and repeated details will not be elaborated further.

[0057] The embodiments of this application will now be described in detail with reference to the accompanying drawings.

[0058] Reference Figure 1 This application provides a virtual device isolation method, the implementation process of which is as follows:

[0059] S1 receives operation requests for virtual devices in the operating system;

[0060] Firstly, the purpose of this application embodiment is to achieve device isolation of virtual devices between multiple sessions. When a user uses remote shared desktop, the operating system needs to isolate each virtual device, that is, when different users use remote shared desktop, they can only access the corresponding virtual device.

[0061] To achieve device isolation, the operating system in this embodiment creates an isolation policy. When creating the isolation policy, the association between the device identifier and the session identifier is added to the isolation policy. Here, the session identifier is the identifier corresponding to the session created by the operating system when each user logs in; the device identifier is a unique identifier that identifies the virtual device.

[0062] Specifically, after detecting the creation of a virtual device, the operating system obtains the first device identifier and the corresponding second session identifier of the virtual device. Then, it establishes an association between the first device identifier and the second session identifier. Finally, it adds the association between the first device identifier and the second session identifier to the isolation policy.

[0063] After generating the isolation policy, the operating system will check whether it has received any operation requests for virtual devices within the operating system. It should be noted that these operation requests are generated when a user logs into the shared desktop of the operating system and attempts to operate a virtual device; therefore, these requests will carry the first session identifier and the first device identifier corresponding to the virtual device.

[0064] Furthermore, based on the operation request, the operating system will retrieve the isolation policy and execute step S2.

[0065] S2, search for the second session identifier associated with the first device identifier in the isolation policy corresponding to the operating system, and determine whether the first session identifier and the second session identifier are consistent;

[0066] In this embodiment, when the operating system retrieves the isolation policy, it can do so either through an isolation device or through an isolation interface. Therefore, before retrieving the isolation policy, an isolation device and an isolation interface will be created in the operating system, as specifically implemented below:

[0067] When a virtual device is created, the operating system creates at least one level of device stack corresponding to the virtual device, such as... Figure 2 The diagram shown is a schematic of the physical architecture corresponding to the virtual device. Figure 2 The document describes the connection relationships between the application layer, device stack, and system kernel. The device stack contains various levels of device stacks, such as: Figure 2 The boxes in the USB VOLUMEDEVICE STACK and USBSTORAGEDEVICE STACK columns represent the device stack names, while the FiDo and Upper FiDo columns represent the structure of the device stack.

[0068] When creating at least one level of device stack in a virtual device, in order to achieve device isolation between virtual devices in multiple sessions, each level of device stack will create its own corresponding isolation device, and each level of isolation device can handle the corresponding type of operation request.

[0069] After the isolation device is created, the operating system will register its isolation interface with the isolation device. That is, when the operating system starts, it loads the isolation driver corresponding to the isolation device and registers an isolation interface with the operating system through this driver.

[0070] It should be noted that the types of operation requests handled by the isolation device and the isolation interface are different. For example, when a virtual USB drive is created in the operating system, requests to open the virtual USB drive or to move files in the virtual USB drive are the first type of request; requests to modify or delete registry entries of the virtual USB drive are the second type of request.

[0071] Therefore, upon receiving an operation request for a virtual device in the operating system, the operating system first determines the type of the operation request. If the operation request is of the first request type, the isolation policy is obtained through the first selected isolation device corresponding to the virtual device. If the operation request is of the second request type, the isolation policy is obtained through the corresponding isolation interface of the operating system.

[0072] If the isolation policy is obtained through an isolation device, the first device identifier in the operation request is matched with the device identifier in the isolation policy using that isolation device to determine the device identifier that is identical to the first device identifier, and further determine the second session identifier associated with that device identifier. Then, it is further determined whether the first session identifier and the second session identifier are consistent.

[0073] It's important to note that since virtual devices correspond to multi-level device stacks, with each stack corresponding to an isolation device, upon receiving an operation request, the operating system first determines the target device stack to handle the request through a step-by-step polling process. The isolation policy is then obtained through the first selected isolation device corresponding to that target stack. In other words, each device stack handles different operation requests. The operating system first determines whether the first-level device stack can handle the request. If it can, the isolation policy is directly obtained through the corresponding isolation device. If not, the system determines that the second-level device stack can handle the request. This process accurately identifies the isolation device that will handle the operation request, ensuring accurate isolation of the virtual device. This example only illustrates the step-by-step polling method starting from the first level to determine the target device stack; other methods can also be used, such as polling from the last level or polling every other level.

[0074] If the isolation policy is obtained through an isolation interface, the first device identifier in the operation request is matched with the device identifier in the isolation policy through the isolation interface to determine the device identifier that is the same as the first device identifier, and then the second session identifier associated with the device identifier is further determined. Then, it is further determined whether the first session identifier and the second session identifier are consistent.

[0075] If the first session identifier and the second session identifier are the same, proceed to step S3; if the first session identifier and the second session identifier are different, proceed to step S4.

[0076] S3 forwards the operation request to the virtual device for processing;

[0077] If the isolation policy is obtained through the isolation device and the first session identifier is found to be consistent with the second session identifier, then the operation request is forwarded to the virtual device for response processing through isolation.

[0078] If the isolation policy is obtained through the isolation interface and it is determined that the first session identifier and the second session identifier are consistent, then the operation request is forwarded to the isolation device through the isolation interface, and then the operation request is forwarded to the virtual device for response processing through the isolation device.

[0079] S4, refuse to forward the operation request.

[0080] Based on the above description, after the operating system obtains the isolation policy through the isolation device or isolation interface, it can determine whether the current session can access the corresponding virtual device through the association between the session identifier and the device identifier in the isolation policy. This ensures that the user can only access the virtual device associated with the session identifier corresponding to the current session, solves the problem of device isolation failure caused by administrator privileges, and thus realizes the operating system's device isolation of virtual devices between multiple sessions.

[0081] Furthermore, both the method of device isolation based on isolation devices and the method of device isolation based on isolation interfaces only locate the first device identifier corresponding to the virtual device based on the first session identifier. Therefore, after adding virtual devices, it is not necessary to assign a corresponding disk letter to each virtual device, so the number of virtual devices created is not limited by the disk letter.

[0082] Based on the same inventive concept, this application also provides a virtual device isolation device, which implements the function of a virtual device isolation method, as described above. Figure 3 The device includes:

[0083] The receiving module 301 is configured to receive an operation request for a virtual device in the operating system. The operation request carries a first session identifier and a first device identifier of the virtual device. Each session identifier of the operating system is an identifier of a session created when each user logs into the operating system.

[0084] The isolation module 302 is used to search for the second session identifier associated with the first device identifier in the isolation policy corresponding to the operating system, and to determine whether the first session identifier and the second session identifier are consistent. The isolation policy includes the association relationship between each session identifier and each device identifier.

[0085] If it is determined that the first session identifier and the second session identifier are consistent, the operation request is forwarded to the virtual device for processing;

[0086] If it is determined that the first session identifier and the second session identifier are inconsistent, the operation request will be rejected.

[0087] In one possible design, the receiving module 301 is specifically used to detect that after the virtual device is created by the operating system, obtain the first device identifier and the second session identifier corresponding to the virtual device, create an association between the first device identifier and the second session identifier, and add the association between the first device identifier and the second session identifier to the isolation policy.

[0088] In one possible design, the isolation module 302 is specifically used to determine the type of the operation request. If the operation request is determined to be a first request type, the isolation policy is obtained through the first selected isolation device corresponding to the virtual device, and the second session identifier associated with the first device identifier is searched in the isolation policy through the first selected isolation device. If the operation request is determined to be a second request type, the isolation policy is obtained through the isolation interface corresponding to the operating system, and the second session identifier associated with the first device identifier is searched in the isolation policy through the isolation interface.

[0089] In one possible design, the isolation module 302 is further configured to, if the operation request is determined to be a first request type, forward the operation request to the virtual device for processing through the isolation device; if the operation request is determined to be a second request type, forward the operation request to the second isolation device corresponding to the virtual device through the isolation interface, and forward the operation request to the virtual device for processing through the second isolation device.

[0090] In one possible design, the isolation module 302 is further configured to determine the target device stack for processing the operation request level by level in the device stacks corresponding to the virtual device, and obtain the isolation strategy through the first selected isolation device corresponding to the target device stack.

[0091] In one possible design, the isolation module 302 is further configured to determine the various levels of device stacks in the virtual device and create corresponding isolation devices for each level of device stack.

[0092] Based on the same inventive concept, this application also provides an electronic device that can realize the function of the aforementioned virtual device isolation device. (Refer to...) Figure 4 The electronic device includes:

[0093] At least one processor 401 and a memory 402 connected to at least one processor 401. In this embodiment, the specific connection medium between the processor 401 and the memory 402 is not limited. Figure 4 The example shown is the connection between processor 401 and memory 402 via bus 400. Bus 400 is... Figure 4 The connections between other components are indicated by thick lines and are for illustrative purposes only, not as limiting information. The 400 bus can be divided into address bus, data bus, control bus, etc., for ease of representation. Figure 4 The term is represented by a single thick line, but this does not imply that there is only one bus or one type of bus. Alternatively, processor 401 can also be called a controller; there is no restriction on the name.

[0094] In this embodiment, memory 402 stores instructions executable by at least one processor 401. By executing the instructions stored in memory 402, at least one processor 401 can execute a virtual device isolation method described above. Processor 401 can implement... Figure 3 The functions of each module in the device shown.

[0095] The processor 401 is the control center of the device. It can connect to various parts of the control device through various interfaces and lines. By running or executing instructions stored in memory 402 and calling data stored in memory 402, the processor can perform various functions and process data, thereby monitoring the device as a whole.

[0096] In one possible design, processor 401 may include one or more processing units. Processor 401 may integrate an application processor and a modem processor, wherein the application processor mainly handles the operating system, user interface, and applications, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into processor 401. In some embodiments, processor 401 and memory 402 may be implemented on the same chip; in some embodiments, they may also be implemented separately on separate chips.

[0097] Processor 401 can be a general-purpose processor, such as a central processing unit (CPU), digital signal processor, application-specific integrated circuit, field-programmable gate array or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, capable of implementing or executing the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the virtual device isolation method disclosed in the embodiments of this application can be directly manifested as execution by a hardware processor, or execution by a combination of hardware and software modules within the processor.

[0098] Memory 402, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. Memory 402 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic storage, magnetic disk, optical disk, etc. Memory 402 can be any other medium capable of carrying or storing desired program code in the form of instructions or data structures that can be accessed by a computer, but is not limited thereto. In the embodiments of this application, memory 402 can also be a circuit or any other device capable of implementing storage functions for storing program instructions and / or data.

[0099] By designing and programming the processor 401, the code corresponding to the virtual device isolation method described in the foregoing embodiments can be embedded into the chip, thereby enabling the chip to execute the code during runtime. Figure 1The illustrated embodiment presents a virtual device isolation step. How to design and program the processor 401 is a technique well-known to those skilled in the art and will not be described further here.

[0100] Based on the same inventive concept, embodiments of this application also provide a storage medium storing computer instructions that, when executed on a computer, cause the computer to perform a virtual device isolation method described above.

[0101] In some possible implementations, various aspects of the virtual device isolation method provided by this application can also be implemented in the form of a program product, which includes program code that, when the program product is run on a device, causes the control device to perform the steps in a virtual device isolation method according to various exemplary embodiments of this application described above.

[0102] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0103] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.

[0104] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.

[0105] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0106] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A method for virtual device isolation, the method comprising: include: Receive an operation request for a virtual device in the operating system. The operation request carries a first session identifier and a first device identifier for the virtual device. Each session identifier of the operating system is an identifier of a session created when each user logs into the operating system. The isolation policy corresponding to the operating system searches for the second session identifier associated with the first device identifier and determines whether the first session identifier and the second session identifier are consistent. The isolation policy includes the association relationship between each session identifier and each device identifier. The isolation policy is obtained by using an isolation device or an isolation interface according to the type of the operation request. The isolation device and the isolation interface are deployed in the operating system. If it is determined that the first session identifier and the second session identifier are consistent, the operation request is forwarded to the virtual device for processing; If it is determined that the first session identifier and the second session identifier are inconsistent, the operation request will be rejected.

2. The method of claim 1, wherein, Before receiving an operation request for a virtual device in the operating system, the method further includes: After the virtual device is created in the operating system, the first device identifier and the second session identifier corresponding to the virtual device are obtained. Create an association between the first device identifier and the second session identifier; Add an association between the first device identifier and the second session identifier in the isolation policy.

3. The method of claim 1 or 2, wherein, The process of finding the second session identifier associated with the first device identifier using the isolation policy corresponding to the operating system includes: Determine the type of the operation request; If the operation request is determined to be of the first request type, the isolation policy is obtained through the first selected isolation device corresponding to the virtual device, and the second session identifier associated with the first device identifier is searched in the isolation policy through the first selected isolation device. If the operation request is determined to be the second request type, the isolation policy is obtained through the isolation interface corresponding to the operating system, and the second session identifier associated with the first device identifier is found in the isolation policy through the isolation interface.

4. The method as described in claim 3, characterized in that, Forwarding the operation request to the virtual device for processing includes: If the operation request is determined to be of the first request type, the operation request is forwarded to the virtual device for processing via the isolation device. If the operation request is determined to be of the second request type, the operation request is forwarded to the second isolation device corresponding to the virtual device through the isolation interface, and the operation request is forwarded to the virtual device for processing through the second isolation device.

5. The method as described in claim 3, characterized in that, Obtaining the isolation policy through the first selected isolation device corresponding to the virtual device includes: In each level of the device stack corresponding to the virtual device, the target device stack for processing the operation request is determined level by level; The isolation strategy is obtained through the first selected isolation device corresponding to the target device stack.

6. The method as described in claim 5, characterized in that, Before determining the target device stack for processing the first request type step by step, the method further includes: Determine the various levels of the device stack in the virtual device; Create corresponding isolation devices for each level of the device stack.

7. A virtual device isolation device, characterized in that, include: A receiving module is configured to receive an operation request for a virtual device in the operating system. The operation request carries a first session identifier and a first device identifier of the virtual device. Each session identifier of the operating system is an identifier of a session created when each user logs into the operating system. An isolation module is used to search for the second session identifier associated with the first device identifier in the isolation policy corresponding to the operating system, and to determine whether the first session identifier and the second session identifier are consistent. The isolation policy includes the association relationship between each session identifier and each device identifier. The isolation policy is obtained by using an isolation device or an isolation interface according to the type of the operation request. The isolation device and the isolation interface are deployed in the operating system. If it is determined that the first session identifier and the second session identifier are consistent, the operation request is forwarded to the virtual device for processing; If it is determined that the first session identifier and the second session identifier are inconsistent, the operation request will be rejected.

8. The apparatus as claimed in claim 7, characterized in that, The receiving module is specifically configured to detect after the virtual device is created by the operating system, obtain the first device identifier and the second session identifier corresponding to the virtual device, create an association between the first device identifier and the second session identifier, and add the association between the first device identifier and the second session identifier to the isolation policy.

9. An electronic device, characterized in that, include: Memory, used to store computer programs; A processor, when executing a computer program stored in the memory, implements the steps of the method according to any one of claims 1-6.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the method described in any one of claims 1-6.