Linux system folder recursive management method and device, equipment and medium
By parsing the parent-child hierarchy of folders in the Linux system and automatically copying and merging security policies at the kernel level, the complexity of recursive control of multi-level folder permissions is resolved, enabling flexible access control and transparent processing of security policies.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- KYLIN CORP
- Filing Date
- 2026-03-13
- Publication Date
- 2026-06-12
AI Technical Summary
Existing Linux systems struggle to implement flexible and varied access control in multi-level folder permission recursion, especially in sub-paths of folders, where it is difficult to flexibly manage access permissions for folders at different levels.
By obtaining the path information and security policy of the target folder, the parent-child hierarchy between folders is parsed, and the kernel layer automatically copies and merges security policies to form a merged security policy, which is then sent to the target folder, and an independent multi-policy security identity is assigned to it.
It achieves transparent handling of recursive folder management, reduces the probability of human error, avoids security vulnerabilities caused by policy configuration conflicts, and ensures the continued effectiveness of parent folder policies on child folders.
Smart Images

Figure CN122197098A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of Linux system file access permission technology, and in particular to a method, apparatus, device and medium for recursive management of Linux system folders. Background Technology
[0002] As computer users become increasingly concerned about the privacy of their personal data, mainstream operating systems, especially Linux systems, include various data and file access restriction mechanisms. Common system file protection mechanisms in Linux distributions include two types: DAC and MAC. DAC uses basic file attributes for file permission control, with a fixed format and relatively simple control method, only allowing for coarse-grained control based on the file's owner and group. MAC, on the other hand, uses extended file attributes for file permission control. The extended attribute format is arbitrary, allowing for more professional and granular security policy configuration, and strictly restricting file access permissions at a fine-grained level.
[0003] However, among various permission restriction mechanisms based on extended attributes, since file extended attributes can be set arbitrarily, when managing permissions through extended attributes, files with configured security policies are often assigned a security identity stored in the file's extended attributes to manage permissions for ordinary single files. But when it comes to recursively managing permissions for subfolders within folders, especially multi-level file paths, it is difficult to implement flexible and varied access control for folders at different levels. Summary of the Invention
[0004] This invention provides a method, apparatus, device, and medium for recursive management of Linux system folders, to solve the technical problem of complex and difficult-to-flexible access control of recursive management security policies for subfolders at various levels of multi-level file paths.
[0005] In a first aspect, embodiments of the present invention provide a method for recursive management of Linux system folders, including: S101, Obtain the path information and security policies of all target folders with configured security policies; S102, Based on the obtained path information, extract and parse the parent-child hierarchical relationship between the paths of each level of folder to form hierarchical relationship information; S103, the hierarchical relationship information is sent down to the kernel layer for storage. The kernel layer automatically copies the security policy of the parent folder of the target folder and merges it with the security policy of the target folder according to the hierarchical relationship information and security policy, and copies the security policy of the target folder and merges it with the configured security policy of its subfolders to form a merged security policy. S104 distributes the integrated security policy to the corresponding target folder and assigns a corresponding independent multi-policy security identity to the target folder.
[0006] Secondly, embodiments of the present invention provide a Linux system folder recursive management device, comprising: The file information acquisition module is used to obtain the path information and security policies of all target folders with configured security policies; The hierarchy parsing module is used to extract and parse the parent-child hierarchy relationships between folder paths at all levels based on the obtained path information, forming hierarchy relationship information; The security policy fusion module is used to send hierarchical relationship information down to the kernel layer and automatically copy and merge the security policy of the parent folder of the target folder with the security policy of the target folder, and copy and merge the security policy of the target folder with the security policies of its subfolders to form a fused security policy. The security policy distribution module is used to distribute the integrated security policies to the corresponding target folders and assign corresponding independent multi-policy security identities to the target folders.
[0007] Thirdly, embodiments of the present invention provide an electronic device, including: One or more processors; Storage device for storing one or more programs. When the one or more programs are executed by the one or more processors, the one or more processors implement the above-described recursive management method for Linux system folders.
[0008] Fourthly, embodiments of the present invention provide a storage medium containing computer-executable instructions, which, when executed by a computer processor, are used to execute the above-described Linux system folder recursive management method.
[0009] This invention provides a method, apparatus, device, and medium for recursive folder management in a Linux system. The method acquires the path information of all target folders with configured security policies and their corresponding security policies. Then, based on the path information, it parses and extracts the parent-child hierarchical relationship between folders and sends this hierarchical relationship information to the kernel layer for storage. When the kernel layer receives a security policy for a target folder, it automatically identifies the parent folder with configured policies based on the hierarchical relationship information, copies the parent folder's security policy, merges it with the existing policies of the child folders, and sends the merged security policy to the target folder, assigning it an independent multi-policy security identity for access control. Security policy configuration personnel only need to send security policies to the target folder, eliminating the need to manually copy the security policies of its parent folders, simplifying security policy configuration and reducing the probability of human error. The kernel layer automatically completes the copying and merging of policies based on the hierarchical relationship, achieving transparent processing of recursive folder management policies, ensuring that parent folder policies remain effective for child folders, and avoiding security vulnerabilities caused by policy configuration conflicts. Through a seamless security policy copying and merging process, recursive folder management is automatically performed without manual intervention. Attached Figure Description
[0010] The accompanying drawings, which form part of this invention, are used to provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an undue limitation of the invention. In the drawings: Figure 1 This is a flowchart of a Linux system folder recursive management method according to Embodiment 1 of the present invention; Figure 2 This is a flowchart of a Linux system folder recursive management method according to Embodiment 2 of the present invention; Figure 3 This is a schematic diagram of the structure of a Linux system folder recursive management device according to Embodiment 3 of the present invention; Figure 4 This is a structural diagram of the electronic device described in Embodiment 4 of the present invention. Detailed Implementation
[0011] The present invention will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and not intended to limit it. Furthermore, it should be noted that, for ease of description, the accompanying drawings show only the parts relevant to the present invention, and not all of the structures.
[0012] Example 1 Figure 1The flowchart below illustrates a recursive folder management method for Linux systems according to Embodiment 1 of the present invention. It involves extracting the path information of the target folder and analyzing its parent-child hierarchical relationship with the path information of other folders. The security policies of the parent folder are then progressively integrated with the security policies of the child folders. An independent multi-policy security identity is assigned to the target folder and simultaneously integrated into its child folders. Specifically, the method includes the following steps: S101: Obtain the path information and security policies of all target folders with configured security policies.
[0013] In Linux systems, security policies are typically configured manually by policy configuration personnel using policy management tools (semanage, custom tools). Configured security policies are generally stored in a security policy database. This database can be accessed to retrieve information about all target folders with configured security policies, and to extract the corresponding path information and security policy fields. For example, the path information is the complete absolute path of the folder in the file system, such as " / home / user / My Documents" and its subfolder " / home / user / My Documents / Work Summary," etc.; the security policy is the permission control rule for each folder, such as the definition of operation permissions like "prohibit modification" and "prohibit deletion," along with the corresponding security identity. For instance, a security policy configuration personnel might first issue a "prohibit modification" security policy to " / home / user / My Documents," and then issue a "prohibit deletion" policy to its subfolder " / home / user / My Documents / Work Summary." In this case, the security policy database records both issued security policies, with each record containing the complete absolute path of the target folder and the corresponding security policy rule. When recursive folder management is required, you can first use the policy configuration tool to read the security policy database and obtain all the entries recorded therein. This will give you the path information of the target folder and the security policy configured for it.
[0014] S102, Based on the obtained path information, extract and parse the parent-child hierarchical relationship between the paths of folders at all levels to form hierarchical relationship information.
[0015] The obtained path information of each folder can be analyzed using strategy configuration tools, string comparison, and other methods to identify the prefix inclusion relationship between the folder paths and determine the parent-child relationship between folders, forming hierarchical relationship information that records the parent-child relationship of each level of folders. For example, if the obtained path information includes " / home / user / My Documents" and " / home / user / My Documents / Work Summary", comparing the two to identify the prefix inclusion relationship shows that the latter's path prefix completely includes the former's path. Therefore, the folder corresponding to the former path is the parent folder of the folder corresponding to the latter path. The same method can be used to identify multi-level folder paths, ultimately constructing a folder hierarchy tree that represents the parent-child relationship between folder paths at each level. The resulting hierarchical relationship information can also be represented in the form of a parent-child pair list.
[0016] S103, the hierarchical relationship information is sent down to the kernel layer for storage. The kernel layer automatically copies the security policy of the parent folder of the target folder and merges it with the security policy of the target folder according to the hierarchical relationship information and security policy, and copies the security policy of the target folder and merges it with the configured security policies of its subfolders to form a merged security policy.
[0017] After the hierarchical relationship information is formed, it is converted into a data format recognizable by the Linux kernel. For example, the hierarchical relationship information is serialized and transmitted to the kernel layer via Netlink sockets or the ioctl system call. The security policy management module in the kernel layer establishes parent-child mapping relationships between folders at each level based on the received hierarchical relationship information and stores it in the kernel layer's storage space. The security policy management module can be a custom kernel module with the ability to receive, parse, and query security policies issued from the upper layer. When a security policy is received for a target folder, the parent-child mapping relationships between folders at each level are first queried to determine if any subfolders under the target folder have already been configured with security policies. If a security policy is found in a subfolder, the security policy of the target folder is copied and merged with the security policy issued to the current subfolder, forming a merged security policy that includes both the subfolder's security policy and the target folder's security policy. Similarly, the parent-child mapping relationships are queried to determine if the target folder's parent folder has already been configured with a security policy. The security policy of the parent folder with a configured security policy is copied and merged with the target folder's security policy, forming a merged security policy that includes both the parent folder's security policy and the target folder's security policy. Similarly, when multiple levels of parent-child relationships exist, all security policies configured in the parent folder need to be copied and merged into the security policies of its direct subfolders. This process is repeated level by level, with lower-level folders containing more rules in the merged security policies. It's important to note that during the copying and merging process of security policies from higher-level parent folders to lower-level subfolders, a deduplication mechanism is also included to remove duplicate security policies, keeping only one to ensure that multiple rules do not conflict. For example, a user simultaneously issues a "prohibit deletion" policy for " / home / user / My Documents" and a "prohibit modification" policy for the subfolder " / home / user / My Documents / Work Summary". When the kernel receives the "prohibit deletion" security policy for " / home / user / My Documents", it first checks if there is a parent-child mapping relationship. It will find that there is a subfolder path " / home / user / My Documents / Work Summary". At this time, the kernel automatically copies the "prohibit deletion" security policy of the parent folder and merges it with the "prohibit modification" policy of the subfolder to obtain a merged security policy for the subfolder " / home / user / My Documents / Work Summary" that includes both "prohibit modification" and "prohibit deletion" rules.
[0018] S104 distributes the integrated security policy to the corresponding target folder and assigns a corresponding independent multi-policy security identity to the target folder.
[0019] The kernel assigns a corresponding independent multi-policy security identity to the target folder based on the merged security policy. For example, each independent multi-policy security identity contains the merged security rules. By assigning this independent multi-policy security identity to a specific target folder, multiple security rule constraints can be applied to that folder based on a single security identity. For instance, when a merged security policy containing two rules, "prohibit modification" and "prohibit deletion," is issued to " / home / user / My Documents / Work Summary," this folder has both rules prohibiting modification and deletion. When a process subsequently accesses the folder, the kernel will recursively manage the target folder based on this independent multi-policy security identity.
[0020] Optionally, the security policy implements access control based on the security identity in the file extended attributes. The copying and merging of the security policy are both displayed to the security policy configuration personnel, who only need to configure the security policy for the target folder.
[0021] In this embodiment, access control can be implemented based on Linux Security Modules (LSM) through a unique security identity field in the file's extended attributes. This security identity is a unique code assigned to distinguish various processes and resources, stored in the corresponding field of the file's extended attributes, typically located in the `security` namespace. When a process accesses a file, security hooks in the Linux Security Modules framework check whether the process's security context matches the file's security identity to determine whether access is permitted. Security policy configuration personnel can issue security policies to target folders using user-space security policy configuration tools (semanage, custom tools). Unlike traditional methods, the copying and merging of security policies is automatically completed by the kernel without manual intervention, and security policy administrators are completely unaware of the process. This transparent copying and merging of security policies enables automated, unobtrusive recursive folder management.
[0022] This embodiment obtains the path information of all target folders with configured security policies and their corresponding security policies. Then, based on the path information, it parses and extracts the parent-child hierarchical relationship between folders and sends this hierarchical relationship information to the kernel layer for storage. When the kernel layer receives a security policy for a target folder, it automatically identifies the parent folder with configured policies based on the hierarchical relationship information, copies the parent folder's security policy, merges it with the existing policies of the child folders, and sends the merged security policy to the target folder, assigning it an independent multi-policy security identity for access control. Security policy configuration personnel only need to send security policies to the target folder, without manually copying the security policies of its parent folders, simplifying the security policy configuration operation and reducing the probability of human error. The kernel layer automatically completes the copying and merging of policies based on the hierarchical relationship, achieving transparent processing of recursive folder management policies, ensuring that parent folder policies remain effective for child folders, and avoiding security vulnerabilities caused by policy configuration conflicts. Through the imperceptible process of copying and merging security policies, recursive folder management is automatically performed without manual intervention.
[0023] Example 2 Figure 2 This is a flowchart of a Linux system folder recursive management method according to Embodiment 2 of the present invention. This embodiment is based on the above embodiment and optimized. In this embodiment, S103 is specifically optimized as follows: The hierarchical relationship information is serialized according to a preset data format and transmitted to the kernel layer through a system call interface; In the kernel-level security policy management module, a parent-child hierarchy lookup table is established to store the serialized hierarchy information. The kernel layer queries a table based on the parent-child hierarchy to obtain the security policy of the parent folder of the target folder; Copy the security policy of the parent folder and merge it with the security policy of the target folder to form a merged security policy.
[0024] Accordingly, the recursive management method for Linux system folders provided in this embodiment specifically includes: S201: Obtain the path information and security policies of all target folders with configured security policies.
[0025] Specifically, the system reads the security policy database and extracts the path information of the target folder for the issued security policies and the corresponding issued security policies.
[0026] Configured security policies, their corresponding target folders, and their paths can be stored in a security policy database. This database can be queried to retrieve folders with configured security policies, their full absolute paths, etc., for analyzing the parent-child hierarchical relationships between folders, thus providing a data foundation for flexible security policy configuration. For example, the security policy database can be a local file (such as ` / etc / selinux / targeted / contexts / files / file_contexts`) or a relational database table. Security policy configuration personnel can add, modify, or delete security policies using policy configuration tools, which will simultaneously update the records in the database. When it is necessary to construct folder hierarchical relationships, the policy configuration tool can directly query the database to retrieve the folder paths and corresponding policy content of all configured policies.
[0027] S202, Based on the obtained path information, extract and parse the parent-child hierarchical relationship between folder paths at all levels to form hierarchical relationship information.
[0028] Specifically, based on the path information of the target folder, a complete path string comparison is performed on the path information to identify the prefix inclusion relationship in the path, extract the parent-child hierarchy relationship of the target folder, and form the hierarchy relationship information.
[0029] After retrieving the path information of all folders from the database, each path is traversed. The path information within the target folder is compared with the complete path strings of other folders. The system identifies whether the path information of other folders contains a prefix corresponding to the target folder, and whether the target folder and the prefix appear immediately after each other (i.e., the target folder and the prefix path differ by a directory separator). If such a prefix is found, the identified folder is determined as the parent folder of the target folder. This process can be executed level by level to construct a multi-level parent folder structure, forming a hierarchical relationship.
[0030] An optional implementation of this embodiment involves comparing the path information of the target folder with the path information of other folders with configured security policies, extracting the parent path information contained in the path information prefix of the target folder, determining the folder corresponding to the parent path information as the parent folder of the target folder, and extracting the child path information contained in the path information prefix of other folders, determining the folder corresponding to the child path information as the child folder of the target folder.
[0031] For example, the complete path string comparison includes: first, storing the complete absolute path information of all obtained folders into a sorted comparison array; then, sorting the array in ascending order of string length, and sorting strings of the same length in lexicographical order; then, initializing an empty parent-child mapping table, with the key being the subfolder path and the value being the parent folder path; for each complete absolute path information in the sorted comparison array, traversing all other complete absolute path information with a shorter string length and judging whether the other complete absolute path information is a prefix of the current complete absolute path information, and the first character after the complete absolute path information used as the prefix is the path separator " / ", then recording the complete absolute path information used as the prefix as the candidate parent path of the current complete absolute path information; then selecting the longest string length from the candidate parent paths as its direct parent path, and so on if there are multiple levels of ancestors, finally obtaining the direct parent folder mapping of each non-root folder (if there are multiple levels of ancestors, a parent-child hierarchical relationship tree can be obtained). Similarly, the same method can be used to identify subfolders and direct subfolders of the target folder. This can be achieved by determining whether the complete absolute path information of the target folder is a prefix of the complete absolute path information of other folders, thereby resolving the parent-child hierarchy of each folder.
[0032] S203, the hierarchical relationship information is serialized according to a preset data format and transmitted to the kernel layer through the system call interface.
[0033] To facilitate reading by the kernel layer, the hierarchical relationship information needs to be serialized according to a predefined protocol format. For example, this can be achieved by constructing an array of structures, each containing the sub-path length, sub-path string, parent path length, and parent path string, and then packaging this data and sending it to the security policy management module in the kernel via Netlink messages.
[0034] S204: Establish a parent-child hierarchy lookup table in the kernel-level security policy management module and store the serialized hierarchy information.
[0035] After receiving the transmitted serialized data, the kernel layer parses it and constructs a parent-child hierarchy lookup table. This table can be implemented using a hash table or a red-black tree, storing the direct parent folder path and possible multi-level ancestor paths, with the subfolder path as the key. For efficient lookup, paths can be converted to inode numbers managed in the kernel or path hash values can be used.
[0036] S205, when issuing security policies to the target folder, the kernel layer queries the parent-child hierarchy table to obtain the security policies of the configured parent and child folders of the target folder respectively.
[0037] When the kernel receives a request to issue a security policy to a target folder, it first checks whether the target folder has a parent folder and child folders in the parent-child hierarchy lookup table. This can be done by traversing the lookup table to find all paths whose parent paths (path prefixes) match the target folder, and all paths whose child path prefixes match the target folder. Simultaneously, it checks whether security policies have been configured in each level of folder, preparing for subsequent security policy integration.
[0038] S206: Copy the security policy of the parent folder and merge it with the security policy of the target folder; copy the security policy of the target folder and merge it with the security policies of its subfolders to form a merged security policy.
[0039] For each parent folder found, the kernel retrieves the configured security policy of the parent folder, then copies the parent folder's security policy and merges it with the target folder's security policy. For each subfolder found, the kernel retrieves the configured security policy of the subfolder, then copies the target folder's security policy and merges it with the subfolder's security policy. For folders without configured security policies, the kernel simply copies the security policy of its direct parent folder. The merging process can be an overlay approach, where the access control vectors of the parent folder are overlaid onto the operations restricted by the target folder's security policy to form a merged security policy. The kernel then rewrites the merged new policy into the target folder's security policy data structure and updates the extended attribute cache.
[0040] S207 distributes the integrated security policy to the corresponding target folder and assigns a corresponding independent multi-policy security identity to the target folder.
[0041] Specifically, the kernel layer assigns a new security identity to the target folder based on the converged security policy, which includes the security policy of its parent folder, thus forming an independent multi-policy security identity for the target folder.
[0042] For example, a file's extended attributes can record a single, multi-policy security identity, inherited and merged from its parent folder, containing multiple rules. When performing appropriate permission control, the kernel simultaneously reads this security identity field in the extended attributes to identify the various rules corresponding to the independent multi-policy security identity, thus achieving recursive folder control. For instance, for " / home / user / My Documents / Work Summary," its security identity is B, corresponding to the rules "Deletion Prohibited" and "Modification Prohibited." This new security identity is formed by merging the security identity A (containing the "Modification Prohibited" rule) of its direct parent folder with the old security identity (containing the "Deletion Prohibited" rule) to be assigned to it. Subsequently, when a process attempts to modify this folder, the kernel checks the security policy corresponding to its new security identity and finds that it contains both "Deletion Prohibited" and "Modification Prohibited" rules, therefore the modification operation is rejected. Similarly, when the process attempts to delete the folder, it finds that deletion is prohibited, and the deletion operation is also rejected, thus achieving dual (multi) security policy control for a single security identity.
[0043] This embodiment retrieves folder information for all configured policies by reading the security policy database; it accurately identifies the parent-child hierarchical relationship between folders using a complete path string comparison method, forming hierarchical relationship information; after serializing the hierarchical relationship information according to a preset format, it transmits it to the kernel layer through a system call interface, and stores it in a parent-child hierarchical relationship lookup table in the kernel layer; when the kernel receives a folder policy distribution request, it locates the subfolder according to the lookup table, automatically copies the parent folder policy and merges it with the existing policy of the subfolder; finally, it assigns independent multi-policy security identities to files under the target folder through extended attributes, enabling multiple rules to be superimposed and effective.
[0044] Example 3 Figure 3 This is a schematic diagram of a Linux system folder recursive management device according to Embodiment 3 of the present invention. In this embodiment, the Linux system folder recursive management device includes: The file information acquisition module 810 is used to acquire the path information and security policies of all target folders with configured security policies; The hierarchy parsing module 820 is used to extract and parse the parent-child hierarchy relationship between folder paths at all levels based on the obtained path information, and form hierarchy relationship information. The security policy fusion module 830 is used to send hierarchical relationship information to the kernel layer and automatically merge the security policy of the parent folder of the target folder with the security policy of the target folder to form a fused security policy. The security policy distribution module 840 is used to distribute the integrated security policy to the corresponding target folder and assign a corresponding independent multi-policy security identity to the target folder.
[0045] This embodiment acquires and stores the path information and security policies of all target folders with configured security policies through a file information acquisition module. A hierarchy parsing module extracts and parses the parent-child hierarchical relationships between folder paths at each level. A security policy fusion module sends the extracted hierarchy information to the kernel layer for automatic fusion of the parent folder's security policy and the target file's security policy. A security policy distribution module distributes the fused security policy to the target folder, assigning it an independent multi-policy security identity. Security policy configuration personnel only need to distribute security policies to the target folder, eliminating the need to manually copy the security policies of its parent folders, simplifying security policy configuration and reducing the probability of human error. The kernel layer automatically completes policy copying and fusion based on the hierarchy, achieving transparent processing of recursive folder management policies, ensuring the continued effectiveness of parent folder policies on child folders, and avoiding security vulnerabilities caused by policy configuration conflicts.
[0046] The Linux system folder recursive management device provided in this embodiment of the invention can execute the Linux system folder recursive management method provided in any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the method.
[0047] Example 4 Figure 4 This is a structural diagram of an electronic device according to Embodiment 4 of the present invention. Figure 4 A block diagram is shown of an exemplary electronic device 12 suitable for implementing embodiments of the present invention. Figure 4 The electronic device 12 shown is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of the present invention.
[0048] like Figure 4 As shown, the electronic device 12 is represented in the form of a general-purpose computing device. The components of the electronic device 12 may include, but are not limited to: one or more processors or processing units 16, system memory 28, and bus 18 connecting different system components (including system memory 28 and processing unit 16).
[0049] Bus 18 represents one or more of several bus architectures, including a memory bus or memory controller, a peripheral bus, a graphics acceleration port, a processor, or a local bus using any of the various bus architectures. For example, these architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MAC) bus, the Enhanced ISA bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
[0050] Electronic device 12 typically includes a variety of computer system readable media. These media can be any available media that can be accessed by electronic device 12, including volatile and non-volatile media, removable and non-removable media.
[0051] System memory 28 may include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and / or cache memory 32. Electronic device 12 may further include other removable / non-removable, volatile / non-volatile computer system storage media. By way of example only, storage system 34 may be used to read and write non-removable, non-volatile magnetic media (… Figure 4 Not shown; usually referred to as a "hard drive"). Although Figure 4 Not shown, a disk drive for reading and writing to a removable non-volatile disk (e.g., a "floppy disk") and an optical disk drive for reading and writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 via one or more data media interfaces. System memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to perform the functions of the embodiments of the present invention.
[0052] A program / utility 40 having a set (at least one) of program modules 42 may be stored, for example, in system memory 28. Such program modules 42 include, but are not limited to, an operating system, one or more application programs, other program modules, and program data. Each or some combination of these examples may include an implementation of a network environment. Program modules 42 typically perform the functions and / or methods described in the embodiments of the present invention.
[0053] Electronic device 12 can also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), and with one or more devices that enable a user to interact with the electronic device 12 / server / computer, and / or with any device that enables the electronic device 12 to communicate with one or more other computing devices (e.g., network card, modem, etc.). This communication can be performed through input / output (I / O) interface 22. Furthermore, electronic device 12 can also communicate with one or more networks (e.g., local area network (LAN), wide area network (WAN), and / or public networks, such as the Internet) via network adapter 20. Figure 4 As shown, network adapter 20 communicates with other modules of electronic device 12 via bus 18. It should be understood that, although... Figure 4 As not shown, other hardware and / or software modules may be used in conjunction with electronic device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0054] The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, such as implementing the Linux system folder recursive management method provided in the embodiments of the present invention.
[0055] Example 5 Embodiment 5 of the present invention also provides a storage medium containing computer-executable instructions, which, when executed by a computer processor, are used to execute the Linux system folder recursive management method provided in the above embodiments.
[0056] The computer storage medium of this invention can be any combination of one or more computer-readable media. A computer-readable medium can be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media (a non-exhaustive list) include: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this document, a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.
[0057] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. Computer-readable signal media may also be any computer-readable medium other than computer-readable storage media, capable of sending, propagating, or transmitting programs for use by or in connection with an instruction execution system, apparatus, or device.
[0058] Program code contained on a computer-readable medium may be transmitted using any suitable medium, including—but not limited to—wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.
[0059] Computer program code for performing the operations of this invention can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as "C" or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a local area network (LAN) or a wide area network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0060] Note that the above description is merely a preferred embodiment of the present invention and the technical principles employed. Those skilled in the art will understand that the present invention is not limited to the specific embodiments described herein, and various obvious changes, readjustments, and substitutions can be made without departing from the scope of protection of the present invention. Therefore, although the present invention has been described in detail through the above embodiments, the present invention is not limited to the above embodiments, and may include many other equivalent embodiments without departing from the concept of the present invention, the scope of which is determined by the scope of the appended claims.
Claims
1. A method for recursively managing folders in a Linux system, characterized in that, include: S101, Obtain the path information and security policies of all target folders with configured security policies; S102, Based on the obtained path information, extract and parse the parent-child hierarchical relationship between the paths of each level of folder to form hierarchical relationship information; S103, the hierarchical relationship information is sent down to the kernel layer for storage. The kernel layer automatically copies the security policy of the parent folder of the target folder and merges it with the security policy of the target folder according to the hierarchical relationship information and security policy, and copies the security policy of the target folder and merges it with the configured security policy of its subfolders to form a merged security policy. S104 distributes the integrated security policy to the corresponding target folder and assigns a corresponding independent multi-policy security identity to the target folder.
2. The method according to claim 1, characterized in that, The method further includes: The security policy implements access control based on the security identity in the file extended attributes. The copying and merging process of the security policy is automatically executed by the kernel and remains unknown to the security policy configuration personnel. The security policy configuration personnel only need to configure the security policy for the target folder.
3. The method according to claim 1, characterized in that, S101 further includes: Read the security policy database and extract the path information of the target folder for the issued security policies and the corresponding issued security policies.
4. The method according to claim 1, characterized in that, S102 includes: Based on the path information of the target folder, a complete path string comparison is performed on the path information to identify the prefix inclusion relationship in the path, extract the parent-child hierarchy relationship of the target folder, and form the hierarchy relationship information.
5. The method according to claim 4, characterized in that, The complete path string comparison includes: The path information of the target folder is compared with the path information of other folders with configured security policies. The parent path information contained in the path information prefix of the target folder is extracted, and the folder corresponding to the parent path information is determined as the parent folder of the target folder. The child path information contained in the path information prefix of other folders is extracted, and the folder corresponding to the child path information is determined as the child folder of the target folder.
6. The method according to claim 1, characterized in that, S103 includes: The hierarchical relationship information is serialized according to a preset data format and transmitted to the kernel layer through a system call interface; In the kernel-level security policy management module, a parent-child hierarchy lookup table is established to store the serialized hierarchy information. When issuing security policies to the target folder, the kernel layer queries the table according to the parent-child hierarchy relationship to obtain the security policies of the parent folder and child folder of the target folder that have been configured. Copy the security policy of the parent folder and merge it with the security policy of the target folder. Copy the security policy of the target folder and merge it with the security policies of its subfolders to form a merged security policy.
7. The method according to claim 1, characterized in that, S104 includes: Based on the converged security policy, the kernel layer assigns a new security identity to the target folder that includes the security policy of its parent folder, thus forming an independent multi-policy security identity for the target folder.
8. A Linux system folder recursive management device, used to implement the Linux system folder recursive management method as described in any one of claims 1-7, characterized in that, include: The file information acquisition module is used to obtain the path information and security policies of all target folders with configured security policies; The hierarchy parsing module is used to extract and parse the parent-child hierarchy relationships between folder paths at all levels based on the obtained path information, forming hierarchy relationship information; The security policy fusion module is used to send hierarchical relationship information down to the kernel layer and automatically copy and merge the security policy of the parent folder of the target folder with the security policy of the target folder, and copy and merge the security policy of the target folder with the security policies of its subfolders to form a fused security policy. The security policy distribution module is used to distribute the integrated security policies to the corresponding target folders and assign corresponding independent multi-policy security identities to the target folders.
9. An electronic device, characterized in that, The electronic device includes: One or more processors; Storage device for storing one or more programs. When the one or more programs are executed by the one or more processors, the one or more processors implement the Linux system folder recursive management method as described in any one of claims 1-7.
10. A storage medium containing computer-executable instructions, which, when executed by a computer processor, are used to perform the Linux system folder recursive management method as described in any one of claims 1-7.