CN110673849B - Method and device for presetting file security contexts in batches - Google Patents
- Publication number: CN110673849B
- Application number: CN201910747300.9A
- Authority
- CN
- China
- Prior art keywords
- file
- files
- directory
- security
- security context
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G06F 8/65 Updates (under G06F 8/60 Software deployment, G06F 8/00 Arrangements for software engineering)
- G06F 8/41 Compilation (under G06F 8/40 Transformation of program code)
- G06F 8/63 Image based installation; Cloning; Build to order (under G06F 8/61 Installation)
- Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention relates to a method and a device for presetting file security contexts in batches. The method comprises: traversing a top-level directory that contains all files and directories to be processed; looking up the system's policy file by file name to find the security context corresponding to each file to be processed; setting the corresponding security context on each file with a security context setting tool according to the lookup result; processing all files and directories in a loop; after the security contexts of all files have been set, packing the top-level directory into a compressed package, the security context of each file being packed together with the file because the security context is file metadata; and placing the compressed package into a software upgrade package. The method and device avoid setting the file system attribute and remounting the file system several times during system start-up, reduce the risk of intrusion of the system and improve the efficiency of setting security contexts.
Description
Technical Field
The invention relates to the field of communications, and in particular to a method and a device for presetting file security contexts in batches.
Background
In a system using SELinux everything is an object, and every file, port resource and process carries a security label, the security context. For a file, the security context is stored in the extended attribute field of the inode.
Currently, files are given a security context in the following way: during system start-up the kernel labels each file with the security context defined for it in the SELinux policy file. Labelling modifies the file's metadata and is therefore a write operation on the file. In embedded systems the file system is usually mounted read-only for security reasons, so the kernel cannot label files on a read-only file system. The file system therefore has to be mounted read-write temporarily during start-up, and the kernel remounts it read-only once the labelling task is finished. Making the file system writable during start-up increases the risk of intrusion of the system, and changing the file system attribute several times during start-up easily leads to start-up failure.
In addition, when software is upgraded on an embedded system, the files to be upgraded can be given their security contexts before the software upgrade package is generated; they are then packed into the compressed package and placed into the software upgrade package, so that the files in the package already carry their security contexts, and when the package is burnt onto the system and the compressed package is decompressed the files have their security contexts. However, the compressed package contains a very large number of files needed by the whole system, distributed across many subdirectories, so setting the security attribute of each file by hand takes a very long time.
Disclosure of Invention
The invention aims to provide a method and a device for presetting file security contexts in batches, which solve the problem that a read-only file system cannot label file security contexts without the file system attribute being changed and the file system remounted during start-up, avoid setting and remounting the file system attribute several times during start-up, reduce the risk of intrusion of the system and improve the efficiency of setting security contexts.
A method for presetting file security contexts in batches comprises: traversing a top-level directory that contains all files and directories to be processed; looking up the system's policy file by file name to find the security context corresponding to each file to be processed; setting the corresponding security context on each file with a security context setting tool according to the lookup result; processing all files and directories in a loop; after the security contexts of all files have been set, packing the top-level directory into a compressed package, the security context of each file being packed together with the file because the security context is file metadata; and placing the compressed package into a software upgrade package.
Further, while processing all files and directories in a loop, whenever a subdirectory is encountered it is entered and all files under it are processed, until the traversal of the whole top-level directory is complete.
Further, the method further comprises the step of burning the software upgrading package into equipment to upgrade the software.
Further, the device is an embedded device.
Further, the traversal of the top-level directory is performed during compilation of the software.
Further, the system is a SELinux system.
The invention also provides a device for presetting file security contexts in batches, comprising: a search module for traversing the top-level directory, looking up the system's policy file by the file name of each file to be processed in the top-level directory, and finding the security context corresponding to that file; a generation module for setting the corresponding security context on each file with the security context setting tool; and a packing module for packing the top-level directory into a compressed package and placing the compressed package into a software upgrade package.
Further, the device also comprises a storage module for storing the software upgrade package.
Compared with the prior art, the invention has the following beneficial effects:
1. it solves the problem that, during system start-up, a read-only file system can label file security contexts only by changing the file system attribute and remounting the file system;
2. it avoids setting the file system attribute and remounting several times during system start-up, so the risk of intrusion that comes with mounting the file system writable is not increased;
3. the security contexts of the files are preset automatically in batches, so the security context of each file no longer has to be looked up and set by hand, which improves the efficiency of setting security contexts;
4. the work of setting file security contexts is scripted and integrated into the software compilation and release process, which eases later migration to other Linux platforms.
Drawings
FIG. 1 is a general flow chart of the method of batch presetting file security contexts of the present invention.
FIG. 2 is a script flow diagram of the method of batch presetting file security contexts of the present invention.
FIG. 3 is a compilation flow chart of the method of batch presetting file security contexts of the present invention.
FIG. 4 is a block diagram of an apparatus for batch provisioning of file security contexts in accordance with the present invention.
Detailed Description
The following detailed description is provided for a better understanding of the above objects, aspects and advantages of embodiments of the present application. The detailed description sets forth various embodiments of the devices and/or methods via the use of block diagrams, flowcharts, etc., of the figures and/or examples. In these block diagrams, flowcharts, and/or examples, one or more functions and/or operations are included. Those skilled in the art will appreciate that: the various functions and/or operations within the block diagrams, flowcharts, or examples can be implemented solely or jointly by a wide variety of hardware, software, firmware, or any combination of hardware, software, and firmware.
As shown in fig. 1, in one embodiment, a method for presetting file security contexts in batches according to the present invention includes the following steps:
S11: traverse a top-level directory that contains all files and directories to be processed. The traversal of the top-level directory is preferably performed during compilation of the software.
S12: look up the system's policy file by file name and find the security context corresponding to the file to be processed. The system is a SELinux system.
S13: set the corresponding security context on each file with a security context setting tool according to the lookup result. The security context setting tool is prior art (for example chcon or setfiles from the SELinux userspace tools) and is not described here.
S14: process all files and directories in a loop. If a subdirectory is encountered while processing, enter it and process all files under it, until the traversal of the whole top-level directory is complete.
S15: after the security contexts of all files have been set, pack the top-level directory into a compressed package; since the security context is file metadata, the security context of each file is packed into the compressed package together with the file.
S16: place the compressed package into a software upgrade package.
S17: burn the software upgrade package onto a device to upgrade the software. The device may be a general-purpose computer, a special-purpose computer or an embedded device.
In a specific implementation, the method for presetting file security contexts in batches can be written as a Python script, and the security contexts are preset in batches by executing the script. Referring to fig. 2, the script flow for presetting file security contexts in batches comprises:
S21: enter the path of the top-level directory.
S22: traverse the top-level directory to obtain the path of the directory or file currently being processed. If the top-level directory contains a subdirectory, enter it and process all files under it, until the traversal of the whole top-level directory is complete.
S23: look up the security context of the current file in the security context definition file.
S24: set the security context on the current file.
S25: check whether unprocessed files or directories remain; if so, return to step S22, otherwise the script ends.
The script can be integrated into the software compilation and packaging process, which eases later migration to other Linux platforms. Referring to fig. 3, the compilation flow for presetting file security contexts in batches comprises:
S31: compile the software.
S32: look up the corresponding security context in the security context definition file for each compiled file.
S33: set the security context on the file according to the lookup result.
S34: generate the software upgrade package.
S35: burn the software upgrade package onto the embedded device to upgrade the software.
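The script flow S21 to S25 and the compilation flow S31 to S34 above, as an added example; it is not the patent's script and not code from the applicant. It assumes three things the patent leaves open: that the "policy file" is in the file_contexts format libselinux uses (a regex, an optional file-type flag and a context per line), that the "security context setting tool" writes the context into the security.selinux extended attribute as chcon and setfiles do, and that the "compressed package" is a pax tar whose SCHILY.xattr.security.selinux records carry the label (the convention GNU tar --xattrs uses). The sample policy SAMPLE_FILE_CONTEXTS and the directory tree built in demo() are constructed for this example; the contexts in them are not from any real device.

```python
import io
import os
import re
import stat
import tarfile
import tempfile

XATTR = "security.selinux"
# Constructed sample policy in file_contexts syntax (regex, optional file-type
# flag, context); not a real device policy.  General entries come first.
SAMPLE_FILE_CONTEXTS = r"""
/                      u:object_r:rootfs:s0
/system(/.*)?          u:object_r:system_file:s0
/system/bin/sh         u:object_r:shell_exec:s0
/system/etc(/.*)?  -d  u:object_r:system_etc_dir:s0
/data(/.*)?            u:object_r:system_data_file:s0
/data/app/.*\.apk  --  u:object_r:apk_data_file:s0
"""
# file-type flags of file_contexts(5), tested against an lstat() st_mode
_FTYPE = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK, "-c": stat.S_ISCHR,
          "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK, "-p": stat.S_ISFIFO}

def parse_file_contexts(text):
    """Return [(compiled regex, file-type flag or None, context or None)]."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        elif len(parts) == 3 and parts[1] in _FTYPE:
            regex, ftype, ctx = parts
        else:
            raise ValueError(f"file_contexts line {lineno}: {raw!r}")
        specs.append((re.compile(regex), ftype, None if ctx == "<<none>>" else ctx))
    return specs

def lookup(specs, device_path, mode):
    """Step S23: regexes match the whole path and the last matching entry
    wins, as libselinux applies file_contexts; None means leave unlabeled."""
    for regex, ftype, ctx in reversed(specs):
        if (ftype is None or _FTYPE[ftype](mode)) and regex.fullmatch(device_path):
            return ctx
    return None

def walk_entries(build_root):
    """Step S22: yield (host path, path on the device) for the root and every
    file, subdirectory and symlink below it, without following symlinks."""
    for dirpath, dirnames, filenames in os.walk(build_root):
        names = [""] + filenames + [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in names:
            full = os.path.join(dirpath, name) if name else dirpath
            rel = os.path.relpath(full, build_root).replace(os.sep, "/")
            yield full, "/" if rel == "." else "/" + rel

def label_tree(build_root, specs, apply=False):
    """Steps S21-S25: return {device path: context}; with apply=True also write
    the security.selinux xattr as chcon/setfiles do (Linux, root, xattr-capable fs)."""
    labels = {}
    for full, dev in walk_entries(build_root):
        ctx = lookup(specs, dev, os.lstat(full).st_mode)
        if ctx is not None:
            labels[dev] = ctx
            if apply:  # libselinux stores the context with its terminating NUL
                os.setxattr(full, XATTR, ctx.encode() + b"\0", follow_symlinks=False)
    return labels

def pack(build_root, labels, fileobj):
    """Step S15: pax tar carrying each context in the SCHILY.xattr.security.selinux
    record that GNU tar --xattrs reads and writes, so the label travels with the file."""
    def attach(tarinfo):
        ctx = labels.get("/" + tarinfo.name)
        if ctx is not None:
            tarinfo.pax_headers["SCHILY.xattr." + XATTR] = ctx + "\0"
        return tarinfo
    with tarfile.open(fileobj=fileobj, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for full, dev in walk_entries(build_root):
            if dev != "/":
                tar.add(full, arcname=dev[1:], recursive=False, filter=attach)

def read_back(fileobj):
    """Check: {device path: context stored in the archive} for every member."""
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        return {"/" + m.name: m.pax_headers.get("SCHILY.xattr." + XATTR) for m in tar.getmembers()}

def demo():
    """Label and pack a constructed tree in a temporary directory (no xattrs
    written); return (labels, contexts read back from the archive)."""
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    with tempfile.TemporaryDirectory() as root:
        for d in ("system/bin", "system/etc", "data/app"):
            os.makedirs(os.path.join(root, d))
        for f in ("system/bin/sh", "system/bin/ls", "system/etc/hosts", "data/app/base.apk"):
            open(os.path.join(root, f), "wb").close()
        os.symlink("sh", os.path.join(root, "system/bin/toybox"))
        labels = label_tree(root, specs)
        pack(root, labels, buf := io.BytesIO())
        buf.seek(0)
        return labels, read_back(buf)
```

label_tree() leaves the xattrs alone by default so the example runs on any host; with apply=True it must run as root on a filesystem that stores extended attributes. The file-type flag matters: in the sample, /system/etc as a directory gets system_etc_dir but /system/etc/hosts falls through to the general /system entry. What actually makes the contexts survive the "compressed package" is the archiver on both sides: the device must unpack with an xattr-aware tool (GNU tar -x --xattrs --xattrs-include=security.selinux), since zip and archivers without xattr support silently drop the records, and the result should be checked on the device with ls -Z or getfattr -n security.selinux. A label chosen on the build host is also not checked against the target's policy, so run restorecon -nv over the unpacked tree with the device's file_contexts to catch entries the device policy would assign differently.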
The invention also provides a device 100 for presetting file security contexts in batches, comprising: a search module 101 configured to traverse the top-level directory, look up the system's policy file by the file name of each file to be processed in the top-level directory, and find the security context corresponding to that file; a generation module 102 configured to set the corresponding security context on each file with a security context setting tool; a packing module 103 configured to pack the top-level directory into a compressed package and place the compressed package into a software upgrade package; and a storage module 104 configured to store the software upgrade package.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the embodiments of the present application without departing from the spirit and scope of the embodiments of the present application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to encompass such modifications and variations.
Claims (8)
1. A method for presetting file security contexts in batches, comprising:
traversing a top-level directory that contains all files and directories to be processed, obtaining the path of the directory or file currently being processed, and, if the top-level directory contains a subdirectory, entering the subdirectory and processing all files under it until the traversal of the whole top-level directory is complete;
looking up the system's policy file by file name to find the security context corresponding to the file to be processed;
setting the corresponding security context on each file with a security context setting tool according to the lookup result;
processing all files and directories in a loop;
after the security contexts of all files have been set, packing the top-level directory into a compressed package, the security context of each file being packed into the compressed package together with the file because the security context is file metadata;
and placing the compressed package into a software upgrade package.
2. The method for presetting file security contexts in batches according to claim 1, wherein, while processing all files and directories in a loop, whenever a subdirectory is encountered it is entered and all files under it are processed, until the traversal of the whole top-level directory is complete.
3. The method for presetting file security contexts in batches according to claim 1, further comprising burning the software upgrade package onto a device to upgrade the software.
4. The method for presetting file security contexts in batches according to claim 3, wherein the device is an embedded device.
5. The method for presetting file security contexts in batches according to claim 1, wherein the traversal of the top-level directory is performed during compilation of the software.
6. The method for presetting file security contexts in batches according to claim 1, wherein the system is a SELinux system.
7. A device for presetting file security contexts in batches, comprising:
a search module for traversing the top-level directory, looking up the system's policy file by the file name of each file to be processed in the top-level directory, and finding the security context corresponding to that file;
a generation module for setting the corresponding security context on each file with the security context setting tool;
and a packing module for packing the top-level directory into a compressed package and placing the compressed package into a software upgrade package.
8. The device for presetting file security contexts in batches according to claim 7, further comprising a storage module for storing the software upgrade package.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910747300.9A CN110673849B (en) | 2019-08-14 | 2019-08-14 | Method and device for presetting file security contexts in batches |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910747300.9A CN110673849B (en) | 2019-08-14 | 2019-08-14 | Method and device for presetting file security contexts in batches |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110673849A CN110673849A (en) | 2020-01-10 |
CN110673849B true CN110673849B (en) | 2023-04-21 |
Family
ID=69068570
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910747300.9A Active CN110673849B (en) | 2019-08-14 | 2019-08-14 | Method and device for presetting file security contexts in batches |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110673849B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116601985A (en) * | 2020-12-25 | 2023-08-15 | 华为技术有限公司 | Security context generation method, device and computer readable storage medium |
CN114760276B (en) * | 2022-06-13 | 2022-09-09 | 深圳市汇顶科技股份有限公司 | Method and device for downloading data and secure element |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7685183B2 (en) * | 2000-09-01 | 2010-03-23 | OP40, Inc | System and method for synchronizing assets on multi-tiered networks |
US8458765B2 (en) * | 2009-12-07 | 2013-06-04 | Samsung Electronics Co., Ltd. | Browser security standards via access control |
US9405896B2 (en) * | 2011-04-12 | 2016-08-02 | Salesforce.Com, Inc. | Inter-application management of user credential data |
US8966572B2 (en) * | 2011-09-30 | 2015-02-24 | Oracle International Corporation | Dynamic identity context propagation |
US9230128B2 (en) * | 2013-03-13 | 2016-01-05 | Protegrity Corporation | Assignment of security contexts to define access permissions for file system objects |
CN109690545B (en) * | 2016-06-24 | 2023-08-11 | 西门子股份公司 | Automatic distribution of PLC virtual patches and security context |
CN108062483B (en) * | 2016-11-09 | 2020-11-17 | 中国移动通信有限公司研究院 | Method, device and terminal for accessing system resources by application |
CN106453413B (en) * | 2016-11-29 | 2019-06-25 | 北京元心科技有限公司 | Method and device for applying SELinux security policy in multi-system |
- 2019-08-14: application CN201910747300.9A filed in CN (patent CN110673849B, status Active)
Also Published As
Publication number | Publication date |
---|---|
CN110673849A (en) | 2020-01-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||