[go: up one dir, main page]

CN120145434A - A method and device for fine-grained access control of container-oriented processes - Google Patents

A method and device for fine-grained access control of container-oriented processes Download PDF

Info

Publication number
CN120145434A
CN120145434A CN202510160357.4A CN202510160357A CN120145434A CN 120145434 A CN120145434 A CN 120145434A CN 202510160357 A CN202510160357 A CN 202510160357A CN 120145434 A CN120145434 A CN 120145434A
Authority
CN
China
Prior art keywords
target container
container
kernel
access control
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510160357.4A
Other languages
Chinese (zh)
Inventor
宋振宇
贾广琛
贾晓启
宋晨
郭璇
刘歌
张正
王勇攀
张伟娟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN202510160357.4A priority Critical patent/CN120145434A/en
Publication of CN120145434A publication Critical patent/CN120145434A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/448Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4482Procedural
    • G06F9/4484Executing subprograms
    • G06F9/4486Formation of subprogram jump address
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113Multi-level security, e.g. mandatory access control

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and a device for controlling fine-granularity access of a process oriented to a container. The invention hooks LSM kernel functions of a Linux system based on eBPF technology, adopts a parent process backtracking mode to distinguish whether the process intercepted by a eBPF program mounted to the LSM is an original process or a non-original process in a container, judges a process command name identifier in the process of the parent process backtracking recursively to divide the non-original process into a range which needs to be matched with an access control rule, and allows a user to set the non-original process expected in the container into a white list, thereby achieving the aim of not implementing the access control rule matching on the non-original process and the non-original process in the container, and realizing the rule matching of the non-original process and the non-original process only in the container. The invention further refines the granularity of the access control so as to achieve the effect that the original business process in the container is not influenced when the access control rule is implemented.

Description

Method and device for controlling fine granularity access of process oriented to container
Technical Field
The invention relates to the technical field of computer security, in particular to a method and a device for implementing a fine-grained access control rule for a container, and particularly provides a fine-grained access control rule implementation mechanism for a process in a containerized environment so as to ensure the security of the container environment.
Background
With the rapid development of cloud computing and containerization technologies, containers have become an essential technology for many enterprises in application deployment and management. The container is widely applied to various scenes by virtue of the excellent characteristics of lightweight, quick start and the like. However, the popularity of container technology also presents corresponding security challenges. Once an attacker successfully invades the container and gains control of the container, it is possible to perform malicious operations, such as reading sensitive files in the container, breaking through its isolation mechanism, executing a rebound shell, etc. Thus, ensuring secure access control of process behavior in a container environment has become an important security issue.
The container technology is a lightweight virtualization mode, and the core principle is that isolation and resource management of application programs are realized through kernel characteristics of an operating system. Unlike traditional virtualization techniques, such as virtual machines, containers do not rely on complete operating system virtualization, but rather utilize kernel functions of the operating system, such as namespaces (Namespace) and control groups (Cgroups), to create an isolated environment. Namespaces ensure isolation of processes, networks, file systems, etc. resources between containers such that each container appears to be running in a separate system. The control group is used to limit and monitor the resources used by the containers, such as CPU, memory, and I/O bandwidth, to ensure allocation of resources and prevent the individual containers from consuming excessive resources. The kernel of the host machine operating system is shared by the container, so that the overhead of running the complete operating system by the virtual machine is avoided, and compared with the virtual machine, the container is lighter, the starting speed is faster, and the host machine resources can be efficiently utilized.
Conventional access control schemes for containers have Capabilities, seccomp, etc., and these security measures lack some flexibility. Security policies for container access control are also AppArmor and eBPF, both of which are based on LSM (Linux Security Modules) of Linux, which can implement access control to processes within a container from the perspective of process behavior. LSM is a framework provided by Linux kernel for implementing various security policies, with the goal of expanding the security of Linux kernel through a unified interface. The design of LSM allows the security module to insert hook functions in the kernel that are called when system operations (e.g., file access, process creation, network operations, etc.) occur, thereby deciding whether to allow execution of an operation, the access control procedure of which is shown in fig. 1.
However, the access control rule implemented based on the LSM module is usually specific to all processes in the target container, if the access control rule is too strict, the original business process in the container is affected, and if the corresponding access control rule is not formulated and implemented, when an attacker successfully invades the container, the corresponding sensitive operation can be executed, so that the container faces a potential safety hazard, and a threat model of the potential safety hazard is shown in fig. 2. Therefore, when implementing access control rules on a target container, it is important to distinguish an original process (a service process started when the container is created) from a non-original process (e.g., a process attached by a dock command) in the container, so as to ensure that the original business process in the container is not affected by the access control.
EBPF (Extended Berkeley PACKET FILTER) is a powerful and flexible technique that can extend the kernel functionality in a secure manner without modifying the kernel code, avoiding complex operations such as adding kernel modules. Fig. 3 illustrates the implementation principle and architecture of eBPF programs, and eBPF programs are divided into two parts, user mode and kernel mode. The user-state program is mainly responsible for loading the eBPF byte codes after compiling into the kernel through the loader, and the eBPF program in the kernel state is executed when triggered by a specific event through being mounted on the kernel function. By mounting eBPF programs to specific kernel hooks or event points, a user can realize efficient and accurate operation aiming at specific scenes, and meanwhile, data interaction and transfer between a user mode and a kernel mode can be realized by taking Maps provided by eBPF technology as media of data exchange.
Taking the process of creating an nginx container and attaching to the container by a docker exec command as an example, the process model of the container is illustrated. When an nginx container is created, a main process of the container is created by containerd-shim-run processes, and each naming space is set to isolate the container process from a host, and meanwhile, a sub-process running the container service is generated by the main process. When attached to the container by a docker exec command, a flash process is newly created within the container, having the same types of namespaces as the original process within the container, and having the same parent process (containerd-shim-run process), the container process tree model of which is shown in fig. 4.
Disclosure of Invention
Aiming at the technical problems in the prior art, the invention aims to divide the processes in the container into the original processes and the non-original processes in the container, and distinguish the processes in the container environment by tracing back the parent processes, so that fine-granularity access control can be effectively performed on the processes in the container environment, and an access control scheme which does not influence the behaviors of the original processes in the container is realized.
The invention hooks the LSM kernel function of the Linux system based on eBPF technology, and distinguishes the original process and the non-original process in the container by tracing back the father process, thereby further refining the granularity of the access control, and achieving the effect that the original business process in the container is not affected when the access control rule is implemented. Based on a container process tree model, the invention adopts a parent process backtracking mode to distinguish whether the process intercepted by the eBPF program mounted to the LSM is an original process or a non-original process in the container, and simultaneously judges a process command name identifier (a command for executing the process) in the process of the parent process backtracking recursively to divide the non-expected original process (set by a user) into a range which needs to accept access control rule matching, and simultaneously allows the user to set the non-original process in the container to a white list, thereby achieving the aim of not implementing access control rule matching on the non-original process in the container and the non-expected original process, and realizing rule matching only on the non-original process in the container, wherein the access control model is shown in figure 5.
To achieve the above object, the present invention provides a method for fine-grained access control for a container, comprising the steps of:
Step one, when the container is created, a Namespace (NAMESPACES) is created for each container in view of the Linux system to isolate the container from the host. The invention uses the name space identification number (such as MNT NAMESPACE identification number) of the target container as the target container identification to realize the corresponding access control rule (for example, the target container is restricted not to execute a certain command or the target container is restricted not to access a certain file) configured for different target containers, namely, the default permission shown in fig. 6 and the access control rule refused if the matching is successful. The method comprises the steps of taking a process identifier of a parent process (corresponding containerd-shim process) of a target container main process as a boundary of a backtracking parent process in a subsequent step, taking an original main process of the target container generated by the parent process as a judging basis for judging whether a captured process is a container original process or not, wherein the original process comprises an original main process, the original main process is a No. 0 process in a container, child processes generated by the No. 0 process and child processes generated by the child processes are original processes, and additionally adding a process (expected non-original process) identifier which is added into the container by a container administrator after the container is started into a white list according to requirements so as to allow the process to be not influenced by access control rules.
Step two, the user transfers the above access control rule (for example, not allowing access to a certain file or not allowing execution of a certain command) and the corresponding process identification information in the parent process identification, the original main process identification and the white list of the target container from the user layer to the kernel layer through the Map provided by the eBPF program by using the user mode eBPF program, and realizes the corresponding kernel mode eBPF program, and mounts the corresponding kernel mode eBPF program on the corresponding LSM kernel hook function, so as to check the behavior of the process in the target container and implement access control according to the access control rule. The process of determining whether an acquisition process needs to perform an access control matching and an access control rule matching process starts in step three, where the process of determining whether to perform an access control rule matching corresponds to the flowchart shown in fig. 7.
Step three, when the process executes to the eBPF program which is realized by mounting the LSM kernel hook function, the eBPF program firstly judges whether the name space identifier of the captured process is the name space identifier of the target container in the access control rule. If not, it indicates that the currently intercepted process is not a process within the target container, allowing the triggering eBPF of the current behavior of the process, ending the current access control checking process. Otherwise, the currently captured process is the process in the target container, and the step four is continued.
Step four, eBPF program obtains the process control block structure of the current process, obtains the command name identification of the current process (i.e. the command information for executing the process) from the process control block, if the current command name identification is the unexpected command name identification preset in eBPF program (which can be set according to the actual requirement, for example, can be the flash process created after the attacker invades the container), marks the captured process as an abnormal process, otherwise, does not process. And continuing to step five.
Step five, eBPF program obtains the process control block of the parent process of the current process according to the process control block of the current process, and repeatedly executes step four, namely backtracking the parent process. And (3) ending the backtracking process until the parent process of the current process is the parent process (corresponding containerd-shim process) generating the target container in the step one, simultaneously acquiring the process identifier of the current process (the process at the last time in the backtracking process, namely the process when reaching the backtracking boundary) and the belonging group identifier (tgid), and continuing the step six.
Step six, the eBPF program checks whether the process identification number or the group identification (tgid) of the current process is the original master process of the target container in the step one, if yes, the process captured by the eBPF program is the original process in the container, continuously checks whether the process has an abnormal process mark in the backtracking process, if no abnormal process mark, the process behavior captured by the eBPF program is not influenced by the access control rule, the captured process behavior is allowed to finish the current access control check, and if the process behavior has the abnormal mark, the process is not the expected process generated by the original service in the container, so that the access control rule matching is needed to be carried out, namely, the step seven is continuously executed. If the current process identification number or the group identification is not the original master process of the container, the process is indicated to be a non-original process in the container, whether the process is in the process white list set in the step one is checked continuously, if so, the process is indicated to be an expected non-original process in the container, access control rule matching is not needed, current access control checking is ended, otherwise, the current process is indicated to be an unexpected non-original process, and therefore the access control rule matching is needed, namely, the step seven is executed continuously.
And step seven, matching the process behaviors needing to be matched with the access control rules according to the access control rules formulated in the step one, and rejecting the strategy of the current behavior to implement access control if the matching is successful, namely, stopping the current behavior of the process captured by the eBPF program in the step three and recording the corresponding log if the matching is successful.
The invention also provides a container-oriented process fine-granularity access control device which comprises an input module, a mapping module, a target container process judging module, an abnormal command name marking module, a backtracking father process module, a process classifying module and an access control rule processing module.
The input module corresponds to the first step, and determines a target container for implementing the access control rule and related information thereof according to input information of a user;
The mapping module corresponds to step two, and transfers the mapping module to the implemented kernel-mode eBPF program through a Map provided by the eBPF program.
And step three, the target container process judging module is corresponding to the step eBPF, and judges whether the currently captured process is a process in the target container according to the name space identification of the current process in the eBPF program.
And step four, the abnormal command name marking module is used for judging whether the current process command name is an unexpected command name mark preset in eBPF programs.
And step five, backtracking the parent process by the parent process module until the parent process backtracking the current process is the parent process generating the target container in the step one.
And step six, the process classification module classifies the process captured by eBPF initially according to the result after backtracking and whether the abnormal command name mark exists in the backtracking process.
And step seven, the access control rule processing module is corresponding to the step seven, rule matching is carried out on the behaviors of the process needing to carry out access control rule matching, and response is carried out according to the matching result.
A server comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the above method.
A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the above method.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention realizes the distinction between the original process and the non-original process of the process in the container by backtracking the father process and comparing with the mark of the main process of the container.
2. According to the invention, based on eBPF technology, the LSM kernel function is mounted, and after a scheme of backtracking a parent process is introduced, the access control granularity is thinned from the range of the naming space of the container to the granularity of the original process and the non-original process in the container. Meanwhile, by means of eBPF technology, flexible loading of changed access control rules can be achieved.
3. The invention can implement the access control rule on the container and simultaneously ensure that the original business process in the container is not influenced by the access control rule.
4. The invention can flexibly update the process range in the container aimed by the access control rule by adding the expected non-original process identifier into the process hundred-name list.
4. In the process of backtracking, the invention can flexibly bring unexpected original processes in the container into a range which needs to accept access control rule matching according to the abnormal process command name identification (such as a flash process created after an attacker invades the container) set by a user.
In summary, the invention provides a method and a device for fine-grained access control for a container, which hook an LSM kernel function of Linux based on eBPF technology, and distinguish whether a captured process is an original process in the container and an unexpected process in the original process by tracing back a parent process to the captured process before matching an access control rule, so that the access control granularity is thinned from the range of a naming space of the container to the granularity of the original process and a non-original process in the container, and further an access control scheme which does not affect the behavior of the original process in the container is realized.
Drawings
Fig. 1 is a diagram of an LSM-based access control process.
FIG. 2 is a diagram of a threat model corresponding to the current container access control granularity.
FIG. 3 is a eBPF block diagram.
FIG. 4 is an exemplary diagram of a container process tree model.
Fig. 5 is a diagram of an access control model structure.
Fig. 6 is an access control policy diagram.
Fig. 7 is a flowchart for determining whether to perform access control rule matching.
Detailed Description
The invention will now be described in further detail with reference to the accompanying drawings, which are given by way of illustration only and are not intended to limit the scope of the invention.
The embodiment discloses a method and a device for implementing a process fine-grained access control rule for a container. Taking an example of creating a target container and setting an unexpected original process and a non-original process in the container to not allow access to the secret file for the container, the implementation steps are as follows:
Step one, after a target container is created, setting an access control rule for the target container, wherein the access control rule does not allow access to a file named secret, taking a process identifier of a parent process (a corresponding containerd-shim process) for generating the target container as a boundary of a backtracking parent process in a subsequent step, and taking an original main process of the target container generated by the parent process as a judging basis for judging whether the captured process is a container original process.
And step two, the access control rule is transferred from the user layer to the kernel layer through a Map (Map) provided by eBPF programs, and a corresponding kernel mode eBPF program is realized, and is mounted on a corresponding LSM kernel hook function (the LSM function is LSM/file_open) for capturing the behavior of the process in the target container and implementing access control according to the access control rule.
After the above-described first and second steps are completed, the access control rule is validated, and this embodiment will be explained from three cases, respectively.
In case one, the original process within the container needs to access the secret file due to the business function. This behavior is captured by eBPF program, and in eBPF program, the namespace to which the captured process belongs is first determined to be the process of accessing the target container in the control rule, and thus the subsequent checking process is entered. Acquiring a process control block structure of the current process, acquiring a process control block of a parent process of the current process according to the process control block of the current process, performing backtracking of the parent process until the parent process of the current process is the parent process (corresponding containerd-shim process) generating the target container, and simultaneously acquiring a group identifier (tgid) to which the current process belongs, wherein at the moment, a process identifier number or a group identifier (tgid) of the current process is the container master process mentioned in the step one, namely, the process captured by the eBPF program is the original process in the container, and no abnormal process command name is detected in the backtracking process of the parent process. Thus, no access control rule matching process is required for the currently eBPF captured process, i.e., the act of directly allowing current access to the secret file.
In case two, an unexpected original process within the container accesses the secret file. This behavior is captured by eBPF program, and in eBPF program, the namespace to which the captured process belongs is first determined to be the process of the target container in the policy rules, thus entering the subsequent inspection process. Acquiring a process control block structure body of the current process, acquiring a process control block of a parent process of the current process according to the process control block of the current process, performing backtracking of the parent process until the parent process of the current process is the parent process (corresponding containerd-shim process) generating the target container, and simultaneously acquiring a group identifier (tgid) to which the current process belongs, wherein at the moment, a process identifier number or a group identifier (tgid) of the current process is the container master process mentioned in the step one, namely, the process captured by the eBPF program is the original process in the container. However, in the backtracking process, since the command name of a certain process is detected as an exception and marked for an exception, it is determined that an unexpected original process is required to perform an access control rule matching process, and if the matching rule hits, the behavior is rejected.
In case three, a non-original process within the container accesses the secret file. This behavior is captured by eBPF program, and in eBPF program, the namespace to which the captured process belongs is first determined to be the process of the target container in the policy rules, thus entering the subsequent inspection process. Acquiring a process control block structure body of the current process, acquiring a process control block of a parent process of the current process according to the process control block of the current process, performing backtracking of the parent process until the parent process of the current process is the parent process (corresponding containerd-shim process) generating the target container, and simultaneously acquiring a group identifier (tgid) to which the current process belongs, wherein at the moment, the process identifier number or the group identifier (tgid) of the current process is different from the container main process mentioned in the step one, and the captured process is the non-original process in the container. Since the process identification number is not added to the process whitelist, it is stated that an unexpected non-original process within the container requires an access control rule matching process, and if the matching rule hits, the action is rejected.
A server comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the above method.
A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the above method.
Although specific embodiments of the invention have been disclosed for illustrative purposes, it will be appreciated by those skilled in the art that various substitutions, changes and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will have the scope indicated by the scope of the appended claims.

Claims (9)

1. A method for container-oriented process fine-grained access control, comprising the steps of:
1) Configuring access control rules of the target container according to the application requirements and the security policy of the target container, taking a process needing to be added into the target container after the target container is started as an expected non-original process, and adding the mark of the process into a white list;
2) Mapping an access control rule of the target container, a father process identifier of a main process of the target container, an original main process identifier of the target container and a process identifier in the white list in a user layer to a kernel layer, realizing a corresponding kernel-mode eBPF program, and mounting the kernel-mode eBPF program to a corresponding LSM kernel hook function;
3) When the kernel-mode eBPF program captures a process, judging whether the process is the process of the target container, if not, allowing the current behavior of the process, otherwise, executing the step 4);
4) The kernel-mode eBPF program obtains the command name identification of the current process, if the command name identification of the current process is the unexpected command name identification preset in the kernel-mode eBPF program, the current process is marked as an abnormal process and the step 5) is executed;
5) The kernel eBPF program backtracks the parent process of the process as the current process, and step 4) is executed until the parent process of the current process is the parent process for generating the target container, and the backtracking process is ended and the process identification number of the current process and the belonging group identification tgid are acquired;
6) Checking whether the process identification number or the group identification tgid of the current process is the original master process of the target container by the kernel-state eBPF program, if so, checking whether the trace-back process has an abnormal process mark, if not, allowing the current behavior of the process captured by the kernel-state eBPF program in the step 3), otherwise, judging that the process captured by the kernel-state eBPF program in the step 3) is the original process in the target container but not the expected process generated by the original service in the target container, executing the step 7), if not, judging that the current process is the non-original process in the target container, detecting whether the current process is the process in the white list, if so, judging that the current process is the expected non-original process in the container, allowing the current behavior, otherwise, judging that the current process is the unexpected non-original process, executing the step 7);
7) And controlling the current behavior of the process captured by the kernel-mode eBPF program in the step 3) according to the access control rule.
2. The method of claim 1, wherein a namespace identification of the target container is used as a container identification of the access control rule.
3. The method of claim 2, wherein the process is determined not to be a process within the target container by determining whether a namespace identifier to which the process belongs is a namespace identifier of the target container, and if not, determining that the process is a process within the target container, otherwise determining that the process is a process within the target container.
4. A method according to claim 1, 2 or 3, wherein the kernel mode eBPF program obtains a process control block for a process, and obtains a command name identification for the process from the process control block.
5. A method according to claim 1, 2 or 3, wherein the current process is matched according to the access control rules, and if the matching is successful, the current behaviour of the process captured by the kernel-mode eBPF program in step 3) is prevented while the corresponding log is recorded.
6. A method according to claim 1, 2 or 3, characterized in that the access control rules of the target container, the parent process identity of the target container's main process, the original main process identity of the target container and the process identities in the whitelist in the user layer are mapped to the kernel layer by means of a mapping provided by the user mode eBPF program.
7. The device for fine-granularity access control of the process oriented to the container is characterized by comprising an input module, a mapping module, a target container process judging module, an abnormal command name marking module, a backtracking father process module, a process classifying module and an access control rule processing module;
The input configuration module configures the access control rule of the target container according to the application requirement and the security policy of the target container, takes the process needing to be added into the target container after the target container is started as the expected non-original process and adds the mark thereof into a white list;
the mapping module is configured to map an access control rule of the target container in a user layer, a parent process identifier of a main process of the target container, an original main process identifier of the target container, and a process identifier in the white list to a kernel layer, implement a corresponding kernel-mode eBPF program, and mount the kernel-mode eBPF program to a corresponding LSM kernel hook function;
the target container process judging module is used for judging whether the process is the process of the target container when the kernel-mode eBPF program captures the process, if not, allowing the current behavior of the process, otherwise, executing the abnormal command name marking module;
The abnormal command name marking module is used for acquiring a command name identifier of a current process by using the kernel-mode eBPF program, marking the current process as an abnormal process if the command name identifier of the current process is an unexpected command name identifier preset in the kernel-mode eBPF program, otherwise, executing a backtracking father process module without processing;
The backtracking parent process module is used for backtracking the parent process of the process as the current process, executing the abnormal command name marking module until the parent process of the current process is the parent process for generating the target container, ending the backtracking process and obtaining the process identification number of the current process and the group identification tgid to which the current process belongs;
The process classification module is used for checking whether the process identification number or the group identification tgid of the current process is the original master process of the target container, if so, checking whether the current process is an abnormal process mark in the backtracking process, if not, allowing the current behavior of the process captured by the kernel mode eBPF program, otherwise, judging that the process captured by the kernel mode eBPF program is the original process in the target container but is not an expected process generated by the original service in the target container, executing the access control rule processing module;
the access control rule processing module is configured to control, according to the access control rule, a current behavior of a process captured by the kernel-mode eBPF program.
8. A server comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, the computer program comprising instructions for performing the method of any of claims 1 to 6.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1 to 6.
CN202510160357.4A 2025-02-13 2025-02-13 A method and device for fine-grained access control of container-oriented processes Pending CN120145434A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510160357.4A CN120145434A (en) 2025-02-13 2025-02-13 A method and device for fine-grained access control of container-oriented processes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202510160357.4A CN120145434A (en) 2025-02-13 2025-02-13 A method and device for fine-grained access control of container-oriented processes

Publications (1)

Publication Number Publication Date
CN120145434A true CN120145434A (en) 2025-06-13

Family

ID=95960293

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510160357.4A Pending CN120145434A (en) 2025-02-13 2025-02-13 A method and device for fine-grained access control of container-oriented processes

Country Status (1)

Country Link
CN (1) CN120145434A (en)

Similar Documents

Publication Publication Date Title
CN109871691B (en) Permission-based process management method, system, device and readable storage medium
CN111324891B (en) System and method for container file integrity monitoring
US9239921B2 (en) System and methods of performing antivirus checking in a virtual environment using different antivirus checking techniques
CN114556348B (en) Method and apparatus for operating a computing device
CN113051034B (en) A container access control method and system based on kprobes
US11159393B1 (en) System and method of unifying and deploying a microservice-based application platform
CN109873804A (en) Behavior-based service identification method, apparatus, device, and readable storage medium
KR20200052957A (en) Security control method and computer system
CN113791865B (en) Container security processing method and device, storage medium and processor
CN113051038A (en) Data access method and device under cloud service multi-tenant environment
CN116204458A (en) Method and device for running process
US11734430B2 (en) Configuration of a memory controller for copy-on-write with a resource controller
US11714896B2 (en) Information processing apparatus, information processing method, and computer program
RU2649794C1 (en) System and method for log forming in virtual machine for anti-virus file checking
CN114661427B (en) Node management method and system for computing cluster for deploying containerized application service
US12450080B2 (en) Controlling container commands issued in a distributed computing environment
CN120145434A (en) A method and device for fine-grained access control of container-oriented processes
US9015797B1 (en) System and method of isolation of resources using resource manager
US10809924B2 (en) Executable memory protection
US20140380328A1 (en) Software management system and computer system
WO2022183912A1 (en) Mandatory access control mac method and related device
CN119442282B (en) Cluster detection method, device, equipment, medium and product
CN113127148B (en) Active dynamic measurement method and system for virtualized environment
CN120874040A (en) Method, device and equipment for confidential calculation
CN115062280A (en) Block chain based rights management method and related product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination