JPH07200317A - Operation right management device - Google Patents

Abstract

(57) [Summary] [Purpose] The purpose is to make the management of thread operation rights flexible. According to the present invention, there are means for executing a program by a plurality of threads that are executed in parallel, and a thread or a user who is an entity that performs this operation, or an entity that performs this operation. In an operation right management device including a means for storing operation right information for instructing whether to permit or not based on at least one of a memory area and a program, the operation right information is changed by a main body that makes this change. Becomes a thread or
Based on the memory area and / or program where the user or the entity making this change exists,
Means for storing change right information indicating whether or not to permit, and before executing the change of the operation right information, refer to the stored change right information to determine whether or not this change is permitted. And means for verifying.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an operation right management device for managing an operation right to a memory area or a thread in a computer system.

[0002]

2. Description of the Related Art In recent years, it has become common to use a plurality of small computers by connecting them to a network due to improvement in the performance of microprocessors, and it becomes possible for computers and users connected to each other to cooperate with each other.
It has become necessary to strictly manage the operation right.

Further, due to the progress of the object-oriented technology and the emergence of a new paradigm such as the server / client model, it has become impossible to obtain sufficient performance in the conventional operation right management for each storage device or file.

In order to solve such a problem, by using a technique such as a single virtual memory, a memory, a storage device such as a CD-ROM or a hard disk drive, and all computer resources such as a display and a keyboard have the same concept. Attempts have been made to design an operating system that is managed by. Among them, the technique of single virtual memory in which various resources are arranged in the same virtual space is characteristic. Further, a method has been proposed in which this single virtual memory is divided into several blocks and the operation right is managed in block units. This management unit is called a "memory area" and is used as a unit for managing the operation right of all storage devices.

On the other hand, with the establishment of the micro kernel technology, the operating system is generally managed by using a unit called a thread for managing the execution of a program. That is, a control unit called a process or thread is used as a control target of program execution. Each thread has its own register value, stack, etc. of the processor, executes the program only while the processor is allocated by the operating system, and the operating system after a certain period of time or when a hardware interrupt occurs. Deallocates a processor to a thread and allocates a processor to another thread. Since each thread has an independent register value, it can be regarded as a processor that operates virtually in parallel.

In such an operating system, a computer resource is configured in units of two concepts of a memory area and a thread, and information for managing operation right to the computer resource is also in the form of ACL (Access Control List). Management is performed in association with each thread.

For example, in the case of threads, when it is desired to operate the threads themselves, that is, to suspend or resume the execution of the threads, to forcibly delete the threads, or information on the threads. The operating system is provided with a thread operation instruction group in order to examine (internal state of register value, stack, etc.), and one thread can operate another thread. Such a thread operation instruction group can be used by instructing the operating system as a system call from a user program.

If any thread can issue a thread operation instruction when there is such a thread operation instruction, an illegal operation can be performed, so a protection function is required. For example, it is necessary to allow a thread to be forcibly killed only by a thread with a specific privilege.

Furthermore, there are a plurality of virtual spaces, one program and one data are arranged in each virtual space, and the threads are moved only within that space.
(Reference: "Distributed Operating Systems" edited by Mamoru Maekawa et al., Kyoritsu Shuppan)
In the case of the system, the protection of threads existing in the same space is made the same, and the protection of threads depends on the protection of memory space.

However, the threads cannot be protected separately. When all programs are placed in one address space and there are multiple threads, as in a single virtual space system, thread protection requires not only memory protection but also permission setting by the operating system. become.

One solution to this problem is to determine the owner of a thread and allow the threads to operate between threads of the same owner, and the signal of the Unix operating system corresponds to this. However, this lacks the flexibility of protection between threads of the same owner, and further, cannot pass the operation privilege to threads of other owners.
In addition, there is a lack of a thread protection function that enables flexible thread operation, such as enabling or disabling thread operations from threads owned by multiple owners.

On the other hand, various information such as information addition right, deletion right, ACL change right, etc. are added to the ACL for the file or directory so that various operation rights can be set for the data file. DCE (Reference: OSF DCE technical explanation,
Although there is an attempt by the Soft Research Center), a flexible protection function that allows a plurality of owners to manage the ACL of the memory area is also lacking.

[0013]

Based on the above, the main problems of the conventional operation right management device are summarized as follows.

(1) Conventionally, there has been attempted a method of instructing whether or not a thread operation is permitted based on the subject who performs this operation, the memory area in which the subject who performs this operation exists, and the like. However, with respect to the right to change the operation right information for a thread, for example, the owner of the thread is allowed, or only a special user called a root is allowed to perform a simple management.

(2) Further, conventionally, whether or not to permit is based on the entity that operates the memory area such as the real memory, virtual memory, and data file, and the memory area where the entity that performs this operation exists. The method of directing is being tried. However, with regard to the right to change this operation right information for a memory area, for example, the owner of the memory area is allowed, or only a special user called the root is allowed to perform a simple management. .

(3) Furthermore, if the operation right to the thread and the memory is flexibly described and the change right is also flexibly described, the flexible description becomes possible, but for the protection of the thread and the memory. However, there is a problem that it has a drawback that the amount of data is large and its management becomes complicated.

As described above, in the conventional operation right management device,
You can not set the operation authority in the memory area unit,
It was inflexible in the setting of operation authority, or there was no protection between threads sharing the same virtual address space, or there was a strong restriction.

The present invention has been made in consideration of the above problems, and it is not only for threads in different virtual spaces but also for thread operation instructions or individual memories between threads sharing the same virtual address space. It is an object of the present invention to provide an operation right management device that is flexible in the same way and sufficiently protects an area.

[0019]

In order to achieve the above object, the present invention (Claim 1) includes means for executing a program by a plurality of threads executed in parallel, and operation for each thread. An operation including a thread or a user who is a main body for performing an operation, or a means for storing operation right information for instructing whether or not to permit based on at least one of a memory area and a program in which the main body performing the operation exists. In the right management device, whether or not to permit the change of the operation right information based on at least one of a thread as a main body of the change, a memory area in which the user or the main body of the change exists, or a program. Means for storing change right information indicating the stored change right information before executing the change of the operation right information. Irradiation to, characterized by comprising a means for verifying whether the change is allowed.

According to the present invention (claim 2), a means for managing the real memory or the virtual memory as a set of a plurality of memory areas, and an operation for each memory area, a thread or a user who is a main body of the operation, Alternatively, in the operation right management device provided with a means for storing operation right information for instructing whether to permit or not based on at least one of a memory area or a program in which an entity performing this operation exists, A means for storing change right information indicating whether or not to permit a change based on at least one of a thread which is a main body of the change, a user or a memory area where the main body of the change exists, or a program. Before the change of the operation right information is performed, the change is permitted by referring to the stored change right information. Characterized by comprising a means for verifying whether or not.

Preferably, the above invention (Claim 1)
In (1), when the thread is created, a predetermined default change right information is set.

Preferably, the above invention (claim 2).
In the above, when the memory area is created, a predetermined default change right information is set.

Further, in each of the above operation right management devices,
The change of the information of the means for storing the change right information may be prohibited so that the information of the means for storing the operation right information cannot be changed.

The present invention (Claim 3) is characterized in that, in the above-mentioned invention (Claim 1 or 2), the change right information is stored in association with the operation right information.

Further, in each of the above operation right management devices,
The operation right management authority storing means for storing a plurality of conditions capable of changing the information of the means for storing the operation right information, and the operation right managing means for storing the change right information when the information of the means for storing the change right information is to be changed. Means for verifying whether or not there is an authority to make this change based on the information in the operation right management authority storage means, and means for permitting the change when it is verified that this authority is provided may be further provided. Further, in this case, the change of the information of the operation right change right management authority storage means may be prohibited so that the information of the means for storing the change right information cannot be changed.

[0026]

According to the present invention (Claim 1), not only the management of the operation right to the thread, but also the change right which is the management right of the operation right can be flexibly expressed and managed by combining various conditions. You will be able to.

With this mechanism, regarding the operation right of a thread, only a specific thread can change the operation right,
Also, it is possible to express by combining a plurality of these conditions.

In particular, when creating a computer collaborative work application called a groupware, which has been widely used in recent years, thread sharing, exclusive control,
It is necessary to easily describe detailed control such as protection from other programs, but this description can be flexibly performed by using the present invention.

Further, it is possible to prevent the operation right to the thread from being abnormally rewritten due to an error in the program, an illegal call to the system call, or the like. The reliability of thread operation is dramatically improved.

Further, according to the present invention (Claim 2), not only the management of the operation right to the memory area but also the change right which is the authority of the management of the operation right can be flexibly set by combining various conditions. You will be able to express and manage.

Using this mechanism, with respect to the operation right to the memory area, the change can be strengthened only to a specific thread, only the thread existing in the specific memory area can be allowed to change, and a plurality of them can be changed. Conditions can be combined and expressed.

Particularly, in an operating system called a single virtual memory, which has been attempted to be used in recent years, in which a plurality of applications operate in the same virtual space, memory area sharing, exclusive control, and other programs are used. It is necessary to describe detailed control such as protection of the above, but this description can be flexibly performed by using the present invention.

Further, since it is possible to prevent the operation right to the memory area from being abnormally rewritten due to an error in the program, an illegal call of the system call, etc., the data written in the memory area can be prevented. Is not accidentally rewritten, and the reliability of the data written in the memory area is dramatically improved while the memory area is shared.

Further, according to the present invention (Claim 3), the operation right information for the thread and the memory and the change right information for changing the operation right information generally have a lot in common and the data structures are similar. Often becomes a thing. In the present invention, since the change right information is stored in association with the operation right information, common data is managed as one as much as possible, so that the data amount can be reduced and the change right and the operation right can be verified. The procedure for doing this is also standardized.

The management of the operation right and the change right for the threads and the memory can be improved in execution performance by using hardware generally called a memory management unit. In such a case, providing different hardware for the operation right and the change right may complicate the configuration of the computer. But,
According to the present invention, necessary hardware can be simplified by managing the operation right and the change right in the same manner.

[0036]

Embodiments of the present invention will be described below with reference to the drawings.

The operation right management device according to the present invention is a part of the constituent elements of an operating system (OS) that controls the execution of the entire computer system. O
The S manages a memory, a processor, and a peripheral device which are computer resources, and controls the execution of a program called a user program for performing practical processing instructed by the user. A plurality of user programs are loaded on one device, and the OS also controls these programs.

The user program secures resources such as a physical memory necessary for execution, inputs / outputs data to / from a peripheral device, transfers data to another user program, requests processing, OS to control execution
It is necessary to give instructions to. This OS is instructed by a special means called a system call.
In the present embodiment, control of a user program that takes into account the operation right among system calls will be described.

The operation right includes thread management and memory area management. Since the management of these memory areas and the management of threads are often the same, avoid duplicative description of the same mechanism, and mainly using the operation right management for threads as an example, the same terms will be used for the same parts. Will be explained.

In this embodiment, the "operation" of the memory means access (read / write execution).

First, the features of this embodiment will be briefly described. In this embodiment, for each memory area or thread, a list in which information on what condition the operation is permitted is registered is provided, and the operation is permitted only when the list permits the operation. , The authority to change the information itself is managed in the same format, similar format or common format as the list. Also, a mechanism that allows this change only under specific conditions is added. Further, the change of authority for making this change is managed in the same format, a similar format, or a common format.

As a result, the present embodiment protects the memory area and threads from illegal operation instructions and program errors,
Further, in order to facilitate detection of a program error by detecting such an erroneous operation instruction, the right itself to change the information indicating whether the operation is permitted or not provided for each memory area or thread is also the memory area or thread. Since it has, the management of not only the operation right but also the authority of the operation right management can be managed in the same format, a similar format, or a common format, and can be flexibly performed to delete, add, or change. It is possible to achieve the above-mentioned effect.

Since the operation right management authority has a plurality of operations in the same format as a normal access control list by a mechanism completely different from the owner of the memory area and the thread, a plurality of operation right management rights are provided. Flexible management of operation rights is possible, such as sharing with other threads, and transfer of management rights of the memory area and thread created by itself to other threads.

(First Embodiment) A first embodiment of the present invention will be described below.

FIG. 1 is an overall configuration diagram of this embodiment. In the program storage unit 1, a user program in which instructions to be processed by a computer are written, data to be processed, data such as a stack for temporarily storing results during processing by the computer, and the like are stored in a memory space. . The memory space is
It is managed by being divided into a plurality of areas (memory areas), and each area is provided with an identifier for distinguishing each other, and programs, data, and stacks are arranged in each memory area.

Further, the processor 2 which is an execution subject for interpreting and executing the program stored in the program storage unit 1 and processing data, the thread management unit 3 for managing the state in the processor, and switching of the execution state of the processor There is an execution state switching unit 4 that performs processing.

In the processor 2, the registers temporarily used during the execution of the instruction, the program counter (PC) for indicating the position of the currently executed instruction in the program storage unit, the top position of the stack data There is a stack pointer (SP) or the like that indicates that, and by exchanging a series of these data, it is possible to perform processing of a plurality of different user programs in parallel in a time-sharing manner.

A thread refers to a series of data used in the above processor. A plurality of sets of this data are prepared, and the threads are switched and set in the processor to be actually executed, thereby enabling time division processing. Become.

The memory area ID storage unit 5 stores in which memory area of the program storage unit 1 the program currently being executed exists as an ID of the memory area. This uses the value of the PC in the processor 2 to find and store the memory area ID currently being executed. This memory area ID can also be regarded as the program ID currently being executed.

The thread management unit 3 has a table called a thread management table, in which information on registers set in the processor 2 and other information is managed for each thread. Threads are provided with an identifier (thread ID) to distinguish them from each other.

The execution state switching unit 4 suspends the thread (for example, thread ID = 1) currently being executed on the processor 2, and changes the state of the thread (thread ID = 1) to a predetermined position (thread It is saved in the storage area of ID = 1) and another thread (for example, thread ID =
In order to activate 2), the information of the thread (thread ID = 2) in the thread management table is reset in the processor 2, and the execution of the thread (thread ID = 2) is restarted. The execution state switching unit 4 further includes a thread scheduling mechanism (not shown) that determines which thread is set and saved, and a timer unit (not shown) that instructs when to schedule.

The thread ID storage unit 6 is for storing the thread ID.

The operation right list storage unit 7 holds a table relating to thread protection and stores the authority to execute an operation for each thread, and is used by the operation authority determination unit 12. Although the present embodiment has been described by taking the operation right management of threads as an example, in the case of the operation right management of the memory area, the operation right list storage unit 7 holds a table relating to the protection of the memory area, and for each thread. It stores what is the authority to execute an operation on the memory area. Similarly, the description of the same parts of the thread-related mechanism and the memory area-related mechanism will be omitted, and only the thread-related mechanism will be described as a representative.

As an example in which a thread executing a user program as a system call attempts to control another thread, Thread Get How to issue the Status system call is explained.

This system call notifies the state of the thread designated by the thread ID, that is, the information about the registers of the thread to the user program that called the system call. Now, thread 1 (thread ID = 1) is assigned to program A (memory area I
D = A is being executed, and thread 2 (thread ID =
Suppose that you tried to obtain the information in 2) with this system call. In the program A written in C language, it is written as follows. err = Thread Get Status (2, & Thread Status); where the function Thread Get Status is a system call that obtains thread information, the first argument 2 indicates that thread 2 (thread ID = 2) information is obtained, and the second argument & Thread Status indicates the start position of the memory area for storing the information of the thread 2 obtained as a result of the system call. In addition, whether the execution of this system call succeeded is variable as the return value of this function.
Enter err.

When the thread 1 of the program A executes this function, the execution mode of the thread 1 transits from the user level to the privilege level by a system call and calls the OS. The privilege level is a dedicated level for processing by the OS.

In the called OS, the processing moves to the system call accepting unit 8 in the OS. Here, the original user program that called this system call is interrupted, the type of the requested system call and the specified argument are received, and the information is respectively received by the argument detection unit 9 and the type determination unit of the system call. Send to 10.

In this example, the instructed system call is
Thread Get Since it is Status, in the system call type determination unit 10, next, Thread Get Status processing unit 11
Call.

The processing there is performed using the operation right list storage unit 7 shown in FIG. In this example, the operation right list storage unit 7 stores an operation right list for threads. The storage unit holds a table as shown in FIG. In the table, the operation thread ID,
The target thread ID, the memory area ID in which the operation thread exists, the thread operation authority, and the thread operation authority change authority areas are provided.

As a similar area, it is possible to specify the memory area ID in which the target thread exists,
In this example, a case without such an area will be described as an example.

The operation right list storage section for the memory area is similar, but the contents of the table are slightly different. Details of this will be described in the second embodiment.

The operation thread ID is the thread ID of the thread that is about to execute the thread operation system call, and the target thread ID is the thread ID of the operation target specified by the argument of this system call.
Further, the memory area ID in which the operation thread exists is the memory area ID in which the program including the system call to be executed exists, and the thread operation authority indicates what kind of thread operation is possible. With, it is possible to independently specify three authorities: authority to read the internal state of the thread, authority to change the internal state of the thread, and authority to stop / resume execution of the thread.
The thread operation authority change authority is the authority to change the information in the field in which the thread operation authority is entered.When this authority is specified, the information in the thread operation authority field written in that column is Not only can it be changed, but all thread operation authority field information relating to the target thread ID written in that column can be changed.

For example, in the example shown in the figure, in the system call issued by thread 1 (thread ID = 1), thread 2
Although it is possible to refer to and change the internal state of (thread ID = 2), it is indicated that the execution / stopping of the execution of the thread 2 and the operation authority of the thread 2 cannot be changed. Also, the thread 1 can stop / resume execution of the thread 3 (thread ID = 3), but cannot perform other operations. Further, it is shown that the thread 1 cannot perform any operation on the threads other than the threads 2 and 3. Also, thread 100 (thread ID = 10
0) indicates that the internal state of the thread 2 can be read and the operation authority can be changed.

In the example when the thread 1 is the target thread,
The information "all" is held in the memory area ID portion where the operation thread exists in the table.
This system call is the same regardless of which user program is executed, indicating that the execution authority depends only on the thread ID that executes the system call.

When the memory area ID column is not all, the operation authority when the system call is executed from the program existing in the memory area of the ID is defined. For example, the thread 3 is the program A (memory area ID
= A) is being executed, all operations can be performed on the thread 1, but otherwise, the operations are not possible.
That is, thread 3 is program B (memory area ID =
During the execution of B), it is impossible to operate even if a similar system call is executed for thread 1, and it is operated even if thread 5 (thread ID = 5) executes the same system call for thread 1 in program A. Can not. That is, thread operations not listed in this table cannot be performed at all.

In the example of FIG. 2, there is only one thread operation authority change authority field, but the operation authority change authority may be specified separately for each of the three authorities.

The thread operation authority may be other than the three authorities mentioned in the previous example. For example, the user ID of the operating user, the effective period start time for time-limiting the corresponding field, the effective time end time, and the like can be considered. Even in that case, the right to change those authorities can be set.

Further, in this embodiment, the thread operation authority and the thread operation authority change authority are expressed in the same table by sharing the operation thread ID, the target thread ID, and the memory area ID in which the operation thread exists. However, the thread operation authority and the thread operation authority change authority are described in separate tables, and the operation thread I
The D, the target thread ID, and the memory area ID in which the operation thread exists may be designated.

Next, Thread Get The flow of processing of the Status processing unit 11 is shown in FIG.

First, in step S1, the operation thread ID and the memory area ID that have executed this system call are assigned to the thread ID storage section 6 and the memory area ID storage section 5, respectively.
Get information from. As described above, the thread ID currently being executed is set by the execution state switching unit 4, and the memory area ID currently being executed is set from the information of the PC inside the processor. Furthermore, the target thread ID detection unit 13 obtains the target thread ID from the first argument of the system call. From the second argument, the thread information storage position detector 14 detects the memory position of the user program that stores the execution result of this system call.

In step S2, the table of the operation right storage unit 71 is drawn based on the above three pieces of information, the corresponding entry is searched, and the thread operation right is checked. If found, the process proceeds to step S3, and if not found, the process proceeds to the error processing unit 15 which performs step S8.

In the search, the comparison is performed in order from the top of the table, and the information of the first matching entry is used in the subsequent steps. The all part of the table field is
Means match everything. If the last entry in the table is compared and no match is found, the search fails.

In step S3, of the portion representing the thread operation authority of the found entry, the information of the portion corresponding to the thread internal state reading authority is read to determine whether it is permitted. This determination is performed by the operation authority determination unit 12. If the determination is permitted, the process proceeds to step S4, and if the determination is not permitted, the process proceeds to the error processing of step S8.

In the next step S4, the reference operation of the thread management table for reading the internal state of the permitted thread is executed for the target thread. This processing is performed by the thread state reference execution unit 16. Here, the thread information, which is the internal state of the thread, is stored in the memory designated by the thread information storage position detection unit 14.

In step S5, the processing result in step S4 is determined. If the processing is successful, in step S6,
A code indicating success is transmitted to the system call termination unit 17. If it fails, a code indicating the failure is transmitted to the system call termination unit 17 in step S7.

In step S8, the error code is transmitted to the system call termination section 17.

Thread Get When the processing in the Status processing unit 11 is completed, the process finally proceeds to the system call ending unit 17. The return value returned to the user program that executed this system call is returned as the return value of the system call, and the return processing is performed so that the interrupted caller user program can be executed. Perform processing to return from the level to the user level.

Next, a system system call for changing the thread operation authority written in the operation authority storage unit 71 will be described.

Thread Add Acl (specified operation thread I
D, designated thread ID, designated memory area ID, designated operation authority to be added) newly adds the thread operation authority described above.

Now, thread 100 (thread ID = 1
It is assumed that 00) tries to give the thread 1 (thread ID = 1) the right to stop / resume execution of the thread 2 (thread ID = 2). In the program C written in the C language, it is written as follows.

Err = Thread Add Acl (1, 2, all, THR
EAD SUSPEND); where the function Thread Add Acl is
This is a system call for adding an operation right to a thread, and the first argument 1 is that the specified operation thread number (target thread ID) is 1, that is, the authority is given to the thread ID = 1. Is instructing. The second argument of 2 indicates that the designated target thread number (designated target thread ID) is 2, that is, the authority to operate the thread ID = 2. The third argument all indicates that the memory area ID (specified memory area ID) in which the specified operation thread exists is all, that is, the authority given by the memory area ID in which the operation thread exists is not restricted. Instructing. THREAD of the 4th argument SUSPEND indicates the operation authority (specified operation authority) to be added to these three specified combinations. In this example, it means that the authority to stop / resume the execution of the thread is added. Multiple types of authority can be specified at the same time as the fourth argument.

This function is called by the thread 100 of the program C.
Is executed, the thread 100 changes the execution mode of the processor from the user level to the privilege level by a system call, and calls the OS. The privilege level is a dedicated level for processing by the OS.

In the called OS, the processing moves to the system call accepting unit 8 in the OS. Here, the original user program that called this system call is interrupted, the type of the requested system call and the designated argument are received, and the information is respectively received by the argument detection unit 9 and the system call type determination unit 10. Send to.

In this example, the instructed system call is
Thread Add Since it is an Acl, the type of system call
Part 10, Thread Add Call the Acl processing unit 21.
Thread Add The Acl processing unit 21 is Thread in FIG.
Get The status processing part 11 is replaced as shown in FIG.
Is. In addition, Thread Add Acl processor 21 and Thread
Get The Status processing unit 11 is originally an integrated block diagram.
Although it should be shown, it is a convenience of explanation because the figure becomes complicated.
For convenience, it is provided as a separate view of FIGS.

The processing there is performed using the thread operation right list storage unit 7 shown in FIG. The content and meaning are as described above.

Next, FIG. 5 shows Thread. Add Acl processing unit 2
1 shows the flow of processing 1.

First, in step S11, the execution thread ID and memory area ID that executed this system call are obtained from the thread ID storage section 6 and the memory area ID storage section 5, respectively. Further, from the second argument of the system call, the designated thread ID detection unit 23 obtains the ID of the thread for which the thread operation authority is changed by this system call.

Next, in step S12, the table of the thread operation right list storage unit 7 is pulled based on the above three pieces of information, and the corresponding entry is searched. If found,
If it does not proceed to step S13, the process proceeds to the error processing unit 15 which carries out step S19. In the search, the comparison is performed in order from the top of the table, and the information of the first matching entry is used in the subsequent steps. Table field a
The ll part means match everything. if,
The last entry in the table is compared, and if there is no match, the search fails.

In step S13, the information of the portion corresponding to the thread operation right changing authority of the found entry is read out and it is determined whether or not it is permitted. This determination is performed by the operation right change right determination unit 26. If the judgment permits, step S
If it is not permitted, the process proceeds to step S19 for error processing.

In step S14, the target thread ID designated by the designated thread ID detector 23 is obtained from the first argument of the system call. Also, the memory area ID in which the operation thread specified by the specified memory area ID detection unit 24 exists is obtained from the third argument of the system call. Further, the operation authority to be added specified by the specified operation authority detecting unit 25 is obtained from the fourth argument of the system call.

In step S15, the operation right list changing unit 27 operates the operation right list storage unit 7 based on the target thread ID, the specified target thread ID, the specified memory area ID, and the specified operation authority obtained in steps S11 and S14.
Rewrite. That is, first, the table of the operation right list storage unit 7 is sequentially searched, and if there is a column in which all three of the target thread ID, the designated target thread ID, and the designated memory area ID match, the field of the thread manipulation authority of that column is rewritten. If not, a column showing the three designated IDs is newly added to the table of the operation right list storage unit 7.
In this example, the column that matches the three specified IDs is found first, so the thread execution stop / resume authority in the thread operation authority field in that column is changed from x to o.

In step S16, the processing result in step S15 is determined. If the processing is successful, step S17
Then, a code indicating success is transmitted to the system call termination unit 17. If it fails, a code indicating the failure is transmitted to the system call termination unit 17 in step S18. Step S
At 19, the error code is transmitted to the system call termination section 17.

Thread Add When the processing in the Acl execution unit 21 is completed, the process finally proceeds to the system call end unit 17. The return value returned to the user program that executed this system call is returned as the return value of the system call, and the return processing is performed so that the interrupted caller user program can be executed. Perform processing to return from the level to the user level.

Thread as in this example Add As a result of the successful execution of the Acl system call, the data in the operation right list storage unit 7 shown in FIG. 2 is changed as shown in FIG.

In this example, the operation right list changing unit 27 only needs to rewrite the corresponding fields that need to be rewritten. Add I was able to execute the request from the Acl system call, but Thread Add Depending on the contents of the argument given to the Acl system call, it cannot be expressed simply by rewriting the corresponding field, and the data in the operation right list storage unit 7 must be increased.

For example, when the data in the operation right list storage unit 7 is as shown in FIG. Add
Acl (3, 2, A, THREAD SUSPEND * THREAD GET STATU
Consider the case of executing S).

Here, the first argument 3 indicates that the designated operation thread number (target thread ID) is 3, that is, the authority is given to the thread ID = 3, and the second argument 3 2 indicates that the designated target thread number (designated target thread ID) is 2, that is, the authority to operate the thread ID = 2, and the third argument A is the designated memory area ID. Is A, that is, the authority changed by the execution of this system call indicates that it is valid only while the program A (memory area ID = A) is being executed.
THREAD SUSPEND adds the permission to suspend / resume the execution of threads to these three specified combinations, and THREAD GET STATUS indicates that the thread internal status read authority is added.

When this system call is issued, the operation right list changing unit 27 sequentially searches the tables of the operation right list storage unit 7, and all three of the target thread ID, the specified target thread ID, and the specified memory area ID are found. Find the matching column, but in this case there is no such column, so
This system call cannot be executed only by rewriting a part of the fields of the table of the operation right list storage unit 7. A column indicating the three designated IDs is newly added to the table of the operation right list storage unit 7. When the execution of this system call is completed by performing such a procedure, the data in the operation right list storage unit 7 shown in FIG. 2 is changed as shown in FIG. Is one longer.

In the above description, there is no description about where to specify the operation right changing authority first. Generally, this can be realized by giving this authority to some privileged threads at the time of booting the OS and then increasing the authority hierarchically.

However, since it is necessary to specify the right to change the operation right when creating a thread, it may increase the effort of programming. Therefore, at the time of creating the memory area or the thread, the right to change the operation right specified in advance is changed. The right may be set. There are various possible defaults, but in the simplest case, it is conceivable to give the operation right change right to the memory area or the thread that started the thread. This method uses the concept of the owner in the conventional OS as a default, and the operation right management device of the present invention realizes more flexible operation right management by the method described in the present embodiment.

In the previous example, Thread Add Acl No
There is no restriction on the specified operation authority that can be specified in 4 arguments.
Since it was described as a new item, THREAD is set as the fourth argument. CHANGE
ACL can be specified. That is, thread manipulation
You can also change the authority to change the copyright. Also, the above theory
Thread revealed Add Like Acl, Thread Del Acl
System call, for example Thread Del Acl (3,1, A, THREAD CHANGE ACL), is the thread a memory area with memory area ID = A?
The thread operation authority of the thread with thread ID = 1
It means removing. In this case forever
A thread that cannot change the operation authority change authority.
It is possible that such changes will be made.
The operating system
The operation right when changing the information in the operation right change right storage unit.
It becomes impossible to change the information in the copyright memory
The change may be prohibited. For example, the Thread I mentioned earlier Del Acl (3,1, A, THREAD CHANGE ACL) is executed, it will no longer match the thread with thread ID = 1.
And the thread that can change the thread operation authority
No more. Such a system call is executed
Then, the operation right list changing unit 27 detects an error.
Then, the code indicating the failure is added to the system call end part.
17 and do not change the data in the operation right list storage section.
Yes.

Further, the right to change the operation right change right is treated as a separate one, and a field for the operation right change right management authority (operation right change right management authority storage section) is prepared in the operation right list storage unit 7, Reliable operation right management may be performed.

Furthermore, it is possible to prohibit the change of the information in the operation right change right management authority storage unit so that the information in the operation right change right storage unit cannot be changed.

The "thread ID" is set to "user I".
It is also possible to replace it with "D". In this case, the thread ID storage unit 6 in FIG.
It suffices to make a correction that replaces the storage unit.

It is also possible to replace the above-mentioned "memory area ID where the operation thread exists" with the "program ID executed by the operation thread".
In this case, the memory area ID storage unit 5 in FIG. 1 may be modified by replacing it with the program ID storage unit.

(Second Embodiment) Next, a second embodiment of the present invention will be described.

The operation right management device of the present invention does not perform the operation right management for the memory area or the thread by a fixed concept such as the owner, but gives the operation right change right to the operation right list itself and freely. It is intended to be flexible by deleting and adding. Here, as an example of utilizing this mechanism, an embodiment will be described in which the operation right management is flexibly performed when an application for collaborative work by a plurality of people operates.

User A newly added thread 10 (thread ID = 1 to hold an electronic conference using a computer.
0) was created. More specifically, the thread 10 that is the login shell that the user A was running created the thread 10. At this time, the data of the relevant portion of the operation right list storage unit 7 is as shown in FIG. In the following figures, of the table of the operation right list storage unit 7, only the portions necessary for explaining the present embodiment are described, and the other portions are omitted.

The thread 11 (thread ID = 11) can read the internal state of the thread 10 (thread ID = 10) and change the thread operation right. However, it is not possible to change the internal state or stop / resume execution. That is, the thread 10 that has already started to move (thread I
D = 10) is not erroneously interrupted by the thread 11 (thread ID = 11) that created it. These initial states shall be specified as arguments of the system call that creates the thread.

The created thread 10 executes the electronic conference program and controls the interface with the user A. Further, the thread 10 is a memory area 30 (memory area ID) as a memory area for supporting the electronic conference.
= 30) is created.

The operation right list storage unit 7 is used to manage the operation right of the memory area 30, as in the case of managing the thread operation right. However, the target thread ID, the thread operation authority, the thread internal state read authority, the thread internal state change authority, the thread execution stop / resume authority, and the thread operation authority change authority described in the description of the thread operation authority management are In the operation right management of the memory area, the target memory area ID, the memory area operation right, the internal data read right of the memory area, the internal data change right of the memory area,
It has the authority to execute the program in the memory area and the authority to change the memory area operation authority.

The operation right list storage unit shown in FIG. 9 means that the thread 10 can read and change the internal data in the memory area 30 and change the operation right.

Next, user B and user C announce their participation in the electronic conference, and thread 10 newly creates user B.
And thread 12 for user C (thread ID
= 12) and thread 13 (thread ID = 13) were created. As a result, the data in the operation right list storage unit 7 of FIG. 8 is added as shown in FIG. Further, since the memory area 30 which is a memory area for supporting the electronic conference is also used by the threads 12 and 13, the data of the operation right list storage unit 7 of FIG. 9 is added as shown in FIG.

That is, thread 12 and thread 13
Is controlled by the thread 10, and all operations related to the thread can be performed, but the thread 12 and the thread 13 cannot control other threads. This allows the thread 10 to take the lead in executing the progress of the electronic conference as programmed.

The memory area 30 used as a common memory area is a thread 10, a thread 12, and a thread 13.
Data can be read and changed from any of the above, but only the thread 10 can change who (from which thread) and what operation can perform the area.

With such a mechanism, a communication program such as an electronic conference having a complicated dependency can be surely described by using the operating right management mechanism of the OS.

Next, let us consider a case where the thread 10 of the user A who was leading the conference leaves the conference on the way and the conference is in progress.

If the thread 10 simply terminates its own execution, there will be no thread that can change the operation right of the memory area 30, and the conference cannot proceed correctly. In such a case, the user A once has the right to proceed with the meeting to another person (for example, user B).
Must be handed over to.

First, the operation right of the memory area 30 is set to the thread 12 (thread of user B, thread ID = 12). Then, the management right of the thread 13 is assigned to the thread 1
Transfer to 2 and then terminate execution. If the operation thread ID is 10 other than that, the thread 1
Automatically disappear at the end of 0.

As a result, the operation right list storage units of FIGS. 10 and 11 are as shown in FIGS. 12 and 13, respectively. That is, the memory area 30 can be accessed by both the thread 12 and the thread 13, but the thread 12 inherits the right to manage the thread itself. It should be noted that, since the execution of the thread 10 is finished, the thread 11 which is the login shell of the user A has no right to any program that executes the electronic conference.

The example shown here shows one method of realizing the electronic conference program, and does not necessarily mean that the program cannot be described unless the operation right is transferred in such a procedure. .

In this way, it is possible to realize the change of the administrator while managing the operation right to the thread and the memory area.

Using the operation right management device of the present invention, an ambiguous operation in the case of "joining a conference" or "leaving from a conference" as described in the concrete example of this embodiment The right management can also be flexibly and surely realized by the support of the OS, without having to describe the application one by one.

Further, the present invention is not limited to the above-mentioned embodiments, but can be carried out in various modified forms without departing from the gist thereof.

[0125]

According to the operation right management device of the present invention, the operation right management for protecting the operation on the thread or the memory area can be performed flexibly and surely.

[Brief description of drawings]

[Figure 1] Thread Get Configuration diagram for explaining Status

FIG. 2 is a diagram showing an internal configuration example of an operation right list storage unit 7 in FIG.

FIG. 3 is a flowchart showing an operation for changing an operation right in the operation right management device according to the present embodiment.

[Figure 4] Thread Add Block diagram to explain Acl

FIG. 5 is a flowchart showing an operation of changing the operation right change right in the operation right management device according to the present embodiment.

FIG. 6 is a first diagram showing an internal configuration example of an operation right list storage unit 7 in FIG.

FIG. 7 is a second diagram showing an internal configuration example of an operation right list storage unit 7 in FIG.

FIG. 8 is a diagram showing a thread operation right list when an electronic conference is held.

FIG. 9 is a diagram showing a memory area operation right list immediately after the electronic conference is held.

FIG. 10 is a diagram showing a thread operation right list when a new member participates in an electronic conference.

FIG. 11 is a diagram showing a memory area operation right list when a new member participates in an electronic conference.

FIG. 12: User A gives the lead right of the electronic conference to user B
Of the thread operation right list when delegating to

FIG. 13: User A gives the lead of the electronic conference to user B
Of memory area operation right list when delegating to

[Explanation of symbols]

1 ... Program storage unit, 2 ... Processor, 3 ... Thread management unit, 4 ... Execution state switching unit, 5 ... Memory area ID storage unit, 6 ... Thread ID storage unit, 7 ... Operation right list storage unit, 8 ... System call Reception unit, 9 ... Argument detection unit, 10
System call type determination unit 11, 21 ... System call execution unit 12, Operation authority determination unit 13, Target thread ID detection unit 14, Thread information storage position detection unit,
15 ... Error processing unit, 16 ... Thread state reference execution unit,
Reference numeral 17 ... System call end unit, 22 ... Designated operation thread ID detection unit, 23 ... Designation target thread ID detection unit, 24
Specified memory area ID detection unit, 25 ... Specified operation authority detection unit, 26 ... Operation right change right determination unit, 27 ... Operation right list change unit

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) The inventor, Mr. Shoujo Shin, Komukai, Kawasaki City, Kanagawa Prefecture, No. 1, Toshiba-cho, Toshiba Research & Development Center (72) Inventor, Hideki Yoshida, Komukai, Saitama-ku, Kawasaki, Kanagawa Prefecture Toshiba Town No. 1 Inside Toshiba Research and Development Center

Claims (3)

[Claims] 1. A means for executing a program by a plurality of threads which are executed in parallel, and a memory area in which a thread or a user who is the subject of performing this operation, or a subject who performs this operation exists, for each thread. Or, in the operation right management device provided with means for storing operation right information for instructing whether to permit or not based on at least one of the programs, a thread which is a main body for changing the operation right information. Alternatively, a means for storing change right information indicating whether to permit or not based on at least one of a memory area and a program in which a user or a subject who makes this change exists, and before executing the change of the operation right information. Means for verifying whether or not the change is permitted by referring to the stored change right information. Operation right management device according to claim. 2. There is a means for managing a real memory or a virtual memory as a set of a plurality of memory areas, and a thread or a user who is an entity that performs the operation for each memory area, or an entity that performs this operation. In an operation right management device including means for storing operation right information for instructing whether to permit or not based on at least one of a memory area and a program, the operation right information is changed by a main body that makes this change. Means for storing change right information indicating whether to permit or not based on at least one of a thread, a memory area in which a user or a subject who performs this change exists, and / or a program, and a change in the operation right information. Before the change, by referring to the stored change right information, it is possible to verify whether or not the change is permitted. Operation right management device, characterized in that the. 3. The operation right management device according to claim 1, wherein the change right information is stored in association with the operation right information.