Title of Invention |
METHOD AND APPARATUS FOR CAPTURING OPERATION IN A CONTAINER-BASED VIRTUALIZATION SYSTEM |
Abstract |
The present application discloses a method and apparatus for capturing an operation, and for security control, in a container-based virtualization system. A specific implementation of the method for capturing the operation includes: detecting, in a user mode, a process launch operation in a container of the container-based virtualization system; and performing, in a kernel mode, a step of capturing a signal processing operation if the process launch operation is detected, the step of capturing the signal processing operation comprising: determining the presence of an unprocessed signal in the process; if the unprocessed signal exists, causing an executable instruction indicated by the unprocessed signal to jump to the entry address of a self-defined first function and passing the signal number of the unprocessed signal to the first function; and, if the first function is called, capturing a signal processing operation corresponding to the passed signal number. This implementation captures an access operation by a process in a container to the host kernel, so that security control can subsequently be performed on the captured operation to ensure the security of the system. |
Publication Number |
US2017103206(A1) |
Publication Date |
2017.04.13 |
Application Number |
US201615237940 |
Filing Date |
2016.08.16 |
Applicant |
BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY CO., LTD. |
Inventors |
Ma Liang;Qu Ning;Wang Baisheng;Wang Zhipeng |
Classification |
G06F21/56;G06F9/445 |
Main Classification |
G06F21/56 |
Agency |
|
Agent |
|
Independent Claim |
1. A method for capturing an operation in a container-based virtualization system, comprising:
detecting, in a user mode, a process launch operation in a container of the container-based virtualization system; and performing, in a kernel mode, a step of capturing a signal processing operation, if the process launch operation is detected, the step of capturing the signal processing operation comprising:
determining a presence of an unprocessed signal in the process; causing an executable instruction indicated by the unprocessed signal to jump to an entry address of a self-defined first function, and passing a signal number of the unprocessed signal to the first function, if the unprocessed signal exists; and capturing a signal processing operation corresponding to the passed signal number, if the first function is called. |
Address |
Beijing CN |