-
Publication (Announcement) No.: US10102373B2
Publication (Announcement) Date: 2018-10-16
Application No.: US15237940
Filing Date: 2016-08-16
Inventors: Liang Ma, Ning Qu, Baisheng Wang, Zhipeng Wang
Abstract: The present application discloses a method and apparatus for capturing an operation, and security control in a container-based virtualization system. A specific implementation of the method for capturing the operation includes: detecting, in a user mode, a process launch operation in a container of the container-based virtualization system; and performing, in a kernel mode, a step of capturing a signal processing operation, if the process launch operation is detected, the step of capturing the signal processing operation comprising: determining a presence of an unprocessed signal in the process; causing an executable instruction indicated by the unprocessed signal to jump to an entry address of a self-defined first function, and passing a signal number of the unprocessed signal to the first function, if the unprocessed signal exists; and capturing a signal processing operation corresponding to the passed signal number, if the first function is called. This implementation captures an access operation by a process in a container to the host kernel, so that security control can subsequently be performed on the captured operation to ensure the security of the system.
-
2.
Publication (Announcement) No.: US20170103206A1
Publication (Announcement) Date: 2017-04-13
Application No.: US15237940
Filing Date: 2016-08-16
Inventors: Liang Ma, Ning Qu, Baisheng Wang, Zhipeng Wang
CPC classification numbers: G06F21/566, G06F9/445, G06F9/44505, G06F9/455, G06F9/48, G06F21/53
Abstract: The present application discloses a method and apparatus for capturing an operation, and security control in a container-based virtualization system. A specific implementation of the method for capturing the operation includes: detecting, in a user mode, a process launch operation in a container of the container-based virtualization system; and performing, in a kernel mode, a step of capturing a signal processing operation, if the process launch operation is detected, the step of capturing the signal processing operation comprising: determining a presence of an unprocessed signal in the process; causing an executable instruction indicated by the unprocessed signal to jump to an entry address of a self-defined first function, and passing a signal number of the unprocessed signal to the first function, if the unprocessed signal exists; and capturing a signal processing operation corresponding to the passed signal number, if the first function is called. This implementation captures an access operation by a process in a container to the host kernel, so that security control can subsequently be performed on the captured operation to ensure the security of the system.
-