Container sandbox rule generation method and system, electronic equipment and storage medium


Detailed description

Bibliographic details
Main authors: LIU SENZE, SHEN HONGJIE, XU YUNYUAN, WANG YU, HUA ZHENG
Format: Patent
Language: chi ; eng
Description
Abstract: The invention discloses a container sandbox rule generation method and system, electronic equipment and a storage medium, and belongs to the technical field of cloud computing. The generation method comprises the following steps: system call information of a container is monitored using an eBPF method, the system call information comprising process runtime data; according to the process runtime data, a sandbox rule is generated, the sandbox rule comprising a Seccomp-BPF rule that is used to block or allow system calls. System calls in the container are monitored using an eBPF method; by analyzing the monitored process runtime data, a security policy is formed, security control is applied to the processes in the container based on Seccomp-BPF, a closed loop of container security monitoring is formed, the resource consumption of the container is reduced, and service performance is improved; and the system call information in the container can be fully mined