CN112269986A - Process management method, device and storage medium - Google Patents
Process management method, device and storage medium
- Publication number: CN112269986A (application CN202011186959.0A)
- Authority
- CN
- China
- Prior art keywords
- desktop
- terminal
- file
- operation corresponding
- desktops
- Prior art date
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Databases & Information Systems (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
Abstract
The present application discloses a process management method, device and storage medium. The method includes: monitoring the processes of a terminal; when a first process is detected, determining, according to a desktop identifier carried by the first process, the first desktop corresponding to the first process among multiple desktops included in the terminal, where the system operation permissions corresponding to the respective desktops included in the terminal are the same or different, and the processes corresponding to the respective desktops are isolated from one another by a sandbox; determining a first policy corresponding to the first desktop using the correspondence between desktops and process processing policies; and, according to the first policy, allowing or prohibiting the terminal from performing the operation corresponding to the first process.
Description
Technical Field
The present application relates to the field of information security, and in particular to a process management method, device and storage medium.
Background
As technology develops, mobile office (BYOD, Bring Your Own Device, or Become Your Office Device) scenarios appear more and more often in people's work, and the proportion of BYOD devices keeps rising.
However, owing to factors such as cost, network conditions and user privacy protection, the data protection (that is, data leakage prevention) solutions of the related art can only cover part of an enterprise's personal computer (PC) users, and cannot provide data protection in BYOD scenarios or small and micro branch office scenarios (for example, file transfer between staff of the R&D department and staff of the sales department within the same company).
Summary of the Invention
To solve the related technical problems, embodiments of the present application provide a process management method, device and storage medium.
The technical solutions of the embodiments of the present application are implemented as follows:
An embodiment of the present application provides a process management method, including:
monitoring the processes of a terminal; when a first process is detected, determining, according to a desktop identifier carried by the first process, the first desktop corresponding to the first process among multiple desktops included in the terminal, where the system operation permissions corresponding to the respective desktops included in the terminal are the same or different, and the processes corresponding to the respective desktops are isolated from one another by a sandbox;
determining a first policy corresponding to the first desktop using the correspondence between desktops and process processing policies; and, according to the first policy, allowing or prohibiting the terminal from performing the operation corresponding to the first process.
In the above solution, the method further includes:
acquiring the correspondence between desktops and process processing policies, and the first policy, from the shared memory of the multiple desktops.
In the above solution, the multiple desktops included in the terminal include a first-type desktop and a second-type desktop, and the system operation permission corresponding to the first-type desktop is lower than that corresponding to the second-type desktop;
allowing or prohibiting the terminal from performing the operation corresponding to the first process according to the first policy includes:
when the operation corresponding to the first process includes an operation by the second-type desktop on a file in the file directory corresponding to the first-type desktop, allowing the terminal to perform the operation corresponding to the first process;
when the operation corresponding to the first process includes an operation by the first-type desktop on a file in the file directory corresponding to the second-type desktop, prohibiting the terminal from performing the operation corresponding to the first process; where
the files in the file directories corresponding to the respective desktops are isolated by the sandbox.
In the above solution, the operation corresponding to the first process includes an operation by the second-type desktop on a first file in the file directory corresponding to the first-type desktop; when the terminal is allowed to perform the operation corresponding to the first process, the method further includes:
when a redirected file corresponding to the first file exists in the file directory corresponding to the second-type desktop, controlling the terminal to perform the operation corresponding to the first process on the redirected file;
when no redirected file corresponding to the first file exists in the file directory corresponding to the second-type desktop, generating the redirected file corresponding to the first file in the file directory corresponding to the second-type desktop, and controlling the terminal to perform the operation corresponding to the first process on the redirected file.
In the above solution, the method further includes:
encrypting the redirected file when controlling the terminal to perform the operation corresponding to the first process on the redirected file.
In the above solution, allowing or prohibiting the terminal from performing the operation corresponding to the first process according to the first policy includes:
when the operation corresponding to the first process includes the first-type desktop pasting text or an image copied from the second-type desktop, prohibiting the terminal from performing the operation corresponding to the first process;
when the operation corresponding to the first process includes the second-type desktop pasting text or an image copied from the first-type desktop, allowing the terminal to perform the operation corresponding to the first process; where
the clipboards of the respective desktops are isolated by the sandbox.
In the above solution, allowing or prohibiting the terminal from performing the operation corresponding to the first process according to the first policy includes:
when it is determined according to the first policy that the first desktop has permission to perform the operation corresponding to the first process, allowing the terminal to perform the operation corresponding to the first process;
when it is determined according to the first policy that the first desktop does not have permission to perform the operation corresponding to the first process, prohibiting the terminal from performing the operation corresponding to the first process; where
the system service interfaces and network connection functions corresponding to the respective desktops are isolated by the sandbox;
the operation corresponding to the first process includes one of the following:
accessing a first local area network;
connecting to a second local area network;
calling a system service interface.
In the above solution, the operation corresponding to the first process includes a screenshot operation;
allowing or prohibiting the terminal from performing the operation corresponding to the first process according to the first policy includes:
when the first desktop has screenshot permission, allowing the terminal to perform the operation corresponding to the first process;
when the first desktop does not have screenshot permission, prohibiting the terminal from performing the operation corresponding to the first process, or generating a screenshot image that contains traceable watermark information.
An embodiment of the present application further provides a process management device, including:
a monitoring unit configured to monitor the processes of a terminal and, when a first process is detected, determine, according to the desktop identifier carried by the first process, the first desktop corresponding to the first process among the multiple desktops included in the terminal, where the system operation permissions corresponding to the respective desktops are the same or different and the processes corresponding to the respective desktops are isolated by a sandbox;
a processing unit configured to determine the first policy corresponding to the first desktop using the correspondence between desktops and process processing policies, and, according to the first policy, to allow or prohibit the terminal from performing the operation corresponding to the first process.
An embodiment of the present application further provides a process management device including a processor and a memory for storing a computer program that can run on the processor;
where the processor is configured to perform the steps of any of the above methods when running the computer program.
An embodiment of the present application further provides a storage medium storing a computer program which, when executed by a processor, implements the steps of any of the above methods.
The process management method, device and storage medium provided by the embodiments of the present application monitor the processes of a terminal; when a first process is detected, determine, according to the desktop identifier carried by the first process, the first desktop corresponding to the first process among the multiple desktops included in the terminal, where the system operation permissions corresponding to the respective desktops are the same or different and the processes corresponding to the respective desktops are isolated by a sandbox; determine the first policy corresponding to the first desktop using the correspondence between desktops and process processing policies; and, according to the first policy, allow or prohibit the terminal from performing the operation corresponding to the first process. The solution of the embodiments of the present application uses a sandbox to isolate the processes corresponding to multiple desktops with different permissions on the user terminal; when a process of the terminal is detected, the process processing policy corresponding to the relevant desktop is determined, and on the basis of that policy the terminal is allowed or prohibited from performing the operation corresponding to the process. In this way, when a user implements BYOD scenarios and small and micro branch office scenarios on the basis of the terminal's multi-desktop form, leakage of office data can be avoided, the security of office data is improved, and the user experience is improved in turn.
Brief Description of the Drawings
FIG. 1 is a schematic flowchart of a process management method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an application scenario of an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a process management device according to an application embodiment of the present application;
FIG. 4 is a schematic structural diagram of a process management device according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the hardware structure of a process management device according to an embodiment of the present application.
Detailed Description
The technical solutions of the present application are described in further detail below with reference to the accompanying drawings and embodiments.
In the related art, enterprise office data protection (that is, office data leakage prevention) solutions can be divided into hardware solutions and software solutions. The deployment cost of hardware solutions is usually high: an external device for office data protection may have to be provisioned for every PC user in the enterprise, and such a device usually places high demands on the network and cannot support ultra-low-bandwidth or offline work. Software solutions usually include functions such as screen recording, remote control and behaviour auditing, which intrude on the privacy of the enterprise's PC users and are difficult to roll out in BYOD scenarios and small and micro branch office scenarios. In addition, when some hardware and software solutions are applied to low-bandwidth scenarios without an administrator, such as small and micro branch offices, operation and maintenance may be complex and compatibility problems may arise. The office data protection solutions of the related art therefore suffer from high deployment cost, complicated deployment and operation and maintenance, and poor user experience.
In addition, when designing office data protection solutions for BYOD scenarios and small and micro branch office scenarios, users' concerns about the security of office data in those scenarios must be taken into account, for example the concern, prompted by ransomware incidents, that using a virtual private network (VPN) may lead to virus infection of the intranet. The users' need for security control over the flow of office data must therefore be considered, for example the need to control the flow of office data once a VPN is in use. At the same time, users' concerns about the security of the operating system also need to be taken into account.
On this basis, in the various embodiments of the present application, the processes corresponding to multiple desktops with different permissions on the user terminal are isolated by a sandbox; when a process of the terminal is detected, the process processing policy corresponding to the relevant desktop is determined, and on the basis of that policy the terminal is allowed or prohibited from performing the operation corresponding to the process. In this way, when a user implements BYOD scenarios and small and micro branch office scenarios on the basis of the terminal's multi-desktop form, leakage of office data can be avoided, the security of office data is improved, and the user experience is improved in turn.
At the same time, because the various embodiments of the present application are implemented on the basis of the terminal's own multi-desktop form, office data does not need to be protected by an external device, which greatly reduces the deployment cost as well as the difficulty of deployment and of subsequent operation and maintenance.
In addition, because the various embodiments of the present application are implemented on the basis of the terminal's own multi-desktop form, the user can switch directly between BYOD and/or small and micro branch office scenarios and other application scenarios (such as the user's personal scenarios) simply by switching desktops, which is simple and convenient and therefore further improves the user experience.
An embodiment of the present application provides a process management method which, as shown in FIG. 1, includes the following steps:
Step 101: monitor the processes of the terminal; when a first process is detected, determine, according to the desktop identifier carried by the first process, the first desktop corresponding to the first process among the multiple desktops included in the terminal;
Here, the system operation permissions corresponding to the respective desktops included in the terminal are the same or different, and the processes corresponding to the respective desktops are isolated by a sandbox;
Step 102: determine the first policy corresponding to the first desktop using the correspondence between desktops and process processing policies, and, according to the first policy, allow or prohibit the terminal from performing the operation corresponding to the first process.
Here, it should be noted that the terminal may be any electronic device with a multi-desktop form, such as a PC or a mobile phone; the PC may include a desktop computer, a notebook computer, a tablet computer and the like. Each of the multiple desktops corresponds to a virtual workspace, and the workspaces corresponding to the respective desktops are isolated by the sandbox. In addition, the multiple desktops use the same physical disk, no separate area of that disk is allocated to each desktop, and the screen the terminal presents when the user operates a given desktop is the workspace corresponding to that desktop.
Specifically, in practice the processes corresponding to the respective desktops may be isolated by a sandbox implemented on the basis of Unified Endpoint Management (UEM), so that each desktop corresponds to one virtual workspace.
In practice, the way the terminal's processes are monitored may be set according to the terminal's operating system and user requirements. For example, when the terminal's operating system is Microsoft Windows, the terminal's processes may be monitored by means of a process callback.
In practice, the terminal may be provided with shared memory for the multiple desktops. After the first desktop is determined, the correspondence between desktops and process processing policies may be acquired from the shared memory, for example by acquiring a first configuration file containing that correspondence; and after the first policy is determined, the first policy may be acquired from the shared memory, for example by acquiring a second configuration file containing the first policy.
On this basis, in an embodiment, the method may further include:
acquiring the correspondence between desktops and process processing policies, and the first policy, from the shared memory of the multiple desktops.
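The following is an added illustration, not code from the patent, of the decision logic in steps 101 and 102 together with the rule families listed in the summary (file directories ranked by desktop level, cross-desktop clipboard paste, LAN and system service access, and screenshot handling). The patent states only that a configuration file holding the desktop-to-policy correspondence is read from shared memory; the JSON layout, the desktop identifiers A/B/C, the directory paths and the operation vocabulary below are all assumptions made for the example.

```python
"""Desktop-scoped process policy engine (added example; layout is assumed)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the "first configuration file" the patent reads from
# the desktops' shared memory: desktop identifier -> process processing policy.
# A smaller "level" means a more privileged desktop: the patent's "level one"
# office desktops outrank its "level two" personal desktops.
POLICY_CONFIG_JSON = json.dumps({
    "A": {"level": 1, "dir": "/data/desktops/A", "lan": ["corp-intranet"],
          "services": ["print"], "screenshot": "deny"},
    "B": {"level": 2, "dir": "/data/desktops/B", "lan": ["internet"],
          "services": ["print", "media"], "screenshot": "allow"},
    "C": {"level": 2, "dir": "/data/desktops/C", "lan": [],
          "services": ["media"], "screenshot": "watermark"},
})


@dataclass(frozen=True)
class ProcessEvent:
    """A process notification as the monitor would see it (constructed shape)."""
    pid: int
    desktop_id: str          # desktop identifier carried by the process
    kind: str                # "file" | "paste" | "lan" | "service" | "screenshot"
    target: str = ""         # path, clipboard source desktop, LAN name or service name


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    watermark: bool = False  # screenshot allowed only as a watermarked image


class DesktopPolicyEngine:
    def __init__(self, config_json: str) -> None:
        self.policies: Dict[str, dict] = json.loads(config_json)

    def owner_of(self, path: str) -> Optional[str]:
        """Which desktop's file directory contains this path, if any."""
        for desktop_id, pol in self.policies.items():
            if path == pol["dir"] or path.startswith(pol["dir"].rstrip("/") + "/"):
                return desktop_id
        return None

    def may_use(self, actor: str, owner: str) -> bool:
        """A desktop may use its own data or the data of a strictly less
        privileged desktop. Two different desktops at the same level are kept
        apart: an assumption, the patent only orders the two desktop types."""
        if actor == owner:
            return True
        return self.policies[actor]["level"] < self.policies[owner]["level"]

    def evaluate(self, ev: ProcessEvent) -> Decision:
        pol = self.policies.get(ev.desktop_id)
        if pol is None:
            # No desktop identifier to look a policy up by: default deny.
            return Decision(False, "unknown desktop identifier")
        if ev.kind == "file":
            owner = self.owner_of(ev.target)
            if owner is None:
                return Decision(False, "path outside every desktop directory")
            ok = self.may_use(ev.desktop_id, owner)
            return Decision(ok, f"desktop {ev.desktop_id} -> files of {owner}: {'allow' if ok else 'deny'}")
        if ev.kind == "paste":
            if ev.target not in self.policies:
                return Decision(False, "clipboard source desktop unknown")
            ok = self.may_use(ev.desktop_id, ev.target)
            return Decision(ok, f"paste from {ev.target} into {ev.desktop_id}: {'allow' if ok else 'deny'}")
        if ev.kind == "lan":
            ok = ev.target in pol["lan"]
            return Decision(ok, f"LAN {ev.target}: {'allow' if ok else 'deny'}")
        if ev.kind == "service":
            ok = ev.target in pol["services"]
            return Decision(ok, f"service {ev.target}: {'allow' if ok else 'deny'}")
        if ev.kind == "screenshot":
            mode = pol["screenshot"]
            if mode == "allow":
                return Decision(True, "screenshot permitted")
            if mode == "watermark":
                return Decision(True, "screenshot permitted with traceable watermark", watermark=True)
            return Decision(False, "screenshot prohibited")
        return Decision(False, f"unrecognised operation {ev.kind}")


def demo() -> List[Decision]:
    """Run a constructed batch of events through the engine."""
    engine = DesktopPolicyEngine(POLICY_CONFIG_JSON)
    events = [
        ProcessEvent(1001, "A", "file", "/data/desktops/B/notes.txt"),    # office reads personal: allow
        ProcessEvent(1002, "B", "file", "/data/desktops/A/report.docx"),  # personal reads office: deny
        ProcessEvent(1003, "B", "paste", "A"),                             # paste office clipboard: deny
        ProcessEvent(1004, "A", "lan", "corp-intranet"),                   # allow
        ProcessEvent(1005, "B", "lan", "corp-intranet"),                   # deny
        ProcessEvent(1006, "C", "screenshot"),                             # allowed, watermarked
    ]
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The engine answers only the allow/deny question; it assumes the sandbox already tags each process with its desktop identifier and that the configuration file in shared memory is itself protected from modification by lower-privilege desktops, otherwise a personal desktop could rewrite its own level.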
In practice, the user can set the system operation permission of each of the terminal's desktops as required. For example, as shown in FIG. 2, the user can set up three desktops on terminal 200: desktop A, desktop B and desktop C. Desktop A may have permission to log in to the intranet of a first enterprise but no permission to browse ordinary web pages; desktop B may have permission to browse ordinary web pages but no permission to log in to the first enterprise's intranet; desktop C may have permission to play video and audio but neither permission to log in to the first enterprise's intranet nor permission to browse ordinary web pages. The process processing policy of a desktop reflects that desktop's system operation permission. For example, since desktop B has no permission to log in to the first enterprise's intranet, the process processing policy of desktop B may include: when a detected process includes an operation that accesses the first enterprise's intranet, prohibit the terminal from performing the operation corresponding to that process, that is, prohibit the user from accessing the first enterprise's intranet through desktop B. Here, the task bar 201 of each desktop may include a desktop switching button 202 by which the user can switch desktops, for example from desktop A to desktop C or from desktop C to desktop B.
In practice, to further safeguard office data, the user can rank the system operation permissions of the terminal's desktops as required, so that a desktop with a lower level of system operation permission cannot be used to open or edit files in the file directory of a desktop with a higher level of system operation permission. For example, the user may set the above desktop A and a desktop D as office desktops, where desktop D has permission to log in to the intranet of a second enterprise but no permission to browse ordinary web pages, and set the system operation permission of desktops A and D to level one; at the same time, the user may set the above desktops B and C and a desktop E as personal desktops, where desktop E has permission to browse ordinary web pages but no permission to log in to the second enterprise's intranet, and set the system operation permission of desktops B, C and E to level two. Here, the workspaces of desktops B, C and E may be collectively called the personal domain, and the workspaces of desktops A and D the security domain. The personal domain and the security domain are used in exactly the same way (for example, the same file storage method, namely the terminal's own original one), so the user perceives no difference between using the personal domain and using the security domain and need not change any usage habits. Both the personal domain and the security domain can access the terminal's disk files directly, and isolation is achieved by file redirection, with the files before and after redirection stored on the same disk (the disk currently configured on the terminal). Through the process processing policies of the respective desktops, the user cannot open or edit files in the file directories of desktops A and D from desktops B, C or E; that is, the personal domain cannot access or use the files of the security domain, whereas the security domain can access and use the files of the personal domain without the user having to copy files, which keeps operation simple and convenient. In this way, the files in the file directories of the terminal's respective desktops are isolated, further safeguarding the security of office data.
Based on this, in an embodiment, the multiple desktops included in the terminal may include a first-type desktop and a second-type desktop, where the system operation authority corresponding to the first-type desktop is lower than that corresponding to the second-type desktop; and allowing or prohibiting the terminal from executing the operation corresponding to the first process according to the first policy may include:
when the operation corresponding to the first process includes an operation by the second-type desktop on a file in the file directory corresponding to the first-type desktop, allowing the terminal to execute the operation corresponding to the first process;
when the operation corresponding to the first process includes an operation by the first-type desktop on a file in the file directory corresponding to the second-type desktop, prohibiting the terminal from executing the operation corresponding to the first process; wherein
the files in the file directory corresponding to each of the multiple desktops are isolated based on the sandbox.
Specifically, in practical application, each of the multiple desktops included in the terminal may correspond to a different file directory. The user cannot view or edit files in the file directory corresponding to the second-type desktop through the first-type desktop, but can view or edit files in the file directory corresponding to the first-type desktop through the second-type desktop. Here, when the user views or edits a file in the file directory corresponding to the first-type desktop through the second-type desktop, in order to make the edits made through the second-type desktop invisible to the first-type desktop, the file being viewed and/or edited may be redirected to the file directory corresponding to the second-type desktop, which further guarantees the security of office data.
Based on this, in an embodiment, when the operation corresponding to the first process includes an operation by the second-type desktop on a first file in the file directory corresponding to the first-type desktop, and the terminal is allowed to execute the operation corresponding to the first process, the method may further include:
when a redirection file corresponding to the first file exists in the file directory corresponding to the second-type desktop, controlling the terminal to execute the operation corresponding to the first process on the redirection file;
when no redirection file corresponding to the first file exists in the file directory corresponding to the second-type desktop, generating the redirection file corresponding to the first file in the file directory corresponding to the second-type desktop, and controlling the terminal to execute the operation corresponding to the first process on the redirection file.
In practical application, to further guarantee the security of office data, the redirection file may be encrypted when the terminal is controlled to execute the operation corresponding to the first process on it; thus even if the terminal is lost, the redirection file will not be leaked, which further guarantees the security of office data.
Based on this, in an embodiment, the method may further include:
when controlling the terminal to execute the operation corresponding to the first process on the redirection file, encrypting the redirection file.
Specifically, in practical application, after the terminal is controlled to execute the operation corresponding to the first process on the redirection file, the redirection file may be encrypted before it is written to disk; and before the terminal is controlled to execute the operation corresponding to the first process on the redirection file, the redirection file may be decrypted when it is read from disk.
In practical application, file redirection and the encryption and decryption of redirection files may be implemented using the minifilter framework (Minifilter) technology.
In practical application, for each of the multiple desktops included in the terminal, a large file may be allocated in advance to serve as the file storage space of the workspace corresponding to that desktop, i.e. the virtual disk of that workspace. All files generated by the workspace are stored in the corresponding virtual disk, and the entire virtual disk is encrypted rather than encrypting individual files. In this way, only one large file needs to be migrated during data migration, which improves the convenience of data migration.
In practical application, the registry corresponding to each desktop may also be isolated in the same way as files, i.e. the registry entries under the registry directory corresponding to each of the multiple desktops are isolated based on the sandbox. Allowing or prohibiting the terminal from executing the operation corresponding to the first process according to the first policy may include: when the operation corresponding to the first process includes an operation by the second-type desktop on the registry under the registry directory corresponding to the first-type desktop, allowing the terminal to execute the operation corresponding to the first process; and when the operation corresponding to the first process includes an operation by the first-type desktop on the registry under the registry directory corresponding to the second-type desktop, prohibiting the terminal from executing the operation corresponding to the first process.
Meanwhile, when the operation corresponding to the first process includes an operation by the second-type desktop on a first registry entry under the registry directory corresponding to the first-type desktop, and the terminal is allowed to execute the operation corresponding to the first process, the method may further include: when a redirection registry entry corresponding to the first registry entry exists under the registry directory corresponding to the second-type desktop, controlling the terminal to execute the operation corresponding to the first process on the redirection registry entry; and when no redirection registry entry corresponding to the first registry entry exists under the registry directory corresponding to the second-type desktop, generating the redirection registry entry corresponding to the first registry entry under the registry directory corresponding to the second-type desktop and controlling the terminal to execute the operation corresponding to the first process on it.
In practical application, to further guarantee the security of office data, the user must be prevented from pasting content (text or images) copied from the second-type desktop into the first-type desktop.
Based on this, in an embodiment, allowing or prohibiting the terminal from executing the operation corresponding to the first process according to the first policy may include:
when the operation corresponding to the first process includes an operation by the first-type desktop of pasting text or an image copied from the second-type desktop, prohibiting the terminal from executing the operation corresponding to the first process;
when the operation corresponding to the first process includes an operation by the second-type desktop of pasting text or an image copied from the first-type desktop, allowing the terminal to execute the operation corresponding to the first process; wherein
the clipboard of each of the multiple desktops is isolated based on the sandbox.
In practical application, to further guarantee the security of office data, the first policy may include the first desktop's permission to access a network, permission to connect to a network, permission to call system service interfaces, and so on; in this way, the user can be prevented from leaking office data through the network, a printer or similar interfaces while using the desktop intended for office work.
Based on this, in an embodiment, allowing or prohibiting the terminal from executing the operation corresponding to the first process according to the first policy may include:
when it is determined according to the first policy that the first desktop has permission to execute the operation corresponding to the first process, allowing the terminal to execute the operation corresponding to the first process;
when it is determined according to the first policy that the first desktop does not have permission to execute the operation corresponding to the first process, prohibiting the terminal from executing the operation corresponding to the first process; wherein
the system service interfaces and network connection function corresponding to each of the multiple desktops are isolated based on the sandbox;
the operation corresponding to the first process includes one of the following:
accessing a first local area network;
connecting to a second local area network;
calling a system service interface.
In practical application, the first local area network may be an enterprise intranet, and the second local area network may be a wireless local area network such as a wireless Bluetooth local area network or a wireless infrared local area network. The system service interfaces may include a printer interface, a Universal Serial Bus (USB) interface, and so on; in this way, the user can be prevented from leaking office data via the network, a printer or USB, which further improves the security of office data.
In practical application, to further guarantee the security of office data, the first policy may further include a screenshot permission, so that the user can be prevented from leaking office data through screenshots while using the desktop intended for office work.
Based on this, in an embodiment, the operation corresponding to the first process includes a screenshot operation, and allowing or prohibiting the terminal from executing the operation corresponding to the first process according to the first policy may include:
when the first desktop has the screenshot permission, allowing the terminal to execute the operation corresponding to the first process;
when the first desktop does not have the screenshot permission, prohibiting the terminal from executing the operation corresponding to the first process, or generating a screenshot image containing traceable watermark information.
The process management method provided by the embodiments of the present application monitors the processes of a terminal; when a first process is detected, determines, according to the desktop identifier carried by the first process, the first desktop to which the first process corresponds among the multiple desktops included in the terminal, where the system operation authority corresponding to each of the multiple desktops is the same or different and the processes corresponding to each desktop are isolated based on the sandbox; determines the first policy corresponding to the first desktop using the correspondence between desktops and process processing policies; and allows or prohibits the terminal from executing the operation corresponding to the first process according to the first policy. In this way, when the user implements BYOD scenarios and small and micro branch office scenarios based on the terminal's multi-desktop form, leakage of office data can be avoided, the security of office data improved, and thus the user experience enhanced.
Meanwhile, because the process management method provided by the embodiments of the present application is implemented based on the terminal's own multi-desktop form and does not require external devices to protect office data, the deployment cost is greatly reduced, and the difficulty of deployment and of subsequent operation and maintenance is reduced as well.
In addition, because the process management method provided by the embodiments of the present application is implemented based on the terminal's own multi-desktop form, the user can switch directly between the BYOD scenario and/or small and micro branch office scenario and other application scenarios (such as the user's personal application scenario) by switching desktops. The operation is simple and convenient, which further improves the user experience.
The present application is described in further detail below in conjunction with an application example.
This application example provides a UEM sandbox-based data leakage prevention scheme that protects user terminals in BYOD scenarios and small and micro branch office scenarios holistically from multiple angles (i.e. protects office data). Specifically, one or more dedicated desktop workspaces are created on the basis of the user's personal desktop space provided by the user terminal's operating system, i.e. a multi-desktop form is constructed in the user terminal. Meanwhile, as shown in FIG. 3, the user terminal is provided with a UEM data leakage prevention control unit 301, a multi-desktop form unit 302, a process identification and isolation unit 303, a file isolation unit 304, a file encryption and decryption unit 305, a VPN and network isolation unit 306, a registry isolation unit 307, a clipboard isolation unit 308, a screen watermark and anti-screenshot unit 309, a service isolation unit 310 and an infrared and Bluetooth device isolation unit 311, which implement data protection functions for the software (applications) running in the workspace corresponding to each of the multiple desktops, including VPN secure link isolation, file isolation, file encryption, network isolation, clipboard isolation, process isolation, registry isolation, screen watermarking, service isolation, and infrared and Bluetooth device isolation.
Specifically, the UEM data leakage prevention control unit 301 provides the UEM-based sandbox function that underlies the process identification and isolation unit 303, the file isolation unit 304, the file encryption and decryption unit 305, the VPN and network isolation unit 306, the registry isolation unit 307, the clipboard isolation unit 308, the screen watermark and anti-screenshot unit 309, the service isolation unit 310 and the infrared and Bluetooth device isolation unit 311. Meanwhile, the UEM data leakage prevention control unit 301 obtains, from the shared memory of the multiple desktops (which may be called the global shared memory), the correspondence between desktops and data protection policies (i.e. the process processing policies described above) and the data protection policy corresponding to each desktop, and provides them to the other units.
The multi-desktop form unit 302 constructs a multi-desktop form including a personal desktop (i.e. the first-type desktop described above) and a secure desktop (i.e. the second-type desktop described above). Here, the user's data protection must be realized within the secure desktop and may be guaranteed by key techniques such as process identification, file encryption and decryption, file isolation, registry isolation, network isolation and clipboard isolation. Meanwhile, a desktop switching button is displayed on the taskbar of each desktop for quick switching between the personal desktop and the secure desktop.
The process identification and isolation unit 303 accurately identifies whether the process operating on data belongs to the personal desktop or the secure desktop, so as to protect the data in the secure desktop. For example, on Windows, the process space of a process belonging to a desktop contains the corresponding desktop information (i.e. the desktop identifier described above, which may be written as DesktopInformation, abbreviated DesktopInfo), which marks the process as a personal process (a process corresponding to the personal desktop) or a secure process (a process corresponding to the secure desktop). Meanwhile, a Windows driver can register a process callback function by calling the corresponding application programming interface (API) PsSetCreateProcessNotifyRoutineEx; when a process starts or exits, the system calls the registered callback to notify the driver, which then obtains the process's PEB information (representing the PEB structure) through the process's EPROCESS object (representing the EPROCESS structure) and reads the DesktopInfo from the PEB to determine which desktop the process belongs to.
The file isolation unit 304 performs file isolation. Specifically, in the initial state the files in the personal desktop and the files in the secure desktop are identical. Later, when a secure process opens a file with write access, before the file is actually opened, Minifilter technology can be used to copy the file into the redirection directory belonging to the secure desktop, so that the open now targets the copy in the redirection directory, and all subsequent operations on the file are replaced by operations on the corresponding file in the redirection directory.
The file encryption and decryption unit 305 encrypts and decrypts files in the redirection directory. Specifically, in the initial state the files in the personal desktop and the files in the secure desktop are identical and both unencrypted. Using Minifilter technology, when a secure process subsequently writes to a file in the redirection directory, the file is encrypted before it is written to disk; when a secure process reads a file in the redirection directory, the data read from the file is decrypted before it is returned to the secure process.
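The file-isolation and copy-on-write redirection rules (the first-type/second-type desktop embodiment above and units 304 and 305) can be modelled in user mode as follows. This is an added example, not code from the patent or from the described driver; the desktop names, directories and the `FileIsolationPolicy` class are hypothetical, and the Minifilter encryption of unit 305 is left out.

```python
"""Reference model of per-desktop file isolation with copy-on-write redirection
(example code, not the patent's Minifilter driver)."""
from __future__ import annotations

import shutil
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path


class DesktopType(Enum):
    PERSONAL = 1  # "first-type desktop": lower system operation authority
    SECURE = 2    # "second-type desktop": higher system operation authority


@dataclass
class Desktop:
    """A desktop and its workspace directories (names are hypothetical)."""
    desktop_info: str                  # DesktopInfo identifier carried by its processes
    kind: DesktopType
    root: Path                         # file directory belonging to this desktop
    redirect_dir: Path | None = None   # secure desktops only: copy-on-write area


@dataclass
class Decision:
    allowed: bool
    effective_path: Path | None        # path the open really targets after policy
    redirected: bool = False           # True when served from the redirect directory


class FileIsolationPolicy:
    """Rules of the file-isolation embodiment:
    - a first-type (personal) desktop may not open files of a second-type (secure) desktop;
    - a second-type desktop may use files of a first-type desktop, but its edits land in
      its own redirect directory so they stay invisible to the personal desktop."""

    def __init__(self, desktops: list[Desktop]):
        self.by_id = {d.desktop_info: d for d in desktops}

    def _owner(self, path: Path) -> Desktop | None:
        """Desktop whose file directory contains `path`, if any."""
        for d in self.by_id.values():
            try:
                path.resolve().relative_to(d.root.resolve())
                return d
            except ValueError:
                continue
        return None

    def open(self, desktop_info: str, path: Path, write: bool) -> Decision:
        """Decide an open() issued by a process of desktop `desktop_info`."""
        caller = self.by_id[desktop_info]
        owner = self._owner(path)
        if owner is None or owner is caller:
            return Decision(True, path)            # same domain: untouched
        if caller.kind is DesktopType.PERSONAL and owner.kind is DesktopType.SECURE:
            return Decision(False, None)           # personal -> secure: prohibited
        # secure -> personal: allowed, served through the redirection file
        assert caller.redirect_dir is not None
        rel = path.resolve().relative_to(owner.root.resolve())
        redirect = caller.redirect_dir / rel
        if redirect.exists():
            return Decision(True, redirect, redirected=True)
        if write:
            # first write access: materialise the redirection file from the original
            redirect.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, redirect)
            return Decision(True, redirect, redirected=True)
        return Decision(True, path)                # read-only, no copy yet: original


def demo() -> dict[str, str]:
    """Constructed scenario: personal desktop B and secure desktop A on one disk."""
    base = Path(tempfile.mkdtemp())
    personal = Desktop("desktop-B", DesktopType.PERSONAL, base / "B")
    secure = Desktop("desktop-A", DesktopType.SECURE, base / "A", base / "A_redirect")
    personal.root.mkdir()
    secure.root.mkdir()
    (personal.root / "report.txt").write_text("draft v1")
    (secure.root / "contract.txt").write_text("confidential")
    policy = FileIsolationPolicy([personal, secure])

    out: dict[str, str] = {}
    # 1. a personal process tries to read a secure-domain file: denied
    d = policy.open("desktop-B", secure.root / "contract.txt", write=False)
    out["personal_reads_secure"] = "allow" if d.allowed else "deny"
    # 2. a secure process edits a personal-domain file: copy-on-write redirect
    d = policy.open("desktop-A", personal.root / "report.txt", write=True)
    d.effective_path.write_text("draft v2 (edited in secure desktop)")
    out["secure_write_redirected"] = str(d.redirected)
    # 3. the personal desktop still sees the untouched original
    out["personal_view"] = (personal.root / "report.txt").read_text()
    # 4. the secure desktop reads back its own edit from the redirect directory
    d = policy.open("desktop-A", personal.root / "report.txt", write=False)
    out["secure_view"] = d.effective_path.read_text()
    shutil.rmtree(base)
    return out
```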
The VPN and network isolation unit 306 performs VPN and network isolation. Specifically, the secure desktop must be able to access the enterprise intranet, and the network protocol support of software in the secure desktop must be no different from that of a PC on the intranet, supporting the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Internet Control Message Protocol (ICMP). Meanwhile, it must be guaranteed that only software in the secure desktop can access the intranet, while software in the personal desktop cannot. In addition, software in the secure desktop must support Domain Name System (DNS) resolution. Here, a Windows Filtering Platform (WFP) network driver based on sslVPN (a VPN technology that establishes a remote secure access channel over the Secure Sockets Layer (SSL) protocol) may be used to isolate the network access of secure processes and personal processes.
The registry isolation unit 307 performs registry isolation. Specifically, in the initial state the registry of the personal desktop and the registry of the secure desktop are identical. Later, when a secure process opens a registry key with write access, before the key is actually opened, driver technology can be used to replace the path of the key with the secure desktop's redirected registry path, so that the key under the redirected path is opened instead, and all subsequent operations on the original key are replaced by operations on the key under the redirected registry path. For example, a Windows driver can register a registry callback by calling the CmRegisterCallbackEx API; when a registry operation occurs, the system calls the registered callback to notify the driver.
The clipboard isolation unit 308 isolates the clipboard. Specifically, data inside the secure desktop may not be copied to the personal desktop. Hook technology can be used to hook the APIs through which processes operate on the clipboard (including user32.dll!GetClipboardData and user32.dll!SetClipboardData). When a process calls user32.dll!SetClipboardData to copy, the security attribute of the copying process is recorded in the global shared memory; when a process calls user32.dll!GetClipboardData to paste, the security attribute of the process that triggered the copy is read from the global shared memory and compared with the security attribute of the pasting process to decide whether the paste is trusted. That is, when the security attribute of the copying process is "secure process" and that of the pasting process is "personal process", the paste is determined to be untrusted and the pasting process is refused; when the security attribute of the copying process is "personal process" and that of the pasting process is "secure process", the paste is determined to be trusted and the pasting process is allowed to execute.
The screen watermark and anti-screenshot unit 309 prevents the user from leaking data through screenshots. Specifically, a conspicuous watermark (such as the DesktopInfo, user name or user account) may be displayed in the corresponding workspace, so that any screenshot taken will contain the watermark information for subsequent tracing.
The service isolation unit 310 performs service isolation. Specifically, the user can be prevented from leaking data through printing by prohibiting processes within the secure desktop from using the print function. For example, Hook technology can be used to hook the APIs that call the printer service (including Winspool.drv!OpenPrinter, Winspool.drv!AddPrinter, Winspool.drv!StartDocPrinter, Winspool.drv!StartPagePrinter and Winspool.drv!WritePrinter); when a secure process calls these printer APIs, failure is returned directly.
The infrared and Bluetooth device isolation unit 311 isolates the wireless infrared local area network and the wireless Bluetooth local area network. Specifically, similar to network isolation, WFP is used to isolate the wireless infrared and wireless Bluetooth local area networks. Here, the protocol family (AF) used to isolate the wireless infrared local area network is AF_IRDA (26), the AF used to isolate the wireless Bluetooth local area network is AF_BTH (32), and the AFs used to isolate ordinary networks (such as the enterprise intranet) are AF_INET and AF_INET6. The infrared and Bluetooth device isolation unit 311 determines whether to enable interception of infrared and Bluetooth devices according to the data protection policy of the corresponding desktop; if interception is enabled, access by secure processes to infrared and Bluetooth devices is denied, while non-secure processes are not controlled (i.e. non-secure processes can access infrared and Bluetooth devices).
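The copy-time tagging and paste-time check of unit 308 (and of the clipboard embodiment described earlier) as an added reference model; it is not the patent's hook code, and the `GlobalSharedMemory` layout, the process names and the choice to pass untagged clipboard contents through are assumptions.

```python
"""Reference model of clipboard isolation: the SetClipboardData hook records the
copying process's security attribute in global shared memory, and the
GetClipboardData hook compares it with the pasting process's attribute
(example code, not the patent's hook DLL)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class SecurityAttribute(Enum):
    PERSONAL = "personal"  # process of a first-type (personal) desktop
    SECURE = "secure"      # process of a second-type (secure) desktop


@dataclass
class Process:
    pid: int
    desktop_info: str
    attribute: SecurityAttribute


@dataclass
class GlobalSharedMemory:
    """Shared by all desktops; only the attribute of the most recent copy is kept."""
    copy_source: SecurityAttribute | None = None
    copy_pid: int | None = None


class ClipboardIsolation:
    def __init__(self, shm: GlobalSharedMemory):
        self.shm = shm

    def on_set_clipboard_data(self, proc: Process) -> None:
        """Hook for user32.dll!SetClipboardData: tag the clipboard contents."""
        self.shm.copy_source = proc.attribute
        self.shm.copy_pid = proc.pid

    def on_get_clipboard_data(self, proc: Process) -> bool:
        """Hook for user32.dll!GetClipboardData: True = pass the call through,
        False = refuse the paste."""
        src = self.shm.copy_source
        if src is None:
            # assumption: clipboard filled before the hook was active, let it through
            return True
        # the only prohibited direction is secure -> personal
        if src is SecurityAttribute.SECURE and proc.attribute is SecurityAttribute.PERSONAL:
            return False
        return True


def demo() -> list[tuple[str, bool]]:
    """Constructed sequence of copy/paste events across the two desktops."""
    shm = GlobalSharedMemory()
    clip = ClipboardIsolation(shm)
    notepad_personal = Process(1001, "desktop-B", SecurityAttribute.PERSONAL)
    word_secure = Process(2002, "desktop-A", SecurityAttribute.SECURE)
    log: list[tuple[str, bool]] = []
    clip.on_set_clipboard_data(word_secure)        # copy inside the secure desktop
    log.append(("secure->secure", clip.on_get_clipboard_data(word_secure)))
    log.append(("secure->personal", clip.on_get_clipboard_data(notepad_personal)))
    clip.on_set_clipboard_data(notepad_personal)   # copy inside the personal desktop
    log.append(("personal->secure", clip.on_get_clipboard_data(word_secure)))
    log.append(("personal->personal", clip.on_get_clipboard_data(notepad_personal)))
    return log
```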
In practical application, as an alternative to constructing a multi-desktop form on the user terminal, the form of widgets (Web Widget, or Widget for short) may also be used, where adding a workspace (i.e. a desktop) means adding a Widget, and the workspaces corresponding to the Widgets are isolated through the UEM sandbox.
The UEM sandbox-based data leakage prevention scheme provided by this application example creates, in the user terminal, one or more secure workspaces (i.e. the security domains described above) that are completely logically isolated from the personal desktop (i.e. the personal domain described above). Software (applications) running in a secure workspace has data protection functions including VPN secure link isolation, file isolation, file encryption, network isolation, clipboard isolation, process isolation, registry isolation, screen watermarking, service isolation, and infrared and Bluetooth device isolation. Compared with data leakage prevention schemes in the related art, the user's existing desktop usage habits are unchanged, while the network, file and other operations of the secure workspace are completely isolated from the personal workspace, providing higher security.
To implement the method of the embodiments of the present application, the embodiments of the present application further provide a process management device, which is provided on a terminal. As shown in FIG. 4, the device includes:
a monitoring unit 401, configured to monitor the processes of the terminal and, when a first process is detected, determine, according to the desktop identifier carried by the first process, the first desktop to which the first process corresponds among the multiple desktops included in the terminal, where the system operation authority corresponding to each of the multiple desktops is the same or different and the processes corresponding to each desktop are isolated based on the sandbox; and
a processing unit 402, configured to determine the first policy corresponding to the first desktop using the correspondence between desktops and process processing policies, and to allow or prohibit the terminal from executing the operation corresponding to the first process according to the first policy.
In an embodiment, the process management device further includes:
an obtaining unit, configured to obtain the correspondence between desktops and process processing policies and the first policy from the shared memory of the multiple desktops.
In an embodiment, the multiple desktops included in the terminal include a first-type desktop and a second-type desktop, where the system operation authority corresponding to the first-type desktop is lower than that corresponding to the second-type desktop;
the processing unit 402 is configured to:
when the operation corresponding to the first process includes an operation by the second-type desktop on a file in the file directory corresponding to the first-type desktop, allow the terminal to execute the operation corresponding to the first process;
when the operation corresponding to the first process includes an operation by the first-type desktop on a file in the file directory corresponding to the second-type desktop, prohibit the terminal from executing the operation corresponding to the first process; wherein
the files in the file directory corresponding to each of the multiple desktops are isolated based on the sandbox.
In an embodiment, the operation corresponding to the first process includes an operation by the second type of desktop on a first file in the file directory corresponding to the first type of desktop; when allowing the terminal to execute the operation corresponding to the first process, the processing unit 402 is configured to:
when a redirection file corresponding to the first file exists in the file directory corresponding to the second type of desktop, control the terminal to execute the operation corresponding to the first process on the redirection file;
when no redirection file corresponding to the first file exists in the file directory corresponding to the second type of desktop, generate the redirection file corresponding to the first file in the file directory corresponding to the second type of desktop, and control the terminal to execute the operation corresponding to the first process on the redirection file.
In an embodiment, the processing unit 402 is configured to encrypt the redirection file when controlling the terminal to execute the operation corresponding to the first process on the redirection file.
In an embodiment, the processing unit 402 is configured to:
prohibit the terminal from executing the operation corresponding to the first process when that operation includes the first type of desktop pasting text or an image copied from the second type of desktop;
allow the terminal to execute the operation corresponding to the first process when that operation includes the second type of desktop pasting text or an image copied from the first type of desktop; wherein
the clipboard of each of the multiple desktops is isolated based on the sandbox.
In an embodiment, the processing unit 402 is configured to:
allow the terminal to execute the operation corresponding to the first process when it is determined according to the first policy that the first desktop has the permission to execute that operation;
prohibit the terminal from executing the operation corresponding to the first process when it is determined according to the first policy that the first desktop does not have the permission to execute that operation; wherein
the system service interfaces and network connection functions corresponding to each of the multiple desktops are isolated based on the sandbox;
the operation corresponding to the first process includes one of the following:
accessing a first local area network;
connecting to a second local area network;
calling a system service interface.
In an embodiment, the operation corresponding to the first process includes a screenshot operation; the processing unit 402 is configured to:
allow the terminal to execute the operation corresponding to the first process when the first desktop has screenshot permission;
when the first desktop does not have screenshot permission, prohibit the terminal from executing the operation corresponding to the first process, or generate a screenshot image containing traceable watermark information.
Here, the function of the monitoring unit 401 corresponds to part of the function of the process identification and isolation unit 303 in the application embodiment of the present application; the function of the obtaining unit corresponds to part of the function of the UEM data leakage prevention control unit 301; and the function of the processing unit 402 corresponds to the other functions of the UEM data leakage prevention control unit 301 and the process identification and isolation unit 303, together with the functions of the multi-desktop form unit 302, the file isolation unit 304, the file encryption and decryption unit 305, the VPN and network isolation unit 306, the registry isolation unit 307, the clipboard isolation unit 308, the screen watermark and anti-screenshot unit 309, the service isolation unit 310 and the infrared and Bluetooth device isolation unit 311.
The monitoring unit 401 and the obtaining unit may be implemented by a processor in the process management apparatus in combination with a communication interface; the processing unit 402 may be implemented by the processor in the process management apparatus.
It should be noted that when the process management apparatus provided by the above embodiment manages processes, the division into the above program modules is used only as an example; in practical application, the above processing may be assigned to different program modules as needed, that is, the internal structure of the process management apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the process management apparatus embodiment and the process management method embodiment belong to the same concept; for the specific implementation process, refer to the method embodiment, which is not repeated here.
Based on the hardware implementation of the above program modules, and in order to implement the method of the embodiments of the present application, an embodiment of the present application further provides a process management apparatus arranged on a terminal. As shown in FIG. 5, the process management apparatus 500 includes:
a communication interface 501, capable of exchanging information with other electronic devices;
a processor 502, connected to the communication interface 501 so as to exchange information with other electronic devices, and configured to execute the method provided by one or more of the above technical solutions when running a computer program;
a memory 503, configured to store a computer program that can run on the processor 502.
Specifically, the processor 502 is configured to perform the following operations:
monitor the processes of the terminal; when a first process is detected, determine, according to the desktop identifier carried by the first process, the first desktop to which the first process corresponds among the multiple desktops included in the terminal; the system operation permissions corresponding to the respective desktops included in the terminal are the same or different; and the processes corresponding to the respective desktops are isolated based on a sandbox;
determine, using the correspondence between desktops and process processing policies, the first policy corresponding to the first desktop; and, according to the first policy, allow or prohibit the terminal from executing the operation corresponding to the first process.
In an embodiment, the processor 502 is configured to perform the following operation:
obtain the correspondence between desktops and process processing policies, and the first policy, from the shared memory of the multiple desktops.
In an embodiment, the multiple desktops included in the terminal include a first type of desktop and a second type of desktop, the system operation permission corresponding to the first type of desktop being lower than that corresponding to the second type of desktop; the processor 502 is configured to perform the following operations:
allow the terminal to execute the operation corresponding to the first process when that operation includes an operation by the second type of desktop on a file in the file directory corresponding to the first type of desktop;
prohibit the terminal from executing the operation corresponding to the first process when that operation includes an operation by the first type of desktop on a file in the file directory corresponding to the second type of desktop; wherein
the files in the file directory corresponding to each of the multiple desktops are isolated based on the sandbox.
In an embodiment, the operation corresponding to the first process includes an operation by the second type of desktop on a first file in the file directory corresponding to the first type of desktop; when allowing the terminal to execute the operation corresponding to the first process, the processor 502 is configured to perform the following operations:
when a redirection file corresponding to the first file exists in the file directory corresponding to the second type of desktop, control the terminal to execute the operation corresponding to the first process on the redirection file;
when no redirection file corresponding to the first file exists in the file directory corresponding to the second type of desktop, generate the redirection file corresponding to the first file in the file directory corresponding to the second type of desktop, and control the terminal to execute the operation corresponding to the first process on the redirection file.
In an embodiment, the processor 502 is configured to perform the following operation:
encrypt the redirection file when controlling the terminal to execute the operation corresponding to the first process on the redirection file.
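The redirect-file rules stated here, and in the identical apparatus embodiment earlier (processing unit 402), amount to a copy-on-write broker: a process of the higher-privilege desktop that touches a file belonging to the lower-privilege desktop is served an encrypted private copy inside its own directory, created on first touch, while the reverse direction is refused. The following is an added example of that behaviour written for this page; it is not the patent's code nor any product's implementation. The desktop names, the `redirect/<owner>/...` directory layout, and the HMAC-SHA256 counter-mode construction standing in for real file encryption are all assumptions made for the demonstration.

```python
"""Copy-on-write file redirection between sandboxed desktops (added example, not
the patent's code). Desktop names, directory layout and the HMAC-based stand-in
cipher are assumptions for the demonstration."""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path


class DesktopType(Enum):
    PERSONAL = 1  # "first type": lower system operation permission
    SECURE = 2    # "second type": higher system operation permission


@dataclass
class Desktop:
    desktop_id: str
    kind: DesktopType
    root: Path  # file directory the sandbox isolates for this desktop


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher such as AES-GCM."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Layout: nonce(16) || tag(32) || body; the tag authenticates nonce and body."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("redirect file tampered with or wrong key")
    return bytes(b ^ k for b, k in zip(body, _keystream(key, nonce, len(body))))


class FileBroker:
    """Applies the two file rules and returns the path a process may really touch."""

    def __init__(self, desktops, key: bytes):
        self.desktops = {d.desktop_id: d for d in desktops}
        self.key = key

    def _owner(self, path: Path) -> Desktop:
        for d in self.desktops.values():
            try:
                path.resolve().relative_to(d.root.resolve())
                return d
            except ValueError:
                continue
        raise PermissionError(f"{path} is outside every sandboxed desktop directory")

    def resolve(self, desktop_id: str, target: Path):
        """Return (path_to_operate_on, redirected)."""
        caller, owner = self.desktops[desktop_id], self._owner(target)
        if owner is caller:
            return target, False
        if caller.kind is DesktopType.SECURE and owner.kind is DesktopType.PERSONAL:
            rel = target.resolve().relative_to(owner.root.resolve())
            redirect = caller.root / "redirect" / owner.desktop_id / rel
            if not redirect.exists():  # first touch: generate the encrypted redirect file
                redirect.parent.mkdir(parents=True, exist_ok=True)
                original = target.read_bytes() if target.exists() else b""
                redirect.write_bytes(encrypt(self.key, original))
            return redirect, True
        # personal -> secure is prohibited; other cross-desktop cases are denied too (assumption)
        raise PermissionError(f"{desktop_id} may not touch files of {owner.desktop_id}")

    def read(self, desktop_id: str, target: Path) -> bytes:
        path, redirected = self.resolve(desktop_id, target)
        data = path.read_bytes()
        return decrypt(self.key, data) if redirected else data

    def write(self, desktop_id: str, target: Path, data: bytes) -> None:
        path, redirected = self.resolve(desktop_id, target)
        path.write_bytes(encrypt(self.key, data) if redirected else data)


def demo() -> dict:
    """Constructed scenario: one personal and one secure desktop under a temp dir."""
    key = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    with tempfile.TemporaryDirectory() as tmp:
        personal = Desktop("personal", DesktopType.PERSONAL, Path(tmp) / "personal")
        secure = Desktop("secure", DesktopType.SECURE, Path(tmp) / "secure")
        for d in (personal, secure):
            d.root.mkdir()
        (personal.root / "notes.txt").write_bytes(b"personal notes v1")
        (secure.root / "plan.docx").write_bytes(b"confidential plan")
        broker, r = FileBroker([personal, secure], key), {}
        r["secure_reads_personal"] = broker.read("secure", personal.root / "notes.txt")
        broker.write("secure", personal.root / "notes.txt", b"edited in secure workspace")
        r["personal_original"] = (personal.root / "notes.txt").read_bytes()  # untouched
        r["secure_sees_edit"] = broker.read("secure", personal.root / "notes.txt")
        on_disk = (secure.root / "redirect" / "personal" / "notes.txt").read_bytes()
        r["redirect_is_ciphertext"] = b"edited" not in on_disk
        try:
            broker.read("personal", secure.root / "plan.docx")
            r["personal_reads_secure"] = "allowed"
        except PermissionError:
            r["personal_reads_secure"] = "denied"
        return r
```

`demo()` shows the three properties a reviewer of such a design checks: the lower-privilege desktop's original file is never modified by the higher-privilege desktop, the redirect copy on disk is ciphertext rather than plaintext, and the reverse direction fails closed. A production broker would enforce these rules in a file-system filter or hooked API rather than a Python class, and would key the redirect files from a per-workspace secret rather than a constant.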
In an embodiment, the processor 502 is configured to perform the following operations:
prohibit the terminal from executing the operation corresponding to the first process when that operation includes the first type of desktop pasting text or an image copied from the second type of desktop;
allow the terminal to execute the operation corresponding to the first process when that operation includes the second type of desktop pasting text or an image copied from the first type of desktop; wherein
the clipboard of each of the multiple desktops is isolated based on the sandbox.
In an embodiment, the processor 502 is configured to perform the following operations:
allow the terminal to execute the operation corresponding to the first process when it is determined according to the first policy that the first desktop has the permission to execute that operation;
prohibit the terminal from executing the operation corresponding to the first process when it is determined according to the first policy that the first desktop does not have the permission to execute that operation; wherein
the system service interfaces and network connection functions corresponding to each of the multiple desktops are isolated based on the sandbox;
the operation corresponding to the first process includes one of the following:
accessing a first local area network;
connecting to a second local area network;
calling a system service interface.
In an embodiment, the operation corresponding to the first process includes a screenshot operation; the processor 502 is configured to perform the following operations:
allow the terminal to execute the operation corresponding to the first process when the first desktop has screenshot permission;
when the first desktop does not have screenshot permission, prohibit the terminal from executing the operation corresponding to the first process, or generate a screenshot image containing traceable watermark information.
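The clipboard, network/service and screenshot embodiments above (for the processor 502, and identically for the processing unit 402 earlier) together describe one decision procedure: resolve the process's desktop identifier to a desktop, look up that desktop's policy in the shared table, and allow or deny the requested operation. The following added example implements that procedure over a small set of constructed monitoring events; it is example code written for this page, not the patent's code or any product's implementation. The desktop identifiers, policy contents, process names and the text chosen for the traceable watermark are assumptions.

```python
"""Per-desktop policy decisions for sandboxed processes (added example, not the
patent's code). Desktop ids, policy table and events are constructed for the demo."""
from dataclasses import dataclass
from enum import Enum


class DesktopType(Enum):
    PERSONAL = 1  # "first type": lower system operation permission
    SECURE = 2    # "second type": higher system operation permission


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    WATERMARK = "allow-with-watermark"  # the screenshot fallback described in the text


@dataclass(frozen=True)
class Policy:
    """One row of the desktop -> process-processing-policy table held in shared memory."""
    lans: frozenset       # local area networks processes of this desktop may reach
    services: frozenset   # system service interfaces they may call
    screenshot: Verdict   # ALLOW, DENY or WATERMARK


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    desktop_id: str       # desktop identifier carried by the process


@dataclass(frozen=True)
class Operation:
    kind: str             # "paste" | "lan" | "service" | "screenshot"
    target: str = ""      # LAN or service name, or the desktop the clipboard data came from


class PolicyEngine:
    def __init__(self, desktops: dict, policies: dict):
        self.desktops = desktops  # desktop_id -> DesktopType
        self.policies = policies  # desktop_id -> Policy

    def decide(self, proc: Process, op: Operation) -> Verdict:
        kind = self.desktops.get(proc.desktop_id)
        policy = self.policies.get(proc.desktop_id)
        if kind is None or policy is None:
            return Verdict.DENY  # unknown desktop identifier: fail closed
        if op.kind == "paste":
            src = self.desktops.get(op.target)
            if src is None:
                return Verdict.DENY
            # clipboard data copied on the higher-privilege desktop may not be pasted on the lower one
            if kind is DesktopType.PERSONAL and src is DesktopType.SECURE:
                return Verdict.DENY
            return Verdict.ALLOW
        if op.kind == "lan":
            return Verdict.ALLOW if op.target in policy.lans else Verdict.DENY
        if op.kind == "service":
            return Verdict.ALLOW if op.target in policy.services else Verdict.DENY
        if op.kind == "screenshot":
            return policy.screenshot
        return Verdict.DENY  # operation kinds the policy does not know are denied


def watermark_label(proc: Process) -> str:
    """Traceable text to stamp on a WATERMARK screenshot (the fields are an assumption)."""
    return f"desktop={proc.desktop_id} pid={proc.pid} app={proc.name}"


# Constructed policy table: the personal desktop reaches only the home LAN and the
# print service; the secure desktop reaches the corporate LAN, VPN, and gets watermarks.
DESKTOPS = {"personal": DesktopType.PERSONAL, "secure": DesktopType.SECURE}
POLICIES = {
    "personal": Policy(frozenset({"home-lan"}), frozenset({"print"}), Verdict.ALLOW),
    "secure": Policy(frozenset({"corp-lan"}), frozenset({"print", "vpn"}), Verdict.WATERMARK),
}

EVENTS = [  # constructed monitoring events: (detected process, requested operation)
    (Process(4101, "browser.exe", "secure"), Operation("lan", "corp-lan")),
    (Process(2207, "browser.exe", "personal"), Operation("lan", "corp-lan")),
    (Process(2210, "notepad.exe", "personal"), Operation("paste", "secure")),
    (Process(4120, "word.exe", "secure"), Operation("paste", "personal")),
    (Process(2215, "tool.exe", "personal"), Operation("service", "vpn")),
    (Process(4130, "vpnclient.exe", "secure"), Operation("service", "vpn")),
    (Process(4140, "snip.exe", "secure"), Operation("screenshot")),
    (Process(2220, "snip.exe", "personal"), Operation("screenshot")),
    (Process(9999, "unknown.exe", "no-such-desktop"), Operation("lan", "home-lan")),
]


def run_demo() -> list:
    """Decide every constructed event; returns the verdict values in event order."""
    engine = PolicyEngine(DESKTOPS, POLICIES)
    return [engine.decide(p, o).value for p, o in EVENTS]
```

The two design points worth noting are that every lookup failure (unknown desktop identifier, unknown source desktop, unknown operation kind) resolves to a deny rather than an allow, and that the clipboard rule is expressed as a direction between desktop types rather than as a per-application exception, which is what keeps the higher-privilege workspace's data from flowing downward however the data was copied.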
It should be noted that the specific process by which the processor 502 performs the above operations is detailed in the method embodiment and is not repeated here.
Of course, in practical application, the components of the process management apparatus 500 are coupled together through a bus system 504. It can be understood that the bus system 504 is used to implement connection and communication between these components. In addition to a data bus, the bus system 504 includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as the bus system 504 in FIG. 5.
The memory 503 in the embodiment of the present application is used to store various types of data to support the operation of the process management apparatus 500. Examples of such data include any computer program used to operate on the process management apparatus 500.
The method disclosed in the above embodiments of the present application may be applied to, or implemented by, the processor 502. The processor 502 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 502 or by instructions in the form of software. The processor 502 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 502 may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium located in the memory 503; the processor 502 reads the information in the memory 503 and completes the steps of the above method in combination with its hardware.
In an exemplary embodiment, the process management apparatus 500 may be implemented by one or more application-specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, microcontroller units (MCU), microprocessors, or other electronic components, to execute the above method.
It can be understood that the memory 503 of the embodiment of the present application may be a volatile memory or a non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory, magnetic surface memory, an optical disc, or a compact disc read-only memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory. The volatile memory may be a random access memory (RAM), which serves as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), SyncLink dynamic random access memory (SLDRAM), and direct Rambus random access memory (DRRAM). The memory described in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
In an exemplary embodiment, an embodiment of the present application further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example including the memory 503 storing a computer program, which can be executed by the processor 502 of the process management apparatus 500 to complete the steps of the above method. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc, or CD-ROM.
It should be noted that "first", "second" and the like are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily provided there is no conflict.
The above are only preferred embodiments of the present application and are not intended to limit the protection scope of the present application.
Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011186959.0A CN112269986B (en) | 2020-10-29 | 2020-10-29 | Process management method, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011186959.0A CN112269986B (en) | 2020-10-29 | 2020-10-29 | Process management method, device and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112269986A true CN112269986A (en) | 2021-01-26 |
| CN112269986B CN112269986B (en) | 2025-01-17 |
Family
ID=74344933
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011186959.0A Active CN112269986B (en) | 2020-10-29 | 2020-10-29 | Process management method, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112269986B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113918359A (en) * | 2021-09-29 | 2022-01-11 | 西安万像电子科技有限公司 | Data copying and pasting system, method and device |
| CN118916918A (en) * | 2024-10-10 | 2024-11-08 | 北京时代亿信科技股份有限公司 | File processing method and electronic equipment |
| CN119475287A (en) * | 2025-01-14 | 2025-02-18 | 江苏意源科技有限公司 | A method, device and equipment for tracing source based on digital certificate and hidden watermark |
Citations (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070101435A1 (en) * | 2005-10-14 | 2007-05-03 | Check Point Software Technologies, Inc. | System and Methodology Providing Secure Workspace Environment |
| US7246374B1 (en) * | 2000-03-13 | 2007-07-17 | Microsoft Corporation | Enhancing computer system security via multiple user desktops |
| CN102024110A (en) * | 2010-12-14 | 2011-04-20 | 汉柏科技有限公司 | Method and system for safely isolating desktop |
| CN102043927A (en) * | 2010-12-29 | 2011-05-04 | 北京深思洛克软件技术股份有限公司 | Computer system for data divulgence protection |
| CN104008330A (en) * | 2014-05-23 | 2014-08-27 | 武汉华工安鼎信息技术有限责任公司 | Data leakage prevention system and method based on file centralized storage and isolation technology |
| CN104318179A (en) * | 2014-10-30 | 2015-01-28 | 成都卫士通信息产业股份有限公司 | File redirection technology based virtualized security desktop |
| US20150106917A1 (en) * | 2013-10-11 | 2015-04-16 | Centrify Corporation | Method and apparatus for creating switchable desktops with separate authorizations |
| US20150146231A1 (en) * | 2013-10-23 | 2015-05-28 | Avecto Limited | Computer device and method for isolating untrusted content |
| US20170017508A1 (en) * | 2015-07-17 | 2017-01-19 | Backes Srt Gmbh | Method for forming a virtual environment in an operating system of a computer |
| CN107358097A (en) * | 2017-07-23 | 2017-11-17 | 宣以政 | A kind of method and system in open environment Computer protecting information safety |
| US20180316649A1 (en) * | 2017-04-28 | 2018-11-01 | Dell Products L.P. | Browser drag and drop file upload encryption enforcement |
| CN109117664A (en) * | 2018-07-19 | 2019-01-01 | 北京明朝万达科技股份有限公司 | The access control method and device of application program |
| US10263986B1 (en) * | 2014-07-07 | 2019-04-16 | Quest Software Inc. | Privilege elevation system and method for desktop administration |
| CN111158857A (en) * | 2019-12-24 | 2020-05-15 | 深信服科技股份有限公司 | Data encryption method, device, equipment and storage medium |
Application history
- 2020-10-29: CN application CN202011186959.0A, granted publication CN112269986B, legal status Active
Patent Citations (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7246374B1 (en) * | 2000-03-13 | 2007-07-17 | Microsoft Corporation | Enhancing computer system security via multiple user desktops |
| US20070101435A1 (en) * | 2005-10-14 | 2007-05-03 | Check Point Software Technologies, Inc. | System and Methodology Providing Secure Workspace Environment |
| CN102024110A (en) * | 2010-12-14 | 2011-04-20 | 汉柏科技有限公司 | Method and system for safely isolating desktop |
| CN102043927A (en) * | 2010-12-29 | 2011-05-04 | 北京深思洛克软件技术股份有限公司 | Computer system for data divulgence protection |
| US20150106917A1 (en) * | 2013-10-11 | 2015-04-16 | Centrify Corporation | Method and apparatus for creating switchable desktops with separate authorizations |
| US20150146231A1 (en) * | 2013-10-23 | 2015-05-28 | Avecto Limited | Computer device and method for isolating untrusted content |
| CN104008330A (en) * | 2014-05-23 | 2014-08-27 | 武汉华工安鼎信息技术有限责任公司 | Data leakage prevention system and method based on file centralized storage and isolation technology |
| US10263986B1 (en) * | 2014-07-07 | 2019-04-16 | Quest Software Inc. | Privilege elevation system and method for desktop administration |
| CN104318179A (en) * | 2014-10-30 | 2015-01-28 | 成都卫士通信息产业股份有限公司 | File redirection technology based virtualized security desktop |
| US20170017508A1 (en) * | 2015-07-17 | 2017-01-19 | Backes Srt Gmbh | Method for forming a virtual environment in an operating system of a computer |
| US20180316649A1 (en) * | 2017-04-28 | 2018-11-01 | Dell Products L.P. | Browser drag and drop file upload encryption enforcement |
| CN107358097A (en) * | 2017-07-23 | 2017-11-17 | 宣以政 | A kind of method and system in open environment Computer protecting information safety |
| CN109117664A (en) * | 2018-07-19 | 2019-01-01 | 北京明朝万达科技股份有限公司 | The access control method and device of application program |
| CN111158857A (en) * | 2019-12-24 | 2020-05-15 | 深信服科技股份有限公司 | Data encryption method, device, equipment and storage medium |
Non-Patent Citations (3)
| Title |
|---|
| 史乐平, 吴邦欲, 顾明: "Improvement of the page swapping algorithm of the desktop Linux operating system", 计算机应用研究, no. 08, 28 August 2005 (2005-08-28) * |
| 薛亮;朱雄泳;陈慧妍;: "Optimization strategies in the implementation, operation and maintenance of virtual desktop technology", 广东第二师范学院学报, no. 05 * |
| 陈华清;吴键;: "Research on desktop inter-process communication mechanisms in open systems", 计算机应用研究, no. 10, 10 October 2006 (2006-10-10) * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113918359A (en) * | 2021-09-29 | 2022-01-11 | 西安万像电子科技有限公司 | Data copying and pasting system, method and device |
| CN118916918A (en) * | 2024-10-10 | 2024-11-08 | 北京时代亿信科技股份有限公司 | File processing method and electronic equipment |
| CN118916918B (en) * | 2024-10-10 | 2025-01-03 | 北京时代亿信科技股份有限公司 | File processing method and electronic equipment |
| CN119475287A (en) * | 2025-01-14 | 2025-02-18 | 江苏意源科技有限公司 | A method, device and equipment for tracing source based on digital certificate and hidden watermark |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112269986B (en) | 2025-01-17 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI241818B (en) | Application-based data encryption system and method thereof | |
| US20210192062A1 (en) | Systems and methods for screenshot mediation based on policy | |
| US9692597B2 (en) | Apparatus and method for content handling | |
| JP4578119B2 (en) | Information processing apparatus and security ensuring method in information processing apparatus | |
| US9172724B1 (en) | Licensing and authentication with virtual desktop manager | |
| KR101705550B1 (en) | Method and software product for controlling application program which access secure saving area | |
| CN112269986A (en) | Process management method, device and storage medium | |
| RU2559728C2 (en) | System and method of encoding files from encrypted drive | |
| CN104268484A (en) | Cloud environment data leakage prevention method based on virtual isolation mechanism | |
| CN113536369A (en) | Electronic file real-time transparent storage encryption and decryption method and system and related products | |
| US20150121538A1 (en) | Techniques for managing security modes applied to application program execution | |
| CN105303074A (en) | Method for protecting security of Web application | |
| WO2015176531A1 (en) | Terminal data writing and reading methods and devices | |
| US10642984B2 (en) | Secure drive and method for booting to known good-state | |
| EP3298534B1 (en) | Creating multiple workspaces in a device | |
| CN103425938B (en) | The folder encryption method of one kind Unix operating system and device | |
| US20090150682A1 (en) | Third Party Secured Storage for Web Services and Web Applications | |
| TW200905516A (en) | Method and system for protecting file data against divulgence | |
| CN112434285B (en) | File management method, device, electronic equipment and storage medium | |
| JP4516598B2 (en) | How to control document copying | |
| CN105205403A (en) | Method and system for managing and controlling file data of local area network based on file filtering | |
| JP2007148466A (en) | Portable storage device and os | |
| CN113626149B (en) | Business secret protection method and system based on terminal virtualization | |
| JP7527539B2 (en) | Electronic data management method, electronic data management device, program therefor, and recording medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||