With the development of cloud computing, container technology has been widely adopted in many fields. However, unlike traditional virtualization technology, container technology provides no hardware simulation or instruction interpretation: multiple containers share one system kernel, which brings performance benefits but also serious challenges to system security. Ensuring secure access to files has therefore become a top priority of container security. Although there are many solutions for enhancing the file security of containers, such as the Linux-native AppArmor, which controls access through path matching in kernel mode, and gVisor, which uses the Gofer file proxy to block illegal file access in user mode, these solutions impose a large performance loss on the container and cannot meet the container's file security and performance requirements at the same time. To solve this problem, a file access control mechanism based on inode virtualization, named Vinode, is designed and implemented using Linux modularization. For each container, Vinode extracts the inode numbers and permission information needed for file access control and virtualizes the corresponding inodes inside the module; it filters out unnecessary access control checks through identification. When a container is started, Vinode is loaded as a Linux kernel module and virtualizes the inodes of the corresponding files according to the configured permission-checking rules. When the container accesses a file, the control mechanism running in kernel mode enforces the access permissions based on the virtualized inode information, achieving fine-grained access control over a single file in the container as well as over all files in a directory. Experimental results show that the mechanism adds only 1-2% performance overhead to the start, stop, and removal of a container. For file operations, the mechanism performs 1-10× better than gVisor. Compared with AppArmor, it improves performance by more than 5% on conventional file operations, and the improvements on the statx, read, and write system calls reach 27.38%, 8.96%, and 9.37% respectively.
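The abstract describes the enforcement idea only in outline: a per-container table of virtualized inodes carrying permission bits, a fast path that skips files not under policy, and rules that apply either to a single file or to all files in a directory. The following is an added user-space model of that check, written for this page and not taken from the Vinode paper or its kernel module; the permission bits (VI_READ, VI_WRITE, VI_EXEC), the rule layout, the precedence of a file rule over a directory rule, and all inode numbers in the sample policy are assumptions chosen for illustration.

```c
/* Illustrative user-space model of an inode-keyed, per-container access
 * check. Added example, not Vinode's kernel code: the rule layout, the
 * precedence and the permission bits below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical permission bits carried by a virtualized inode entry. */
#define VI_READ  0x1u
#define VI_WRITE 0x2u
#define VI_EXEC  0x4u

/* One virtualized inode: a rule for a single file, or (is_dir) for every
 * file directly inside a directory, scoped to one container id. */
struct vinode {
    uint32_t container;
    uint64_t ino;
    uint8_t  allowed;   /* VI_* bits the container may use on it */
    bool     is_dir;
};

struct vinode_table {
    const struct vinode *rules;
    size_t n;
};

enum vinode_verdict { VINODE_UNGOVERNED = 0, VINODE_ALLOW = 1, VINODE_DENY = 2 };

/* Find the rule that applies to (container, ino, parent_ino).
 * Assumed precedence: a rule on the file itself beats a rule on its directory. */
static const struct vinode *vinode_lookup(const struct vinode_table *t,
                                          uint32_t container,
                                          uint64_t ino, uint64_t parent_ino)
{
    const struct vinode *dir_rule = NULL;
    for (size_t i = 0; i < t->n; i++) {
        const struct vinode *r = &t->rules[i];
        if (r->container != container)
            continue;
        if (!r->is_dir && r->ino == ino)
            return r;                       /* exact file rule wins */
        if (r->is_dir && r->ino == parent_ino && dir_rule == NULL)
            dir_rule = r;                   /* first matching directory rule */
    }
    return dir_rule;
}

/* Enforcement point. A file with no rule for this container is "filtered":
 * no policy applies and only the kernel's ordinary permission check remains.
 * Otherwise every requested bit must be present in the rule's allowed set. */
enum vinode_verdict vinode_check(const struct vinode_table *t, uint32_t container,
                                 uint64_t ino, uint64_t parent_ino, uint8_t requested)
{
    const struct vinode *r = vinode_lookup(t, container, ino, parent_ino);
    if (r == NULL)
        return VINODE_UNGOVERNED;
    return (requested & ~r->allowed) == 0 ? VINODE_ALLOW : VINODE_DENY;
}

/* Constructed sample policy for container 1 (all inode numbers are made up):
 * file 1001 read-only; every file in directory 2000 read-write, except
 * file 2001 inside it, which is read-only. */
static const struct vinode demo_rules[] = {
    { .container = 1, .ino = 1001, .allowed = VI_READ,            .is_dir = false },
    { .container = 1, .ino = 2000, .allowed = VI_READ | VI_WRITE, .is_dir = true  },
    { .container = 1, .ino = 2001, .allowed = VI_READ,            .is_dir = false },
};
static const struct vinode_table demo_table = { demo_rules, 3 };

static const char *verdict_name(enum vinode_verdict v)
{
    return v == VINODE_ALLOW ? "allow" : v == VINODE_DENY ? "deny" : "ungoverned";
}

int main(void)
{
    printf("c1 read  1001         -> %s\n", verdict_name(vinode_check(&demo_table, 1, 1001, 50, VI_READ)));
    printf("c1 write 1001         -> %s\n", verdict_name(vinode_check(&demo_table, 1, 1001, 50, VI_WRITE)));
    printf("c1 write 2005 in 2000 -> %s\n", verdict_name(vinode_check(&demo_table, 1, 2005, 2000, VI_WRITE)));
    printf("c1 write 2001 in 2000 -> %s\n", verdict_name(vinode_check(&demo_table, 1, 2001, 2000, VI_WRITE)));
    printf("c1 write 3000 no rule -> %s\n", verdict_name(vinode_check(&demo_table, 1, 3000, 60, VI_WRITE)));
    printf("c2 write 1001         -> %s\n", verdict_name(vinode_check(&demo_table, 2, 1001, 50, VI_WRITE)));
    return 0;
}
```

The ungoverned verdict is the piece that matters for the abstract's performance claim: a check that returns early for every inode outside the policy table is what keeps the per-access cost low compared with matching every path string, so a real implementation would want that lookup to be an O(1) hash or a per-inode mark rather than the linear scan used here for clarity.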