WO2025066244A1 - Sandbox-based file operation processing method, apparatus, and electronic device - Google Patents
- Publication number
- WO2025066244A1 (PCT/CN2024/096651)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- sandbox
- clone
- application
- dlp
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
Definitions
- The structure illustrated in the embodiment of the present application does not constitute a specific limitation on the electronic device 100.
- The electronic device 100 may include more or fewer components than shown in the figure, or combine some components, or split some components, or arrange the components differently.
- The components shown in the figure may be implemented in hardware, software, or a combination of software and hardware.
- The processor 110 may include one or more processing units. For example, the processor 110 may include an application processor (AP), a modem processor, a graphics processor (GPU), an image signal processor (ISP), a controller, a video codec, a digital signal processor (DSP), a baseband processor, and/or a neural-network processing unit (NPU), etc.
- Different processing units may be independent devices or integrated in one or more processors.
- The controller can generate operation control signals according to the instruction operation code and timing signal to complete the control of instruction fetching and execution.
- The processor 110 may also be provided with a memory for storing instructions and data.
- The memory in the processor 110 is a cache memory.
- The memory may store instructions or data that the processor 110 has just used or cyclically used. If the processor 110 needs to use the instruction or data again, it may be directly called from the memory. This avoids repeated access, reduces the waiting time of the processor 110, and thus improves the efficiency of the system.
Description
This application claims priority to Chinese patent application No. 202311280981.5, filed with the China National Intellectual Property Administration on September 28, 2023 and entitled "Sandbox-based file operation processing method, apparatus, and electronic device", the entire contents of which are incorporated herein by reference.
The embodiments of the present application relate to the field of smart terminal technology, and in particular to a sandbox-based file operation processing method, apparatus, and electronic device.
To ensure data security, many enterprises deploy data loss prevention (DLP) services in their internal networks.
Before a file is transferred, it can be encrypted locally, with authorization granted separately to the users on a selected user list. During this processing, file encryption and decryption can also be controlled in combination with components such as file management, system capability management services, permission management services and/or a user-mode file system (fuse).
A DLP management application implements sandbox-level control by creating sandbox clones of applications. The plaintext of an encrypted, permission-controlled document can be viewed only inside the sandbox clone of a legitimate user, and because of the permission control in the sandbox environment, the transfer of encrypted, permission-controlled documents is restricted. This security-based design protects document data to the greatest extent.
Because control is based on the sandbox mechanism, a sandboxed application cannot launch other external applications to share data as the usage scenario requires. Collaborative processing of the same task by multiple applications is therefore restricted, especially for documents with read-only permission.
Summary of the invention
The present application provides a sandbox-based file operation processing method, apparatus, and electronic device, and also provides a computer-readable storage medium, so that operations on DLP files are processed through associated sandbox clones. The control policy of the associated sandbox clones is the same as the control policy of the DLP file, which ensures the security of the DLP file. The associated sandbox clones can also exchange data and process tasks collaboratively, so that the user's last usage scene can be restored and the user experience improved.
In a first aspect, the present application provides a sandbox-based file operation processing method, including: in response to an access request for a data leakage protection (DLP) file, creating a first sandbox clone of a first application, and opening the DLP file through the first sandbox clone, wherein the first sandbox clone is associated with the DLP file; in response to a first operation on the DLP file, obtaining a second sandbox clone for processing the first operation, wherein the second sandbox clone includes a sandbox clone of a second application, and the control policies of the first sandbox clone and the second sandbox clone are the same as the control policy of the DLP file; and processing the first operation through the second sandbox clone.
In the above sandbox-based operation processing method, the electronic device creates a first sandbox clone of the first application in response to an access request for the DLP file and opens the DLP file through the first sandbox clone. Then, in response to the first operation on the DLP file, the electronic device obtains a second sandbox clone for processing the first operation and processes the first operation through the second sandbox clone. The second sandbox clone can be a sandbox clone of the second application, the first sandbox clone is associated with the DLP file, and the control policies of the first sandbox clone and the second sandbox clone are the same as the control policy of the DLP file, which ensures the security of the DLP file. The DLP file, the first sandbox clone and the second sandbox clone can form a small system, and multiple sandbox clones working together can retain the operating environment and configuration information of the DLP file, which makes it easy to reproduce the scene the next time the controlled user opens the DLP file and improves the user experience.
In one possible implementation, obtaining the second sandbox clone for processing the first operation includes: querying the sandbox clones associated with the first sandbox clone; and, in response to the second sandbox clone not existing among the sandbox clones associated with the first sandbox clone, creating the second sandbox clone and associating the second sandbox clone with the first sandbox clone.
In one possible implementation, before obtaining the second sandbox clone for processing the first operation, the method further includes: in response to the first operation on the DLP file, receiving a first operation processing request initiated by the first sandbox clone, the first operation processing request being used to request the second sandbox clone to process the first operation.
In one possible implementation, before creating the second sandbox clone and associating the second sandbox clone with the first sandbox clone, the method further includes: in response to the second sandbox clone not existing among the sandbox clones associated with the first sandbox clone, obtaining a second application that listens for the first operation; and notifying the second application of the first operation.
In one possible implementation, before creating the second sandbox clone and associating the second sandbox clone with the first sandbox clone, the method further includes: determining whether the second application is a trusted application; and, if the second application is a trusted application, executing the step of creating the second sandbox clone and associating the second sandbox clone with the first sandbox clone.
In one possible implementation, determining whether the second application is a trusted application includes: determining whether the second application is in a data table, wherein the data table stores the configured trusted applications.
In one possible implementation, the first sandbox clone and the second sandbox clone constitute a sandbox group, and the method further includes: in response to a second operation on the DLP file, receiving a second operation processing request initiated by the first sandbox clone or the second sandbox clone, the second operation processing request being used to request a third application to process the second operation; creating a third sandbox clone of the third application and adding the third sandbox clone to the sandbox group; and processing the second operation through the third sandbox clone.
In one possible implementation, after the first operation is processed through the second sandbox clone, the method further includes: detecting a write operation of the second sandbox clone on the DLP file; and, in response to the write operation, the first sandbox clone reading the modified DLP file.
In one possible implementation, the first operation includes a selection operation of the first sandbox clone on content of the DLP file, and the DLP file is a read-only file; and processing the first operation through the second sandbox clone includes: translating the selected content in the DLP file through the second sandbox clone.
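The clone lookup, trusted-application check and shared control policy of the first aspect can be modelled as follows. This is an added Python example, not code from the application; the class and function names, the single `read_only` policy field and the sample files and application names are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Control policy of a DLP file; the single field is a constructed stand-in."""
    read_only: bool


@dataclass
class DlpFile:
    name: str
    policy: Policy
    content: str


class UntrustedAppError(Exception):
    """An application outside the trusted-application table asked to join a group."""


@dataclass(eq=False)
class SandboxClone:
    app: str
    dlp_file: DlpFile

    @property
    def policy(self) -> Policy:
        # A clone holds no policy of its own: it always resolves to the file's
        # policy, so every clone in a group is controlled identically.
        return self.dlp_file.policy

    def read(self) -> str:
        return self.dlp_file.content

    def write(self, new_content: str) -> None:
        if self.policy.read_only:
            raise PermissionError(f"{self.app}: {self.dlp_file.name} is read-only")
        self.dlp_file.content = new_content


class DlpManager:
    """Hypothetical DLP management application that owns the sandbox groups."""

    def __init__(self, trusted_apps):
        self.trusted_apps = frozenset(trusted_apps)  # the "data table"
        self.groups = {}                             # file name -> {app: clone}

    def open_file(self, app: str, dlp_file: DlpFile) -> SandboxClone:
        """Access request: create the first clone and associate it with the file."""
        group = self.groups.setdefault(dlp_file.name, {})
        if app not in group:
            group[app] = SandboxClone(app, dlp_file)
        return group[app]

    def get_handler(self, requester: SandboxClone, app: str) -> SandboxClone:
        """Operation request: reuse an associated clone or create and associate one."""
        group = self.groups.get(requester.dlp_file.name, {})
        if group.get(requester.app) is not requester:
            raise PermissionError("requester is not a member of this sandbox group")
        if app in group:                      # query the associated clones first
            return group[app]
        if app not in self.trusted_apps:      # trusted-application check
            raise UntrustedAppError(app)
        clone = SandboxClone(app, requester.dlp_file)
        group[app] = clone                    # the group grows; the policy does not change
        return clone


def demo() -> dict:
    manager = DlpManager(trusted_apps={"translator", "editor"})
    # Read-only file: a selection in the first clone is handled by a translator clone.
    report = DlpFile("report.dlp", Policy(read_only=True), "constructed sample text")
    first = manager.open_file("reader", report)
    second = manager.get_handler(first, "translator")
    try:
        manager.get_handler(first, "uploader")
        untrusted_blocked = False
    except UntrustedAppError:
        untrusted_blocked = True
    try:
        second.write("tampered")
        read_only_enforced = False
    except PermissionError:
        read_only_enforced = True
    # Writable file: the first clone reads what the second clone wrote.
    notes = DlpFile("notes.dlp", Policy(read_only=False), "draft")
    viewer = manager.open_file("reader", notes)
    manager.get_handler(viewer, "editor").write("draft, revised")
    return {
        "shared_policy": second.policy is report.policy,
        "clone_reused": manager.get_handler(first, "translator") is second,
        "untrusted_blocked": untrusted_blocked,
        "read_only_enforced": read_only_enforced,
        "group": sorted(manager.groups["report.dlp"]),
        "first_sees_write": viewer.read(),
    }


if __name__ == "__main__":
    print(demo())
```

Because a clone resolves its policy through the file rather than holding a copy, adding a trusted application to the group cannot widen what the group may do with the file.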
In a second aspect, the present application provides a document operation processing apparatus, which is included in an electronic device and has the function of implementing the behavior of the electronic device in the first aspect and the possible implementations of the first aspect. The function can be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above function, for example, a creation module, an opening module, an acquisition module, and a processing module.
In a third aspect, the present application provides an electronic device, including: one or more processors; a memory; and one or more computer programs, wherein the one or more computer programs are stored in the memory and include instructions which, when executed by the electronic device, cause the electronic device to perform the method provided in the first aspect.
It should be understood that the second and third aspects of the present application are consistent with the technical solution of the first aspect of the present application, and the beneficial effects achieved by each aspect and the corresponding feasible implementations are similar and are not repeated here.
In a fourth aspect, the present application provides a computer-readable storage medium in which a computer program is stored. When the computer program runs on a computer, the computer is caused to execute the method provided in the first aspect.
In a fifth aspect, the present application provides a computer program which, when executed by a computer, is used to execute the method provided in the first aspect.
In one possible design, the program in the fifth aspect may be stored in whole or in part on a storage medium packaged together with the processor, or may be stored in whole or in part on a memory not packaged together with the processor.
FIG. 1 is a schematic diagram of the structure of an electronic device provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of an application scenario of a sandbox-based operation processing method provided by an embodiment of the present application;
FIG. 3 is a diagram of an implementation architecture of a sandbox-based operation processing method provided by an embodiment of the present application;
FIG. 4 is a flow chart of a sandbox-based operation processing method provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of a file owner configuring a trusted application according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a first sandbox clone actively requesting association with a second sandbox clone according to an embodiment of the present application;
FIG. 7 is a schematic diagram of an external application passively associating with a first sandbox clone according to an embodiment of the present application;
FIG. 8 is a schematic diagram of the structure of an electronic device provided by another embodiment of the present application;
FIG. 9 is a schematic diagram of the structure of an electronic device provided by yet another embodiment of the present application.
本申请的实施方式部分使用的术语仅用于对本申请的具体实施例进行解释,而非旨在限定本申请。 The terms used in the implementation section of this application are only used to explain the specific embodiments of this application and are not intended to limit this application.
当前基于沙箱机制进行管控,沙箱应用无法根据使用场景拉起其他外部应用进行数据共享,因此多应用协同处理同一业务会被限制,尤其是只读权限文档。并且,现有的沙箱机制不支持多个沙箱应用自动配置同一管控策略,无法支持多个同策略管控应用协同处理同一文档;并且,现有相关技术中,DLP机制并不支持受管控沙箱应用拉起外部应用,尤其是只读管控,并且沙箱内应用的操作,外部应用无法感知,无法进行协同处理,对用户来说有很多常见的协同操作场景无法完成,用户体验较差。Currently, the management and control is based on the sandbox mechanism. Sandbox applications cannot pull up other external applications to share data according to the usage scenario. Therefore, the collaborative processing of the same business by multiple applications will be restricted, especially for read-only permission documents. In addition, the existing sandbox mechanism does not support multiple sandbox applications to automatically configure the same management policy, and cannot support multiple applications with the same policy to collaboratively process the same document; and in the existing related technologies, the DLP mechanism does not support the controlled sandbox application to pull up external applications, especially read-only control, and the operations of the applications in the sandbox cannot be perceived by external applications and cannot be collaboratively processed. For users, many common collaborative operation scenarios cannot be completed, and the user experience is poor.
In view of the above problems, an embodiment of the present application provides a sandbox-based operation processing method in which operations on a DLP file are processed through associated sandbox clones that are managed by the DLP management application. The control policy of the associated sandbox clones is the same as the control policy of the DLP file, and the associated sandbox clones can share data, such as encrypted files. In addition, in the embodiment of the present application the associated sandbox clones expose a listening interface, so that events triggered by the associated sandbox clones can be listened for by external applications. The DLP management application can create a sandbox clone of such an external application and add it to the associated sandbox clones, so that operations on the DLP file are processed collaboratively.
The sandbox-based operation processing method provided in the embodiment of the present application can be applied to an electronic device, which may be a smartphone, a tablet computer, a wearable device, a vehicle-mounted device, an augmented reality (AR)/virtual reality (VR) device, a laptop computer, an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA) or a similar device. The embodiment of the present application places no restriction on the specific type of electronic device.
By way of example, FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of the present application. As shown in FIG. 1, the electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (USB) interface 130, a charging management module 140, a power management module 141, a battery 142, an antenna 1, an antenna 2, a mobile communication module 150, a wireless communication module 160, an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, an earphone interface 170D, a sensor module 180, a button 190, a motor 191, an indicator 192, a camera 193, a display screen 194, a subscriber identification module (SIM) card interface 195, and so on. The sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity light sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, a bone conduction sensor 180M, and so on.
It should be understood that the structure illustrated in the embodiment of the present application does not constitute a specific limitation on the electronic device 100. In other embodiments of the present application, the electronic device 100 may include more or fewer components than shown, combine some components, split some components, or arrange the components differently. The components shown may be implemented in hardware, software, or a combination of software and hardware.
The processor 110 may include one or more processing units. For example, the processor 110 may include an application processor (AP), a modem processor, a graphics processing unit (GPU), an image signal processor (ISP), a controller, a video codec, a digital signal processor (DSP), a baseband processor, and/or a neural-network processing unit (NPU). Different processing units may be independent devices or may be integrated in one or more processors.
The controller can generate operation control signals according to the instruction operation code and timing signals, to control instruction fetching and instruction execution.
The processor 110 may also be provided with a memory for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache memory. This memory may hold instructions or data that the processor 110 has just used or uses cyclically. If the processor 110 needs the instructions or data again, it can fetch them directly from this memory. This avoids repeated access and reduces the waiting time of the processor 110, thereby improving the efficiency of the system.
For ease of understanding, the following embodiments of the present application take an electronic device having the structure shown in FIG. 1 as an example and, with reference to the accompanying drawings and application scenarios, describe in detail the sandbox-based operation processing method provided in the embodiments of the present application.
FIG. 2 is a schematic diagram of an application scenario of the sandbox-based operation processing method provided by an embodiment of the present application. In this embodiment, the DLP management application processes operations on a DLP file through associated sandbox clones. As shown in FIG. 2, in order to manage these associated sandbox clones, the DLP management application creates a sandbox group for the DLP file. The DLP management application manages the sandbox group corresponding to the DLP file, including the life cycle of the group. The control policy of the sandbox group is the same as the control policy of the DLP file, and applications that later join the sandbox group are uniformly configured by the DLP management application with the same control policy as the DLP file. In FIG. 2, application A is the first application to process the DLP file. In a specific implementation, the DLP management application creates a sandbox clone of application A and processes the DLP file through it; the sandbox clone of application A and the DLP file are controlled by the same policy. After the DLP management application creates the sandbox group corresponding to the DLP file, it adds the sandbox clone of application A to the sandbox group. If application A needs application B to process a task collaboratively, application A can send a request to the DLP management application, and the DLP management application queries whether a sandbox clone of application B exists in the sandbox group. If it does, the DLP management application directly launches the sandbox clone of application B, and the sandbox clones of application A and application B share data and process the task together. If the sandbox clones of application A and application B also need application C while working together, either of them can send a request. The DLP management application queries whether a sandbox clone of application C is in the sandbox group; if not, the DLP management application creates a sandbox clone of application C and adds it to the sandbox group for data sharing and collaborative processing of the task.
FIG. 3 is an implementation architecture diagram of the sandbox-based operation processing method provided by an embodiment of the present application. In FIG. 3, the owner user of a document interacts with the DLP management application to set a control policy and generate the DLP file for that document. The DLP management application creates the sandbox group corresponding to the DLP file and configures the control policy of the sandbox group to be the same as the control policy set by the owner user. When a controlled user accesses the DLP document and application A is needed to help process the controlled user's access request, the DLP management application creates a sandbox clone of application A and adds it to the sandbox group corresponding to the DLP file. Through this process, the DLP management application can add multiple external applications to the sandbox group, and the sandbox group can form a small system. With multiple sandboxed applications working together, the running environment and configuration information of the DLP file can be retained, which makes it easy to restore the scenario the next time the controlled user opens the DLP file.
The embodiment of the present application proposes a sandbox-based operation processing method that processes operations on a DLP file through associated sandbox clones; the associated sandbox clones can share data and collaboratively process the same task. The DLP management application can associate sandbox clones in two ways, active and passive, and provides a listening mechanism that lets external applications listen for the operations of the associated sandbox clones, so that the DLP management application can associate the sandbox clone of a listening external application in order to process operations on the DLP file collaboratively.
FIG. 4 is a flow chart of the sandbox-based operation processing method provided by an embodiment of the present application. The method provided by this embodiment can be implemented by the DLP management application in the electronic device 100. As shown in FIG. 4, the sandbox-based operation processing method may include:
Step 401: In response to an access request for a DLP file, the electronic device 100 creates a first sandbox clone of a first application and opens the DLP file through the first sandbox clone.
In some examples, the first sandbox clone is associated with the DLP file.
Step 402: In response to a first operation on the DLP file, the electronic device 100 obtains a second sandbox clone for processing the first operation.
In some examples, the second sandbox clone is a sandbox clone of a second application, and the control policies of the first sandbox clone and the second sandbox clone are the same as the control policy of the DLP file. The control policy of a DLP file may include document access permission, document send-out permission, document automatic backup permission and/or document copy permission, and so on. In this embodiment, the first sandbox clone is associated with the DLP file and the second sandbox clone is associated with the first sandbox clone. In this way, the DLP file, the first sandbox clone and the second sandbox clone can form a small system, and with multiple sandbox clones working together the running environment and configuration information of the DLP file can be retained, which makes it easy to restore the scenario the next time the controlled user opens the DLP file.
In some examples, the first operation on the DLP file may include selecting content of the DLP file and requesting translation, or selecting content of the DLP file and searching, and so on; this embodiment does not limit this. For example, after the electronic device 100 receives a controlled user's access request for the DLP file, it creates a first sandbox clone of the first application and opens the DLP file through the first sandbox clone. While browsing the DLP file, the controlled user needs part of its content translated, so the controlled user selects the content to be translated in the DLP file and requests translation of the selected content. The controlled user's act of selecting the content and requesting translation is the operation on the DLP file. Then, in response to this operation, the DLP management application obtains, from the sandbox clones associated with the first sandbox clone, a second sandbox clone that can translate the selected content.
Referring to FIG. 2, in order to manage the sandbox clones associated with the first sandbox clone, the DLP management application in the electronic device 100 can, after creating the first sandbox clone of the first application, create a sandbox group corresponding to the DLP file and add the first sandbox clone to the sandbox group. Then, in response to the first operation on the DLP file, the DLP management application obtains from the sandbox group the second sandbox clone that processes the first operation.
In some examples, the electronic device 100 may obtain the second sandbox clone that processes the operation as follows: the electronic device 100 queries the sandbox clones associated with the first sandbox clone and, in response to the second sandbox clone not existing among them, the DLP management application in the electronic device 100 creates the second sandbox clone and associates it with the first sandbox clone.
Step 403: The electronic device 100 processes the first operation through the second sandbox clone.
In some examples, after the electronic device 100 processes the first operation through the second sandbox clone, the electronic device 100 detects a write operation by the second sandbox clone on the DLP file, and in response to the write operation, the first sandbox clone can read the modified DLP file.
In some examples, the first sandbox clone and the second sandbox clone may constitute a sandbox group. In that case, in response to a second operation on the DLP file, the electronic device 100 may receive a second operation processing request initiated by the first sandbox clone or the second sandbox clone, the request asking a third application to process the second operation. The electronic device 100 then creates a third sandbox clone of the third application, adds the third sandbox clone to the sandbox group, and processes the second operation through the third sandbox clone.
In some examples, referring to FIG. 5, before the electronic device 100 creates the second sandbox clone and associates it with the first sandbox clone, the electronic device 100 may first determine whether the second application is a trusted application; if it is, the step of creating the second sandbox clone and associating it with the first sandbox clone is performed. Specifically, the electronic device 100 may determine whether the second application is a trusted application by checking whether the second application is in a data table in which the configured trusted applications are saved. The trusted applications may be configured by the DLP file owner, as shown in FIG. 5, which is a schematic diagram of a file owner configuring trusted applications according to an embodiment of the present application. Specifically, the file owner may configure a trusted application by saving its name or package name in the data table, so that the electronic device 100 can check whether the name or package name of the second application is in the configured data table. If it is, the electronic device 100 may determine that the second application is a trusted application; if it is not, the electronic device 100 may determine that the second application is not a trusted application. In addition, the file owner may configure, in the configuration file of an application installation package, indication information stating whether the application is a trusted application, so that the electronic device 100 can determine whether the second application is a trusted application from the indication information in the configuration file of the second application's installation package.
In addition, whether the second application is a trusted application can also be determined by application market review. If the second application has passed the application market's review, the electronic device 100 may determine that the second application is a trusted application; if the second application has not passed the application market's review, the electronic device 100 may determine that the second application is not a trusted application.
In this embodiment, sandbox clones may be associated in two ways, active and passive; the two joining modes are described below.
In one implementation, before obtaining the second sandbox clone that processes the first operation, the electronic device 100, in response to the first operation on the DLP file, receives a first operation processing request initiated by the first sandbox clone; the request asks the second sandbox clone to process the first operation. In other words, in the active mode the first sandbox clone actively requests that the DLP management application create a second sandbox clone of the second application and associate the second sandbox clone with the first sandbox clone.
FIG. 6 is a schematic diagram of a first sandbox clone actively requesting association with a second sandbox clone, according to an embodiment of the present application. As shown in FIG. 6, the first sandbox clone actively requests that the DLP management application in the electronic device 100 launch the second application. The DLP management application first queries whether the sandbox clone of the second application (that is, the second sandbox clone) is among the sandbox clones associated with the first sandbox clone. If it is, the DLP management application directly launches the second sandbox clone and notifies the first sandbox clone that the second sandbox clone has been launched successfully. If it is not, the DLP management application creates the second sandbox clone, associates it with the first sandbox clone, launches it, and notifies the first sandbox clone that the second sandbox clone has been launched successfully.
One application scenario of this implementation is as follows. A document visitor with read-only permission is reading a DLP document in the sandbox clone of Word (the first sandbox clone) and needs the help of translation software. The visitor can actively initiate a translation request, and the sandbox clone of Word, as the request initiator, asks the DLP management application to launch the translation software for collaborative work. The DLP management application queries whether a sandbox clone of the translation software exists among the sandbox clones associated with the sandbox clone of Word. If not, the DLP management application creates a sandbox clone of the translation software, associates it with the sandbox clone of Word, and then translates the DLP document through the sandbox clone of the translation software. If a sandbox clone of the translation software already exists among the associated sandbox clones, the DLP management application directly launches it, without creating another sandbox clone, and then translates the DLP document through it. The control policy of the associated sandbox clones is the same as the control policy of the DLP file.
This implementation solves the problem that a document visitor with read-only permission cannot launch external applications for collaborative work, while ensuring the security of data communication. Building on the existing DLP protection mechanism, it lets a visitor launch external applications in reasonable scenarios, which greatly improves the visitor's experience, and because the associated sandbox clones are controlled by the same control policy, data security is ensured.
In another implementation, before creating the second sandbox clone and associating it with the first sandbox clone, if the second sandbox clone does not exist among the sandbox clones associated with the first sandbox clone, the electronic device 100 may obtain the second application that is listening for the operation and notify the second application of the operation. In other words, in the passive joining mode an external application passively joins the sandbox clones associated with the first sandbox clone through the listening mechanism.
FIG. 7 is a schematic diagram of an external application being passively associated with a first sandbox clone, according to an embodiment of the present application. As shown in FIG. 7, when the first sandbox clone triggers an operation A on the DLP file and an external second application is listening for operation A through the listening mechanism, the DLP management application can notify the external second application that a usage scenario inside the sandbox has triggered operation A. The DLP management application can then create a second sandbox clone for the external second application and associate the second sandbox clone with the first sandbox clone, after which the second sandbox clone works collaboratively with the first sandbox clone.
For example, after the electronic device 100 receives an access request for a DLP file from a user with read-only access, it creates a first sandbox clone of the first application and opens the DLP file through the first sandbox clone. For the user with read-only access, the DLP file is evidently a read-only file. Assume that the DLP file is an English document whose content is as follows: "Some people, no matter how old they are, are always young; Some people, regardless of whether it is honor or disgrace, are calm and calm; …" The user with read-only access needs part of this English document translated and can select the content to be translated with the mouse. Assume that "Some people, regardless of whether it is honor or disgrace, are calm and calm;" is the part the user selects with the mouse and that the user needs translation software to translate the selected sentence. The user's act of "selecting" this sentence with the mouse can then serve as a trigger operation that external translation software listens for. After the external translation software detects the selection operation through the listening mechanism, the DLP management application creates a sandbox clone of the translation software, associates it with the first sandbox clone, and then translates the selected content of the DLP file through the sandbox clone of the translation software.
This implementation solves the problem that external applications cannot perceive the operations of applications inside the sandbox. Through the listening mechanism, a sandbox clone of the external application can be created and associated with the sandbox clone of the application that opened the DLP file; the two work together, which improves the user experience.
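The active and passive association flows described above, together with the trusted-application check, can be modelled as follows. This is an added illustrative sketch, not code from the application: all class, method, file and application names (`DlpManager`, `request_app`, `on_operation`, `report.dlp`, `uploader` and so on) are hypothetical, and the rule that only a clone already in the group may request another application is an assumption of the model.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    """Control policy of a DLP file (fields mirror the permissions listed above)."""
    access: bool = True
    send_out: bool = False
    auto_backup: bool = False
    copy: bool = False


@dataclass
class SandboxClone:
    app: str
    policy: Policy            # always the DLP file's policy, never app-specific
    running: bool = False


@dataclass
class SandboxGroup:
    dlp_file: str
    policy: Policy
    clones: dict = field(default_factory=dict)   # app name -> SandboxClone


class UntrustedAppError(Exception):
    """Raised when an application is not in the owner's trusted-application table."""


class DlpManager:
    """Hypothetical model of the DLP management application."""

    def __init__(self, trusted_apps):
        self.trusted_apps = set(trusted_apps)    # owner-configured data table
        self.groups = {}                         # dlp_file -> SandboxGroup
        self.listeners = {}                      # operation -> [app names]
        self.audit = []                          # (event, dlp_file, app)

    def open_file(self, dlp_file, policy, first_app):
        """Step 401: create the first clone and the sandbox group for the file."""
        group = SandboxGroup(dlp_file, policy)
        clone = SandboxClone(first_app, policy, running=True)
        group.clones[first_app] = clone
        self.groups[dlp_file] = group
        self.audit.append(("created", dlp_file, first_app))
        return clone

    def _get_or_create(self, group, app):
        """Reuse a clone already in the group; otherwise vet the app and create one."""
        clone = group.clones.get(app)
        if clone is None:
            if app not in self.trusted_apps:
                self.audit.append(("denied", group.dlp_file, app))
                raise UntrustedAppError(app)
            clone = SandboxClone(app, group.policy)   # inherits the file's policy
            group.clones[app] = clone
            self.audit.append(("created", group.dlp_file, app))
        clone.running = True
        return clone

    def request_app(self, dlp_file, requester, target_app):
        """Active association: a clone in the group asks for another application."""
        group = self.groups[dlp_file]
        if requester not in group.clones:          # assumption: only members may ask
            raise PermissionError(f"{requester} is not in the group for {dlp_file}")
        return self._get_or_create(group, target_app)

    def register_listener(self, operation, app):
        """An external application subscribes to an operation type."""
        self.listeners.setdefault(operation, []).append(app)

    def on_operation(self, dlp_file, operation):
        """Passive association: listeners join the group as clones, if trusted."""
        group = self.groups[dlp_file]
        joined = []
        for app in self.listeners.get(operation, []):
            try:
                joined.append(self._get_or_create(group, app))
            except UntrustedAppError:
                continue                            # recorded in audit, not admitted
        return joined


def demo():
    """Constructed scenario: Word opens a read-only file, then two apps join."""
    mgr = DlpManager(trusted_apps={"translator", "dictionary"})
    mgr.open_file("report.dlp", Policy(access=True), "word")
    mgr.request_app("report.dlp", "word", "translator")      # created
    mgr.request_app("report.dlp", "word", "translator")      # reused, not recreated
    mgr.register_listener("select_text", "dictionary")
    mgr.register_listener("select_text", "uploader")         # not in trusted table
    mgr.on_operation("report.dlp", "select_text")
    return mgr


if __name__ == "__main__":
    print(*demo().audit, sep="\n")
```

The audit list makes the security-relevant outcomes visible: one clone per application per file, every clone carrying the file's policy, and an untrusted listener being refused rather than silently sandboxed.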
In the sandbox-based operation processing method described above, the electronic device 100, in response to an access request for a DLP file, creates a first sandbox clone of a first application and opens the DLP file through the first sandbox clone. Then, in response to a first operation on the DLP file, the electronic device 100 obtains a second sandbox clone that processes the first operation and processes the first operation through the second sandbox clone. The second sandbox clone may be a sandbox clone of a second application, the first sandbox clone is associated with the DLP file, and the control policies of the first sandbox clone and the second sandbox clone are the same as the control policy of the DLP file, which ensures the security of the DLP file. Moreover, the DLP file, the first sandbox clone and the second sandbox clone can form a small system, and with multiple sandbox clones working together the running environment and configuration information of the DLP file can be retained, which makes it easy to restore the scenario the next time the controlled user opens the DLP file and improves the user experience.
It should be understood that some or all of the steps or operations in the above embodiments are merely examples, and the embodiments of the present application may also perform other operations or variations of the various operations. In addition, the steps may be performed in an order different from that presented in the above embodiments, and it may not be necessary to perform all of the operations in the above embodiments.
可以理解的是,电子设备为了实现上述功能,其包含了执行各个功能相应的硬件和/或软件模块。结合本申请所公开的实施例描述的各示例的算法步骤,本申请能够以硬件或硬件和计算机软件的结合形式来实现。某个功能究竟以硬件还是计算机软件驱动硬件的方式来执行,取决于技术方案的特定应用和设计约束条件。本领域技术人员可以结合实施例对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。It is understandable that, in order to realize the above functions, the electronic device includes hardware and/or software modules corresponding to the execution of each function. In combination with the algorithm steps of each example described in the embodiments disclosed in this application, the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is executed in the form of hardware or computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application in combination with the embodiments, but such implementation should not be considered to exceed the scope of this application.
本实施例可以根据上述方法实施例对电子设备进行功能模块的划分,例如,可以对应各个功能划分各个功能模块,也可以将两个或两个以上的功能集成在一个模块中。上述集成的模块可以采用硬件的形式实现。需要说明的是,本实施例中对模块的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。This embodiment can divide the electronic device into functional modules according to the above method embodiment. For example, each functional module can be divided according to each function, or two or more functions can be integrated into one module. The above integrated module can be implemented in the form of hardware. It should be noted that the division of modules in this embodiment is schematic and is only a logical function division. There may be other division methods in actual implementation.
FIG. 8 is a schematic structural diagram of an electronic device provided by another embodiment of the present application. Where one functional module is defined for each function, FIG. 8 shows a possible composition of the electronic device 800 involved in the above embodiments. As shown in FIG. 8, the electronic device 800 may include: a creation module 801, an opening module 802, an acquisition module 803 and a processing module 804.
The creation module 801 is configured to create a first sandbox clone of a first application in response to an access request for a DLP file, wherein the first sandbox clone is associated with the DLP file.
The opening module 802 is configured to open the DLP file through the first sandbox clone.
The acquisition module 803 is configured to acquire, in response to a first operation on the DLP file, a second sandbox clone for processing the first operation, wherein the second sandbox clone includes a sandbox clone of a second application, and the control policies of the first sandbox clone and the second sandbox clone are the same as the control policy of the DLP file.
The processing module 804 is configured to process the first operation through the second sandbox clone.
It should be noted that all relevant content of the steps involved in the method embodiment shown in FIG. 4 of the present application may be cited in the functional description of the corresponding functional module and is not repeated here.
The electronic device 800 provided in this embodiment is used to execute the sandbox-based operation processing method provided in the embodiment shown in FIG. 4 of the present application, and can therefore achieve the same effect as the above method.
FIG. 9 is a schematic structural diagram of an electronic device provided by yet another embodiment of the present application. Compared with the electronic device shown in FIG. 8, the difference is that the electronic device 900 shown in FIG. 9 may further include: a query module 805 and an association module 806.
The query module 805 is configured to query the sandbox clones associated with the first sandbox clone.
The creation module 801 is further configured to create the second sandbox clone in response to the second sandbox clone not existing among the sandbox clones associated with the first sandbox clone.
The association module 806 is configured to associate the second sandbox clone with the first sandbox clone.
In some examples, the electronic device 800 may further include a receiving module 807.
The receiving module 807 is configured to, before the acquisition module 803 acquires the second sandbox clone for processing the first operation, receive, in response to the first operation on the DLP file, a first operation processing request initiated by the first sandbox clone, wherein the first operation processing request is used to request the second sandbox clone to process the first operation.
In some examples, the electronic device 800 may further include a notification module 808.
The acquisition module 803 is further configured to, before the association module 806 associates the second sandbox clone with the first sandbox clone, acquire the second application that listens for the first operation, in response to the second sandbox clone not existing among the sandbox clones associated with the first sandbox clone.
The notification module 808 is configured to notify the second application of the first operation.
In some examples, the electronic device 800 may further include a judgment module 809.
The judgment module 809 is configured to judge, before the association module 806 associates the second sandbox clone with the first sandbox clone, whether the second application is a trusted application; if the second application is a trusted application, the creation module 801 and the association module 806 perform the steps of creating the second sandbox clone and associating the second sandbox clone with the first sandbox clone. In this embodiment, the judgment module 809 is specifically configured to judge whether the second application is in a data table, wherein the data table stores the configured trusted applications.
In this embodiment, the first sandbox clone and the second sandbox clone constitute a sandbox group. The receiving module 807 is further configured to receive, in response to a second operation on the DLP file, a second operation processing request initiated by the first sandbox clone or the second sandbox clone, wherein the second operation processing request is used to request a third application to process the second operation.
The creation module 801 is further configured to create a third sandbox clone of the third application and add the third sandbox clone to the sandbox group.
The processing module 804 is further configured to process the second operation through the third sandbox clone.
In some examples, the first operation may include an operation in which the first sandbox clone selects content of the DLP file, the DLP file being a read-only file; in this case, the processing module 804 is specifically configured to translate the selected content of the DLP file through the second sandbox clone.
It should be noted that all relevant content of the steps involved in the method embodiments shown in FIG. 4 to FIG. 7 of the present application may be cited in the functional description of the corresponding functional modules and is not repeated here.
The electronic device 800 provided in this embodiment is used to execute the sandbox-based operation processing method provided in the embodiments shown in FIG. 4 to FIG. 7 of the present application, and can therefore achieve the same effect as the above method.
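The module flow described above (query the clones associated with the first sandbox clone, look up the application listening for the operation, check it against the trusted-application table, create and associate the clone under the DLP file's control policy, then process the operation) can be modelled as follows. This is an added illustration and not code from the application: all class, function and application names are hypothetical, and both refusing an untrusted application and the set of write operations are assumptions, since the text only describes the trusted case.

```python
from dataclasses import dataclass, field

WRITE_OPS = {"save", "edit"}  # assumed set of operations a read-only policy forbids

@dataclass(frozen=True)
class Policy:
    read_only: bool = True

@dataclass
class SandboxClone:
    app: str
    policy: Policy  # always the DLP file's policy, never the application's own

    def handle(self, op, payload):
        if self.policy.read_only and op in WRITE_OPS:
            raise PermissionError(f"{op} denied by DLP policy in {self.app} clone")
        return f"{self.app}:{op}({payload})"

@dataclass
class SandboxGroup:
    dlp_file: str
    policy: Policy
    clones: dict = field(default_factory=dict)  # app name -> SandboxClone

class SandboxManager:
    def __init__(self, trusted_apps, listeners):
        self.trusted = set(trusted_apps)  # data table of configured trusted apps
        self.listeners = dict(listeners)  # operation -> application listening for it
        self.groups = {}                  # DLP file -> SandboxGroup
        self.audit = []                   # (event, file, app, op) for later review

    def open_file(self, dlp_file, policy, first_app):
        # Creation + opening modules: the first clone is bound to the DLP file.
        group = SandboxGroup(dlp_file, policy)
        group.clones[first_app] = SandboxClone(first_app, policy)
        self.groups[dlp_file] = group
        return group

    def dispatch(self, dlp_file, op, payload):
        group = self.groups[dlp_file]
        app = self.listeners[op]          # acquisition: who listens for this op
        clone = group.clones.get(app)     # query: is a clone already associated?
        if clone is None:
            if app not in self.trusted:   # judgment module (deny is an assumption)
                self.audit.append(("deny", dlp_file, app, op))
                raise PermissionError(f"{app} is not a trusted application")
            clone = SandboxClone(app, group.policy)  # creation: inherit file policy
            group.clones[app] = clone                # association: join the group
            self.audit.append(("create", dlp_file, app, op))
        return clone.handle(op, payload)  # processing module

def demo():
    # Constructed sample configuration; "chat" is deliberately left untrusted.
    mgr = SandboxManager(
        trusted_apps={"translator", "editor"},
        listeners={"translate": "translator", "share": "chat", "save": "editor"},
    )
    group = mgr.open_file("report.dlp", Policy(read_only=True), "reader")
    first = mgr.dispatch("report.dlp", "translate", "selected text")
    mgr.dispatch("report.dlp", "translate", "more text")  # reuses the same clone
    try:
        mgr.dispatch("report.dlp", "share", "selected text")
    except PermissionError:
        pass
    return mgr, group, first

if __name__ == "__main__":
    mgr, group, first = demo()
    print(first, sorted(group.clones), mgr.audit)
```

The audit list records one clone creation for the two translate requests and one denial for the untrusted listener, which is the kind of trail a reviewer would check to confirm that no clone joins a group outside the trusted-application table.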
It should be understood that the electronic device 800 may correspond to the electronic device 100 shown in FIG. 1. The functions of the opening module 802, the acquisition module 803, the processing module 804, the association module 805, the receiving module 806, the acquisition module 807, the notification module 808 and the judgment module 809 may be implemented by the processor 110 in the electronic device 100 shown in FIG. 1.
Where integrated units are used, the electronic device 800 may include a processing module, a storage module and a communication module.
The processing module may be used to control and manage the actions of the electronic device 800; for example, it may be used to support the electronic device 800 in performing the steps performed by the above modules. The storage module may be used to support the electronic device 800 in storing program code, data and the like. The communication module may be used to support communication between the electronic device 800 and other devices.
The processing module may be a processor or a controller, which may implement or execute the various exemplary logical blocks, modules and circuits described in connection with the disclosure of this application. The processor may also be a combination that implements computing functions, for example a combination of one or more microprocessors, or a combination of digital signal processing (DSP) and a microprocessor. The storage module may be a memory. The communication module may specifically be a device that interacts with other electronic devices, such as a radio frequency circuit, a Bluetooth chip and/or a Wi-Fi chip.
In one embodiment, when the processing module is a processor and the storage module is a memory, the electronic device 800 involved in this embodiment may be a device having the structure shown in FIG. 1.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when run on a computer, causes the computer to execute the method provided in the embodiments shown in FIG. 4 to FIG. 7 of the present application.
An embodiment of the present application further provides a computer program product including a computer program which, when run on a computer, causes the computer to execute the method provided in the embodiments shown in FIG. 4 to FIG. 7 of the present application.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist at the same time, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" and similar expressions refer to any combination of the listed items, including any combination of single or plural items. For example, at least one of a, b and c may represent: a; b; c; a and b; a and c; b and c; or a and b and c, where each of a, b and c may be single or multiple.
Those of ordinary skill in the art will appreciate that the units and algorithm steps described in the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, any function that is implemented as a software functional unit and sold or used as an independent product may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied as a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above is only a specific implementation of the present application. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. The protection scope of this application shall be subject to the protection scope of the claims.
Claims (11)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311280981.5 | 2023-09-28 | | |
| CN202311280981.5A CN119720175A (en) | 2023-09-28 | 2023-09-28 | Sandbox-based file operation processing method, device and electronic device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025066244A1 (en) | 2025-04-03 |
Family
ID=95098608
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/096651 Pending WO2025066244A1 (en) | 2023-09-28 | 2024-05-31 | Sandbox-based file operation processing method, apparatus, and electronic device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN119720175A (en) |
| WO (1) | WO2025066244A1 (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013097666A1 (en) * | 2011-12-28 | 2013-07-04 | 北京奇虎科技有限公司 | Sandbox technology based webpage browsing method and device |
| US20130185764A1 (en) * | 2010-05-28 | 2013-07-18 | Apple Inc. | File system access for one or more sandboxed applications |
| US20140007263A1 (en) * | 2012-06-27 | 2014-01-02 | Research In Motion Limited | Selection of sandbox for initiating application |
| CN114096946A (en) * | 2019-07-10 | 2022-02-25 | 三星电子株式会社 | Method and apparatus for managing applications |
| WO2022194024A1 (en) * | 2021-03-17 | 2022-09-22 | 华为技术有限公司 | File access method, communication system, and electronic device |
| CN115114618A (en) * | 2021-03-22 | 2022-09-27 | 华为技术有限公司 | Application processing method and device |
- 2023-09-28: CN CN202311280981.5A, patent/CN119720175A/en, active Pending
- 2024-05-31: WO PCT/CN2024/096651, patent/WO2025066244A1/en, active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN119720175A (en) | 2025-03-28 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24869806 Country of ref document: EP Kind code of ref document: A1 |