CN107463369B - Access device control method and device for virtual desktop - Google Patents


Info

Publication number
CN107463369B
Authority
CN
China
Prior art keywords
driver
access
file
virtual desktop
computer
Legal status
Active
Application number
CN201710521624.1A
Other languages
Chinese (zh)
Other versions
CN107463369A (en)
Inventor
刘斐
陈红逵
刘生
成旭飞
Current Assignee
Beijing North Source Software Co ltd
Original Assignee
Beijing North Source Software Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/4411 Configuring for operating with peripheral devices; Loading of device drivers


Abstract

The invention discloses a method for controlling an access device of a virtual desktop, comprising the following steps: acquiring virtualization platform information and setting a driver interface; acquiring a control rule and distributing the control rule to a device driver and a file driver; when the access device is attached to the virtual desktop through device mapping or file mapping, calling the corresponding device driver or file driver according to the driver interface; and the device driver or the file driver controlling the access device according to the control rule. The invention can unify the virtual driver interface, avoid blue screens, control file mapping, control indirect copying, and easily update the control rule.

Description

Access device control method and device for virtual desktop
Technical Field
The present invention relates to the field of virtual machines, and in particular, to a method and an apparatus for controlling an access device of a virtual desktop.
Background
In a virtualization environment, a USB storage device can be used in two ways: the USB storage device on the local login machine is mapped to the virtual desktop either as a device, or as a file system, in which case the virtual desktop sees a drive identifier corresponding to the local disk of the login machine.
On a physical machine running a Windows system, an attached USB storage device is first recognized by the USB device driver, then by the disk driver, and finally by the file system driver; only when all of these steps succeed can an application program use the USB storage device.
The traditional method for controlling a USB storage device is to develop a WDM (Windows Driver Model) driver and attach it to the USB device bus. When a USB device is inserted into the physical machine, the WDM driver also obtains information while the bus identifies the device; at that point a specific IRP request is sent to the USB bus driver to obtain the VID and PID of the USB device, which are then compared with the configured control rules, and the device is released or prohibited.
The traditional method has several defects for USB storage device control in a virtualization environment. First, the USB driver of a physical computer is developed by Microsoft and its driver name is kept unchanged to preserve backward compatibility with third-party software, whereas the device names of the USB bus drivers developed by each virtualization manufacturer are self-defined and differ from one another, so a driver developed for the physical computer cannot be used in the virtualization environment. Second, obtaining the VID and PID of the USB storage device requires sending a specific IRP request downward from the WDM driver, and in a virtualization environment this operation fails on some manufacturers' platforms or even causes a blue screen. Third, with the WDM driver approach, only the device mapping mode of a USB storage device can be controlled in a virtualization environment; the file mapping mode cannot be controlled, and read-only control of file mapping is not possible. Fourth, indirect copying cannot be controlled: when the local disk of the login machine (a thin client generally has no local disk) is exposed through file mapping, a file can be copied from the virtual desktop to that local disk and then copied to the USB storage device on the login machine. Fifth, when the control rule for a USB storage device in use changes from permitted to prohibited, the device is held by the system and cannot be stopped, so the computer can only be restarted, which is not user-friendly.
In a virtualization environment, a user logs in to a virtual desktop for work through a thin client or a local computer, inserts a peripheral on the login machine, and the virtualization environment maps it into the virtual machine for the virtual desktop to use. However, where the security requirements on the environment are high, attaching a peripheral, and in particular a mobile storage device, to the virtual desktop has a significant impact on the security of the virtual desktop.
For the problems in the prior art that the virtualization driver interface is not uniform, the IRP request causes a blue screen, file mapping cannot be controlled, indirect copying cannot be controlled, and changes to control rules are complex to take effect, no effective solution is available at present.
Disclosure of Invention
In view of this, an object of the embodiments of the present invention is to provide a method and an apparatus for controlling an access device of a virtual desktop, which can unify a driving interface for virtualization, avoid blue screen, manage and control file mapping, manage and control indirect copying, and easily update management and control rules.
Based on the above object, an aspect of the embodiments of the present invention provides a method for controlling an access device of a virtual desktop, including the following steps:
acquiring virtualization platform information and setting a driver interface;
acquiring a control rule and distributing the control rule to a device driver and a file driver;
when the access device is attached to the virtual desktop through device mapping or file mapping, calling the corresponding device driver or file driver according to the driver interface;
and the device driver or the file driver controlling the access device according to the control rule.
In some embodiments, the device driver controlling the access device according to the control rule includes:
setting a callback function in the dispatch function of the device driver, and passively acquiring and recording the VID (vendor identifier) and/or PID (product identifier) information of the access device;
when the access device is loaded by the disk driver, judging whether to allow access according to the VID and/or PID information and the control rule, and, when access is allowed, judging whether it is read-only;
and when the control rule changes, restarting the access device at the application layer.
In some embodiments, when the control rule determines that the access device is read-only, the access device is placed in a linked list, and the callback function sets a write-protect attribute on non-read-only operations for devices in the linked list.
In some embodiments, the file driver controlling the access device according to the control rule includes:
obtaining the system file paths in the dispatch function of the file driver, and adding the system file paths to a white list;
and when the file mapping is accessed, judging whether access is allowed according to the white list and the control rule, and, when access is allowed, judging whether it is read-only.
In some embodiments, when the control rule determines that the access device is read-only, non-read-only operations are given a no-permission status in the dispatch function.
In some embodiments, the virtualization platform is a Windows system, the device driver is a WDM driver, the file driver is a Minifilter driver, and the access device is a USB storage device.
In another aspect, the embodiments of the present invention also provide an apparatus for controlling the access device of a virtual desktop, which uses the above method.
In another aspect of the embodiments of the present invention, there is also provided a computer device, including a memory, at least one processor, and a computer program stored on the memory and executable on the processor, where the processor executes the program to perform the method described above.
In another aspect of the embodiments of the present invention, a computer-readable storage medium is further provided, which stores a computer program, and the computer program, when executed by a processor, performs the above-mentioned method.
In another aspect of the embodiments of the present invention, there is also provided a computer program product including a computer program stored on a computer-readable storage medium, the computer program including instructions which, when executed by a computer, cause the computer to perform the above method.
The invention has the following beneficial technical effects: the method and apparatus for controlling the access device of a virtual desktop provided by the embodiments of the present invention set the driver interface, distribute the control rule, call the corresponding driver according to the access mode of the access device, and apply control according to the control rule, so that the driver interface is unified, blue screens are avoided, file mapping and indirect copying can be controlled, and the control rule is easy to update.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for controlling an access device of a virtual desktop according to a first embodiment of the present invention;
fig. 2 is a schematic hardware structure diagram of an embodiment of a computer device for executing the method for controlling an access device of a virtual desktop according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the following embodiments of the present invention are described in further detail with reference to the accompanying drawings.
It should be noted that all expressions using "first" and "second" in the embodiments of the present invention are used to distinguish two entities of the same name that differ in parameters; it is understood that "first" and "second" are used only for convenience of expression, should not be construed as limiting the embodiments of the present invention, and are not described again in the following embodiments.
In view of the foregoing, a first aspect of the embodiments of the present invention provides a first embodiment of a method for controlling an access device of a virtual desktop. Fig. 1 is a flowchart illustrating a method for controlling an access device of a virtual desktop according to a first embodiment of the present invention.
The method for controlling the access device of the virtual desktop optionally includes the following steps:
step S101, acquiring virtualization platform information and setting a driving interface;
step S103, acquiring a control rule and distributing the control rule to an equipment driver and a file driver;
step S105, when the access device is accessed to the virtual desktop through the device mapping or the file mapping, calling a corresponding device driver or a corresponding file driver according to the driving interface;
and step S107, the device driver or the file driver manages and controls the access device according to the management and control rule.
Optionally, device mapping and file mapping are controlled separately, which improves the effectiveness of control over the USB storage device.
In some embodiments, the device driver controlling the access device according to the control rule includes:
setting a callback function in the dispatch function of the device driver, and passively acquiring and recording the VID (vendor identifier) and/or PID (product identifier) information of the access device;
when the access device is loaded by the disk driver, judging whether to allow access according to the VID and/or PID information and the control rule, and, when access is allowed, judging whether it is read-only;
and when the control rule changes, restarting the access device at the application layer.
Optionally, only the access device is restarted, in the application layer, without restarting the physical computer, which makes changing the control rule more convenient. If the application-layer restart fails, the virtual desktop is exited directly, and the control rule is updated the next time the application layer starts.
In some embodiments, when the control rule determines that the access device is read-only, the access device is placed in a linked list, and the callback function sets a write-protect attribute on non-read-only operations for devices in the linked list.
In some embodiments, the file driver controlling the access device according to the control rule includes:
obtaining the system file paths in the dispatch function of the file driver, and adding the system file paths to a white list;
and when the file mapping is accessed, judging whether access is allowed according to the white list and the control rule, and, when access is allowed, judging whether it is read-only.
Optionally, the file driver controls the access device by treating the device entirely as a file and applying the method used to control file permissions.
In some embodiments, when the control rule determines that the access device is read-only, non-read-only operations are given a no-permission status in the dispatch function.
In some embodiments, the virtualization platform is a Windows system, the device driver is a WDM driver, the file driver is a Minifilter driver, and the access device is a USB storage device.
It can be seen from the above embodiments that the method for controlling the access device of a virtual desktop provided by the embodiments of the present invention can automatically adapt to the USB storage device (in both device mapping mode and file mapping mode) according to the virtualization platform, and can be conveniently extended to unknown virtualization manufacturer platforms; the VID and PID of the USB storage device are acquired passively and separately from storage control, giving good compatibility; by combining several techniques (WDM driver technology, Minifilter driver technology and application-layer assistance) with the usage characteristics of USB storage devices in a virtualization environment, targeted control is applied to device mapping, file mapping and user-friendliness; the local disk mapping mode of the login machine can be controlled, eliminating the security risk of indirectly copying files from the virtual desktop to the USB storage device; and in environments that require real-time control, the exceptional case of a USB storage device being held open by the system is handled, in line with the characteristics of a virtualization environment, by exiting the virtual desktop rather than restarting the system to unload the device, which is friendlier.
The embodiment of the invention also provides a second embodiment of the access equipment control method of the virtual desktop.
In the device mapping management and control process:
When the computer system starts, the WDM driver obtains the manufacturer's virtual agent version and the Windows operating system version in the current virtual desktop, and automatically selects and sets the driver name used in the current virtual desktop. It then sets a callback function in the dispatch function of the WDM driver's IRP_MJ_SCSI, analyzes the data characteristics in the callback, obtains the data structure containing the VID and PID information, obtains the VID and PID of the USB device, and records the VID and PID together with the corresponding driver object. The WDM driver is attached to the disk driver; when the disk driver of the USB storage device is loaded, the record is searched by driver object, the VID and PID of the device are obtained, and the USB storage device is controlled according to the control rule. If the control rule is read-only, the device object is recorded in another linked list that is searched in the callback function; for an object found there, the SCSI command is analyzed in the callback, the read/write flag is located, and the MODE_DSP_WRITE_PROTECT attribute is set. In addition, if the control rule changes, the application layer restarts the device, and if the restart fails, the current virtual desktop is exited.
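As an added illustration of the device-mapping path just described (example code written for this page, not the patent's driver), the following user-mode C model shows the two decisions the WDM driver makes: matching the passively recorded VID/PID against the control rules when the disk driver loads the device, and, for a device kept in the read-only list, setting the write-protect bit in the MODE SENSE parameter header from the callback. The rule table, vendor/product ids and the struct layout are constructed assumptions; the bit value is the one `MODE_DSP_WRITE_PROTECT` carries in the Windows SCSI header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Control rule outcomes, as distributed by the agent to the drivers. */
typedef enum { POLICY_DENY = 0, POLICY_ALLOW = 1, POLICY_READ_ONLY = 2 } policy_t;

/* What the WDM driver does when the disk driver loads the device (step five). */
typedef enum { DISK_REMOVE = 0, DISK_RELEASE = 1, DISK_RECORD_READ_ONLY = 2 } disk_action_t;

/* One rule: USB vendor/product ids (0xFFFF matches any) and the policy. */
typedef struct { uint16_t vid; uint16_t pid; policy_t policy; } rule_t;

/* Constructed sample rule set with hypothetical ids. First match wins, so
 * the catch-all deny rule sits last and the table fails closed. */
static const rule_t RULES[] = {
    { 0x1234, 0xFFFF, POLICY_ALLOW },     /* every product of one vendor */
    { 0xABCD, 0x0001, POLICY_READ_ONLY }, /* one specific model, read-only */
    { 0xFFFF, 0xFFFF, POLICY_DENY },      /* everything else is blocked */
};

/* Match the VID/PID recorded by the IRP_MJ_SCSI callback against the rules. */
policy_t lookup_policy(uint16_t vid, uint16_t pid) {
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        const rule_t *r = &RULES[i];
        int vid_ok = (r->vid == 0xFFFF) || (r->vid == vid);
        int pid_ok = (r->pid == 0xFFFF) || (r->pid == pid);
        if (vid_ok && pid_ok) return r->policy;
    }
    return POLICY_DENY; /* no rule matched: deny rather than release */
}

/* Step five: at disk-load time decide whether to remove the device,
 * release it, or record its device object in the read-only linked list. */
disk_action_t on_disk_load(uint16_t vid, uint16_t pid) {
    switch (lookup_policy(vid, pid)) {
    case POLICY_ALLOW:     return DISK_RELEASE;
    case POLICY_READ_ONLY: return DISK_RECORD_READ_ONLY;
    default:               return DISK_REMOVE;
    }
}

/* Bit 7 of the device-specific byte in the SCSI mode parameter header marks
 * the medium write-protected; same value as MODE_DSP_WRITE_PROTECT in scsi.h. */
#define MODE_DSP_WRITE_PROTECT 0x80u

/* MODE SENSE(6) parameter header as seen by the disk stack above the filter. */
typedef struct {
    uint8_t mode_data_length;
    uint8_t medium_type;
    uint8_t device_specific;
    uint8_t block_descriptor_length;
} mode_param_header_t;

/* Step six: in the callback, a MODE SENSE reply for a device found in the
 * read-only list gets the write-protect bit, so the disk class driver and the
 * file system treat the volume as read-only. Other policies pass the header
 * through untouched. Returns the resulting device-specific byte. */
uint8_t filter_mode_sense(policy_t policy, mode_param_header_t *hdr) {
    if (policy == POLICY_READ_ONLY)
        hdr->device_specific |= MODE_DSP_WRITE_PROTECT;
    return hdr->device_specific;
}

/* Same decision for callers that only hold the raw device-specific byte. */
uint8_t mode_sense_dsp(policy_t policy, uint8_t device_specific) {
    mode_param_header_t hdr = { 0x0B, 0x00, device_specific, 0x08 };
    return filter_mode_sense(policy, &hdr);
}

int main(void) {
    /* Constructed walk-through: a read-only model is loaded, then a MODE
     * SENSE reply for it is rewritten in the callback. */
    uint16_t vid = 0xABCD, pid = 0x0001;
    mode_param_header_t hdr = { 0x0B, 0x00, 0x00, 0x08 };
    disk_action_t act = on_disk_load(vid, pid);
    printf("disk load action: %d\n", (int)act);
    if (act == DISK_RECORD_READ_ONLY)
        filter_mode_sense(POLICY_READ_ONLY, &hdr);
    printf("device-specific byte after MODE SENSE: 0x%02X\n", hdr.device_specific);
    return 0;
}
```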
In the file mapping management and control process:
When the system loads the driver, the driver first obtains the manufacturer's virtual agent version and the Windows operating system version in the current virtual desktop, selects the volume device object name suitable for the current platform, and registers the corresponding device object as required. Then, in the dispatch function for file creation, IRP_MJ_CREATE, the access path of the file is obtained, and network-related paths are filtered out into a white list. According to the different virtualization manufacturers and agents under different systems, operations such as file creation, deletion, modification and renaming are processed in the different file dispatch functions IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION, and control of the file mapping mode (including read-only control) is realized by comparison against the control rules.
Specifically, the implementation process is as follows:
Step one: the agent installs the WDM driver and the file filter driver.
Step two: after the driver is installed or the computer is started, information such as the virtualization platform and operating system is obtained automatically, and the characteristics corresponding to that platform are set automatically.
Step three: the agent obtains the control rule and issues it to the device driver and the file driver respectively.
Step four: after the USB storage device enters the virtual desktop system in device mapping mode, the WDM driver sets a callback function in the IRP_MJ_SCSI dispatch function, passively obtains the VID and PID of the device, and records the VID and PID together with the corresponding driver object.
Step five: when the disk is loaded, the control rule is compared; if the rule forbids the device, the USB storage device is removed directly; if use is allowed, the device is released; if the rule is read-only, the device object is recorded in a linked list.
Step six: when the system or the user accesses the read-only USB storage device, the callback function of step four is triggered; in that function the object and the corresponding read/write operation are looked up in the linked list of step five, and the MODE_DSP_WRITE_PROTECT attribute is set.
Step seven: after the device is inserted, if the control rule changes, the device is restarted in the application layer, and if the restart fails, the current virtual desktop is exited.
Step eight: after the USB storage device enters the virtual desktop system in file mapping mode, the Minifilter driver filters out system-related file path information, such as network access paths.
Step nine: when the system or a user accesses the mapped disk, the IRP_MJ_CREATE dispatch function checks whether the file path is in the filtered system white list; if not, the control rule is evaluated: if forbidden, the STATUS_ACCESS_DENIED (no permission) status is set and the function returns; if allowed, the function returns directly without further processing; if read-only and the request would create a file, STATUS_ACCESS_DENIED is set and the function returns.
Step ten: in IRP_MJ_SET_INFORMATION, if the control rule is read-only, delete and rename requests are detected, the STATUS_ACCESS_DENIED status is set, and the function returns.
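The file-mapping path (the Minifilter process above and steps eight to ten) as an added user-mode C model, written for this page and not taken from the patent: a white list of system and network paths is consulted first, then the IRP_MJ_CREATE and IRP_MJ_SET_INFORMATION decisions are taken against the control rule. The white-list prefixes, volume path and requests are constructed samples; the STATUS_ACCESS_DENIED, CreateDisposition, DesiredAccess and FILE_INFORMATION_CLASS values are the ones the Windows headers define. It goes one step beyond the text by also refusing, under a read-only rule, an open that requests write or delete access, since a file-level read-only control needs that as well as the create, delete and rename checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Control rule outcome distributed by the agent to the file driver. */
typedef enum { POLICY_DENY = 0, POLICY_ALLOW = 1, POLICY_READ_ONLY = 2 } policy_t;

/* NTSTATUS values as in ntstatus.h (STATUS_ACCESS_DENIED is 0xC0000022). */
typedef uint32_t ntstatus_t;
#define NT_STATUS_SUCCESS       0x00000000u
#define NT_STATUS_ACCESS_DENIED 0xC0000022u

/* CreateDisposition values (wdm.h). Everything except FILE_OPEN can create or
 * truncate a file; a production filter would confirm in post-create whether
 * the result was FILE_CREATED, this model decides on the disposition alone. */
#define FILE_SUPERSEDE    0u
#define FILE_OPEN         1u
#define FILE_CREATE       2u
#define FILE_OPEN_IF      3u
#define FILE_OVERWRITE    4u
#define FILE_OVERWRITE_IF 5u

/* DesiredAccess bits (winnt.h) that modify data or metadata. */
#define ACCESS_FILE_WRITE_DATA       0x00000002u
#define ACCESS_FILE_APPEND_DATA      0x00000004u
#define ACCESS_FILE_WRITE_EA         0x00000010u
#define ACCESS_FILE_WRITE_ATTRIBUTES 0x00000100u
#define ACCESS_DELETE                0x00010000u
#define WRITE_LIKE_ACCESS (ACCESS_FILE_WRITE_DATA | ACCESS_FILE_APPEND_DATA | \
                           ACCESS_FILE_WRITE_EA | ACCESS_FILE_WRITE_ATTRIBUTES | ACCESS_DELETE)

/* FILE_INFORMATION_CLASS values (wdm.h) carried by IRP_MJ_SET_INFORMATION
 * for rename and delete. */
#define FILE_RENAME_INFORMATION      10u
#define FILE_DISPOSITION_INFORMATION 13u

/* White list collected from IRP_MJ_CREATE at load time: system and network
 * redirector paths the filter must leave alone. Constructed sample prefixes;
 * a real filter records whatever the platform's agent reports. */
static const char *const WHITELIST[] = {
    "\\Device\\Mup\\",
    "\\Device\\LanmanRedirector\\",
};

static int is_whitelisted(const char *path) {
    for (size_t i = 0; i < sizeof WHITELIST / sizeof WHITELIST[0]; i++)
        if (strncmp(path, WHITELIST[i], strlen(WHITELIST[i])) == 0) return 1;
    return 0;
}

/* Step nine: pre-create decision for the mapped drive. Whitelisted paths and
 * an allow rule pass through; a deny rule refuses every open; a read-only
 * rule refuses any request that could create, truncate or modify the file. */
ntstatus_t pre_create(const char *path, uint32_t disposition,
                      uint32_t desired_access, policy_t rule) {
    if (is_whitelisted(path)) return NT_STATUS_SUCCESS;
    switch (rule) {
    case POLICY_ALLOW:
        return NT_STATUS_SUCCESS;
    case POLICY_READ_ONLY:
        if (disposition != FILE_OPEN) return NT_STATUS_ACCESS_DENIED;
        if (desired_access & WRITE_LIKE_ACCESS) return NT_STATUS_ACCESS_DENIED;
        return NT_STATUS_SUCCESS;
    default:
        return NT_STATUS_ACCESS_DENIED;
    }
}

/* Step ten: pre-set-information. Under a read-only rule, delete
 * (FileDispositionInformation) and rename (FileRenameInformation) are
 * refused; a deny rule fails closed even though no handle should exist. */
ntstatus_t pre_set_information(uint32_t info_class, policy_t rule) {
    if (rule == POLICY_DENY) return NT_STATUS_ACCESS_DENIED;
    if (rule == POLICY_READ_ONLY &&
        (info_class == FILE_RENAME_INFORMATION || info_class == FILE_DISPOSITION_INFORMATION))
        return NT_STATUS_ACCESS_DENIED;
    return NT_STATUS_SUCCESS;
}

int main(void) {
    /* Constructed requests against a hypothetical mapped volume. */
    const char *doc = "\\Device\\HarddiskVolume9\\report.docx";
    printf("read open (read-only rule): 0x%08X\n",
           pre_create(doc, FILE_OPEN, 0x1u, POLICY_READ_ONLY));
    printf("new file  (read-only rule): 0x%08X\n",
           pre_create(doc, FILE_CREATE, ACCESS_FILE_WRITE_DATA, POLICY_READ_ONLY));
    printf("rename    (read-only rule): 0x%08X\n",
           pre_set_information(FILE_RENAME_INFORMATION, POLICY_READ_ONLY));
    return 0;
}
```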
It should be particularly noted that, the steps in the foregoing embodiments of the method for controlling an access device of a virtual desktop can be mutually intersected, replaced, added, and deleted, and therefore, the method for controlling an access device of a virtual desktop, which is transformed by these reasonable permutations and combinations, shall also belong to the scope of the present invention, and shall not limit the scope of the present invention to the above embodiments.
In view of the above, a second aspect of the embodiments of the present invention provides a first embodiment of an access device control apparatus for a virtual desktop. The access equipment control device of the virtual desktop uses the access equipment control method of the virtual desktop.
It can be seen from the foregoing embodiments that the apparatus for controlling the access device of a virtual desktop provided by the embodiments of the present invention can automatically adapt to USB storage devices (in both device mapping mode and file mapping mode) according to the virtualization platform, and can be conveniently extended to unknown virtualization manufacturer platforms; the VID and PID of the USB storage device are acquired passively and separately from storage control, giving good compatibility; by combining several techniques (WDM driver technology, Minifilter driver technology and application-layer assistance) with the usage characteristics of USB storage devices in a virtualization environment, targeted control is applied to device mapping, file mapping and user-friendliness; the local disk mapping mode of the login machine can be controlled, eliminating the security risk of indirectly copying files from the virtual desktop to the USB storage device; and in environments that require real-time control, the exceptional case of a USB storage device being held open by the system is handled, in line with the characteristics of a virtualization environment, by exiting the virtual desktop rather than restarting the system to unload the device, which is friendlier.
It should be particularly noted that, in the embodiment of the access device control apparatus of the virtual desktop, the working process of each module is specifically described by using the embodiment of the access device control method of the virtual desktop, and those skilled in the art can easily think that these modules are applied to other embodiments of the access device control method of the virtual desktop. Of course, since the steps in the embodiment of the method for controlling the access device of the virtual desktop can be mutually intersected, replaced, added, and deleted, the access device control apparatus of the virtual desktop that is transformed by these reasonable permutations and combinations also belongs to the protection scope of the present invention, and the protection scope of the present invention should not be limited on the embodiment.
In view of the foregoing, a third aspect of the embodiments of the present invention provides an embodiment of a computer device executing the method for controlling an access device of a virtual desktop.
The computer device for executing the method for controlling the access device of the virtual desktop comprises a memory, at least one processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the computer program to execute any one of the methods.
Fig. 2 is a schematic diagram of a hardware structure of an embodiment of a computer device for executing the method for controlling an access device of a virtual desktop according to the present invention.
Taking the computer device shown in fig. 2 as an example, the computer device includes a processor 201 and a memory 202, and may further include: an input device 203 and an output device 204.
The processor 201, the memory 202, the input device 203 and the output device 204 may be connected by a bus or other means, and fig. 2 illustrates the connection by a bus as an example.
The memory 202, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the access device control method of the virtual desktop in the embodiments of the present application. The processor 201 executes the various functional applications and data processing of the server by running the non-volatile software programs, instructions and modules stored in the memory 202, thereby implementing the access device control method of the virtual desktop of the above method embodiments.
The memory 202 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the access device control apparatus of the virtual desktop, and the like. Further, the memory 202 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 202 may optionally include memory located remotely from processor 201, which may be connected to local modules via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input means 203 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the access device control means of the virtual desktop. The output device 204 may include a display device such as a display screen.
Program instructions/modules corresponding to the access device control methods of the one or more virtual desktops are stored in the memory 202, and when executed by the processor 201, the access device control methods of the virtual desktops in any of the above-described method embodiments are executed.
Any embodiment of the computer device executing the method for controlling the access device of the virtual desktop can achieve the same or similar effects as any corresponding embodiment of the foregoing method.
In view of the foregoing, a fourth aspect of the embodiments of the present invention provides a computer-readable storage medium, where the computer-readable storage medium stores computer-executable instructions, where the computer-executable instructions can execute a method for controlling an access device of a virtual desktop in any method embodiment and an apparatus/system for controlling an access device of a virtual desktop in any apparatus/system embodiment. Embodiments of the computer-readable storage medium may achieve the same or similar effects as any of the aforementioned method and apparatus/system embodiments corresponding thereto.
In view of the above object, a fifth aspect of the embodiments of the present invention provides a computer program product, which includes a computer program stored on a computer-readable storage medium, where the computer program includes instructions that, when executed by a computer, cause the computer to execute the method for controlling an access device of a virtual desktop in any of the above method embodiments and the apparatus/system for controlling an access device of a virtual desktop in any of the above apparatus/system embodiments. Embodiments of the computer program product may achieve the same or similar effects as any of the aforementioned method and apparatus/system embodiments corresponding thereto.
Finally, it should be noted that, as will be understood by those skilled in the art, all or part of the processes of the methods of the above embodiments may be implemented by a computer program, which may be stored in a computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like. Embodiments of the computer program may achieve the same or similar effects as any of the preceding method embodiments to which it corresponds.
In addition, the apparatuses, devices and the like disclosed in the embodiments of the present invention may be various electronic terminal devices, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television and the like, or may be a large terminal device, such as a server and the like, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of apparatus or device. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
Furthermore, the method disclosed according to an embodiment of the present invention may also be implemented as a computer program executed by a CPU, and the computer program may be stored in a computer-readable storage medium. The computer program, when executed by the CPU, performs the above-described functions defined in the method disclosed in the embodiments of the present invention.
Further, the above method steps and system elements may also be implemented using a controller and a computer readable storage medium for storing a computer program for causing the controller to implement the functions of the above steps or elements.
Further, it should be appreciated that the computer-readable storage media (e.g., memory) described herein can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
Those of skill would further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the disclosure herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as software or hardware depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed embodiments of the present invention.
The various illustrative logical blocks, modules, and circuits described in connection with the disclosure herein may be implemented or performed with the following components designed to perform the functions described herein: a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination of these components. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP, and/or any other such configuration.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a user terminal. In the alternative, the processor and the storage medium may reside as discrete components in a user terminal.
In one or more exemplary designs, the functions may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, including any medium that facilitates transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, include Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.
The foregoing is an exemplary embodiment of the present disclosure, but it should be noted that various changes and modifications could be made herein without departing from the scope of the present disclosure as defined by the appended claims. The functions, steps and/or actions of the method claims in accordance with the disclosed embodiments described herein need not be performed in any particular order. Furthermore, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated.
It should be understood that, as used herein, the singular forms "a," "an," "the" are intended to include the plural forms as well, unless the context clearly supports the exception. It should also be understood that "and/or" as used herein is meant to include any and all possible combinations of one or more of the associated listed items.
The numbers of the embodiments disclosed in the embodiments of the present invention are merely for description, and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
Those of ordinary skill in the art will understand that the discussion of any embodiment above is meant to be exemplary only and is not intended to imply that the scope of the disclosure, including the claims, of embodiments of the invention is limited to these examples. Within the idea of an embodiment of the invention, technical features in the above embodiment or in different embodiments may also be combined, and there are many other variations of the different aspects of an embodiment of the invention as described above, which are not provided in detail for the sake of brevity. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the embodiments of the present invention.

Claims (10)

1. A method for controlling an access device of a virtual desktop, characterized by comprising the following steps:
acquiring virtualization platform information and setting a driver interface;
acquiring a control rule and distributing the control rule to a device driver and a file driver;
when the access device accesses the virtual desktop through device mapping or file mapping, calling the corresponding device driver or file driver according to the driver interface;
the device driver or the file driver controlling the access device according to the control rule;
wherein the device driver controlling the access device according to the control rule comprises:
mounting the device driver under a disk driver, setting a callback function in a dispatch function of the device driver, analyzing data characteristics through the callback function to obtain a data structure containing VID & PID information, obtaining the VID & PID information of the device from that structure, and recording the VID & PID together with the corresponding driver object.
2. The method of claim 1, wherein the device driver controlling the access device according to the control rule further comprises:
when the access device is loaded by the disk driver, judging whether to allow access according to the VID and/or PID information and the control rule, and, when access is allowed, judging whether the access is read-only;
and restarting the access device at the application layer when the control rule is changed.
3. The method of claim 2, wherein, when the control rule determines that an access device has read-only access, the access device is placed in a linked list, and the callback function sets a protection attribute on any non-read-only operation directed at an access device in the linked list.
4. The method of claim 1, wherein the file driver controlling the access device according to the control rule comprises:
obtaining a system file path from the dispatch function of the file driver, and adding the system file path to a white list;
and when the file mapping is accessed, judging whether to allow access according to the white list and the control rule, and, when access is allowed, judging whether the access is read-only.
5. The method of claim 4, wherein, when the control rule determines that an access device is read-only, a non-read-only operation is set to an unauthorized state in the dispatch function.
6. The method of any one of claims 1-5, wherein the virtualization platform is a Windows system, the device driver is a WDM driver, the file driver is a Minifilter driver, and the access device is a USB storage device.
7. An access device control apparatus for a virtual desktop, using the method of any one of claims 1-6.
8. A computer device comprising a memory, at least one processor and a computer program stored on the memory and executable on the processor, characterized in that the processor performs the method according to any of claims 1-6 when executing the program.
9. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the method of any one of claims 1 to 6.
10. A computer program product, characterized in that the computer program product comprises a computer program stored on a computer-readable storage medium, the computer program comprising instructions which, when executed by a computer, cause the computer to carry out the method of any one of claims 1-6.
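The decision logic of claims 1-5, as an added illustration that is not the patent's own code: the VID & PID rule lookup performed when the disk driver loads a device, the read-only list consulted by the dispatch callback, and the file driver's white-list-then-rule check. It assumes a deny-by-default rule and treats a PID of 0 as "any PID of that vendor", neither of which the patent states, uses a fixed array where the patent uses a linked list, and uses constructed VIDs, PIDs and paths.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added illustration of claims 1-5, not the patent's own code: the two drivers'
   decisions are modelled as plain C functions (in the patent they live in a WDM
   device driver and a Minifilter file driver on Windows). */
typedef enum { ACCESS_DENY, ACCESS_READ_ONLY, ACCESS_READ_WRITE } access_mode_t;
typedef enum { OP_READ, OP_WRITE, OP_CREATE, OP_DELETE } op_t;
/* Device entry of the control rule: match on VID, and on PID unless pid is 0, which
   this example treats as "any PID of that vendor" (an assumption, not in the patent). */
typedef struct { uint16_t vid, pid; access_mode_t mode; } device_rule_t;
/* Control rule as distributed to both drivers (claim 1, second step). */
typedef struct {
    const device_rule_t *dev_rules; size_t n_dev_rules;
    access_mode_t file_mapping_mode;             /* mode for the mapped client folder */
    const char **whitelist; size_t n_whitelist;  /* system file paths (claim 4) */
} control_rule_t;
/* Read-only device list of claim 3 (fixed array here; the patent uses a linked list). */
#define MAX_RO 16
typedef struct { uint16_t vid, pid; } ro_entry_t;
typedef struct { ro_entry_t ro[MAX_RO]; size_t n_ro; } device_driver_state_t;
/* Claim 2: deny / read-only / read-write for a device's VID and PID. An exact VID+PID
   entry wins over a vendor-wide one; no match means deny (assumed default). */
access_mode_t device_rule_lookup(const control_rule_t *r, uint16_t vid, uint16_t pid) {
    access_mode_t vendor_wide = ACCESS_DENY;
    bool seen_vendor = false;
    for (size_t i = 0; i < r->n_dev_rules; i++) {
        const device_rule_t *d = &r->dev_rules[i];
        if (d->vid != vid) continue;
        if (d->pid == pid) return d->mode;
        if (d->pid == 0 && !seen_vendor) { vendor_wide = d->mode; seen_vendor = true; }
    }
    return vendor_wide;
}
/* Device driver mounted under the disk driver, invoked when the device is loaded:
   false blocks the device; read-only devices are recorded on the list. */
bool on_device_loaded(device_driver_state_t *s, const control_rule_t *r, uint16_t vid, uint16_t pid) {
    access_mode_t m = device_rule_lookup(r, vid, pid);
    if (m == ACCESS_DENY) return false;
    if (m == ACCESS_READ_ONLY && s->n_ro < MAX_RO) s->ro[s->n_ro++] = (ro_entry_t){ vid, pid };
    return true;
}
/* Callback set in the device driver's dispatch function (claims 1 and 3): a
   non-read-only request to a listed device gets the protection attribute (refused). */
bool device_callback_allows(const device_driver_state_t *s, uint16_t vid, uint16_t pid, op_t op) {
    if (op == OP_READ) return true;
    for (size_t i = 0; i < s->n_ro; i++)
        if (s->ro[i].vid == vid && s->ro[i].pid == pid) return false;
    return true;
}
/* File driver dispatch (claims 4 and 5): white-listed system paths always pass; other
   paths follow the file-mapping mode, and a non-read-only operation on a read-only
   mapping is set to the unauthorized state. Assumes an already-normalized path. */
bool file_dispatch_allows(const control_rule_t *r, const char *path, op_t op) {
    for (size_t i = 0; i < r->n_whitelist; i++)
        if (strncmp(path, r->whitelist[i], strlen(r->whitelist[i])) == 0) return true;
    if (r->file_mapping_mode == ACCESS_DENY) return false;
    return !(r->file_mapping_mode == ACCESS_READ_ONLY && op != OP_READ);
}

/* Constructed sample rule for the demonstration (VIDs, PIDs and paths are made up). */
static const device_rule_t sample_dev_rules[] = {
    { 0x1234, 0x0001, ACCESS_READ_ONLY },   /* one specific USB stick: read only */
    { 0x1234, 0x0000, ACCESS_READ_WRITE },  /* other products of that vendor: full access */
    { 0x5678, 0x0000, ACCESS_DENY },        /* this vendor: blocked entirely */
};
static const char *sample_whitelist[] = { "C:\\Windows\\" };
const control_rule_t sample_rule = { sample_dev_rules, 3, ACCESS_READ_ONLY, sample_whitelist, 1 };
```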
CN201710521624.1A 2017-06-30 2017-06-30 Access device control method and device for virtual desktop Active CN107463369B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710521624.1A CN107463369B (en) 2017-06-30 2017-06-30 Access device control method and device for virtual desktop

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710521624.1A CN107463369B (en) 2017-06-30 2017-06-30 Access device control method and device for virtual desktop

Publications (2)

Publication Number Publication Date
CN107463369A CN107463369A (en) 2017-12-12
CN107463369B true CN107463369B (en) 2020-10-16

Family

ID=60544092

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710521624.1A Active CN107463369B (en) 2017-06-30 2017-06-30 Access device control method and device for virtual desktop

Country Status (1)

Country Link
CN (1) CN107463369B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102495750A (en) * 2010-09-30 2012-06-13 微软公司 Virtual desktop configuration and operation techniques
CN103595790A (en) * 2013-11-14 2014-02-19 华为技术有限公司 Remote accessing method for device, thin client side and virtual machine
CN104636201A (en) * 2013-11-15 2015-05-20 中国电信股份有限公司 Virtual I/O scheduling method and system
CN106664242A (en) * 2015-07-03 2017-05-10 华为技术有限公司 Network configuration method, network system and device

Also Published As

Publication number Publication date
CN107463369A (en) 2017-12-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant