Technical Field
The present application relates to the technical field of computers, specifically to the technical field of computer security, and more specifically to a method and apparatus for capturing an operation, and security control in a container-based virtualization system.
Description of the Related Art
Virtualization refers to running multiple logical computers (virtual machines) on a single computer (physical machine) by using virtualization technology. Multiple logical computers run on the same computer at the same time, and each logical computer is capable of running a different operating system. Applications can run in independent spaces without affecting one another, thereby significantly improving the working efficiency of the computer. At present, container-based virtualization technologies are among the most widely utilized virtualization technologies: they provide lightweight virtualization that compartmentalizes processes and resources, and they do not require the instruction-interpreting mechanism and other complex processing of full virtualization. A container-based virtualization system is a virtual environment built by using container-based virtualization technology and includes containers and a host. With the use of containers, the resources managed by a single operating system are grouped into isolated groups, so that conflicting resource usage demands can be better balanced among the isolated groups. Compared with conventional virtualization technologies, container-based virtualization technologies are advantageous in that the performance loss is minimal, because all containers share the same kernel of the host and instruction-level simulation is not required.
However, in the container-based virtualization system, because a container can directly access the kernel of the host, a process in the container can easily invade the host kernel and take control over the host, threatening the security of the entire host and of the other containers. To ensure the security of the container-based virtualization system, an access operation by a process in a container to the host kernel needs to be captured, and appropriate processing needs to be performed on the captured operation. However, there is currently no method that captures an access operation by a process in a container to the host kernel.