CPC G06F 9/45558 (2013.01) [H04L 63/20 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45595 (2013.01)]; 17 Claims

1. A data processing method based on a container engine, performed by a computer device and comprising:
generating a container creation process according to a creation request for an isolation container when a container engine daemon obtains the creation request, the container creation process being used for creating the isolation container;
forwarding the creation request from the container engine daemon to a security policy agent component in response to detecting that the container creation process is started;
acquiring, from the creation request by using the security policy agent component, creation dependency resource information of the isolation container;
acquiring a valid policy file of a container engine corresponding to the isolation container by using the security policy agent component;
performing validity verification on the creation dependency resource information based on the valid policy file, to obtain a validity verification result of the isolation container; and
creating the isolation container when the validity verification result is a valid result, wherein the performing the validity verification on the creation dependency resource information based on the valid policy file to obtain the validity verification result comprises:
searching the valid policy file for invalid privileged field information by using the security policy agent component;
searching for target privileged field information in the creation dependency resource information when the invalid privileged field information is first privileged state information; and
determining the validity verification result based on whether the target privileged field information is found in the creation dependency resource information.
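The verification steps of claim 1 (search the policy file for a privileged field it marks invalid, then search the creation request for that field, then decide validity) written out as an added example; this is illustrative code, not the patent's implementation, and it assumes a constructed JSON policy format (an "invalid_fields" map of dotted paths to prohibited values) and a Docker-style creation body, neither of which the claim specifies.

```python
import json

# Constructed policy file (assumed format): marks HostConfig.Privileged=true
# as an invalid privileged field for this container engine.
POLICY_FILE = json.dumps({
    "engine": "docker",
    "invalid_fields": {"HostConfig.Privileged": True},
})

# Constructed creation requests, loosely modelled on a Docker engine-API
# body; only the fields inspected below matter.
PRIVILEGED_REQUEST = json.dumps({
    "Image": "example/app:1.0",
    "HostConfig": {"Privileged": True, "Binds": ["/data:/data"]},
})
UNPRIVILEGED_REQUEST = json.dumps({
    "Image": "example/app:1.0",
    "HostConfig": {"Privileged": False, "Binds": ["/data:/data"]},
})


def lookup(obj, dotted_path):
    """Return the value at a dotted key path, or None if any key is absent."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def invalid_privileged_fields(policy):
    """Step 1: read the privileged fields the policy file declares invalid."""
    return dict(policy.get("invalid_fields", {}))


def verify_creation(request_json, policy_json):
    """Steps 2-3: the agent looks for each invalid privileged field in the
    request's creation dependency resource information and reports the
    creation as valid only when none is present with the prohibited state."""
    request = json.loads(request_json)
    policy = json.loads(policy_json)
    violations = []
    for field, prohibited_state in invalid_privileged_fields(policy).items():
        target = lookup(request, field)           # search the request
        if target is not None and target == prohibited_state:
            violations.append(field)              # found: creation is invalid
    return {"valid": not violations, "violations": violations}


if __name__ == "__main__":
    print(verify_creation(PRIVILEGED_REQUEST, POLICY_FILE))    # valid: False
    print(verify_creation(UNPRIVILEGED_REQUEST, POLICY_FILE))  # valid: True
```

A request that omits the field entirely is treated as valid here, since the claim only tests whether the target privileged field information is found.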