Storage volume protection using restricted resource classes

US 10,032,041 B2
Filed: 10/02/2015
Issued: 07/24/2018
Est. Priority Date: 05/30/2015
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a storage volume using a restricted resource class, the method comprising:

receiving a message indicating attachment of a storage volume;

creating an association between a restricted resource class (RRC) and the storage volume to limit programmatic access to the storage volume to one or more programs having an RRC entitlement to access resources in the RRC;

requesting an evaluation of the storage volume;

receiving a result of the evaluation of the storage volume;

removing or maintaining the association based on the result;

in response to the result of the evaluation indicating that the storage volume is a protected storage volume;

receiving one or more RRC entitlements from a program that requests programmatic access to the storage volume, wherein an RRC entitlement indicates that the program is entitled to access a resource in the restricted resource class;

allowing the program to access data on the storage volume in response to an RRC entitlement of the program matching the RRC associated with the storage volume.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for restricting access to a storage volume attached to a data processing system are described. In one embodiment, a storage management and access control logic in the data processing system can receive a message indicating the attachment of a storage volume. The logic can apply access restrictions to the storage volume by creating an association between a restricted resource class and the storage volume to limit programmatic access to the storage volume. An evaluation of the storage volume can be requested and based on the result of the evaluation the access restrictions can be removed or retained on the storage volume.

35 Citations

32 Claims

1. A method of protecting a storage volume using a restricted resource class, the method comprising:
- receiving a message indicating attachment of a storage volume;
  
  creating an association between a restricted resource class (RRC) and the storage volume to limit programmatic access to the storage volume to one or more programs having an RRC entitlement to access resources in the RRC;
  
  requesting an evaluation of the storage volume;
  
  receiving a result of the evaluation of the storage volume;
  
  removing or maintaining the association based on the result;
  
  in response to the result of the evaluation indicating that the storage volume is a protected storage volume;
  
  receiving one or more RRC entitlements from a program that requests programmatic access to the storage volume, wherein an RRC entitlement indicates that the program is entitled to access a resource in the restricted resource class;
  
  allowing the program to access data on the storage volume in response to an RRC entitlement of the program matching the RRC associated with the storage volume.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, wherein creating the association between the restricted resource class and the storage volume includes associating a resource identifier for the storage volume with a restricted resource class identifier and associating the resource identifier for the storage volume with a restricted resource class identifier includes creating an entry in an access control list to identify one or more restricted resource classes associated with the storage volume.
  - 3. The method as in claim 1, wherein the restricted resource class is tolimit programmatic access to the storage volume to a set of applications having a matching restricted resource class.
  - 4. The method as in claim 1, wherein the message indicating attachment of the storage volume is received by a kernel component of an operating system executed via one or more processors and requesting an evaluation of the storage volume includes sending a message from the kernel component to a user space component of the operating system, the message requesting the evaluation of the storage volume.
  - 5. The method as in claim 4, wherein the evaluation of the storage volume includes analyzing data stored on the storage volume to determine if the data is of a type of data associated with the restricted resource class.
  - 6. The method as in claim 4, wherein the evaluation of the storage volume includes analyzing metadata associated with the storage volume to determine if the storage volume is to store a type of data associated with the restricted resource class.
  - 7. The method of claim 1, wherein the one or more RRC entitlements of the program are stored in an executable image of the program.
  - 8. The method of claim 1, further comprising:
    - allowing the program to access data of any resource having the same RRC as the storage volume, in response to an RRC entitlement of the program matching the RRC of the storage volume.

9. A non-transitory machine-readable medium storing instructions which, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- receiving a message indicating attachment of a storage volume;
  
  creating an association between a restricted resource class (RRC) and the storage volume to limit programmatic access to the storage volume to one or more programs having an RRC entitlement to access resources in the RRC;
  
  requesting an evaluation of the of the storage volume;
  
  receiving a result of the evaluation of the storage volume;
  
  removing or maintaining the association based on the result;
  
  in response to the result of the evaluation indicating that the storage volume is a protected storage volume;
  
  receiving one or more RRC entitlements from a program that requests programmatic access to the storage volume, wherein the RRC entitlement indicates that the program is entitled to access a resource in the restricted resource class;
  
  allowing the program to access data on the storage volume in response to determining that an RRC entitlement of the program matches the RRC associated with the storage volume.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The medium as in claim 9, wherein creating the association between the restricted resource class and the storage volume includes associating a resource identifier for the storage volume with a restricted resource class identifier.
  - 11. The medium as in claim 10, wherein associating the resource identifier for the storage volume with a restricted resource class identifier includes creating an entry in an access control list to identify one or more restricted resource classes associated with the storage volume.
  - 12. The medium as in claim 9, wherein the restricted resource class limits programmatic access to the storage volume to a set of applications having a matching restricted resource class.
  - 13. The medium as in claim 9, wherein the message indicating attachment of the storage volume is received by a kernel component of an operating system executed via the one or more processors.
  - 14. The medium as in claim 13, wherein requesting an evaluation of the storage volume includes sending a message from the kernel component to a user space component of the operating system, the message requesting the evaluation of the storage volume.
  - 15. The medium as in claim 14, wherein the evaluation of the storage volume includes analyzing data stored on the storage volume to determine if the data is of a type of data associated with the restricted resource class.
  - 16. The medium as in claim 14, wherein the evaluation of the storage volume includes analyzing metadata associated with the storage volume to determine if the storage volume is to store a type of data associated with the restricted resource class.

17. A data processing system comprising one or more processors,including at least one hardware processor, coupled to memory, the one or more processors to execute a plurality of processes comprising:
- a kernel mode process to receive a message indicating attachment of a storage volume and create an association between a restricted resource class (RRC) and the storage volume to limit programmatic access to the storage volume to one or more programs having an RRC entitlement to access resources in the RRC; and
  
  a user mode process to perform an evaluation of the storage volume upon request from the kernel mode process, the evaluation based on one or more characteristics of the storage volume, wherein the kernel mode process is to maintain the association between the restricted resource class and the storage volume, in response a result of the evaluation indicating that the storage volume is a protected volume;
  
  the kernel mode process further configured to receive one or more RRC entitlements from a program that requests programmatic access to the storage volume, wherein an RRC entitlement indicates that the program is entitled to access a resource in the restricted resource class, and configured to allow access to data on the storage volume in response to the kernel mode process determining that an RRC entitlement of the program matches the RRC associated with the storage volume.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The system as in claim 17, wherein the characteristics of the storage volume include a type of data stored on the storage volume, metadata associated with the storage volume, and data stored on the storage volume.
  - 19. The system as in claim 18, wherein the type of data stored on the storage volume includes backup data or operating system data and the data stored on the storage volume is to indicate that the storage volume is a user home directory, bootable operating system, or a backup volume.
  - 20. The system as in claim 18, wherein the metadata associated with the storage volume is to indicate that the storage volume is a user home directory, that the storage volume contains a bootable operating system, or that the storage volume is a backup volume.
  - 21. The system as in claim 17, wherein the characteristics of the storage volume include layout of data on the storage volume and wherein the layout of data on the storage volume is to indicate that the storage volume is a backup volume or a user home directory.
  - 22. The system as in claim 17, wherein the kernel mode process is to associate a resource identifier for the storage volume with a restricted class identifier to create the association between the restricted resource class and the storage volume.
  - 23. The system as in claim 22, wherein the kernel mode process is further to create an entry in an access control list to associate the resource identifier for the storage volume with the restricted class identifier.
  - 24. The system as in claim 23, wherein the user mode process is further to transmit a result of the evaluation to the kernel mode process.
  - 25. The system as in claim 24, wherein the kernel mode process is further to remove or maintain the association based on the result of the evaluation.
  - 26. The system as in claim 17, wherein the storage volume resides at least in part on a physically coupled storage device.
  - 27. The system as in claim 26, wherein the storage volume is a logical volume associated with one or more physically coupled storage volumes.
  - 28. The system as in claim 17, wherein the storage volume resides at least in part on a storage volume coupled via a network.
  - 29. The system as in claim 17, wherein the storage volume is browsable via a file manager during the evaluation of the storage volume.

30. A method of protecting a storage volume using a restricted resource class, the method comprising:
- receiving a message indicating attachment of a storage volume;
  
  requesting an evaluation of the of the storage volume;
  
  receiving a result of the evaluation of the storage volume; and
  
  based on the result of the evaluation, creating an association between a restricted resource class (RRC) and the storage volume to limit programmatic access to the storage volume to one or more programs having an RRC entitlement to access resources in the RRC, wherein the storage volume is browsable via a file manager during the evaluation of the storage volume;
  
  in response to the result of the evaluation indicating that the storage volume is a protected volume;
  
  receiving one or more RRC entitlements from a program that requests programmatic access to the storage volume, wherein an RRC entitlement indicates that the program is entitled to access a resource in the restricted resource class;
  
  allowing the program to access data on the storage volume in response to an RRC entitlement of the program matching the RRC associated with the storage volume.
- View Dependent Claims (31, 32)
- - 31. The method as in claim 30, wherein creating the association between the restricted resource class and the storage volume includes associating a resource identifier for the storage volume with a restricted resource class identifier.
  - 32. The method as in claim 31, wherein associating the resource identifier for the storage volume with a restricted resource class identifier includes creating an entry in an access control list to identify one or more restricted resource classes associated with a the storage volume.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Martel, Pierre-Olivier, Jennings, Austin G.
Primary Examiner(s)
Moorthy, Aravind K

Application Number

US14/874,224
Publication Number

US 20160357983A1
Time in Patent Office

1,026 Days
Field of Search

726 27, 726 30, 726 34, 713165, 713166, 713168, 713189
US Class Current
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Storage volume protection using restricted resource classes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Storage volume protection using restricted resource classes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links