Isolating an application running inside a native container application
First Claim
1. A computer system comprising:
- one or more processors; and
- one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to limit access to native device capabilities, including instructions that are executable to configure the computer system to perform at least the following:
  - executing a container application installed at the computer system, the container application configured to execute one or more hosted script based applications and the container application configured to:
    - identify a hosted application to execute;
    - obtain information identifying a limited set of capabilities from among the native device capabilities indicating which of the native device capabilities the hosted application has been granted access to;
    - create a hosting manager, the hosting manager implemented completely within a native context of the device, and provide the information identifying the limited set of capabilities to the hosting manager;
    - the container application preventing the hosted application from directly accessing any of the native device capabilities;
    - to provide access to the limited set of capabilities, for the limited set of capabilities, identify and provide plugins which provide access to the limited set of capabilities to the hosted application, the plugins providing a transport layer between the container application and the hosted application which provides a connection between the native context associated with the container application and a hosted application context such that the hosted application can communicate with the limited set of capabilities through the plugins and the hosting manager, each plugin having a container part executing within the container application and an outside part executing within the native context, wherein the container part communicates with the outside part through messages and wherein, before allowing access to any native device capability, the outside part verifies permissions of the hosted application to access the any native device capability; and
    - execute the hosted application and enforce limits on the hosted application such that the hosted application is able to access only the native device capabilities identified in the limited set of capabilities.
Abstract
Limiting access to native device capabilities. A method includes, at a container application installed at the computing device, the container application configured to execute hosted script based applications, identifying a hosted application to execute. The method further includes, at the container application, obtaining information identifying a limited set of capabilities from among the native device capabilities indicating which of the native device capabilities the hosted application has been granted access to. The method further includes, at the container application, executing the hosted application and enforcing limits on the hosted application such that the hosted application is only able to access the native device capabilities identified in the limited set of capabilities.
20 Claims
1. A computer system comprising: (text as set out under First Claim above)
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
9. At a computing device having native device capabilities, a computer implemented method of limiting access to native device capabilities, the method comprising:
- executing a container application installed at the computing device, the container application configured to execute one or more hosted script based applications and the container application configured to perform:
  - identifying a hosted application to execute;
  - obtaining information identifying a limited set of capabilities from among the native device capabilities indicating which of the native device capabilities the hosted application has been granted access to;
  - creating a hosting manager, the hosting manager implemented completely within a native context of the device, and providing the information identifying the limited set of capabilities to the hosting manager;
  - the container application preventing the hosted application from directly accessing any of the native device capabilities;
  - to provide access to the limited set of capabilities, for the limited set of capabilities, identifying and providing plugins which provide access to the limited set of capabilities to the hosted application, the plugins providing a transport layer between the container application and the hosted application which provides a connection between the native context associated with the container application and a hosted application context such that the hosted application can communicate with the limited set of capabilities through the plugins and the hosting manager, each plugin having a container part executing within the container application and an outside part executing within the native context, wherein the container part communicates with the outside part through messages and wherein, before allowing access to any native device capability, the outside part verifies permissions of the hosted application to access the any native device capability; and
  - executing the hosted application and enforcing limits on the hosted application such that the hosted application is able to access only the native device capabilities identified in the limited set of capabilities.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
17. A computing device comprising:
- one or more cameras;
- one or more microphones;
- one or more pieces of communication hardware;
- one or more pieces of location hardware;
- a file system;
- a container application coupled to the one or more cameras, one or more microphones, one or more pieces of communication hardware, one or more pieces of location hardware and the file system, wherein the container application is configured to access computing device capabilities associated with the one or more cameras, one or more microphones, one or more pieces of communication hardware, one or more pieces of location hardware and the file system; and
- a script based hosted application configured to be executed by the container application, wherein the container application is configured to:
  - create a hosting manager, the hosting manager implemented completely within a native context of the device, and provide information identifying the computing device capabilities to the hosting manager;
  - the container application preventing the hosted application from directly accessing any of the native device capabilities;
  - to provide access to the limited set of capabilities, for the computing device capabilities, identify and provide plugins which provide access to the computing device capabilities to the hosted application, the plugins providing a transport layer between the container application and the hosted application which provides a connection between the native context associated with the container application and a hosted application context such that the hosted application can communicate with the computing device capabilities through the plugins and the hosting manager, each plugin having a container part executing within the container application and an outside part executing within the native context, wherein the container part communicates with the outside part through messages and wherein, before allowing access to any native device capability, the outside part verifies permissions of the hosted application to access the any native device capability; and
  - limit capabilities associated with the one or more cameras, one or more microphones, one or more pieces of communication hardware, one or more pieces of location hardware and the file system to the hosted application even when the hosted application includes functionality for accessing capabilities from which it is limited.
- View Dependent Claims (18, 19, 20)
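The claims above describe one architecture: a hosting manager that lives entirely in the native context and holds the hosted application's granted capability set, and per-capability plugins split into a container part (the only handle the hosted script sees) and an outside part that checks permissions on the native side before touching the device. The following JavaScript is an added illustration of that split written for this page; it is not code from the patent or from any product. The names `createNativeContext`, `makeOutsidePart`, `makeContainerPart`, `createContainer` and `hostedApp`, the three stubbed capabilities and the constructed manifest are all assumptions made for the example.

```javascript
// Added example, not the patent's or any vendor's code. Function and object
// names are assumed for illustration; device capabilities are stubbed.
'use strict';

// Native context: the device capabilities, stubbed with constructed values so
// the example runs offline. Only objects created inside this function ever
// hold a reference to them.
function createNativeContext(appId, grantedCapabilities) {
  const nativeCapabilities = {
    camera: { takePicture: () => ({ bytes: 'constructed-jpeg-bytes' }) },
    geolocation: { getPosition: () => ({ lat: 47.6, lon: -122.3 }) },
    fileSystem: { read: (path) => `constructed contents of ${path}` },
  };

  // Hosting manager: implemented entirely on the native side and holding the
  // limited capability set the hosted app was granted (e.g. from a manifest),
  // so the hosted script cannot alter the data the decision is based on.
  const hostingManager = {
    appId,
    granted: new Set(grantedCapabilities),
    isGranted(capability) { return this.granted.has(capability); },
  };

  // Outside part of a plugin: receives a message from the container part and
  // verifies permission before invoking any native capability.
  function makeOutsidePart(capabilityName) {
    return {
      handleMessage(msg) {
        if (!hostingManager.isGranted(capabilityName)) {
          return { ok: false, error: `'${capabilityName}' not granted to ${hostingManager.appId}` };
        }
        const fn = nativeCapabilities[capabilityName][msg.method];
        if (typeof fn !== 'function') {
          return { ok: false, error: `unknown method '${msg.method}'` };
        }
        return { ok: true, result: fn(...msg.args) };
      },
    };
  }

  return { capabilityNames: Object.keys(nativeCapabilities), makeOutsidePart };
}

// Container part of a plugin: the only handle the hosted app receives. It holds
// no reference to native objects; it can only serialize a message over the
// transport and return whatever the outside part replies.
function makeContainerPart(transport) {
  return {
    invoke(method, ...args) {
      // Round-trip through JSON to mimic the message boundary between the
      // hosted application context and the native context.
      const message = JSON.parse(JSON.stringify({ method, args }));
      return JSON.parse(JSON.stringify(transport(message)));
    },
  };
}

// Container application: identifies the hosted app, creates the hosting manager
// with the app's limited capability set, and provides one plugin per
// capability. A plugin exists for every capability; whether a call succeeds is
// decided by the outside part, never by the hosted script.
function createContainer(appId, grantedCapabilities) {
  const native = createNativeContext(appId, grantedCapabilities);
  const plugins = {};
  for (const name of native.capabilityNames) {
    const outside = native.makeOutsidePart(name);
    plugins[name] = makeContainerPart((msg) => outside.handleMessage(msg));
  }
  return plugins;
}

// A hosted script-based application that contains code for three capabilities,
// whether or not it has been granted them (claim 17's "even when the hosted
// application includes functionality for accessing capabilities from which it
// is limited").
function hostedApp(plugins) {
  return {
    photo: plugins.camera.invoke('takePicture'),
    position: plugins.geolocation.invoke('getPosition'),
    file: plugins.fileSystem.invoke('read', '/constructed/notes.txt'),
  };
}

// Constructed manifest: this app is granted only the camera.
function demo() {
  return hostedApp(createContainer('example-hosted-app', ['camera']));
}
```

Running `demo()` returns a successful camera result and two denied results; the hosted script never obtains a reference to `nativeCapabilities`, and changing what it asks for cannot change the outcome because the check is made by the outside part against the hosting manager's set. A real container would back the JSON round-trip with an actual process or WebView message channel, which is the point of separating the two plugin parts.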
Specification