System and method for file system mandatory access control
Abstract
In one embodiment, the present invention is related to a computer system including compartments implemented on an operating system. A database contains access rules with said access rules defining which compartments are authorized to access particular file resources. A kernel module receives a system call to access a file from a user space application belonging to a compartment. A security module determines whether said user space application is authorized to access said file utilizing access rules stored in said database.
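The rule lookup the abstract describes can be sketched as follows. This is an added illustration, not code from the patent: the rule layout, path-prefix matching, most-specific-rule precedence, default deny, and all names (`struct rule`, `compartment_may_access`, the sample paths) are assumptions, and the path is taken as already canonicalized.

```c
#include <stddef.h>
#include <string.h>

#define ACC_READ  1u
#define ACC_WRITE 2u

/* One access rule: compartment id, file resource (path prefix), permitted access.
   The layout is an assumption for this example; the page does not define one. */
struct rule { int compartment; const char *prefix; unsigned allowed; };

/* Constructed sample rule database. */
static const struct rule rules[] = {
    { 1, "/var/www",         ACC_READ },
    { 1, "/var/www/uploads", ACC_READ | ACC_WRITE },
    { 2, "/etc/mail",        ACC_READ },
};

/* Return the prefix length if `prefix` covers `path` on a component boundary,
   else 0, so "/etc/mail" covers "/etc/mail/aliases" but not "/etc/mailer.conf". */
static size_t covers(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    if (strncmp(prefix, path, n) != 0)
        return 0;
    return (path[n] == '\0' || path[n] == '/') ? n : 0;
}

/* Security-module decision: 1 = permit, 0 = deny. The decision depends only on
   the caller's compartment, never on its user id. The most specific rule wins
   and no matching rule means deny (both assumptions of this example). */
int compartment_may_access(int compartment, const char *path, unsigned want)
{
    const struct rule *best = NULL;
    size_t best_len = 0;

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        size_t n;
        if (rules[i].compartment != compartment)
            continue;
        n = covers(rules[i].prefix, path);
        if (n > best_len) {
            best_len = n;
            best = &rules[i];
        }
    }
    return best != NULL && (best->allowed & want) == want;
}
```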
30 Claims
1. A computer system for controlling access to certain files by processes, said computer system comprising:
compartments implemented on an operating system;
a database containing access rules, said access rules defining which compartments are authorized to access particular file resources;
a kernel module for receiving a system call to access a file from a user space application belonging to a compartment; and
a security module for determining whether said user space application is authorized to access said file utilizing access rules stored in said database.
14. A method for controlling access to a file by a process, said method comprising:
receiving a request from said process to access said file, said process being associated with a compartment implemented on an operating system;
determining an identifier of said compartment; and
searching for access rules on a database, said database containing access rules defining whether processes associated with particular compartments are permitted to access certain file resources.
24. A computer readable medium including instructions executable by a processor, said computer readable medium comprising:
code for receiving a request from a process associated with a particular compartment to access a particular file, said compartment being associated with an operating system; and
code for searching a database containing access rules which define which compartments possess authorization to access certain file resources.
Specification