System and method for file system mandatory access control

US 20030009685A1
Filed: 06/29/2001
Published: 01/09/2003
Est. Priority Date: 06/29/2001
Status: Active Grant

First Claim

Patent Images

1. A computer system for controlling access to certain files by processes, said computer system comprising:

compartments implemented on an operating system;

a database containing access rules, said access rules defining which compartments are authorized to access particular file resources;

a kernel module for receiving a system call to access a file from a user space application belonging to a compartment; and

a security module for determining whether said user space application is authorized to access said file utilizing access rules stored in said database.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention is related to a computer system including compartments implemented on an operating system. A database contains access rules with said access rules defining which compartments are authorized to access particular file resources. A kernel module receives a system call to access a file from a user space application belonging to a compartment. A security module determines whether said user space application is authorized to access said file utilizing access rules stored in said database.

137 Citations

30 Claims

1. A computer system for controlling access to certain files by processes, said computer system comprising:
- compartments implemented on an operating system;
  
  a database containing access rules, said access rules defining which compartments are authorized to access particular file resources;
  
  a kernel module for receiving a system call to access a file from a user space application belonging to a compartment; and
  
  a security module for determining whether said user space application is authorized to access said file utilizing access rules stored in said database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27, 28, 29, 30)
- - 2. The computer system of claim 1 wherein said database is stored on a common file system with said particular file resources.
  - 3. The computer system of claim 1 wherein each compartment is assigned a unique identifier.
  - 4. The computer system of claim 1 wherein at least one access rule in said database defines whether any process belonging to a particular compartment is permitted to access a plurality of files within at least one subdirectory.
  - 5. The computer system of claim 1 wherein at least one access rule in said database defines whether any process belonging to a particular compartment is permitted to access a particular file.
  - 6. The computer system of claim 1 wherein said security module comprises at least one kernel routine.
  - 7. The computer system of claim 1 wherein said particular file resources are maintained on a file system possessing a subdirectory-based structure and wherein said database organizes access rules according to said subdirectory-based structure.
  - 8. The computer system of claim 7 wherein a default access rule is stored at a database location associated with a root directory of said subdirectory-based structure.
  - 9. The computer system of claim 7 wherein specific access rules are stored at database locations associated with subdirectories of said subdirectory-based structure.
  - 10. The computer system of claim 9 wherein said security module is operable to receive a path identifier of the file from said user space application with said path identifier including a plurality of subdirectory identifiers.
  - 11. The computer system of claim 10 wherein said security module is operable to apply an access rule according to a lowest subdirectory identifier of said plurality of subdirectory identifiers.
  - 12. The computer system of claim 10 wherein said security module is operable to respectively search said database according to each higher subdirectory identifier of said plurality of subdirectory identifiers, when an access rule is not located according to a lower subdirectory identifier.
  - 13. The computer system of claim 1 wherein said security module is operable to permit access when no access rule is located.
  - 15. The method of claim 14 wherein said file is stored on a file system that possesses a subdirectory structure, and wherein said database is structured to retain access rules in a hierarchical manner that parallels the subdirectory structure of said file system.
  - 16. The method of claim 15 wherein said access rules includes at least one access rule that allows a process associated with said compartment to access a plurality of files associated with a particular subdirectory.
  - 17. The method of claim 15 wherein a default access rule stored in said database is associated with a root directory of said file system.
  - 18. The method of claim 17 wherein specific access rules are stored in said database and said specific access rules are associated with subdirectories of said file system.
  - 19. The method of claim 14 wherein said request includes a filename containing a path identifier, said path identifier specifying a plurality of subdirectories, wherein said step of searching includes the sub-steps of:
    - (a) searching said database according to a lowest subdirectory of said plurality of subdirectories for an access rule applicable to said compartment;
      
      (b) when an access rule is found in step (a), proceeding to step (e);
      
      (c) searching said database according a next higher subdirectory of said plurality of subdirectories for an access rule applicable to said compartment;
      
      (d) repeating step (c) until the first event of the following events occurs;
      
      (i) an access rule applicable to said compartment is located;
      
      (ii) said database is searched according to a root directory. (e) when an access rule applicable to said compartment is located, providing access to said file when said access rule applicable to said compartment allows access.
  - 20. The method of claim 19 wherein said step of searching further comprises:
    - (f) when an access rule applicable to said compartment is not located, providing access to said file.
  - 21. The method of claim 14 wherein said database is stored on a same file system as said file.
  - 22. The method of claim 14 wherein said step of searching is performed by a kernel routine of an operating system.
  - 23. The method of claim 14 wherein said database comprises at least one rule that defines whether a process associated with a particular compartment is permitted to access a plurality of files in a particular subdirectory.
  - 25. The computer readable medium of claim 24 wherein said database comprises at least one rule which defines whether a process associated with a compartment is permitted to access a plurality of files of a subdirectory.
  - 26. The computer readable medium of claim 24 wherein said particular file is stored on a file system that possesses a subdirectory structure, and wherein said database possesses a structure that parallels said subdirectory structure.
  - 27. The computer readable medium of claim 26 wherein said code for receiving receives a filename that possesses a plurality of subdirectory identifiers, and wherein said code for searching searches said database according to a lowest subdirectory of said plurality of subdirectories for an access rule applicable to said compartment.
  - 28. The computer readable medium of claim 26 wherein said code for searching searches said database according to a higher level subdirectory when an access rule applicable to said compartment is not located according to a lower level subdirectory.
  - 29. The computer readable medium of claim 24 further comprising:
    - code for determining whether said process may access said particular file.
  - 30. The computer readable medium of claim 24 further comprising:
    - code for denying access to said particular file by said process.

14. A method for controlling access to a file by a process, said method comprising:
- receiving a request from said process to access said file, said process being associated with a compartment implemented on an operating system;
  
  determining an identifier of said compartment; and
  
  searching for access rules on a database, said database containing access rules defining whether processes associated with particular compartments are permitted to access certain file resources.

24. A computer readable medium including instructions executable by a processor, said computer readable medium comprising:
- code for receiving a request from a process associated with a particular compartment to access a particular file, said compartment being associated with an operating system; and
  
  code for searching a database containing access rules which define which compartments possess authorization to access certain file resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Leerssen, Scott A., Choo, Tse-Huong, Berger, Joubert

Granted Patent

US 7,962,950 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

System and method for file system mandatory access control

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

137 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for file system mandatory access control

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links