Global visibility controls for operating system partitions
First Claim
Patent Images
1. A method comprising:
- establishing a global zone in an operating system environment controlled by a single operating system kernel instance;
establishing at least one non-global zone;
selectively limiting at least one of visibility and access by processes associated with the global zone to objects within the global zone and select objects within at least one non-global zone; and
limiting visibility and access by processes associated with each non-global zone to objects within that non-global zone.
1 Assignment
0 Petitions
Accused Products
Abstract
In accordance with one embodiment of the present invention, there is provided a mechanism for managing and controlling global visibility of resources in zones within an operating system controlled by a single kernel instance. Embodiments enable isolation and virtualization of processes within a single image of an operating system, without requiring implementation of hardware support (such as the introduction of an additional privilege level) to isolate privileged programs, and without multiple instances of an operating system or operating system kernel for some applications.
89 Citations
27 Claims
-
1. A method comprising:
-
establishing a global zone in an operating system environment controlled by a single operating system kernel instance;
establishing at least one non-global zone;
selectively limiting at least one of visibility and access by processes associated with the global zone to objects within the global zone and select objects within at least one non-global zone; and
limiting visibility and access by processes associated with each non-global zone to objects within that non-global zone. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A computer based method for managing resources in a single kernel instance operating system, the method comprising the steps of:
-
creating a global zone and at least one non-global zone;
permitting processes of the global zone to view and access objects in the global zone and view objects in non-global zones;
permitting processes of the non-global zone to view and access objects only in the non-global zone; and
selectively permitting upon authorized request, a process of the global zone to access objects in a non-global zone. - View Dependent Claims (12)
-
-
13. A computer readable medium, comprising:
-
instructions for causing one or more processors to establish a global zone;
instructions for causing one or more processors to establish at least one non-global zone;
instructions for causing one or more processors to selectively limit at least one of visibility and access by processes associated with the global zone to objects within the global zone and select objects within at least one non-global zone; and
instructions for causing one or more processors to limit visibility and access by processes associated with each non-global zone to objects within that non-global zone;
wherein the global zone and the at least one non-global zone exist concurrently in an operating system controlled by a single kernel instance. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
-
-
23. A computer readable medium, comprising:
-
instructions for causing one or more processors to create a global zone and at least one non-global zone within an operating system controlled by a single kernel instance;
instructions for causing one or more processors to permit processes of the global zone to view and access objects in the global zone and view objects in non-global zones;
instructions for causing one or more processors to permit processes of the non-global zone to view and access objects only in the non-global zone; and
instructions for causing one or more processors to selectively permit upon authorized request, a process of the global zone to access objects in a non-global zone. - View Dependent Claims (24)
-
-
25. An apparatus, comprising:
-
a means for establishing a global zone;
a means for establishing at least one non-global zone;
a means for selectively limiting at least one of visibility and access by processes associated with the global zone to objects within the global zone and select objects within at least one non-global zone; and
a means for limiting visibility and access by processes associated with each non-global zone to objects within that zone.
-
-
26. An apparatus, comprising:
-
a means for creating a first zone and a second zone, wherein the first zone and the second zone exist concurrently in an operating system controlled by a single kernel instance; and
a means for selectively permitting;
access by processes associated with the first zone to computational entities associated with the first zone;
access by certain ones of processes associated with the first zone to computational entities associated with the second zone; and
access by processes associated with the second zone exclusively to computational entities associated with the second zone.
-
-
27. A system, comprising:
-
a processor; and
a memory connected with the processor, and operative to hold at least one of a plurality of program processes, including;
instructions for providing an operating system;
instructions for establishing and managing a plurality of zones within the operating system under control of a single kernel instance, including;
instructions for creating a global zone and at least one non-global zone;
instructions for permitting processes attached to the global zone to view and access objects in the global zone and view objects in non-global zones;
instructions for permitting processes attached to the non-global zone to view and access objects only in the non-global zone; and
instructions for selectively permitting upon authorized request, a process attached to the global zone to access objects in a non-global zone.
-
Specification