Controlling computer program extensions in a network device
Abstract
A network infrastructure element such as a packet data router or switch hosts an application program and one or more user program extensions to the application program. Logic in the network element is configured to perform creating and storing one or more default program security permissions; receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions; creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions; receiving a request from one of the user program extensions to access a resource of the apparatus or the network; permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
22 Claims
1. A data processing apparatus, comprising:
a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
one or more processors;
a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
a computer-readable storage medium having stored thereon an application program and one or more user program extensions to the application program;
logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
creating and storing one or more default program security permissions;
receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions;
receiving a request from one of the user program extensions to access a resource of the apparatus or the network;
permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A machine-implemented method, comprising:
creating and storing one or more default program security permissions in a network infrastructure device that is coupled to a network and that hosts an application program and one or more user program extensions to the application program;
receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions;
receiving in the network infrastructure device a request from one of the user program extensions to access a resource of the apparatus or the network;
permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
(Dependent claims: 9, 10, 11, 12, 13, 14)

15. A computer-readable storage medium carrying instructions which when executed by one or more processors, cause the one or more processors to perform:
creating and storing one or more default program security permissions in a network infrastructure device that is coupled to a network and that hosts an application program and one or more user program extensions to the application program;
receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
creating and storing each of the one or more user extension security permissions that do not conflict with the default program security permissions;
receiving in the network infrastructure device a request from one of the user program extensions to access a resource of the apparatus or the network;
permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.

16. A data processing apparatus, comprising:
a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
one or more processors;
a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
a computer-readable storage medium having stored thereon an application program and one or more user program extensions to the application program;
means for creating and storing one or more default program security permissions;
means for receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
means for creating and storing each of the one or more user extension security permissions that do not conflict with the default program security permissions;
means for receiving a request from one of the user program extensions to access a resource of the apparatus or the network;
means for permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
(Dependent claims: 17, 18, 19, 20, 21, 22)
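The permission model the claims describe, as an added, constructed illustration rather than code from the patent: default program permissions are fixed, the user policy is filtered so that only non-conflicting extension permissions are stored, and a request is permitted only if it violates neither set. The resource naming scheme, the trailing-wildcard matching and the deny-overrides rule are assumptions made here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    resource: str   # hypothetical naming: "file:/flash/*", "net:tcp:443"
    action: str     # "read", "write", "connect"
    allow: bool     # True = grant, False = explicit deny

# Default program security permissions (constructed): the platform baseline
# that a user policy may narrow but never widen.
DEFAULT_PERMISSIONS = frozenset({
    Permission("file:/flash/*", "read", True),
    Permission("net:tcp:*", "connect", True),
    Permission("file:/nvram/*", "write", False),   # extensions never alter config
    Permission("net:tcp:22", "connect", False),    # nor reach management SSH
})

def _matches(pattern, resource):
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == resource

def _denied_by(perms, resource, action):
    return any(not p.allow and p.action == action and _matches(p.resource, resource) for p in perms)

def _allowed_by(perms, resource, action):
    return any(p.allow and p.action == action and _matches(p.resource, resource) for p in perms)

def filter_user_policy(user_policy):
    """Store only user extension permissions that do not conflict with the defaults:
    a user grant for something the defaults explicitly deny is dropped; user denies
    never conflict and are always kept."""
    return frozenset(p for p in user_policy
                     if not (p.allow and _denied_by(DEFAULT_PERMISSIONS, p.resource, p.action)))

def permit(ext_perms, resource, action):
    """Permit only when the access violates neither the default program permissions
    nor the stored extension permissions: deny overrides allow, and both sets must grant it."""
    if _denied_by(DEFAULT_PERMISSIONS, resource, action) or _denied_by(ext_perms, resource, action):
        return False
    return _allowed_by(DEFAULT_PERMISSIONS, resource, action) and _allowed_by(ext_perms, resource, action)

# Constructed user-defined security policy for one extension.
USER_POLICY = [
    Permission("file:/flash/ext/*", "read", True),            # kept
    Permission("net:tcp:443", "connect", True),               # kept
    Permission("net:tcp:80", "connect", False),               # kept: narrows the defaults
    Permission("file:/nvram/startup-config", "write", True),  # conflicts with a default deny: dropped
    Permission("net:tcp:22", "connect", True),                # conflicts with a default deny: dropped
]
EXT_PERMS = filter_user_policy(USER_POLICY)
```

Note that a request the defaults would allow (reading `file:/flash/app.cfg`) is still refused when the extension's own stored policy does not grant it, which is the "both sets" condition of the claims.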