Use of rules engine to build namespaces
Abstract
A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system environment is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies. A set of declarative rules specifying access capabilities may specify a set of filter drivers to be used to limit access to nodes in the hierarchical name space. The rules may be applied in sequence to construct a new name space from an existing one, or to add to an existing hierarchy. Filter drivers are used to limit access to nodes in the new name space or new portion of the name space. Access to nodes can be limited (read-only access instead of read/write) or nodes can be hidden altogether. Rules may be specified in a declarative language such as XML.
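The abstract's sequence (declarative XML rules applied in order to build a restricted view of a global name space) can be sketched as follows. This is an added example, not code from the patent: the XML element and attribute names, the node paths and the function names are assumptions, and the filter drivers are modelled as a per-node access value.

```python
import xml.etree.ElementTree as ET

# Constructed global hierarchy: every node path in the system name space.
GLOBAL_NODES = {
    "/", "/bin", "/bin/sh", "/bin/debugger", "/etc", "/etc/passwd",
    "/home", "/home/app", "/home/app/data.db", "/home/other", "/home/other/notes",
}

# Constructed rule set in a hypothetical schema (tag and attribute names are assumptions).
RULES_XML = """
<rules>
  <expose node="/bin" access="read-only"/>
  <expose node="/home/app" access="read-write"/>
  <hide node="/bin/debugger"/>
  <restrict node="/home/app/data.db" access="read-only"/>
</rules>
"""
ACCESS_LEVELS = {"read-only", "read-write"}

def subtree(root, nodes):
    """Return root and every descendant of root that is present in nodes."""
    prefix = root.rstrip("/") + "/"
    return {n for n in nodes if n == root or n.startswith(prefix)}

def build_view(rules_xml, global_nodes):
    """Apply the rules in document order; return {visible path: access}."""
    view = {}  # starts empty: a node no rule exposes is not in the view
    for rule in ET.fromstring(rules_xml):
        node, access = rule.get("node"), rule.get("access")
        if rule.tag in ("expose", "restrict") and access not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level in rule for {node}")
        if rule.tag == "expose":        # link a global subtree into the view
            for n in subtree(node, global_nodes):
                view[n] = access
        elif rule.tag == "hide":        # drop nodes from the view altogether
            for n in subtree(node, view):
                del view[n]
        elif rule.tag == "restrict":    # change capability of nodes already visible
            for n in subtree(node, view):
                view[n] = access
        else:
            raise ValueError(f"unknown rule type: {rule.tag}")  # fail closed
    return view

def check_access(view, path, want_write=False):
    """Decide a request made from inside the isolated environment."""
    access = view.get(path)
    if access is None:                  # hidden or never exposed
        return False
    return access == "read-write" or not want_write
```

Because the rules run in sequence, reordering them changes the result: placing the `hide` rule before the `expose` rule for `/bin` would leave `/bin/debugger` visible.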
20 Claims
1. A system for restricting access to resources comprising:
- an operating system module adapted to serve a system space and an isolated environment within the system environment, the system environment associated with a set of resources represented by a plurality of nodes of a global hierarchy, the isolated environment associated with a view of the set of resources, wherein the operating system module is adapted to generate the view by creating a constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, the subset representing resources accessible to the isolated environment;
- a rules engine adapted to receive and evaluate a set of rules governing access capabilities for the resources accessible to the isolated environment.
10. A method of providing a view of a global name space to an entity executing in an isolated environment comprising:
- generating the isolated environment within a system environment via an operating system image, the operating system image serving the isolated environment and the system environment, the system environment associated with a global hierarchy and the isolated environment associated with a view of the global hierarchy, the view providing an entity executing in the isolated environment access to only a subset of the global hierarchy; and
- generating the view by applying a set of rules to a node of an isolated environment-specific hierarchy, the set of rules enabling access to the node, prohibiting access to the node or changing an access capability of the node, the node representing a resource.
17. A computer-readable medium comprising computer-executable instructions for:
- restricting a set of resources available to a process, group of processes, application or group of applications running in a silo by creating a silo hierarchy accessed by the process, the group of processes, the application or the group of applications by applying a set of rules to a node of the silo hierarchy, the node comprising a link to a node of the global hierarchy, the isolated environment-specific hierarchy providing sole access to the node in the global hierarchy via a link from a node in the isolated environment-specific hierarchy to the node in the physical hierarchy.
Specification