Use of rules engine to build namespaces

US 20070134069A1
Filed: 12/12/2005
Published: 06/14/2007
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A system for restricting access to resources comprising:

an operating system module adapted to serve a system space and an isolated environment within the system environment, the system environment associated with a set of resources represented by a plurality of nodes of a global hierarchy, the isolated environment associated with a view of the set of resources, wherein the operating system module is adapted to generate the view by creating a constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, the subset representing resources accessible to the isolated environment;

a rules engine adapted to receive and evaluate a set of rules governing access capabilities for the resources accessible to the isolated environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system environment is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies. A set of declarative rules specifying access capabilities may specify a set of filter drivers to be used to limit access to nodes in the hierarchical name space. The rules may be applied in sequence to construct a new name space from an existing one, or to add to an existing hierarchy. Filter drivers are used to limit access to nodes in the new name space or new portion of the name space. Access to nodes can be limited (read-only access instead of read/write) or nodes can be hidden altogether. Rules may be specified in a declarative language such as XML.

Citations

20 Claims

1. A system for restricting access to resources comprising:
- an operating system module adapted to serve a system space and an isolated environment within the system environment, the system environment associated with a set of resources represented by a plurality of nodes of a global hierarchy, the isolated environment associated with a view of the set of resources, wherein the operating system module is adapted to generate the view by creating a constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, the subset representing resources accessible to the isolated environment;
  
  a rules engine adapted to receive and evaluate a set of rules governing access capabilities for the resources accessible to the isolated environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the global hierarchy represents a global object manager name space for the system environment or a global registry for the system environment or a global file system for the system environment and wherein the isolated environment-specific hierarchy represents a view representing a subset of the system object manager name space, or a subset of the global registry name space or a subset of the global file system name space for the isolated environment.
  - 3. The system of claim 1, wherein the entity comprises a process, group of processes, program, group of programs, application or group of applications.
  - 4. The system of claim 1, wherein the set of rules permit access to a node of the isolated environment-specific hierarchy or deny access to the node or change access capabilities of the node.
  - 5. The system of claim 1, wherein the isolated environment is a silo.
  - 6. The system of claim 1, wherein the rules engine evaluates the set of rules during construction of the constrained-space-specific hierarchy and associates directives representing the set of rules with nodes in the constrained-space-specific hierarchy.
  - 7. The system of claim 1, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments within the system environment.
  - 8. The system of claim 1, wherein the isolated environment includes at least one level of nested isolated environments.
  - 9. The system of claim 6, wherein the constrained-space-specific hierarchy generated by application of the set of rules during construction of the constrained-space-specific hierarchy restricts a set of resources available to at least one process executing in the isolated environment by evaluating the directives during processing and enabling or denying access to a node in the constrained-space-specific hierarchy.

10. A method of providing a view of a global name space to an entity executing in an isolated environment comprising:
- generating the isolated environment within a system environment via an operating system image, the operating system image serving the isolated environment and the system environment, the system environment associated with a global hierarchy and the isolated environment associated with a view of the global hierarchy, the view providing an entity executing in the isolated environment access to only a subset of the global hierarchy; and
  
  generating the view by applying a set of rules to a node of an isolated environment-specific hierarchy, the set of rules enabling access to the node, prohibiting access to the node or changing an access capability of the node, the node representing a resource.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein applying the set of rules comprises:
    - receiving an access request to the node in the isolated environment-specific hierarchy;
      
      evaluating the set of rules dynamically during processing associated with the node to determine if access to the node is allowed;
      
      rewriting the access capability of the node; and
      
      returning a handle to the node, the handle comprising the rewritten access capability of the node.
  - 12. The method of claim 11, further comprising:
    - evaluating a name by which the node is referenced relative to the isolated environment-specific hierarchy.
  - 13. The method of claim 11, further comprising changing a name by which the node is referenced to reference a node in the global hierarchy.
  - 14. The method of claim 10, wherein the isolated environment is a silo.
  - 15. The method of claim 10, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments.
  - 16. The method of claim 10, wherein the entity comprises a process, a group of processes, an application or a group of applications.

17. A computer-readable medium comprising computer-executable instructions for:
- restricting a set of resources available to a process, group of processes, application or group of applications running in a silo by creating a silo hierarchy accessed by the process, the group of processes, the application or the group of applications by applying a set of rules to a node of the silo hierarchy, the node comprising a link to a node of the global hierarchy the isolated environment-specific hierarchy providing sole access to the node in the global hierarchy via a link from a node in the isolated environment-specific hierarchy to the node in the physical hierarchy.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, comprising further computer-readable instructions for:
    - evaluating the set of rules.
  - 19. The computer-readable medium of claim 18, wherein the computer-executable instructions for evaluating the set or rules permit access to the node of the global hierarchy, deny access to the node of the global hierarchy or change an access capability associated with the node of the global hierarchy.
  - 20. The computer-readable medium of claim 17, wherein the computer-executable instructions generate a registry, a file system or an object manager name space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Talluri, Madhusudhan, Smith, Frederick, Khalidi, Yousef, Havens, Jeff

Granted Patent

US 8,312,459 B2
Time in Patent Office

Days
Field of Search
US Class Current

406/39
CPC Class Codes

G06F 9/5072 Grid computing

Use of rules engine to build namespaces

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Use of rules engine to build namespaces

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links