Using virtual hierarchies to build alternative namespaces

US 20070136723A1
Filed: 12/12/2005
Published: 06/14/2007
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A system for restricting access to resources comprising:

an operating system module adapted to serve a system environment, the system environment associated with a global physical hierarchy comprising a plurality of nodes representing resources and an isolated environment within the system environment associated with a view of the global physical hierarchy, the view constraining access of an entity executing in the isolated environment to a subset of the resources, the operating system module adapted to generating the view by creation of a virtual hierarchy in volatile storage only, the virtual hierarchy not persisted to non-volatile storage and wherein the entity'"'"'s sole access to the subset of the resources is via the virtual hierarchy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested isolated environments enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies.

61 Citations

View as Search Results

20 Claims

1. A system for restricting access to resources comprising:
- an operating system module adapted to serve a system environment, the system environment associated with a global physical hierarchy comprising a plurality of nodes representing resources and an isolated environment within the system environment associated with a view of the global physical hierarchy, the view constraining access of an entity executing in the isolated environment to a subset of the resources, the operating system module adapted to generating the view by creation of a virtual hierarchy in volatile storage only, the virtual hierarchy not persisted to non-volatile storage and wherein the entity'"'"'s sole access to the subset of the resources is via the virtual hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the global physical hierarchy represents a global file system directory and wherein the virtual hierarchy represents a subset of the global file system directory for the isolated environment, each node in the global file system directory representing a sub-directory or a file.
  - 3. The system of claim 1, wherein the entity comprises a process, group of processes, program, group of programs, application or group of applications.
  - 4. The system of claim 1, wherein the virtual hierarchy comprises a plurality of virtual nodes wherein at least one virtual node of the plurality of virtual nodes comprises a link to a physical node of the global physical hierarchy.
  - 5. The system of claim 1, wherein the isolated environment comprises at least one process executing in the isolated environment and wherein the virtual hierarchy is a default hierarchy for the at least one process.
  - 6. The system of claim 1, wherein the isolated environment is a silo.
  - 7. The system of claim 1, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments within the system environment.
  - 8. The system of claim 1, wherein the isolated environment includes at least one level of nested isolated environments.
  - 9. The system of claim 5, wherein the virtual hierarchy restricts a set of resources available to the at least one process by restricting to a subset of the global physical hierarchy the view of the global physical hierarchy presented to the at least one process.

10. A method of providing a view of a global name space to an entity executing in an isolated environment comprising:
- generating the isolated environment within a system environment via an operating system image, the operating system image serving the isolated environment and the system environment, the system environment associated with a global physical hierarchy on non-volatile storage and the isolated environment associated with a view of the global physical hierarchy; and
  
  generating the view by creating a virtual hierarchy that provides the entity access to only a subset of the global physical hierarchy, the virtual hierarchy stored only in volatile storage.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising generating the virtual hierarchy by creating a virtual root node for the virtual hierarchy;
    - creating at least one level of nodes depending from the virtual root, wherein at least one node of at least one of the levels of nodes comprises a leaf node;
      
      creating a link from the at least one leaf node to a node in the global physical directory.
  - 12. The method of claim 10, wherein the isolated environment is a silo.
  - 13. The method of claim 10, further comprising nesting a child isolated environment within the isolated environment.
  - 14. The method of claim 10, wherein the global physical hierarchy is a file system directory for the system environment and the virtual hierarchy is a virtual file system directory for the entity executing in the isolated environment.
  - 15. The method of claim 10, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments.
  - 16. The method of claim 10, wherein the entity comprises a process, a group of processes, an application or a group of applications.

17. A computer-readable medium comprising computer-executable instructions for:
- restricting a set of resources available to a process, group of processes, application or group of applications running in a silo by creating a virtual hierarchy accessed by the process, the group of processes, the application or the group of applications, the virtual hierarchy comprising a plurality of virtual nodes at least one of which comprises a link to a physical hierarchy comprising a plurality of physical nodes, the virtual hierarchy providing sole access to a node in the physical hierarchy via a link from a node in the virtual hierarchy to the node in the physical hierarchy.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, comprising further computer-readable instructions for:
    - storing the virtual hierarchy only in volatile storage and not in non-volatile storage.
  - 19. The computer-readable medium of claim 17, wherein the computer-executable instructions comprise a portion of an operating system that serves the silo and a plurality of system processes external to the silo.
  - 20. The computer-readable medium of claim 17, wherein the computer-executable instructions comprise a portion of a silo file system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Talluri, Madhusudhan, Smith, Frederick, Khalidi, Yousef, Havens, Jeff

Granted Patent

US 8,539,481 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45566   Nested virtual machines

G06F 21/6281   at program execution time, ...

G06F 9/45558   Hypervisor-specific managem...

Using virtual hierarchies to build alternative namespaces

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using virtual hierarchies to build alternative namespaces

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links