Resource Restriction Systems and Methods

US 20080034208A1
Filed: 08/04/2006
Published: 02/07/2008
Est. Priority Date: 08/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

defining launch restrictions for a user;

receiving an execution call to an operating system for an application launch;

intercepting the execution call above a user level;

determining above the user level if the launch restrictions for the user restrict the application launch; and

canceling the execution call if the launch restrictions for the user restrict the application launch.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related for resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource restriction agent grants or denies the system call based on the access data.

Citations

27 Claims

1. A method, comprising:
- defining launch restrictions for a user;
  
  receiving an execution call to an operating system for an application launch;
  
  intercepting the execution call above a user level;
  
  determining above the user level if the launch restrictions for the user restrict the application launch; and
  
  canceling the execution call if the launch restrictions for the user restrict the application launch.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - defining launch restrictions according to an application path.
  - 3. The method of claim 1, further comprising:
    - defining launch restrictions according to an application hash.
  - 4. The method of claim 1, further comprising:
    - determining if the application related to the application launch is an allowed application; and
      
      if it cannot be determined above the user level if the launch restrictions for the user restrict the application launch, granting the execution call if the application is an allowed application.
  - 5. The method of claim 1, wherein:
    - defining launch restrictions for a user comprises defining launch restrictions for a user at the user level.

6. A system, comprising:
- a data store associating launch restrictions with a user identifier;
  
  a launch restriction extension configured to intercept execution calls to a kernel for an application launch and determine resource request data associated with the execution call, and further configured to provide the resource request data to a user agent and receive launch data in response, and grant or deny the execution call based on the launch data; and
  
  a user agent configured to execute above a user level and access the data store and determine whether an application launch is restricted based on the resource request data provided by the launch restriction agent and generate the launch data based on the determination.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 7. The system of claim 6, wherein:
    - the launch restriction agent is configured to communicate with the user agent by a kernel control socket.
  - 8. The system of claim 7, wherein:
    - the kernel control socket is a root-owned socket.
  - 9. The system of claim 6, wherein:
    - the launch restriction agent is further configured to determine if the launch data is received before an expiration of a time-period, and if the launch data is not received before the expiration of the time period, then grant the execution call if an application associated with the application launch is an allowed application.
  - 10. The system of claim 9, wherein:
    - an allowed application is defined by an application path.
  - 11. The system of claim 6, wherein:
    - the launch restrictions are defined by an application path.
  - 12. The system of claim 6, wherein:
    - the launch restrictions are defined by an application hash.
  - 13. The system of claim 6, wherein:
    - the user agent is an agent that is specific to the user.
  - 14. The system of claim 6, wherein:
    - the resource request data comprises data identifying the execution call.
  - 15. The system of claim 6, further comprising:
    - an authorization program configured to associate launch restrictions with user identifiers based on a user input.

16. A system, comprising:
- a data store associating resource restrictions with a user identifier;
  
  a resource restriction service configured to receive system calls related to resources and directed to an operating system, determine resource request data associated with the system call, and further configured to provide the resource request data to a resource agent and receive access data in response, and grant or deny the system call based on the access data; and
  
  a resource agent configured to execute above a user level and access the data store and determine whether the resource is restricted based on the resource request data provided by the resource restriction agent and generate the access data based on the determination.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein:
    - the resource agent is further configured to provide user identifiers having associated resource restrictions to the resource restriction service; and
      
      the resource restriction service is further configured to provide the resource request data to the resource agent for only the system calls associated with the user identifiers provided by the resource agent.
  - 18. The system of claim 16, wherein:
    - the resource agent is further configured to determine the user identifier.
  - 19. The system of claim 16, wherein:
    - the system call corresponds to an application launch.
  - 20. The system of claim 19, wherein:
    - the system call corresponds to file sharing.
  - 21. The system of claim 16, wherein:
    - the restrictions for the resources are defined by an application path.

22. A system, comprising:
- a data store associating resource restrictions with user identifiers;
  
  a resource restriction service configured to receive system calls related to resources and directed to an operating system, provide resource request data to a resource agent and receive access data in response, and grant or deny the system call based on the access data; and
  
  a resource agent configured to execute above a user level and in response to the resource request data, determine a user identifier associated with an active user and determine whether the user identifier has associated resource restrictions, and upon determining that the user identifier has associated resource restrictions, determine whether the resource is restricted based on the resource request data provided by the resource restriction agent and generate the access data based on the determination.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The system of claim 22, wherein:
    - the resource restriction service is further configured to determine if the access data are received before an expiration of a time period, and if the access data are not received before the expiration of the time period, then grant the system call if the resource associated with the system call is an allowed resource.
  - 24. The system of claim 22, wherein:
    - the system call corresponds to an application launch.
  - 25. The system of claim 22, wherein:
    - the resource request data comprises a user identifier; and
      
      the resource agent is further configured to determine system call identifiers associated with the system calls.
  - 26. The system of claim 22, wherein:
    - the resource request data comprises a system call identifier; and
      
      the resource agent is further configured to determine a user identifier for a user logged on in a user session.
  - 27. The system of claim 22, wherein:
    - the resource request data comprises a system call identifier and a user identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Computer Incorporated (Apple Inc.)
Inventors
Smith, Michael John, Kiehtreiber, Peter, Scalo, John William, Mantere, Jussi-Pekka, Cooper, Simon P., Maluta, Alexander Tony, Tyacke, Eugene Ray, Gaya, Bruce

Granted Patent

US 8,352,733 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/602   Providing cryptographic fac...

G06F 9/5005   to service a request

G06F 9/54   Interprogram communication

H04L 63/104   Grouping of entities

Resource Restriction Systems and Methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Resource Restriction Systems and Methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links