Configurable access control security for virtualization
First Claim
1. A system to provide security for a computer, comprising:
- one or more containers configured to contain one or more virtual machines;
a plurality of virtual machine images;
a configurable security policy that controls access to the one or more containers and controls system resources available to the one or more containers;
a loader that loads a first virtual machine image into a first container based on the access granted by the configurable security policy; and
a user interface configured to receive security configuration information, wherein the configurable security policy is configurable based on the security configuration information.
1 Assignment
0 Petitions
Accused Products
Abstract
Provided are systems and methods for applying access controls to separate and contain virtual machines in a flexible, configurable manner. Access can be granted or removed to a variety of system resources—including network cards, shared folders, and external devices. Operations, such as cut and paste, between the virtual machines can be restricted or allowed. Virtual machines are run in containers. This allows more than one virtual machine to share the same access profile. Containers can be configured to allow a user to instantiate a virtual machine at run time. This allows the user to dynamically define which virtual machines run in various containers. An administrator determines which containers (if any) allow dynamic instantiation, and specifies the list of virtual machines the user can choose from. A container, and/or virtual machines within the container, can be restricted to particular users.
121 Citations
25 Claims
-
1. A system to provide security for a computer, comprising:
-
one or more containers configured to contain one or more virtual machines; a plurality of virtual machine images; a configurable security policy that controls access to the one or more containers and controls system resources available to the one or more containers; a loader that loads a first virtual machine image into a first container based on the access granted by the configurable security policy; and a user interface configured to receive security configuration information, wherein the configurable security policy is configurable based on the security configuration information. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A computer-implemented method to provide security for a computer, comprising:
-
receiving security-configuration information via a user interface, wherein the security-configuration information defines one or more containers and a plurality of system resources, and wherein the one or more containers are configured to include one or more virtual machines; controlling, with a security policy, which system resources that each container is entitled to access, wherein the security policy is configurable based on the security-configuration information; and loading a first virtual machine image into a first container based on access granted to the first container by the security policy. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
-
-
23. A computer-implemented method for configuring mandatory access control (MAC) security, comprising:
-
(a) receiving security-configuration information that defines a security profile for one or more containers and a plurality of system resources, wherein the one or more containers are configured to include one or more virtual machines; and (b) implementing a MAC security policy based on the security-configuration information. - View Dependent Claims (24, 25)
-
Specification