SELECTIVE FILE ACCESS FOR APPLICATIONS

US 20130067600A1
Filed: 09/09/2011
Published: 03/14/2013
Est. Priority Date: 09/09/2011
Status: Active Grant

First Claim

Patent Images

1. A method in a computing device, comprising:

installing an application in the computing device;

receiving an application manifest associated with the application, the application manifest indicating one or more file types that the application is allowed to access; and

registering the one or more file types in a location accessible by a broker service, the broker service being configured to limit access by the application to files of the registered one or more file types.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products are provided for enabling selective file system access by applications. An application is installed in a computing device. An application manifest associated with the application is received. The application manifest indicates one or more file types that the application is allowed to access. The indicated file type(s) are registered in a location accessible by a broker service. The application is launched as an application process. The application process is isolated in an application container. The application container prevents direct access by the application process to file system data. An access request related to first data of the file system data is received at the broker service from the application process. Access by the application process to the first data is enabled when the broker service determines that a file type of the first data is included in the registered file type(s).

Citations

20 Claims

1. A method in a computing device, comprising:
- installing an application in the computing device;
  
  receiving an application manifest associated with the application, the application manifest indicating one or more file types that the application is allowed to access; and
  
  registering the one or more file types in a location accessible by a broker service, the broker service being configured to limit access by the application to files of the registered one or more file types.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - launching the application as an application process;
      
      loading the application process into an application container, the application container denying direct access by the application process to file system data;
      
      receiving an access request related to first data of the file system data at the broker service from the application process; and
      
      enabling access by the application process to the first data when the broker service determines that a file type of the first data is included in the registered one or more file types.
  - 3. The method of claim 2, wherein the one or more file types include one or more file extensions, file kinds, or other file attributes or metadata, wherein said registering comprises:
    - storing an indication of the one or more file extensions, file kinds, or other file attributes or metadata indicated in the application manifest for the application in a secure location accessible by the broker service and not accessible by the application process.
  - 4. The method of claim 3, wherein said loading the application process into an application container comprises:
    - generating a token for the application process that includes an identifier for the application container, the token being unmodifiable by the application process.
  - 5. The method of claim 4, wherein said receiving an access request comprises:
    - receiving at the broker service the token and an indication of the first data requested in the access request.
  - 6. The method of claim 5, wherein said enabling access by the application process comprises:
    - determining, by the broker service, a file type of the first data based on the indication of the first data requested in the access request;
      
      accessing, by the broker service, the registered one or more file types for the application in the secure location;
      
      determining, by the broker service, whether the file type of the first data is included in the registered one or more file types; and
      
      enabling, by the broker service, the application process to access the first data when the file type of the first data is determined to be included in the registered one or more file types.
  - 7. The method of claim 6, wherein said enabling access by the application process comprises:
    - denying, by the broker service, access by the application process to the first data when the file type of the first data is determined to not be included in the registered one or more file type.
  - 8. The method of claim 7, wherein said denying comprises:
    - denying access by the application process to read a file of the first data, to read contents of a folder of the first data, to write to at least one of a file or folder of the first data, to rename a file or folder of the first data, to move a file or folder of the first data, or to copy over a file or folder of the first data.

9. A method in a broker service operating in a computing device, comprising:
- receiving an access request related to first data of a file system containing data from an application process, the application process being a launched version of an application, the application process residing in an application container that prevents direct access by the application process to the file system; and
  
  enabling access by the application process to the first data when the broker service determines that a file type of the first data is included in one or more file types registered for the application as file types that the application is allowed to access.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, wherein the one or more file types include one or more file extensions, file kinds, or other file attributes or metadata, wherein said enabling comprises:
    - accessing the registered one or more file extensions, file kinds, or other file attributes or metadata in a secure location accessible by the broker service and not accessible by the application process.
  - 11. The method of claim 10, wherein said receiving an access request comprises:
    - receiving a token for the application process that includes an identifier for the application container and an indication of the first data requested in the access request.
  - 12. The method of claim 11, wherein said enabling access by the application process comprises:
    - determining a file type of the first data based on the indication of the first data requested in the access request;
      
      accessing the registered one or more file types for the application in the secure location;
      
      determining whether the file type of the first data is included in the registered one or more file types; and
      
      enabling the application process to access the first data when the file type of the first data is determined to be included in the registered one or more file types.
  - 13. The method of claim 12, wherein said enabling access by the application process further comprises:
    - denying access by the application process to the first data when the file type of the first data is determined to not be included in the registered one or more file type.
  - 14. The method of claim 13, wherein said denying comprises:
    - denying access by the application process to read a file of the first data, to read contents of a folder of the first data, to write to at least one of a file or folder of the first data, to rename a file or folder of the first data, to move a file or folder of the first data, or to copy over a file or folder of the first data.

15. A computing device, comprising:
- storage that stores an application installed in the computing device and an application manifest associated with the application, the application manifest indicating one or more file types that the application is allowed to access; and
  
  a processing logic that includes a broker service and registers the one or more file types indicated by the application manifest in a location accessible by the broker service, the broker service being configured to limit access by the application to files of the registered one or more file types.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing device of claim 15, wherein the processing logic initiates an application process when the application is launched, and loads the application process into an application container, the application container denying direct access by the application process to file system data;
    - the broker service receiving an access request for first data of the file system data from the application process; and
      
      the processing logic enabling access by the application process to the first data when the broker service determines that a file type of the first data is included in the registered one or more file types.
  - 17. The computing device of claim 16, wherein the one or more file types include one or more file extensions, file kinds, or other file attributes or metadata, wherein the processing logic stores an indication of the one or more file extensions, file kinds, or other file attributes indicated in the application manifest for the application in a secure location accessible by the broker service and not accessible by the application process.
  - 18. The method of claim 17, wherein the processing logic generates a token for the application process that includes an identifier for the application container, the token being unmodifiable by the application process.
  - 19. The computing device of claim 18, wherein, in the access request, the broker service receives the token and an indication of the requested first data.
  - 20. The computing device of claim 19, wherein the broker service determines a file type of the first data based on the indication of the first data requested in the access request, accesses the registered one or more file types for the application in the secure location, determines whether the file type of the first data is included in the registered one or more file types, and enables the application process to access the first data when the file type of the first data is determined to be included in the registered one or more file types.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Radhakrishnan, Kavitha, Iskin, Sermet, Blanch, Katrina M., Beam, Tyler Kien, Graham, Scott, Ball, Steven, Hazen, John, Kim, Allen, Quintero, Guillermo Enrique Rueda

Granted Patent

US 9,773,102 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/30
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

SELECTIVE FILE ACCESS FOR APPLICATIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SELECTIVE FILE ACCESS FOR APPLICATIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links