Process restriction within file system hierarchies
First Claim
1. A method for restricting a process or set of processes to a subset of a host computer system's file systems, comprising the steps of:
- providing a host computer system within which multiple processes operate, each process having simultaneous access to multiple, discrete, hierarchically-organized file systems;
- permitting a privileged process, operating on behalf of a specially authorized user, to designate sub-hierarchies within one or more of the available file systems;
- changing the behavior of the host system such that, for each such file system sub-hierarchy assigned to a process, the process is prevented from accessing or even addressing any file system objects outside the assigned sub-hierarchy in the respective file system; and
- changing the behavior of the host system such that, after the assignment of such sub-hierarchies to a process, the restriction is also assigned to and enforced against any further process it subsequently creates.
Abstract
The present invention provides a method and apparatus for restricting a process or process hierarchy to a subset of a computer host's file system(s) in an environment where all file systems are simultaneously available to an application. A caller is provided with the ability to arrange for the restriction of a process hierarchy (consisting of a process and all the processes it may subsequently create) to a set of file system sub-hierarchies. When a process executes within a restriction domain in which a sub-hierarchy has been specified for each of the available file systems, an embodiment of the invention will modify the usual operation of the host computer's operating system interface such that any file system access attempts by the affected process are constrained to occur logically within the restriction domain.
11 Claims
9. A method for restricting a process or set of processes in which the process state is conceptually a list of pairs, each pair consisting of a device and a restriction hierarchy to apply to that device, wherein another component can register to receive notification of such an event, comprising the method steps of:
- calling PsSetCreateProcessNotifyRoutine() to register itself for the notification;
- identifying a first process;
- locating a first set of state data structures associated with the first process;
- allocating memory for a new set of data structures;
- copying the contents of the first set of state data structures to the new set of data structures, wherein the new set of data structures is inserted into the first set of data structures using the new process ID as a key;
- distinguishing the device, further comprising the steps of:
  - identifying each local file system by its own file system device object, as the corresponding object created by the process restriction filter driver is sufficient to distinguish the device; and
  - identifying removable media file systems by assigning a serial number to each device such that, when file system restrictions are imposed against a process, the serial number of each respective file system device is recorded in the process state data structures.
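As an added illustration that is not code from the patent or from any driver implementing it, the following Python model shows the process state of claims 1 and 9 as a per-process list of (device, sub-hierarchy) pairs: a restriction is copied to a child on process creation, and every path the process names is resolved inside its assigned sub-hierarchy so that objects outside it cannot even be addressed. Device labels, POSIX-style path strings and the class and method names are assumptions of this model.

```python
import posixpath
from copy import deepcopy

# Constructed model: per-process restriction state is a list of
# (device, sub-hierarchy root) pairs, keyed by process ID. Device
# labels and POSIX-style path strings are assumptions of this model.
class RestrictionTable:
    def __init__(self):
        self.state = {}  # pid -> [(device, root), ...]

    def restrict(self, pid, device, root):
        # A privileged caller designates a sub-hierarchy on one device.
        self.state.setdefault(pid, []).append((device, posixpath.normpath(root)))

    def on_create_process(self, parent_pid, child_pid):
        # Analogue of the create-process notification: copy the parent's
        # state into a new structure keyed by the child's ID, so the
        # restriction is inherited by every descendant process.
        self.state[child_pid] = deepcopy(self.state.get(parent_pid, []))

    def root_for(self, pid, device):
        # Most recently assigned sub-hierarchy for this device, or None.
        roots = [r for d, r in self.state.get(pid, []) if d == device]
        return roots[-1] if roots else None

    def resolve(self, pid, device, cwd, path):
        # Map a path as the process names it (cwd-relative or absolute)
        # onto the host path it actually reaches. Under a restriction,
        # '/' for the process means the sub-hierarchy root, and normpath
        # drops any '..' that would climb above it, so the result can
        # never name an object outside the assigned tree.
        virtual = posixpath.normpath(posixpath.join('/', cwd, path))
        root = self.root_for(pid, device)
        if root is None or root == '/':
            return virtual
        return root + virtual

    def addressable(self, pid, device, host_path):
        # True if a host path lies inside the sub-hierarchy assigned to
        # the process on that device (always True on unrestricted devices).
        root = self.root_for(pid, device)
        if root is None or root == '/':
            return True
        norm = posixpath.normpath(host_path)
        return norm == root or norm.startswith(root + '/')
```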
Specification