Building alternative views of name spaces

US 7,996,841 B2
Filed: 12/12/2005
Issued: 08/09/2011
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A system for restricting access to resources comprising:

a computer device comprising a processor;

a memory in communication with the processor when the system is operational;

computer instructions stored in the memory that upon execution by the computing device cause an operating system module to serve a system environment,the system environment associated with a global hierarchy comprising a plurality of nodes representing resources;

the operating system creating an isolated environment within the system environment by controlling a view of the global hierarchy, the view constraining access of an entity executing in the isolated environment to a subset of the resources and;

computer instruction stored in the memory that upon execution cause the operating system module to generate the view by creating a constrained-space-specific hierarchy in volatile storage only, the constrained-space-specific hierarchy not persisted to non-volatile storage and wherein the entity'"'"'s sole access to the subset of the resources is via the constrained-space-specific hierarchy, the constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy,wherein the global hierarchy represents a system object manager name space for the system environment,wherein the constrained-space-specific hierarchy represents a subset of the system object manager name space for the isolated environment,wherein at least one node in the constrained-space-specific hierarchy represents a link to a system object,wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy, such that the nodes of the distinct hierarchical arrangement have a subset nodes of the global hierarchy that are not dependant on one another.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces by creating a new branch of an existing global system name space or by linking the sub-root level nodes of a new hierarchy to a subset of nodes in an existing global system name space.

32 Citations

View as Search Results

19 Claims

1. A system for restricting access to resources comprising:
- a computer device comprising a processor;
  
  a memory in communication with the processor when the system is operational;
  
  computer instructions stored in the memory that upon execution by the computing device cause an operating system module to serve a system environment,the system environment associated with a global hierarchy comprising a plurality of nodes representing resources;
  
  the operating system creating an isolated environment within the system environment by controlling a view of the global hierarchy, the view constraining access of an entity executing in the isolated environment to a subset of the resources and;
  
  computer instruction stored in the memory that upon execution cause the operating system module to generate the view by creating a constrained-space-specific hierarchy in volatile storage only, the constrained-space-specific hierarchy not persisted to non-volatile storage and wherein the entity'"'"'s sole access to the subset of the resources is via the constrained-space-specific hierarchy, the constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy,wherein the global hierarchy represents a system object manager name space for the system environment,wherein the constrained-space-specific hierarchy represents a subset of the system object manager name space for the isolated environment,wherein at least one node in the constrained-space-specific hierarchy represents a link to a system object,wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy, such that the nodes of the distinct hierarchical arrangement have a subset nodes of the global hierarchy that are not dependant on one another.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the entity comprises a process, group of processes, program, group of programs, application or group of applications.
  - 3. The system of claim 1, wherein the isolated environment-specific hierarchy includes at least one node comprising a pointer to a resource.
  - 4. The system of claim 1, wherein the isolated environment comprises at least one process executing in the isolated environment and wherein the constrained-space-specific hierarchy is a default hierarchy for the at least one process.
  - 5. The system of claim 4, wherein the isolated environment-specific hierarchy restricts a set of resources available to the at least one process by restricting to a subset of the global physical hierarchy the view of the global physical hierarchy presented to the at least one process.
  - 6. The system of claim 1, wherein the isolated environment is a silo.
  - 7. The system of claim 1, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments within the system environment.
  - 8. The system of claim 1, wherein the isolated environment includes at least one level of nested isolated environments.

9. A method of providing a view of a global name space to an entity executing in an isolated environment comprising:
- generating on a computer system the isolated environment within a system environment via an operating system image, the operating system image serving the isolated environment and the system environment, the system environment associated with a global hierarchy in non-volatile storage and the isolated environment instantiated by a view of the global hierarchy in volatile storage; and
  
  generating on the computer system the view by creating a constrained-space-specific hierarchy that provides the entity access to only a subset of the global hierarchy, the isolated environment-specific hierarchy stored only in volatile storage,.wherein the global hierarchy represents a system object manager name space for the system environment,wherein the constrained-space-specific hierarchy represents a subset of the system object manager name space for the isolated environment,wherein at least one node in the constrained-space-specific hierarchy represents a link to a system object,wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy, such that the nodes of the distinct hierarchical arrangement have a subset nodes of the global hierarchy that are not dependant on one another.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprising generating the constrained-space-specific hierarchy by:
    - creating an isolated environment-specific branch of the global hierarchy, wherein creating the branch comprises;
      
      creating a root node for the isolated environment-specific hierarchy;
      
      creating at least one level of nodes depending from the root node, wherein at least one node of at least one of the levels of nodes comprises a leaf node;
      
      creating a symbolic link from the at least one leaf node to a node in the global hierarchy.
  - 11. The method of claim 9, wherein the isolated environment is a silo.
  - 12. The method of claim 9, further comprising nesting a child isolated environment within the isolated environment.
  - 13. The method of claim 10, wherein the global hierarchy is a registry for the system environment and the isolated environment-specific hierarchy is a constrained-space specific registry for the entity executing in the isolated environment.
  - 14. The method of claim 9, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments.
  - 15. The method of claim 9, wherein the entity comprises a process, a group of processes, an application or a group of applications.

16. A computer-readable storage medium comprising computer-executable instructions that upon execution on a computing device cause:
- restricting a set of resources available to a process, group of processes, application or group of applications running in a silo by creating a silo hierarchy accessed by the process, the group of processes, the application or the group of applications, the silo hierarchy comprising a plurality of nodes at least one of which comprises a link to a global physical hierarchy comprising a plurality of physical nodes; and
  
  by use of the silo hierarchy, providing sole access to a node in the global physical hierarchy via a link from a node in the silo hierarchy to the node in the physical hierarchy,wherein the global hierarchy represents a system object manager name space for the system environment,wherein the silo hierarchy represents a subset of the system object manager name space for the isolated environment,wherein the silo hierarchical arrangement is distinct from an arrangement of the global hierarchy, such that the nodes of the distinct hierarchical arrangement have a subset nodes of the global hierarchy that are not dependant on one another.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-readable medium of claim 16, comprising further computer-readable instructions for:
    - storing the silo hierarchy only in volatile storage and not in non-volatile storage.
  - 18. The computer-readable medium of claim 16, wherein the computer-executable instructions comprise a portion of an operating system that serves the silo and a plurality of system processes external to the silo.
  - 19. The computer-readable medium of claim 16, wherein the computer-executable instructions generate a registry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Talluri, Madhusudhan, Smith, Frederick J., Havens, Jeff L., Khalidi, Yousef A.
Primary Examiner(s)
Bullock, Jr.; Lewis A
Assistant Examiner(s)
KUMABE, BLAKE K

Application Number

US11/301,065
Publication Number

US 20070134070A1
Time in Patent Office

2,066 Days
Field of Search

718/104
US Class Current

718/104
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6281   at program execution time, ...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 49/90   Buffering arrangements

Building alternative views of name spaces

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Building alternative views of name spaces

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links