Building alternative views of name spaces
Abstract
A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces by creating a new branch of an existing global system name space or by linking the sub-root level nodes of a new hierarchy to a subset of nodes in an existing global system name space.
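The second construction named in the abstract (sub-root nodes of a new hierarchy linked to a subset of global nodes) can be modelled in a few lines. This is an added illustration, not code from the patent or from any operating system; `Node`, `resolve`, `build_view` and the sample paths are hypothetical names and constructed data.

```python
class Node:
    """One name-space node; `link` makes it a junction to another node."""
    def __init__(self, name, link=None):
        self.name, self.link, self.children = name, link, {}

    def add(self, path):
        """Create (or return) the node at a backslash-separated path."""
        node = self
        for part in filter(None, path.split("\\")):
            node = node.children.setdefault(part, Node(part))
        return node


def resolve(root, path):
    """Walk `path` from `root`, following links; None if not visible."""
    node = root
    for part in filter(None, path.split("\\")):
        if part in (".", ".."):      # no upward traversal out of the view
            return None
        node = node.children.get(part)
        if node is None:
            return None
        if node.link is not None:    # junction into the global hierarchy
            node = node.link
    return node


def build_view(global_root, links):
    """Build a silo root in memory only; each sub-root node links to one global node."""
    view = Node("")
    for silo_name, global_path in links.items():
        target = resolve(global_root, global_path)
        if target is None:
            raise KeyError(global_path)
        view.children[silo_name] = Node(silo_name, link=target)
    return view


# Constructed global name space (sample data, not taken from the patent).
GLOBAL = Node("")
for p in (r"\Device\Disk0", r"\Device\Net0",
          r"\Sessions\1\BaseNamedObjects\Mutex1", r"\Silos\A\Objects\Event1"):
    GLOBAL.add(p)

# Silo view: a different arrangement exposing two unrelated global subtrees.
SILO = build_view(GLOBAL, {"Device": r"\Device",
                           "BaseNamedObjects": r"\Silos\A\Objects"})
```

An entity that resolves names only through `SILO` reaches `Event1` and the device nodes, while `\Sessions\...` has no name in its view at all.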
19 Claims
1. A system for restricting access to resources comprising:
- a computer device comprising a processor;
- a memory in communication with the processor when the system is operational;
- computer instructions stored in the memory that upon execution by the computing device cause an operating system module to serve a system environment, the system environment associated with a global hierarchy comprising a plurality of nodes representing resources;
- the operating system creating an isolated environment within the system environment by controlling a view of the global hierarchy, the view constraining access of an entity executing in the isolated environment to a subset of the resources and;
- computer instruction stored in the memory that upon execution cause the operating system module to generate the view by creating a constrained-space-specific hierarchy in volatile storage only, the constrained-space-specific hierarchy not persisted to non-volatile storage and wherein the entity's sole access to the subset of the resources is via the constrained-space-specific hierarchy, the constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, wherein the global hierarchy represents a system object manager name space for the system environment, wherein the constrained-space-specific hierarchy represents a subset of the system object manager name space for the isolated environment, wherein at least one node in the constrained-space-specific hierarchy represents a link to a system object, wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy, such that the nodes of the distinct hierarchical arrangement have a subset nodes of the global hierarchy that are not dependant on one another.

Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. A method of providing a view of a global name space to an entity executing in an isolated environment comprising:
- generating on a computer system the isolated environment within a system environment via an operating system image, the operating system image serving the isolated environment and the system environment, the system environment associated with a global hierarchy in non-volatile storage and the isolated environment instantiated by a view of the global hierarchy in volatile storage; and
- generating on the computer system the view by creating a constrained-space-specific hierarchy that provides the entity access to only a subset of the global hierarchy, the isolated environment-specific hierarchy stored only in volatile storage, wherein the global hierarchy represents a system object manager name space for the system environment, wherein the constrained-space-specific hierarchy represents a subset of the system object manager name space for the isolated environment, wherein at least one node in the constrained-space-specific hierarchy represents a link to a system object, wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy, such that the nodes of the distinct hierarchical arrangement have a subset nodes of the global hierarchy that are not dependant on one another.

Dependent claims: 10, 11, 12, 13, 14, 15

16. A computer-readable storage medium comprising computer-executable instructions that upon execution on a computing device cause:
- restricting a set of resources available to a process, group of processes, application or group of applications running in a silo by creating a silo hierarchy accessed by the process, the group of processes, the application or the group of applications, the silo hierarchy comprising a plurality of nodes at least one of which comprises a link to a global physical hierarchy comprising a plurality of physical nodes; and
- by use of the silo hierarchy, providing sole access to a node in the global physical hierarchy via a link from a node in the silo hierarchy to the node in the physical hierarchy, wherein the global hierarchy represents a system object manager name space for the system environment, wherein the silo hierarchy represents a subset of the system object manager name space for the isolated environment, wherein the silo hierarchical arrangement is distinct from an arrangement of the global hierarchy, such that the nodes of the distinct hierarchical arrangement have a subset nodes of the global hierarchy that are not dependant on one another.

Dependent claims: 17, 18, 19

Specification