Method and system for implementing mandatory file access control in native discretionary access control environments
Abstract
A method is provided for implementing a mandatory access control model in operating systems which natively use a discretionary access control scheme. A method for implementing mandatory access control in a system comprising a plurality of computers, the system comprising a plurality of information assets, stored as files on the plurality of computers, and a network communicatively connecting the plurality of computers, wherein each of the plurality of computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of the plurality of computers includes a software agent component operable to perform the steps of intercepting a request for a file operation on a file from a user of one of the plurality of computers including the software agent, determining whether the file is protected, if the file is protected, altering ownership of the file from the user to another owner, and providing access to the file based on a mandatory access control policy.
16 Claims
1. A method for implementing mandatory access control in a system comprising a plurality of computers, the system comprising a plurality of information assets, stored as files on the plurality of computers, and a network communicatively connecting the plurality of computers, wherein each of the plurality of computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of the plurality of computers includes a software agent component operable to perform the steps of:
- intercepting a request for a file operation on a file from a user of one of a plurality of computers including a software agent;
- determining whether the file is protected based on a mandatory access control policy;
- determining whether the file is on storage local to or remote from the computer from which the request for the file operation occurred; and
- providing access to the file based on the mandatory access control policy wherein providing access to the file comprises:
  - if the file is protected and on local storage:
    - altering ownership of the file from the user to another owner;
    - setting an access control list of the file based on the mandatory access control policy; and
  - if the file is protected and on remote storage:
    - setting an access control list of the file to allow another owner to take ownership of the file;
    - reopening the file using permissions of the other owner;
    - setting ownership of the file to the other owner; and
    - setting an access control list of the file based on the mandatory access control policy.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A computer program product embodied on a non-transitory computer readable medium, the computer program product comprising a software agent for implementing a mandatory access control in a system comprising a plurality of computers, wherein each of the plurality of computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of the plurality of computers includes the software agent component, the computer readable medium comprising:
- computer code for intercepting a request for a file operation on a file from a user of one of a plurality of computers including the software agent;
- computer code for determining whether the file is protected based on a mandatory access control policy;
- computer code for determining whether the file is on storage local to or remote from the computer from which the request for the file operation occurred; and
- computer code for providing access to the file based on a mandatory access control policy;
- wherein the computer code is operable such that providing access to the file includes:
  - if the file is protected and on local storage:
    - altering ownership of the file from the user to another owner;
    - setting an access control list of the file based on the mandatory access control policy; and
  - if the file is protected and on remote storage:
    - setting an access control list of the file to allow another owner to take ownership of the file;
    - reopening the file using permissions of the other owner;
    - setting ownership of the file to the other owner; and
    - setting an access control list of the file based on the mandatory access control policy.
16. A system, comprising:
- a processor for executing a software agent component, the software agent component for implementing a mandatory access control in a system comprising a plurality of computers, wherein each of the plurality of computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of the plurality of computers includes the software agent component, the software agent component configuring the processor to:
  - intercept a request for a file operation on a file from a user of one of a plurality of computers including a software agent;
  - determine whether the file is protected based on a mandatory access control policy;
  - determine whether the file is on storage local to or remote from the computer from which the request for the file operation occurred; and
  - provide access to the file based on the mandatory access control policy wherein the act of providing access to the file comprises:
    - if the file is protected and on local storage:
      - altering ownership of the file from the user to another owner; and
      - setting an access control list of the file based on the mandatory access control policy;
    - if the file is protected and on remote storage:
      - setting an access control list of the file to allow another owner to take ownership of the file;
      - reopening the file using permissions of the other owner;
      - setting ownership of the file to the other owner; and
      - setting an access control list of the file based on the mandatory access control policy.
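
The local and remote branches of claim 1 can be modelled in a few lines. This is an added illustrative example, not code from the patent or from any product. It shows why ownership is moved before the policy ACL is applied: under discretionary access control the owner can rewrite the ACL at will. The `File` class, the `mac-agent` account, the `/finance/` policy entry, and the choices that the local agent runs privileged and that the first remote step is made in the requesting user's context are all assumptions of this sketch.

```python
from dataclasses import dataclass, field

AGENT = "mac-agent"  # hypothetical account standing in for the claim's "other owner"
POLICY = {"/finance/": {"alice": {"read"}}}  # constructed MAC policy: prefix -> ACL

@dataclass
class File:
    path: str
    owner: str
    remote: bool = False
    acl: dict = field(default_factory=dict)  # principal -> set of rights

    def set_acl(self, actor, acl):
        # DAC rule: the owner (or a write_dac holder) may rewrite the ACL at will.
        if actor != self.owner and "write_dac" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not change the ACL of {self.path}")
        self.acl = {p: set(r) for p, r in acl.items()}

    def take_ownership(self, actor):
        if "take_ownership" not in self.acl.get(actor, set()):
            raise PermissionError(f"{actor} may not take ownership of {self.path}")
        self.owner = actor

def policy_acl(path):
    """Return the policy ACL if the path is protected, else None."""
    return next((acl for pre, acl in POLICY.items() if path.startswith(pre)), None)

def handle_request(f, user, op):
    """Model of the intercepted file operation; returns True if access is granted."""
    acl = policy_acl(f.path)
    if acl is None:  # unprotected: native DAC decides
        return user == f.owner or op in f.acl.get(user, set())
    if f.owner != AGENT:
        try:
            if f.remote:
                # Remote: no privilege on the server, so act in the user's context
                # to grant take_ownership, then continue as the agent ("reopen").
                f.set_acl(user, {**f.acl, AGENT: {"take_ownership"}})
                f.take_ownership(AGENT)
            else:
                f.owner = AGENT  # local: assumes the agent runs privileged
            f.set_acl(AGENT, acl)
        except PermissionError:
            return False  # fail closed if the file cannot be brought under policy
    return op in f.acl.get(user, set())
```

Once `handle_request` has run on a protected file, the original owner's own `set_acl` call raises `PermissionError`, which is the property a pure DAC system cannot provide while the user still owns the file.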