Use of rules engine to build namespaces

US 8,312,459 B2
Filed: 12/12/2005
Issued: 11/13/2012
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A system for restricting access to resources comprising:

a computing device comprising a processor;

a memory in communication with the processor when the system is operational, said memory having stored therein;

computer-readable instructions that upon execution by the processor cause an operating system module to serve a system environment and an isolated environment within the system environment, the system environment associated with a set of resources represented by a plurality of nodes of a global hierarchy, the isolated environment associated with a view of the set of resources wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy such that the view may comprise nodes from the global hierarchy in a dependency relationship that is different from the dependency relationship of the global hierarchy, the hierarchical arrangement of the view comprising a node not found in the global hierarchy;

upon execution by the processor, the operating system module causing the generation of the view by creating a constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, the subset representing resources accessible to the isolated environment; and

computer-readable instructions that upon execution cause a rules engine to receive and evaluate a set of declarative rules that when applied change the access capabilities for the resources accessible to the isolated environment represented by the view creating the constrained-space-specific hierarchy, wherein the rules engine evaluates the set of rules during construction of the constrained-space-specific hierarchy and associates directives representing the set of rules with nodes in the constrained-space-specific hierarchy, and wherein the constrained-space-specific hierarchy generated by application of the set of rules during construction of the constrained-space-specific hierarchy restricts a set of resources available to at least one process executing in the isolated environment by evaluating the directives during processing and enabling or denying access to a node in the constrained-space-specific hierarchy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system environment is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies. A set of declarative rules specifying access capabilities may specify a set of filter drivers to be used to limit access to nodes in the hierarchical name space. The rules may be applied in sequence to construct a new name space from an existing one, or to add to an existing hierarchy. Filter drivers are used to limit access to nodes in the new name space or new portion of the name space. Access to nodes can be limited (read-only access instead of read/write) or nodes can be hidden altogether. Rules may be specified in a declarative language such as XML.

Citations

16 Claims

1. A system for restricting access to resources comprising:
- a computing device comprising a processor;
  
  a memory in communication with the processor when the system is operational, said memory having stored therein;
  
  computer-readable instructions that upon execution by the processor cause an operating system module to serve a system environment and an isolated environment within the system environment, the system environment associated with a set of resources represented by a plurality of nodes of a global hierarchy, the isolated environment associated with a view of the set of resources wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy such that the view may comprise nodes from the global hierarchy in a dependency relationship that is different from the dependency relationship of the global hierarchy, the hierarchical arrangement of the view comprising a node not found in the global hierarchy;
  
  upon execution by the processor, the operating system module causing the generation of the view by creating a constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, the subset representing resources accessible to the isolated environment; and
  
  computer-readable instructions that upon execution cause a rules engine to receive and evaluate a set of declarative rules that when applied change the access capabilities for the resources accessible to the isolated environment represented by the view creating the constrained-space-specific hierarchy, wherein the rules engine evaluates the set of rules during construction of the constrained-space-specific hierarchy and associates directives representing the set of rules with nodes in the constrained-space-specific hierarchy, and wherein the constrained-space-specific hierarchy generated by application of the set of rules during construction of the constrained-space-specific hierarchy restricts a set of resources available to at least one process executing in the isolated environment by evaluating the directives during processing and enabling or denying access to a node in the constrained-space-specific hierarchy.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the global hierarchy represents a global object manager name space for the system environment or a global registry for the system environment or a global file system for the system environment and wherein the constrained-space-specific hierarchy represents a view representing a subset of the system object manager name space, or a subset of the global registry name space or a subset of the global file system name space for the isolated environment.
  - 3. The system of claim 1, wherein the resources accessible to the isolated environment are accessible to an entity, wherein the entity comprises a process, group of processes, program, group of programs, application or group of applications.
  - 4. The system of claim 1, wherein the set of rules permit access to a node of the isolated environment-specific hierarchy or deny access to the node or change access capabilities of the node.
  - 5. The system of claim 1, wherein the isolated environment is a silo.
  - 6. The system of claim 1, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments within the system environment.
  - 7. The system of claim 1, wherein the isolated environment includes at least one level of nested isolated environments.

8. A method for restricting access to resources, comprising:
- serving, by an operating system module, a system environment and an isolated environment within the system environment, the system environment associated with a set of resources represented by a plurality of nodes of a global hierarchy, the isolated environment associated with a view of the set of resources wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy such that the view may comprise nodes from the global hierarchy in a dependency relationship that is different from the dependency relationship of the global hierarchy, the hierarchical arrangement of the view comprising a node not found in the global hierarchy;
  
  causing, by the operating system module, the generation of the view by creating a constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, the subset representing resources accessible to the isolated environment; and
  
  receiving and evaluating, by a rules engine, a set of declarative rules that when applied change the access capabilities for the resources accessible to the isolated environment represented by the view creating the constrained-space-specific hierarchy, wherein the rules engine evaluates the set of rules during construction of the constrained-space-specific hierarchy and associates directives representing the set of rules with nodes in the constrained-space-specific hierarchy, and wherein the constrained-space-specific hierarchy generated by application of the set of rules during construction of the constrained-space-specific hierarchy restricts a set of resources available to at least one process executing in the isolated environment by evaluating the directives during processing and enabling or denying access to a node in the constrained-space-specific hierarchy.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein receiving and evaluating the set of rules comprises:
    - receiving an access request to the node in the isolated environment-specific hierarchy;
      
      evaluating the set of rules dynamically during processing associated with the node to determine if access to the node is allowed;
      
      rewriting the access capability of the node; and
      
      returning a handle to the node, the handle comprising the rewritten access capability of the node.
  - 10. The method of claim 9, further comprising:
    - changing a name by which the node is referenced to reference a node in the global hierarchy.
  - 11. The method of claim 8, wherein the isolated environment is a silo.
  - 12. The method of claim 8, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments.
  - 13. The method of claim 8, wherein the resources accessible to the isolated environment are accessible to an entity, wherein the entity comprises a process, a group of processes, an application or a group of applications.

14. A computer-readable storage medium comprising computer-executable instructions that upon execution by a computing device cause operations comprising:
- serving, by an operating system module, a system environment and an isolated environment within the system environment, the system environment associated with a set of resources represented by a plurality of nodes of a global hierarchy, the isolated environment associated with a view of the set of resources wherein the view comprises a hierarchical arrangement distinct from an arrangement of the global hierarchy such that the view may comprise nodes from the global hierarchy in a dependency relationship that is different from the dependency relationship of the global hierarchy, the hierarchical arrangement of the view comprising a node not found in the global hierarchy;
  
  causing, by the operating system module, the generation of the view by creating a constrained-space-specific hierarchy comprising a subset of the plurality of nodes of the global hierarchy, the subset representing resources accessible to the isolated environment; and
  
  receiving and evaluating, by a rules engine, a set of declarative rules that when applied change the access capabilities for the resources accessible to the isolated environment represented by the view creating the constrained-space-specific hierarchy, wherein the rules engine evaluates the set of rules during construction of the constrained-space-specific hierarchy and associates directives representing the set of rules with nodes in the constrained-space-specific hierarchy, and wherein the global hierarchy represents a global object manager name space for the system environment or a global registry for the system environment or a global file system for the system environment and wherein the constrained-space-specific hierarchy represents a view representing a subset of the system object manager name space, or a subset of the global registry name space or a subset of the global file system name space for the isolated environment.
- View Dependent Claims (15, 16)
- - 15. The computer-readable medium of claim 14, wherein evaluating the set declarative rules comprises:
    - permitting access to the node of the global hierarchy, deny access to the node of the global hierarchy or changing an access capability associated with the node of the global hierarchy.
  - 16. The computer-readable medium of claim 14, further comprising computer-executable instructions that upon execution by the computing device, cause operations comprising:
    - generating a registry, a file system or an object manager name space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Smith, Frederick J., Havens, Jeff L., Talluri, Madhusudhan, Khalidi, Yousef A.
Primary Examiner(s)
An, Meng
Assistant Examiner(s)
KUMABE, BLAKE K

Application Number

US11/301,071
Publication Number

US 20070134069A1
Time in Patent Office

2,528 Days
Field of Search

718/104
US Class Current

718/104
CPC Class Codes

G06F 9/5072 Grid computing

Use of rules engine to build namespaces

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Use of rules engine to build namespaces

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links