Resource restriction systems and methods

US 8,352,733 B2
Filed: 08/04/2006
Issued: 01/08/2013
Est. Priority Date: 08/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a computer, an execution call to an operating system for launching an application, the execution call being associated with a user;

intercepting, by the computer, the execution call using a resource restriction service associated with an operating system kernel;

determining, by the computer, and using the resource restriction service and a resource agent, if one or more launch restrictions for the user restrict the launching of the application, including;

providing, by the resource restriction service, at least one of a user identifier or a system call identifier to the resource agent, the user identifier being usable to identify the user, the system call identifier being usable to identify the execution call;

when one of the user identifier or the system call identifier is not provided by the resource restriction service, determining, by the resource agent, the identifier that is not provided; and

determining, by the resource agent, whether the one or more launch restrictions for the user restrict the launching of the application based on the user identifier, and the system call identifier, and pre-specified launch restrictions stored in a data store, wherein;

the resource agent executes outside of the operating system kernel and is configured to communicate with the resource restriction service through a kernel control socket, the kernel control socket being a root-owned socket configured to prevent insertion of a user process, the kernel control socket being registered to the resource restriction service upon loading of the resource restriction service; and

upon determining that the launch restrictions for the user restrict the launching of the application, cancelling the execution call.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related for resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource restriction agent grants or denies the system call based on the access data.

Citations

19 Claims

1. A method, comprising:
- receiving, by a computer, an execution call to an operating system for launching an application, the execution call being associated with a user;
  
  intercepting, by the computer, the execution call using a resource restriction service associated with an operating system kernel;
  
  determining, by the computer, and using the resource restriction service and a resource agent, if one or more launch restrictions for the user restrict the launching of the application, including;
  
  providing, by the resource restriction service, at least one of a user identifier or a system call identifier to the resource agent, the user identifier being usable to identify the user, the system call identifier being usable to identify the execution call;
  
  when one of the user identifier or the system call identifier is not provided by the resource restriction service, determining, by the resource agent, the identifier that is not provided; and
  
  determining, by the resource agent, whether the one or more launch restrictions for the user restrict the launching of the application based on the user identifier, and the system call identifier, and pre-specified launch restrictions stored in a data store, wherein;
  
  the resource agent executes outside of the operating system kernel and is configured to communicate with the resource restriction service through a kernel control socket, the kernel control socket being a root-owned socket configured to prevent insertion of a user process, the kernel control socket being registered to the resource restriction service upon loading of the resource restriction service; and
  
  upon determining that the launch restrictions for the user restrict the launching of the application, cancelling the execution call.
- View Dependent Claims (2, 3, 4, 5, 12, 13, 14)
- - 2. The method of claim 1 further comprisingdefining the launch restrictions according to a path of the application.
  - 3. The method of claim 1 further comprisingdefining the launch restrictions according to a hash of the application.
  - 4. The method of claim 1 further comprisingdetermining if the application is an allowed application;
    - andif whether the application is an allowed application cannot be determined, determining, using the resource restriction service associated with the operating system kernel and the resource agent, if one or more launch restrictions for the user restrict the launching of the application, otherwise granting the execution call if the application is an allowed application.
  - 5. The method of claim 1, whereinthe launch restrictions are defined at a user level.
  - 12. The method of claim 1, wherein the execution call is associated with a user session.
  - 13. The method of claim 1, wherein determining using the resource restriction service and the resource agent comprises:
    - sending a request from the kernel of the operating system to the resource agent; and
      
      receiving a reply from the resource agent executing on the computer through the kernel control socket, the reply including a determination whether the application can be launched, the determination being based on the launch restrictions, and the launch restrictions specifying whether the application can be launched by a user session.
  - 14. The method of claim 1, wherein the intercepting, determining and canceling are performed at a root level, the root level being a level above a user level at which user-level processes are restricted.

6. A system, comprising:
- one or more processors; and
  
  computer program instructions tangibly stored in the system, the computer program instructions operable to cause the one or more processor to perform operations comprising;
  
  receiving an execution call to an operating system for launching an application, the execution call being associated with a user;
  
  intercepting the execution call using a resource restriction service associated with an operating system kernel; and
  
  determining, using the resource restriction service and a resource agent, if one or more launch restrictions for the user restrict the launching of the application, including;
  
  providing, by the resource restriction service, at least one of a user identifier or a system call identifier to the resource agent, the user identifier being usable to identify the user, the system call identifier being usable to identify the execution call;
  
  when one of the user identifier or the system call identifier is not provided by the resource restriction service, determining, by the resource agent, the identifier that is not provided; and
  
  determining, by the resource agent, whether the one or more launch restrictions for the user restrict the launching of the application based on the user identifier, and the system call identifier, and pre-specified launch restrictions stored in a data store,wherein;
  
  the resource agent is configured to execute in a user space outside of the operating system kernel and is configured to communicate with the resource restriction service through a kernel control socket, the kernel control socket being a root-owned socket configured to prevent insertion of a user process, the kernel control socket being registered to the resource restriction service upon loading of the resource restriction service; and
  
  upon determining that the launch restrictions for the user restrict the launching of the application, cancelling the execution call.
- View Dependent Claims (7, 8, 9, 10, 11, 15)
- - 7. The system of claim 6, whereinthe resource agent is configured to provide one or more user identifiers having associated resource restrictions to the resource restriction service.
  - 8. The system of claim 6, whereinthe resource restriction service is a system extension, a boot program, or a library that is linked to a profile of a user.
  - 9. The system of claim 6, whereinthe execution call is for launching an application.
  - 10. The system of claim 9, whereinthe execution call is for sharing a file.
  - 11. The system of claim 6, whereinthe resource restrictions are defined by an application path.
  - 15. The system of claim 6, wherein the resource restriction service and the resource agent execute at a root level, the root level being a level above a user level at which user-level processes are restricted.

16. Program instructions tangibly stored on a computer processing system, the program instructions, when executed by the computer processing system, operable to cause the computer processing system to perform operations comprising:
- receiving, by a computer, an execution call to an operating system for launching an application, the execution call being associated with a user;
  
  intercepting, by the computer, the execution call using a resource restriction service associated with an operating system kernel;
  
  determining, by the computer, and using the resource restriction service associated with the operating system kernel and a resource agent, if one or more launch restrictions for the user restrict the launching of the application, including;
  
  providing, by the resource restriction service, at least one of a user identifier or a system call identifier to the resource agent, the user identifier being usable to identify the user, the system call identifier being usable to identify the execution call;
  
  when one of the user identifier or the system call identifier is not provided by the resource restriction service, determining, by the resource agent, the identifier that is not provided;
  
  determining, by the resource agent, whether the one or more launch restrictions for the user restrict the launching of the application based on the user identifier, and the system call identifier, and pre-specified launch restrictions stored in a data store, wherein;
  
  the resource agent executes outside of the operating system kernel and is configured to communicate with the service associated with the operating system kernel through a kernel control socket, the kernel control socket being a root-owned socket configured to prevent insertion of a user process, the kernel control socket being registered to the service associated with the operating system kernel upon loading of the service associated with the operating system kernel; and
  
  upon determining that the launch restrictions for the user restrict the launching of the application, cancelling the execution call.
- View Dependent Claims (17, 18, 19)
- - 17. The program instructions of claim 16, the operations comprise defining the launch restrictions according to a path or a hash of the application.
  - 18. The program instructions of claim 16, wherein the launch restrictions are defined at a user level.
  - 19. The program instructions of claim 17, wherein the resource restriction service is a system extension, a boot program, or a library that is linked to a profile of a user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Mantere, Jussi-Pekka, Maluta, Alexander Tony, Scalo, John William, Tyacke, Eugene Ray, Gaya, Bruce, Smith, Michael John, Kiehtreiber, Peter, Cooper, Simon P.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Anderson, Michael D

Application Number

US11/462,600
Publication Number

US 20080034208A1
Time in Patent Office

2,349 Days
Field of Search

726/3, 713/164, 713/186, 455/405, 455/456.3
US Class Current

713/164
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/602   Providing cryptographic fac...

G06F 9/5005   to service a request

G06F 9/54   Interprogram communication

H04L 63/104   Grouping of entities

Resource restriction systems and methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Resource restriction systems and methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links