Resource restriction systems and methods
First Claim
1. A method, comprising:
- receiving, by a computer, an execution call to an operating system for launching an application, the execution call being associated with a user;
- intercepting, by the computer, the execution call using a resource restriction service associated with an operating system kernel;
- determining, by the computer, and using the resource restriction service and a resource agent, if one or more launch restrictions for the user restrict the launching of the application, including:
  - providing, by the resource restriction service, at least one of a user identifier or a system call identifier to the resource agent, the user identifier being usable to identify the user, the system call identifier being usable to identify the execution call;
  - when one of the user identifier or the system call identifier is not provided by the resource restriction service, determining, by the resource agent, the identifier that is not provided; and
  - determining, by the resource agent, whether the one or more launch restrictions for the user restrict the launching of the application based on the user identifier, and the system call identifier, and pre-specified launch restrictions stored in a data store, wherein:
    - the resource agent executes outside of the operating system kernel and is configured to communicate with the resource restriction service through a kernel control socket, the kernel control socket being a root-owned socket configured to prevent insertion of a user process, the kernel control socket being registered to the resource restriction service upon loading of the resource restriction service; and
- upon determining that the launch restrictions for the user restrict the launching of the application, cancelling the execution call.
2 Assignments
0 Petitions
Abstract
Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls for resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on that determination. The resource restriction agent grants or denies the system call based on the access data.
19 Claims
1. A method, comprising: (text as given in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 12, 13, 14.
6. A system, comprising:
- one or more processors; and
- computer program instructions tangibly stored in the system, the computer program instructions operable to cause the one or more processors to perform operations comprising:
  - receiving an execution call to an operating system for launching an application, the execution call being associated with a user;
  - intercepting the execution call using a resource restriction service associated with an operating system kernel; and
  - determining, using the resource restriction service and a resource agent, if one or more launch restrictions for the user restrict the launching of the application, including:
    - providing, by the resource restriction service, at least one of a user identifier or a system call identifier to the resource agent, the user identifier being usable to identify the user, the system call identifier being usable to identify the execution call;
    - when one of the user identifier or the system call identifier is not provided by the resource restriction service, determining, by the resource agent, the identifier that is not provided; and
    - determining, by the resource agent, whether the one or more launch restrictions for the user restrict the launching of the application based on the user identifier, and the system call identifier, and pre-specified launch restrictions stored in a data store, wherein:
      - the resource agent is configured to execute in a user space outside of the operating system kernel and is configured to communicate with the resource restriction service through a kernel control socket, the kernel control socket being a root-owned socket configured to prevent insertion of a user process, the kernel control socket being registered to the resource restriction service upon loading of the resource restriction service; and
  - upon determining that the launch restrictions for the user restrict the launching of the application, cancelling the execution call.
Dependent claims: 7, 8, 9, 10, 11, 15.
16. Program instructions tangibly stored on a computer processing system, the program instructions, when executed by the computer processing system, operable to cause the computer processing system to perform operations comprising:
- receiving, by a computer, an execution call to an operating system for launching an application, the execution call being associated with a user;
- intercepting, by the computer, the execution call using a resource restriction service associated with an operating system kernel;
- determining, by the computer, and using the resource restriction service associated with the operating system kernel and a resource agent, if one or more launch restrictions for the user restrict the launching of the application, including:
  - providing, by the resource restriction service, at least one of a user identifier or a system call identifier to the resource agent, the user identifier being usable to identify the user, the system call identifier being usable to identify the execution call;
  - when one of the user identifier or the system call identifier is not provided by the resource restriction service, determining, by the resource agent, the identifier that is not provided;
  - determining, by the resource agent, whether the one or more launch restrictions for the user restrict the launching of the application based on the user identifier, and the system call identifier, and pre-specified launch restrictions stored in a data store, wherein:
    - the resource agent executes outside of the operating system kernel and is configured to communicate with the service associated with the operating system kernel through a kernel control socket, the kernel control socket being a root-owned socket configured to prevent insertion of a user process, the kernel control socket being registered to the service associated with the operating system kernel upon loading of the service associated with the operating system kernel; and
- upon determining that the launch restrictions for the user restrict the launching of the application, cancelling the execution call.
Dependent claims: 17, 18, 19.
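The exchange the independent claims describe (a kernel-side service intercepts an exec call, passes a user identifier and/or a system call identifier to a user-space agent over a control socket, the agent consults stored launch restrictions and returns access data, and the service cancels the call on a deny) is simulated below as an added example. It is not code from the patent or from any implementation of it. Everything concrete is assumed: the launch-restriction data store and the table of pending calls are constructed sample data, a `socket.socketpair()` stands in for the kernel control socket, and the length-prefixed JSON framing is an invented wire format. The root-ownership property of the control socket is taken as given rather than enforced here; the agent's own contribution is to resolve whichever identifier the service left out and to fail closed when the call cannot be identified unambiguously.

```python
import json
import socket
import struct

# Constructed data store of pre-specified launch restrictions, keyed by user id:
# the set of application paths that user is NOT permitted to launch.
LAUNCH_RESTRICTIONS = {
    1001: {"/Applications/Games.app", "/usr/bin/chat"},
    1002: set(),
}

# Constructed record of intercepted execution calls, keyed by a system call
# identifier. It stands in for whatever the kernel-side service keeps about
# each pending exec (the calling user and the application being launched).
PENDING_CALLS = {
    "exec-0001": {"uid": 1001, "path": "/Applications/Games.app"},
    "exec-0002": {"uid": 1001, "path": "/usr/bin/vim"},
    "exec-0003": {"uid": 1002, "path": "/Applications/Games.app"},
}


def send_frame(sock, message):
    """Length-prefixed JSON framing over the control socket (assumed format)."""
    payload = json.dumps(message).encode()
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("control socket closed")
        buf += chunk
    return buf


def recv_frame(sock):
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return json.loads(recv_exact(sock, length))


def resolve_identifiers(request):
    """Agent side: fill in whichever identifier the service did not provide.
    Returns (uid, syscall_id), or None when the call cannot be identified."""
    uid = request.get("uid")
    syscall_id = request.get("syscall_id")
    if syscall_id is not None:
        call = PENDING_CALLS.get(syscall_id)
        if call is None:
            return None            # unknown call: nothing to decide on
        if uid is None:
            uid = call["uid"]      # derive the user from the pending call
        return uid, syscall_id
    if uid is not None:
        # Only the user is known: the call is identifiable only if that user
        # has exactly one pending exec; anything else is ambiguous.
        candidates = [sid for sid, c in PENDING_CALLS.items() if c["uid"] == uid]
        if len(candidates) == 1:
            return uid, candidates[0]
    return None


def agent_decide(request):
    """Resource agent (user space): produce access data for one request.
    Fails closed: anything that cannot be resolved is denied."""
    resolved = resolve_identifiers(request)
    if resolved is None:
        return {"access": "deny", "reason": "call not identifiable"}
    uid, syscall_id = resolved
    path = PENDING_CALLS[syscall_id]["path"]
    if path in LAUNCH_RESTRICTIONS.get(uid, set()):
        return {"access": "deny", "reason": f"{path} restricted for uid {uid}"}
    return {"access": "allow", "reason": "no matching launch restriction"}


def agent_serve_one(agent_sock):
    """Read one request from the control socket and answer it."""
    send_frame(agent_sock, agent_decide(recv_frame(agent_sock)))


def run_exchange(syscall_id, omit=None):
    """Simulated kernel-side service handling one intercepted exec call.
    `omit` drops "uid" or "syscall_id" from the request to exercise the
    agent's identifier resolution. Returns True if the launch proceeds,
    False if the execution call is cancelled."""
    service_end, agent_end = socket.socketpair()  # stand-in for the kernel control socket
    try:
        call = PENDING_CALLS[syscall_id]
        request = {"uid": call["uid"], "syscall_id": syscall_id}
        if omit is not None:
            request.pop(omit, None)
        send_frame(service_end, request)
        agent_serve_one(agent_end)
        reply = recv_frame(service_end)
    finally:
        service_end.close()
        agent_end.close()
    return reply["access"] == "allow"


if __name__ == "__main__":
    for sid in PENDING_CALLS:
        print(sid, "allowed" if run_exchange(sid) else "cancelled")
```

Running the module shows `exec-0001` cancelled (uid 1001 is restricted from Games.app) while `exec-0002` and `exec-0003` proceed. The fail-closed branch matters in practice: if the agent resolved a missing identifier by guessing, a user with several pending launches could have a restricted one decided on the basis of an unrestricted one, so the agent denies when the request cannot be tied to exactly one call.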