Domain based isolation of objects
Abstract
Functionality can be implemented in an operating system to increase the granularity with which objects are isolated. A domain can be defined to represent each of a number of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern the operation(s) that can be performed on objects based on those domains. Processes running on a system inherit the domains of the user account logged into the system. When a process attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed.
19 Claims
1. A method comprising:
determining, in operating system space, that an operation is being attempted on an object identified with an object identifier;
determining a domain identifier associated with the operation, wherein the domain identifier identifies a domain that represents an organizational entity of a plurality of domains representing a plurality of organizational entities;
accessing from a kernel space associated with the operating system space a plurality of domain isolation rules that indicate rules for allowing operations to proceed on objects based on domain identifiers indicated as permitted for the objects, wherein the plurality of domain isolation rules are stored in the kernel space;
evaluating the plurality of domain isolation rules with the object identifier and the domain identifier associated with the operation;
determining whether the operation can proceed on the object based on said evaluating the plurality of domain isolation rules with the domain identifier associated with the operation and the object identifier;
determining that a plurality of domain identifiers are associated with the object identifier of the object;
determining whether the plurality of domain identifiers includes the domain identifier associated with the operation;
evaluating the domain isolation rules for an indication of whether any or all of the domain identifiers associated with the object identifier are required by the operation for permission to access the object;
returning a permit indication that the operation can proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that has permission for the object; and
returning a deny indication that the operation cannot proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that does not have permission for the object.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 18 and 19.

9. A computer program product for domain based object isolation, the computer program product comprising:
a computer readable storage medium having computer usable program code embodied therewith, the computer usable program code executable to cause a computer to perform:
determining, in operating system space, that an operation is being attempted on an object identified with an object identifier;
determining a domain identifier associated with the operation, wherein the domain identifier identifies a domain that represents an organizational entity of a plurality of domains representing a plurality of organizational entities;
accessing from a kernel space associated with the operating system space a plurality of domain isolation rules that indicate rules for allowing operations to proceed on objects based on domain identifiers indicated as permitted for the objects, wherein the plurality of domain isolation rules are stored in the kernel space;
evaluating the plurality of domain isolation rules with the object identifier and the domain identifier associated with the operation;
determining whether the operation can proceed on the object based on said evaluating the plurality of domain isolation rules with the domain identifier associated with the operation and the object identifier;
determining that a plurality of domain identifiers are associated with the object identifier of the object;
determining whether the plurality of domain identifiers includes the domain identifier associated with the operation;
evaluating the domain isolation rules for an indication of whether any or all of the domain identifiers associated with the object identifier are required by the operation for permission to access the object;
returning a permit indication that the operation can proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that has permission for the object; and
returning a deny indication that the operation cannot proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that does not have permission for the object.
Dependent claims: 10, 11, 12, 13, 14, 15 and 16.

17. An apparatus comprising:
a processor unit;
a network interface coupled with the processor unit; and
a domain based object isolation monitor operable to,
determine, in operating system space, that an operation is being attempted on an object identified with an object identifier;
determine a domain identifier associated with the operation, wherein the domain identifier identifies a domain that represents an organizational entity of a plurality of domains representing a plurality of organizational entities;
access from a kernel space associated with the operating system space a plurality of domain isolation rules that indicate rules for allowing operations to proceed on objects based on domain identifiers indicated as permitted for the objects, wherein the plurality of domain isolation rules are stored in the kernel space;
evaluate the plurality of domain isolation rules with the object identifier and the domain identifier associated with the operation;
determine whether the operation can proceed on the object based on said evaluating the plurality of domain isolation rules with the domain identifier associated with the operation and the object identifier;
determine that a plurality of domain identifiers are associated with the object identifier of the object;
determine whether the plurality of domain identifiers includes the domain identifier associated with the operation;
evaluate the domain isolation rules for an indication of whether any or all of the domain identifiers associated with the object identifier are required by the operation for permission to access the object;
return a permit indication that the operation can proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that has permission for the object; and
return a deny indication that the operation cannot proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that does not have permission for the object.
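The abstract and the independent claims describe the decision (object identifier plus domain identifier evaluated against kernel-resident rules, with an "any or all" requirement on the object's domains) but not the evaluation itself. The following is an added worked example in Python, not code from the patent or from any implementation of it: a user-space model of the rule store in which every process inherits the domains of its user account, each object carries the domain identifiers permitted for it, and a per-operation rule states whether any or all of those domains are required. The domain names, object paths, user names and the fail-closed default for objects or operations without a rule are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Match(Enum):
    ANY = "any"  # subject needs at least one of the domains tied to the object
    ALL = "all"  # subject needs every domain tied to the object

@dataclass(frozen=True)
class IsolationRule:
    object_id: str
    operations: frozenset  # operations this rule governs, e.g. {"read", "write"}
    match: Match

class DomainIsolationMonitor:
    """Evaluates domain isolation rules; the kernel-space store is modelled in Python."""

    def __init__(self, rules, object_domains, user_domains):
        # (object_id, operation) -> how the object's domains must be matched
        self._rules = {(r.object_id, op): r.match for r in rules for op in r.operations}
        # object_id -> domain identifiers indicated as permitted for that object
        self._object_domains = {o: frozenset(d) for o, d in object_domains.items()}
        # user -> domain identifiers; every process of that user inherits them
        self._user_domains = {u: frozenset(d) for u, d in user_domains.items()}

    def check(self, user: str, operation: str, object_id: str) -> str:
        subject = self._user_domains.get(user, frozenset())
        required = self._object_domains.get(object_id)
        match = self._rules.get((object_id, operation))
        # Fail closed (assumption): unknown object, no rule for the operation, or no domains.
        if required is None or match is None or not subject:
            return "deny"
        if match is Match.ANY:
            permitted = bool(subject & required)
        else:  # Match.ALL
            permitted = required <= subject
        return "permit" if permitted else "deny"

def sample_monitor() -> DomainIsolationMonitor:
    """Constructed sample policy: two departments share one payroll database."""
    rules = [
        IsolationRule("/data/payroll.db", frozenset({"read"}), Match.ANY),
        IsolationRule("/data/payroll.db", frozenset({"write"}), Match.ALL),
        IsolationRule("/data/roadmap.txt", frozenset({"read", "write"}), Match.ANY),
    ]
    object_domains = {"/data/payroll.db": {"finance", "hr"}, "/data/roadmap.txt": {"eng"}}
    user_domains = {"alice": {"finance", "hr"}, "bob": {"finance"}, "carol": {"eng"}}
    return DomainIsolationMonitor(rules, object_domains, user_domains)
```

With this policy `sample_monitor().check("bob", "write", "/data/payroll.db")` returns "deny" because the write rule requires all of the object's domains and bob holds only finance, while his read of the same object is permitted under the any-domain rule.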