Domain based isolation of objects

US 8,429,191 B2
Filed: 01/14/2011
Issued: 04/23/2013
Est. Priority Date: 01/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, in operating system space, that an operation is being attempted on an object identified with an object identifier;

determining a domain identifier associated with the operation, wherein the domain identifier identifies a domain that represents an organizational entity of a plurality of domains representing a plurality of organizational entities;

accessing from a kernel space associated with the operating system space a plurality of domain isolation rules that indicate rules for allowing operations to proceed on objects based on domain identifiers indicated as permitted for the objects, wherein the plurality of domain isolation rules are stored in the kernel space;

evaluating the plurality of domain isolation rules with the object identifier and the domain identifier associated with the operation;

determining whether the operation can proceed on the object based on said evaluating the plurality of domain isolation rules with the domain identifier associated with the operation and the object identifier;

determining that a plurality of domain identifiers are associated with the object identifier of the object;

determining whether the plurality of domain identifiers includes the domain identifier associated with the operation;

evaluating the domain isolation rules for an indication of whether any or all of the domain identifiers associated with the object identifier are required by the operation for permission to access the object;

returning a permit indication that the operation can proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that has permission for the object; and

returning a deny indication that the operation cannot proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that does not have permission for the object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed.

Citations

19 Claims

1. A method comprising:
- determining, in operating system space, that an operation is being attempted on an object identified with an object identifier;
  
  determining a domain identifier associated with the operation, wherein the domain identifier identifies a domain that represents an organizational entity of a plurality of domains representing a plurality of organizational entities;
  
  accessing from a kernel space associated with the operating system space a plurality of domain isolation rules that indicate rules for allowing operations to proceed on objects based on domain identifiers indicated as permitted for the objects, wherein the plurality of domain isolation rules are stored in the kernel space;
  
  evaluating the plurality of domain isolation rules with the object identifier and the domain identifier associated with the operation;
  
  determining whether the operation can proceed on the object based on said evaluating the plurality of domain isolation rules with the domain identifier associated with the operation and the object identifier;
  
  determining that a plurality of domain identifiers are associated with the object identifier of the object;
  
  determining whether the plurality of domain identifiers includes the domain identifier associated with the operation;
  
  evaluating the domain isolation rules for an indication of whether any or all of the domain identifiers associated with the object identifier are required by the operation for permission to access the object;
  
  returning a permit indication that the operation can proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that has permission for the object; and
  
  returning a deny indication that the operation cannot proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that does not have permission for the object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 18, 19)
- - 2. The method of claim 1, wherein the object comprises one of a file, a file system, a volume group, a file set, and a device.
  - 3. The method of claim 1, wherein the operation is initiated by one of an application process, an operating system process, a script process, a tool process, a command process, and a utility process.
  - 4. The method of claim 1 further comprises storing an association of a user identifier and the domain identifier in the kernel space.
  - 5. The method of claim 1 further comprising:
    - determining that the operation is associated with a second domain identifier;
      
      determining whether the domain isolation rule for the object indicates that all of the plurality of domain identifiers associated with the object identifier are required to be associated with the operation to permit access to the object;
      
      determining that the operation can proceed if the plurality of domain identifiers consists of the domain identifier and the second domain identifier associated with the operation;
      
      determining that the operation cannot proceed if the plurality of domain identifiers comprises more than the domain identifier and the second domain identifier associated with the operation.
  - 6. The method of claim 1, wherein said determining the domain identifier associated with the operation comprises determining that the domain identifier is indicated in user data that represents a user account logged into a machine that hosts the operating system space.
  - 7. The method of claim 1 further comprising:
    - after returning the permit indication that the operation can proceed on the object, determining that the object is associated with a plurality of access control lists;
      
      selecting a first of the plurality of access control lists, wherein the first access control list corresponds to domains; and
      
      determining that the first access control list indicates the domain identifier has one of read, write, and execute permission on the object.
  - 8. The method of claim 1 further comprising loading the plurality of domain isolation rules into the operating system space from the kernel space.
  - 18. The method of claim 1 further comprising:
    - determining that the operation is associated with a second domain identifier;
      
      determining whether the domain isolation rules for the object indicates that any of domain identifier or second domain identifier are required for the object;
      
      determining that the operation can proceed if the domain isolations rules indicate that the plurality of domain identifiers associated with the object identifier includes at least one of the domain identifier and the second domain identifier associated with the operation;
      
      determining that the operation cannot proceed if the domain isolation rules indicate that the plurality of domains associated with the object identifier does not include either the domain identifier or the first domain identifier as associated with the operation.
  - 19. The method of claim 1 further comprising:
    - determining, in the operating system space, that the operation is being attempted on an object by a user;
      
      determining a user identifier associated with the user, wherein the user identifier uniquely identifies the user from a plurality of users;
      
      evaluating a set of login rules to determine if the user identifier is permitted login access to the operating system space;
      
      wherein the user identifier is unassociated with any object or object identifier and the domain identifier identifies a domain that represents an organizational entity, each organizational entity being comprised of a plurality of users.

9. A computer program product for domain based object isolation, the computer program product comprising:
- a computer readable storage medium having computer usable program code embodied therewith, the computer usable program code executable to cause a computer to perform;
  
  determining, in operating system space, that an operation is being attempted on an object identified with an object identifier;
  
  determining a domain identifier associated with the operation, wherein the domain identifier identifies a domain that represents an organizational entity of a plurality of domains representing a plurality of organizational entities;
  
  accessing from a kernel space associated with the operating system space a plurality of domain isolation rules that indicate rules for allowing operations to proceed on objects based on domain identifiers indicated as permitted for the objects, wherein the plurality of domain isolation rules are stored in the kernel space;
  
  evaluating the plurality of domain isolation rules with the object identifier and the domain identifier associated with the operation;
  
  determining whether the operation can proceed on the object based on said evaluating the plurality of domain isolation rules with the domain identifier associated with the operation and the object identifier;
  
  determining that a plurality of domain identifiers are associated with the object identifier of the object;
  
  determining whether the plurality of domain identifiers includes the domain identifier associated with the operation;
  
  evaluating the domain isolation rules for an indication of whether any or all of the domain identifiers associated with the object identifier are required by the operation for permission to access the object;
  
  returning a permit indication that the operation can proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that has permission for the object; and
  
  returning a deny indication that the operation cannot proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that does not have permission for the object.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer program product of claim 9, wherein the object comprises one of a file, a file system, a volume group, a file set, and a device and the operation is initiated by one of an application process, an operating system process, a script process, a tool process, a command process, and a utility process.
  - 11. The computer program product of claim 9, wherein the computer usable program code is further executable to cause a computer to store an association of a user identifier and the domain identifier in the kernel space responsive to receiving user credentials.
  - 12. The computer program product of claim 9, wherein said determining whether the operation can proceed on the object comprises:
    - determining that a plurality of domain identifiers are indicated as having permission for the object; and
      
      determining whether the plurality of domain identifiers includes the domain identifier associated with the operation.
  - 13. The computer program product of claim 12, wherein the computer usable program code is further executable to cause a computer to:
    - determine that the operation is associated with a second domain identifier;
      
      determine whether the domain isolation rule for the object indicates that all of the plurality of domain identifiers are required for the object;
      
      determine that the operation can proceed if the plurality of domain identifiers consists of the domain identifier and the second domain identifier associated with the operation;
      
      determine that the operation cannot proceed if the plurality of domain identifiers comprises more than the domain identifier and the second domain identifier associated with the operation.
  - 14. The computer program product of claim 9, wherein said determining the domain identifier associated with the operation comprises determining that the domain identifier is indicated in user data that represents a user account logged into a machine that hosts the operating system space.
  - 15. The computer program product of claim 9, wherein the computer usable program code is further executable to cause a computer to:
    - after returning the permit indication that the operation can proceed on the object, determine that the object is associated with a plurality of access control lists;
      
      select a first of the plurality of access control lists, wherein the first access control list corresponds to domains; and
      
      determine that the first access control list indicates the domain identifier has one of read, write, and execute permission on the object.
  - 16. The computer program product of claim 9, wherein the computer usable program code is executable to further cause a computer to load the plurality of domain isolation rules into the kernel space.

17. An apparatus comprising:
- a processor unit;
  
  a network interface coupled with the processor unit; and
  
  a domain based object isolation monitor operable to,determine in operating system space, that an operation is being attempted on an object identified with an object identifier;
  
  determine a domain identifier associated with the operation, wherein the domain identifier identifies a domain that represents an organizational entity of a plurality of domains representing a plurality of organizational entities;
  
  access from a kernel space associated with the operating system space a plurality of domain isolation rules that indicate rules for allowing operations to proceed on objects based on domain identifiers indicated as permitted for the objects, wherein the plurality of domain isolation rules are stored in the kernel space;
  
  evaluate the plurality of domain isolation rules with the object identifier and the domain identifier associated with the operation;
  
  determine whether the operation can proceed on the object based on said evaluating the plurality of domain isolation rules with the domain identifier associated with the operation and the object identifier;
  
  determine that a plurality of domain identifiers are associated with the object identifier of the object;
  
  determine whether the plurality of domain identifiers includes the domain identifier associated with the operation;
  
  evaluate the domain isolation rules for an indication of whether any or all of the domain identifiers associated with the object identifier are required by the operation for permission to access the object;
  
  return a permit indication that the operation can proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that has permission for the object; and
  
  return a deny indication that the operation cannot proceed on the object if the domain isolation rules indicate that the domain identifier represents a domain that does not have permission for the object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Desai, Saurabh, Koikara, George Mathew, Nataraj, Pruthvi Panyam, Venkataraman, Guha Prasad, Ranganathan, Vidya
Primary Examiner(s)
Truong, Dennis

Application Number

US13/006,621
Publication Number

US 20120185510A1
Time in Patent Office

830 Days
Field of Search

707781-789, 707/999.009, 715/789, 726/2, 726/1
US Class Current

707/783
CPC Class Codes

G06F 21/6281 at program execution time, ...

G06F 2221/2141 Access rights, e.g. capabil...

Domain based isolation of objects

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Domain based isolation of objects

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links