Using virtual hierarchies to build alternative namespaces

US 8,539,481 B2
Filed: 12/12/2005
Issued: 09/17/2013
Est. Priority Date: 12/12/2005
Status: Active Grant

First Claim

Patent Images

1. A system for restricting access to resources comprising:

a computing device storing instructions that when executed cause;

an operating system module to instantiate a system environment, the system environment associated with a global physical hierarchy comprising a plurality of nodes representing resources and an isolated environment within the system environment associated with a view of the global physical hierarchy,the view constraining access of an entity executing in the isolated environment to a subset of the resources and forms a virtual file system hierarchy that is different from a hierarchy in the global physical hierarchy and contains at least one node in addition to the nodes in the global hierarchy,the virtual file system hierarchy comprising a first virtual node with a link to a first physical node in the global physical hierarchy, and a second virtual node with a link to a second physical node in the global physical hierarchy, a relative arrangement of the first and second virtual nodes within the virtual file system hierarchy differing as compared to a relative arrangement of the first and second physical nodes within the global physical hierarchy,the operating system module adapted to generating the view by creation of the virtual file system hierarchy in volatile storage only, the virtual file system hierarchy not persisted to non-volatile storage and wherein the entity'"'"'s sole access to the subset of the resources is via the virtual file system hierarchy,the operating system module adapted to receiving a first request to access a first node in the virtual file system hierarchy, and, in response to determining that the first node is not a leaf node, responding to the first request by returning a file handle that references the first node,the operating system module adapted to receiving a second request to access a second node in the virtual file system hierarchy, in response to determining that the second node is a leaf node, determining a name used to reference a node in the physical directory; and

responding to the second request by returning a file handle that references the name used to reference the node in the physical directory.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested isolated environments enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies.

43 Citations

View as Search Results

20 Claims

1. A system for restricting access to resources comprising:
- a computing device storing instructions that when executed cause;
  
  an operating system module to instantiate a system environment, the system environment associated with a global physical hierarchy comprising a plurality of nodes representing resources and an isolated environment within the system environment associated with a view of the global physical hierarchy,the view constraining access of an entity executing in the isolated environment to a subset of the resources and forms a virtual file system hierarchy that is different from a hierarchy in the global physical hierarchy and contains at least one node in addition to the nodes in the global hierarchy,the virtual file system hierarchy comprising a first virtual node with a link to a first physical node in the global physical hierarchy, and a second virtual node with a link to a second physical node in the global physical hierarchy, a relative arrangement of the first and second virtual nodes within the virtual file system hierarchy differing as compared to a relative arrangement of the first and second physical nodes within the global physical hierarchy,the operating system module adapted to generating the view by creation of the virtual file system hierarchy in volatile storage only, the virtual file system hierarchy not persisted to non-volatile storage and wherein the entity'"'"'s sole access to the subset of the resources is via the virtual file system hierarchy,the operating system module adapted to receiving a first request to access a first node in the virtual file system hierarchy, and, in response to determining that the first node is not a leaf node, responding to the first request by returning a file handle that references the first node,the operating system module adapted to receiving a second request to access a second node in the virtual file system hierarchy, in response to determining that the second node is a leaf node, determining a name used to reference a node in the physical directory; and
  
  responding to the second request by returning a file handle that references the name used to reference the node in the physical directory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the global physical hierarchy represents a global file system directory and wherein the virtual file system hierarchy represents a subset of the global file system directory for the isolated environment, each node in the global file system directory representing a sub-directory or a file.
  - 3. The system of claim 1, wherein the entity comprises a process, group of processes, program, group of programs, application or group of applications.
  - 4. The system of claim 1, wherein the virtual file system hierarchy comprises a plurality of virtual nodes wherein at least one virtual node of the plurality of virtual nodes comprises a link to a physical node of the global physical hierarchy.
  - 5. The system of claim 1, wherein the isolated environment comprises at least one process executing in the isolated environment and wherein the virtual file system hierarchy is a default hierarchy for the at least one process.
  - 6. The system of claim 1, wherein the isolated environment is a silo.
  - 7. The system of claim 1, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments within the system environment.
  - 8. The system of claim 1, wherein the isolated environment includes at least one level of nested isolated environments.
  - 9. The system of claim 5, wherein the virtual file system hierarchy restricts a set of resources available to the at least one process by restricting to a subset of the global physical hierarchy the view of the global physical hierarchy presented to the at least one process.

10. A method of providing a view of a global name space to an entity executing in an isolated environment comprising:
- generating the isolated environment within a system environment via an operating system image, the operating system image serving the isolated environment and the system environment, the system environment associated with a global physical hierarchy on non-volatile storage and the isolated environment associated with a view of the global physical hierarchy;
  
  generating the view by creating a virtual file system hierarchy that is different from a file system hierarchy in the global physical hierarchy and contains at least one node in addition to the nodes in the global file system hierarchy, and that provides the entity access to only a subset of the global physical file system hierarchy, the virtual file system hierarchy stored only in volatile storage;
  
  receiving a first request to access a first node in the virtual file system hierarchy;
  
  in response to determining that the first node is not a leaf node, responding to the first request by returning a file handle that references the first node;
  
  receiving a second request to access a second node in the virtual file system hierarchy;
  
  in response to determining that the second node is a leaf node, determining a name used to reference a node in the physical directory; and
  
  responding to the second request by returning a file handle that references the name used to reference the node in the physical directory.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising generating the virtual hierarchy bycreating a virtual root node for the virtual hierarchy;
    - creating at least one level of nodes depending from the virtual root, wherein at least one node of at least one of the levels of nodes comprises a leaf node;
      
      creating a link from the at least one leaf node to a node in the global physical directory.
  - 12. The method of claim 10, wherein the isolated environment is a silo.
  - 13. The method of claim 10, further comprising nesting a child isolated environment within the isolated environment.
  - 14. The method of claim 10, wherein the global physical hierarchy is a file system directory for the system environment and the virtual hierarchy is a virtual file system directory for the entity executing in the isolated environment.
  - 15. The method of claim 10, wherein the isolated environment is a first isolated environment of a plurality of side-by-side isolated environments.
  - 16. The method of claim 10, wherein the entity comprises a process, a group of processes, an application or a group of applications.

17. A computer-readable storage device comprising computer-executable instructions for:
- restricting a set of resources available to a process, group of processes, application or group of applications running in a silo by creating a virtual file system hierarchy accessed by the process, the group of processes, the application or the group of applications,the virtual file system hierarchy comprising a first and a second virtual node, the first virtual node comprising a link to a first physical node of a physical file system hierarchy, the second virtual node comprising a link to a second physical node of the physical file system hierarchy, the virtual file system hierarchy containing at least one node in addition to the nodes in the global hierarchy,a relative arrangement of the first and second virtual nodes within the virtual file system hierarchy differing as compared to a relative arrangement of the first and second physical nodes within the global physical file system hierarchy,the virtual file system hierarchy providing sole access to a node in the physical file system hierarchy via a link from a node in the virtual file system hierarchy to the node in the physical file system hierarchy;
  
  receiving a first request to access a first node in the virtual file system hierarchy;
  
  in response to determining that the first node is not a leaf node, responding to the first request by returning a file handle that references the first node;
  
  receiving a second request to access a second node in the virtual file system hierarchy;
  
  in response to determining that the second node is a leaf node, determining a name used to reference a node in the physical directory; and
  
  responding to the second request by returning a file handle that references the name used to reference the node in the physical directory.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable device of claim 17, comprising further computer-readable instructions for:
    - storing the virtual hierarchy only in volatile storage and not in non-volatile storage.
  - 19. The computer-readable device of claim 17, wherein the computer-executable instructions comprise a portion of an operating system that serves the silo and a plurality of system processes external to the silo.
  - 20. The computer-readable device of claim 17, wherein the computer-executable instructions comprise a portion of a silo file system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Smith, Frederick J., Havens, Jeff L., Talluri, Madhusudhan, Khalidi, Yousef A.
Primary Examiner(s)
Sough, H S
Assistant Examiner(s)
Onat, Umut

Application Number

US11/301,093
Publication Number

US 20070136723A1
Time in Patent Office

2,836 Days
Field of Search

None
US Class Current

718/1
CPC Class Codes

G06F 2009/45566   Nested virtual machines

G06F 21/6281   at program execution time, ...

G06F 9/45558   Hypervisor-specific managem...

Using virtual hierarchies to build alternative namespaces

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Using virtual hierarchies to build alternative namespaces

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links