Exposing data to virtual machines
First Claim
1. A method performed by a system of one or more computers, the method comprising:
- executing a virtual machine on a host operating system;
- mounting a synthetic file system on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine, wherein the synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to an external data repository storing data outside the virtual machine;
- receiving a first system call of the plurality of system calls at the synthetic file system for the read operation or the write operation from a first guest application of the plurality of guest applications;
- determining that the first guest application is not authorized for the first system call by a security policy associated with the synthetic file system, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises:
  - translating the first system call into a server request; and
  - providing the server request to a trusted agent, the trusted agent being a process executing on the virtual machine, wherein the trusted agent is configured to send the server request to a server external to the virtual machine, the server being configured to access the external data repository, and wherein the server is configured to provide a token to the trusted agent during a booting process for the virtual machine, and the trusted agent is configured to provide the token to the server with the server request; and
- denying access to the external data repository to the first guest application.
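The flow claim 1 describes, as an added simulation written for this page (not the patent's or any product's code): a guest syscall enters the synthetic file system, is translated into a server request, is carried by the only process holding the boot-time token, and is allowed or denied by the server-side policy. The class names, the policy table, the sample path and the hex token scheme are assumptions.

```python
import errno
import secrets

class DataServer:
    """Server outside the VM that owns the external data repository (constructed sample data)."""
    def __init__(self):
        self.repository = {"/meta/hostname": b"vm-01\n"}
        # Security policy: (guest app, operation) -> paths it may touch; anything else is denied.
        self.policy = {("backup-agent", "read"): {"/meta/hostname"}}
        self.boot_tokens = set()
    def issue_boot_token(self) -> str:
        token = secrets.token_hex(16)  # handed to the trusted agent once, during VM boot
        self.boot_tokens.add(token)
        return token
    def handle(self, token: str, request: dict) -> dict:
        if token not in self.boot_tokens:  # request did not arrive via a trusted agent
            return {"status": "denied", "errno": errno.EACCES}
        if request["path"] not in self.policy.get((request["app"], request["op"]), set()):
            return {"status": "denied", "errno": errno.EACCES}
        if request["op"] == "write":
            self.repository[request["path"]] = request["data"]
        return {"status": "ok", "data": self.repository.get(request["path"], b"")}

class TrustedAgent:
    """In-VM process; it alone holds the boot-time token and attaches it to every server request."""
    def __init__(self, server: DataServer):
        self.server, self.token = server, server.issue_boot_token()
    def send(self, request: dict) -> dict:
        return self.server.handle(self.token, request)

class SyntheticFS:
    """Mounted file system the guest apps see; translates read/write syscalls into server requests."""
    def __init__(self, agent: TrustedAgent):
        self.agent = agent
    def syscall(self, app: str, op: str, path: str, data: bytes = b"") -> bytes:
        resp = self.agent.send({"app": app, "op": op, "path": path, "data": data})
        if resp["status"] != "ok":  # denied: the guest sees EACCES and never reaches the repository
            raise PermissionError(resp["errno"], "Permission denied", path)
        return resp["data"]

def run_scenario() -> tuple:
    # Authorized read succeeds; an unauthorized write is refused and the repository is unchanged.
    server = DataServer()
    fs = SyntheticFS(TrustedAgent(server))
    allowed = fs.syscall("backup-agent", "read", "/meta/hostname")
    try:
        fs.syscall("untrusted-app", "write", "/meta/hostname", b"tampered\n")
        denied_with_eacces = False
    except PermissionError as exc:
        denied_with_eacces = exc.errno == errno.EACCES
    return allowed, denied_with_eacces, server.repository["/meta/hostname"]
```

The guest application never sees the token, so a request that bypasses the trusted agent (or presents a stale token) is refused by the server before any repository access.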
Abstract
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for exposing metadata to a virtual machine. In one aspect, a method includes executing a virtual machine on a host operating system. A synthetic file system is mounted on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine. The synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to external metadata stored outside the virtual machine.
20 Claims
8. A system of one or more computers configured to perform operations comprising:
- executing a virtual machine on a host operating system;
- mounting a synthetic file system on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine, wherein the synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to an external data repository storing data outside the virtual machine;
- receiving a first system call of the plurality of system calls at the synthetic file system for the read operation or the write operation from a first guest application of the plurality of guest applications;
- determining that the first guest application is not authorized for the first system call by a security policy associated with the synthetic file system, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises:
  - translating the first system call into a server request; and
  - providing the server request to a trusted agent, the trusted agent being a process executing on the virtual machine, wherein the trusted agent is configured to send the server request to a server external to the virtual machine, the server being configured to access the external data repository, and wherein the server is configured to provide a token to the trusted agent during a booting process for the virtual machine, and the trusted agent is configured to provide the token to the server with the server request; and
- denying access to the external data repository to the first guest application.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer storage medium encoded with a computer program, the program comprising instructions that when executed by one or more computers cause the one or more computers to perform operations comprising:
- executing a virtual machine on a host operating system;
- mounting a synthetic file system on the virtual machine to expose the synthetic file system to a plurality of guest applications executing on the virtual machine, wherein the synthetic file system is configured to provide a plurality of system calls to the guest applications including at least a read operation or a write operation for reading from or writing to an external data repository storing data outside the virtual machine;
- receiving a first system call of the plurality of system calls at the synthetic file system for the read operation or the write operation from a first guest application of the plurality of guest applications;
- determining that the first guest application is not authorized for the first system call by a security policy associated with the synthetic file system, wherein determining that the first guest application is not authorized for the first system call by the security policy comprises:
  - translating the first system call into a server request; and
  - providing the server request to a trusted agent, the trusted agent being a process executing on the virtual machine, wherein the trusted agent is configured to send the server request to a server external to the virtual machine, the server being configured to access the external data repository, and wherein the server is configured to provide a token to the trusted agent during a booting process for the virtual machine, and the trusted agent is configured to provide the token to the server with the server request; and
- denying access to the external data repository to the first guest application.

Dependent claims: 16, 17, 18, 19, 20.