Access authorization having embedded policies
First Claim
Patent Images
1. A computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, perform a method comprising:
- receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service;
storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy;
associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program;
applying the first embedded policy;
executing the first instance of the application program;
associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program;
applying the second embedded policy;
executing the second instance of the application program;
receiving a request from the second instance of the application program to access the resource; and
denying access to the resource based upon the second embedded policy.
1 Assignment
0 Petitions
Accused Products
Abstract
A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image'"'"'s integrity prior to extracting the embedded policy.
-
Citations
30 Claims
-
1. A computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, perform a method comprising:
-
receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service; storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy; associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program; applying the first embedded policy; executing the first instance of the application program; associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program; applying the second embedded policy; executing the second instance of the application program; receiving a request from the second instance of the application program to access the resource; and denying access to the resource based upon the second embedded policy. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A method comprising:
-
receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service; storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy; associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program; and applying the first embedded policy; executing the first instance of the application program; associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program; applying the second embedded policy; executing the second instance of the application program; receiving a request from the second instance of the application program to access the resource; and denying access to the resource based upon the second embedded policy. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A system comprising:
-
a processing unit; and a memory coupled to the processing unit, the memory encoding computer executable instructions that, when executed by the processing unit, perform a method comprising; receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service; storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy; associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program; applying the first embedded policy; executing the first instance of the application program; associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program; applying the second embedded policy; executing the second instance of the application program; receiving a request from the second instance of the application program to access the resource; and denying access to the resource based upon the second embedded policy. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
-
Specification