File system access for one or more sandboxed applications

US 8,943,550 B2
Filed: 09/28/2012
Issued: 01/27/2015
Est. Priority Date: 05/28/2010
Status: Active Grant

First Claim

Patent Images

1. A machine implemented method comprising:

receiving a selection of a resource managed by a restricted operating environment, the resource consisting of a file or folder;

requesting, in response to the selection, a location identifier associated with the resource, wherein the request for the location identifier is serviced by a cryptographically authenticated resource manager;

receiving, in response to the request, a first identifier, and a second identifier, wherein the second identifier is a uniform resource locator (URL), which allows retrieval of the resource if the resource is renamed or moved, and the first identifier is a cryptographically authenticated location identifier consisting of a first keyed hash of the URL; and

storing the first and second identifier on a non-transitory storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and machine-readable storage medium are described wherein, in one embodiment, identifiers, such as bookmarks, are used to allow access to files or folders in a sandboxed environment. One or more applications are restricted by an access control system, which can be, for example, a trusted software component of an operating system. In one embodiment, the bookmarks or other identifiers allow an application to have access to a file even if the file is renamed or moved by a user while the application has been terminated. In one embodiment, a resource manager, or other trusted access control system, can interact with an application to allow for the use of bookmarks in an environment in which a sandbox application controls access to the files such that each application must make a request to the sandbox application in order to obtain access to a particular file or folder.

30 Citations

View as Search Results

19 Claims

1. A machine implemented method comprising:
- receiving a selection of a resource managed by a restricted operating environment, the resource consisting of a file or folder;
  
  requesting, in response to the selection, a location identifier associated with the resource, wherein the request for the location identifier is serviced by a cryptographically authenticated resource manager;
  
  receiving, in response to the request, a first identifier, and a second identifier, wherein the second identifier is a uniform resource locator (URL), which allows retrieval of the resource if the resource is renamed or moved, and the first identifier is a cryptographically authenticated location identifier consisting of a first keyed hash of the URL; and
  
  storing the first and second identifier on a non-transitory storage device.
- View Dependent Claims (2, 3, 4, 5, 19)
- - 2. The method as in claim 1 wherein the resource manager is a trusted access control system of an operating system for a data processing system.
  - 3. The method as in claim 2 further comprising:
    - terminating a first application session after receiving the first and second identifiers for the resource from the resource manager;
      
      beginning a second application session after terminating the first application session; and
      
      retrieving the resource using the first and second identifiers.
  - 4. The method as in claim 3 further comprising:
    - requesting access to a selected resource;
      
      providing the first and second identifiers; and
      
      accessing the resource, wherein the resource is renamed or moved between the first and second application session.
  - 5. The method as in claim 4 further comprising authenticating the second identifier by the resource manager, wherein the authenticating includes creating a second keyed hash and comparing the second keyed hash with the first keyed hash.
  - 19. A non-transitory machine-readable storage medium, which provides instructions that when executed, cause a data processing system to perform a method as in claim 1.

6. A system to provide a restricted operating environment for managing access to a resource on an electronic computer system, the system comprising:
- memory to store instructions and resources;
  
  a storage device coupled to the memory; and
  
  one or more processors coupled to the memory and the storage device, the one or more processors to execute instructions stored in the memory to create the restricted operating environment for managing access to the resource by an application, wherein the restricted operating environment couples with a cryptographically authenticated resource manager, the cryptographically authenticated resource manager to receive a request for a location identifier to access the resource, authenticate the request by determining whether access is allowed to the resource, and send the location identifier and an identifier, wherein the identifier is a uniform resource locator (URL), which allows retrieval of the resource outside of the restricted operating environment if the resource is renamed or moved, and the location identifier is a keyed hash of the URL.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6 wherein the restricted operating environment is to restrict access to files and folders located outside of the restricted operating environment.
  - 8. The system of claim 7 wherein the resource manager is a cryptographically authenticated component of a computer operating system.
  - 9. The system of claim 8 wherein the keyed hash is generated and authenticated cryptographically.
  - 10. The system of claim 6 wherein the restricted operating environment is configured to restrict access to main memory.

11. A non-transitory machine-readable storage medium, which provides instructions that, when executed by a processing system, cause the processing system to perform operations managing resource access in a restricted operating environment, the operations comprising:
- receiving a first request to provide a location identifier associated with a resource, the resource consisting of a file or folder, the file or folder representing a collection of one or more user selected files;
  
  verifying that the first request is entitled to access the resource;
  
  creating a random key and attaching the random key to the resource;
  
  creating a first keyed hash using the random key; and
  
  returning the location identifier associated with the resource, the location identifier including a uniform resource locator (URL) and the first keyed hash, wherein the location identifier provides persistent access to the collection of files represented by the resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The machine-readable storage medium of claim 11 further comprising:
    - receiving a second request to access the resource, the second request including the location identifier;
      
      retrieving the random key from the resource;
      
      using the random key to create a second keyed hash;
      
      comparing the second keyed hash with the first keyed hash; and
      
      providing access to the resource and the collection of files represented by the resource based on the comparing.
  - 13. The machine-readable storage medium of claim 12 wherein the random key is not accessible by an application with access to the resource.
  - 14. The machine-readable storage medium of claim 13, wherein verifying that the first request is entitled to access the resource includes verifying that a requesting application has access to the resource.
  - 15. The machine-readable storage medium of claim 13 wherein the location identifier is specific to a particular application.
  - 16. The machine-readable storage medium of claim 13 wherein the first hash key is included within the URL.
  - 17. The machine-readable storage medium of claim 13 wherein the URL and first hash key provide consistent access across application sessions.
  - 18. The machine-readable storage medium of claim 17 wherein the URL and first hash key provide consistent access across system power cycles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Astrand, Love Hrnquist, Krsti, Ivan
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US13/631,715
Publication Number

US 20130185764A1
Time in Patent Office

851 Days
Field of Search

None
US Class Current

726/2
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/9566   URL specific, e.g. using al...

G06F 21/53   by executing in a restricte...

G06F 2221/034   Test or assess a computer o...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

File system access for one or more sandboxed applications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

File system access for one or more sandboxed applications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links