Methods for restricting resources used by a program based on entitlements
First Claim
1. A computer-implemented method, comprising:
- in response to a request for launching a program;
identifying a library that the program utilizes when executed;
determining a list of resources of the library to be accessed by the program during execution of the program;
calling a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function returning a set of rules for accessing resources associated with the library based on the one or more resource entitlements specified in the parameter; and
dynamically generating a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit the program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program.
0 Assignments
0 Petitions
Accused Products
Abstract
In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.
46 Citations
21 Claims
-
1. A computer-implemented method, comprising:
in response to a request for launching a program; identifying a library that the program utilizes when executed; determining a list of resources of the library to be accessed by the program during execution of the program; calling a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function returning a set of rules for accessing resources associated with the library based on the one or more resource entitlements specified in the parameter; and dynamically generating a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit the program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
8. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method, the method comprising:
-
in response to a request for launching a program; identifying a library that the program utilizes when executed; determining a list of resources of the library to be accessed by the program during execution of the program; calling a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function returning a set of rules for accessing resources associated with the library based on the one or more resource entitlements specified in the parameter; and dynamically generating a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit the program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A data processing system, comprising:
-
an access control module executed by a processor, in response to a request for launching a program, to; identify a library that the program utilizes when executed; determine a list of resources of the library to be accessed by the program during execution of the program; and call a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function to return a set of rules for accessing resources associated with the library based on the one or more resource entitlements; and a profile compiler, executed by the processor, to dynamically generate a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit a program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program. - View Dependent Claims (16, 17, 18, 19, 20, 21)
-
Specification