Pervasive package identifiers
Abstract
A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.
31 Claims
1. A system comprising:
- a memory; and
- one or more processors;
at least one of the one or more processors is configured to perform actions including:
- obtaining, at a computing device for an application installed on the computing device from a package, a package identifier for the package, the package identifier including an identifier of an architecture of devices on which the application is designed to operate, the application having been installed only if a publisher of the package included in the package identifier was verified as being the same as the publisher included in a digital certificate associated with the package;
- maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the computing device but not accessible to other applications of the computing device;
- assigning the package identifier to each of one or more processes created for the application, wherein each process created for the application includes a process token generated by the operating system of the computing device, the process incapable of modifying the process token; and
- determining, based at least in part on the package identifier, for each of the one or more processes whether the process is permitted to access a resource of the computing device.
Dependent claims: 2-11.
12. A system comprising:
- a memory; and
- one or more processors;
at least one of the one or more processors configured to perform operations including:
- obtaining, at a computing device as part of installing one or more applications from a package on the computing device, a package identifier from the package;
- maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the computing device but not to other applications of the device;
- adding capabilities of one or more components included in the package to an access control list of a resource to create a capability security identifier;
- adding a package identifier security identifier to the access control list associated with the stored capabilities for the package;
- using the package identifier security identifier to gain access to the capability security identifier; and
- using the capability security identifier to access the resource.
Dependent claims: 13-18.
19. A computing device comprising:
- a memory; and
- one or more processors;
at least one of the one or more processors configured to perform actions including:
- obtaining, at the computing device as part of installing one or more applications from a package on the computing device, a package identifier from the package, the package identifier including a name of the package, a name of a publisher of the package, an identifier of an architecture of devices on which the application is designed to operate, an indication of a version of the package, and a value identifying a resource type of the package, the one or more applications being installed only if the publisher of the package included in the package identifier is verified to be the same as the publisher included in a digital certificate associated with the package;
- maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the computing device but not to other applications of the computing device;
- using a subset of elements of the package identifier to be a family identifier of the package, the subset of elements including the name of the package and the name of the publisher of the package;
- assigning the family identifier to each of one or more processes created for running the one or more applications by generating a security identifier based on the family identifier and adding the security identifier to a process token of each of the one or more processes; and
- responsive to the one or more processes spawning one or more other processes, causing the one or more other processes to inherit the same process token.
20. A mobile device, comprising:
- a memory; and
- one or more processors;
at least one of the one or more processors configured to perform actions including:
- obtaining, at the mobile device as part of installing one or more applications from a package on the mobile device, a package identifier from the package, the package identifier including a name of the package, a name of a publisher of the package, an identifier of an architecture of devices on which the application is designed to operate, an indication of a version of the package, and a value identifying a resource type of the package, the one or more applications being installed only if the publisher of the package included in the package identifier is verified to be the same as the publisher included in a digital certificate associated with the package;
- maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the mobile device but not to other applications of the mobile device;
- using a subset of elements of the package identifier to be a family identifier of the package, the subset of elements including the name of the package and the name of the publisher of the package;
- assigning the family identifier to each of one or more processes created for running the one or more applications by generating a security identifier based on the family identifier and adding the security identifier to a process token of each of the one or more processes; and
- responsive to the one or more processes spawning one or more other processes, causing the one or more other processes to inherit the same process token.
21. A mobile device, comprising:
- a memory; and
- at least one processor;
the at least one processor is configured to perform actions including:
- obtaining, at the mobile device for an application installed on the mobile device from a package, a package identifier for the package, the package identifier including an identifier of an architecture of devices on which the application is designed to operate, the application having been installed only if a publisher of the package included in the package identifier was verified as being the same as the publisher included in a digital certificate associated with the package;
- maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the mobile device but not accessible to other applications of the mobile device;
- assigning the package identifier to each of one or more processes created for the application, wherein each process created for the application includes a process token generated by the operating system of the mobile device, the process incapable of modifying the process token; and
- determining, based at least in part on the package identifier, for each of the one or more processes whether the process is permitted to access a resource of the mobile device.
Dependent claims: 22-31.
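The access model these claims describe (publisher checked against the signing certificate before install, a family identifier formed from package name plus publisher, a security identifier placed in a token the process cannot modify and child processes inherit, and a resource ACL that grants access to capability SIDs reached through the package SID) as an added Python toy model; this is not the patent's or any operating system's code, and the PackageIdentity class, the hash-based derive_sid stand-in and the sample package values are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class PackageIdentity:
    """Identifier elements from claims 19 and 20 (class name is an assumption)."""
    name: str
    publisher: str
    architecture: str
    version: str
    resource_type: str

    def family_id(self) -> str:
        # Claims 19/20: the family identifier is the name-plus-publisher subset.
        return f"{self.name}_{self.publisher}"

def derive_sid(label: str) -> str:
    # Assumed stand-in for SID generation (a stable hash), not any OS's real derivation.
    return "S-PKG-" + hashlib.sha256(label.encode()).hexdigest()[:16]

@dataclass(frozen=True)
class ProcessToken:
    """Frozen: the process cannot modify its own token (claims 1 and 21)."""
    package_sid: str

def install(pkg: PackageIdentity, cert_publisher: str) -> Optional[PackageIdentity]:
    """Install only if the identifier's publisher matches the signing certificate."""
    return pkg if pkg.publisher == cert_publisher else None

def create_token(pkg: PackageIdentity) -> ProcessToken:
    """Claims 19/20: a SID generated from the family identifier goes into the token."""
    return ProcessToken(derive_sid(pkg.family_id()))

def spawn_child(parent: ProcessToken) -> ProcessToken:
    """Child processes inherit the same token unchanged."""
    return parent

def is_access_permitted(token: ProcessToken, resource_acl: Set[str],
                        capability_acls: Dict[str, Set[str]]) -> bool:
    """Claim 12: the package SID gains a capability SID via that capability's ACL; that capability SID is what the resource ACL grants."""
    return any(token.package_sid in capability_acls.get(cap, set()) for cap in resource_acl)

# Constructed sample data, not taken from the patent.
WEBCAM_CAP = derive_sid("capability:webcam")
PHOTO_APP = PackageIdentity("PhotoApp", "CN=ExampleCorp", "x64", "1.2.0.0", "main")
CAPABILITY_ACLS = {WEBCAM_CAP: {derive_sid(PHOTO_APP.family_id())}}
WEBCAM_ACL = {WEBCAM_CAP}
```

A package from the same publisher but with a different name gets a different family identifier, and so a different SID, and is denied even though its publisher is identical.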
Specification