Enabling resource access for secure application containers

US 9,747,438 B2
Filed: 11/02/2015
Issued: 08/29/2017
Est. Priority Date: 11/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by a processor, a tracing wrapper for an application to be executed by the processor, the tracing wrapper to track an event associated with an interaction of the application with one or more system resources;

executing, by the processor, an instance of the application using an application account having access to the one or more system resources;

determining, by the processor, a first system resource of the one or more system resources used by the application in view of the tracing wrapper;

copying, by the processor, the application to a secure container to be executed by the processor using a container account associated with the secure container, the secure container is isolated from access to the one or more system resources; and

providing, by the processor, the container account with access to the first system resource of the one or more system resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the disclosure enable resource access for secure application containers. In accordance with one embodiment, a method is provided that comprises identifying a tracing wrapper for an application to be executed by a process. The tracing wrapper to track an event associated with an interaction of the application with one or more system resources. An instance of the application is executed by the process using an application account having access to the system resources. A first system resource of the system resources is determined to be used by the application in view of the tracing wrapper. The application is then copied to a secure container to be executed by the process using a container account of the secure container. The secure container is isolated from access to the one or more system resources. Thereupon, the container account is provided access to the first system resource.

Citations

20 Claims

1. A method comprising:
- identifying, by a processor, a tracing wrapper for an application to be executed by the processor, the tracing wrapper to track an event associated with an interaction of the application with one or more system resources;
  
  executing, by the processor, an instance of the application using an application account having access to the one or more system resources;
  
  determining, by the processor, a first system resource of the one or more system resources used by the application in view of the tracing wrapper;
  
  copying, by the processor, the application to a secure container to be executed by the processor using a container account associated with the secure container, the secure container is isolated from access to the one or more system resources; and
  
  providing, by the processor, the container account with access to the first system resource of the one or more system resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein identifying the tracing wrapper further comprises initiating for the application.
  - 3. The method of claim 2, further comprising tracking output data associated with the system tracing to identify system events corresponding to operations executed by the application.
  - 4. The method of claim 3, further comprising searching the output data for the event associated with the interaction of the application with the one or more system resources.
  - 5. The method of claim 4, further comprising identifying a file operation associated the application in view of the searching.
  - 6. The method of claim 1, further comprising determining a permission to be associated with the first system resource in view of the tracing wrapper.
  - 7. The method of claim 6, further comprising modifying the permission with regard to the container account associated with the secure container.

8. A system comprising:
- a memory to store a secure container; and
  
  a processor, operatively coupled to the memory, to;
  
  identify a tracing wrapper for an application to be executed by the processor, the tracing wrapper to track an event associated with an interaction of the application with one or more system resources;
  
  execute an instance of the application using an application account having access to the one or more system resources;
  
  determine a first system resource of the one or more system resources used by the application in view of the tracing wrapper;
  
  copy the application to the secure container to be executed by the processor using a container account associated with the secure container, the secure container is isolated from access to the one or more system resources; and
  
  provide the container account with access to the first system resource of the one or more system resources.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein to identify the tracing wrapper, the processor is further to initiate system tracing for the application.
  - 10. The system of claim 9, wherein the processor is further to track output data associated with the system tracing to identify system events corresponding to operations executed by the application.
  - 11. The system of claim 10, wherein the processor is further to search the output data for the event associated the interaction of the application with the one or more system resources.
  - 12. The system of claim 11, wherein the processor is further to identify a file operation associated the application in view of the searching.
  - 13. The system of claim 8, wherein the processor is further to determine a permission to be associated with the first system resource in view of the tracing wrapper.
  - 14. The system of claim 13, wherein the processor is further to modify the permission with regard to the container account associated with the secure container.

15. A non-transitory computer-readable storage medium comprising executable instructions that when executed, by a processor, cause the processor to:
- identify, by the processor, a tracing wrapper for an application to be executed by the processor, the tracing wrapper to track an event associated with an interaction of the application with one or more system resources;
  
  execute an instance of the application using an application account having access to the one or more system resources;
  
  determine a first system resource of the one or more system resources used by the application in view of the tracing wrapper;
  
  copy the application to a secure container to be executed by the processor using a container account associated with the secure container, the secure container is isolated from access to the one or more system resources; and
  
  provide the container account access to the first system resource of the one or more system resources.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, wherein to identify the tracing wrapper, the executable instructions further cause the processor to initiate system tracing for the application.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the executable instructions further cause the processor to track output data associated with the system tracing to identify system events corresponding to operations executed by the application.
  - 18. The non-transitory computer-readable storage medium of claim 17, wherein the executable instructions further cause the processor to search the output data for the event associated the interaction of the application with the one or more system resources.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the executable instructions further cause the processor to identify a file operation associated the application in view of the searching.
  - 20. The non-transitory computer-readable storage medium of claim 15, wherein the executable instructions further cause the processor to determine a permission to be associated with the first system resource in view of the tracing wrapper.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fojtik, Michal, Parees, Benjamin Michael
Primary Examiner(s)
Song, Hosuk

Application Number

US14/930,358
Publication Number

US 20170124320A1
Time in Patent Office

666 Days
Field of Search

726 22- 23, 726 26- 27, 713193
US Class Current
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/629 to features or functions of...

Enabling resource access for secure application containers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling resource access for secure application containers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links