Domain-based isolation and access control on dynamic objects

摘要

A technique for performing domain-based access control for granular isolation on a data processing system includes assigning, using the data processing system, one or more first domain tags to a dynamic object that is created by a first process that is executing on the data processing system. The technique also includes assigning, using the data processing system, one or more second domain tags to a second process that is executing on the data processing system. The first and second domain tags are evaluated, using the data processing system, according to one or more enforced rules to determine whether to grant or deny the second process access to data associated with the dynamic object.

主权项

1. A method of performing domain-based access control for granular isolation on a data processing system, comprising:
assigning, using the data processing system, one or more first domain tags to a dynamic object that is created by a first process that is executing on the data processing system; assigning, using the data processing system, one or more second domain tags to a second process that is executing on the data processing system; and evaluating, using the data processing system, the first and second domain tags according to one or more enforced rules to determine whether to grant or deny the second process access to data associated with the dynamic object, wherein the one or more enforced rules include a first rule that specifies that a domain set of the dynamic object is required to be a subset of a domain set of the second process, a second rule that specifies that the domain set of the dynamic object is required to share one or more common domains with the domain set of the second process, and a third rule that specifies a denial domain set that takes precedence over the first and second rules when the domain set of the second process includes a domain in the denial domain set.