Title of invention: Methods for restricting resources used by an application based on a base profile and an application specific profile
Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.
Publication number: US9361454(B2) Publication date: 2016.06.07
Application number: US201414292712 Filing date: 2014.05.30
Applicant: Apple Inc. Inventors: Martel Pierre-Olivier J.;Yancey Kelly B.;Hagy Richard L.
Classification: G06F17/00;H04L29/06;G06F21/53 Main classification: G06F17/00
Agency: Blakely, Sokoloff, Taylor Zafman LLP Agent: Blakely, Sokoloff, Taylor Zafman LLP
Main claim: 1. A computer-implemented method, comprising: in response to a request for launching an application within an operating system of a data processing system, extracting one or more extended entitlements from the application, the one or more extended entitlements specifying one or more extended resources the application is entitled to access; dynamically generating one or more security profile extensions corresponding to the one or more extended entitlements; creating a security profile specifically for the application based on the one or more security profile extensions and a base security profile that has been previously compiled, wherein the base security profile specifies a list of a plurality of base resources, wherein the one or more extended resources and the base resources are provided within the data processing system and specified by the profile extensions and the base security profile respectively; and launching the application in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.
Address: Cupertino CA US