SYSTEM CALL POLICIES FOR CONTAINERS


Detailed description

Bibliographic details
Main authors: CHRIS I DALTON, SIANI PEARSON, LEON FRANK EHRENHART, DENNIS HEINZE, D'ERRICO MICHELA, MICHAEL JOHN WRAY
Format: Patent
Language: Chinese; English
Online access: order full text
Description
Abstract: Examples relate to system call policies for containers. In an example, a method includes receiving, by a container platform, a container for running an application. The container has a metadata record that specifies an application type of the application. The container platform receives a data structure that specifies a set of system call policies for a set of application types and queries the data structure to determine which policy of the set of system call policies to apply to the container, based on the application type in the metadata record. A kernel implements the policy for the container to allow or deny permission for a system call by the application running in the container, based on a comparison of the system call to the policy.
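The abstract describes three moving parts: a container whose metadata names an application type, a data structure mapping application types to system call policies, and a kernel check that compares each attempted system call against the selected policy. The following is an added illustration of that flow, not code from the patent or from any product of its authors. The application types, the syscall sets in the policy table, the metadata field name `application_type`, and the export to a Docker/OCI-style seccomp profile are all assumptions made for the example; the abstract does not name the kernel mechanism. The example also covers the failure mode the abstract leaves open, a container whose type is missing or not in the table, by falling back to a restrictive default rather than to an unrestricted container.

```python
"""Added example: select a system call policy for a container from its
application type and simulate the kernel's allow/deny decision.

Illustrative code only. Policy contents, the metadata field name and the
seccomp export format are assumptions, not taken from the patent.
"""
import json
from dataclasses import dataclass

ALLOW = "allow"
DENY = "deny"


@dataclass(frozen=True)
class SyscallPolicy:
    """A per-application-type policy: explicit allow/deny sets plus a default."""
    name: str
    default_action: str
    allowed: frozenset
    denied: frozenset

    def decide(self, syscall: str) -> str:
        # Explicit denials take precedence so a broad allow set cannot
        # quietly re-enable a syscall the policy author blocked.
        if syscall in self.denied:
            return DENY
        if syscall in self.allowed:
            return ALLOW
        return self.default_action


# Constructed policy table keyed by application type (assumed types and syscall sets).
POLICY_TABLE = {
    "web-server": SyscallPolicy(
        name="web-server",
        default_action=DENY,
        allowed=frozenset({"read", "write", "openat", "socket", "bind", "listen",
                           "accept4", "epoll_wait", "mmap", "brk", "exit_group"}),
        denied=frozenset({"ptrace", "mount", "reboot", "init_module"}),
    ),
    "batch-job": SyscallPolicy(
        name="batch-job",
        default_action=DENY,
        allowed=frozenset({"read", "write", "openat", "mmap", "brk", "clone",
                           "execve", "wait4", "exit_group"}),
        denied=frozenset({"socket", "ptrace", "mount", "init_module"}),
    ),
    # Fallback for containers whose type is missing or unknown: fail closed.
    "default": SyscallPolicy(
        name="default",
        default_action=DENY,
        allowed=frozenset({"read", "write", "exit_group"}),
        denied=frozenset(),
    ),
}


def select_policy(metadata: dict, table: dict) -> SyscallPolicy:
    """Look up the policy for the application type in the container's metadata.

    A missing or unknown type maps to the restrictive "default" entry, never
    to "no policy".
    """
    app_type = metadata.get("application_type")
    return table.get(app_type, table["default"])


def enforce(policy: SyscallPolicy, trace):
    """Simulate the kernel check: map each attempted syscall to allow/deny."""
    return [(syscall, policy.decide(syscall)) for syscall in trace]


def to_seccomp_profile(policy: SyscallPolicy) -> dict:
    """Export the policy in the shape of a Docker/OCI seccomp profile (assumed mapping).

    Denied names are removed from the allow rule so no syscall appears in both.
    """
    default = "SCMP_ACT_ALLOW" if policy.default_action == ALLOW else "SCMP_ACT_ERRNO"
    return {
        "defaultAction": default,
        "syscalls": [
            {"names": sorted(policy.allowed - policy.denied), "action": "SCMP_ACT_ALLOW"},
            {"names": sorted(policy.denied), "action": "SCMP_ACT_ERRNO"},
        ],
    }


if __name__ == "__main__":
    # Constructed container metadata record.
    container = {"name": "frontend", "application_type": "web-server"}
    policy = select_policy(container, POLICY_TABLE)
    for syscall, verdict in enforce(policy, ["socket", "accept4", "ptrace", "mount", "clone"]):
        print(f"{policy.name}: {syscall} -> {verdict}")
    print(json.dumps(to_seccomp_profile(policy), indent=2))
```

The design choice worth noting is the default-deny posture at two levels: each policy denies anything not explicitly allowed, and the lookup itself denies by falling back to the most restrictive entry when the metadata does not match a known type. With a permissive fallback, a mislabelled or unlabelled container would silently escape the policy scheme entirely.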