In an environment in which a plurality of information processing apparatuses are connected to one another by a network, an access request can be executed between different OS (Operating Systems) via NFS (Network File System) or Samba.
The “access request” herein means that “a subject (a process or a thread) that is an access main body accesses an object (a file, a directory, a heap, a stack, a semaphore, a FIFO (First-In First-Out), a message, or a computer resource such as a shared memory or a socket)”.
For example, in the above-stated environment, if Windows® is installed on one information processing apparatus and Linux is installed on another information processing apparatus, a process on Windows® can access a file on Linux via Samba.
Furthermore, even if only one information processing apparatus is present, an access request can be executed between a guest OS and a host OS by constructing a virtual machine environment in the apparatus.
For example, in a UML (User-Mode Linux) environment, a process executed on the UML can access a file on the host Linux via the Host Filesystem.
However, if a subject on a requester OS uses such an access request between different OS to make an illegal access to a resource on a request destination OS, the request destination OS may malfunction.
In the UML environment, for example, if a process operating on the UML illegally tampers with a system file on the host Linux, the host Linux may malfunction.
To solve such a problem, it is necessary to provide an access right checking system that can verify whether an access request from a subject on the requester OS to an object on the request destination OS is legal. In particular, there is a growing demand for an access right checking system that satisfies the following three requirements.
As a first requirement, the access right checking system is required to be able to conduct an access right check according to the type of right held by the subject operating on the requester OS.
For example, the following is required of the access right checking system. The right of a process executed on the requester OS can be set, by the authority of a system administrator, so that the process is able to write data to many files on the request destination OS. In addition, the right of the process executed on the request destination OS can be set, by the authority of an ordinary user, so that only reading of a few files is approved.
A second requirement is as follows. As a security measure, an access right checking system is often already installed in the request destination OS. It is therefore required that access requests from the requester OS can be handled merely by modifying this existing access right checking system, that is, by making use of it rather than replacing it.
A third requirement is as follows. An access right checking system that can conduct access right checks for all subjects on the requester OS is required.
It is necessary to conduct an access right check in response to every access request from a subject on the requester OS to an object on the request destination OS.
In a conventional access right checking system of this type, to prohibit an illegal access to an object from a subject within one OS, when the subject accesses the object, it is verified whether the access is valid based on an access policy prepared in advance in the OS; only an approved access is executed, and a disapproved access is not executed, as disclosed in, for example, Patent Document 1 and Non-Patent Document 1.
This access right checking system satisfies the third requirement stated above.
Moreover, in the conventional access right checking system of this type, to prohibit an illegal access to an object from a subject across a plurality of OS, access right checking means 207 and an access policy are separately prepared in a communication unit of each OS. When an access occurs, the access right checking means 207 verifies, based on the access policy, whether the access from the subject on the requester OS to the object on the request destination OS is valid; only an approved access is executed, and a disapproved access is not executed, as disclosed in, for example, Patent Document 2.
This access right checking system satisfies the first and third requirements.
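The policy-based scheme described for the conventional systems above (an access policy prepared in advance, consulted at the moment of access, with only approved accesses executed) can be made concrete as a small deny-by-default reference monitor. The following is an illustrative example added to this page; it is not code from the cited documents or from any of the systems named. The OS name "uml-guest", the roles "admin" and "user", the `/export` paths and the policy rules are constructed for the example, and they mirror the first requirement: a subject holding administrator rights may write many files, an ordinary user may read only a few.

```python
"""Deny-by-default access policy check between a requester OS and a request
destination OS.  Illustrative example added to this page, not code from the
cited documents.  OS names, roles, paths and rules are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from posixpath import normpath
from typing import Callable, Iterable, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class AccessRequest:
    requester_os: str    # OS the subject runs on, e.g. "uml-guest" (constructed)
    subject_role: str    # type of right held by the subject: "admin" or "user"
    object_path: str     # object on the request destination OS
    operation: str       # "read", "write" or "exec"


@dataclass(frozen=True)
class PolicyRule:
    requester_os: str
    subject_role: str
    object_glob: str      # fnmatch pattern; note that '*' also matches '/'
    operations: frozenset


# Constructed policy: a subject with system-administrator rights on the guest
# may read and write anything under /export; an ordinary user may only read
# two named files.  Nothing else is approved.
POLICY = (
    PolicyRule("uml-guest", "admin", "/export/*", frozenset({"read", "write"})),
    PolicyRule("uml-guest", "user", "/export/public/readme.txt", frozenset({"read"})),
    PolicyRule("uml-guest", "user", "/export/public/notice.txt", frozenset({"read"})),
)


def canonical_path(path: str):
    """Return the normalised absolute path, or None if it cannot be trusted.

    Collapsing '..' before matching prevents '/export/../etc/passwd' from
    being approved by a rule written for /export.
    """
    if not path.startswith("/"):
        return None
    return normpath(path)


def rule_matches(rule: PolicyRule, request: AccessRequest, path: str) -> bool:
    return (rule.requester_os == request.requester_os
            and rule.subject_role == request.subject_role
            and fnmatchcase(path, rule.object_glob)
            and request.operation in rule.operations)


def check_access(policy: Iterable[PolicyRule], request: AccessRequest) -> bool:
    """Approve the request only if some rule explicitly allows it."""
    path = canonical_path(request.object_path)
    if path is None:
        return False
    return any(rule_matches(rule, request, path) for rule in policy)


def mediate(policy: Iterable[PolicyRule], request: AccessRequest,
            perform: Callable[[], T]) -> T:
    """Execute the access only when approved; a disapproved access is not
    executed at all and is reported to the caller."""
    if not check_access(policy, request):
        raise PermissionError(f"denied: {request}")
    return perform()


if __name__ == "__main__":
    req = AccessRequest("uml-guest", "user", "/export/public/readme.txt", "read")
    print(mediate(POLICY, req, lambda: "contents of readme.txt"))
```

The check is keyed on the requester OS as well as the subject's role, so the same object can be governed differently depending on which OS the request originates from, and a request that names an OS the policy does not know is denied rather than falling through to the destination OS's own checks.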
Furthermore, in the conventional access right checking system of this type, to prohibit an illegal access from a user on UML (User-mode Linux) to a file on the Host Filesystem in a Linux-oriented virtual machine environment, when the user on the UML is to access a file on the Host Filesystem, the permission of the access target file is checked; only an access that is consistent with the permission is executed, and an access that is not consistent with the permission is not executed, as disclosed in Non-Patent Document 2.
This access right checking system satisfies the second requirement.

Patent Document 1: JP-A-2002-149494
Patent Document 2: JP-A-2003-345654
Non-Patent Document 1: Security-Enhanced Linux, URL: http://nsa.gov/selinux/
Non-Patent Document 2: The User-mode Kernel HomePage, URL: http://user-mode-linux.sourceforge.net/
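The permission check described for the UML case (the access target file's permission is checked and only a consistent access is executed) is the classic POSIX owner/group/other decision. The following is an illustrative example added to this page; it is not code from User-mode Linux, its Host Filesystem, or the cited documents. It shows the exclusive class selection that such a check must get right (the owner is judged by the owner bits even when the group bits are more generous), the superuser override, and a guest-to-host id mapping table that is an assumption made for the example: without some such mapping, a guest subject's ids would be compared directly against host file ownership.

```python
"""Permission-bit check for a host file requested by a guest subject.
Illustrative example added to this page, not code from User-mode Linux or
the cited documents.  The uid/gid mapping table is an assumption."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileAttrs:
    mode: int   # st_mode: file type plus permission bits
    uid: int    # owner on the host
    gid: int    # group on the host


@dataclass(frozen=True)
class Credentials:
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups


# (owner, group, other) permission bits for each operation
PERM_BITS = {
    "read":  (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "exec":  (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def permission_allows(attrs: FileAttrs, creds: Credentials, operation: str) -> bool:
    """Classic POSIX check: exactly one class (owner, group or other) applies,
    and that class's bits decide.  The owner gets the owner bits even when
    the group or other bits would have been more generous."""
    owner_bit, group_bit, other_bit = PERM_BITS[operation]
    if creds.uid == 0:
        # Superuser override, modelled on CAP_DAC_OVERRIDE: read and write
        # always pass; exec of a regular file needs at least one x bit set.
        return operation != "exec" or bool(attrs.mode & 0o111)
    if creds.uid == attrs.uid:
        return bool(attrs.mode & owner_bit)
    if creds.gid == attrs.gid or attrs.gid in creds.groups:
        return bool(attrs.mode & group_bit)
    return bool(attrs.mode & other_bit)


# Constructed mapping from guest ids to host ids.  A guest id with no entry
# maps to the unprivileged "nobody" id so that, in particular, guest root
# does not become host root when the host-side check is performed.
NOBODY = 65534
UID_MAP = {0: 100000, 1000: 1000}
GID_MAP = {0: 100000, 100: 100}


def map_credentials(guest: Credentials) -> Credentials:
    """Translate a guest subject's ids into the ids the host compares against."""
    return Credentials(
        uid=UID_MAP.get(guest.uid, NOBODY),
        gid=GID_MAP.get(guest.gid, NOBODY),
        groups=frozenset(GID_MAP.get(g, NOBODY) for g in guest.groups),
    )


def host_access_allowed(attrs: FileAttrs, guest: Credentials, operation: str) -> bool:
    """Check a guest subject's requested access to a host file using the
    file's permission bits and the mapped (host-side) credentials."""
    return permission_allows(attrs, map_credentials(guest), operation)


if __name__ == "__main__":
    passwd = FileAttrs(0o100644, uid=0, gid=0)        # -rw-r--r-- root:root
    print(host_access_allowed(passwd, Credentials(0, 0), "read"))    # guest root may read
    print(host_access_allowed(passwd, Credentials(0, 0), "write"))   # but not write
```

Because the class selection is exclusive, a file such as `----rwx---` is unreadable by its own owner even though its group may read it; a checker that simply ORs the three classes together would approve accesses the permission does not grant.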