Modern computer systems perform a variety of processing and communication tasks. For example, computers execute application programs such as word processing programs, scheduling programs, design programs, etc. Computers are also used to connect to other computers in order to exchange information. For example, a computer may execute a program that enables the computer to access information stored on other computers. For example, in order to access the Internet, a computer may execute what is referred to as a “web browser” program. The web browser is an application program, similar to that described above, that enables the computer to navigate through the Internet.
When a computer starts an application program, the computer creates what is referred to as a “process” corresponding to the program. The process contains an instance of the application program and a number of attributes that associate the process to the computer user and to other elements associated with the process. For each instance of the program, another process is invoked. Multiple programs having corresponding processes may operate on a computer simultaneously. Furthermore, one application program may have multiple processes running at the same time.
Some processes, such as, for example but not limited to, a word processing program, may interact with files that are stored on the computer that is executing the process, and also may interact with other computers over a network. The network may be a local area network (LAN) or a wide area network (WAN). Such networks allow multiple computers to communicate with each other.
Typically, each process and each file includes a set of attributes, which may determine, for example, access control. For example, a process executing on a computer has a set of attributes assigned, which may determine whether it may access a particular file, which also includes a (generally) different set of attributes. Some of the attributes assigned to the file define the required set of attributes that a process must have in order to access the file. For example in the UNIX operating system, each file includes permission attributes, which specify the owner, group and world (everyone) access to the file. If the file attributes specify that a particular group has “read” and “write” access, but not “execute” access, a process possessing that group in its attribute set will only be able to read and write to the file, but not execute it.
When a process that is executing on a computer wishes to communicate with another computer over a network, the process typically sends and receives messages through a network interface card (NIC) associated with the computer. The NIC connects the computer to a network, to which the other computer is also attached through its own associated NIC.
In current computer systems, a process executing on a computer has access to and can use all the NICs on the computer. Unfortunately, there is no way to restrict access of a process executing on a computer to one or a set of NICs (and therefore the network to which the NIC is connected) and associated computers.
Therefore there is a need in the industry for a mechanism to assign certain attributes to a NIC and to processes executing on a computer, and a filter mechanism that can determine whether a process having a certain attribute may access a NIC in order to gain access to the network to which the computer and the NIC are connected.