There exists a need for restricting a process or process hierarchy to a subset of a host's file system(s) in an operating system environment where all file systems are simultaneously available to an application.
Inasmuch as administration of modern computer systems is complex and error prone, and since errors in the specification of the systems' access control can lead to unauthorized disclosure or modification of information residing on that system, additional limitations on the computer system processes providing access to the information can be useful in reducing the danger of such inappropriate disclosure or modification. In particular, much information residing on networked computer systems is stored on fixed or removable electronic media structured as file systems, which provide a method of accessing the information to software agents executing on the same system. The access method provided by a typical file system provides a conceptual view of the storage media as a hierarchy shaped like an inverted tree. Each node in the hierarchy is either a leaf node--typically called a file and containing arbitrary stored information--or an intermediate node--called a directory and logically containing zero or more other files or directories (FIG. 1). Individual nodes are addressed by naming the particular file system and each of the file system nodes that must be traversed to reach the desired node within the hierarchy, starting from the root file system node. The combination of the file system name and a sequence of nodes uniquely identifies a particular file system node, and can be expressed in human-readable form as a path name describing the order of traversal from the root through each intermediate node to the leaf or intermediate node being accessed (FIG. 2).
In an operating system environment where multiple discrete file systems may be available for simultaneous access by processes, it would be desirable and of considerable advantage to provide a restriction mechanism that limits the portion of each file system that is accessible to each process as this serves to restrict the collection of information to which a given process might potentially have access.
Certain computer operating systems (in particular UNIX and its derivatives) have provided a feature that restricts a process and its descendant processes to a small portion of the file system hierarchy. These operating systems view the combination of all physical and logical file systems as a single tree-structured hierarchy. Other file systems beyond the first are overlaid on an existing node, replacing and usually extending the tree downward from that point. Some operating systems, however--exemplified by Microsoft Windows NT--provide simultaneous access to any number of file systems. While each of these file systems is itself considered a tree-structured hierarchy, user processes view each file system as a discrete, independently addressable collection of files (see FIG. 3).
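As an added illustration (not part of the patent text), the following Python sketch shows the decision such a restriction mechanism must make in a multi-file-system environment: each file system is addressed by its own name (modelled here as a Windows-style drive letter, an assumption), and a per-process table maps each file system to the single sub-tree the process may traverse; a file system absent from the table is unreachable in its entirety.

```python
# Added illustration (not from the patent): per-file-system restriction check
# for an environment where each file system is a discrete, independently
# addressed tree rather than an overlay on a single root.
from typing import Optional

# Constructed policy for one process: confined to C:\Users\alice and to all
# of E:. The value "\\" means the whole tree of that file system is reachable.
# D: and every other file system are missing from the table, hence denied.
SAMPLE_POLICY = {"C:": "\\Users\\alice", "E:": "\\"}

def split_drive(path: str) -> tuple[Optional[str], str]:
    """Return (file system name, path within it); name is None if absent."""
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return path[0].upper() + ":", path[2:]
    return None, path

def normalize(rel: str) -> list[str]:
    """Resolve the traversal sequence described above: drop '.' and empty
    components, apply '..' as 'step to the parent', and never step above the
    file system root, which has no parent node."""
    nodes: list[str] = []
    for part in rel.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            if nodes:
                nodes.pop()
            continue
        nodes.append(part.lower())  # NT-style case-insensitive node names
    return nodes

def is_allowed(policy: dict[str, str], path: str) -> bool:
    """True only if `path` lies inside the permitted sub-tree of its own
    file system. A path that names no file system is rejected here, since
    the process's current directory is not part of this decision."""
    fs, rel = split_drive(path)
    if fs is None or fs not in policy:
        return False
    wanted = normalize(rel)
    root = normalize(policy[fs])
    # Prefix comparison on the resolved node sequence, not on the raw string,
    # so "..", mixed separators and letter case cannot widen the sub-tree.
    return wanted[:len(root)] == root
```

The decision is shown in user-space Python only for clarity; the mechanism the text calls for has to make it beneath the restricted process, on the canonicalized node sequence, so that the process cannot reach the comparison's inputs itself.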
It will be apparent from the foregoing that there is still a need for a method and apparatus for restricting a process or process hierarchy from the rest of a host's file system(s) in an environment where all file systems are simultaneously available to an application.