Patents by Inventor Vidya Ranganathan

Vidya Ranganathan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20130046720
    Abstract: According to one aspect of the present disclosure, a method and technique for domain based user mapping of objects is disclosed. The method includes: responsive to determining that an operation is being attempted on an object identified with an object identifier, determining a domain identifier associated with a user attempting the operation; determining whether the operation can proceed on the object based on domain isolation rules, the domain isolation rules indicating rules for allowing or disallowing operations to proceed on objects based on object identifiers and domain identifiers; responsive to determining that the operation on the object can proceed based on the domain isolation rules, accessing user mapping rules that map specified users allowed to perform a specified operation to a specified object; and determining whether the operation can proceed on the object by the user based on the user mapping rules.
    Type: Application
    Filed: August 17, 2011
    Publication date: February 21, 2013
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Natarajan Chellappan, Madhusudanan Kandasamy, Vidya Ranganathan, Lakshmanan Velusamy
  • Publication number: 20120288096
    Abstract: Provided are techniques for the fast and reliable distribution of security keys within a cluster of computing devices, or computers. One embodiment provides a method for secure distribution of encryption keys, comprising generating a symmetric key for the encryption of communication among a plurality of nodes of a cluster of nodes; encrypting the symmetric key with a plurality of public keys, each public key corresponding to a particular node of the plurality of nodes, to generate a plurality of encrypted symmetric keys; storing the plurality of encrypted symmetric keys in a central repository; and distributing the encrypted symmetric keys to the nodes such that each particular node receives an encrypted symmetric key corresponding to a corresponding public key of the particular node.
    Type: Application
    Filed: July 24, 2012
    Publication date: November 15, 2012
    Applicant: International Business Machines Corporation
    Inventors: Jes Kiran Chittigala, Ravi A. Shankar, Vidya Ranganathan
  • Publication number: 20120272051
    Abstract: Provided are techniques for the fast and reliable distribution of security keys within a cluster of computing devices, or computers. One embodiment provides a method for secure distribution of encryption keys, comprising generating a symmetric key for the encryption of communication among a plurality of nodes of a cluster of nodes; encrypting the symmetric key with a plurality of public keys, each public key corresponding to a particular node of the plurality of nodes, to generate a plurality of encrypted symmetric keys; storing the plurality of encrypted symmetric keys in a central repository; and distributing the encrypted symmetric keys to the nodes such that each particular node receives an encrypted symmetric key corresponding to a corresponding public key of the particular node.
    Type: Application
    Filed: April 22, 2011
    Publication date: October 25, 2012
    Applicant: International Business Machines Corporation
    Inventors: Jes Kiran Chittigala, Ravi A. Shankar, Vidya Ranganathan
  • Patent number: 8255431
    Abstract: Methods, systems, and products for managing memory. In one general embodiment, the method includes assigning an isolated virtual heap in a global kernel heap of a global operating system environment to each of a plurality of isolated virtual operating system environments operating in a global operating system environment; and in response to an invocation of kernel heap memory allocation from one of the isolated virtual operating system environments, dynamically allocating memory to the invoking isolated virtual operating system environment from the virtual kernel heap assigned to the invoking isolated virtual operating system environment. The method may also include running the plurality of isolated virtual operating system environments in the global operating system environment. The plurality of isolated virtual operating system environments may share a single common kernel. The isolated virtual operating system environments may run under the same operating system image.
    Type: Grant
    Filed: November 23, 2009
    Date of Patent: August 28, 2012
    Assignee: International Business Machines Corporation
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan, Murali Vaddagiri
  • Patent number: 8250552
    Abstract: A method and system for reducing processing overhead during execution of a code block in a high efficiency compilation framework. The method identifies second code blocks within the code block and separates them out from the first code block during compilation. Further, during compilation, the system converts the second code blocks to kernel program modules, in a form recognizable by the system kernel. The compilation is followed by execution of the first code block, with the compiled object code of the first code block being executed in user mode and the kernel program modules being executed in kernel mode.
    Type: Grant
    Filed: November 17, 2008
    Date of Patent: August 21, 2012
    Assignee: International Business Machines Corporation
    Inventors: Madhusudanan Kandasamy, Manish Gupta, Vidya Ranganathan, Dibyendu Das
  • Publication number: 20120198424
    Abstract: Methods for providing programming support to a debugger are disclosed. The method includes defining at least one debugger programming statement, and instructing the debugger to execute the at least one debugger programming statement which modifies at least a portion of the computer program during execution of the computer program without recompiling the computer program. The debugger may be instructed to execute the at least one debugger programming statement at a specified position of the computer program. The at least one debugger programming statement may include a delete instruction that instructs the debugger to prevent one or more programming statements at a specified position in the computer program from being executed. The debugger may be instructed to execute the at least one debugger programming statement instead of one or more programming statements at a specified position in the computer program without recompiling the computer program.
    Type: Application
    Filed: March 27, 2012
    Publication date: August 2, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan
  • Publication number: 20120185661
    Abstract: Domains can also be used to control access to physical memory space. Data in a physical memory space that has been used by a process sometimes endures after the process stops using the physical memory space (e.g., the process terminates). In addition, a virtual memory manager may allow processes of different applications to access a same memory space. To prevent exposure of sensitive/confidential data, physical memory spaces can be designated for a specific domain or domains when the physical memory spaces are allocated.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120185581
    Abstract: When an operating system process evaluates a rule for an operation being attempted on a logical network port, the operating system process determines whether the target logical port falls within a range of logical ports, and then determines whether the operation is associated with a permitted domain of the range of logical ports. If the operation is a bind operation, then the process attempting to bind to the target port will be allowed to bind if the target port falls within the range and the operation/process is associated with a permitted domain. Otherwise, the binding operation will not be allowed to proceed.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120185510
    Abstract: Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyam Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120185930
    Abstract: Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied.
    Type: Application
    Filed: January 14, 2011
    Publication date: July 19, 2012
    Applicant: International Business Machines Corporation
    Inventors: Saurabh Desai, George Mathew Koikara, Pruthvi Panyan Nataraj, Guha Prasad Venkataraman, Vidya Ranganathan
  • Publication number: 20120144235
    Abstract: Reducing application downtime during failover including identifying a critical line in the startup of an application, the critical line comprising the point in the startup of the application in which the application begins to use dependent resources; checkpointing the application at the critical line of startup; identifying a failure in the application; and restarting the application from the checkpointed application at the critical line.
    Type: Application
    Filed: December 7, 2010
    Publication date: June 7, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Manohar R. Bodke, Ravikiran Moningi, Ravi A. Shankar, Vidya Ranganathan
  • Publication number: 20120144138
    Abstract: Methods, apparatuses, and computer program products are provided for locking access to data storage shared by a plurality of compute nodes. Embodiments include maintaining, by a compute node, a queue of requests from requesting compute nodes of the plurality of compute nodes for access to the data storage, wherein possession of the queue represents possession of a mutual-exclusion lock on the data storage, the mutual-exclusion lock indicating exclusive permission for access to the data storage; and conveying, based on the order of requests in the queue, possession of the queue from the compute node to a next requesting compute node when the compute node no longer requires exclusive access to the data storage.
    Type: Application
    Filed: December 2, 2010
    Publication date: June 7, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan, Murali Vaddagiri
  • Patent number: 8136147
    Abstract: A computer implemented method, apparatus, and computer program product for managing privileges on a data processing system. The process initiates a privilege monitor. All other entities in the data processing system are prevented from assigning privileges. The privilege monitor is the only entity authorized to assign privileges. The process monitors for requests for privileges. In response to detecting a request from a user for a privilege, the process selectively assigns the privilege to the user through the privilege monitor.
    Type: Grant
    Filed: April 16, 2007
    Date of Patent: March 13, 2012
    Assignee: International Business Machines Corporation
    Inventors: George Mathew Koikara, Vidya Ranganathan
  • Publication number: 20110125799
    Abstract: Methods, systems, and products for governing access to objects on a filesystem. In one general embodiment, the method includes providing a framework in an operating system environment for support of a plurality of access control list (ACL) types, thereby enabling governing of access to objects on a filesystem according to an associated definition of an ACL type; and accepting definitions of ACL types. The associated definition may comprise a kernel extension.
    Type: Application
    Filed: November 25, 2009
    Publication date: May 26, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan, Murali Vaddagiri
  • Publication number: 20110126176
    Abstract: Method, system, and computer program product for providing programming support to a debugger are disclosed. The method includes defining at least one debugger programming statement, and instructing the debugger to execute the at least one debugger programming statement which modifies at least a portion of the computer program during execution of the computer program without recompiling the computer program. The debugger may be instructed to execute the at least one debugger programming statement at a specified position of the computer program. The at least one debugger programming statement may include a delete instruction that instructs the debugger to prevent one or more programming statements at a specified position in the computer program from being executed. The debugger may be instructed to execute the at least one debugger programming statement instead of one or more programming statements at a specified position in the computer program without recompiling the computer program.
    Type: Application
    Filed: November 25, 2009
    Publication date: May 26, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan
  • Publication number: 20110125812
    Abstract: Methods, systems, and products for managing memory. In one general embodiment, the method includes assigning an isolated virtual heap in a global kernel heap of a global operating system environment to each of a plurality of isolated virtual operating system environments operating in a global operating system environment; and in response to an invocation of kernel heap memory allocation from one of the isolated virtual operating system environments, dynamically allocating memory to the invoking isolated virtual operating system environment from the virtual kernel heap assigned to the invoking isolated virtual operating system environment. The method may also include running the plurality of isolated virtual operating system environments in the global operating system environment. The plurality of isolated virtual operating system environments may share a single common kernel. The isolated virtual operating system environments may run under the same operating system image.
    Type: Application
    Filed: November 23, 2009
    Publication date: May 26, 2011
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan, Murali Vaddagiri
  • Patent number: 7908476
    Abstract: A computer implemented method, apparatus, and computer program product for using a virtual file system to encrypt files. The process registers a plurality of file systems on a data processing system with the virtual file system. The virtual file system is enabled to encrypt files without intervention from any file system in the plurality of file systems. The virtual file system identifies whether a file on a given file system is an encrypted file using a map file associated with the given file system. In response to identifying the file as an encrypted file, the virtual file system encrypts all data written to the file in accordance with encryption specifications in the map file.
    Type: Grant
    Filed: January 10, 2007
    Date of Patent: March 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Madhusudanan Kandasamy, George Mathew Koikara, Pruthvi Panyam Nataraj, Vidya Ranganathan
  • Publication number: 20100125835
    Abstract: A method and system for reducing processing overhead during execution of a code block in a high efficiency compilation framework. The method identifies second code blocks within the code block and separates them out from the first code block during compilation. Further, during compilation, the system converts the second code blocks to kernel program modules, in a form recognizable by the system kernel. The compilation is followed by execution of the first code block, with the compiled object code of the first code block being executed in user mode and the kernel program modules being executed in kernel mode.
    Type: Application
    Filed: November 17, 2008
    Publication date: May 20, 2010
    Applicant: International Business Machines Corporation
    Inventors: Madhusudanan Kandasamy, Manish Gupta, Vidya Ranganathan, Dibyendu Das
  • Publication number: 20100106926
    Abstract: The present invention discloses a solution for second failure data capture problem determination using user selective memory protection to trace application failures. In the solution, one or more data structures can be selected by a user to be allocated a unique address space from a debug heap. The address space called a region can be assigned permissions for which executable code can access the contents. Permissions can include full access (e.g., read/write), read, and no access which can “lock” the region against specific types of access. The user can permit known trusted executable code to access allocated regions. Untrusted executable code attempting to access “locked” regions will result in an application failure event (e.g., segmentation fault). The failure can be used to determine the point of memory corruption through inspection of the stack trace.
    Type: Application
    Filed: October 25, 2008
    Publication date: April 29, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan
  • Publication number: 20080289036
    Abstract: Computer implemented method, system and computer usable program code for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model. A computer implemented method for providing time-based control of user access in a data processing system utilizing a Role-Based Access Control model includes providing at least one timing attribute for a role, wherein each at least one timing attribute specifies a timing condition by which a user is enabled to use the role. The user is enabled to use the role pursuant to satisfying the at least one timing attribute.
    Type: Application
    Filed: May 19, 2007
    Publication date: November 20, 2008
    Inventors: Madhusudanan Kandasamy, Vidya Ranganathan, Ravi A. Shankar