Abstract: Terminating a process executing within a container is described. An access restriction applicable to the process is temporarily modified with a policy change that prevents creating new processes within the container. The policy change prevents operations that would allow processes within the container from performing a fork operation, or otherwise spawning new processes within the container. The policy change may be, for example, applied by means of a rule added or removed from an access restriction policy. While the processes are prevented from creating new processes, one specified process or all processes within the container are terminated. After termination of the process(es), the policy change can be reversed, allowing normal use of the container.

Abstract: A method of creating and managing virtual servers utilizes separate master copies of information such as operating systems, configuration files, and application programs. When a virtual server is created, it loads an appropriate operating system and configuration information. During the boot process, the virtual server is configured to provide a predetermined service. Appropriate application programs are subsequently loaded to support the service configuration. Multiple virtual servers can be created and configured using the master copies of information, thus reducing the amount of customization required by each virtual server. Virtual servers can be easily restarted from failures with minimal loss of data.

Abstract: Application of a local instance of a general security policy is described. In a system with an instance of a program executing in a path container, a security policy applicable the the instance of the program is managed locally for the path container. The path container provides a confined execution environment for the program instance, and the security policy defines permitted operations for the program an all its instances. The instance of the security policy is associated with the path container, which allows the program instance to “see” management within the path container as though with the security policy, while entities having permissions outside the path container “see” the program instance limited to the path container and its associated security policy instance.

Abstract: A system is provided for detecting unsolicited bulk email (spam). A list server receives email from various senders as well as queries regarding the senders. A database is used for storing information corresponding to the amount of unsolicited bulk email received at the spamtrap addresses. The list server dynamically makes a determination as to which senders are transmitting a disproportionate amount of email and should be labeled as spammers. The determinations made by the list server are based on the amount of unsolicited bulk email received from senders relative to the total amount of email transmitted by senders.

Abstract: A method and system for binding interrupts to central processing units (CPUs). An interrupt controller receives an interrupt that is generated by a device coupled to the computer system. The interrupt controller identifies a preferred CPU associated with the device based on a predetermined binding. If the preferred CPU is currently available, the interrupt is sent to the preferred CPU. If the preferred CPU is not currently available, the interrupt is sent to another CPU in the computer system that is currently available.

Abstract: Preventing a process from traversing back a directory tree through its parent directories is described. In a system with a program executing in a path container, an access permission rule applicable to the instance of the program prevents the program from traversing the tree structure back through its parent directories towards an absolute root directory. The access permission rule may be a rule in an instance of a security policy applicable to the particular path container from which the process is executing.

Abstract: A method and system to handle an asynchronous page fault in a virtual machine system. A computer hosts a virtual machine that includes a virtual central processing unit (CPU). The virtual CPU requests access to a page that is not resident in memory. The host operating system of the computer receives an indication of a page fault, and informs the virtual CPU of the page fault. The host operating system provides an identifier associated with the page fault. The host operating system performs page swapping operating in parallel with a new task rescheduled by the virtual CPU, and sends a wake-up signal to the virtual CPU when the page has been brought back into the memory.

Abstract: A method and system for binding interrupts to central processing units (CPUs). An interrupt controller receives an interrupt that is generated by a device coupled to the computer system. The interrupt controller identifies a preferred CPU associated with the device based on a predetermined binding. If the preferred CPU is currently available, the interrupt is sent to the preferred CPU. If the preferred CPU is not currently available, the interrupt is sent to another CPU in the computer system that is currently available.

Abstract: A method and system to handle an asynchronous page fault in a virtual machine system. A computer hosts a virtual machine that includes a virtual central processing unit (CPU). The virtual CPU requests access to a page that is not resident in memory. The host operating system of the computer receives an indication of a page fault, and informs the virtual CPU of the page fault. The host operating system provides an identifier associated with the page fault. The host operating system performs page swapping operating in parallel with a new task rescheduled by the virtual CPU, and sends a wake-up signal to the virtual CPU when the page has been brought back into the memory.

Abstract: An embodiment relates generally to a method of restoring data in storage systems. The method includes providing for a current snapshot of a primary storage system at a secondary storage system and mounting an empty volume in the primary storage system. The method also includes receiving a request for a selected block of data in the primary storage system and retrieving a restore block from the secondary storage system, where the restore block encompasses the selected block of data. The method further includes writing the restore block to the empty volume in the primary storage system as an incremental restore process.

Abstract: Application of a local instance of a general security policy is described. In a system with an instance of a program executing in a path container, a security policy applicable the the instance of the program is managed locally for the path container. The path container provides a confined execution environment for the program instance, and the security policy defines permitted operations for the program an all its instances. The instance of the security policy is associated with the path container, which allows the program instance to “see” management within the path container as though with the security policy, while entities having permissions outside the path container “see” the program instance limited to the path container and its associated security policy instance.

Abstract: Preventing a process from traversing back a directory tree through its parent directories is described. In a system with a program executing in a path container, an access permission rule applicable to the instance of the program prevents the program from traversing the tree structure back through its parent directories towards an absolute root directory. The access permission rule may be a rule in an instance of a security policy applicable to the particular path container from which the process is executing.

Abstract: Terminating a process executing within a container is described. An access restriction applicable to the process is temporarily modified with a policy change that prevents creating new processes within the container. The policy change prevents operations that would allow processes within the container from performing a fork operation, or otherwise spawning new processes within the container. The policy change may be, for example, applied by means of a rule added or removed from an access restriction policy. While the processes are prevented from creating new processes, one specified process or all processes within the container are terminated. After termination of the process(es), the policy change can be reversed, allowing normal use of the container.

Abstract: An embodiment relates generally to a method of restoring data in storage systems. The method includes providing for a current snapshot of a primary storage system at a secondary storage system and mounting an empty volume in the primary storage system. The method also includes receiving a request for a selected block of data in the primary storage system and retrieving a restore block from the secondary storage system, where the restore block encompasses the selected block of data. The method further includes writing the restore block to the empty volume in the primary storage system as an incremental restore process.