Abstract: When a process running in an isolated execution environment is started by a user, the credentials of the user are associated with a naming environment for the isolated execution environment. The isolated execution environment may be implemented via creation of a namespace representing resources available to one or more processes running within the isolated execution environment. The resources available to the isolated processes may represent some subset of global resources. When a request to access a named resource is received, the request is mediated by the operating system. Access, if provided, may be provided via the naming environment associated with the isolated execution environment. The operating system determines whether to grant or deny access to the resource by checking the credentials associated with the naming environment with the ACL of the resource.

Abstract: The resources needed by an application to execute are declared by the application. When the application is activated, only the declared resources are made available to the application because only the declared resources are connected to the execution environment. Accessibility to resources may be controlled by the operating system by making the resource visible or invisible to the executing software by mapping a local name used by the executing software to a global resource, possibly limiting the type of access allowed. Because the executing software relies on the mapping function performed by the operating system for access to resources, and the operating system only maps names declared by the software, the operating system can isolate the software, and prevent the application from accessing undeclared global resources.

Abstract: An intra-operating system isolation mechanism called a silo provides for the grouping of processes running on a single computer using a single instance of the operating system. The operating system divides the system into multiple side-by-side and/or nested environments enabling the partitioning and controlled sharing of resources and providing an isolated application environment in which applications can run. More specifically, a system environment may be divided into an infrastructure silo and one or more server silos. Each server silo is provided with its own copy of the device driver name space. Each device is associated with a system device object accessed via a system device functional interface and with a server silo-specific device object accessed via a control device interface. The infrastructure silo populates the silo-specific device name space with the control device interface. The server silo uses the control device interface to create new device object(s) as needed.

Abstract: An intra-operating system isolation mechanism called a silo provides for the grouping and isolation of processes running on a single computer using a single instance of the operating system. The operating system enables the controlled sharing of resources by providing a view of a system name space to processes executing within an isolated application called a server silo. A server silo is created by performing a separate “mini-boot” of user-level services within the server silo. The single OS image serving the computer employs the mechanism of name space containment to constrain which server silos can use which resource(s). Restricting access to resources is therefore directly based on the process or application placed in the server silo rather than who is running the application because if a process or application is unable to resolve a name used to access a resource, it will be unable to use the resource.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested isolated environments enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system environment is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces via virtual hierarchies. A set of declarative rules specifying access capabilities may specify a set of filter drivers to be used to limit access to nodes in the hierarchical name space. The rules may be applied in sequence to construct a new name space from an existing one, or to add to an existing hierarchy. Filter drivers are used to limit access to nodes in the new name space or new portion of the name space. Access to nodes can be limited (read-only access instead of read/write) or nodes can be hidden altogether. Rules may be specified in a declarative language such as XML.

Abstract: A containment mechanism provides for the grouping and isolation of multiple processes running on a single computer using a single instance of the operating system. A system is divided into one or more side-by-side and/or nested spaces enabling the partitioning and controlled sharing of resources by creating different views of hierarchical name spaces by creating a new branch of an existing global system name space or by linking the sub-root level nodes of a new hierarchy to a subset of nodes in an existing global system name space.

Abstract: An operating system architecture is based on a service model in which active entities (services) are containers for objects having a number of interfaces specified through a contract language that is a subset of the language in which the service is coded. Services may reside in the same address space or may reside in separate address spaces, without changing the programming model or compiled binaries. The location of a service is independent of the location of the service's clients and of services the service calls.

Abstract: Reference counting is shared between an in-process service runtime and a machine-wide service. The machine-wide service maintains a count for the total number of references to an object or resource (the global reference count), a count for the number of exports of a object (the global export count) and a count of the number of exports that must be received by the machine-wide service before a revoke can occur (the exports before revoke count). When a process exports an object or resource, the machine-wide service increments the global export count for the object or resource and increments the global reference count for the object or resource. The machine-wide service increments the global reference count for a passed reference but does not increment the global reference count. The machine-wide service decrements the global reference count in response to receiving an unreferenced message.

Abstract: An agent, service or process may request an operation by invoking an object that is implemented by another agent, service or process. Object invocation may be carried out by one thread in a service which may include multiple executing threads. After initiating the operation, the requesting agent may detect one or more conditions that make it advisable to cancel the requested operation. In a mechanism for implementing a cancellation operation in a cooperative system, a thread identifies an operation to be cancelled. A cancel function has an argument comprising the thread identifier in which the operation is to be cancelled. The cancel function is called by a client process thread to cancel a pending object invocation initiated by the client process. An immediate or hard cancel causes the targeted client and cancel thread to return immediately. A discretionary or soft cancel does not affect the targeted client thread. In either case the server process is notified via a maintenance notification.

Abstract: A system and method are disclosed that provides transparent, global access to devices on a computer cluster. The present system generates unique device type (dev.sub.-- t) values for all devices and corresponding links between a global file system and the dev.sub.-- t values. The file system is modified to take advantage of this framework so that, when a user requests that a particular device, identified by its logical name, be opened, an operating system kernel queries the file system to determine that device's dev.sub.-- t value and then queries the a device configuration system (DCS) for the location (node) and identification (local address) of a device with that dev.sub.-- t value. Once it has received the device's location and identification, the kernel issues an open request to the host node for the device identified by the DCS.

Abstract: A system and method are disclosed for rendering devices on a cluster globally visible, wherein the cluster includes a plurality of nodes on which the devices are attached. The system establishes for each of the devices in the cluster at least one globally unique identifier enabling global access to the device. The system includes a device registrar that creates the identifiers and a global file system. The identifiers include a globally unique logical name by which users of the cluster identify the device and a globally unique physical name by which the global file system identifies the device. The registrar creates a one-to-one mapping between the logical name and the physical name for each of the devices. The system also includes a device information (dev.sub.-- info) data structure maintained by the device registrar that represents physical associations of the devices within the cluster. Each association corresponds to the physical name of a device file maintained by the global file system.