公开(公告)号：US09280644B2

公开(公告)日：2016-03-08

申请号：US13922188

申请日：2013-06-19

Applicant: Apple Inc.

Inventor： Ivan Krstić ,  Austin G. Jennings ,  Richard L. Hagy

IPC: G06F9/46 ,  G06F9/455 ,  G06F21/10 ,  G06F21/51 ,  G06F21/53 ,  G06F21/62

CPC classification number: G06F21/6281 ,  G06F21/10 ,  G06F21/51 ,  G06F21/53 ,  G06F21/629 ,  G06F2221/033 ,  G06F2221/0735

Abstract: In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

Abstract translation: 响应于启动程序的请求，确定在程序执行期间由程序访问的一个或多个应用程序框架的列表。 确定在执行期间表示由程序授权的一个或多个资源的零个或多个授权。 从应用程序框架中的至少一个获得基于程序的权利的一组或多个规则。 所述一个或多个规则的集合指定与所述至少一个应用框架相关联的资源的一个或多个约束。 基于与所述至少一个应用框架相关联的一个或多个规则的集合，为所述程序动态地编译安全简档。 编译的安全简档用于在程序执行期间限制程序访问至少一个应用程序框架的至少一个资源。

公开(公告)号：US20150347774A1

公开(公告)日：2015-12-03

申请号：US14292705

申请日：2014-05-30

Applicant: Apple Inc.

Inventor： Ivan Krstic ,  Pierre-Olivier J. Martel ,  Austin G. Jennings

IPC: G06F21/62 ,  G06F9/50 ,  G06F21/44

CPC classification number: G06F21/6218 ,  G06F21/44 ,  G06F21/62

Abstract: Techniques for access control of a data processing system are described. In one embodiment, in response to a request from an application for accessing a resource of a data processing system, it is determined a first class of resources the requested resource belongs. A second class of resources the application is entitled to access is determined based on a resource entitlement encoded within the application and authorized by a predetermined authority. The application is allowed to access the resource if the first class and the second class of resources are matched. The application is denied from accessing the resource if the first class and the second class are not matched, regardless an operating privilege level of the application.

Abstract translation: 描述了数据处理系统的访问控制技术。 在一个实施例中，响应于来自应用程序访问数据处理系统的资源的请求，确定所请求资源所属的第一类资源。 应用程序有权访问的第二类资源基于在应用程序内编码并由预定授权机构授权的资源授权来确定。 如果第一类和第二类资源匹配，则应用程序被允许访问该资源。 无论应用程序的操作权限级别如何，如果第一个类和第二个类不匹配，应用程序将被拒绝访问该资源。