CPC G06F 21/604 (2013.01) [G06F 9/5027 (2013.01)]; 18 Claims
5. A system, comprising:
one or more processors; and
memory storing executable instructions that, as a result of execution by the one or more processors, cause the system to:
obtain, within a kernel of an operating system, a system call from an application running on the operating system that indicates a request to access a resource managed by the operating system;
determine, within the kernel, a request context for the system call, wherein the request context comprises:
a principal identifier associated with a user of the system call;
a resource identifier associated with the resource managed by the operating system; and
an action corresponding to a permission requested in the system call, wherein to determine the request context for the system call includes,
determine a user identifier associated with the user call, and
decorate the user identifier of the user with an operating system identifier to determine the principal identifier;
determine, based on the resource, one or more applicable security policies managed by a policy management service;
perform a policy evaluation using the request context and the one or more applicable security policies to determine an indication of whether to grant access to the resource managed by the operating system; and
based on the indication being to grant access to the resource, cause the kernel to access the resource to fulfill the system call.
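The claim above describes a kernel-side authorization flow: build a request context (principal, resource, action) from the system call, decorate the OS-local user id with an operating-system identifier to form the principal, select the policies that apply to the resource, evaluate them, and only then let the kernel touch the resource. The following Python model is an added illustration of that flow and is not the patent's or any vendor's implementation; the policy format, the `PolicyStore` class standing in for the policy management service, the `os:<id>/uid:<n>` principal encoding, the prefix-wildcard matching and the sample policies are all constructed assumptions. It is deny-by-default and lets an explicit deny override any allow, which is the conservative choice when several policies apply to one resource.

```python
"""Constructed model of kernel-side policy evaluation for a system call.

Added example, not code from the patent. All identifiers and sample
policies below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class RequestContext:
    principal: str   # decorated principal identifier, e.g. "os:host-a/uid:1000"
    resource: str    # resource identifier, e.g. "file:/etc/passwd"
    action: str      # permission requested by the syscall, e.g. "read"


@dataclass(frozen=True)
class Policy:
    resource_pattern: str      # exact resource id, or a prefix ending in "*"
    principal: str             # decorated principal id, or "*" for any
    actions: FrozenSet[str]    # actions this policy speaks about
    effect: str                # "allow" or "deny"


def make_principal(uid: int, os_id: str) -> str:
    """Decorate the OS-local user id with an operating-system identifier.

    The same numeric uid on two different systems must yield two
    different principals, so the OS identifier is part of the name.
    """
    return f"os:{os_id}/uid:{uid}"


def _matches(pattern: str, resource: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


class PolicyStore:
    """Stand-in for the policy management service (assumed interface)."""

    def __init__(self, policies: Iterable[Policy]) -> None:
        self._policies = list(policies)

    def applicable(self, resource: str) -> List[Policy]:
        """Return the policies that apply to the given resource."""
        return [p for p in self._policies if _matches(p.resource_pattern, resource)]


def evaluate(ctx: RequestContext, policies: Iterable[Policy]) -> bool:
    """Return True when access is granted.

    Deny by default; an explicit deny wins over any allow, so ordering of
    the policy list does not change the outcome.
    """
    granted = False
    for p in policies:
        if p.principal not in ("*", ctx.principal):
            continue
        if ctx.action not in p.actions:
            continue
        if p.effect == "deny":
            return False
        granted = True
    return granted


def handle_syscall(uid: int, os_id: str, resource: str, action: str,
                   store: PolicyStore) -> str:
    """Model of the kernel path: context -> applicable policies -> decision."""
    ctx = RequestContext(make_principal(uid, os_id), resource, action)
    if evaluate(ctx, store.applicable(ctx.resource)):
        # A real kernel would now perform the access on the caller's behalf.
        return f"granted {action} on {resource}"
    return f"denied {action} on {resource}"


# Constructed sample policies for a demonstration run.
SAMPLE_STORE = PolicyStore([
    Policy("file:/home/alice/*", "os:host-a/uid:1000", frozenset({"read", "write"}), "allow"),
    Policy("file:/etc/*", "*", frozenset({"read"}), "allow"),
    Policy("file:/etc/shadow", "*", frozenset({"read", "write"}), "deny"),
])

if __name__ == "__main__":
    print(handle_syscall(1000, "host-a", "file:/etc/passwd", "read", SAMPLE_STORE))
    print(handle_syscall(1000, "host-a", "file:/etc/shadow", "read", SAMPLE_STORE))
    print(handle_syscall(1000, "host-b", "file:/home/alice/notes", "write", SAMPLE_STORE))
```

The third call in the usage block is the point of the decoration step: uid 1000 on `host-b` is a different principal from uid 1000 on `host-a`, so the per-user allow for Alice's home directory does not carry over just because the numeric id happens to collide.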