Container-oriented linux kernel virtualizing system and method thereof
US-2023092214-A1 · Mar 23, 2023 · US
Providing system services
US12254079B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12254079-B2 |
| Application number | US-202217662710-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 10, 2022 |
| Priority date | May 10, 2022 |
| Publication date | Mar 18, 2025 |
| Grant date | Mar 18, 2025 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Embodiments of the present disclosure relate to a method, system and computer program product for providing system services. In some embodiments, a method is disclosed. According to the method, from a user program in a user address space, a request for a system service is received via a program call instruction of a set of program call instructions in an application interface code library. Based on the program call instruction, a target authorized address space of a plurality of authorized address spaces and a target system service routine for providing the system service in the target authorized address space is determined. A result of running the target system service routine in the target authorized address space is returned to the user program as a response to the request.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer-implemented method comprising: receiving, from a user program in a user address space, a request for a system service via a program call instruction of a set of program call instructions in an application interface code library for the user address space; determining, based on a value of a first field of the program call instruction, an authorized address space from a first table comprising a mapping of the plurality of authorized address spaces and values of the first field; identifying, based on the authorized address space, a second table comprising a mapping of identifiers of a plurality of system service routines provided in the authorized address space and values of a second field of the program call instruction; and determining, based on a value of the second field of the program call instruction, a system service routine for providing the system service from the second table; running the system service routine in the authorized address space; and returning a result of running the system service routine to the user program as a response to the request. 2. The method of claim 1 , wherein determining the system service routine from the second table comprises: determining, based on the value of the second field of the program call instruction, an identifier of the system service requested by the user program from the plurality of identifiers; and determining, based on the identifier, an address of the system service routine for providing the system service. 3. The method of claim 2 , wherein the identifiers of the plurality of system services are system call numbers or mapped to the system call numbers. 4. The method of claim 1 , wherein the value of the first field of the program call instruction and the value of the first field in the first table are the same. 5. The method of claim 1 , wherein receiving the request for the system service comprises: receiving the request from a container comprising the application interface code library running in the user address space; wherein the authorized address space is determined as a virtual kernel space for the container. 6. The method of claim 5 , further comprising: receiving another request from another container comprising another application interface code library running in another user address space; determining, based on another program call instruction associated with the other request in the other application interface code library, another authorized address space and another system service routine associated with the other request, wherein the other authorized address space is different from the authorized address space; running the other system service routine in the other authorized address space and wherein the other authorized address space is determined as another virtual kernel space for the other container; and returning a result of running the other system service routine to the other container as a response to the other request. 7. The method of claim 1 , further comprising: using a MVCP instruction to move data from the user address space to the authorized address space; and using a MVCS instruction to move data from the authorized address space to the user address space. 8. A system comprising: a processing unit; and a memory coupled to the processing unit and storing instructions thereon, the instructions, when executed by the processing unit, performing actions comprising: receiving, from a user program in a user address space, a request for a system service via a program call instruction of a set of program call instructions in an application interface code library for the user address space; determining, based on a value of a first field of the program call instruction, an authorized address space from a first table comprising a mapping of the plurality of authorized address spaces and values of the first field; identifying, based on the authorized address space, a second table comprising a mapping of identifiers of a plurality of system service routines provided in the authorized address space and values of a second field of the program call instruction; and determining, based on a value of the second field of the program call instruction, a system service routine for providing the system service from the second table; running the system service routine in the authorized address space; and returning a result of running the system service routine to the user program as a response to the request. 9. The system of claim 8 , wherein determining the system service routine from the second table comprises: determining, based on the value of the second field of the program call instruction, an identifier of the system service requested by the user program from the plurality of identifiers; and determining, based on the identifier, an address of the system service routine for providing the system service. 10. The system of claim 9 , wherein the identifiers of the plurality of system services are system call numbers or mapped to the system call numbers. 11. The system of claim 8 , wherein the value of the first field of the program call instruction and the value of the first field in the first table are the same. 12. The system of claim 8 , wherein receiving the request for the system service comprises: receiving the request from a container comprising the application interface code library running in the user address space; wherein the authorized address space is determined as a virtual kernel space for the container. 13. The system of claim 12 , wherein the actions further comprise: receiving another request from another container comprising another application interface code library running in another user address space; determining, based on another program call instruction associated with the other request in the other application interface code library, another authorized address space and another system service routine associated with the other request, wherein the other authorized address space is different from the authorized address space; running the other system service routine in the other authorized address space and wherein the other authorized address space is determined as another virtual kernel space for the other container; and returning a result of running the other system service routine to the other container as a response to the other request. 14. The system of claim 8 , wherein the actions further comprise: using a MVCP instruction to move data from the user address space to the authorized address space; and using a MVCS instruction to move data from the authorized address space to the user address space. 15. A computer program product being tangibly stored on a non-transient machine-readable medium and comprising machine-executable instructions, the instructions, when executed on a device, causing the device to perform actions comprising: receiving, from a user program in a user address space, a request for a system service via a program call instruction of a set of program call instructions in an application interface code library for the user address space; determining, based on a value of a first field of the program call instruction, an authorized address space from a first table comprising a mapping of the plurality of authorized address spaces and values of the first field; identifying, based on the authorized address space, a second table comprising a mapping of identifiers of a plurality of system service routines provided in the authorized address space and values of a second field of the program call instruction; and determining,
Assignees
Inventors
Classifications
Security improvement · CPC title
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
where tasks reside in different layers, e.g. user- and kernel-space · CPC title
Protection against unauthorised use of memory {or access to memory} · CPC title
in a hierarchical protection system, e.g. privilege levels, memory rings · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12254079B2 cover?
- Embodiments of the present disclosure relate to a method, system and computer program product for providing system services. In some embodiments, a method is disclosed. According to the method, from a user program in a user address space, a request for a system service is received via a program call instruction of a set of program call instructions in an application interface code library. Base…
- Who is the assignee on this patent?
- IBM
- What technology area does this patent fall under?
- Primary CPC classification G06F21/51. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Mar 18 2025 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).