Speedup build container data access via system call filtering

US2022012210A1 · US · A1

Patent metadata

Publication number: US-2022012210-A1
Application number: US-202017038562-A
Country: US
Kind code: A1
Filing date: Sep 30, 2020
Priority date: Jul 13, 2020
Publication date: Jan 13, 2022
Grant date:

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented, and preventing, by the kernel, performance of the synchronization operation in view of the system call filtering policy.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage; determining, by processing device executing an operating system kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented; and preventing, by the processing device executing the kernel, performance of the synchronization operation in view of the system call filtering policy.

2. The method of claim 1, wherein the system call filtering policy comprises a secure computing mode policy to prevent performance of system calls received from the container that are associated with synchronizing data in memory to storage.

3. The method of claim 2, further comprising: providing a response to the application indicating that the system call has been performed.

4. The method of claim 3, wherein the response provided to the application indicating that the system call has been performed comprises an indication that the synchronization operation has been successfully performed.

5. The method of claim 1, wherein determining whether the system call filtering policy indicates that the system call is to be prevented comprises: identifying the system call filtering policy associated with the container; determining at least one system call to be filtered by the system call filtering policy; and determining whether the at least one system call to be filtered includes the system call received from the application.

6. The method of claim 1, wherein the system call filtering policy associated with the container prevents performance of synchronization operations received from the container during a build of the container.

7. The method of claim 6, further comprising: determining that the build of the container has completed; and synchronizing the completed build of the container to storage.

8. A system comprising: a memory; and a processing device operatively coupled to the memory, the processing device to: receive, at a kernel of an operating system executing on the processing device, a system call from an application within a container executing on the operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage; determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented; and preventing performance of the synchronization operation in view of the system call filtering policy.

9. The system of claim 8, wherein the system call filtering policy comprises a secure computing mode policy to prevent performance of system calls received from the container that are associated with synchronizing data in memory to storage.

10. The system of claim 9, wherein the processing device is further to: provide a response to the application indicating that the system call has been performed.

11. The system of claim 10, wherein the response provided to the application indicating that the system call has been performed comprises an indication that the synchronization operation has been successfully performed.

12. The system of claim 8, wherein to determine whether the system call filtering policy indicates that the system call is to be prevented, the processing device is to: identify the system call filtering policy associated with the container; determine at least one system call to be filtered by the system call filtering policy; and determine whether the at least one system call to be filtered includes the system call received from the application.

13. The system of claim 8, wherein the system call filtering policy associated with the container prevents performance of synchronization operations received from the container during a build of the container.

14. The system of claim 13, wherein the processing device is further to: determine that the build of the container has completed; and synchronize the completed build of the container to storage.

15. A non-transitory computer-readable storage medium including instructions that, when executed by a processing device, cause the processing device to: receive a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage; determining, by the processing device executing an operating system kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented; and preventing, by the processing device, performance of the synchronization operation in view of the system call filtering policy.

16. The non-transitory computer-readable storage medium of claim 15, wherein the system call filtering policy comprises a secure computing mode policy to prevent performance of system calls received from the container that are associated with synchronizing data in memory to storage.

17. The non-transitory computer-readable storage medium of claim 16, wherein the processing device is further to: provide a response to the application indicating that the system call has been performed.

18. The non-transitory computer-readable storage medium of claim 15, wherein to determine whether the system call filtering policy indicates that the system call is to be prevented, the processing device is to: identify the system call filtering policy associated with the container; determine at least one system call to be filtered by the system call filtering policy; and determine whether the at least one system call to be filtered includes the system call received from the application.

19. The non-transitory computer-readable storage medium of claim 15, wherein the system call filtering policy associated with the container prevents performance of synchronization operations received from the container during a build of the container.

20. The non-transitory computer-readable storage medium of claim 19, wherein the processing device is further to: determine that the build of the container has completed; and synchronize the completed build of the container to storage.
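The mechanism the claims describe (claims 2 to 4 and 6: a secure computing mode policy that intercepts the data-sync system calls during a container build and reports success to the caller), shown as an added Linux seccomp-bpf example in C; this is not the patent's or Red Hat's code. The syscall set, the `build_sync_filter`, `eval_filter`, `policy_action` and `install_sync_filter` names and the small userspace evaluator are assumptions made for illustration, and a production filter would also check `seccomp_data.arch` before trusting `nr`.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
/* Hypothetical build-time policy (added example, not the patent's code): sync calls
 * return 0 without reaching the filesystem, since SECCOMP_RET_ERRNO with errno 0 returns 0. */
static const int SYNC_CALLS[] = { __NR_fsync, __NR_fdatasync, __NR_msync, __NR_sync };
#define N_SYNC (sizeof SYNC_CALLS / sizeof SYNC_CALLS[0])

/* Emit the seccomp-bpf program into prog; returns the instruction count. */
size_t build_sync_filter(struct sock_filter *prog)
{
    size_t n = 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_SYNC; i++)   /* on a match, jump over ALLOW to the fake-success return */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)SYNC_CALLS[i], (__u8)(N_SYNC - i), 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | 0);
    return n;
}

/* Evaluator for the three opcodes used above: checks the policy without loading it. */
__u32 eval_filter(const struct sock_filter *prog, size_t n, int nr)
{
    struct seccomp_data d = { .nr = nr };
    __u32 acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (prog[pc].code == (BPF_LD | BPF_W | BPF_ABS))   /* k is a word offset into seccomp_data */
            acc = ((const __u32 *)&d)[prog[pc].k / sizeof(__u32)];
        else if (prog[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == prog[pc].k) ? prog[pc].jt : prog[pc].jf;
        else if (prog[pc].code == (BPF_RET | BPF_K))
            return prog[pc].k;
    }
    return SECCOMP_RET_KILL;   /* fell off the end: fail closed */
}

__u32 policy_action(int nr)
{
    struct sock_filter prog[N_SYNC + 3];
    return eval_filter(prog, build_sync_filter(prog), nr);
}

/* Load the policy into this process, as a build runner would before exec'ing a build step. */
int install_sync_filter(void)
{
    struct sock_filter prog[N_SYNC + 3];
    struct sock_fprog fprog = { .len = (unsigned short)build_sync_filter(prog), .filter = prog };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```

Once loaded, a seccomp filter is inherited across fork and exec and cannot be removed, so the final synchronization of the completed build (claims 7, 14 and 20) has to be issued from a process that never had the filter installed.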

Assignees

Red Hat Inc

Inventors

Classifications

  • G06F9/545 (Primary): where tasks reside in different layers, e.g. user- and kernel-space · CPC title

  • G06F16/178 (Primary): Techniques for file synchronisation in file systems · CPC title

  • Interprogram communication · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2022012210A1 cover?
A method includes receiving a system call from an application within a container executing on an operating system, the system call comprising a synchronization operation to synchronize memory of the application to storage. The method further includes determining, by the kernel, whether a system call filtering policy associated with the container indicates that the system call is to be prevented…
Who is the assignee on this patent?
Red Hat Inc
What technology area does this patent fall under?
Primary CPC classification G06F9/545. Mapped technology areas include Physics.
When was this patent published?
Publication date: Jan 13, 2022 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).