U.S. patent application number 16/526253 was filed with the patent office on 2019-11-21 for multiple containers assigned to an application.
The applicant listed for this patent is Apple Inc.. Invention is credited to Eric Olaf Carlson, Paul William Chinn, Simon P. Cooper, Jacques Anthony Vidrine, Kelly B. Yancey.
Application Number | 20190354705 16/526253 |
Document ID | / |
Family ID | 52006691 |
Filed Date | 2019-11-21 |
![](/patent/app/20190354705/US20190354705A1-20191121-D00000.png)
![](/patent/app/20190354705/US20190354705A1-20191121-D00001.png)
![](/patent/app/20190354705/US20190354705A1-20191121-D00002.png)
![](/patent/app/20190354705/US20190354705A1-20191121-D00003.png)
![](/patent/app/20190354705/US20190354705A1-20191121-D00004.png)
![](/patent/app/20190354705/US20190354705A1-20191121-D00005.png)
![](/patent/app/20190354705/US20190354705A1-20191121-D00006.png)
United States Patent
Application |
20190354705 |
Kind Code |
A1 |
Yancey; Kelly B. ; et
al. |
November 21, 2019 |
MULTIPLE CONTAINERS ASSIGNED TO AN APPLICATION
Abstract
The disclosed technology addresses the need in the art for
assigning multiple containers to a single application. A container
can be a specified area of a file system that an assigned
application can access to store data, while other applications are
restricted access to the container. In some instances, it may be
beneficial for multiple applications to share some data, while
still maintaining other data in a secure location, thus an
application can be assigned to multiple containers, a personal
container that can only be accessed by the applications, and a
shared container that can be accessed by multiple applications.
Further, an application can be assigned an alternate container, in
addition to the personal container. The alternate container can be
used when an alternate user is using the client device, thus
restricting the alternate user from accessing any sensitive data
stored in the personal container.
Inventors: |
Yancey; Kelly B.; (Mountain
View, CA) ; Vidrine; Jacques Anthony; (San Francisco,
CA) ; Carlson; Eric Olaf; (Mountain View, CA)
; Chinn; Paul William; (San Jose, CA) ; Cooper;
Simon P.; (Cupertino, CA) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
Apple Inc. |
Cupertino |
CA |
US |
|
|
Family ID: |
52006691 |
Appl. No.: |
16/526253 |
Filed: |
July 30, 2019 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
13913059 |
Jun 7, 2013 |
10410003 |
|
|
16526253 |
|
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
G06F 21/53 20130101;
G06F 21/62 20130101; G06F 21/6245 20130101 |
International
Class: |
G06F 21/62 20060101
G06F021/62; G06F 21/53 20060101 G06F021/53 |
Claims
1. A method comprising: receiving, by a processor, a command to
execute an application on a client device, the application being
configured to run in a sand-boxed environment; determining, by the
processor, whether the client device is running in a first mode or
a second mode, the first mode being associated with a first
container representing a first specified portion of memory on the
client device and the second mode being associated with a second
container representing a second specified portion of memory on the
client device, wherein the first specified portion of memory is
different than the second specified portion of memory, and upon a
determination that the client device is running in the first mode,
granting the application access to the first specified portion of
memory represented by the first container, wherein the application
is restricted from accessing the second specified portion of memory
while the client device is running in the first mode.
2. The method of claim 1, further comprising: upon a determination
that the client device is running in the second mode, granting the
application access to the second specified portion of memory
represented by the second container, wherein the application is
restricted from accessing the first specified portion of memory
while the client device is running in the first mode.
3. The method of claim 2, wherein the first mode is a primary mode
indicating that a primary user associated with the client device is
accessing the client device and the first container is a primary
container used to store data associated with the primary user.
4. The method of claim 3, wherein the second mode is an alternate
mode indicating that an alternate user, different that the primary
user, is accessing the client device and the second container is an
alternate container used to store data associated with the
alternate user.
5. The method of claim 4, further comprising: deleting data stored
in the second container.
6. The method of claim 5, wherein the deleting is performed upon a
determination that the client device changed from the second mode
to the first mode.
7. A non-transitory computer-readable medium containing
instructions that, when executed by a client device, cause the
client device to: receive a command to execute an application on
the client device, the application being configured to run in a
sand-boxed environment; determine whether the client device is
running in a first mode or a second mode, the first mode being
associated with a first container representing a first specified
portion of memory on the client device and the second mode being
associated with a second container representing a second specified
portion of memory on the client device, wherein the first specified
portion of memory is different than the second specified portion of
memory; and upon a determination that the client device is running
in the first mode, grant the application access to the first
specified portion of memory represented by the first container,
wherein the application is restricted from accessing the second
specified portion of memory while the client device is running in
the first mode.
8. The non-transitory computer-readable medium of claim 7, wherein
the instructions further causes the client device to: upon a
determination that the client device is running in the second mode,
grant the application access to the second specified portion of
memory represented by the second container, wherein the application
is restricted from accessing the first specified portion of memory
while the client device is running in the first mode.
9. The non-transitory computer-readable medium of claim 8, wherein
the first mode is a primary mode indicating that a primary user
associated with the client device is accessing the client device
and the first container is a primary container used to store data
associated with the primary user.
10. The non-transitory computer-readable medium of claim 9, wherein
the second mode is an alternate mode indicating that an alternate
user, different that the primary user, is accessing the client
device and the second container is an alternate container used to
store data associated with the alternate user.
11. The non-transitory computer-readable medium of claim 10,
wherein the instructions further cause the client device to: delete
data stored in the second container.
12. The non-transitory computer-readable medium of claim 11,
wherein the deleting is performed upon a determination that the
client device changed from the second mode to the first mode.
13. A data processing system in a client device, the data
processing system comprising: a processing system; a memory coupled
to the processing system, the memory including a non-transitory
computer-readable medium containing instructions that, when
executed by the processing system, cause the processing system to:
receive a command to execute an application on the client device,
the application being configured to run in a sand-boxed
environment; determine whether the client device is running in a
first mode or a second mode, the first mode being associated with a
first container representing a first specified portion of memory on
the client device and the second mode being associated with a
second container representing a second specified portion of memory
on the client device, wherein the first specified portion of memory
is different than the second specified portion of memory; and upon
a determination that the client device is running in the first
mode, grant the application access to the first specified portion
of memory represented by the first container, wherein the
application is restricted from accessing the second specified
portion of memory while the client device is running in the first
mode.
14. The data processing system of claim 13, wherein the
instructions further causes the processing system to: upon a
determination that the client device is running in the second mode,
grant the application access to the second specified portion of
memory represented by the second container, wherein the application
is restricted from accessing the first specified portion of memory
while the client device is running in the first mode.
15. The data processing system of claim 14, wherein the first mode
is a primary mode indicating that a primary user associated with
the client device is accessing the client device and the first
container is a primary container used to store data associated with
the primary user.
16. The data processing system of claim 15, wherein the second mode
is an alternate mode indicating that an alternate user, different
that the primary user, is accessing the client device and the
second container is an alternate container used to store data
associated with the alternate user.
17. The data processing system of claim 16, wherein the
instructions further cause the processing system to: delete data
stored in the second container.
18. The data processing system of claim 17, wherein the deleting is
performed upon a determination that the client device changed from
the second mode to the first mode.
Description
TECHNICAL FIELD
[0001] This application is a divisional of co-ending U.S.
application Ser. No. 13/913,059 filed on Jun. 7, 2013, which
application is incorporated herein by reference in its
entirety.
[0002] The present technology pertains to file system containers,
and more specifically pertains to assigning multiple containers to
a single application.
BACKGROUND
[0003] With modern computing devices, protecting sensitive data is
of the utmost importance. To protect a user's sensitive data, an
application can be executed in a sandboxed environment in which the
application is granted access to only a specified portion of the
file system. Further, other applications are restricted access to
the specified portion of the file system. Thus, a user can be
confident than an untrusted application cannot access and gather
any sensitive data meant to be accessed by only the trusted
application.
[0004] While running applications in a sandboxed environment
provides additional security, there are also some limitations. For
example, data cannot be shared across multiple applications, which
in some instances could increase efficiency and performance.
Further, while restricting an application to a single specified
portion of the file system provides security from other
applications, the sensitive data can still be accessible by an
alternate user of the client device. Accordingly, there exists a
need for an improved system.
SUMMARY
[0005] Additional features and advantages of the disclosure will be
set forth in the description which follows, and in part will be
obvious from the description, or can be learned by practice of the
herein disclosed principles. The features and advantages of the
disclosure can be realized and obtained by means of the instruments
and combinations particularly pointed out in the appended claims.
These and other features of the disclosure will become more fully
apparent from the following description and appended claims, or can
be learned by the practice of the principles set forth herein.
[0006] Disclosed are systems, methods, and non-transitory
computer-readable storage media for assigning multiple containers
to a single application. A container can be a specified area of a
file system designated to an application. The application can be
allowed to access and store data in the application's designated
container. Further, other applications cannot access a container
assigned to a different application. Thus, each application is
limited to their specified container and, further each application
cannot access a container not assigned to the application.
[0007] In some instances, it may be beneficial for multiple
applications to share some data with each other, while still
maintaining other data in a secure location that cannot be accessed
by other applications. To accomplish this, in some embodiments, an
application can be assigned to multiple containers. For example, an
application can be assigned to a personal container that can only
be accessed by the application, and the application can be assigned
to a shared container that can be accessed by multiple
applications. Thus, data that can be shared amongst the multiple
applications can be stored in the shared container, whereas data
that should not be shared can be stored in the personal
container.
[0008] Using assigned containers can provide data security across
multiple applications, however sensitive data may still be accessed
by an alternate user accessing an application from the client
device. Thus, in some embodiments, an application can be assigned
an alternate container in addition to the personal container. The
alternate container can be used when an alternate user is using the
client device, thus restricting the alternate user from accessing
any sensitive data stored in the personal container.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The above-recited and other advantages and features of the
disclosure will become apparent by reference to specific
embodiments thereof which are illustrated in the appended drawings.
Understanding that these drawings depict only exemplary embodiments
of the disclosure and are not therefore to be considered to be
limiting of its scope, the principles herein are described and
explained with additional specificity and detail through the use of
the accompanying drawings in which:
[0010] FIG. 1 illustrates an exemplary configuration of devices and
a network in accordance with the invention;
[0011] FIG. 2 illustrates two applications sharing a container;
[0012] FIG. 3 illustrates a general purpose computing environment
in which multiple computing devices can be configured to
communicate with each other to send and receive data;
[0013] FIG. 4 illustrates an exemplary method embodiment of
assigning multiple containers to an application;
[0014] FIG. 5 illustrates an exemplary method embodiment of
deleting a container; and
[0015] FIGS. 6A and 6B illustrate exemplary possible system
embodiments.
DESCRIPTION
[0016] Various embodiments of the disclosure are discussed in
detail below. While specific implementations are discussed, it
should be understood that this is done for illustration purposes
only. A person skilled in the relevant art will recognize that
other components and configurations may be used without parting
from the spirit and scope of the disclosure.
[0017] The disclosed technology addresses the need in the art for
assigning multiple containers to a single application. A container
can be a specified area of a file system designated to an
application. The application can be allowed to access and store
data in the application's designated container. Further, other
applications cannot access a container assigned to a different
application. Thus, each application is limited to their specified
container and, further each application cannot access a container
not assigned to the application.
[0018] In some instances, it may be beneficial for multiple
applications to share some data with each other, while still
maintaining other data in a secure location that cannot be accessed
by other applications. To accomplish this, in some embodiments, an
application can be assigned to multiple containers. For example, an
application can be assigned to a personal container that can only
be accessed by the application, and the application can be assigned
to a shared container that can be accessed by multiple
applications. Thus, data that can be shared amongst the multiple
applications can be stored in the shared container, whereas data
that should not be shared can be stored in the personal
container.
[0019] Using assigned containers can provide data security across
multiple applications, however sensitive data may still be accessed
by an alternate user accessing an application from the client
device. Thus, in some embodiments, an application can be assigned
an alternate container, in addition to the personal container. The
alternate container can be used when an alternate user is using the
client device, thus restricting the alternate user from accessing
any sensitive data stored in the personal container.
[0020] FIG. 1 illustrates client device 105 configured to assign
multiple containers to a single application. Client device 105 can
be any type of general computing device capable of network
communication with other computing devices. For example, client
device 105 can be a personal computing device such as a desktop or
workstation, a business server, or a portable computing device,
such as a laptop, smart phone, or a tablet PC. Client device 105
can include some or all of the features, components, and
peripherals of the computing device illustrated in FIGS. 6A and 6B.
To facilitate communication with other computing devices, client
device 105 can include communication interface 110 configured to
receive a communication, such as a request, data, etc., from
another computing device in network communication with client
device 105 and pass the communication along to an appropriate
module running on client device 105. Communication interface 110
can also be configured to send a communication to another computing
device in network communication with client device 105.
[0021] As shown, client device 105 can include storage 115. Storage
115 can be any type of memory configured to store data used by
client device 105 and/or any modules, applications, etc., running
on client device 105. For example, in some embodiments, storage 115
can be a file system utilized by client device 105.
[0022] In addition to storage 115, client device 105 can also
include container management module 120 configured to create and
manage containers assigned to applications running on client device
105. A container can be a specified area of storage 110 that is
assigned to a specific application running on client device 105.
For example, a container can be a specified area of a file system
that is assigned to an application running on client device 105. A
container can be used to run an application in a sandboxed
environment that restricts the application to the data stored in
the container assigned to the application. Further, in some
embodiments, only the application assigned to the container can
access the data stored in the container. Thus, an application can
only access the data stored in its assigned container, and the data
stored in the container cannot be accessed from other applications
not assigned to the container.
[0023] Container management module 120 can be configured to
communicate with applications running on client device 105 to
determine if the application is assigned a container, and to create
a container for the application if one does not already exist. For
example, client device 105 can include application 125 which, upon
execution, can be configured to communicate with container
management module 120 to declare the entitlements of application
125, including identifying any containers assigned to application
125.
[0024] The declaration of entitlements can include a unique
container identifier that identifies a container assigned to
application 125. Further, the declaration of entitlements can
include container parameters describing the container, such as the
size of the container. The size of the container can be the size of
the specified area of storage 115 assigned to the application. The
data in the declaration of entitlements can be included in an
application by, for example, a developer of the application. Thus,
the application is restricted to the entitlements given to the
application by the developer.
[0025] Upon receiving the declaration of entitlements from
application 125, container management module 120 can be configured
to determine if the container identified by the declaration has
already been created in storage 115. For example, container
management module 120 can be configured to communicate with storage
115 to search for the unique container identifier included in the
entitlement declaration received from application 125. If a
container with the unique container identifier is not found,
container management module 120 can determine that the container
has not been created, upon which, container management module 120
can create the container according to the corresponding container
parameters. Alternatively, if the container is found, container
management module 120 can grant application 125 access to the
container. Granting an application access to a container can
include enabling the application to access, modify and store data
in the container.
[0026] In some embodiments, it can be beneficial for multiple
applications to share some data with each other, while maintaining
other data in a secure container that can only be accessed by the
one application. To accomplish this, an application can be assigned
a personal container and a shared container. A personal container
can be a container that can only be accessed by the application. A
shared container can be a container that can be accessed by
multiple applications.
[0027] To access both a personal and shared container, an
application can identify multiple containers assigned to the
application. For example, upon execution, application 125 can
communicate with container management module 120 to declare
entitlements, including two unique container identifiers. One of
the unique container identifier can identify the personal container
and the other unique container identifier can identify the shared
container. Container management module 120 can search for the
corresponding containers in storage 115 and create a container if
it is not found, and grant application 125 access to the identified
containers.
[0028] As an example of two applications sharing a container,
client device 105 can also include application 130, which can be
assigned to the shared container that application 125 is also
assigned. For example, upon execution, application 130 can
communicate with container management module 120 to declare
entitlements that include unique container identifiers identifying
the containers assigned to application 130. One of the unique
container identifiers can identify the shared container that is
also assigned to application 125. Container management module 120
can grant application 130 access to the shared container, resulting
in both application 125 and application 130 being assigned to the
same shared container and therefore being able to access data
stored in the shared container.
[0029] FIG. 2 illustrates two applications sharing a container. As
illustrated, application 1 and application 2 are each assigned to
two containers. Application 1 is assigned to container 1 and
container 2, and application 2 is assigned to container 2 and
container 3. As shown, container 2 is a shared container that can
be accessed by application 1 and application 2, whereas container 1
and container 3 are personal containers that can only be accessed
by a single application. For example, container 1 can only be
accessed by application 1 and container 3 can only be accessed by
application 2. Therefore, application 2 cannot access data stored
in container 1 and application 1 cannot access data stored in
container 3. Furthermore, both application 1 and application 2 can
access data stored in container 2.
[0030] Although application 1 and application 2 are illustrated as
being assigned to only one shared container, this is just one
possible embodiment and is not meant to be limiting. One skilled in
the art would recognize that an application can be assigned to any
number of shared containers. Further, a shared container can be
assigned to any number of applications.
[0031] Returning to the discussion of FIG. 1, in addition to
creating containers, container management module 120 can also be
configured to delete containers. For example, upon detecting that
an application has been deleted from client device 105, container
management module 120 can be configured to delete containers
assigned to the application. For example, container management
module 120 can be configured to delete a personal container
assigned to an application upon the application being deleted.
Deleting a personal container assigned to the application can be
performed when the application is deleted because the personal
container can only be accessed by the deleted application.
[0032] Alternatively, a shared container can be accessed by
multiple applications and thus, in some embodiments, should not be
deleted unless all applications assigned to the shared container
have been deleted. Accordingly, upon an application assigned to a
shared container being deleted, container management module 120 can
be configured to check to see if any other applications on client
device 105 are assigned to the shared container. Container
management module 120 can be configured to delete the shared
container when no other applications on client device 105 are
assigned to the shared container. Thus, the shared container will
not be deleted if it is assigned to at least one application that
is installed on client device 105.
[0033] In addition to assigning multiple containers to a single
application to share data between multiple applications, in some
embodiments, an application can be assigned to multiple containers
to be used with different users. For example, an application can be
assigned a first container that is used when the application is
used by a primary user, and a second container that is used when
the application is used by a secondary user.
[0034] To accomplish this, upon execution of an application,
container management module 120 can be configured to determine the
current user of client device 105, and grant the application access
to the appropriate container based on the determined current user.
For example, upon execution, application 125 can be configured to
communicate with container management module 120 to declare
entitlements of application 125, including unique container
identifiers identifying the containers that are assigned to
application 125. In addition to the unique container identifiers of
the container that should be assigned to application 125, the
declaration can also include container parameters identifying
conditions upon which the application should be granted access to
the container. For example, the container parameters can indicate
which of the identified containers application 125 should be
granted access to depending on the current user of client device
105.
[0035] In some embodiments, the container parameters can identify a
specific user that must be logged in to client device 105 for
application 125 to be granted access to the container. For example,
client device 105 can be configured to be accessed by two specific
user, requiring one user to log out for the other user to access
client device 105. In this type of embodiments, container
management module 120 can be configured to communicate with an
operating system running on client device 105 to determine the
current user of client device 105. Upon determining the current
user of client device 105, container management module 120 can
determine which of the assigned containers application 125 should
be granted access to. Thus, application 125 can only access one of
the assigned containers depending on the user logged into client
device 105. Thus, one user cannot access sensitive data stored in a
container associated with a different user.
[0036] In some embodiments, client device 105 can be configured to
enable a primary user to put client device 105 in an alternate mode
that protects sensitive data of the primary user from any alternate
user using client device 105. For example, alternate mode can limit
the applications, data, folders, etc., available to the alternate
user of client device 105. In some embodiments, the primary user's
sensitive information can be protected from an alternate user by
granting the application access to an alternate container, rather
than a primary container, when the alternate user is using client
device 105. This can protect any sensitive data stored in the
primary container from an alternate user.
[0037] To accomplish this, client device 105 can include alternate
mode module 135 configured to put client device 105 into an
alternate mode. For example, alternate mode module 135 can be
configured to present an interface enabling a user to select to
place client device 105 into an alternate mode. Upon receiving an
input to place client device 105 into an alternate mode, in some
embodiments, alternate mode module 135 can be configured to
terminate any running applications on client device 105.
Alternatively, in some embodiments, any running applications can be
made inactive until client device 105 is returned to non-alternate
mode.
[0038] Accordingly, upon client device 105 being placed into
alternate mode, all applications will have to be executed,
resulting in the application communicating with container
management module 120 to declare entitlements identifying the
containers assigned to the application as well as their
corresponding container parameters. The container parameters can
identify which mode client device 105 should be in, either guest or
non-guest, for the application to be granted access to a container.
Container management module 120 can then determine whether client
device 105 is in alternate mode by, for example, communicating with
alternate mode module 135 and/or the operating system of client
device 105. Container management module 120 can then grant the
application access to the appropriate container based on whether
the client device 105 is in alternate mode or non-alternate
mode.
[0039] In some embodiments, container management module 120 can be
configured to periodically delete data stored in an alternate
container. This can ensure that sensitive data stored in the
alternate container by one guest cannot be accessed by another
alternate user of client device 105. In some embodiments, the data
stored in the alternate container can be deleted upon client device
105 being returned to non-alternate mode. For example, alternate
mode module 135 can be configured to transmit a message to
container management module 120 that client device 105 has been
returned to non-alternate mode and, in response, container
management module 120 can be configured to delete data stored in
the alternate containers.
[0040] Alternatively, in some embodiments, container management
module 120 can be configured to delete the data in the alternate
containers at a scheduled time. For example, container management
module 120 can be configured to delete data in the alternate
containers daily, hourly, etc. Further, in some embodiments,
container management module 120 can be configured to delete the
data in the alternate containers upon receiving an input from the
user requesting that the data be deleted. For example, the user can
be presented with an interface enabling a user to select to delete
the data in the alternate containers. Upon receiving a command
indicating that the user has selected to erase the data in the
alternate containers, container management module 120 can be
configured to delete the data in the alternate containers.
[0041] Although assigning multiple containers to an application is
presented on a single computing device, this is only one embodiment
and is not meant to be limiting. In some embodiments, the disclosed
system can be implemented on multiple computing devices in network
connection with each other. FIG. 3 illustrates a general purpose
computing environment 300 in which multiple computing devices can
be configured to communicate with each other to send and receive
data. As illustrated, multiple computing devices can be connected
to communication network 310 and be configured to communicate with
each other through use of communication network 310. Communication
network 310 can be any type of network, including a local area
network ("LAN"), such as an intranet, a wide area network ("WAN"),
such as the internet, or any combination thereof. Further,
communication network 310 can be a public network, a private
network, or a combination thereof. Communication network 310 can
also be implemented using any number of communications links
associated with one or more service providers, including one or
more wired communication links, one or more wireless communication
links, or any combination thereof. Additionally, communication
network 310 can be configured to support the transmission of data
formatted using an number of protocols.
[0042] As illustrated in FIG. 3, the exemplary system includes
various computing devices in network communication with each other
to send and receive data. In particular, FIG. 3 shows client device
305, client device 315 and server 320. Each computing device can be
configured to assign multiple containers to an application.
[0043] In some embodiments, a shared container that can be accessed
by multiple applications can be located on a computing device other
than the client device on which the applications are executing. For
example, client device 305 can include application 325 and client
device 315 can include application 330. Application 325 and
application 330 can both be assigned to a shared container that is
stored in storage 325 on server 320. Accordingly, client device 305
and client device 315 can be in network communication with server
320 to access data in the shared container stored in storage
325.
[0044] In some embodiments, a personal container for each of the
applications can be stored locally on their respective client
device. For example, a personal container assigned to application
325 can be stored in memory on client device 305 and a personal
container for application 330 can be stored in memory on client
device 315. Thus, in this type of embodiment, only the data shared
between application 325 and application 330 is stored on server 330
in the shared container stored in storage 325.
[0045] Alternatively, in some embodiments, the personal and shared
containers can be stored on server 320. Thus, application 325 and
application 330 would both communicate with server 320 to access
their respective personal and shared containers.
[0046] FIG. 4 illustrates an exemplary method embodiment of
assigning multiple containers to an application. As illustrated,
the method begins at block 405 where a declaration of entitlements
is received from an application. A declaration of entitlements can
be received as a result of an application being executed. For
example, each time the application is executed, the application can
declare the application's entitlements. The declaration of
entitlements can identify containers assigned to the application as
well as container parameters defining the containers.
[0047] In some embodiments, the declaration can include a unique
container identifier for each of the containers identified by the
declarations. A unique container identifier can be an identifier
that uniquely identifies a container. The container parameters can
define the container by specifying the parameters of the container
such as the size and location of the container. Further, in some
embodiment, the container parameters can specify conditions that
must be met for the application to be granted access to the
container. For example, in some embodiments, the container
parameters can specify a current mode that the client device must
be in, for the application to be granted access to the container.
Alternatively, in some embodiments, the container parameters can
specify a specific user that must be logged in for the application
to be granted access to the container.
[0048] Upon receiving the declaration of entitlements from the
application, the method continues to block 410 where one of the
containers identified in the declaration is searched for in memory.
For example, a search can be performed in memory for the unique
container identifier of the container.
[0049] If at block 415 the container is found, the method continues
to block 425 where it is determined if the application should be
granted access to the container. For example, if the container
parameters indicate that the client device must be in an alternate
mode for the application to access the container, a determination
can be made as to whether the client device is or is not in the
alternate mode. If at block 425 it is determined that the
application should be granted access to the container, the method
continues to block 430 where the application is granted access to
the container. This can include enabling the application to access
the container to retrieve, store and modify data.
[0050] The method then continues to block 435 where a determination
is made as to whether there are any remaining containers identified
by the declaration that have not yet been searched for in memory.
If there are any remaining unsearched containers, the method
returns to block 410. Alternatively, if there are no more remaining
containers that need to be searched for in memory, the method
ends.
[0051] Returning to block 425, if it is determined that the
application should not be granted access to the container, for
example, because the client device is not in the specified mode
required by the container parameters, the method continues to block
435 without granting the application to the container.
[0052] Returning to the discussion of block 415, if the container
identified by the unique container identifier is not found, the
method continues to block 420 where the container is created based
on the specified container parameters. For example, the container
can be created in a location and be of the size specified by the
container parameters.
[0053] FIG. 5 illustrates an exemplary method embodiment of
deleting a container. As illustrated, the method begins at block
505 where a message to delete an application is received. The
message can be received in response to a user selecting to delete
the application.
[0054] Upon receiving the message to delete the application, the
method continues to block 510 where a container assigned to the
application is identified. For example, in some embodiments, the
message can include unique container identifiers identifying the
containers assigned to the application. Alternatively, in some
embodiments, a container index listing the containers assigned to
each application can be searched to identify each container
assigned to the application.
[0055] The method then continues to block 515 where it is
determined if the identified container is a shared container. For
example, the delete message can indicate if there are other
applications that can be assigned to the container. Alternatively,
an index listing can identify all applications assigned to a
container.
[0056] If at block 515 it is determined that the container is not a
shared container, and thus the container is a personal container
assigned to only the application to be deleted, the method
continues to block 525 where the container is deleted.
[0057] However, if at block 515, it is determined that the
container is a shared container, meaning that the container is
assigned to multiple applications, the method continues to block
520 where it is determined if any other applications assigned to
the container are present on a client device that can access the
container. For example, a search can be performed for the
applications that can be assigned to the container. If at block 520
it is determined that the other application are not present, the
method continues to block 525 where the container is deleted.
[0058] If, however, one of the other applications is present,
meaning that another application is using the shared container, the
method continues to block 530 without deleting the container.
[0059] At block 530, the method determines whether there are any
further containers assigned to the application identified for
deletion. If there are more containers, the method returns to block
510. If there are no further containers, the method ends.
[0060] FIG. 6A, and FIG. 6B illustrate exemplary possible system
embodiments. The more appropriate embodiment will be apparent to
those of ordinary skill in the art when practicing the present
technology. Persons of ordinary skill in the art will also readily
appreciate that other system embodiments are possible.
[0061] FIG. 6A illustrates a conventional system bus computing
system architecture 600 wherein the components of the system are in
electrical communication with each other using a bus 605. Exemplary
system 600 includes a processing unit (CPU or processor) 610 and a
system bus 605 that couples various system components including the
system memory 615, such as read only memory (ROM) 620 and random
access memory (RAM) 625, to the processor 610. The system 600 can
include a cache of high-speed memory connected directly with, in
close proximity to, or integrated as part of the processor 610. The
system 600 can copy data from the memory 615 and/or the storage
device 630 to the cache 612 for quick access by the processor 610.
In this way, the cache can provide a performance boost that avoids
processor 610 delays while waiting for data. These and other
modules can control or be configured to control the processor 610
to perform various actions. Other system memory 615 may be
available for use as well. The memory 615 can include multiple
different types of memory with different performance
characteristics. The processor 610 can include any general purpose
processor and a hardware module or software module, such as module
1 632, module 2 634, and module 3 636 stored in storage device 630,
configured to control the processor 610 as well as a
special-purpose processor where software instructions are
incorporated into the actual processor design. The processor 610
may essentially be a completely self-contained computing system,
containing multiple cores or processors, a bus, memory controller,
cache, etc. A multi-core processor may be symmetric or
asymmetric.
[0062] To enable user interaction with the computing device 600, an
input device 645 can represent any number of input mechanisms, such
as a microphone for speech, a touch-sensitive screen for gesture or
graphical input, keyboard, mouse, motion input, speech and so
forth. An output device 635 can also be one or more of a number of
output mechanisms known to those of skill in the art. In some
instances, multimodal systems can enable a user to provide multiple
types of input to communicate with the computing device 600. The
communications interface 640 can generally govern and manage the
user input and system output. There is no restriction on operating
on any particular hardware arrangement and therefore the basic
features here may easily be substituted for improved hardware or
firmware arrangements as they are developed.
[0063] Storage device 630 is a non-volatile memory and can be a
hard disk or other types of computer readable media which can store
data that are accessible by a computer, such as magnetic cassettes,
flash memory cards, solid state memory devices, digital versatile
disks, cartridges, random access memories (RAMs) 625, read only
memory (ROM) 620, and hybrids thereof.
[0064] The storage device 630 can include software modules 642,
634, 616 for controlling the processor 610. Other hardware or
software modules are contemplated. The storage device 630 can be
connected to the system bus 605. In one aspect, a hardware module
that performs a particular function can include the software
component stored in a computer-readable medium in connection with
the necessary hardware components, such as the processor 610, bus
605, display 635, and so forth, to carry out the function.
[0065] FIG. 6B illustrates a computer system 650 having a chipset
architecture that can be used in executing the described method and
generating and displaying a graphical user interface (GUI).
Computer system 650 is an example of computer hardware, software,
and firmware that can be used to implement the disclosed
technology. System 650 can include a processor 655, representative
of any number of physically and/or logically distinct resources
capable of executing software, firmware, and hardware configured to
perform identified computations. Processor 655 can communicate with
a chipset 660 that can control input to and output from processor
655. In this example, chipset 660 outputs information to output
665, such as a display, and can read and write information to
storage device 670, which can include magnetic media, and solid
state media, for example. Chipset 660 can also read data from and
write data to RAM 675. A bridge 680 for interfacing with a variety
of user interface components 685 can be provided for interfacing
with chipset 660. Such user interface components 685 can include a
keyboard, a microphone, touch detection and processing circuitry, a
pointing device, such as a mouse, and so on. In general, inputs to
system 650 can come from any of a variety of sources, machine
generated and/or human generated.
[0066] Chipset 660 can also interface with one or more
communication interfaces 690 that can have different physical
interfaces. Such communication interfaces can include interfaces
for wired and wireless local area networks, for broadband wireless
networks, as well as personal area networks. Some applications of
the methods for generating, displaying, and using the GUI disclosed
herein can include receiving ordered datasets over the physical
interface or be generated by the machine itself by processor 655
analyzing data stored in storage 670 or 675. Further, the machine
can receive inputs from a user via user interface components 685
and execute appropriate functions, such as browsing functions by
interpreting these inputs using processor 655.
[0067] It can be appreciated that exemplary systems 600 and 650 can
have more than one processor 610 or be part of a group or cluster
of computing devices networked together to provide greater
processing capability.
[0068] For clarity of explanation, in some instances the present
technology may be presented as including individual functional
blocks including functional blocks comprising devices, device
components, steps or routines in a method embodied in software, or
combinations of hardware and software.
[0069] In some embodiments the computer-readable storage devices,
mediums, and memories can include a cable or wireless signal
containing a bit stream and the like. However, when mentioned,
non-transitory computer-readable storage media expressly exclude
media such as energy, carrier signals, electromagnetic waves, and
signals per se.
[0070] Methods according to the above-described examples can be
implemented using computer-executable instructions that are stored
or otherwise available from computer readable media. Such
instructions can comprise, for example, instructions and data which
cause or otherwise configure a general purpose computer, special
purpose computer, or special purpose processing device to perform a
certain function or group of functions. Portions of computer
resources used can be accessible over a network. The computer
executable instructions may be, for example, binaries, intermediate
format instructions such as assembly language, firmware, or source
code. Examples of computer-readable media that may be used to store
instructions, information used, and/or information created during
methods according to described examples include magnetic or optical
disks, flash, memory, USB devices provided with non-volatile
memory, networked storage devices, and so on.
[0071] Devices implementing methods according to these disclosures
can comprise hardware, firmware and/or software, and can take any
of a variety of form factors. Typical examples of such form factors
include laptops, smart phones, small form factor personal
computers, personal digital assistants, and so on. Functionality
described herein also can be embodied in peripherals or add-in
cards. Such functionality can also be implemented on a circuit
board among different chips or different processes executing in a
single device, by way of further example.
[0072] The instructions, media for conveying such instructions,
computing resources for executing them, and other structures for
supporting such computing resources are means for providing the
functions described in these disclosures.
[0073] Although a variety of examples and other information was
used to explain aspects within the scope of the appended claims, no
limitation of the claims should be implied based on particular
features or arrangements in such examples, as one of ordinary skill
would be able to use these examples to derive a wide variety of
implementations. Further and although some subject matter may have
been described in language specific to examples of structural
features and/or method steps, it is to be understood that the
subject matter defined in the appended claims is not necessarily
limited to these described features or acts. For example, such
functionality can be distributed differently or performed in
components other than those identified herein. Rather, the
described features and steps are disclosed as examples of
components of systems and methods within the scope of the appended
claims.
* * * * *