DETAILED ACTION
Claim Status
This Office Action is in response to claims filed on 03/03/2021.
Claims 1-3, 5-10, 12-18 and 21 are pending and 4, 11, 19-20 and 22 have previously been canceled.
Claims 1-3, 5-10, 12-18 and 21 have been examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
With respect to the rejections of claims under 35 U.S.C. 101, Applicant is of the opinion that claims 1, 8, and 15 have been amended and hence the § 101 rejection of independent claims 1, 8 and 15 and their corresponding dependent claims should be withdrawn.
Examiner fully considers Applicant’s position, but respectfully disagrees because the claims continue to be directed to an abstract idea without significantly more; hence the claims are not patent eligible and Examiner sustains the rejection.

With respect to the rejections of claims under 35 U.S.C. 112(a), Applicant is of the opinion that the claims have been amended to overcome the rejection of the independent claims, as support for the claim amendment is at paragraphs [0016]-[0017] of the published patent application and support for the claim amendments is included throughout the originally filed “the hypervisor process may access a ... network [storage] client associated with the network based storage [server] device directly to perform I/O against the [networked storage server] device. For a variety of reasons, it is becoming more common to push the network client code into the hypervisor itself, which bypasses the kernel and/or host OS services. Principally, this helps the guest domains obtain a shorter I/O path by being able to connect to the network devices without going through the host OS in order to improve system performance.” Applicant’s specification, [0016] (emphasis added). “For the hypervisor to act as the network [storage] client, it needs to be given permission to connect directly to the storage server over the network. As a result, the hypervisor has direct access to the networked storage server, thus bypassing any access controls that the host OS can implement on resources [i.e. files] of the server
Examiner fully considers Applicant’s position, but respectfully disagrees because the claimed subject matter was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention, as the specification does not contain a proper written description of the invention in such full, clear, concise, and exact terms.  That is, the section of the Specification identified by the Applicant as providing support has not been found to do so, since the Specification is silent as to the claim language: it does not disclose that the hypervisor retrieves the at least one file from the networked storage server to bypass file access controls, nor does it disclose file access controls that the host kernel implements on files from the networked storage server.  Therefore, as the claims continue to recite limitations that are not properly described in the Applicant’s Specification, Examiner sustains the rejection.

With respect to the rejections of claims under 35 U.S.C. 103, Applicant is of the opinion that claims 1, 8 and 15 are patentable over the combination of cited references because the combination does not teach or suggest all of the features of the claims, and Roush discusses containers and OS virtualization, not virtual machines and hypervisors. Therefore, Walsh in view of Roush does not teach the claimed “performing, by the hypervisor executed by the processing device, I/O to access the network resource from a networked storage server, wherein the hypervisor comprises code of a network storage client and retrieves the at least one file from the networked storage server to bypass file access controls a host kernel implements on files from the networked storage server.”
Examiner fully considers Applicant’s position, but respectfully disagrees because Walsh discloses,
“Embodiments of the invention provide a mechanism for applying security category labels to multi-tenant applications of a node in a PaaS environment. A method of embodiments of the invention includes receiving, by a virtual machine (VM) executing on a computing device, a custom security type label (STL) and a custom security policy associated with the custom STL, the custom STL and associated custom security policy applied to one or more multi-tenant applications executed by the VM. The method further include receiving a request to initialize an application on the VM, the request identifying the custom STL as an STL to apply to the application, assigning a local UID maintained by the VM to the application, recording a mapping of the assigned local UID to the custom STL, assigning the custom STL to files of the application, and assigning the custom STL to a running process of the application.
Upon receiving a command identifying specific data (e.g., application data and files used to initialize an application on the cloud), the cloud provider 104 retrieves the corresponding data from the image repository 106, creates an instance of it, and loads it to the host 110, 120 to run on top of a hypervisor (not shown) as a VM 111, 112, 121, 122 or within a VM 111, 112, 121, 122. In addition, a command may identify specific data to be executed on one or more of the VMs 111, 112, 121, 122. The command may be received from the cloud controller 108, from a PaaS Provider Controller 130, or a user (e.g., a system administrator) via a console computer or a client machine. The image repository 106 may be local or remote and may represent a single data structure or multiple data structures (databases, repositories, files, etc.) residing on one or more mass storage devices, such as magnetic or optical storage based disks, solid-state drives (SSDs) or hard drives.
Once the application is running 305 on node 232, OS 315 enforces the security policy associated with the custom STL against application 305. The custom STL security policy prevents the application 305 from negatively affecting underlying system resources of the node 232. The security policy consists of custom-tailored rules, which apply to processes having the custom STL type, which dictate actions that the processes may or may not perform. In addition, the security policy applies to allow or prevent actions with respect to the application files identified with the custom STL, regardless of the security context of the process trying to access or manipulate the application files.
Then, at block 430, a request to initialize an application on the node is received. In one embodiment, the request is received at a server orchestration system agent of the node and includes identifying information of the custom STL to assign to the application. At block 440, the application is assigned a unique local UID from the node. Then, at block 450, a mapping between the assigned local UID of the application and the custom STL of the application is recorded on the node. In one embodiment, the mapping is recorded in a UID/STL data store maintained by the node.
Then, at decision block 540, it is determined whether the determined STLs of the requesting process and/or the requested one or more resources are a custom STL for multi-tenant applications on the node. If either of the STLs is a custom STL associated with a multi-tenant application of the node, then method 500 proceeds to block 550 where a custom security policy of the custom STL is applied to either or both of the requesting process and/or the one or more requested resources with the custom STL. The custom security policy applies a plurality of rules tailored to prevent the running process or resources (e.g., files) of the multi-tenant application with the custom STL from harming the underlying system of the node.
For example, the custom security policy may prevent the requesting process (if associated with the custom STL) from running certain commands, such as overwriting a shadow file of the node and/or overwriting a password file of the node. The custom security policy may define the ports of the node that the requesting process may or may not bind to, may dictate what files the requesting process is allowed to search, read, write, and execute, may dictate whether the one or more requested files (if associated with the custom STL) may be searched, read, written to, or executed, may define the outbound access the requesting process is allowed, may force the requesting process to utilize specific applications to read other files, may force any processes requesting the one or more requested files to use a specific application to read or modify those files, may prevent the requesting process from writing to specific portions of the underlying node file system, and so on. Any rule that prevents harm to the underlying system of the node may be included in the custom security policy associated with the custom STL.” (In at least Pars. 15, 25-26, 50, 53, 59-60) 
Therefore, given the broadest reasonable interpretation of the claim in light of the Applicant’s Specification before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, Walsh discloses performing, by the hypervisor executed by the processing device, I/O to access the network resource from a networked storage server, and retrieves the at least one file from the networked storage server, a host kernel implements on files from the networked storage server.  
Walsh does not specifically disclose the requestor client being associated with a second security context label and validating, by the processing device, the request in view of the first security context label, the second security context label and the security context data structure; and authorizing, by the processing device, the virtual machine to access the at least one file responsive to the validating.  Roush discloses,
“Some embodiments may include a tangible storage medium including instructions that can be executed by a computer. The instructions may include the following operations. Providing a security label for a resource of a computer. Configuring a zone and providing the zone with a second security label. The zone may include an application. Providing a kernel, where the kernel is in communication with the resource and the zone. Configuring a global zone, where the global zone is in communication with the kernel. Generating a request from the zone, from an application within the zone, and sending the request to the kernel. Adding data corresponding to the second security label of the zone to the request. Comparing the two security labels, and conditionally allowing the application access to the resource depending on outcome of the comparison of the two security labels. The term “zone” is intended to refer to an environment provided by the operating system, and the environment is a place where user-level software components run. The zone may be run on a single physical machine or a virtual machine. The operating system provides security isolation, application fault isolation, and resource control for the zone.
The administration of a security container, in some embodiments is done from a secure location, such as the global zone. The administrator identifies the security label for the cluster-wide security container and specifies what resources may be available in the cluster-wide security container. The security label data is set up so that it cannot be modified from inside the cluster-wide security container. Each cluster-wide security container may have a unique security label, and all resources within that cluster-wide security container inherit this label. This means that applications, file systems, storage devices, network communication resources within the security container have the security label of the enclosing security container. As a result, processes and data are associated with a particular security label of the enclosing cluster-wide security container. The system controls access to data and system resources based on comparisons of the security labels of users/processes and the data/resources they desire to access.
FIG. 8 is a block diagram illustrating the granting of read/write access right for file systems to zones according to some embodiments. Referring now to FIG. 8, for data file systems that may include more than just binaries for operating software, or more sensitive data, a direct mount is used to load the file system into a number of zones. The global zone 802 may contain three file systems 804, 806, 808 that may be mounted into each zone 810, 812 and 814. The file systems 804, 806 and 808 are mounted under the root of the container of each zone 810, 812 and 814. As a result, this may prevent the file system from being accessed elsewhere and restricts users from sharing the information to users with different security labels.
The global zone 616 sets a security label for a file system 608. The file system 608 may be any type of file system, for instance, a failover file system, cluster file system, and the file system may be accessed read-only or read-write. However, before the file system 608 is accessed, a security check is done by either the kernel 604 or the global zone 616. The security check verifies that the file system 608 is authorized to be accessed by the zone 602. If the file system 608 is not authorized, the file system 608 is not accessed by the zone 602. If the file system 608 may be accessed by the particular zone, then access to file system 608 is allowed. If the file system 608 is a cluster-file system, it may be mounted on multiple machines at the same time. In these embodiments, the global zone 616 or kernel 604 verifies whether the file system 608 may be accessed by the specific different zones, and if so then the file system 608 may be mounted on each zone.” (In at least Pars. 6, 21, 28, 64, 69)
Therefore, given the broadest reasonable interpretation of the claim in light of the Applicant’s Specification before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, Roush discloses the requestor client being associated with a second security context label (Fig. 8; Pars. 6, 28, 69) and validating, by the processing device, the request in view of the first security context label, the second security context label and the security context data structure (Pars. 6, 28, 44-45, 54, 60); and authorizing, by the processing device, the virtual machine to access the at least one file responsive to the validating (Fig. 6; Pars. 6, 20-21, 28, 44-45, 54, 60, 63-65).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the determining of whether the STLs of the requesting process and/or the requested one or more resources are a custom STL for multi-tenant applications on the node and applying a set of rules/permissions to the resources in terms of which processes (e.g., applications) are allowed to perform what actions on the resources (Pars. 42-44, 57-59) of Walsh.  “Express suggestion to substitute one equivalent technique for another need not be present to render such substitution obvious”; In re Fout, 213 USPQ 532 (CCPA 1982); In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007).
Neither Walsh nor Roush explicitly discloses wherein the hypervisor comprises code of a network storage client to bypass file access controls.  Domsch discloses,
“The process depicted by FIG. 6 and above directs network packets to processors based upon the processes running on the processors. In one embodiment, the process is a virtual machine executing on one or more processors to run applications that perform network-supported functions. Virtual machines enhance information handling system resource utilization by defining virtual information handling systems that run over physical information handling system resources. A hypervisor or other operating system runs over the physical components to support execution of separate virtual information handling systems that each support independently-managed functions. For example, a virtual machine supports a virtual private network (VPN) application that runs over a Linux operating system on a virtual processor under the control of a hypervisor to support client network interactions through a VPN. The VPN application and Linux operating systems interact with a virtual processor and virtual network interface card to support VPN communications as if the virtual processor and virtual network interface card are actual physical components, and the hypervisor schedules physical components to perform operations for the VPN application based upon the availability of physical processor and network interface card resources.
Referring now to FIG. 7, a block diagram depicts an example embodiment of an information handling system 700 having plural virtual machines 702 and a network flow assignment manager 704 to direct network packets to physical processing resources of the virtual machine 702 associated with the network packets. Network flow assignment manager 704 maps associations between the information of the network packet and the one or more processes executing on one or more of the plural processors by reference to assignments by a process scheduler 710 of the one or more processes to the plural processors. Information handling system 700 includes physical processing resources that interface with each other to process information, such as plural processors 706 interfaced with a network interface card (NIC) 708 through a system bus, such as a PCIe link. In the example embodiment, each processor 706 is a processor core on a common substrate that processes information; however, in alternative embodiments processors 706 can be processor cores on separate or common substrates such as discussed above. Process scheduler 710 executes over one or more processors 706 to manage scheduling of processes for execution on physical resources. For example, process scheduler 710 is logic in a hypervisor 712 or other operating system that assigns virtual machines 702 to physical resources for execution. In one example embodiment, process scheduler 710 provides flow assignment manager 704 with information about the physical processor core 706 that a process is assigned to execute upon so that flow assignment manager 704 can direct network packets for use by a process to the processor core 706 that is executing the process. For instance, flow assignment manager 704 includes a hash function, indirection table and MSI-X table as depicted by FIG. 2 to perform a hash on a network packet, associate the network packet with a processor 706 running a process associated with the network packet, and interrupt the associated processor 706 to retrieve the network packet for use by the process. In alternative embodiments, flow assignment manager 704 can apply other techniques to direct a network packet to a processor that is running a process that is associated with the network packet.” (In at least Pars. 38-39)
Therefore, given the broadest reasonable interpretation of the claim in light of the Applicant’s Specification before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, Domsch discloses wherein the hypervisor comprises code of a network storage client to bypass file access controls (Fig. 7; Pars. 15, 38-41, 45-46).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the determining of whether the STLs of the requesting process and/or the requested one or more resources are a custom STL.  “Express suggestion to substitute one equivalent technique for another need not be present to render such substitution obvious”; In re Fout, 213 USPQ 532 (CCPA 1982); In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007).

Examiner Comments
Claim 5 recites “used to reference…”, claims 6, 13 and 21 recite “to assign…”, claims 7 and 14 recite “to authorize or reject…”, claim 8 recites “the processor executing the instructions to perform operations to: identify… access… associate… receive… validate… authorize…”, claims 9-10, 14 and 16-17 recite “to determine…”, claims 13 and 21 recite “to receive…”, and claims 11 and 18 recite “to transmit…”; these are all intended use/functional language and do not have patentable weight, as each describes the intended use of the network client code, request, label, determining, memory device, processor, processing device and network client code respectively.  (See MPEP 2103 I C, 2114 IV).

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-3, 5-10, 12-18 and 21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Analysis
In the instant case, claims 1-3 and 5-7 are directed to a method (Process).  Claims 8-10 and 12-14 are directed to a system (Machine) and claims 15-18 and 21 are directed to a non-transitory computer readable medium (Article of manufacture).  Therefore, these claims fall within the four statutory categories of invention.
The claims recite access control, which is an abstract idea.  Specifically, the claims recite “identifying a security context data structure comprising a first security context label, a resource identifier and a plurality of access types, wherein the plurality of access types represent types of access to resource; associating the first security context label with the resource comprising the at least one file; receiving a request to validate an access right of a requestor with respect to the resource, the requestor client being associated with comprising a second security context label; and validating the request in view of the first security context label and second security context label and the security context data structure; performing I/O to access the resource from a storage, and retrieves the at least one file from the storage to bypass file access controls a host implements on files; and authorizing access the at least one file responsive to the validating.” which is grouped within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas in prong one of step 2A of the Alice/Mayo test, such as “managing relationships” (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 54 (January 7, 2019); see pages 7, 10, Alice Corporation Pty. Ltd. v. CLS Bank International, et al., US Supreme Court, No. 13-298, June 19, 2014; 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 53-54 (January 7, 2019)).
This judicial exception is not integrated into a practical application because, when analyzed under prong two of step 2A of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 54-55 (January 7, 2019)), the additional element(s) of the claims such as “a system comprising: a memory device storing security context data and instructions: and a processor operatively coupled to the memory device, the processor executing the instructions to perform operations,” “network,” “remote storage device,” “network client of a hypervisor,” “networked storage server,” “a hypervisor executed by a processing device, wherein the hypervisor comprises code of a storage client,” “a host kernel,” and “virtual machine” merely use a computer as a tool to perform an abstract idea and/or generally link the use of a judicial exception to a particular technological environment.  Specifically, the “a system comprising: a memory device storing security context data and instructions: and a processor operatively coupled to the memory device, the processor executing the instructions to perform operations,” “network,” “remote storage device,” “network client of a hypervisor,” “networked storage server,” “a hypervisor executed by a processing device, wherein the hypervisor comprises code of a storage client,” “a host kernel,” and “virtual machine” perform the steps of identifying a security context data structure comprising a first security context label, a resource identifier and a plurality of access types, wherein the plurality of access types represent types of access to resource; associating the first security context label with the resource comprising the at least one file; receiving a request to validate an access right of a requestor with respect to the resource, the requestor client being associated with comprising a second security context label; and validating the request in view of the first security context label and second security context label and the security context data structure; performing I/O to access the resource from a storage, and retrieves the at least one file from the storage to bypass file access controls a host implements on files; and authorizing access the at least one file responsive to the validating.”  The use of a processor/computer as a tool to implement the abstract idea and/or generally linking the use of the abstract idea to a particular technological environment does not integrate the abstract idea into a practical application because it requires no more than a computer performing functions that correspond to acts required to carry out the abstract idea.  The additional elements do not involve improvements to the functioning of a computer, or to any other technology or technical field (MPEP 2106.05(a)), the claims do not apply or use the abstract idea to effect a particular treatment or prophylaxis for a disease or medical condition (Vanda Memo), the claims do not apply the abstract idea with, or by use of, a particular machine (MPEP 2106.05(b)), the claims do not effect a transformation or reduction of a particular article to a different state or thing (MPEP 2106.05(c)), and the claims do not apply or use the abstract idea in some other meaningful way beyond generally linking the use of the abstract idea to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception (MPEP 2106.05(e) and Vanda Memo).  Therefore, the claims do not, for example, purport to improve the functioning of a
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, when analyzed under step 2B of the Alice/Mayo test (See 2019 Revised Patent Subject Matter Eligibility Guidance, 84 Fed. Reg. 50, 52, 56 (January 7, 2019)), the additional elements of using “a system comprising: a memory device storing security context data and instructions: and a processor operatively coupled to the memory device, the processor executing the instructions to perform operations,” “network,” “remote storage device,” “network client of a hypervisor,” “networked storage server,” “a hypervisor executed by a processing device, wherein the hypervisor comprises code of a storage client,” “a host kernel,” and “virtual machine” to perform the steps amount to no more than using a computer or processor to automate and/or implement the abstract idea of access control.  As discussed above, taking the claim elements separately, the “a system comprising: a memory device storing security context data and instructions: and a processor operatively coupled to the memory device, the processor executing the instructions to perform operations,” “network,” “remote storage device,” “network client of a hypervisor,” “networked storage server,” “a hypervisor executed by a processing device, wherein the hypervisor comprises code of a storage client,” “a host kernel,” and “virtual machine” perform the steps or functions of “identifying a security context data structure comprising a first security context label, a resource identifier and a plurality of access types, wherein the plurality of access types represent types of access to resource; associating the first security context label with the resource comprising the at least one file; receiving a request to validate an access right of a requestor with respect to the resource, the requestor client being associated with comprising a second security context label; and validating the request in view of the first security context label and second security context label and the security context data structure; performing I/O to access the resource from a storage, and retrieves the at least one file from the storage to bypass file access controls a host implements on files; and authorizing access the at least one file responsive to the validating.”  These functions correspond to the actions required to perform the abstract idea.  Viewed as a whole, the combination of elements recited in the claims merely recites the concept of access control.  Therefore, the use of these additional elements does no more than employ the computer as a tool to automate and/or implement the abstract idea.  The use of a computer or processor to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I) (A) (f) & (h)).  Therefore, the claims are not patent eligible.
Dependent claims 2-3, 5-7, 9-10, 12-14, 16-18 and 21 further describe the abstract idea of access control.  The dependent claims do not include additional elements that integrate the abstract idea into a practical application or that provide significantly more than the abstract idea.  Therefore, the dependent claims are also not patent eligible.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person 

Claims 1-3, 5-10, 12-18 and 21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement.  The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 recites “wherein the hypervisor comprises code of a network storage client and retrieves the at least one file from the networked storage server to bypass file access controls a host kernel implements on files from the networked storage server.”  Although the Applicant’s Specification recites,
“Increasingly, many systems today use network based resources, such as a network based storage device (e.g., RBD, Gluster, iSCSI). In some situations, when a network based storage device is used, the virtualized host acts as a network client with respect to communicating with the storage device. For example, the hypervisor process may access a remote network client associated with the network based storage device directly to perform I/O against the device. For a variety of reasons, it is becoming more common to push the network client code into the hypervisor itself, which bypasses the kernel and/or host OS services. Principally, this helps the guest domains obtain a shorter I/O path by being able to connect to the network devices without going through the host OS in order to improve system performance.
The storage device 170 may then perform an access control check for any access attempt to its labeled resource using the second security context unit 172 to validate the security context labels associated with a connecting network client. In one embodiment, when a network client (e.g., one of the VMs 150-154) attempts to access resources of storage device 170 (e.g., read, write, etc.), the device 170 will request that the network client provide its security context label. In other embodiments, the network client may provide its security context label with the request. For example, the network client may use a secure network protocol, such as Internet protocol security (IPsec), to transmit over network 110 a security context label associated with the client to the storage device 170. In an alternative embodiment, the storage device 170 may retrieve a security context label associated with a connecting network client directly from the client by using, for example, a determined interface of the client.
The storage device 170 may then request that the device OS 173 perform the access control check by using the security context unit 172 to apply context policy rules associated with the resource. To apply the context policy rules, the device OS 173 may use the security context data structure 174 of security context unit 172 to identify an entry associated with the security context label of the network client to validate that the client has access to those resources according to the access types in that entry. In this regard, the storage device 170 is not actually interpreting the context policy rules of the host OS 140, rather it is passing security context labels associated with the resource and the client to the device OS 173 which may in turn transmit an authorization or rejection response. The storage device 170 is thus applying mandatory access control checks that are equivalent to those performed when the host OS 140 is accessing local resources, for example, via local files or block devices.” (PGPub, Pars. 16, 32-33, as similarly 17-18, 28, 34-41, 44, 46, 48)
The Applicant's Specification is silent as to this language: it does not disclose that the hypervisor retrieves the at least one file from the networked storage server to bypass file access controls, nor does it disclose file access controls that a host kernel implements on files from the networked storage server.  Therefore, the claim language is not found in the Specification.  (See MPEP 2163 (I) (B)).
Claims 8 and 15 are also rejected on the same rationale, as each recites similar language.
Claims 2-3, 5-7, 9-10, 12-14, 16-18 and 21 are also rejected, as each depends on claims 1, 8 and 15, respectively.
Claims 6, 13 and 21 recite "…wherein the request is related to an additional requestor client of an additional virtual machine and comprising an additional security context label associated with the additional requestor client."  However, the Applicant's Specification is silent as to this language.  Therefore, the claim language is not found in the Specification.  (See MPEP 2163 (I) (B)).
Claims 7 and 14 are also rejected, as each depends on claims 6 and 13, respectively.
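The specification passage quoted in the 112(a) rejection above describes a storage device that labels its resources, receives a security context label with each connecting client's request, and answers authorize or reject by matching the (client label, resource label) pair against entries in its own security context data structure, while the hypervisor's own network storage client talks to the device directly rather than through the host kernel. The following is an added illustration of that check written for this page; it is not code from the application, the Office Action, or any cited reference. The dictionary-shaped request message, the label names (vm_web_t, web_content_t, and so on), the resource paths, the sample files and the VM-to-label mapping are all constructed assumptions; transport of the label over IPsec is not modelled. It also covers the additional-requestor case of claims 6, 13 and 21 by giving a second VM its own label.

```python
from dataclasses import dataclass

# Access types named in the claims: search, read, write, execute.
ACCESS_TYPES = frozenset({"search", "read", "write", "execute"})


@dataclass(frozen=True)
class ContextEntry:
    """One entry of the security context data structure: the access types a
    requestor carrying client_label may perform on resources carrying
    resource_label. Labels and access sets below are constructed examples."""
    client_label: str
    resource_label: str
    access_types: frozenset


class StorageServer:
    """Networked storage device with its own security context unit.

    It does not interpret the host OS policy; it only matches the label pair
    (client, resource) against its own entries and answers 'authorize' or
    'reject'. Everything not explicitly permitted is rejected."""

    def __init__(self, entries):
        self.entries = {(e.client_label, e.resource_label): e.access_types
                        for e in entries}
        self.resource_labels = {}   # resource identifier -> security context label
        self.files = {}             # resource identifier -> bytes

    def store(self, resource_id, data, label):
        """Store a file and associate a security context label with it."""
        self.files[resource_id] = data
        self.resource_labels[resource_id] = label

    def validate(self, request):
        """Access control check for one request message (assumed dict shape).

        The requestor's label arrives with the request; an unknown access
        type, an unlabelled resource, or a label pair with no entry is
        rejected."""
        access = request.get("access")
        resource_label = self.resource_labels.get(request.get("resource_id"))
        if access not in ACCESS_TYPES or resource_label is None:
            return "reject"
        permitted = self.entries.get(
            (request.get("client_label"), resource_label), frozenset())
        return "authorize" if access in permitted else "reject"

    def do_io(self, request):
        """Perform the requested I/O only after the label check authorizes it."""
        if self.validate(request) != "authorize":
            raise PermissionError(
                f"{request.get('client_label')} may not {request.get('access')} "
                f"{request.get('resource_id')}")
        if request["access"] == "read":
            return self.files[request["resource_id"]]
        if request["access"] == "write":
            data = request.get("data") or b""
            self.files[request["resource_id"]] = data
            return len(data)
        return True   # search/execute carry no payload in this model


class HypervisorStorageClient:
    """Network storage client code pushed into the hypervisor.

    Requests go straight to the storage server, so no host kernel file
    permission check sits on this path; the server's label check is the only
    control applied. Each VM's requestor client carries its own label."""

    def __init__(self, server, vm_labels):
        self.server = server
        self.vm_labels = vm_labels   # vm id -> security context label (assumed)

    def request(self, vm_id, access, resource_id, data=None):
        msg = {"client_label": self.vm_labels[vm_id], "resource_id": resource_id,
               "access": access, "data": data}
        return self.server.do_io(msg)


def build_demo():
    """Constructed sample policy, files and VMs; none of it is from the application."""
    server = StorageServer([
        ContextEntry("vm_web_t", "web_content_t", frozenset({"search", "read"})),
        ContextEntry("vm_db_t", "db_data_t", frozenset({"search", "read", "write"})),
    ])
    server.store("/export/www/index.html", b"<html>hello</html>", "web_content_t")
    server.store("/export/db/data.img", b"\x00" * 16, "db_data_t")
    server.files["/export/scratch.bin"] = b"unlabelled"   # stored with no label
    hv = HypervisorStorageClient(server, {"vm1": "vm_web_t", "vm2": "vm_db_t"})
    return server, hv


def decision(hv, vm_id, access, resource_id, data=None):
    """Run one request through the hypervisor client and report the outcome."""
    try:
        hv.request(vm_id, access, resource_id, data)
        return "authorize"
    except PermissionError:
        return "reject"


if __name__ == "__main__":
    server, hv = build_demo()
    for vm, access, res in [("vm1", "read", "/export/www/index.html"),
                            ("vm1", "write", "/export/www/index.html"),
                            ("vm1", "read", "/export/db/data.img"),
                            ("vm2", "write", "/export/db/data.img"),
                            ("vm2", "read", "/export/scratch.bin")]:
        print(vm, access, res, "->", decision(hv, vm, access, res, b"x"))
```

The point of the example is where the decision is made: the hypervisor client never consults the host kernel, so a file the kernel would have protected by its own permissions is only as protected as the server's label table, and a resource stored without a label is unreachable by any client under default deny.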

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

Claims 1-3, 5-10, 12-18 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claim 1 recites "…a host kernel implements on files from the networked storage server," which is a limitation directed to a host kernel.  However, claim 1 is directed to an act performed by a hypervisor executed by a processing device.  It is unclear whether the claim is directed to a hypervisor executed by a processing device alone or in combination with a host kernel.  Therefore, the scope of the claim is unclear.  (See In re Zletz, 893 F.2d 319, 13 USPQ2d 1320 (Fed. Cir. 1989)).
Claims 8 and 15 are also rejected on the same rationale, as each recites a similar limitation.
Claims 2-3, 5-7, 9-10, 12-14, 16-18 and 21 are also rejected, as each depends on claims 1, 8 and 15, respectively.
Claim 1 recites "performing, by the hypervisor executed by the processing device, I/O to access the network resource from a networked storage server, wherein the hypervisor comprises code of a network storage client and retrieves the at least one file from the networked storage server to bypass file access controls a host kernel implements on files from the networked storage server."  However, it is unclear to one of ordinary skill in the art whether the claim is directed to what the hypervisor executed by the processing device performs or to what the host kernel implements on files.  Therefore, the scope of the claim is unclear.  (See In re Zletz, 893 F.2d 319, 13 USPQ2d 1320 (Fed. Cir. 1989)).
Claims 8 and 15 are also rejected on the same rationale, as each recites a similar limitation.
Claims 2-3, 5-7, 9-10, 12-14, 16-18 and 21 are also rejected, as each depends on claims 1, 8 and 15, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8-10, 12, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Walsh et al. (US 2013/0227561), Roush et al. (US 2011/0238984) in view of Domsch et al. (US 2013/0104127).
With respect to claims 1, 8 and 15, Walsh discloses a method and a system comprising: 
a memory device storing security context data and instructions (Figs. 1-3, 6; Pars. 18-19, 37, 43, 63-69, 71); and 
a processor operatively coupled to the memory device, the processor executing the instructions to perform operations to (Figs. 1-3, 6; Pars. 18-19, 26, 56, 63-69, 71):
a non-transitory computer readable medium comprising executable instructions that when executed by a processing device, cause the processing device to (Figs. 1-3, 6; Pars. 18-21, 51, 56, 63-69, 71):
identifying, by a hypervisor executed by a processing device, a security context data structure comprising a first security context label (custom STL), a resource identifier (UID) and a plurality of access types (search, read, write, and execute), wherein the plurality of access types represent types of access to resources (Abstract, Figs. 1, 3-5; Pars. 15, 22-23, 26, 42-44, 47-48, 50, 53-54, 58);
identify a security context data structure comprising a first security context label and a plurality of access rules, wherein the plurality of access types represent types of access permitted by a virtual machine to resources associated with the resource identifier (Abstract, Figs. 1, 3-5; Pars. 15, 22-23, 42-44, 47-48, 50, 54, 58-60);
associating, by the hypervisor executed by the processing device, the first security context label with the network resource comprising the at least one file (Figs. 1-4; Pars. 6, 15, 22, 26, 37, 42-45, 48-50, 52-53, 57-60);
receiving, by the processing device executing the hypervisor, a request to validate an access right of a requestor client of the virtual machine with respect to the network resource (Abstract, Fig. 5; Pars. 34, 41, 47-48, 57-61);
performing, by the hypervisor executed by the processing device, I/O to access the network resource from a networked storage server (Figs. 2, 5; Pars. 25-26, 28, 36, 41-43, 50, 59-60, 62), and
retrieving the at least one file from the networked storage server (Pars. 25-26);
file access controls a host kernel implements on files from the networked storage server (Figs. 1, 3, 5; Pars. 22, 25-26, 42, 44, 48, 50, 56-57, 59); and
Walsh does not specifically disclose the requestor client being associated with a second security context label and validating, by the processing device, the request in view of the first ("Express suggestion to substitute one equivalent technique for another need not be present to render such substitution obvious"; In re Fout, 213 USPQ 532 (CCPA 1982), In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
Neither Walsh nor Roush explicitly discloses wherein the hypervisor comprises code of a network storage client to bypass file access controls.  Domsch discloses wherein the hypervisor comprises code of a network storage client to bypass file access controls (Fig. 7; Pars. 15, 38-41, 45-46).  Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the determining of whether the STLs of the requesting process and/or the requested one or more resources are a custom STL for multi-tenant applications on the node and the retrieving of a file from a remote data repository upon receiving a command identifying specific data (Pars. 26, 58) of Walsh and Roush with the hypervisor comprising code of a network storage client to bypass file access controls (Fig. 7; Pars. 15, 38-41, 45-46) of Domsch, in order to apply the custom security policy of the custom STL to either or both of the requesting processes and/or the one or more requested resources with the custom STL for access to resources (Walsh, Par. 59) and to run over an operating system on a virtual processor under the control of a hypervisor to support client network interactions through a VPN (Domsch, Par. 38).  ("Express suggestion to substitute one equivalent technique for another need not be present to render such substitution obvious"; In re Fout, 213 USPQ 532 (CCPA 1982), In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
With respect to claims 2, 9 and 16, Walsh and Roush in view of Domsch disclose all the limitations as described above.  Additionally, Roush discloses wherein the validating comprises determining whether the first security context label and the second security context label correspond with an entry in the security context data structure (Pars. 5-6, 28).
With respect to claims 3, 10 and 17, Walsh and Roush in view of Domsch disclose all the limitations as described above.  Additionally, Roush discloses wherein the validating comprises determining whether at least one of the plurality of access types associated with the entry in the security context data structure corresponds with the access right of the requestor client (Fig. 8; Pars. 5, 28, 33, 69).
With respect to claims 5 and 12, Walsh and Roush in view of Domsch disclose all the limitations as described above.  Additionally, Walsh discloses wherein the associating comprises associating the first security context label with a label used to reference the network resource (Figs. 2-4; Pars. 15, 39, 42-43, 48, 53).

Claims 6-7, 13-14 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Walsh et al. (US 2013/0227561), Roush et al. (US 2011/0238984), Domsch et al. (US 2013/0104127) in view of Von Eicken et al. (US 8,438,654).
With respect to claims 6, 13 and 21, Walsh and Roush in view of Domsch disclose all the limitations as described above.
None of Walsh, Roush and Domsch discloses receiving a request to validate an access right to assign a new security context label with respect to the network resource, wherein the request is related to an additional requestor client of an additional virtual machine and comprising an additional security context label (virtual machine instance identifier) associated ("Express suggestion to substitute one equivalent technique for another need not be present to render such substitution obvious"; In re Fout, 213 USPQ 532 (CCPA 1982), In re Siebentritt, 152 USPQ 618 (CCPA 1967); Ex Parte Smith, 83 USPQ2d 1509 (Bd. Pat. App. & Int. 2007); KSR International Co. v. Teleflex Inc., 82 USPQ2d 1385 (U.S. 2007)).
With respect to claims 7 and 14, Walsh, Roush and Domsch in view of Von Eicken disclose all the limitations as described above.  Additionally, Von Eicken discloses determining whether to authorize or .

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Keagy et al. (US 8,352,608); authorizing a virtual machine to access files by a hypervisor based on validation (Fig. 21; Col. 42, Lines 11-64).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WODAJO GETACHEW whose telephone number is (469)295-9069.  The examiner can normally be reached on M-F 8:00-6:00 CST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Calvin L Hewitt, can be reached on 571-272-6709.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/WODAJO GETACHEW/Examiner, Art Unit 3685

/Mohammad A. Nilforoush/Primary Examiner, Art Unit 3685