DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ray et al. (U.S. Pub. No. 2020/0076792 A1, hereinafter Ray) in view of Subhraveti (U.S. Pub. No. 2018/0007178 A1, hereinafter Subhraveti).
Regarding claim 1.
Ray teaches a system comprising: one or more processors (Ray in Fig. 3 and ¶ [0042] and ¶ [0046] one or more processors 330); and one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations (Ray in Fig. 3, ¶ [0042] and ¶ [0046] server devices 304 also include one or more processors 330, a communication interface 332, one or more storage devices 334, I/O devices 336, and a memory 338 as described above), comprising: executing, on a computing device, a process running in a first container assigned to a first namespace, the first container being assigned a first privilege that restricts access by the first container to the first namespace (note that the restriction of namespace access is equivalent to the claimed “a first privilege”. Ray teaches in ¶ [0032]-[0033] that various types of isolated execution environments are provided. A container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine or virtual machine, and there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. With this restricted view, a container can't access (i.e., “a first privilege”) files not included in its virtualized namespace regardless of their permissions since it cannot see them. Also, see ¶ [0032]); and
executing, on the computing device, a namespace service being assigned a second privilege that allows the namespace service access to the first namespace and a second namespace (note that allowing the container in a namespace is equivalent to the claimed “a second privilege”. Ray teaches in ¶ [0032]-[0033] that a container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine, and there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. Namespace isolation allows (i.e., a second privilege) the host to give each container a virtualized namespace that includes only the resources that it needs); Ray as a whole teaches the process of namespaces related to container technology, but Ray does not use the namespace to create a socket and thus does not explicitly teach receiving, at the namespace service, a request from the process to create a socket in the second namespace to allow the process to communicate with a second container assigned to the second namespace; creating, by the namespace service, the socket in the second namespace; and providing, from the namespace service to the process, a file descriptor associated with the socket.
However, Subhraveti teaches receiving, at the namespace service, a request from the process to create a socket in the second namespace to allow the process to communicate with a second container assigned to the second namespace (Subhraveti teaches in ¶ [0059]-[0061] that a communication endpoint can also be a server listening socket, a virtual interface within a container, a network namespace, etc. (i.e., the network namespace is the claimed “second namespace”) and that the client application 604 can be sitting in a network namespace (i.e., the second namespace) of its own. This namespace may not have any network access but through the host agent 606. The host agent 606 can pass the socket (i.e., allow the process) to the client application, and Subhraveti further teaches in ¶ [0064] that the client application receives the file descriptor and uses it. Even though the client originally asked to create an INET socket, the shim layer would replace the original socket with the UNIX socket received through the file descriptor passing mechanism. These indicate that the host agent passes the created socket to allow the container to establish a communication);
creating, by the namespace service, the socket in the second namespace (Subhraveti teaches in ¶ [0059]-[0061] that a communication endpoint can also be a server listening socket, a virtual interface within a container, a network namespace, etc., that the client application 604 can be sitting in a network namespace (i.e., the second namespace) of its own, and further teaches in ¶ [0064] that although the client originally asked to create an INET socket, the shim layer would replace the original socket with the UNIX socket received through the file descriptor passing mechanism. These indicate that the host agent passes the created socket to allow the container to establish a communication); and
        providing, from the namespace service to the process, a file descriptor associated with the socket (Subhraveti teaches in ¶ [0061] same file-descriptor passing mechanism may also be implemented over another socket family such as Linux's netlink socket family and further teaches in ¶ [0064] that the file descriptor of the UNIX socket is then passed to the client application through the file descriptor passing mechanism available on UNIX systems).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a file descriptor and a socket ([0059]-[0061]) into the teachings of Ray by including the namespace and container ([0032]-[0033]). One would have been motivated to do so since the system of creating a socket and passing its file descriptor improves security and provides the user reliable and flexible access to files and data efficiently.
Regarding claim 2.
        Subhraveti further teaches the namespace service is communicatively coupled to the first namespace and the second namespace via a Unix Domain Socket (UDS) (Subhraveti teaches in ¶ [0061] the client application 604 can be sitting in a network namespace of its own and the host agent 606 is returning a UNIX socket to it. The UNIX socket can behave and appear to the client application to be a TCP/IP socket as querying the file descriptor tells the client application it is a TCP/IP socket); and 
the socket is an Internet Protocol (IP) socket (Subhraveti teaches in ¶ [0054]-[0055] that interaction module 402 can emulate a TCP/IP based BSD API from the application over a UNIX socket, and that the interaction module 402 can also translate a virtual address of the target application used by the application to an appropriate address for communication of the target protocol. For example, applications may use a UNIX socket but believe they are communicating via TCP/IP protocols).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a UNIX socket ([0054]-[0055]) into the teachings of the Ray invention. One would have been motivated to do so so that the user can assign permissions that suit the way he/she wants to set up the system, so that the exchange of data between the process execution system and the host system can be performed more efficiently.
Regarding claim 3. 
            Ray teaches wherein the request includes credentials associated with the process (Ray teaches in ¶ [0049] performing a secure password-based sign-on to a web-based resource controlled by a directory service without passing the credentials to a client device and the secure container ensures that the credentials are not visible to the client device and are not part of any network transmission to the client device), and the operations further comprising determining, at the namespace service, that the process requires access to the second container, based at least in part on the credentials (Ray teaches in ¶ [0049] the secure container ensures that the credentials are not visible to the client device and are not part of any network transmission to the client device and further teaches in ¶ [0033] that there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes).
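The mechanism relied on in the rejections of claims 1 and 3 above (a privileged namespace service that checks the requesting process's credentials, creates a socket on the process's behalf, and returns only a file descriptor over a UNIX domain socket using the SCM_RIGHTS file descriptor passing mechanism) is illustrated by the following added example. It is not code from Ray, Subhraveti, or the applicant; the policy table, the request fields and the function names are assumptions, and the setns(2) step that would place the socket in the second network namespace is described in a comment rather than executed so that the example runs without root.

```python
import array
import socket
import struct

# Constructed policy (assumption, not from either reference): for each
# credential, the namespaces whose sockets that principal may ask for.
POLICY = {
    "svc-a-token": {"ns2"},
}


def handle_request(request, service_end):
    """Namespace-service side: check credentials, create the socket, pass only the fd.

    The process never receives the service's privilege, a path or a port it
    could reuse; it receives one duplicated file descriptor, which is the only
    capability it gains.
    """
    allowed = POLICY.get(request.get("credentials"), set())
    if request.get("namespace") not in allowed:
        service_end.sendmsg([b"DENY"])
        return False
    # A real service would enter the target network namespace here
    # (setns(2) with CLONE_NEWNET, which needs the service's elevated
    # privilege) before calling socket(). That step is skipped so the
    # example runs unprivileged, so the socket lands in the caller's namespace.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", request.get("port", 0)))
    fds = array.array("i", [listener.fileno()])
    service_end.sendmsg([b"OK"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])
    # The kernel duplicated the descriptor into the receiver's queue at send
    # time, so the service drops its own reference immediately.
    listener.close()
    return True


def receive_socket(process_end):
    """Process side: read the reply and rebuild a socket object from the passed fd."""
    msg, ancdata, _flags, _addr = process_end.recvmsg(
        16, socket.CMSG_LEN(struct.calcsize("i")))
    if msg != b"OK":
        return None
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds = array.array("i")
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
            # fileno= lets Python recover family and type from the descriptor.
            return socket.socket(fileno=fds[0])
    return None


def exchange(request):
    """Run one request end to end over a UNIX socketpair standing in for the UDS.

    Returns the bytes the process read from a peer that connected to the socket
    the service created, or None when the request was denied.
    """
    service_end, process_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        handle_request(request, service_end)
        listener = receive_socket(process_end)
        if listener is None:
            return None
        try:
            listener.listen(1)
            peer = socket.create_connection(listener.getsockname())
            conn, _ = listener.accept()
            with peer, conn:
                peer.sendall(b"hello via passed descriptor")
                return conn.recv(64)
        finally:
            listener.close()
    finally:
        service_end.close()
        process_end.close()


if __name__ == "__main__":
    print(exchange({"credentials": "svc-a-token", "namespace": "ns2", "port": 0}))
    print(exchange({"credentials": "svc-a-token", "namespace": "ns1"}))
```

The point worth noting from a defensive standpoint is that the credential check in handle_request is the single chokepoint: the confined process can only ever hold descriptors the service chose to create, and it gains nothing of the service's own privilege in the process.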

Regarding claim 4.
       Subhraveti further teaches wherein the request includes an identifier of the second namespace and one or more properties associated with the socket (Subhraveti teaches in ¶ [0069] the shim layer running below a client or a server application can consult the database to convert a virtual identifier to an actual identifier and further teaches in ¶ [0061] that the host agent 606 can create a socket on behalf of the client application. The client application 604 can be sitting in a network namespace of its own. This namespace may not have any network access but through the host agent 606). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a UNIX socket ([0054]-[0055]) into the teachings of the Ray invention. One would have been motivated to do so since a namespace is a communication channel that allows the user to split the logic of his/her application over a single shared connection; for example, he/she may want to create an admin namespace that only authorized users have access to, and the technical effect is achieved by the directory service in providing a more secure single sign-on, thus preventing malicious users from accessing unauthorized web-based resources.
Regarding claim 5. 
      Subhraveti further teaches wherein the second privilege includes root privileges associated with the computing device (Subhraveti teaches in ¶ [0065] the host agent can run as a root user (e.g. have a specified set of privileges)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a root privilege ([0065]) into the teachings of the Ray invention. One would have been motivated to do so so that a root-privileged user can easily access all of the core files without restriction.
Regarding claim 6. 
Subhraveti further teaches the operations further comprising: sending, from the namespace service and to the second namespace, a request to create the socket (Subhraveti teaches in ¶ [0059] that a communication endpoint can also be a server listening socket, a virtual interface within a container, a network namespace, etc., and further teaches in ¶ [0061] that the host agent 606 can create a socket on behalf of the client application. The client application 604 can be sitting in a network namespace of its own. This namespace may not have any network access but through the host agent 606); and
        receiving, at the namespace service and from the second namespace, the file descriptor associated with the socket (Subhraveti further teaches in ¶ [0059] that a communication endpoint can also be a server listening socket, a virtual interface within a container, a network namespace, etc. and further teaches in ¶ [0061] same file-descriptor passing mechanism may also be implemented over another socket family such as Linux's netlink socket family and further teaches in ¶ [0064] that the file descriptor of the UNIX socket is then passed to the client application through the file descriptor passing mechanism available on UNIX systems).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a file descriptor and a socket ([0059]-[0061]) into the teachings of the Ray invention. One would have been motivated to do so since the system of creating a socket and passing its file descriptor provides flexible access to files and data over a network, lets users share resources efficiently, and thus helps to improve security in an efficient manner.
Regarding claim 7. 
        Ray in view of Subhraveti further teaches wherein the socket is a first socket, and the operations further comprising receiving, at the process and from an additional process, a communication via a second socket in the namespace (Ray teaches in ¶ [0033] the process of namespace and the namespace isolation allows the host to give each container a virtualized namespace that includes only the resources that it needs and further Subhraveti in ¶ [0064] within the network namespace the server can seek to create a socket (i.e., second socket) and bind it to certain IP address and a port).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a system of creating a socket ([0064]) into the teachings of the Ray invention. One would have been motivated to do so in order to share resources in a flexible and secure manner.
Regarding claim 8.
Claim 8 incorporates substantively all the limitations of claim 1 in method form and is rejected under the same rationale.
Regarding claim 9.
Claim 9 incorporates substantively all the limitations of claim 3 in method form and is rejected under the same rationale.
Regarding claim 10.
Claim 10 incorporates substantively all the limitations of claim 4 in method form and is rejected under the same rationale.
Regarding claim 11.
Claim 11 incorporates substantively all the limitations of claim 5 in method form and is rejected under the same rationale.
Regarding claim 12.
Claim 12 incorporates substantively all the limitations of claim 6 in method form and is rejected under the same rationale.
Regarding claim 13.
Claim 13 incorporates substantively all the limitations of claim 7 in method form and is rejected under the same rationale.
Regarding claim 14.
Claim 14 incorporates substantively all the limitations of claim 2 in method form and is rejected under the same rationale.
Regarding claim 15. 
Ray teaches a method comprising: executing, on a computing device, a process running in a first container assigned to a first namespace, the first container being assigned a first privilege that restricts access by the first container to the first namespace (note that the restriction of namespace access is equivalent to the claimed “a first privilege”. Ray teaches in ¶ [0032]-[0033] that there are various types of isolated execution environments. A container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine or virtual machine, and there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. With this restricted view, a container can't access (i.e., “a first privilege”) files not included in its virtualized namespace regardless of their permissions since it cannot see them. Also, see ¶ [0032]);
executing, on the computing device, a namespace service being assigned a second privilege that allows the namespace service access to the first namespace and a second namespace (Ray teaches in ¶ [0032]-[0033] that a container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine, and there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. Namespace isolation allows (i.e., a second privilege) the host to give each container a virtualized namespace that includes only the resources that it needs); Ray as a whole teaches the process of namespaces related to container technology, but Ray does not use the namespace to create a socket and thus does not explicitly teach sending, to the namespace service and from the process, a request to create a socket in the second namespace to allow the process to communicate with a second container assigned to the second namespace; and receiving, at the process and from the namespace service, a file descriptor associated with the socket and a third privilege that allows the process to utilize the socket.
However, Subhraveti teaches sending, to the namespace service and from the process, a request to create a socket in the second namespace to allow the process to communicate with a second container assigned to the second namespace (Subhraveti teaches in ¶ [0059] that a communication endpoint can also be a server listening socket, a virtual interface within a container, a network namespace, etc., and further teaches in ¶ [0061] that the host agent 606 can create a socket on behalf of the client application. The client application 604 can be sitting in a network namespace of its own. This namespace may not have any network access but through the host agent 606); and
receiving, at the process and from the namespace service, a file descriptor associated with the socket and a third privilege that allows the process to utilize the socket (Subhraveti teaches in ¶ [0059] that a communication endpoint can also be a server listening socket, a virtual interface within a container, a network namespace, etc., further teaches in ¶ [0061] that the same file-descriptor passing mechanism may also be implemented over another socket family such as Linux's netlink socket family, and further teaches in ¶ [0064] that the file descriptor of the UNIX socket is then passed to the client application through the file descriptor passing mechanism available on UNIX systems).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a file descriptor and a socket ([0059]-[0061]) into the teachings of Ray by including the namespace and container ([0032]-[0033]). One would have been motivated to do so since the system of creating a socket and passing its file descriptor improves security and provides the user reliable and flexible access to files and data efficiently.
Regarding claim 16.
         Ray teaches wherein the first privilege includes more favorable access rights than the second privilege (Ray teaches in ¶ [0028] all subsequent accesses to the resources controlled by the directory service 104 are seamless to the end user and do not require the end user to perform a further sign-on process. The seamless access to the end user indicates the “favorable access right”).
Regarding claim 17. 
       Subhraveti further teaches wherein the socket is a first socket, and further comprising receiving, at the process and from an additional process, a communication via a second socket in the namespace (Subhraveti further teaches in ¶ [0059] and ¶ [0061] the host agent 606 can create a socket on behalf of the client application. The client application 604 can be sitting in a network namespace of its own and in this way, client application 604 can connect to other entities in the network. The client application 604 may have asked for a TCP/IP socket, for example. However, the host agent 606 is returning a UNIX socket to it). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a file descriptor and a socket ([0059]-[0061]) into the teachings of Ray by including seamless access for the end user that does not require the end user to perform a further sign-on process ([0028]). One would have been motivated to do so since the system of creating a socket and passing its file descriptor improves security and improves the user experience.
Regarding claim 18. 
        Subhraveti further teaches wherein the namespace service is communicatively coupled to the first namespace and the second namespace via a Unix Domain Socket (UDS) (Subhraveti teaches in ¶ [0061] the client application 604 can be sitting in a network namespace of its own. This namespace may not have any network access but through the host agent 606. However, the host agent 606 is returning a UNIX socket to it); and 
the socket is an Internet Protocol (IP) socket (Subhraveti teaches in ¶ [0054]-[0055] that interaction module 402 can emulate a TCP/IP based BSD API from the application over a UNIX socket, which is more efficient, and that the interaction module 402 can also translate a virtual address of the target application used by the application to an appropriate address for communication of the target protocol. For example, applications may use a UNIX socket but believe they are communicating via TCP/IP protocols).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a UNIX socket ([0054]-[0055]) into the teachings of the Ray invention. One would have been motivated to do so so that the user can assign permissions that suit the way he/she wants to set up the system, so that the exchange of data between the process execution system and the host system can be performed more efficiently.
Regarding claim 19. 
Ray further teaches wherein the request includes credentials associated with the process, the credentials including an indication that the process requires access to the second container (Ray teaches in ¶ [0049] performing a secure password-based sign-on to a web-based resource controlled by a directory service without passing the credentials to a client device, and that the secure container ensures that the credentials are not visible to the client device and are not part of any network transmission to the client device, and further teaches in ¶ [0033] that there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes).

Regarding claim 20. 
        Subhraveti further teaches receiving, at the process and from an additional process running in the second container, a communication via the socket (Subhraveti teaches in ¶ [0041]-[0042] an application's communications to the platform requesting to create a socket, to connect to the other network entity and/or other control elements of the API can be intercepted).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a file descriptor and a socket ([0041]-[0042]) into the teachings of the Ray invention. One would have been motivated to do so since the system of creating a socket and passing its file descriptor provides flexible access to files and data over a network, shares resources efficiently, and improves security and speed in an efficient manner.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BERHANU SHITAYEWOLDETSADIK whose telephone number is (571)270-7142. The examiner can normally be reached M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise, can be reached on 571-272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BERHANU SHITAYEWOLDETADIK/Examiner, Art Unit 2455