DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding the rejection of claims 1-10 under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Schultz (US 2018/0314846 A1).

Regarding the rejection of claims 11-18 under 35 USC 103:
Applicant's arguments have been fully considered but they are not persuasive.
In response to Applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, Applicant argues (pages 15-18) against the Mayer reference individually with respect to modifying images to include enforcement. However, the Gerebe reference is relied upon for this teaching.
In response to Applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Applicant argues that because the container image of Mayer is “already clean,” there is no reason to modify the image to further include Gerebe’s security agent for enforcement. However, it is considered that there may be good reasons for performing such a combination. For instance, as per the motivation discussed in the 12/21/2021 Office action, it may be desirable for the container to be further protected (e.g., from its host). It is further noted that an otherwise “clean” container may be infected by accessing malicious resources, and that there is therefore a reason to include the additional access control and security agent of Gerebe (i.e., protecting the clean container from accessing unclean resources).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-6 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schultz (US 2018/0314846 A1). 

Regarding claim 1, Schultz discloses: A system for executing one or more operating-system-level virtualization software objects (virtualization containers), comprising (e.g., Fig. 1 and 3 of Schultz): 
at least one hardware processor connected to at least one data communication network interface, and adapted to: 
for each of the one or more virtualization containers: 
execute the virtualization container in at least one isolated process of an operating system, wherein the virtualization container is created from one or more software image files (e.g., [0003]-[0004] of Schultz with respect to containers) modified to include access control information [which is associated and used together with] access rules governing input to and output from the virtualization container, said access control information including a plurality of data patterns, each data pattern comprising at least one output target and an access instruction for execution of access control operations; and 
Refer to at least [0042], [0021], and [0039]-[0041] of Schultz with respect to adding a code integrity policy to a container by adding the policy to a base image of the container. The code integrity policy is used for access control by the container.
while executing the virtualization container, executing code instructions of the virtualization container implementing said access control operations which are configured to: 
identify at least one forbidden input-output (I/O) instruction of the virtualization container, by matching an instruction target of at least one of a plurality of I/O instructions of the virtualization container with at least one output target of at least one data pattern of the plurality of data patterns; and 
Refer to at least [0018]-[0021] of Schultz with respect to the container having access control information such as blacklists and permitted types of access for specific objects, wherein the container enforces the policy during execution. 
Refer to at least [0032]-[0037] of Schultz with respect to enforcing access control by the container.
decline execution of the at least one forbidden I/O instruction.
Refer to at least 188 in FIG. 5 of Schultz with respect to denying requests. 
Although Schultz discloses adding code integrity policy (i.e., [0042] of Schultz) to the container and that access control information is specified to a container (i.e., [0021] of Schultz), it is not clear whether the full suite of access control information is specified within the container image. Accordingly, Schultz does not appear to fully disclose: the container image file(s) modified to include access control information equivalent to access rules governing input to and output from the virtualization container, said access control information including a plurality of data patterns, each data pattern comprising at least one output target and an access instruction for execution of access control operations. However, Schultz in view of Gerebe discloses: the container image file(s) modified to include access control information equivalent to access rules governing input to and output from the virtualization container, said access control information including a plurality of data patterns, each data pattern comprising at least one output target and an access instruction for execution of access control operations. 
Refer to at least FIG. 2A-B, [0021]-[0022], and [0028] of Gerebe with respect to a modified software container image having, embedded within, a security agent and manifest with modified entry point. 
Refer to at least [0018], [0035], and [0042]-[0048] of Gerebe with respect to the security agent of the container implementing policy for access control via operating system hooks.
The teachings of Schultz and Gerebe both concern virtualization and containers, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Schultz to more specifically include all policy information within the container image for at least the purpose of further securing the container from its host (e.g., see at least [0005] of Schultz).

Regarding claim 2, Schultz-Gerebe discloses: The system of claim 1, wherein the at least one hardware processor is adapted to identify at least one forbidden I/O instruction by: identifying at least one I/O instruction of the plurality of I/O instructions of the virtualization container, wherein executing the at least one I/O instruction results in the at least one hardware processor receiving or sending digital data via the at least one data communication network interface; 
Refer to at least [0019]-[0020] of Schultz with respect to, e.g., opening URLs; blacklists.
comparing the instruction target of the at least one I/O instruction to a plurality of output targets of the plurality of data patterns to identify at least one data pattern having at least one output target matching the instruction target according to a target matching test, and having an access instruction forbidding access to the at least one output target; and identifying the at least one I/O instruction as forbidden subject to identifying the at least one data pattern.
Refer to at least [0035]-[0037] and [0040]-[0041] of Schultz with respect to enforcing access control for, e.g., calls to network resources; combining with the code integrity monitor. 
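As an added illustration of the mechanism recited in claims 1 and 2 (data patterns embedded in the image, each with an output target and an access instruction; a target matching test against each I/O instruction; declining forbidden I/O), the following Python is example code written for this discussion, not code from the application or from Schultz, Gerebe or Mayer. The policy file format, the glob-style matching test and the sample targets are assumptions constructed for the example.

```python
"""Illustrative enforcement of image-embedded access patterns (constructed example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class DataPattern:
    """One entry of the access control information: an output target (a glob over a
    URL or file path) and the access instruction to apply when the target matches."""
    target: str
    instruction: str  # "allow" or "deny"


@dataclass(frozen=True)
class IOInstruction:
    """An I/O instruction issued by the container: kind is "net" or "file"; target is
    the instruction target (URL or path) compared against the patterns."""
    kind: str
    target: str


# Constructed policy text, as a build step might write it into the image.
# Format (assumed for this example): "<allow|deny> <target-glob>", '#' starts a comment.
POLICY = """
# deny-list entries first; first matching pattern wins
deny  https://*.pastebin-like.example/*
deny  /var/run/docker.sock
allow https://api.vendor.example/*
allow /app/*
"""


def parse_policy(text: str) -> list[DataPattern]:
    """Parse the embedded policy into data patterns; reject malformed lines loudly."""
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"policy line {lineno}: expected '<allow|deny> <target>', got {raw!r}")
        patterns.append(DataPattern(target=parts[1], instruction=parts[0]))
    return patterns


def matching_pattern(instr: IOInstruction, patterns: list[DataPattern]) -> Optional[DataPattern]:
    """Target matching test: case-sensitive glob match; the first hit decides."""
    for p in patterns:
        if fnmatchcase(instr.target, p.target):
            return p
    return None


def is_forbidden(instr: IOInstruction, patterns: list[DataPattern], default_deny: bool = True) -> bool:
    """An I/O instruction is forbidden when its matching pattern carries a deny
    instruction, or when nothing matches and the policy is default-deny."""
    p = matching_pattern(instr, patterns)
    return default_deny if p is None else p.instruction == "deny"


def run_with_enforcement(instrs, patterns):
    """Execute (here: record) each instruction unless forbidden; return (executed, declined)."""
    executed, declined = [], []
    for instr in instrs:
        (declined if is_forbidden(instr, patterns) else executed).append(instr)
    return executed, declined


# Constructed sample I/O issued by the running container.
SAMPLE_INSTRUCTIONS = [
    IOInstruction("net", "https://api.vendor.example/v1/records"),        # allowed
    IOInstruction("net", "https://files.pastebin-like.example/raw/abc"),  # denied by pattern
    IOInstruction("file", "/var/run/docker.sock"),                        # denied by pattern
    IOInstruction("file", "/app/data.db"),                                # allowed
    IOInstruction("net", "https://unlisted.example/x"),                   # denied by default
]
```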

Regarding claim 3, it is rejected for substantially the same reasons as claims 1-2 above (i.e., the citations concerning network resources / URLs).

Regarding claim 4, it is rejected for substantially the same reasons as claims 1-2 above (i.e., the citations concerning network resources / URLs).

Regarding claim 5, Schultz-Gerebe discloses: The system of claim 1, wherein the at least one hardware processor is adapted to execute the virtualization container by a container platform engine.
Refer to at least FIG. 1 and 3 of Schultz with respect to a container engine. 

Regarding claim 6, it is rejected for substantially the same reasons as claims 1 and 2 above (i.e., the citations concerning comparisons performed and subsequent denial; see at least [0045]-[0047] of Gerebe with respect to the agent implementing operating system hooks via system call replacement).

Regarding independent claim 10, it is substantially similar to independent claim 1 above, and is therefore likewise rejected for substantially the same reasons (i.e., the citations).

Claim 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schultz-Gerebe as applied to claims 1-6 and 10 above, and further in view of Mayer (US 2009/0222880 A1).

Regarding claim 7, Schultz-Gerebe does not disclose the claim fully. However, Schultz-Gerebe in view of Mayer discloses: The system of claim 2, wherein the at least one hardware processor is adapted to execute Security-Enhanced Linux (SELinux), wherein SELinux has a policy; wherein executing the virtualization container comprises for at least one data pattern of the plurality of data patterns: generating a rule comprising the access instruction of the at least one data pattern; generating at least one label mapping the at least one output target of the at least one data pattern to the rule; and configuring the SELinux policy with the rule and the at least one label; and wherein the at least one hardware processor is adapted to identify the at least one I/O instruction of the virtualization container, comparing the instruction target of the at least one I/O instruction to a plurality of output targets of the plurality of data patterns, identify the at least one data pattern and decline execution of the at least one forbidden I/O instruction by executing a SELinux method as known in the art for enforcing Mandatory Access Control using the SELinux policy configured with the rule and the at least one label.
Refer to at least [0005], [0008], [0028], [0031]-[0034], and [0038]-[0040] of Mayer with respect to SELinux and configuring associated access control policy; said policy including use of labels; access control via MAC as per the SELinux policy. 
The teachings of Mayer concern virtual container access control policy and enforcement and are considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Schultz-Gerebe to further include support for policy setting for at least the purposes outlined in [0005]-[0007] of Mayer.

Claims 8-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schultz-Gerebe as applied to claims 1-6, and 10 above, and further in view of Official Notice.

Regarding claims 8 and 9, Schultz does not specify: wherein the plurality of data patterns comprises at least one data pattern defined according to Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and wherein the plurality of data patterns comprises at least one data pattern defined according to European Union (EU) General Data Protection Regulation (GDPR). However, the examiner hereby takes official notice that both HIPAA and GDPR are known in the art and it is further known in the art to implement access control policy in view of said HIPAA and GDPR. Accordingly, it would have been obvious to one of ordinary skill in the art to modify the teachings of Schultz-Gerebe to further include support for HIPAA and GDPR because design incentives or market forces provided a reason to make an adaptation, and the invention resulted from application of the prior knowledge in a predictable manner.

Claims 11 and 14-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mayer (US 2009/0222880 A1) in view of Gerebe (US 2019/0213319 A1).

Regarding claim 11, Mayer discloses: A computer implemented method for producing one or more software image files for creating a virtualization container, comprising: 
receiving one or more virtualization container definition files describing the virtualization container; 
Refer to at least [0026]-[0027] of Mayer with respect to configuring virtual containers.
receiving a plurality of access rules governing input to and output from the virtualization container, each comprising at least one first output target and a first access instruction; 
producing a plurality of access patterns equivalent to the plurality of access rules, each comprising at least one second output target and a second access instruction; and 
Refer to at least [0031]-[0034], [0038]-[0040], and [0044]-[0048] of Mayer with respect to configuring access control policy rules for the containers; further reconfiguration based on the configuring. 
producing one or more software image files comprising the plurality of access patterns and digital information for creating the virtualization container.
Refer to at least [0061]-[0062] of Mayer with respect to an installation package based on the configuring.
Mayer does not fully disclose: a first access instruction for implementing first access control operations; a second access instruction for implementing second access control operations, said access patterns defining access policies to be enforced when executing said virtualization container by comparing said access patterns to Input/Output (I/O) instructions being executed by said virtualization container. However, Mayer in view of Gerebe discloses: a first access instruction for implementing first access control operations; a second access instruction for implementing second access control operations, said access patterns defining access policies to be enforced when executing said virtualization container by comparing said access patterns to Input/Output (I/O) instructions being executed by said virtualization container. 
Refer to at least FIG. 2A-B, [0021]-[0022], and [0028] of Gerebe with respect to a modified software container image having, embedded within, a security agent and manifest with modified entry point. 
Refer to at least [0018], [0035], and [0042]-[0048] of Gerebe with respect to the security agent of the container implementing policy for access control via operating system hooks.
The teachings of Mayer and Gerebe both concern virtualization and containers and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Mayer to further include a modified image having an embedded security agent with policy and modified manifest for at least the purpose of increasing the security of operations from within the container via its own dedicated agent.

Regarding claim 14, Mayer-Gerebe discloses: The method of claim 11, wherein the one or more software image files are Docker image files modified to comprise the plurality of access patterns.
Refer to at least [0004] and [0035] of Gerebe with respect to DOCKER image files.
The claim would have been obvious because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., the format / platform used for the image files).

Regarding claim 15, Mayer-Gerebe discloses: The method of claim 11, wherein the plurality of access rules are received via a data communication network interface connected to at least one hardware processor executing the method or by reading the plurality of data patterns from a digital storage connected to the at least one hardware processor.
Refer to at least FIG. 1, [0026], and [0031] of Mayer with respect to policy storage and configuration system details. 

Regarding claims 16-17, they are rejected for substantially the same reasons as claims 11 and 15 above (i.e., the citations).

Regarding claim 18, it is rejected for substantially the same reasons as claim 11 above (i.e., the citations and obviousness rationale).

Claims 12-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mayer-Gerebe as applied to claims 11 and 14-18 above, and further in view of Official Notice.

Regarding claims 8 and 9, Mayer does not specify: wherein the plurality of data patterns comprises at least one data pattern defined according to Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and wherein the plurality of data patterns comprises at least one data pattern defined according to European Union (EU) General Data Protection Regulation (GDPR). However, the examiner hereby takes official notice that both HIPAA and GDPR are known in the art and it is further known in the art to implement access control policy in view of said HIPAA and GDPR. Accordingly, it would have been obvious to one of ordinary skill in the art to modify the teachings of Mayer-Gerebe to further include support for HIPAA and GDPR because design incentives or market forces provided a reason to make an adaptation, and the invention resulted from application of the prior knowledge in a predictable manner.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432