DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to amendment
This office action is responsive to the amendment filed on 06, 2022. Claims 1, 2, 4, 6-8, 10, 12-15, 17, 18 and 20 have been amended. No new claims have been added or cancelled. Claims 1-20 are presented for examination and remain pending in the application.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4, 6-10 and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ray et al. (US. Pub. No. 2020/0076792 A1, hereinafter Ray) in view of Kashyap (US. Pub. No. 2011/0161988 A1, hereinafter Kashyap) further in view of Honjo (US. Pub. No. 2009/0259634 A1, hereinafter Honjo).
Regarding claim 1.
         Ray teaches a system comprising: one or more processors (Ray in Fig. 3 and Para. [0042] and Para. [0046] one or more processors 330); and one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations (Ray in Fig. 3, Para. [0042] and Para. [0046] server devices 304 also include one or more processors 330, a communication interface 332, one or more storage devices 334, I/O devices 336, and a memory 338 as described above), comprising: executing, on a computing device, a process running in a first container assigned to a first namespace, the first container being assigned a first privilege that restricts access by the first container to the first namespace (note that the restriction of the namespace access equivalent to the claimed “a first privilege”. Ray teaches in Para. [0032]-[0033] various types of isolated execution environments are provided. A container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine or virtual machine and there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. With this restricted view, a container can't access (i.e., “a first privilege”) files not included in its virtualized namespace regardless of their permissions since it cannot see them. Also, see Para. [0032]); 
executing, on the computing device, a namespace service being assigned a second privilege that allows the namespace service access to the first namespace and a second namespace (note that allowing the container in a namespace is equivalent to the claimed “a second privilege”. Ray teaches in Para. [0032]-[0033] a container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine and there are different types of containers where each container type has different isolation requirements; namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. Namespace isolation allows (i.e., a second privilege) the host to give each container a virtualized namespace that includes only the resources that it needs). Ray as a whole teaches the process of namespace related to a container technology but Ray does not use the namespace to create a socket and thus, he does not explicitly teach creating, by the namespace service, a first socket in the first container; receiving, at the namespace service, a request from the process to create a second socket in a second container assigned to the second namespace to allow the process to access the second namespace; creating, by the namespace service, the second socket in the second container; and providing, from the namespace service and to the process via the first socket.
      However, Kashyap teaches creating, by the namespace service, a first socket in the first container (Kashyap teaches in Figs. 1 and 2 and Para. [0006] a first container is created with a first isolated namespace, and a first socket, in listening mode to accept connections, is created in that namespace);
        receiving, at the namespace service, a request from the process to create a second socket in a second container assigned to the second namespace to allow the process to access  the second namespace (Kashyap teaches in Figs. 1 and 2 and Para. [0006] listen mode to accept a connection (i.e., receiving) the namespace and a second socket is created in the second namespace (108) and the second container requests a connection to the first socket (110) created at step (104)); 
      creating, by the namespace service, the second socket in the second container (Kashyap teaches in Para. [0006] second socket is created in the second namespace (108) and the second container requests a connection to the first socket (110) created at step (104). Also, see Para. [0009]-[0010]); and providing, from the namespace service and to the process via the first socket (Kashyap teaches in Para. [0006] second socket is created in the second namespace (108) and the second container requests a connection to the first socket (110)). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including a system of creating a socket in a namespace based on a request ([0006]) into the teachings of the Ray invention. One would have been motivated to do so since the system of creating a socket in a namespace improves the security and thus provides to the user reliable and flexible access to the file and data efficiently.
           Ray in view of Kashyap does not explicitly teach providing a file descriptor associated with the second socket, the file descriptor allowing the process to access the second namespace.
         However, Honjo teaches providing a file descriptor associated with the second socket, the file descriptor allowing the process to access the second namespace (Honjo teaches in Para. [0005]-[0006] in UNIX/LINUX environment, file descriptors are employed as a mechanism for processes and threads to operate an object such as a file and a socket. Allocating a file descriptor to a server socket, server socket listening for connection; Client socket establishing connection to server socket via the file descriptor).
     It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Honjo by including a file descriptor to a server socket to establish a connection ([0005]-[0006]) into the teachings of Ray by including the namespace which contain all the resources that an application can interact with, such as files and further into the teachings of Kashyap invention. One would have been motivated to do so since the system of creating socket in a file descriptor improves the security and provides to the user a reliable and a flexible access to the file and data efficiently.
Regarding claim 2.
        Kashyap further teaches wherein, the namespace service is communicatively coupled to the first namespace and the second namespace via a Unix Domain Socket (UDS) (Kashyap teaches in Para. [0006] a first and a second namespaces communicates and a socket is a software object that connects an application to a network protocol. For example, in an UNIX operating system environment and further narrated in Para. [0041] that the UNIX operating system deals with second socket is created to communicate with the first socket in the networking domain by finding it in the file system domain); and  
      the second socket is an Internet Protocol (IP) socket (Kashyap teaches in Para. [0006] a first and a second namespaces communicates and a socket is a software object that connects an application to a network protocol a program can send and receive TCP/IP messages by opening a socket and reading and writing data to and from the socket).
             It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including UNIX socket and the created socket in a domain system ([0006] and [0041]) into the teachings of Ray in view of Honjo invention. One would have been motivated to do so in order to enable cross container communication, utilizing shared namespace to enable cross-container communication in inter-process communication namespace and improving efficiency of resource utilization. 
Regarding claim 3. 
            Ray teaches wherein the request includes credentials associated with the process (Ray teaches in Para. [0049] performing a secure password-based sign-on to a web-based resource controlled by a directory service without passing the credentials to a client device and the secure container ensures that the credentials are not visible to the client device and are not part of any network transmission to the client device), and the operations further comprising determining, at the namespace service, that the process requires access to the second container, based at least in part on the credentials (Ray teaches in Para. [0049] the secure container ensures that the credentials are not visible to the client device and are not part of any network transmission to the client device and further teaches in Para. [0033] that there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes).
Regarding claim 4.
       Kashyap further teaches wherein the request includes an identifier of the second namespace and one or more properties associated with the socket (Kashyap teaches in Para. [0005] a subsystem object identifier is present and is searchable in a particular instance of the namespace, thereby the same identifier may be used in another namespace without conflict. In effect a namespace allows multiple instances of the same subsystem identifier to exist on the same operating system. Also, see Para. [0027]-[0028]). 
         It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including identifier of namespace ([0005]) into the teachings of Ray in view of Honjo invention. One would have been motivated to do so since a namespace is a communication channel that allows the user to split the logic of his/her application over a single shared connection he/she wants to create an admin namespace that only authorized users have access and the technical effect is achieved by the directory service in providing a more secure single sign-on, thus, preventing malicious users from accessing unauthorized web-based resources.
Regarding claim 6. 
     Kashyap in view of Honjo further teaches the operations further comprising: sending, from the namespace service and to the second namespace, a request to create the second socket (Kashyap teaches in Para. [0033] a socket manager (470) is provided to create a socket in either one of the first or second namespaces (432), (434), respectively); and 
receiving, at the namespace service and from the second namespace, the file descriptor associated with the second socket (Kashyap teaches in Para. [0011] provided to assign the first container to a first set of namespaces and to assign the second container to a second set of namespaces, with the first namespace set being isolated from the second namespace set and further Honjo teaches in Para. [0005]-[0006] a file descriptor to a server socket, server socket listening for connection; Client socket establishing connection to server socket via the file descriptor).
     It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Honjo by including a file descriptor to a server socket to establish a connection ([0005]-[0006]) into the teachings of Ray by including the namespace which contain all the resources that an application can interact with, such as files and further into the teachings of Kashyap invention. One would have been motivated to do so since the system of creating socket in a file descriptor improves the security and provides to the user a reliable and a flexible access to the file and data efficiently.
Regarding claim 7. 
     Ray in view of Kashyap further teaches the operations further comprising receiving, at the process and from an additional process, a communication via the second socket in the second namespace (Ray teaches in Para. [0033] the process of namespace and the namespace isolation allows the host to give each container a virtualized namespace that includes only the resources that it needs and further Kashyap teaches in Para. [0006] second socket is created in the second namespace (108) and the second container requests a connection to the first socket (110)).
        It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including a system of creating socket ([0006]) into the teachings of Ray in view of Honjo invention. One would have been motivated to do so in order to share the resources in a flexible and a secured manner.    
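The mechanism recited in claims 1 to 4 and 7 (a privileged service that creates a socket on a requester's behalf and returns its file descriptor over a Unix domain socket) is shown here as an added example; it is not code from the application or from the cited references. The policy table, the namespace labels `ns-b`/`ns-c` and the `open_in_namespace` stand-in are assumptions; a real service would enter the target network namespace before creating the socket.

```python
import json
import os
import socket
import struct
import threading


def peer_credentials(conn):
    """Return (pid, uid, gid) of the UDS peer as reported by the kernel (Linux SO_PEERCRED)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def open_in_namespace(namespace, props):
    """Hypothetical stand-in for the privileged step. A real namespace service
    would enter the target network namespace (setns(2)) before socket(); here
    the socket is created in the current namespace so the example runs unprivileged."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", props["port"]))
    sock.listen(1)
    return sock


def serve_one(conn, policy):
    """Namespace-service side: authorize one request, create the socket, pass its fd."""
    with conn:
        request = json.loads(conn.recv(4096))
        # Authorize on kernel-supplied credentials, never on fields the caller wrote.
        _pid, uid, _gid = peer_credentials(conn)
        namespace = request.get("namespace")
        props = request.get("properties", {})
        allowed = (
            namespace in policy.get(uid, set())
            and props.get("type") == "stream"
            and isinstance(props.get("port"), int)
        )
        if not allowed:
            conn.sendall(json.dumps({"status": "denied"}).encode())
            return
        target = open_in_namespace(namespace, props)
        try:
            # SCM_RIGHTS: the kernel installs a duplicate descriptor in the receiver.
            socket.send_fds(conn, [json.dumps({"status": "ok"}).encode()], [target.fileno()])
        finally:
            target.close()  # the service drops its own copy after the hand-off


def request_socket(conn, namespace, props):
    """Process side: ask for a socket in `namespace`; return it, or None if refused."""
    conn.sendall(json.dumps({"namespace": namespace, "properties": props}).encode())
    data, fds, _flags, _addr = socket.recv_fds(conn, 4096, 1)
    if json.loads(data).get("status") != "ok" or not fds:
        for fd in fds:
            os.close(fd)
        return None
    return socket.socket(fileno=fds[0])


def ask(policy, namespace):
    """Run one request/response exchange over a fresh AF_UNIX socket pair."""
    service_end, process_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=serve_one, args=(service_end, policy))
    worker.start()
    with process_end:
        got = request_socket(process_end, namespace, {"type": "stream", "port": 0})
    worker.join()
    return got


def run_demo():
    # Constructed policy: the current uid may obtain sockets in "ns-b" only.
    policy = {os.getuid(): {"ns-b"}}
    listener = ask(policy, "ns-b")
    refused = ask(policy, "ns-c")
    granted = listener is not None
    # The received descriptor is a live listening socket the process can accept on.
    with listener, socket.create_connection(listener.getsockname()) as peer:
        accepted, _ = listener.accept()
        with accepted:
            peer.sendall(b"hello")
            echo = accepted.recv(16)
    return {"granted": granted, "denied": refused is None, "echo": echo}


if __name__ == "__main__":
    print(run_demo())
```

Because the descriptor stays valid after the service closes its copy, the process holds access to the second namespace for as long as it keeps that descriptor open, so the authorization check at hand-off is the only enforcement point.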
Regarding claim 8.
Claim 8 incorporates substantively all the limitation of claim 1 in method form and is rejected under the same rationale.
Regarding claim 9.
Claim 9 incorporates substantively all the limitation of claim 3 in method form and is rejected under the same rationale.
Regarding claim 10.
Claim 10 incorporates substantively all the limitation of claim 4 in method form and is rejected under the same rationale.
Regarding claim 12.
Claim 12 incorporates substantively all the limitation of claim 6 in method form and is rejected under the same rationale.
Regarding claim 13.
Claim 13 incorporates substantively all the limitation of claim 7 in method form and is rejected under the same rationale.
Regarding claim 14.
Claim 14 incorporates substantively all the limitation of claim 2 in method form and is rejected under the same rationale.
Regarding claim 15. 
             Ray teaches a method comprising: executing, on a computing device, a process running in a first container assigned to a first namespace, the first container being assigned a first privilege that restricts access by the first container to the first namespace (note that the restriction of the namespace access equivalent to the claimed “a first privilege”. Ray teaches in Para. [0032]-[0033] there are various types of isolated execution environments. A container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine or virtual machine and there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. With this restricted view, a container can't access (i.e., “a first privilege”) files not included in its virtualized namespace regardless of their permissions since it cannot see them. Also, see Para. [0032]); 
executing, on the computing device, a namespace service being assigned a second privilege that allows the namespace service access to the first namespace and a second namespace (Ray teaches in Para. [0032]-[0033] a container is one such isolation execution environment 122 that provides an isolated, resource controlled, portable runtime environment which runs on a host machine and there are different types of containers where each container type has different isolation requirements; namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes. Namespace isolation allows (i.e., a second privilege) the host to give each container a virtualized namespace that includes only the resources that it needs). Ray as a whole teaches the process of namespace related to a container technology but Ray does not use the namespace to create a socket and thus, he does not explicitly teach creating, by the namespace service, a first socket in the first container; sending, to the namespace service and from the process, a request to create a second socket in a second container assigned to the second namespace to allow the process to access the second namespace; and receiving, at the process and from the namespace service via the first socket.
        However, Kashyap teaches creating, by the namespace service, a first socket in the first container (Kashyap teaches in Figs. 1 and 2 and Para. [0006] a first container is created with a first isolated namespace, and a first socket, in listening mode to accept connections, is created in that namespace);
        sending, to the namespace service and from the process, a request to create a second socket in a second container assigned to the second namespace to allow the process to access  the second namespace (Kashyap teaches in Figs. 1 and 2 and Para. [0006] listen mode to accept a connection (i.e., receiving), the namespace and a second socket is created in the second namespace (108) and the second container requests a connection to the first socket (110) created at step (104) and further teaches in Para. [0033] a socket manager (470) is provided to create a socket in either one of the first or second namespaces (432), (434), respectively)); and 
         receiving, at the process and from the namespace service via the first socket (Kashyap teaches in Para. [0006] second socket is created in the second namespace (108) and the second container requests a connection to the first socket (110)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including a system of creating a socket in a namespace based on a request ([0006]) into the teachings of the Ray invention. One would have been motivated to do so since the system of creating a socket in a namespace improves the security and thus provides to the user reliable and flexible access to the file and data efficiently.
        Ray in view of Kashyap does not explicitly teach receiving, at the process a file descriptor associated with the second socket and a third privilege that allows the process to access the second namespace.
     However, Honjo teaches receiving, at the process a file descriptor associated with the second socket and a third privilege that allows the process to access the second namespace (Honjo teaches in Para. [0005]-[0006] in UNIX/LINUX environment, file descriptors are employed as a mechanism for processes and threads to operate an object such as a file and a socket. Allocating a file descriptor to a server socket, server socket listening for connection; Client socket establishing connection to server socket via the file descriptor).
       It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Honjo by including a file descriptor to a server socket to establish a connection ([0005]-[0006]) into the teachings of Ray by including the namespace which contain all the resources that an application can interact with, such as files and further into the teachings of Kashyap invention. One would have been motivated to do so since the system of creating socket in a file descriptor improves the security and provides to the user a reliable and a flexible access to the file and data efficiently.     
Regarding claim 16.
         Ray teaches wherein the first privilege includes more favorable access rights than the second privilege (Ray teaches in Para. [0028] all subsequent accesses to the resources controlled by the directory service 104 are seamless to the end user and do not require the end user to perform a further sign-on process. The seamless access to the end user indicates the “favorable access right”).

Regarding claim 17. 
         Ray in view of Kashyap further teaches receiving, at the process and from an additional process, a communication via the second socket in the second namespace (Ray teaches in Para. [0033] the process of namespace and the namespace isolation allows the host to give each container a virtualized namespace that includes only the resources that it needs and further Kashyap teaches in Para. [0006] second socket is created in the second namespace (108) and the second container requests a connection to the first socket (110)).
        It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including a system of creating socket ([0006]) into the teachings of Ray in view of Honjo invention. One would have been motivated to do so in order to share the resources in a flexible and a secured manner.    
Regarding claim 18. 
        Kashyap further teaches wherein the namespace service is communicatively coupled to the first namespace and the second namespace via a Unix Domain Socket (UDS) (Kashyap teaches in Para. [0006] a first and a second namespaces communicates and a socket is a software object that connects an application to a network protocol. For example, in an UNIX operating system environment and further narrated in Para. [0041] that the UNIX operating system deals with second socket is created to communicate with the first socket in the networking domain by finding it in the file system domain); and 
              the socket is an Internet Protocol (IP) socket (Kashyap teaches in Para. [0006] a first and a second namespaces communicates and a socket is a software object that connects an application to a network protocol a program can send and receive TCP/IP messages by opening a socket and reading and writing data to and from the socket).
          It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including UNIX socket and the created socket in a domain system ([0006] and [0041]) into the teachings of Ray in view of Honjo invention. One would have been motivated to do so in order to enable cross container communication, utilizing shared namespace to enable cross-container communication in inter-process communication namespace and improving efficiency of resource utilization. 
Regarding claim 19. 
Ray further teaches wherein the request includes credentials associated with the process, the credentials including an indication that the process requires access to the second container (Ray teaches in Para. [0049] performing a secure password-based sign-on to a web-based resource controlled by a directory service without passing the credentials to a client device and the secure container ensures that the credentials are not visible to the client device and are not part of any network transmission to the client device, and further teaches in Para. [0033] that there are different types of containers where each container type has different isolation requirements. Namespaces contain all the resources that an application can interact with, such as files, network ports, and the list of running processes).
Regarding claim 20. 
        Kashyap further teaches receiving, at the process and from an additional process running in the second container, a communication via the socket (Kashyap teaches in Para. [0004] providing a way to create and enter containers, an operating system gives applications the illusion of running on a separate machine while at the same time sharing many of the underlying resources and communicating via a socket as narrated in Para. [0006]).
          It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Kashyap by including create and enter containers, an operating system gives applications and a communication socket ([0004] and [0006]) into the teachings of Ray in view of Honjo invention. One would have been motivated to do so since the system of creating socket in a file descriptor provides flexible access to files and data over a network, sharing resources efficiently and improves the security and the speed in an efficient manner.
Claims 5 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Ray in view of Kashyap further in view of Honjo and further in view of Subhraveti (US. Pub. No. 2018/0007178 A1, hereinafter Subhraveti).
Regarding claim 5. Ray in view of Kashyap further in view of Honjo teaches the system of claim 1.
      Ray in view of Kashyap further in view of Honjo does not explicitly teach wherein the second privilege includes root privileges associated with the computing device.
       However, Subhraveti teaches wherein the second privilege includes root privileges associated with the computing device (Subhraveti teaches in Para. [0065] the host agent can run as a root user (e.g. have a specified set of privileges)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Subhraveti by including a root privilege ([0065]) into the teachings of Ray in view of Kashyap further in view of Honjo invention. One would have been motivated to do so in order for the root privilege user to easily access all of the core files without any restriction.
Regarding claim 11.
Claim 11 incorporates substantively all the limitation of claim 5 in method form and is rejected under the same rationale.
Response to Arguments
Applicant argues that the combination of Ray and Subhraveti does not teach or suggest the amended limitations (“creating, by the namespace service, a first socket in the first container”; “receiving, at the namespace service, a request from the process to create a second socket in a second container assigned to the second namespace to allow…”; “creating, by the namespace service, the second socket in the second container namespace”; and “providing, from the namespace service and to the process via the first socket, a file descriptor associated with the second socket,…”) of independent claims 1, 8 and 15. (Remarks. Pages 8-12).
    In response to the above applicant’s arguments, the Examiner reviewed the arguments above and he believes that the amendment changes the scope of previously recited claims and the Examiner has introduced a new prior art of record (Kashyap US. Pub. No. 2011/0161988 A1) and (Honjo US. Pub. No. 2009/0259634 A1) to address the limitations in question above and therefore, the arguments with respect to claims 1, 8, 15 and their dependent claims are moot because the arguments do not apply to the references being used in the current rejection. 
       Furthermore, any remaining arguments are addressed by the response above.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BERHANU SHITAYEWOLDETSADIK whose telephone number is (571)270-7142. The examiner can normally be reached M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached on 5712723865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BERHANU SHITAYEWOLDETADIK/Examiner, Art Unit 2455

/EMMANUEL L MOISE/Supervisory Patent Examiner, Art Unit 2455