US Patent 11281767 Secure system state extraction software extensibility via plugin sandboxing

A sandbox component, operatively coupled to a host and a guest container, the sandbox component securely extends systems data collection software with potentially untrusted third-party code. A secure environment is enabled where plugins will run inside a sidecar container that is separate from a guest container. A container consists of an entire runtime environment: an application, plus its dependencies, libraries and other binaries, and configuration files needed to run it, bundled into one package. A sidecar service is not necessarily part of the application but is connected to the guest container and follows the parent application. A sidecar is independent from its primary application in terms of runtime environment and programming language. The sidecar plugin will be given a sparse/limited set of privileges required to simply perform its intended function and the Linux kernel constructs will control data access and transfer. The Plugin is essentially considered sandboxed as it runs in a sidecar and is fenced in by a set of kernel constructs.