KasperskyOS Community Edition 1.1
- What's new
- About KasperskyOS Community Edition
- Overview of KasperskyOS
- Getting started
- Development for KasperskyOS
- Starting processes
- File systems and network
- Contents of the VFS component
- Creating an IPC channel to VFS
- Building a VFS executable file
- Merging a client and VFS into one executable file
- Overview: arguments and environment variables of VFS
- Mounting a file system at startup
- Using VFS backends to separate file calls and network calls
- Writing a custom VFS backend
- IPC and transport
- KasperskyOS API
- libkos library
- Overview of the libkos library
- Memory
- Memory allocation
- Threads
- KosThreadCallback()
- KosThreadCallbackRegister()
- KosThreadCallbackUnregister()
- KosThreadCreate()
- KosThreadCurrentId()
- KosThreadExit()
- KosThreadGetStack()
- KosThreadOnce()
- KosThreadResume()
- KosThreadSleep()
- KosThreadSuspend()
- KosThreadTerminate()
- KosThreadTlsGet()
- KosThreadTlsSet()
- KosThreadWait()
- KosThreadYield()
- Handles
- Notifications
- Processes
- Dynamically created channels
- Synchronization primitives
- KosCondvarBroadcast()
- KosCondvarDeinit()
- KosCondvarInit()
- KosCondvarSignal()
- KosCondvarWait()
- KosCondvarWaitTimeout()
- KosEventDeinit()
- KosEventInit()
- KosEventReset()
- KosEventSet()
- KosEventWait()
- KosEventWaitTimeout()
- KosMutexDeinit()
- KosMutexInit()
- KosMutexInitEx()
- KosMutexLock()
- KosMutexLockTimeout()
- KosMutexTryLock()
- KosMutexUnlock()
- KosRWLockDeinit()
- KosRWLockInit()
- KosRWLockRead()
- KosRWLockTryRead()
- KosRWLockTryWrite()
- KosRWLockUnlock()
- KosRWLockWrite()
- KosSemaphoreDeinit()
- KosSemaphoreInit()
- KosSemaphoreSignal()
- KosSemaphoreTryWait()
- KosSemaphoreWait()
- KosSemaphoreWaitTimeout()
- DMA buffers
- IOMMU
- I/O ports
- IoReadIoPort8(), IoReadIoPort16(), IoReadIoPort32()
- IoReadIoPortBuffer8(), IoReadIoPortBuffer16(), IoReadIoPortBuffer32()
- IoWriteIoPort8(), IoWriteIoPort16(), IoWriteIoPort32()
- IoWriteIoPortBuffer8(), IoWriteIoPortBuffer16(), IoWriteIoPortBuffer32()
- KnIoPermitPort()
- KnRegisterPort8(), KnRegisterPort16(), KnRegisterPort32()
- KnRegisterPorts()
- Memory-mapped I/O (MMIO)
- Interrupts
- Deallocating resources
- Time
- Queues
- Memory barriers
- Receiving information about CPU time and memory usage
- Sending and receiving IPC messages
- POSIX support
- MessageBus component
- Return codes
- libkos library
- Building a KasperskyOS-based solution
- Developing security policies
- Formal specifications of KasperskyOS-based solution components
- Describing a security policy for a KasperskyOS-based solution
- General information about a KasperskyOS-based solution security policy description
- PSL language syntax
- Describing the global parameters of a KasperskyOS-based solution security policy
- Including PSL files
- Including EDL files
- Creating security model objects
- Binding methods of security models to security events
- Describing security audit profiles
- Describing and performing tests for a KasperskyOS-based solution security policy
- PSL data types
- Examples of binding security model methods to security events
- Example descriptions of basic security policies for KasperskyOS-based solutions
- Example descriptions of security audit profiles
- Example descriptions of tests for KasperskyOS-based solution security policies
- KasperskyOS Security models
- Pred security model
- Bool security model
- Math security model
- Struct security model
- Base security model
- Regex security model
- HashSet security model
- StaticMap security model
- StaticMap security model object
- StaticMap security model init rule
- StaticMap security model fini rule
- StaticMap security model set rule
- StaticMap security model commit rule
- StaticMap security model rollback rule
- StaticMap security model get expression
- StaticMap security model get_uncommited expression
- Flow security model
- Mic security model
- Methods of KasperskyOS core endpoints
- Virtual memory endpoint
- I/O endpoint
- Threads endpoint
- Handles endpoint
- Processes endpoint
- Synchronization endpoint
- File system endpoints
- Time endpoint
- Hardware abstraction layer endpoint
- XHCI controller management endpoint
- Audit endpoint
- Profiling endpoint
- I/O memory management endpoint
- Connections endpoint
- Power management endpoint
- Notifications endpoint
- Hypervisor endpoint
- Trusted Execution Environment endpoints
- IPC interrupt endpoint
- CPU frequency management endpoint
- Security patterns for development under KasperskyOS
- Appendices
- Additional examples
- hello example
- echo example
- ping example
- net_with_separate_vfs example
- net2_with_separate_vfs example
- embedded_vfs example
- embed_ext2_with_separate_vfs example
- multi_vfs_ntpd example
- multi_vfs_dns_client example
- multi_vfs_dhcpcd example
- mqtt_publisher (Mosquitto) example
- mqtt_subscriber (Mosquitto) example
- gpio_input example
- gpio_output example
- gpio_interrupt example
- gpio_echo example
- koslogger example
- pcre example
- messagebus example
- I2c_ds1307_rtc example
- iperf_separate_vfs example
- Uart example
- spi_check_regs example
- barcode_scanner example
- perfcnt example
- Additional examples
- Licensing the application
- Data provision
- Information about third-party code
- Trademark notices
Handle permissions mask
A handle permissions mask has a size of 32 bits and consists of a general part and a specialized part. The general part describes the general rights that are not specific to any particular resource (the flags of these rights are defined in the services/ocap.h header file). For example, the general part contains the OCAP_HANDLE_TRANSFER flag, which defines the permission to transfer the handle. The specialized part describes the rights that are specific to the particular user resource or system resource. The flags of the specialized part's permissions for system resources are defined in the services/ocap.h header file. The structure of the specialized part for user resources is defined by the resource provider by using the OCAP_HANDLE_SPEC() macro that is defined in the services/ocap.h header file. The resource provider must export the public header files describing the structure of the specialized part.
When the handle of a system resource is created, the permissions mask is defined by the KasperskyOS kernel, which applies permissions masks from the services/ocap.h header file. It applies permissions masks with names such as OCAP_*_FULL (for example, OCAP_IOPORT_FULL, OCAP_TASK_FULL, OCAP_FILE_FULL) and OCAP_IPC_* (for example, OCAP_IPC_SERVER, OCAP_IPC_LISTENER, OCAP_IPC_CLIENT).
When the handle of a user resource is created, the permissions mask is defined by the user.
When a handle is transferred, the permissions mask is defined by the user but the transferred access rights cannot be elevated above the access rights of the process.