The Base security model lets you implement basic logic.
A PSL file containing a description of the Base security model is located in the KasperskyOS SDK at the following path:
toolchain/include/nk/base.psl
Base security model object
The base.psl
file contains a declaration that creates a Base security model object named base
. Consequently, inclusion of the base.psl
file into the solution security policy description will create a Base security model object by default. Methods of this object can be called without indicating the object name.
A Base security model object does not have any parameters.
A Base security model object can be covered by a security audit. There are no audit conditions specific to the Base security model.
It is necessary to create additional objects of the Base security model in the following cases:
Base security model methods
The Base security model contains the following rules:
grant ()
It has a parameter of the ()
type. It returns the "granted" result.
Example:
/* A client of the foo class is allowed
* to query a server of the bar class. */
request src=foo dst=bar { grant () }
assert
<Boolean
>It returns the "granted" result if the true
value is passed via the parameter. Otherwise it returns the "denied" result.
Example:
/* Any client in the solution will be allowed to query a server of the foo class
* by calling the Send method of the net.Net endpoint if the port parameter
* of the Send method will be used to pass a value greater than 80. Otherwise any
* client in the solution will be prohibited from querying a server of the
* foo class by calling the Send method of the net.Net endpoint. */
request dst=foo endpoint=net.Net method=Send { assert (message.port > 80) }
deny
<Boolean | ()
>It returns the "denied" result if the true
or ()
value is passed via the parameter. Otherwise it returns the "granted" result.
Example:
/* A server of the foo class is not allowed to
* respond to a client of the bar class. */
response src=foo dst=bar { deny () }
set_level
<UInt8
>It sets the security audit runtime-level equal to the value passed via this parameter. It returns the "granted" result. (For more details about the security audit runtime-level, see "Describing security audit profiles".)
Example:
/* A process of the foo class will receive the "allowed" decision from the
* Kaspersky Security Module if it calls the
* SetAuditLevel security interface method to change the security audit runtime-level. */
security src=foo method=SetAuditLevel { set_level (message.audit_level) }