create { source : <Sid>
, target : <Sid>
, container : <Sid | ()>
, driver : <Sid>
, level : <Level | ... | ()>
}
Assign the specified integrity level to the target resource in the following situation:
source process initiates creation of the target resource.target resource is managed by the driver subject, which is the resource provider or the KasperskyOS kernel.container resource is a container for the target resource (for example, a directory is a container for files and/or other directories).If the container field has the value (), the target resource is considered to be the root resource, which means that it has no container.
To define the integrity level, values of the Level type are used:
type Level = LevelFull | LevelNoCategory
type LevelFull =
{ degree : Text | ()
, categories : List<Text> | ()
}
type LevelNoCategory = Text
The rule returns the "granted" result if a specific integrity level was assigned to the target resource.
The rule returns the "denied" result in the following cases:
level value exceeds the integrity level of the source process, driver subject or container resource.level value is incomparable to the integrity level of the source process, driver subject or container resource.source process, driver subject, or container resource.source, target, container or driver is outside of the permissible range.Example:
/* A server of the updater.Realmserv class will be allowed to respond to
* queries of any client in the solution calling the resolve method
* of the realm.Reader endpoint if the resource whose creation is requested
* by the client will be assigned the LOW integrity level during response initiation.
* Otherwise a server of the updater.Realmserv class will be prohibited from responding to
* queries of any client calling the resolve method of the realm.Reader endpoint. */
response src=updater.Realmserv,
endpoint=realm.Reader {
match method=resolve {
mic.create { source : dst_sid
, target : message.handle.handle
, container : ()
, driver : src_sid
, level : "LOW"
}
}
}
Page top