The Defer to Kernel example demonstrates the use of the Defer to Kernel and Policy Decision Point patterns.
The Defer to Kernel example contains three user entities: PictureManager, ValidPictureClient and NonValidPictureClient.
In this example, the ValidPictureClient and NonValidPictureClient entities query the PictureManager entity to receive information.
Only the ValidPictureClient entity is allowed to interact with the PictureManager entity.
The KasperskyOS kernel guarantees isolation of entities.
Control of interaction between entities in KasperskyOS is delegated to the Kaspersky Security Module. The subsystem analyzes each sent request and response and decides whether to allow or deny delivery based on the defined security policy.
A security policy in the Defer to Kernel example has the following characteristics:
Dynamically created IPC channels
The example also demonstrates the capability to dynamically create IPC channels between entities. IPC channels are dynamically created by using a name server, which is a special kernel service provided by the NameServer entity. The capability to dynamically create IPC channels allows you to change the topology of interaction between entities on the fly.
Any entity that is allowed to interact with NameServer via IPC can register its own interfaces in the name server. Another entity can request the registered interfaces from the name server, and then connect to the relevant interface.
The security module controls all interactions via IPC, including those over channels that were created dynamically.
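The point above, that a dynamically created channel is still subject to the security policy, shown as a small C model. This is an added example, not code from the KasperskyOS example or SDK: the functions decide, ns_register, ns_connect and call, the policy table and the interface name picture_manager.iface are hypothetical, and the model assumes both clients are allowed to query the name server.

```c
#include <stdio.h>
#include <string.h>

enum verdict { DENY, ALLOW };
enum kind { REQUEST, RESPONSE };
struct rule { const char *client, *server; };
/* Constructed policy (hypothetical model): default deny, explicit grants only. */
static const struct rule policy[] = {
    { "PictureManager",        "NameServer" },     /* registers its interface */
    { "ValidPictureClient",    "NameServer" },     /* looks the interface up */
    { "NonValidPictureClient", "NameServer" },     /* assumption: lookup allowed */
    { "ValidPictureClient",    "PictureManager" }, /* the only permitted client */
};

/* Decision point: consulted for every request and every response. */
enum verdict decide(const char *from, const char *to, enum kind k) {
    const char *client = (k == REQUEST) ? from : to;
    const char *server = (k == REQUEST) ? to : from;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].client, client) && !strcmp(policy[i].server, server))
            return ALLOW;
    return DENY;
}

static const char *reg_iface, *reg_owner; /* toy name server: one entry */
int ns_register(const char *owner, const char *iface) {
    if (decide(owner, "NameServer", REQUEST) != ALLOW) return -1;
    reg_owner = owner; reg_iface = iface;
    return 0;
}

/* Dynamic channel creation: returns the peer entity, or NULL. */
const char *ns_connect(const char *client, const char *iface) {
    if (decide(client, "NameServer", REQUEST) != ALLOW) return NULL;
    return (reg_iface && !strcmp(reg_iface, iface)) ? reg_owner : NULL;
}

/* Enforcement: holding a channel does not imply delivery. 0 = delivered. */
int call(const char *client, const char *server) {
    if (!server || decide(client, server, REQUEST) != ALLOW) return -1;
    return decide(server, client, RESPONSE) == ALLOW ? 0 : -1;
}

int main(void) {
    const char *i = "picture_manager.iface"; /* constructed interface name */
    ns_register("PictureManager", i);
    printf("valid=%d ", call("ValidPictureClient", ns_connect("ValidPictureClient", i)));
    printf("non-valid=%d\n", call("NonValidPictureClient", ns_connect("NonValidPictureClient", i)));
}
```

In this model NonValidPictureClient obtains a channel from the name server, but its request is still denied at delivery time because no rule grants it access to PictureManager.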
Building the example
The example is built using the CMake build system that is included in KasperskyOS Community Edition.
Files containing the code of the example and build scripts are available at the following path:
/opt/KasperskyOS-Community-Edition-<version>/examples/defer_to_kernel
To build and run the example, run the following script:
/opt/KasperskyOS-Community-Edition-<version>/examples/defer_to_kernel/cross-build.sh