Description files in the Separate Storage example

Entity descriptions

The CertificateManager and UserManager entities do not provide functionality to other entities.

CertificateManager.edl

entity separate_storage.CertificateManager

UserManager.edl

entity separate_storage.UserManager

The VfsCertificate and VfsUser entities provide functionality for accessing the file system and contain an instance of the kl.Vfs component provided in the KasperskyOS Community Edition.

VfsCertificate.edl

entity separate_storage.VfsCertificate

components

{

vfs: kl.Vfs

}

VfsUser.edl

entity separate_storage.VfsUser

components

{

vfs: kl.Vfs

}

Init description

init.yaml

entities:

- task: separate_storage.UserManager

path: UserManager

name: separate_storage.UserManager

connections:

- target: separate_storage.VfsUser

id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}

- task: separate_storage.CertificateManager

path: CertificateManager

name: separate_storage.CertificateManager

connections:

- target: separate_storage.VfsCertificate

id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}

- task: separate_storage.VfsUser

path: VfsUser

name: separate_storage.VfsUser

connections:

- target: kl.drivers.ATA

id: kl.drivers.ATA

- task: separate_storage.VfsCertificate

path: VfsCertificate

name: separate_storage.VfsCertificate

connections:

- target: kl.drivers.ATA

id: kl.drivers.ATA

- name: kl.drivers.ATA

path: ata

connections:

- target: kl.drivers.PCIE

id: kl.drivers.PCIE

- name: kl.drivers.PCIE

path: pcie_hw

Solution security policy

security_x86.psl

/* Includes internal and external security policies. */

use internal._

use external._

/* Only for the x86 platform. */

use EDL kl.drivers.ATA

use EDL kl.drivers.PCIE

request src=kl.drivers.ATA, dst=kl.drivers.PCIE

{

grant()

}

response src=kl.drivers.PCIE, dst=kl.drivers.ATA

{

grant()

}

request src=kl.drivers.ATA, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=kl.drivers.ATA

{

grant()

}

request src=kl.drivers.PCIE, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=kl.drivers.PCIE

{

grant()

}

request src=separate_storage.VfsUser, dst=kl.drivers.ATA

{

grant()

}

response src=kl.drivers.ATA, dst=separate_storage.VfsUser

{

grant()

}

request src=separate_storage.VfsCertificate, dst=kl.drivers.ATA

{

grant()

}

response src=kl.drivers.ATA, dst=separate_storage.VfsCertificate

{

grant()

}

/**

* The following policy lets the ATA driver interact with the security monitor.

* It enables registration of a new port.

*/

security src=kl.drivers.ATA

{

grant ()

}

external.psl

use nk.base._

/**

* This code includes EDL descriptions of corresponding external

* entities (not provided by the SDK).

*/

use EDL separate_storage.UserManager

use EDL separate_storage.CertificateManager

use EDL separate_storage.VfsUser

use EDL separate_storage.VfsCertificate

/**

* The following code lets external entities send requests to the KasperskyOS kernel

* and receive responses. It makes it possible for external entities to use system calls.

* Caution! This rule is strictly for early-stage development because it

* exposes a variety of system services that could be invoked by an attacker.

* An audit must be performed to determine the minimal set of methods to allow.

*/

request src=separate_storage.UserManager, dst=kl.core.Core

{

grant ()

}

response src=kl.core.Core, dst=separate_storage.UserManager

{

grant ()

}

request src=separate_storage.CertificateManager, dst=kl.core.Core

{

grant ()

}

response src=kl.core.Core, dst=separate_storage.CertificateManager

{

grant ()

}

request src=separate_storage.VfsUser, dst=kl.core.Core

{

grant ()

}

response src=kl.core.Core, dst=separate_storage.VfsUser

{

grant ()

}

request src=separate_storage.VfsCertificate, dst=kl.core.Core

{

grant ()

}

response src=kl.core.Core, dst=separate_storage.VfsCertificate

{

grant ()

}

/**

* The following policy enables interactions between external entities.

*/

request src=separate_storage.UserManager, dst=separate_storage.VfsUser

{

grant ()

}

response src=separate_storage.VfsUser, dst=separate_storage.UserManager

{

grant ()

}

request src=separate_storage.CertificateManager, dst=separate_storage.VfsCertificate

{

grant ()

}

response src=separate_storage.VfsCertificate, dst=separate_storage.CertificateManager

{

grant ()

}

internal.psl

/**

* This file describes internal entities (provided by the SDK) and their connections.

*/

/**

* This code includes EDL descriptions of corresponding internal entities.

*/

use EDL Einit

use EDL kl.core.Core

/**

* This policy lets the KasperskyOS kernel start system entities.

*/

execute src=kl.core.Core, dst=kl.core.Core

{

grant()

}

execute src=kl.core.Core, dst=Einit

{

grant()

}

/**

* This statement enables startup and initialization of entities specified in the file init.yaml.in.

*/

execute src=Einit

{

grant()

}

/**

* This code lets you send requests from the Einit entity to the KasperskyOS kernel and receive

* responses. It makes it possible for Einit to use system calls.

*/

request src=Einit, dst=kl.core.Core

{

grant()

}

response src=kl.core.Core, dst=Einit

{

grant()

}

Page top