Файлы описаний в примере Separate Storage

Описания сущностей

Сущности CertificateManager и UserManager не предоставляют функциональности другим сущностям.

CertificateManager.edl

/* Declares the entity class only. No components are listed, so this
 * description exposes no endpoints for other entities to call. */
entity separate_storage.CertificateManager

UserManager.edl

/* Declares the entity class only. No components are listed, so this
 * description exposes no endpoints for other entities to call. */
entity separate_storage.UserManager

Сущности VfsCertificate и VfsUser предоставляют функциональность для доступа к файловой системе и содержат экземпляр компонента kl.Vfs, поставляемого в составе KasperskyOS Community Edition.

VfsCertificate.edl

/* File-system server entity; init.yaml connects CertificateManager to it.
 * It hosts a single instance of the kl.Vfs component under the name "vfs". */
entity separate_storage.VfsCertificate

components
{
    /* Instance name: component type. */
    vfs: kl.Vfs
}

VfsUser.edl

/* File-system server entity; init.yaml connects UserManager to it.
 * It hosts a single instance of the kl.Vfs component under the name "vfs". */
entity separate_storage.VfsUser

components
{
    /* Instance name: component type. */
    vfs: kl.Vfs
}

Init-описание

init.yaml

# Entities to start and the IPC channels created for each of them.
# The channel layout is the first half of the storage separation: a client
# entity can only address a server it has a channel to.
entities:

# Client of the user-data store: its only channel goes to VfsUser.
- task: separate_storage.UserManager
  path: UserManager
  name: separate_storage.UserManager
  connections:
  - target: separate_storage.VfsUser
    # Same connection id as CertificateManager uses below; the two clients are
    # kept apart by the channel target, not by the id.
    id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}

# Client of the certificate store: its only channel goes to VfsCertificate.
- task: separate_storage.CertificateManager
  path: CertificateManager
  name: separate_storage.CertificateManager
  connections:
  - target: separate_storage.VfsCertificate
    id: {var: _VFS_CONNECTION_ID, include: vfs/defs.h}

# Both VFS entities are connected to the same ATA driver entity.
# NOTE(review): nothing in this file shows which disk or partition each VFS
# uses, so separation below the VFS layer depends on configuration not shown
# here; confirm.
- task: separate_storage.VfsUser
  path: VfsUser
  name: separate_storage.VfsUser
  connections:
  - target: kl.drivers.ATA
    id: kl.drivers.ATA

- task: separate_storage.VfsCertificate
  path: VfsCertificate
  name: separate_storage.VfsCertificate
  connections:
  - target: kl.drivers.ATA
    id: kl.drivers.ATA

# Driver chain: the ATA driver has a channel to the PCIE driver.
- name: kl.drivers.ATA
  path: ata
  connections:
  - target: kl.drivers.PCIE
    id: kl.drivers.PCIE

# PCIE driver: no outgoing channels are declared.
- name: kl.drivers.PCIE
  path: pcie_hw

Политика безопасности решения

security_x86.psl

/* Include internal and external security policies. */
use internal._
use external._

/* Only for x86 platform. */
use EDL kl.drivers.ATA
use EDL kl.drivers.PCIE

/*
 * Driver chain: ATA may send requests to PCIE and receive its responses.
 * NOTE(review): every grant() in this file is unconditional. The rules select
 * only a source and a destination entity, with no endpoint or method, so any
 * call on the pair is allowed. Narrow the rules to the methods actually used
 * before treating this policy as more than an example.
 */
request src=kl.drivers.ATA, dst=kl.drivers.PCIE
{
    grant()
}

response src=kl.drivers.PCIE, dst=kl.drivers.ATA
{
    grant()
}

/* Both drivers may call the kernel (kl.core.Core) and receive its responses. */
request src=kl.drivers.ATA, dst=kl.core.Core
{
    grant()
}

response src=kl.core.Core, dst=kl.drivers.ATA
{
    grant()
}

request src=kl.drivers.PCIE, dst=kl.core.Core
{
    grant()
}

response src=kl.core.Core, dst=kl.drivers.PCIE
{
    grant()
}

/*
 * Both VFS entities may call the same ATA driver entity.
 * NOTE(review): these rules do not distinguish which disk or partition each
 * VFS may reach. Keeping user data and certificates apart below the VFS layer
 * therefore depends on configuration that is not visible here; confirm.
 */
request src=separate_storage.VfsUser, dst=kl.drivers.ATA
{
    grant()
}

response src=kl.drivers.ATA, dst=separate_storage.VfsUser
{
    grant()
}

request src=separate_storage.VfsCertificate, dst=kl.drivers.ATA
{
    grant()
}

response src=kl.drivers.ATA, dst=separate_storage.VfsCertificate
{
    grant()
}

/**
 * The next rule lets the ATA driver interact with the security monitor.
 * It allows the driver to register a new port.
 */
security src=kl.drivers.ATA
{
    grant ()
}

external.psl

use nk.base._

/**
 * This code includes EDL descriptions of the corresponding external
 * (not provided by the SDK) entities.
 */
use EDL separate_storage.UserManager
use EDL separate_storage.CertificateManager
use EDL separate_storage.VfsUser
use EDL separate_storage.VfsCertificate

/**
 * The next rules let the external entities send requests to the KasperskyOS
 * kernel and receive responses, which is what allows them to use system calls.
 * Caution! This rule is strictly for early-stage development as it
 * exposes a variety of system services that can be invoked by an attacker.
 * An audit must be performed to determine the minimal set of methods to allow.
 */
request src=separate_storage.UserManager, dst=kl.core.Core
{
    grant ()
}

response src=kl.core.Core, dst=separate_storage.UserManager
{
    grant ()
}

request src=separate_storage.CertificateManager, dst=kl.core.Core
{
    grant ()
}

response src=kl.core.Core, dst=separate_storage.CertificateManager
{
    grant ()
}

request src=separate_storage.VfsUser, dst=kl.core.Core
{
    grant ()
}

response src=kl.core.Core, dst=separate_storage.VfsUser
{
    grant ()
}

request src=separate_storage.VfsCertificate, dst=kl.core.Core
{
    grant ()
}

response src=kl.core.Core, dst=separate_storage.VfsCertificate
{
    grant ()
}

/**
 * The next rules enable interactions between external entities.
 * Only two pairs are granted: UserManager <-> VfsUser and
 * CertificateManager <-> VfsCertificate. No rule here grants
 * UserManager -> VfsCertificate or CertificateManager -> VfsUser.
 * NOTE(review): the separation relies on the security module denying any
 * interaction that no rule grants; confirm that this default holds for the
 * SDK version in use, and do not add a src-only or dst-only grant that would
 * match the cross pairs.
 */
request src=separate_storage.UserManager, dst=separate_storage.VfsUser
{
    grant ()
}

response src=separate_storage.VfsUser, dst=separate_storage.UserManager
{
    grant ()
}

request src=separate_storage.CertificateManager, dst=separate_storage.VfsCertificate
{
    grant ()
}

response src=separate_storage.VfsCertificate, dst=separate_storage.CertificateManager
{
    grant ()
}

internal.psl

/**
 * This file describes internal (provided by the SDK) entities and their connections.
 */

/**
 * This code includes EDL descriptions of the corresponding internal entities.
 */
use EDL Einit
use EDL kl.core.Core

/**
 * These rules let the KasperskyOS kernel start system entities:
 * the kernel itself and Einit.
 */
execute src=kl.core.Core, dst=kl.core.Core
{
    grant()
}

execute src=kl.core.Core, dst=Einit
{
    grant()
}

/**
 * This rule lets Einit start and initialize the entities specified in the file init.yaml.in.
 * NOTE(review): no dst is given, so the rule is not limited to the entities
 * listed in the init description; presumably it matches any entity Einit
 * tries to start. Confirm, and restrict dst if the set of entities is fixed.
 */
execute src=Einit
{
    grant()
}

/**
 * These rules let Einit send requests to the KasperskyOS kernel and receive
 * responses, which is what allows Einit to use system calls.
 * NOTE(review): the grant is unconditional (no method is selected), the same
 * breadth as the kernel rules for the external entities.
 */
request src=Einit, dst=kl.core.Core
{
    grant()
}

response src=kl.core.Core, dst=Einit
{
    grant()
}
