Matrix binding rules (<match-entry>)

Matrix binding rules are an alternative way to define rules for applying security policies.

This binding method lets you group rules based on individual attributes that characterize an event. For example, you can define a list of policies that are applied to all calls over a specific interface. Another example: you can use one globally declared execute { grant; } statement to allow an entity to start any other entities, without having to specify execute call main = grant; in the configuration of each entity.

In addition, matrix binding rules let you define the active audit profile.

Matrix binding rules can be used within the entity statement as well as outside of it (globally). However, entity statements cannot be within the matrix rules section.

Attributes with the reserved names src (for the source) and dst (for the destination) are used to specify the source and destination of an IPC message to which the rules are applied. If the src and dst attributes are not defined, the matrix rules apply for all entities in the solution. When using matrix rules in the entity section (the entity statement), you must specify whether the entity is the source (src=@) or the destination (dst=@) of the message.

Matrix binding rules may contain embedded sections of binding rules (see the <match-section-inner> element). In embedded sections, you cannot specify the event type (<match-operation>), but you can specify the attributes (<match-attrs>).

Syntax

<match-entry>

::= <match-operation> [<match-attrs>] "{" <match-body> "}"

<match-operation> ::= "request"

| "response"

| "security"

| "execute"

<match-attrs> ::= <match-attr> {"," <match-attr>}

<match-attr> ::= <match-entity>

| <match-message>

| <match-endpoint>

| <match-interface>

| <match-method>

<match-entity> ::= <call-side> "=" <match-entity-value>

<call-side> ::= "src" | "dst"

<match-entity-value> ::= <entity-self> | <entity-name>

<entity-self> :: = "@"

<match-message> ::= "message=" <name-path>

<match-endpoint> ::= "endpoint=" <name-path>

<match-interface> ::= "interface=" <name-path>

<match-method> ::= "method=" <method-name>

<match-body> ::= [<audit-profile>] {<match-body-section>}

<match-body-section> ::= <policy-list> | <match-section-inner>

<match-section-inner> ::= "match" <match-attrs> "{" <match-body> "}"

Elements

<match-operation>

Event type:

  • request – client entity calls the server entity (the client sends a request-message and the server receives it).
  • response – server entity responds to the call of the client entity (the server sends a response-message and the client receives it).
  • security – entity queries Kaspersky Security System via the security interface.
  • execute – entity starts.

<match-attrs>

List of attributes of matrix rules, separated with commas.

<match-entity>

Attributes that specifically define the entity.

<call-side>

The role of the entity in an event.

The src attribute designates the following:

  • Client entity, if the event has the request type.
  • Server entity, if the event has the response type.
  • Entity that initiated a query over the security interface, if the event has the security type.
  • Entity that started another entity, if the event has the execute type.

The dst attribute designates the following:

  • Server entity, if the event has the request type.
  • Client entity, if the event has the response type.
  • The started entity, if the event has the execute type.

<match-entity-value>

Pointer to the entity.

<entity-self>

Special character @ that is applied in matrix binding rules within the entity statement. It is used in the src or dst attributes to specify the entity name from the parent entity statement.

<match-message>

Attribute that specifically defines the full name of the message type, consisting of the component, interface, and method. For example:

message=com.example.ISomething.do

<match-endpoint>

Attribute that specifically defines the name of the component instance and the name of the interface implementation. For example:

endpoint=comp.iface

<match-interface>

Attribute that specifically defines the full name of the interface without the method. For example:

interface=com.example.ISomething

<match-method>

Attribute that specifically defines the method name. It is used for specifying the interface or endpoint attributes.

<match-body>

Body of the statement containing the binding rules.

<audit-profile>

Assignment of the audit profile to all bindings in the current and embedded sections.

<policy-list>

Binding of policies to all relevant calls defined by attributes in the current section and parent sections.

It is fully analogous to the right part of bindings in the sections of entities.

<match-section-inner>

Section of embedded matrix binding rules.

Inherits the event type, attributes, and audit profile from the parent section.

Example

use audit empty;

/* Allows all entities to send responses. Indicating an "empty" audit profile means that information about responses will not be recorded in the event log. */

response {

audit empty;

grant;

}

/* Defines the rules applied when the "client" calls the "server".

In contrast to bindings in the entity configuration, these rules will apply

only in relation to the specified entities and will not be combined with the configuration

of the second entity.

*/

request src=com.example.client, dst=com.example.server {

/* Embedded section that specifies the interaction of the entities indicated above.

The rules within this section are applied when the "do_something" method is called.

*/

match message=com.example.api.IServer.do_something { grant; }

/* This entry is equivalent to the preceding one. */

match interface=com.example.api.IServer {

match method=do_something {

grant;

}

}

}

/* Statement informing the compiler that entities exist.

The rules for binding to security policies are defined from outside. */

entity com.example.client;

entity com.example.server {

/* Section with matrix binding rules within the entity configuration.

The entity takes the request destination role (server),

which provides the capability to use the "endpoint" attribute. */

request dst=@, endpoint=tst.impl {

/* In accordance with the EDL, CDL, and IDL descriptions,

will check the availability of implementations and the specified

method at the "server" entity.

*/

match method=do_something_else { grant; }

}

}

Page top