The Defer to Kernel
example demonstrates the use of Defer to Kernel and Policy Decision Point patterns.
The Defer to Kernel
example contains three user programs: PictureManager
, ValidPictureClient
and NonValidPictureClient
.
In this example, the ValidPictureClient
and NonValidPictureClient
programs query the PictureManager
program to receive information.
Only the ValidPictureClient
program is allowed to interact with the PictureManager
program.
The KasperskyOS kernel guarantees isolation of running programs (processes).
Control of interaction between programs in KasperskyOS is delegated to the Kaspersky Security Module. The subsystem analyzes each sent request and response and decides whether to allow or deny delivery based on the defined security policy.
A security policy in the Defer to Kernel
example has the following characteristics:
ValidPictureClient
program is explicitly allowed to interact with the PictureManager
program.NonValidPictureClient
program is explicitly not allowed to interact with the PictureManager
program. This means that this interaction is denied (based on the Default Deny principle).Dynamically created IPC channels
The example also demonstrates the capability to dynamically create IPC channels between processes. IPC channels are dynamically created by using a name server, which is a special kernel service provided by the NameServer
program. The capability to dynamically create IPC channels allows you to change the topology of interaction between programs on the fly.
Any program that is allowed to interact with NameServer
via IPC can register its own interfaces in the name server. Another program can request the registered interfaces from the name server, and then connect to the relevant interface.
The security module is used to control interactions via IPC (even those that were created dynamically).
Example files
The code of the example and build scripts are available at the following path:
/opt/KasperskyOS-Community-Edition-<version>/examples/defer_to_kernel
Building and running example
See Building and running examples section.
Page top