KasperskyOS Community Edition 1.2
- What's new
- About KasperskyOS Community Edition
- Overview of KasperskyOS
- Getting started
- Development for KasperskyOS
- Starting processes
- File systems and network
- Contents of the VFS component
- Creating an IPC channel to VFS
- Including VFS functionality in a program
- Overview: startup parameters and environment variables of VFS
- Mounting file systems when VFS starts
- Using VFS backends to separate data streams
- Creating a VFS backend
- Dynamically configuring the network stack
- IPC and transport
- KasperskyOS API
- Return codes
- libkos library
- Managing handles (handle_api.h)
- Allocating and freeing memory (alloc.h)
- Using DMA (dma.h)
- Managing interrupt processing (irq.h)
- Initializing IPC transport for interprocess communication and managing IPC request processing (transport-kos.h, transport-kos-dispatch.h)
- Initializing IPC transport for querying the security module (transport-kos-security.h)
- Generating random numbers (random_api.h)
- Getting and changing time values (time_api.h)
- Using notifications (notice_api.h)
- Dynamically creating IPC channels (cm_api.h, ns_api.h)
- Using synchronization primitives (event.h, mutex.h, rwlock.h, semaphore.h, condvar.h)
- Managing I/O memory isolation (iommu_api.h)
- Using queues (queue.h)
- Using memory barriers (barriers.h)
- Executing system calls (syscalls.h)
- IPC interrupt (ipc_api.h)
- POSIX support
- Obtaining statistical data on the system
- MessageBus component
- ExecutionManager component
- Building a KasperskyOS-based solution
- Developing security policies
- Formal specifications of KasperskyOS-based solution components
- Description of a security policy for a KasperskyOS-based solution
- General information about a KasperskyOS-based solution security policy description
- PSL language syntax
- Setting the global parameters of a KasperskyOS-based solution security policy
- Including PSL files in a KasperskyOS-based solution security policy description
- Including EDL files in a KasperskyOS-based solution security policy description
- Creating security model objects
- Binding methods of security models to security events
- Creating security audit profiles
- Creating and performing tests for a KasperskyOS-based solution security policy
- PSL data types
- Examples of binding security model methods to security events
- Example descriptions of basic security policies for KasperskyOS-based solutions
- Examples of security audit profiles
- Examples of tests for KasperskyOS-based solution security policies
- KasperskyOS Security models
- Pred security model
- Bool security model
- Math security model
- Struct security model
- Base security model
- Regex security model
- HashSet security model
- StaticMap security model
- StaticMap security model object
- StaticMap security model init rule
- StaticMap security model fini rule
- StaticMap security model set rule
- StaticMap security model commit rule
- StaticMap security model rollback rule
- StaticMap security model get expression
- StaticMap security model get_uncommitted expression
- Flow security model
- Mic security model
- Mic security model object
- Mic security model create rule
- Mic security model delete rule
- Mic security model execute rule
- Mic security model upgrade rule
- Mic security model call rule
- Mic security model invoke rule
- Mic security model read rule
- Mic security model write rule
- Mic security model query_level expression
- Methods of KasperskyOS core endpoints
- Virtual memory endpoint
- I/O endpoint
- Threads endpoint
- Handles endpoint
- Processes endpoint
- Synchronization endpoint
- File system endpoints
- Time endpoint
- Hardware abstraction layer endpoint
- XHCI controller management endpoint
- Audit endpoint
- Profiling endpoint
- I/O memory isolation management endpoint
- Connections endpoint
- Power management endpoint
- Notifications endpoint
- Hypervisor endpoint
- Trusted Execution Environment endpoints
- IPC interrupt endpoint
- CPU frequency management endpoint
- Using the system programs Klog and KlogStorage to perform a security audit
- Security patterns for development under KasperskyOS
- Appendices
- Additional examples
- hello example
- echo example
- ping example
- net_with_separate_vfs example
- net2_with_separate_vfs example
- embedded_vfs example
- vfs_extfs example
- multi_vfs_ntpd example
- multi_vfs_dns_client example
- multi_vfs_dhcpcd example
- mqtt_publisher (Mosquitto) example
- mqtt_subscriber (Mosquitto) example
- gpio_input example
- gpio_output example
- gpio_interrupt example
- gpio_echo example
- koslogger example
- pcre example
- messagebus example
- I2c_ds1307_rtc example
- iperf_separate_vfs example
- Uart example
- spi_check_regs example
- barcode_scanner example
- perfcnt example
- watchdog_system_reset example
- shared_libs example
- Information about certain limits set in the system
- Additional examples
- Licensing
- Data provision
- Glossary
- Application
- Arena chunk descriptor
- Arena descriptor
- Callable handle
- Capability
- CDL
- Client
- Client library of the solution component
- Client Process
- Conditional variable
- Constant part of an IPC message
- Critical section
- Description of a security policy for a KasperskyOS-based solution
- Direct memory access
- DMA
- DMA buffer
- EDL
- Endpoint
- Endpoint ID
- Endpoint Interface
- Endpoint method
- Endpoint Method ID
- Event
- Event mask
- Execute interface
- Formal specification of the KasperskyOS-based solution component
- Handle
- Handle dereferencing
- Handle inheritance tree
- Handle permissions mask
- Handle transport container
- Hardware interrupt
- IDL
- Init description
- Initializing program
- Interface Method
- Interprocess communication
- IPC
- IPC channel
- IPC handle
- IPC message
- IPC message arena
- IPC request
- IPC response
- IPC transport
- KasperskyOS
- KasperskyOS Security Model
- KasperskyOS-based solution
- KasperskyOS-based solution component
- KSM
- KSS
- Listener handle
- Memory barrier
- Message signaled interrupt (MSI)
- MID
- Mutex
- Notification receiver
- OCap
- Operating Performance Point
- OPP
- PAL
- Process
- Program
- PSL
- Read-write lock
- Recursive mutex
- Resource
- Resource consumer
- Resource integrity level
- Resource provider
- Resource transfer context
- Resource transfer context object
- RIID
- Security audit
- Security audit configuration
- Security audit data
- Security audit profile
- Security audit runtime-level
- Security context
- Security event
- Security ID
- Security interface
- Security model expression
- Security model method
- Security model object
- Security model rule
- Security module decision
- Security pattern
- Security pattern system
- Security policy for a KasperskyOS-based solution
- Security template
- Seed
- Semaphore
- Server
- Server library of the solution component
- Server process
- SID
- Subject integrity level
- System program
- System resource
- Thread
- Transport code
- Transport library
- User resource
- User resource context
- Information about third-party code
- Trademark notices
Developing security policies > Description of a security policy for a KasperskyOS-based solution > KasperskyOS Security models > Flow security model > Flow security model allow rule
Flow security model allow rule
allow {sid : <Sid>, states : <Set<State>>}
It verifies that the state of the finite-state machine associated with the sid is in the set of defined states.
It returns the "granted" result if the state of the finite-state machine associated with the sid resource is in the set of defined states.
It returns the "denied" result in the following cases:
- The state of the finite-state machine associated with the
sidresource is not in the set of definedstates. - The
sidresource is not associated with a finite-state machine of the Flow security model object being used. - The
sidvalue is outside of the permissible range.
Example:
/* Any client in the solution is allowed to query a server
* of the Server class if the finite-state machine associated with this server
* is in the started or stopped state. Otherwise any client
* in the solution will be prohibited from querying a server of the Server class. */
request dst=Server {
service_flow.allow {sid : dst_sid, states : ["started", "stopped"]}
}
Article ID: ssp_descr_security_models_flow_allow, Last review: May 21, 2024