Mic security model execute rule

KasperskyOS Community Edition 1.2

Support Send link Get as PDF

Developing security policies > Description of a security policy for a KasperskyOS-based solution > KasperskyOS Security models > Mic security model > Mic security model execute rule

Mic security model execute rule

execute <ExecuteImage | ExecuteLevel>
 
type ExecuteImage =
  { image  : Sid
  , target : Sid
  , level  : Level | ... | ()
  , levelR : Level | ... | ()
  }
 
type ExecuteLevel =
  { image  : Sid | ()
  , target : Sid
  , level  : Level | ...
  , levelR : Level | ... | ()
  }

This assigns the specified integrity level to the target subject and defines the minimum integrity level of subjects and resources from which this subject can receive data (levelR). The code of the target subject is in the image executable file.

If the level field has the value (), the integrity level of the image executable file is assigned to the target subject. If the image field has the value (), the level field must have a value other than ().

If the levelR field has the value (), the levelR integrity level is assumed to be equal to the integrity level of the target subject.

To define the integrity level and levelR, values of the Level type are used. For the definition of the Level type, see "Mic security model create rule".

The rule returns the "granted" result if it assigned the specified integrity level to the target subject and defined the minimum integrity level of subjects and resources from which this subject can receive data (levelR).

The rule returns the "denied" result in the following cases:

The level value exceeds the integrity level of the image executable file.
The level value is incomparable to the integrity level of the image executable file.
The value of levelR exceeds the value of level.
The level and levelR values are incomparable.
An integrity level was not assigned to the image executable file.
The image or target value is outside of the permissible range.

Example:

/* A process of the updater.Manager class will be allowed to start
 * if, at startup initiation, this process will be assigned
 * the integrity level LOW, and the minimum
 * integrity level will be defined for the processes and resources from which this
 * process can received data (LOW). Otherwise the startup of a process
 * of the updater.Manager class will be denied. */
execute src=Einit, dst=updater.Manager, method=main {
    mic.execute { target : dst_sid
                , image : ()
                , level : "LOW"
                , levelR : "LOW"
                }
}

Article ID: ssp_descr_security_models_mic_execute, Last review: May 21, 2024

Page top