Critical changes in version 1.3

Due to modifications made to SDK components in version 1.3, you may need to make changes to the application code that was developed using KasperskyOS Community Edition version 1.2 before using that code with KasperskyOS Community Edition version 1.3.

The following critical changes were made to SDK components in version 1.3:

• Removed support for performance counters from the KasperskyOS kernel in the SDK.
• Declarations of the following functions were removed from the SDK: fork, exec*, popen*, and pclose. Use of these functions will result in an error during a build.
• Specifying an invalid name of an IPC channel in the init.yaml.in file template will result in an error during a build.
• The toolchain included in the SDK now uses the Clang compiler.
• TLS 1.3 algorithms are now included in the Mbed-TLS component. You must call the psa_crypto_init() function before you use the hashing mechanisms for the first time. To ensure correct operation of the Mbed-TLS library, all you have to do is add the psa_crypto_init() call before calling any Mbed-TLS function for the first time. This function can be called any number of times. If the first call is successful, all other calls will also be successful.
• Changes to the kdf library:
  • The KdfGetDeviceFromContainer() and KdfEnumContainerNames() functions have been removed.
  • The KdfGetDeviceListByTarget() and KdfGetDeviceListByTargetSet() functions now return a container with a handle of the KdfDevContainerHandle type.
• The obsolete SecurityDisconnect method has been removed from the Handle.idl kernel interface.
• The configuration parameter VFS_BUFFER_SPLIT_SIZE has been removed. VFS will use VFS_BUFFER_SIZE as the upper limit when transmitting data in an IPC arena. The new parameter VFS_BUFSIZ is being implemented to configure the size of the I/O buffer (setbuf). You will be able to use MDL buffers to read/write large-sized data.
• Support for file access permissions has been added to VFS. When working with files, VFS will now check the file owner bits (S_IRUSR, S_IWUSR, and S_IXUSR) and either allow or deny specific operations. When creating a file and directory, you must verify that all bits are set correctly:
  • The read/write permission bits must be specified for files: open(file, O_RDWR | O_CREAT, (S_IRUSR | S_IWUSR)
  • All three bits must be specified for directories (Read | Write | Execute). The Execute bit provides the capability to search for files in the directory: mkdir(dir, S_IRWXU)

  The open() function lets you create files without specifying these bits, therefore you may encounter a situation in which previously created files may stop opening and instead return an EACCESS error. You can use the chmod() function to change the file permissions.

• In the Driver.idl interface, the GetDeviceEvents() method has been renamed to AwaitDeviceEvents().
• The initializer function kl_drivers_Driver *KdfServerInit(KdfServerData *data) has been replaced with kl_drivers_Driver *KdfServerInit(void).
• The kernel interface Task::FreeSelfEnv has become a stub that returns rcUimplemented, and the KnTaskFreeEnv and KnTaskGetEnv functions are no longer thread-safe.
• Writing to AF_ROUTE sockets is prohibited. Now, if you attempt to write to the AF_ROUTE socket, the EACCESS error is returned. To add/delete routes, you must use ioctl() and the ortentry structure.
• The behavior of the nk_arena_get() call has changed. RTL_NULL is returned only if there is an error. Otherwise, the correct memory pointer is returned even if zero-sized data is received.
• The values of an IDL type "string" must contain a terminating null byte when passed in IPC messages, even if they are empty strings. Strings composed of zero bytes will no longer be considered valid and will be denied by the Kaspersky Security Module.
• Function prototypes have been changed:
  • KosString KosCreateStringEx(KosStringRoot *root, const char *str) was changed to Retcode KosCreateStringEx(KosStringRoot *root, const char *str, KosString *outStr);
  • KosString KosCreateString(const char *str) was changed to Retcode KosCreateString(const char *str, KosString *outStr).
• The kernel interface task.Task now has a new method named GetPid, which is always used when a process is created.

  As a result, the EntityInit(Ex) call will start to return an error when there is a strictly configured security policy with a rigid restriction on methods. You must add the new method to the permitted methods in the policy.

  Example:

  request dst=kl.core.Core {

  match endpoint=task.Task {

  match method=GetPid {

  match src=Einit { grant () }

  }

  }

  }

• An endpoint of the kl.drivers.Driver type has also been added to each SDK-included EDL file containing the kl.drivers.Block endpoint.

  For example, the result will look as follows for ATA.edl:

  entity kl.drivers.ATA

  security kl.drivers.block.Security

  endpoints {

  driver : kl.drivers.Driver

  ata: kl.drivers.Block

  }

• The set of methods of the Block.idl endpoint has been refined:
  • The Fini() method has been removed.
  • The EnumPorts() method has been removed. You should use the GetDeviceList() method of the kl.drivers.Driver endpoint.
  • The Open() method has been removed. You should use the OpenDevice() method of the kl.drivers.Driver endpoint.
  • The Close() method has been removed. You should use the CloseDevice() method of the kl.drivers.Driver endpoint.
• A list of supported codes (MIB) of the sysctl() function has been added. A call with codes that are different from the supported codes is prohibited and returns the ENOSYS code. All authorized codes have been converted into separate interface methods of the VFS component (VfsNetConfig.idl). With security policies, you can permit read-only or write-only by using the valOperation argument of an IPC request (except IpctlForwarding, RtDump, and RtIflist): 0 is for writing, or setting a parameter value, 1 is for reading a parameter, and 2 is for requesting the parameter size)

  The supported codes are listed in the table below.

  Authorized codes of the sysctl() function

  Parameter name	MIB code	VFS interface method
  net.inet.ip.forwarding	CTL_NET, PF_INET, IPPROTO_IP, IPCTL_FORWARDING	IpctlForwarding
  net.inet.ip.mtudisc	CTL_NET, PF_INET, IPPROTO_IP, IPCTL_MTUDISC	IpctlMtudisc
  net.inet.ip.ttl	CTL_NET, PF_INET, IPPROTO_IP, IPCTL_DEFTTL	IpctlTtl
  net.inet.tcp.keepcnt	CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_KEEPCNT	TcpctlKeepcnt
  net.inet.tcp.keepidle	CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_KEEPIDLE	TcpctlKeepidle
  net.inet.tcp.keepintvl	CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_KEEPINTVL	TcpctlKeepintvl
  net.inet.tcp.mss_ifmtu	CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_MSS_IFMTU	TcpctlMssifmtu
  net.inet.tcp.mssdflt	CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_MSSDFLT	TcpctlMssdflt
  net.inet.tcp.recvspace	CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_RECVSPACE	TcpctlRecvspace
  net.inet.tcp.sendspace	CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_SENDSPACE	TcpctlSendspace
  net.inet.udp.recvspace	CTL_NET, PF_INET, IPPROTO_UDP, UDPCTL_RECVSPACE	UdpctlRecvspace
  net.inet.udp.sendspace	CTL_NET, PF_INET, IPPROTO_UDP, UDPCTL_SENDSPACE	UdpctlSendspace
  net.route.rtdump	CTL_NET, PF_ROUTE, NET_RT_DUMP	RtDump
  net.route.rtiflist	CTL_NET, PF_ROUTE, NET_RT_IFLIST	RtIflist
  net.inet.ip.dad_count	CTL_NET, PF_INET, IPPROTO_IP, IPCTL_DAD_COUNT	IpctlDadcount
  kern.hostname	CTL_KERN, KERN_HOSTNAME	KernHostname

Page top