KasperskyOS Community Edition 1.3

Critical changes in version 1.3

Due to modifications made to SDK components in version 1.3, you may need to make changes to the application code that was developed using KasperskyOS Community Edition version 1.2 before using that code with KasperskyOS Community Edition version 1.3.

The following critical changes were made to SDK components in version 1.3:

  • Removed support for performance counters from the KasperskyOS kernel in the SDK.
  • Declarations of the following functions were removed from the SDK: fork, exec*, popen*, and pclose. Use of these functions will result in an error during a build.
  • Specifying an invalid name of an IPC channel in the init.yaml.in file template will result in an error during a build.
  • The toolchain included in the SDK now uses the Clang compiler.
  • TLS 1.3 algorithms are now included in the Mbed-TLS component. You must call the psa_crypto_init() function before the first use of the hashing mechanisms; for correct operation of the Mbed-TLS library it is sufficient to add the psa_crypto_init() call before the first call to any Mbed-TLS function. This function can be called any number of times: if the first call is successful, all subsequent calls will also be successful.
  • Changes to the kdf library:
    • The KdfGetDeviceFromContainer() and KdfEnumContainerNames() functions have been removed.
    • The KdfGetDeviceListByTarget() and KdfGetDeviceListByTargetSet() functions now return a container with a handle of the KdfDevContainerHandle type.
  • The obsolete SecurityDisconnect method has been removed from the Handle.idl kernel interface.
  • The configuration parameter VFS_BUFFER_SPLIT_SIZE has been removed. VFS now uses VFS_BUFFER_SIZE as the upper limit when transmitting data in an IPC arena. The new parameter VFS_BUFSIZ configures the size of the I/O buffer (setbuf). You will be able to use MDL buffers to read/write large amounts of data.
  • Support for file access permissions has been added to VFS. When working with files, VFS now checks the file owner bits (S_IRUSR, S_IWUSR, and S_IXUSR) and allows or denies specific operations accordingly. When creating a file or directory, make sure the required bits are set:
    • The read/write permission bits must be specified for files: open(file, O_RDWR | O_CREAT, (S_IRUSR | S_IWUSR))
    • All three bits must be specified for directories (Read | Write | Execute); the Execute bit is what allows files to be looked up in the directory: mkdir(dir, S_IRWXU)

    The open() function lets you create files without specifying these bits, so files created earlier without them may no longer open and will instead return an EACCES error. You can use the chmod() function to change the file permissions.
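The permission rules above, as an added example in C that is not part of the SDK or the original page: a file and a directory are created with the required owner bits, and an open() that is refused with EACCES (a file created by pre-1.3 code without permission bits) is repaired with chmod() and retried. The paths used are constructed demo values.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create (or reopen) a regular file with explicit owner read/write bits.
 * A file created without these bits would later be refused by VFS with
 * EACCES. Returns 0 on success or -errno on failure. */
int create_rw_file(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Create a directory with all three owner bits (read, write, execute);
 * the execute bit is what allows file lookup inside it. An already
 * existing directory is not treated as an error. */
int create_dir(const char *path)
{
    if (mkdir(path, S_IRWXU) < 0 && errno != EEXIST)
        return -errno;
    return 0;
}

/* Open an existing file for read/write. If the open is refused with EACCES
 * (the file was created without permission bits), repair the owner bits
 * with chmod() and retry once. Returns the descriptor or -errno. */
int open_rw_repairing(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd >= 0)
        return fd;
    if (errno != EACCES)
        return -errno;
    if (chmod(path, S_IRUSR | S_IWUSR) < 0)
        return -errno;
    fd = open(path, O_RDWR);
    return fd >= 0 ? fd : -errno;
}
```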

  • In the Driver.idl interface, the GetDeviceEvents() method has been renamed to AwaitDeviceEvents().
  • The initializer function kl_drivers_Driver *KdfServerInit(KdfServerData *data) has been replaced with kl_drivers_Driver *KdfServerInit(void).
  • The kernel interface Task::FreeSelfEnv has become a stub that returns rcUnimplemented, and the KnTaskFreeEnv and KnTaskGetEnv functions are no longer thread-safe.
  • Writing to AF_ROUTE sockets is prohibited. An attempt to write to an AF_ROUTE socket now returns the EACCES error. To add or delete routes, you must use ioctl() with the ortentry structure.
  • The behavior of the nk_arena_get() call has changed. RTL_NULL is returned only if there is an error. Otherwise, the correct memory pointer is returned even if zero-sized data is received.
  • The values of an IDL type "string" must contain a terminating null byte when passed in IPC messages, even if they are empty strings. Strings composed of zero bytes will no longer be considered valid and will be denied by the Kaspersky Security Module.
  • Function prototypes have been changed:
    • KosString KosCreateStringEx(KosStringRoot *root, const char *str) was changed to Retcode KosCreateStringEx(KosStringRoot *root, const char *str, KosString *outStr);
    • KosString KosCreateString(const char *str) was changed to Retcode KosCreateString(const char *str, KosString *outStr).
  • The kernel interface task.Task now has a new method named GetPid, which is always used when a process is created.

    As a result, the EntityInit(Ex) call will return an error under a strictly configured security policy that restricts the permitted methods. You must add the new method to the permitted methods in the policy.

    Example:

    request dst=kl.core.Core {
        match endpoint=task.Task {
            match method=GetPid {
                match src=Einit { grant () }
            }
        }
    }
  • An endpoint of the kl.drivers.Driver type has also been added to each SDK-included EDL file containing the kl.drivers.Block endpoint.

    For example, the result will look as follows for ATA.edl:

    entity kl.drivers.ATA
    security kl.drivers.block.Security
    endpoints {
        driver : kl.drivers.Driver
        ata : kl.drivers.Block
    }
  • The set of methods of the Block.idl endpoint has been refined:
    • The Fini() method has been removed.
    • The EnumPorts() method has been removed. You should use the GetDeviceList() method of the kl.drivers.Driver endpoint.
    • The Open() method has been removed. You should use the OpenDevice() method of the kl.drivers.Driver endpoint.
    • The Close() method has been removed. You should use the CloseDevice() method of the kl.drivers.Driver endpoint.
  • A list of supported codes (MIB) of the sysctl() function has been added. A call with a code that is not in the list is prohibited and returns the ENOSYS code. All authorized codes have been converted into separate interface methods of the VFS component (VfsNetConfig.idl). In security policies you can permit read-only or write-only access by using the valOperation argument of the IPC request (except for IpctlForwarding, RtDump, and RtIflist): 0 is for writing (setting a parameter value), 1 is for reading a parameter, and 2 is for requesting the parameter size.

    The supported codes are listed in the table below.

    Authorized codes of the sysctl() function

    Parameter name          MIB code                                           VFS interface method
    net.inet.ip.forwarding  CTL_NET, PF_INET, IPPROTO_IP, IPCTL_FORWARDING     IpctlForwarding
    net.inet.ip.mtudisc     CTL_NET, PF_INET, IPPROTO_IP, IPCTL_MTUDISC        IpctlMtudisc
    net.inet.ip.ttl         CTL_NET, PF_INET, IPPROTO_IP, IPCTL_DEFTTL         IpctlTtl
    net.inet.tcp.keepcnt    CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_KEEPCNT      TcpctlKeepcnt
    net.inet.tcp.keepidle   CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_KEEPIDLE     TcpctlKeepidle
    net.inet.tcp.keepintvl  CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_KEEPINTVL    TcpctlKeepintvl
    net.inet.tcp.mss_ifmtu  CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_MSS_IFMTU    TcpctlMssifmtu
    net.inet.tcp.mssdflt    CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_MSSDFLT      TcpctlMssdflt
    net.inet.tcp.recvspace  CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_RECVSPACE    TcpctlRecvspace
    net.inet.tcp.sendspace  CTL_NET, PF_INET, IPPROTO_TCP, TCPCTL_SENDSPACE    TcpctlSendspace
    net.inet.udp.recvspace  CTL_NET, PF_INET, IPPROTO_UDP, UDPCTL_RECVSPACE    UdpctlRecvspace
    net.inet.udp.sendspace  CTL_NET, PF_INET, IPPROTO_UDP, UDPCTL_SENDSPACE    UdpctlSendspace
    net.route.rtdump        CTL_NET, PF_ROUTE, NET_RT_DUMP                     RtDump
    net.route.rtiflist      CTL_NET, PF_ROUTE, NET_RT_IFLIST                   RtIflist
    net.inet.ip.dad_count   CTL_NET, PF_INET, IPPROTO_IP, IPCTL_DAD_COUNT      IpctlDadcount
    kern.hostname           CTL_KERN, KERN_HOSTNAME                            KernHostname