|
| 1 | +.. |
| 2 | + # ******************************************************************************* |
| 3 | + # Copyright (c) 2026 Contributors to the Eclipse Foundation |
| 4 | + # |
| 5 | + # See the NOTICE file(s) distributed with this work for additional |
| 6 | + # information regarding copyright ownership. |
| 7 | + # |
| 8 | + # This program and the accompanying materials are made available under the |
| 9 | + # terms of the Apache License Version 2.0 which is available at |
| 10 | + # https://www.apache.org/licenses/LICENSE-2.0 |
| 11 | + # |
| 12 | + # SPDX-License-Identifier: Apache-2.0 |
| 13 | + # ******************************************************************************* |
| 14 | +
|
| 15 | +Assumptions of Use |
| 16 | +################## |
| 17 | + |
| 18 | +.. document:: Operating System Assumptions of Use |
| 19 | + :id: doc__os_aou |
| 20 | + :status: draft |
| 21 | + :safety: ASIL_B |
| 22 | + :security: YES |
| 23 | + :realizes: wp__requirements_comp |
| 24 | + |
| 25 | +.. aou_req:: No Root Privileges |
| 26 | + :id: aou_req__os__nonroot |
| 27 | + :reqtype: Functional |
| 28 | + :security: YES |
| 29 | + :safety: ASIL_B |
| 30 | + :status: valid |
| 31 | + |
| 32 | + No process running on the SW-platform shall request root privileges. |
| 33 | + |
| 34 | + Note: The root privilege is dangerous for security and safety as it destroys process isolation. |
| 35 | + |
| 36 | +.. aou_req:: Safe OS Function Use |
| 37 | + :id: aou_req__os__safe_fctn_use |
| 38 | + :reqtype: Functional |
| 39 | + :security: YES |
| 40 | + :safety: ASIL_B |
| 41 | + :status: valid |
| 42 | + |
| 43 | + If an application or SW-platform component is safety relevant and uses OS functions, it shall only use the safe functions. |
| 44 | + |
| 45 | + Note: For checking the "to be expected" safe functions the developer can consider the safe function list |
| 46 | + published by the OS supplier. For QNX this can be found for example in `appendices here <https://fs-products.tuvasi.com/certificates?keywords=Blackberry&productcategory_id=1#prodid_9842>`_ (for one version). |
| 47 | + |
| 48 | +.. aou_req:: OS Public API Use |
| 49 | + :id: aou_req__os__public_api |
| 50 | + :reqtype: Functional |
| 51 | + :security: YES |
| 52 | + :safety: ASIL_B |
| 53 | + :status: valid |
| 54 | + |
| 55 | + All components shall only use the public API of the OS components. |
| 56 | + |
| 57 | +.. aou_req:: C++ Library Preference |
| 58 | + :id: aou_req__os__cxx_preference |
| 59 | + :reqtype: Functional |
| 60 | + :security: YES |
| 61 | + :safety: ASIL_B |
| 62 | + :status: valid |
| 63 | + |
| 64 | + All components should prefer the use of C++ standard lib over the C lib to call a functionality. |
| 65 | + If C lib must be used, it shall not be mixed with C++ lib for the same functionality. |
| 66 | + |
| 67 | +.. aou_req:: Minimal Process Privileges |
| 68 | + :id: aou_req__os__minimal_privileges |
| 69 | + :reqtype: Functional |
| 70 | + :security: YES |
| 71 | + :safety: ASIL_B |
| 72 | + :status: valid |
| 73 | + |
| 74 | + All components shall only use the privileges that are indispensable for their function. |
| 75 | + |
| 76 | + Note1: OS safety manuals provide lists of allowed and not allowed privileges. |
| 77 | + |
| 78 | + Note2: One example is the "channel connect" - only IPC connections are allowed which are specified in the architecture. |
| 79 | + |
| 80 | + Note3: Another example is mmap_peer which would allow accessing other processes memory if wrongly used. |
| 81 | + |
| 82 | +.. needextend:: "__os_" in id |
| 83 | + :+tags: operating_system |
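Review bot: `aou_req__os__nonroot` ("No process running on the SW-platform shall request root privileges.") is stated more absolutely than it can be verified: a service manager or privileged daemon that starts as root and then drops to an unprivileged user and minimal abilities would already violate the text, even though that pattern is what keeps process isolation intact. Suggest phrasing it as a runtime property ("No component process shall run with root privileges after initialization; processes that must start as root shall drop to a non-root user and to the minimal privilege set before performing application work") and naming how it is checked, e.g. inspection of the effective user and ability set of every process on the running target, since the surrounding requirements (`aou_req__os__minimal_privileges`, Note2/Note3) already assume that kind of inspection against the architecture. Two smaller points in the same file: the `needextend:: "__os_" in id` filter also matches the document need `doc__os_aou`, so if the `operating_system` tag is meant only for the requirements, narrow it to `"aou_req__os__" in id`; and the document carries `:status: draft` while every `aou_req` is `:status: valid`, which should be confirmed as intentional. Minor wording: `aou_req__os__cxx_preference` mixes "should prefer" with "shall not be mixed" under `:reqtype: Functional`; either both sentences are binding or the first is a recommendation, and "the same functionality" would benefit from one concrete instance (for example, not interleaving `printf` and `std::cout` on the same stream) so reviewers apply it consistently.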