The GeSWall access restriction policy determines how GeSWall restricts applications' access to system resources. Resources are files, registry keys, processes, etc., and every resource is categorized as untrusted, trusted or confidential.
The access restriction policy is composed of both generic rules which apply to all applications and specific rules which apply to only one application.
The generic rules for an isolated application are that the application:
The only generic rule for a non-isolated application is that the application cannot load untrusted executables into its address space. All other resource access is allowed.
These generic rules are overridden by any application-specific rules in the application database.
All resources are trusted except those created by isolated applications. Resources created by isolated applications are untrusted. Confidential resources are any resources that are marked as confidential in the database. By default, any files in a user's My Documents\Confidential folder are confidential. You may specify additional untrusted and confidential resources explicitly by their name or ownership.
The GeSWall policy model also reserves the notion of a Jailed Application - an application that has no permissions by default and may access only explicitly granted resources.
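The sketch below is an added example, not GeSWall code. It models the resource labelling and the rule precedence described above for non-isolated and jailed applications only. The PolicyDb layout, the operation names, the sample paths and the choice to let a confidential marking win over the untrusted label are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PureWindowsPath

class Label(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"
    CONFIDENTIAL = "confidential"

class Mode(Enum):
    NON_ISOLATED = "non-isolated"
    JAILED = "jailed"

@dataclass(frozen=True)
class Resource:
    name: str
    created_by_isolated: bool = False   # set when an isolated application created it

@dataclass
class PolicyDb:                         # hypothetical stand-in for the application database
    confidential_dirs: list = field(default_factory=list)
    untrusted_names: set = field(default_factory=set)
    specific: dict = field(default_factory=dict)   # (app, resource name, op) -> bool

def classify(res, db):
    path = PureWindowsPath(res.name)
    # Assumption: a confidential marking wins over the untrusted label.
    if any(path.is_relative_to(d) for d in db.confidential_dirs):
        return Label.CONFIDENTIAL
    if res.created_by_isolated or res.name in db.untrusted_names:
        return Label.UNTRUSTED
    return Label.TRUSTED                # everything else is trusted

def allowed(app, mode, res, op, db):
    rule = db.specific.get((app, res.name, op))
    if rule is not None:
        return rule                     # application-specific rules override generic ones
    if mode is Mode.JAILED:
        return False                    # jailed: nothing allowed unless explicitly granted
    # Non-isolated: the single generic rule blocks loading untrusted executables.
    return not (op == "load_executable" and classify(res, db) is Label.UNTRUSTED)

# Constructed sample data, not taken from a real GeSWall database.
DB = PolicyDb(
    confidential_dirs=[r"C:\Users\alice\My Documents\Confidential"],
    specific={("tool.exe", r"C:\Data\input.csv", "read"): True},
)
DOWNLOAD = Resource(r"C:\Temp\setup.exe", created_by_isolated=True)

if __name__ == "__main__":
    print(classify(DOWNLOAD, DB))
    print(allowed("winword.exe", Mode.NON_ISOLATED, DOWNLOAD, "load_executable", DB))
```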