
11.4.2 try_revoke: Try to revoke previously granted permissions


SYNOPSIS

#include <oskit/flask/avc_ss.h>

OSKIT_COMDECL oskit_avc_ss_try_revoke(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno, [out] oskit_access_vector_t *out_retained);

DESCRIPTION

The oskit_avc_ss_try_revoke function tries to revoke previously granted permissions for a SID pair and class, but only those that are not retained in the state of an object manager. If any of the permissions in perms are retained, the retained permissions are returned in out_retained. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. This function calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_TRY_REVOKE event with a matching SID pair, class and permissions. Permission vectors match if they have a non-empty intersection, i.e. a non-zero bitwise AND. Each callback is expected to identify which matching permissions are retained in the state of the object manager. The set of retained permissions returned by each callback is added to out_retained. This function then removes any permissions in perms that were not retained from the allowed vector of every matching entry in the cache. Finally, it updates the latest policy change sequence number to the greater of its current value and the seqno value.
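The following is an added, self-contained model of the algorithm described above; it is not OSKit's implementation and none of the OSKit types or the OSKIT_SECSID_WILD value are used, only locally defined stand-ins (toy_avc, toy_avc_try_revoke, TOY_SECSID_WILD, the permission bits and the constructed object-manager callback are all assumptions of this example). It shows the three steps in order: collect retained permissions from matching callbacks, clear the non-retained bits from every matching cache entry, and advance the sequence number monotonically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the OSKit types named in the prototype (assumed, not OSKit's). */
typedef uint32_t toy_sid;    /* plays the role of oskit_security_id_t */
typedef uint16_t toy_class;  /* plays the role of oskit_security_class_t */
typedef uint32_t toy_av;     /* plays the role of oskit_access_vector_t (bitmask) */

#define TOY_SECSID_WILD 0xffffffffu  /* constructed wildcard; real value not given on the page */
#define TOY_PERM_READ   0x1u
#define TOY_PERM_WRITE  0x2u
#define TOY_PERM_EXEC   0x4u

/* One cache entry: the allowed vector for a (ssid, tsid, tclass) triple. */
struct toy_avc_entry { toy_sid ssid, tsid; toy_class tclass; toy_av allowed; };

/* A TRY_REVOKE callback reports which of 'perms' the object manager still holds in its state. */
typedef toy_av (*toy_try_revoke_cb)(toy_sid ssid, toy_sid tsid, toy_class tclass, toy_av perms);
struct toy_callback { toy_try_revoke_cb fn; toy_sid ssid, tsid; toy_class tclass; toy_av perms; };

struct toy_avc {
    struct toy_avc_entry entries[8];  size_t nentries;
    struct toy_callback  callbacks[4]; size_t ncallbacks;
    uint32_t latest_seqno;
};

/* A wildcard on either side matches any SID. */
static int sid_match(toy_sid a, toy_sid b) {
    return a == TOY_SECSID_WILD || b == TOY_SECSID_WILD || a == b;
}

static int toy_avc_try_revoke(struct toy_avc *avc, toy_sid ssid, toy_sid tsid, toy_class tclass,
                              toy_av perms, uint32_t seqno, toy_av *out_retained)
{
    toy_av retained = 0;
    /* Step 1: consult every registered callback whose SID pair, class and permission
     * vector match (non-zero AND); union the permissions each one reports as retained. */
    for (size_t i = 0; i < avc->ncallbacks; i++) {
        const struct toy_callback *cb = &avc->callbacks[i];
        if (!sid_match(cb->ssid, ssid) || !sid_match(cb->tsid, tsid) ||
            cb->tclass != tclass || !(cb->perms & perms))
            continue;
        retained |= cb->fn(ssid, tsid, tclass, perms) & perms;
    }
    /* Step 2: strip the permissions nobody retained from every matching cache entry.
     * Note the coarseness: a permission retained by one manager survives in all
     * entries matched by a wildcard revoke. */
    toy_av to_remove = perms & ~retained;
    for (size_t i = 0; i < avc->nentries; i++) {
        struct toy_avc_entry *e = &avc->entries[i];
        if (sid_match(e->ssid, ssid) && sid_match(e->tsid, tsid) && e->tclass == tclass)
            e->allowed &= ~to_remove;
    }
    /* Step 3: the policy-change sequence number only ever moves forward. */
    if (seqno > avc->latest_seqno) avc->latest_seqno = seqno;
    *out_retained = retained;
    return 0;
}

/* Constructed object manager: it holds an open, writable object for (ssid 5, tsid 9)
 * and therefore refuses to give up WRITE when asked about that pair (or a wildcard). */
static toy_av file_manager_cb(toy_sid ssid, toy_sid tsid, toy_class tclass, toy_av perms)
{
    (void)tclass;
    if ((ssid == 5 || ssid == TOY_SECSID_WILD) && (tsid == 9 || tsid == TOY_SECSID_WILD))
        return perms & TOY_PERM_WRITE;
    return 0;
}

/* Builds a small constructed cache, revokes WRITE|EXEC for ssid 5 against all targets,
 * and returns the retained vector; the caller can inspect *avc afterwards. */
static toy_av toy_demo(struct toy_avc *avc)
{
    struct toy_avc init = {
        .entries = { {5, 9, 1, TOY_PERM_READ | TOY_PERM_WRITE | TOY_PERM_EXEC},
                     {5, 10, 1, TOY_PERM_READ | TOY_PERM_WRITE},
                     {6, 9, 1, TOY_PERM_READ | TOY_PERM_WRITE | TOY_PERM_EXEC} },
        .nentries = 3,
        .callbacks = { {file_manager_cb, TOY_SECSID_WILD, TOY_SECSID_WILD, 1, TOY_PERM_WRITE} },
        .ncallbacks = 1,
        .latest_seqno = 40,
    };
    *avc = init;
    toy_av retained = 0;
    toy_avc_try_revoke(avc, 5, TOY_SECSID_WILD, 1, TOY_PERM_WRITE | TOY_PERM_EXEC, 42, &retained);
    return retained;
}

int main(void)
{
    struct toy_avc avc;
    toy_av retained = toy_demo(&avc);
    printf("retained=0x%x seqno=%u\n", retained, avc.latest_seqno);
    for (size_t i = 0; i < avc.nentries; i++)
        printf("(%u,%u) allowed=0x%x\n", avc.entries[i].ssid, avc.entries[i].tsid, avc.entries[i].allowed);
    return 0;
}
```

In the run above EXEC is removed from the (5,9) entry because no manager retained it, WRITE survives everywhere the wildcard matched because the file manager reported it as retained, the (6,9) entry is untouched, and the sequence number advances from 40 to 42; a later call with a smaller seqno would leave it at 42.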

PARAMETERS

avc
The access vector cache.
ssid
The source SID.
tsid
The target SID.
tclass
The target object security class.
perms
The permissions.
seqno
The sequence number for the policy change.
out_retained
The set of permissions retained.

RETURNS

Returns 0 on success, or on error an error code as specified in <oskit/error.h>.



Utah Flux Research Group