#include <oskit/flask/avc_ss.h>OSKIT_COMDECL oskit_avc_ss_try_revoke(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno, [out] oskit_access_vector_t *out_retained);
The oskit_avc_ss_try_revoke function tries to revoke previously granted permissions for a SID pair and class, but only if they are not retained in the state of an object manager. If any of the permissions in perms are retained, the retained permissions are returned in out_retained. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. This function calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_TRY_REVOKE event with a matching SID pair, class and permissions. Permission vectors match if they have a non-null intersection. Each callback is expected to identify which matching permissions are retained in the state of the object manager. The set of retained permissions returned by each callback is added to out_retained. This function then removes any permissions in perms that were not retained from the allowed vector in any matching entries in the cache. This function updates the latest policy change sequence number to the greater of its current value and the seqno value.
- avc
- The access vector cache.
- ssid
- The source SID.
- tsid
- The target SID.
- tclass
- The target object security class.
- perms
- The permissions.
- seqno
- The sequence number for the policy change.
- out_retained
- The set of permissions retained.
Returns 0 on success, or an error code specified in <oskit/error.h>, on error.