#include <oskit/flask/avc_ss.h>OSKIT_COMDECL oskit_avc_ss_revoke(oskit_avc_ss_t *avc, oskit_security_id_t ssid, oskit_security_id_t tsid, oskit_security_class_t tclass, oskit_access_vector_t perms, oskit_u32_t seqno);
The oskit_avc_ss_revoke function revokes previously granted permissions for a SID pair and class, even if they are retained in the state of an object manager. The wildcard SID, OSKIT_SECSID_WILD, may be used for the ssid and tsid parameters to match all SID values. This function removes any permissions in perms from the allowed vector in any matching entries in the cache. It then calls any callbacks registered by an object manager for the OSKIT_AVC_CALLBACK_REVOKE event with a matching SID pair, class and permissions. Permission vectors match if they have a non-null intersection. Each callback is expected to revoke any matching permissions that are retained in the state of the object manager. This function updates the latest policy change sequence number to the greater of its current value and the seqno value.
- avc
- The access vector cache.
- ssid
- The source SID.
- tsid
- The target SID.
- tclass
- The target object security class.
- perms
- The permissions.
- seqno
- The sequence number for the policy change.
Returns 0 on success, or an error code specified in <oskit/error.h>, on error.