deny policy

Determines whether the current state of the security domain is on the states list specified in the policy configuration.

In contrast to the allow policy, the deny policy forbids event if the current state is on the passed list.

Type: call policy

Syntax

deny <configuration> (in SID sid)

Parameters

sid	SID of the security domain associated with the finite-state machine.

Policy configuration

<configuration> ::= <states>

<states> ::= "[" <state> {"," <state>} "]"

Configuration elements

<states>	JSON array of states to check.
<state>	State name

Returned value

KSS_GRANT, if the current state is not included in <states>.

KSS_DENY in the following cases:

• The current state is included in <states>.
• The finite-state machine has not been initialized for the specified SID.
• The specified SID of the domain is incorrect.

Example

...

policy if_not_working = service_flow.deny [sleep, stopped, finished];

entity service {

security call use [self] = if_not_stopped(self);

}

Page top