revoke policy

Revokes the capability from the holder and all its descendants in the capability derivation tree (CDT).

The holder can revoke the capability from itself and all its descendants in the CDT.

Type: call policy

Syntax

revoke <configuration> (in SID master,

in SID holder,

in SID resource)

Parameters

master	Parent of the capability holder that revokes this capability.
holder	Holder from which the capability is revoked.
resource	Resource SID associated with the capability.

Policy configuration

<configuration> ::= "{" <type> "}"

<type> ::= "type" ":" <resource-type>

Configuration elements

<resource-type>

Resource type assigned during initialization of the capability. It must match one of the types in the family instance configuration.

Returned value

KSS_GRANT if the capability was revoked, or KSS_DENY in the following cases:

• At least one of the specified SIDs is incorrect.
• The resource SID is not associated with the capability.
• The resource type specified in the configuration (<type>) does not match the type assigned during capability initialization.
• master is not a capability holder for the specified resource.
• master does not have Revoke permissions for the resource.
• master is not the parent of the holder in the CDT, except for when the holder and master match.
• holder is not a capability holder for the specified resource.

All specified restrictions apply only within the ocap family instance.

Page top