ocap policy family

The ocap policy family lets you implement a capability-based security model (the object-capability model).

This model is based on the principle of least privilege: a subject (a process or a user) is granted only the privileges it strictly needs to perform its task, and only for as long as it needs them. For example, a user who wants to view the contents of a file must be granted only the permission to read that file, and only for the period during which the file is actually in use.

The ocap policy family lets you associate a resource SID with a capability that can be transferred to another subject and revoked. In this way, the ocap policy family lets you manage access rights to the resources whose access these policies govern.

The init, transfer, derive and check policies have corresponding variants with the "R" postfix (initR, transferR, deriveR and checkR). The "R" variants differ in that the list of access rights is defined statically in the policy configuration instead of being supplied when the policy is invoked.
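The following Python model is an added illustration of the five operations named above (init, transfer, derive, check, revoke) and of the "R" variant with a statically configured rights list. It is not KasperskyOS code and does not use the PSL syntax of the ocap family: it is a toy reference monitor over a capability table, written here so that the security properties of the object-capability model can be seen end to end. The rights names (READ, WRITE, EXEC), the numeric SIDs, the rule that only the current holder may transfer, derive or revoke a capability, and the rule that revoking a capability also revokes everything derived from it are assumptions of this model.

```python
"""Toy object-capability reference monitor (added illustration, not KasperskyOS code)."""
from dataclasses import dataclass
from typing import Optional
import itertools

# Access rights as a bit mask. The names and values are assumptions of this model.
READ, WRITE, EXEC = 1, 2, 4


@dataclass
class Capability:
    cap_id: int
    sid: int                      # SID of the resource the capability refers to
    holder: int                   # SID of the subject that currently holds it
    rights: int                   # bit mask of granted rights
    parent: Optional[int] = None  # capability this one was derived from, if any
    revoked: bool = False


class CapabilityMonitor:
    """Holds the capability table; all checks go through this single object."""

    def __init__(self, static_rights: int = READ):
        self._caps: dict[int, Capability] = {}
        self._ids = itertools.count(1)
        # Fixed rights list used by the "R" variant, modelled after the page's
        # description of initR: rights come from configuration, not from the call.
        self.static_rights = static_rights

    def _live(self, cap_id: int) -> Optional[Capability]:
        cap = self._caps.get(cap_id)
        return None if cap is None or cap.revoked else cap

    def init(self, owner: int, resource_sid: int, rights: int) -> int:
        """Create a capability for resource_sid with the given rights (dynamic list)."""
        cap = Capability(next(self._ids), resource_sid, owner, rights)
        self._caps[cap.cap_id] = cap
        return cap.cap_id

    def init_r(self, owner: int, resource_sid: int) -> int:
        """Like init, but the rights list is the statically configured one."""
        return self.init(owner, resource_sid, self.static_rights)

    def transfer(self, cap_id: int, sender: int, receiver: int) -> bool:
        """Move the capability to another subject; only the current holder may do so."""
        cap = self._live(cap_id)
        if cap is None or cap.holder != sender:
            return False
        cap.holder = receiver
        return True

    def derive(self, cap_id: int, holder: int, rights: int) -> Optional[int]:
        """Create an attenuated child capability; rights may only be dropped, never added."""
        cap = self._live(cap_id)
        if cap is None or cap.holder != holder or rights & ~cap.rights:
            return None
        child = Capability(next(self._ids), cap.sid, holder, rights, parent=cap_id)
        self._caps[child.cap_id] = child
        return child.cap_id

    def check(self, cap_id: int, holder: int, resource_sid: int, rights: int) -> bool:
        """Authorize an access: live capability, right holder, right resource, all rights present."""
        cap = self._live(cap_id)
        if cap is None:
            return False
        return (cap.holder == holder
                and cap.sid == resource_sid
                and (cap.rights & rights) == rights)

    def revoke(self, cap_id: int, holder: int) -> bool:
        """Revoke a capability and, transitively, every capability derived from it."""
        cap = self._live(cap_id)
        if cap is None or cap.holder != holder:
            return False
        pending = [cap_id]
        while pending:
            cid = pending.pop()
            self._caps[cid].revoked = True
            pending.extend(c.cap_id for c in self._caps.values()
                           if c.parent == cid and not c.revoked)
        return True


if __name__ == "__main__":
    # Constructed scenario: subject 10 owns file resource 100 and lends read-only access to 11.
    m = CapabilityMonitor(static_rights=READ)
    full = m.init(owner=10, resource_sid=100, rights=READ | WRITE)
    ro = m.derive(full, 10, READ)          # attenuation: READ only
    m.transfer(ro, 10, 11)                 # hand the read-only capability to subject 11
    print("11 may read:", m.check(ro, 11, 100, READ))
    print("11 may write:", m.check(ro, 11, 100, WRITE))
    m.revoke(full, 10)                     # revoking the parent also kills the derived one
    print("11 may read after revoke:", m.check(ro, 11, 100, READ))
```

The model makes three properties of the object-capability approach explicit: a capability names one resource and is only honoured for the subject holding it, derivation can only narrow rights, and revocation takes down everything derived from the revoked capability. The `init_r` method shows the only difference between the "R" variant and the plain one in this model: the rights list comes from configuration rather than from the caller.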

A declaration of the ocap family is in the following file:

/opt/KasperskyOS-StarterKit-<version>/sysroot-x86_64-pc-kos/include/kss/server/ocap.cfg

In this section

Basic concepts

Built-in permissions

Capability-based operations

Instance of the ocap family

capType policy

init policy

initR policy

transfer policy

transferR policy

derive policy

deriveR policy

check policy

checkR policy

revoke policy
