struct security_query {
    security_id_t ssid;          /* source SID */
    security_id_t tsid;          /* target SID */
    security_class_t tclass;     /* target object class */
    access_vector_t requested;   /* requested permissions */
};

struct security_response {
    access_vector_t allowed;     /* granted permissions */
    access_vector_t decided;     /* decided permissions */
    access_vector_t auditallow;  /* audit when granted */
    access_vector_t auditdeny;   /* audit when denied */
    access_vector_t notify;      /* notify when used */
    __u32 seqno;                 /* sequence number */
};

int security_compute_av(struct security_query *query, struct security_response *response);
The allowed access vector contains the set of granted permissions. The decided access vector contains the set of permissions for which a decision was returned. Every permission in the requested access vector will be in this set, but other permission decisions may be deferred until explicitly requested.
The auditallow access vector contains the set of permissions that should be audited when they are granted. The auditdeny access vector contains the set of permissions that should be audited when they are denied. The notify access vector contains the set of permissions for which security_notify_perm should be invoked when the operation associated with the permission has successfully completed.
The seqno value may be used to determine the relative ordering of the computation with a revocation. The response should only be used if the seqno is greater than or equal to the largest sequence number that has been used for a revocation notification.
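The following is an added example, not code from the original document or from the security server it describes. It shows how a caller is expected to interpret a security_response: which requested bits were denied, which bits must be audited, which need security_notify_perm after the operation completes, whether a cached response still covers a later request (the decided vector), and whether the response is stale relative to the last revocation sequence number. The type widths, the permission bit values, and the single-rule stub security_compute_av are assumptions made so the example runs stand-alone.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Type widths are assumptions for this example, not the original definitions. */
typedef uint32_t security_id_t;
typedef uint16_t security_class_t;
typedef uint32_t access_vector_t;
typedef uint32_t __u32;

struct security_query {
	security_id_t ssid;
	security_id_t tsid;
	security_class_t tclass;
	access_vector_t requested;
};

struct security_response {
	access_vector_t allowed;
	access_vector_t decided;
	access_vector_t auditallow;
	access_vector_t auditdeny;
	access_vector_t notify;
	__u32 seqno;
};

/* Constructed permission bits for a hypothetical object class 1. */
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define PERM_EXEC  0x4u

/* Stub security server (constructed): one rule for (ssid 1, tsid 2, class 1). */
static __u32 policy_seqno = 5;

int security_compute_av(struct security_query *q, struct security_response *r)
{
	r->allowed = r->decided = r->auditallow = r->auditdeny = r->notify = 0;
	r->seqno = policy_seqno;
	/* Only the requested bits are decided; other permissions stay deferred. */
	r->decided = q->requested;
	if (q->ssid == 1 && q->tsid == 2 && q->tclass == 1) {
		r->allowed = (PERM_READ | PERM_WRITE) & r->decided;
		r->auditallow = PERM_WRITE & r->decided; /* log granted writes */
		r->auditdeny = PERM_EXEC & r->decided;   /* log denied execs */
		r->notify = PERM_WRITE & r->decided;     /* notify once a write completes */
	} else {
		r->auditdeny = q->requested;             /* nothing allowed; log every denial */
	}
	return 0;
}

/* Usable only if seqno is not older than the newest revocation notification seen. */
bool av_response_current(const struct security_response *r, __u32 last_revocation_seqno)
{
	return r->seqno >= last_revocation_seqno;
}

/* A cached response answers a later request only if every needed bit was decided. */
bool av_cache_covers(const struct security_response *r, access_vector_t needed)
{
	return (needed & ~r->decided) == 0;
}

/* Requested permissions that were not granted. */
access_vector_t av_denied(access_vector_t requested, const struct security_response *r)
{
	return requested & ~r->allowed;
}

/* Bits to audit: denied bits present in auditdeny, granted bits present in auditallow. */
access_vector_t av_audit_mask(access_vector_t requested, const struct security_response *r)
{
	access_vector_t denied = requested & ~r->allowed;
	access_vector_t granted = requested & r->allowed;
	return (denied & r->auditdeny) | (granted & r->auditallow);
}

/* Granted bits for which security_notify_perm is due after the operation succeeds. */
access_vector_t av_notify_mask(access_vector_t requested, const struct security_response *r)
{
	return requested & r->allowed & r->notify;
}

/* 0 = granted, -1 = denied, -2 = stale response, -3 = a requested bit was not decided. */
int av_check(struct security_query *q, __u32 last_revocation_seqno, struct security_response *r)
{
	if (security_compute_av(q, r) != 0 || !av_cache_covers(r, q->requested))
		return -3;
	if (!av_response_current(r, last_revocation_seqno))
		return -2;
	return av_denied(q->requested, r) ? -1 : 0;
}

int main(void)
{
	struct security_query q = { 1, 2, 1, PERM_READ | PERM_WRITE | PERM_EXEC };
	struct security_response r;
	int rc = av_check(&q, 3, &r);
	printf("rc=%d denied=0x%x audit=0x%x notify=0x%x seqno=%u\n", rc,
	       av_denied(q.requested, &r), av_audit_mask(q.requested, &r),
	       av_notify_mask(q.requested, &r), r.seqno);
	return 0;
}
```

The stale check in av_check is the one that is easy to get wrong in a caching client: a response computed before a revocation notification must be discarded even though it still looks valid, which is why the comparison is against the largest revocation seqno the caller has seen rather than against the current policy seqno.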