User Access Domain Revocation
User Access Domain Revocation is completely analogous to the
User Capability Revocation (Section 5.8.6) in its
implementation with the following slight differences:
- Changes to a linsec_usr structure referenced from
a struct user_struct structure are carried out while holding the
AD-related spinlocks of the linsec_usr.
- Effects of the changes made to AD-related fields in
linsec_usr are observable immediately after the update process has
finished. This is because AD access control checks take place directly on
linsec_usr and, unlike for the capability-related fields, no separate
algorithm has to be executed to reflect the changes in a process's privileges.
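
The contrast between the two revocation paths can be seen in a small userspace model. This is an added example, not LinSec kernel code: the structure layout, the bitmask representation, the per-process capability copy and every function name are assumptions made for illustration, and a C11 atomic flag stands in for the kernel spinlock.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Userspace model only; all names and the bitmask layout are hypothetical. */
struct usr_model {
    atomic_flag ad_lock;     /* stands in for the AD-related spinlock */
    unsigned long ad_mask;   /* access domains granted to the user */
    unsigned long cap_mask;  /* user capabilities */
};

struct task_model {
    struct usr_model *usr;        /* shared per-user structure */
    unsigned long cap_effective;  /* assumed per-process copy of capabilities */
};

void usr_init(struct usr_model *u, unsigned long ads, unsigned long caps) {
    atomic_flag_clear(&u->ad_lock);
    u->ad_mask = ads;
    u->cap_mask = caps;
}

static void ad_lock(struct usr_model *u) {
    while (atomic_flag_test_and_set_explicit(&u->ad_lock, memory_order_acquire))
        ;  /* spin until the holder releases the lock */
}

static void ad_unlock(struct usr_model *u) {
    atomic_flag_clear_explicit(&u->ad_lock, memory_order_release);
}

/* AD revocation: update the shared structure while holding the lock. */
void revoke_ad(struct usr_model *u, unsigned long ads) {
    ad_lock(u);
    u->ad_mask &= ~ads;
    ad_unlock(u);
}

/* AD check reads the shared structure directly, so revocation is seen at once. */
bool ad_permitted(struct task_model *t, unsigned long ad) {
    ad_lock(t->usr);
    bool ok = (t->usr->ad_mask & ad) == ad;
    ad_unlock(t->usr);
    return ok;
}

/* Capability revocation changes the user record; each process keeps its copy */
/* until a separate propagation step recomputes it. */
void revoke_cap(struct usr_model *u, unsigned long caps) { u->cap_mask &= ~caps; }
void propagate_caps(struct task_model *t) { t->cap_effective &= t->usr->cap_mask; }
bool cap_permitted(const struct task_model *t, unsigned long cap) {
    return (t->cap_effective & cap) == cap;
}
```

In this model the window between `revoke_cap` and `propagate_caps` is the interval in which a process still holds a revoked capability; the AD path has no such window because the check and the update share one structure and one lock.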