Hi Wolfgang,
Service A is pronounced to “init”. “Init” has the capability to Service A (e.g. AHCI). Program B is started. If Program B requests a service (e.g. read something from AHCI), Init looks up its root list and notifies A that the service is requested, A creates a new capability and passes it to “Init”, which passes the capability further to B.
Is this correct? And does this happen always?
Yes and yes.
Can a capability then be revoked? E.g. Program B does something which is not wanted and therefore the already given capability will be removed?
Since the common parent of A and B possesses both the root capability of service A and the session capability created for the client B, the parent can, at any time, close the session at service A by invoking the 'Root::close' function with the session capability as argument. (Note, however, that the init process has no such policy.) When the service A destructs the session (the 'Rpc_object'), all capabilities that refer to the 'Rpc_object' become invalid. The client is no longer able to reach the service using the now invalidated session capability.
Hence, in principle, a common parent is able to break the relationship between a client and a server by closing the corresponding sessions. In practice, a partial revocation of access rights to once-established sessions is not common. "Revocation" should better be done by destructing a subsystem altogether and starting a new one.
Best regards,
Norman
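The revocation path described in the reply above, as a toy C++ model added here (it is not Genode code and not part of the original mail). Capabilities are modelled as plain ids resolved through the server's object table, and the names `Service`, `Parent`, `root_session`, `root_close` and `lookup` are hypothetical stand-ins for 'Root::session', 'Root::close' and RPC dispatch.

```cpp
// Toy model (assumption, not Genode's API): a capability is an opaque id that
// the server resolves through its object table on every invocation.
#include <cstdint>
#include <map>
#include <string>

using Cap = std::uint64_t;                     // constructed stand-in for a capability

struct Session { std::string client_label; };  // stand-in for the 'Rpc_object'

class Service {                                // "service A", e.g. an AHCI driver
    std::map<Cap, Session> _objects;           // live sessions, keyed by capability
    Cap _next = 1;                             // ids are never reused
public:
    Cap root_session(const std::string &label) {       // models Root::session
        Cap cap = _next++;
        _objects.emplace(cap, Session{label});
        return cap;
    }
    void root_close(Cap cap) { _objects.erase(cap); }  // models Root::close
    // An invocation reaches the service only while the object still exists.
    const Session *lookup(Cap cap) const {
        auto it = _objects.find(cap);
        return it == _objects.end() ? nullptr : &it->second;
    }
};

class Parent {                                 // common parent of A and B
    Service &_root;                            // models holding A's root capability
    std::map<std::string, Cap> _sessions;      // session caps handed to children
public:
    explicit Parent(Service &root) : _root(root) {}
    Cap request_session(const std::string &client) {
        Cap cap = _root.root_session(client);
        _sessions[client] = cap;               // parent keeps its own copy
        return cap;                            // and delegates one to the client
    }
    // Policy hook: the reply notes that init itself implements no such policy.
    void revoke(const std::string &client) {
        auto it = _sessions.find(client);
        if (it == _sessions.end()) return;
        _root.root_close(it->second);          // server destructs the session
        _sessions.erase(it);
    }
};
```

Because the id is only a reference into the server's table, every copy the client made or delegated fails at the same moment, and a later session for the same client gets a fresh id rather than reviving the stale one.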