
Binding to an ACL

Any operation performed on an ACL uses an ACL handle of type handle_t to identify the target of the operation. The handle is bound to the server that manages the object protected by the ACL, not to the ACL itself. Since an object may be protected by more than one ACL manager type (see Authorization), an ACL can only be uniquely identified by the ACL handle in combination with the UUID of the manager type that manages it. ACL editing calls must also specify which of the ACLs held by that manager type is to be read or otherwise manipulated: the object ACL, the default (initial) container ACL, or the default (initial) object ACL, selected with the sec_acl_type_t values sec_acl_type_object, sec_acl_type_default_container and sec_acl_type_default_object.

An application calls sec_acl_bind( ) to get an ACL handle. The handle itself is opaque to the calling program, which needs none of the information encoded in it to use the ACL interface. To identify a particular ACL, a program obtains the list of ACL manager types protecting the object and passes one of those manager type UUIDs, along with the ACL type identifier, to the client-side routine that reads or edits the ACL. The following two calls return that list:

· sec_acl_get_manager_types( ) returns a list of UUIDs of the manager types.

· sec_acl_get_manager_types_semantics( ) returns the same list of manager type UUIDs together with the POSIX semantics supported by each manager type. The semantics are what the sec_acl_calc_mask( ) routine needs when it calculates a new mask_obj entry for an ACL, so a caller that intends to recompute the mask should use this call rather than sec_acl_get_manager_types( ).

In the absence of CDS (the Cell Directory Service), an application may call sec_acl_bind_to_addr( ) instead; this call binds to a network address supplied by the caller rather than resolving a cell namespace entry.

Once an application is finished using an ACL handle, it should call sec_acl_release_handle( ) to dispose of it. The handle, and the server binding it wraps, must not be used after it has been released.
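The following is an added example, not code from the DCE documentation or libraries, that shows why the POSIX semantics returned by sec_acl_get_manager_types_semantics( ) matter to a mask recalculation. The real DCE calls need a live cell, so the example models the data in plain C: acl_t, acl_entry_t, the SEM_MASK_OBJ flag and calc_mask( ) are stand-ins for the DCE types, for the per-manager semantics value and for sec_acl_calc_mask( ), and the rule that mask_obj is the union of every entry other than user_obj, other_obj, mask_obj and unauthenticated is an assumption of this example. The sample ACL is constructed: a named user was granted rw after the mask was last computed, so the stale mask still clips the grant until the mask is recalculated, and a manager type with no POSIX semantics is left untouched.

```c
#include <stdint.h>
#include <stdio.h>

/* Model types standing in for the DCE sec_acl_* structures; they are
 * assumptions made for this example, not the DCE definitions. */
typedef enum {
    E_USER_OBJ, E_GROUP_OBJ, E_OTHER_OBJ, E_MASK_OBJ,
    E_USER, E_GROUP, E_UNAUTHENTICATED
} entry_type_t;

typedef uint32_t perms_t;              /* one bit per permission */
#define P_R 0x1u
#define P_W 0x2u
#define P_X 0x4u

typedef struct { entry_type_t type; perms_t perms; } acl_entry_t;

#define MAX_ENTRIES 16
typedef struct { acl_entry_t e[MAX_ENTRIES]; unsigned n; } acl_t;

/* POSIX semantics a manager type reports through
 * sec_acl_get_manager_types_semantics(), modelled here as one bit:
 * either the manager honours a mask_obj entry or it does not. */
enum { SEM_NONE = 0, SEM_MASK_OBJ = 1 };

/* Does the mask govern this entry type?  user_obj, other_obj and
 * unauthenticated sit outside the mask (assumed rule for the example). */
static int mask_applies(entry_type_t t) {
    return t != E_USER_OBJ && t != E_OTHER_OBJ &&
           t != E_UNAUTHENTICATED && t != E_MASK_OBJ;
}

static int find_entry(const acl_t *acl, entry_type_t t) {
    for (unsigned i = 0; i < acl->n; i++)
        if (acl->e[i].type == t) return (int)i;
    return -1;
}

/* Model of sec_acl_calc_mask(): recompute mask_obj as the union of all
 * mask-governed entries.  Returns 1 if the mask entry was written, 0 if the
 * manager has no mask semantics (ACL left untouched), -1 if the ACL is full. */
int calc_mask(acl_t *acl, unsigned semantics) {
    if (!(semantics & SEM_MASK_OBJ)) return 0;
    perms_t m = 0;
    for (unsigned i = 0; i < acl->n; i++)
        if (mask_applies(acl->e[i].type)) m |= acl->e[i].perms;
    int idx = find_entry(acl, E_MASK_OBJ);
    if (idx < 0) {
        if (acl->n >= MAX_ENTRIES) return -1;
        idx = (int)acl->n++;
        acl->e[idx].type = E_MASK_OBJ;
    }
    acl->e[idx].perms = m;
    return 1;
}

/* Permissions an entry actually grants once the manager applies the mask;
 * a manager without mask semantics ignores any mask_obj entry. */
perms_t effective_perms(const acl_t *acl, unsigned semantics, entry_type_t t) {
    int idx = find_entry(acl, t);
    if (idx < 0) return 0;
    perms_t p = acl->e[idx].perms;
    int m = find_entry(acl, E_MASK_OBJ);
    if ((semantics & SEM_MASK_OBJ) && m >= 0 && mask_applies(t))
        p &= acl->e[m].perms;
    return p;
}

/* Constructed sample ACL: the named user was granted rw after the mask
 * was last computed, so the stale mask (r only) still clips that grant. */
acl_t sample_acl(void) {
    acl_t a = { .n = 0 };
    a.e[a.n++] = (acl_entry_t){ E_USER_OBJ,        P_R | P_W | P_X };
    a.e[a.n++] = (acl_entry_t){ E_GROUP_OBJ,       P_R };
    a.e[a.n++] = (acl_entry_t){ E_OTHER_OBJ,       P_R };
    a.e[a.n++] = (acl_entry_t){ E_MASK_OBJ,        P_R };        /* stale */
    a.e[a.n++] = (acl_entry_t){ E_USER,            P_R | P_W };  /* new grant */
    a.e[a.n++] = (acl_entry_t){ E_UNAUTHENTICATED, 0 };
    return a;
}

/* Effective named-user permissions before (recalc=0) or after (recalc=1)
 * the mask is recomputed under the given manager semantics. */
perms_t sample_user_effective(unsigned semantics, int recalc) {
    acl_t a = sample_acl();
    if (recalc) calc_mask(&a, semantics);
    return effective_perms(&a, semantics, E_USER);
}

/* mask_obj permissions after a recalculation attempt under the given
 * semantics (unchanged when the manager has no mask semantics). */
perms_t sample_mask(unsigned semantics) {
    acl_t a = sample_acl();
    calc_mask(&a, semantics);
    int m = find_entry(&a, E_MASK_OBJ);
    return m >= 0 ? a.e[m].perms : 0;
}

int main(void) {
    printf("posix manager: user effective before=%u after=%u mask=%u\n",
           (unsigned)sample_user_effective(SEM_MASK_OBJ, 0),
           (unsigned)sample_user_effective(SEM_MASK_OBJ, 1),
           (unsigned)sample_mask(SEM_MASK_OBJ));
    printf("non-posix manager: user effective=%u mask left at %u\n",
           (unsigned)sample_user_effective(SEM_NONE, 1),
           (unsigned)sample_mask(SEM_NONE));
    return 0;
}
```

The practical point is the branch at the top of calc_mask( ): the per-manager semantics decides whether a mask_obj entry is meaningful at all, which is why the caller fetches them with sec_acl_get_manager_types_semantics( ) for the manager type it is about to edit rather than assuming every manager type on the object behaves the same way.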