These docs are under active development and cover the v0.20 Kobicha security model.

Central access policies

Concept
Central access policies

A central access policy is an additional layer of access restriction defined once and applied to many objects. Objects reference policies by SID, through SYSTEM_SCOPED_POLICY_ID ACEs in their SACL; the access check evaluates each referenced policy and intersects the result with what the object's own DACL already grants. CAAP never widens access; it only narrows it.

Concept
Policies and rules

A central access policy is a versioned bundle of rules. Each rule has an optional applies-to expression deciding when it fires, an effective DACL and SACL it contributes to the access check, and optional staged versions for testing. This page covers the structure.

Concept
Evaluation

CAAP evaluation runs at step 12 of the access-check pipeline. For each SYSTEM_SCOPED_POLICY_ID ACE in the object's SACL, the kernel looks up the policy, evaluates each rule's applies-to expression, and intersects each applicable rule's effective DACL with the running grant. This page covers the evaluation flow, the no-recursion rule, and how CAAP composes with the rest of the pipeline.

Concept
Staged policies

A CAAP rule can carry a staged DACL and SACL alongside its effective ones. The staged versions are evaluated alongside the effective ones in the same AccessCheck, against the same inputs, but do not affect the granted mask. The staging mismatch flag is set when the staged version would have produced a different result from the effective one. This page covers how staging works and the rollout pattern it enables.

Concept
Distribution and recovery

Central access policies are distributed by authd into the kernel's policy cache via kacs_set_caap. The cache is empty at boot; until authd populates it, every CAAP reference resolves to the hardcoded recovery policy. This page covers the distribution mechanism, the recovery policy, and the boot-time considerations.
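The following is an added example that models, in one place, the behaviour the five concept pages above describe: SACL references to policies by SID, rules with applies-to expressions, step-12 intersection with the running grant, the staged shadow evaluation and its mismatch flag, and fallback to the recovery policy while the cache is empty at boot. It is not Kobicha kernel source. The struct layouts, the cache size, the function model_set_caap (standing in for kacs_set_caap, whose real signature the page does not give), the scenario policy 0x100 and, in particular, what the recovery policy grants are all assumptions made for the example.

```c
/* Added model of the CAAP evaluation path described on this page. Not Kobicha
 * kernel source: the struct layouts, model_set_caap (standing in for
 * kacs_set_caap), the cache size and what the recovery policy grants are all
 * assumptions made for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t mask_t;
enum { A_READ = 1u, A_WRITE = 2u, A_EXEC = 4u, A_ALL = 7u };
struct subject { uint32_t uid; bool admin; };

/* One rule: optional applies-to predicate, effective DACL, optional staged DACL.
 * Rule SACL contributions (auditing) are left out; only narrowing is modelled. */
struct caap_rule {
    bool (*applies)(const struct subject *);  /* NULL: the rule always fires */
    mask_t effective_dacl;
    bool   has_staged;
    mask_t staged_dacl;
};
#define CAAP_MAX_RULES 4
struct caap_policy { uint32_t sid; size_t nrules; struct caap_rule rules[CAAP_MAX_RULES]; };
struct caap_result { mask_t granted; bool staging_mismatch; };

/* Kernel policy cache (assumed layout): empty at boot, populated by authd. */
#define CAAP_CACHE_SLOTS 8
static struct caap_policy cache[CAAP_CACHE_SLOTS];
static size_t cache_len;
static void model_cache_reset(void) { cache_len = 0; }

/* Stand-in for kacs_set_caap: install or replace one policy by SID. */
static bool model_set_caap(const struct caap_policy *p) {
    for (size_t i = 0; i < cache_len; i++)
        if (cache[i].sid == p->sid) { cache[i] = *p; return true; }
    if (cache_len == CAAP_CACHE_SLOTS) return false;
    cache[cache_len++] = *p;
    return true;
}

static bool applies_admin(const struct subject *s)     { return s->admin; }
static bool applies_non_admin(const struct subject *s) { return !s->admin; }

/* Assumed recovery policy: the page says an unpopulated cache resolves every
 * reference to a hardcoded recovery policy, not what it grants. This model
 * passes admin-group subjects through unchanged and denies everyone else. */
static const struct caap_policy recovery_policy = { .sid = 0, .nrules = 2, .rules = {
    { applies_admin, A_ALL, false, 0 }, { applies_non_admin, 0, false, 0 } } };

static const struct caap_policy *lookup_policy(uint32_t sid) {
    for (size_t i = 0; i < cache_len; i++)
        if (cache[i].sid == sid) return &cache[i];
    return &recovery_policy;            /* miss, including the empty cache at boot */
}

/* Step-12 model. running_grant is what the earlier steps (the object's own DACL)
 * already allow; policy_sids are the SYSTEM_SCOPED_POLICY_ID ACEs from its SACL.
 * Applicable rules are ANDed in, so bits are only ever cleared. Lookup is one
 * level deep: nothing inside a policy is itself resolved as a CAAP reference.
 * The staged DACL runs over the same inputs as a shadow grant feeding only the flag. */
static struct caap_result caap_access_check(const struct subject *s, mask_t running_grant,
                                            const uint32_t *policy_sids, size_t n) {
    mask_t granted = running_grant, staged = running_grant;
    for (size_t i = 0; i < n; i++) {
        const struct caap_policy *p = lookup_policy(policy_sids[i]);
        for (size_t r = 0; r < p->nrules; r++) {
            const struct caap_rule *rule = &p->rules[r];
            if (rule->applies && !rule->applies(s)) continue;
            granted &= rule->effective_dacl;
            staged  &= rule->has_staged ? rule->staged_dacl : rule->effective_dacl;
        }
    }
    return (struct caap_result){ granted, granted != staged };
}

/* Constructed policy 0x100: rule 1 fires for everyone (effective R|W|X, staged
 * R only: a narrowing being trialled); rule 2 restricts non-admins to read. */
static const struct caap_policy example_policy = { .sid = 0x100, .nrules = 2, .rules = {
    { NULL, A_ALL, true, A_READ }, { applies_non_admin, A_READ, false, 0 } } };

/* One check against policy 0x100 with the cache empty (boot) or populated. */
static struct caap_result scenario(bool populated, bool admin, mask_t running_grant) {
    struct subject s = { admin ? 1000u : 1001u, admin };
    uint32_t sids[] = { 0x100 };
    model_cache_reset();
    if (populated) model_set_caap(&example_policy);
    return caap_access_check(&s, running_grant, sids, 1);
}

int main(void) {
    for (int pop = 0; pop < 2; pop++)
        for (int adm = 0; adm < 2; adm++) {
            struct caap_result r = scenario(pop, adm, A_READ | A_WRITE);
            printf("%-9s %-5s granted=%u staging_mismatch=%d\n", pop ? "populated" : "boot",
                   adm ? "admin" : "user", (unsigned)r.granted, (int)r.staging_mismatch);
        }
    return 0;
}
```

Running it prints one line per (cache state, subject) pair. With the cache empty, the assumed recovery policy leaves the admin at the DACL's read+write and denies the user everything; once policy 0x100 is installed, the admin keeps read+write with staging_mismatch set (the staged read-only rule would have narrowed further), while the user is cut to read with no mismatch. Note that a subject whose DACL only grants read never gets more than read from any policy, which is the never-widens property the Central access policies page states.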