Multics Technical Bulletin MTB-700-01
Ring 1 Privileges
To: Distribution
From: Benson I. Margulies
Date: 01/22/85
Subject: Allowing system privilege setting in ring 1
1 ABSTRACT
Ring 1 subsystems are supposed to maintain ring 1
multi-class databases. However, the system currently
only supports single segment ring 1 databases, since
there is no way for a process to circumvent file system
AIM in ring 1 to create, delete, rename, or change the
access on segments.
This would be an academic problem, except for the fact
that we already have a ring 1 subsystem that maintains
a multi-segment multi-class database: RCP. RCP has
high priority outstanding TR's that document the fact
that it fails when a non-system process tries to add a
segment to a journal or a registry. This is revision |
01 of the MTB, carrying change bars. |
Comments should be sent to the author:
via Multics Mail:
Margulies at either System-M, MIT, or CISL-SERVICE.
via Forum:
>udd>m>mtgs>B2 on System-M
via telephone:
(HVN) 261-9333, or
(617) 492-9333
_________________________________________________________________
Multics project internal working documentation. Not to be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.
2 PRIVILEGES IN RING 1
Ring 1 is supposed to have the necessary access to maintain
multi-class databases. This support consists of multi-class
segments. A multi-class segment is a segment that is writable
from a range of authorizations.
Multi-class segments are not enough. To use them, the database
must be pre-created by a system_low process with as many segments
as it can ever need. Since some applications can use an
arbitrary amount of storage, this cannot work. One such
application is RCPRM. The registries and journals must be able
to grow by adding segments in any process.
The problem, then, is to define multi-class entities bigger than
a segment. The cleanest design would be to invent "multi-class
directories." A multi-class directory would allow processes at a
range of access classes to perform directory control "modify"
operations.
There is a major problem with this approach. Ring zero already
uses the same bits that are used to define multi-class segments
to define upgraded directories. To define multi-class
directories, we would have to add fields to the branch, which is
a large undertaking.
An alternative to this is to use the existing system privilege
mechanism to allow ring 1 programs to "write-down" directories.
This requires a much smaller implementation, and solves the
problem at hand. This is the solution proposed here.
3 VALIDATION LEVEL CLEANUP
While ring 1 programs need to be able to set privileges, it would
not be correct for them to set privileges on behalf of the outer
ring, especially by accident. Leaving it to cleanup handlers in
individual ring 1 subsystems is not adequate protection against a
privilege accidentally being left set on exit to the outer ring.
The ring alarm mechanism must be used to reset any privileges set
in ring 1. A record must be kept of any privileges set, and the
ring alarm handler changed to reset them on exit. set_privileges
will have separate entrypoints for ring 1 privilege manipulation.
It will record settings in pds$ring_1_privileges, and the ring
alarm mechanism will check that value.
4 INTERFACES
This section describes the admin_gate_ interfaces. These are
designed along the lines of hcs_$set_ips_mask and reset_ips_mask.
This reduces the number of entrypoints to two from over a dozen.
___________ ___________
admin_gate_ admin_gate_
___________ ___________
NAME: ADMIN_GATE_
admin_gate_ is the gate from ring 1 to ring 0.
ENTRY: ADMIN_GATE_$SET_PRIVILEGES
This entry enables one or more AIM privileges and returns the
previous value of the AIM privileges. Any privileges set with
this entry should be reset with a call to
admin_gate_$reset_privileges. If they are not reset before exit
from ring 1, they will be reset automatically.
USAGE
declare admin_gate_$set_privileges entry (bit (36) aligned, bit (36) aligned);
call admin_gate_$set_privileges (privs_to_set, old_privs);
ARGUMENTS
privs_to_set
is a word of bits. Each bit except the last corresponds to an
| AIM privilege. The bit masks defined in sys_info for the
| privilege bits should always be used to construct this mask.
| THIS IS A TCB CODING STANDARD. Declarations of these bit
| masks are provided in aim_privileges.incl.pl1 for
| convenience. (Input)
old_privs
is a word of bits. Each bit except the last corresponds to an
AIM privilege. The last bit is always returned "1"b to
indicate that privileges are set. Cleanup handlers should
check the last bit to decide whether
admin_gate_$reset_privileges needs to be called. (Output)
ENTRY: ADMIN_GATE_$RESET_PRIVILEGES
This entry is used to disable privileges set with
admin_gate_$set_privileges.
USAGE
declare admin_gate_$reset_privileges entry (bit (36) aligned);
call admin_gate_$reset_privileges (saved_old_privs);
ARGUMENTS
saved_old_privs
is the result to a call of admin_gate_$set_privileges. If the
last bit of the word is "0"b, this entrypoint does nothing.
If the last bit of the word is "1"b, then this entrypoint
restores the privileges to their state before the call to
admin_gate_$set_privileges, and returns the word with the bit
reset to zero. (Input/Output)
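The set/reset contract above, together with the ring alarm record of section 3, can be modelled in a few lines. This is an added illustration, not Multics code; the bit positions chosen for the sys_info masks are assumptions, and only the "last bit means privileges are set" sentinel follows the MTB.

```python
# Model of the admin_gate_ privilege interface (constructed example, not
# Multics code). Mask bit positions are assumed; the sentinel is per the MTB.
SET_FLAG = 1                  # last bit of the 36-bit word: "privileges are set"
DIR_PRIV_MASK = 1 << 35       # stands in for sys_info$dir_priv_mask (assumed position)
SEG_PRIV_MASK = 1 << 34       # stands in for sys_info$seg_priv_mask (assumed position)
RING1_PRIV_MASK = 1 << 33     # stands in for sys_info$ring1_priv_mask (assumed position)


class Ring0Model:
    def __init__(self):
        self.privileges = 0              # the process's live AIM privilege word
        self.pds_ring_1_privileges = 0   # bits turned on from ring 1 (pds$ring_1_privileges)

    def set_privileges(self, privs_to_set):
        """admin_gate_$set_privileges: enable bits, return old word with last bit "1"b."""
        if privs_to_set & SET_FLAG:
            raise ValueError("the last bit is reserved for the set indicator")
        old_privs = self.privileges | SET_FLAG
        # Only bits that were not already on are charged to ring 1.
        self.pds_ring_1_privileges |= privs_to_set & ~self.privileges
        self.privileges |= privs_to_set
        return old_privs

    def reset_privileges(self, saved_old_privs):
        """admin_gate_$reset_privileges: no-op unless the last bit is "1"b."""
        if not saved_old_privs & SET_FLAG:
            return saved_old_privs
        restored = saved_old_privs & ~SET_FLAG
        cleared = self.privileges & ~restored
        self.pds_ring_1_privileges &= ~cleared
        self.privileges = restored
        return restored           # last bit now "0"b, so a second call does nothing

    def ring_alarm(self):
        """Exit to the outer ring: clear whatever ring 1 left set, return it."""
        leaked = self.pds_ring_1_privileges
        self.privileges &= ~leaked
        self.pds_ring_1_privileges = 0
        return leaked


def careful_subsystem(gate, work):
    """The documented pattern: a cleanup handler always calls reset_privileges."""
    saved = 0
    try:
        saved = gate.set_privileges(DIR_PRIV_MASK | SEG_PRIV_MASK)
        return work(gate)
    finally:
        saved = gate.reset_privileges(saved)   # harmless if set_privileges never ran


def careless_subsystem(gate):
    """Sets privileges and returns without resetting; the ring alarm must cover it."""
    gate.set_privileges(RING1_PRIV_MASK)
    return gate.privileges
```

Because the saved word starts as "0"b, the cleanup handler is safe even when the set call itself faulted, and nested set/reset pairs restore exactly the earlier state.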
5 SYS_INFO PRIVILEGE MASK VARIABLES |
It is desirable that the crossreference show which programs are |
using which individual privileges. This makes it much easier to |
survey all the users of, say, the dir privilege. To this end, |
the sys_info masks are defined. |
________________________________________ |
NAME: SYS_INFO |
ENTRY: SYS_INFO$DIR_PRIV_MASK |
This variable defines the system privilege bit for the directory |
AIM privilege. |
USAGE |
declare sys_info$dir_priv_mask bit (36) aligned external static; |
ENTRY: SYS_INFO$IPC_PRIV_MASK |
This variable defines the system privilege bit for the IPC |
AIM privilege. |
USAGE |
declare sys_info$ipc_priv_mask bit (36) aligned external static; |
| ENTRY: SYS_INFO$SEG_PRIV_MASK
| This variable defines the system privilege bit for the
| segment AIM privilege.
| USAGE
| declare sys_info$seg_priv_mask bit (36) aligned external static;
| ENTRY: SYS_INFO$SOOS_PRIV_MASK
| This variable defines the system privilege bit for the
| security-out-of-service AIM privilege.
| USAGE
| declare sys_info$soos_priv_mask bit (36) aligned external static;
| ENTRY: SYS_INFO$RING1_PRIV_MASK
| This variable defines the system privilege bit for the ring
| 1 message segment AIM privilege.
| USAGE
| declare sys_info$ring1_priv_mask bit (36) aligned external static;
| ENTRY: SYS_INFO$RCP_PRIV_MASK
| This variable defines the system privilege bit for the RCP
| AIM privilege.
| USAGE
| declare sys_info$rcp_priv_mask bit (36) aligned external static;
ENTRY: SYS_INFO$COMM_PRIV_MASK |
This variable defines the system privilege bit for the |
communications AIM privilege. |
USAGE |
declare sys_info$comm_priv_mask bit (36) aligned external static; |