1
2 09/21/87 message_segments
3 Known errors in the current release of message_segments.
4 # Associated TR's
5 Description
6
7 0029 none
8 mseg_mbx_ms_gate_target_ has mseg_check_access_ check for proper ACL
9 entries to send a wakeup based upon target mailbox ACL modes and
10 audit the result of this check. Then mseg_mbx_ms_gate_target_
11 completes wakeup checking by examining AIM restrictions on sending a
12 wakeup to the target process one which is accepting wakeups on the
13 target mailbox. This AIM check is not audited--thus auditing of
14 sending wakeups is based only upon ACLs and not ACLs+AIM, so the audit
15 message produced is sometimes incorrect success rather than failure.
16
17 0018
18 The program mseg_mbx_ms_gate_target_ can return random ring 1 stack
19 garbage to the user ring if a *_own_* call returns
20 error_table_$no_message.
21
22 0016
23 There's a bug in mailbox_$wakeup_add_index and
24 mailbox_$wakeup_aim_add_index which will cause these programs to fail
25 to return the ID of the message added if, at the same time, they will
26 also return an error indication e.g. messags deferred. This bug
27 will cause the functional tests to fail as one of the test cases for
28 MAC must check that a message is added and error_table_$no_info is
29 returned at the same time.
30
31 0014
32 The message segment primitives try to audit object that they can't see
33 the existence of.
34
35 When a user passes a pathname including an AIM upgraded directory, or
36 the pathname of a mailbox whose ACL is corrupted so as to deny access
37 to the user in ring 1, the message segment primitives get
38 error_table_$incorrect_access back when they try to list access
39 information for the segment.
40
41 They then turn around and feed the same pathname back in to the
42 auditing entrypoints of admin_gate_. These try to use dc_find to find
43 the actual object, but fail due to the same lack of access entering
44 nasty messages into the syserr log.
45
46 There are two approaches to this. One would be to use privileged paths
47 in ring 0 for auditing, so that a ring 1 program could audit an
48 operation with respect to a completely inaccessible object.
49
50 This is hard, and probably wrong.
51
52 The second is to for ring 1 to notice the error code that means that
53 the user cannot, and has not, even discovered if the object exists. In
54 this case, it can audit the character pathname without any information.
55
56 Also, note that ring zero has already audited the access failure. The
57 admin_gate_ entry that suppresses audit only suppresses GRANT audits.