Multics Technical Bulletin MTB-611
DM File Commands
To: Distribution
From: Andre Bensoussan
Date: 02/04/83
Subject: Data Management File Commands
1 ABSTRACT
In the new Data Management architecture, a new object, the
"Data Management File", has been introduced. Commands to create,
delete, rename, copy, set ACL, etc., need to be implemented for
Data Management Files. These operations represent a generic
function that is meaningful for all kinds of objects, but which
may require variations in the implementation, depending on the
kind of object they are applied to. The Multics command system
already recognizes that fact; in many instances, the same command
can be used regardless of whether the object is a segment, a
directory or a multi-segment file. This MTB describes how these
commands could also be extended to perform the appropriate
operation on a Data Management File, instead of having a special
command for it.
_________________________________________________________________
Multics project internal working documentation. Not to be
reproduced or distributed outside the Multics project.
Comments should be sent to the author:
via Multics Mail:
Bensoussan.Multics on System M.
via US Mail:
André Bensoussan
Honeywell Information Systems, inc.
575 Tech Square
Cambridge, Massachusetts 02139
via telephone:
(HVN) 261-9334, or
(617) 492-9334
CONTENTS
1 ABSTRACT
2 INTRODUCTION
3 RATIONALE FOR PUTTING DM FILES IN RING 2
4 HOW CAN A COMMAND DETERMINE IF AN OBJECT IS A dm_file?
5 COMMANDS TO BE EXTENDED TO DEAL WITH dm_files
2 INTRODUCTION
In MR10, Data Management Files (dm_files) are implemented as
inner ring multi segment files (MSF's), with ring brackets of [2,
2, 2] for all components and [2, user, user] for the directory.
For most commands that distinguish between segments, directories
and MSF's (such as list, copy, set_acl, etc.), it is desirable
to extend them so that they also recognize dm_files and do
whatever is appropriate for them.
This implies (a) that these commands be changed, (b) that they be
able to determine if an object is a dm_file and (c) that there
exist ring 2 gates to perform operations the command could not do
from the user ring.
This memo explains why it is desirable to implement dm_files as
ring 2 MSF's as opposed to user ring MSF's. Then it gives the
list of the commands that should be extended to understand
dm_files, and describes how the extension is to be implemented.
3 RATIONALE FOR PUTTING DM FILES IN RING 2.
Ring 2 has been chosen as an inner ring for dm_files because the
File Manager runs in ring 2. There are various reasons why it is
desirable to put dm_files in ring 2:
o The File Manager maintains a header at the beginning of each
control interval (CI), with the CI number, the dm_file uid and
the time the CI was last modified. It also maintains a trailer
at the end of each CI to detect some disk error or CI
inconsistency. If components were directly accessible from the
user ring, user errors could cause the File Manager to
malfunction.
o The time stored in the header of each CI is also used by page
control to determine if the CI can safely be written to disk or
if it must be held in main memory until its "before image" is
safe on disk. Since page control uses some non-ring zero
information, it has to guard itself against incorrect or
malicious programs that manufacture this information. By
putting dm_files in ring 2, page control can trust ring 2
programs to be, at least, non-malicious programs.
o Journalization and locking: The File Manager is responsible
for enforcing a journalization and locking policy each time a
CI of a dm_file is accessed. If dm_files were in the user
ring, user programs could bypass this protocol. Of course, it
is clear that even if dm_files are in ring 2 a malicious user
could always ask the File Manager to write garbage in all CI's.
However, this could not happen by mistake, and the mechanism to
enforce the locking and journalization protocols is guaranteed
to be only in the File Manager.
o In the near future, MRDS will probably be moved into an inner
ring in order to provide "attribute level security". This
capability will require having dm_files in an inner ring.
o The MSF directory has to be a ring 2 directory because if it
was a user ring directory, user ring programs could create
segments in it. The File Manager expects to find only MSF
components in the directory and could be made to malfunction.
In particular, if a user creates a ring 4 segment with the name
of a component, when the File Manager needs to create the ring
2 component with that name it would get a name duplication
error. There is nothing wrong in allowing user ring programs
to request status information on the directory. It might be
convenient to effectively allow it; that is why the ring
brackets for dm_file directories will be [2, user, user]
instead of [2, 2, 2].
4 HOW CAN A COMMAND DETERMINE IF AN OBJECT IS A DM_FILE?
o First, the object has to be an MSF.
o Second, the MSF directory and all MSF components have to be
ring 2 objects.
o Third, if additional identity checking is felt to be necessary
by a command, it could call a ring 2 gate provided by the File
Manager, which would return a yes or no answer.
5 COMMANDS TO BE EXTENDED TO DEAL WITH DM_FILES
A new command to create a dm_file will be implemented. In
addition, the following commands will be extended to understand
how to identify dm_files and what to do for them.
o delete
The delete command is already special cased for MSF's. If the
MSF is also a dm_file, the command calls the ring 2 gate
provided by the File Manager to delete a dm_file.
o list
The list command is already special cased for MSF's. If the
MSF is also a dm_file, the command prints the same information
as it does for a regular MSF, with the exception of the heading
which should be "DM Files" instead of "Multisegment Files".
Since the status information for the dm_file directory can be
requested from user ring programs, the command does not need to
call any special ring 2 gate to do its job.
o status
The status command is already special cased for MSF's. If the
MSF is also a dm_file, the command will return the same
information as it does for a regular MSF, but with type = "dm
file". In addition, it will return the dm_file attributes that
it can get by calling the ring 2 gate provided by the File
Manager to get dm_file attributes. These attributes include
protected or unprotected, locking, before journal, after
journal, last time dumped and other such items.
o copy
The copy command is already special cased for MSF's. If the
MSF is also a dm_file, the command calls the user ring
subroutine copy_dm_file which copies the file into a new file,
using the standard File Manager primitives to create the new
dm_file, to open the old and the new dm_files, to get each CI
from the old dm_file and put it in the new dm_file, and to
close the old and the new dm_files. The new dm_file is
identical to the old one, with the exception of the header and
trailer in each CI, containing the dm_file uid and the time
last modified. The 2 dm_files will have different uid's.
o copy_dir
The copy_dir command is already special cased for MSF's. If
the MSF is also a dm_file, the command will do whatever the
copy command does for dm_files.
o move
The move command is already special cased for MSF's. If the
MSF is also a dm_file, the command copies the dm_file as the
copy command would do, and then deletes the original dm_file,
as the delete command would do.
o move_dir
The move_dir command is already special cased for MSF's. If
the MSF is also a dm_file, the command does whatever the move
command would do for a dm_file.
o renaming commands
The commands to manipulate names are add_name, delete_name and
rename. These commands are not special cased for MSF's. They
will have to be special cased for dm_files. When the object to
rename is not a dm_file, the command calls the ring 0 gate
hcs_$chname to do the job. When it is a dm_file, the command
will call a ring 2 gate provided by the File Manager,
file_manager_$chname, which has the same calling sequence as
hcs_$chname, and which will issue a call to ring 0 from ring 2.
If ring 0 was called by the command from the user ring, ring 0
would reject the request because the ring brackets of the
dm_file directory are [2, user, user].
o ACL commands
The commands to manipulate ACL's are list_acl, set_acl,
delete_acl and copy_acl. These commands are already special
cased for MSF's. When the object is an MSF, the command calls
one of the msf_manager_ entry points $acl_list, $acl_add,
$acl_replace or $acl_delete, which in turn calls its homolog
hcs_$entry_point. For a dm_file, the list command can continue
to work as it does for a regular MSF; however, the other commands
modify the ACL and cannot call hcs from the user ring. Instead
of calling msf_manager_$entry_point they have to call the
homolog ring 2 gate provided by the File Manager,
file_manager_$entry_point. The file_manager_$entry_point can
now call its homolog entry_point in the msf_manager_ since the
process is in ring 2.
o Some other commands
One may consider extending some other commands later. Some
candidates are set_bit_count and set_safety_switch. They are
not needed for the moment, but whenever they are, it will be
trivial to extend them using the same method as described for
ACL operations or renaming operations.
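The dm_file test of section 4 and the rename dispatch of section 5, as an added Python example that is not part of the original bulletin. It assumes a simplified ring model (a caller may modify an object only if its ring is at most the first bracket), uses ring 4 for "user", and the Entry class, hcs_chname and file_manager_chname are hypothetical stand-ins for Multics directory entries and gates, not their real interfaces.

```python
# Simplified model (assumption): a caller in ring n may modify an object with
# brackets (r1, r2, r3) only if n <= r1. Ring 4 stands in for the page's "user".
from dataclasses import dataclass, field

USER_RING, DM_RING = 4, 2

class RingViolation(Exception):
    pass

@dataclass
class Entry:                      # hypothetical stand-in for a directory entry
    names: list
    brackets: tuple
    components: list = field(default_factory=list)   # non-empty means MSF

def is_dm_file(entry, gate_check=None):
    """Section 4 test: MSF, then ring 2 directory and components, then gate."""
    if not entry.components:                          # first: must be an MSF
        return False
    if entry.brackets[0] != DM_RING:                  # second: ring 2 directory
        return False
    if any(c.brackets != (DM_RING,) * 3 for c in entry.components):
        return False                                  # and [2, 2, 2] components
    return bool(gate_check(entry)) if gate_check else True   # third: optional

def hcs_chname(caller_ring, entry, old, new):
    """Stand-in for the ring 0 gate: rejects callers outside the write bracket."""
    if caller_ring > entry.brackets[0]:
        raise RingViolation(f"ring {caller_ring} cannot modify {entry.brackets}")
    entry.names[entry.names.index(old)] = new

def file_manager_chname(caller_ring, entry, old, new):
    """Stand-in for the ring 2 gate: same arguments, calls ring 0 from ring 2."""
    if not is_dm_file(entry):
        raise ValueError("not a dm_file")
    hcs_chname(DM_RING, entry, old, new)    # executing in ring 2, not caller_ring

def rename(entry, old, new, caller_ring=USER_RING):
    """Dispatch described for the renaming commands."""
    gate = file_manager_chname if is_dm_file(entry) else hcs_chname
    gate(caller_ring, entry, old, new)

def make_dm_file(name, n=2):
    """Constructed sample: directory [2, user, user], components [2, 2, 2]."""
    comps = [Entry([str(i)], (DM_RING,) * 3) for i in range(n)]
    return Entry([name], (DM_RING, USER_RING, USER_RING), comps)
```

A user-ring segment planted among the components makes is_dm_file return false, which is the inconsistency the ring 2 directory is meant to prevent.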