Multics Technical Bulletin MTB-706
Suppressing Ring 1 FS auditing
To: Distribution
From: Benson I. Margulies
Date: 04/04/85
Subject: Avoiding Ring 0 Audit of Ring 1 TCB file system operations
1 ABSTRACT
The ring 1 TCB defines objects that are in fact
implemented as segments and directories. As a result,
ring 1 TCB subsystems such as RCP and the mseg
primitives make many calls to ring 0 file system
primitives. These calls need not be audited by ring 0,
since the ring 1 TCB is already auditing the actual TCB
operation. For example, reading a message from a
mailbox, which is a TCB operation, often involves
initiating the mailbox segment, which is not.
This MTB describes the system mechanism that the ring 1
TCB uses to inform ring 0 that ring 0 should not audit
file system operations.
Comments should be sent to the author:
via Multics Mail:
Margulies at either System-M, MIT, or CISL-SERVICE.
via Forum:
>udd>m>mtgs>B2 on System-M
via telephone:
(HVN) 261-9333, or
(617) 492-9333
_________________________________________________________________
Multics project internal working documentation. Not to be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.
2 OVERVIEW -- WHEN TO AUDIT
The goal of this design is to avoid duplicate auditing in the
TCB. If the ring one TCB is called to perform an operation, it
must audit the operation. If ring one must call ring zero
directory control to implement the operation, that directory
control call should not be audited. However, not all of the code
in ring one takes responsibility for auditing its operations.
Ring zero must not suppress audit of a directory control
operation unless it can positively verify that its caller has
taken responsibility for auditing the operation in progress.
The following conditions must be met for ring zero directory
control to omit auditing:
1) The validation level must be zero or one, indicating that
the caller was in fact part of the TCB.
2) A flag must be set indicating that the caller requested
that auditing be omitted.
3) The process' initial ring must be greater than one,
indicating that the user is not in direct control of the TCB
interfaces. Otherwise, a user logged in to ring 1 could
manipulate the file system with no auditing whatsoever.
4) The object of the operation must be a TCB-controlled
object. That is, its first ring bracket must be 0 or 1.
3 SPECIFICATION
The above criteria will be implemented as follows:
A flag is defined in the pds, pds$no_audit_ring1_fs_object_ops.
This flag indicates that directory control should omit auditing.
A new gate entry is defined,
admin_gate_$admin_level_no_ring1_fs_audit.
     declare admin_gate_$admin_level_no_ring1_fs_audit
             entry (fixed bin (3) aligned);
     call admin_gate_$admin_level_no_ring1_fs_audit (old_level);
where old_level is a fixed bin (3) aligned value that is set on
return to the validation level at the time of the call.
This entry sets the validation level to one. If pds$initial_ring
is greater than one, it also sets
pds$no_audit_ring1_fs_object_ops to "1"b.
level$set (the target of hcs_$level_set) will reset
pds$no_audit_ring1_fs_object_ops to "0"b whenever it is called to
set the validation level greater than 1.
access_audit_check_ep_ (called by the various directory control
programs to decide whether to audit) will respect
pds$no_audit_ring1_fs_object_ops. In addition, this program will
require that the object being audited have a write bracket of one
or zero.
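The rules of sections 2 and 3 can be traced in a small C model, added here as an example; it is not part of the original bulletin and is not Multics source. The struct and function names are assumptions that stand in for the pds fields, the gate entry, level$set and access_audit_check_ep_, and the model returns the old level instead of using an output argument.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the per-process (pds) state the bulletin names. */
struct pds {
    int  validation_level;              /* current validation level */
    int  initial_ring;                  /* models pds$initial_ring */
    bool no_audit_ring1_fs_object_ops;  /* models the new pds flag */
};

/* Models admin_gate_$admin_level_no_ring1_fs_audit: reports the old level,
   sets the level to 1, and sets the flag only if the initial ring is > 1. */
int admin_level_no_ring1_fs_audit(struct pds *p)
{
    int old_level = p->validation_level;
    p->validation_level = 1;
    if (p->initial_ring > 1)
        p->no_audit_ring1_fs_object_ops = true;
    return old_level;
}

/* Models level$set: setting any level above 1 clears the flag. */
void level_set(struct pds *p, int level)
{
    p->validation_level = level;
    if (level > 1)
        p->no_audit_ring1_fs_object_ops = false;
}

/* Models the decision in access_audit_check_ep_: ring 0 audits unless all
   four conditions of section 2 hold. write_bracket is the object's first
   ring bracket. */
bool ring0_must_audit(const struct pds *p, int write_bracket)
{
    bool suppress = p->validation_level <= 1
                 && p->no_audit_ring1_fs_object_ops
                 && p->initial_ring > 1
                 && write_bracket <= 1;
    return !suppress;
}

int main(void)
{
    /* Constructed sample: initial ring 4, level 4 on entry to ring 1 code. */
    struct pds user = { 4, 4, false };
    int old = admin_level_no_ring1_fs_audit(&user);
    printf("bracket 1 object: audit=%d\n", ring0_must_audit(&user, 1));
    printf("bracket 4 object: audit=%d\n", ring0_must_audit(&user, 4));
    level_set(&user, old);
    printf("level restored:   audit=%d\n", ring0_must_audit(&user, 1));
    return 0;
}
```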
4 RULES FOR USE
Ring one TCB subsystems will call
admin_gate_$admin_level_no_ring1_fs_audit to set their validation
level to one for file system operations. Ring one subsystems
will therefore always audit such operations, rather than
depending on ring zero to audit for them. This will ensure that
the real caller validation level is recorded in the audit record.