Multics Technical Bulletin                                    MTB-706
Suppressing Ring 1 FS auditing

To:       Distribution

From:     Benson I. Margulies

Date:     04/04/85

Subject:  Avoiding Ring 0 Audit of Ring 1 TCB file system operations

1 ABSTRACT

The ring 1 TCB defines objects that are in fact implementing
segments and directories. As a result, ring 1 TCB subsystems such as
RCP and the mseg primitives make many calls to ring 0 file system
primitives. These calls need not be audited by ring 0, since the
ring 1 TCB is already auditing the actual TCB operation. For example,
reading a message from a mailbox, which is a TCB operation, often
involves initiating the mailbox segment, which is not. This MTB
describes the system mechanism that the ring 1 TCB uses to inform
ring 0 that ring 0 should not audit file system operations.

Comments should be sent to the author:

via Multics Mail:
   Margulies at either System-M, MIT, or CISL-SERVICE.

via Forum:
   >udd>m>mtgs>B2 on System-M

via telephone:
   (HVN) 261-9333, or (617) 492-9333

_________________________________________________________________

Multics project internal working documentation. Not to be reproduced
or distributed outside the Multics project without the consent of the
author or the author's management.

2 OVERVIEW -- WHEN TO AUDIT

The goal of this design is to avoid duplicate auditing in the TCB.
If the ring one TCB is called to perform an operation, it must audit
the operation. If ring one must call ring zero directory control to
implement the operation, that directory control call should not be
audited. However, not all of the code in ring one takes
responsibility for auditing its operations. Ring zero must not
suppress audit of a directory control operation unless it can
positively verify that its caller has taken responsibility for
auditing the operation in progress.

The following conditions must be met for ring zero directory control
to omit auditing:

1) The validation level must be zero or one, indicating that the
   caller was in fact part of the TCB.

2) A flag must be set indicating that the caller requested that
   auditing be omitted.

3) The process' initial ring must be greater than one, indicating
   that the user is not in direct control of the TCB interfaces.
   Otherwise, a user logged in to ring 1 could manipulate the file
   system with no auditing whatsoever.

4) The object of the operation must be a TCB-controlled object. That
   is, its first ring bracket must be 0 or 1.

3 SPECIFICATION

The above criteria will be implemented as follows:

A flag is defined in the pds, pds$no_audit_ring1_fs_object_ops. This
flag indicates that directory control should omit auditing.

A new gate entry is defined,
admin_gate_$admin_level_no_ring1_fs_audit.

   declare admin_gate_$admin_level_no_ring1_fs_audit
           entry (fixed bin (3) aligned);

   call admin_gate_$admin_level_no_ring1_fs_audit (old_level);

where

old_level
   is fixed bin (3) aligned that is set on return to the validation
   level at the time of the call.

This entry sets the validation level to one. If pds$initial_ring is
greater than one, it also sets pds$no_audit_ring1_fs_object_ops to
"1"b.

level$set (the target of hcs_$level_set) will reset
pds$no_audit_ring1_fs_object_ops to "0"b whenever it is called to set
the validation level greater than 1.

access_audit_check_ep_ (called by the various directory control
programs to decide whether to audit) will respect
pds$no_audit_ring1_fs_object_ops. In addition, this program will
require that the object being audited have a write bracket of one or
zero.

4 RULES FOR USE

Ring one TCB subsystems will call
admin_gate_$admin_level_no_ring1_fs_audit to set their validation
level to one for file system operations. Ring one subsystems will
therefore always audit such operations, rather than depending on ring
zero to audit for them. This will ensure that the real caller
validation level is recorded in the audit record.
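
The following Python model is an added example, not Multics code and
not part of the original bulletin. It traces how the gate entry,
level$set and the access_audit_check_ep_ test of section 3 together
enforce the four conditions of section 2. The class, function names
and sample ring values are assumptions; only the pds variable names
come from the bulletin.

```python
from dataclasses import dataclass

@dataclass
class PDS:
    """Per-process state (illustrative model of the pds fields named above)."""
    initial_ring: int                          # pds$initial_ring
    validation_level: int                      # current validation level
    no_audit_ring1_fs_object_ops: bool = False

def admin_level_no_ring1_fs_audit(pds: PDS) -> int:
    """Model of the new gate entry: set level to 1, return the old level."""
    old_level = pds.validation_level
    pds.validation_level = 1
    if pds.initial_ring > 1:                   # condition 3 is checked here
        pds.no_audit_ring1_fs_object_ops = True
    return old_level

def level_set(pds: PDS, new_level: int) -> None:
    """Model of level$set: raising the level above 1 clears the flag."""
    pds.validation_level = new_level
    if new_level > 1:
        pds.no_audit_ring1_fs_object_ops = False

def ring0_should_audit(pds: PDS, write_bracket: int) -> bool:
    """Model of the access_audit_check_ep_ decision.

    Conditions 1 and 3 are carried by the flag itself: the gate sets it
    only when initial_ring > 1, and level_set clears it above level 1.
    """
    suppress = pds.no_audit_ring1_fs_object_ops and write_bracket <= 1
    return not suppress

def demo() -> dict:
    results = {}
    user = PDS(initial_ring=4, validation_level=4)      # constructed sample
    old = admin_level_no_ring1_fs_audit(user)           # ring 1 TCB entry
    results["tcb_object"] = ring0_should_audit(user, write_bracket=1)
    results["user_object"] = ring0_should_audit(user, write_bracket=4)
    level_set(user, old)                                # back to caller level
    results["after_restore"] = ring0_should_audit(user, write_bracket=1)
    ring1_login = PDS(initial_ring=1, validation_level=1)
    admin_level_no_ring1_fs_audit(ring1_login)          # flag stays off
    results["ring1_login"] = ring0_should_audit(ring1_login, write_bracket=1)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the first case omits the ring zero audit; an object outside the
TCB, a restored validation level, or a process logged in to ring 1
each leave ring zero auditing in force.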