Multics Technical Bulletin                                MTB-706
Suppressing Ring 1 FS auditing

To:       Distribution

From:     Benson I. Margulies

Date:     04/04/85

Subject:  Avoiding Ring 0 Audit of Ring 1 TCB file system operations


     The  ring  1  TCB  defines  objects  that  are  in fact
     implementing  segments and  directories.  As  a result,
     ring  1  TCB  subsystems  such  as  RCP  and  the  mseg
     primitives  make  many  calls  to  ring  0  file system
     primitives.  These calls need not be audited by ring 0,
     since the ring 1 TCB is already auditing the actual TCB
     operation.   For  example,  reading  a  message  from a
     mailbox,  which  is  a  TCB  operation,  often involves
     initiating the mailbox segment, which is not.

     This MTB describes the system mechanism that the ring 1
     TCB uses to inform ring 0  that ring 0 should not audit
     file system operations.

Comments should be sent to the author:

via Multics Mail:
   Margulies at either System-M, MIT, or CISL-SERVICE.

via Forum:
   >udd>m>mtgs>B2 on System-M

via telephone:
   (HVN) 261-9333, or
   (617) 492-9333


Multics  project  internal  working  documentation.   Not  to  be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.

The  goal of this  design is to  avoid duplicate auditing  in the
TCB.  If the  ring one TCB is called to  perform an operation, it
must  audit  the  operation.   If  ring  one  must call ring zero
directory  control  to  implement  the  operation, that directory
control call should not be audited.  However, not all of the code
in  ring one  takes responsibility  for auditing  its operations.
Ring  zero  must  not  suppress  audit  of  a  directory  control
operation  unless it  can positively  verify that  its caller has
taken responsibility for auditing the operation in progress.

The  following conditions  must be  met for  ring zero  directory
control to omit auditing:

   1) The validation level must be zero or one, indicating that
      the caller was in fact part of the TCB.
   2) A flag must be set indicating that the caller requested
      that auditing be omitted.
   3) The process' initial ring must be greater than one,
      indicating that the user is not in direct control of the TCB
      interfaces.  Otherwise, a user logged in to ring 1 could
      manipulate the file system with no auditing whatsoever.
   4) The object of the operation must be a TCB-controlled
      object.  That is, its first ring bracket must be 0 or 1.


     The above criteria will be implemented as follows:

A flag  is defined in the  pds, pds$no_audit_ring1_fs_object_ops.
This flag indicates that directory control should omit auditing.

A new gate entry is defined:

     declare admin_gate_$admin_level_no_ring1_fs_audit
          entry (fixed bin (3) aligned);

     call admin_gate_$admin_level_no_ring1_fs_audit (old_level);

where old_level is a fixed bin (3) aligned value that is set on
return to the validation level at the time of the call.

This entry sets the validation level to one.  If pds$initial_ring
is greater than one, it also sets pds$no_audit_ring1_fs_object_ops
to "1"b.

level$set (the target of hcs_$level_set) will reset
pds$no_audit_ring1_fs_object_ops to "0"b whenever it is called to
set the validation level greater than 1.

access_audit_check_ep_ (called by the various directory control
programs to decide whether to audit) will respect
pds$no_audit_ring1_fs_object_ops.  In addition, this program will
require that the object being audited have a write bracket of one
or zero.


Ring one TCB subsystems will call
admin_gate_$admin_level_no_ring1_fs_audit to set their validation
level to one for file system operations.  Ring one subsystems
will therefore always audit such operations, rather than
depending on ring zero to audit for them.  This will ensure that
the real caller validation level is recorded in the audit record.
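
The mechanism above can be modeled in a few lines of Python.  This is
an added illustration, not Multics code: the PDS class, the function
names, the mailbox_read helper and the sample ring numbers are
assumptions that only mirror the names used in this bulletin.

```python
from dataclasses import dataclass

@dataclass
class PDS:
    """Model of the per-process fields this bulletin names (assumed layout)."""
    initial_ring: int
    validation_level: int
    no_audit_ring1_fs_object_ops: bool = False

def admin_level_no_ring1_fs_audit(pds):
    """Model of the new gate entry: returns the old validation level,
    sets the level to one, and sets the flag only if initial ring > 1."""
    old_level = pds.validation_level
    pds.validation_level = 1
    if pds.initial_ring > 1:
        pds.no_audit_ring1_fs_object_ops = True
    return old_level

def level_set(pds, new_level):
    """Model of level$set: leaving the TCB levels always clears the flag."""
    pds.validation_level = new_level
    if new_level > 1:
        pds.no_audit_ring1_fs_object_ops = False

def ring0_may_omit_audit(pds, object_write_bracket):
    """Model of the audit decision: all four conditions must hold."""
    return (pds.validation_level <= 1             # 1) caller is part of the TCB
            and pds.no_audit_ring1_fs_object_ops  # 2) suppression was requested
            and pds.initial_ring > 1              # 3) user does not drive ring 1
            and object_write_bracket <= 1)        # 4) TCB-controlled object

def mailbox_read(pds, mbx_write_bracket):
    """Hypothetical ring 1 subsystem: raise to TCB level, perform the
    file system call, then restore the caller's validation level."""
    old_level = admin_level_no_ring1_fs_audit(pds)
    try:
        # Ring 1 audits the mailbox read itself; ring 0 decides here
        # whether the underlying initiate must also be audited.
        return ring0_may_omit_audit(pds, mbx_write_bracket)
    finally:
        level_set(pds, old_level)
```

The model makes the fail-safe direction visible: any one condition
failing leaves ring 0 auditing as before, and the flag cannot survive
a return to a validation level above one.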