A global section can provide access to a disk file (called a file-backed global section), provide access to dynamically created storage (called a page file-backed global section), or provide access to specific physical memory (called a page frame number [PFN] global section). A global section object may be either temporary or permanent.
The operating system supports two types of global section objects:
Naming Rules
The name of the object is a string of 1 to 44 characters. For group global sections, the name is qualified by your UIC group number.
Types of Access
The global section class supports the following types of access:
Template Profile
File-backed global sections share the security profile of the associated disk file. Whenever the profile of the backing file is modified, the global section's profile automatically changes. To modify the protection elements of file-backed global sections, you must modify the backing file instead.
The global section class provides the following template profiles. Although the template assigns an owner UIC of [0,0], this value is only temporary. As soon as the object is created, the operating system replaces a 0 value with the value in the corresponding field of the creating process's UIC.
Type | Template Name | Owner UIC | Protection Code |
---|---|---|---|
System | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE |
Group | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE |
The operating system modifies the templates according to the values provided in the prot argument to $CRMPSC. The prot argument is ignored for file-backed sections.
To maintain compatibility with earlier versions of the operating system, the DEFAULT templates have protection codes allowing world access. Some applications may need a more restrictive default than the templates provide. If you do choose to restrict global section access, be aware that the more restrictive access can cause applications to fail in ways that are difficult to diagnose.
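As an added illustration (not code from the OpenVMS documentation or the operating system), the following Python model applies the template rules above: the [0,0] owner is filled in from the creator's UIC, and the DEFAULT protection code is compared with a more restrictive one. The function names and UICs are constructed; the model assumes the prot value is written as a protection-code string rather than the form $CRMPSC takes, treats group numbers up to an assumed MAXSYSGROUP of octal 10 as the system category, and ignores ACLs and privileges.

```python
# Added illustration; names and UICs are constructed, not OpenVMS code.
DEFAULT_TEMPLATE = {"owner": (0, 0), "prot": "S:RWE,O:RWE,G:RWE,W:RWE"}

def parse_protection(code):
    """'S:RWE,O:RWE,G:R,W' -> {'S': {'R','W','E'}, ..., 'W': set()}"""
    prot = {cat: set() for cat in "SOGW"}
    for field in code.upper().split(","):
        cat, _, rights = field.strip().partition(":")
        if cat not in prot or not set(rights) <= set("RWE"):
            raise ValueError(f"bad protection field: {field!r}")
        prot[cat] = set(rights)
    return prot

def create_profile(template, creator_uic, prot=None, file_backed=False):
    """Profile given to a new page file-backed or PFN global section."""
    if file_backed:
        # prot is ignored: the section shares the backing file's profile.
        raise ValueError("file-backed: inspect the backing file instead")
    t_group, t_member = template["owner"]
    # A 0 field in the template owner is replaced by the creator's field.
    owner = (t_group or creator_uic[0], t_member or creator_uic[1])
    return {"owner": owner, "prot": parse_protection(prot or template["prot"])}

def access_allowed(profile, uic, want, max_sys_group=0o10):
    """Protection-code check only; ACLs and privileges are not modeled."""
    cats = {"W"}                                  # everyone is in world
    if uic[0] == profile["owner"][0]:
        cats.add("G")
    if uic == profile["owner"]:
        cats.add("O")
    if uic[0] <= max_sys_group:                   # assumed MAXSYSGROUP value
        cats.add("S")
    return any(want in profile["prot"][c] for c in cats)

if __name__ == "__main__":
    creator, teammate, outsider = (0o200, 0o1), (0o200, 0o7), (0o300, 0o5)
    default = create_profile(DEFAULT_TEMPLATE, creator)
    tight = create_profile(DEFAULT_TEMPLATE, creator, prot="S:RWE,O:RWE,G:R,W")
    for name, uic in [("creator", creator), ("teammate", teammate), ("outsider", outsider)]:
        print(name, {w: (access_allowed(default, uic, w), access_allowed(tight, uic, w))
                     for w in "RWE"})
```

Each printed pair is (DEFAULT template, restricted code); a process that loses access it previously had under the DEFAULT template is the kind of application failure the paragraph above warns about.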
Privilege Requirements
The SYSGBL privilege is required to create or delete a system global section. The PFNMAP privilege is necessary to create or delete a page frame section, and the PRMGBL privilege is required to create or delete a permanent global section.
Kinds of Auditing Performed
The following types of events can be audited, provided the security administrator enables auditing for the appropriate event class:
Event Audited | When Audit Occurs |
---|---|
Creation | When a page file-backed or a PFN global section is created by the Create and Map Section system service ($CRMPSC). |
Access | When an existing page file-backed or a PFN global section is accessed with either $CRMPSC or the Map Global Section system service ($MGBLSC). The operating system audits access to a file-backed global section as a file access. |
Deaccess | At image or process rundown when the process virtual address space is reset or deleted. |
Deletion | If a process with PRMGBL privilege, PFNMAP privilege, or SYSGBL privilege (in the case of a system global section) deletes a permanent global section, the operating system audits the event through the use of privilege. |
Permanence of the Object
A global section and its security profile need to be reset after every system boot.