HP OpenVMS System Services Reference Manual
Because an active context block consumes process memory, be sure to
release the context block by setting the RELCTX flag when the profile
processing is complete. $SET_SECURITY sets the context argument to 0
once the context is released.
acmode
OpenVMS usage: access_mode
type: longword (unsigned)
access: read only
mechanism: by reference
Access mode to be used in the object protection check. The
acmode argument is the address of a longword
containing the access mode. The acmode argument
defaults to kernel mode; however, the system compares
acmode with the caller's access mode and uses the
least privileged mode. The access modes are defined by the $PSLDEF
macro in the system macro library.
HP recommends that this argument be omitted (passed as zero).
Item Codes
The following table provides a summary of item codes that
are valid as an item descriptor in the itmlst
argument. The table lists the $SET_SECURITY item codes and gives a
corresponding description. Complete descriptions of each item code are
provided after the table.
Item Code | Description
OSS$_ACL_ADD_ENTRY | Adds an access control entry (ACE)
OSS$_ACL_DELETE | Deletes all unprotected ACEs in an ACL
OSS$_ACL_DELETE_ALL | Deletes the ACL, including protected ACEs
OSS$_ACL_DELETE_ENTRY | Deletes an ACE
OSS$_ACL_FIND_ENTRY | Locates an ACE
OSS$_ACL_FIND_NEXT | Positions the next ACE
OSS$_ACL_FIND_TYPE | Locates an ACE of the specified type
OSS$_ACL_MODIFY_ENTRY | Replaces an ACE at the current position
OSS$_ACL_POSITION_BOTTOM | Sets a marker that points to the end of the ACL
OSS$_ACL_POSITION_TOP | Sets a marker that points to the beginning of the ACL
OSS$_OWNER | Sets the UIC or general identifier of the object's owner
OSS$_PROTECTION | Sets the protection code of the object
OSS$_ACL_ADD_ENTRY
Adds an access control entry (ACE) pointed to by the buffer address so
that it is in front of the current ACE in the access control list
(ACL). See OSS$_ACL_POSITION for more information on explicit access
control list positioning.
OSS$_ACL_DELETE
Deletes all unprotected ACEs in an ACL.
OSS$_ACL_DELETE_ALL
Deletes an entire ACL, including protected ACEs.
OSS$_ACL_DELETE_ENTRY
Deletes an ACE pointed to by the buffer address or, if the buffer
address is specified as 0, the ACE at the current position.
OSS$_ACL_FIND_ENTRY
Locates an ACE pointed to by the buffer address. OSS$_ACL_FIND_ENTRY
sets the position within the ACL for succeeding ACL operations; for
example, for a deletion or modification of the ACE. If the buffer
address is 0, it returns SS$_ACCVIO.
OSS$_ACL_FIND_NEXT
Advances the current position to the next ACE in the ACL.
OSS$_ACL_FIND_TYPE
Returns an ACE of a particular type if there is one in the buffer
pointed to by the buffer address. OSS$_ACL_FIND_TYPE sets the position
within the ACL for succeeding ACL operations. If the buffer address is
0, it returns SS$_ACCVIO.
OSS$_ACL_MODIFY_ENTRY
Replaces an ACE at the current position with the ACE pointed to by the
buffer address.
OSS$_ACL_POSITION_BOTTOM
Sets the ACL position to point to the bottom of the ACL.
OSS$_ACL_POSITION_TOP
Sets the ACL position to point to the top of the ACL.
OSS$_OWNER
Sets the owner UIC of the selected object to the value in the buffer.
The buffer size must be 4 bytes.
OSS$_PROTECTION
Sets the selected object's protection code to the value in the buffer.
The buffer size must be 2 bytes.
Description
The Set Security service modifies the security characteristics of a
protected object. Security characteristics include such information as
the protection code, the owner, and the access control list (ACL).
The security management services, $SET_SECURITY and $GET_SECURITY,
maintain a single master copy of a profile for every protected object
in an OpenVMS Cluster system. They also ensure that only one process at
a time can modify an object's security profile.
When you call $SET_SECURITY, the service performs the following steps:
- It selects the specified protected object.
- It fetches a local copy of the object's security profile, unless
the service is operating on an existing context.
- It modifies the local profile.
- It updates the master copy of the profile if the local flag is
clear and there was no error.
- It deletes the local copy of the profile and returns if RELCTX is
specified or if no context is specified.
There are different ways of identifying which protected object
$SET_SECURITY should process:
- Whenever the contxt argument has a nonzero value,
$SET_SECURITY uses the context to select the object and ignores the
class name, object name, and object handle.
- With some types of objects, such as a file or a device, it is
possible to select an object on the basis of its
objhan and clsnam values.
- When the clsnam and objnam
arguments are provided, $SET_SECURITY uses an object's class name and
object name to select the object.
The context for a security management operation can be established
through either $GET_SECURITY or $SET_SECURITY. Whenever the context is
set by one service, the other service can use it provided the necessary
locks are being held. A caller to $GET_SECURITY needs to set the write
lock flag (OSS$M_WLOCK) to inspect a profile value, maintain the lock
on the object's profile, and then modify some value through a call to
$SET_SECURITY.
There are many situations in which the contxt argument
is essential. By establishing a context for an ACL operation, for
example, a caller can retain an ACL position across calls to
$GET_SECURITY so that a set of ACEs can be read and modified
sequentially. A security context is released by a call to $SET_SECURITY
or $GET_SECURITY that sets the OSS$M_RELCTX flag. Once the context is
deleted, the user-supplied context longword is reset to 0.
Required Access or Privileges
Control access to the object is required.
Required Quota
None
Related Services
$GET_SECURITY
Condition Values Returned
SS$_NORMAL | The service completed successfully.
SS$_ACCVIO | The parameter cannot be read and the buffer cannot be written.
SS$_BADPARAM | You specified an invalid object, attribute code, or item size.
SS$_INSFARG | The clsnam and objnam arguments are not specified, the clsnam and objhan arguments are not specified, or the contxt argument is not specified.
SS$_INVBUFLEN | The buffer size for one of the item codes was invalid.
SS$_INVCLSITM | The item code that you specified is not supported for the class.
SS$_INVFILFOROP | An invalid file name was specified; the file name contained either a node or wildcard specification.
SS$_MMATORB | The attempted update cannot be performed. The object profile was changed by another process.
SS$_NOCLASS | The named object class does not exist.
SS$_OBJLOCKED | The selected object is currently write locked.
$SET_SYSTEM_EVENT (Alpha and Integrity servers)
On Alpha and Integrity server systems, establishes a request for
notification when an OpenVMS system event occurs.
Format
SYS$SET_SYSTEM_EVENT event ,astadr ,astprm ,acmode ,flags ,handle
C Prototype
int sys$set_system_event (unsigned int event, void
(*astadr)(__unknown_params), int astprm, unsigned int acmode, unsigned
int flags, struct _generic_64 * handle);
Arguments
event
OpenVMS usage: event_code
type: longword (unsigned)
access: read only
mechanism: by value
Event code indicating the type of system event for which an AST is to
be delivered. The event argument is a value indicating
which type of event is of interest.
Each event type has a symbolic name. The $SYSEVTDEF macro defines the
following symbolic names:
Symbolic Name | Description
SYSEVT$C_ADD_MEMBER | One or more OpenVMS instances have joined the OpenVMS Galaxy sharing community.
SYSEVT$C_DEL_MEMBER | One or more OpenVMS instances have left the OpenVMS Galaxy sharing community.
SYSEVT$C_ADD_ACTIVE_CPU | One or more processors have become active within this OpenVMS instance.
SYSEVT$C_DEL_ACTIVE_CPU | One or more processors have become inactive within this OpenVMS instance.
SYSEVT$C_ADD_CONFIG_CPU | One or more CPUs have been added to the set of available CPUs for this OpenVMS instance.
SYSEVT$C_DEL_CONFIG_CPU | One or more processors have been removed from this OpenVMS instance.
SYSEVT$C_TDF_CHANGE | The system's time differential factor has changed.
SYSEVT$C_CPU_DEALLOCATE | One or more processors have been deallocated from this OpenVMS instance.
astadr
OpenVMS usage: ast_procedure
type: procedure value
access: call without stack unwinding
mechanism: by 32-bit or 64-bit reference
Notification AST routine to receive control after a change in OpenVMS
system configuration occurs.
astprm
OpenVMS usage: user_arg
type: quadword
access: read only
mechanism: by value
The quadword AST parameter to be passed to the AST routine.
acmode
OpenVMS usage: access_mode
type: longword (unsigned)
access: read only
mechanism: by value
Access mode at which the system event AST is to execute. The
acmode argument is a longword containing the access
mode.
Each access mode has a symbolic name. The $PSLDEF macro defines the
following symbols for the four access modes.
Symbolic Name | Description
PSL$C_KERNEL | Kernel
PSL$C_EXEC | Executive
PSL$C_SUPER | Supervisor
PSL$C_USER | User
The value of the access mode is maximized with the access mode of the
caller.
flags
Defined in SYSEVTDEF.
SYSEVT$M_REPEAT_NOTIFY | When this flag is set, event notification is repeated.
handle
OpenVMS usage: handle
type: quadword (unsigned)
access: read/write
mechanism: by reference
The virtual address of a naturally aligned quadword for the event
handle.
Description
The Set System Event service establishes a request for notification
when a system event occurs. It may create a new system event
notification object, add an event to a new or existing object, and
enable notification on a new or existing object.
If the handle specified is zero, a new system
notification request object is created, and a handle for the new object
is returned.
If the event specified is non-zero, that event is
added to the set of events which trigger notification on the
notification object.
The service will verify that the input parameters specify a valid
request and enable the object for notification. Notification is
accomplished by AST delivery. After the AST has been delivered, if the
SYSEVT$M_REPEAT_NOTIFY flag is not set, notification must again be
enabled on the object before another notification (AST delivery) can
occur.
Errors are returned in the following cases:
- If quotas are exceeded, an error is returned. It is important to
note that this routine returns an error and will not retry an attempt
to get quota if quota is exhausted on the first attempt.
- See the Condition Values Returned section for types of errors that
can be returned.
- If the astadr argument is omitted, and a new
notification object is being created, SS$_BADPARAM is returned.
- If the event argument is incorrectly specified,
SS$_BADPARAM is returned.
- If the access mode parameter is more privileged than the mode of
the caller, the mode of the caller is used.
- If specified, the handle argument must be
writeable from the mode of the caller. SS$_ACCVIO is returned if this
is not the case.
Required Access or Privileges
None
Required Quota
ASTLM
Related Services
$CLEAR_SYSTEM_EVENT
Condition Values Returned
SS$_NORMAL | The service completed successfully.
SS$_ACCVIO | The service cannot access the locations specified by one or more arguments.
SS$_BADPARAM | One or more arguments has an invalid value.
SS$_EXASTLM | The process exceeded its quota for outstanding ASTs.
SS$_INSFMEM | The system dynamic memory is insufficient to complete the service.
$SET_UNWIND_TABLE (Integrity servers Only)
Registers or extends unwind table (UT) information.
Format
SYS$SET_UNWIND_TABLE code_base_va, code_size, ut_base_va, ut_size,
gp_value, unwind_info_base, name
C Prototype
int SYS$SET_UNWIND_TABLE (unsigned __int64 code_base_va, unsigned
__int64 code_size, unsigned __int64 ut_base_va, unsigned __int64
ut_size, unsigned __int64 gp_value, unsigned __int64 unwind_info_base,
void *name);
Arguments
code_base_va
OpenVMS usage: address
type: quadword (unsigned)
access: read only
mechanism: by value
With code_size, defines the potential code range.
code_base_va is required for both creation and
extension calls. code_base_va is the process virtual
address of the start of the code region. code_size is
the size of the code region in bytes. An error is returned if this
overlaps any existing range.
code_size
OpenVMS usage: address
type: quadword (unsigned)
access: read only
mechanism: by value
With code_base_va, defines the potential code range.
code_base_va is required for both creation and
extension calls. code_base_va is the process virtual
address of the start of the code region. code_size is
the size of the code region in bytes. An error is returned if this
overlaps any existing range.
ut_base_va
OpenVMS usage: address
type: quadword (unsigned)
access: read only
mechanism: by value
With ut_size, describes the unwind table (UT).
ut_base_va is the process virtual address of the UT
and must be quadword aligned. ut_size is the size of
the UT in bytes and must be a multiple of the size (24 bytes: 3
quadwords) of an unwind table entry (UTE). The UTEs must describe
nonoverlapping code subregions within the overall code region.
ut_size
OpenVMS usage: address
type: quadword (unsigned)
access: read only
mechanism: by value
With ut_base_va, describes the unwind table (UT).
ut_base_va is the process virtual address of the UT
and must be quadword aligned. ut_size is the size of
the UT in bytes and must be a multiple of the size (24 bytes: 3
quadwords) of an unwind table entry (UTE). The UTEs must describe
nonoverlapping code subregions within the overall code region.
gp_value
OpenVMS usage: address
type: quadword (unsigned)
access: read only
mechanism: by value
Ignored on extension calls; required on create calls. The Global Data
Pointer (GP) value for the routines described by these unwind tables.
unwind_info_base
OpenVMS usage: address
type: quadword (unsigned)
access: read only
mechanism: by value
Ignored on extension calls; required on create calls. The
unwind_info_base plus a particular UTE UIB offset must
add up to the process virtual address of that UIB. Typically for static
code (activated images from disk), this specifies the process virtual
base address of the segment containing the UIBs. However, dynamically
generated code, for example, can pass a zero for the
unwind_info_base and have the full process virtual
addresses of the UIBs in their UTEs.
name
OpenVMS usage: pseudo-image-name
type: character-code-text-string
access: read only
mechanism: by descriptor-fixed-length string descriptor
Passed by descriptor (ignored on extension calls). May be used for
traceback. Need not be unique. Should be less than 255 characters (will
be truncated, otherwise).
Description
This interface can be used to register or extend unwind information. It
is expected, for example, that applications that dynamically create
code will also need to dynamically create unwind tables (UTs) and
unwind information blocks (UIBs) for that code. This interface
registers such information with the operating system.
The image activator also uses this interface to register unwind
information for shareable and main images. Note that the code region,
though fully specified in terms of its potential size, need not be full
of actual code at its initial registration. The unwind table, however,
must describe all the code that could execute within that region and
that needs unwind information, at any given time. Note also that the
unwind table entries (UTEs) within a registered unwind table must
remain sorted (ascending order) at any given time.
To create a new registration, specify a new (not registered) code
range. On a creation, all parameters (except name)
must be specified.
To extend an existing registration, specify an existing (registered)
code_base_va. On extension, only the identifying
code_base_va and new UT range need be specified, that is, the other
parameters may be zeros. An extension call can only alter that
registration's ut_base_va and ut_size.
The creator caller's mode defines the mode from which the registration
may be extended or removed.
Failure status is returned on creation if the input code range overlaps
an already existing range.
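The constraints stated above for a registration (quadword-aligned ut_base_va, ut_size a multiple of the 24-byte UTE size, UTEs in ascending order and nonoverlapping within the code region) can be checked by the caller before the table is handed to the service. The following C routine is an added example, not code from this manual; the ute_t field names, the reading of UTE bounds as offsets from code_base_va, the ut_check codes and the sample tables are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed UTE layout: 3 quadwords; field names are hypothetical. start/end
   are byte offsets from code_base_va, end exclusive. */
typedef struct { uint64_t start, end, uib_offset; } ute_t;
_Static_assert(sizeof(ute_t) == 24, "UTE must be 24 bytes");

enum ut_check { UT_OK, UT_BAD_CODE_RANGE, UT_MISALIGNED, UT_BAD_SIZE,
                UT_ENTRY_EMPTY, UT_ENTRY_OUTSIDE, UT_UNSORTED_OR_OVERLAP };

/* Checks the stated constraints before the table is registered. */
enum ut_check check_unwind_table(uint64_t code_base_va, uint64_t code_size,
                                 const void *ut_base, uint64_t ut_size)
{
    /* Added sanity check: range is non-empty and does not wrap. */
    if (code_size == 0 || code_base_va + code_size < code_base_va)
        return UT_BAD_CODE_RANGE;
    if (((uintptr_t)ut_base & 7u) != 0)      /* quadword alignment */
        return UT_MISALIGNED;
    if (ut_size % sizeof(ute_t) != 0)        /* multiple of 24 bytes */
        return UT_BAD_SIZE;

    const ute_t *ut = ut_base;
    uint64_t n = ut_size / sizeof(ute_t), prev_end = 0;
    for (uint64_t i = 0; i < n; i++) {
        if (ut[i].start >= ut[i].end)
            return UT_ENTRY_EMPTY;
        if (ut[i].end > code_size)           /* inside the code region */
            return UT_ENTRY_OUTSIDE;
        if (ut[i].start < prev_end)          /* ascending, nonoverlapping */
            return UT_UNSORTED_OR_OVERLAP;
        prev_end = ut[i].end;
    }
    return UT_OK;
}

/* Constructed sample tables, not taken from the manual. */
static const ute_t ut_good[]    = {{0x000, 0x100, 0x10}, {0x100, 0x240, 0x40}};
static const ute_t ut_overlap[] = {{0x000, 0x100, 0x10}, {0x0c0, 0x240, 0x40}};

int main(void)
{
    printf("good=%d overlap=%d\n",
           check_unwind_table(0x20000, 0x1000, ut_good, sizeof ut_good),
           check_unwind_table(0x20000, 0x1000, ut_overlap, sizeof ut_overlap));
    return 0;
}
```

Because the table must stay sorted and consistent at any given time, the same check applies to the enlarged table before an extension call.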
Required Access or Privileges
Unwind table information that describes code in process space can be
registered from any mode.
Unwind table information that describes code in system space can be
registered only from kernel mode or executive mode.
Required Quota
None
Related Services
SYS$CLEAR_UNWIND_TABLE, SYS$GET_UNWIND_ENTRY_INFO. Also see
LIB$GET_UIB_INFO in HP OpenVMS Calling Standard.
Condition Values Returned
SS$_NORMAL | Routine completed successfully.
SS$_BADPARAM | Missing or illegal parameter.
SS$_VA_IN_USE | Overlap detected.
SS$_ACCVIO | Name descriptor cannot be read.