| Previous | Contents | Index |
Because an active context block consumes process memory, be sure to release the context block by setting the RELCTX flag when the profile processing is complete. $SET_SECURITY sets the context argument to 0 once the context is released.
| OpenVMS usage: | access_mode |
| type: | longword (unsigned) |
| access: | read only |
| mechanism: | by reference |
HP recommends that this argument be omitted (passed as zero). Item Codes The following table provides a summary of item codes that are valid as an item descriptor in the itmlst argument. The table lists the $SET_SECURITY item codes and gives a corresponding description. Complete descriptions of each item code are provided after the table.
| Item Code | Description |
|---|---|
| OSS$_ACL_ADD_ENTRY | Adds an access control entry (ACE) |
| OSS$_ACL_DELETE | Deletes all unprotected ACEs in an ACL |
| OSS$_ACL_DELETE_ALL | Deletes the ACL, including protected ACEs |
| OSS$_ACL_DELETE_ENTRY | Deletes an ACE |
| OSS$_ACL_FIND_ENTRY | Locates an ACE |
| OSS$_ACL_FIND_NEXT | Positions the next ACE |
| OSS$_ACL_FIND_TYPE | Locates an ACE of the specified type |
| OSS$_ACL_MODIFY_ENTRY | Replaces an ACE at the current position |
| OSS$_ACL_POSITION_BOTTOM | Sets a marker that points to the end of the ACL |
| OSS$_ACL_POSITION_TOP | Sets a marker that points to the beginning of the ACL |
| OSS$_OWNER | Sets the UIC or general identifier of the object's owner |
| OSS$_PROTECTION | Sets the protection code of the object |
OSS$_ACL_ADD_ENTRY
Adds an access control entry (ACE) pointed to by the buffer address so that it is in front of the current ACE in the access control list (ACL). See OSS$_ACL_POSITION for more information on explicit access control list positioning.OSS$_ACL_DELETE
Deletes all unprotected ACEs in an ACL.OSS$_ACL_DELETE_ALL
Deletes an entire ACL, including protected ACEs.OSS$_ACL_DELETE_ENTRY
Deletes an ACE pointed to by the buffer address or, if the buffer address is specified as 0, the ACE at the current position.OSS$_ACL_FIND_ENTRY
Locates an ACE pointed to by the buffer address. OSS$_ACL_FIND_ENTRY sets the position within the ACL for succeeding ACL operations; for example, for a deletion or modification of the ACE. If the buffer address is 0, it returns SS$_ACCVIO.OSS$_ACL_FIND_NEXT
Advances the current position to the next ACE in the ACL.OSS$_ACL_FIND_TYPE
Returns an ACE of a particular type if there is one in the buffer pointed to by the buffer address. OSS$_ACL_FIND_TYPE sets the position within the ACL for succeeding ACL operations. If the buffer address is 0, it returns SS$_ACCVIO.OSS$_ACL_MODIFY_ENTRY
Replaces an ACE at the current position with the ACE pointed to by the buffer address.OSS$_ACL_POSITION_BOTTOM
Sets the ACL position to point to the bottom of the ACL.OSS$_ACL_POSITION_TOP
Sets the ACL position to point to the top of the ACL.OSS$_OWNER
Sets the owner UIC of the selected object to the value in the buffer. The buffer size must be 4 bytes.OSS$_PROTECTION
Sets the selected object's protection code to the value in the buffer. The buffer size must be 2 bytes.
The Set Security service modifies the security characteristics of a protected object. Security characteristics include such information as the protection code, the owner, and the access control list (ACL).The security management services, $SET_SECURITY and $GET_SECURITY, maintain a single master copy of a profile for every protected object in an OpenVMS Cluster system. They also ensure that only one process at a time can modify an object's security profile.
When you call $SET_SECURITY, the service performs the following steps:
- It selects the specified protected object.
- It fetches a local copy of the object's security profile, unless the service is operating on an existing context.
- It modifies the local profile.
- It updates the master copy of the profile if the local flag is clear and there was no error.
- It deletes the local copy of the profile and returns if RELCTX is specified or if no context is specified.
There are different ways of identifying which protected object $SET_SECURITY should process:
- Whenever the contxt argument has a nonzero value, $SET_SECURITY uses the context to select the object and ignores the class name, object name, and object handle.
- With some types of objects, such as a file or a device, it is possible to select an object on the basis of its objhan and clsnam values.
- When the clsnam and objnam arguments are provided, $SET_SECURITY uses an object's class name and object name to select the object.
The context for a security management operation can be established through either $GET_SECURITY or $SET_SECURITY. Whenever the context is set by one service, the other service can use it provided the necessary locks are being held. A caller to $GET_SECURITY needs to set the write lock flag (OSS$M_WLOCK) to inspect a profile value, maintain the lock on the object's profile, and then modify some value through a call to $SET_SECURITY.
There are many situations in which the contxt argument is essential. By establishing a context for an ACL operation, for example, a caller can retain an ACL position across calls to $GET_SECURITY so that a set of ACEs can be read and modified sequentially. A security context is released by a call to $SET_SECURITY or $GET_SECURITY that sets the OSS$M_RELCTX flag. Once the context is deleted, the user-supplied context longword is reset to 0.
Control access to the object is required.
None
$GET_SECURITY
SS$_NORMAL The service completed successfully. SS$_ACCVIO The parameter cannot be read and the buffer cannot be written. SS$_BADPARAM You specified an invalid object, attribute code, or item size. SS$_INSFARG The clsnam and objnam arguments are not specified, the clsnam and objhan arguments are not specified, or the contxt argument is not specified. SS$_INVBUFLEN The buffer size for one of the item codes was invalid. SS$_INVCLSITM The item code that you specified is not supported for the class. SS$_INVFILFOROP An invalid file name was specified; the file name contained either a node or wildcard specification. SS$_MMATORB The attempted update cannot be performed. The object profile was changed by another process. SS$_NOCLASS The named object class does not exist. SS$_OBJLOCKED The selected object is currently write locked.
On Alpha and Integrity server systems, establishes a request for notification when an OpenVMS system event occurs.
SYS$SET_SYSTEM_EVENT event ,astadr ,astprm ,acmode ,flags ,handle
int sys$set_system_event (unsigned int event, void (*astadr)(__unknown_params), int astprm, unsigned int acmode, unsigned int flags, struct _generic_64 * handle);
event
OpenVMS usage: event_code type: longword (unsigned) access: read only mechanism: by value
Event code indicating the type of system event for which an AST is to be delivered. The event argument is a value indicating which type of event is of interest.Each event type has a symbolic name. The $SYSEVTDEF macro defines the following symbolic names:
Symbolic Name Description SYSEVT$C_ADD_MEMBER One or more OpenVMS instances have joined the OpenVMS Galaxy sharing community. SYSEVT$C_DEL_MEMBER One or more OpenVMS instances have left the OpenVMS Galaxy sharing community. SYSEVT$C_ADD_ACTIVE_CPU One or more processors have become active within this OpenVMS instance. SYSEVT$C_DEL_ ACTIVE_CPU One or more processors have become inactive within this OpenVMS instance. SYSEVT$C_ADD_CONFIG_CPU One or more CPUs have been added to the set of available CPUs for this OpenVMS instance. SYSEVT$C_DEL_CONFIG_CPU One or more processors have been removed from this OpenVMS instance. SYSEVT$C_TDF_CHANGE The system's time differential factor has changed. SYSEVT$C_CPU_DEALLOCATE One or more processors have been deallocated from this OpenVMS instance. astadr
OpenVMS usage: ast_procedure type: procedure value access: call without stack unwinding mechanism: by 32-bit or 64-bit reference
Notification AST routine to receive control after a change in OpenVMS system configuration occurs.astprm
OpenVMS usage: user_arg type: quadword access: read only mechanism: by value
The quadword AST parameter to be passed to the AST routine.acmode
OpenVMS usage: access_mode type: longword (unsigned) access: read only mechanism: by value
Access mode at which the system event AST is to execute. The acmode argument is a longword containing the access mode.Each access mode has a symbolic name. The $PSLDEF macro defines the following symbols for the four access modes.
Symbolic Name Description PSL$C_KERNEL Kernel PSL$C_EXEC Executive PSL$C_SUPER Supervisor PSL$C_USER User The value of the access mode is maximized with the access mode of the caller.
flags
type: access:
Defined in SYSEVTDEF.
SYSEVT$M_REPEAT_NOTIFY When this flag is set, event notification is repeated. handle
OpenVMS usage: handle type: quadword (unsigned) access: read/write mechanism: by reference
The virtual address of a naturally aligned quadword for the event handle.
The Set System Event service establishes a request for notification when a system event occurs. It may create a new system event notification object, add an event to a new or existing object, and enable notification on a new or existing object.If the handle specified is zero, a new system notification request object is created, and a handle for the new object is returned.
If the event specified is non-zero, that event is added to the set of events which trigger notification on the notification object.
The service will verify that the input parameters specify a valid request and enable the object for notification. Notification is accomplished by AST delivery. After the AST has been delivered, if the SYSEVT$M_REPEAT_NOTIFY flag is not set, notification must again be enabled on the object before another notification (AST delivery) can occur.
Errors are returned in the following cases:
- If quotas are exceeded, an error is returned. It is important to note that this routine returns an error and will not retry an attempt to get quota if quota is exhausted on the first attempt.
- See the Condition Values Returned section for types of errors that can be returned.
- If the astadr argument is omitted, and a new notification object is being created, SS$_BADPARAM is returned.
- If the event argument is incorrectly specified, SS$_BADPARAM is returned.
- If the access mode parameter is more privileged than the mode of the caller, the mode of the caller is used.
- If specified, the handle argument must be writeable from the mode of the caller. SS$_ACCVIO is returned if this is not the case.
None
ASTLM
$CLEAR_SYSTEM_EVENT
SS$_NORMAL The service completed successfully. SS$_ACCVIO The service cannot access the locations specified by one or more arguments. SS$_BADPARAM One of more arguments has an invalid value. SS$_EXASTLM The process exceeded its quota for outstanding ASTs. SS$_INSFMEM The system dynamic memory is insufficient to complete the service.
Registers or extends unwind table (UT) information.
SYS$SET_UNWIND_TABLE code_base_va, code_size, ut_base_va, ut_size, gp_value, unwind_info_base, name
ind SYS$SET_UNWIND_TABLE (unsigned __int64 code_base_va, unsigned __int64 code_size, unsigned __int64 ut_base_va, unsigned __int64 ut_size, unsigned __int64 gp_value, unsigned __int64 unwind_info_base, void *name);
code_base_va
OpenVMS usage: address type: quadword (unsigned) access: read only mechanism: by value
With code_size, defines the potential code range. code_base_va is required for both creation and extension calls. code_base_va is the process virtual address of the start of the code region. code_size is the size of the code region in bytes. An error is returned if this overlaps any existing range.code_size
OpenVMS usage: address type: quadword (unsigned) access: read only mechanism: by value
With code_base_va, defines the potential code range. code_base_va is required for both creation and extension calls. code_base_va is the process virtual address of the start of the code region. code_size is the size of the code region in bytes. An error is returned if this overlaps any existing range.ut_base_va
OpenVMS usage: address type: quadword (unsigned) access: read only mechanism: by value
With ut_size, describes the unwind table (UT). ut_base_va is the process virtual address of the UT and must be quadword aligned. ut_size is the size of the UT in bytes and must be a multiple of the size (24 bytes: 3 quadwords) of an unwind table entry (UTE). The UTEs must describe nonoverlapping code subregions within the overall code region.ut_size
OpenVMS usage: address type: quadword (unsigned) access: read only mechanism: by value
With ut_base_va, describes the unwind table (UT). ut_base_va is the process virtual address of the UT and must be quadword aligned. ut_size is the size of the UT in bytes and must be a multiple of the size (24 bytes: 3 quadwords) of an unwind table entry (UTE). The UTEs must describe nonoverlapping code sub regions within the overall code region.gp_value
OpenVMS usage: address type: quadword (unsigned) access: read only mechanism: by value
Ignored on extension calls, required on create calls. The Global Data Pointer (GP) value for the routines described by these unwind tables.unwind_info_base
OpenVMS usage: address type: quadword (unsigned) access: read only mechanism: by value
Ignored on extension calls; required on create calls. The unwind_info_base plus a particular UTE UIB offset must add up to the process virtual address of that UIB. Typically for static code (activated images from disk), this specifies the process virtual base address of the segment containing the UIBs. However, dynamically generated code, for example, can pass a zero for the unwind_info_base and have the full process virtual addresses of the UIBs in their UTEs.name
OpenVMS usage: pseudo-image-name type: character-code-text-string access: read only mechanism: by descriptor-fixed-length string descriptor
Passed by descriptor (ignored on extension calls). May be used for traceback. Need not be unique. Should be less than 255 characters (will be truncated, otherwise).
This interface can be used to register or extend unwind information. It is expected, for example, that applications that dynamically create code will also need to dynamically create unwind tables (UTs) and unwind information blocks (UIBs) for that code. This interface registers such information with the operating system.The image activator also uses this interface to register unwind information for shareable and main images. Note that the code region, though fully specified in terms of its potential size, need not be full of actual code at its initial registration. The unwind table, however, must describe all the code that could execute within that region and that needs unwind information, at any given time. Note also that the unwind table entries (UTEs) within a registered unwind table must remain sorted (ascending order) at any given time.
To create a new registration, specify a new (not registered) code range. On a creation, all parameters (except name) must be specified.
To extend an existing registration, specify an existing (registered) code_base_va. On extension, only the identifying code_base_va and new UT range need be specified, that is, the other parameters may be zeros. An extension call can only alter that registration's ut_base_va and ut_size.
The creator caller's mode defines the mode from which the registration may be extended or removed.
Failure status is returned on creation if the input code range overlaps an already existing range.
Unwind table information that describes code in process space can be registered from any mode.
Unwind table information that describes code in system space can be registered only from kernel mode or executive mode.
None
SYS$CLEAR_UNWIND_TABLE, SYS$GET_UNWIND_ENTRY_INFO. Also see LIB$GET_UIB_INFO in HP OpenVMS Calling Standard.
SS$_NORMAL Routine completed successfully. SS$_BADPARAM Missing or illegal parameter. SS$_VA_IN_USE Overlap detected. SS$_ACCVIO Name descriptor cannot be read.
| Previous | Next | Contents | Index |