OpenVMS memory management services allow processes
to communicate through shared memory pages called global sections.
Using global sections, two or more processes can map the same page
into their individual virtual address spaces, thereby sharing the
same page of code or data.
A global section can provide access to a disk
file (called a file-backed global section), provide access to dynamically
created storage (called a page file-backed global section), or provide
access to specific physical memory (called a page frame number [PFN]
global section). A global section object may be either temporary or
permanent.
The operating system supports two types of global
section objects:
Group global sections are shareable memory sections potentially
available to all processes in the same group.
System global sections are shareable memory sections potentially
available to all processes in the system.
Naming Rules
The name of the object is a string of 1 to 44
characters. For group global sections, the name is qualified by your
UIC group number.
Types of Access
The global section class supports the following
types of access:
Read | Gives you the right to map the section for read access. |
Write | Gives you the right to map the section for write access. |
Execute | Gives you the right to map the section for read access. Only software running in executive or kernel mode can request this access. |
Control | Gives you the right to modify the protection elements of PFN global sections and page file-backed global sections. |
Template Profile
File-backed global sections share the security
profile of the associated disk file. Whenever the profile of the backing
file is modified, the global section's profile automatically
changes. To modify the protection elements of file-backed global sections,
you must modify the backing file instead.
The global section class provides the following
template profiles. Although the template assigns an owner UIC of [0,0],
this value is only temporary. As soon as the object is created, the
operating system replaces a 0 value with the value in the corresponding
field of the creating process's UIC.
Type | Template Name | Owner UIC | Protection Code |
---|---|---|---|
System | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE |
Group | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE |
The operating system modifies the templates according
to the values provided in the prot argument to $CRMPSC. The prot argument
is ignored for file-backed sections.
To maintain compatibility with earlier versions
of the operating system, the DEFAULT templates have protection codes
allowing world access. Some applications may need a more restrictive
default than the templates provide. If you do choose to restrict global
section access, be aware that the more restrictive access can cause
applications to fail in ways that are difficult to diagnose.
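To compare the DEFAULT template with a tighter protection code before changing anything, the following Python sketch parses a protection code, reports what World is granted, and converts the code to 16-bit mask form. It is an added example, not OpenVMS code; the function names are hypothetical, and the mask layout (one nibble per category in System, Owner, Group, World order from bit 0, bits R, W, E, D, a set bit denying access) is an assumption not stated on this page.

```python
# Added example (not OpenVMS code). Assumed mask layout, not stated on the page:
# nibbles for System, Owner, Group, World from bit 0 upward; within each nibble
# bit 0=R, 1=W, 2=E, 3=D; a SET bit DENIES that access.
CATEGORIES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
ACCESS_BITS = {"R": 0, "W": 1, "E": 2, "D": 3}


def parse_protection(code):
    """Map each category initial (S, O, G, W) to the access letters it is granted."""
    granted = {cat[0]: set() for cat in CATEGORIES}
    for field in code.upper().replace(" ", "").split(","):
        if not field:
            continue
        name, _, letters = field.partition(":")
        # Accept S or SYSTEM, W or WORLD, and any abbreviation in between.
        cat = next((c for c in CATEGORIES if name and c.startswith(name)), None)
        if cat is None:
            raise ValueError(f"unknown category: {name!r}")
        bad = set(letters) - set(ACCESS_BITS)
        if bad:
            raise ValueError(f"unknown access in {field!r}: {sorted(bad)}")
        granted[cat[0]] |= set(letters)
    return granted


def to_mask(code):
    """Build the 16-bit deny mask; categories omitted from the code get no access."""
    granted = parse_protection(code)
    mask = 0
    for index, cat in enumerate(CATEGORIES):
        for letter, bit in ACCESS_BITS.items():
            if letter not in granted[cat[0]]:
                mask |= 1 << (4 * index + bit)
    return mask


def world_access(code):
    """Access letters the World category receives, in R, W, E, D order."""
    world = parse_protection(code)["W"]
    return "".join(letter for letter in "RWED" if letter in world)


if __name__ == "__main__":
    # The DEFAULT template from the table above, then a constructed tighter code.
    for code in ("S:RWE,O:RWE,G:RWE,W:RWE", "S:RWE,O:RWE,G:RE,W"):
        world = world_access(code) or "none"
        print(f"{code:26} mask=0x{to_mask(code):04X} world={world}")
```

A section whose World field comes back non-empty is reachable by every process on the system, which is the case the compatibility default leaves open.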
Privilege Requirements
The SYSGBL privilege is required to create or
delete a system global section. The PFNMAP privilege is necessary
to create or delete a page frame section, and the PRMGBL privilege
is required to create or delete a permanent global section.
Kinds of Auditing Performed
The following types of events can be audited,
provided the security administrator enables auditing for the appropriate
event class:
Event Audited | When Audit Occurs |
---|---|
Creation | When a page file-backed or a PFN global section is created by the Create and Map Section system service ($CRMPSC). |
Access | When an existing page file-backed or a PFN global section is accessed with either $CRMPSC or the Map Global Section system service ($MGBLSC). The operating system audits access to a file-backed global section as a file access. |
Deaccess | At image or process rundown when the process virtual address space is reset or deleted. |
Deletion | If a process with PRMGBL privilege, PFNMAP privilege, or SYSGBL privilege (in the case of a system global section) deletes a permanent global section, the operating system audits the event through the use of privilege. |
Permanence of the Object
A global section and its security profile need
to be reset after every system boot.