Multics Technical Bulletin                                MTB-611
DM File Commands

To:  Distribution

From:  Andre Bensoussan

Date:  02/04/83

Subject:  Data Management File Commands

1 ABSTRACT

     In the  new Data Management architecture,  a new object, the
"Data Management File", has been introduced.  Commands to create,
delete, rename, copy, set ACL, etc., need to be implemented for
Data  Management  Files.   These operations  represent  a generic
function that is  meaningful for all kinds of  objects, but which
may  require variations  in the implementation,  depending on the
kind of object  they are applied to.  The  Multics command system
already recognizes that fact; in many instances, the same command
can  be used  regardless of  whether the  object is  a segment, a
directory or a multi-segment file.   This MTB describes how these
commands  could  also  be  extended  to  perform  the appropriate
operation on a Data Management  File, instead of having a special
command for it.

_________________________________________________________________

Multics  project  internal  working  documentation.   Not  to  be
reproduced or distributed outside the Multics project.

Comments should be sent to the author:

via Multics Mail:
   Bensoussan.Multics on System M.

via US Mail:
   André Bensoussan
   Honeywell Information Systems, inc.
   575 Tech Square
   Cambridge, Massachusetts 02139

via telephone:
   (HVN) 261-9334, or
   (617) 492-9334



                             CONTENTS

                                                         Page

                 1 ABSTRACT . . . . . . . . . . . . . .     i
                 2 INTRODUCTION . . . . . . . . . . . .     1
                 3 RATIONALE FOR PUTTING DM FILES IN
                  RING 2. . . . . . . . . . . . . . . .     1
                 4 HOW CAN A COMMAND DETERMINE IF AN
                  OBJECT IS A dm_file?  . . . . . . . .     2
                 5 COMMANDS TO BE EXTENDED TO DEAL WITH
                  dm_files  . . . . . . . . . . . . . .     2

2 INTRODUCTION

In  MR10,  Data Management  Files  (dm_files) are  implemented as
inner ring multi segment files (MSF's), with ring brackets of [2,
2, 2] for all components and [2, user, user] for the directory.

For most  commands that distinguish  between segments, directories
and MSF's (such  as list, copy, set_acl, etc.),  it is desirable
to  extend  them  so that  they  also recognize  dm_files  and do
whatever is appropriate for them.

This implies (a) that these commands be changed, (b) that they be
able to  determine if an object  is a dm_file and  (c) that there
exist ring 2 gates to perform operations the command could not do
from the user ring.

This memo explains  why it is desirable to  implement dm_files as
ring 2  MSF's as opposed to  user ring MSF's.  Then  it gives the
list  of  the  commands  that should  be  extended  to understand
dm_files, and describes how the extension is to be implemented.

3 RATIONALE FOR PUTTING DM FILES IN RING 2.

Ring 2 has been chosen as  an inner ring for dm_files because the
File Manager runs in ring 2.  There are various reasons why it is
desirable to put dm_files in ring 2:

o The File  Manager maintains a  header at the  beginning of each
  control interval (CI), with the  CI number, the dm_file uid and
  the time the CI was last modified.  It also maintains a trailer
  at  the  end  of  each  CI  to detect  some  disk  error  or CI
  inconsistency.  If components were directly accessible from the
  user  ring,  user  errors  could  cause  the  File  Manager  to
  malfunction.

o The time stored  in the header of each CI  is also used by page
  control to determine if the CI can safely be written to disk or
  if it must  be held in main memory until  its "before image" is
  safe  on  disk.  Since  page  control uses  some  non-ring zero
  information,  it  has  to  guard  itself  against  incorrect  or
  malicious  programs  that  manufacture  this  information.   By
  putting  dm_files  in ring  2,  page control  can trust  ring 2
  programs to be, at least, non-malicious programs.

o Journalization  and locking:   The File  Manager is responsible
  for enforcing  a journalization and locking  policy each time a
  CI  of a  dm_file is  accessed.  If  dm_files were  in the user
  ring, user programs could bypass  this protocol.  Of course, it
  is clear that  even if dm_files are in ring  2 a malicious user
  could always ask the File Manager to write garbage in all CI's.
  However, this could not happen by mistake, and the mechanism to
  enforce the  locking and journalization  protocols is guaranteed
  to be only in the File Manager.

o In  the near  future, MRDS will  probably be moved  into an inner
  ring  in  order to  provide  "attribute level  security".  This
  capability will require having dm_files in an inner ring.

o The MSF directory has to be a ring 2 directory because if it
  was  a  user ring  directory, user  ring programs  could create
  segments  in it.   The File  Manager expects  to find  only MSF
  components in  the directory and could  be made to malfunction.
  In particular, if a user creates a ring 4 segment with the name
  of a component, when the File  Manager needs to create the ring
  2  component with  that name  it would  get a  name duplication
  error.  There  is nothing wrong in  allowing user ring programs
  to request  status information on  the directory.  It  might be
  convenient  to  effectively  allow  it; that  is  why  the ring
  brackets  for  dm_file  directories  will  be  [2,  user, user]
  instead of [2, 2, 2].

4 HOW CAN A COMMAND DETERMINE IF AN OBJECT IS A DM_FILE?

o First, the object has to be an MSF.

o Second,  the MSF  directory and all  MSF components  have to be
  ring 2 objects.

o Third, if additional identity checking  is felt to be necessary
  by a command, it could call a  ring 2 gate provided by the File
  Manager, which would return a yes or no answer.

5 COMMANDS TO BE EXTENDED TO DEAL WITH DM_FILES

A  new  command  to create  a  dm_file will  be  implemented.  In
addition, the  following commands will be  extended to understand
how to identify dm_files and what to do for them.

o delete

  The delete command is already  special cased for MSF's.  If the
  MSF  is  also a  dm_file,  the command  calls  the ring  2 gate
  provided by the File Manager to delete a dm_file.

o list

  The list  command is already  special cased for  MSF's.  If the
  MSF is also a dm_file,  the command prints the same information
  as it does for a regular MSF, with the exception of the heading
  which  should be  "DM Files"  instead of  "Multisegment Files".
  Since the  status information for the  dm_file directory can be
  requested from user ring programs, the command does not need to
  call any special ring 2 gate to do its job.

o status

  The status command is already  special cased for MSF's.  If the
  MSF  is  also  a  dm_file, the  command  will  return  the same
  information as it  does for a regular MSF, but  with type = "dm
  file".  In addition, it will return the dm_file attributes that
  it  can get  by calling  the ring 2  gate provided  by the File
  Manager  to get  dm_file attributes.   These attributes include
  protected  or  unprotected,   locking,  before  journal,  after
  journal, last time dumped and other such items.

o copy

  The copy  command is already  special cased for  MSF's.  If the
  MSF  is  also  a  dm_file,  the  command  calls  the  user ring
  subroutine copy_dm_file which copies the  file into a new file,
  using the  standard File Manager  primitives to create  the new
  dm_file, to open  the old and the new dm_files,  to get each CI
  from  the old  dm_file and  put it in  the new  dm_file, and to
  close  the  old  and  the new  dm_files.   The  new  dm_file is
  identical to the old one, with  the exception of the header and
  trailer  in each  CI, containing the  dm_file uid  and the time
  last modified.  The two dm_files will have different uid's.

o copy_dir

  The copy_dir  command is already  special cased for  MSF's.  If
  the  MSF is  also a dm_file,  the command will  do whatever the
  copy command does for dm_files.

o move

  The move  command is already  special cased for  MSF's.  If the
  MSF is  also a dm_file,  the command copies the  dm_file as the
  copy command  would do, and then  deletes the original dm_file,
  as the delete command would do.

o move_dir

  The move_dir  command is already  special cased for  MSF's.  If
  the MSF is  also a dm_file, the command  does whatever the move
  command would for a dm_file.

o renaming commands

  The commands to manipulate  names are add_name, delete_name and
  rename.  These commands are not  special cased for MSF's.  They
  will have to be special cased for dm_files.  When the object to
  rename  is not  a dm_file,  the command  calls the  ring 0 gate
  hcs_$chname to do  the job.  When it is  a dm_file, the command
  will  call  a  ring  2  gate  provided  by  the  File  Manager,
  file_manager_$chname,  which has  the same  calling sequence as
  hcs_$chname, and which will issue a call to ring 0 from ring 2.
  If ring 0 was called by the  command from the user ring, ring 0
  would  reject  the request  because  the ring  brackets  of the
  dm_file directory are [2, user, user].

o ACL commands

  The  commands  to  manipulate   ACL's  are  list_acl,  set_acl,
  delete_acl  and copy_acl.   These commands  are already special
  cased for MSF's.  When the object  is an MSF, the command calls
  one  of  the  msf_manager_  entry  points  $acl_list, $acl_add,
  $acl_replace  or $acl_delete,  which in turn  calls its homolog
  hcs_$entry_point.  For a dm_file, the list command can continue
  to  work like  for a regular  MSF; however,  the other commands
  modify the ACL and cannot call hcs from the user ring.  Instead
  of  calling  msf_manager_$entry_point  they  have  to  call the
  homolog   ring   2   gate   provided  by   the   File  Manager,
  file_manager_$entry_point.   The  file_manager_$entry_point can
  now call its homolog entry_point  in the msf_manager_ since the
  process is in ring 2.

o Some other commands

  One  may consider  extending some  other commands  later.  Some
  candidates are set_bit_count  and set_safety_switch.   They are
  not needed  for the moment,  but whenever they are,  it will be
  trivial to extend  them using the same method  as described for
  ACL operations or renaming operations.
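As an added illustration, not part of this MTB or of Multics itself, the following Python model captures the section 4 identity test and the ring bracket reasoning behind the renaming and ACL extensions in section 5: a dm_file directory with brackets [2, user, user] answers status requests from the user ring but rejects a modification such as hcs_$chname unless the request is re-issued from ring 2 through a File Manager gate.  Assumed: a simplified bracket interpretation (modify if caller ring <= r1, read if caller ring <= r2), user ring 4, and constructed directory entries.

```python
# Added model of the checks in sections 4 and 5; constructed, not Multics code.
# Assumed bracket semantics: for an entry with brackets (r1, r2, r3), a caller in
# ring r may modify it when r <= r1 and read/request status when r <= r2.
from dataclasses import dataclass, field

USER_RING = 4      # the user ring
DM_RING = 2        # ring in which the File Manager runs

@dataclass
class Entry:
    name: str
    kind: str                     # "segment", "directory" or "msf"
    brackets: tuple               # ring brackets (r1, r2, r3)
    components: list = field(default_factory=list)   # MSF components

def is_dm_file(obj: Entry) -> bool:
    """Section 4: an MSF whose directory and every component are ring 2 objects."""
    if obj.kind != "msf" or obj.brackets[0] != DM_RING:
        return False
    return all(c.brackets == (DM_RING, DM_RING, DM_RING) for c in obj.components)

def status(obj: Entry, caller_ring: int) -> bool:
    """Status request on the MSF directory: needs only the read bracket r2."""
    return caller_ring <= obj.brackets[1]

def chname(obj: Entry, caller_ring: int) -> bool:
    """hcs_$chname-style rename: ring 0 requires the directory's modify bracket r1."""
    return caller_ring <= obj.brackets[0]

def rename_via_gate(obj: Entry, caller_ring: int) -> bool:
    """file_manager_$chname model: a dm_file rename is re-issued to ring 0 from ring 2."""
    if not is_dm_file(obj):
        return chname(obj, caller_ring)   # plain hcs_$chname from the caller's ring
    return chname(obj, DM_RING)           # the ring 2 gate makes the call on the caller's behalf

def constructed_dm_file() -> Entry:
    """Directory [2, user, user], components [2, 2, 2], as the MTB specifies."""
    comps = [Entry(str(i), "segment", (DM_RING, DM_RING, DM_RING)) for i in range(3)]
    return Entry("accounts.db", "msf", (DM_RING, USER_RING, USER_RING), comps)

def constructed_user_msf() -> Entry:
    """An ordinary user ring MSF: not a dm_file."""
    comps = [Entry("0", "segment", (USER_RING, USER_RING, USER_RING))]
    return Entry("notes", "msf", (USER_RING, USER_RING, USER_RING), comps)

def misconfigured_dm_file() -> Entry:
    """Ring 2 components under a user ring directory: fails the section 4 test."""
    comps = [Entry("0", "segment", (DM_RING, DM_RING, DM_RING))]
    return Entry("broken.db", "msf", (USER_RING, USER_RING, USER_RING), comps)
```

The model shows the intended split: list and status work from ring 4 because r2 is the user ring, while add_name, rename and the ACL-modifying commands only succeed when the File Manager gate performs the call from ring 2.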