Global Sections
» Table of Contents |  | | » Glossary | | | » Index | | |
| | |
| ||
| ||
OpenVMS memory management services allow processes to communicate through shared memory pages called global sections. Using global sections, two or more processes can map the same page into their individual virtual address spaces, thereby sharing the same page of code or data.
A global section can provide access to a disk file (called a file-backed global section), provide access to dynamically created storage (called a page file-backed global section), or provide access to specific physical memory (called a page frame number [PFN] global section). A global section object may be either temporary or permanent.
The operating system supports two types of global section objects:
Group global sections are shareable memory sections potentially available to all processes in the same group.
System global sections are shareable memory sections potentially available to all processes in the system.
The name of the object is a string of 1 to 44 characters. For group global sections, the name is qualified by your UIC group number.
The global section class supports the following types of access:
File-backed global sections share the security profile of the associated disk file. Whenever the profile of the backing file is modified, the global section's profile automatically changes. To modify the protection elements of file-backed global sections, you must modify the backing file instead.
The global section class provides the following template profiles. Although the template assigns an owner UIC of [0,0], this value is only temporary. As soon as the object is created, the operating system replaces a 0 value with the value in the corresponding field of the creating process's UIC.
| Type | Template Name | Owner UIC | Protection Code |
|---|---|---|---|
System | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE |
Group | DEFAULT | [0,0] | S:RWE,O:RWE,G:RWE,W:RWE |
The operating system modifies the templates according to the values provided in the prot argument to $CRMPSC. The prot argument is ignored for file-backed sections.
To maintain compatibility with earlier versions of the operating system, the DEFAULT templates have protection codes allowing world access. Some applications may need a more restrictive default than the templates provide. If you do choose to restrict global section access, be aware that the more restrictive access can cause applications to fail in ways that are difficult to diagnose.
The SYSGBL privilege is required to create or delete a system global section. The PFNMAP privilege is necessary to create or delete a page frame section, and the PRMGBL privilege is required to create or delete a permanent global section.
The following types of events can be audited, provided the security administrator enables auditing for the appropriate event class:
| Event Audited | When Audit Occurs |
|---|---|
Creation | When a page file-backed or a PFN global section is created by the Create and Map Section system service ($CRMPSC). |
Access | When an existing page file-backed or a PFN global section is accessed with either $CRMPSC or the Map Global Section system service ($MGBLSC). The operating system audits access to a file-backed global section as a file access. |
Deaccess | At image or process rundown when the process virtual address space is reset or deleted. |
Deletion | If a process with PRMGBL privilege, PFNMAP privilege, or SYSGBL privilege (in the case of a system global section) deletes a permanent global section, the operating system audits the event through the use of privilege. |