SunSHIELD Basic Security Module Guide

The device_allocate File

Modify the device_allocate file to change devices from allocatable to non-allocatable or to add new devices. Table 4-1 shows a sample device_allocate file.

Table 4-1 Sample device_allocate File
st0;st;;;;/etc/security/lib/st_clean
fd0;fd;;;;/etc/security/lib/fd_clean
sr0;sr;;;;/etc/security/lib/sr_clean
audio;audio;;;*;/etc/security/lib/audio_clean

The administrator defines which devices should be allocatable during initial configuration of the Basic Security Module. You may decide to accept the default devices and their defined characteristics, as shown in Table 4-1. Whenever you add a device to any machine after the system is up and running, you must decide whether to make the new device allocatable.

The entries for devices in the device_allocate file may be modified by the administrator after installation. Any device that needs to be allocated before use must be defined in the device_allocate file on each machine. Currently, cartridge tape drives, diskette drives, CD-ROM devices, and audio chips are considered allocatable and have device-clean scripts.


Note -

If you add a Xylogics tape drive or an Archive tape drive, they can also use the st_clean script supplied for SCSI devices. Other devices that you can make allocatable are modems, terminals, graphics tablets, and the like, but you need to create your own device-clean scripts for such devices, and the script must fulfill object-reuse requirements for that type of device.


An entry in the device_allocate file does not by itself mean the device is allocatable; the entry must specifically state that it is. Notice in Table 4-1 the asterisk (*) in the fifth field of the audio device entry. An asterisk in the fifth field tells the system that the device is not allocatable; that is, the system administrator does not require a user to allocate the device before it is used or to deallocate it afterward. Any other string in this field indicates that the device is allocatable.

In the device_allocate file, represent each device by a one-line entry of the form


device-name;device-type;reserved;reserved;alloc;device-clean

For example, the following line shows the entry for device name st0:


st0;st;;;;/etc/security/lib/st_clean

Lines in device_allocate can end with a \ to continue an entry on the next line. Comments may also be included. A # makes a comment of all further text until the next newline not immediately preceded by a \. Leading and trailing blanks are allowed in any of the fields.

The following paragraphs describe each field in the device_allocate file in detail.

device-name

Specify the name of the device; for example, st0, fd0, or sr0. When making a new allocatable device, look up the device-name from the device-name field in the device_maps file or use the dminfo command. (The name is also the DAC file name for the device.)

device-type

Specify the generic device type (the name for the class of devices, such as st, fd, and sr). This field groups related devices. When making a new allocatable device, look up the device-type from the device-type field in the device_maps file or use the dminfo command.

reserved

These fields are reserved for future use.

alloc

Specify whether or not the device is allocatable. An asterisk (*) in this field indicates that the device is not allocatable. Any other string, or an empty field, indicates that the device is allocatable.

device-clean

Supply the path name of a program to be invoked for special handling, such as cleanup and object-reuse protection during the allocation process. The device-clean program is run any time the device is acted on by deallocate, such as when a device is forcibly deallocated with deallocate -F.
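The following script is an added example, not code from the SunSHIELD guide or from Solaris. It parses a device_allocate file using the syntax rules given above (six semicolon-separated fields per entry, backslash continuation, # comments, blanks trimmed from fields, an asterisk in the alloc field meaning non-allocatable) and reports the devices that are not allocatable. It assumes that a backslash-newline pair is removed outright when lines are joined, which the guide does not specify. The checks it reports (wrong field count, a device-clean path that is not absolute, an allocatable device with no device-clean script) are this example's own audit rules, and the sample file is constructed here, modelled on Table 4-1.

```python
"""Parse and audit a device_allocate file (added example, not Sun's code)."""
from dataclasses import dataclass
from typing import List, Tuple

FIELD_COUNT = 6  # device-name;device-type;reserved;reserved;alloc;device-clean


@dataclass
class DeviceEntry:
    name: str          # device-name, e.g. st0 (also the DAC file name)
    dev_type: str      # device-type, e.g. st
    alloc_field: str   # fifth field, verbatim
    clean_script: str  # device-clean program path

    @property
    def allocatable(self) -> bool:
        # An asterisk means not allocatable; any other string, or an empty
        # field, means the device must be allocated before use.
        return self.alloc_field != "*"


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued physical lines, then strip '#' comments.

    Joining first reproduces the rule that a comment runs until the next
    newline not preceded by a backslash. Assumption: the backslash and the
    newline are simply removed (the guide does not say a blank is inserted).
    """
    joined: List[str] = []
    pending = ""
    for physical in text.split("\n"):
        if physical.endswith("\\"):
            pending += physical[:-1]
            continue
        joined.append(pending + physical)
        pending = ""
    if pending:
        joined.append(pending)  # continuation at end of file with no next line
    stripped = []
    for line in joined:
        line = line.split("#", 1)[0].strip()
        if line:
            stripped.append(line)
    return stripped


def parse_device_allocate(text: str) -> Tuple[List[DeviceEntry], List[str]]:
    """Return (entries, problems); malformed lines are reported, not accepted.

    The audit checks below are this example's own, not rules from the guide.
    """
    entries: List[DeviceEntry] = []
    problems: List[str] = []
    for line in logical_lines(text):
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != FIELD_COUNT:
            problems.append(f"{line!r}: expected {FIELD_COUNT} fields, found {len(fields)}")
            continue
        name, dev_type, _reserved1, _reserved2, alloc, clean = fields
        if not name or not dev_type:
            problems.append(f"{line!r}: device-name and device-type are required")
            continue
        entry = DeviceEntry(name, dev_type, alloc, clean)
        if clean and not clean.startswith("/"):
            problems.append(f"{name}: device-clean path is not absolute: {clean}")
        if entry.allocatable and not clean:
            problems.append(f"{name}: allocatable but has no device-clean script, "
                            "so no object-reuse cleanup runs on deallocate")
        entries.append(entry)
    return entries, problems


def non_allocatable(entries: List[DeviceEntry]) -> List[str]:
    """Names of devices whose alloc field is '*'."""
    return [e.name for e in entries if not e.allocatable]


# Constructed sample modelled on Table 4-1, plus a comment, a continued entry,
# a seven-field entry (one ';' too many) and an allocatable device that has no
# device-clean script.
SAMPLE = """\
# constructed device_allocate sample
st0;st;;;;/etc/security/lib/st_clean
fd0;fd;;;;/etc/security/lib/fd_clean
sr0;sr;;;; \\
/etc/security/lib/sr_clean    # entry continued from the previous line
audio;audio;;;*;/etc/security/lib/audio_clean
tape1;st;;;;;/etc/security/lib/st_clean   # malformed: seven fields
modem0;tty;;;;                             # allocatable, no clean script
"""

if __name__ == "__main__":
    devs, issues = parse_device_allocate(SAMPLE)
    for d in devs:
        state = "allocatable" if d.allocatable else "NOT allocatable"
        print(f"{d.name:8} {d.dev_type:6} {state:16} {d.clean_script}")
    for issue in issues:
        print("problem:", issue)
```

Run against a real /etc/security/device_allocate by reading the file into `parse_device_allocate`; the problems list is the part worth reviewing after any edit, since a stray semicolon (as in the seven-field line) changes which column the system reads as the alloc field.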