{
{    The purpose of this procedure is to enforce tape security in NOS/VE.  The
{ enforcement of tape security is controlled by the CHANGE_TAPE_VALIDATION
{ command which requires CONFIGURATION_ADMINISTRATION privilege.  During NOS/VE
{ deadstart, this procedure is not called.  After deadstart, tape security is
{ turned off by default but calls are enabled to this procedure regardless of
{ the CHANGE_TAPE_VALIDATION selection.  If you want to enable tape security
{ policies, you should insert a call to CHANGE_TAPE_VALIDATION in the
{ $SYSTEM.PROLOGS_AND_EPILOGS.SYSTEM_INITIATION_EPILOG:
{
{    CHANGE_TAPE_VALIDATION ENFORCE_TAPE_SECURITY=ON
{
{    This procedure is provided as part of the RMM$ENFORCE_TAPE_SECURITY site
{ hook.  As such, the source code of the implementation is available to
{ customers to review and to change as necessary to adapt to site-specific
{ security requirements.  NOS/VE has also placed code that is not inherently
{ related to tape security into the site hook because the code may implement a
{ policy that may not be desirable at some sites.  Placing such code in the
{ site hook allows the site to tailor the system to meet their requirements.
{
{    This procedure is implemented as a SYSTEM file access procedure, or SYSTEM
{ FAP.  It is not executed during normal GET/PUT data transfer operations,
{ except when reading or writing extends to another volume of the volume set.
{ However, it is called during other operations that are discussed below.  IT
{ IS EXTREMELY IMPORTANT FOR THE PROPER FUNCTIONING OF TAPE ACCESS THAT FAP
{ OPERATIONS DISCUSSED BELOW ARE PASSED THROUGH THIS FAP AS DESIGNED.  It is
{ possible for this FAP to intercept these calls and perform additional
{ processing but the call must ultimately be passed to the next FAP in the
{ stack for implementation of the request.  The calling sequences for these FAP
{ operations are defined in the type deck AMT$CALL_BLOCK on the
{ $SYSTEM.CYBIL.OSF$PROGRAM_INTERFACE library.
{
{      amc$dismount_current_volume:  This request dismounts the current volume
{            when access to the volume is denied due to security concerns.  It
{            is not used in any other circumstance and is therefore not related
{            to any externalized program interface.
{
{      amc$fetch_req:  This implements the AMP$FETCH request made by a user.
{            The site is free to modify the information that the user is
{            allowed to see.  To do this, first call the next SYSTEM FAP to
{            obtain the information, then edit it before returning to the
{            caller of this FAP.
{
{      amc$fetch_access_information_rq:  Same as above for amc$fetch_req.
{
{      amc$open_tape_volume:  This request causes a volume to be mounted.
{            Among the parameters passed in this request are the following
{            items that will be displayed in the VED, TAPE_MOUNT display.  If
{            the volume is a candidate for mounting by an operator, any field
{            that is set to a value other than SPACE is displayed in the VED,
{            TAPE_MOUNT display.  If the site does not desire a particular
{            field to be displayed in the VED, TAPE_MOUNT display it may set
{            the field to SPACE within this FAP.
{
{            ACCOUNT, FAMILY, PROJECT, and USER:  These fields identify the
{            login-user to the operator who may assign the requested volume.
{            These fields are set to SPACE by NOS/VE and are set to the
{            corresponding values of the login-user within this FAP.
{
{            REMOVABLE_MEDIA_GROUP, REMOVABLE_MEDIA_LOCATION, and SLOT:
{            These fields are initialized by the
{            REMOVABLE_MEDIA_MANAGEMENT_SYSTEM (RMS), if it is installed.
{            Together, the latter three fields identify the location of the
{            requested volume.
{
{            SOURCE_POOL and SOURCE_POOL_LOCATION are not used by this request
{            but are reserved for future implementation.
{
{      amc$read_tape_labels:  This request reads (or attempts to read) labels
{            from a tape volume.  NOS/VE calls this request whenever a volume
{            is mounted.  Thereafter, this request is called to read header
{            labels and trailer labels for each ANSI file in a file set.  The
{            labels will later be presented to this FAP as a parameter in one
{            of the tape security FAP requests discussed below; therefore,
{            there should be no need for the site to intercept this operation
{            to interpret the labels.  The site is dicouraged from making this
{            request on its own because, if not properly handled, the logical
{            position of a volume may lose synchronization with the physical
{            position.
{
{      amc$skip_req:  This request implements tapemark skipping requested by
{            the SYSTEM record access FAP during FILE_SET_POSITION operations.
{
{      amc$terminate_tape_volume:  This request unloads a tape volume during
{            GET/PUT or AMP$CLOSE_VOLUME operations.  Note that this request is
{            not called during DETACH_FILE processing because the FAP mechanism
{            is not operative at this time.
{
{      amc$write_tape_labels:  This request writes a sequence of labels and or
{            tapemarks to a tape volume.  This request is also called by this
{            FAP to write a label sequence during AUTHORIZE_VOLUME_REUSE
{            processing.  But it is also called at other times to write header
{            labels and trailer labels.
{
{    The amc$enforce_tape_security operation represents a class of requests all
{ related to the security of magnetic tape access.  The requests are
{ individually documented in more detail within the RMM$ENFORCE_TAPE_SECURITY
{ site hook.  However, an overview of each request is provided below.
{
{    Requests beginning with the word AUTHORIZE enforce security policies.
{ These policies ensure NOS/VE compliance with Department of Defense (DOD) C2
{ level security.
{
{    Requests beginning with the word VALIDATE ensure the consistency of fields
{ in header and trailer labels.  These requests are key to the ability of
{ NOS/VE to read labeled tapes that do not strictly conform to ANSI standards.
{
{    Requests beginning with the word SECURE allow a site to control visibility
{ of secure fields in ANSI labels.  NOS/VE maintains two sequences of header
{ labels and two sequences of trailer labels.  One pair of header/trailer
{ sequences is referred to as the UNSECURED sequences; the other pair is called
{ the SECURED sequences.  The UNSECURED header/trailer labels are first
{ VALIDATED by this FAP and then may be seen only by a
{ REMOVABLE_MEDIA_ADMINISTRATOR.  A copy of the UNSECURED header/trailer labels
{ are SECUREd by this FAP and then are made available to the normal user.
{
{
{      fsc$ts_authorize_access_method:  This request is called during an OPEN
{            when the user accesses a volume using FILE_LABEL_TYPE <>
{            amc$labeled.
{
{      fsc$ts_authorize_file_access:  This request is called during an OPEN
{            when file header labels are read, i.e.  when we are not reading
{            labels at the beginning of a volume.
{
{      fsc$ts_authorize_file_reuse:  This request is called during an OPEN when
{            the labels of an existing ANSI file are to be rewritten.
{
{      fsc$ts_authorize_file_set_mount:  This request is called during an OPEN
{            when volume header labels are read from the first volume of the
{            set.  This request is only called once per mount of the initial
{            volume of the volume set.  If the initial volume is dismounted and
{            remounted, the authority is rechecked to ensure that the volume
{            has not changed in any security details while dismounted from this
{            job.
{
{      fsc$ts_authorize_file_set_reuse:  This request is called during an OPEN
{            when the volume header labels are to be rewritten for the initial
{            volume of the volume set.
{
{      fsc$ts_authorize_section_read:  This request is called when labels are
{            read at the beginning of a volume other than the first volume of a
{            volume set when a GET operation spans volumes.
{
{      fsc$ts_authorize_section_write:  This request is called when labels are
{            to be written at the beginning of a volume other than the first
{            volume of a volume set.
{
{      fsc$ts_authorize_volume_reuse:  This request is called when a
{            REMOVABLE_MEDIA_OPERATOR is attempting to blank label or blank
{            unlabel a tape volume.  The site may use this opportunity to
{            consult its own database of tape volumes to ensure that the
{            operator has not made a mistake in choosing this volume to
{            initialize.  It is required that you call
{            PMP$EXECUTE_WITH_LESS_PRIVILEGE to execute a task to perform this
{            sort of analysis.  This FAP executes in Ring 3 of the NOS/VE
{            operating system and therefore is not interruptable.  Executing a
{            task allows the user to terminate-break.
{
{      fsc$ts_secure_header_labels:  This request is called whenever header
{            labels are read.  This request blanks secure fields in header
{            labels.
{
{      fsc$ts_secure_trailer_labels:  This request is called whenever trailer
{            labels are read.  This request blanks secure fields in trailer
{            labels.
{
{      fsc$ts_validate_header_labels:  This request is called whenever header
{            labels are read.  This request validates numeric and date fields
{            in header labels.
{
{      fsc$ts_validate_trailer_labels:  This request is called whenever trailer
{            labels are read.  This request validates numeric and date fields
{            in trailer labels.
{
{    The environment in which this FAP operates is shown below.  The FAPS are
{ listed in the order that they are called during tape operations.  Although,
{ as described above, only the operations described herein are passed below the
{ SYSTEM record access tape FAP.
{
{              1.  Optional user FAP
{
{              2.  SYSTEM record access tape FAP
{
{              3.  RMS FAP
{
{              4.  RMP$ENFORCE_TAPE_SECURITY FAP
{
{              5.  SYSTEM SERVICES FAP
