CMKRNL
The CMKRNL privilege allows the user's process to execute the Change Mode to Kernel ($CMKRNL) system service. This system service lets a process change its access mode to kernel mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in kernel mode, a process can enable any system privilege. A process holding both CMKRNL and SYSNAM can set the system time.
Grant this privilege only to users who need to execute privileged instructions or who need to gain access to the most protected and sensitive data structures and functions of the operating system. If unqualified users have unrestricted use of privileged instructions and unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.
The CMKRNL privilege lets a process perform the following tasks:
| Task | Interface |
|---|---|
| Modify a multiprocessor operation | START/CPU, STOP/CPU |
| Modify systemwide RMS defaults | SET RMS/SYSTEM |
| Suspend a process in kernel mode | SET PROCESS/SUSPEND=KERNEL |
| Modify another process’ rights list or its nondynamic identifier attributes | SET RIGHTS_LIST |
| Grant an identifier with modified attributes | SET RIGHTS/ATTRIBUTE |
| Modify the system rights list | SET RIGHTS_LIST/SYSTEM |
| Change a process UIC | SET UIC |
| Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
| Connect to a device interrupt vector | $QIO request to an interrupt vector (CONTINTERR) |
| Start or modify a line in Genbyte mode | $QIO request to a synchronous communications line (XGDRIVER) |
| Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
| Modify a known image list | INSTALL |
| Process the following item codes: SJC$_ACCOUNT_NAME item | Send to the Job Controller system service ($SNDJBC) |
| Create a detached process with unrestricted quotas | RUN/DETACHED, $CREPRC |
| Examine the internals of a running system | ANALYZE/SYSTEM |
