In addition to my own post: of course, for the actual PADS functionality, where 
you allow a different access to a dataset if a certain program is doing the 
open, it also makes sense that you only want to do that if you can make sure 
that this 'certain program' is actually the one you intended to give the access 
and not some rogue program that was just named likewise in an untrusted 
library. So I didn't want to imply that identity changing is the only 'use 
case' for program control.

On Tue, 22 Feb 2022 04:30:49 -0600, Erik Janssen <[email protected]> wrote:

>Thanks for the pointers! Very interesting, I never realized that the ZSS part 
>was also open source and written in metal C. I've so far only seen very 
>minimal examples of using metal C, so I will look into the code!
>It seems that ZOWE also has the approach to have a PC service that runs the 
>authorized code, so I guess my initial feeling was correct that this is the 
>correct 'pattern' to provide authorized services to an unauthorized (yet 
>perhaps 'program controlled') backend. The program control seems to be a 
>specialization of that 'pattern', where you might decide that the only 
>'clients' of your authorized PC service can be programs that have been loaded 
>from a 'controlled environment'. This mainly seems to have been focused on 
>services that allow the identity of the invoker to change like the 
>pthread_security_np() call, which seems to make sense that you would only want 
>to allow that to happen if you know where the module that wants to do that was 
>loaded from.
>I will see if I can get Slack up and running :-)
>
>Kind Regards,
>Erik. 
>
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN