VM:Secure Rules/REJECT vs. ACCEPT

Document ID : KB000051724
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

We have userid (TSTID1) with the following rule set:

ACCEPT SCSTCS LINK 291 * (NOPASS
ACCEPT TST456 LINK * RR (NOPASS
ACCEPT TSTMGR LINK 291 RR (NOPASS
REJECT * LINK 291 *
REJECT TST456 LINK 291 *
REJECT * LINK * MW

As you can see, TST456 can link to any minidisks owned by TSTID1 in R/O. We would like to prevent him from linking to TSTID1 291 while permitting others to link it if they are authorized.

Neither of the REJECT entries works. Are we missing something or is our only choice to replace the ACCEPT TST456 LINK * RR with individual ACCEPTs for each of the minidisks owned by TSTID1 except for 291?

Solution:

You should be able to accomplish this with two rules, but they have to be in the right order:

REJECT TST456 LINK 291 *
ACCEPT TST456 LINK * RR (NOPASS

This ordering should allow TST456 to link to everything for this user ID but *not* link to the 291.

During rules processing when two or more rules are equally specific about the requester, the rule that appears first in the rules file applies. The requester (for the link) is the same in this case. So, currently the ACCEPT (being first) allows the link you are trying to prevent. By putting the REJECT for the 291 first, it allows VM:Secure to process that first. If the disk vaddr doesn't match, it then goes on to the next rule which will match for vaddr *. If the vaddr matches (in this case 291) then it will be rejected. You may also want to review the 'Combining Rules' section in the VM:Secure Rules Reference guide.

Also, a QRULES command will always tell you which rule it is hitting and coming into play if a question comes up.

Test the rules placement by issuing a QRULES:

VMSECURE QRULES userid1 LINK userid2 vaddr etc. etc...