APF-authorized programs must reside in the link pack area (pageable
LPA, modified LPA, fixed LPA, dynamic LPA) or in an authorized library:
- SYS1.LINKLIB
- SYS1.SVCLIB
- Another library in the linklist (depending on the LNKAUTH= parameter
in your PARMLIB members)
- Another authorized library specified by your installation.

The LNKLSTxx parmlib member indicates the libraries that are to
be concatenated to SYS1.LINKLIB. The libraries in the LNKLST concatenation
are considered authorized unless the system programmer specifies LNKAUTH=APFTAB
in the IEASYSxx parameter list. If the system accesses the libraries
in the LNKLST concatenation through JOBLIB or STEPLIB DD statements,
the system does not consider those libraries authorized unless you
enter the library names in the APF list using one of the methods described
in APF-authorized library list. For more information about the LNKLSTxx parmlib
member, see z/OS MVS Initialization and Tuning Reference.

If a load module resides in the link pack area or in an authorized
library, an authorized program can load the module. To help avoid
integrity exposures, do not duplicate module names across the link
pack area or the authorized libraries.

Note:
- If a JCL DD statement concatenates an authorized library
in any order with an unauthorized library, the entire set of concatenated
libraries is treated as unauthorized.
- SYS1.LPALIB and other libraries that contribute to the link pack
area (pageable LPA, modified LPA, fixed LPA, dynamic LPA) are treated
as authorized when the system places modules into the link pack area.
You should protect those libraries as you would protect any APF-authorized
library. When accessed via a tasklib DCB, or via a STEPLIB or JOBLIB
DD statement, these libraries are considered authorized only if you
have specified them in the APF list.
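
The rules above, modeled as a small audit helper. This is an added example, not IBM code: it compares data set names only (real APF list entries also carry a volume serial or SMS indicator), and it uses LNKAUTH=LNKLST for the case where all LNKLST libraries are authorized. The function names, the module name MYUTIL, and the data set names other than SYS1.LINKLIB and SYS1.SVCLIB are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; data set names other than SYS1.* are hypothetical.
APF_LIST = ["SYS1.LINKLIB", "SYS1.SVCLIB", "PROD.AUTHLIB"]
LNKLST = ["SYS1.LINKLIB", "PROD.AUTHLIB", "VENDOR.LOADLIB"]


def _names(libraries):
    return {name.upper() for name in libraries}


def lnklst_library_authorized(library, lnkauth, apf_list):
    """Library reached through the LNKLST concatenation itself."""
    if lnkauth == "LNKLST":   # all LNKLST libraries are authorized
        return True
    if lnkauth == "APFTAB":   # only those also named in the APF list
        return library.upper() in _names(apf_list)
    raise ValueError(f"unexpected LNKAUTH value: {lnkauth!r}")


def dd_concatenation_authorized(dd_libraries, apf_list):
    """JOBLIB/STEPLIB/tasklib access: LNKLST membership does not count.

    Every library must be in the APF list; one unauthorized library, in any
    position, makes the whole concatenation unauthorized.
    """
    apf = _names(apf_list)
    return bool(dd_libraries) and all(lib.upper() in apf for lib in dd_libraries)


def duplicate_modules(directories):
    """Return {module: [libraries]} for names found in more than one library."""
    seen = defaultdict(list)
    for library, members in directories.items():
        for member in members:
            seen[member.upper()].append(library)
    return {mod: libs for mod, libs in seen.items() if len(libs) > 1}


if __name__ == "__main__":
    print(lnklst_library_authorized("VENDOR.LOADLIB", "APFTAB", APF_LIST))
    print(dd_concatenation_authorized(["PROD.AUTHLIB", "USER.TESTLIB"], APF_LIST))
    print(duplicate_modules({"SYS1.LINKLIB": ["IEFBR14", "MYUTIL"],
                             "PROD.AUTHLIB": ["MYUTIL"]}))
```

Feed `duplicate_modules` the member lists of every LPA-contributing and APF-authorized library to find module names that appear in more than one of them.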