HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

Compartment Rules and Syntax
A compartment consists of a name and a set of rules. This section describes the four types of
compartment rules:
File system rules
IPC rules
Network rules
Miscellaneous rules
Add rules to a rules file you create in the /etc/cmpt directory. You can edit this file using vi
or a similar text editor. Your rules file must have a .rules extension.
Refer to compartments(5) for additional information.
Compartment Definition
Define compartments by configuring a name for each compartment, and associating one or more
compartment rules with the compartment name. You can specify rules in any order.
The syntax for a compartment definition is as follows:
<sealed> compartment <new_compartment_name> { <rules> }
For example:
sealed compartment server_children {
/* Deny all access to any file system objects ... */
permission none /
}
sealed
(Optional) A process in this compartment cannot gain privileges
or change compartments by calling execve.
compartment
Designates that the rule is a compartment definition.
new_compartment_name
The label associated with the new compartment. This label is
case sensitive. For example, compartmenta and CompartmentA
are different compartments.
{} Enclose the rules for this compartment.
NOTE: The INIT compartment name is not case sensitive. INIT, init, and Init are all treated
as the same compartment by the system. Do not use INIT or any variation for a new compartment
name.
Compartment specifications are preprocessed with cpp(1) before parsing begins. This means
you can use cpp directives such as #include, #define, and #ifdef, as well as C-style comments,
to organize and document rules files.
File System Rules
File system rules govern access by processes to files and directories on the system. File system
rules are inherited from a parent directory to all subdirectories and files within the parent, unless
an explicit rule overrides inheritance.
By default, if no permissions are specified, all permissions are granted for a file system object.
The syntax for file system rules is as follows:
(permission|perm) <permission_list> <file_object>
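As an added illustration (not from the manual or from HP-UX itself), the following script parses a constructed rules file in the syntax above, after stripping the C-style comments that cpp would remove, and resolves the effective file system permission for a path by longest-prefix match, which models the inheritance-with-override behaviour just described. The comma-separated permission list and the permission names other than none and all are assumptions for the example.

```python
import re

# Constructed sample rules file in the syntax described above (not from the manual).
SAMPLE_RULES = """
/* Child processes of the server: no file access except the spool dir */
sealed compartment server_children {
    permission none /
    permission read,write /var/spool/app
    permission none /var/spool/app/private
}
compartment logger {
    perm read /var/log
}
"""

def strip_comments(text):
    # cpp removes C-style comments before the parser sees the file; emulate only that.
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)

def parse_rules(text):
    """Return {name: {"sealed": bool, "fs": [(path, permission_set)]}}.
    Only (permission|perm) <permission_list> <file_object> rules are collected."""
    compartments = {}
    pattern = re.compile(r"(sealed\s+)?compartment\s+(\S+)\s*\{(.*?)\}", re.S)
    for sealed, name, body in pattern.findall(strip_comments(text)):
        fs_rules = []
        for line in body.strip().splitlines():
            parts = line.split()
            if len(parts) == 3 and parts[0] in ("permission", "perm"):
                path = parts[2].rstrip("/") or "/"          # normalise trailing slash
                fs_rules.append((path, set(parts[1].split(","))))
        compartments[name] = {"sealed": bool(sealed), "fs": fs_rules}
    return compartments

def effective_perms(fs_rules, path):
    """Rules are inherited from a parent directory unless a more specific rule
    overrides them, so the longest matching rule path wins. With no matching
    rule at all, the documented default applies: all permissions are granted."""
    best = None
    for rule_path, perms in fs_rules:
        prefix = rule_path.rstrip("/") + "/"
        if path == rule_path or path.startswith(prefix):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, perms)
    return {"all"} if best is None else best[1]

if __name__ == "__main__":
    cmpts = parse_rules(SAMPLE_RULES)
    for p in ("/etc/passwd", "/var/spool/app/job1", "/var/spool/app/private/key"):
        print(p, sorted(effective_perms(cmpts["server_children"]["fs"], p)))
```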