HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

/* allow the children to access UNIX domain */
/* sockets created by the parent compartment */
grant uxsock server_children
Access Specifies whether the rule is object-centric or subject-centric. The
options are:
grant: Specifies an object-centric rule. This rule allows processes
in the compartment compartment_name to access the specified
IPC mechanism in the current compartment.
access: Specifies a subject-centric rule. This rule allows processes
in the current compartment to access the specified IPC mechanism
in the compartment compartment_name.
Method Specifies the method of communication this rule applies to. The options
are:
pty: Specifies that the rule applies to pseudo-terminals (ptys) used for
interprocess communication.
fifo: Specifies that the rule applies to FIFOs.
uxsock: Specifies that the rule applies to UNIX domain sockets.
ipc: Specifies that the rule applies to SYSV and POSIX IPC objects,
such as shared memory, semaphores, and message queues.
compartment_name The name of the other compartment with which processes in this
compartment can communicate.
The second type of IPC rule governs process access. The syntax for this type of rule is as follows:
(send|receive) signal <compartment_name>
For example:
/* allow the parent to send signals to children */
send signal server_children
Direction Specifies whether processes in the current compartment can view and
alter process behavior in another specified compartment, or the reverse.
The options are:
send: Specifies a subject-centric rule. Allows processes in the
current compartment to send signals to and view process data in the
compartment compartment_name.
receive: Specifies an object-centric rule. Allows processes in the
compartment compartment_name to send signals and view
process data in the current compartment.
signal Specifies that this rule applies to signals and process visibility.
compartment_name The name of the other compartment whose processes can be signaled
or viewed by processes in the current compartment (send), or whose
processes can signal or view processes in the current compartment (receive).
Network Rules
Network rules govern access to network interfaces. Network rules also govern communication
between processes that use INET domain communication (TCP/IP sockets and streams). The
default behavior is to deny access to the network.
Network endpoints are treated as objects labeled with the compartment of the process that creates
them. However, a network endpoint can be created by one process, then passed to another
Compartment Rules and Syntax 65