cmpt_restrict_tl.5 (2011 09)

cmpt_restrict_tl(5)            (Tunable Kernel Parameters)            cmpt_restrict_tl(5)
NAME
       cmpt_restrict_tl - defines the restrictions for the inter-compartment communications through Streams Local Transport Drivers
VALUES
       Failsafe
              0 (no)

       Default
              0 (no)

       Allowed values
              0 (no) or 1 (yes)

       Recommended values
              1 (yes)
       Remarks
              The cmpt_restrict_tl parameter is a dynamic kernel tunable. It only takes effect if the compartments(5) feature is enabled on the system and if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system.
DESCRIPTION
       The cmpt_restrict_tl parameter defines the restrictions for the inter-compartment communications through Streams Local Transport Drivers. Streams Local Transport Drivers are also known as loopback drivers, namely /dev/tlcots, /dev/tlcotsod, and /dev/tlclts.
       If the value of the cmpt_restrict_tl parameter is set to 0, the inter-compartment communications through Streams Local Transport Drivers are allowed. Therefore, TLI/XTI applications that communicate through the loopback drivers /dev/tlcots, /dev/tlcotsod, or /dev/tlclts can work across compartments without any restrictions.
       If you set the value of the cmpt_restrict_tl parameter to 1, the inter-compartment communications through Streams Local Transport Drivers are restricted. Therefore, TLI/XTI applications that communicate through the loopback drivers /dev/tlcots, /dev/tlcotsod, or /dev/tlclts will not succeed across compartment boundaries, unless you specify explicit compartment IPC rules using the tl keyword. The t_connect() routine returns the TACCES error in such a case. For more information on the tl keyword, see compartment(4).
       By default, the cmpt_restrict_tl parameter is set to 0.
       Note that the communications through Streams Local Transport Drivers are different from the loopback communications that are addressed to loopback interfaces or addresses as defined in ifconfig(1M). The inter-compartment communications through loopback interfaces or addresses are controlled by compartment network rules. If you do not specify explicit compartment network rules, the inter-compartment communications through loopback interfaces or addresses are always denied. Neither the cmpt_restrict_tl parameter nor the compartment IPC rule using the tl keyword controls whether the inter-compartment communications through loopback interfaces or addresses are allowed.
       Who Is Expected to Change This Tunable?
              The HP-UX Secure Resource Partitions (SRP) product can change the value of this tunable. Administrators who manage compartments can also change the value of this parameter using the kctune command.
       Restrictions on Changing
              The cmpt_restrict_tl parameter is a dynamic parameter, so any changes made to it take effect immediately.
       When Should the Tunable Be Changed?
              If the inter-compartment communication through Streams Local Transport Drivers is considered a security threat, you must set the cmpt_restrict_tl parameter to 1 to restrict this type of inter-compartment communication channel.
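       The check an administrator would run before and after changing this tunable, written here as an added example that is not part of this manual page or of the kctune command: it parses kctune-style output and reports whether cmpt_restrict_tl is at the recommended value of 1. The exact column layout of kctune output is an assumption, so a constructed sample is embedded; the function names tl_restriction_state and check_tl_restriction are this example's own.

```shell
#!/bin/sh
# Added audit helper; not part of the HP-UX manual page or of kctune itself.
# It reads kctune-style output and reports whether cmpt_restrict_tl is at the
# recommended value (1 = inter-compartment Streams Local Transport traffic restricted).

# Constructed sample of `kctune cmpt_restrict_tl` output. The column layout
# (Tunable, Value, Expression, Changes) is an assumption, not taken from the page.
SAMPLE_KCTUNE_OUTPUT='Tunable           Value  Expression  Changes
cmpt_restrict_tl      0  Default     Immed'

# Print the current value of cmpt_restrict_tl (0 or 1) found in kctune output
# read from stdin, or "missing" when no such tunable line is present (for
# example when ContainmentPlus is not installed or compartments are disabled).
tl_restriction_state() {
    awk '$1 == "cmpt_restrict_tl" { print $2; found = 1 }
         END { if (!found) print "missing" }'
}

# Evaluate kctune output on stdin. Exit status: 0 when the tunable is 1,
# 1 when it is 0 (loopback TLI/XTI connections cross compartments unless an
# explicit "tl" IPC rule exists), 2 when the tunable is not reported at all.
check_tl_restriction() {
    case "$(tl_restriction_state)" in
        1) echo "cmpt_restrict_tl=1: inter-compartment communication through /dev/tlcots, /dev/tlcotsod and /dev/tlclts is restricted"
           return 0 ;;
        0) echo "cmpt_restrict_tl=0: TLI/XTI loopback traffic crosses compartment boundaries; remediate with: kctune cmpt_restrict_tl=1"
           return 1 ;;
        *) echo "cmpt_restrict_tl not reported: compartments disabled or ContainmentPlus not installed?"
           return 2 ;;
    esac
}

# On a live HP-UX system (the tunable is dynamic, so a change applies immediately):
#   kctune cmpt_restrict_tl | check_tl_restriction
# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_KCTUNE_OUTPUT" | check_tl_restriction || echo "audit exit status: $?"
```

       The non-zero exit statuses are distinct on purpose: a value of 0 is a finding to remediate with kctune, while a missing tunable means the compartment feature or ContainmentPlus prerequisite is absent and the loopback drivers are not being restricted by this mechanism at all.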
HP-UX 11i Version 3: September 2011            Hewlett-Packard Company            1