cmpt_tune.1m (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

cmpt_tune(1M) cmpt_tune(1M)

NAME

cmpt_tune - query, enable, or disable compartmentalization feature

SYNOPSIS

cmpt_tune -h

cmpt_tune [-q][-s

]

cmpt_tune -Q [-s][

-n boot_image ]

cmpt_tune [-Q][-s

] -n boot_image

cmpt_tune {-d|-e}[-r

][-s][-n boot_image ]

DESCRIPTION

cmpt_tune queries, enables, or disables the compartmentalization feature. Compartmentalization is

not a dynamic feature; enabling or disabling the feature requires a reboot. If you make a change and do

not specify the -r ﬂag, cmpt_tune

reports a reboot reminder message. If no options are speciﬁed, the

-q option is assumed.

If no compartments have been deﬁned when compartmentalization is enabled, the network interfaces

currently installed on the system are assigned to a new compartment

ifaces, and the administrator is

given the opportunity to reassign these interfaces (see getrules (1M)).

The system initially boots into a predeﬁned compartment,

INIT. A process in the INIT

compartment

can access all objects (that is, all processes, ﬁles, IPC objects, etc., are accessible from the

INIT compart-

ment). See compartments (5) for more information. Using the

setfilexsec command (see

setﬁlexsec (1M)), an administrator can set speciﬁc binaries to start automatically in other compartments;

that is, when a process executes the binary, it may ﬁnd its compartment modiﬁed as a side-effect. This

concept is similar to a setuid binary changing a process’s euid.

When the

-e or -d option is speciﬁed without the -n

option, the current running conﬁguration is

modiﬁed. If

-e or -d is speciﬁed with the -n

option and boot_image does not exist, it is created as

though the administrator ran the following command:

kconfig -s boot_image

In any case, boot_image is marked for use on the next boot.

Options

The

cmpt_tune command recognizes the following options:

-d Disables compartments.

-e Enables compartments.

-h Prints a help message.

-n boot_image

Makes changes to or queries the speciﬁed boot_image . If this option is not speciﬁed,

boot_image defaults to nextboot. If no other options are speciﬁed, the -Q option is

assumed.

-q Queries the current state of compartments.

-Q Queries the state of compartments after the next reboot.

-r Reboots after making changes. You can only use this option with the -d or -e options.

-s Sets silent mode. Only the exit status is set.

RETURN VALUE

cmpt_tune returns the following values:

0 When querying, the compartmentalization feature is enabled. When making changes, the

changes are successfully applied.

1 An option processing error occurred. When querying, the compartmentalization feature is dis-

abled. When making changes, and -r is speciﬁed, the reboot option is ignored (for example, to

allow for editing of compartment conﬁguration ﬁles).

2 When querying, the kernel conﬁguration speciﬁed does not exist or has no support for com-

partmentalization.

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (2 pages)

PAGE 1
cmpt_tune(1M) cmpt_tune(1M) NAME cmpt_tune - query, enable, or disable compartmentalization feature SYNOPSIS cmpt_tune -h cmpt_tune [-q] [-s] cmpt_tune -Q [-s] [-n boot_image ] cmpt_tune [-Q] [-s] -n boot_image cmpt_tune {-d|-e} [-r] [-s] [-n boot_image ] DESCRIPTION cmpt_tune queries, enables, or disables the compartmentalization feature. Compartmentalization is not a dynamic feature; enabling or disabling the feature requires a reboot.
PAGE 2
cmpt_tune(1M) cmpt_tune(1M) WARNINGS A network interface that is not assigned to any compartment cannot be accessed by any process and effectively cannot be used. Assign at least one network interface to a compartment so that network communications can function. If the -e or -d option is used in conjunction with the -n option, any prior changes pending to the current configuration are lost.