compartments.4 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

compartments(4) compartments(4)

NAME

compartments - HP-UX compartments ﬁles

DESCRIPTION

HP-UX compartments are deﬁned by creating one or more ASCII ﬁles in the

/etc/cmpt directory. Only

ﬁle names ending with

.rules are parsed for compartment deﬁnitions. Collectively, these ﬁles deﬁne

compartments and compartment access rules for local system objects. System objects that have compart-

ment access controls deﬁned include ﬁle system objects, inter-process communication objects, and net-

work objects.

The compartment speciﬁcations are pre-processed with

cpp before parsing. See cpp (1). You can use

cpp

directives such as #include, #define, #ifdef

, and C/C++ style comments to organize and document

the rules ﬁles.

CONFIGURATION RULES SYNTAX

A compartment consists of a name and a set of rules. Compartments use four kinds of conﬁguration

rules: ﬁle system rules, inter-process communication (IPC) rules, network rules, and miscellaneous rules.

Rules can be either subject-centric or object-centric. Subject-centric rules control access by processes

(subjects) in a compartment to resources (objects) in other compartments. Object-centric rules control

access to resources (objects) in a compartment by processes (subjects) in other compartments.

Compartment deﬁnitions use the following format:

[

sealed][discover] compartment new_compartment_name

{rules }

where the values are deﬁned as follows:

sealed Indicates that any process in this compartment can not change its compartment

as a side-effect of the exec() call, even if the binary being executed has

extended security attributes indicating that the process starts in a different com-

partment. See exec(2). For security purposes, the minimum retained and

minimum permitted privileges of the binary are also ignored (and treated as

though both sets are empty sets).

discover Indicates that for all the processes in this compartment the required mandatory

access rules would be generated at run time so that the process operations would

succeed. This is more of a development tool that enables developers to identify

all the required mandatory access rules for the given application by running it in

a compartment marked as discover.

compartment Designates that this is a compartment deﬁnition.

new_compartment_name

Speciﬁes the name to be applied to the compartment being deﬁned. The name is

case sensitive, except for the

init compartment, which is case insensitive. It

can contain only alpha numeric characters, underscore and hyphen [a-zA-Z]

[

a-zA-Z0-9_-]* but not any other special or space characters. The total length

of the compartment name cannot exceed 256 characters.

{} Encloses the new rules.

rules Set of rules deﬁning the compartment. Each rule appears on a line by itself.

Note that the compartment speciﬁcation may be extended to include new keywords in the future. It is

strongly recommended that compartment names begin with an uppercase character to avoid any future

syntax errors (for example, compartment

Web instead of web).

File System Rules

File system rules govern access to the ﬁles and directories of the ﬁle system. All ﬁle system rules are

subject-centric.

File system rules use one of these two formats:

permission [none | all] ﬁle_object

permission [nsearch][, read][, write][, create][, unlink] ﬁle_object

If the HP-UX ContainmentExt product (version B.11.31.02 or later) is installed on the system, the ﬁle sys-

tem rules using the following format are also supported:

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (8 pages)

PAGE 1
compartments(4) compartments(4) NAME compartments - HP-UX compartments files DESCRIPTION HP-UX compartments are defined by creating one or more ASCII files in the /etc/cmpt directory. Only file names ending with .rules are parsed for compartment definitions. Collectively, these files define compartments and compartment access rules for local system objects. System objects that have compartment access controls defined include file system objects, inter-process communication objects, and network objects.
PAGE 2
compartments(4) compartments(4) permission nread file_object where the values are defined as follows: permission Sets the permissions allowed for processes in this compartment to access the file_object in the way specified. A none Denies any access to the file_object for any process in this compartment. If specified, none of the other possible arguments can be used. all Indicates all permissions on file_object . all is an alias for the expression nsearch, read, write, unlink, create.
PAGE 3
compartments(4) compartments(4) control (DAC) methods, when a symbolic link is accessed, the rule on the resolved file (not the link itself) is applied. For example, when the directory /orig, is looback mounted on /lofs, any access to objects under these directories using either name result in application of the rule corresponding to the path beginning from /orig but not from /lofs. When multiple file system rules are defined for the same pathname, the rules will be aggregated.
PAGE 4
compartments(4) compartments(4) receive Allows a process in compartment_name to view or access processes in this compartment. This keyword specified an object-centric rule. signal Identifies this as a signal IPC rule. Even though the rule uses the keyword signal, in reality, the signal IPC rule controls all aspects of process visibility. For example, the output of the ps command reflects the process visibility restrictions set using this rule.
PAGE 5
compartments(4) compartments(4) deny-local Denies access described by this rule between two processes using loopback communications. server Applies to inbound traffic. If the protocol is tcp, it allows processes in this compartment to accept connections. For udp and raw, this rule applies to all inbound packets. client Applies to outbound traffic. If the protocol is tcp, it allows processes in this compartment to initiate connections. For udp and raw, this rule applies to all outbound packets.
PAGE 6
compartments(4) compartments(4) disallowed privileges Identifies this as a privilege limitation. privilege[,privilege... ] is a comma separated list of privileges. The compound privileges basic, basicroot, policy, and none can also be used. An exclamation mark (!) before a privilege name removes it from the list. For example, if the privilege list is specified as basicroot,!mount, all root replacement privileges except mount are disallowed. If the privilege list is none,mount, only mount is disallowed.
PAGE 7
compartments(4) compartments(4) Such conflicts are resolved as follows: • An IP address or address range assignment has higher precedence than a name assignment. For instance, if lan0 is assigned an IP address of 192.200.1.1, it would belong to compartment IP_8, not LAN0. • A rule specifying a more specific IP address range has a precedence over a less specific IP address range. For instance, if lan1 is assigned 192.168.0.1, it would belong to compartment IP_16, not to IP_8.
PAGE 8
compartments(4) compartments(4) /etc/cmpt-rules.bin Binary equivalent of the combined human-readable rules files. Do NOT edit this file directly. SEE ALSO cmpt_tune(1M), getrules(1M), mount_lofs(1M), ndd(1M), setrules(1M), compartments(5), privileges(5).