compartments.4 (2010 09)

compartments(4)
control (DAC) methods, when a symbolic link is accessed, the rule on the resolved file (not the link itself) is applied.
For example, when the directory /orig is loopback mounted on /lofs, any access to objects under these directories using either name results in application of the rule corresponding to the path beginning from /orig, not from /lofs.
When multiple file system rules are defined for the same pathname, the rules are aggregated. That is, the union of the permissions is taken.
IPC Rules
IPC rules appear within a compartment definition and govern how processes in this compartment can access another compartment's IPC mechanisms and how processes in other compartments may access this compartment's IPC mechanisms. Since the default is to deny access, rules of this type are only for allowing access. Rules of this type can be either subject-centric or object-centric. Two formats are available for IPC rules.
The first form of IPC rules controls process communication and uses the following format:
    (grant|access) (pty|fifo|uxsock|ipc) compartment_name
    (grant|access) [pty][, fifo][, uxsock][, ipc] compartment_name
where the values are defined as follows:
grant
    Allows processes in the compartment compartment_name to access the specified IPC mechanism in this compartment. This keyword specifies an object-centric rule.
access
    Allows processes in this compartment to access the specified IPC mechanism in compartment compartment_name. This keyword specifies a subject-centric rule.
pty
    Applies to terminals (ptys and ttys) that are used to communicate between processes. Note that these rules are applied in addition to any file system rules that control the path name representing the terminal. Normally terminals do not have any compartment until a process opens them. When a terminal without a compartment ID is opened, its compartment is set to that of the process that opened it. When all open file handles to the terminal are closed, the terminal's compartment ID is unset.
fifo
    Applies to named pipes (FIFOs) that are used to communicate between processes. Note that these rules are applied in addition to any file system rules that control the path name representing the named pipe. Initially a FIFO has no compartment. When a process opens the FIFO for the first time, its compartment is set to that of the process. When all processes close the FIFO, its compartment is unset.
uxsock
    Applies to UNIX domain sockets that are used to communicate between processes. Note that these rules are applied in addition to any file system rules that control the path name representing the socket. As with FIFOs, initially a UNIX socket has no compartment. When a process opens the UNIX domain socket for the first time, its compartment is set to that of the process. When all processes close the UNIX domain socket, its compartment is unset.
ipc
    Applies to the following IPC mechanisms: System V shared memory (for example, created using shmget()), System V and POSIX semaphores (for example, created using semget() or sem_open()), and System V and POSIX message queues (for example, created using msgget() or mq_get()). When an IPC object is created, its compartment is set to that of the process that created it. POSIX shared memory is implemented as standard files; hence, POSIX shared memory obeys file system rules, but not ipc rules.
compartment_name
    Name of the other compartment with which a process in this compartment can communicate.
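To make the subject-centric versus object-centric distinction and the default-deny, union-of-rules semantics concrete, here is a small evaluator for the first IPC rule form. It is an added example, not part of this manual page or of HP-UX; the `compartment name { ... }` block syntax, the compartment names and the rule lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample definitions (hypothetical compartment names); the
# "compartment name { ... }" block syntax is an assumption for this example.
SAMPLE_RULES = """
compartment web {
    access fifo, uxsock db
    access signal db
}
compartment db {
    grant ipc web
    grant uxsock web
}
"""

MECHS = {"pty", "fifo", "uxsock", "ipc"}  # first-form IPC mechanisms

def parse(text):
    """Return {compartment: [(verb, {mechanisms}, other_compartment)]},
    keeping only first-form IPC rules (signal rules are ignored here)."""
    rules = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        start = re.match(r"compartment\s+(\w+)\s*{", line)
        if start:
            current = start.group(1)
            continue
        if line == "}":
            current = None
            continue
        m = re.match(r"(grant|access)\s+(.+?)\s+(\w+)$", line)
        if m and current:
            verb, mechs, other = m.groups()
            mechs = {x.strip() for x in mechs.split(",")}  # "[, fifo][, uxsock]" list form
            if mechs <= MECHS:
                rules[current].append((verb, mechs, other))
    return rules

def allowed(rules, subject, mech, obj):
    """Default deny. Allowed if the subject's definition has a subject-centric
    'access' rule naming obj, OR the object's definition has an object-centric
    'grant' rule naming subject; multiple rules aggregate as a union."""
    for verb, mechs, other in rules.get(subject, []):
        if verb == "access" and mech in mechs and other == obj:
            return True
    for verb, mechs, other in rules.get(obj, []):
        if verb == "grant" and mech in mechs and other == subject:
            return True
    return False
```

Note that direction matters: the rules above let `web` reach `db`'s FIFOs, sockets and System V/POSIX IPC objects, but say nothing about `db` reaching `web`.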
The second form of IPC rules governs process visibility and uses the following format:
    (send|receive) signal compartment_name
where the values are defined as follows:
send
    Allows a process in this compartment to view or access processes in compartment_name. This keyword specifies a subject-centric rule.
HP-UX 11i Version 3: September 2010    - 3 -    Hewlett-Packard Company