compartments.4 (2010 09)
compartments(4) compartments(4)
receive Allows a process in compartment_name to view or access processes in this compartment. This keyword specifies an object-centric rule.
signal Identifies this as a signal IPC rule. Even though the rule uses the keyword signal, in reality the signal IPC rule controls all aspects of process visibility. For example, the output of the ps command reflects the process visibility restrictions set using this rule.
compartment_name
Name of the other compartment which processes in this compartment can view or be viewed from.
When multiple IPC rules are defined for the same compartment, the rules will be aggregated. That is,
the union of the IPC mechanisms is taken.
Network Rules
Network rules control access between a process and a network interface, as well as between two processes
using loopback communications.
If the HP-UX ContainmentExt product (version B.11.31.02 or later) is installed on the system, network rules can also control access between two processes using loopback communications alone, without changing the connectivity between a process and a network interface.
These rules control the direction of network traffic (incoming, outgoing, or both) between the subject compartment and the target compartment specified in the rule. For loopback communications, the subject and target compartments should be those of the processes that are communicating, not that of the interface being used for communication. Each rule is specified by protocol (TCP, UDP, or any raw protocol number) and the target compartment, and can optionally filter based on local or peer port numbers (TCP and UDP only). If no explicit rule matches a communication attempt, the default is to deny communication.
If the HP-UX ContainmentExt product (version B.11.31.02 or later) is installed on the system, the default rule for access between two processes through loopback communications (excluding those through loopback interfaces) is also configurable through the cmpt_allow_local tunable. See ifconfig(1M) for more information about loopback interfaces.
See cmpt_allow_local(5) for more information once the HP-UX ContainmentExt product (version B.11.31.02 or later) is installed.
Network rules use the following formats:
    (grant|deny) (server|client|bidir) (tcp|udp) [port ports] [peer port ports] compartment_name
    (grant|deny) (server|client|bidir) raw protonum compartment_name
If the HP-UX ContainmentExt product (version B.11.31.02 or later) is installed on the system, network rules using the following formats are also supported:
    (grant-local|deny-local) (server|client|bidir) (tcp|udp) [port ports] [peer port ports] compartment_name
    (grant-local|deny-local) (server|client|bidir) raw protonum compartment_name
where the values are defined as follows:
grant Allows access to the network (both access between a process and a network interface, and access between two processes using loopback communications) described by this rule.
deny Denies access to the network (both access between a process and a network interface, and access between two processes using loopback communications) described by this rule. This rule is useful when you want to deny access for a specific configuration (such as a single port) but allow all other access to the network. Use it in conjunction with a general rule that grants all other traffic.
grant-local
Allows access described by this rule between two processes using loopback communications.
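As an added example (not part of the compartments(4) man page or of HP-UX itself), the following Python parses the network-rule formats above for one subject compartment and evaluates an access attempt with the page's default-deny behaviour, including the "general grant plus a deny for one port" pattern and the loopback-only scope of grant-local rules. It assumes that `ports` is a comma-separated list of numbers, that the most specific matching rule wins, and that an explicit deny wins a tie; those precedence rules are my assumptions, not something the page states.

```python
import re
from dataclasses import dataclass

# Assumptions (mine, not from the man page): `ports` is a comma-separated list
# of numbers; the most specific matching rule wins, and a deny wins a tie.
RULE_RE = re.compile(
    r"^(?P<action>grant|deny|grant-local|deny-local)\s+(?P<role>server|client|bidir)\s+"
    r"(?:(?P<proto>tcp|udp)(?:\s+port\s+(?P<port>[\d,]+))?(?:\s+peer\s+port\s+(?P<peer>[\d,]+))?"
    r"|raw\s+(?P<raw>\d+))\s+(?P<target>\S+)$")

def _ports(s):  # empty set means "any port"
    return frozenset(int(p) for p in s.split(",")) if s else frozenset()

@dataclass(frozen=True)
class NetRule:
    action: str       # grant, deny, grant-local or deny-local
    role: str         # server, client or bidir
    proto: str        # "tcp", "udp" or "raw<protonum>"
    target: str       # target compartment name
    ports: frozenset  # local ports from [port ports]
    peers: frozenset  # peer ports from [peer port ports]

    def matches(self, role, proto, port, peer, target, loopback):
        if self.action.endswith("-local") and not loopback:
            return False  # *-local rules cover only loopback between processes
        if self.target != target or self.proto != proto:
            return False
        if self.role != "bidir" and self.role != role:
            return False
        return (not self.ports or port in self.ports) and (not self.peers or peer in self.peers)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed network rule: {line!r}")
    return NetRule(m["action"], m["role"], m["proto"] or "raw" + m["raw"],
                   m["target"], _ports(m["port"]), _ports(m["peer"]))

def decide(rules, role, proto, port, peer, target, loopback=False):
    """Evaluate one attempt for a subject compartment; no matching rule means deny."""
    hits = [r for r in rules if r.matches(role, proto, port, peer, target, loopback)]
    if not hits:
        return "deny"
    best = max(hits, key=lambda r: (bool(r.ports) + bool(r.peers), r.action.startswith("deny")))
    return "grant" if best.action.startswith("grant") else "deny"

# Constructed sample for one subject compartment: a general grant plus a deny for
# a single port, the combination the page recommends.
SAMPLE = [parse_rule(l) for l in ("grant server tcp init", "deny server tcp port 23 init",
                                  "grant-local bidir udp port 514 logger", "grant client raw 47 init")]
```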
4 Hewlett-Packard Company − 4 − HP-UX 11i Version 3: September 2010