compartments.4 (2010 09)
compartments(4)                                                 compartments(4)
    disallowed privileges
            Identifies this as a privilege limitation.

    privilege[,privilege...]
            is a comma-separated list of privileges.  The compound
            privileges basic, basicroot, policy, and none can also be used.
            An exclamation mark (!) before a privilege name removes it from
            the list.  For example, if the privilege list is specified as
            basicroot,!mount, all root replacement privileges except mount
            are disallowed.  If the privilege list is none,mount, only
            mount is disallowed.  If the privilege list is not specified
            for a compartment, the disallowed privilege list for the
            compartment defaults to policy for sealed compartments and
            none for other compartments.
A disallowed privilege cannot be obtained as a side-effect of exec() calls
even when the binary being executed has extended security attributes
indicating that the process gains that privilege.  As an example, suppose
mount is a disallowed privilege in compartment no_mounts, and that binary
/usr/bin/magic_mount is expected to receive the mount privilege by means of
the following command:

    setfilexsec -p mount -P mount /usr/bin/magic_mount

When an unprivileged process in the no_mounts compartment executes the
binary, it still would not see the mount privilege in its potential set.
If a root replacement privilege is part of the disallowed privilege list,
the privilege is not implicitly granted to a process with an effective uid
of 0.  As an extension of the above example, a process with an effective
uid of 0 but without the mount privilege in its effective set cannot use
the mount() system call.
Note that a disallowed privilege is still available to processes that
somehow obtain the privilege (for example, a process with the mount
privilege in its effective set can enter the no_mounts compartment and use
the mount() system call).
When multiple disallowed privilege rules are defined, the rules are
aggregated.  Refer to priv_str_to_set(3) for information on how the
privilege string is aggregated into the privilege set.
Network Interface Rules
Network interface rules specify the compartment to which a network
interface belongs.  If a network interface does not have a compartment, no
network traffic in the INET domain (TCP/IP) is allowed to pass.

Network interface rules use the following format:

    interface X[,X...]

where the values are defined as follows:

    interface   Identifies this as an interface definition.

    X[,X...]    A comma-separated list of the following entities:

                • A physical or virtual interface name, such as lan0 or
                  vlan0.
                • An IPv4 address (for example, 192.168.0.1).
                • An IPv6 address (for example, FE80::123:1234:F8).
                • A range of IPv4 addresses specified as ipv4_addr/mask,
                  where mask represents the number of significant bits of
                  the address.  For instance, 192.168.0.1/24 represents
                  the address range from 192.168.0.0 to 192.168.0.255.
                • An IPv6 address range specified as ipv6_address/mask,
                  where mask represents the number of significant bits of
                  the address.
It is possible to configure the network interface rules such that there
are conflicts.  Consider the following example:

    Interface lan0 is assigned to compartment LAN0, IP address range
    192.168.0.0/16 is assigned to compartment IP_16, IP address range
    192.0.0.0/8 is assigned to compartment IP_8, and IP address
    192.168.0.0 is assigned to compartment IP.

Note that IPv4 address 192.168.0.0 belongs to all of the ranges specified
in the rules for IP_8, IP_16, and IP.  If the interface lan0 is assigned
an address of 192.168.0.0, there is an additional conflict.
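The overlap check that the example above calls for, as an added illustration that is not part of the compartments(4) page or of HP-UX: it parses interface rule bodies in the X[,X...] form and reports every address that more than one compartment's rules cover.  The rule list, the compartment names and the lan0 address assignment are constructed inputs.

```python
import ipaddress

# Constructed sample: (compartment, body of an "interface X[,X...]" rule),
# mirroring the conflict example in compartments(4). Names are illustrative.
SAMPLE_RULES = [
    ("LAN0", "lan0"),
    ("IP_16", "192.168.0.0/16"),
    ("IP_8", "192.0.0.0/8"),
    ("IP", "192.168.0.0"),
]

def parse_entities(body):
    """Split 'X[,X...]' into ip_network objects and bare interface names."""
    entities = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entity in interface rule: %r" % body)
        try:
            # strict=False lets 192.168.0.1/24 denote 192.168.0.0-192.168.0.255
            # as the man page describes; a lone address becomes /32 or /128.
            entities.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            entities.append(item)  # a physical or virtual interface name
    return entities

def compartments_for(addr, rules, assigned=None):
    """Sorted names of every compartment whose interface rules cover addr."""
    ip = ipaddress.ip_address(addr)
    # assigned maps interface names to the address configured on them (a
    # constructed, assumed input), so a rule naming lan0 also covers that address.
    assigned = {k: ipaddress.ip_address(v) for k, v in (assigned or {}).items()}
    hits = set()
    for comp, body in rules:
        for ent in parse_entities(body):
            if (assigned.get(ent) == ip if isinstance(ent, str) else ip in ent):
                hits.add(comp)
    return sorted(hits)

def find_conflicts(rules, assigned=None):
    """Map each address claimed by more than one compartment to its claimants.

    Candidates are the single-host entities in the rules plus the addresses
    assigned to named interfaces; ranges are checked through those points.
    """
    singles = {str(e.network_address) for _, b in rules for e in parse_entities(b)
               if not isinstance(e, str) and e.num_addresses == 1}
    found = {a: compartments_for(a, rules, assigned)
             for a in sorted(singles | set((assigned or {}).values()))}
    return {a: c for a, c in found.items() if len(c) > 1}
```

It only reports the overlaps; which compartment the system finally selects for such an address is not something this check decides.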
6 Hewlett-Packard Company − 6 − HP-UX 11i Version 3: September 2010