compartments.4 (2011 09)

compartments(4)
blocked Indicates that no processes can be launched in this compartment from other
compartments. Therefore, if the blocked keyword is specified for a compartment,
a process cannot use the cmpt_change() routine to enter this compartment, nor can
it enter this compartment by executing a binary file that is configured with the
name of this compartment as one of its extended security attributes (see
setfilexsec(1M)).
The blocked keyword is valid only if the HP-UX ContainmentPlus product
(version B.11.31.02 or later) is installed on the system.
compartment Designates that this is a compartment definition.
new_compartment_name
Specifies the name to be applied to the compartment being defined. The name is
case sensitive, except for the init compartment, which is case insensitive. It
can contain only alphanumeric characters, underscore and hyphen, matching
[a-zA-Z][a-zA-Z0-9_-]*, but not any other special or space characters. The total
length of the compartment name cannot exceed 256 characters.
{} Encloses the new rules.
rules Set of rules defining the compartment. Each rule appears on a line by itself.
Note that the compartment specification can be extended to include new keywords in the future. HP
strongly recommends that compartment names begin with an uppercase character to avoid any future
syntax errors (for example, compartment Web instead of web).
If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the
keywords sealed, discover, system, and blocked can be specified in any order.
File System Rules
File system rules govern access to the files and directories of the file system. All file system rules are
subject-centric.
File system rules use one of these two formats:
permission [none | all] file_object
permission [nsearch][, read][, write][, create][, unlink] file_object
If the HP-UX ContainmentPlus product is installed on the system, file system rules using the
following format are also supported:
permission [nsearch][, nread][, read][, write][, create][, unlink] file_object
where the values are defined as follows:
permission Sets the permissions allowed for processes in this compartment to access the
file_object in the way specified.
none Denies any access to the file_object for any process in this compartment. If
specified, none of the other possible arguments can be used.
all Indicates all permissions on file_object. The all parameter is an alias that
includes all parameters: nsearch, read, write, unlink, and create.
nsearch Controls search access to the file_object. The rule has an effect only if file_object is
a directory. It allows processes in the compartment to perform lookups in the directory.
This access control is not inherited, so even if a directory is searchable, any
directory underneath it is not searchable unless it is explicitly allowed.
nread Controls search and read access to the file_object. The rule has an effect only if
file_object is a directory. It allows processes in the compartment not only to look up
names in the directory (see the nsearch parameter), but also to list the contents of the
directory. As with the nsearch parameter, this access control is not inherited. Therefore,
even if a directory is searchable and readable, any directory or file underneath
it is not searchable or readable unless it is explicitly allowed.
The nread keyword is valid only if the HP-UX ContainmentPlus product is
installed on the system.
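As an added illustration of the compartment name syntax and the file system rule formats described above (example code written for this page, not part of the compartments(4) manual or of HP-UX), the following Python parses permission rules in the two formats, enforces the none/all constraints and the name syntax, and models the non-inheritance of nsearch and nread by requiring an explicit rule on every directory along a path. The Web compartment and its rules are constructed samples, and the lookup check deliberately ignores how read, write and the other permissions behave on directories, which this page does not cover here.

```python
import re
from pathlib import PurePosixPath

# Name syntax and length limit exactly as compartments(4) states them.
NAME_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9_-]*")
MAX_NAME_LEN = 256
BASE_PERMS = frozenset({"nsearch", "read", "write", "create", "unlink"})
PLUS_PERMS = BASE_PERMS | {"nread"}   # nread exists only with ContainmentPlus

def valid_compartment_name(name):
    """True if name matches [a-zA-Z][a-zA-Z0-9_-]* and is at most 256 chars."""
    return len(name) <= MAX_NAME_LEN and NAME_RE.fullmatch(name) is not None

def parse_fs_rule(line, containment_plus=False):
    """Parse one 'permission <list> file_object' line into (perms, path).
    'none' must stand alone and yields an empty set; 'all' expands to
    every base permission; anything else unknown raises ValueError."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "permission":
        raise ValueError(f"not a file system rule: {line!r}")
    path = str(PurePosixPath(parts[-1]))          # normalise a trailing '/'
    words = " ".join(parts[1:-1]).replace(",", " ").split()
    if "none" in words:
        if words != ["none"]:
            raise ValueError(f"'none' excludes other permissions: {line!r}")
        return frozenset(), path
    if words == ["all"]:
        return BASE_PERMS, path
    allowed = PLUS_PERMS if containment_plus else BASE_PERMS
    bad = set(words) - allowed
    if bad:
        raise ValueError(f"unknown permission(s) {sorted(bad)} in {line!r}")
    return frozenset(words), path

def lookup_allowed(rules, path):
    """nsearch/nread are NOT inherited, so every directory on the way to
    path needs its own rule granting nsearch, nread or all (assumed model)."""
    searchable = {p for perms, p in rules if perms & {"nsearch", "nread"}}
    return all(str(d) in searchable for d in PurePosixPath(path).parents)

# Constructed sample rules for a hypothetical "Web" compartment (not from the page).
SAMPLE_RULES = [
    "permission nsearch /",
    "permission nsearch /var",
    "permission nread /var/opt",
    "permission read, nsearch /var/opt/web/",
    "permission all /var/opt/web/logs",
    "permission none /etc/shadow",
]
```

Because /var/opt/web/cgi has no rule of its own, a lookup below it is refused even though every directory above it is searchable.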
read Controls read access to the file_object. If the file_object is a file, read allows
processes in this compartment to open the file for reading. If the file_object is a
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2011