compartments.5 (2010 09)

compartments(5) compartments(5)
NAME
compartments - description of HP-UX compartments
DESCRIPTION
The UNIX operating system has traditionally used a single compartment model. The relatively free access in traditional single compartment systems can lead to problems with malicious software or with compromised programs. If a way to exploit a daemon process is discovered and used, an intruder gains considerable access to the system. If the daemon process is running with an effective uid of 0 while being exploited, this could translate to complete system access. With the use of compartments, you can limit access to only what the process needs, thus reducing the amount of damage malicious or exploited programs can do.
A compartment isolates a process so that it can only access objects within the same compartment, unless a compartment rule grants the process access to other compartments. Other access control methodologies, such as file permissions and ACLs, still apply.
You can override compartment restrictions with appropriate privileges. See privileges(5) for a list of privileges.
Compartments control process access to several different types of system objects. Some of these object types are persistent, and are typically referenced by name (such as files). These objects do not have a compartment directly associated with them. Instead, the rules that govern access to these objects are associated with the name of the object. Other object types are transient, lasting only as long as the process that created them, or while the system is booted. Transient objects are labeled with the compartment of the process that creates them. The rules that govern access to these objects are a direct compartment-to-compartment relationship.
Compartments govern three types of system objects: file system objects (persistent), inter-process communication (IPC) objects (transient), and network objects (transient):
• File System Objects. Includes files and directories. By default, all file system objects are accessible by any compartment. However, specific compartment configuration can define rules to restrict access to various file system objects.
• Inter-process Communication (IPC) Objects. Enable or restrict communication between processes on a single system. The types of IPC objects are System V shared memory, System V semaphores, System V message queues, POSIX semaphores, POSIX message queues, PTYs, FIFOs, UNIX domain sockets, and processes (signal mechanism). POSIX shared memory is implemented as file system objects; hence, compartment access is controlled with file system rules. By default, processes in a given compartment cannot access IPC objects in another compartment unless explicitly configured otherwise.
• Network Communication Objects. Includes network endpoints (sockets and streams) and network LAN interfaces. These objects are used to communicate via the TCP/IP protocol with processes on both local and remote systems. Access is controlled between a process’ network endpoints and the LAN interfaces through which traffic passes to remote systems. As with IPC objects, processes in a given compartment cannot access network objects in a different compartment unless explicitly configured to do so.
Each network LAN interface (logical/physical/virtual) can belong to a compartment of its own. For example, it is possible to set the rules such that logical interfaces lan0:1 and lan0:2 belong to different compartments.
CONFIGURATION RULES
At system start up, the compartment configuration is read from files in the /etc/cmpt directory. The configuration is placed in files ending with the .rules suffix under /etc/cmpt. These files are preprocessed with cpp before they are applied. You can use cpp’s mechanisms such as C/C++ comments, #ifdef, and #include to organize the files. See compartments(4) for the syntax of the configuration files.
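A sketch of what such a rules file can look like, added here as an illustration and not taken from the HP-UX manual: it uses the cpp mechanisms the paragraph names (C comments, #include, #ifdef) and places a logical interface in its own compartment. The compartment names, paths, port and included header are constructed, and the rule keywords (permit, nsearch, grant, interface) follow my recollection of compartments(4); check them against that page before use.

```conf
/* /etc/cmpt/webserver.rules -- constructed example. The file is run through
   cpp before it is applied, so C comments and directives are usable here.
   Rule keywords are assumed from compartments(4); verify against that page. */
#include "site_defs.h"      /* hypothetical site-wide header defining SITE_DEBUG */

compartment webserver {
    /* File system rules: persistent objects, matched by path name.
       nsearch on a directory lets the process resolve entries by name
       without granting a listing of the directory. */
    permit nsearch /etc
    permit read    /etc/hosts
    permit read    /opt/www/htdocs
    permit read,write /var/opt/www/logs

#ifdef SITE_DEBUG
    /* Present only when the macro is defined in the included header. */
    permit read /var/opt/www/debug
#endif

    /* Network rule: accept inbound TCP connections on port 80 that arrive
       through the interface compartment declared below. */
    grant server tcp port 80 web_if
}

/* Logical interface lan0:1 is given a compartment of its own, so traffic on
   it is kept apart from, for example, lan0:2 used for administration. */
compartment web_if {
    interface lan0:1
}
```

Because the file is preprocessed, a stray C comment or an unbalanced #ifdef is a cpp error before any compartment rule is evaluated, so keep the include files under the same change control as the rules themselves.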
Compartments use four types of rules: file system rules, IPC rules, network rules, and miscellaneous rules.
File System Rules
File system rules govern access to the files and directories of the file system. You can restrict access to directories to the following actions:
• nsearch: For searching a directory.
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1