compartments.5 (2010 09)

compartments(5) compartments(5)
       read:    For directory listing and searching
       create:  For creation of new elements under the directory
       unlink:  For removing elements under the directory
       Any combination of the above four

You can restrict access to files to the following actions:

       read:    For reading or executing the file
       write:   For writing the file
       Any combination of the two

All the file system rules are inherited except the nsearch access. For instance, if /a has a permission of nsearch and create, /a/b would have a permission of create alone unless a different set of permissions is assigned to it.
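The inheritance rule above can be checked with a small model, added here as an illustration rather than HP-UX code: the nearest rule on the path supplies the permissions, and nsearch is dropped whenever the permissions are inherited rather than assigned directly. The rule paths and permission sets in it are constructed examples.

```python
"""Model of compartments(5) file system rule inheritance.

Assumptions of this model (not HP-UX code): the closest ancestor with
an explicit rule, or the path itself, determines the permissions, and
an inherited permission set loses nsearch.  Paths are constructed."""
import posixpath

DIRECTORY_ACCESS = {"nsearch", "read", "create", "unlink"}
FILE_ACCESS = {"read", "write"}
NOT_INHERITED = {"nsearch"}          # the one access that never inherits


def effective_permissions(rules, path):
    """Return the set of permissions that apply to `path`.

    `rules` maps an absolute path to the set of permissions explicitly
    assigned to it.  Walks up the path until a rule is found; a rule on
    an ancestor is inherited, so nsearch is removed from it."""
    path = posixpath.normpath(path)
    current = path
    while True:
        if current in rules:
            perms = set(rules[current])
            if current != path:          # inherited, not assigned directly
                perms -= NOT_INHERITED
            return perms
        if current == "/":
            return set()                 # no rule anywhere on the path
        current = posixpath.dirname(current)


def can(rules, path, action):
    """True if `action` is permitted on `path` under `rules`."""
    return action in effective_permissions(rules, path)


if __name__ == "__main__":
    # Constructed rule set mirroring the example in the man page text.
    rules = {
        "/a": {"nsearch", "create"},
        "/a/logs": {"read", "unlink"},
    }
    print(sorted(effective_permissions(rules, "/a")))         # ['create', 'nsearch']
    print(sorted(effective_permissions(rules, "/a/b")))       # ['create']
    print(sorted(effective_permissions(rules, "/a/logs/x")))  # ['read', 'unlink']
```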
IPC Rules
IPC rules govern how processes in this compartment can access other compartments' IPC mechanisms and how processes in other compartments can access this compartment's IPC mechanisms. By default, a process can access only the IPC objects in its own compartment.
Network Rules
Network rules control access between a process and a network interface, as well as between two processes using loopback communications. These rules control the direction of network traffic (incoming, outgoing, or both) between the subject compartment and the target compartment specified in the rule. Each rule specifies the direction of traffic flow, the protocol (TCP, UDP, or a raw protocol), and the target compartment (for either the network interface or a local compartment for local process communications). Optionally, the rule can filter on local and peer port numbers (for TCP and UDP only).
Compartments are associated with network endpoints when they are first created. When a process makes the system call that creates the endpoint (socket() or open()), the compartment of the process at that time is applied to the network object. (See socket(2) or open(2).) This compartment is used in all network communication access checks that the object is involved in. For TCP, rules are applied at connection establishment time. For all other network communications, each inbound and outbound packet delivery is checked against the rules.
Miscellaneous Rules
Miscellaneous rules appear within a compartment definition. These rules include the following:
Disallowed Privileges
       Disallowed privileges define specific privileges that may not be obtained as a side effect of exec() calls even when the binary being executed specifies that the privilege becomes available. See exec(2). See the description of the -p and -r flags for the setfilexsec command. See setfilexsec(1M) for information on how a process can gain privileges as a side effect of an exec() call.
Network Interface Rules
       Interface rules define which network interfaces (Physical/Virtual/Logical) are in this compartment. Each network interface can belong to only one compartment, though multiple interfaces can be assigned to the same compartment. Also note that certain special logical interfaces, such as the loopback interface lo0 and tunneling interfaces, are not valid configuration parameters. These are silently ignored.
COMPARTMENT-RELATED PRIVILEGES
The following set of privileges (see privileges(5)) affect the operation of compartments:

       CHANGECMPT   Grants a process the ability to change its compartment.
       CMPTREAD     Allows a process to open a file or directory for reading, executing (in the case of a file), or searching (in the case of a directory), bypassing compartment rules that would otherwise not permit the operation.
       CMPTWRITE    Allows a process to write into a file, or to create or delete files in a directory, bypassing compartment rules that would otherwise not permit the operation.
Hewlett-Packard Company                - 2 -               HP-UX 11i Version 3: September 2010