compartments.5 (2010 09)

compartments(5) compartments(5)
COMMALLOWED Allows a process to override compartment IPC and networking rules.
RULESCONFIG Allows a process to modify compartment rules on the system.
Note: These privileges are not automatically granted by default to a process with an effective uid of 0.
Default Compartments
When compartments are installed on the system, there is only one default compartment, the init compartment. When the system boots, the init process belongs to this compartment. This compartment has been defined to have access to all other compartments that are explicitly defined for the system. The init compartment need not be defined in a rules file. If you re-define the init compartment by making an explicit reference to it in a rules file, all special characteristics are lost and cannot be restored without rebooting the system.
Compartment Manipulation Commands
Several commands review and modify the compartment configuration on a system:
cmpt_tune Queries, enables, and disables the compartments feature. See cmpt_tune(1M) for more information.
getrules Displays compartment rules. See getrules(1M) for more information.
setrules Parses and puts the rules into action. See setrules(1M) for more information.
Note: Currently, no command is available to modify the compartment configuration files. You must edit
the configuration files directly. Once that is done, you can use the above commands to put them into
action.
FILES
/etc/cmpt/rules/ All files under this directory whose names end with .rules are used to create the compartment configuration. All files intended to be used to configure compartment rules on the system (except those files referred to by a #include directive) must be in this directory.
/etc/cmpt-rules.bin Binary file containing the machine-readable compartment rules. Do not edit this file directly.
/etc/cmpt-db File that maps compartment names to the ID numbers used internally by the system. Do not edit this file directly.
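Because only files named *.rules under /etc/cmpt/rules/ are compiled, a misnamed file (an editor backup such as web.rules~, or web.rule) is silently skipped and the rule it holds never takes effect. The following check, added here as an example and not part of the HP-UX manual or tools, lists which files in the directory will be compiled and flags the ones that will be ignored; the bare setrules/getrules invocation in apply_rules is assumed from the command descriptions above.

```shell
#!/bin/sh
# Added example (not HP-UX code): sanity-check a compartment rules directory
# before running setrules. Reports every regular file in DIR that will be
# compiled (*.rules) or silently ignored (anything else).
# Usage: check_rules_dir [DIR]   (DIR defaults to /etc/cmpt/rules)
# Returns 0 when no file would be ignored, 1 otherwise.
check_rules_dir() {
  dir=${1:-/etc/cmpt/rules}
  active=0
  ignored=0
  # Include dot-files: "." and ".." are directories and are skipped by -f.
  for f in "$dir"/* "$dir"/.*; do
    [ -f "$f" ] || continue
    case $f in
      *.rules)
        active=$((active + 1))
        echo "active:  $f"
        ;;
      *)
        ignored=$((ignored + 1))
        echo "IGNORED: $f (name does not end in .rules)"
        ;;
    esac
  done
  echo "$active rules file(s) will be compiled, $ignored ignored"
  [ "$ignored" -eq 0 ]
}

# Refuse to activate rules while the directory contains files that would be
# skipped, so an operator notices the misnamed file instead of assuming the
# rule is live. Bare setrules/getrules are assumed per their descriptions
# in this manual page.
apply_rules() {
  check_rules_dir "${1:-/etc/cmpt/rules}" || {
    echo "rules directory needs attention; setrules not run" >&2
    return 1
  }
  setrules && getrules
}
```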
SEE ALSO
cmpt_tune(1M), getrules(1M), setrules(1M), exec(2), open(2), socket(2), compartments(4), privileges(5).
HP-UX 11i Version 3: September 2010 − 3 − Hewlett-Packard Company