HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
compartments(4) compartments(4)
NAME
compartments - HP-UX compartments files
DESCRIPTION
HP-UX compartments are defined by creating one or more ASCII files in the /etc/cmpt directory. Only
file names ending with .rules are parsed for compartment definitions. Collectively, these files define
compartments and compartment access rules for local system objects. System objects that have compartment
access controls defined include file system objects, inter-process communication objects, and network
objects.

The compartment specifications are pre-processed with cpp before parsing. See cpp(1). Hence, you can
use cpp directives such as #include, #define, #ifdef, and C-style comments to organize and document
the rules files.
CONFIGURATION RULES SYNTAX
A compartment consists of a name and a set of rules. Compartments use four kinds of configuration rules:
file system rules, inter-process communication (IPC) rules, network rules, and miscellaneous rules. Rules
can be either subject-centric or object-centric. Subject-centric rules control access by processes (subjects) in
a compartment to resources (objects) in other compartments. Object-centric rules control access to
resources (objects) in a compartment by processes (subjects) in other compartments.
Compartment definitions use the following format:

    [sealed] compartment new_compartment_name
    {rules}

where the values are defined as follows:

sealed                 Indicates that a process in this compartment does not change its compartment as a
                       side-effect of the exec() call, even if the binary being executed has extended
                       security attributes indicating that the process starts in a different compartment.
                       See exec(2). For security purposes, the minimum retained and minimum permitted
                       privileges of the binary are also ignored (and treated as though both sets are
                       empty sets).

compartment            Designates that this is a compartment definition.

new_compartment_name   Specifies the name to be applied to the compartment being defined. The name is
                       case sensitive, except for the init compartment, which is case insensitive.

{}                     Encloses the new rules.

rules                  Set of rules defining the compartment. Each rule appears on a line by itself.
Note that the compartment specification may be extended to include new keywords in the future. Hence, it
is strongly recommended that compartment names begin with an uppercase character to avoid any future
syntax errors (for example, compartment Web instead of web).
File System Rules
File system rules govern access to the files and directories of the file system. All file system rules are
subject-centric.
File system rules use the following format:
permission ([none|all]|[read][[,]write][[,]create][[,]unlink]) file_object
where the values are defined as follows:
permission             Sets the permissions allowed for processes in this compartment to access the
                       file_object in the way specified.

none                   Denies any access to the file_object for any process in this compartment. If
                       specified, none of the other possible arguments can be used.

all                    Indicates all permissions on file_object; that is, an alias for the expression
                       read, write, unlink, create.

read                   Controls read access to the file_object. If the file_object is a file, read allows
                       processes in this compartment to open the file for reading. If the file_object is a
                       directory, it allows processes in this compartment to list the contents of this
                       directory.
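The two syntaxes described above (the "[sealed] compartment name { rules }" definition and the file system "permission ... file_object" rule) are small enough to parse and lint offline, which is a useful check to run on a rules file before it ever reaches /etc/cmpt. The following Python is an added example, not HP-UX code: it strips C-style comments as cpp would, skips (rather than expands) cpp directives, expands the "all" alias, rejects "none" combined with other permissions, folds the case-insensitive init name, keeps IPC, network and miscellaneous rules verbatim since they are not described on this page, and warns about compartment names that do not begin with an uppercase character. The sample rules text and every path in it are constructed for the example.

```python
"""Parser and linter for the compartments(4) definition syntax. Added example, not HP-UX code."""
import re
from dataclasses import dataclass, field

FILE_PERMS = ("read", "write", "create", "unlink")   # 'all' is an alias for these four
HEADER_RE = re.compile(r"^(sealed\s+)?compartment\s+(\S+)$")

@dataclass
class FileRule:
    perms: frozenset   # subset of FILE_PERMS; an empty set records 'none'
    path: str

@dataclass
class Compartment:
    name: str
    sealed: bool = False
    file_rules: list = field(default_factory=list)
    other_rules: list = field(default_factory=list)   # IPC/network/misc rules, kept verbatim

def strip_comments(text):
    """Drop C-style block and line comments, as cpp would before the parser sees the file."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)

def parse_permission(args):
    """'read, write' -> {'read','write'}; 'all' -> all four; 'none' -> empty set (exclusive)."""
    tokens = [t for t in re.split(r"[,\s]+", args) if t]   # comma between names is optional
    if not tokens:
        raise ValueError("permission rule needs at least one argument")
    if "none" in tokens:
        if len(tokens) != 1:
            raise ValueError("'none' cannot be combined with other permissions")
        return frozenset()
    perms = set()
    for tok in tokens:
        if tok == "all":
            perms.update(FILE_PERMS)
        elif tok in FILE_PERMS:
            perms.add(tok)
        else:
            raise ValueError(f"unknown file permission {tok!r}")
    return frozenset(perms)

def parse_rules(text):
    """Parse one rules file; returns {name: Compartment}. Raises ValueError on syntax errors."""
    comps, current, state = {}, None, "header"
    for lineno, raw in enumerate(strip_comments(text).splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank line, or a cpp directive we do not expand
            continue
        if state == "header":
            if line.endswith("{"):                 # '{' may share the header line
                line, state = line[:-1].rstrip(), "body"
            else:
                state = "open"
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: expected '[sealed] compartment name'")
            name = m.group(2)
            if name.lower() == "init":             # only init is case insensitive
                name = "init"
            if name in comps:
                raise ValueError(f"line {lineno}: compartment {name!r} defined twice")
            current = comps[name] = Compartment(name, sealed=bool(m.group(1)))
        elif state == "open":
            if line != "{":
                raise ValueError(f"line {lineno}: expected '{{' after compartment header")
            state = "body"
        else:                                      # inside { ... }: one rule per line
            if line == "}":
                current, state = None, "header"
                continue
            keyword, _, rest = line.partition(" ")
            if keyword == "permission":            # file system rule: perms then file_object
                parts = rest.split()
                if len(parts) < 2:
                    raise ValueError(f"line {lineno}: permission rule needs perms and a file_object")
                current.file_rules.append(FileRule(parse_permission(" ".join(parts[:-1])), parts[-1]))
            else:
                current.other_rules.append(line)   # rule kinds not described on this page
    if state != "header":
        raise ValueError("unterminated compartment definition (missing '}')")
    return comps

def lint(comps):
    """Advisory check from the text: names other than init should start with an uppercase letter."""
    return [f"compartment {n!r}: name should begin with an uppercase character"
            for n in comps if n != "init" and not n[0].isupper()]

# Constructed sample rules file; the paths are illustrative, not a real system's configuration.
SAMPLE_RULES = """
/* Web server compartment: constructed example */
sealed compartment Web {
    permission read, write /var/opt/web/logs
    permission read /etc/opt/web
    permission none /etc/shadow
    permission all /var/opt/web/tmp
}
compartment INIT        /* folded to 'init': the one case-insensitive name */
{
    permission read /etc
}
compartment dbclient    // lowercase name: lint() flags it
{
    permission read /etc/opt/db
}
"""

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for c in parsed.values():
        print(("sealed " if c.sealed else "") + "compartment", c.name,
              [(",".join(sorted(r.perms)) or "none", r.path) for r in c.file_rules])
    print(lint(parsed))
```

Running the block prints each compartment with its expanded file system rules and one lint warning for dbclient. Because the real files are run through cpp first, a production check would pipe the file through cpp (see cpp(1)) and feed the output to parse_rules rather than skipping directives as this example does.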
HP-UX 11i Version 2: December 2007 Update − 1 − Hewlett-Packard Company 53