HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
compartments(4)
path name representing the terminal. Normally terminals do not have any compartment
until a process opens them. When a terminal without a compartment ID is opened, its
compartment is set to that of the process that opened it. When all open file handles to
the terminal are closed, the terminal’s compartment ID is unset.
fifo Applies to named pipes (FIFOs) that are used to communicate between processes.
Note that these rules are applied in addition to any file system rules that control the
path name representing the directory containing the named pipe. Initially a FIFO has
no compartment. When a process opens the FIFO for the first time, its compartment
is set to that of the process. When all processes close the FIFO, its compartment is
unset.
uxsock Applies to UNIX domain sockets that are used to communicate between processes.
Note that these rules are applied in addition to any file system rules that control the
path name representing the directory containing the socket. As with FIFOs, initially
a UNIX socket has no compartment. When a process opens the UNIX domain socket
for the first time, its compartment is set to that of the process. When all processes
close the UNIX domain socket, its compartment is unset.
ipc Applies to the following IPC mechanisms: System V shared memory (for example,
created using shmget()), System V and POSIX semaphores (for example, created
using semget() or sem_open()), and System V and POSIX message queues (for
example, created using msgget() or mq_open()). When an IPC object is created,
its compartment is set to that of the process that created it. POSIX shared memory is
implemented as standard files; hence, POSIX shared memory obeys file system rules,
but not ipc rules.
compartment_name
Name of the other compartment with which a process in this compartment can
communicate.
The second form of IPC rules governs process visibility and uses the following format:
(send|receive) signal compartment_name
where the values are defined as follows:
send Allows a process in this compartment to view or access processes in
compartment_name. This keyword specifies a subject-centric rule.
receive Allows a process in compartment_name to view or access processes in this
compartment. This keyword specifies an object-centric rule.
signal Identifies this as a signal IPC rule. Even though the rule uses the keyword signal,
in reality it controls all aspects of process visibility. For example, the output of the
ps command reflects the process visibility restrictions set using this rule.
compartment_name
Name of the other compartment whose processes a process in this compartment can view
(send), or whose processes can view the processes in this compartment (receive).
Network Rules
Network rules control access between a process and a network interface, as well as between two processes
using loopback communications. These rules control the direction of network traffic (incoming, outgoing, or
both) between the subject compartment and the target compartment specified in the rule. Each rule is
specified by protocol (TCP, UDP, or any raw protocol number) and the target compartment, and can option-
ally filter based on local or peer port numbers (TCP and UDP only). If an explicit rule does not match a
communication attempt, the default is to deny communication.
Network rules use the following format:
(grant|deny) (server|client|bidir) (tcp|udp|raw protonum) [port port] [peer port port]
compartment_name
where the values are defined as follows:
grant Allows access to the network described by this rule.
deny Denies access to the network described by this rule. This rule is useful when you
want to deny access for a specific configuration (such as a single port), but you want to
HP-UX 11i Version 2: December 2007 Update − 3 − Hewlett-Packard Company 55
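The two rule forms above, the signal IPC rule and the network rule, can be exercised with a small parser and evaluator. The following Python is an added example, not part of this manual page or of HP-UX. The rule text it parses is constructed and the compartment names (web, dbcmpt, opscmpt, lancmpt) are made up. It assumes that server covers incoming traffic, client outgoing and bidir both; that a matching deny outranks a matching grant (inferred from the stated use of deny: refuse one port while granting the rest); and that a compartment can always see its own processes. It enforces the two syntax constraints the page does state: port filters apply to tcp and udp only, and a protocol number goes only with raw.

```python
"""Parser and evaluator for the two compartments(4) rule forms shown on this page:
'(send|receive) signal cmpt' and '(grant|deny) (server|client|bidir) (tcp|udp|raw N)
[port N] [peer port N] cmpt'.  Added example, not HP-UX code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SIGNAL_RE = re.compile(r"^(send|receive) signal (\S+)$")
NET_RE = re.compile(
    r"^(grant|deny) (server|client|bidir) "
    r"(tcp|udp|raw)(?: (\d+))?"   # protocol; only 'raw' takes a protocol number
    r"(?: port (\d+))?"           # optional local port filter (tcp/udp only)
    r"(?: peer port (\d+))?"      # optional peer port filter (tcp/udp only)
    r" (\S+)$"                    # target compartment
)
# Assumption: 'server' covers incoming traffic, 'client' outgoing, 'bidir' both.
DIRECTION_OF = {"server": "incoming", "client": "outgoing"}

@dataclass
class NetRule:
    action: str               # grant | deny
    direction: str            # server | client | bidir
    proto: str                # tcp | udp | raw
    protonum: Optional[int]   # raw protocol number; None for tcp/udp
    port: Optional[int]       # local port filter; None = any
    peer_port: Optional[int]  # peer port filter; None = any
    target: str               # target compartment

    def matches(self, direction, proto, protonum, port, peer_port, target) -> bool:
        return (self.target == target and self.proto == proto
                and (self.direction == "bidir" or DIRECTION_OF[self.direction] == direction)
                and (proto != "raw" or self.protonum == protonum)
                and self.port in (None, port) and self.peer_port in (None, peer_port))

@dataclass
class Compartment:
    name: str
    send_signal: Set[str] = field(default_factory=set)     # subject-centric: we may view these
    receive_signal: Set[str] = field(default_factory=set)  # object-centric: these may view us
    net_rules: List[NetRule] = field(default_factory=list)

def parse_rules(text_by_compartment: Dict[str, str]) -> Dict[str, Compartment]:
    """Parse each compartment's rule lines, rejecting syntax the page rules out."""
    cmpts = {}
    for name, text in text_by_compartment.items():
        c = Compartment(name)
        for raw in text.splitlines():
            line = " ".join(raw.split())  # collapse whitespace so the regexes stay simple
            if not line:
                continue
            m = SIGNAL_RE.match(line)
            if m:
                (c.send_signal if m.group(1) == "send" else c.receive_signal).add(m.group(2))
                continue
            m = NET_RE.match(line)
            if not m:
                raise ValueError(f"{name}: unrecognised rule {line!r}")
            action, direction, proto, protonum, port, peer_port, target = m.groups()
            # A protocol number goes only with 'raw'; port filters only with tcp/udp.
            if (proto == "raw") != (protonum is not None) or (proto == "raw" and (port or peer_port)):
                raise ValueError(f"{name}: bad protocol/port combination: {line!r}")
            c.net_rules.append(NetRule(action, direction, proto,
                                       int(protonum) if protonum else None,
                                       int(port) if port else None,
                                       int(peer_port) if peer_port else None, target))
        cmpts[name] = c
    return cmpts

def can_signal(cmpts, subject, obj) -> bool:
    """A process in `subject` may view/signal one in `obj` if the subject holds
    'send signal obj' or the object holds 'receive signal subject'."""
    if subject == obj:
        return True  # assumption: a compartment always sees its own processes
    s, o = cmpts.get(subject), cmpts.get(obj)
    return (s is not None and obj in s.send_signal) or (o is not None and subject in o.receive_signal)

def network_allowed(cmpts, subject, target, direction, proto,
                    protonum=None, port=None, peer_port=None) -> bool:
    """Default deny.  Assumption, inferred from the 'deny one port, grant the rest'
    use case: a matching deny outranks any matching grant."""
    if subject not in cmpts:
        return False
    hits = [r for r in cmpts[subject].net_rules
            if r.matches(direction, proto, protonum, port, peer_port, target)]
    return bool(hits) and all(r.action == "grant" for r in hits)

# Constructed sample rules (not from the page); compartment names are made up.
SAMPLE_RULES = {
    "web": """
        send signal dbcmpt
        grant server tcp port 443 lancmpt
        grant bidir tcp dbcmpt
        deny client tcp peer port 22 dbcmpt
    """,
    "dbcmpt": """
        receive signal opscmpt
        grant server tcp port 5432 web
        grant bidir raw 1 lancmpt
    """,
    "opscmpt": "",
}
```

With the sample rules, web may signal dbcmpt through its own send rule, opscmpt may signal dbcmpt through dbcmpt's receive rule, and the reverse directions are refused; web's broad bidir grant to dbcmpt is narrowed by the deny on peer port 22, and a port with no matching rule (for example inbound tcp 80 from lancmpt) falls to the default deny.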