HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
compartments(4) compartments(4)
policy, and none can also be used. An exclamation mark (!) before a privilege name removes it from the
list. For example, if the privilege list is specified as basicroot,!mount, all root replacement privileges
except mount are disallowed. If the privilege list is none,mount, only mount is disallowed. If this is not
specified for a compartment, it defaults to policy for sealed compartments and none for other compartments.
A disallowed privilege cannot be obtained as a side-effect of exec() calls even when the binary being
executed has extended security attributes indicating that the process gains that privilege. As an example,
suppose mount is a disallowed privilege in compartment no_mounts, and that binary /usr/bin/magic_mount
is expected to receive the mount privilege by means of the following command:
    setfilexsec -p mount -P all /usr/bin/magic_mount
When an unprivileged process in the no_mounts compartment executes the binary, it still would not see the
mount privilege in its potential set.
If a root replacement privilege is part of the disallowed privilege list, the privilege is not implicitly
granted to a process with an effective uid of 0. As an extension of the above example, a process with an
effective uid of 0 but without the mount privilege in its effective set cannot use the mount() system call.
Note that a disallowed privilege is still available to processes that somehow obtain the privilege (for
example, a process with the mount privilege in its effective set can enter the no_mounts compartment and
use the mount() system call).
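The following is an added illustrative model of the three behaviours described above (the list syntax with ! and none, the exec() case, and the effective-uid-0 case). It is not HP-UX code; the membership of basicroot is a constructed placeholder, and left-to-right evaluation of the list is an assumption.

```python
# Added illustrative model of the disallowed-privilege rules in compartments(4).
# Not HP-UX code. The membership of "basicroot" below is a constructed
# placeholder, not the real HP-UX root replacement privilege table.
ROOT_REPLACEMENT = frozenset({"mount", "dacread", "dacwrite"})  # placeholder set
GROUPS = {"basicroot": set(ROOT_REPLACEMENT), "none": set()}


def _expand(name):
    """A group keyword expands to its members; anything else is one privilege."""
    return set(GROUPS.get(name, {name}))


def parse_disallowed(spec):
    """Expand a list such as 'basicroot,!mount' or 'none,mount'.

    Items are applied left to right (assumption); '!name' removes a
    privilege from what has been accumulated so far.
    """
    disallowed = set()
    for item in spec.split(","):
        item = item.strip()
        if item.startswith("!"):
            disallowed -= _expand(item[1:])
        else:
            disallowed |= _expand(item)
    return disallowed


def potential_set_after_exec(disallowed, file_privs):
    """exec() of a binary whose extended security attributes grant privileges:
    disallowed ones never reach the new process's potential set."""
    return set(file_privs) - set(disallowed)


def can_use_mount(effective_uid, effective_privs, disallowed):
    """mount() needs the mount privilege. A process already holding it keeps it
    (e.g. it entered the compartment with it); uid 0 gets it implicitly only
    when mount is not a disallowed root replacement privilege."""
    if "mount" in effective_privs:
        return True
    return effective_uid == 0 and "mount" not in disallowed


if __name__ == "__main__":
    no_mounts = parse_disallowed("none,mount")          # only mount disallowed
    print(sorted(parse_disallowed("basicroot,!mount")))  # everything but mount
    print(potential_set_after_exec(no_mounts, {"mount", "dacread"}))
    print(can_use_mount(0, set(), no_mounts), can_use_mount(500, {"mount"}, no_mounts))
```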
Network Interface Rules
Network interface rules specify the compartment to which a network interface belongs. If a network
interface does not have a compartment, no network traffic in the INET domain (TCP/IP) is allowed to pass.
Network interface rules use the following format:
interface interface[[,interface]...]
where the values are defined as follows:
interface
Identifies this as an interface definition.
interface[[,interface]...]
A comma-separated list of network interface names. Both physical lan device names and
VLAN names are supported.
FILES
The only rules files not described here that affect the compartment rules on a system are those included
through an #include directive.
/etc/cmpt/
The human-readable version of the compartment rules. All files whose names end in
*.rules that reside in the /etc/cmpt directory or its sub-directories are processed
when setting rules.
/etc/cmpt-rules.bin
Binary equivalent of the combined human-readable rules files. Do NOT edit this file
directly.
SEE ALSO
cmpt_tune(1M), getrules(1M), mount_lofs(1M), setrules(1M), compartments(5), privileges(5).
HP-UX 11i Version 2: December 2007 Update − 5 − Hewlett-Packard Company 57