HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)
compartments(5) compartments(5)
NAME
compartments - description of HP-UX compartments
DESCRIPTION
The UNIX operating system has traditionally used a single compartment model. The relatively free
access in traditional single compartment systems can lead to problems with malicious software or with
compromised programs. If a way to exploit a daemon process is discovered and used, an intruder gains
considerable access to the system. If the daemon process is running with an effective uid of 0 while being
exploited, this could translate to complete system access. With the use of compartments, you can limit
access to only what the process needs, thus reducing the amount of damage malicious or exploited
programs can do.
A compartment isolates a process so that it can only access objects within the same compartment, unless a
compartment rule grants the process access to other compartments. Other access control methodologies,
such as file permissions and ACLs, still apply.
You can override compartment restrictions with appropriate privileges. See privileges(5) for a list of
privileges.
Compartments control process access to several different types of system objects. Some of these object
types are persistent, and are typically referenced by name (such as files). These objects do not have a
compartment directly associated with them. Instead, the rules that govern access to these objects are
associated with the name of the object. Other object types are transient, lasting only as long as the process
that created them, or while the system is booted. Transient objects are labeled with the compartment of the
process that creates them. The rules that govern access to these objects are a direct
compartment-to-compartment relationship.
Compartments govern three types of system objects: file system objects (persistent), inter-process
communication (IPC) objects (transient), and network objects (transient):
• File System Objects. Include files and directories. By default, all file system objects are
accessible by any compartment. However, specific compartment configuration can define rules to restrict
access to various file system objects.
• Inter-process Communication (IPC) Objects. Enable communication between processes on a
single system. The types of IPC objects are System V shared memory, System V semaphores,
System V message queues, POSIX semaphores, POSIX message queues, PTYs, FIFOs, UNIX domain
sockets, and processes (signal mechanism). POSIX shared memory is implemented as file system
objects; hence, compartment access is controlled with file system rules. By default, processes in a
given compartment cannot access IPC objects in another compartment unless explicitly configured
otherwise.
• Network Communication Objects. Include network endpoints (sockets and streams) and
network lan interfaces. These objects are used to communicate via the TCP/IP protocol with processes
on both local and remote systems. Access is controlled between a process’ network endpoints and
the lan interfaces through which traffic passes to remote systems. As with IPC objects, processes
in a given compartment cannot access network objects in a different compartment unless explicitly
configured to do so.
All logical interfaces share the same compartment (that is, network interfaces lan0:1 and
lan0:2 have the same compartment). Each virtual lan (VLAN) interface has a compartment of
its own.
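The access model described above has two distinct decision paths: persistent objects (files) are matched by name and are open to every compartment unless a rule restricts them, while transient objects (IPC and network) carry the label of the compartment that created them and are closed to other compartments unless a compartment-to-compartment rule grants access, with privileges able to override either. The following Python model is an added illustration of those semantics and is not HP-UX code; the compartment names (web, db, sys), the rule tables, the "most specific path prefix wins" resolution, and the privilege name CMPT_BYPASS are all constructed for the example. Ordinary file permissions and ACLs, which still apply on a real system, are not modelled.

```python
"""Illustrative model of the compartment access rules described in compartments(5).
Added teaching example, not HP-UX code: names and the privilege are constructed."""
from dataclasses import dataclass, field

BYPASS = "CMPT_BYPASS"  # hypothetical privilege name standing in for the real override privileges


@dataclass(frozen=True)
class Process:
    pid: int
    compartment: str
    privileges: frozenset = frozenset()


@dataclass(frozen=True)
class TransientObject:
    """IPC or network object; labelled with the compartment of the process that created it."""
    kind: str   # "ipc" or "net"
    label: str  # compartment stamped on the object at creation time


def create_object(proc: Process, kind: str) -> TransientObject:
    # Transient objects inherit the compartment of the creating process.
    return TransientObject(kind, proc.compartment)


@dataclass
class Policy:
    # Persistent objects: rules keyed by object name (path prefix), per compartment.
    file_rules: dict = field(default_factory=dict)  # {cmpt: {path_prefix: {"read", "write", ...}}}
    # Transient objects: direct compartment-to-compartment grants.
    grants: set = field(default_factory=set)        # {(src_cmpt, dst_cmpt, kind)}

    def _matching_prefix(self, cmpt: str, path: str):
        rules = self.file_rules.get(cmpt, {})
        matches = [p for p in rules if path == p or path.startswith(p.rstrip("/") + "/")]
        return max(matches, key=len) if matches else None  # most specific rule wins (model choice)

    def file_access(self, proc: Process, path: str, op: str) -> bool:
        if BYPASS in proc.privileges:
            return True  # privileged processes override compartment restrictions
        prefix = self._matching_prefix(proc.compartment, path)
        if prefix is None:
            return True  # default: file system objects are accessible by any compartment
        return op in self.file_rules[proc.compartment][prefix]

    def transient_access(self, proc: Process, obj: TransientObject) -> bool:
        if BYPASS in proc.privileges:
            return True
        if obj.label == proc.compartment:
            return True  # same compartment: always allowed
        return (proc.compartment, obj.label, obj.kind) in self.grants  # default: deny


def build_demo_policy() -> Policy:
    """Constructed policy: web may read its document root, is denied /etc/cmpt entirely,
    may talk to db-owned IPC objects, and may use network objects labelled sys."""
    policy = Policy()
    policy.file_rules["web"] = {"/var/www": {"read"}, "/etc/cmpt": set()}
    policy.grants.add(("web", "db", "ipc"))
    policy.grants.add(("web", "sys", "net"))
    return policy


def demo() -> dict:
    policy = build_demo_policy()
    web = Process(101, "web")
    db = Process(202, "db")
    sys_proc = Process(1, "sys")
    priv_web = Process(303, "web", frozenset({BYPASS}))

    db_queue = create_object(db, "ipc")      # e.g. a message queue created in db
    lan0 = create_object(sys_proc, "net")    # a lan interface labelled with sys
    web_sock = create_object(web, "net")     # a socket created in web

    return {
        "web reads /var/www/index.html": policy.file_access(web, "/var/www/index.html", "read"),
        "web writes /var/www/index.html": policy.file_access(web, "/var/www/index.html", "write"),
        "web reads /etc/cmpt/web.rules": policy.file_access(web, "/etc/cmpt/web.rules", "read"),
        "web reads /tmp/scratch (no rule)": policy.file_access(web, "/tmp/scratch", "read"),
        "web -> db message queue": policy.transient_access(web, db_queue),
        "db -> web socket": policy.transient_access(db, web_sock),
        "web socket -> lan0 (sys)": policy.transient_access(web, lan0),
        "privileged web reads /etc/cmpt": policy.file_access(priv_web, "/etc/cmpt/web.rules", "read"),
    }


if __name__ == "__main__":
    for question, allowed in demo().items():
        print(f"{question:40s} {'allow' if allowed else 'deny'}")
```

Running the block prints one decision per line. The two defaults are the point to notice: an unlisted path such as /tmp/scratch is allowed because no name-based rule exists for it, whereas db reaching a socket created in web is denied because no compartment-to-compartment grant exists in that direction, even though the reverse grant for IPC does.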
CONFIGURATION RULES
At system start up, the compartment configuration is read from files in the /etc/cmpt directory. The
configuration is placed in files ending with the .rules suffix under /etc/cmpt. These files are
preprocessed with cpp before they are applied. Hence, you can use cpp’s mechanisms such as C-style
comments, #ifdef, and #include to organize the files. See compartments(4) for the syntax of the
configuration files.
Compartments use four types of rules: file system rules, IPC rules, network rules, miscellaneous rules.
File System Rules
File system rules govern access to the files and directories of the file system. You can restrict access to
directories to the following actions:
HP-UX 11i Version 2: December 2007 Update − 1 − Hewlett-Packard Company 83