HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)
compartments(5) compartments(5)
read For directory listing
create For creation of new elements under the directory
unlink For removing elements under the directory
• Any combination of the above three
You can restrict access to files to the following actions:
read For reading or executing the file
write For writing the file
• A combination of the two
The file system rules are inherited; for instance, rules for /a are applied to /a/b as well, unless /a/b has
a different set of rules.
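The inheritance rule above (a rule on /a governs /a/b until a deeper path carries its own rule) is a longest-ancestor lookup. The following model is an added example and is not HP-UX code; the rule table, paths and the choice to deny access when no rule covers a path are constructed assumptions, not statements from this manual page.

```python
"""Model of compartment file-system rule resolution.

Added example, not HP-UX code: a rule maps a path to the set of actions it
permits; the governing rule for any object is the most specific ancestor
rule, so rules on /a apply to /a/b unless /a/b has its own rule.  The rule
table and paths below are constructed; "no covering rule means no access"
is a modelling assumption, not something the manual page states.
"""
from __future__ import annotations

import posixpath
from typing import Optional

# Actions as named by compartments(5).
DIR_ACTIONS = {"read", "create", "unlink"}   # list / add element / remove element
FILE_ACTIONS = {"read", "write"}             # read or execute / write


def effective_rule(rules: dict[str, set[str]], path: str) -> Optional[tuple[str, set[str]]]:
    """Return (rule_path, permitted_actions) governing *path*, or None.

    The governing rule is the one whose path equals *path* or is its longest
    ancestor, so a rule set on a deeper directory overrides an inherited one.
    """
    path = posixpath.normpath(path)
    best: Optional[tuple[str, set[str]]] = None
    for rule_path, actions in rules.items():
        rule_path = posixpath.normpath(rule_path)
        prefix = rule_path.rstrip("/") + "/"          # "/a" covers "/a/..." but not "/ab"
        if path == rule_path or path.startswith(prefix):
            if best is None or len(rule_path) > len(best[0]):
                best = (rule_path, actions)
    return best


def check_access(rules: dict[str, set[str]], path: str, action: str, is_dir: bool) -> bool:
    """Decide whether *action* on *path* is permitted under *rules*."""
    valid = DIR_ACTIONS if is_dir else FILE_ACTIONS
    if action not in valid:
        raise ValueError(f"{action!r} is not a {'directory' if is_dir else 'file'} action")
    rule = effective_rule(rules, path)
    if rule is None:
        return False            # assumption: nothing covers the path, nothing is permitted
    return action in rule[1]


# Constructed rule table: a web tree that is read-only except for an upload
# directory, whose quarantine subdirectory is locked down completely.
RULES: dict[str, set[str]] = {
    "/var/www": {"read"},
    "/var/www/upload": {"read", "create"},
    "/var/www/upload/quarantine": set(),
}

if __name__ == "__main__":
    for path, action, is_dir in [
        ("/var/www/html/index.html", "read", False),   # inherited from /var/www
        ("/var/www/html/index.html", "write", False),  # /var/www grants read only
        ("/var/www/upload", "create", True),           # own rule adds create
        ("/var/www/upload", "unlink", True),           # but not unlink
        ("/var/www/upload/quarantine", "read", True),  # deeper rule overrides inheritance
        ("/etc/passwd", "read", False),                # no rule covers it
    ]:
        rule = effective_rule(RULES, path)
        via = rule[0] if rule else "(none)"
        print(f"{path:32} {action:7} -> {check_access(RULES, path, action, is_dir)!s:5} via {via}")
```

Paths are normalised before matching, so `/var/www/upload/../html` resolves to the rule for `/var/www` rather than to the upload rule, which is the behaviour a path-based policy needs in order to avoid being bypassed by `..` components.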
IPC Rules
IPC rules govern how processes in this compartment can access other compartments' IPC mechanisms and
how processes in other compartments can access this compartment's IPC mechanisms. By default, a
process can access only the IPC objects in its own compartment.
Network Rules
Network rules control access between a process and a network interface, as well as between two processes
using loopback communications. These rules control the direction of network traffic (incoming, outgoing, or
both) between the subject compartment and the target compartment specified in the rule. Each rule
specifies the direction of traffic flow, the protocol (TCP, UDP, or a raw protocol), and the target
compartment (either the network interface or a local compartment for local process communications).
Optionally, the rule can filter on local and peer port numbers (for TCP and UDP only).
Compartments are associated with network endpoints when they are first created. Hence, when a process
makes the system call that creates the endpoint (socket() or open()), the compartment of the process at
that time is applied to the network object (see socket(2) or open(2)). This compartment is used in all
network communication access checks that the object is involved in. For TCP, rules are applied at
connection establishment time. For all other network communications, each inbound and outbound packet
delivery is checked against the rules.
Miscellaneous Rules
Miscellaneous rules appear within a compartment definition. These rules include the following:
Disallowed Privileges
Disallowed privileges define specific privileges that may not be obtained as a side effect of
exec() calls, even when the binary being executed specifies that the privilege becomes
available. See exec(2). See the description of the -p and -r flags for the setfilexsec
command.
See setfilexsec(1M) for information on how a process can gain privileges as a side-effect of an
exec() call.
Network Interface Rules
Interface rules define which network interfaces are in this compartment. Each network
interface can belong to only one compartment, though multiple interfaces can be assigned to the same
compartment. Also note that certain special logical interfaces, such as the loopback interface
lo0 and tunneling interfaces, are not valid configuration parameters. These are silently
ignored.
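The network-rule semantics described under "Network Rules" (matching on subject, target, direction and protocol, port filters for TCP and UDP only, a fixed compartment per endpoint from socket() onward, TCP checked once at connection establishment) and the interface rules just described (one compartment per interface, lo0 silently ignored) can be modelled together. The following is an added example, not HP-UX code; compartment names, interface names and the rule table are constructed.

```python
"""Model of compartment network rules and interface assignment.

Added example, not HP-UX code.  It illustrates two points from the text:
a network rule is matched on subject compartment, target compartment,
direction and protocol, with optional local/peer port filters for TCP and
UDP only, and TCP is checked once at connection establishment while other
traffic is checked per packet; and each network interface belongs to at
most one compartment, with lo0 (and tunneling interfaces) silently ignored.
Compartment names, rules and interface names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NetRule:
    subject: str                       # compartment of the process
    target: str                        # interface compartment or local compartment
    direction: str                     # "in", "out" or "both"
    protocol: str                      # "tcp", "udp" or "raw"
    local_port: Optional[int] = None   # port filters apply to tcp/udp only
    peer_port: Optional[int] = None


@dataclass
class Endpoint:
    """A socket: its compartment is fixed when socket() creates it."""
    compartment: str
    protocol: str
    local_port: Optional[int] = None
    established: bool = False          # TCP: set once the connection check passed


def rule_matches(rule: NetRule, ep: Endpoint, direction: str, target: str,
                 peer_port: Optional[int]) -> bool:
    if (rule.subject, rule.target, rule.protocol) != (ep.compartment, target, ep.protocol):
        return False
    if rule.direction not in ("both", direction):
        return False
    if rule.protocol in ("tcp", "udp"):   # raw rules carry no port filters
        if rule.local_port is not None and rule.local_port != ep.local_port:
            return False
        if rule.peer_port is not None and rule.peer_port != peer_port:
            return False
    return True


def allowed(rules: list[NetRule], ep: Endpoint, direction: str, target: str,
            peer_port: Optional[int] = None) -> bool:
    """Access check for one flow on *ep* towards compartment *target*."""
    if ep.protocol == "tcp" and ep.established:
        return True                    # TCP: checked once, at connection establishment
    ok = any(rule_matches(r, ep, direction, target, peer_port) for r in rules)
    if ok and ep.protocol == "tcp":
        ep.established = True
    return ok


IGNORED_INTERFACES = {"lo0"}           # tunneling interfaces would be skipped the same way


def assign_interfaces(definitions: dict[str, list[str]]) -> dict[str, str]:
    """Map interface -> compartment from each compartment's interface rules.

    Special interfaces are dropped silently; an interface named by two
    compartments is a configuration error because it can belong to only one.
    """
    owner: dict[str, str] = {}
    for cmpt, ifaces in definitions.items():
        for ifname in ifaces:
            if ifname in IGNORED_INTERFACES:
                continue
            if owner.get(ifname, cmpt) != cmpt:
                raise ValueError(f"{ifname} is already in compartment {owner[ifname]}")
            owner[ifname] = cmpt
    return owner


# Constructed policy: a web compartment accepting HTTPS from the external
# interface compartment and talking over loopback to a local db compartment;
# a monitoring compartment exchanging SNMP in both directions.
RULES = [
    NetRule("web", "extnet", "in", "tcp", local_port=443),
    NetRule("web", "db", "out", "tcp", peer_port=5432),
    NetRule("mon", "extnet", "both", "udp", local_port=161),
]

if __name__ == "__main__":
    print(assign_interfaces({"extnet": ["lan0", "lo0"], "mgmt": ["lan1"]}))
    https = Endpoint("web", "tcp", local_port=443)
    print("https accept:", allowed(RULES, https, "in", "extnet", peer_port=51000))
    print("to db:5432:  ", allowed(RULES, Endpoint("web", "tcp"), "out", "db", peer_port=5432))
    print("to db:22:    ", allowed(RULES, Endpoint("web", "tcp"), "out", "db", peer_port=22))
    print("web udp out: ", allowed(RULES, Endpoint("web", "udp", 53), "out", "extnet"))
```

Because the endpoint carries the compartment it was created in, a socket created by a process in one compartment is still checked against that compartment's rules even if the process later changes compartment; the last case in the test below exercises this by checking an endpoint whose compartment has no rule at all.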
COMPARTMENT-RELATED PRIVILEGES
The following set of privileges (see privileges(5)) affects the operation of compartments:
CHANGECMPT Grants a process the ability to change its compartment.
CMPTREAD Allows a process to open a file or directory for reading, executing (in the case of a
file), or searching (in the case of a directory), bypassing compartment rules that
would otherwise not permit the operation.
CMPTWRITE Allows a process to write into a file, or to create or delete files in a directory,
bypassing compartment rules that would otherwise not permit the operation.
COMMALLOWED Allows a process to override compartment IPC and networking rules.
84 Hewlett-Packard Company − 2 − HP-UX 11i Version 2: December 2007 Update