HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

compartments(4)
Privilege limitation rules
Network interface rules
Privilege Limitation Rules
Privilege limitations give fine-grained control over the privileges that processes in a compartment cannot obtain when calling execve(). See execve(2). Privilege limitation rules use the following format:

    disallowed privileges privilege[,privilege...]

where the values are defined as follows:
disallowed privileges
        Identifies this as a privilege limitation.

privilege[,privilege...]
        A comma-separated list of privileges. The compound privileges basic, basicroot, policy, and none can also be used. An exclamation mark (!) before a privilege name removes it from the list. For example, if the privilege list is specified as basicroot,!mount, all root replacement privileges except mount are disallowed. If the privilege list is none,mount, only mount is disallowed. If this is not specified for a compartment, it defaults to policy for sealed compartments and none for other compartments.
A disallowed privilege cannot be obtained as a side-effect of exec() calls even when the binary being executed has extended security attributes indicating that the process gains that privilege. As an example, suppose mount is a disallowed privilege in compartment no_mounts, and that the binary /usr/bin/magic_mount is expected to receive the mount privilege by means of the following command:

    setfilexsec -p mount -P mount /usr/bin/magic_mount

When an unprivileged process in the no_mounts compartment executes the binary, it still would not see the mount privilege in its potential set.
If a root replacement privilege is part of the disallowed privileges, the privilege is not implicitly granted to a process with an effective uid of 0. As an extension of the above example, a process with an effective uid of 0 but without the mount privilege in its effective set cannot use the mount() system call.
Note that a disallowed privilege is still available to processes that somehow obtain the privilege (for example, a process with the mount privilege in its effective set can enter the no_mounts compartment and use the mount() system call).
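The resolution rules just described (left-to-right list, compound names, ! removal, the sealed/unsealed default, and the effect on a binary's exec-time privileges and on uid 0) are modelled below in a small Python example added for this page; it is not part of the HP-UX manual or of any HP-UX tool. The membership of the compound names basic, basicroot and policy is an assumption constructed for the example; the real sets are defined by HP-UX and are larger. Treating ! before a compound name as removing all of its members is likewise an assumption, since the text only describes ! before a single privilege name.

```python
from typing import FrozenSet, Iterable, Mapping, Optional

# Assumed membership of the compound privilege names (constructed for this
# example; the real HP-UX compound sets are larger). Only the resolution rules
# from the compartments(4) text are modelled.
COMPOUND: Mapping[str, FrozenSet[str]] = {
    "none": frozenset(),
    "basic": frozenset({"dacread", "dacwrite"}),
    "basicroot": frozenset({"dacread", "dacwrite", "chown", "owner", "mount"}),
    "policy": frozenset({"dacread", "dacwrite", "chown", "owner", "mount", "cmptread"}),
}


def resolve_disallowed(spec: Optional[str], sealed: bool = False,
                       compound: Mapping[str, FrozenSet[str]] = COMPOUND) -> FrozenSet[str]:
    """Return the disallowed privilege set for one compartment.

    spec is the text after 'disallowed privileges', or None when the rule is
    absent; then the default is policy for sealed compartments and none for
    all others. Tokens are applied left to right: a compound name adds its
    members, a bare privilege adds itself, and a '!' prefix removes the
    privilege (assumption: or the compound's members) accumulated so far.
    """
    if spec is None:
        spec = "policy" if sealed else "none"
    result: set = set()
    for token in spec.split(","):
        token = token.strip().lower()
        if not token:
            continue
        remove = token.startswith("!")
        name = token[1:] if remove else token
        members = compound.get(name, frozenset({name}))
        if remove:
            result -= members
        else:
            result |= members
    return frozenset(result)


def parse_rule(line: str, sealed: bool = False) -> FrozenSet[str]:
    """Parse a complete 'disallowed privileges priv[,priv...]' rule line."""
    words = line.split(None, 2)
    if len(words) != 3 or words[0] != "disallowed" or words[1] != "privileges":
        raise ValueError(f"not a privilege limitation rule: {line!r}")
    return resolve_disallowed(words[2], sealed)


def potential_after_exec(granted_by_binary: Iterable[str],
                         disallowed: FrozenSet[str]) -> FrozenSet[str]:
    """Privileges an unprivileged process actually gains from a binary's
    extended security attributes (setfilexsec -p) once the compartment's
    disallowed privileges are subtracted."""
    return frozenset(granted_by_binary) - disallowed


def may_call_mount(effective_uid: int, effective_privs: Iterable[str],
                   disallowed: FrozenSet[str]) -> bool:
    """mount() is usable with the mount privilege in the effective set; an
    effective uid of 0 substitutes for it only while mount is not disallowed."""
    if "mount" in effective_privs:
        return True
    return effective_uid == 0 and "mount" not in disallowed


if __name__ == "__main__":
    no_mounts = parse_rule("disallowed privileges none,mount")
    print("no_mounts disallows:", sorted(no_mounts))
    print("magic_mount potential set:", potential_after_exec({"mount"}, no_mounts))
    print("uid 0 may mount():", may_call_mount(0, set(), no_mounts))
```

Running the module reproduces the three statements in the text: none,mount disallows exactly mount, the magic_mount binary yields an empty potential set inside no_mounts, and uid 0 alone does not permit mount() there, while a process that already holds mount in its effective set is unaffected.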
Network Interface Rules
Network interface rules specify the compartment to which a network interface belongs. If a network interface does not have a compartment, no network traffic in the INET domain (TCP/IP) is allowed to pass. Network interface rules use the following format:

    interface X[,X...]

where the values are defined as follows:
interface
        Identifies this as an interface definition.

X[,X...]
        A comma-separated list of the following entities:

        A physical or virtual interface name, such as lan0 or vlan0.

        An IPv4 address (for example, 192.168.0.1).

        An IPv6 address (for example, FE80::123:1234:F8).

        A range of IPv4 addresses specified as ipv4_addr/mask, where mask represents the number of significant bits of the address. For instance, the address 192.168.0.1/24 represents the address range from 192.168.0.0 to 192.168.0.255.

        An IPv6 address range specified as ipv6_address/mask, where mask represents the number of significant bits of the address.
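The following Python example, added for this page and not part of the HP-UX manual or of any HP-UX tool, parses interface rules of the form above into interface names and IPv4/IPv6 networks, reports which compartment (if any) claims a given interface or address, and flags entities claimed by more than one compartment. The sample rule set and compartment names are constructed for the example; the real rule-file layout around the interface lines is not shown on this page and is not modelled.

```python
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entity = Union[str, Network]

# Interface names such as lan0 or vlan0: letters followed by an instance number.
IFACE_RE = re.compile(r"[A-Za-z]+\d+")


def parse_entity(token: str) -> Entity:
    """Interface name, or an IPv4/IPv6 network. A bare address becomes a /32
    or /128; addr/mask with host bits set (192.168.0.1/24) is accepted and
    normalised to the range the page describes (192.168.0.0/24)."""
    token = token.strip()
    if IFACE_RE.fullmatch(token):
        return token
    return ipaddress.ip_network(token, strict=False)


def parse_interface_rule(line: str) -> List[Entity]:
    """Parse one 'interface X[,X...]' rule line."""
    keyword, _, rest = line.strip().partition(" ")
    if keyword != "interface" or not rest.strip():
        raise ValueError(f"not an interface rule: {line!r}")
    return [parse_entity(t) for t in rest.split(",") if t.strip()]


def overlaps(a: Entity, b: Entity) -> bool:
    """Names must match exactly; networks overlap when they share addresses."""
    if isinstance(a, str) or isinstance(b, str):
        return a == b
    if a.version != b.version:
        return False
    return a.overlaps(b)


def _claims(rules: Dict[str, List[str]]) -> List[Tuple[str, Entity]]:
    return [(cmpt, ent) for cmpt, lines in rules.items()
            for line in lines for ent in parse_interface_rule(line)]


def compartments_for(rules: Dict[str, List[str]], token: str) -> List[str]:
    """Compartments whose rules claim this interface name or address. An empty
    list means the entity belongs to no compartment, so no INET traffic passes."""
    ent = parse_entity(token)
    return [cmpt for cmpt, claimed in _claims(rules) if overlaps(claimed, ent)]


def find_conflicts(rules: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Pairs of entities from different compartments that overlap."""
    claims = _claims(rules)
    found = []
    for i, (ca, ea) in enumerate(claims):
        for cb, eb in claims[i + 1:]:
            if ca != cb and overlaps(ea, eb):
                found.append((ca, cb, str(ea), str(eb)))
    return found


# Constructed sample: db claims a host address inside web's /24 range.
SAMPLE_RULES: Dict[str, List[str]] = {
    "web": ["interface lan0,192.168.0.1/24"],
    "db": ["interface lan1,192.168.0.10"],
    "mgmt": ["interface FE80::123:1234:F8"],
}

if __name__ == "__main__":
    for conflict in find_conflicts(SAMPLE_RULES):
        print("conflict:", conflict)
    print("10.0.0.1 ->", compartments_for(SAMPLE_RULES, "10.0.0.1") or "no compartment (no INET traffic)")
```

Running it on the constructed rules reports the overlap between web's 192.168.0.0/24 and db's 192.168.0.10, and shows that an address no rule claims maps to no compartment.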
It is possible to configure the network interface rules such that there are conflicts. Consider the following example:
HP-UX 11i Version 3: February 2007 5 Hewlett-Packard Company 61