HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
compartments(5) compartments(5)
• create: For creation of new elements under the directory
• unlink: For removing elements under the directory
• Any combination of the above four
You can restrict access to files to the following actions:
• read: For reading or executing the file
• write: For writing the file
• Any combination of the two
All the file system rules are inherited except the nsearch access. For instance, if /a has a permission of nsearch and create, /a/b would have a permission of create alone unless a different set of permissions is assigned to it.
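As an added illustration (not code from the HP-UX manual), the following Python model applies the inheritance rule just described: a directory's explicitly assigned permission set propagates to its descendants, except nsearch, and an explicit assignment on a descendant replaces the inherited set. The action names search and nsearch are assumed to be the two directory actions that precede create and unlink in the full manual page; rules are supplied as a plain dictionary, an assumption of this model rather than the compartment rule file format.

```python
from pathlib import PurePosixPath

# Directory actions: search, nsearch, create, unlink (search/nsearch assumed from
# the full manual page; create/unlink appear in this section).
DIRECTORY_ACTIONS = {"search", "nsearch", "create", "unlink"}
# File actions: read (also covers executing), write.
FILE_ACTIONS = {"read", "write"}
# The one file system permission the manual says is never inherited.
NOT_INHERITED = {"nsearch"}


def effective_permissions(rules: dict, path: str) -> set:
    """Return the permission set that applies to `path`.

    `rules` maps an absolute, normalized path to the set of actions explicitly
    assigned to it (a constructed representation, not the rule file syntax).
    An explicit assignment on `path` wins outright; otherwise the nearest
    assigned ancestor supplies its permissions minus nsearch.
    """
    p = PurePosixPath(path)
    key = str(p)
    if key in rules:
        return set(rules[key])
    for ancestor in p.parents:  # walks /a/b -> /a -> /
        if str(ancestor) in rules:
            return set(rules[str(ancestor)]) - NOT_INHERITED
    return set()  # no rule covers this path: nothing is permitted


def allowed(rules: dict, path: str, action: str) -> bool:
    """True if `action` (a directory or file action) is permitted on `path`."""
    if action not in DIRECTORY_ACTIONS | FILE_ACTIONS:
        raise ValueError(f"unknown compartment file action: {action}")
    return action in effective_permissions(rules, path)


if __name__ == "__main__":
    # Constructed rule set reproducing the manual's /a example, plus an
    # explicit override further down the tree.
    sample_rules = {"/a": {"nsearch", "create"}, "/a/data": {"read", "write"}}
    print(sorted(effective_permissions(sample_rules, "/a")))     # ['create', 'nsearch']
    print(sorted(effective_permissions(sample_rules, "/a/b")))   # ['create']
    print(sorted(effective_permissions(sample_rules, "/a/data/f")))  # ['read', 'write']
```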
IPC Rules
IPC rules govern how processes in this compartment can access other compartment’s IPC mechanisms and how processes in other compartments can access this compartment’s IPC mechanisms. By default, a process can access only the IPC objects in its own compartment.
Network Rules
Network rules control access between a process and a network interface, as well as between two processes using loopback communications. These rules control the direction of network traffic (incoming, outgoing, or both) between the subject compartment and the target compartment specified in the rule. Each rule specifies the direction of traffic flow, the protocol (TCP, UDP, or a raw protocol), and the target compartment (for either the network interface or a local compartment for local process communications). Optionally, the rule can filter on local and peer port numbers (for TCP and UDP only).
Compartments are associated with network endpoints when they are first created. When a process makes the system call that creates the endpoint (socket() or open()), the compartment of the process at that time is applied to the network object. (See socket(2) or open(2)). This compartment is used in all network communication access checks that the object is involved in. For TCP, rules are applied at connection establishment time. For all other network communications, each inbound and outbound packet delivery is checked against the rules.
Miscellaneous Rules
Miscellaneous rules appear within a compartment definition. These rules include the following:
Disallowed Privileges
Disallowed privileges define specific privileges that may not be obtained as a side effect of exec() calls even when the binary being executed specifies that the privilege becomes available. See exec(2). See the description of the -p and -r flags for the setfilexsec command.
See setfilexsec(1M) for information on how a process can gain privileges as a side effect of an exec() call.
Network Interface Rules
Interface rules define which network interfaces (Physical/Virtual/Logical) are in this compartment. Each network interface can belong to only one compartment, though multiple interfaces can be assigned to the same compartment. Also note that certain special logical interfaces, such as the loopback interface lo0 and tunneling interfaces, are not valid configuration parameters. These are silently ignored.
COMPARTMENT-RELATED PRIVILEGES
The following set of privileges (see privileges(5)) affect the operation of compartments:
CHANGECMPT Grants a process the ability to change its compartment.
CMPTREAD Allows a process to open a file or directory for reading, executing (in the case of a
file), or searching (in the case of a directory), bypassing compartment rules that
would otherwise not permit the operation.
CMPTWRITE Allows a process to write into a file, or to create or delete files in a directory,
bypassing compartment rules that would otherwise not permit the operation.
COMMALLOWED Allows a process to override compartment IPC and networking rules.
88 Hewlett-Packard Company − 2 − HP-UX 11i Version 3: February 2007