Administrator's Guide

system
    (Optional) Indicates that this compartment shares the ownership of network interfaces with default compartments, such as the init compartment, and with other compartments that are marked as system compartments. The ownership of network interfaces is typically specified by network interface rules. When a compartment is marked as a system compartment, all of the network interfaces configured to belong to it are also considered to belong to the init compartment and to all other compartments marked as system compartments. The init compartment prefers these network interfaces for network communications over the other network interfaces. A compartment marked as a system compartment also shares loopback interface connectivity with the init compartment.
    The system keyword is valid only if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system.

blocked
    (Optional) Indicates that no processes can be launched in this compartment from other compartments, either by calling the cmpt_change() routine or by executing a binary file that is configured with a compartment name as one of its extended security attributes (see setfilexsec(1M)).
    The blocked keyword is valid only if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system.

compartment
    Designates that the rule is a compartment definition.

new_compartment_name
    The label associated with the new compartment. This label is case sensitive. For example, compartmenta and CompartmentA are different compartments.

{}
    Enclose the rules for this compartment.
In the following example, the server_children compartment is denied all access to
any file system objects:
    sealed compartment server_children {
        permission none /
    }
6.4 Compartment Rules and Syntax 115