Administrator's Guide

object is associated with a process, the object exists in the same compartment as the
process that created it. You define compartment rules to describe the relationship between
the process accessing the object and the object being accessed. When the rule describes
two processes communicating with each other, you treat the second process as an object.
The default behavior for IPC objects is that all operations between different compartments
are prohibited unless explicitly allowed by a rule.
There are two types of IPC rules. The syntax for the first rule type is as follows:

    (grant|access) (pty|fifo|uxsock|ipc) compartment_name
    (grant|access) [pty][, fifo][, uxsock][, ipc] compartment_name

If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the
system, a new keyword tl is also supported and the first form of IPC rules uses the
following format:

    (grant|access) (pty|fifo|uxsock|ipc|tl) compartment_name
    (grant|access) [pty][, fifo][, uxsock][, ipc] [, tl] compartment_name
where:

Access    Specifies whether the rule is object-centric or subject-centric.
          The options are:

          grant:   Specifies an object-centric rule. This rule allows
                   processes in the compartment compartment_name to
                   access the specified IPC mechanism in the current
                   compartment.
          access:  Specifies a subject-centric rule. This rule allows
                   processes in the current compartment to access the
                   specified IPC mechanism in the compartment
                   compartment_name.

Method    Specifies the method of communication this rule applies to.
          The options are:

          pty:     Specifies that the rule applies to pty used in
                   interprocess communication.
          fifo:    Specifies that the rule applies to FIFOs.
          uxsock:  Specifies that the rule applies to UNIX domain
                   sockets.
          ipc:     Specifies that the rule applies to SYSV and POSIX
                   IPC objects, such as shared memory, semaphores, and
                   message queues.
          tl:      Applies to Streams Local Transport Drivers that are
                   used to communicate between processes.
                   The tl keyword is valid only if the HP-UX ContainmentPlus
                   product (version B.11.31.02 or later) is installed on the
                   system. See compartments(4). The tl keyword only has
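The following added example (not part of the HP-UX guide and not HP-UX's own parser) models the first rule type so a set of rules can be audited for what they permit across compartments. The compartment names web and db are hypothetical. It assumes, from the descriptions of grant and access above, that a matching rule on either side is sufficient and that operations within one compartment are not restricted by these rules.

```python
import re

METHODS = {"pty", "fifo", "uxsock", "ipc", "tl"}
RULE = re.compile(r"^(grant|access)\s+(.+?)\s+(\S+)$")

def parse_rules(text, tl_supported=False):
    """Parse one compartment's first-form IPC rules into (kind, methods, peer)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"not a first-form IPC rule: {line!r}")
        kind, method_list, peer = m.groups()
        methods = frozenset(x.strip() for x in method_list.split(","))
        if methods - METHODS:
            raise ValueError(f"unknown IPC method in: {line!r}")
        if "tl" in methods and not tl_supported:
            # tl is valid only with ContainmentPlus B.11.31.02 or later
            raise ValueError(f"tl keyword not available: {line!r}")
        rules.append((kind, methods, peer))
    return rules

def ipc_allowed(policy, subject, obj, method):
    """True if a process in `subject` may use `method` on an object in `obj`."""
    if subject == obj:
        return True  # rules only govern operations between different compartments
    # Object-centric: a grant in the object's compartment names the subject.
    granted = any(k == "grant" and method in ms and peer == subject
                  for k, ms, peer in policy.get(obj, []))
    # Subject-centric: an access rule in the subject's compartment names the object.
    accessed = any(k == "access" and method in ms and peer == obj
                   for k, ms, peer in policy.get(subject, []))
    return granted or accessed  # no matching rule means default deny

# Constructed sample policy; "web" and "db" are hypothetical compartment names.
POLICY = {
    "web": parse_rules("access uxsock db"),
    "db": parse_rules("grant fifo, ipc web"),
}

if __name__ == "__main__":
    for subj, obj, meth in [("web", "db", "uxsock"), ("web", "db", "fifo"),
                            ("db", "web", "uxsock"), ("web", "db", "pty")]:
        verdict = "allow" if ipc_allowed(POLICY, subj, obj, meth) else "deny"
        print(f"{subj} -> {obj} via {meth}: {verdict}")
```

The reverse direction (db to web) is denied because neither rule names it, which shows that each rule opens one direction and one set of mechanisms only.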