compartments.4 (2011 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

compartments(4) compartments(4)

NAME

compartments - HP-UX compartments ﬁles

DESCRIPTION

HP-UX compartments are deﬁned by creating one or more ASCII ﬁles in the

/etc/cmpt directory. Only

ﬁle names ending with

.rules are parsed for compartment deﬁnitions. Collectively, these ﬁles deﬁne

compartments and compartment access rules for local system objects. System objects that have compart-

ment access controls deﬁned include ﬁle system objects, inter-process communication objects, and net-

work objects.

The compartment speciﬁcations are pre-processed with the

cpp command before parsing (see cpp (1)).

You can use

cpp directives such as

#include, #define, #ifdef, and C/C++ style comments to organ-

ize and document the rules ﬁles.

CONFIGURATION RULES SYNTAX

A compartment consists of a name and a set of rules. Compartments use four kinds of conﬁguration

rules:

• ﬁle system rules,

• inter-process communication (IPC) rules,

• network rules, and

• miscellaneous rules.

Rules can be either subject-centric or object-centric. Subject-centric rules control access by processes

(subjects) in a compartment to resources (objects) in other compartments. Object-centric rules control

access to resources (objects) in a compartment by processes (subjects) in other compartments.

Compartment deﬁnitions use the following format:

[

sealed][discover] compartment new_compartment_name

{rules }

If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, compart-

ment deﬁnitions use the following format:

[

sealed][discover][system][blocked] compartment new_compartment_name

{rules }

where the values are deﬁned as follows:

sealed Indicates that any process in this compartment can not change its compartment

as a side-effect of the exec() call, even if the binary being executed has

extended security attributes indicating that the process starts in a different com-

partment (see exec (2)). For security purposes, the minimum retained and

minimum permitted privileges of the binary are also ignored (and treated as

though both sets are empty sets).

discover Indicates that for all the processes in this compartment, the required mandatory

access rules would be generated at run time so that the process operations would

succeed. This is a development tool that enables developers to identify all the

required mandatory access rules for the given application by running it in a

compartment marked as discover.

system Indicates that this compartment shares the ownership of network interfaces with

default compartments such as, the init compartment, and other compartments

that are marked as system compartments. The ownership of network inter-

faces are typically speciﬁed by network interface rules (see the following Net-

work Interface Rules section).

When a compartment is marked as a

system compartment, all of the network

interfaces that are conﬁgured to belong to this compartment are also considered

as belonging to the init compartment and all other compartments that are

marked as system compartments. The init compartment will be in favor of

using these network interfaces for network communications, over using the other

network interfaces. When a compartment is marked as system compartment,

it also shares the connectivities through loopback interfaces with the init com-

partment.

The

system keyword is valid only if the HP-UX ContainmentPlus product (ver-

sion B.11.31.02 or later) is installed on the system.

HP-UX 11i Version 3: September 2011 − 1 − Hewlett-Packard Company 1

Summary of content (10 pages)

PAGE 1
compartments(4) compartments(4) NAME compartments - HP-UX compartments files DESCRIPTION HP-UX compartments are defined by creating one or more ASCII files in the /etc/cmpt directory. Only file names ending with .rules are parsed for compartment definitions. Collectively, these files define compartments and compartment access rules for local system objects. System objects that have compartment access controls defined include file system objects, inter-process communication objects, and network objects.
PAGE 2
compartments(4) blocked compartments(4) Indicates that no processes can be launched in this compartment from other compartments. Therefore, if the blocked keyword is specified for a compartment, then a process cannot use cmpt_change() routine to enter this compartment, nor can it enter this compartment by executing a binary file that is configured with the name of this compartment as one of its extended security attributes (see setfilexsec (1M)).
PAGE 3
compartments(4) compartments(4) directory, read allows processes in this compartment to list and search the contents of this directory (see the nsearch and nread parameters). This permission covers the permission granted by the nsearch or nread parameter. But unlike the nsearch or nread parameter, this access control is inherited, so any file or directory under this file_object can be read or listed. write Controls write access to the file_object .
PAGE 4
compartments(4) compartments(4) (grant|access) (pty|fifo|uxsock|ipc|tl) compartment_name (grant|access) [pty][, fifo][, uxsock][, ipc][, tl] compartment_name where the values are defined as follows: A grant Allows processes in the compartment_name compartment to access the specified IPC mechanism in this compartment. This keyword specifies an object-centric rule. access Allows processes in this compartment to access the specified IPC mechanism in compartment_name compartment.
PAGE 5
compartments(4) compartments(4) compartment_name Name of the other compartment which processes in this compartment can view or be viewed from. When multiple IPC rules are defined for the same compartment, the rules will be aggregated. That is, the union of the IPC mechanisms is taken. Network Rules Network rules control access between a process and a network interface, as well as between two processes using loopback communications.
PAGE 6
compartments(4) compartments(4) client Applies to outbound traffic. If the protocol is tcp, it allows processes in this compartment to initiate connections. For udp and raw, this rule applies to all outbound packets. bidir Applies to both inbound and outbound traffic. If the protocol is tcp, it allows for connections to be initiated from the compartment, as well as to be accepted by the compartment. For udp and raw, this rule applies to traffic in both directions.
PAGE 7
compartments(4) compartments(4) basicroot,!mount, all root replacement privileges except mount are disallowed. If the privilege list is none,mount, only mount is disallowed. If the privilege list is not specified for a compartment, the disallowed privilege list for the compartment defaults to policy for sealed compartments and none for other compartments.
PAGE 8
compartments(4) compartments(4) IP_16, not to IP_8. • A rule with an exact IP address has a higher precedence than other precedence rules. If lan0 were assigned an address of 192.168.0.0, it would have a compartment of IP. In a compartment definition, you can define duplicate interface rules. MULTIBIND Previous versions of HP-UX have allowed a process to bind to a port on an interface through which it cannot communicate.
PAGE 9
compartments(4) compartments(4) SEE ALSO cmpt_tune(1M), getrules(1M), mount_lofs(1M), ndd(1M), setrules(1M), t_connect(3), t_open(3), compartments(5), privileges(5).
PAGE 10
(Notes) A (Notes) cA 10 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2011