compartments.4 (2011 09)

compartments(4)
compartment_name
    Name of the other compartment which processes in this compartment can view or be viewed from.

When multiple IPC rules are defined for the same compartment, the rules will be aggregated. That is, the union of the IPC mechanisms is taken.
Network Rules
Network rules control access between a process and a network interface, as well as between two processes using loopback communications. They do NOT control the communications through Streams Local Transport Drivers (see cmpt_restrict_tl(5) and the tl keyword).
If the HP-UX ContainmentPlus product is installed on the system, network rules can also control access
between two processes using loopback communications alone without changing the connectivities between
a process and a network interface.
These rules control the direction of network traffic (incoming, outgoing, or both) between the subject compartment and the target compartment specified in the rule. For loopback communications, the subject and target compartments should be those of the processes that are communicating and not that of the interface being used for communication. Each rule is specified by protocol (TCP, UDP, or any raw protocol number) and the target compartment, and can optionally filter based on local or peer port numbers (TCP and UDP only). If an explicit rule does not match a communication attempt, the default is to deny communication.
If the HP-UX ContainmentPlus product is installed on the system, the default rule for access between two processes through loopback communications (excluding those through loopback interfaces) is also configurable through the cmpt_allow_local tunable. See ifconfig(1M) for more information about loopback interfaces. See cmpt_allow_local(5) for more information upon installation of the HP-UX ContainmentPlus product.
Network rules use the following formats:

    (grant|deny) (server|client|bidir) (tcp|udp) [port ports] [peer port ports] compartment_name
    (grant|deny) (server|client|bidir) raw protonum compartment_name

If the HP-UX ContainmentPlus product is installed on the system, network rules in the following formats are also supported:

    (grant-local|deny-local) (server|client|bidir) (tcp|udp) [port ports] [peer port ports] compartment_name
    (grant-local|deny-local) (server|client|bidir) raw protonum compartment_name

where the values are defined as follows:
grant
    Allows access to the network (both access between a process and a network interface, as well as between two processes using loopback communications) described by this rule.
deny
    Denies access to the network (both access between a process and a network interface, as well as between two processes using loopback communications) described by this rule. This rule is useful when you want to deny access for a specific configuration (such as a single port), but you want to allow all other access to the network. Use it in conjunction with a general rule that grants all other traffic.
grant-local
    Allows access described by this rule between two processes using loopback communications. The grant-local keyword is valid only if the HP-UX ContainmentPlus product is installed on the system.
deny-local
    Denies access described by this rule between two processes using loopback communications. The deny-local keyword is valid only if the HP-UX ContainmentPlus product is installed on the system.
server
    Applies to inbound traffic. If the protocol is tcp, it allows processes in this compartment to accept connections. For udp and raw, this rule applies to all inbound packets.
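As an added illustration, not part of the man page or of HP-UX itself, the following Python parses network rules written in the formats above and evaluates a single communication attempt against them, applying the behaviour the page describes: a rule applies only to its named target compartment, grant-local and deny-local apply only to loopback communications, -local keywords are rejected unless ContainmentPlus is present, server rules cover inbound traffic, and an attempt matched by no explicit rule is denied. The sample rules file is constructed. The following are assumptions rather than statements from the page: client is treated as outbound and bidir as both directions, a port list is comma-separated numbers or lo-hi ranges, lines starting with # are comments, and a matching deny takes precedence over a matching grant (the "deny one port, grant all other traffic" pattern the deny keyword describes).

```python
"""Parser and evaluator for compartments(4) network rules (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ACTIONS = ("grant", "deny", "grant-local", "deny-local")
DIRECTIONS = ("server", "client", "bidir")


@dataclass(frozen=True)
class NetRule:
    action: str
    direction: str
    proto: str                            # "tcp", "udp" or "raw"
    protonum: Optional[int]               # raw protocol number (raw rules only)
    ports: Optional[FrozenSet[int]]       # local ports; None means any port
    peer_ports: Optional[FrozenSet[int]]  # peer ports; None means any port
    target: str                           # target compartment_name

    @property
    def local_only(self) -> bool:         # grant-local / deny-local
        return self.action.endswith("-local")

    @property
    def allows(self) -> bool:             # grant / grant-local
        return self.action.startswith("grant")


def _parse_ports(spec: str) -> FrozenSet[int]:
    # Assumption: "ports" is a comma-separated list of numbers or lo-hi ranges.
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return frozenset(out)


def parse_rule(line: str, containment_plus: bool = False) -> NetRule:
    """Parse one rule line; raises ValueError on anything outside the documented formats."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"rule too short: {line!r}")
    action, direction, proto, rest = tokens[0], tokens[1], tokens[2], tokens[3:]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action.endswith("-local") and not containment_plus:
        raise ValueError(f"{action} is valid only with HP-UX ContainmentPlus installed")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    if proto == "raw":
        if len(rest) != 2:
            raise ValueError("raw rule: expected 'raw protonum compartment_name'")
        return NetRule(action, direction, "raw", int(rest[0]), None, None, rest[1])
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unknown protocol {proto!r}")
    ports = peer_ports = None
    i = 0
    if i + 1 < len(rest) and rest[i] == "port":          # optional [port ports]
        ports = _parse_ports(rest[i + 1])
        i += 2
    if i + 2 < len(rest) and rest[i] == "peer" and rest[i + 1] == "port":  # [peer port ports]
        peer_ports = _parse_ports(rest[i + 2])
        i += 3
    if len(rest) - i != 1:
        raise ValueError(f"expected a single compartment_name at the end of {line!r}")
    return NetRule(action, direction, proto, None, ports, peer_ports, rest[i])


def parse_rules(text: str, containment_plus: bool = False) -> List[NetRule]:
    # Assumption: blank lines and lines starting with '#' carry no rule.
    return [parse_rule(ln, containment_plus) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def evaluate(rules: List[NetRule], *, target: str, inbound: bool, proto: str,
             local_port: Optional[int] = None, peer_port: Optional[int] = None,
             protonum: Optional[int] = None, loopback: bool = False) -> str:
    """Return "grant" or "deny" for one communication attempt with the named target compartment."""
    decision = "deny"  # no matching explicit rule: the page's default is to deny
    for r in rules:
        if r.target != target or (r.local_only and not loopback):
            continue
        # server = inbound (page); client = outbound and bidir = both (assumption)
        if (inbound and r.direction == "client") or (not inbound and r.direction == "server"):
            continue
        if r.proto == "raw":
            if proto != "raw" or r.protonum != protonum:
                continue
        else:
            if r.proto != proto:
                continue
            if r.ports is not None and local_port not in r.ports:
                continue
            if r.peer_ports is not None and peer_port not in r.peer_ports:
                continue
        if not r.allows:
            return "deny"  # assumption: a matching deny wins over any matching grant
        decision = "grant"
    return decision


# Constructed sample rules file (not from the man page); compartment names are invented.
SAMPLE_RULES = """\
# outbound web traffic from this compartment to the 'web' compartment
grant bidir tcp peer port 80,443 web
grant server tcp web
deny server tcp port 23 web
grant server udp port 53 dns
grant-local bidir tcp port 8080 app
grant bidir raw 1 monitor
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES, containment_plus=True)
    print(evaluate(rules, target="web", inbound=True, proto="tcp", local_port=23, peer_port=5000))
    print(evaluate(rules, target="app", inbound=True, proto="tcp", local_port=8080, loopback=True))
```

Running the module prints "deny" (the specific deny on port 23 overrides the general grant) followed by "grant" (the grant-local rule matches only because the attempt is over loopback).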
HP-UX 11i Version 3: September 2011 5 Hewlett-Packard Company 5