compartments.4 (2011 09)

compartments(4) compartments(4)
IP_16, not to IP_8.
A rule with an exact IP address has a higher precedence than other precedence rules. If lan0
were assigned an address of 192.168.0.0, it would have a compartment of IP.
In a compartment definition, you can define duplicate interface rules.
MULTIBIND
Previous versions of HP-UX have allowed a process to bind to a port on an interface through which it cannot
communicate. This limitation had the side effect of potentially preventing other (more legitimate)
processes from using the port on that interface, thus effectively hijacking the port.
In this release, this limitation is removed. In particular, if a compartment has no access to an interface,
then processes in that compartment cannot hijack any ports on that interface.
This is referred to as the multibind feature. To fully utilize this feature, the compartments must be
configured such that no interface is accessible unless it can be used for communication.
For instance, if compartment X has access to interface lan0 only and compartment Y has access to interface
lan1 only, then processes in either compartment cannot hijack ports from a process in the other
compartment.
However, if X is allowed to access even a single port of lan1, it may be able to hijack all ports of lan1.
The current implementation is more generous: if X is allowed to access only tcp ports of lan1, it can hijack
all tcp ports (but not udp ports) of lan1. Similarly, if X is allowed to access only udp ports of lan1, it can
hijack only udp ports (but not tcp ports) of lan1.
However, this is an implementation detail and applications should not depend on it. If the processes in
X need to be protected from processes in Y hijacking their ports, or vice versa, configure network rules and
interface rules such that no interface is accessible from both compartments on any protocol.
WARNINGS
The rules generated in discover mode are only suggestive in nature and need to be verified.
The rules may be redundant (for example, identical rules may be generated for a parent directory and for
a subdirectory instead of relying on rule inheritance), may be correct yet meaningless (for example, a file
permission of create on a file), and may be insufficient (for example, a network rule may be created
only for a specific anonymous port instead of the entire anonymous port range). The rules also may be
insufficient especially when a given file has multiple pathnames via hardlinks (the discover mode may
add rules only for one of the paths or may add conflicting rules for different paths).
Also, the disallowed privileges rule is not generated in discover mode.
If the setrules command happens to fail at boot, it could leave the databases inconsistent and lead to
unexpected errors from the getrules command. Hence, HP recommends using the preview option available
in setrules to correct such errors and reboot the system.
Since the network interfaces are usable only when assigned to a compartment, every active interface
must belong to a compartment for normal operation. If none of the configured interfaces are assigned to
any compartment, inability to communicate can hang the system when trying to start services such as
nfs and sendmail at boot time. If the rules are not all identical, and a process uses autobind to obtain
a port number, the system can reject such a bind request or can assign a port number that does not allow
it to communicate.
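The following script is an added example, not part of the compartments(4) manual page or of HP-UX itself. It reads the interface rules out of a rules file in the style of /etc/cmpt/*.rules and reports the two configurations the MULTIBIND and WARNINGS sections warn about: an interface reachable from more than one compartment (port hijacking between them) and an active interface assigned to no compartment (boot-time services may hang). The block syntax "compartment NAME { interface IF[,IF...] }" and the list of active interfaces are assumptions made for the example; the sample rules are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rules file (assumed syntax; not taken from a real system).
SAMPLE_RULES = """
/* constructed example */
sealed compartment X {
    interface lan0
    permission read /var/opt/x
}
compartment Y {
    interface lan1, lan2    /* Y reaches two interfaces */
}
compartment Z {
    interface lan2          /* lan2 is now shared between Y and Z */
}
"""

# Constructed list of interfaces that are up on the host (assumed to come
# from the administrator's own inventory; the page prescribes no command).
ACTIVE_INTERFACES = ["lan0", "lan1", "lan2", "lan3"]

BLOCK_RE = re.compile(r"compartment\s+(\w+)\s*\{(.*?)\}", re.S)
IFACE_RE = re.compile(r"^\s*interface\s+([^\n]+)", re.M)

def strip_comments(text):
    """Remove /* ... */ comments (the assumed comment style of rules files)."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)

def interfaces_by_compartment(rules_text):
    """Map each compartment name to the set of interfaces its interface rules name."""
    result = {}
    for name, body in BLOCK_RE.findall(strip_comments(rules_text)):
        ifaces = set()
        for m in IFACE_RE.finditer(body):
            ifaces.update(i.strip() for i in m.group(1).split(",") if i.strip())
        result[name] = ifaces
    return result

def check_interfaces(rules_text, active):
    """Return (shared, unassigned): interfaces claimed by more than one
    compartment, and active interfaces that no compartment claims."""
    owners = defaultdict(set)
    for comp, ifaces in interfaces_by_compartment(rules_text).items():
        for iface in ifaces:
            owners[iface].add(comp)
    shared = {i: sorted(c) for i, c in owners.items() if len(c) > 1}
    unassigned = sorted(i for i in active if i not in owners)
    return shared, unassigned

if __name__ == "__main__":
    print(check_interfaces(SAMPLE_RULES, ACTIVE_INTERFACES))
```

On the constructed sample the check reports lan2 as shared by Y and Z and lan3 as active but unassigned.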
FILES
The only rules files not described here that affect the compartment rules on a system are those included
through an #include directive. The /etc/cmpt directory is used as the default search path for
#include directives that use relative paths.
/etc/cmpt/            The human-readable version of the compartment rules. All files whose names end
                      in *.rules that reside in the /etc/cmpt directory or its sub-directories are
                      processed when setting rules.
/etc/cmpt-rules.bin   Binary equivalent of the combined human-readable rules files. CAUTION: Do not
                      edit this file directly.
8 Hewlett-Packard Company 8 HP-UX 11i Version 3: September 2011