Administrator's Guide

effect when the cmpt_restrict_tl tunable is set to 1.
See t_open(3), t_connect(3), and cmpt_restrict_tl(5).
compartment_name The name of the other compartment with which processes in this
compartment can communicate.
When multiple IPC rules are defined for the same compartment, the rules will be
aggregated. That is, the union of the IPC mechanisms is taken.
For example:
/* allow the children to access UNIX domain */
/* sockets created by the parent compartment */
grant uxsock server_children
The second type of IPC rule governs process access. The syntax for this type of rule is as
follows:
(send|receive) signal compartment_name
where:
Direction Specifies whether processes in the current compartment have
access to view and alter the behavior of processes in another
specified compartment. The options are:
send: Specifies a subject-centric rule. Allows processes
in the current compartment to send signals and view
process data in the compartment compartment_name.
receive: Specifies an object-centric rule. Allows
processes in the compartment compartment_name to
send signals and view process data in the current
compartment.
signal Specifies that this rule applies to signals and process visibility.
compartment_name The name of the other compartment: the one whose process
information processes in the current compartment can view (send),
or the one whose processes can view the current compartment (receive).
For example:
/* allow the parent to send signals to children */
send signal server_children
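The two IPC rule types above have semantics that are easy to misread: grant rules for the same compartment aggregate as a union, and a subject-centric `send signal` rule in one compartment has the same effect as an object-centric `receive signal` rule in the other. The following Python is an added example, not part of this guide or of the HP-UX compartment tooling; it parses the rule lines shown on this page (`grant <mechanism> <name>` and `(send|receive) signal <name>`, with `/* */` comments) and answers "what may this compartment access in that one?" Grouping the rule lines by compartment in a plain dict, and the compartment names `monitor`, `server_parent` and `server_children` in the sample, are assumptions made for the example; the sample rules are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: rule lines grouped by the compartment they belong to.
# The dict layout is this example's own; it is not the guide's file format.
SAMPLE_RULES = {
    "server_parent": """
        /* allow the children to access UNIX domain */
        /* sockets created by the parent compartment */
        grant uxsock server_children
        grant tl server_children   /* aggregated (union) with the rule above */
        /* allow the parent to send signals to children */
        send signal server_children
    """,
    "server_children": """
        /* object-centric: let the monitor compartment see and signal us */
        receive signal monitor
    """,
    "monitor": "",
}

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
GRANT_RE = re.compile(r"^grant\s+(\w+)\s+(\w+)$")
SIGNAL_RE = re.compile(r"^(send|receive)\s+signal\s+(\w+)$")


def parse_rules(rules_by_compartment):
    """Build two lookup tables from the rule text of every compartment.

    granted[(comp, other)] -> set of IPC mechanisms that processes in `other`
        may use on objects created by `comp` (union over all grant rules).
    signal -> set of (subject, target) pairs: processes in `subject` may send
        signals to, and view process data in, `target`.  A 'send' rule in the
        subject and a 'receive' rule in the target both produce the same pair.
    """
    granted = defaultdict(set)
    signal = set()
    for comp, text in rules_by_compartment.items():
        for raw in COMMENT_RE.sub("", text).splitlines():
            line = raw.strip()
            if not line:
                continue
            m = GRANT_RE.match(line)
            if m:
                mechanism, other = m.groups()
                granted[(comp, other)].add(mechanism)  # rules aggregate
                continue
            m = SIGNAL_RE.match(line)
            if m:
                direction, other = m.groups()
                if direction == "send":
                    signal.add((comp, other))   # subject-centric rule
                else:
                    signal.add((other, comp))   # object-centric rule
                continue
            raise ValueError(f"{comp}: unrecognised rule {line!r}")
    return dict(granted), signal


def granted_mechanisms(granted, comp, other):
    """IPC mechanisms of `comp` that `other` may access (empty set if none)."""
    return granted.get((comp, other), set())


def can_signal(signal, subject, target):
    """True if processes in `subject` may signal/view processes in `target`."""
    return (subject, target) in signal


if __name__ == "__main__":
    granted, signal = parse_rules(SAMPLE_RULES)
    print(granted_mechanisms(granted, "server_parent", "server_children"))
    print(can_signal(signal, "monitor", "server_children"))
```

Querying the tables shows the aggregation (children get both `uxsock` and `tl` from the parent) and that the `receive signal monitor` rule in `server_children` gives `monitor` the same access a `send signal server_children` rule inside `monitor` would. Note that the `tl` entry is only a parsed rule here; whether it takes effect on a real system depends on the cmpt_restrict_tl tunable described above.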
6.4.4 Network Rules
Network rules control access between a process and a network interface, as well as
between two processes using loopback communications. They do not control the
communications through Streams Local Transport Drivers (see cmpt_restrict_tl(5) and the
tl keyword).
These rules control the direction of network traffic (incoming, outgoing, or both) between
the subject compartment and the target compartment specified in the rule. For loopback
6.4 Compartment Rules and Syntax 119