compartments.4 (2011 09)
c
compartments(4) compartments(4)
directory, read allows processes in this compartment to list and search the con-
tents of this directory (see the nsearch
and nread parameters). This permission
covers the permission granted by the
nsearch or
nread parameter. But unlike
the
nsearch or nread parameter, this access control is inherited, so any file or
directory under this file_object can be read or listed.
write Controls write access to the file_object . If the file_object is a file,
write allows
processes in this compartment to open the file for writing. This permission has no
direct effect if file_object represents a directory. There is still an indirect effect as
the access control is inherited, so any file under this file_object can be written to.
create Controls create access to the file_object . The rule has an effect only if file_object is a
directory. This access control is inherited, so processes in this compartment can
create file objects anywhere under the specified directory.
unlink Controls delete access to the file_object . The rule has an effect only if file_object is a
directory. This access control is inherited, so processes in this compartment can
delete file objects anywhere under the specified directory.
file_object Fully-qualified name of a file or directory. This name is restricted in the following
ways:
• The total length of the name of the file_object cannot exceed
MAXPATHLEN bytes.
• Each component in the file_object name cannot exceed
MAXNAMELEN bytes.
• There can be no more than 10 components in the file_object name. Because one
component must be the name of the file or directory, there can be no more than
nine preceding components. For example, the path
/a/b/c/d has four com-
ponents.
• The file_object is literal; that is, wild card characters such as asterisk (
*) cannot
be specified.
• The file_object has no special or space characters. All characters except
a-z
, A-Z,
0-9, slash (/), dot (.), dash (-), underscore (
_), and colon (:), must be entered
using the notation
%xx where xx corresponds to the hexadecimal representation of
the character. See ascii (5) for translating an ASCII character to its hexadecimal
equivalent.
File system rules are based on the path name. One can specify rules for an object that does not yet exist.
In such a case, the rule becomes operational when an object with that name is created. If a file has two or
more names (for example, multiple hardlinks), and the two names have different rules for any compart-
ment,
vhardlinks command generates warnings. In order to successfully create a hard link (using
link()), the new name and the old name must have the same rules. As with discretionary access con-
trol (DAC) methods, when a symbolic link is accessed, the rule on the resolved file (not the link itself) is
applied.
For example, when the directory
/orig, is loopback mounted on /lofs, any access to objects under
these directories using either name result in application of the rule corresponding to the path beginning
from /orig but not from /lofs.
When multiple file system rules are defined for the same pathname, the rules will be aggregated. That is,
the union of the permissions is taken.
IPC Rules
IPC rules appear within a compartment definition and govern how processes in this compartment can
access another compartment’s IPC mechanisms and how processes in other compartments may access this
compartment’s IPC mechanisms. Since the default is to deny access, rules of this type are only for allow-
ing access. Rules of this type can be either subject-centric or object-centric. Two formats are available for
IPC rules.
The first form of IPC rules controls process communication and uses the following format:
(
grant|access)(pty|fifo|uxsock|ipc) compartment_name
(
grant|access)[pty][, fifo][, uxsock][, ipc] compartment_name
If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system, a new
keyword
tl is also supported and the first form of IPC rules uses the following format:
HP-UX 11i Version 3: September 2011 − 3 − Hewlett-Packard Company 3