compartments.4 (2011 09)

compartments(4) compartments(4)
client         Applies to outbound traffic. If the protocol is tcp, it allows processes in this
               compartment to initiate connections. For udp and raw, this rule applies to all
               outbound packets.
bidir          Applies to both inbound and outbound traffic. If the protocol is tcp, it allows
               connections to be initiated from the compartment, as well as to be accepted by
               the compartment. For udp and raw, this rule applies to traffic in both
               directions.
tcp            Applies to TCP protocol traffic only.
udp            Applies to UDP protocol traffic only.
raw protonum   Specifies the INET protocol to which this rule applies. The raw keyword is
               required if the protonum parameter is specified. The protonum must be specified
               as the number associated with a protocol. The names and numbers of these
               protocols are available through the getprotoent() calls. See getprotoent(3N).
               The protocol numbers corresponding to TCP and UDP (6 and 17) are not valid in
               a raw configuration.
port           Specifies that this rule applies to a specific port. If port is specified as
               part of the peer designation, the port applies to the other end of the
               communication. If port is not specified as part of the peer designation, the
               port refers to the local end of the communication.
ports          Specifies the actual port being controlled by this rule. Must be specified as
               the number of the port. The ports parameter can be a single port number, a
               range of port numbers (start of range - end of range), or a comma separated
               list of port numbers and ranges of port numbers. The names and numbers of these
               ports are available through the getservent() calls (see getservent(3N)).
peer           Designates that the port specifier that follows applies to the other end of the
               communication.
compartment_name
               Specifies the name of the compartment that is the target of the rule. This is
               usually the interface compartment name, but can also be specified as another
               compartment to indicate a loopback communication.
The network rules control how a process can communicate on a given port and interface, and/or how the
process can bind to a port or address. In other words, the network rules are enforced at the time a
communication takes place, and when a process calls the bind routine. The multibind facility enables
processes to attach to IFADDR_ANY on a specific port in different compartments having disjoint sets of
interface rules. See the following MULTIBIND section.

When multiple network rules are defined for the same compartment, the rules are aggregated. That is,
the union of all the rules is taken.
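The following parser is an added example and is not part of the compartments(4) manual page or of HP-UX itself. It models the keywords documented above (client/bidir/server, tcp/udp/raw protonum, port, peer port, compartment_name) and enforces the constraints the text states: a protocol number is only accepted after the raw keyword, 6 and 17 are rejected in a raw rule, a ports specifier may be a number, a range, or a comma separated list of both, and all rules naming the same compartment are aggregated as a union. The leading grant keyword, the # comment convention and the sample rule lines are assumptions made for the example; deny rules and the MULTIBIND semantics are not modelled.

```python
"""Parse, validate and aggregate compartments(4)-style network rules (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, FrozenSet

# The page states that the protocol numbers for TCP and UDP are not valid in a raw rule.
TCP_PROTONUM, UDP_PROTONUM = 6, 17
DIRECTIONS = ('server', 'client', 'bidir')
PROTOCOLS = ('tcp', 'udp', 'raw')


@dataclass(frozen=True)
class NetworkRule:
    direction: str                 # server, client or bidir
    protocol: str                  # tcp, udp or raw
    protonum: Optional[int]        # only meaningful after the raw keyword
    local_ports: FrozenSet[int]    # empty set means any local port
    peer_ports: FrozenSet[int]     # empty set means any peer port
    compartment: str               # interface compartment, or another compartment for loopback


def parse_ports(spec):
    """Expand a ports specifier: a number, a range 'start-end', or a comma list of both."""
    ports = set()
    for item in spec.split(','):
        m = re.fullmatch(r'(\d+)(?:-(\d+))?', item.strip())
        if not m:
            raise ValueError(f'bad port specifier {item!r}')
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f'port range out of bounds: {item!r}')
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


def parse_rule(line):
    """Parse one rule line (assumed layout for this example):
         grant <server|client|bidir> <tcp|udp|raw [protonum]> [port ports] [peer port ports] compartment
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != 'grant':
        raise ValueError(f'unsupported rule: {line!r}')
    direction, protocol = tok[1], tok[2]
    if direction not in DIRECTIONS or protocol not in PROTOCOLS:
        raise ValueError(f'bad direction or protocol in {line!r}')
    i, protonum = 3, None
    if protocol == 'raw' and tok[3].isdigit():      # protonum is only accepted after raw
        protonum, i = int(tok[3]), 4
        if protonum in (TCP_PROTONUM, UDP_PROTONUM):
            raise ValueError('protocol numbers 6 and 17 are not valid in a raw rule')
    local_ports = peer_ports = frozenset()
    compartment = None
    while i < len(tok):
        if tok[i] == 'port' and i + 1 < len(tok):                      # local end of the communication
            local_ports, i = parse_ports(tok[i + 1]), i + 2
        elif tok[i] == 'peer' and i + 2 < len(tok) and tok[i + 1] == 'port':   # other end
            peer_ports, i = parse_ports(tok[i + 2]), i + 3
        elif compartment is None:
            compartment, i = tok[i], i + 1
        else:
            raise ValueError(f'unexpected token {tok[i]!r} in {line!r}')
    if compartment is None:
        raise ValueError(f'missing compartment name in {line!r}')
    return NetworkRule(direction, protocol, protonum, local_ports, peer_ports, compartment)


def validate(line):
    """Return None if the rule parses, otherwise the error message (handy for config linting)."""
    try:
        parse_rule(line)
        return None
    except ValueError as exc:
        return str(exc)


def aggregate(lines):
    """Union of all rules per target compartment; '#' comments are an assumption of this example."""
    by_compartment = {}
    for line in lines:
        line = line.split('#', 1)[0].strip()
        if line:
            rule = parse_rule(line)
            by_compartment.setdefault(rule.compartment, set()).add(rule)
    return by_compartment


def permits(rules, direction, protocol, local_port=None, peer_port=None, protonum=None):
    """True if the aggregated rule set covers traffic in `direction` ('server' or 'client')."""
    for r in rules:
        if r.direction not in (direction, 'bidir') or r.protocol != protocol:
            continue
        if protocol == 'raw' and r.protonum is not None and r.protonum != protonum:
            continue
        if r.local_ports and local_port not in r.local_ports:
            continue
        if r.peer_ports and peer_port not in r.peer_ports:
            continue
        return True
    return False


# Constructed sample rules for a hypothetical interface compartment "ifacelan0".
SAMPLE_RULES = """
grant server tcp port 22 ifacelan0            # accept inbound connections to local port 22
grant client tcp peer port 80,443 ifacelan0   # initiate connections to peer ports 80 or 443
grant bidir udp port 53 ifacelan0             # local port 53, both directions
grant client tcp port 5000-5010 ifacelan0     # outbound from a local port range
grant bidir tcp web_compartment               # loopback to another compartment, any port
"""

if __name__ == '__main__':
    lan0 = aggregate(SAMPLE_RULES.splitlines())['ifacelan0']
    print(permits(lan0, 'server', 'tcp', local_port=22))   # True
    print(permits(lan0, 'client', 'tcp', peer_port=25))    # False
    print(validate('grant bidir raw 6 ifacelan0'))         # error: 6 is not valid after raw
```

Because port applies to the local end unless it follows peer, a client rule with port 5000-5010 constrains the source port of outbound connections, not the destination; the peer form is what restricts where processes in the compartment may connect to.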
Miscellaneous Rules
Other rules are as follows:
Privilege limitation rules
Network interface rules
Privilege Limitation Rules
Privilege limitations provide fine control over the privileges that cannot be obtained by the processes in a
compartment when calling the execve() routine. See execve(2). Privilege limitation rules use the following
format:
disallowed privileges privilege[,privilege... ]
where the values are defined as follows:
disallowed privileges
               Identifies this rule as a privilege limitation.
privilege[,privilege... ]
               A comma separated list of privileges. The compound privileges basic, basicroot,
               policy, and none can also be used. An exclamation mark (!) before a privilege name
               removes it from the list. For example, if the privilege list is specified as
6 Hewlett-Packard Company 6 HP-UX 11i Version 3: September 2011