compartments(4)
basicroot,!mount, all root replacement privileges except mount are disallowed. If the privilege list is none,mount, only mount is disallowed. If no privilege list is specified for a compartment, the disallowed privilege list defaults to policy for sealed compartments and to none for other compartments.
Note that a disallowed privilege cannot be obtained as a side effect of exec() even when the binary being executed carries extended security attributes that would grant the process that privilege. As an example, suppose mount is a disallowed privilege in compartment no_mounts, and that the binary /usr/bin/magic_mount is expected to receive the mount privilege by means of the following command:

     setfilexsec -p mount -P mount /usr/bin/magic_mount

When an unprivileged process in the no_mounts compartment executes this binary, it still does not see the mount privilege in its potential set.
If a root replacement privilege is in the disallowed privilege list, that privilege is not implicitly granted to processes with an effective uid of 0. Extending the above example, a process in no_mounts with an effective uid of 0 but without mount in its effective privilege set cannot use the mount() system call.
A disallowed privilege is still available to a process that obtains the privilege by some other means (for example, a process that already has the mount privilege in its effective set can enter the no_mounts compartment and use the mount() system call). When multiple disallowed privilege rules are defined, they are aggregated. Refer to priv_str_to_set(3) for information on how the privilege string is aggregated into a privilege set.
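The following is an added example (not HP-UX code and not from this manual page) that models how a disallowed privilege list is built from privilege strings and how it affects a process, covering the three cases above: the exec() side effect, the euid 0 implicit grant, and a process that already holds the privilege. The privilege names and the contents of the basicroot and policy macros are a small constructed catalogue standing in for the real sets in privileges(5); the string syntax (comma-separated tokens, a leading "!" removes) is taken from the examples on this page.

```python
"""Model of compartment disallowed-privilege handling. Added example,
not HP-UX code. ROOT_REPLACEMENT and POLICY are a constructed catalogue;
the real privilege sets are larger (see privileges(5))."""

# Constructed catalogue (assumption: basicroot == the root replacement
# privileges, as the page's wording for "basicroot,!mount" implies).
ROOT_REPLACEMENT = {"mount", "dacread", "dacwrite", "owner", "sysattr"}
POLICY = {"cmpt_override", "limit", "rtsched"}   # hypothetical names
MACROS = {
    "none": set(),
    "basicroot": ROOT_REPLACEMENT,
    "policy": POLICY,
    "all": ROOT_REPLACEMENT | POLICY,
}
KNOWN = MACROS["all"]


def priv_str_to_set(spec, start=None):
    """Aggregate a privilege string left to right: each token adds a
    privilege or macro, a leading '!' removes it. `start` lets several
    rules be folded into one set, as the page says multiple rules are."""
    result = set(start or ())
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        remove = tok.startswith("!")
        name = tok[1:] if remove else tok
        if name in MACROS:
            privs = MACROS[name]
        elif name in KNOWN:
            privs = {name}
        else:
            raise ValueError("unknown privilege %r" % name)
        result = result - privs if remove else result | privs
    return result


def disallowed_set(rules, sealed):
    """Fold all 'disallowed privilege' rules of a compartment into one set.
    With no rule given, sealed compartments default to policy, others to none."""
    if not rules:
        return priv_str_to_set("policy" if sealed else "none")
    acc = set()
    for rule in rules:
        acc = priv_str_to_set(rule, acc)
    return acc


def exec_potential(proc_potential, file_potential, disallowed):
    """Potential set after exec(): privileges granted by the binary's
    extended security attributes are added, then the compartment's
    disallowed privileges are masked out (the magic_mount case)."""
    return (proc_potential | file_potential) - disallowed


def can_use(priv, effective, euid, disallowed):
    """A privilege is usable if it is in the effective set. euid 0 gets a
    root replacement privilege implicitly only if it is not disallowed."""
    if priv in effective:
        return True
    return euid == 0 and priv in ROOT_REPLACEMENT and priv not in disallowed


if __name__ == "__main__":
    no_mounts = disallowed_set(["none,mount"], sealed=False)
    # unprivileged process exec()s magic_mount, whose file attributes grant mount
    print(exec_potential(set(), {"mount"}, no_mounts))          # set()
    # euid 0 without mount in its effective set
    print(can_use("mount", set(), 0, no_mounts))                # False
    # process that entered no_mounts already holding mount
    print(can_use("mount", {"mount"}, 1000, no_mounts))         # True
```

The model only encodes what the page states: the mask is applied at exec() and to the euid 0 implicit grant, and a privilege already in the effective set is untouched.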
Network Interface Rules
Network interface rules specify the compartment to which a network interface belongs. If a network interface does not have a compartment, no network traffic in the INET domain (TCP/IP) is allowed to pass through it.

Network interface rules use the following format:

     interface X[,X...]

where the values are defined as follows:

     interface   Identifies this as an interface definition.

     X[,X...]    A comma-separated list of the following entities:

                 A physical or virtual interface name, such as lan0 or vlan0.

                 An IPv4 address (for example, 192.168.0.1).

                 An IPv6 address (for example, FE80::123:1234:F8).

                 A range of IPv4 addresses specified as ipv4_addr/mask, where mask is the number of significant bits of the address. For instance, 192.168.0.1/24 represents the address range from 192.168.0.0 to 192.168.0.255.

                 An IPv6 address range specified as ipv6_addr/mask, where mask is the number of significant bits of the address.
It is possible to configure the network interface rules such that there are conflicts. Consider the following example:

     Interface lan0 is assigned to compartment LAN0, IP address range 192.168.0.0/16 is assigned to compartment IP_16, IP address range 192.0.0.0/8 is assigned to compartment IP_8, and IP address 192.168.0.0 is assigned to compartment IP.

Note that IPv4 address 192.168.0.0 belongs to all the ranges specified in the rules for IP_8, IP_16, and IP. If the interface lan0 is assigned the address 192.168.0.0, there is an additional conflict.

Such conflicts are resolved as follows:

     An IP address or address range assignment has higher precedence than a name assignment. For instance, if lan0 is assigned the IP address 192.200.1.1, it belongs to compartment IP_8, not LAN0.

     A rule specifying a more specific IP address range has precedence over a less specific IP address range. For instance, if lan1 is assigned 192.168.0.1, it would belong to compartment
HP-UX 11i Version 3: September 2011     Hewlett-Packard Company     7
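The precedence rules above can be checked against a rule set before it is deployed. The following is an added example, not HP-UX code and not part of this manual page: it implements only the two rules the page states (an address or range assignment beats a name assignment; a more specific prefix beats a less specific one) and lists every rule an interface would match so that conflicts are visible. The rule table is constructed from the page's conflict example; the ordering of two ranges with the same prefix length is not defined by the page, and the code keeps the first such rule.

```python
"""Resolve the compartment of a network interface under the stated
precedence rules. Added example, not HP-UX code; RULES is constructed
from the conflict example on this page."""
import ipaddress

# (compartment, entity) pairs, as they would appear in interface rules.
RULES = [
    ("LAN0", "lan0"),
    ("IP_16", "192.168.0.0/16"),
    ("IP_8", "192.0.0.0/8"),
    ("IP", "192.168.0.0"),
]


def parse_entity(entity):
    """Classify a rule entity as ('name', str) or ('net', ip_network).
    A bare address becomes a /32 or /128 network; host bits in a range
    such as 192.168.0.1/24 are masked off, matching the page's reading."""
    try:
        return ("net", ipaddress.ip_network(entity, strict=False))
    except ValueError:
        return ("name", entity)


def matching_rules(ifname, address, rules=RULES):
    """All compartments whose rule matches this interface, in rule order.
    More than one entry means the rule set has a conflict for this interface."""
    addr = ipaddress.ip_address(address) if address else None
    hits = []
    for cmpt, entity in rules:
        kind, value = parse_entity(entity)
        if kind == "name":
            if value == ifname:
                hits.append(cmpt)
        elif addr is not None and addr in value:   # False on version mismatch
            hits.append(cmpt)
    return hits


def resolve(ifname, address, rules=RULES):
    """Pick the compartment for interface `ifname` carrying `address`.
    Address rules win over name rules; among address rules the longest
    prefix wins. Returns None when nothing matches (no INET traffic)."""
    addr = ipaddress.ip_address(address) if address else None
    best = None          # (prefixlen, compartment)
    name_match = None
    for cmpt, entity in rules:
        kind, value = parse_entity(entity)
        if kind == "name":
            if value == ifname and name_match is None:
                name_match = cmpt
        elif addr is not None and addr in value:
            if best is None or value.prefixlen > best[0]:
                best = (value.prefixlen, cmpt)
    return best[1] if best else name_match


if __name__ == "__main__":
    for ifname, address in [("lan0", "192.200.1.1"), ("lan1", "192.168.0.1"),
                            ("lan0", "192.168.0.0"), ("lan0", None)]:
        print(ifname, address, "->", resolve(ifname, address),
              "candidates:", matching_rules(ifname, address))
```

Running the block prints the page's own cases: lan0 with 192.200.1.1 resolves to IP_8 rather than LAN0, and lan0 carrying 192.168.0.0 matches all four rules but resolves to IP, the most specific one.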