compartments man page on HP-UX


compartments(5)						       compartments(5)

NAME
       compartments - description of HP-UX compartments

DESCRIPTION
       The operating system has traditionally used a single compartment model.
       The relatively free access in traditional  single  compartment  systems
       can  lead  to problems with malicious software or with compromised pro‐
       grams.  If a way to exploit a daemon process is discovered and used, an
       intruder	 gains	considerable  access  to  the  system.	 If the daemon
       process is running with an effective uid of while being exploited, this
       could  translate	 to  complete system access.  With the use of compart‐
       ments, you can limit access to only what the process needs, thus reduc‐
       ing the amount of damage malicious or exploited programs can do.

       A  compartment  isolates	 a  process so that it can only access objects
       within the same compartment,  unless  a	compartment  rule  grants  the
       process	access to other compartments.  Other access control methodolo‐
       gies, such as file permissions and ACLs, still apply.

       You can override compartment restrictions with appropriate  privileges.
       See privileges(5) for a list of privileges.

       Compartments  control process access to several different types of sys‐
       tem objects.  Some of these object types are persistent, and are	 typi‐
       cally  referenced by name (such as files).  These objects do not have a
       compartment directly associated with them.   Instead,  the  rules  that
       govern  access  to  these  objects  are associated with the name of the
       object.	Other object types are transient, lasting only as long as  the
       process	that  created  them, or while the system is booted.  Transient
       objects are labeled with the compartment of the	process	 that  creates
       them.   The  rules that govern access to these objects are a direct com‐
       partment-to-compartment relationship.

       Compartments govern three types of system objects: file system  objects
       (persistent),  inter-process  communication  (IPC) objects (transient),
       and network objects (transient):

       ·  File System Objects.	Includes files and directories.	  By  default,
	  all file system objects are accessible by any compartment.  However,
	  specific compartment configuration  can  define  rules  to  restrict
	  access to various file system objects.

       ·  Inter-process	 Communication (IPC) Objects.  Enable or restrict com‐
	  munication between processes on a single system.  The types  of  IPC
	  objects  are	System	V shared memory, System V semaphores, System V
	  message queues, POSIX semaphores, POSIX message queues, PTYs, FIFOs,
	  UNIX domain sockets, and processes (signal mechanism).  POSIX shared
	  memory is implemented as file	 system	 objects;  hence,  compartment
	  access  is controlled with file system rules.	 By default, processes
	  in a given compartment cannot access IPC objects in another compart‐
	  ment unless explicitly configured otherwise.

       ·  Network  Communication Objects.  Includes network endpoints (sockets
	  and streams) and network LAN interfaces.  These objects are used  to
	  communicate via the TCP/IP protocol with processes on both local and
	  remote systems.  Access is controlled	 between  a  process'  network
	  endpoints  and  the  LAN  interfaces through which traffic passes to
	  remote systems.  As with IPC objects, processes in a given  compart‐
	  ment cannot access network objects in a different compartment unless
	  explicitly configured to do so.

	  Each network LAN interface (logical/physical/virtual) can belong  to
	  a  compartment  of  its own.	For example, it is possible to set the
	  rules such that logical interfaces and belong to different  compart‐

       At system start up, the compartment configuration is read from files in
       the directory.  The configuration is placed in files ending with suffix
       under  These files are pre-processed with before they are applied.  You
       can use mechanisms such as C/C++ comments, and to organize  the	files.
       See compartments(4) for the syntax of the configuration files.

       Compartments  use  four	types  of rules: file system rules, IPC rules,
       network rules, and miscellaneous rules.

   File System Rules
       File system rules govern access to the files  and  directories  of  the
       file  system.   You can restrict access to directories to the following
       actions:
	      ·	 For searching a directory.

	      ·	 For directory listing and searching.

	      ·	 For creation of new elements under the directory.

	      ·	 For removing elements under the directory.

	      ·	 Any combination of the above four.

       You can restrict access to files to the following actions:

	      ·	 For reading or executing the file

	      ·	 For writing the file

	      ·	 Any combination of the two

       All the file  system  rules  are	 inherited  except  the	 access.   For
       instance,  if  has a permission of and would have a permission of alone
       unless a different set of permissions is assigned to it.
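The inheritance behaviour described above, as an added model written for this page (it is not HP-UX code and nothing here comes from the man page); the action names, the single merged permission set per path and the sample paths are assumptions, and the one action the page says is not inherited is left out of the model:

```python
from pathlib import PurePosixPath

# Constructed model (not HP-UX code) of the rule inheritance described in
# compartments(5): a rule on a directory applies beneath it until a closer path
# carries its own rule, and a path with no rule above it keeps the default access.
# Action names, the single merged permission set and the sample paths are
# assumptions; the one action the man page says is not inherited is not modelled.
DIR_ACTIONS = {"search", "list", "create", "unlink"}
FILE_ACTIONS = {"read", "write"}
UNRESTRICTED = None  # no rule on the path or any ancestor: default access

def effective_rule(rules, path):
    """Return the permission set assigned to `path` or to its nearest ruled ancestor."""
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):          # path itself, then each parent up to "/"
        if str(candidate) in rules:
            return frozenset(rules[str(candidate)])
    return UNRESTRICTED

def permitted(rules, path, action):
    """True if the compartment that owns `rules` may perform `action` on `path`."""
    if action not in DIR_ACTIONS | FILE_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    perms = effective_rule(rules, path)
    return perms is UNRESTRICTED or action in perms

# Constructed rule set for one compartment: read-only content tree, a writable
# upload directory beneath it, and config files that can be read but not listed.
WEB_RULES = {
    "/var/www": {"search", "list", "read"},
    "/var/www/uploads": {"search", "list", "create", "read", "write"},
    "/etc": {"search", "read"},
}

def demo():
    return {
        "inherited_readonly": permitted(WEB_RULES, "/var/www/html/index.html", "write"),  # False
        "override_below": permitted(WEB_RULES, "/var/www/uploads/new.bin", "create"),     # True
        "etc_write": permitted(WEB_RULES, "/etc/passwd", "write"),                         # False
        "default_access": permitted(WEB_RULES, "/tmp/scratch", "write"),                   # True
    }
```

The last case is the one to watch when auditing a rules file: anything outside the ruled subtrees stays fully accessible, so a restriction on a directory only bites for paths beneath it.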

   IPC Rules
       IPC rules govern how processes in this  compartment  can	 access	 other
       compartments'  IPC  mechanisms  and how processes in other compartments
       can access this compartment's IPC mechanisms.  By  default,  a  process
       can access only the IPC objects in its own compartment.

   Network Rules
       Network rules control access between a process and a network interface,
       as well as between two processes using loopback communications.	 These
       rules  control the direction of network traffic (incoming, outgoing, or
       both) between the subject compartment and the target compartment speci‐
       fied  in	 the rule.  Each rule specifies the direction of traffic flow,
       the protocol (TCP, UDP, or a raw protocol), and the target  compartment
       (for  either  the  network  interface  or a local compartment for local
       process communications).	 Optionally, the rule can filter on local  and
       peer port numbers (for TCP and UDP only).

       Compartments  are associated with network endpoints when they are first
       created.	 When a process makes the system call that  creates  the  end‐
       point, the compartment of the process at that time is applied  to  the
       network object (see socket(2) or open(2)).  This compartment  is  used
       in  all network communication access checks that the object is involved
       in.  For TCP, rules are applied at connection establishment time.   For
       all  other  network  communications,  each  inbound and outbound packet
       delivery is checked against the rules.
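The network rule check this section describes, as an added model written for this page (not HP-UX code and not from the man page); the rule fields, the compartment names and the `override` flag, which stands in for the privilege the page says bypasses IPC and networking rules, are assumptions:

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model (not HP-UX code) of the network rule check in compartments(5).
# NetRule shape, compartment names and the `override` flag (standing in for the
# privilege that bypasses IPC and network rules) are assumptions for this example.
@dataclass(frozen=True)
class NetRule:
    subject: str                      # compartment the rule is defined in
    direction: str                    # "incoming", "outgoing" or "both"
    protocol: str                     # "tcp", "udp" or "raw"
    target: str                       # interface compartment or local peer compartment
    local_port: Optional[int] = None  # optional filter, TCP/UDP only
    peer_port: Optional[int] = None   # optional filter, TCP/UDP only

@dataclass(frozen=True)
class Endpoint:
    compartment: str                  # label applied when the endpoint was created
    protocol: str
    local_port: Optional[int] = None

def rule_matches(rule, ep, direction, target, peer_port):
    if (rule.subject, rule.target, rule.protocol) != (ep.compartment, target, ep.protocol):
        return False
    if rule.direction not in ("both", direction):
        return False
    if ep.protocol in ("tcp", "udp"):  # port filters apply to TCP/UDP only
        if rule.local_port is not None and rule.local_port != ep.local_port:
            return False
        if rule.peer_port is not None and rule.peer_port != peer_port:
            return False
    return True

def allowed(rules, ep, direction, target, peer_port=None, override=False):
    """Same-compartment traffic passes; anything else is denied unless a rule matches.
    For TCP this runs once at connection setup, for UDP/raw once per packet."""
    if override or ep.compartment == target:
        return True
    return any(rule_matches(r, ep, direction, target, peer_port) for r in rules)

# Constructed sample policy: accept HTTPS from the LAN, talk to the db listener.
RULES = [NetRule("web", "incoming", "tcp", "lan0", local_port=443),
         NetRule("web", "both", "tcp", "db", peer_port=5432)]

def demo():
    https, ssh, client = (Endpoint("web", "tcp", p) for p in (443, 22, 40001))
    return {
        "https_in": allowed(RULES, https, "incoming", "lan0", peer_port=51000),   # True
        "ssh_in": allowed(RULES, ssh, "incoming", "lan0", peer_port=51000),       # False
        "https_out": allowed(RULES, https, "outgoing", "lan0"),                   # False
        "db_out": allowed(RULES, client, "outgoing", "db", peer_port=5432),       # True
        "same_cmpt": allowed(RULES, ssh, "incoming", "web"),                      # True
    }
```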

   Miscellaneous Rules
       Miscellaneous rules appear  within  a  compartment  definition.	 These
       rules include the following:

	      Disallowed Privileges
		     Disallowed privileges define specific privileges that may
		     not be obtained as a side effect of calls even  when  the
		     binary   being  executed  specifies  that	the  privilege
		     becomes available.	 See exec(2).  See the description  of
		     the  and flags for the command.  See setfilexsec(1M) for
		     information on how a process can  gain  privileges	 as  a
		     side effect of an call.

	      Network Interface Rules
		     Interface	rules  define which network interfaces (Physi‐
		     cal/Virtual/Logical) are in this compartment.  Each  net‐
		     work interface can belong to only one compartment, though
		     multiple interfaces can be assigned to the same  compart‐
		     ment.  Also note that certain special logical interfaces,
		     such as the loopback interface and tunneling  interfaces,
		     are   not	valid  configuration  parameters.   These  are
		     silently ignored.

       The following set of privileges (see privileges(5)) affects  the	opera‐
       tion of compartments:

	      Grants a process the ability to change its compartment.

	      Allows a process to open a file or directory for reading, executing
	      (in the case of a file), or searching (in the case of a directory),
	      bypassing compartment rules that would otherwise not permit the
	      operation.

	      Allows a process to write into a file, or to create or delete files
	      in a directory, bypassing compartment rules that would otherwise not
	      permit the operation.

	      Allows a process to override compartment IPC and networking

	      Allows a process to modify compartment rules on the system.

       Note: These privileges are not automatically granted by	default	 to  a
       process with an effective uid of

Default Compartments
       When  compartments  are	installed  on  the  system,  there is only one
       default compartment, the	 compartment.	When  the  system  boots,  the
       process belongs to this compartment.  This compartment has been defined
       to have access to all other compartments that  are  explicitly  defined
       for  the	 system.  The compartment need not be defined in a rules file.
       If you re-define the compartment by making an explicit reference to  it
       in  a  rules  file,  all special characteristics are lost and cannot be
       restored without rebooting the system.

Compartment Manipulation Commands
       Several commands review and modify the compartment configuration	 on  a

	      Queries, enables, and disables the compartments feature.  See
	      cmpt_tune(1M) for more information.

	      Displays compartment rules.  See getrules(1M) for more information.

	      Parses and puts the rules into action.  See setrules(1M) for more
	      information.

       Note: Currently, no command is available to modify the compartment con‐
       figuration files.  You must  edit  the  configuration  files  directly.
       Once  that  is  done,  you  can use the above commands to put them into

FILES
       All files under this directory whose names end with are used to create
       the compartment configuration.  All files intended to be used to con‐
       figure compartment rules on the system (except those files referred to
       by a directive) must be in this directory.

       Binary file containing the machine-readable compartment rules.  Do not
       edit this file directly.

       File that maps compartment names to the ID numbers used internally by
       the system.  Do not edit this file directly.

SEE ALSO
       cmpt_tune(1M), getrules(1M), setrules(1M), exec(2), open(2), socket(2),
       compartments(4), privileges(5).


Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net