getrules(1M)                                                      getrules(1M)

NAME
     getrules - display compartment rules

DESCRIPTION
     getrules displays the rules defined for compartment(s) or network
     interface(s). This command can only be used when compartmentalization
     is enabled (see

     If no options are specified, all subsystem rules for the given
     compartment are displayed. If no compartment_name is specified,
     information on all compartments is displayed.

   Options
     getrules recognizes the following options:
          Displays all the compartments configured on the system.

          Displays the file system rules for the compartment(s).

          Displays the IPC system rules for the compartment(s).

          Displays the compartment names associated with the interface(s)
          and the IP address/mask as set by a previous invocation of
          Either the interface_name or the ipaddr/mask must be specified.
          More than one interface_name and/or IP address can be specified.

          Displays the compartment names associated with the logical
          interface(s) and the IP addresses as applied by the kernel.
          When interface rules conflict with each other, this option can
          be used to find out how the conflicts are resolved. If no
          arguments are specified, information about all currently active
          interfaces is displayed.

          Displays the network system rules for the compartment(s).

          Displays all the interface rules being applied by the kernel on
          the specified compartment(s). If no compartment name is
          specified, all the interface rules being applied by the kernel
          on all the existing compartments are displayed.

          Displays the disallowed privileges list in short form for com‐
          The short form includes compound privileges in the privi‐

          Displays the disallowed privileges list in literal form for com‐
          The literal form expands compound privileges in the privi‐

          Displays all the compartment rules of the specified
          compartment(s) in the machine parsable format. Using the "" or
          "" command is useful when used in combination with discover
          mode. See
   Operands
     getrules recognizes the following operands:

     compartment_name   Name of the compartment for which information

     interface_name     Name of the network interface for which information
                        is

     ipaddr             An IPv4 or IPv6 address

     ipaddr/mask        An IPv4 address or an IPv6 address and the
                        corresponding
WARNINGS
     The getrules command is provided for diagnostic purposes, and as such
     the output of the command may change.

     Some rules can be expressed in multiple forms. For instance,
     specifying that it can send a signal to is the same as specifying
     that it can receive signals from. Because this command displays each
     rule only once, the output can be misleading when interpreted in
     isolation.
The user invoking this command must have one of the following autho‐
RETURN VALUE
     getrules returns the following values:

          The rules are displayed.

          An error occurred. An error can be caused by an invalid option
          or because the user does not have permission to perform the
          operation.
EXAMPLES
     Display all file system rules for the compartment named web:

          Compartment Name: web : sealed
          Disallowed Privileges: POLICY
          File System Rules:
               read, write, create, unlink /
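     The example output above is what an administrator would review when
     auditing a compartment's file system rules. The following script is
     an added example and is not part of the HP-UX getrules(1M) man page
     or of HP-UX itself: it parses text in the layout shown above and
     flags rules that grant write, create or unlink access on / or on a
     system directory. SAMPLE_OUTPUT is constructed for the example (the
     Network Rules line is a placeholder, not real getrules output), and
     the list of "system directories" checked is an assumption; on a real
     system the text would come from running getrules on a compartment.

```shell
#!/bin/sh
# Added example, not HP-UX code: audit the "File System Rules" block of
# getrules output for write-class access granted on broad paths.
# On a real system the input would come from getrules itself, e.g.
#   OUTPUT=$(getrules web)
# SAMPLE_OUTPUT is constructed in the layout the man page example shows;
# the Network Rules line is a placeholder, not genuine getrules output.
SAMPLE_OUTPUT='Compartment Name: web : sealed
Disallowed Privileges: POLICY
File System Rules:
    read, write, create, unlink /
    read /etc
Network Rules:
    constructed-placeholder-rule'

# fs_rules OUTPUT: print the rule lines of the "File System Rules:" block,
# one per line, with leading whitespace removed. The block ends at the
# next section header (a line starting with a letter and ending in ":").
fs_rules() {
    printf '%s\n' "$1" | awk '
        /^File System Rules:/       { inblock = 1; next }
        inblock && /^[A-Za-z].*:$/  { inblock = 0 }
        inblock && NF               { sub(/^[ \t]+/, ""); print }'
}

# broad_writes OUTPUT: print "<path>: <perms>" for every file system rule
# that grants write, create or unlink on / or on one of the directories
# below (that directory list is an assumption chosen for this example).
broad_writes() {
    fs_rules "$1" | awk -F '[ ,]+' '
        {
            path = $NF
            perms = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^(write|create|unlink)$/)
                    perms = (perms == "" ? $i : perms "," $i)
            if (perms != "" && (path == "/" || path ~ "^/(etc|sbin|usr|var)(/|$)"))
                print path ": " perms
        }'
}

# Report the findings for the constructed sample.
broad_writes "$SAMPLE_OUTPUT"
```

     Run against the sample, the script reports the rule on / because it
     grants write, create and unlink there, and stays silent about the
     read-only rule on /etc. Because the man page warns that the output
     format is diagnostic and may change, a parser like this should be
     re-checked against the real output after any OS update.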
SEE ALSO
     cmpt_tune(1M), setrules(1M), compartments(4), compartments(5), privi‐