cmpt_tune(1M)

NAME
cmpt_tune - query, enable, or disable compartmentalization feature
SYNOPSIS
boot_image]
boot_image]
DESCRIPTION
cmpt_tune queries, enables, or disables the compartmentalization feature.
Compartmentalization is not a dynamic feature; enabling or disabling it
requires a reboot. If you make a change and do not specify the reboot
option, cmpt_tune prints a reboot reminder message. If no options are
specified, the query option is assumed.
If no compartments have been defined when compartmentalization is
enabled, the network interfaces currently installed on the system are
assigned to a new compartment and the administrator is given the oppor‐
tunity to reassign these interfaces (see getrules(1M)).
The system initially boots into a predefined compartment. A process in
that compartment can access all objects (that is, all processes, files,
IPC objects, and so on are accessible from it). See compartments(5) for
more information. Using the setfilexsec command (see setfilexsec(1M)),
an administrator can set specific binaries to start automatically in
other compartments; that is, when a process executes such a binary, its
compartment may change as a side effect. This is analogous to a setuid
binary changing a process's effective UID.
When the enable or disable option is specified without the boot_image
option, the currently running configuration is modified. If enable or
disable is specified with the boot_image option and boot_image does not
exist, it is created as though the administrator had run the following
command:
In either case, boot_image is marked for use on the next boot.
Options
cmpt_tune recognizes the following options:
Disables compartments.
Enables compartments.
Prints a help message.
Makes changes to or queries the specified boot_image. If this
option is not specified, the currently running configuration is
used. If no other options are specified, the query option is
assumed.
Queries the current state of compartments.
Queries the state of compartments after the next reboot.
Reboots after making changes. This option can only be used
together with the enable or disable option.
Sets silent mode: nothing is printed and only the exit status is
set.
RETURN VALUE
cmpt_tune returns the following values:
When querying, the compartmentalization feature is enabled.
When making changes, the changes were applied successfully.
An option processing error occurred.
When querying, the compartmentalization feature is disabled.
When making changes with the reboot option specified, the reboot
was skipped (for example, to allow the compartment configuration
files to be edited first).
When querying, the specified kernel configuration does not exist
or has no support for compartmentalization.
WARNINGS
A network interface that is not assigned to any compartment cannot be
accessed by any process and is effectively unusable. Assign at least
one network interface to a compartment so that network communication
can function.
If the enable or disable option is used in conjunction with the
boot_image option, any changes already pending against the current
configuration are lost.
If the compartments feature is enabled on a kernel configuration that
does not have the required patch levels (for example, if patch
PHKL_32798 is missing), the system may not boot properly or may not
have network connectivity.
SEE ALSO
authadm(1M), kconfig(1M), getrules(1M), setfilexsec(1M), setrules(1M),
compartments(4), compartments(5).