compartments(5)

NAME
compartments - description of HP-UX compartments

DESCRIPTION
The operating system has traditionally used a single compartment model. The relatively free access in traditional single compartment systems can lead to problems with malicious software or with compromised programs. If a way to exploit a daemon process is discovered and used, an intruder gains considerable access to the system. If the daemon process is running with an effective uid of while being exploited, this could translate to complete system access. With the use of compartments, you can limit access to only what the process needs, thus reducing the amount of damage malicious or exploited programs can do.
A compartment isolates a process so that it can only access objects within the same compartment, unless a compartment rule grants the process access to other compartments. Other access control methodologies, such as file permissions and ACLs, still apply.
You can override compartment restrictions with appropriate privileges.
See privileges(5) for a list of privileges.
Compartments control process access to several different types of system objects. Some of these object types are persistent, and are typically referenced by name (such as files). These objects do not have a compartment directly associated with them. Instead, the rules that govern access to these objects are associated with the name of the object. Other object types are transient, lasting only as long as the process that created them, or while the system is booted. Transient objects are labeled with the compartment of the process that creates them. The rules that govern access to these objects are a direct compartment-to-compartment relationship.
Compartments govern three types of system objects: file system objects (persistent), inter-process communication (IPC) objects (transient), and network objects (transient):
· File System Objects. Includes files and directories. By default, all file system objects are accessible by any compartment. However, specific compartment configuration can define rules to restrict access to various file system objects.
· Inter-process Communication (IPC) Objects. Enable or restrict communication between processes on a single system. The types of IPC objects are System V shared memory, System V semaphores, System V message queues, POSIX semaphores, POSIX message queues, PTYs, FIFOs, UNIX domain sockets, and processes (signal mechanism). POSIX shared memory is implemented as file system objects; hence, compartment access is controlled with file system rules. By default, processes in a given compartment cannot access IPC objects in another compartment unless explicitly configured otherwise.
· Network Communication Objects. Includes network endpoints (sockets and streams) and network LAN interfaces. These objects are used to communicate via the TCP/IP protocol with processes on both local and remote systems. Access is controlled between a process's network endpoints and the LAN interfaces through which traffic passes to remote systems. As with IPC objects, processes in a given compartment cannot access network objects in a different compartment unless explicitly configured to do so.
Each network LAN interface (logical/physical/virtual) can belong to a compartment of its own. For example, it is possible to set the rules such that logical interfaces and belong to different compartments.
CONFIGURATION RULES
At system start up, the compartment configuration is read from files in
the directory. The configuration is placed in files ending with suffix
under These files are pre-processed with before they are applied. You
can use mechanisms such as C/C++ comments, and to organize the files.
See compartments(4) for the syntax of the configuration files.
Compartments use four types of rules: file system rules, IPC rules, network rules, and miscellaneous rules.
File System Rules
File system rules govern access to the files and directories of the
file system. You can restrict access to directories to the following
actions:
· For searching a directory
· For directory listing and searching
· For creation of new elements under the directory
· For removing elements under the directory
· Any combination of the above four
You can restrict access to files to the following actions:
· For reading or executing the file
· For writing the file
· Any combination of the two
All the file system rules are inherited except the access. For
instance, if has a permission of and would have a permission of alone
unless a different set of permissions is assigned to it.
IPC Rules
IPC rules govern how processes in this compartment can access other compartments' IPC mechanisms and how processes in other compartments can access this compartment's IPC mechanisms. By default, a process can access only the IPC objects in its own compartment.
Network Rules
Network rules control access between a process and a network interface, as well as between two processes using loopback communications. These rules control the direction of network traffic (incoming, outgoing, or both) between the subject compartment and the target compartment specified in the rule. Each rule specifies the direction of traffic flow, the protocol (TCP, UDP, or a raw protocol), and the target compartment (for either the network interface or a local compartment for local process communications). Optionally, the rule can filter on local and peer port numbers (for TCP and UDP only).
Compartments are associated with network endpoints when they are first created. When a process makes the system call that creates the endpoint (see socket(2) or open(2)), the compartment of the process at that time is applied to the network object. This compartment is used in all network communication access checks that the object is involved in. For TCP, rules are applied at connection establishment time. For all other network communications, each inbound and outbound packet delivery is checked against the rules.
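The three rule families described above (file system rules keyed by object name and inherited down the directory tree, IPC rules as a direct compartment-to-compartment check, and network rules matching direction, protocol, target compartment and optional TCP/UDP ports) can be modeled in a few dozen lines. The following is a constructed Python model written for this page; it is not HP-UX code, it does not read the compartments(4) rule syntax, and the compartment names ("web", "db", "cache"), interface compartments ("lan0", "dbnet"), paths and ports are invented for the demonstration. The `override` flag stands in for a compartment-bypass privilege of the kind listed under COMPARTMENT-RELATED PRIVILEGES. The page's one non-inherited file system access type is not modeled here.

```python
# Constructed model of compartment access checks, written for this page.
# It is not HP-UX code and does not parse the compartments(4) rule syntax;
# names such as "web", "db", "lan0" and "dbnet" are made up for the demo.
from dataclasses import dataclass, field
from typing import Optional
import posixpath

# Actions a compartment may be limited to on file system objects
# (the page lists search / list+search / create / unlink for directories
# and read-or-execute / write for files).
ALL_FS_ACTIONS = frozenset({"read", "write", "search", "create", "unlink"})


@dataclass(frozen=True)
class NetRule:
    direction: str                     # "in", "out" or "both"
    protocol: str                      # "tcp", "udp" or "raw"
    target: str                        # compartment of the interface or of the local peer
    local_port: Optional[int] = None   # optional filters, honoured for TCP/UDP only
    peer_port: Optional[int] = None


@dataclass
class Compartment:
    name: str
    fs_rules: dict = field(default_factory=dict)   # path -> set of allowed actions
    ipc_grants: set = field(default_factory=set)   # compartments whose IPC objects we may use
    net_rules: list = field(default_factory=list)  # NetRule entries


def fs_allowed(cmpt: Compartment, path: str, action: str, override: bool = False) -> bool:
    """File system objects: rules hang off the object's name and are inherited
    down the directory tree; the most specific rule wins. With no rule on the
    path or any ancestor, access is allowed (the page's default).
    `override` stands for a compartment-bypass privilege (assumption)."""
    if override:
        return True
    p = posixpath.normpath(path)
    while True:
        if p in cmpt.fs_rules:
            return action in cmpt.fs_rules[p]
        if p == "/":
            return True                       # no rule anywhere on the path
        p = posixpath.dirname(p)


def ipc_allowed(cmpt: Compartment, object_cmpt: str, override: bool = False) -> bool:
    """IPC objects carry the compartment of their creator; access is a direct
    compartment-to-compartment check, default deny across compartments."""
    if override or object_cmpt == cmpt.name:
        return True
    return object_cmpt in cmpt.ipc_grants


def net_allowed(cmpt: Compartment, direction: str, protocol: str, target: str,
                local_port: Optional[int] = None, peer_port: Optional[int] = None,
                override: bool = False) -> bool:
    """Network objects: some rule must match direction, protocol and target
    compartment; port filters apply to TCP/UDP only. Default deny."""
    if override:
        return True
    for r in cmpt.net_rules:
        if r.protocol != protocol or r.target != target:
            continue
        if r.direction != "both" and r.direction != direction:
            continue
        if protocol in ("tcp", "udp"):
            if r.local_port is not None and r.local_port != local_port:
                continue
            if r.peer_port is not None and r.peer_port != peer_port:
                continue
        return True
    return False


def demo_web_compartment() -> Compartment:
    """A constructed 'web' compartment: read-only site tree with a writable
    upload directory, IPC only to 'db', and a tight network policy."""
    return Compartment(
        name="web",
        fs_rules={
            "/var/www": {"read", "search"},
            "/var/www/upload": {"read", "search", "create", "write"},
            "/etc": {"read", "search"},
        },
        ipc_grants={"db"},
        net_rules=[
            NetRule("in", "tcp", "lan0", local_port=443),      # serve HTTPS only
            NetRule("out", "tcp", "dbnet", peer_port=5432),    # talk to the database
            NetRule("both", "raw", "lan0"),                    # ports not filtered for raw
        ],
    )


if __name__ == "__main__":
    web = demo_web_compartment()
    print(fs_allowed(web, "/var/www/index.html", "write"))      # False: only read/search inherited
    print(fs_allowed(web, "/var/www/upload/a.png", "write"))    # True: more specific rule wins
    print(ipc_allowed(web, "cache"))                            # False: no grant, default deny
    print(net_allowed(web, "in", "tcp", "lan0", local_port=22)) # False: port filter
```

Note the asymmetry the model makes visible: an unlisted path is accessible (file system objects are open by default), while an unlisted IPC or network target is refused. When reviewing a real rules file, the paths with no rule are therefore the ones to look at first. The model also ignores when a check happens; on the real system TCP rules are evaluated once at connection establishment, and every other packet is checked on delivery.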
Miscellaneous Rules
Miscellaneous rules appear within a compartment definition. These
rules include the following:
Disallowed Privileges
Disallowed privileges define specific privileges that may not be obtained as a side effect of calls even when the binary being executed specifies that the privilege becomes available. See exec(2). See the description of the and flags for the command. See setfilexsec(1M) for information on how a process can gain privileges as a side effect of an call.
Network Interface Rules
Interface rules define which network interfaces (Physical/Virtual/Logical) are in this compartment. Each network interface can belong to only one compartment, though multiple interfaces can be assigned to the same compartment. Also note that certain special logical interfaces, such as the loopback interface and tunneling interfaces, are not valid configuration parameters. These are silently ignored.
COMPARTMENT-RELATED PRIVILEGES
The following set of privileges (see privileges(5)) affect the opera‐
tion of compartments:
· Grants a process the ability to change its compartment.
· Allows a process to open a file or directory for reading, executing (in the case of a file), or searching (in the case of a directory), bypassing compartment rules that would otherwise not permit the operation.
· Allows a process to write into a file, or to create or delete files in a directory, bypassing compartment rules that would otherwise not permit the operation.
· Allows a process to override compartment IPC and networking rules.
· Allows a process to modify compartment rules on the system.
Note: These privileges are not automatically granted by default to a
process with an effective uid of
Default Compartments
When compartments are installed on the system, there is only one
default compartment, the compartment. When the system boots, the
process belongs to this compartment. This compartment has been defined
to have access to all other compartments that are explicitly defined
for the system. The compartment need not be defined in a rules file.
If you re-define the compartment by making an explicit reference to it
in a rules file, all special characteristics are lost and cannot be
restored without rebooting the system.
Compartment Manipulation Commands
Several commands review and modify the compartment configuration on a
system:
· Queries, enables, and disables the compartments feature. See cmpt_tune(1M) for more information.
· Displays compartment rules. See getrules(1M) for more information.
· Parses and puts the rules into action. See setrules(1M) for more information.
Note: Currently, no command is available to modify the compartment configuration files. You must edit the configuration files directly. Once that is done, you can use the above commands to put them into action.
FILES
All files under this directory whose names end with are used to create the compartment configuration. All files intended to be used to configure compartment rules on the system (except those files referred to by a directive) must be in this directory.
Binary file containing the machine-readable compartment rules. Do not edit this file directly.
File that maps compartment names to the ID numbers used internally by the system. Do not edit this file directly.
SEE ALSO
cmpt_tune(1M), getrules(1M), setrules(1M), exec(2), open(2), socket(2), compartments(4), privileges(5).