cmpt_tune(1M)

NAME

cmpt_tune — query, enable, or disable compartmentalization feature

SYNOPSIS

cmpt_tune -h

cmpt_tune [-q] [-s]

cmpt_tune -Q [-s] [-n boot_image]

cmpt_tune [-Q] [-s] -n boot_image

cmpt_tune {-d|-e} [-r] [-s] [-n boot_image]

DESCRIPTION

cmpt_tune queries, enables, or disables the compartmentalization feature. Compartmentalization is not a dynamic feature; enabling or disabling the feature requires a reboot. If you make a change and do not specify the -r flag, cmpt_tune reports a reboot reminder message. If no options are specified, the -q option is assumed.

If no compartments have been defined when compartmentalization is enabled, the network interfaces currently installed on the system are assigned to a new compartment ifaces, and the administrator is given the opportunity to reassign these interfaces (see getrules(1M)).

The system initially boots into a predefined compartment, INIT. A process in the INIT compartment can access all objects (that is, all processes, files, IPC objects, etc., are accessible from the INIT compartment). See compartments(5) for more information. Using the setfilexsec command (see setfilexsec(1M)), an administrator can set specific binaries to start automatically in other compartments; that is, when a process executes the binary, it may find its compartment modified as a side-effect. This concept is similar to a setuid binary changing a process's euid.

When the -e or -d option is specified without the -n option, the current running configuration is modified. If -e or -d is specified with the -n option and boot_image does not exist, it is created as though the administrator ran the following command:

kconfig -s boot_image 

In any case, boot_image is marked for use on the next boot.

Options

The cmpt_tune command recognizes the following options:

-d: Disables compartments.
-e: Enables compartments.
-h: Prints a help message.
-n boot_image: Makes changes to or queries the specified boot_image. If this option is not specified, boot_image defaults to nextboot. If no other options are specified, the -Q option is assumed.
-q: Queries the current state of compartments.
-Q: Queries the state of compartments after the next reboot.
-r: Reboots after making changes. You can only use this option with the -d or -e options.
-s: Sets silent mode. Only the exit status is set.

RETURN VALUE

cmpt_tune returns the following values:

0: When querying, the compartmentalization feature is enabled. When making changes, the changes are successfully applied.
1: An option processing error occurred. When querying, the compartmentalization feature is disabled. When making changes, and -r is specified, the reboot option is ignored (for example, to allow for editing of compartment configuration files).
2: When querying, the kernel configuration specified does not exist or has no support for compartmentalization.

WARNINGS

A network interface that is not assigned to any compartment cannot be accessed by any process and effectively cannot be used. Assign at least one network interface to a compartment so that network communications can function.

If the -e or -d option is used in conjunction with the -n option, any prior changes pending to the current configuration are lost.

If the compartments feature is enabled on a kernel configuration that does not reflect the required patch levels (for example, patch PHKL_32798 is missing), the system may not boot properly or may not have network connectivity.

cmpt_tune(1M)

Technical documentation

» Table of Contents

» Index