HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3
Chapter 7 Compartments
Compartments are a method of isolating components of a system from one another. When configured properly, they can be an effective method to safeguard the HP-UX system and the data that resides on it.

Compartments allow you to isolate processes, or subjects, from each other and also from resources, or objects.

Conceptually, each process belongs to a compartment, and resources are handled in one of two ways.

  1. The resource is labeled with the compartment of the creating process. This is how transient resources, such as communication endpoints and shared memory, are assigned a compartment.

  2. The resource is associated with an access list that specifies how processes in different compartments can access it. This is how persistent resources, such as files and directories, are handled. In either case, processes can access resources or communicate with processes belonging to a different compartment only if a rule exists between those compartments. Processes that belong to the same compartment can communicate with each other and access resources in that compartment without a rule.

Compartments separate subjects from objects. This enables a virtual grouping of related subjects and objects. You can configure the system so that, if a service running in a compartment is compromised, it does not affect services running in other compartments. This restricts any damage to the affected compartment only.

Compartment Architecture

Compartments isolate a process and its child processes within a system. Figure 7-1 shows a parent process that spawns a number of handler processes that need to access various parts of the system. The compartments on the system are configured so that the processes can access the resources they need.

Figure 7-1 Compartment Architecture

In Figure 7-1, the parent process is configured in a compartment, compartment A. As part of its functioning, the parent process spawns a number of handler processes in a different compartment, compartment B. The handler processes inherit the compartment configuration of the parent process. The network card that connects this system to the LAN is configured in another compartment, compartment C. The file system is configured to allow full access to compartment A, but only allow partial access to compartment B. Communication between the system components in their separate compartments is configured as follows:

  • All handler processes are configured to communicate with the network.

  • The recorder can access the file system.

  • The handler processes have read-only access to some parts of the file system and read/write access to others.

  • The handler processes can communicate with the parent process and with the recorder using IPC and signals.

  • The network is isolated from the recorder and the parent process.

This compartment configuration provides security for the file system and the recorder. Both are isolated by their compartments. Though the handler processes can communicate with the network, the network cannot be accessed by the recorder or the parent process.
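The rules above can be checked before they are deployed by writing the intended layout down as a small access model and asking it the questions the text answers (can a handler reach the network? can the recorder?). The following Python program is an added example for this chapter, not HP-UX code and not the syntax of an HP-UX compartment rules file: it encodes only the semantics described here (transient resources labeled with the creating process's compartment, persistent resources carrying an access list, no rule needed inside a compartment, and the all-access INIT default described in the next section). Compartment names A, B and C come from Figure 7-1; the recorder compartment R, the channel names and the file paths are assumptions made for the example.

```python
"""Model of the compartment access semantics described in this chapter.

Constructed example, not the HP-UX rules-file syntax or implementation.
Compartment names A, B, C are from Figure 7-1; R (recorder), the channel
names and the paths are assumptions made for this example.
"""
from dataclasses import dataclass, field

INIT = "INIT"   # default compartment: reaches every other compartment


@dataclass(frozen=True)
class Process:
    name: str
    compartment: str


@dataclass(frozen=True)
class Transient:
    """Endpoint or shared-memory segment, labeled with its creator's compartment."""
    name: str
    compartment: str


@dataclass
class Persistent:
    """File or directory, carrying an access list: compartment -> allowed modes."""
    name: str
    access: dict = field(default_factory=dict)


@dataclass
class Policy:
    # (source, destination) -> channels a rule permits, e.g. {"ipc", "signal"}
    rules: dict = field(default_factory=dict)

    def allow(self, src: str, dst: str, *channels: str) -> None:
        """Add a rule letting processes in src reach dst over the given channels."""
        self.rules[(src, dst)] = self.rules.get((src, dst), frozenset()) | frozenset(channels)

    def can_reach(self, src: str, dst: str, channel: str) -> bool:
        """Same compartment and INIT need no rule; everything else needs one."""
        if src == INIT or src == dst:
            return True
        return channel in self.rules.get((src, dst), frozenset())

    def can_use(self, proc: Process, res: Transient, channel: str) -> bool:
        """Transient resources are reached through the compartment they are labeled with."""
        return self.can_reach(proc.compartment, res.compartment, channel)

    def can_open(self, proc: Process, res: Persistent, mode: str) -> bool:
        """Persistent resources are governed by their access list, not a label."""
        if proc.compartment == INIT:
            return True
        return mode in res.access.get(proc.compartment, frozenset())

    def isolated(self, a: str, b: str) -> bool:
        """True if no rule exists in either direction between two compartments."""
        return not self.rules.get((a, b)) and not self.rules.get((b, a))


def figure_7_1_policy() -> Policy:
    """Encode the five bullets describing Figure 7-1."""
    p = Policy()
    p.allow("B", "C", "net")                 # handlers talk to the network
    p.allow("C", "B", "net")                 # ... and receive from it
    for peer in ("A", "R"):                  # handlers <-> parent and recorder
        p.allow("B", peer, "ipc", "signal")
        p.allow(peer, "B", "ipc", "signal")
    # Deliberately no rule between C and A, or C and R: the network stays isolated.
    return p


# Constructed resources: full access for A, partial for B, recorder writes the spool.
DATA = Persistent("/var/app/data", {"A": frozenset({"read", "write"}),
                                    "B": frozenset({"read"})})
SPOOL = Persistent("/var/app/spool", {"A": frozenset({"read", "write"}),
                                      "B": frozenset({"read", "write"}),
                                      "R": frozenset({"read", "write"})})
LAN = Transient("lan0-endpoint", "C")       # labeled with compartment C

PARENT = Process("parent", "A")
HANDLER = Process("handler1", "B")
RECORDER = Process("recorder", "R")
BOOT = Process("init", INIT)


def audit(policy: Policy) -> dict:
    """Check the isolation claims the chapter makes about Figure 7-1."""
    return {
        "handler_uses_network": policy.can_use(HANDLER, LAN, "net"),
        "parent_uses_network": policy.can_use(PARENT, LAN, "net"),
        "recorder_uses_network": policy.can_use(RECORDER, LAN, "net"),
        "network_isolated_from_parent": policy.isolated("C", "A"),
        "network_isolated_from_recorder": policy.isolated("C", "R"),
        "handler_signals_parent": policy.can_reach("B", "A", "signal"),
        "handler_ipc_to_network": policy.can_reach("B", "C", "ipc"),
        "handlers_talk_without_rule": policy.can_reach("B", "B", "ipc"),
        "handler_writes_data": policy.can_open(HANDLER, DATA, "write"),
        "handler_reads_data": policy.can_open(HANDLER, DATA, "read"),
        "recorder_writes_spool": policy.can_open(RECORDER, SPOOL, "write"),
        "init_reaches_all": all(policy.can_use(BOOT, LAN, ch) for ch in ("net", "ipc")),
    }


if __name__ == "__main__":
    for check, result in audit(figure_7_1_policy()).items():
        print(f"{check:32} {result}")
```

Running the audit shows the two properties the text relies on: the handlers can use the network while the parent and the recorder cannot, and a rule that grants one channel (IPC between B and A) does not leak another (B to C over IPC). Adding a single stray rule such as `p.allow("C", "R", "net")` flips the `network_isolated_from_recorder` result, which is exactly the kind of configuration drift worth catching in review rather than after a compromise.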

Default Compartment Configuration

When you enable compartments, a default compartment named INIT is created. When you boot up the system, the init process belongs to this compartment. The INIT compartment is defined to have access to all other compartments and is not defined in a compartment rules file.

IMPORTANT: If you redefine the INIT compartment by creating explicit rules in a rules file, all special characteristics of the compartment are lost and cannot be restored without rebooting the system.
© 2008 Hewlett-Packard Development Company, L.P.