Compartments are a method of isolating components of a system from one another. When configured properly, they can be an effective method to safeguard the HP-UX system and the data that resides on it.

Compartments allow you to isolate processes, or subjects, from each other and also from resources, or objects. Conceptually, each process belongs to a compartment, and resources are handled in one of two ways:

- Transient resources, such as communication endpoints and shared memory, are labeled with the compartment of the creating process.
- Persistent resources, such as files and directories, are associated with an access list that specifies how processes in different compartments can access them.

That is, processes can access resources or communicate with processes belonging to a different compartment only if a rule exists between those compartments. Processes that belong to the same compartment can communicate with each other and access resources in that compartment without a rule.

Compartments separate subjects from objects. This enables a virtual grouping of related subjects and objects. You can configure the system so that, if a service running in a compartment is compromised, it does not affect services running in other compartments. This restricts any damage to the affected compartment only.
Compartment Architecture
Compartments isolate a process and its child processes within a system. Figure 7-1 shows a parent process that spawns a number of handler processes that need to access various parts of the system. The compartments on the system are configured so that the processes can access the resources they need.

In Figure 7-1, the parent process is configured in a compartment, compartment A. As part of its functioning, the parent process spawns a number of handler processes in a different compartment, compartment B. The handler processes inherit the compartment configuration of the parent process. The network card that connects this system to the LAN is configured in another compartment, compartment C. The file system is configured to allow full access to compartment A, but only partial access to compartment B. Communication between the system components in their separate compartments is configured as follows:
- All handler processes are configured to communicate with the network.
- The recorder can access the file system.
- The handler processes have read access to some parts of the file system and read/write access to others.
- The handler processes can communicate with the parent process, and with the recorder, using IPC and signals.
- The network is isolated from the recorder and the parent process.
This compartment configuration provides security for the file system and the recorder. Both are isolated by their compartments. Though the handler processes can communicate with the network, the network cannot be accessed by the recorder or the parent process.
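The access semantics described at the start of this chapter (transient resources labeled with the creator's compartment, persistent resources carrying an access list, deny-by-default rules between compartments, child processes inheriting a compartment) and the Figure 7-1 configuration can be exercised together in a small policy model. The following Python is an added example written for this page; it is not HP-UX code and does not use the HP-UX compartment rule-file syntax. The file names, the network endpoint name, the way a child is placed in compartment B, and the placement of the recorder in compartment A alongside the parent are assumptions (the text does not say which compartment the recorder occupies; A is consistent with every rule listed).

```python
# Constructed model of the compartment access rules described in this chapter.
# Added illustration only: not HP-UX code, not HP-UX rule syntax.
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    compartment: str

    def spawn(self, name, compartment=None):
        # A child inherits the parent's compartment unless it is explicitly
        # placed elsewhere; the explicit placement is an assumption of this model.
        return Process(name, compartment or self.compartment)


@dataclass
class TransientResource:
    # Labeled with the compartment of the creating process
    # (communication endpoints, shared memory).
    name: str
    compartment: str


@dataclass
class PersistentResource:
    # Carries an access list: compartment -> set of permitted operations
    # (files, directories).
    name: str
    acl: dict = field(default_factory=dict)


class CompartmentPolicy:
    """Deny-by-default rules between compartments."""

    def __init__(self):
        self.rules = set()  # (subject_compartment, object_compartment, operation)

    def allow(self, subject, obj, operation, bidirectional=False):
        self.rules.add((subject, obj, operation))
        if bidirectional:
            self.rules.add((obj, subject, operation))

    def permits(self, subject, obj, operation):
        # Inside one compartment no rule is needed.
        if subject == obj:
            return True
        return (subject, obj, operation) in self.rules

    def can_access(self, proc, resource, operation):
        if isinstance(resource, TransientResource):
            return self.permits(proc.compartment, resource.compartment, operation)
        # Persistent resources are governed by their access list.
        return operation in resource.acl.get(proc.compartment, set())

    def exposure(self, proc, resources, operations):
        """Everything a process (for instance a compromised one) can reach."""
        return sorted(
            (r.name, op)
            for r in resources
            for op in operations
            if self.can_access(proc, r, op)
        )


def build_figure_7_1():
    """Compartments A (parent, recorder), B (handlers), C (network card)."""
    policy = CompartmentPolicy()
    parent = Process("parent", "A")
    recorder = Process("recorder", "A")  # assumption: recorder shares A
    handlers = [parent.spawn(f"handler{i}", compartment="B") for i in (1, 2)]
    lan = TransientResource("lan-endpoint", "C")  # constructed name
    files = [  # constructed paths: full access for A, partial for B
        PersistentResource("/data/config", {"A": {"read", "write"}, "B": {"read"}}),
        PersistentResource("/data/spool", {"A": {"read", "write"}, "B": {"read", "write"}}),
        PersistentResource("/data/records", {"A": {"read", "write"}}),
    ]
    # Handlers (B) communicate with the network (C); no rule exists for A.
    policy.allow("B", "C", "network", bidirectional=True)
    # Handlers (B) reach the parent and recorder (A) via IPC and signals.
    for op in ("ipc", "signal"):
        policy.allow("B", "A", op, bidirectional=True)
    return policy, parent, recorder, handlers, lan, files


if __name__ == "__main__":
    policy, parent, recorder, handlers, lan, files = build_figure_7_1()
    for proc in (parent, recorder, *handlers):
        print(proc.name, "network:", policy.can_access(proc, lan, "network"),
              "files:", policy.exposure(proc, files, ("read", "write")))
```

The `exposure()` call is the useful part for a defender: it lists exactly what a compromised handler in compartment B could touch, which is the "damage restricted to the affected compartment" property the chapter claims. Note that a second handler in B reaches the first without any rule, because they share a compartment; splitting handlers that must not trust each other into separate compartments is what removes that implicit channel.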