|HP-UX Reference > C
HP-UX 11i Version 3: February 2007
compartments — description of HP-UX compartments
The UNIX® operating system has traditionally used a single compartment model. The relatively free access in traditional single compartment systems can lead to problems with malicious software or with compromised programs. If a way to exploit a daemon process is discovered and used, an intruder gains considerable access to the system. If the daemon process is running with an effective uid of 0 while being exploited, this could translate to complete system access. With the use of compartments, you can limit access to only what the process needs, thus reducing the amount of damage malicious or exploited programs can do.
A compartment isolates a process so that it can only access objects within the same compartment, unless a compartment rule grants the process access to other compartments. Other access control methodologies, such as file permissions and ACLs, still apply.
You can override compartment restrictions with appropriate privileges. See privileges(5) for a list of privileges.
Compartments control process access to several different types of system objects. Some of these object types are persistent, and are typically referenced by name (such as files). These objects do not have a compartment directly associated with them. Instead, the rules that govern access to these objects are associated with the name of the object. Other object types are transient, lasting only as long as the process that created them, or while the system is booted. Transient objects are labeled with the compartment of the process that creates them. The rules that govern access to these objects is a direct compartment-to-compartment relationship.
Compartments govern three types of system objects: file system objects (persistent), inter-process communication (IPC) objects (transient), network objects (transient):
At system start up, the compartment configuration is read from files in the /etc/cmpt directory. The configuration is placed in files ending with .rules suffix under /etc/cmpt. These files are pre-processed with cpp before they are applied. You can use cpp's mechanisms such as C/C++ comments, #ifdef, and #include to organize the files. See compartments(4) for the syntax of the configuration files.
Compartments use four types of rules: file system rules, IPC rules, network rules, miscellaneous rules.
File System Rules
File system rules govern access to the files and directories of the file system. You can restrict access to directories to the following actions:
You can restrict access to files to the following actions:
All the file system rules are inherited except the nsearch access. For instance, if /a has a permission of nsearch and create, /a/b would have a permission of create alone unless a different set of permissions is assigned to it.
IPC rules govern how processes in this compartment can access other compartment's IPC mechanisms and how processes in other compartments can access this compartment's IPC mechanisms. By default, a process can access only the IPC objects in its own compartment.
Network rules control access between a process and a network interface, as well as between two processes using loopback communications. These rules control the direction of network traffic (incoming, outgoing, or both) between the subject compartment and the target compartment specified in the rule. Each rule specifies the direction of traffic flow, the protocol (TCP, UDP, or a raw protocol), and the target compartment (for either the network interface or a local compartment for local process communications). Optionally, the rule can filter on local and peer port numbers (for TCP and UDP only).
Compartments are associated with network endpoints when they are first created. When a process makes the system call that creates the endpoint (socket() or open()), the compartment of the process at that time is applied to the network object. (See socket(2) or open(2)). This compartment is used in all network communication access checks that the object is involved in. For TCP, rules are applied at connection establishment time. For all other network communications, each inbound and outbound packet delivery is checked against the rules.
Miscellaneous rules appear within a compartment definition. These rules include the following:
The following set of privileges (see privileges(5)) affect the operation of compartments:
Note: These privileges are not automatically granted by default to a process with an effective uid of 0.
When compartments are installed on the system, there is only one default compartment, the init compartment. When the system boots, the init process belongs to this compartment. This compartment has been defined to have access to all other compartments that are explicitly defined for the system. The init compartment need not be defined in a rules file. If you re-define the init compartment by making an explicit reference to it in a rules file, all special characteristics are lost and cannot be restored without rebooting the system.
Compartment Manipulation Commands
Several commands review and modify the compartment configuration on a system:
Note: Currently, no command is available to modify the compartment configuration files. You must edit the configuration files directly. Once that is done, you can use the above commands to put them into action.