NAME
getrules — display compartment rules
SYNOPSIS
getrules [-c]
getrules [-f] [-i] [-n] [-T] [-p|-P] [-m] [compartment_name]...
getrules -l interface_name[...] ipaddr/mask[...]
getrules -L [interface_name...] [IPaddress...]
DESCRIPTION
getrules displays rules defined for compartment(s) or network interface(s). This command can only be used when compartmentalization is enabled (see cmpt_tune(1M)). If no options are specified, all subsystem rules for the given compartment are displayed. If no compartment_name is specified, information on all compartments is displayed.
Options
getrules recognizes the following options:
- -c
Displays all the compartments configured on the system.
- -f
Displays the file system rules for the compartment(s).
- -i
Displays the IPC system rules for the compartment(s).
- -l
Displays the compartment names associated with the interface(s) and the IP address/mask as set by a previous invocation of setrules. Either the interface_name or the ipaddr/mask must be specified. More than one interface_name and/or IPaddress can be specified.
- -L
Displays the compartment names associated with the logical interface(s) and the IP addresses as applied by the kernel. When interface rules conflict with each other, this option can be used to find how the conflicts are resolved. If no arguments are specified, information about all currently active interfaces is displayed.
- -n
Displays the network system rules for the compartment(s).
- -T
Displays all the interface rules being applied by the kernel on the specified compartment(s). If no compartment name is specified, all the interface rules being applied by the kernel on all the existing compartments are displayed.
- -p
Displays the disallowed privileges list in short form for compartment(s).
The short form includes compound privileges in the privilege list.
- -P
Displays the disallowed privileges list in literal form for compartment(s).
The literal form expands compound privileges in the privilege list.
- -m
Displays all the compartment rules of the specified compartment(s) in the machine parsable format. Using the "getrules -m compartment_name > file" or "getrules -m > file" command is useful in combination with discover mode. See compartments(5).
Operands
getrules recognizes the following operands:
- compartment_name
Name of the compartment for which information is displayed.
- interface_name
Name of the network interface for which information is displayed.
- IPaddress
An IPv4 or IPv6 address.
- ipaddr/mask
An IPv4 address or an IPv6 address and the corresponding mask.
Notes
The getrules command is provided for diagnostic purposes, and as such the output of the command may change.
Some rules can be expressed in multiple forms. For instance, compartment A specifying that it can send a signal to compartment B is the same as compartment B specifying that it can receive signals from compartment A. As this command displays each such rule only once, the output can be misleading when interpreted.
Security Restrictions
The user invoking this command must have one of the following authorizations:
hpux.security.xsec.secrules.unrestricted
hpux.security.xsec.secrules.restricted
See authadm(1M).
RETURN VALUE
getrules returns the following values:
- 0
Successful completion.
The rules are displayed.
- >0
An error occurred. An error can be caused by an invalid option or because the user does not have permission to perform the operation.
EXAMPLES
Example: Display all file system rules for the compartment named web:
getrules -f web
Sample output:
Compartment Name: web : sealed
Disallowed Privileges: POLICY
File System Rules:
------------------
PERMISSION PATHNAME
read, write, create, unlink /
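As an added example (not part of the man page or of HP-UX itself), the following shell script reads getrules -f output laid out like the sample above and lists every file system rule that grants write, create or unlink, which is the usual first question when auditing what a compartment may modify. The sample output is constructed inline so the script runs without getrules, and the parsing assumes the sample's column layout (the Notes section warns the real output may change).

```shell
#!/bin/sh
# Constructed sample of `getrules -f web` output, in the layout shown in the
# man page EXAMPLES section (one extra read-only rule added for contrast).
fs_rules_sample() {
    cat <<'EOF'
Compartment Name: web : sealed
Disallowed Privileges: POLICY
File System Rules:
------------------
PERMISSION PATHNAME
read, write, create, unlink /
read /etc/opt/web
EOF
}

# Read getrules -f output on stdin and print "pathname<TAB>permissions" for
# every rule in the File System Rules table whose permission list contains
# write, create or unlink. Lines before the table and the header/separator
# lines are skipped; a blank line ends the table.
modifying_fs_rules() {
    awk '
        /^File System Rules:/  { in_fs = 1; next }
        in_fs && /^-+$/        { next }
        in_fs && /^PERMISSION/ { next }
        in_fs && NF == 0       { in_fs = 0; next }
        in_fs {
            path  = $NF                       # pathname is the last field
            perms = $0
            sub(/[ \t]+[^ \t]+$/, "", perms)  # drop the pathname, keep the list
            if (perms ~ /(^|[ ,])(write|create|unlink)([ ,]|$)/)
                printf "%s\t%s\n", path, perms
        }
    '
}

# Usage: fs_rules_sample | modifying_fs_rules
# (against a live system: getrules -f web | modifying_fs_rules)
```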