
cmpt_tune(1m) [hpux man page]

cmpt_tune(1M)															     cmpt_tune(1M)

NAME
cmpt_tune - query, enable, or disable compartmentalization feature

SYNOPSIS
boot_image] boot_image]

DESCRIPTION
cmpt_tune queries, enables, or disables the compartmentalization feature. Compartmentalization is not a dynamic feature; enabling or disabling the feature requires a reboot. If you make a change and do not specify the flag, cmpt_tune reports a reboot reminder message. If no options are specified, the option is assumed.

If no compartments have been defined when compartmentalization is enabled, the network interfaces currently installed on the system are assigned to a new compartment and the administrator is given the opportunity to reassign these interfaces (see getrules(1M)).

The system initially boots into a predefined compartment. A process in the compartment can access all objects (that is, all processes, files, IPC objects, etc., are accessible from the compartment). See compartments(5) for more information.

Using the command (see setfilexsec(1M)), an administrator can set specific binaries to start automatically in other compartments; that is, when a process executes the binary, it may find its compartment modified as a side-effect. This concept is similar to a setuid binary changing a process's euid.

When the or option is specified without the option, the current running configuration is modified. If or is specified with the option and boot_image does not exist, it is created as though the administrator ran the following command: In any case, boot_image is marked for use on the next boot.

Options
The command recognizes the following options: Disables compartments. Enables compartments. Prints a help message. Makes changes to or queries the specified boot_image. If this option is not specified, defaults to If no other options are specified, the option is assumed. Queries the current state of compartments. Queries the state of compartments after the next reboot. Reboots after making changes. You can only use this option with the or options. Sets silent mode. Only the exit status is set.

RETURN VALUE
cmpt_tune returns the following values: When querying, the compartmentalization feature is enabled. When making changes, the changes are successfully applied. An option processing error occurred. When querying, the compartmentalization feature is disabled. When making changes, and is specified, the reboot option is ignored (for example, to allow for editing of compartment configuration files). When querying, the kernel configuration specified does not exist or has no support for compartmentalization.

WARNINGS
A network interface that is not assigned to any compartment cannot be accessed by any process and effectively cannot be used. Assign at least one network interface to a compartment so that network communications can function.

If the or option is used in conjunction with the option, any prior changes pending to the current configuration are lost.

If the compartments feature is enabled on a kernel configuration that does not reflect the required patch levels (for example, patch PHKL_32798 is missing), the system may not boot properly or may not have network connectivity.

SEE ALSO
authadm(1M), kconfig(1M), getrules(1M), setfilexsec(1M), setrules(1M), compartments(4), compartments(5).


getprocxsec(1M) 														   getprocxsec(1M)

NAME
getprocxsec - display security attributes of a process

SYNOPSIS
DESCRIPTION
The command displays security attributes associated with a running process. These attributes include the permitted privilege set, effective privilege set, retained privilege set, euid, and the compartment name. See privileges(5) and compartments(5).

Each process has a permitted privilege set, effective privilege set, and retained privilege set. If the compartmentalization feature is enabled, it also has a compartment. When a process is created, the child process inherits these attributes from the parent. When a process executes a binary, these attributes can be changed. See setfilexsec(1M) and getfilexsec(1M) for information on how these extended attributes can be manipulated at execution time.

For compatibility, the kernel handles processes with effective uid of zero in special ways. If the compartmentalization feature is disabled, these processes are treated as though they have all root replacement privileges. If, on the other hand, the compartmentalization feature is enabled, these processes are treated as though they have all the root replacement privileges except those configured as disallowed privileges for the compartment.

Options
getprocxsec recognizes the following options: Displays the compartment name of the process. If compartments are not enabled, nothing is reported for this option. If compartments are enabled, all the kernel processes would be reported as running in "RESERVED CMPT". Displays the implementation effective privilege set. Displays the full form of the lists. Displays the implementation permitted privilege set. Displays the implementation retained privilege set. If none of the above options are specified, the default is

Operands
getprocxsec recognizes the following operand:

pid The process ID of the process whose attributes are being displayed. If pid is displays attributes of this process. If pid is it displays attributes of the process' parent. If pid is not specified, it defaults to this process (equivalent to

Security Restrictions
The specified process must be visible to the user invoking this command or the user must have the privilege.

RETURN VALUE
getprocxsec returns the following values: Successful completion. The attributes are displayed. An error occurred. An error can be caused by an invalid option or because the specified process is not visible to the user.

EXAMPLES
Example 1: Display the privilege sets and compartment of the current process:

Sample output: effective= BASIC permitted= BASIC retained= BASIC cmpt= init euid= zero

Example 2: Display the privilege sets and compartment of the parent process:

Sample output: effective= BASIC permitted= BASIC retained= BASIC cmpt= init euid= zero

Example 3: Display the full privilege sets and compartment of an arbitrary process:

Sample output: effective= FORK EXEC SESSION LINKANY permitted= FORK EXEC SESSION LINKANY retained= FORK EXEC SESSION LINKANY cmpt= web euid= non-zero

SEE ALSO
getfilexsec(1M), setfilexsec(1M), compartments(5), privileges(5).
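
An added example, not part of the man page or of HP-UX: a Python parser for the `key= value` attribute text shown in the sample output above, with a review pass that lists processes reporting euid zero, a chosen compartment, or no compartment at all. The PIDs, the `open_cmpt` default, and the record without a `cmpt` field are constructed assumptions.

```python
import re

# Field names taken from the sample output shown on this page.
FIELDS = ("effective", "permitted", "retained", "cmpt", "euid")
FIELD_RE = re.compile(r"\b(%s)=" % "|".join(FIELDS))

def parse_procxsec(text):
    """Parse 'key= value ...' attribute text into a dict."""
    # Each value runs until the next known key, so one-per-line and
    # flattened single-line layouts both parse.
    hits = list(FIELD_RE.finditer(text))
    if not hits:
        raise ValueError("no attribute fields found: %r" % text[:40])
    rec = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        words = text[m.end():end].split()
        if m.group(1) in ("cmpt", "euid"):
            rec[m.group(1)] = " ".join(words)    # e.g. "RESERVED CMPT"
        else:
            rec[m.group(1)] = frozenset(words)   # privilege names
    return rec

def review(outputs, open_cmpt="init"):
    """Map pid -> reasons worth a look, for a {pid: captured text} dict."""
    # open_cmpt is an assumption: the compartment whose processes can
    # access all objects on the system being reviewed.
    findings = {}
    for pid, text in outputs.items():
        rec = parse_procxsec(text)
        reasons = []
        if "cmpt" not in rec:
            reasons.append("no compartment reported")
        elif rec["cmpt"] == open_cmpt:
            reasons.append("runs in compartment %r" % open_cmpt)
        if rec.get("euid") == "zero":
            reasons.append("euid zero")
        if reasons:
            findings[pid] = reasons
    return findings

# Constructed input: PIDs are made up; field text follows the page's samples.
SAMPLES = {
    101: "effective= BASIC permitted= BASIC retained= BASIC cmpt= init euid= zero",
    202: "effective= FORK EXEC SESSION LINKANY\npermitted= FORK EXEC SESSION LINKANY\n"
         "retained= FORK EXEC SESSION LINKANY\ncmpt= web\neuid= non-zero\n",
    303: "effective= BASIC\nretained= BASIC\neuid= zero\n",  # no cmpt line
}
if __name__ == "__main__":
    print(review(SAMPLES))
```

A record with no `cmpt` field matches the case the Options text describes, where nothing is reported for the compartment because compartments are not enabled.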