The following table shows the main security options (including both the security policy for the -s option for the aps command and the corresponding SchedCtl() flag), in increasing order of security. For information about enabling PROCMGR_AID_APS_ROOT, see the entry for procmgr_ability() in the C Library Reference.
aps | SchedCtl() | Description |
---|---|---|
none | SCHED_APS_SEC_OFF | Anyone on the system can add partitions and modify their attributes. |
basic | SCHED_APS_SEC_BASIC | Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can change the overall scheduling parameters and set critical budgets. |
flexible | SCHED_APS_SEC_FLEXIBLE | Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can change scheduling parameters or change critical budgets. However, processes with PROCMGR_AID_APS_ROOT enabled and running in any partition can create subpartitions, join threads into their own subpartitions and modify subpartitions. This lets applications create their own local subpartitions out of their own budgets. The percentage for budgets must not be zero. |
recommended | SCHED_APS_SEC_RECOMMENDED | Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can create partitions or change parameters. This creates a two-level hierarchy of partitions: the System partition and its children. Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can join their own threads to partitions. The percentage for budgets must not be zero. |
After setting up the scheduler partitions, you can use SCHED_APS_SEC_PARTITIONS_LOCKED to prevent further unauthorized changes. For example:
sched_aps_security_parms p; APS_INIT_DATA( &p ); p.sec_flags = SCHED_APS_SEC_PARTITIONS_LOCKED; SchedCtl( SCHED_APS_ADD_SECURITY, &p, sizeof(p));
The security options listed above are composed of the following options (but it's more convenient to use the compound options):
aps | SchedCtl() | Description |
---|---|---|
root0_overall | SCHED_APS_SEC_ROOT0_OVERALL | You must have PROCMGR_AID_APS_ROOT enabled and be in the System partition in order to change the overall scheduling parameters, such as the averaging window size. |
root_makes_partitions | SCHED_APS_SEC_ROOT_MAKES_PARTITIONS | You must have PROCMGR_AID_APS_ROOT enabled in order to create or modify partitions. |
sys_makes_partitions | SCHED_APS_SEC_SYS_MAKES_PARTITIONS | You must be running in the System partition in order to create or modify partitions. |
parent_modifies | SCHED_APS_SEC_PARENT_MODIFIES | Allows partitions to be modified (SCHED_APS_MODIFY_PARTITION), but you must be running in the parent partition of the partition being modified. Modify means to change a partition's percentage or critical budget, or attach events with the SCHED_APS_ATTACH_EVENTS command. |
nonzero_budgets | SCHED_APS_SEC_NONZERO_BUDGETS | A partition may not be created with, or modified to have, a zero budget. Unless you know your partition needs to run only in response to client requests, i.e. receipt of messages, you should set this option. |
root_makes_critical | SCHED_APS_SEC_ROOT_MAKES_CRITICAL | You must have PROCMGR_AID_APS_ROOT enabled in order to create a nonzero critical budget or change an existing critical budget. |
sys_makes_critical | SCHED_APS_SEC_SYS_MAKES_CRITICAL | You must be running in the System partition to create a nonzero critical budget or change an existing critical budget. |
root_joins | SCHED_APS_SEC_ROOT_JOINS | You must have PROCMGR_AID_APS_ROOT enabled in order to join a thread to a partition. |
sys_joins | SCHED_APS_SEC_SYS_JOINS | You must be running in the System partition in order to join a thread. |
parent_joins | SCHED_APS_SEC_PARENT_JOINS | You must be running in the parent partition of the partition you wish to join. |
join_self_only | SCHED_APS_SEC_JOIN_SELF_ONLY | A process may join only itself to a partition. |
partitions_locked | SCHED_APS_SEC_PARTITIONS_LOCKED | Prevent further changes to any partition's budget, or overall scheduling parameters, such as the window size. Set this after you've set up your partitions. |