Adaptive partitioning

Updated: April 19, 2023

If you have enabled adaptive partitioning, it is important to enable security for it. By default, the only restriction the feature places on processes is their ability to set security options.

You define security for adaptive partitioning by setting one or more options. Because a security option can't be cleared after it is set, security for the feature can only be strengthened, never relaxed.

Many adaptive partitioning security options come in two forms: an option that restricts an action for processes that have the ability PROCMGR_AID_APS_ROOT, and one that restricts an action for processes in the system partition. Because processes can inherit a partition when they receive a message, QNX recommends that security be based on the ability and not the partition.

If a process is able to join a partition, it can also make any other process join that partition (unless the option SCHED_APS_SEC_JOIN_SELF_ONLY has been set). To avoid this potential vulnerability, set the option SCHED_APS_SEC_ROOT_JOINS, which requires the process to have the PROCMGR_AID_APS_ROOT ability to make another process join a partition.

Ideally, partitions should be configured once on startup and then locked to prevent further changes.

For more information, see “Security for Scheduler Partitions” in the Adaptive Partitioning User's Guide.