Security for Scheduler Partitions

By default, anyone on the system can add partitions and modify their attributes. We recommend that you use the SCHED_APS_ADD_SECURITY command to SchedCtl(), or the aps command to specify the level of security that suits your system.

The following table shows the main security options (including both the security policy for the -s option for the aps command and the corresponding SchedCtl() flag), in increasing order of security. For information about enabling PROCMGR_AID_APS_ROOT, see the entry for procmgr_ability() in the C Library Reference.

aps policy (SchedCtl() flag): description

none (SCHED_APS_SEC_OFF)
    Anyone on the system can add partitions and modify their attributes.

basic (SCHED_APS_SEC_BASIC)
    Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can change the overall scheduling parameters. Processes with PROCMGR_AID_APS_ROOT enabled and running in any partition can set critical budgets.

flexible (SCHED_APS_SEC_FLEXIBLE)
    Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can change scheduling parameters. However, processes with PROCMGR_AID_APS_ROOT enabled and running in any partition can create subpartitions, join threads into their own subpartitions, modify subpartitions, and change critical budgets. This lets applications create their own local subpartitions out of their own budgets. The percentage for budgets must not be zero.

recommended (SCHED_APS_SEC_RECOMMENDED)
    Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can create partitions or change parameters. This creates a two-level hierarchy of partitions: the System partition and its children. Only processes with PROCMGR_AID_APS_ROOT enabled and running in the System partition can join their own threads to partitions. The percentage for budgets must not be zero.

Note: Unless you're testing the partitioning aspects and want to change all of the parameters without restarting, you should set at least basic security.

After setting up the scheduler partitions, you can use SCHED_APS_SEC_PARTITIONS_LOCKED to prevent further unauthorized changes. For example:

#include <stdio.h>
#include <sys/sched_aps.h>

sched_aps_security_parms p;

APS_INIT_DATA( &p );                 /* initialize every member before the call */
p.sec_flags = SCHED_APS_SEC_PARTITIONS_LOCKED;
if ( SchedCtl( SCHED_APS_ADD_SECURITY, &p, sizeof(p) ) == -1 ) {
    perror( "SchedCtl(SCHED_APS_ADD_SECURITY)" );   /* -1 means the request was refused; errno says why */
}
Note: Before you call SchedCtl(), ensure that you initialize all the members of the data structure associated with the command. You can use the APS_INIT_DATA() macro to do this.

The security options listed above are combinations of individual options (but it's more convenient to use the compound options):

#define SCHED_APS_SEC_BASIC        (SCHED_APS_SEC_ROOT0_OVERALL | SCHED_APS_SEC_ROOT_MAKES_CRITICAL)

#define SCHED_APS_SEC_FLEXIBLE     (SCHED_APS_SEC_BASIC | SCHED_APS_SEC_NONZERO_BUDGETS |\
                                    SCHED_APS_SEC_ROOT_MAKES_PARTITIONS |\
                                    SCHED_APS_SEC_PARENT_JOINS | SCHED_APS_SEC_PARENT_MODIFIES )

#define SCHED_APS_SEC_RECOMMENDED  (SCHED_APS_SEC_FLEXIBLE | SCHED_APS_SEC_SYS_MAKES_PARTITIONS |\
                                    SCHED_APS_SEC_SYS_JOINS | SCHED_APS_SEC_JOIN_SELF_ONLY)

#define SCHED_APS_SEC_OFF          0x00000000

The individual options are as follows:

aps option (SchedCtl() flag): description

root0_overall (SCHED_APS_SEC_ROOT0_OVERALL)
    You must have PROCMGR_AID_APS_ROOT enabled and be in the System partition in order to change the overall scheduling parameters, such as the averaging window size.

root_makes_partitions (SCHED_APS_SEC_ROOT_MAKES_PARTITIONS)
    You must have PROCMGR_AID_APS_ROOT enabled in order to create or modify partitions.

sys_makes_partitions (SCHED_APS_SEC_SYS_MAKES_PARTITIONS)
    You must be running in the System partition in order to create or modify partitions.

parent_modifies (SCHED_APS_SEC_PARENT_MODIFIES)
    Allows partitions to be modified (SCHED_APS_MODIFY_PARTITION), but you must be running in the parent partition of the partition being modified. Modify means to change a partition's percentage or critical budget, or attach events with the SCHED_APS_ATTACH_EVENTS command.

nonzero_budgets (SCHED_APS_SEC_NONZERO_BUDGETS)
    A partition may not be created with, or modified to have, a zero budget. Unless you know your partition needs to run only in response to client requests, i.e., receipt of messages, you should set this option.

root_makes_critical (SCHED_APS_SEC_ROOT_MAKES_CRITICAL)
    You must have PROCMGR_AID_APS_ROOT enabled in order to create a nonzero critical budget or change an existing critical budget.

sys_makes_critical (SCHED_APS_SEC_SYS_MAKES_CRITICAL)
    You must be running in the System partition to create a nonzero critical budget or change an existing critical budget.

root_joins (SCHED_APS_SEC_ROOT_JOINS)
    You must have PROCMGR_AID_APS_ROOT enabled in order to join a thread to a partition.

sys_joins (SCHED_APS_SEC_SYS_JOINS)
    You must be running in the System partition in order to join a thread.

parent_joins (SCHED_APS_SEC_PARENT_JOINS)
    You must be running in the parent partition of the partition you wish to join.

join_self_only (SCHED_APS_SEC_JOIN_SELF_ONLY)
    A process may join only itself to a partition.

partitions_locked (SCHED_APS_SEC_PARTITIONS_LOCKED)
    Prevent further changes to any partition's budget, or overall scheduling parameters, such as the window size. Set this after you've set up your partitions.
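As an added illustration of how the individual options combine into the compound policies (this is a model written for this page, not QNX code, and the SEC_* bit positions, the caller_t fields and the may_*() functions are assumptions; the real flag values live in <sys/sched_aps.h>), the following composes basic, flexible and recommended exactly as the #defines above do and answers the access questions from the two tables, including who may set a critical budget, which is what makes critical threads safe to mark freely:

```c
/* Added example, not QNX code: a model of how the individual
 * SCHED_APS_SEC_* options combine into the compound policies.
 * Bit positions are hypothetical; the real values are in <sys/sched_aps.h>. */
#include <stdbool.h>
enum {                                  /* hypothetical bit assignments */
    SEC_ROOT0_OVERALL         = 1u << 0,
    SEC_ROOT_MAKES_PARTITIONS = 1u << 1,
    SEC_SYS_MAKES_PARTITIONS  = 1u << 2,
    SEC_PARENT_MODIFIES       = 1u << 3,
    SEC_NONZERO_BUDGETS       = 1u << 4,
    SEC_ROOT_MAKES_CRITICAL   = 1u << 5,
    SEC_SYS_MAKES_CRITICAL    = 1u << 6,
    SEC_PARENT_JOINS          = 1u << 7,
    SEC_SYS_JOINS             = 1u << 8,
    SEC_JOIN_SELF_ONLY        = 1u << 9,
};
/* Compound policies, composed exactly as the page's #defines do. */
#define SEC_OFF         0x00000000
#define SEC_BASIC       (SEC_ROOT0_OVERALL | SEC_ROOT_MAKES_CRITICAL)
#define SEC_FLEXIBLE    (SEC_BASIC | SEC_NONZERO_BUDGETS | SEC_ROOT_MAKES_PARTITIONS | \
                         SEC_PARENT_JOINS | SEC_PARENT_MODIFIES)
#define SEC_RECOMMENDED (SEC_FLEXIBLE | SEC_SYS_MAKES_PARTITIONS | SEC_SYS_JOINS | \
                         SEC_JOIN_SELF_ONLY)
typedef struct {
    bool has_aps_root;   /* PROCMGR_AID_APS_ROOT enabled for the caller */
    bool in_system;      /* caller runs in the System partition */
} caller_t;
/* May the caller create a partition with this budget percentage? */
bool may_create_partition(unsigned sec, const caller_t *c, int budget_pct) {
    if ((sec & SEC_NONZERO_BUDGETS) && budget_pct == 0) return false;
    if ((sec & SEC_ROOT_MAKES_PARTITIONS) && !c->has_aps_root) return false;
    if ((sec & SEC_SYS_MAKES_PARTITIONS) && !c->in_system) return false;
    return true;
}
/* May the caller create a nonzero critical budget or change an existing one? */
bool may_set_critical(unsigned sec, const caller_t *c) {
    if ((sec & SEC_ROOT_MAKES_CRITICAL) && !c->has_aps_root) return false;
    if ((sec & SEC_SYS_MAKES_CRITICAL) && !c->in_system) return false;
    return true;
}
/* May the caller change overall parameters such as the averaging window size? */
bool may_change_overall(unsigned sec, const caller_t *c) {
    if ((sec & SEC_ROOT0_OVERALL) && !(c->has_aps_root && c->in_system)) return false;
    return true;
}
```

Under flexible, a process with PROCMGR_AID_APS_ROOT in an application partition may carve out a subpartition; under recommended, the same caller is refused because SEC_SYS_MAKES_PARTITIONS is also set.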

Security and critical threads

Any thread can make itself critical, and any designer can make any sigevent critical (meaning that it will cause the eventual receiver to run as critical), but this isn't a security issue. That's because a thread marked as critical has no effect on the thread scheduler unless the thread is in a partition that has a critical budget. The thread scheduler has security options that control who may set or change a partition's critical budget.

For the system to be secure against possible critical thread abuse, it's important to: