
Re: [XEN PATCH v1] xen/flask: limit sidtable size


  • To: Jan Beulich <jbeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Sergiy Kibrik <sergiy_kibrik@xxxxxxxx>
  • Date: Fri, 29 Aug 2025 14:33:28 +0300
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • Delivery-date: Fri, 29 Aug 2025 11:33:48 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

25.08.25 15:00, Jan Beulich:
On 22.08.2025 11:51, Sergiy Kibrik wrote:
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig

I wonder whether we wouldn't better move XSM's controls to a dedicated Kconfig
file there.

You mean something like Kconfig.xsm in the same common/ directory? Or move this Kconfig out into the xsm/ directory, with the rest of the flask code?


@@ -418,6 +418,25 @@ config XSM_FLASK_AVC_STATS
If unsure, say Y. +config XSM_FLASK_SIDTABLE_LIMIT
+       def_bool n

This makes little sense; just "bool" would have the same effect. Yet then
you can combine that with ...

+       prompt "Limit the size of SID table" if EXPERT

... this line.

+       depends on XSM_FLASK
+       ---help---

No triple dashes around "help" anymore, please.

+         Limit the number of security identifiers allocated and operated by 
Xen.
+         This will limit the number of security contexts and heap memory
+         allocated for SID table entries.
+
+         If unsure, say N.
+
+config XSM_FLASK_MAX_SID
+       int "Max SID table size" if XSM_FLASK_SIDTABLE_LIMIT
+       default 512
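Review bot: XSM_FLASK_MAX_SID carries no `range`, so once XSM_FLASK_SIDTABLE_LIMIT is enabled the `int` prompt accepts 0 or a negative value, which leaves no room even for the SIDs FLASK needs at start; add a `range` whose lower bound covers them. The symbol also has no `depends on XSM_FLASK` (only its prompt is conditional), so `CONFIG_XSM_FLASK_MAX_SID=512` still lands in the .config of builds without FLASK; put the dependency on the symbol itself. The help text of XSM_FLASK_SIDTABLE_LIMIT says what the option bounds but not what happens when the table is full, i.e. whether a new security context is then refused and with which error; that is what a policy author needs to know, so it should be stated there.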

Hmm, wouldn't the default better be what we had so far? As per the justification
you aim at a special case (embedded) with this limit.


Yes, we can have a default value of UINT_MAX specified here if we use a base-2 exponent as the value, and get rid of the second option.


  -Sergiy
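As an added illustration (this is not the patch under review and not Xen's own Kconfig), the fragment below shows the two shapes discussed in this thread: first the two-option form with Jan's remarks applied (plain `bool` carrying the `if EXPERT` prompt, no dashes around `help`), then the single-option form Sergiy proposes, where the value is a base-2 exponent and the default keeps the previous, effectively unlimited table. The symbol name XSM_FLASK_MAX_SID_ORDER, the `range` bounds and the help wording are assumptions made for this example.

```kconfig
# Variant A: the patch's two options, with the review comments applied.
# Hypothetical fragment written for this thread, not Xen's Kconfig.
config XSM_FLASK_SIDTABLE_LIMIT
	bool "Limit the size of SID table" if EXPERT
	depends on XSM_FLASK
	help
	  Limit the number of security identifiers (SIDs) allocated and
	  operated by Xen, and with them the number of security contexts
	  and the heap memory used for SID table entries.

	  If unsure, say N.

config XSM_FLASK_MAX_SID
	int "Max SID table size" if XSM_FLASK_SIDTABLE_LIMIT
	depends on XSM_FLASK
	# A lower bound keeps a misconfigured build from allocating a table
	# too small for the SIDs FLASK needs at start (bound chosen here as
	# an assumption; the real minimum comes from the implementation).
	range 64 1048576
	default 512

# Variant B: a single option holding a base-2 exponent. The table may
# hold up to 2^N entries; the default of 32 is meant to be turned into
# UINT_MAX by the code, so a build that never touches the option keeps
# the previous behaviour and only embedded configurations lower it.
config XSM_FLASK_MAX_SID_ORDER
	int "Max SID table size (log2 of the entry count)" if EXPERT
	depends on XSM_FLASK
	range 6 32
	default 32
	help
	  Upper bound on the number of security identifiers, expressed as
	  a power of two. 32 leaves the table effectively unlimited; smaller
	  values cap the number of security contexts and the heap memory
	  used for SID table entries.

	  If unsure, leave the default.
```

With variant B a reader of the .config sees one symbol, and the "limit enabled" case is simply any value below 32, which is what Sergiy's reply aims at; the `range` lower bound exists in both variants so that `make oldconfig` cannot produce a table size the code cannot work with.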
