[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [XEN PATCH v2] xen/flask: limit sidtable size

  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
  • From: Sergiy Kibrik <sergiy_kibrik@xxxxxxxx>
  • Date: Fri, 26 Sep 2025 09:32:36 +0300
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=m4ah3Tq65ga8DUMZGxx2igrEChh0oFq2p5n4iT/UrUU=; b=H0n2zMMlsmAHC+Jb5z/cAKackkFngunvRiktl1q7Yf/VcobRS3Qmjeo5DmzzrqDCnWiDje06KSUD5FX3jedRYkbAGSZf0/h1dlBnrHyIFH/X2rQVnLooaS5/oErWacGOjNpg97dg7cXiFswk9KSUu6MYueLccgrEJUdB/BimeNNIFnlewSEcGAFjjcc86cjsm2GK801pnXF1zu5knko+ofZLUPc5iLsJ2fbpThxnwZ2gdl2WKdtwMAtZUntEdNAuVYJWOQF74zyP0xTS7856FBNmIHPtVta3PlvYty7BGroAkWomsQZE/3J8tX0tr+o5utKYVoT3ZA/12qvwF4EHZw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=VNLUr2yUHIVT59pl8K+2UUS3fmJJxPHm9lCtPTquEbHRLi5vRlVESlSHPDCECZn50rtqgRRSnNRoGLc/v1EHKYZkYMx/UtrXsXRHIM35TmHt8osCuMHTTGmNOGOhTOO/l+RwC2Mfomn/CQc6wculflAjnnTDCYUhWBvGGM9x99WXcefSSFiB0hQ9PB16YgYC4ZaGHJKUg3OM1TTjwYDtpuTIFyxxSLg4oFfpZl14cxqBNWjPlS8NzMA2f+tanyIR0K6eSuToVIQhKn/UoquiODuUwry0vUiCO7LrbRLwqBgB5qeGM+w74QZ62QAPOHol6QI6dFkAw8hgmHaCvHv/3g==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 26 Sep 2025 06:32:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
06.09.25 01:01, Daniel P. Smith:

Hi Sergiy,
If you don't mind, please CC me directly, as I am the only XSM maintainer for which you will need my Ack. And for whatever reason, I cannot find the v2 post in my xen-devel folder. If you want to resend me v2, it would be greatly appreciated. 



yes, sure



On 9/2/25 05:41, Jan Beulich wrote:

On 01.09.2025 12:52, Sergiy Kibrik wrote:

--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -418,6 +418,17 @@ config XSM_FLASK_AVC_STATS
If unsure, say Y. +config XSM_FLASK_SIDTABLE_ORDER 
+       int "Maximum number of security identifiers (base-2 exponent)" if EXPERT
+       range 4 32
+       default 32

When 32 is chosen (i.e. also the default when the prompt is hidden), ...


--- a/xen/xsm/flask/ss/sidtab.c
+++ b/xen/xsm/flask/ss/sidtab.c
@@ -14,6 +14,8 @@
  #include "security.h"
  #include "sidtab.h"
+#define SID_LIMIT ((1UL << CONFIG_XSM_FLASK_SIDTABLE_ORDER) - 1) 
... for Arm32 I expect either already the compiler will not like this construct,
or the latest an UBSAN checker would object.



you're right, arm32 toolchain is not building this.
Would the following be acceptable then? :

#define SID_LIMIT ((1ULL << CONFIG_XSM_FLASK_SIDTABLE_ORDER) - 1)

  -Sergiy

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.