[XEN PATCH v2] xen/flask: limit sidtable size
Currently Xen lacks a defined largest number of security IDs it can potentially use. The number of SIDs is naturally limited by the number of security contexts provided by a given security policy, i.e. how many combinations of user, role and type there can be, and is dependent on the policy being used. Since the policy is generally not known in advance, the size of sidtable in Xen has a rather high limit of UINT_MAX entries.

However in the embedded environment configured for safety it is desirable to avoid guest-triggered dynamic memory allocations at runtime, or at least limit them to some decent and predictable amounts. This patch provides a configuration option to impose such a limit.

Signed-off-by: Sergiy Kibrik <Sergiy_Kibrik@xxxxxxxx>
CC: Jan Beulich <jbeulich@xxxxxxxx>
---
changes in v2:
 - use one config option instead of 2
 - use base 2 exponent
patch v1 here: https://lore.kernel.org/xen-devel/20250822095123.998313-1-Sergiy_Kibrik@xxxxxxxx/

 -Sergiy
---
xen/common/Kconfig | 11 +++++++++++ xen/xsm/flask/ss/sidtab.c | 4 +++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 76f9ce705f..83bc9870dc 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -418,6 +418,17 @@ config XSM_FLASK_AVC_STATS If unsure, say Y. +config XSM_FLASK_SIDTABLE_ORDER + int "Maximum number of security identifiers (base-2 exponent)" if EXPERT + range 4 32 + default 32 + depends on XSM_FLASK + help + Limit the number of security identifiers allocated and operated by Xen. + The value is a base-2 exponent. This will set the max number of SIDs + and hence the max number of security contexts and heap memory + allocated for SID table entries. + config XSM_FLASK_POLICY bool "Compile Xen with a built-in FLASK security policy" default y if "$(XEN_HAS_CHECKPOLICY)" = "y" diff --git a/xen/xsm/flask/ss/sidtab.c b/xen/xsm/flask/ss/sidtab.c index 69fc3389b3..0081abdc86 100644 --- a/xen/xsm/flask/ss/sidtab.c +++ b/xen/xsm/flask/ss/sidtab.c 
@@ -14,6 +14,8 @@ #include "security.h" #include "sidtab.h" +#define SID_LIMIT ((1UL << CONFIG_XSM_FLASK_SIDTABLE_ORDER) - 1) + #define SIDTAB_HASH(sid) ((sid) & SIDTAB_HASH_MASK) #define INIT_SIDTAB_LOCK(s) spin_lock_init(&(s)->lock) @@ -228,7 +230,7 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context, if ( sid ) goto unlock_out; /* No SID exists for the context. Allocate a new one. */ - if ( s->next_sid == UINT_MAX || s->shutdown ) + if ( s->next_sid == SID_LIMIT || s->shutdown ) { ret = -ENOMEM; goto unlock_out; -- 2.25.1
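Review bot: The help text for XSM_FLASK_SIDTABLE_ORDER in the xen/common/Kconfig hunk is missing the facts an integrator needs to pick a value. It says the value is a base-2 exponent but not that the resulting ceiling is 2^N - 1 SIDs (per the SID_LIMIT define in sidtab.c), that the default of 32 keeps the previous UINT_MAX behaviour, or that hitting the ceiling makes sidtab_context_to_sid() fail with -ENOMEM. Please add those three points, and a short rationale for the lower bound of 4 (a ceiling of 15 SIDs) so it is clear that value is usable with a real policy.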
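Review bot: The SID_LIMIT define added at the top of xen/xsm/flask/ss/sidtab.c shifts 1UL by CONFIG_XSM_FLASK_SIDTABLE_ORDER, and the Kconfig range allows (and defaults to) 32. On a build where unsigned long is 32 bits wide that is a shift by the full width of the type, which is undefined behaviour in C, so the default configuration would no longer be guaranteed to evaluate to UINT_MAX. Use a 64-bit constant (1ULL) for the shift, or special-case order 32 to UINT_MAX, and add a one-line comment saying that the limit is 2^order - 1.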
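Review bot: The bound check in the sidtab_context_to_sid() hunk keeps the equality test, "if ( s->next_sid == SID_LIMIT || s->shutdown )". That was adequate against UINT_MAX, which next_sid cannot exceed, but with a configurable and possibly small SID_LIMIT it only holds if next_sid is guaranteed to start at or below the limit and to advance by exactly one. If next_sid can ever already be above SID_LIMIT when this path runs, the test never fires and allocation continues past the configured cap. Comparing with >= makes the limit hold regardless of the starting value; if the starting value is known to be below the minimum limit, a comment or build-time assertion stating that would document why == is sufficient.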