On 22.08.2025 11:51, Sergiy Kibrik wrote: > --- a/xen/common/Kconfig > +++ b/xen/common/Kconfig
I wonder whether we wouldn't better move XSM's controls to a dedicated Kconfig file there. > @@ -418,6 +418,25 @@ config XSM_FLASK_AVC_STATS > > If unsure, say Y. > > +config XSM_FLASK_SIDTABLE_LIMIT > + def_bool n This makes little sense; just "bool" would have the same effect. Yet then you can combine that with ... > + prompt "Limit the size of SID table" if EXPERT ... this line. > + depends on XSM_FLASK > + ---help--- No triple dashes around "help" anymore, please. > + Limit the number of security identifiers allocated and operated by > Xen. > + This will limit the number of security contexts and heap memory > + allocated for SID table entries. > + > + If unsure, say N. > + > +config XSM_FLASK_MAX_SID > + int "Max SID table size" if XSM_FLASK_SIDTABLE_LIMIT > + default 512 Hmm, wouldn't the default better be what we had so far? As per the justification you aim at a special case (embedded) with this limit. > + help > + The maximum amount of SIDs allocated by Xen. Default value is > + approximately double the size of contexts that default Xen policy can > + potentially have. Do we need two controls? Can't 0 mean "no limit"? Or else what use is permitting 0 here as a value? Jan
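Review bot: in the XSM_FLASK_MAX_SID entry only the prompt is conditional (`int "Max SID table size" if XSM_FLASK_SIDTABLE_LIMIT`) and there is no `depends on` line, so the symbol is still defined with its `default 512` when XSM_FLASK_SIDTABLE_LIMIT, or XSM_FLASK itself, is disabled. Adding `depends on XSM_FLASK_SIDTABLE_LIMIT`, or folding both controls into one symbol, would keep the value out of configurations that do not use it. The entry also has no `range`, so zero and negative values are accepted, and the help text does not say what happens once the limit is reached; a lower bound and one sentence on the behaviour at the limit would close both gaps.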