Currently Xen lacks a defined largest number of security IDs it can potentially use. The number of SIDs are naturally limited by number of security contexts provided by a given security policy, i.e. how many combination of user, role and type there can be, and is dependant on the policy being used. Since the policy is generally not known in advance the size of sidtable in Xen has a rather high limit of UINT_MAX entries.
However in the embedded environment configured for safety it is desirable to avoid guest-triggered dynamic memory allocations at runtime, or at least limit them to some decent and predictable amounts. This patch provides a configuration option to impose such a limit. Signed-off-by: Sergiy Kibrik <sergiy_kib...@epam.com> CC: Jan Beulich <jbeul...@suse.com> --- After RFC patch discussion it's been suggested to use Kconfig option instead of estimation of sidtable size at build time: https://lore.kernel.org/xen-devel/20250630085559.554334-1-sergiy_kib...@epam.com/ -Sergiy --- xen/common/Kconfig | 19 +++++++++++++++++++ xen/xsm/flask/ss/sidtab.c | 8 +++++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 76f9ce705f..f956a93fb3 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -418,6 +418,25 @@ config XSM_FLASK_AVC_STATS If unsure, say Y. +config XSM_FLASK_SIDTABLE_LIMIT + def_bool n + prompt "Limit the size of SID table" if EXPERT + depends on XSM_FLASK + ---help--- + Limit the number of security identifiers allocated and operated by Xen. + This will limit the number of security contexts and heap memory + allocated for SID table entries. + + If unsure, say N. + +config XSM_FLASK_MAX_SID + int "Max SID table size" if XSM_FLASK_SIDTABLE_LIMIT + default 512 + help + The maximum amount of SIDs allocated by Xen. Default value is + approximately double the size of contexts that default Xen policy can + potentially have. + config XSM_FLASK_POLICY bool "Compile Xen with a built-in FLASK security policy" default y if "$(XEN_HAS_CHECKPOLICY)" = "y" diff --git a/xen/xsm/flask/ss/sidtab.c b/xen/xsm/flask/ss/sidtab.c index 69fc3389b3..1dd0700b8c 100644 --- a/xen/xsm/flask/ss/sidtab.c +++ b/xen/xsm/flask/ss/sidtab.c @@ -14,6 +14,12 @@ #include "security.h" #include "sidtab.h" +#ifdef CONFIG_XSM_FLASK_SIDTABLE_LIMIT +#define SID_LIMIT CONFIG_XSM_FLASK_MAX_SID +#else +#define SID_LIMIT UINT_MAX +#endif + #define SIDTAB_HASH(sid) ((sid) & SIDTAB_HASH_MASK) #define INIT_SIDTAB_LOCK(s) spin_lock_init(&(s)->lock) @@ -228,7 +234,7 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context, if ( sid ) goto unlock_out; /* No SID exists for the context. Allocate a new one. */ - if ( s->next_sid == UINT_MAX || s->shutdown ) + if ( s->next_sid == SID_LIMIT || s->shutdown ) { ret = -ENOMEM; goto unlock_out; -- 2.25.1
