
[Xen-devel] [PATCH 15/22] xen: domctl XSM hook removal



A number of the domctl XSM hooks do nothing except pass the domain and
operation ID, making them redundant with the xsm_domctl hook. Remove
these redundant hooks.

The remaining domctls all use individual hooks because they pass extra
details of the call to the XSM module in order to allow a more
fine-grained access decision to be made - for example, considering the
exact device or memory range being set up for guest access.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Cc: Keir Fraser <keir@xxxxxxx>
Cc: Jan Beulich <jbeulich@xxxxxxxx>
---
 xen/arch/x86/domctl.c   |  76 +---------
 xen/common/domctl.c     |  59 +-------
 xen/include/xsm/dummy.h | 135 -----------------
 xen/include/xsm/xsm.h   | 161 ---------------------
 xen/xsm/dummy.c         |  27 ----
 xen/xsm/flask/hooks.c   | 378 ++++++++++++------------------------------------
 6 files changed, 98 insertions(+), 738 deletions(-)

diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 10558a0..6ab2006 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -97,10 +97,6 @@ long arch_do_domctl(
 
         page = mfn_to_page(mfn);
 
-        ret = xsm_getpageframeinfo(d);
-        if ( ret )
-            break;
-
         if ( likely(get_page(page, d)) )
         {
             ret = 0;
@@ -141,10 +137,6 @@ long arch_do_domctl(
             struct page_info *page;
             xen_pfn_t *arr;
 
-            ret = xsm_getpageframeinfo(d);
-            if ( ret )
-                break;
-
             if ( unlikely(num > 1024) ||
                  unlikely(num != domctl->u.getpageframeinfo3.num) )
             {
@@ -239,10 +231,6 @@ long arch_do_domctl(
         int num = domctl->u.getpageframeinfo2.num;
         uint32_t *arr32;
 
-        ret = xsm_getpageframeinfo(d);
-        if ( ret )
-            break;
-
         if ( unlikely(num > 1024) )
         {
             ret = -E2BIG;
@@ -334,10 +322,6 @@ long arch_do_domctl(
         uint64_t mfn;
         struct page_info *page;
 
-        ret = xsm_getmemlist(d);
-        if ( ret )
-            break;
-
         if ( unlikely(d->is_dying) ) {
             ret = -EINVAL;
             break;
@@ -373,10 +357,6 @@ long arch_do_domctl(
         struct page_info *page;
         void *hypercall_page;
 
-        ret = xsm_hypercall_init(d);
-        if ( ret )
-            break;
-
         page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC);
 
         ret = -EACCES;
@@ -401,10 +381,6 @@ long arch_do_domctl(
     { 
         struct hvm_domain_context c = { .size = domctl->u.hvmcontext.size };
 
-        ret = xsm_hvmcontext(d, domctl->cmd);
-        if ( ret )
-            goto sethvmcontext_out;
-
         ret = -EINVAL;
         if ( !is_hvm_domain(d) ) 
             goto sethvmcontext_out;
@@ -431,10 +407,6 @@ long arch_do_domctl(
     { 
         struct hvm_domain_context c = { 0 };
 
-        ret = xsm_hvmcontext(d, domctl->cmd);
-        if ( ret )
-            goto gethvmcontext_out;
-
         ret = -EINVAL;
         if ( !is_hvm_domain(d) ) 
             goto gethvmcontext_out;
@@ -477,10 +449,6 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_gethvmcontext_partial:
     { 
-        ret = xsm_hvmcontext(d, domctl->cmd);
-        if ( ret )
-            break;
-
         ret = -EINVAL;
         if ( !is_hvm_domain(d) ) 
             break;
@@ -496,10 +464,6 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_set_address_size:
     {
-        ret = xsm_address_size(d, domctl->cmd);
-        if ( ret )
-            break;
-
         switch ( domctl->u.address_size.size )
         {
         case 32:
@@ -517,10 +481,6 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_get_address_size:
     {
-        ret = xsm_address_size(d, domctl->cmd);
-        if ( ret )
-            break;
-
         domctl->u.address_size.size =
             is_pv_32on64_domain(d) ? 32 : BITS_PER_LONG;
 
@@ -531,10 +491,6 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_set_machine_address_size:
     {
-        ret = xsm_machine_address_size(d, domctl->cmd);
-        if ( ret )
-            break;
-
         ret = -EBUSY;
         if ( d->tot_pages > 0 )
             break;
@@ -547,10 +503,6 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_get_machine_address_size:
     {
-        ret = xsm_machine_address_size(d, domctl->cmd);
-        if ( ret )
-            break;
-
         domctl->u.address_size.size = d->arch.physaddr_bitsize;
 
         ret = 0;
@@ -562,10 +514,6 @@ long arch_do_domctl(
     {
         struct vcpu *v;
 
-        ret = xsm_sendtrigger(d);
-        if ( ret )
-            break;
-
         ret = -EINVAL;
         if ( domctl->u.sendtrigger.vcpu >= MAX_VIRT_CPUS )
             break;
@@ -832,10 +780,6 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_pin_mem_cacheattr:
     {
-        ret = xsm_pin_mem_cacheattr(d);
-        if ( ret )
-            break;
-
         ret = hvm_set_mem_pinned_cacheattr(
             d, domctl->u.pin_mem_cacheattr.start,
             domctl->u.pin_mem_cacheattr.end,
@@ -851,10 +795,6 @@ long arch_do_domctl(
 
         evc = &domctl->u.ext_vcpucontext;
 
-        ret = xsm_ext_vcpucontext(d, domctl->cmd);
-        if ( ret )
-            break;
-
         ret = -ESRCH;
         if ( (evc->vcpu >= d->max_vcpus) ||
              ((v = d->vcpu[evc->vcpu]) == NULL) )
@@ -1118,10 +1058,6 @@ long arch_do_domctl(
 
         evc = &domctl->u.vcpuextstate;
 
-        ret = xsm_vcpuextstate(d, domctl->cmd);
-        if ( ret )
-            goto vcpuextstate_out;
-
         ret = -ESRCH;
         if ( (evc->vcpu >= d->max_vcpus) ||
              ((v = d->vcpu[evc->vcpu]) == NULL) )
@@ -1231,9 +1167,7 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_mem_sharing_op:
     {
-        ret = xsm_mem_sharing(d);
-        if ( !ret )
-            ret = mem_sharing_domctl(d, &domctl->u.mem_sharing_op);
+        ret = mem_sharing_domctl(d, &domctl->u.mem_sharing_op);
     }
     break;
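Review bot: With the per-op hook gone, `ret = mem_sharing_domctl(d, &domctl->u.mem_sharing_op);` is reached with no access check in the case itself, so authorization for this domctl rests entirely on the generic xsm_domctl(d, cmd) call, which is made outside this hunk and is not visible in the patch text. The same holds for the `p2m->access_required` write in the next hunk, where `ret = 0;` is now unconditional. I would leave a one-line comment at each site, e.g. `/* Authorized by xsm_domctl() before dispatch; no per-op hook. */`. Please also confirm that flask_domctl carries an explicit case for both commands, since the part of flask/hooks.c that would show them lies beyond the visible text. arch_do_domctl's body starts and ends outside the hunk.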
 
@@ -1263,11 +1197,9 @@ long arch_do_domctl(
         if ( current->domain == d )
             break;
 
-        ret = xsm_mem_event_setup(d);
-        if ( !ret ) {
-            p2m = p2m_get_hostp2m(d);
-            p2m->access_required = domctl->u.access_required.access_required;
-        }
+        ret = 0;
+        p2m = p2m_get_hostp2m(d);
+        p2m->access_required = domctl->u.access_required.access_required;
     }
     break;
 
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index b32e614..e1fb75d 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -290,10 +290,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
         if ( d == NULL )
             break;
 
-        ret = xsm_setvcpucontext(d);
-        if ( ret )
-            goto svc_out;
-
         ret = -EINVAL;
         if ( (d == current->domain) || /* no domain_pause() */
              (vcpu >= d->max_vcpus) || ((v = d->vcpu[vcpu]) == NULL) )
@@ -340,10 +336,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
 
     case XEN_DOMCTL_pausedomain:
     {
-        ret = xsm_pausedomain(d);
-        if ( ret )
-            break;
-
         ret = -EINVAL;
         if ( d != current->domain )
         {
@@ -355,10 +347,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
 
     case XEN_DOMCTL_unpausedomain:
     {
-        ret = xsm_unpausedomain(d);
-        if ( ret )
-            break;
-
         domain_unpause_by_systemcontroller(d);
         ret = 0;
     }
@@ -366,10 +354,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
 
     case XEN_DOMCTL_resumedomain:
     {
-        ret = xsm_resumedomain(d);
-        if ( ret )
-            break;
-
         domain_resume(d);
         ret = 0;
     }
@@ -452,10 +436,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
              (is_hvm_domain(d) && (max > MAX_HVM_VCPUS)) )
             break;
 
-        ret = xsm_max_vcpus(d);
-        if ( ret )
-            break;
-
         /* Until Xenoprof can dynamically grow its vcpu-s array... */
         if ( d->xenoprof )
         {
@@ -538,7 +518,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
 
     case XEN_DOMCTL_destroydomain:
     {
-        ret = xsm_destroydomain(d) ? : domain_kill(d);
+        ret = domain_kill(d);
     }
     break;
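Review bot: Unlike the `xsm_destroydomain` call dropped here, whose DOMAIN__DESTROY check reappears unchanged in flask_domctl, the `xsm_scheduler` hook deleted from the XEN_DOMCTL_scheduler_op case further down this file is not a like-for-like move. The removed flask_scheduler first required `domain_has_xen(current->domain, XEN__SCHEDULER)` and only then DOMAIN__SCHEDULER, while the new `case XEN_DOMCTL_scheduler_op:` in flask_domctl returns `current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SCHEDULER)` alone. That relaxes the Flask policy for this domctl, which the description, calling the hooks redundant, does not mention. Either keep the XEN__SCHEDULER check in the new case or state in the commit message that dropping it is intended. do_domctl's body continues outside the hunk.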
 
@@ -547,10 +527,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
     {
         struct vcpu *v;
 
-        ret = xsm_vcpuaffinity(op->cmd, d);
-        if ( ret )
-            break;
-
         ret = -EINVAL;
         if ( op->u.vcpuaffinity.vcpu >= d->max_vcpus )
             break;
@@ -581,10 +557,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
 
     case XEN_DOMCTL_scheduler_op:
     {
-        ret = xsm_scheduler(d);
-        if ( ret )
-            break;
-
         ret = sched_adjust(d, &op->u.scheduler_op);
         copyback = 1;
     }
@@ -627,10 +599,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
         vcpu_guest_context_u c = { .nat = NULL };
         struct vcpu         *v;
 
-        ret = xsm_getvcpucontext(d);
-        if ( ret )
-            goto getvcpucontext_out;
-
         ret = -EINVAL;
         if ( op->u.vcpucontext.vcpu >= d->max_vcpus )
             goto getvcpucontext_out;
@@ -684,10 +652,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
         struct vcpu   *v;
         struct vcpu_runstate_info runstate;
 
-        ret = xsm_getvcpuinfo(d);
-        if ( ret )
-            break;
-
         ret = -EINVAL;
         if ( op->u.getvcpuinfo.vcpu >= d->max_vcpus )
             break;
@@ -712,10 +676,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
     {
         unsigned long new_max;
 
-        ret = xsm_setdomainmaxmem(d);
-        if ( ret )
-            break;
-
         ret = -EINVAL;
         new_max = op->u.max_mem.max_memkb >> (PAGE_SHIFT-10);
 
@@ -733,10 +693,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
 
     case XEN_DOMCTL_setdomainhandle:
     {
-        ret = xsm_setdomainhandle(d);
-        if ( ret )
-            break;
-
         memcpy(d->handle, op->u.setdomainhandle.handle,
                sizeof(xen_domain_handle_t));
         ret = 0;
@@ -749,10 +705,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
         if ( d == current->domain ) /* no domain_pause() */
             break;
 
-        ret = xsm_setdebugging(d);
-        if ( ret )
-            break;
-
         domain_pause(d);
         d->debugger_attached = !!op->u.setdebugging.enable;
         domain_unpause(d); /* causes guest to latch new status */
@@ -797,10 +749,6 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
 
     case XEN_DOMCTL_settimeoffset:
     {
-        ret = xsm_domain_settime(d);
-        if ( ret )
-            break;
-
         domain_set_time_offset(d, op->u.settimeoffset.time_offset_seconds);
         ret = 0;
     }
@@ -850,10 +798,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
u_domctl)
     case XEN_DOMCTL_set_virq_handler:
     {
         uint32_t virq = op->u.set_virq_handler.virq;
-
-        ret = xsm_set_virq_handler(d, virq);
-        if ( !ret )
-            ret = set_global_virq_handler(d, virq);
+        ret = set_global_virq_handler(d, virq);
     }
     break;
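Review bot: The removed `xsm_set_virq_handler(d, virq)` passed `virq` to the security module, so this hook did not carry only the domain and operation ID, as the description says of the hooks being removed. After the change a policy can no longer distinguish which VIRQ is being rerouted. The Flask implementation of the old hook is not in the visible part of the patch, so please confirm it ignored `virq` and say so in the commit message. Minor style: the blank line between the `uint32_t virq` declaration and the first statement was dropped and is worth keeping. do_domctl's body continues outside the hunk.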
 
diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h
index 9894d8d..2b18f51 100644
--- a/xen/include/xsm/dummy.h
+++ b/xen/include/xsm/dummy.h
@@ -17,71 +17,16 @@ static XSM_INLINE void xsm_security_domaininfo(struct 
domain *d,
     return;
 }
 
-static XSM_INLINE int xsm_setvcpucontext(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_pausedomain(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_unpausedomain(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_resumedomain(struct domain *d)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_domain_create(struct domain *d, u32 ssidref)
 {
     return 0;
 }
 
-static XSM_INLINE int xsm_max_vcpus(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_destroydomain(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_vcpuaffinity(int cmd, struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_scheduler(struct domain *d)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_getdomaininfo(struct domain *d)
 {
     return 0;
 }
 
-static XSM_INLINE int xsm_getvcpucontext(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_getvcpuinfo(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_domain_settime(struct domain *d)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_set_target(struct domain *d, struct domain *e)
 {
     return 0;
@@ -113,11 +58,6 @@ static XSM_INLINE int xsm_sysctl(int cmd)
     return 0;
 }
 
-static XSM_INLINE int xsm_set_virq_handler(struct domain *d, uint32_t virq)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_tbufcontrol(void)
 {
     return 0;
@@ -133,21 +73,6 @@ static XSM_INLINE int xsm_sched_id(void)
     return 0;
 }
 
-static XSM_INLINE int xsm_setdomainmaxmem(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_setdomainhandle(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_setdebugging(struct domain *d)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_perfcontrol(void)
 {
     return 0;
@@ -493,36 +418,6 @@ static XSM_INLINE int xsm_shadow_control(struct domain *d, 
uint32_t op)
     return 0;
 }
 
-static XSM_INLINE int xsm_getpageframeinfo(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_getmemlist(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_hypercall_init(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_hvmcontext(struct domain *d, uint32_t cmd)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_address_size(struct domain *d, uint32_t cmd)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_machine_address_size(struct domain *d, uint32_t cmd)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_hvm_param(struct domain *d, unsigned long op)
 {
     if ( current->domain != d && !IS_PRIV_FOR(current->domain, d) )
@@ -558,11 +453,6 @@ static XSM_INLINE int xsm_hvm_inject_msi(struct domain *d)
     return 0;
 }
 
-static XSM_INLINE int xsm_mem_event_setup(struct domain *d)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_mem_event_control(struct domain *d, int mode, int op)
 {
     if ( !IS_PRIV(current->domain) )
@@ -577,11 +467,6 @@ static XSM_INLINE int xsm_mem_event_op(struct domain *d, 
int op)
     return 0;
 }
 
-static XSM_INLINE int xsm_mem_sharing(struct domain *d)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_mem_sharing_op(struct domain *d, struct domain *cd, 
int op)
 {
     if ( !IS_PRIV_FOR(current->domain, cd) )
@@ -708,11 +593,6 @@ static XSM_INLINE int xsm_remove_from_physmap(struct 
domain *d1, struct domain *
     return 0;
 }
 
-static XSM_INLINE int xsm_sendtrigger(struct domain *d)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_bind_pt_irq(struct domain *d, struct 
xen_domctl_bind_pt_irq *bind)
 {
     return 0;
@@ -723,21 +603,6 @@ static XSM_INLINE int xsm_unbind_pt_irq(struct domain *d, 
struct xen_domctl_bind
     return 0;
 }
 
-static XSM_INLINE int xsm_pin_mem_cacheattr(struct domain *d)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_ext_vcpucontext(struct domain *d, uint32_t cmd)
-{
-    return 0;
-}
-
-static XSM_INLINE int xsm_vcpuextstate(struct domain *d, uint32_t cmd)
-{
-    return 0;
-}
-
 static XSM_INLINE int xsm_ioport_permission(struct domain *d, uint32_t s, 
uint32_t e, uint8_t allow)
 {
     return 0;
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index a8c1d87..4676c75 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -41,29 +41,14 @@ extern xsm_initcall_t __xsm_initcall_start[], 
__xsm_initcall_end[];
 struct xsm_operations {
     void (*security_domaininfo) (struct domain *d,
                                         struct xen_domctl_getdomaininfo *info);
-    int (*setvcpucontext) (struct domain *d);
-    int (*pausedomain) (struct domain *d);
-    int (*unpausedomain) (struct domain *d);
-    int (*resumedomain) (struct domain *d);
     int (*domain_create) (struct domain *d, u32 ssidref);
-    int (*max_vcpus) (struct domain *d);
-    int (*destroydomain) (struct domain *d);
-    int (*vcpuaffinity) (int cmd, struct domain *d);
-    int (*scheduler) (struct domain *d);
     int (*getdomaininfo) (struct domain *d);
-    int (*getvcpucontext) (struct domain *d);
-    int (*getvcpuinfo) (struct domain *d);
-    int (*domain_settime) (struct domain *d);
     int (*set_target) (struct domain *d, struct domain *e);
     int (*domctl) (struct domain *d, int cmd);
     int (*sysctl) (int cmd);
-    int (*set_virq_handler) (struct domain *d, uint32_t virq);
     int (*tbufcontrol) (void);
     int (*readconsole) (uint32_t clear);
     int (*sched_id) (void);
-    int (*setdomainmaxmem) (struct domain *d);
-    int (*setdomainhandle) (struct domain *d);
-    int (*setdebugging) (struct domain *d);
     int (*perfcontrol) (void);
     int (*debug_keys) (void);
     int (*getcpuinfo) (void);
@@ -139,21 +124,13 @@ struct xsm_operations {
 
 #ifdef CONFIG_X86
     int (*shadow_control) (struct domain *d, uint32_t op);
-    int (*getpageframeinfo) (struct domain *d);
-    int (*getmemlist) (struct domain *d);
-    int (*hypercall_init) (struct domain *d);
-    int (*hvmcontext) (struct domain *d, uint32_t op);
-    int (*address_size) (struct domain *d, uint32_t op);
-    int (*machine_address_size) (struct domain *d, uint32_t op);
     int (*hvm_param) (struct domain *d, unsigned long op);
     int (*hvm_set_pci_intx_level) (struct domain *d);
     int (*hvm_set_isa_irq_level) (struct domain *d);
     int (*hvm_set_pci_link_route) (struct domain *d);
     int (*hvm_inject_msi) (struct domain *d);
-    int (*mem_event_setup) (struct domain *d);
     int (*mem_event_control) (struct domain *d, int mode, int op);
     int (*mem_event_op) (struct domain *d, int op);
-    int (*mem_sharing) (struct domain *d);
     int (*mem_sharing_op) (struct domain *d, struct domain *cd, int op);
     int (*apic) (struct domain *d, int cmd);
     int (*xen_settime) (void);
@@ -178,12 +155,8 @@ struct xsm_operations {
     int (*mmuext_op) (struct domain *d, struct domain *f);
     int (*update_va_mapping) (struct domain *d, struct domain *f, l1_pgentry_t 
pte);
     int (*add_to_physmap) (struct domain *d1, struct domain *d2);
-    int (*sendtrigger) (struct domain *d);
     int (*bind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq *bind);
     int (*unbind_pt_irq) (struct domain *d, struct xen_domctl_bind_pt_irq 
*bind);
-    int (*pin_mem_cacheattr) (struct domain *d);
-    int (*ext_vcpucontext) (struct domain *d, uint32_t cmd);
-    int (*vcpuextstate) (struct domain *d, uint32_t cmd);
     int (*ioport_permission) (struct domain *d, uint32_t s, uint32_t e, 
uint8_t allow);
     int (*ioport_mapping) (struct domain *d, uint32_t s, uint32_t e, uint8_t 
allow);
 #endif
@@ -201,71 +174,16 @@ static inline void xsm_security_domaininfo (struct domain 
*d,
     xsm_ops->security_domaininfo(d, info);
 }
 
-static inline int xsm_setvcpucontext(struct domain *d)
-{
-    return xsm_ops->setvcpucontext(d);
-}
-
-static inline int xsm_pausedomain (struct domain *d)
-{
-    return xsm_ops->pausedomain(d);
-}
-
-static inline int xsm_unpausedomain (struct domain *d)
-{
-    return xsm_ops->unpausedomain(d);
-}
-
-static inline int xsm_resumedomain (struct domain *d)
-{
-    return xsm_ops->resumedomain(d);
-}
-
 static inline int xsm_domain_create (struct domain *d, u32 ssidref)
 {
     return xsm_ops->domain_create(d, ssidref);
 }
 
-static inline int xsm_max_vcpus(struct domain *d)
-{
-    return xsm_ops->max_vcpus(d);
-}
-
-static inline int xsm_destroydomain (struct domain *d)
-{
-    return xsm_ops->destroydomain(d);
-}
-
-static inline int xsm_vcpuaffinity (int cmd, struct domain *d)
-{
-    return xsm_ops->vcpuaffinity(cmd, d);
-}
-
-static inline int xsm_scheduler (struct domain *d)
-{
-    return xsm_ops->scheduler(d);
-}
-
 static inline int xsm_getdomaininfo (struct domain *d)
 {
     return xsm_ops->getdomaininfo(d);
 }
 
-static inline int xsm_getvcpucontext (struct domain *d)
-{
-    return xsm_ops->getvcpucontext(d);
-}
-
-static inline int xsm_getvcpuinfo (struct domain *d)
-{
-    return xsm_ops->getvcpuinfo(d);
-}
-
-static inline int xsm_domain_settime (struct domain *d)
-{
-    return xsm_ops->domain_settime(d);
-}
-
 static inline int xsm_set_target (struct domain *d, struct domain *e)
 {
     return xsm_ops->set_target(d, e);
@@ -281,11 +199,6 @@ static inline int xsm_sysctl (int cmd)
     return xsm_ops->sysctl(cmd);
 }
 
-static inline int xsm_set_virq_handler (struct domain *d, uint32_t virq)
-{
-    return xsm_ops->set_virq_handler(d, virq);
-}
-
 static inline int xsm_tbufcontrol (void)
 {
     return xsm_ops->tbufcontrol();
@@ -301,21 +214,6 @@ static inline int xsm_sched_id (void)
     return xsm_ops->sched_id();
 }
 
-static inline int xsm_setdomainmaxmem (struct domain *d)
-{
-    return xsm_ops->setdomainmaxmem(d);
-}
-
-static inline int xsm_setdomainhandle (struct domain *d)
-{
-    return xsm_ops->setdomainhandle(d);
-}
-
-static inline int xsm_setdebugging (struct domain *d)
-{
-    return xsm_ops->setdebugging(d);
-}
-
 static inline int xsm_perfcontrol (void)
 {
     return xsm_ops->perfcontrol();
@@ -623,36 +521,6 @@ static inline int xsm_shadow_control (struct domain *d, 
uint32_t op)
     return xsm_ops->shadow_control(d, op);
 }
 
-static inline int xsm_getpageframeinfo (struct domain *d)
-{
-    return xsm_ops->getpageframeinfo(d);
-}
-
-static inline int xsm_getmemlist (struct domain *d)
-{
-    return xsm_ops->getmemlist(d);
-}
-
-static inline int xsm_hypercall_init (struct domain *d)
-{
-    return xsm_ops->hypercall_init(d);
-}
-
-static inline int xsm_hvmcontext (struct domain *d, uint32_t cmd)
-{
-    return xsm_ops->hvmcontext(d, cmd);
-}
-
-static inline int xsm_address_size (struct domain *d, uint32_t cmd)
-{
-    return xsm_ops->address_size(d, cmd);
-}
-
-static inline int xsm_machine_address_size (struct domain *d, uint32_t cmd)
-{
-    return xsm_ops->machine_address_size(d, cmd);
-}
-
 static inline int xsm_hvm_param (struct domain *d, unsigned long op)
 {
     return xsm_ops->hvm_param(d, op);
@@ -678,11 +546,6 @@ static inline int xsm_hvm_inject_msi (struct domain *d)
     return xsm_ops->hvm_inject_msi(d);
 }
 
-static inline int xsm_mem_event_setup (struct domain *d)
-{
-    return xsm_ops->mem_event_setup(d);
-}
-
 static inline int xsm_mem_event_control (struct domain *d, int mode, int op)
 {
     return xsm_ops->mem_event_control(d, mode, op);
@@ -693,11 +556,6 @@ static inline int xsm_mem_event_op (struct domain *d, int 
op)
     return xsm_ops->mem_event_op(d, op);
 }
 
-static inline int xsm_mem_sharing (struct domain *d)
-{
-    return xsm_ops->mem_sharing(d);
-}
-
 static inline int xsm_mem_sharing_op (struct domain *d, struct domain *cd, int 
op)
 {
     return xsm_ops->mem_sharing_op(d, cd, op);
@@ -795,11 +653,6 @@ static inline int xsm_add_to_physmap(struct domain *d1, 
struct domain *d2)
     return xsm_ops->add_to_physmap(d1, d2);
 }
 
-static inline int xsm_sendtrigger(struct domain *d)
-{
-    return xsm_ops->sendtrigger(d);
-}
-
 static inline int xsm_bind_pt_irq(struct domain *d, 
                                                 struct xen_domctl_bind_pt_irq 
*bind)
 {
@@ -812,20 +665,6 @@ static inline int xsm_unbind_pt_irq(struct domain *d,
     return xsm_ops->unbind_pt_irq(d, bind);
 }
 
-static inline int xsm_pin_mem_cacheattr(struct domain *d)
-{
-    return xsm_ops->pin_mem_cacheattr(d);
-}
-
-static inline int xsm_ext_vcpucontext(struct domain *d, uint32_t cmd)
-{
-    return xsm_ops->ext_vcpucontext(d, cmd);
-}
-static inline int xsm_vcpuextstate(struct domain *d, uint32_t cmd)
-{
-    return xsm_ops->vcpuextstate(d, cmd);
-}
-
 static inline int xsm_ioport_permission (struct domain *d, uint32_t s, 
uint32_t e, uint8_t allow)
 {
     return xsm_ops->ioport_permission(d, s, e, allow);
diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c
index 71299d5..a14a755 100644
--- a/xen/xsm/dummy.c
+++ b/xen/xsm/dummy.c
@@ -30,29 +30,14 @@ struct xsm_operations dummy_xsm_ops;
 void xsm_fixup_ops (struct xsm_operations *ops)
 {
     set_to_dummy_if_null(ops, security_domaininfo);
-    set_to_dummy_if_null(ops, setvcpucontext);
-    set_to_dummy_if_null(ops, pausedomain);
-    set_to_dummy_if_null(ops, unpausedomain);
-    set_to_dummy_if_null(ops, resumedomain);
     set_to_dummy_if_null(ops, domain_create);
-    set_to_dummy_if_null(ops, max_vcpus);
-    set_to_dummy_if_null(ops, destroydomain);
-    set_to_dummy_if_null(ops, vcpuaffinity);
-    set_to_dummy_if_null(ops, scheduler);
     set_to_dummy_if_null(ops, getdomaininfo);
-    set_to_dummy_if_null(ops, getvcpucontext);
-    set_to_dummy_if_null(ops, getvcpuinfo);
-    set_to_dummy_if_null(ops, domain_settime);
     set_to_dummy_if_null(ops, set_target);
     set_to_dummy_if_null(ops, domctl);
     set_to_dummy_if_null(ops, sysctl);
-    set_to_dummy_if_null(ops, set_virq_handler);
     set_to_dummy_if_null(ops, tbufcontrol);
     set_to_dummy_if_null(ops, readconsole);
     set_to_dummy_if_null(ops, sched_id);
-    set_to_dummy_if_null(ops, setdomainmaxmem);
-    set_to_dummy_if_null(ops, setdomainhandle);
-    set_to_dummy_if_null(ops, setdebugging);
     set_to_dummy_if_null(ops, perfcontrol);
     set_to_dummy_if_null(ops, debug_keys);
     set_to_dummy_if_null(ops, getcpuinfo);
@@ -126,21 +111,13 @@ void xsm_fixup_ops (struct xsm_operations *ops)
 
 #ifdef CONFIG_X86
     set_to_dummy_if_null(ops, shadow_control);
-    set_to_dummy_if_null(ops, getpageframeinfo);
-    set_to_dummy_if_null(ops, getmemlist);
-    set_to_dummy_if_null(ops, hypercall_init);
-    set_to_dummy_if_null(ops, hvmcontext);
-    set_to_dummy_if_null(ops, address_size);
-    set_to_dummy_if_null(ops, machine_address_size);
     set_to_dummy_if_null(ops, hvm_param);
     set_to_dummy_if_null(ops, hvm_set_pci_intx_level);
     set_to_dummy_if_null(ops, hvm_set_isa_irq_level);
     set_to_dummy_if_null(ops, hvm_set_pci_link_route);
     set_to_dummy_if_null(ops, hvm_inject_msi);
-    set_to_dummy_if_null(ops, mem_event_setup);
     set_to_dummy_if_null(ops, mem_event_control);
     set_to_dummy_if_null(ops, mem_event_op);
-    set_to_dummy_if_null(ops, mem_sharing);
     set_to_dummy_if_null(ops, mem_sharing_op);
     set_to_dummy_if_null(ops, apic);
     set_to_dummy_if_null(ops, xen_settime);
@@ -161,12 +138,8 @@ void xsm_fixup_ops (struct xsm_operations *ops)
     set_to_dummy_if_null(ops, update_va_mapping);
     set_to_dummy_if_null(ops, add_to_physmap);
     set_to_dummy_if_null(ops, remove_from_physmap);
-    set_to_dummy_if_null(ops, sendtrigger);
     set_to_dummy_if_null(ops, bind_pt_irq);
     set_to_dummy_if_null(ops, unbind_pt_irq);
-    set_to_dummy_if_null(ops, pin_mem_cacheattr);
-    set_to_dummy_if_null(ops, ext_vcpucontext);
-    set_to_dummy_if_null(ops, vcpuextstate);
     set_to_dummy_if_null(ops, ioport_permission);
     set_to_dummy_if_null(ops, ioport_mapping);
 #endif
diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c
index 7707ac2..d137146 100644
--- a/xen/xsm/flask/hooks.c
+++ b/xen/xsm/flask/hooks.c
@@ -484,26 +484,6 @@ static void flask_security_domaininfo(struct domain *d,
     info->ssidref = domain_sid(d);
 }
 
-static int flask_setvcpucontext(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT);
-}
-
-static int flask_pausedomain(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__PAUSE);
-}
-
-static int flask_unpausedomain(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__UNPAUSE);
-}
-
-static int flask_resumedomain(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__RESUME);
-}
-
 static int flask_domain_create(struct domain *d, u32 ssidref)
 {
     int rc;
@@ -532,66 +512,11 @@ static int flask_domain_create(struct domain *d, u32 
ssidref)
     return rc;
 }
 
-static int flask_max_vcpus(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS);
-}
-
-static int flask_destroydomain(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY);
-}
-
-static int flask_vcpuaffinity(int cmd, struct domain *d)
-{
-    u32 perm;
-
-    switch ( cmd )
-    {
-    case XEN_DOMCTL_setvcpuaffinity:
-        perm = DOMAIN__SETVCPUAFFINITY;
-        break;
-    case XEN_DOMCTL_getvcpuaffinity:
-        perm = DOMAIN__GETVCPUAFFINITY;
-        break;
-    default:
-        return -EPERM;
-    }
-
-    return current_has_perm(d, SECCLASS_DOMAIN, perm );
-}
-
-static int flask_scheduler(struct domain *d)
-{
-    int rc = 0;
-
-    rc = domain_has_xen(current->domain, XEN__SCHEDULER);
-    if ( rc )
-        return rc;
-
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SCHEDULER);
-}
-
 static int flask_getdomaininfo(struct domain *d)
 {
     return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETDOMAININFO);
 }
 
-static int flask_getvcpucontext(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT);
-}
-
-static int flask_getvcpuinfo(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUINFO);
-}
-
-static int flask_domain_settime(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETTIME);
-}
-
 static int flask_set_target(struct domain *d, struct domain *t)
 {
     int rc;
@@ -622,62 +547,121 @@ static int flask_domctl(struct domain *d, int cmd)
     {
     /* These have individual XSM hooks (common/domctl.c) */
     case XEN_DOMCTL_createdomain:
+    case XEN_DOMCTL_getdomaininfo:
+    case XEN_DOMCTL_irq_permission:
+    case XEN_DOMCTL_iomem_permission:
+    case XEN_DOMCTL_set_target:
+#ifdef CONFIG_X86
+    /* These have individual XSM hooks (arch/x86/domctl.c) */
+    case XEN_DOMCTL_shadow_op:
+    case XEN_DOMCTL_ioport_permission:
+    case XEN_DOMCTL_bind_pt_irq:
+    case XEN_DOMCTL_unbind_pt_irq:
+    case XEN_DOMCTL_memory_mapping:
+    case XEN_DOMCTL_ioport_mapping:
+    case XEN_DOMCTL_mem_event_op:
+    /* These have individual XSM hooks (drivers/passthrough/iommu.c) */
+    case XEN_DOMCTL_get_device_group:
+    case XEN_DOMCTL_test_assign_device:
+    case XEN_DOMCTL_assign_device:
+    case XEN_DOMCTL_deassign_device:
+#endif
+        return 0;
+
     case XEN_DOMCTL_destroydomain:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__DESTROY);
+
     case XEN_DOMCTL_pausedomain:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__PAUSE);
+
     case XEN_DOMCTL_unpausedomain:
-    case XEN_DOMCTL_getdomaininfo:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__UNPAUSE);
+
     case XEN_DOMCTL_setvcpuaffinity:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUAFFINITY);
+
+    case XEN_DOMCTL_getvcpuaffinity:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUAFFINITY);
+
+    case XEN_DOMCTL_resumedomain:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__RESUME);
+
+    case XEN_DOMCTL_scheduler_op:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SCHEDULER);
+
+    case XEN_DOMCTL_max_vcpus:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__MAX_VCPUS);
+
     case XEN_DOMCTL_max_mem:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINMAXMEM);
+
+    case XEN_DOMCTL_setdomainhandle:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE);
+
     case XEN_DOMCTL_setvcpucontext:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUCONTEXT);
+
     case XEN_DOMCTL_getvcpucontext:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUCONTEXT);
+
     case XEN_DOMCTL_getvcpuinfo:
-    case XEN_DOMCTL_max_vcpus:
-    case XEN_DOMCTL_scheduler_op:
-    case XEN_DOMCTL_setdomainhandle:
-    case XEN_DOMCTL_setdebugging:
-    case XEN_DOMCTL_irq_permission:
-    case XEN_DOMCTL_iomem_permission:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUINFO);
+
     case XEN_DOMCTL_settimeoffset:
-    case XEN_DOMCTL_getvcpuaffinity:
-    case XEN_DOMCTL_resumedomain:
-    case XEN_DOMCTL_set_target:
-    case XEN_DOMCTL_set_virq_handler:
-#ifdef CONFIG_X86
-    /* These have individual XSM hooks (arch/x86/domctl.c) */
-    case XEN_DOMCTL_shadow_op:
-    case XEN_DOMCTL_ioport_permission:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETTIME);
+
+    case XEN_DOMCTL_setdebugging:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDEBUGGING);
+
     case XEN_DOMCTL_getpageframeinfo:
     case XEN_DOMCTL_getpageframeinfo2:
     case XEN_DOMCTL_getpageframeinfo3:
+        return current_has_perm(d, SECCLASS_MMU, MMU__PAGEINFO);
+
     case XEN_DOMCTL_getmemlist:
+        return current_has_perm(d, SECCLASS_MMU, MMU__PAGELIST);
+
     case XEN_DOMCTL_hypercall_init:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__HYPERCALL);
+
     case XEN_DOMCTL_sethvmcontext:
+        return current_has_perm(d, SECCLASS_HVM, HVM__SETHVMC);
+
     case XEN_DOMCTL_gethvmcontext:
     case XEN_DOMCTL_gethvmcontext_partial:
+        return current_has_perm(d, SECCLASS_HVM, HVM__GETHVMC);
+
     case XEN_DOMCTL_set_address_size:
-    case XEN_DOMCTL_get_address_size:
     case XEN_DOMCTL_set_machine_address_size:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETADDRSIZE);
+
+    case XEN_DOMCTL_get_address_size:
     case XEN_DOMCTL_get_machine_address_size:
-    case XEN_DOMCTL_sendtrigger:
-    case XEN_DOMCTL_bind_pt_irq:
-    case XEN_DOMCTL_unbind_pt_irq:
-    case XEN_DOMCTL_memory_mapping:
-    case XEN_DOMCTL_ioport_mapping:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETADDRSIZE);
+
+    case XEN_DOMCTL_mem_sharing_op:
+        return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING);
+
     case XEN_DOMCTL_pin_mem_cacheattr:
+        return current_has_perm(d, SECCLASS_HVM, HVM__CACHEATTR);
+
     case XEN_DOMCTL_set_ext_vcpucontext:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT);
+
     case XEN_DOMCTL_get_ext_vcpucontext:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT);
+
     case XEN_DOMCTL_setvcpuextstate:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE);
+
     case XEN_DOMCTL_getvcpuextstate:
-    case XEN_DOMCTL_mem_event_op:
-    case XEN_DOMCTL_mem_sharing_op:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE);
+
+    case XEN_DOMCTL_sendtrigger:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER);
+
     case XEN_DOMCTL_set_access_required:
-    /* These have individual XSM hooks (drivers/passthrough/iommu.c) */
-    case XEN_DOMCTL_get_device_group:
-    case XEN_DOMCTL_test_assign_device:
-    case XEN_DOMCTL_assign_device:
-    case XEN_DOMCTL_deassign_device:
-#endif
-        return 0;
+        return current_has_perm(d, SECCLASS_HVM, HVM__MEM_EVENT);
 
     case XEN_DOMCTL_debug_op:
     case XEN_DOMCTL_gdbsx_guestmemio:
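Review bot: The new `XEN_DOMCTL_scheduler_op` case checks only `DOMAIN__SCHEDULER`, but the `flask_scheduler` hook this commit removes first required `domain_has_xen(current->domain, XEN__SCHEDULER)` and returned its error before making the per-domain check. Unless a path outside this hunk still enforces it, a caller granted `DOMAIN__SCHEDULER` on the target but not `XEN__SCHEDULER` would now be allowed, so this case relaxes the policy decision rather than only moving it. To keep the old decision the case body could be `return domain_has_xen(current->domain, XEN__SCHEDULER) ?: current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SCHEDULER);`; if dropping the check is intended, the commit message should say so, because existing policies will behave differently. `flask_domctl` begins and ends outside this hunk.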
@@ -691,6 +675,9 @@ static int flask_domctl(struct domain *d, int cmd)
     case XEN_DOMCTL_suppress_spurious_page_faults:
         return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SET_MISC_INFO);
 
+    case XEN_DOMCTL_set_virq_handler:
+        return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER);
+
     case XEN_DOMCTL_set_cpuid:
         return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__SET_CPUID);
 
@@ -741,11 +728,6 @@ static int flask_sysctl(int cmd)
     }
 }
 
-static int flask_set_virq_handler(struct domain *d, uint32_t virq)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SET_VIRQ_HANDLER);
-}
-
 static int flask_tbufcontrol(void)
 {
     return domain_has_xen(current->domain, XEN__TBUFCONTROL);
@@ -766,21 +748,6 @@ static int flask_sched_id(void)
     return domain_has_xen(current->domain, XEN__SCHEDULER);
 }
 
-static int flask_setdomainmaxmem(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINMAXMEM);
-}
-
-static int flask_setdomainhandle(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDOMAINHANDLE);
-}
-
-static int flask_setdebugging(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__SETDEBUGGING);
-}
-
 static int flask_debug_keys(void)
 {
     return domain_has_xen(current->domain, XEN__DEBUG);
@@ -1165,82 +1132,6 @@ static int flask_ioport_mapping(struct domain *d, 
uint32_t start, uint32_t end,
     return flask_ioport_permission(d, start, end, access);
 }
 
-static int flask_getpageframeinfo(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_MMU, MMU__PAGEINFO);
-}
-
-static int flask_getmemlist(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_MMU, MMU__PAGELIST);
-}
-
-static int flask_hypercall_init(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__HYPERCALL);
-}
-
-static int flask_hvmcontext(struct domain *d, uint32_t cmd)
-{
-    u32 perm;
-
-    switch ( cmd )
-    {
-    case XEN_DOMCTL_sethvmcontext:
-        perm = HVM__SETHVMC;
-        break;
-    case XEN_DOMCTL_gethvmcontext:
-    case XEN_DOMCTL_gethvmcontext_partial:
-        perm = HVM__GETHVMC;
-        break;
-    case HVMOP_track_dirty_vram:
-        perm = HVM__TRACKDIRTYVRAM;
-        break;
-    default:
-        return -EPERM;
-    }
-
-    return current_has_perm(d, SECCLASS_HVM, perm);
-}
-
-static int flask_address_size(struct domain *d, uint32_t cmd)
-{
-    u32 perm;
-
-    switch ( cmd )
-    {
-    case XEN_DOMCTL_set_address_size:
-        perm = DOMAIN__SETADDRSIZE;
-        break;
-    case XEN_DOMCTL_get_address_size:
-        perm = DOMAIN__GETADDRSIZE;
-        break;
-    default:
-        return -EPERM;
-    }
-
-    return current_has_perm(d, SECCLASS_DOMAIN, perm);
-}
-
-static int flask_machine_address_size(struct domain *d, uint32_t cmd)
-{
-    u32 perm;
-
-    switch ( cmd )
-    {
-    case XEN_DOMCTL_set_machine_address_size:
-        perm = DOMAIN__SETADDRSIZE;
-        break;
-    case XEN_DOMCTL_get_machine_address_size:
-        perm = DOMAIN__GETADDRSIZE;
-        break;
-    default:
-        return -EPERM;
-    }
-
-    return domain_has_perm(current->domain, d, SECCLASS_DOMAIN, perm);
-}
-
 static int flask_hvm_param(struct domain *d, unsigned long op)
 {
     u32 perm;
@@ -1283,11 +1174,6 @@ static int flask_hvm_inject_msi(struct domain *d)
     return current_has_perm(d, SECCLASS_HVM, HVM__SEND_IRQ);
 }
 
-static int flask_mem_event_setup(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_HVM, HVM__MEM_EVENT);
-}
-
 static int flask_mem_event_control(struct domain *d, int mode, int op)
 {
     return current_has_perm(d, SECCLASS_HVM, HVM__MEM_EVENT);
@@ -1298,11 +1184,6 @@ static int flask_mem_event_op(struct domain *d, int op)
     return current_has_perm(d, SECCLASS_HVM, HVM__MEM_EVENT);
 }
 
-static int flask_mem_sharing(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_HVM, HVM__MEM_SHARING);
-}
-
 static int flask_mem_sharing_op(struct domain *d, struct domain *cd, int op)
 {
     int rc = current_has_perm(cd, SECCLASS_HVM, HVM__MEM_SHARING);
@@ -1490,11 +1371,6 @@ static int flask_remove_from_physmap(struct domain *d1, 
struct domain *d2)
     return domain_has_perm(d1, d2, SECCLASS_MMU, MMU__PHYSMAP);
 }
 
-static int flask_sendtrigger(struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_DOMAIN, DOMAIN__TRIGGER);
-}
-
 static int flask_get_device_group(uint32_t machine_bdf)
 {
     u32 rsid;
@@ -1588,78 +1464,20 @@ static int flask_unbind_pt_irq (struct domain *d, 
struct xen_domctl_bind_pt_irq
 {
     return current_has_perm(d, SECCLASS_RESOURCE, RESOURCE__REMOVE);
 }
-
-static int flask_pin_mem_cacheattr (struct domain *d)
-{
-    return current_has_perm(d, SECCLASS_HVM, HVM__CACHEATTR);
-}
-
-static int flask_ext_vcpucontext (struct domain *d, uint32_t cmd)
-{
-    u32 perm;
-
-    switch ( cmd )
-    {
-    case XEN_DOMCTL_set_ext_vcpucontext:
-        perm = DOMAIN__SETEXTVCPUCONTEXT;
-        break;
-    case XEN_DOMCTL_get_ext_vcpucontext:
-        perm = DOMAIN__GETEXTVCPUCONTEXT;
-        break;
-    default:
-        return -EPERM;
-    }
-
-    return current_has_perm(d, SECCLASS_DOMAIN, perm);
-}
-
-static int flask_vcpuextstate (struct domain *d, uint32_t cmd)
-{
-    u32 perm;
-
-    switch ( cmd )
-    {
-        case XEN_DOMCTL_setvcpuextstate:
-            perm = DOMAIN__SETVCPUEXTSTATE;
-        break;
-        case XEN_DOMCTL_getvcpuextstate:
-            perm = DOMAIN__GETVCPUEXTSTATE;
-        break;
-        default:
-            return -EPERM;
-    }
-
-    return current_has_perm(d, SECCLASS_DOMAIN, perm);
-}
 #endif
 
 long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op);
 
 static struct xsm_operations flask_ops = {
     .security_domaininfo = flask_security_domaininfo,
-    .setvcpucontext = flask_setvcpucontext,
-    .pausedomain = flask_pausedomain,
-    .unpausedomain = flask_unpausedomain,    
-    .resumedomain = flask_resumedomain,    
     .domain_create = flask_domain_create,
-    .max_vcpus = flask_max_vcpus,
-    .destroydomain = flask_destroydomain,
-    .vcpuaffinity = flask_vcpuaffinity,
-    .scheduler = flask_scheduler,
     .getdomaininfo = flask_getdomaininfo,
-    .getvcpucontext = flask_getvcpucontext,
-    .getvcpuinfo = flask_getvcpuinfo,
-    .domain_settime = flask_domain_settime,
     .set_target = flask_set_target,
     .domctl = flask_domctl,
     .sysctl = flask_sysctl,
-    .set_virq_handler = flask_set_virq_handler,
     .tbufcontrol = flask_tbufcontrol,
     .readconsole = flask_readconsole,
     .sched_id = flask_sched_id,
-    .setdomainmaxmem = flask_setdomainmaxmem,
-    .setdomainhandle = flask_setdomainhandle,
-    .setdebugging = flask_setdebugging,
     .perfcontrol = flask_perfcontrol,
     .debug_keys = flask_debug_keys,
     .getcpuinfo = flask_getcpuinfo,
@@ -1729,21 +1547,13 @@ static struct xsm_operations flask_ops = {
 
 #ifdef CONFIG_X86
     .shadow_control = flask_shadow_control,
-    .getpageframeinfo = flask_getpageframeinfo,
-    .getmemlist = flask_getmemlist,
-    .hypercall_init = flask_hypercall_init,
-    .hvmcontext = flask_hvmcontext,
-    .address_size = flask_address_size,
-    .machine_address_size = flask_machine_address_size,
     .hvm_param = flask_hvm_param,
     .hvm_set_pci_intx_level = flask_hvm_set_pci_intx_level,
     .hvm_set_isa_irq_level = flask_hvm_set_isa_irq_level,
     .hvm_set_pci_link_route = flask_hvm_set_pci_link_route,
     .hvm_inject_msi = flask_hvm_inject_msi,
-    .mem_event_setup = flask_mem_event_setup,
     .mem_event_control = flask_mem_event_control,
     .mem_event_op = flask_mem_event_op,
-    .mem_sharing = flask_mem_sharing,
     .mem_sharing_op = flask_mem_sharing_op,
     .apic = flask_apic,
     .xen_settime = flask_xen_settime,
@@ -1764,16 +1574,12 @@ static struct xsm_operations flask_ops = {
     .update_va_mapping = flask_update_va_mapping,
     .add_to_physmap = flask_add_to_physmap,
     .remove_from_physmap = flask_remove_from_physmap,
-    .sendtrigger = flask_sendtrigger,
     .get_device_group = flask_get_device_group,
     .test_assign_device = flask_test_assign_device,
     .assign_device = flask_assign_device,
     .deassign_device = flask_deassign_device,
     .bind_pt_irq = flask_bind_pt_irq,
     .unbind_pt_irq = flask_unbind_pt_irq,
-    .pin_mem_cacheattr = flask_pin_mem_cacheattr,
-    .ext_vcpucontext = flask_ext_vcpucontext,
-    .vcpuextstate = flask_vcpuextstate,
     .ioport_permission = flask_ioport_permission,
     .ioport_mapping = flask_ioport_mapping,
 #endif
-- 
1.7.11.7

