xsm: Add support for HVMOP_track_dirty_vram.

Xen try to inforce the xsm policy when a HVMOP_track_dirty_vram
is received (xen/arch/x86/hvm/hvm.c:3637). It was failing because
in flask_hvmcontext, xsm didn't have any case for this operation.

Signed-off-by: Jean Guyader <jean.guyader@eu.citrix.com>
Committed-by: Keir Fraser <keir@xen.org>

2 files changed, 2 insertions, 1 deletions

diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index 27fb9d7913..9d09c5bfce 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -90,6 +90,7 @@ class hvm
     pciroute
 	bind_irq
 	cacheattr
+    trackdirtyvram
 }
 
 class event
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 99afad6f6b..bf3b794c8e 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -22,7 +22,7 @@ define(`create_domain', `
 ################################################################################
 define(`create_hvm_dom', `
 	create_domain($1, $2, $3)
-	allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel	pcilevel };
+	allow $1 $2:hvm { setparam getparam cacheattr pciroute irqlevel	pcilevel trackdirtyvram };
 	allow $2 $2:hvm setparam;
 ')