aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGerrit Code Review <gerrit@automotivelinux.org>2017-03-28 13:52:42 +0000
committerGerrit Code Review <gerrit@automotivelinux.org>2017-03-28 13:52:42 +0000
commit2ceaa31f4137a5a9fb759338827f4b5d1d995772 (patch)
tree154a25036134c42d5ed51ab471b90b4e20d607fb
parentef0b30d05bd1d04ebe5edfafd1c26d2b09bd7d6e (diff)
parent7fcf42ba21c2a00a60f32140924fefc3cc39ad28 (diff)
Merge "Merge: migrate appfw from meta-agl-extra"
-rw-r--r--meta-app-framework/classes/aglwgt.bbclass61
-rw-r--r--meta-app-framework/conf/include/agl-appfw-smack.inc16
-rw-r--r--meta-app-framework/conf/layer.conf11
-rw-r--r--meta-app-framework/recipes-config/agl-users/agl-users_0.1.bb21
-rw-r--r--meta-app-framework/recipes-core/af-binder/af-binder_1.0.bb78
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main/Hack-to-allow-the-debugging.patch29
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main/add-qt-wayland-shell-integration.patch12
-rwxr-xr-xmeta-app-framework/recipes-core/af-main/af-main/afm-install44
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main_1.0.bb106
-rw-r--r--meta-app-framework/recipes-core/af-main/af-main_1.0.inc26
-rw-r--r--meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb26
-rw-r--r--meta-app-framework/recipes-core/base-files/base-files_%.bbappend22
-rw-r--r--meta-app-framework/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend2
-rw-r--r--meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework-examples.bb16
-rw-r--r--meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework.bb20
-rw-r--r--meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend9
-rw-r--r--meta-app-framework/recipes-core/packagegroups/packagegroup-agl-image-minimal.bbappend3
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch50
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch40
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch38
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch196
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service15
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh6
-rw-r--r--meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend22
-rwxr-xr-xmeta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime2
-rw-r--r--meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime-webkit.qml13
-rw-r--r--meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime.qml13
-rw-r--r--meta-app-framework/recipes-core/web-runtime/web-runtime_0.1.bb34
-rw-r--r--meta-app-framework/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bbappend1
-rw-r--r--meta-app-framework/recipes-example/afb-client/afb-client_1.0.bb29
-rw-r--r--meta-app-framework/recipes-example/afb-client/files/afb-client7
-rw-r--r--meta-app-framework/recipes-example/afm-client/afm-client_1.0.bb40
-rw-r--r--meta-app-framework/recipes-example/afm-client/files/afm-client7
-rw-r--r--meta-app-framework/recipes-example/afm-client/files/afm-client.service11
-rw-r--r--meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch45
-rw-r--r--meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch45
-rw-r--r--meta-app-framework/recipes-extended/shadow/shadow_%.bbappend4
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux-%.bbappend3
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend12
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend11
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/audit.cfg2
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch62
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch43
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch39
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch49
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch65
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch43
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch39
-rw-r--r--meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch49
-rw-r--r--meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch87
-rw-r--r--meta-app-framework/recipes-support/libcap/libcap_%.bbappend5
-rw-r--r--meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd/allows-upgrade.patch81
-rw-r--r--meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bb25
-rw-r--r--meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bbappend5
-rw-r--r--meta-app-framework/recipes-support/libzip/libzip_1.1.1.bb32
-rw-r--r--meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch115
-rw-r--r--meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend6
-rw-r--r--templates/feature/agl-appfw-smack/50_bblayers.conf.inc6
-rw-r--r--templates/feature/agl-appfw-smack/50_local.conf.inc2
59 files changed, 1901 insertions, 0 deletions
diff --git a/meta-app-framework/classes/aglwgt.bbclass b/meta-app-framework/classes/aglwgt.bbclass
new file mode 100644
index 000000000..afe9a5516
--- /dev/null
+++ b/meta-app-framework/classes/aglwgt.bbclass
@@ -0,0 +1,61 @@
+#
+# aglwgt bbclass
+#
+# Jan-Simon Moeller, jsmoeller@linuxfoundation.org
+#
+# This class expects a "make package" target in the makefile
+# which creates the wgt files in the package/ subfolder.
+# The makefile needs to use wgtpkg-pack.
+#
+
+
+# 'wgtpkg-pack' in af-main-native is required.
+DEPENDS_append = " af-main-native"
+
+# for bindings af-binder is required.
+DEPENDS_append = " af-binder"
+
+do_aglwgt_package() {
+ cd ${B}
+ make package || ( \
+ bbwarn "Your makefile must support the 'make package' target" ; \
+ bbwarn "and generate a .wgt file using wgtpack in the"; \
+ bbwarn "subfolder ./package/ !" ; \
+ bbwarn "Fix your package as it will not work within the SDK" ; \
+ bbwarn "See: https://wiki.automotivelinux.org/troubleshooting/app-recipes" \
+ )
+}
+
+python () {
+ d.setVarFlag('do_aglwgt_deploy', 'fakeroot', '1')
+}
+
+
+POST_INSTALL_LEVEL ?= "10"
+POST_INSTALL_SCRIPT ?= "${POST_INSTALL_LEVEL}-${PN}.sh"
+
+EXTRA_WGT_POSTINSTALL ?= ""
+
+do_aglwgt_deploy() {
+ install -d ${D}/usr/AGL/apps
+ install -m 0644 ${B}/package/*.wgt ${D}/usr/AGL/apps/
+ APP_FILES=""
+ for file in ${D}/usr/AGL/apps/*.wgt;do
+ APP_FILES="${APP_FILES} $(basename $file)";
+ done
+ install -d ${D}/${sysconfdir}/agl-postinsts
+ cat > ${D}/${sysconfdir}/agl-postinsts/${POST_INSTALL_SCRIPT} <<EOF
+#!/bin/sh -e
+for file in ${APP_FILES}; do
+ /usr/bin/afm-install install /usr/AGL/apps/\$file
+done
+sync
+${EXTRA_WGT_POSTINSTALL}
+EOF
+ chmod a+x ${D}/${sysconfdir}/agl-postinsts/${POST_INSTALL_SCRIPT}
+}
+
+FILES_${PN} += "/usr/AGL/apps/*.wgt ${sysconfdir}/agl-postinsts/${POST_INSTALL_SCRIPT}"
+
+addtask aglwgt_deploy before do_package after do_install
+addtask aglwgt_package before do_aglwgt_deploy after do_compile
diff --git a/meta-app-framework/conf/include/agl-appfw-smack.inc b/meta-app-framework/conf/include/agl-appfw-smack.inc
new file mode 100644
index 000000000..133f6b04c
--- /dev/null
+++ b/meta-app-framework/conf/include/agl-appfw-smack.inc
@@ -0,0 +1,16 @@
+# enable security features (smack, cynara) - required by Application Framework
+OVERRIDES .= ":smack"
+DISTRO_FEATURES_append = " smack dbus-cynara xattr"
+
+# use tar-native to support SMACK extended attributes independently of host config
+IMAGE_CMD_TAR = "tar --xattrs --xattrs-include='*'"
+IMAGE_DEPENDS_tar_append = " tar-replacement-native"
+EXTRANATIVEPATH += "tar-native"
+
+# security: enable ssh server in place of dropbear to support PAM on user sessions
+IMAGE_FEATURES += "ssh-server-openssh"
+
+# enforce copy of xattrs (to be removed, see SPEC-475)
+PACKAGECONFIG_append_pn-shadow = " attr"
+PACKAGECONFIG_append_pn-shadow-native = " attr"
+
diff --git a/meta-app-framework/conf/layer.conf b/meta-app-framework/conf/layer.conf
new file mode 100644
index 000000000..f74ebd658
--- /dev/null
+++ b/meta-app-framework/conf/layer.conf
@@ -0,0 +1,11 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "app-framework"
+BBFILE_PATTERN_app-framework = "^${LAYERDIR}/"
+BBFILE_PRIORITY_app-framework = "7"
+
diff --git a/meta-app-framework/recipes-config/agl-users/agl-users_0.1.bb b/meta-app-framework/recipes-config/agl-users/agl-users_0.1.bb
new file mode 100644
index 000000000..832c51c99
--- /dev/null
+++ b/meta-app-framework/recipes-config/agl-users/agl-users_0.1.bb
@@ -0,0 +1,21 @@
+inherit allarch useradd
+
+SUMMARY = "AGL Users Seed"
+DESCRIPTION = "This is a core framework component that\
+ defines how users are managed and who are the default users."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+
+SRC_URI = ""
+
+ALLOW_EMPTY_${PN} = "1"
+
+USERADD_PACKAGES = "${PN}"
+
+USERADD_PARAM_${PN} = "\
+ -g users -d /home/agl-driver -m -K PASS_MAX_DAYS=-1 agl-driver ; \
+ -g users -d /home/agl-passenger -m -K PASS_MAX_DAYS=-1 agl-passenger \
+"
+
diff --git a/meta-app-framework/recipes-core/af-binder/af-binder_1.0.bb b/meta-app-framework/recipes-core/af-binder/af-binder_1.0.bb
new file mode 100644
index 000000000..2ecb2aa94
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-binder/af-binder_1.0.bb
@@ -0,0 +1,78 @@
+SUMMARY = "HTTP REST interface to automotive backends for HTML5 UI support"
+DESCRIPTION = "Automotive-Framework-Binder Daemon provides a HTTP REST \
+interface to various automotive-oriented bindings, \
+allowing HTML5 UIs to send platform-specific requests in a secure way."
+HOMEPAGE = "https://gerrit.automotivelinux.org/gerrit/#/admin/projects/src/app-framework-binder"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+DEPENDS = "file json-c libmicrohttpd systemd util-linux openssl"
+
+SRC_URI_git = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-binder;protocol=https;branch=master"
+SRC_URI_files = ""
+SRC_URI = "${SRC_URI_git} \
+ ${SRC_URI_files} \
+ "
+
+SRCREV = "e85e5d8ffe242f826b5f98e2834407b5d4c46690"
+S = "${WORKDIR}/git"
+
+inherit cmake pkgconfig
+
+FILES_${PN} += "${datadir}"
+
+pkg_postinst_${PN}() {
+ mkdir -p "$D${libdir}/afb"
+}
+
+#############################################
+# setup meta package
+#############################################
+PACKAGES += "${PN}-meta"
+ALLOW_EMPTY_${PN}-meta = "1"
+
+#############################################
+# setup sample binding packages
+#############################################
+PACKAGES_DYNAMIC = "${PN}-binding-*"
+
+python populate_packages_prepend () {
+ afb_libdir = d.expand('${libdir}/afb')
+ postinst = d.getVar('binding_postinst', True)
+ pkgs = []
+ pkgs_dbg = []
+
+ pkgs += do_split_packages(d, afb_libdir, '(.*)-api\.so$', d.expand('${PN}-binding-%s'), 'AFB binding for %s', postinst=postinst, extra_depends=d.expand('${PN}'))
+ pkgs += do_split_packages(d, afb_libdir, '(.*(?!-api))\.so$', d.expand('${PN}-binding-%s'), 'AFB binding for %s', postinst=postinst, extra_depends=d.expand('${PN}'))
+
+ pkgs_dbg += do_split_packages(d, oe.path.join(afb_libdir, ".debug"), '(.*)-api\.so$', d.expand('${PN}-binding-%s-dbg'), 'AFB binding for %s, debug info', postinst=postinst, extra_depends=d.expand('${PN}'))
+ pkgs_dbg += do_split_packages(d, oe.path.join(afb_libdir, ".debug"), '(.*(?!-api))\.so$', d.expand('${PN}-binding-%s-dbg'), 'AFB binding for %s, debug info', postinst=postinst, extra_depends=d.expand('${PN}'))
+
+ metapkg = d.getVar('PN', True) + '-meta'
+ d.setVar('RDEPENDS_' + metapkg, ' '.join(pkgs))
+}
+
+#############################################
+# setup libafbwsc package
+#############################################
+PACKAGES =+ "libafbwsc libafbwsc-dev libafbwsc-dbg"
+
+FILES_libafbwsc = "\
+ ${libdir}/libafbwsc.so.* \
+"
+FILES_libafbwsc-dev = "\
+ ${includedir}/afb/afb-wsj1.h \
+ ${includedir}/afb/afb-ws-client.h \
+ ${bindir}/afb-client-demo \
+ ${libdir}/libafbwsc.so \
+ ${libdir}/pkgconfig/libafbwsc.pc \
+"
+FILES_libafbwsc-dbg = "\
+ ${libdir}/.debug/libafbwsc.so.* \
+ ${bindir}/.debug/afb-client-demo \
+"
+RDEPENDS_libafbwsc-dbg += "${PN}-dbg libafbwsc-dev"
+
+RDEPENDS_${PN}-dev += "libafbwsc-dev"
+
diff --git a/meta-app-framework/recipes-core/af-main/af-main/Hack-to-allow-the-debugging.patch b/meta-app-framework/recipes-core/af-main/af-main/Hack-to-allow-the-debugging.patch
new file mode 100644
index 000000000..44e8bce1e
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/af-main/Hack-to-allow-the-debugging.patch
@@ -0,0 +1,29 @@
+From a4fbfb88f1b7c4f4287d9279767220fae80d26da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 21 Jan 2016 15:07:29 +0100
+Subject: [PATCH] Hack to allow the debugging
+
+This is a temporarily fix to continue debugging
+afm-main. This should be removed later.
+
+Change-Id: I2f10f0cb1fce2ee30bd0754ad2e7bc8e2f6513aa
+---
+ conf/afm-user-daemon.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/conf/afm-user-daemon.conf b/conf/afm-user-daemon.conf
+index 801c7ae..98a3152 100644
+--- a/conf/afm-user-daemon.conf
++++ b/conf/afm-user-daemon.conf
+@@ -25,7 +25,7 @@
+ </policy>
+
+ <policy context="default">
+- <deny own="org.AGL.afm.user"/>
++ <allow own="org.AGL.afm.user"/>
+ <allow send_destination="org.AGL.afm.system"/>
+ </policy>
+
+--
+2.1.4
+
diff --git a/meta-app-framework/recipes-core/af-main/af-main/add-qt-wayland-shell-integration.patch b/meta-app-framework/recipes-core/af-main/af-main/add-qt-wayland-shell-integration.patch
new file mode 100644
index 000000000..c92415b80
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/af-main/add-qt-wayland-shell-integration.patch
@@ -0,0 +1,12 @@
+diff --git a/conf/afm-unit.conf b/conf/afm-unit.conf
+index 82113ef..2fbc9e2 100644
+--- a/conf/afm-unit.conf
++++ b/conf/afm-unit.conf
+@@ -127,6 +127,7 @@ SuccessExitStatus=0 SIGKILL
+ WorkingDirectory=-{{&#metadata.app-data-dir}}/{{id}}
+ ExecStartPre=/bin/mkdir -p {{&#metadata.app-data-dir}}/{{id}}
+ Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}}
++Environment=QT_WAYLAND_SHELL_INTEGRATION=ivi-shell
+
+ %systemd-unit user
+ {{#required-permission.urn:AGL:permission::public:hidden}}\
diff --git a/meta-app-framework/recipes-core/af-main/af-main/afm-install b/meta-app-framework/recipes-core/af-main/af-main/afm-install
new file mode 100755
index 000000000..6d37baed8
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/af-main/afm-install
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+pretty() {
+ sed \
+ -e '/^method return .*/d' \
+ -e 's/^Error org.freedesktop.DBus.Error.Failed: "\?\(.*\)"\?$/ERROR: \1/' \
+ -e 's/^ string "\(.*\)"/\1/' \
+ -e 's/},/&\n/'
+}
+
+send() {
+ dbus-send --system --print-reply \
+ --dest=org.AGL.afm.system \
+ /org/AGL/afm/system \
+ org.AGL.afm.system.$1 \
+ "string:$2" |
+ pretty
+}
+
+case "$1" in
+
+ add|install)
+ f=$(realpath $2)
+ send install '{"wgt":"'"$f"'","force":true}'
+ ;;
+
+ -h|--help|help)
+ cat << EOC
+
+The commands are:
+
+ add wgt
+ install wgt install the wgt file
+
+EOC
+ ;;
+
+ *)
+ echo "unknown command $1" >&2
+ exit 1
+ ;;
+esac
+
+
diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
new file mode 100644
index 000000000..3c1b692f3
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.bb
@@ -0,0 +1,106 @@
+require af-main_${PV}.inc
+
+# NOTE: using libcap-native and setcap in install doesn't work
+# NOTE: there is no SYSTEMD_USER_SERVICE_...
+# NOTE: maybe setting afm_name to agl-framework is cleaner but has implications
+# NOTE: there is a hack of security for using groups and dbus (to be checked)
+# NOTE: using ZIP programs creates directories with mode 777 (very bad)
+
+inherit cmake pkgconfig useradd systemd
+BBCLASSEXTEND = "native"
+
+SECTION = "base"
+
+DEPENDS = "openssl libxml2 xmlsec1 systemd libzip json-c systemd security-manager libcap-native af-binder"
+DEPENDS_class-native = "openssl libxml2 xmlsec1 libzip json-c"
+
+EXTRA_OECMAKE_class-native = "\
+ -DUSE_LIBZIP=1 \
+ -DUSE_SIMULATION=1 \
+ -DUSE_SDK=1 \
+ -Dafm_name=${afm_name} \
+ -Dafm_confdir=${afm_confdir} \
+ -Dafm_datadir=${afm_datadir} \
+"
+
+EXTRA_OECMAKE = "\
+ -DUSE_LIBZIP=1 \
+ -DUSE_SIMULATION=0 \
+ -DUSE_SDK=0 \
+ -Dafm_name=${afm_name} \
+ -Dafm_confdir=${afm_confdir} \
+ -Dafm_datadir=${afm_datadir} \
+ -Dsystemd_units_root=${systemd_units_root} \
+ -DUNITDIR_USER=${systemd_user_unitdir} \
+ -DUNITDIR_SYSTEM=${systemd_system_unitdir} \
+"
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "-g ${afm_name} -d ${afm_datadir} -r ${afm_name}"
+GROUPADD_PARAM_${PN} = "-r ${afm_name}"
+
+SYSTEMD_SERVICE_${PN} = "afm-system-daemon.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+
+FILES_${PN} += "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_user_unitdir}/afm-user-daemon.service', '', d)} \
+"
+RDEPENDS_${PN}_append_smack = " smack-userspace"
+DEPENDS_append_smack = " smack-userspace-native"
+
+# short hacks here
+SRC_URI += "\
+ file://Hack-to-allow-the-debugging.patch \
+"
+
+# tools used to install wgt at first boot
+SRC_URI += "\
+ file://afm-install \
+ file://add-qt-wayland-shell-integration.patch \
+"
+
+do_install_append() {
+ install -d ${D}${bindir}
+ install -d -m 0775 ${D}${systemd_units_root}/{system,user}
+ install -d -m 0775 ${D}${systemd_units_root}/{system,user}/default.target.wants
+ install -d ${D}${afm_datadir}/{applications,icons}
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ mkdir -p ${D}${sysconfdir}/systemd/{system,user}/default.target.wants
+ ln -sf ${systemd_user_unitdir}/afm-user-daemon.service ${D}${sysconfdir}/systemd/user/default.target.wants
+ fi
+ install -m 0755 ${WORKDIR}/afm-install ${D}${bindir}
+}
+
+do_install_append_qemux86-64() {
+ sed -i -e '/LD_PRELOAD=\/usr\/lib\/libEGL.so/d' ${D}${systemd_user_unitdir}/afm-user-daemon.service
+}
+
+pkg_postinst_${PN}() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ chgrp ${afm_name} $D${systemd_units_root}/{system,user}/{default.target.wants,.}
+ fi
+ chown ${afm_name}:${afm_name} $D${afm_datadir}/{applications,icons,.}
+ setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon
+ setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon
+}
+
+pkg_postinst_${PN}_smack() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ chgrp ${afm_name} $D${systemd_units_root}/{system,user}/{default.target.wants,.}
+ chsmack -a 'System::Shared' -t $D${systemd_units_root}/{system,user}/{default.target.wants,.}
+ fi
+ chown ${afm_name}:${afm_name} $D${afm_datadir}/{applications,icons,.}
+ chsmack -a 'System::Shared' -t $D${afm_datadir}/{applications,icons,.}
+ setcap cap_mac_override,cap_dac_override=ep $D${bindir}/afm-system-daemon
+ setcap cap_mac_override,cap_mac_admin,cap_setgid=ep $D${bindir}/afm-user-daemon
+}
+FILES_${PN} += " ${systemd_units_root} "
+
+PACKAGES =+ "${PN}-binding ${PN}-binding-dbg"
+FILES_${PN}-binding = " ${afb_binding_dir}/afm-main-binding.so "
+FILES_${PN}-binding-dbg = " ${afb_binding_dir}/.debug/afm-main-binding.so "
+
+PACKAGES =+ "${PN}-tools ${PN}-tools-dbg"
+FILES_${PN}-tools = "${bindir}/wgtpkg-*"
+FILES_${PN}-tools-dbg = "${bindir}/.debug/wgtpkg-*"
+
diff --git a/meta-app-framework/recipes-core/af-main/af-main_1.0.inc b/meta-app-framework/recipes-core/af-main/af-main_1.0.inc
new file mode 100644
index 000000000..6ce87ed71
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/af-main_1.0.inc
@@ -0,0 +1,26 @@
+SUMMARY = "AGL Framework Main part"
+DESCRIPTION = "\
+This is a core framework component for managing \
+applications, widgets, and components. \
+"
+
+HOMEPAGE = "https://gerrit.automotivelinux.org/gerrit/#/admin/projects/src/app-framework-main"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI_git = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-main;protocol=https;branch=master"
+SRC_URI_files = ""
+SRC_URI = "${SRC_URI_git} \
+ ${SRC_URI_files} \
+ "
+
+SRCREV = "255c83029f56e8d90e7ce185b007c4ca65afec1e"
+
+S = "${WORKDIR}/git"
+
+afm_name = "afm"
+afm_confdir = "${sysconfdir}/${afm_name}"
+afm_datadir = "/var/local/lib/${afm_name}"
+afb_binding_dir = "${libdir}/afb"
+systemd_units_root = "/usr/local/lib/systemd"
+
diff --git a/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb
new file mode 100644
index 000000000..8d044345f
--- /dev/null
+++ b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_1.0.bb
@@ -0,0 +1,26 @@
+require af-main_${PV}.inc
+
+inherit nativesdk cmake pkgconfig
+
+SECTION = "base"
+
+DEPENDS = "nativesdk-openssl nativesdk-libxml2 nativesdk-xmlsec1 nativesdk-libzip nativesdk-json-c"
+
+EXTRA_OECMAKE = "\
+ -DUSE_LIBZIP=1 \
+ -DUSE_SIMULATION=1 \
+ -DUSE_SDK=1 \
+ -Dafm_name=${afm_name} \
+ -Dafm_confdir=${afm_confdir} \
+ -Dafm_datadir=${afm_datadir} \
+"
+
+do_install_append() {
+ # remove unused .pc file we don't want to package
+ rm -rf ${D}/${libdir}
+}
+
+PACKAGES = "${PN}-tools ${PN}-tools-dbg"
+FILES_${PN}-tools = "${bindir}/wgtpkg-* ${afm_confdir}/*"
+FILES_${PN}-tools-dbg = "${bindir}/.debug/wgtpkg-*"
+
diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 000000000..7e12bc829
--- /dev/null
+++ b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,22 @@
+DEPENDS_append_smack = " smack-userspace-native"
+RDEPENDS_${PN}_append_smack = " smack-userspace"
+
+do_install_append() {
+ install -d ${D}/${sysconfdir}/skel/app-data
+ install -d ${D}/${sysconfdir}/skel/.config
+}
+
+do_install_append_smack () {
+ install -d ${D}/${sysconfdir}/smack/accesses.d
+ cat > ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user <<EOF
+System User::App-Shared rwxat
+System User::Home rwxat
+EOF
+ chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user
+}
+
+pkg_postinst_${PN}_append_smack() {
+ chsmack -r -a 'User::Home' -t -D $D/${sysconfdir}/skel
+ chsmack -a 'User::App-Shared' -D $D/${sysconfdir}/skel/app-data
+}
+
diff --git a/meta-app-framework/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend b/meta-app-framework/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend
new file mode 100644
index 000000000..ca0b54f73
--- /dev/null
+++ b/meta-app-framework/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend
@@ -0,0 +1,2 @@
+RDEPENDS_${PN} =+ "nativesdk-af-main-tools"
+
diff --git a/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework-examples.bb b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework-examples.bb
new file mode 100644
index 000000000..e95b7548b
--- /dev/null
+++ b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework-examples.bb
@@ -0,0 +1,16 @@
+SUMMARY = "AGL Application Framework examples"
+DESCRIPTION = "The set of examples associated to the AGL Application Framework"
+LICENSE = "MIT"
+
+inherit packagegroup
+
+PACKAGES = "\
+ packagegroup-agl-app-framework-examples \
+ "
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} += "\
+ afm-client \
+ afb-client \
+ "
diff --git a/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework.bb b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework.bb
new file mode 100644
index 000000000..0fdaabc91
--- /dev/null
+++ b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-app-framework.bb
@@ -0,0 +1,20 @@
+SUMMARY = "AGL Application Framework core packages"
+DESCRIPTION = "The set of packages required by the AGL Application Framework"
+LICENSE = "MIT"
+
+inherit packagegroup
+
+PACKAGES = "\
+ packagegroup-agl-app-framework \
+ "
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} += "\
+ af-binder \
+ af-binder-binding-afb-dbus-binding \
+ af-binder-binding-authlogin \
+ libafbwsc \
+ af-main \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'webruntime', 'virtual/webruntime', '', d)} \
+ "
diff --git a/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend
new file mode 100644
index 000000000..0c9efe465
--- /dev/null
+++ b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-core-security.bbappend
@@ -0,0 +1,9 @@
+RDEPENDS_${PN} += "\
+ xmlsec1 \
+ cynara \
+ dbus-cynara \
+ security-manager \
+ security-manager-policy \
+ agl-users \
+ "
+
diff --git a/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-image-minimal.bbappend b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-image-minimal.bbappend
new file mode 100644
index 000000000..ad09e5ddf
--- /dev/null
+++ b/meta-app-framework/recipes-core/packagegroups/packagegroup-agl-image-minimal.bbappend
@@ -0,0 +1,3 @@
+RDEPENDS_${PN} += "\
+ packagegroup-agl-app-framework \
+ "
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
new file mode 100644
index 000000000..4c91f7fa3
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
@@ -0,0 +1,50 @@
+From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Wed, 19 Oct 2016 13:45:54 +0200
+Subject: [PATCH] Adapt rules to AGL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git
+as basis for the integration of security framework. The security framework
+that it provides is an evolution of the security framework of tizen refited
+to the distribution Ostro of Intel. This refit took the decision to simplify
+the model by removing the running label "User". More can be viewed here:
+https://github.com/01org/meta-intel-iot-security/pull/116
+
+This commits adapt the template to the rules that are now needed
+after this evolution.
+
+It also integrates one other evolutions: the shared label becomes User::App-Shared instead
+of User::App::Shared to avoid collision with application of id "Shared".
+
+Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ policy/app-rules-template.smack | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
+index 1311169..b4cd2e3 100644
+--- a/policy/app-rules-template.smack
++++ b/policy/app-rules-template.smack
+@@ -1,12 +1,10 @@
+-System ~APP~ rwx
++System ~APP~ rwxa
++System ~PKG~ rwxat
+ ~APP~ System wx
+ ~APP~ System::Shared rx
+ ~APP~ System::Run rwxat
+ ~APP~ System::Log rwxa
+ ~APP~ _ l
+-User ~APP~ rwxa
+-User ~PKG~ rwxat
+-~APP~ User wx
+ ~APP~ User::Home rxl
+-~APP~ User::App::Shared rwxat
++~APP~ User::App-Shared rwxat
+ ~APP~ ~PKG~ rwxat
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch
new file mode 100644
index 000000000..43a3ee103
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-Cmake-conf-for-gcc6-build.patch
@@ -0,0 +1,40 @@
+From 19c99315a5dcba3b696c30d1fdd42a1dcd574a80 Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Thu, 13 Oct 2016 11:37:47 +0200
+Subject: [PATCH] Fix Cmake conf for gcc6 build
+
+Signed-off-by: Ronan <ronan.lemartret@iot.bzh>
+---
+ src/cmd/CMakeLists.txt | 4 +---
+ src/server/CMakeLists.txt | 1 -
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt
+index ee9a160..aa7a12c 100644
+--- a/src/cmd/CMakeLists.txt
++++ b/src/cmd/CMakeLists.txt
+@@ -1,8 +1,6 @@
+ FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
+
+-INCLUDE_DIRECTORIES(SYSTEM
+- ${Boost_INCLUDE_DIRS}
+- )
++
+
+ INCLUDE_DIRECTORIES(
+ ${INCLUDE_PATH}
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 753eb96..8eef25d 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED)
+
+ INCLUDE_DIRECTORIES(SYSTEM
+ ${SERVER_DEP_INCLUDE_DIRS}
+- ${Boost_INCLUDE_DIRS}
+ ${Threads_INCLUDE_DIRS}
+ )
+
+--
+2.6.6
+
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch
new file mode 100644
index 000000000..1b3c8c427
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/0001-Fix-gcc6-build.patch
@@ -0,0 +1,38 @@
+From cb9acc2b723b297ee373bf814282711f02657aa5 Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Wed, 12 Oct 2016 17:48:55 +0200
+Subject: [PATCH] Fix gcc6 build
+
+Signed-off-by: ronan <ronan@ot.bzh>
+---
+ src/client/client-security-manager.cpp | 1 +
+ src/common/include/privilege_db.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
+index 74a6b30..347cddd 100644
+--- a/src/client/client-security-manager.cpp
++++ b/src/client/client-security-manager.cpp
+@@ -46,6 +46,7 @@
+ #include <service_impl.h>
+ #include <security-manager.h>
+ #include <client-offline.h>
++#include <linux/xattr.h>
+
+ static const char *EMPTY = "";
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 03c6680..8dd39a1 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -32,6 +32,7 @@
+ #include <map>
+ #include <stdbool.h>
+ #include <string>
++#include <vector>
+
+ #include <dpl/db/sql_connection.h>
+
+--
+2.6.6
+
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch
new file mode 100644
index 000000000..4830db2a8
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/Removing-tizen-platform-config.patch
@@ -0,0 +1,196 @@
+From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 14:26:25 +0100
+Subject: [PATCH] Removing tizen-platform-config
+
+Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
+---
+ policy/security-manager-policy-reload | 2 +-
+ src/common/file-lock.cpp | 4 +---
+ src/common/include/file-lock.h | 1 -
+ src/common/include/privilege_db.h | 3 +--
+ src/common/service_impl.cpp | 39 +++++++++++------------------------
+ src/common/smack-rules.cpp | 12 ++++-------
+ 6 files changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 6f211c6..ed8047a 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -2,7 +2,7 @@
+
+ POLICY_PATH=/usr/share/security-manager/policy
+ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
++DB_FILE=/var/db/security-manager/.security-manager.db
+
+ # Create default buckets
+ while read bucket default_policy
+diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
+index 6f3996c..1dada17 100644
+--- a/src/common/file-lock.cpp
++++ b/src/common/file-lock.cpp
+@@ -30,9 +30,7 @@
+
+ namespace SecurityManager {
+
+-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
+- "lock",
+- "security-manager.lock");
++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock";
+
+ FileLocker::FileLocker(const std::string &lockFile, bool blocking)
+ {
+diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
+index 604b019..21a86a0 100644
+--- a/src/common/include/file-lock.h
++++ b/src/common/include/file-lock.h
+@@ -29,7 +29,6 @@
+
+ #include <dpl/exception.h>
+ #include <dpl/noncopyable.h>
+-#include <tzplatform_config.h>
+
+ namespace SecurityManager {
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..03c6680 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -34,14 +34,13 @@
+ #include <string>
+
+ #include <dpl/db/sql_connection.h>
+-#include <tzplatform_config.h>
+
+ #ifndef PRIVILEGE_DB_H_
+ #define PRIVILEGE_DB_H_
+
+ namespace SecurityManager {
+
+-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
++const char *const PRIVILEGE_DB_PATH = "/var/db/security-manager/.security-manager.db";
+
+ enum class QueryType {
+ EGetPkgPrivileges,
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index ae305d3..65cc8b5 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -32,7 +32,6 @@
+ #include <algorithm>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "protocols.h"
+ #include "privilege_db.h"
+@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
+
+ static uid_t getGlobalUserId(void)
+ {
+- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++ static uid_t globaluid = 0;
++ if (!globaluid) {
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p);
++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
++ }
+ return globaluid;
+ }
+
+@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
+
+ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
+ {
+- struct tzplatform_context *tz_ctx = nullptr;
+-
+- if (tzplatform_context_create(&tz_ctx))
+- return false;
+-
+- if (tzplatform_context_set_user(tz_ctx, uid)) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
++ if (rc || p == NULL)
+ return false;
+- }
+-
+- enum tzplatform_variable id =
+- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
+- const char *appDir = tzplatform_context_getenv(tz_ctx, id);
+- if (!appDir) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+- return false;
+- }
+-
+- userAppDir = appDir;
+-
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+-
++ userAppDir = p->pw_dir;
+ return true;
+ }
+
+ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
+ {
+- std::string userHome;
+ std::string userAppDir;
+ std::stringstream correctPath;
+
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index d834e42..8b5728b 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -34,7 +34,6 @@
+ #include <memory>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "smack-labels.h"
+ #include "smack-rules.h"
+@@ -43,7 +42,7 @@ namespace SecurityManager {
+
+ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
+ const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
+-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack";
+ const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
+
+ SmackRules::SmackRules()
+@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
+
+ std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/pkg_" + pkgId;
+ }
+
+ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/app_" + appId;
+ }
+ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
+ for (auto privilege : privileges) {
+ if (privilege.empty())
+ continue;
+- std::string fprivilege ( privilege + "-template.smack");
+- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack";
+ if( stat(path.c_str(), &buffer) == 0)
+ smackRules.addFromTemplateFile(appId, pkgId, path);
+ }
+--
+2.1.4
+
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service
new file mode 100644
index 000000000..8ed5e8601
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.service
@@ -0,0 +1,15 @@
+#
+# Install security-manager DB to /var
+
+[Unit]
+Description=Install Security Manager database
+After=sysinit.target
+Before=security-manager.service
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/bin/init-security-manager-db.sh
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh
new file mode 100644
index 000000000..ef41286c8
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager/init-security-manager-db.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ ! -e "/var/db/security-manager" ]; then
+ mkdir -p /var/db
+ cp -ra /usr/dbspace/ /var/db/security-manager
+fi
diff --git a/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
new file mode 100644
index 000000000..23ceb2937
--- /dev/null
+++ b/meta-app-framework/recipes-core/security-manager/security-manager_%.bbappend
@@ -0,0 +1,22 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:"
+
+SRC_URI += " file://0001-Adapt-rules-to-AGL.patch \
+ file://init-security-manager-db.service \
+ file://init-security-manager-db.sh \
+ file://0001-Fix-gcc6-build.patch \
+ file://0001-Fix-Cmake-conf-for-gcc6-build.patch \
+"
+
+FILES_${PN}_append = "${bindir}/init-security-manager-db.sh \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '${systemd_unitdir}/system/init-security-manager-db.service', '', d)} \
+"
+
+do_install_append () {
+ install -p -D ${WORKDIR}/init-security-manager-db.sh ${D}${bindir}/init-security-manager-db.sh
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ mkdir -p ${D}${systemd_unitdir}/system
+ mkdir -p ${D}${sysconfdir}/systemd/system/default.target.wants
+ install -m 644 -p -D ${WORKDIR}/init-security-manager-db.service ${D}${systemd_unitdir}/system/init-security-manager-db.service
+ ln -sf ${systemd_unitdir}/system/init-security-manager-db.service ${D}${sysconfdir}/systemd/system/default.target.wants
+ fi
+}
diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime
new file mode 100755
index 000000000..ca712e155
--- /dev/null
+++ b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/bin/qt5/qmlscene "$1" /usr/bin/web-runtime-webkit.qml
diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime-webkit.qml b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime-webkit.qml
new file mode 100644
index 000000000..d18b672cd
--- /dev/null
+++ b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime-webkit.qml
@@ -0,0 +1,13 @@
+import QtQuick 2.1
+import QtQuick.Controls 1.1
+import QtWebKit 3.0
+
+ApplicationWindow {
+ width: 1024
+ height: 768
+ visible: true
+ WebView {
+ url: Qt.application.arguments[1]
+ anchors.fill: parent
+ }
+}
diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime.qml b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime.qml
new file mode 100644
index 000000000..afe8a77d0
--- /dev/null
+++ b/meta-app-framework/recipes-core/web-runtime/web-runtime/web-runtime.qml
@@ -0,0 +1,13 @@
+import QtQuick 2.1
+import QtQuick.Controls 1.1
+import QtWebEngine 1.1
+
+ApplicationWindow {
+ width: 1024
+ height: 768
+ visible: true
+ WebEngineView {
+ url: Qt.application.arguments[1]
+ anchors.fill: parent
+ }
+}
diff --git a/meta-app-framework/recipes-core/web-runtime/web-runtime_0.1.bb b/meta-app-framework/recipes-core/web-runtime/web-runtime_0.1.bb
new file mode 100644
index 000000000..fa149875c
--- /dev/null
+++ b/meta-app-framework/recipes-core/web-runtime/web-runtime_0.1.bb
@@ -0,0 +1,34 @@
+inherit allarch
+
+SUMMARY = "Provides the 'web-runtime' command"
+DESCRIPTION = "The command 'web-runtime' is an abstraction that allows to "
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = "\
+ file://web-runtime;md5sum=6114c0bdd20290912a423fa01beb50f0 \
+ file://web-runtime.qml;md5sum=5d6a379e9b7e5654319e5ba638824a58 \
+ file://web-runtime-webkit.qml;md5sum=4daf9df39078634c27a7923d37e82e3d \
+"
+
+RDEPENDS_${PN} = "qtwebkit-qmlplugins"
+
+do_configure() {
+ :
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/web-runtime ${D}${bindir}/web-runtime
+ install -m 0644 ${WORKDIR}/web-runtime.qml ${D}${bindir}/web-runtime.qml
+ install -m 0644 ${WORKDIR}/web-runtime-webkit.qml ${D}${bindir}/web-runtime-webkit.qml
+}
+
+do_install_append_rcar-gen2() {
+ # workaround for porter board: force the use of libEGL provided by mesa at runtime
+ # otherwise, the proprietary libEGL is used and a problem then occurs due to a missing EGL function
+ sed -i 's|^\(exec /usr/bin/qt5/qmlscene\)|LD_PRELOAD=/usr/lib/libEGL.so \1|g' ${D}${bindir}/web-runtime
+}
+
+
diff --git a/meta-app-framework/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bbappend b/meta-app-framework/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bbappend
new file mode 100644
index 000000000..590ab708a
--- /dev/null
+++ b/meta-app-framework/recipes-devtools/run-agl-postinsts/run-agl-postinsts_1.0.bbappend
@@ -0,0 +1 @@
+SYSTEMD_SERVICE_AFTER_append = " afm-system-daemon.service"
diff --git a/meta-app-framework/recipes-example/afb-client/afb-client_1.0.bb b/meta-app-framework/recipes-example/afb-client/afb-client_1.0.bb
new file mode 100644
index 000000000..21605d20b
--- /dev/null
+++ b/meta-app-framework/recipes-example/afb-client/afb-client_1.0.bb
@@ -0,0 +1,29 @@
+SUMMARY = "HTML5 demo template for AFB"
+DESCRIPTION = "afb-client is a sample AngularJS/HTML5 application using \
+Application Framework Binder with token binding."
+HOMEPAGE = "http://www.iot.bzh"
+
+LICENSE = "GPLv3+"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=6cb04bdb88e11107e3af4d8e3f301be5"
+
+#DEPENDS = "nodejs-native"
+RDEPENDS_${PN} = "af-binder af-binder-binding-authlogin"
+
+SRC_URI_git = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-demo;protocol=https;branch=master"
+SRC_URI_files = "file://afb-client \
+ "
+SRC_URI = "${SRC_URI_git} \
+ ${SRC_URI_files} \
+ "
+SRCREV = "9e9b459fa27d7a359a060024c9639b99b45813d5"
+S = "${WORKDIR}/git/afb-client"
+
+do_install () {
+ mkdir -p ${D}/${datadir}/agl/afb-client
+ cp -ra ${S}/dist.prod/* ${D}/${datadir}/agl/afb-client/
+
+ mkdir -p ${D}/${bindir}
+ install -m 0755 ${WORKDIR}/afb-client ${D}/${bindir}/afb-client
+}
+
+FILES_${PN} += "${datadir}"
diff --git a/meta-app-framework/recipes-example/afb-client/files/afb-client b/meta-app-framework/recipes-example/afb-client/files/afb-client
new file mode 100644
index 000000000..99e6aa968
--- /dev/null
+++ b/meta-app-framework/recipes-example/afb-client/files/afb-client
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ -z "${XDG_RUNTIME_DIR+1}" ]; then
+ export XDG_RUNTIME_DIR=/run/user/$UID
+fi
+LD_PRELOAD=/usr/lib/libEGL.so /usr/bin/qt5/qmlscene http://localhost:1234/opa /usr/share/agl/afb-viewer.qml
+
diff --git a/meta-app-framework/recipes-example/afm-client/afm-client_1.0.bb b/meta-app-framework/recipes-example/afm-client/afm-client_1.0.bb
new file mode 100644
index 000000000..4cd80db64
--- /dev/null
+++ b/meta-app-framework/recipes-example/afm-client/afm-client_1.0.bb
@@ -0,0 +1,40 @@
+SUMMARY = "Sample client for AFM to install/start/stop/remove applications"
+DESCRIPTION = "afm-client is a sample AngularJS/HTML5 application using \
+Application Framework Manager to install, start, stop, or remove \
+applications provided as .wgt widget packages."
+HOMEPAGE = "http://www.iot.bzh"
+
+inherit systemd
+
+LICENSE = "GPLv3+"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=6cb04bdb88e11107e3af4d8e3f301be5"
+
+#DEPENDS = "nodejs-native"
+RDEPENDS_${PN} = "af-main af-binder af-main-binding af-binder-binding-demopost af-binder-binding-authlogin"
+
+SRC_URI_git = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-demo;protocol=https;branch=master"
+SRC_URI_files = "file://afm-client \
+ file://afm-client.service \
+ "
+SRC_URI = "${SRC_URI_git} \
+ ${SRC_URI_files} \
+ "
+SRCREV = "9e9b459fa27d7a359a060024c9639b99b45813d5"
+S = "${WORKDIR}/git/afm-client"
+
+do_install () {
+ mkdir -p ${D}/${datadir}/agl/afm-client
+ cp -ra ${S}/dist.prod/* ${D}/${datadir}/agl/afm-client/
+
+ mkdir -p ${D}/${bindir}
+ install -m 0755 ${WORKDIR}/afm-client ${D}/${bindir}/afm-client
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_user_unitdir}
+ install -d ${D}${sysconfdir}/systemd/user/default.target.wants
+ install -m 0644 ${WORKDIR}/afm-client.service ${D}/${systemd_user_unitdir}/afm-client.service
+ ln -sf ${systemd_user_unitdir}/afm-client.service ${D}${sysconfdir}/systemd/user/default.target.wants
+ fi
+}
+
+FILES_${PN} += "${datadir} ${systemd_user_unitdir}"
diff --git a/meta-app-framework/recipes-example/afm-client/files/afm-client b/meta-app-framework/recipes-example/afm-client/files/afm-client
new file mode 100644
index 000000000..ba868e93d
--- /dev/null
+++ b/meta-app-framework/recipes-example/afm-client/files/afm-client
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ -z "${XDG_RUNTIME_DIR+1}" ]; then
+ export XDG_RUNTIME_DIR=/run/user/$UID
+fi
+LD_PRELOAD=/usr/lib/libEGL.so /usr/bin/web-runtime http://localhost:1236/opa
+
diff --git a/meta-app-framework/recipes-example/afm-client/files/afm-client.service b/meta-app-framework/recipes-example/afm-client/files/afm-client.service
new file mode 100644
index 000000000..735717439
--- /dev/null
+++ b/meta-app-framework/recipes-example/afm-client/files/afm-client.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Simplest application manager
+
+[Service]
+ExecStart=/usr/bin/afb-daemon --mode=remote --port=1234 --token='' --sessiondir=/home/root/.afb-daemon --rootdir=/usr/share/agl/afm-client --alias=/icons:/var/lib/afm/icons
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=default.target
+
diff --git a/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch
new file mode 100644
index 000000000..ff420d8a2
--- /dev/null
+++ b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home-native.patch
@@ -0,0 +1,45 @@
+From 008637fc8bd7f601eb6554d572bba025613913b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Wed, 8 Mar 2017 14:10:10 +0100
+Subject: [PATCH] useradd: copy extended attributes of home (native)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Change-Id: Ib6836e1b18c4c7f73e02c1f1fc9558dc749ba9da
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index 4c418af..8ba8af6 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -55,6 +55,9 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ #include <time.h>
++#ifdef WITH_ATTR
++#include <attr/libattr.h>
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1950,6 +1953,9 @@ static void create_home (void)
+ chown (user_home, user_id, user_gid);
+ chmod (user_home,
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++ attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ home_added = true;
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+--
+2.9.3
+
diff --git a/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
new file mode 100644
index 000000000..f231c3cfe
--- /dev/null
+++ b/meta-app-framework/recipes-extended/shadow/files/0001-useradd-copy-extended-attributes-of-home.patch
@@ -0,0 +1,45 @@
+From acec93540eba6899661c607408498ac72ab07a47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 7 Mar 2017 16:03:03 +0100
+Subject: [PATCH] useradd: copy extended attributes of home
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The Home directory wasn't getting the extended attributes
+of /etc/skel. This patch fixes that issue and adds the copy
+of the extended attributes of the root of the home directory.
+
+Change-Id: Icd633f7c6c494efd2a30cb8f04c306f749ad0c3b
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/useradd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a8a1f76..8aefb9c 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -52,6 +52,9 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ #include <time.h>
++#ifdef WITH_ATTR
++#include <attr/libattr.h>
++#endif
+ #include "chkname.h"
+ #include "defines.h"
+ #include "faillog.h"
+@@ -1915,6 +1918,9 @@ static void create_home (void)
+ chown (user_home, user_id, user_gid);
+ chmod (user_home,
+ 0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
++#ifdef WITH_ATTR
++ attr_copy_file (def_template, user_home, NULL, NULL);
++#endif
+ home_added = true;
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+--
+2.9.3
+
diff --git a/meta-app-framework/recipes-extended/shadow/shadow_%.bbappend b/meta-app-framework/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 000000000..f08435502
--- /dev/null
+++ b/meta-app-framework/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI_append_class-target = " file://0001-useradd-copy-extended-attributes-of-home.patch "
+SRC_URI_append_class-native = " file://0001-useradd-copy-extended-attributes-of-home-native.patch "
diff --git a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
new file mode 100644
index 000000000..02595efdf
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
+SRC_URI_append_smack = " file://audit.cfg"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend
new file mode 100644
index 000000000..c1c657201
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.1.bbappend
@@ -0,0 +1,12 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.1:"
+
+#-------------------------------------------------------------------------
+# smack patches for handling bluetooth
+
+SRC_URI_append_smack = "\
+ file://0001-Smack-File-receive-for-sockets.patch \
+ file://0002-smack-fix-cache-of-access-labels.patch \
+ file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \
+ file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \
+"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend
new file mode 100644
index 000000000..51df08719
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux-yocto_4.4.bbappend
@@ -0,0 +1,11 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux/linux-yocto-4.4:"
+
+#-------------------------------------------------------------------------
+# smack patches for handling bluetooth
+
+SRC_URI_append_smack = "\
+ file://0002-smack-fix-cache-of-access-labels.patch \
+ file://0003-Smack-ignore-null-signal-in-smack_task_kill.patch \
+ file://0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch \
+"
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/audit.cfg b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 000000000..214dbe33f
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch
new file mode 100644
index 000000000..b0c5ee8f4
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0001-Smack-File-receive-for-sockets.patch
@@ -0,0 +1,62 @@
+From 2e65b888820ea372984d412cee3bd7dcba05d7d2 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 7 Dec 2015 14:34:32 -0800
+Subject: [PATCH 1/4] Smack: File receive for sockets
+
+The existing file receive hook checks for access on
+the file inode even for UDS. This is not right, as
+the inode is not used by Smack to make access checks
+for sockets. This change checks for an appropriate
+access relationship between the receiving (current)
+process and the socket. If the process can't write
+to the socket's send label or the socket's receive
+label can't write to the process fail.
+
+This will allow the legitimate cases, where the
+socket sender and socket receiver can freely communicate.
+Only strangly set socket labels should cause a problem.
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b644757..487b2f3 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1672,9 +1672,31 @@ static int smack_file_receive(struct file *file)
+ int may = 0;
+ struct smk_audit_info ad;
+ struct inode *inode = file_inode(file);
++ struct socket *sock;
++ struct task_smack *tsp;
++ struct socket_smack *ssp;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
++
++ if (S_ISSOCK(inode->i_mode)) {
++ sock = SOCKET_I(inode);
++ ssp = sock->sk->sk_security;
++ tsp = current_security();
++ /*
++ * If the receiving process can't write to the
++ * passed socket or if the passed socket can't
++ * write to the receiving process don't accept
++ * the passed socket.
++ */
++ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ if (rc < 0)
++ return rc;
++ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ return rc;
++ }
+ /*
+ * This code relies on bitmasks.
+ */
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch
new file mode 100644
index 000000000..51c3b31ec
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0002-smack-fix-cache-of-access-labels.patch
@@ -0,0 +1,43 @@
+From 5bcea0fc4e5360deca133e211fdc76717a1693a4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Tue, 12 Jan 2016 21:23:40 +0100
+Subject: [PATCH 2/4] smack: fix cache of access labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this commit, removing the access property of
+a file, aka, the extended attribute security.SMACK64
+was not effictive until the cache had been cleaned.
+
+This patch fixes that problem.
+
+Signed-off-by: José Bollo <jobol@nonadev.net>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 487b2f3..b9393e3 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1256,9 +1256,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+ * Don't do anything special for these.
+ * XATTR_NAME_SMACKIPIN
+ * XATTR_NAME_SMACKIPOUT
+- * XATTR_NAME_SMACKEXEC
+ */
+- if (strcmp(name, XATTR_NAME_SMACK) == 0)
++ if (strcmp(name, XATTR_NAME_SMACK) == 0) {
++ struct super_block *sbp = d_backing_inode(dentry)->i_sb;
++ struct superblock_smack *sbsp = sbp->s_security;
++
++ isp->smk_inode = sbsp->smk_default;
++ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ isp->smk_task = NULL;
+ else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ isp->smk_mmap = NULL;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..67761ae46
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From aa63c4f8ece0c54a9be735ac38667f11fcd6f44a Mon Sep 17 00:00:00 2001
+From: Rafal Krypa <r.krypa@samsung.com>
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b9393e3..c916f58 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2056,6 +2056,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ struct smack_known *tkp = smk_of_task_struct(p);
+ int rc;
+
++ if (!sig)
++ return 0; /* null signal; existence test */
++
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ /*
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
new file mode 100644
index 000000000..4281c201c
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.1/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
@@ -0,0 +1,49 @@
+From b2b9e7ec8e79ede841104f76464f4b77c057b011 Mon Sep 17 00:00:00 2001
+From: jooseong lee <jooseong.lee@samsung.com>
+Date: Thu, 3 Nov 2016 10:55:43 +0100
+Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
+
+Creating struct sock by sk_alloc function in various kernel subsystems
+like bluetooth dosen't call smack_socket_post_create(). In such case,
+received sock label is the floor('_') label and makes access deny.
+
+Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
+
+Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
+Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ security/smack/smack_lsm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index c916f58..cc6769b 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2138,8 +2138,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+ if (ssp == NULL)
+ return -ENOMEM;
+
+- ssp->smk_in = skp;
+- ssp->smk_out = skp;
++ /*
++ * Sockets created by kernel threads receive web label.
++ */
++ if (unlikely(current->flags & PF_KTHREAD)) {
++ ssp->smk_in = &smack_known_web;
++ ssp->smk_out = &smack_known_web;
++ } else {
++ ssp->smk_in = skp;
++ ssp->smk_out = skp;
++ }
+ ssp->smk_packet = NULL;
+
+ sk->sk_security = ssp;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch
new file mode 100644
index 000000000..4021e5d38
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0001-Smack-File-receive-for-sockets.patch
@@ -0,0 +1,65 @@
+From 2b206c36b16e72cfe41cd22448d8527359ffd962 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 7 Dec 2015 14:34:32 -0800
+Subject: [PATCH 1/4] Smack: File receive for sockets
+
+The existing file receive hook checks for access on
+the file inode even for UDS. This is not right, as
+the inode is not used by Smack to make access checks
+for sockets. This change checks for an appropriate
+access relationship between the receiving (current)
+process and the socket. If the process can't write
+to the socket's send label or the socket's receive
+label can't write to the process fail.
+
+This will allow the legitimate cases, where the
+socket sender and socket receiver can freely communicate.
+Only strangly set socket labels should cause a problem.
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index ff81026..b20ef06 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1860,12 +1860,34 @@ static int smack_file_receive(struct file *file)
+ int may = 0;
+ struct smk_audit_info ad;
+ struct inode *inode = file_inode(file);
++ struct socket *sock;
++ struct task_smack *tsp;
++ struct socket_smack *ssp;
+
+ if (unlikely(IS_PRIVATE(inode)))
+ return 0;
+
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+ smk_ad_setfield_u_fs_path(&ad, file->f_path);
++
++ if (S_ISSOCK(inode->i_mode)) {
++ sock = SOCKET_I(inode);
++ ssp = sock->sk->sk_security;
++ tsp = current_security();
++ /*
++ * If the receiving process can't write to the
++ * passed socket or if the passed socket can't
++ * write to the receiving process don't accept
++ * the passed socket.
++ */
++ rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ if (rc < 0)
++ return rc;
++ rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
++ rc = smk_bu_file(file, may, rc);
++ return rc;
++ }
+ /*
+ * This code relies on bitmasks.
+ */
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch
new file mode 100644
index 000000000..c516f3aa5
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0002-smack-fix-cache-of-access-labels.patch
@@ -0,0 +1,43 @@
+From 99267706991ab84bd44ceaea9a7ec886bbdd58e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Tue, 12 Jan 2016 21:23:40 +0100
+Subject: [PATCH 2/4] smack: fix cache of access labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before this commit, removing the access property of
+a file, aka, the extended attribute security.SMACK64
+was not effictive until the cache had been cleaned.
+
+This patch fixes that problem.
+
+Signed-off-by: José Bollo <jobol@nonadev.net>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b20ef06..b2bcb14 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -1444,9 +1444,13 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
+ * Don't do anything special for these.
+ * XATTR_NAME_SMACKIPIN
+ * XATTR_NAME_SMACKIPOUT
+- * XATTR_NAME_SMACKEXEC
+ */
+- if (strcmp(name, XATTR_NAME_SMACK) == 0)
++ if (strcmp(name, XATTR_NAME_SMACK) == 0) {
++ struct super_block *sbp = d_backing_inode(dentry)->i_sb;
++ struct superblock_smack *sbsp = sbp->s_security;
++
++ isp->smk_inode = sbsp->smk_default;
++ } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ isp->smk_task = NULL;
+ else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ isp->smk_mmap = NULL;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
new file mode 100644
index 000000000..c9180bb9f
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0003-Smack-ignore-null-signal-in-smack_task_kill.patch
@@ -0,0 +1,39 @@
+From ec4eb03af07b0fbc330aecca6ac4ebd6accd8825 Mon Sep 17 00:00:00 2001
+From: Rafal Krypa <r.krypa@samsung.com>
+Date: Mon, 4 Apr 2016 11:14:53 +0200
+Subject: [PATCH 3/4] Smack: ignore null signal in smack_task_kill
+
+Kill with signal number 0 is commonly used for checking PID existence.
+Smack treated such cases like any other kills, although no signal is
+actually delivered when sig == 0.
+
+Checking permissions when sig == 0 didn't prevent an unprivileged caller
+from learning whether PID exists or not. When it existed, kernel returned
+EPERM, when it didn't - ESRCH. The only effect of policy check in such
+case is noise in audit logs.
+
+This change lets Smack silently ignore kill() invocations with sig == 0.
+
+Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
+Acked-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack_lsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b2bcb14..cf8a93f 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2239,6 +2239,9 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
+ struct smack_known *tkp = smk_of_task_struct(p);
+ int rc;
+
++ if (!sig)
++ return 0; /* null signal; existence test */
++
+ smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
+ smk_ad_setfield_u_tsk(&ad, p);
+ /*
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
new file mode 100644
index 000000000..a1eeac3d7
--- /dev/null
+++ b/meta-app-framework/recipes-kernel/linux/linux/linux-yocto-4.4/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
@@ -0,0 +1,49 @@
+From c8bbb0f916de54610513e376070aea531af19dd6 Mon Sep 17 00:00:00 2001
+From: jooseong lee <jooseong.lee@samsung.com>
+Date: Thu, 3 Nov 2016 10:55:43 +0100
+Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
+
+Creating struct sock by sk_alloc function in various kernel subsystems
+like bluetooth dosen't call smack_socket_post_create(). In such case,
+received sock label is the floor('_') label and makes access deny.
+
+Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
+
+Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
+Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ security/smack/smack_lsm.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index cf8a93f..21651bc 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2321,8 +2321,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
+ if (ssp == NULL)
+ return -ENOMEM;
+
+- ssp->smk_in = skp;
+- ssp->smk_out = skp;
++ /*
++ * Sockets created by kernel threads receive web label.
++ */
++ if (unlikely(current->flags & PF_KTHREAD)) {
++ ssp->smk_in = &smack_known_web;
++ ssp->smk_out = &smack_known_web;
++ } else {
++ ssp->smk_in = skp;
++ ssp->smk_out = skp;
++ }
+ ssp->smk_packet = NULL;
+
+ sk->sk_security = ssp;
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
new file mode 100644
index 000000000..fa359fa87
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
@@ -0,0 +1,87 @@
+From c34b2725817d4fd1fd6878bbb16617cb9e3e3a70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 22 Jan 2016 16:23:59 +0100
+Subject: [PATCH] removing capability enforcement
+
+Signed-off-by: ronan <ronan@iot.bzh>
+
+Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30
+---
+ progs/setcap.c | 45 +--------------------------------------------
+ 1 file changed, 1 insertion(+), 44 deletions(-)
+
+diff --git a/progs/setcap.c b/progs/setcap.c
+index 7304343..71999b6 100644
+--- a/progs/setcap.c
++++ b/progs/setcap.c
+@@ -58,11 +58,9 @@ static int read_caps(int quiet, const char *filename, char *buffer)
+
+ int main(int argc, char **argv)
+ {
+- int tried_to_cap_setfcap = 0;
+ char buffer[MAXCAP+1];
+ int retval, quiet=0, verify=0;
+ cap_t mycaps;
+- cap_value_t capflag;
+
+ if (argc < 3) {
+ usage();
+@@ -150,54 +148,13 @@ int main(int argc, char **argv)
+ printf("%s: OK\n", *argv);
+ }
+ } else {
+- if (!tried_to_cap_setfcap) {
+- capflag = CAP_SETFCAP;
+-
+- /*
+- * Raise the effective CAP_SETFCAP.
+- */
+- if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET)
+- != 0) {
+- perror("unable to manipulate CAP_SETFCAP - "
+- "try a newer libcap?");
+- exit(1);
+- }
+- if (cap_set_proc(mycaps) != 0) {
+- perror("unable to set CAP_SETFCAP effective capability");
+- exit(1);
+- }
+- tried_to_cap_setfcap = 1;
+- }
+ retval = cap_set_file(*++argv, cap_d);
+ if (retval != 0) {
+- int explained = 0;
+ int oerrno = errno;
+-#ifdef linux
+- cap_value_t cap;
+- cap_flag_value_t per_state;
+-
+- for (cap = 0;
+- cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1;
+- cap++) {
+- cap_flag_value_t inh_state, eff_state;
+-
+- cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state);
+- cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state);
+- if ((inh_state | per_state) != eff_state) {
+- fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n"
+- " exactly match the union of selected permitted and inheritable bits.\n");
+- explained = 1;
+- break;
+- }
+- }
+-#endif /* def linux */
+-
+ fprintf(stderr,
+ "Failed to set capabilities on file `%s' (%s)\n",
+ argv[0], strerror(oerrno));
+- if (!explained) {
+- usage();
+- }
++
+ }
+ }
+ if (cap_d) {
+--
+2.6.6
+
diff --git a/meta-app-framework/recipes-support/libcap/libcap_%.bbappend b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
new file mode 100644
index 000000000..fbe893501
--- /dev/null
+++ b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_append_class-native := ":${THISDIR}/${PN}"
+SRC_URI_append_class-native = " file://removing-capability-enforcement.patch"
+PACKAGECONFIG_class-native ?= "attr"
+DEPENDS_append_class-native = " attr-native"
+
diff --git a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd/allows-upgrade.patch b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd/allows-upgrade.patch
new file mode 100644
index 000000000..19601a537
--- /dev/null
+++ b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd/allows-upgrade.patch
@@ -0,0 +1,81 @@
+diff -Naur a/src/microhttpd/connection.c b/src/microhttpd/connection.c
+--- a/src/microhttpd/connection.c 2016-04-08 21:02:26.000000000 +0200
++++ b/src/microhttpd/connection.c 2016-08-29 22:41:53.790560238 +0200
+@@ -708,6 +708,8 @@
+ * "keep-alive", we proceed to use the default for the respective HTTP
+ * version (which is conservative for HTTP 1.0, but might be a bit
+ * optimistic for HTTP 1.1).
++ * In the case of Upgrade, the header Connection should not be set
++ * to keep-alive.
+ *
+ * @param connection the connection to check for keepalive
+ * @return #MHD_YES if (based on the request), a keepalive is
+@@ -750,6 +752,59 @@
+
+
+ /**
++ * Should we try to keep the given connection alive? We can use the
++ * TCP stream for a second request if the connection is HTTP 1.1 and
++ * the "Connection" header either does not exist or is not set to
++ * "close", or if the connection is HTTP 1.0 and the "Connection"
++ * header is explicitly set to "keep-alive". If no HTTP version is
++ * specified (or if it is not 1.0 or 1.1), we definitively close the
++ * connection. If the "Connection" header is not exactly "close" or
++ * "keep-alive", we proceed to use the default for the respective HTTP
++ * version (which is conservative for HTTP 1.0, but might be a bit
++ * optimistic for HTTP 1.1).
++ * In the case of Upgrade, the connection should be kept alive even if
++ * the header Connection is not keep-alive.
++ *
++ * @param connection the connection to check for keepalive
++ * @return #MHD_YES if (based on the request), a keepalive is
++ * legal
++ */
++static int
++should_keepalive (struct MHD_Connection *connection)
++{
++ const char *end;
++
++ if (NULL == connection->version)
++ return MHD_NO;
++ if ( (NULL != connection->response) &&
++ (0 != (connection->response->flags & MHD_RF_HTTP_VERSION_1_0_ONLY) ) )
++ return MHD_NO;
++ end = MHD_lookup_connection_value (connection,
++ MHD_HEADER_KIND,
++ MHD_HTTP_HEADER_CONNECTION);
++ if (MHD_str_equal_caseless_(connection->version,
++ MHD_HTTP_VERSION_1_1))
++ {
++ if (NULL == end)
++ return MHD_YES;
++ if ( (MHD_str_equal_caseless_ (end, "close")) )
++ return MHD_NO;
++ return MHD_YES;
++ }
++ if (MHD_str_equal_caseless_(connection->version,
++ MHD_HTTP_VERSION_1_0))
++ {
++ if (NULL == end)
++ return MHD_NO;
++ if (MHD_str_equal_caseless_(end, "Keep-Alive"))
++ return MHD_YES;
++ return MHD_NO;
++ }
++ return MHD_NO;
++}
++
++
++/**
+ * Produce HTTP "Date:" header.
+ *
+ * @param date where to write the header, with
+@@ -2795,7 +2850,7 @@
+ }
+ if (((MHD_YES == connection->read_closed) &&
+ (0 == connection->read_buffer_offset)) ||
+- (MHD_NO == keepalive_possible (connection)))
++ (MHD_NO == should_keepalive (connection)))
+ {
+ /* have to close for some reason */
+ MHD_connection_close_ (connection,
diff --git a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bb b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bb
new file mode 100644
index 000000000..9abb2004e
--- /dev/null
+++ b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bb
@@ -0,0 +1,25 @@
+DESCRIPTION = "A small C library that is supposed to make it easy to run an HTTP server as part of another application"
+HOMEPAGE = "http://www.gnu.org/software/libmicrohttpd/"
+LICENSE = "LGPL-2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=9331186f4f80db7da0e724bdd6554ee5"
+SECTION = "net"
+DEPENDS = "libgcrypt gnutls file"
+
+SRC_URI = "http://ftp.gnu.org/gnu/libmicrohttpd/${BPN}-${PV}.tar.gz"
+SRC_URI[md5sum] = "3209aa2ac6199b874a6325342b86edbc"
+SRC_URI[sha256sum] = "9407d8252548ab97ace3276e0032f073820073c0599d43baff832902a8dab11c"
+
+inherit autotools lib_package pkgconfig
+
+EXTRA_OECONF += "--disable-static --with-gnutls=${STAGING_LIBDIR}/../"
+
+PACKAGECONFIG ?= "curl"
+PACKAGECONFIG_append_class-target = "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'largefile', 'largefile', '', d)} \
+"
+PACKAGECONFIG[largefile] = "--enable-largefile,--disable-largefile,,"
+PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,"
+
+do_compile_append() {
+ sed -i s:-L${STAGING_LIBDIR}::g libmicrohttpd.pc
+}
diff --git a/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bbappend b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bbappend
new file mode 100644
index 000000000..c26b8119f
--- /dev/null
+++ b/meta-app-framework/recipes-support/libmicrohttpd/libmicrohttpd_0.9.49.bbappend
@@ -0,0 +1,5 @@
+
+FILESEXTRAPATHS_append := ":${THISDIR}/${PN}"
+SRC_URI += " file://allows-upgrade.patch"
+
+
diff --git a/meta-app-framework/recipes-support/libzip/libzip_1.1.1.bb b/meta-app-framework/recipes-support/libzip/libzip_1.1.1.bb
new file mode 100644
index 000000000..450971176
--- /dev/null
+++ b/meta-app-framework/recipes-support/libzip/libzip_1.1.1.bb
@@ -0,0 +1,32 @@
+inherit autotools
+
+SUMMARY = "Library providing support for handling zip files"
+DESCRIPTION = "\
+ This library is wrapping zlib and allows \
+ to easily create, browse, inflate of deflate \
+ the zip files. \
+ It also provides tools for zip comparing, merging or browsing.\
+"
+
+HOMEPAGE = "http://nih.at/libzip/index.html"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=23ebf7ca347ed9703b4ef40824d0ef66"
+
+SRC_URI = "http://nih.at/libzip/libzip-1.1.1.tar.xz;md5sum=0c86a1a94fbc3ec6724801036726ae1f"
+
+#SRC_URI = "hg://hg.nih.at/libzip;module=libzip;protocol=http"
+#SRCREV = "5895e34af7f9"
+#S = "${HGDIR}"
+
+SECTION = "base"
+
+DEPENDS = "zlib"
+
+RDEPENDS_${PN} = "zlib"
+
+PROVIDES += "${PN}-tools"
+RDEPENDS_${PN}-tools = "${PN}"
+FILES_${PN}-tools = "${bindir}/zipcmp ${bindir}/zipmerge ${bindir}/ziptool"
+
+BBCLASSEXTEND = "native nativesdk"
+
diff --git a/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch b/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch
new file mode 100644
index 000000000..c92df77f0
--- /dev/null
+++ b/meta-app-framework/recipes-support/xmlsec1/xmlsec1/Only-require-libxslt-in-.pc-files-when-necessary.patch
@@ -0,0 +1,115 @@
+From 1e39acf581ef47876b058da41774cbc92560d797 Mon Sep 17 00:00:00 2001
+From: Manuel Bachmann <manuel.bachmann@iot.bzh>
+Date: Wed, 27 Jan 2016 14:16:40 +0100
+Subject: [PATCH] Only require libxslt in .pc files when necessary
+
+If we build xmlsec without libxslt ("--without-libxslt" at
+configure time), dependent packages will still require it
+because it is unconditionally mentioned in .pc files (used
+by pkg-config).
+
+We now make sure that this dependency is mentioned only if
+the configure script validates libxslt presence.
+
+Signed-off-by: Manuel Bachmann <manuel.bachmann@iot.bzh>
+---
+ configure.in | 4 ++++
+ xmlsec-gcrypt.pc.in | 2 +-
+ xmlsec-gnutls.pc.in | 2 +-
+ xmlsec-nss.pc.in | 2 +-
+ xmlsec-openssl.pc.in | 2 +-
+ xmlsec.pc.in | 2 +-
+ 6 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 7d976d0..a8350a9 100644
+--- a/configure.in
++++ b/configure.in
+@@ -255,6 +255,7 @@ dnl ==========================================================================
+ dnl find libxslt
+ dnl ==========================================================================
+ XMLSEC_NO_LIBXSLT="1"
++LIBXSLT_COND="libxslt >="
+ LIBXSLT_MIN_VERSION=1.0.20
+ LIBXSLT_CONFIG="xslt-config"
+ LIBXSLT_CFLAGS=""
+@@ -324,6 +325,8 @@ fi
+ if test "z$LIBXSLT_FOUND" = "zyes" ; then
+ XMLSEC_NO_LIBXSLT="0"
+ else
++ LIBXSLT_COND=""
++ LIBXSLT_MIN_VERSION=""
+ XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_XSLT=1"
+ fi
+
+@@ -332,6 +335,7 @@ AC_SUBST(LIBXSLT_CFLAGS)
+ AC_SUBST(LIBXSLT_LIBS)
+ AC_SUBST(LIBXSLT_CONFIG)
+ AC_SUBST(LIBXSLT_MIN_VERSION)
++AC_SUBST(LIBXSLT_COND)
+
+ dnl ==========================================================================
+ dnl See if we can find a crypto library
+diff --git a/xmlsec-gcrypt.pc.in b/xmlsec-gcrypt.pc.in
+index 1c00496..33bc2ff 100644
+--- a/xmlsec-gcrypt.pc.in
++++ b/xmlsec-gcrypt.pc.in
+@@ -6,6 +6,6 @@ includedir=@includedir@
+ Name: xmlsec1-gcrypt
+ Version: @VERSION@
+ Description: XML Security Library implements XML Signature and XML Encryption standards
+-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@
++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@
+ Cflags: -DXMLSEC_CRYPTO=\"gcrypt\" @XMLSEC_GCRYPT_CFLAGS@
+ Libs: @XMLSEC_GCRYPT_LIBS@
+diff --git a/xmlsec-gnutls.pc.in b/xmlsec-gnutls.pc.in
+index e538cd4..d01cf82 100644
+--- a/xmlsec-gnutls.pc.in
++++ b/xmlsec-gnutls.pc.in
+@@ -6,6 +6,6 @@ includedir=@includedir@
+ Name: xmlsec1-gnutls
+ Version: @VERSION@
+ Description: XML Security Library implements XML Signature and XML Encryption standards
+-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@
++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@
+ Cflags: -DXMLSEC_CRYPTO=\"gnutls\" @XMLSEC_GNUTLS_CFLAGS@
+ Libs: @XMLSEC_GNUTLS_LIBS@
+diff --git a/xmlsec-nss.pc.in b/xmlsec-nss.pc.in
+index a6d6c5c..75f0232 100644
+--- a/xmlsec-nss.pc.in
++++ b/xmlsec-nss.pc.in
+@@ -6,6 +6,6 @@ includedir=@includedir@
+ Name: xmlsec1-nss
+ Version: @VERSION@
+ Description: XML Security Library implements XML Signature and XML Encryption standards
+-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@ @NSPR_PACKAGE@ >= @MOZILLA_MIN_VERSION@ @NSS_PACKAGE@ >= @MOZILLA_MIN_VERSION@
++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@ @NSPR_PACKAGE@ >= @MOZILLA_MIN_VERSION@ @NSS_PACKAGE@ >= @MOZILLA_MIN_VERSION@
+ Cflags: -DXMLSEC_CRYPTO=\"nss\" -DXMLSEC_CRYPTO_NSS=1 @XMLSEC_CORE_CFLAGS@
+ Libs: -L${libdir} -lxmlsec1-nss @XMLSEC_CORE_LIBS@
+diff --git a/xmlsec-openssl.pc.in b/xmlsec-openssl.pc.in
+index 85ee2b0..e9d0651 100644
+--- a/xmlsec-openssl.pc.in
++++ b/xmlsec-openssl.pc.in
+@@ -6,6 +6,6 @@ includedir=@includedir@
+ Name: xmlsec1-openssl
+ Version: @VERSION@
+ Description: XML Security Library implements XML Signature and XML Encryption standards
+-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@
++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@
+ Cflags: -DXMLSEC_CRYPTO=\"openssl\" @XMLSEC_OPENSSL_CFLAGS@
+ Libs: @XMLSEC_OPENSSL_LIBS@
+diff --git a/xmlsec.pc.in b/xmlsec.pc.in
+index a750ab8..14ea670 100644
+--- a/xmlsec.pc.in
++++ b/xmlsec.pc.in
+@@ -6,6 +6,6 @@ includedir=@includedir@
+ Name: xmlsec1
+ Version: @VERSION@
+ Description: XML Security Library implements XML Signature and XML Encryption standards
+-Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ libxslt >= @LIBXSLT_MIN_VERSION@
++Requires: libxml-2.0 >= @LIBXML_MIN_VERSION@ @LIBXSLT_COND@ @LIBXSLT_MIN_VERSION@
+ Cflags: -DXMLSEC_CRYPTO=\"@XMLSEC_CRYPTO@\" -DXMLSEC_CRYPTO_DYNAMIC_LOADING=1 @XMLSEC_CORE_CFLAGS@
+ Libs: -L${libdir} @XMLSEC_CORE_LIBS@
+--
+2.6.2
+
diff --git a/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend
new file mode 100644
index 000000000..8f1972f07
--- /dev/null
+++ b/meta-app-framework/recipes-support/xmlsec1/xmlsec1_1.%.bbappend
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_append := ":${THISDIR}/${PN}"
+SRC_URI += "file://Only-require-libxslt-in-.pc-files-when-necessary.patch"
+
+DEPENDS += "libxml2"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/templates/feature/agl-appfw-smack/50_bblayers.conf.inc b/templates/feature/agl-appfw-smack/50_bblayers.conf.inc
new file mode 100644
index 000000000..344c25070
--- /dev/null
+++ b/templates/feature/agl-appfw-smack/50_bblayers.conf.inc
@@ -0,0 +1,6 @@
+BBLAYERS =+ " \
+ ${METADIR}/meta-intel-iot-security/meta-security-smack \
+ ${METADIR}/meta-intel-iot-security/meta-security-framework \
+ ${METADIR}/meta-agl/meta-app-framework \
+ "
+
diff --git a/templates/feature/agl-appfw-smack/50_local.conf.inc b/templates/feature/agl-appfw-smack/50_local.conf.inc
new file mode 100644
index 000000000..0a11f07c2
--- /dev/null
+++ b/templates/feature/agl-appfw-smack/50_local.conf.inc
@@ -0,0 +1,2 @@
+#see meta-agl/meta-app-framework/conf/include/agl-appfw-smack.inc
+require conf/include/agl-appfw-smack.inc