aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-security/COPYING.MIT17
-rw-r--r--meta-security/README.md31
-rw-r--r--meta-security/classes/deploy-files.bbclass68
-rw-r--r--meta-security/classes/xattr-images.bbclass137
-rw-r--r--meta-security/conf/layer.conf12
-rw-r--r--meta-security/lib/oeqa/runtime/__init__.py0
-rw-r--r--meta-security/lib/oeqa/runtime/files/notroot.py33
-rw-r--r--meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh54
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh18
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh27
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh108
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh107
-rw-r--r--meta-security/lib/oeqa/runtime/securitymanager.py108
-rw-r--r--meta-security/lib/oeqa/runtime/smack.py589
-rw-r--r--meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend55
-rw-r--r--meta-security/recipes-connectivity/connman/connman_%.bbappend32
-rw-r--r--meta-security/recipes-core/base-files/base-files_%.bbappend73
-rw-r--r--meta-security/recipes-core/coreutils/coreutils_%.bbappend7
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0001-Fix-memleak-in-GetConnectionCredentials-handler.patch32
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0002-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch97
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0003-Add-LSM-agnostic-support-for-LinuxSecurityLabel-cred.patch515
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0004-Integration-of-Cynara-asynchronous-security-checks.patch2253
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0005-Disable-message-dispatching-when-send-rule-result-is.patch941
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0006-Handle-unavailability-of-policy-results-for-broadcas.patch1071
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0007-Add-own-rule-result-unavailability-handling.patch1142
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/0008-Add-GetConnectionSmackContext-D-Bus-daemon-method.patch99
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara/Perform-Cynara-runtime-policy-checks-by-default.patch116
-rw-r--r--meta-security/recipes-core/dbus/dbus-cynara_1.8.18.bb58
-rw-r--r--meta-security/recipes-core/dbus/dbus-oe-core.inc170
-rw-r--r--meta-security/recipes-core/dbus/dbus_%.bbappend27
-rw-r--r--meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb22
-rw-r--r--meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch49
-rw-r--r--meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch50
-rw-r--r--meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch82
-rw-r--r--meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch68
-rw-r--r--meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch107
-rw-r--r--meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch191
-rw-r--r--meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch179
-rw-r--r--meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch106
-rw-r--r--meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch41
-rw-r--r--meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch37
-rw-r--r--meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch58
-rw-r--r--meta-security/recipes-core/systemd/systemd/udev-smack-default.rules23
-rw-r--r--meta-security/recipes-core/systemd/systemd_%.bbappend120
-rw-r--r--meta-security/recipes-core/util-linux/util-linux_%.bbappend8
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc27
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4135
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch18
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch67
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch19
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch44
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest11
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend14
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb106
-rw-r--r--meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch51
-rw-r--r--meta-security/recipes-kernel/linux/linux-%.bbappend17
-rw-r--r--meta-security/recipes-kernel/linux/linux/audit.cfg2
-rw-r--r--meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg2
-rw-r--r--meta-security/recipes-kernel/linux/linux/smack.cfg8
-rw-r--r--meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch46
-rw-r--r--meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch2938
-rw-r--r--meta-security/recipes-security/audit/audit/audit-python-configure.patch27
-rw-r--r--meta-security/recipes-security/audit/audit/audit-python.patch31
-rw-r--r--meta-security/recipes-security/audit/audit/audit-volatile.conf1
-rwxr-xr-xmeta-security/recipes-security/audit/audit/auditd153
-rw-r--r--meta-security/recipes-security/audit/audit/auditd.service20
-rw-r--r--meta-security/recipes-security/audit/audit/disable-ldap.patch59
-rw-r--r--meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch48
-rw-r--r--meta-security/recipes-security/audit/audit_2.3.2.bb102
-rw-r--r--meta-security/recipes-security/cynara/cynara.inc158
-rw-r--r--meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch119
-rw-r--r--meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch31
-rw-r--r--meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch31
-rwxr-xr-xmeta-security/recipes-security/cynara/cynara/run-ptest4
-rw-r--r--meta-security/recipes-security/cynara/cynara_git.bb11
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch19
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch30
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch13
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch13
-rw-r--r--meta-security/recipes-security/keyutils/keyutils_1.5.8.bb44
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch79
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng/python.patch39
-rw-r--r--meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb39
-rw-r--r--meta-security/recipes-security/security-manager/security-manager.inc98
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch116
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch34
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch196
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch32
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch24
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch32
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch78
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch35
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch47
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch47
-rw-r--r--meta-security/recipes-security/security-manager/security-manager_git.bb34
-rw-r--r--meta-security/recipes-security/smack/smack-userspace_git.bb27
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet184
-rw-r--r--meta-security/recipes-security/smacknet/files/smacknet.service11
-rw-r--r--meta-security/recipes-security/smacknet/smacknet.bb29
-rw-r--r--meta-security/recipes-test/app-runas/app-runas.bb17
-rw-r--r--meta-security/recipes-test/app-runas/files/app-runas.cpp221
-rw-r--r--meta-security/recipes-test/mmap-smack-test/files/mmap.c7
-rw-r--r--meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb16
-rw-r--r--meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend2
-rw-r--r--meta-security/recipes-test/tcp-smack-test/files/tcp_client.c111
-rw-r--r--meta-security/recipes-test/tcp-smack-test/files/tcp_server.c118
-rw-r--r--meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb20
-rw-r--r--meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend2
-rw-r--r--meta-security/recipes-test/udp-smack-test/files/udp_client.c75
-rw-r--r--meta-security/recipes-test/udp-smack-test/files/udp_server.c93
-rw-r--r--meta-security/recipes-test/udp-smack-test/udp-smack-test.bb20
-rw-r--r--meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend2
112 files changed, 15442 insertions, 0 deletions
diff --git a/meta-security/COPYING.MIT b/meta-security/COPYING.MIT
new file mode 100644
index 000000000..89de35479
--- /dev/null
+++ b/meta-security/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/meta-security/README.md b/meta-security/README.md
new file mode 100644
index 000000000..0bae9f3fb
--- /dev/null
+++ b/meta-security/README.md
@@ -0,0 +1,31 @@
+This README file contains information on the contents of the
+meta-security layer.
+
+Please see the corresponding sections below for details.
+
+
+Dependencies
+============
+
+This layer depends on:
+
+ URI: git://git.openembedded.org/bitbake
+ branch: master
+
+ URI: git://git.openembedded.org/openembedded-core
+ layers: meta
+ branch: master
+
+ URI: git://git.yoctoproject.org/meta-security
+ branch: master
+
+
+Patches
+=======
+
+Please submit any patches against the meta-security layer via gerrit
+reviews.
+
+For discussion use the discussion mailing list
+mailto:automotive-discussions@lists.linuxfoundation.org
+
diff --git a/meta-security/classes/deploy-files.bbclass b/meta-security/classes/deploy-files.bbclass
new file mode 100644
index 000000000..ec19323a3
--- /dev/null
+++ b/meta-security/classes/deploy-files.bbclass
@@ -0,0 +1,68 @@
+DEPLOY_FILES_DIR = "${WORKDIR}/deploy-files-${PN}"
+SSTATETASKS += "do_deploy_files"
+do_deploy_files[sstate-inputdirs] = "${DEPLOY_FILES_DIR}"
+do_deploy_files[sstate-outputdirs] = "${DEPLOY_DIR}/files/"
+
+python do_deploy_files_setscene () {
+ sstate_setscene(d)
+}
+addtask do_deploy_files_setscene
+do_deploy_files[dirs] = "${DEPLOY_FILES_DIR} ${B}"
+
+# Use like this:
+# DEPLOY_FILES = "abc xyz"
+# DEPLOY_FILES_FROM[abc] = "file-ab dir-c"
+# DEPLOY_FILES_TO[abc] = "directory-for-abc"
+# DEPLOY_FILES_FROM[xyz] = "file-xyz"
+# DEPLOY_FILES_TO[xyz] = "directory-for-xyz"
+#
+# The destination directory will be created inside
+# ${DEPLOYDIR}. The source files and directories
+# will be copied such that their name and (for
+# directories) the directory tree below it will
+# be preserved. Shell wildcards are supported.
+#
+# The default DEPLOY_FILES copies files for the native host
+# and the target into two different directories. Use that as follows:
+# DEPLOY_FILES_FROM_native = "native-file"
+# DEPLOY_FILES_FROM_target = "target-file"
+
+DEPLOY_FILES ?= "native target"
+DEPLOY_FILES_FROM[native] ?= ""
+DEPLOY_FILES_TO[native] = "native/${BUILD_ARCH}"
+DEPLOY_FILES_FROM[target] ?= ""
+DEPLOY_FILES_TO[target] = "target/${MACHINE}"
+
+# We have to use a Python function to access variable flags. Because
+# bitbake then does not know about the dependency on these variables,
+# we need to explicitly declare that. DEPLOYDIR may change without
+# invalidating the sstate, therefore it is not listed.
+do_deploy_files[vardeps] = "DEPLOY_FILES DEPLOY_FILES_FROM DEPLOY_FILES_TO"
+python do_deploy_files () {
+ import glob
+ import os
+ import shutil
+
+ for file in (d.getVar('DEPLOY_FILES', True) or '').split():
+ bb.note('file: %s' % file)
+ from_pattern = d.getVarFlag('DEPLOY_FILES_FROM', file, True)
+ bb.note('from: %s' % from_pattern)
+ if from_pattern:
+ to = os.path.join(d.getVar('DEPLOY_FILES_DIR', True), d.getVarFlag('DEPLOY_FILES_TO', file, True))
+ bb.note('to: %s' % to)
+ if not os.path.isdir(to):
+ os.makedirs(to)
+ for from_path in from_pattern.split():
+ for src in (glob.glob(from_path) or [from_path]):
+ bb.note('Deploying %s to %s' % (src, to))
+ if os.path.isdir(src):
+ src_dirname = shutil._basename(src)
+ to = os.path.join(to, src_dirname)
+ if os.path.exists(to):
+ bb.utils.remove(to, True)
+ shutil.copytree(src, to)
+ else:
+ shutil.copy(src, to)
+}
+
+addtask deploy_files before do_build after do_compile
diff --git a/meta-security/classes/xattr-images.bbclass b/meta-security/classes/xattr-images.bbclass
new file mode 100644
index 000000000..565a3fb6e
--- /dev/null
+++ b/meta-security/classes/xattr-images.bbclass
@@ -0,0 +1,137 @@
+# Both Smack and IMA/EVM rely on xattrs. Inheriting this class ensures
+# that these xattrs get preserved in tar and jffs2 images.
+#
+# It also fixes the rootfs so that the content of directories with
+# SMACK::TRANSMUTE is correctly labelled. This is because pseudo does
+# not know the special semantic of SMACK::TRANSMUTE and omits the
+# updating of the Smack label when creating entries inside such a directory,
+# for example /etc (see base-files_%.bbappend). Without the fixup,
+# files already installed during the image creation would have different (and
+# wrong) Smack labels.
+
+# xattr support is expected to be compiled into mtd-utils. We just need to
+# use it.
+EXTRA_IMAGECMD_jffs2_append = " --with-xattr"
+
+# By default, OE-core uses tar from the host, which may or may not have the
+# --xattrs parameter which was introduced in 1.27. For image building we
+# use a recent enough tar instead.
+#
+# The GNU documentation does not specify whether --xattrs-include is necessary.
+# In practice, it turned out to be not needed when creating archives and
+# required when extracting, but it seems prudent to use it in both cases.
+IMAGE_DEPENDS_tar_append = " tar-replacement-native"
+EXTRANATIVEPATH += "tar-native"
+IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
+
+xattr_images_fix_transmute[dirs] = "${IMAGE_ROOTFS}"
+python xattr_images_fix_transmute () {
+ # The recursive updating of the Smack label ensures that each entry
+ # has the label set for its parent directories if one of those was
+ # marked as transmuting.
+ #
+ # In addition, "_" is set explicitly on everything that would not
+ # have a label otherwise. This is a workaround for tools like swupd
+ # which transfers files from a rootfs onto a target device where Smack
+ # is active: on the target, each file gets assigned a label, typically
+ # the one from the process which creates it. swupd (or rather, the tools
+ # it is currently built on) knows how to set security.SMACK64="_" when
+ # it is set on the original files, but it does not know that it needs
+ # to remove that xattr when not set.
+ import os
+ import errno
+
+ if getattr(os, 'getxattr', None):
+ # Python 3: os has xattr support.
+ def lgetxattr(f, attr):
+ try:
+ value = os.getxattr(f, attr, follow_symlinks=False)
+ return value.decode('utf8')
+ except OSError as ex:
+ if ex.errno == errno.ENODATA:
+ return None
+
+ def lsetxattr(f, attr, value):
+ os.setxattr(f, attr.encode('utf8'), value.encode('utf8'), follow_symlinks=False)
+ else:
+ # Python 2: xattr support only in xattr module.
+ #
+ # Cannot use the 'xattr' module, it is not part of a standard Python
+ # installation. Instead re-implement using ctypes. Only has to be good
+ # enough for xattrs that are strings. Always operates on the symlinks themselves,
+ # not what they point to.
+ import ctypes
+
+ # We cannot look up the xattr functions inside libc. That bypasses
+ # pseudo, which overrides these functions via LD_PRELOAD. Instead we have to
+ # find the function address and then create a ctypes function from it.
+ libdl = ctypes.CDLL("libdl.so.2")
+ _dlsym = libdl.dlsym
+ _dlsym.restype = ctypes.c_void_p
+ RTLD_DEFAULT = ctypes.c_void_p(0)
+ _lgetxattr = ctypes.CFUNCTYPE(ctypes.c_ssize_t, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t,
+ use_errno=True)(_dlsym(RTLD_DEFAULT, 'lgetxattr'))
+ _lsetxattr = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
+ use_errno=True)(_dlsym(RTLD_DEFAULT, 'lsetxattr'))
+
+ def lgetxattr(f, attr):
+ len = 32
+ while True:
+ buffer = ctypes.create_string_buffer('\000' * len)
+ res = _lgetxattr(f, attr, buffer, ctypes.c_size_t(len))
+ if res >= 0:
+ return buffer.value
+ else:
+ error = ctypes.get_errno()
+ if ctypes.get_errno() == errno.ERANGE:
+ len *= 2
+ elif error == errno.ENODATA:
+ return None
+ else:
+ raise IOError(error, 'lgetxattr(%s, %s): %d = %s = %s' %
+ (f, attr, error, errno.errorcode[error], os.strerror(error)))
+
+ def lsetxattr(f, attr, value):
+ res = _lsetxattr(f, attr, value, ctypes.c_size_t(len(value)), ctypes.c_int(0))
+ if res != 0:
+ error = ctypes.get_errno()
+ raise IOError(error, 'lsetxattr(%s, %s, %s): %d = %s = %s' %
+ (f, attr, value, error, errno.errorcode[error], os.strerror(error)))
+
+ def visit(path, deflabel, deftransmute):
+ isrealdir = os.path.isdir(path) and not os.path.islink(path)
+ curlabel = lgetxattr(path, 'security.SMACK64')
+ transmute = lgetxattr(path, 'security.SMACK64TRANSMUTE') == 'TRUE'
+
+ if not curlabel:
+ # Since swupd doesn't remove the label from an updated file assigned by
+ # the target device's kernel upon unpacking the file from an update,
+ # we have to set the floor label explicitly even though it is the default label
+ # and thus adding it would create additional overhead. Otherwise this
+ # would result in hash mismatches reported by `swupd verify`.
+ lsetxattr(path, 'security.SMACK64', deflabel)
+ if not transmute and deftransmute and isrealdir:
+ lsetxattr(path, 'security.SMACK64TRANSMUTE', 'TRUE')
+
+ # Identify transmuting directories and change the default Smack
+ # label inside them. In addition, directories themselves must become
+ # transmuting.
+ if isrealdir:
+ if transmute:
+ deflabel = lgetxattr(path, 'security.SMACK64')
+ deftransmute = True
+ if deflabel is None:
+ raise RuntimeError('%s: transmuting directory without Smack label' % path)
+ elif curlabel:
+ # Directory with explicit label set and not transmuting => do not
+ # change the content unless we run into another transmuting directory.
+ deflabel = '_'
+ deftransmute = False
+
+ for entry in os.listdir(path):
+ visit(os.path.join(path, entry), deflabel, deftransmute)
+
+ visit('.', '_', False)
+}
+# Same logic as in ima-evm-rootfs.bbclass: try to run as late as possible.
+IMAGE_PREPROCESS_COMMAND_append_with-lsm-smack = " xattr_images_fix_transmute ; "
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
new file mode 100644
index 000000000..c051e5885
--- /dev/null
+++ b/meta-security/conf/layer.conf
@@ -0,0 +1,12 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have a packages directory, add to BBFILES
+BBFILES := "${BBFILES} \
+ ${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+# Must prioritize our rpm recipe over the default ones.
+BBFILE_COLLECTIONS += "security-smack"
+BBFILE_PATTERN_security-smack := "^${LAYERDIR}/"
+BBFILE_PRIORITY_security-smack = "8"
diff --git a/meta-security/lib/oeqa/runtime/__init__.py b/meta-security/lib/oeqa/runtime/__init__.py
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/__init__.py
diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py
new file mode 100644
index 000000000..f0eb0b5b9
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual:
+# """By default, each user in Debian GNU/Linux is given a corresponding group
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+
+try:
+ uid = int(sys.argv[1])
+ sys.argv.pop(1)
+ label = sys.argv[1]
+ sys.argv.pop(1)
+ open("/proc/self/attr/current", "w").write(label)
+ path=sys.argv[1]
+ sys.argv.pop(0)
+ os.setgid(uid)
+ os.setuid(uid)
+ os.execv(path,sys.argv)
+
+except Exception,e:
+ print e.message
+ sys.exit(1)
diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
new file mode 100644
index 000000000..5a0ce84f2
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+# 12345678901234567890123456789012345678901234567890123456
+delrule="TheOne TheOther -----"
+rule_ro="TheOne TheOther r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file and no read access on it can read it"
+ exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file but with read access on it cannot read it"
+ exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process cannot read file with * label"
+ exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+ echo "Process with label '*' should not have any access"
+ exit $RC
+fi
+exit 0
diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
new file mode 100644
index 000000000..26d9e9d22
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+ # restore proper label
+ echo $initial_label >/proc/self/attr/current
+ echo "Privileged process could not change its label"
+ exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0 \ No newline at end of file
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
new file mode 100644
index 000000000..1c4a93ab6
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Onlycap label could not be set"
+ return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+ echo "Onlycap label was not set correctly."
+ return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
new file mode 100644
index 000000000..ed18f2371
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+ if [ -f "/tmp/tcp_server" ]; then
+ tcp_server="/tmp/tcp_server"
+ else
+ echo "tcp_server binary not found"
+ exit 1
+ fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+ if [ -f "/tmp/tcp_client" ]; then
+ tcp_client="/tmp/tcp_client"
+ else
+ echo "tcp_client binary not found"
+ exit 1
+ fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on tcp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on tcp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on tcp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on tcp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any tcp socket"
+ exit 1
+fi
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
new file mode 100644
index 000000000..419ab9f91
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+ if [ -f "/tmp/udp_server" ]; then
+ udp_server="/tmp/udp_server"
+ else
+ echo "udp_server binary not found"
+ exit 1
+ fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+ if [ -f "/tmp/udp_client" ]; then
+ udp_client="/tmp/udp_client"
+ else
+ echo "udp_client binary not found"
+ exit 1
+ fi
+fi
+
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on udp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on udp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on udp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on udp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any udp socket"
+ exit 1
+fi
diff --git a/meta-security/lib/oeqa/runtime/securitymanager.py b/meta-security/lib/oeqa/runtime/securitymanager.py
new file mode 100644
index 000000000..ab0df5a42
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/securitymanager.py
@@ -0,0 +1,108 @@
+import unittest
+import re
+import os
+import string
+from oeqa.oetest import oeRuntimeTest, skipModule
+from oeqa.utils.decorators import *
+
+def get_files_dir():
+ """Get directory of supporting files"""
+ pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True)
+ deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True)
+ return os.path.join(deploydir, "files", "target", pkgarch)
+
+MAX_LABEL_LEN = 255
+LABEL = "a" * MAX_LABEL_LEN
+
+def setUpModule():
+ if not oeRuntimeTest.hasPackage('security-manager'):
+ skipModule(
+ "security-manager module skipped: "
+ "target doesn't have security-manager installed")
+
+class SecurityManagerBasicTest(oeRuntimeTest):
+ ''' base smack test '''
+ def setUp(self):
+ # TODO: avoid hardcoding path (also in SecurityManager itself)
+ self.security_manager_db = '/usr/dbspace/.security-manager.db'
+ cmd = "sqlite3 %s 'SELECT name from privilege ORDER BY privilege_id'" % self.security_manager_db
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ self.privileges = output.split()
+ if not self.privileges:
+ # Only privileges that map to a Unix group need to be known to
+ # SecurityManager. Therefore it is possible that the query above
+ # returns nothing. In that case, make up something for the tests.
+ self.privileges.append('FoobarPrivilege')
+ self.appid = 'test-app-id'
+ self.pkgid = 'test-pkg-id'
+ self.user = 'security-manager-user'
+ idcmd = 'id -u %s' % self.user
+ status, output = self.target.run(idcmd)
+ if status:
+ # -D is from busybox. It disables setting a password.
+ createcmd = 'adduser -D %s' % self.user
+ status, output = self.target.run(createcmd)
+ self.assertFalse(status, msg="%s failed: %s" % (createcmd, output))
+ status, output = self.target.run(idcmd)
+ self.assertTrue(output.isdigit(), msg="Unexpected output from %s: %s" % (idcmd, output))
+ self.uid = output
+
+class SecurityManagerApp(SecurityManagerBasicTest):
+ '''Tests covering app installation. Ordering is important, therefore tests are numbered.'''
+
+ @skipUnlessPassed('test_ssh')
+ def test_security_manager_01_setup(self):
+ '''Check that basic SecurityManager setup is in place.'''
+ # If we get this far, then at least the sqlite db must have been in place.
+ # This does not mean much, but we need to start somewhere.
+ pass
+
+ @skipUnlessPassed('test_security_manager_01_setup')
+ def test_security_manager_02_install(self):
+ '''Test if installing an app sets up privilege rules for it, also in Cynara.'''
+ self.target.copy_to(os.path.join(get_files_dir(), "app-runas"), "/tmp/")
+ cmd = '/tmp/app-runas -a %s -p %s -u %s -r %s -i' % \
+ (self.appid, self.pkgid, self.uid, self.privileges[0])
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \
+ (self.security_manager_db, self.appid)
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ self.assertEqual(output, '|'.join((self.uid, self.appid, self.pkgid)))
+ cmd = 'grep -r %s /var/cynara/db/' % self.appid
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ # User::App:: prefix still hard-coded here because it is not customizable at the moment.
+ self.assertEqual(output, '/var/cynara/db/_MANIFESTS:User::App::%s;%s;%s;0xFFFF;' % \
+ (self.appid, self.uid, self.privileges[0]))
+
+ @skipUnlessPassed('test_security_manager_02_install')
+ def test_security_manager_03_run(self):
+ '''Test running as app. Depends on preparations in test_security_manager_install().'''
+ cmd = '''/tmp/app-runas -a %s -u %s -e -- sh -c 'id -u && cat /proc/self/attr/current' ''' % \
+ (self.appid, self.uid)
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ self.assertEqual(output, '%s\nUser::App::%s' % (self.uid, self.appid))
+
+ @skipUnlessPassed('test_security_manager_02_install')
+ def test_security_manager_03_uninstall(self):
+ '''Test removal of an app.'''
+ cmd = '/tmp/app-runas -a %s -p %s -u %s -d' % \
+ (self.appid, self.pkgid, self.uid)
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \
+ (self.security_manager_db, self.appid)
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ # Entry does not really get removed. Bug filed here:
+ # https://github.com/Samsung/security-manager/issues/2
+ # self.assertEqual(output, '')
+ cmd = 'grep -r %s /var/cynara/db/' % self.appid
+ status, output = self.target.run(cmd)
+ self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+ # This also does not get removed. Perhaps same root cause.
+ # self.assertEqual(output, '')
diff --git a/meta-security/lib/oeqa/runtime/smack.py b/meta-security/lib/oeqa/runtime/smack.py
new file mode 100644
index 000000000..96af443b8
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/smack.py
@@ -0,0 +1,589 @@
+import unittest
+import re
+import os
+import string
+from oeqa.oetest import oeRuntimeTest, skipModule
+from oeqa.utils.decorators import *
+
+def get_files_dir():
+ """Get directory of supporting files"""
+ pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True)
+ deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True)
+ return os.path.join(deploydir, "files", "target", pkgarch)
+
+MAX_LABEL_LEN = 255
+LABEL = "a" * MAX_LABEL_LEN
+
+def setUpModule():
+ if not oeRuntimeTest.hasFeature('smack'):
+ skipModule(
+ "smack module skipped: "
+ "target doesn't have smack in DISTRO_FEATURES")
+
+class SmackBasicTest(oeRuntimeTest):
+ ''' base smack test '''
+ def setUp(self):
+ status, output = self.target.run(
+ "grep smack /proc/mounts | awk '{print $2}'")
+ self.smack_path = output
+ self.files_dir = os.path.join(
+ os.path.abspath(os.path.dirname(__file__)), 'files')
+ self.uid = 1000
+ status,output = self.target.run("cat /proc/self/attr/current")
+ self.current_label = output.strip()
+
+class SmackAccessLabel(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_add_access_label(self):
+ ''' Test if chsmack can correctly set a SMACK label '''
+ filename = "/tmp/test_access_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack access label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m = re.search('(?<=access=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find access attribute")
+ else:
+ label_retrieved = m .group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: "
+ "%s %s" %(LABEL,label_retrieved))
+
+class SmackExecLabel(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_add_exec_label(self):
+ '''Test if chsmack can correctly set a SMACK Exec label'''
+ filename = "/tmp/test_exec_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack exec label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m= re.search('(?<=execute=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find execute attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+class SmackMmapLabel(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_add_mmap_label(self):
+ '''Test if chsmack can correctly set a SMACK mmap label'''
+ filename = "/tmp/test_exec_label"
+ self.target.run("touch %s" %filename)
+ status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename))
+ self.assertEqual(
+ status, 0,
+ "Cannot set smack mmap label. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %filename)
+ self.target.run("rm %s" %filename)
+ m = re.search('(?<=mmap=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find mmap attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ LABEL, label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+class SmackTransmutable(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_add_transmutable(self):
+ '''Test if chsmack can correctly set a SMACK transmutable mode'''
+
+ directory = "~/test_transmutable"
+ self.target.run("mkdir -p %s" %directory)
+ status, output = self.target.run("chsmack -t %s" %directory)
+ self.assertEqual(status, 0, "Cannot set smack transmutable. "
+ "Status and output: %d %s" %(status, output))
+ status, output = self.target.run("chsmack %s" %directory)
+ self.target.run("rmdir %s" %directory)
+ m = re.search('(?<=transmute=")\S+(?=")', output)
+ if m is None:
+ self.fail("Did not find transmute attribute")
+ else:
+ label_retrieved = m.group(0)
+ self.assertEqual(
+ "TRUE", label_retrieved,
+ "label not set correctly. expected and gotten: " +
+ "%s %s" %(LABEL,label_retrieved))
+
+class SmackChangeSelfLabelPrivilege(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_privileged_change_self_label(self):
+ '''Test if privileged process (with CAP_MAC_ADMIN privilege)
+ can change its label.
+ '''
+
+ status, output = self.target.run("ls /tmp/notroot.py")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'notroot.py'),
+ "/tmp/notroot.py")
+
+ labelf = "/proc/self/attr/current"
+ command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+
+ status, output = self.target.run(
+ "python /tmp/notroot.py 0 %s %s" %(self.current_label, command))
+
+ self.assertIn("PRIVILEGED", output,
+ "Privilege process did not change label.Output: %s" %output)
+
+class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_unprivileged_change_self_label(self):
+ '''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
+ cannot change its label'''
+
+ status, output = self.target.run("ls /tmp/notroot.py")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'notroot.py'),
+ "/tmp/notroot.py")
+
+ command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
+ status, output = self.target.run(
+ "python /tmp/notroot.py %d %s %s"
+ %(self.uid, self.current_label, command) +
+ " 2>&1 | grep 'Operation not permitted'" )
+
+ self.assertEqual(
+ status, 0,
+ "Unprivileged process should not be able to change its label")
+
+
+class SmackChangeFileLabelPrivilege(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_unprivileged_change_file_label(self):
+ '''Test if unprivileged process cannot change file labels'''
+
+ status, chsmack = self.target.run("which chsmack")
+ status, touch = self.target.run("which touch")
+ filename = "/tmp/test_unprivileged_change_file_label"
+
+ status, output = self.target.run("ls /tmp/notroot.py")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'notroot.py'),
+ "/tmp/notroot.py")
+
+ self.target.run("python /tmp/notroot.py %d %s %s %s" %(self.uid, self.current_label, touch, filename))
+ status, output = self.target.run(
+ "python /tmp/notroot.py " +
+ "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
+ "| grep 'Operation not permitted'" )
+
+ self.target.run("rm %s" %filename)
+ self.assertEqual(
+ status, 0,
+ "Unprivileged process changed label for %s" %filename)
+
+class SmackLoadRule(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_load_smack_rule(self):
+ '''Test if new smack access rules can be loaded'''
+
+ # old 23 character format requires special spaces formatting
+ # 12345678901234567890123456789012345678901234567890123
+ ruleA="TheOne TheOther rwxat"
+ ruleB="TheOne TheOther r----"
+ clean="TheOne TheOther -----"
+ modeA = "rwxat"
+ modeB = "r"
+
+ status, output = self.target.run(
+ 'echo -n "%s" > %s/load' %(ruleA, self.smack_path))
+ status, output = self.target.run(
+ 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+ self.assertEqual(status, 0, "Rule A was not added")
+ mode = list(filter(bool, output.split(" ")))[2].strip()
+ self.assertEqual(
+ mode, modeA,
+ "Mode A was not set correctly; mode: %s" %mode)
+
+ status, output = self.target.run(
+ 'echo -n "%s" > %s/load' %(ruleB, self.smack_path))
+ status, output = self.target.run(
+ 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+ mode = list(filter(bool, output.split(" ")))[2].strip()
+ self.assertEqual(
+ mode, modeB,
+ "Mode B was not set correctly; mode: %s" %mode)
+
+ self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
+
+
+class SmackOnlycap(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_smack_onlycap(self):
+ '''Test if smack onlycap label can be set
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ status, output = self.target.run("ls /tmp/test_smack_onlycap.sh")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'test_smack_onlycap.sh'),
+ "/tmp/test_smack_onlycap.sh")
+
+ status, output = self.target.run("sh /tmp/test_smack_onlycap.sh")
+ self.assertEqual(status, 0, output)
+
+class SmackNetlabel(SmackBasicTest):
+ @skipUnlessPassed('test_ssh')
+ def test_smack_netlabel(self):
+
+ test_label="191.191.191.191 TheOne"
+ expected_label="191.191.191.191/32 TheOne"
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+ self.assertEqual(
+ status, 0,
+ "Netlabel /32 could not be set. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+ self.assertIn(
+ expected_label, output,
+ "Did not find expected label in output: %s" %output)
+
+ test_label="253.253.253.0/24 TheOther"
+ status, output = self.target.run(
+ "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+ self.assertEqual(
+ status, 0,
+ "Netlabel /24 could not be set. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+ self.assertIn(
+ test_label, output,
+ "Did not find expected label in output: %s" %output)
+
+class SmackCipso(SmackBasicTest):
+ @skipUnlessPassed('test_ssh')
+ def test_smack_cipso(self):
+ '''Test if smack cipso rules can be set'''
+ # 12345678901234567890123456789012345678901234567890123456
+ ruleA="TheOneA 2 0 "
+ ruleB="TheOneB 3 1 55 "
+ ruleC="TheOneC 4 2 17 33 "
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set cipso label A. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneA'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule A was not set")
+ self.assertIn(" 2", output, "Rule A was not set correctly")
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set cipso label B. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneB'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule B was not set")
+ self.assertIn("/55", output, "Rule B was not set correctly")
+
+ status, output = self.target.run(
+ "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path))
+ self.assertEqual(
+ status, 0,
+ "Could not set cipso label C. Ouput: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep '^TheOneC'" %self.smack_path)
+ self.assertEqual(status, 0, "Cipso rule C was not set")
+ self.assertIn("/17,33", output, "Rule C was not set correctly")
+
+class SmackDirect(SmackBasicTest):
+ @skipUnlessPassed('test_ssh')
+ def test_smack_direct(self):
+ status, initial_direct = self.target.run(
+ "cat %s/direct" %self.smack_path)
+
+ test_direct="17"
+ status, output = self.target.run(
+ "echo '%s' > %s/direct" %(test_direct, self.smack_path))
+ self.assertEqual(status, 0 ,
+ "Could not set smack direct. Output: %s" %output)
+ status, new_direct = self.target.run("cat %s/direct" %self.smack_path)
+ # initial label before checking
+ status, output = self.target.run(
+ "echo '%s' > %s/direct" %(initial_direct, self.smack_path))
+ self.assertEqual(
+ test_direct, new_direct.strip(),
+ "Smack direct label does not match.")
+
+
+class SmackAmbient(SmackBasicTest):
+ @skipUnlessPassed('test_ssh')
+ def test_smack_ambient(self):
+ test_ambient = "test_ambient"
+ status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path)
+ status, output = self.target.run(
+ "echo '%s' > %s/ambient" %(test_ambient, self.smack_path))
+ self.assertEqual(status, 0,
+ "Could not set smack ambient. Output: %s" %output)
+
+ status, output = self.target.run("cat %s/ambient" %self.smack_path)
+ # Filter '\x00', which is sometimes added to the ambient label
+ new_ambient = ''.join(filter(lambda x: x in string.printable, output))
+ initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient))
+ status, output = self.target.run(
+ "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path))
+ self.assertEqual(
+ test_ambient, new_ambient.strip(),
+ "Ambient label does not match")
+
+
+class SmackloadBinary(SmackBasicTest):
+ @skipUnlessPassed('test_ssh')
+ def test_smackload(self):
+ '''Test if smackload command works'''
+ rule="testobject testsubject rwx"
+
+ status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule)
+ status, output = self.target.run("smackload /tmp/rules")
+ self.assertEqual(
+ status, 0,
+ "Smackload failed to load rule. Output: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/load | grep '%s'" %(self.smack_path, rule))
+ self.assertEqual(status, 0, "Smackload rule was loaded correctly")
+
+class SmackcipsoBinary(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_smackcipso(self):
+ '''Test if smackcipso command works'''
+ # 12345678901234567890123456789012345678901234567890123456
+ rule="cipsolabel 2 2 "
+
+ status, output = self.target.run("echo '%s' | smackcipso" %rule)
+ self.assertEqual(
+ status, 0,
+ "Smackcipso failed to load rule. Output: %s" %output)
+
+ status, output = self.target.run(
+ "cat %s/cipso | grep 'cipsolabel'" %self.smack_path)
+ self.assertEqual(status, 0, "Smackload rule was loaded correctly")
+ self.assertIn(
+ "2/2", output,
+ "Rule was not set correctly. Got: %s" %output)
+
+class SmackEnforceFileAccess(SmackBasicTest):
+ @skipUnlessPassed('test_ssh')
+ def test_smack_enforce_file_access(self):
+ '''Test if smack file access is enforced (rwx)
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ status, output = self.target.run("ls /tmp/smack_test_file_access.sh")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'smack_test_file_access.sh'),
+ "/tmp/smack_test_file_access.sh")
+
+ status, output = self.target.run("sh /tmp/smack_test_file_access.sh")
+ self.assertEqual(status, 0, output)
+
+class SmackEnforceMmap(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_smack_mmap_enforced(self):
+ '''Test if smack mmap access is enforced'''
+ raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
+
+ # 12345678901234567890123456789012345678901234567890123456
+ delr1="mmap_label mmap_test_label1 -----"
+ delr2="mmap_label mmap_test_label2 -----"
+ delr3="mmap_file_label mmap_test_label1 -----"
+ delr4="mmap_file_label mmap_test_label2 -----"
+
+ RuleA="mmap_label mmap_test_label1 rw---"
+ RuleB="mmap_label mmap_test_label2 r--at"
+ RuleC="mmap_file_label mmap_test_label1 rw---"
+ RuleD="mmap_file_label mmap_test_label2 rwxat"
+
+ mmap_label="mmap_label"
+ file_label="mmap_file_label"
+ test_file = "/tmp/smack_test_mmap"
+ self.target.copy_to(os.path.join(get_files_dir(), "mmap_test"), "/tmp/")
+ mmap_exe = "/tmp/mmap_test"
+ status, echo = self.target.run("which echo")
+ status, output = self.target.run("ls /tmp/notroot.py")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'notroot.py'),
+ "/tmp/notroot.py")
+ status, output = self.target.run(
+ "python /tmp/notroot.py %d %s %s 'test' > %s" \
+ %(self.uid, self.current_label, echo, test_file))
+ status, output = self.target.run("ls %s" %test_file)
+ self.assertEqual(status, 0, "Could not create mmap test file")
+ self.target.run("chsmack -m %s %s" %(file_label, test_file))
+ self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
+
+ # test with no rules with mmap label or exec label as subject
+ # access should be granted
+ self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+ self.assertEqual(
+ status, 0,
+ "Should have mmap access without rules. Output: %s" %output)
+
+ # add rules that do not match access required
+ self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
+ self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+ self.assertNotEqual(
+ status, 0,
+ "Should not have mmap access with unmatching rules. " +
+ "Output: %s" %output)
+ self.assertIn(
+ "Permission denied", output,
+ "Mmap access should be denied with unmatching rules")
+
+ # add rule to match only partially (one way)
+ self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+ self.assertNotEqual(
+ status, 0,
+ "Should not have mmap access with partial matching rules. " +
+ "Output: %s" %output)
+ self.assertIn(
+ "Permission denied", output,
+ "Mmap access should be denied with partial matching rules")
+
+ # add rule to match fully
+ self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
+ status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+ self.assertEqual(
+ status, 0,
+ "Should have mmap access with full matching rules." +
+ "Output: %s" %output)
+
+class SmackEnforceTransmutable(SmackBasicTest):
+
+ def test_smack_transmute_dir(self):
+ '''Test if smack transmute attribute works
+
+ test needs to change the running label of the current process,
+ so whole test takes places on image
+ '''
+ test_dir = "/tmp/smack_transmute_dir"
+ label="transmute_label"
+ status, initial_label = self.target.run("cat /proc/self/attr/current")
+
+ self.target.run("mkdir -p %s" %test_dir)
+ self.target.run("chsmack -a %s %s" %(label, test_dir))
+ self.target.run("chsmack -t %s" %test_dir)
+ self.target.run(
+ "echo -n '%s %s rwxat' | smackload" %(initial_label, label) )
+
+ self.target.run("touch %s/test" %test_dir)
+ status, output = self.target.run("chsmack %s/test" %test_dir)
+ self.assertIn(
+ 'access="%s"' %label, output,
+ "Did not get expected label. Output: %s" %output)
+
+
+class SmackTcpSockets(SmackBasicTest):
+ def test_smack_tcp_sockets(self):
+ '''Test if smack is enforced on tcp sockets
+
+ whole test takes places on image, depends on tcp_server/tcp_client'''
+
+ self.target.copy_to(os.path.join(get_files_dir(), "tcp_client"), "/tmp/")
+ self.target.copy_to(os.path.join(get_files_dir(), "tcp_server"), "/tmp/")
+ status, output = self.target.run("ls /tmp/test_smack_tcp_sockets.sh")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'test_smack_tcp_sockets.sh'),
+ "/tmp/test_smack_tcp_sockets.sh")
+
+ status, output = self.target.run("sh /tmp/test_smack_tcp_sockets.sh")
+ self.assertEqual(status, 0, output)
+
+class SmackUdpSockets(SmackBasicTest):
+ def test_smack_udp_sockets(self):
+ '''Test if smack is enforced on udp sockets
+
+ whole test takes places on image, depends on udp_server/udp_client'''
+
+ self.target.copy_to(os.path.join(get_files_dir(), "udp_client"), "/tmp/")
+ self.target.copy_to(os.path.join(get_files_dir(), "udp_server"), "/tmp/")
+ status, output = self.target.run("ls /tmp/test_smack_udp_sockets.sh")
+ if status != 0:
+ self.target.copy_to(
+ os.path.join(self.files_dir, 'test_smack_udp_sockets.sh'),
+ "/tmp/test_smack_udp_sockets.sh")
+
+ status, output = self.target.run("sh /tmp/test_smack_udp_sockets.sh")
+ self.assertEqual(status, 0, output)
+
+class SmackFileLabels(SmackBasicTest):
+
+ @skipUnlessPassed('test_ssh')
+ def test_smack_labels(self):
+ '''Check for correct Smack labels.'''
+ expected = '''
+/tmp/ access="*"
+/etc/ access="System::Shared" transmute="TRUE"
+/etc/passwd access="System::Shared"
+/etc/terminfo access="System::Shared" transmute="TRUE"
+/etc/skel/ access="System::Shared" transmute="TRUE"
+/etc/skel/.profile access="System::Shared"
+/var/log/ access="System::Log" transmute="TRUE"
+/var/tmp/ access="*"
+'''
+ files = ' '.join([x.split()[0] for x in expected.split('\n') if x])
+ files_wildcard = ' '.join([x + '/*' for x in files.split()])
+ # Auxiliary information.
+ status, output = self.target.run(
+ 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % (
+ ' '.join([x.rstrip('/') for x in files.split()]), files, files
+ )
+ )
+ msg = "File status:\n" + output
+ status, output = self.target.run('chsmack %s' % files)
+ self.assertEqual(
+ status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg))
+ self.longMessage = True
+ self.maxDiff = None
+ self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg)
diff --git a/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
new file mode 100644
index 000000000..c62842d5b
--- /dev/null
+++ b/meta-security/recipes-connectivity/bluez5/bluez5_%.bbappend
@@ -0,0 +1,55 @@
+# Recent bluez5 releases started limiting the capabilities of
+# bluetoothd. When running on a Smack-enabled system, that change has the
+# effect that bluetoothd can no longer create the input device under
+# /sys because bluez5 running with label "System" has no write
+# access to that.
+#
+# It works when running as normal root with unrestricted capabilities
+# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows
+# the process to ignore Smack rules.
+#
+# We need to ensure that bluetoothd still has that capability.
+#
+# To fix the issue, Patick and Casey(the Smack architect) had a talk
+# about it in Ostro dev mail list. Casey has some ideas about the issue:
+# "Turning off privilege is a great thing to do *so long as you don't
+# really need the privilege*. In this case you really need it.
+# The application package isn't written to account for Smack's use of
+# CAP_MAC_OVERRIDE as the mechanism for controlling this dangerous operation.
+# Yes, it would be possible to change /proc to change the Smack label on
+# that particular file, but that might open other paths for exploit.
+# I say give the program the required capability. The program maintainer
+# may well say change the kernel handling of /proc. You're stuck in the
+# middle, as both work the way they're intended and hence the system
+# doesn't work. :( There isn't a way to make this work without "loosening"
+# something."
+# Therefore, when we we run the program with CAP_MAC_OVERRIDE,
+# the whole reason for having capabilities is so the we can give a
+# process the ability to bypass one kind of check without giving it the
+# ability to bypass other, unrelated checks. A process with
+# CAP_MAC_OVERRIDE is still constrained by the file mode bits.
+# We was overly worried about granting that capability.
+# When it has no other effect than excluding a process from Smack MAC enforcement,
+# then adding to the process seems like the right solution for now.
+#
+# The conclusion from Patick and Casey is that the Smack architect give the key point
+# that this is the solution preferred.
+#
+# Because the solution is to some extend specific to the environment
+# in which connmand runs, this change is not submitted upstream
+# and it can be overridden by a distro via FIX_BLUEZ5_CAPABILITIES.
+#
+# The related patch has been submitted to upstream too.
+# upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993
+
+FIX_BLUEZ5_CAPABILITIES ??= ""
+FIX_BLUEZ5_CAPABILITIES_with-lsm-smack ??= "fix_bluez5_capabilities"
+do_install[postfuncs] += "${FIX_BLUEZ5_CAPABILITIES}"
+
+fix_bluez5_capabilities () {
+ service="${D}/${systemd_unitdir}/system/bluetooth.service"
+ if [ -f "$service" ] &&
+ grep -q '^CapabilityBoundingSet=' "$service"; then
+ sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
+ fi
+}
diff --git a/meta-security/recipes-connectivity/connman/connman_%.bbappend b/meta-security/recipes-connectivity/connman/connman_%.bbappend
new file mode 100644
index 000000000..f66c1e79b
--- /dev/null
+++ b/meta-security/recipes-connectivity/connman/connman_%.bbappend
@@ -0,0 +1,32 @@
+# Recent ConnMan releases started limiting the capabilities of
+# ConnMan. When running on a Smack-enabled system, that change has the
+# effect that connmand can no longer change network settings under
+# /proc/net because the Smack label of /proc is "_", and connmand
+# running with label "System" has no write access to that.
+#
+# It works when running as normal root with unrestricted capabilities
+# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows
+# the process to ignore Smack rules.
+#
+# We need to ensure that connmand still has that capability.
+#
+# The alternative would be to set up fine-grained labelling of
+# /proc with corresponding rules, which is considerably more work
+# and also may depend on kernel changes (like supporting smackfsroot
+# for procfs, which seems to be missing at the moment).
+#
+# Because the solution is to some extend specific to the environment
+# in which connmand runs, this change is not submitted upstream
+# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.
+
+FIX_CONNMAN_CAPABILITIES ??= ""
+FIX_CONNMAN_CAPABILITIES_with-lsm-smack ??= "fix_connman_capabilities"
+do_install[postfuncs] += "${FIX_CONNMAN_CAPABILITIES}"
+
+fix_connman_capabilities () {
+ service="${D}/${systemd_unitdir}/system/connman.service"
+ if [ -f "$service" ] &&
+ grep -q '^CapabilityBoundingSet=' "$service"; then
+ sed -i -e 's/^CapabilityBoundingSet=/CapabilityBoundingSet=CAP_MAC_OVERRIDE /' "$service"
+ fi
+}
diff --git a/meta-security/recipes-core/base-files/base-files_%.bbappend b/meta-security/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 000000000..7a37eb9dc
--- /dev/null
+++ b/meta-security/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,73 @@
+# Install default Smack rules, copied from a running Tizen IVI 3.0.
+# Corresponds to manifest file from default-access-domains in Tizen:
+# https://review.tizen.org/git?p=platform/core/security/default-ac-domains.git;a=blob;f=packaging/default-ac-domains.manifest
+do_install_append_with-lsm-smack () {
+ install -d ${D}/${sysconfdir}/smack/accesses.d
+ cat >${D}/${sysconfdir}/smack/accesses.d/default-access-domains <<EOF
+System _ -----l
+System System::Log rwxa--
+System System::Run rwxat-
+System System::Shared rwxat-
+System ^ rwxa--
+_ System::Run rwxat-
+_ System -wx---
+^ System::Log rwxa--
+^ System::Run rwxat-
+^ System rwxa--
+EOF
+ chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains
+
+ install -d ${D}/${libdir}/tmpfiles.d
+ cat >${D}/${libdir}/tmpfiles.d/packet-forwarding.conf <<EOF
+t /proc/sys/net/ipv4/conf/all/forwarding - - - - security.SMACK64=*
+t /proc/sys/net/ipv6/conf/all/forwarding - - - - security.SMACK64=*
+t /proc/sys/net/ipv4/conf/default/forwarding - - - - security.SMACK64=*
+t /proc/sys/net/ipv6/conf/default/forwarding - - - - security.SMACK64=*
+EOF
+ chmod 0644 ${D}/${libdir}/tmpfiles.d/packet-forwarding.conf
+
+ install -d ${D}/${base_libdir}/udev/rules.d
+ cat >${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules <<EOF
+SUBSYSTEM=="net", ENV{ID_NET_NAME}=="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/%k/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/%k/*'"
+
+SUBSYSTEM=="net", ENV{ID_NET_NAME}!="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/\$env{ID_NET_NAME}/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/\$env{ID_NET_NAME}/*'"
+EOF
+ chmod 0644 ${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules
+}
+
+# Do not rely on an rpm with manifest support. Apparently that approach
+# will no longer be used in Tizen 3.0. Instead set special Smack attributes
+# via postinst. This is much easier to use with bitbake, too:
+# - no need to maintain a patched rpm
+# - works for directories which are not packaged by default when empty
+RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace"
+DEPENDS_append_with-lsm-smack = " smack-userspace-native"
+pkg_postinst_${PN}_with-lsm-smack() {
+ #!/bin/sh -e
+
+ # https://review.tizen.org/gerrit/gitweb?p=platform/upstream/filesystem.git;a=blob;f=packaging/filesystem.manifest:
+ # <filesystem path="/etc" label="System::Shared" type="transmutable" />
+ install -d $D${sysconfdir}
+ # This has no effect on files installed into /etc during image construction
+ # because pseudo does not know the special semantic of SMACK::TRANSMUTE.
+ # To avoid having different xattrs on files inside /etc when pre-installed
+ # in an image vs. installed on a device, the xattr-images.bbclass has
+ # a workaround for this deficiency in pseudo.
+ chsmack -t $D${sysconfdir}
+ chsmack -a 'System::Shared' $D${sysconfdir}
+
+ # Same for /var. Any daemon running as "System" will get write access
+ # to everything.
+ install -d $D${localstatedir}
+ chsmack -t $D${localstatedir}
+ chsmack -a 'System::Shared' $D${localstatedir}
+
+ # <filesystem path="/tmp" label="*" />
+ mkdir -p $D/tmp
+ chsmack -a '*' $D/tmp
+
+ # <filesystem path="/var/log" label="System::Log" type="transmutable" />
+ # <filesystem path="/var/tmp" label="*" />
+ # These are in a file system mounted by systemd. We patch the systemd service
+ # to set these attributes.
+}
diff --git a/meta-security/recipes-core/coreutils/coreutils_%.bbappend b/meta-security/recipes-core/coreutils/coreutils_%.bbappend
new file mode 100644
index 000000000..ceaf6a29c
--- /dev/null
+++ b/meta-security/recipes-core/coreutils/coreutils_%.bbappend
@@ -0,0 +1,7 @@
+# Smack patches are included in coreutils v8.22, we just need to enable them.
+# The default is not deterministic (enabled if libsmack found), so disable
+# explicitly otherwise.
+EXTRA_OECONF_SMACK = "--disable-libsmack"
+EXTRA_OECONF_SMACK_with-lsm-smack = "--enable-libsmack"
+EXTRA_OECONF_append = " ${EXTRA_OECONF_SMACK}"
+DEPENDS_append_with-lsm-smack = " smack"
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0001-Fix-memleak-in-GetConnectionCredentials-handler.patch b/meta-security/recipes-core/dbus/dbus-cynara/0001-Fix-memleak-in-GetConnectionCredentials-handler.patch
new file mode 100644
index 000000000..271ac48a1
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0001-Fix-memleak-in-GetConnectionCredentials-handler.patch
@@ -0,0 +1,32 @@
+From eacdc525a1f7bfc534e248a5a946c08b6f4aab35 Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Wed, 17 Jun 2015 18:53:41 +0100
+Subject: [PATCH 1/8] Fix memleak in GetConnectionCredentials handler
+
+Reply message was not unreferenced when GetConnectionCredentials
+handler was successful.
+
+Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+[smcv: changed bus_message_unref() to dbus_message_unref()]
+Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=91008
+---
+ bus/driver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/bus/driver.c b/bus/driver.c
+index f5d3ebe..888c7ca 100644
+--- a/bus/driver.c
++++ b/bus/driver.c
+@@ -1613,6 +1613,8 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+ goto oom;
+ }
+
++ dbus_message_unref (reply);
++
+ return TRUE;
+
+ oom:
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0002-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch b/meta-security/recipes-core/dbus/dbus-cynara/0002-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch
new file mode 100644
index 000000000..64c8b9b50
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0002-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch
@@ -0,0 +1,97 @@
+From 25cb15916402c55112cae2be0954d24afe74e2f2 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 13 Mar 2014 17:37:38 -0500
+Subject: [PATCH 2/8] New a{sv} helper for using byte arrays as the variant
+
+Create a new helper for using a byte array as the value in the mapping
+from string to variant.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=75113
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
+---
+ dbus/dbus-asv-util.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ dbus/dbus-asv-util.h | 4 ++++
+ 2 files changed, 58 insertions(+)
+
+diff --git a/dbus/dbus-asv-util.c b/dbus/dbus-asv-util.c
+index 583e41f..d3ac5e9 100644
+--- a/dbus/dbus-asv-util.c
++++ b/dbus/dbus-asv-util.c
+@@ -258,3 +258,57 @@ _dbus_asv_add_string (DBusMessageIter *arr_iter,
+
+ return TRUE;
+ }
++
++/**
++ * Create a new entry in an a{sv} (map from string to variant)
++ * with a byte array value.
++ *
++ * If this function fails, the a{sv} must be abandoned, for instance
++ * with _dbus_asv_abandon().
++ *
++ * @param arr_iter the iterator which is appending to the array
++ * @param key a UTF-8 key for the map
++ * @param value the value
++ * @param n_elements the number of elements to append
++ * @returns #TRUE on success, or #FALSE if not enough memory
++ */
++dbus_bool_t
++_dbus_asv_add_byte_array (DBusMessageIter *arr_iter,
++ const char *key,
++ const void *value,
++ int n_elements)
++{
++ DBusMessageIter entry_iter;
++ DBusMessageIter var_iter;
++ DBusMessageIter byte_array_iter;
++
++ if (!_dbus_asv_open_entry (arr_iter, &entry_iter, key, "ay", &var_iter))
++ return FALSE;
++
++ if (!dbus_message_iter_open_container (&var_iter, DBUS_TYPE_ARRAY,
++ DBUS_TYPE_BYTE_AS_STRING,
++ &byte_array_iter))
++ {
++ _dbus_asv_abandon_entry (arr_iter, &entry_iter, &var_iter);
++ return FALSE;
++ }
++
++ if (!dbus_message_iter_append_fixed_array (&byte_array_iter, DBUS_TYPE_BYTE,
++ &value, n_elements))
++ {
++ dbus_message_iter_abandon_container (&var_iter, &byte_array_iter);
++ _dbus_asv_abandon_entry (arr_iter, &entry_iter, &var_iter);
++ return FALSE;
++ }
++
++ if (!dbus_message_iter_close_container (&var_iter, &byte_array_iter))
++ {
++ _dbus_asv_abandon_entry (arr_iter, &entry_iter, &var_iter);
++ return FALSE;
++ }
++
++ if (!_dbus_asv_close_entry (arr_iter, &entry_iter, &var_iter))
++ return FALSE;
++
++ return TRUE;
++}
+diff --git a/dbus/dbus-asv-util.h b/dbus/dbus-asv-util.h
+index 0337260..277ab80 100644
+--- a/dbus/dbus-asv-util.h
++++ b/dbus/dbus-asv-util.h
+@@ -42,5 +42,9 @@ dbus_bool_t _dbus_asv_add_uint32 (DBusMessageIter *arr_iter,
+ dbus_bool_t _dbus_asv_add_string (DBusMessageIter *arr_iter,
+ const char *key,
+ const char *value);
++dbus_bool_t _dbus_asv_add_byte_array (DBusMessageIter *arr_iter,
++ const char *key,
++ const void *value,
++ int n_elements);
+
+ #endif
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0003-Add-LSM-agnostic-support-for-LinuxSecurityLabel-cred.patch b/meta-security/recipes-core/dbus/dbus-cynara/0003-Add-LSM-agnostic-support-for-LinuxSecurityLabel-cred.patch
new file mode 100644
index 000000000..fcb85504d
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0003-Add-LSM-agnostic-support-for-LinuxSecurityLabel-cred.patch
@@ -0,0 +1,515 @@
+From 9da49d4eb6982c659fec988231baef8cd1b05be2 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Wed, 11 Feb 2015 13:19:15 +0000
+Subject: [PATCH 3/8] Add LSM-agnostic support for LinuxSecurityLabel
+ credential
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89041
+Change-Id: I70512843d1a7661c87461b1b6d86fbfbda934ad5
+Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov> (for SELinux)
+Acked-by: John Johansen <john.johansen@canonical.com> (for AppArmor)
+Acked-by: Casey Schaufler <casey@schaufler-ca.com> (for Smack)
+Tested-by: Tyler Hicks <tyhicks@canonical.com>
+---
+ bus/driver.c | 19 ++++++++
+ dbus/dbus-auth.c | 11 +++--
+ dbus/dbus-connection-internal.h | 3 ++
+ dbus/dbus-connection.c | 26 ++++++++++
+ dbus/dbus-credentials.c | 68 ++++++++++++++++++++++++++
+ dbus/dbus-credentials.h | 4 ++
+ dbus/dbus-sysdeps-unix.c | 105 ++++++++++++++++++++++++++++++++++++++++
+ dbus/dbus-transport.c | 27 +++++++++++
+ dbus/dbus-transport.h | 3 ++
+ 9 files changed, 262 insertions(+), 4 deletions(-)
+
+diff --git a/bus/driver.c b/bus/driver.c
+index 888c7ca..11706f8 100644
+--- a/bus/driver.c
++++ b/bus/driver.c
+@@ -34,6 +34,7 @@
+ #include "utils.h"
+
+ #include <dbus/dbus-asv-util.h>
++#include <dbus/dbus-connection-internal.h>
+ #include <dbus/dbus-string.h>
+ #include <dbus/dbus-internals.h>
+ #include <dbus/dbus-message.h>
+@@ -1567,6 +1568,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+ DBusMessageIter reply_iter;
+ DBusMessageIter array_iter;
+ unsigned long ulong_val;
++ char *s;
+ const char *service;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+@@ -1601,6 +1603,23 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+ goto oom;
+ }
+
++ if (_dbus_connection_get_linux_security_label (conn, &s))
++ {
++ if (s == NULL)
++ goto oom;
++
++ /* use the GVariant bytestring convention for strings of unknown
++ * encoding: include the \0 in the payload, for zero-copy reading */
++ if (!_dbus_asv_add_byte_array (&array_iter, "LinuxSecurityLabel",
++ s, strlen (s) + 1))
++ {
++ dbus_free (s);
++ goto oom;
++ }
++
++ dbus_free (s);
++ }
++
+ if (!_dbus_asv_close (&reply_iter, &array_iter))
+ goto oom;
+
+diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
+index 6a07665..aee877d 100644
+--- a/dbus/dbus-auth.c
++++ b/dbus/dbus-auth.c
+@@ -1102,20 +1102,23 @@ handle_server_data_external_mech (DBusAuth *auth,
+ auth->desired_identity))
+ return FALSE;
+
+- /* also copy process ID from the socket credentials
++ /* also copy misc process info from the socket credentials
+ */
+ if (!_dbus_credentials_add_credential (auth->authorized_identity,
+ DBUS_CREDENTIAL_UNIX_PROCESS_ID,
+ auth->credentials))
+ return FALSE;
+
+- /* also copy audit data from the socket credentials
+- */
+ if (!_dbus_credentials_add_credential (auth->authorized_identity,
+ DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
+ auth->credentials))
+ return FALSE;
+-
++
++ if (!_dbus_credentials_add_credential (auth->authorized_identity,
++ DBUS_CREDENTIAL_LINUX_SECURITY_LABEL,
++ auth->credentials))
++ return FALSE;
++
+ if (!send_ok (auth))
+ return FALSE;
+
+diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
+index 2897404..64ef336 100644
+--- a/dbus/dbus-connection-internal.h
++++ b/dbus/dbus-connection-internal.h
+@@ -107,6 +107,9 @@ void _dbus_connection_set_pending_fds_function (DBusConnectio
+ DBusPendingFdsChangeFunction callback,
+ void *data);
+
++dbus_bool_t _dbus_connection_get_linux_security_label (DBusConnection *connection,
++ char **label_p);
++
+ /* if DBUS_ENABLE_STATS */
+ void _dbus_connection_get_stats (DBusConnection *connection,
+ dbus_uint32_t *in_messages,
+diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
+index b574207..8952b75 100644
+--- a/dbus/dbus-connection.c
++++ b/dbus/dbus-connection.c
+@@ -5322,6 +5322,32 @@ dbus_connection_set_unix_user_function (DBusConnection *connection,
+ (* old_free_function) (old_data);
+ }
+
++/* Same calling convention as dbus_connection_get_windows_user */
++dbus_bool_t
++_dbus_connection_get_linux_security_label (DBusConnection *connection,
++ char **label_p)
++{
++ dbus_bool_t result;
++
++ _dbus_assert (connection != NULL);
++ _dbus_assert (label_p != NULL);
++
++ CONNECTION_LOCK (connection);
++
++ if (!_dbus_transport_try_to_authenticate (connection->transport))
++ result = FALSE;
++ else
++ result = _dbus_transport_get_linux_security_label (connection->transport,
++ label_p);
++#ifndef __linux__
++ _dbus_assert (!result);
++#endif
++
++ CONNECTION_UNLOCK (connection);
++
++ return result;
++}
++
+ /**
+ * Gets the Windows user SID of the connection if known. Returns
+ * #TRUE if the ID is filled in. Always returns #FALSE on non-Windows
+diff --git a/dbus/dbus-credentials.c b/dbus/dbus-credentials.c
+index 7325125..151bb00 100644
+--- a/dbus/dbus-credentials.c
++++ b/dbus/dbus-credentials.c
+@@ -50,6 +50,7 @@ struct DBusCredentials {
+ dbus_uid_t unix_uid;
+ dbus_pid_t pid;
+ char *windows_sid;
++ char *linux_security_label;
+ void *adt_audit_data;
+ dbus_int32_t adt_audit_data_size;
+ };
+@@ -79,6 +80,7 @@ _dbus_credentials_new (void)
+ creds->unix_uid = DBUS_UID_UNSET;
+ creds->pid = DBUS_PID_UNSET;
+ creds->windows_sid = NULL;
++ creds->linux_security_label = NULL;
+ creds->adt_audit_data = NULL;
+ creds->adt_audit_data_size = 0;
+
+@@ -133,6 +135,7 @@ _dbus_credentials_unref (DBusCredentials *credentials)
+ if (credentials->refcount == 0)
+ {
+ dbus_free (credentials->windows_sid);
++ dbus_free (credentials->linux_security_label);
+ dbus_free (credentials->adt_audit_data);
+ dbus_free (credentials);
+ }
+@@ -193,6 +196,30 @@ _dbus_credentials_add_windows_sid (DBusCredentials *credentials,
+ }
+
+ /**
++ * Add a Linux security label, as used by LSMs such as SELinux, Smack and
++ * AppArmor, to the credentials.
++ *
++ * @param credentials the object
++ * @param label the label
++ * @returns #FALSE if no memory
++ */
++dbus_bool_t
++_dbus_credentials_add_linux_security_label (DBusCredentials *credentials,
++ const char *label)
++{
++ char *copy;
++
++ copy = _dbus_strdup (label);
++ if (copy == NULL)
++ return FALSE;
++
++ dbus_free (credentials->linux_security_label);
++ credentials->linux_security_label = copy;
++
++ return TRUE;
++}
++
++/**
+ * Add ADT audit data to the credentials.
+ *
+ * @param credentials the object
+@@ -236,6 +263,8 @@ _dbus_credentials_include (DBusCredentials *credentials,
+ return credentials->unix_uid != DBUS_UID_UNSET;
+ case DBUS_CREDENTIAL_WINDOWS_SID:
+ return credentials->windows_sid != NULL;
++ case DBUS_CREDENTIAL_LINUX_SECURITY_LABEL:
++ return credentials->linux_security_label != NULL;
+ case DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID:
+ return credentials->adt_audit_data != NULL;
+ }
+@@ -284,6 +313,19 @@ _dbus_credentials_get_windows_sid (DBusCredentials *credentials)
+ }
+
+ /**
++ * Gets the Linux security label (as used by LSMs) from the credentials,
++ * or #NULL if the credentials object doesn't contain a security label.
++ *
++ * @param credentials the object
++ * @returns the security label
++ */
++const char *
++_dbus_credentials_get_linux_security_label (DBusCredentials *credentials)
++{
++ return credentials->linux_security_label;
++}
++
++/**
+ * Gets the ADT audit data in the credentials, or #NULL if
+ * the credentials object doesn't contain ADT audit data.
+ *
+@@ -329,6 +371,10 @@ _dbus_credentials_are_superset (DBusCredentials *credentials,
+ (possible_subset->windows_sid == NULL ||
+ (credentials->windows_sid && strcmp (possible_subset->windows_sid,
+ credentials->windows_sid) == 0)) &&
++ (possible_subset->linux_security_label == NULL ||
++ (credentials->linux_security_label != NULL &&
++ strcmp (possible_subset->linux_security_label,
++ credentials->linux_security_label) == 0)) &&
+ (possible_subset->adt_audit_data == NULL ||
+ (credentials->adt_audit_data && memcmp (possible_subset->adt_audit_data,
+ credentials->adt_audit_data,
+@@ -348,6 +394,7 @@ _dbus_credentials_are_empty (DBusCredentials *credentials)
+ credentials->pid == DBUS_PID_UNSET &&
+ credentials->unix_uid == DBUS_UID_UNSET &&
+ credentials->windows_sid == NULL &&
++ credentials->linux_security_label == NULL &&
+ credentials->adt_audit_data == NULL;
+ }
+
+@@ -388,6 +435,9 @@ _dbus_credentials_add_credentials (DBusCredentials *credentials,
+ DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
+ other_credentials) &&
+ _dbus_credentials_add_credential (credentials,
++ DBUS_CREDENTIAL_LINUX_SECURITY_LABEL,
++ other_credentials) &&
++ _dbus_credentials_add_credential (credentials,
+ DBUS_CREDENTIAL_WINDOWS_SID,
+ other_credentials);
+ }
+@@ -427,6 +477,13 @@ _dbus_credentials_add_credential (DBusCredentials *credentials,
+ if (!_dbus_credentials_add_windows_sid (credentials, other_credentials->windows_sid))
+ return FALSE;
+ }
++ else if (which == DBUS_CREDENTIAL_LINUX_SECURITY_LABEL &&
++ other_credentials->linux_security_label != NULL)
++ {
++ if (!_dbus_credentials_add_linux_security_label (credentials,
++ other_credentials->linux_security_label))
++ return FALSE;
++ }
+ else if (which == DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID &&
+ other_credentials->adt_audit_data != NULL)
+ {
+@@ -449,6 +506,8 @@ _dbus_credentials_clear (DBusCredentials *credentials)
+ credentials->unix_uid = DBUS_UID_UNSET;
+ dbus_free (credentials->windows_sid);
+ credentials->windows_sid = NULL;
++ dbus_free (credentials->linux_security_label);
++ credentials->linux_security_label = NULL;
+ dbus_free (credentials->adt_audit_data);
+ credentials->adt_audit_data = NULL;
+ credentials->adt_audit_data_size = 0;
+@@ -540,6 +599,15 @@ _dbus_credentials_to_string_append (DBusCredentials *credentials,
+ else
+ join = FALSE;
+
++ if (credentials->linux_security_label != NULL)
++ {
++ if (!_dbus_string_append_printf (string, "%slsm='%s'",
++ join ? " " : "",
++ credentials->linux_security_label))
++ goto oom;
++ join = TRUE;
++ }
++
+ return TRUE;
+ oom:
+ return FALSE;
+diff --git a/dbus/dbus-credentials.h b/dbus/dbus-credentials.h
+index abcc4bb..ab74eac 100644
+--- a/dbus/dbus-credentials.h
++++ b/dbus/dbus-credentials.h
+@@ -34,6 +34,7 @@ typedef enum {
+ DBUS_CREDENTIAL_UNIX_PROCESS_ID,
+ DBUS_CREDENTIAL_UNIX_USER_ID,
+ DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID,
++ DBUS_CREDENTIAL_LINUX_SECURITY_LABEL,
+ DBUS_CREDENTIAL_WINDOWS_SID
+ } DBusCredentialType;
+
+@@ -47,6 +48,8 @@ dbus_bool_t _dbus_credentials_add_unix_uid (DBusCredentials
+ dbus_uid_t uid);
+ dbus_bool_t _dbus_credentials_add_windows_sid (DBusCredentials *credentials,
+ const char *windows_sid);
++dbus_bool_t _dbus_credentials_add_linux_security_label (DBusCredentials *credentials,
++ const char *label);
+ dbus_bool_t _dbus_credentials_add_adt_audit_data (DBusCredentials *credentials,
+ void *audit_data,
+ dbus_int32_t size);
+@@ -55,6 +58,7 @@ dbus_bool_t _dbus_credentials_include (DBusCredentials
+ dbus_pid_t _dbus_credentials_get_pid (DBusCredentials *credentials);
+ dbus_uid_t _dbus_credentials_get_unix_uid (DBusCredentials *credentials);
+ const char* _dbus_credentials_get_windows_sid (DBusCredentials *credentials);
++const char * _dbus_credentials_get_linux_security_label (DBusCredentials *credentials);
+ void * _dbus_credentials_get_adt_audit_data (DBusCredentials *credentials);
+ dbus_int32_t _dbus_credentials_get_adt_audit_data_size (DBusCredentials *credentials);
+ dbus_bool_t _dbus_credentials_are_superset (DBusCredentials *credentials,
+diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
+index fe891ab..61af423 100644
+--- a/dbus/dbus-sysdeps-unix.c
++++ b/dbus/dbus-sysdeps-unix.c
+@@ -1639,6 +1639,105 @@ write_credentials_byte (int server_fd,
+ }
+ }
+
++/* return FALSE on OOM, TRUE otherwise, even if no credentials were found */
++static dbus_bool_t
++add_linux_security_label_to_credentials (int client_fd,
++ DBusCredentials *credentials)
++{
++#if defined(__linux__) && defined(SO_PEERSEC)
++ DBusString buf;
++ socklen_t len = 1024;
++ dbus_bool_t oom = FALSE;
++
++ if (!_dbus_string_init_preallocated (&buf, len) ||
++ !_dbus_string_set_length (&buf, len))
++ return FALSE;
++
++ while (getsockopt (client_fd, SOL_SOCKET, SO_PEERSEC,
++ _dbus_string_get_data (&buf), &len) < 0)
++ {
++ int e = errno;
++
++ _dbus_verbose ("getsockopt failed with %s, len now %lu\n",
++ _dbus_strerror (e), (unsigned long) len);
++
++ if (e != ERANGE || len <= _dbus_string_get_length (&buf))
++ {
++ _dbus_verbose ("Failed to getsockopt(SO_PEERSEC): %s\n",
++ _dbus_strerror (e));
++ goto out;
++ }
++
++ /* If not enough space, len is updated to be enough.
++ * Try again with a large enough buffer. */
++ if (!_dbus_string_set_length (&buf, len))
++ {
++ oom = TRUE;
++ goto out;
++ }
++
++ _dbus_verbose ("will try again with %lu\n", (unsigned long) len);
++ }
++
++ if (len <= 0)
++ {
++ _dbus_verbose ("getsockopt(SO_PEERSEC) yielded <= 0 bytes: %lu\n",
++ (unsigned long) len);
++ goto out;
++ }
++
++ if (len > _dbus_string_get_length (&buf))
++ {
++ _dbus_verbose ("%lu > %d", (unsigned long) len,
++ _dbus_string_get_length (&buf));
++ _dbus_assert_not_reached ("getsockopt(SO_PEERSEC) overflowed");
++ }
++
++ if (_dbus_string_get_byte (&buf, len - 1) == 0)
++ {
++ /* the kernel included the trailing \0 in its count,
++ * but DBusString always has an extra \0 after the data anyway */
++ _dbus_verbose ("subtracting trailing \\0\n");
++ len--;
++ }
++
++ if (!_dbus_string_set_length (&buf, len))
++ {
++ _dbus_assert_not_reached ("shortening string should not lead to OOM");
++ oom = TRUE;
++ goto out;
++ }
++
++ if (strlen (_dbus_string_get_const_data (&buf)) != len)
++ {
++ /* LSM people on the linux-security-module@ mailing list say this
++ * should never happen: the label should be a bytestring with
++ * an optional trailing \0 */
++ _dbus_verbose ("security label from kernel had an embedded \\0, "
++ "ignoring it\n");
++ goto out;
++ }
++
++ _dbus_verbose ("getsockopt(SO_PEERSEC): %lu bytes excluding \\0: %s\n",
++ (unsigned long) len,
++ _dbus_string_get_const_data (&buf));
++
++ if (!_dbus_credentials_add_linux_security_label (credentials,
++ _dbus_string_get_const_data (&buf)))
++ {
++ oom = TRUE;
++ goto out;
++ }
++
++out:
++ _dbus_string_free (&buf);
++ return !oom;
++#else
++ /* no error */
++ return TRUE;
++#endif
++}
++
+ /**
+ * Reads a single byte which must be nul (an error occurs otherwise),
+ * and reads unix credentials if available. Clears the credentials
+@@ -1922,6 +2021,12 @@ _dbus_read_credentials_socket (int client_fd,
+ }
+ }
+
++ if (!add_linux_security_label_to_credentials (client_fd, credentials))
++ {
++ _DBUS_SET_OOM (error);
++ return FALSE;
++ }
++
+ return TRUE;
+ }
+
+diff --git a/dbus/dbus-transport.c b/dbus/dbus-transport.c
+index e9dcc56..a43e7bb 100644
+--- a/dbus/dbus-transport.c
++++ b/dbus/dbus-transport.c
+@@ -1425,6 +1425,33 @@ _dbus_transport_set_unix_user_function (DBusTransport *transport,
+ transport->free_unix_user_data = free_data_function;
+ }
+
++dbus_bool_t
++_dbus_transport_get_linux_security_label (DBusTransport *transport,
++ char **label_p)
++{
++ DBusCredentials *auth_identity;
++
++ *label_p = NULL;
++
++ if (!transport->authenticated)
++ return FALSE;
++
++ auth_identity = _dbus_auth_get_identity (transport->auth);
++
++ if (_dbus_credentials_include (auth_identity,
++ DBUS_CREDENTIAL_LINUX_SECURITY_LABEL))
++ {
++ /* If no memory, we are supposed to return TRUE and set NULL */
++ *label_p = _dbus_strdup (_dbus_credentials_get_linux_security_label (auth_identity));
++
++ return TRUE;
++ }
++ else
++ {
++ return FALSE;
++ }
++}
++
+ /**
+ * See dbus_connection_get_windows_user().
+ *
+diff --git a/dbus/dbus-transport.h b/dbus/dbus-transport.h
+index 39c74c4..843f231 100644
+--- a/dbus/dbus-transport.h
++++ b/dbus/dbus-transport.h
+@@ -87,6 +87,9 @@ void _dbus_transport_set_unix_user_function (DBusTransport
+ DBusFreeFunction *old_free_data_function);
+ dbus_bool_t _dbus_transport_get_windows_user (DBusTransport *transport,
+ char **windows_sid_p);
++dbus_bool_t _dbus_transport_get_linux_security_label (DBusTransport *transport,
++ char **label_p);
++
+ void _dbus_transport_set_windows_user_function (DBusTransport *transport,
+ DBusAllowWindowsUserFunction function,
+ void *data,
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0004-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-security/recipes-core/dbus/dbus-cynara/0004-Integration-of-Cynara-asynchronous-security-checks.patch
new file mode 100644
index 000000000..70d5fc9d7
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0004-Integration-of-Cynara-asynchronous-security-checks.patch
@@ -0,0 +1,2253 @@
+From 4dcfb02f17247ff9de966b62182cd2e08f301238 Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Thu, 27 Nov 2014 18:11:05 +0100
+Subject: [PATCH 4/8] Integration of Cynara asynchronous security checks
+
+This commit introduces basic framework for asynchronous policy
+checks and Cynara integration code. Functions for checking security
+policy can now return third value - BUS_RESULT_LATER denoting check
+result unavailability. Whenever policy checker cannot decide on the
+result of the check it is supposed to allocate DeferredMessage structure
+that will be passed to the upper layers which can decide what should be
+done in such situation.
+Proper handling of such case will be implemented in subsequent commits.
+Currently such return value results in message denial.
+
+Change-Id: I9bcbce34577e5dc2a3cecf6233a0a2b0e43e1108
+---
+ bus/Makefile.am | 6 +
+ bus/bus.c | 134 +++++---
+ bus/bus.h | 58 ++--
+ bus/check.c | 215 ++++++++++++
+ bus/check.h | 68 ++++
+ bus/config-parser-common.c | 6 +
+ bus/config-parser-common.h | 1 +
+ bus/config-parser.c | 71 +++-
+ bus/connection.c | 56 ++-
+ bus/connection.h | 5 +
+ bus/cynara.c | 374 +++++++++++++++++++++
+ bus/cynara.h | 37 ++
+ bus/dispatch.c | 51 ++-
+ bus/policy.c | 193 +++++++----
+ bus/policy.h | 51 ++-
+ configure.ac | 13 +
+ test/Makefile.am | 1 +
+ test/data/invalid-config-files/badcheck-1.conf | 9 +
+ test/data/invalid-config-files/badcheck-2.conf | 9 +
+ test/data/valid-config-files/check-1.conf | 9 +
+ .../valid-config-files/debug-check-some.conf.in | 18 +
+ 22 files changed, 1211 insertions(+), 180 deletions(-)
+ create mode 100644 bus/check.c
+ create mode 100644 bus/check.h
+ create mode 100644 bus/cynara.c
+ create mode 100644 bus/cynara.h
+ create mode 100644 test/data/invalid-config-files/badcheck-1.conf
+ create mode 100644 test/data/invalid-config-files/badcheck-2.conf
+ create mode 100644 test/data/valid-config-files/check-1.conf
+ create mode 100644 test/data/valid-config-files/debug-check-some.conf.in
+
+diff --git a/bus/Makefile.am b/bus/Makefile.am
+index f335e30..b057d6b 100644
+--- a/bus/Makefile.am
++++ b/bus/Makefile.am
+@@ -7,6 +7,7 @@ DBUS_BUS_LIBS = \
+ $(THREAD_LIBS) \
+ $(ADT_LIBS) \
+ $(NETWORK_libs) \
++ $(CYNARA_LIBS) \
+ $(NULL)
+
+ DBUS_LAUNCHER_LIBS = \
+@@ -21,6 +22,7 @@ AM_CPPFLAGS = \
+ -DDBUS_SYSTEM_CONFIG_FILE=\""$(configdir)/system.conf"\" \
+ -DDBUS_COMPILATION \
+ -DDBUS_STATIC_BUILD \
++ $(CYNARA_CFLAGS) \
+ $(NULL)
+
+ # if assertions are enabled, improve backtraces
+@@ -60,12 +62,16 @@ BUS_SOURCES= \
+ activation-exit-codes.h \
+ bus.c \
+ bus.h \
++ check.c \
++ check.h \
+ config-parser.c \
+ config-parser.h \
+ config-parser-common.c \
+ config-parser-common.h \
+ connection.c \
+ connection.h \
++ cynara.c \
++ cynara.h \
+ desktop-file.c \
+ desktop-file.h \
+ $(DIR_WATCH_SOURCE) \
+diff --git a/bus/bus.c b/bus/bus.c
+index f0d980e..ac9ea8d 100644
+--- a/bus/bus.c
++++ b/bus/bus.c
+@@ -35,6 +35,7 @@
+ #include "signals.h"
+ #include "selinux.h"
+ #include "dir-watch.h"
++#include "check.h"
+ #include <dbus/dbus-list.h>
+ #include <dbus/dbus-hash.h>
+ #include <dbus/dbus-credentials.h>
+@@ -63,6 +64,7 @@ struct BusContext
+ BusRegistry *registry;
+ BusPolicy *policy;
+ BusMatchmaker *matchmaker;
++ BusCheck *check;
+ BusLimits limits;
+ DBusRLimit *initial_fd_limit;
+ unsigned int fork : 1;
+@@ -962,6 +964,10 @@ bus_context_new (const DBusString *config_file,
+ #endif
+ }
+
++ context->check = bus_check_new(context, error);
++ if (context->check == NULL)
++ goto failed;
++
+ dbus_server_free_data_slot (&server_data_slot);
+
+ return context;
+@@ -1086,6 +1092,12 @@ bus_context_unref (BusContext *context)
+
+ bus_context_shutdown (context);
+
++ if (context->check)
++ {
++ bus_check_unref(context->check);
++ context->check = NULL;
++ }
++
+ if (context->connections)
+ {
+ bus_connections_unref (context->connections);
+@@ -1215,6 +1227,12 @@ bus_context_get_loop (BusContext *context)
+ return context->loop;
+ }
+
++BusCheck*
++bus_context_get_check (BusContext *context)
++{
++ return context->check;
++}
++
+ dbus_bool_t
+ bus_context_allow_unix_user (BusContext *context,
+ unsigned long uid)
+@@ -1386,6 +1404,7 @@ complain_about_message (BusContext *context,
+ DBusConnection *proposed_recipient,
+ dbus_bool_t requested_reply,
+ dbus_bool_t log,
++ const char *privilege,
+ DBusError *error)
+ {
+ DBusError stack_error = DBUS_ERROR_INIT;
+@@ -1415,7 +1434,8 @@ complain_about_message (BusContext *context,
+ dbus_set_error (&stack_error, error_name,
+ "%s, %d matched rules; type=\"%s\", sender=\"%s\" (%s) "
+ "interface=\"%s\" member=\"%s\" error name=\"%s\" "
+- "requested_reply=\"%d\" destination=\"%s\" (%s)",
++ "requested_reply=\"%d\" destination=\"%s\" (%s) "
++ "privilege=\"%s\"",
+ complaint,
+ matched_rules,
+ dbus_message_type_to_string (dbus_message_get_type (message)),
+@@ -1426,7 +1446,8 @@ complain_about_message (BusContext *context,
+ nonnull (dbus_message_get_error_name (message), "(unset)"),
+ requested_reply,
+ nonnull (dbus_message_get_destination (message), DBUS_SERVICE_DBUS),
+- proposed_recipient_loginfo);
++ proposed_recipient_loginfo,
++ nonnull (privilege, "(n/a)"));
+
+ /* If we hit OOM while setting the error, this will syslog "out of memory"
+ * which is itself an indication that something is seriously wrong */
+@@ -1450,14 +1471,15 @@ complain_about_message (BusContext *context,
+ * NULL for addressed_recipient may mean the bus driver, or may mean
+ * no destination was specified in the message (e.g. a signal).
+ */
+-dbus_bool_t
+-bus_context_check_security_policy (BusContext *context,
+- BusTransaction *transaction,
+- DBusConnection *sender,
+- DBusConnection *addressed_recipient,
+- DBusConnection *proposed_recipient,
+- DBusMessage *message,
+- DBusError *error)
++BusResult
++bus_context_check_security_policy (BusContext *context,
++ BusTransaction *transaction,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ DBusMessage *message,
++ DBusError *error,
++ BusDeferredMessage **deferred_message)
+ {
+ const char *dest;
+ BusClientPolicy *sender_policy;
+@@ -1466,6 +1488,7 @@ bus_context_check_security_policy (BusContext *context,
+ dbus_bool_t log;
+ int type;
+ dbus_bool_t requested_reply;
++ const char *privilege;
+
+ type = dbus_message_get_type (message);
+ dest = dbus_message_get_destination (message);
+@@ -1493,7 +1516,7 @@ bus_context_check_security_policy (BusContext *context,
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "Message bus will not accept messages of unknown type\n");
+
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ requested_reply = FALSE;
+@@ -1517,11 +1540,11 @@ bus_context_check_security_policy (BusContext *context,
+ complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
+ "An SELinux policy prevents this sender from sending this "
+ "message to this recipient",
+- 0, message, sender, proposed_recipient, FALSE, FALSE, error);
++ 0, message, sender, proposed_recipient, FALSE, FALSE, NULL, error);
+ _dbus_verbose ("SELinux security check denying send to service\n");
+ }
+
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (bus_connection_is_active (sender))
+@@ -1547,7 +1570,7 @@ bus_context_check_security_policy (BusContext *context,
+ if (dbus_error_is_set (&error2))
+ {
+ dbus_move_error (&error2, error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ }
+ }
+@@ -1564,7 +1587,7 @@ bus_context_check_security_policy (BusContext *context,
+ {
+ _dbus_verbose ("security check allowing %s message\n",
+ "Hello");
+- return TRUE;
++ return BUS_RESULT_TRUE;
+ }
+ else
+ {
+@@ -1575,7 +1598,7 @@ bus_context_check_security_policy (BusContext *context,
+ "Client tried to send a message other than %s without being registered",
+ "Hello");
+
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ }
+ }
+@@ -1624,20 +1647,29 @@ bus_context_check_security_policy (BusContext *context,
+ (proposed_recipient == NULL && recipient_policy == NULL));
+
+ log = FALSE;
+- if (sender_policy &&
+- !bus_client_policy_check_can_send (sender_policy,
+- context->registry,
+- requested_reply,
+- proposed_recipient,
+- message, &toggles, &log))
+- {
+- complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
+- "Rejected send message", toggles,
+- message, sender, proposed_recipient, requested_reply,
+- (addressed_recipient == proposed_recipient), error);
+- _dbus_verbose ("security policy disallowing message due to sender policy\n");
+- return FALSE;
+- }
++ if (sender_policy)
++ {
++ BusResult res = bus_client_policy_check_can_send (sender,
++ sender_policy,
++ context->registry,
++ requested_reply,
++ addressed_recipient,
++ proposed_recipient,
++ message, &toggles, &log, &privilege,
++ deferred_message);
++ if (res == BUS_RESULT_FALSE)
++ {
++ complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
++ "Rejected send message", toggles,
++ message, sender, proposed_recipient, requested_reply,
++ (addressed_recipient == proposed_recipient), privilege,
++ error);
++ _dbus_verbose ("security policy disallowing message due to sender policy\n");
++ return BUS_RESULT_FALSE;
++ }
++ else if (res == BUS_RESULT_LATER)
++ return BUS_RESULT_LATER;
++ }
+
+ if (log)
+ {
+@@ -1646,23 +1678,29 @@ bus_context_check_security_policy (BusContext *context,
+ complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
+ "Would reject message", toggles,
+ message, sender, proposed_recipient, requested_reply,
+- TRUE, NULL);
++ TRUE, privilege, NULL);
+ }
+
+- if (recipient_policy &&
+- !bus_client_policy_check_can_receive (recipient_policy,
+- context->registry,
+- requested_reply,
+- sender,
+- addressed_recipient, proposed_recipient,
+- message, &toggles))
++ if (recipient_policy)
+ {
+- complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
+- "Rejected receive message", toggles,
+- message, sender, proposed_recipient, requested_reply,
+- (addressed_recipient == proposed_recipient), error);
+- _dbus_verbose ("security policy disallowing message due to recipient policy\n");
+- return FALSE;
++ BusResult res;
++ res = bus_client_policy_check_can_receive (recipient_policy,
++ context->registry,
++ requested_reply,
++ sender,
++ addressed_recipient, proposed_recipient,
++ message, &toggles, &privilege, deferred_message);
++ if (res == BUS_RESULT_FALSE)
++ {
++ complain_about_message(context, DBUS_ERROR_ACCESS_DENIED, "Rejected receive message",
++ toggles, message, sender, proposed_recipient, requested_reply,
++ (addressed_recipient == proposed_recipient), privilege, error);
++ _dbus_verbose(
++ "security policy disallowing message due to recipient policy\n");
++ return BUS_RESULT_FALSE;
++ }
++ else if (res == BUS_RESULT_LATER)
++ return BUS_RESULT_LATER;
+ }
+
+ /* See if limits on size have been exceeded */
+@@ -1672,10 +1710,10 @@ bus_context_check_security_policy (BusContext *context,
+ {
+ complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
+ "Rejected: destination has a full message queue",
+- 0, message, sender, proposed_recipient, requested_reply, TRUE,
++ 0, message, sender, proposed_recipient, requested_reply, TRUE, NULL,
+ error);
+ _dbus_verbose ("security policy disallowing message due to full message queue\n");
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ /* Record that we will allow a reply here in the future (don't
+@@ -1692,11 +1730,11 @@ bus_context_check_security_policy (BusContext *context,
+ message, error))
+ {
+ _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n");
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ _dbus_verbose ("security policy allowing message\n");
+- return TRUE;
++ return BUS_RESULT_TRUE;
+ }
+
+ void
+diff --git a/bus/bus.h b/bus/bus.h
+index dac6ea5..78084dd 100644
+--- a/bus/bus.h
++++ b/bus/bus.h
+@@ -30,19 +30,35 @@
+ #include <dbus/dbus-pipe.h>
+ #include <dbus/dbus-sysdeps.h>
+
+-typedef struct BusActivation BusActivation;
+-typedef struct BusConnections BusConnections;
+-typedef struct BusContext BusContext;
+-typedef struct BusPolicy BusPolicy;
+-typedef struct BusClientPolicy BusClientPolicy;
+-typedef struct BusPolicyRule BusPolicyRule;
+-typedef struct BusRegistry BusRegistry;
+-typedef struct BusSELinuxID BusSELinuxID;
+-typedef struct BusService BusService;
+-typedef struct BusOwner BusOwner;
+-typedef struct BusTransaction BusTransaction;
+-typedef struct BusMatchmaker BusMatchmaker;
+-typedef struct BusMatchRule BusMatchRule;
++typedef struct BusActivation BusActivation;
++typedef struct BusConnections BusConnections;
++typedef struct BusContext BusContext;
++typedef struct BusPolicy BusPolicy;
++typedef struct BusClientPolicy BusClientPolicy;
++typedef struct BusPolicyRule BusPolicyRule;
++typedef struct BusRegistry BusRegistry;
++typedef struct BusSELinuxID BusSELinuxID;
++typedef struct BusService BusService;
++typedef struct BusOwner BusOwner;
++typedef struct BusTransaction BusTransaction;
++typedef struct BusMatchmaker BusMatchmaker;
++typedef struct BusMatchRule BusMatchRule;
++typedef struct BusCheck BusCheck;
++typedef struct BusDeferredMessage BusDeferredMessage;
++typedef struct BusCynara BusCynara;
++
++/**
++ * BusResult is defined as a pointer to a dummy structure to allow detection of type mismatches.
++ * The disadvantage of such solution is that now BusResult variables cannot be used in switch
++ * statement.
++ * Additionally, BUS_RESULT_TRUE is defined as 0 instead of 1 to help detect type mismatches
++ * at runtime.
++ */
++typedef const struct BusResultStruct { int dummy; } *BusResult;
++
++static const BusResult BUS_RESULT_TRUE = (BusResult)0x0;
++static const BusResult BUS_RESULT_FALSE = (BusResult)0x1;
++static const BusResult BUS_RESULT_LATER = (BusResult)0x2;
+
+ typedef struct
+ {
+@@ -96,6 +112,7 @@ BusConnections* bus_context_get_connections (BusContext
+ BusActivation* bus_context_get_activation (BusContext *context);
+ BusMatchmaker* bus_context_get_matchmaker (BusContext *context);
+ DBusLoop* bus_context_get_loop (BusContext *context);
++BusCheck * bus_context_get_check (BusContext *context);
+ dbus_bool_t bus_context_allow_unix_user (BusContext *context,
+ unsigned long uid);
+ dbus_bool_t bus_context_allow_windows_user (BusContext *context,
+@@ -121,13 +138,14 @@ void bus_context_log (BusContext
+ DBusSystemLogSeverity severity,
+ const char *msg,
+ ...);
+-dbus_bool_t bus_context_check_security_policy (BusContext *context,
+- BusTransaction *transaction,
+- DBusConnection *sender,
+- DBusConnection *addressed_recipient,
+- DBusConnection *proposed_recipient,
+- DBusMessage *message,
+- DBusError *error);
+ void bus_context_check_all_watches (BusContext *context);
++BusResult bus_context_check_security_policy (BusContext *context,
++ BusTransaction *transaction,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ DBusMessage *message,
++ DBusError *error,
++ BusDeferredMessage **deferred_message);
+
+ #endif /* BUS_BUS_H */
+diff --git a/bus/check.c b/bus/check.c
+new file mode 100644
+index 0000000..d2f418a
+--- /dev/null
++++ b/bus/check.c
+@@ -0,0 +1,215 @@
++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
++/* check.c Bus security policy runtime check
++ *
++ * Copyright (C) 2014 Intel, Inc.
++ * Copyright (c) 2014 Samsung Electronics, Ltd.
++ *
++ * Licensed under the Academic Free License version 2.1
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ *
++ */
++
++#include <config.h>
++#include "check.h"
++#include "connection.h"
++#include "dispatch.h"
++#include "cynara.h"
++#include "utils.h"
++#include <dbus/dbus-connection-internal.h>
++#include <dbus/dbus-message-internal.h>
++#include <dbus/dbus-internals.h>
++
++
++typedef struct BusCheck
++{
++ int refcount;
++
++ BusContext *context;
++ BusCynara *cynara;
++} BusCheck;
++
++typedef struct BusDeferredMessage
++{
++ int refcount;
++
++ DBusMessage *message;
++ DBusConnection *sender;
++ DBusConnection *proposed_recipient;
++ DBusConnection *addressed_recipient;
++ dbus_bool_t full_dispatch;
++ BusDeferredMessageStatus status;
++ BusResult response;
++ BusCheckResponseFunc response_callback;
++} BusDeferredMessage;
++
++BusCheck *
++bus_check_new (BusContext *context, DBusError *error)
++{
++ BusCheck *check;
++
++ check = dbus_new(BusCheck, 1);
++ if (check == NULL)
++ {
++ BUS_SET_OOM(error);
++ return NULL;
++ }
++
++ check->refcount = 1;
++ check->context = context;
++ check->cynara = bus_cynara_new(check, error);
++ if (dbus_error_is_set(error))
++ {
++ dbus_free(check);
++ return NULL;
++ }
++
++ return check;
++}
++
++BusCheck *
++bus_check_ref (BusCheck *check)
++{
++ _dbus_assert (check->refcount > 0);
++ check->refcount += 1;
++
++ return check;
++}
++
++void
++bus_check_unref (BusCheck *check)
++{
++ _dbus_assert (check->refcount > 0);
++
++ check->refcount -= 1;
++
++ if (check->refcount == 0)
++ {
++ bus_cynara_unref(check->cynara);
++ dbus_free(check);
++ }
++}
++
++BusContext *
++bus_check_get_context (BusCheck *check)
++{
++ return check->context;
++}
++
++BusCynara *
++bus_check_get_cynara (BusCheck *check)
++{
++ return check->cynara;
++}
++
++BusResult
++bus_check_privilege (BusCheck *check,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ const char *privilege,
++ BusDeferredMessageStatus check_type,
++ BusDeferredMessage **deferred_message)
++{
++ BusResult result = BUS_RESULT_FALSE;
++ BusCynara *cynara;
++ DBusConnection *connection;
++
++ connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
++
++ if (!dbus_connection_get_is_connected(connection))
++ {
++ return BUS_RESULT_FALSE;
++ }
++
++ /* ask policy checkers */
++#ifdef DBUS_ENABLE_CYNARA
++ cynara = bus_check_get_cynara(check);
++ result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
++ proposed_recipient, privilege, check_type, deferred_message);
++#endif
++
++ if (result == BUS_RESULT_LATER && deferred_message != NULL)
++ {
++ (*deferred_message)->status |= check_type;
++ }
++ return result;
++}
++
++BusDeferredMessage *bus_deferred_message_new (DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ BusResult response)
++{
++ BusDeferredMessage *deferred_message;
++
++ deferred_message = dbus_new(BusDeferredMessage, 1);
++ if (deferred_message == NULL)
++ {
++ return NULL;
++ }
++
++ deferred_message->refcount = 1;
++ deferred_message->sender = sender != NULL ? dbus_connection_ref(sender) : NULL;
++ deferred_message->addressed_recipient = addressed_recipient != NULL ? dbus_connection_ref(addressed_recipient) : NULL;
++ deferred_message->proposed_recipient = proposed_recipient != NULL ? dbus_connection_ref(proposed_recipient) : NULL;
++ deferred_message->message = dbus_message_ref(message);
++ deferred_message->response = response;
++ deferred_message->status = 0;
++ deferred_message->full_dispatch = FALSE;
++ deferred_message->response_callback = NULL;
++
++ return deferred_message;
++}
++
++BusDeferredMessage *
++bus_deferred_message_ref (BusDeferredMessage *deferred_message)
++{
++ _dbus_assert (deferred_message->refcount > 0);
++ deferred_message->refcount += 1;
++ return deferred_message;
++}
++
++void
++bus_deferred_message_unref (BusDeferredMessage *deferred_message)
++{
++ _dbus_assert (deferred_message->refcount > 0);
++
++ deferred_message->refcount -= 1;
++
++ if (deferred_message->refcount == 0)
++ {
++ dbus_message_unref(deferred_message->message);
++ if (deferred_message->sender != NULL)
++ dbus_connection_unref(deferred_message->sender);
++ if (deferred_message->addressed_recipient != NULL)
++ dbus_connection_unref(deferred_message->addressed_recipient);
++ if (deferred_message->proposed_recipient != NULL)
++ dbus_connection_unref(deferred_message->proposed_recipient);
++ dbus_free(deferred_message);
++ }
++}
++
++void
++bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
++ BusResult result)
++{
++ if (deferred_message->response_callback != NULL)
++ {
++ deferred_message->response_callback(deferred_message, result);
++ }
++}
+diff --git a/bus/check.h b/bus/check.h
+new file mode 100644
+index 0000000..c3fcaf9
+--- /dev/null
++++ b/bus/check.h
+@@ -0,0 +1,68 @@
++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
++/* check.h Bus security policy runtime check
++ *
++ * Copyright (C) 2014 Intel, Inc.
++ * Copyright (c) 2014 Samsung Electronics, Ltd.
++ *
++ * Licensed under the Academic Free License version 2.1
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ *
++ */
++
++#ifndef BUS_CHECK_H
++#define BUS_CHECK_H
++
++#include "bus.h"
++#include "policy.h"
++
++
++typedef void (*BusCheckResponseFunc) (BusDeferredMessage *message,
++ BusResult result);
++
++typedef enum {
++ BUS_DEFERRED_MESSAGE_CHECK_SEND = 1 << 0,
++ BUS_DEFERRED_MESSAGE_CHECK_RECEIVE = 1 << 1,
++ BUS_DEFERRED_MESSAGE_CHECK_OWN = 1 << 2,
++} BusDeferredMessageStatus;
++
++
++BusCheck *bus_check_new (BusContext *context,
++ DBusError *error);
++BusCheck *bus_check_ref (BusCheck *check);
++void bus_check_unref (BusCheck *check);
++
++BusContext *bus_check_get_context (BusCheck *check);
++BusCynara *bus_check_get_cynara (BusCheck *check);
++BusResult bus_check_privilege (BusCheck *check,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ const char *privilege,
++ BusDeferredMessageStatus check_type,
++ BusDeferredMessage **deferred_message);
++
++BusDeferredMessage *bus_deferred_message_new (DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ BusResult response);
++
++BusDeferredMessage *bus_deferred_message_ref (BusDeferredMessage *deferred_message);
++void bus_deferred_message_unref (BusDeferredMessage *deferred_message);
++void bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
++ BusResult result);
++#endif /* BUS_CHECK_H */
+diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c
+index c522ff4..1cfe4c8 100644
+--- a/bus/config-parser-common.c
++++ b/bus/config-parser-common.c
+@@ -75,6 +75,10 @@ bus_config_parser_element_name_to_type (const char *name)
+ {
+ return ELEMENT_DENY;
+ }
++ else if (strcmp (name, "check") == 0)
++ {
++ return ELEMENT_CHECK;
++ }
+ else if (strcmp (name, "servicehelper") == 0)
+ {
+ return ELEMENT_SERVICEHELPER;
+@@ -155,6 +159,8 @@ bus_config_parser_element_type_to_name (ElementType type)
+ return "allow";
+ case ELEMENT_DENY:
+ return "deny";
++ case ELEMENT_CHECK:
++ return "check";
+ case ELEMENT_FORK:
+ return "fork";
+ case ELEMENT_PIDFILE:
+diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h
+index 186bf4c..bff6fdb 100644
+--- a/bus/config-parser-common.h
++++ b/bus/config-parser-common.h
+@@ -36,6 +36,7 @@ typedef enum
+ ELEMENT_LIMIT,
+ ELEMENT_ALLOW,
+ ELEMENT_DENY,
++ ELEMENT_CHECK,
+ ELEMENT_FORK,
+ ELEMENT_PIDFILE,
+ ELEMENT_SERVICEDIR,
+diff --git a/bus/config-parser.c b/bus/config-parser.c
+index ee2d4e7..73c9e6f 100644
+--- a/bus/config-parser.c
++++ b/bus/config-parser.c
+@@ -1150,7 +1150,7 @@ append_rule_from_element (BusConfigParser *parser,
+ const char *element_name,
+ const char **attribute_names,
+ const char **attribute_values,
+- dbus_bool_t allow,
++ BusPolicyRuleAccess access,
+ DBusError *error)
+ {
+ const char *log;
+@@ -1173,6 +1173,7 @@ append_rule_from_element (BusConfigParser *parser,
+ const char *own_prefix;
+ const char *user;
+ const char *group;
++ const char *privilege;
+
+ BusPolicyRule *rule;
+
+@@ -1200,6 +1201,7 @@ append_rule_from_element (BusConfigParser *parser,
+ "user", &user,
+ "group", &group,
+ "log", &log,
++ "privilege", &privilege,
+ NULL))
+ return FALSE;
+
+@@ -1208,6 +1210,7 @@ append_rule_from_element (BusConfigParser *parser,
+ receive_interface || receive_member || receive_error || receive_sender ||
+ receive_type || receive_path || eavesdrop ||
+ send_requested_reply || receive_requested_reply ||
++ privilege ||
+ own || own_prefix || user || group))
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+@@ -1224,7 +1227,30 @@ append_rule_from_element (BusConfigParser *parser,
+ element_name);
+ return FALSE;
+ }
+-
++
++ if (access == BUS_POLICY_RULE_ACCESS_CHECK)
++ {
++ if (privilege == NULL || !*privilege)
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED,
++ "On element <%s>, you must specify the privilege to be checked.",
++ element_name);
++ return FALSE;
++ }
++ }
++ else
++ {
++ if (privilege != NULL && *privilege)
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED,
++ "On element <%s>, privilege %s is used outside of a check rule.",
++ element_name, privilege);
++ return FALSE;
++ }
++ else
++ privilege = NULL; /* replace (potentially) empty string with NULL pointer, it wouldn't be used anyway */
++ }
++
+ /* Allowed combinations of elements are:
+ *
+ * base, must be all send or all receive:
+@@ -1398,7 +1424,7 @@ append_rule_from_element (BusConfigParser *parser,
+ return FALSE;
+ }
+
+- rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, allow);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, access);
+ if (rule == NULL)
+ goto nomem;
+
+@@ -1480,7 +1506,7 @@ append_rule_from_element (BusConfigParser *parser,
+ return FALSE;
+ }
+
+- rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, allow);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, access);
+ if (rule == NULL)
+ goto nomem;
+
+@@ -1510,7 +1536,7 @@ append_rule_from_element (BusConfigParser *parser,
+ }
+ else if (own || own_prefix)
+ {
+- rule = bus_policy_rule_new (BUS_POLICY_RULE_OWN, allow);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_OWN, access);
+ if (rule == NULL)
+ goto nomem;
+
+@@ -1536,7 +1562,7 @@ append_rule_from_element (BusConfigParser *parser,
+ {
+ if (IS_WILDCARD (user))
+ {
+- rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, allow);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, access);
+ if (rule == NULL)
+ goto nomem;
+
+@@ -1551,7 +1577,7 @@ append_rule_from_element (BusConfigParser *parser,
+
+ if (_dbus_parse_unix_user_from_config (&username, &uid))
+ {
+- rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, allow);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, access);
+ if (rule == NULL)
+ goto nomem;
+
+@@ -1568,7 +1594,7 @@ append_rule_from_element (BusConfigParser *parser,
+ {
+ if (IS_WILDCARD (group))
+ {
+- rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, allow);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, access);
+ if (rule == NULL)
+ goto nomem;
+
+@@ -1583,7 +1609,7 @@ append_rule_from_element (BusConfigParser *parser,
+
+ if (_dbus_parse_unix_group_from_config (&groupname, &gid))
+ {
+- rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, allow);
++ rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, access);
+ if (rule == NULL)
+ goto nomem;
+
+@@ -1607,6 +1633,10 @@ append_rule_from_element (BusConfigParser *parser,
+ _dbus_assert (pe != NULL);
+ _dbus_assert (pe->type == ELEMENT_POLICY);
+
++ rule->privilege = _dbus_strdup (privilege);
++ if (privilege && !rule->privilege)
++ goto nomem;
++
+ switch (pe->d.policy.type)
+ {
+ case POLICY_IGNORED:
+@@ -1681,7 +1711,7 @@ start_policy_child (BusConfigParser *parser,
+ {
+ if (!append_rule_from_element (parser, element_name,
+ attribute_names, attribute_values,
+- TRUE, error))
++ BUS_POLICY_RULE_ACCESS_ALLOW, error))
+ return FALSE;
+
+ if (push_element (parser, ELEMENT_ALLOW) == NULL)
+@@ -1696,7 +1726,7 @@ start_policy_child (BusConfigParser *parser,
+ {
+ if (!append_rule_from_element (parser, element_name,
+ attribute_names, attribute_values,
+- FALSE, error))
++ BUS_POLICY_RULE_ACCESS_DENY, error))
+ return FALSE;
+
+ if (push_element (parser, ELEMENT_DENY) == NULL)
+@@ -1707,6 +1737,21 @@ start_policy_child (BusConfigParser *parser,
+
+ return TRUE;
+ }
++ else if (strcmp (element_name, "check") == 0)
++ {
++ if (!append_rule_from_element (parser, element_name,
++ attribute_names, attribute_values,
++ BUS_POLICY_RULE_ACCESS_CHECK, error))
++ return FALSE;
++
++ if (push_element (parser, ELEMENT_CHECK) == NULL)
++ {
++ BUS_SET_OOM (error);
++ return FALSE;
++ }
++
++ return TRUE;
++ }
+ else
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+@@ -2066,6 +2111,7 @@ bus_config_parser_end_element (BusConfigParser *parser,
+ case ELEMENT_POLICY:
+ case ELEMENT_ALLOW:
+ case ELEMENT_DENY:
++ case ELEMENT_CHECK:
+ case ELEMENT_FORK:
+ case ELEMENT_SYSLOG:
+ case ELEMENT_KEEP_UMASK:
+@@ -2365,6 +2411,7 @@ bus_config_parser_content (BusConfigParser *parser,
+ case ELEMENT_POLICY:
+ case ELEMENT_ALLOW:
+ case ELEMENT_DENY:
++ case ELEMENT_CHECK:
+ case ELEMENT_FORK:
+ case ELEMENT_SYSLOG:
+ case ELEMENT_KEEP_UMASK:
+@@ -2829,6 +2876,8 @@ do_load (const DBusString *full_path,
+ dbus_error_init (&error);
+
+ parser = bus_config_load (full_path, TRUE, NULL, &error);
++ if (dbus_error_is_set (&error))
++ _dbus_verbose ("Failed to load file: %s\n", error.message);
+ if (parser == NULL)
+ {
+ _DBUS_ASSERT_ERROR_IS_SET (&error);
+diff --git a/bus/connection.c b/bus/connection.c
+index 7107434..a6d87e5 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -34,6 +34,10 @@
+ #include <dbus/dbus-hash.h>
+ #include <dbus/dbus-timeout.h>
+ #include <dbus/dbus-connection-internal.h>
++#ifdef DBUS_ENABLE_CYNARA
++#include <stdlib.h>
++#include <cynara-session.h>
++#endif
+
+ /* Trim executed commands to this length; we want to keep logs readable */
+ #define MAX_LOG_COMMAND_LEN 50
+@@ -105,6 +109,9 @@ typedef struct
+ #endif
+ int n_pending_unix_fds;
+ DBusTimeout *pending_unix_fds_timeout;
++#ifdef DBUS_ENABLE_CYNARA
++ char *cynara_session_id;
++#endif
+ } BusConnectionData;
+
+ static dbus_bool_t bus_pending_reply_expired (BusExpireList *list,
+@@ -118,8 +125,8 @@ static dbus_bool_t expire_incomplete_timeout (void *data);
+
+ #define BUS_CONNECTION_DATA(connection) (dbus_connection_get_data ((connection), connection_data_slot))
+
+-static DBusLoop*
+-connection_get_loop (DBusConnection *connection)
++DBusLoop*
++bus_connection_get_loop (DBusConnection *connection)
+ {
+ BusConnectionData *d;
+
+@@ -331,7 +338,7 @@ add_connection_watch (DBusWatch *watch,
+ {
+ DBusConnection *connection = data;
+
+- return _dbus_loop_add_watch (connection_get_loop (connection), watch);
++ return _dbus_loop_add_watch (bus_connection_get_loop (connection), watch);
+ }
+
+ static void
+@@ -340,7 +347,7 @@ remove_connection_watch (DBusWatch *watch,
+ {
+ DBusConnection *connection = data;
+
+- _dbus_loop_remove_watch (connection_get_loop (connection), watch);
++ _dbus_loop_remove_watch (bus_connection_get_loop (connection), watch);
+ }
+
+ static void
+@@ -349,7 +356,7 @@ toggle_connection_watch (DBusWatch *watch,
+ {
+ DBusConnection *connection = data;
+
+- _dbus_loop_toggle_watch (connection_get_loop (connection), watch);
++ _dbus_loop_toggle_watch (bus_connection_get_loop (connection), watch);
+ }
+
+ static dbus_bool_t
+@@ -358,7 +365,7 @@ add_connection_timeout (DBusTimeout *timeout,
+ {
+ DBusConnection *connection = data;
+
+- return _dbus_loop_add_timeout (connection_get_loop (connection), timeout);
++ return _dbus_loop_add_timeout (bus_connection_get_loop (connection), timeout);
+ }
+
+ static void
+@@ -367,7 +374,7 @@ remove_connection_timeout (DBusTimeout *timeout,
+ {
+ DBusConnection *connection = data;
+
+- _dbus_loop_remove_timeout (connection_get_loop (connection), timeout);
++ _dbus_loop_remove_timeout (bus_connection_get_loop (connection), timeout);
+ }
+
+ static void
+@@ -425,6 +432,10 @@ free_connection_data (void *data)
+
+ dbus_free (d->name);
+
++#ifdef DBUS_ENABLE_CYNARA
++ free (d->cynara_session_id);
++#endif
++
+ dbus_free (d);
+ }
+
+@@ -984,6 +995,22 @@ bus_connection_get_policy (DBusConnection *connection)
+ return d->policy;
+ }
+
++#ifdef DBUS_ENABLE_CYNARA
++const char *bus_connection_get_cynara_session_id (DBusConnection *connection)
++{
++ BusConnectionData *d = BUS_CONNECTION_DATA (connection);
++ _dbus_assert (d != NULL);
++
++ if (d->cynara_session_id == NULL)
++ {
++ unsigned long pid;
++ if (dbus_connection_get_unix_process_id(connection, &pid))
++ d->cynara_session_id = cynara_session_from_pid(pid);
++ }
++ return d->cynara_session_id;
++}
++#endif
++
+ static dbus_bool_t
+ foreach_active (BusConnections *connections,
+ BusConnectionForeachFunction function,
+@@ -2104,6 +2131,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ DBusConnection *connection,
+ DBusMessage *message)
+ {
++ BusResult res;
+ /* We have to set the sender to the driver, and have
+ * to check security policy since it was not done in
+ * dispatch.c
+@@ -2132,10 +2160,18 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ /* If security policy doesn't allow the message, we silently
+ * eat it; the driver doesn't care about getting a reply.
+ */
+- if (!bus_context_check_security_policy (bus_transaction_get_context (transaction),
+- transaction,
+- NULL, connection, connection, message, NULL))
++ res = bus_context_check_security_policy (bus_transaction_get_context (transaction),
++ transaction,
++ NULL, connection, connection, message, NULL,
++ NULL);
++
++ if (res == BUS_RESULT_FALSE)
+ return TRUE;
++ else if (res == BUS_RESULT_LATER)
++ {
++ _dbus_verbose ("Cannot delay sending message from bus driver, dropping it\n");
++ return TRUE;
++ }
+
+ return bus_transaction_send (transaction, connection, message);
+ }
+diff --git a/bus/connection.h b/bus/connection.h
+index 6fbcd38..7433746 100644
+--- a/bus/connection.h
++++ b/bus/connection.h
+@@ -31,6 +31,7 @@
+ typedef dbus_bool_t (* BusConnectionForeachFunction) (DBusConnection *connection,
+ void *data);
+
++DBusLoop* bus_connection_get_loop (DBusConnection *connection);
+
+ BusConnections* bus_connections_new (BusContext *context);
+ BusConnections* bus_connections_ref (BusConnections *connections);
+@@ -116,6 +117,10 @@ dbus_bool_t bus_connection_get_unix_groups (DBusConnection *connecti
+ DBusError *error);
+ BusClientPolicy* bus_connection_get_policy (DBusConnection *connection);
+
++#ifdef DBUS_ENABLE_CYNARA
++const char *bus_connection_get_cynara_session_id (DBusConnection *connection);
++#endif
++
+ /* transaction API so we can send or not send a block of messages as a whole */
+
+ typedef void (* BusTransactionCancelFunction) (void *data);
+diff --git a/bus/cynara.c b/bus/cynara.c
+new file mode 100644
+index 0000000..57a4c45
+--- /dev/null
++++ b/bus/cynara.c
+@@ -0,0 +1,374 @@
++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
++/* cynara.c Cynara runtime privilege checking
++ *
++ * Copyright (c) 2014 Samsung Electronics, Ltd.
++ *
++ * Licensed under the Academic Free License version 2.1
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ *
++ */
++
++#include <config.h>
++#include "cynara.h"
++#include "check.h"
++#include "utils.h"
++
++#include <stdio.h>
++
++#include <dbus/dbus.h>
++#include <dbus/dbus-watch.h>
++#include <dbus/dbus-connection-internal.h>
++#include <bus/connection.h>
++#ifdef DBUS_ENABLE_CYNARA
++#include <cynara-client-async.h>
++#endif
++
++
++#ifdef DBUS_ENABLE_CYNARA
++typedef struct BusCynara
++{
++ int refcount;
++
++ BusContext *context;
++ BusCheck *check;
++ cynara_async *cynara;
++ DBusWatch *cynara_watch;
++} BusCynara;
++
++#define USE_CYNARA_CACHE 1
++#ifdef USE_CYNARA_CACHE
++#define CYNARA_CACHE_SIZE 1000
++#endif
++
++static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch,
++ unsigned int flags,
++ void *data);
++
++static void status_callback(int old_fd,
++ int new_fd,
++ cynara_async_status status,
++ void *user_status_data);
++static void bus_cynara_check_response_callback (cynara_check_id check_id,
++ cynara_async_call_cause cause,
++ int response,
++ void *user_response_data);
++#endif
++
++
++BusCynara *
++bus_cynara_new(BusCheck *check, DBusError *error)
++{
++#ifdef DBUS_ENABLE_CYNARA
++ BusContext *context;
++ BusCynara *cynara;
++ cynara_async_configuration *conf = NULL;
++ int ret;
++
++ cynara = dbus_new(BusCynara, 1);
++ if (cynara == NULL)
++ {
++ BUS_SET_OOM(error);
++ return NULL;
++ }
++
++ context = bus_check_get_context(check);
++
++ cynara->refcount = 1;
++ cynara->check = check;
++ cynara->context = context;
++ cynara->cynara_watch = NULL;
++
++ ret = cynara_async_configuration_create(&conf);
++ if (ret != CYNARA_API_SUCCESS)
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynara configuration");
++ goto out;
++ }
++
++#ifdef CYNARA_CACHE_SIZE
++ ret = cynara_async_configuration_set_cache_size(conf, CYNARA_CACHE_SIZE);
++ if (ret != CYNARA_API_SUCCESS)
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to Cynara cache size");
++ goto out;
++ }
++#endif
++
++ ret = cynara_async_initialize(&cynara->cynara, conf, &status_callback, cynara);
++ if (ret != CYNARA_API_SUCCESS)
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynara client");
++ goto out;
++ }
++
++out:
++ cynara_async_configuration_destroy(conf);
++ if (ret != CYNARA_API_SUCCESS)
++ {
++ dbus_free(cynara);
++ return NULL;
++ }
++
++ return cynara;
++#else
++ return NULL;
++#endif
++}
++
++BusCynara *
++bus_cynara_ref (BusCynara *cynara)
++{
++#ifdef DBUS_ENABLE_CYNARA
++ _dbus_assert (cynara->refcount > 0);
++ cynara->refcount += 1;
++
++ return cynara;
++#else
++ return NULL;
++#endif
++}
++
++void
++bus_cynara_unref (BusCynara *cynara)
++{
++#ifdef DBUS_ENABLE_CYNARA
++ _dbus_assert (cynara->refcount > 0);
++
++ cynara->refcount -= 1;
++
++ if (cynara->refcount == 0)
++ {
++ cynara_async_finish(cynara->cynara);
++ dbus_free(cynara);
++ }
++#endif
++}
++
++BusResult
++bus_cynara_check_privilege (BusCynara *cynara,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ const char *privilege,
++ BusDeferredMessageStatus check_type,
++ BusDeferredMessage **deferred_message_param)
++{
++#ifdef DBUS_ENABLE_CYNARA
++ int result;
++ unsigned long uid;
++ char *label;
++ const char *session_id;
++ char user[32];
++ cynara_check_id check_id;
++ DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
++ BusDeferredMessage *deferred_message;
++ BusResult ret;
++
++ _dbus_assert(connection != NULL);
++
++ if (dbus_connection_get_unix_user(connection, &uid) == FALSE)
++ return BUS_RESULT_FALSE;
++
++ if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL)
++ {
++ _dbus_warn("Failed to obtain security label for connection\n");
++ return BUS_RESULT_FALSE;
++ }
++
++ session_id = bus_connection_get_cynara_session_id (connection);
++ if (session_id == NULL)
++ {
++ ret = BUS_RESULT_FALSE;
++ goto out;
++ }
++
++ snprintf(user, sizeof(user), "%lu", uid);
++
++#if USE_CYNARA_CACHE
++ result = cynara_async_check_cache(cynara->cynara, label, session_id, user, privilege);
++#else
++ result = CYNARA_API_CACHE_MISS;
++#endif
++
++ switch (result)
++ {
++ case CYNARA_API_ACCESS_ALLOWED:
++ _dbus_verbose("Cynara: got ALLOWED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
++ label, session_id, user, privilege);
++ ret = BUS_RESULT_TRUE;
++ break;
++
++ case CYNARA_API_ACCESS_DENIED:
++ _dbus_verbose("Cynara: got DENIED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
++ label, session_id, user, privilege);
++ ret = BUS_RESULT_FALSE;
++ break;
++
++ case CYNARA_API_CACHE_MISS:
++ deferred_message = bus_deferred_message_new(message, sender, addressed_recipient,
++ proposed_recipient, BUS_RESULT_LATER);
++ if (deferred_message == NULL)
++ {
++ _dbus_verbose("Failed to allocate memory for deferred message\n");
++ ret = BUS_RESULT_FALSE;
++ goto out;
++ }
++
++ /* callback is supposed to unref deferred_message*/
++ result = cynara_async_create_request(cynara->cynara, label, session_id, user, privilege, &check_id,
++ &bus_cynara_check_response_callback, deferred_message);
++ if (result == CYNARA_API_SUCCESS)
++ {
++ _dbus_verbose("Created Cynara request: client=%s session_id=%s user=%s privilege=%s check_id=%u "
++ "deferred_message=%p\n", label, session_id, user, privilege, (unsigned int)check_id, deferred_message);
++ if (deferred_message_param != NULL)
++ *deferred_message_param = deferred_message;
++ ret = BUS_RESULT_LATER;
++ }
++ else
++ {
++ _dbus_verbose("Error on cynara request create: %i\n", result);
++ bus_deferred_message_unref(deferred_message);
++ ret = BUS_RESULT_FALSE;
++ }
++ break;
++ default:
++ _dbus_verbose("Error when accessing Cynara cache: %i\n", result);
++ ret = BUS_RESULT_FALSE;
++ }
++out:
++ dbus_free(label);
++ return ret;
++
++#else
++ return BUS_RESULT_FALSE;
++#endif
++}
++
++
++
++#ifdef DBUS_ENABLE_CYNARA
++static void
++status_callback(int old_fd, int new_fd, cynara_async_status status,
++ void *user_status_data)
++{
++ BusCynara *cynara = (BusCynara *)user_status_data;
++ DBusLoop *loop = bus_context_get_loop(cynara->context);
++
++ if (cynara->cynara_watch != NULL)
++ {
++ _dbus_loop_remove_watch(loop, cynara->cynara_watch);
++ _dbus_watch_invalidate(cynara->cynara_watch);
++ _dbus_watch_unref(cynara->cynara_watch);
++ cynara->cynara_watch = NULL;
++ }
++
++ if (new_fd != -1)
++ {
++ unsigned int flags;
++ DBusWatch *watch;
++
++ switch (status)
++ {
++ case CYNARA_STATUS_FOR_READ:
++ flags = DBUS_WATCH_READABLE;
++ break;
++ case CYNARA_STATUS_FOR_RW:
++ flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
++ break;
++ default:
++ /* Cynara passed unknown status - warn and add RW watch */
++ _dbus_verbose("Cynara passed unknown status value: 0x%08X\n", (unsigned int)status);
++ flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
++ break;
++ }
++
++ watch = _dbus_watch_new(new_fd, flags, TRUE, &bus_cynara_watch_callback, cynara, NULL);
++ if (watch != NULL)
++ {
++ if (_dbus_loop_add_watch(loop, watch) == TRUE)
++ {
++ cynara->cynara_watch = watch;
++ return;
++ }
++
++ _dbus_watch_invalidate(watch);
++ _dbus_watch_unref(watch);
++ }
++
++ /* It seems like not much can be done at this point. Cynara events won't be processed
++ * until next Cynara function call triggering status callback */
++ _dbus_verbose("Failed to add dbus watch\n");
++ }
++}
++
++static dbus_bool_t
++bus_cynara_watch_callback(DBusWatch *watch,
++ unsigned int flags,
++ void *data)
++{
++ BusCynara *cynara = (BusCynara *)data;
++ int result = cynara_async_process(cynara->cynara);
++ if (result != CYNARA_API_SUCCESS)
++ _dbus_verbose("cynara_async_process returned %d\n", result);
++
++ return result != CYNARA_API_OUT_OF_MEMORY ? TRUE : FALSE;
++}
++
++static inline const char *
++call_cause_to_string(cynara_async_call_cause cause)
++{
++ switch (cause)
++ {
++ case CYNARA_CALL_CAUSE_ANSWER:
++ return "ANSWER";
++ case CYNARA_CALL_CAUSE_CANCEL:
++ return "CANCEL";
++ case CYNARA_CALL_CAUSE_FINISH:
++ return "FINSIH";
++ case CYNARA_CALL_CAUSE_SERVICE_NOT_AVAILABLE:
++ return "SERVICE NOT AVAILABLE";
++ default:
++ return "INVALID";
++ }
++}
++
++static void
++bus_cynara_check_response_callback (cynara_check_id check_id,
++ cynara_async_call_cause cause,
++ int response,
++ void *user_response_data)
++{
++ BusDeferredMessage *deferred_message = user_response_data;
++ BusResult result;
++
++ _dbus_verbose("Cynara callback: check_id=%u, cause=%s response=%i response_data=%p\n",
++ (unsigned int)check_id, call_cause_to_string(cause), response, user_response_data);
++
++ if (deferred_message == NULL)
++ return;
++
++ if (cause == CYNARA_CALL_CAUSE_ANSWER && response == CYNARA_API_ACCESS_ALLOWED)
++ result = BUS_RESULT_TRUE;
++ else
++ result = BUS_RESULT_FALSE;
++
++ bus_deferred_message_response_received(deferred_message, result);
++ bus_deferred_message_unref(deferred_message);
++}
++
++#endif /* DBUS_ENABLE_CYNARA */
+diff --git a/bus/cynara.h b/bus/cynara.h
+new file mode 100644
+index 0000000..c4728bb
+--- /dev/null
++++ b/bus/cynara.h
+@@ -0,0 +1,37 @@
++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
++/* cynara.h Cynara runtime privilege checking
++ *
++ * Copyright (c) 2014 Samsung Electronics, Ltd.
++ *
++ * Licensed under the Academic Free License version 2.1
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ *
++ */
++
++#include "bus.h"
++#include "check.h"
++
++BusCynara *bus_cynara_new (BusCheck *check, DBusError *error);
++BusCynara *bus_cynara_ref (BusCynara *cynara);
++void bus_cynara_unref (BusCynara *cynara);
++BusResult bus_cynara_check_privilege (BusCynara *cynara,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ const char *privilege,
++ BusDeferredMessageStatus check_type,
++ BusDeferredMessage **deferred_message);
+diff --git a/bus/dispatch.c b/bus/dispatch.c
+index 7a61953..ce4076d 100644
+--- a/bus/dispatch.c
++++ b/bus/dispatch.c
+@@ -25,6 +25,7 @@
+
+ #include <config.h>
+ #include "dispatch.h"
++#include "check.h"
+ #include "connection.h"
+ #include "driver.h"
+ #include "services.h"
+@@ -56,13 +57,14 @@ send_one_message (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusError *error)
+ {
+- if (!bus_context_check_security_policy (context, transaction,
+- sender,
+- addressed_recipient,
+- connection,
+- message,
+- NULL))
+- return TRUE; /* silently don't send it */
++ BusDeferredMessage *deferred_message;
++ BusResult result;
++
++ result = bus_context_check_security_policy (context, transaction, sender, addressed_recipient,
++ connection, message, NULL, &deferred_message);
++
++ if (result != BUS_RESULT_TRUE)
++ return TRUE; /* silently don't send it */
+
+ if (dbus_message_contains_unix_fds(message) &&
+ !dbus_connection_can_send_type(connection, DBUS_TYPE_UNIX_FD))
+@@ -92,6 +94,7 @@ bus_dispatch_matches (BusTransaction *transaction,
+ BusMatchmaker *matchmaker;
+ DBusList *link;
+ BusContext *context;
++ BusDeferredMessage *deferred_message;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
+@@ -107,11 +110,21 @@ bus_dispatch_matches (BusTransaction *transaction,
+ /* First, send the message to the addressed_recipient, if there is one. */
+ if (addressed_recipient != NULL)
+ {
+- if (!bus_context_check_security_policy (context, transaction,
+- sender, addressed_recipient,
+- addressed_recipient,
+- message, error))
++ BusResult res;
++ res = bus_context_check_security_policy (context, transaction,
++ sender, addressed_recipient,
++ addressed_recipient,
++ message, error,
++ &deferred_message);
++ if (res == BUS_RESULT_FALSE)
+ return FALSE;
++ else if (res == BUS_RESULT_LATER)
++ {
++ dbus_set_error (error,
++ DBUS_ERROR_ACCESS_DENIED,
++ "Rejecting message because time is needed to check security policy");
++ return FALSE;
++ }
+
+ if (dbus_message_contains_unix_fds (message) &&
+ !dbus_connection_can_send_type (addressed_recipient,
+@@ -273,12 +286,24 @@ bus_dispatch (DBusConnection *connection,
+ if (service_name &&
+ strcmp (service_name, DBUS_SERVICE_DBUS) == 0) /* to bus driver */
+ {
+- if (!bus_context_check_security_policy (context, transaction,
+- connection, NULL, NULL, message, &error))
++ BusDeferredMessage *deferred_message;
++ BusResult res;
++ res = bus_context_check_security_policy (context, transaction,
++ connection, NULL, NULL, message, &error,
++ &deferred_message);
++ if (res == BUS_RESULT_FALSE)
+ {
+ _dbus_verbose ("Security policy rejected message\n");
+ goto out;
+ }
++ else if (res == BUS_RESULT_LATER)
++ {
++ dbus_set_error (&error,
++ DBUS_ERROR_ACCESS_DENIED,
++ "Rejecting message because time is needed to check security policy");
++ _dbus_verbose ("Security policy needs time to check policy. Dropping message\n");
++ goto out;
++ }
+
+ _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS);
+ if (!bus_driver_handle_message (connection, transaction, message, &error))
+diff --git a/bus/policy.c b/bus/policy.c
+index 082f385..ec888df 100644
+--- a/bus/policy.c
++++ b/bus/policy.c
+@@ -22,6 +22,7 @@
+ */
+
+ #include <config.h>
++#include "check.h"
+ #include "policy.h"
+ #include "services.h"
+ #include "test.h"
+@@ -32,7 +33,7 @@
+
+ BusPolicyRule*
+ bus_policy_rule_new (BusPolicyRuleType type,
+- dbus_bool_t allow)
++ BusPolicyRuleAccess access)
+ {
+ BusPolicyRule *rule;
+
+@@ -42,7 +43,7 @@ bus_policy_rule_new (BusPolicyRuleType type,
+
+ rule->type = type;
+ rule->refcount = 1;
+- rule->allow = allow;
++ rule->access = access;
+
+ switch (rule->type)
+ {
+@@ -54,18 +55,19 @@ bus_policy_rule_new (BusPolicyRuleType type,
+ break;
+ case BUS_POLICY_RULE_SEND:
+ rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
+-
+ /* allow rules default to TRUE (only requested replies allowed)
++ * check rules default to TRUE (only requested replies are checked)
+ * deny rules default to FALSE (only unrequested replies denied)
+ */
+- rule->d.send.requested_reply = rule->allow;
++ rule->d.send.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
+ break;
+ case BUS_POLICY_RULE_RECEIVE:
+ rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID;
+ /* allow rules default to TRUE (only requested replies allowed)
++ * check rules default to TRUE (only requested replies are checked)
+ * deny rules default to FALSE (only unrequested replies denied)
+ */
+- rule->d.receive.requested_reply = rule->allow;
++ rule->d.receive.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
+ break;
+ case BUS_POLICY_RULE_OWN:
+ break;
+@@ -117,7 +119,8 @@ bus_policy_rule_unref (BusPolicyRule *rule)
+ case BUS_POLICY_RULE_GROUP:
+ break;
+ }
+-
++
++ dbus_free (rule->privilege);
+ dbus_free (rule);
+ }
+ }
+@@ -427,7 +430,10 @@ list_allows_user (dbus_bool_t def,
+ else
+ continue;
+
+- allowed = rule->allow;
++ /* We don't intend to support <check user="..." /> and <check group="..." />
++ rules. They are treated like deny.
++ */
++ allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
+ }
+
+ return allowed;
+@@ -862,18 +868,23 @@ bus_client_policy_append_rule (BusClientPolicy *policy,
+ return TRUE;
+ }
+
+-dbus_bool_t
+-bus_client_policy_check_can_send (BusClientPolicy *policy,
+- BusRegistry *registry,
+- dbus_bool_t requested_reply,
+- DBusConnection *receiver,
+- DBusMessage *message,
+- dbus_int32_t *toggles,
+- dbus_bool_t *log)
++BusResult
++bus_client_policy_check_can_send (DBusConnection *sender,
++ BusClientPolicy *policy,
++ BusRegistry *registry,
++ dbus_bool_t requested_reply,
++ DBusConnection *addressed_recipient,
++ DBusConnection *receiver,
++ DBusMessage *message,
++ dbus_int32_t *toggles,
++ dbus_bool_t *log,
++ const char **privilege_param,
++ BusDeferredMessage **deferred_message)
+ {
+ DBusList *link;
+- dbus_bool_t allowed;
+-
++ BusResult result;
++ const char *privilege;
++
+ /* policy->rules is in the order the rules appeared
+ * in the config file, i.e. last rule that applies wins
+ */
+@@ -881,7 +892,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+ _dbus_verbose (" (policy) checking send rules\n");
+ *toggles = 0;
+
+- allowed = FALSE;
++ result = BUS_RESULT_FALSE;
+ link = _dbus_list_get_first_link (&policy->rules);
+ while (link != NULL)
+ {
+@@ -912,13 +923,14 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+ /* If it's a reply, the requested_reply flag kicks in */
+ if (dbus_message_get_reply_serial (message) != 0)
+ {
+- /* for allow, requested_reply=true means the rule applies
+- * only when reply was requested. requested_reply=false means
+- * always allow.
++ /* for allow or check requested_reply=true means the rule applies
++ * only when reply was requested. requested_reply=false means the
++ * rule always applies
+ */
+- if (!requested_reply && rule->allow && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
++ if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
+ {
+- _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n");
++ _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
++ rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
+ continue;
+ }
+
+@@ -926,7 +938,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+ * when the reply was not requested. requested_reply=true means the
+ * rule always applies.
+ */
+- if (requested_reply && !rule->allow && !rule->d.send.requested_reply)
++ if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.send.requested_reply)
+ {
+ _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
+ continue;
+@@ -949,13 +961,15 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+ /* The interface is optional in messages. For allow rules, if the message
+ * has no interface we want to skip the rule (and thus not allow);
+ * for deny rules, if the message has no interface we want to use the
+- * rule (and thus deny).
++ * rule (and thus deny). Check rules are meant to be used like allow
++ * rules (they can grant access, but not remove it), so we treat it like
++ * allow here.
+ */
+ dbus_bool_t no_interface;
+
+ no_interface = dbus_message_get_interface (message) == NULL;
+
+- if ((no_interface && rule->allow) ||
++ if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
+ (!no_interface &&
+ strcmp (dbus_message_get_interface (message),
+ rule->d.send.interface) != 0))
+@@ -1029,33 +1043,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+ }
+
+ /* Use this rule */
+- allowed = rule->allow;
++ switch (rule->access)
++ {
++ case BUS_POLICY_RULE_ACCESS_ALLOW:
++ result = BUS_RESULT_TRUE;
++ break;
++ case BUS_POLICY_RULE_ACCESS_DENY:
++ result = BUS_RESULT_FALSE;
++ break;
++ case BUS_POLICY_RULE_ACCESS_CHECK:
++ result = BUS_RESULT_LATER;
++ privilege = rule->privilege;
++ break;
++ }
++
+ *log = rule->d.send.log;
+ (*toggles)++;
+
+- _dbus_verbose (" (policy) used rule, allow now = %d\n",
+- allowed);
++ _dbus_verbose (" (policy) used rule, result now = %d\n",
++ result);
+ }
+
+- return allowed;
++ if (result == BUS_RESULT_LATER)
++ {
++ BusContext *context = bus_connection_get_context(sender);
++ BusCheck *check = bus_context_get_check(context);
++
++ result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
++ privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
++ }
++ else
++ privilege = NULL;
++
++ if (privilege_param != NULL)
++ *privilege_param = privilege;
++
++ return result;
+ }
+
+ /* See docs on what the args mean on bus_context_check_security_policy()
+ * comment
+ */
+-dbus_bool_t
+-bus_client_policy_check_can_receive (BusClientPolicy *policy,
+- BusRegistry *registry,
+- dbus_bool_t requested_reply,
+- DBusConnection *sender,
+- DBusConnection *addressed_recipient,
+- DBusConnection *proposed_recipient,
+- DBusMessage *message,
+- dbus_int32_t *toggles)
++BusResult
++bus_client_policy_check_can_receive (BusClientPolicy *policy,
++ BusRegistry *registry,
++ dbus_bool_t requested_reply,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ DBusMessage *message,
++ dbus_int32_t *toggles,
++ const char **privilege_param,
++ BusDeferredMessage **deferred_message)
+ {
+ DBusList *link;
+- dbus_bool_t allowed;
+ dbus_bool_t eavesdropping;
++ BusResult result;
++ const char *privilege;
+
+ eavesdropping =
+ addressed_recipient != proposed_recipient &&
+@@ -1068,7 +1112,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+ _dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
+ *toggles = 0;
+
+- allowed = FALSE;
++ result = BUS_RESULT_FALSE;
+ link = _dbus_list_get_first_link (&policy->rules);
+ while (link != NULL)
+ {
+@@ -1091,19 +1135,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+ }
+ }
+
+- /* for allow, eavesdrop=false means the rule doesn't apply when
+- * eavesdropping. eavesdrop=true means always allow.
++
++ /* for allow or check, eavesdrop=false means the rule doesn't apply when
++ * eavesdropping. eavesdrop=true means the rule always applies
+ */
+- if (eavesdropping && rule->allow && !rule->d.receive.eavesdrop)
++ if (eavesdropping && rule->access != BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.eavesdrop)
+ {
+- _dbus_verbose (" (policy) skipping allow rule since it doesn't apply to eavesdropping\n");
++ _dbus_verbose (" (policy) skipping %s rule since it doesn't apply to eavesdropping\n",
++ rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
+ continue;
+ }
+
+ /* for deny, eavesdrop=true means the rule applies only when
+ * eavesdropping; eavesdrop=false means always deny.
+ */
+- if (!eavesdropping && !rule->allow && rule->d.receive.eavesdrop)
++ if (!eavesdropping && rule->access == BUS_POLICY_RULE_ACCESS_DENY && rule->d.receive.eavesdrop)
+ {
+ _dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
+ continue;
+@@ -1112,13 +1158,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+ /* If it's a reply, the requested_reply flag kicks in */
+ if (dbus_message_get_reply_serial (message) != 0)
+ {
+- /* for allow, requested_reply=true means the rule applies
+- * only when reply was requested. requested_reply=false means
+- * always allow.
++ /* for allow or check requested_reply=true means the rule applies
++ * only when reply was requested. requested_reply=false means the
++ * rule always applies
+ */
+- if (!requested_reply && rule->allow && rule->d.receive.requested_reply && !rule->d.receive.eavesdrop)
++ if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
+ {
+- _dbus_verbose (" (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n");
++ _dbus_verbose (" (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
++ rule->access == BUS_POLICY_RULE_ACCESS_DENY ? "allow" : "deny");
+ continue;
+ }
+
+@@ -1126,7 +1173,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+ * when the reply was not requested. requested_reply=true means the
+ * rule always applies.
+ */
+- if (requested_reply && !rule->allow && !rule->d.receive.requested_reply)
++ if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.requested_reply)
+ {
+ _dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
+ continue;
+@@ -1149,13 +1196,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+ /* The interface is optional in messages. For allow rules, if the message
+ * has no interface we want to skip the rule (and thus not allow);
+ * for deny rules, if the message has no interface we want to use the
+- * rule (and thus deny).
++ * rule (and thus deny). Check rules are treated like allow rules.
+ */
+ dbus_bool_t no_interface;
+
+ no_interface = dbus_message_get_interface (message) == NULL;
+
+- if ((no_interface && rule->allow) ||
++ if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
+ (!no_interface &&
+ strcmp (dbus_message_get_interface (message),
+ rule->d.receive.interface) != 0))
+@@ -1230,14 +1277,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+ }
+
+ /* Use this rule */
+- allowed = rule->allow;
++ switch (rule->access)
++ {
++ case BUS_POLICY_RULE_ACCESS_ALLOW:
++ result = BUS_RESULT_TRUE;
++ break;
++ case BUS_POLICY_RULE_ACCESS_DENY:
++ result = BUS_RESULT_FALSE;
++ break;
++ case BUS_POLICY_RULE_ACCESS_CHECK:
++ result = BUS_RESULT_LATER;
++ privilege = rule->privilege;
++ break;
++ }
++
+ (*toggles)++;
+
+- _dbus_verbose (" (policy) used rule, allow now = %d\n",
+- allowed);
++ _dbus_verbose (" (policy) used rule, result now = %d\n",
++ result);
+ }
+
+- return allowed;
++
++ if (result == BUS_RESULT_LATER)
++ {
++ BusContext *context = bus_connection_get_context(proposed_recipient);
++ BusCheck *check = bus_context_get_check(context);
++
++ result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
++ privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
++ }
++ else
++ privilege = NULL;
++
++ if (privilege_param != NULL)
++ *privilege_param = privilege;
++
++ return result;
+ }
+
+
+@@ -1289,7 +1364,7 @@ bus_rules_check_can_own (DBusList *rules,
+ }
+
+ /* Use this rule */
+- allowed = rule->allow;
++ allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
+ }
+
+ return allowed;
+diff --git a/bus/policy.h b/bus/policy.h
+index d1d3e72..e9f193a 100644
+--- a/bus/policy.h
++++ b/bus/policy.h
+@@ -39,6 +39,14 @@ typedef enum
+ BUS_POLICY_RULE_GROUP
+ } BusPolicyRuleType;
+
++typedef enum
++{
++ BUS_POLICY_RULE_ACCESS_DENY,
++ BUS_POLICY_RULE_ACCESS_ALLOW,
++ /** runtime check resulting in allow or deny */
++ BUS_POLICY_RULE_ACCESS_CHECK
++} BusPolicyRuleAccess;
++
+ /** determines whether the rule affects a connection, or some global item */
+ #define BUS_POLICY_RULE_IS_PER_CLIENT(rule) (!((rule)->type == BUS_POLICY_RULE_USER || \
+ (rule)->type == BUS_POLICY_RULE_GROUP))
+@@ -49,8 +57,9 @@ struct BusPolicyRule
+
+ BusPolicyRuleType type;
+
+- unsigned int allow : 1; /**< #TRUE if this allows, #FALSE if it denies */
+-
++ unsigned int access : 2; /**< BusPolicyRuleAccess */
++ char *privilege; /**< for BUS_POLICY_RULE_ACCESS_CHECK */
++
+ union
+ {
+ struct
+@@ -106,7 +115,7 @@ struct BusPolicyRule
+ };
+
+ BusPolicyRule* bus_policy_rule_new (BusPolicyRuleType type,
+- dbus_bool_t allow);
++ BusPolicyRuleAccess access);
+ BusPolicyRule* bus_policy_rule_ref (BusPolicyRule *rule);
+ void bus_policy_rule_unref (BusPolicyRule *rule);
+
+@@ -140,21 +149,27 @@ dbus_bool_t bus_policy_merge (BusPolicy *policy,
+ BusClientPolicy* bus_client_policy_new (void);
+ BusClientPolicy* bus_client_policy_ref (BusClientPolicy *policy);
+ void bus_client_policy_unref (BusClientPolicy *policy);
+-dbus_bool_t bus_client_policy_check_can_send (BusClientPolicy *policy,
+- BusRegistry *registry,
+- dbus_bool_t requested_reply,
+- DBusConnection *receiver,
+- DBusMessage *message,
+- dbus_int32_t *toggles,
+- dbus_bool_t *log);
+-dbus_bool_t bus_client_policy_check_can_receive (BusClientPolicy *policy,
+- BusRegistry *registry,
+- dbus_bool_t requested_reply,
+- DBusConnection *sender,
+- DBusConnection *addressed_recipient,
+- DBusConnection *proposed_recipient,
+- DBusMessage *message,
+- dbus_int32_t *toggles);
++BusResult bus_client_policy_check_can_send (DBusConnection *sender,
++ BusClientPolicy *policy,
++ BusRegistry *registry,
++ dbus_bool_t requested_reply,
++ DBusConnection *addressed_recipient,
++ DBusConnection *receiver,
++ DBusMessage *message,
++ dbus_int32_t *toggles,
++ dbus_bool_t *log,
++ const char **privilege_param,
++ BusDeferredMessage **deferred_message);
++BusResult bus_client_policy_check_can_receive (BusClientPolicy *policy,
++ BusRegistry *registry,
++ dbus_bool_t requested_reply,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ DBusMessage *message,
++ dbus_int32_t *toggles,
++ const char **privilege_param,
++ BusDeferredMessage **deferred_message);
+ dbus_bool_t bus_client_policy_check_can_own (BusClientPolicy *policy,
+ const DBusString *service_name);
+ dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy,
+diff --git a/configure.ac b/configure.ac
+index eb803af..b131f30 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1748,6 +1748,18 @@ if test "x$enable_stats" = xyes; then
+ [Define to enable bus daemon usage statistics])
+ fi
+
++#enable cynara integration
++AC_ARG_ENABLE([cynara], [AS_HELP_STRING([--enable-cynara], [enable Cynara integration])], [], [enable_cynara=no])
++if test "x$enable_cynara" = xyes; then
++ PKG_CHECK_MODULES([CYNARA], [cynara-client-async >= 0.6.0 cynara-session >= 0.6.0],
++ [AC_DEFINE([DBUS_ENABLE_CYNARA], [1], [Define to enable Cynara privilege checks in dbus-daemon])],
++ [AC_MSG_ERROR([libcynara-client-async and cynara-session are required to enable Cynara integration])])
++fi
++
++AC_SUBST([CYNARA_CFLAGS])
++AC_SUBST([CYNARA_LIBS])
++
++
+ AC_CONFIG_FILES([
+ Doxyfile
+ dbus/versioninfo.rc
+@@ -1778,6 +1790,7 @@ dbus-1.pc
+ dbus-1-uninstalled.pc
+ test/data/valid-config-files/debug-allow-all.conf
+ test/data/valid-config-files/debug-allow-all-sha1.conf
++test/data/valid-config-files/debug-check-some.conf
+ test/data/valid-config-files/incoming-limit.conf
+ test/data/valid-config-files-system/debug-allow-all-pass.conf
+ test/data/valid-config-files-system/debug-allow-all-fail.conf
+diff --git a/test/Makefile.am b/test/Makefile.am
+index e0ed3c8..ab63edc 100644
+--- a/test/Makefile.am
++++ b/test/Makefile.am
+@@ -254,6 +254,7 @@ in_data = \
+ data/valid-config-files-system/debug-allow-all-pass.conf.in \
+ data/valid-config-files/debug-allow-all-sha1.conf.in \
+ data/valid-config-files/debug-allow-all.conf.in \
++ data/valid-config-files/debug-check-some.conf.in \
+ data/valid-config-files/incoming-limit.conf.in \
+ data/invalid-service-files-system/org.freedesktop.DBus.TestSuiteNoExec.service.in \
+ data/invalid-service-files-system/org.freedesktop.DBus.TestSuiteNoService.service.in \
+diff --git a/test/data/invalid-config-files/badcheck-1.conf b/test/data/invalid-config-files/badcheck-1.conf
+new file mode 100644
+index 0000000..fad9f50
+--- /dev/null
++++ b/test/data/invalid-config-files/badcheck-1.conf
+@@ -0,0 +1,9 @@
++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
++<busconfig>
++ <user>mybususer</user>
++ <listen>unix:path=/foo/bar</listen>
++ <policy context="default">
++ <allow privilege="foo" send_destination="*"/> <!-- extra privilege="foo" -->
++ </policy>
++</busconfig>
+diff --git a/test/data/invalid-config-files/badcheck-2.conf b/test/data/invalid-config-files/badcheck-2.conf
+new file mode 100644
+index 0000000..63c7ef2
+--- /dev/null
++++ b/test/data/invalid-config-files/badcheck-2.conf
+@@ -0,0 +1,9 @@
++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
++<busconfig>
++ <user>mybususer</user>
++ <listen>unix:path=/foo/bar</listen>
++ <policy context="default">
++ <check send_destination="*"/> <!-- missing privilege="foo" -->
++ </policy>
++</busconfig>
+diff --git a/test/data/valid-config-files/check-1.conf b/test/data/valid-config-files/check-1.conf
+new file mode 100644
+index 0000000..ad71473
+--- /dev/null
++++ b/test/data/valid-config-files/check-1.conf
+@@ -0,0 +1,9 @@
++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
++<busconfig>
++ <user>mybususer</user>
++ <listen>unix:path=/foo/bar</listen>
++ <policy context="default">
++ <check privilege="foo" send_destination="*"/>
++ </policy>
++</busconfig>
+diff --git a/test/data/valid-config-files/debug-check-some.conf.in b/test/data/valid-config-files/debug-check-some.conf.in
+new file mode 100644
+index 0000000..47ee854
+--- /dev/null
++++ b/test/data/valid-config-files/debug-check-some.conf.in
+@@ -0,0 +1,18 @@
++<!-- Bus that listens on a debug pipe and doesn't create any restrictions -->
++
++<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
++ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
++<busconfig>
++ <listen>debug-pipe:name=test-server</listen>
++ <listen>@TEST_LISTEN@</listen>
++ <servicedir>@DBUS_TEST_DATA@/valid-service-files</servicedir>
++ <policy context="default">
++ <allow send_interface="*"/>
++ <allow receive_interface="*"/>
++ <allow own="*"/>
++ <allow user="*"/>
++
++ <deny send_interface="org.freedesktop.TestSuite" send_member="Echo"/>
++ <check privilege="foo" send_interface="org.freedesktop.TestSuite" send_member="Echo"/>
++ </policy>
++</busconfig>
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0005-Disable-message-dispatching-when-send-rule-result-is.patch b/meta-security/recipes-core/dbus/dbus-cynara/0005-Disable-message-dispatching-when-send-rule-result-is.patch
new file mode 100644
index 000000000..ca787149e
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0005-Disable-message-dispatching-when-send-rule-result-is.patch
@@ -0,0 +1,941 @@
+From b1b87ad9f20b2052c28431b48e81073078a745ce Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Fri, 28 Nov 2014 12:07:39 +0100
+Subject: [PATCH 5/8] Disable message dispatching when send rule result is not
+ known
+
+When unicast message is sent to addressed recipient and policy result
+is not available message dispatch from the sender is disabled.
+This also means that any further messages from the given connection are
+put into the incoming queue without being processed. If response is received
+message dispatching is resumed. This time answer is attached to the message
+which is now processed synchronously.
+Receive rule result unavailability is not yet handled - such messages are
+rejected. Also, if message is sent to non-addressed recipient and policy result
+is unknown, message is silently dropped.
+
+Change-Id: I57eccbf973525fd51369c7d4e58908292f44da80
+---
+ bus/activation.c | 79 +++++++++++++++--
+ bus/check.c | 109 ++++++++++++++++++++++--
+ bus/check.h | 10 +++
+ bus/cynara.c | 1 -
+ bus/dispatch.c | 183 ++++++++++++++++++++++++++++++++++++----
+ bus/dispatch.h | 2 +-
+ bus/driver.c | 13 ++-
+ dbus/dbus-connection-internal.h | 9 ++
+ dbus/dbus-connection.c | 125 +++++++++++++++++++++++++--
+ dbus/dbus-list.c | 29 +++++++
+ dbus/dbus-list.h | 2 +
+ dbus/dbus-shared.h | 3 +-
+ 12 files changed, 522 insertions(+), 43 deletions(-)
+
+diff --git a/bus/activation.c b/bus/activation.c
+index ecd19bb..8c43941 100644
+--- a/bus/activation.c
++++ b/bus/activation.c
+@@ -31,6 +31,7 @@
+ #include "services.h"
+ #include "test.h"
+ #include "utils.h"
++#include <dbus/dbus-connection-internal.h>
+ #include <dbus/dbus-internals.h>
+ #include <dbus/dbus-hash.h>
+ #include <dbus/dbus-list.h>
+@@ -91,6 +92,8 @@ struct BusPendingActivationEntry
+ DBusConnection *connection;
+
+ dbus_bool_t auto_activation;
++
++ dbus_bool_t is_put_back;
+ };
+
+ typedef struct
+@@ -1180,20 +1183,23 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+ BusPendingActivationEntry *entry = link->data;
+ DBusList *next = _dbus_list_get_next_link (&pending_activation->entries, link);
+
+- if (entry->auto_activation && (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection)))
++ if (entry->auto_activation && !entry->is_put_back &&
++ (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection)))
+ {
+ DBusConnection *addressed_recipient;
+ DBusError error;
++ BusResult res;
+
+ dbus_error_init (&error);
+
+ addressed_recipient = bus_service_get_primary_owners_connection (service);
+
+ /* Resume dispatching where we left off in bus_dispatch() */
+- if (!bus_dispatch_matches (transaction,
+- entry->connection,
+- addressed_recipient,
+- entry->activation_message, &error))
++ res = bus_dispatch_matches (transaction,
++ entry->connection,
++ addressed_recipient,
++ entry->activation_message, &error);
++ if (res == BUS_RESULT_FALSE)
+ {
+ /* If permission is denied, we just want to return the error
+ * to the original method invoker; in particular, we don't
+@@ -1205,9 +1211,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+ bus_connection_send_oom_error (entry->connection,
+ entry->activation_message);
+ }
++ }
++ else if (res == BUS_RESULT_LATER)
++ {
++ DBusList *putback_message_link = link;
++ DBusMessage *last_inserted_message = NULL;
++
++ /* NULL entry->connection implies sending pending ActivationRequest message to systemd */
++ if (entry->connection == NULL)
++ {
++ _dbus_assert_not_reached ("bus_dispatch_matches returned BUS_RESULT_LATER unexpectedly when sender is NULL");
++ link = next;
++ continue;
++ }
+
+- link = next;
+- continue;
++ /**
++ * Getting here means that policy check result is not yet available and dispatching
++ * messages from entry->connection has been disabled.
++ * Let's put back all messages for the given connection in the incoming queue and mark
++ * this entry as put back so they are not handled twice.
++ */
++ while (putback_message_link != NULL)
++ {
++ BusPendingActivationEntry *putback_message = putback_message_link->data;
++ if (putback_message->connection == entry->connection)
++ {
++ if (!_dbus_connection_putback_message (putback_message->connection, last_inserted_message,
++ putback_message->activation_message, &error))
++ goto error;
++ last_inserted_message = putback_message->activation_message;
++ putback_message->is_put_back = TRUE;
++ }
++
++ putback_message_link = _dbus_list_get_next_link(&pending_activation->entries, putback_message_link);
++ }
+ }
+ }
+
+@@ -1225,6 +1262,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+ return TRUE;
+
+ error:
++ /* remove all messages that have been put to connections' incoming queues */
++ link = _dbus_list_get_first_link (&pending_activation->entries);
++ while (link != NULL)
++ {
++ BusPendingActivationEntry *entry = link->data;
++ if (entry->is_put_back)
++ {
++ _dbus_connection_remove_message(entry->connection, entry->activation_message);
++ entry->is_put_back = FALSE;
++ }
++ link = _dbus_list_get_next_link(&pending_activation->entries, link);
++ }
++
+ return FALSE;
+ }
+
+@@ -2009,13 +2059,24 @@ bus_activation_activate_service (BusActivation *activation,
+
+ if (service != NULL)
+ {
++ BusResult res;
+ bus_context_log (activation->context,
+ DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s'",
+ service_name,
+ entry->systemd_service);
+ /* Wonderful, systemd is connected, let's just send the msg */
+- retval = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service),
+- message, error);
++ res = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service),
++ message, error);
++
++ if (res == BUS_RESULT_TRUE)
++ retval = TRUE;
++ else if (res == BUS_RESULT_FALSE)
++ retval = FALSE;
++ else if (res == BUS_RESULT_LATER)
++ {
++ _dbus_verbose("Unexpectedly need time to check message from bus driver to systemd - dropping the message.\n");
++ retval = FALSE;
++ }
+ }
+ else
+ {
+diff --git a/bus/check.c b/bus/check.c
+index d2f418a..cd6a74b 100644
+--- a/bus/check.c
++++ b/bus/check.c
+@@ -55,6 +55,8 @@ typedef struct BusDeferredMessage
+ BusCheckResponseFunc response_callback;
+ } BusDeferredMessage;
+
++static dbus_int32_t deferred_message_data_slot = -1;
++
+ BusCheck *
+ bus_check_new (BusContext *context, DBusError *error)
+ {
+@@ -67,11 +69,19 @@ bus_check_new (BusContext *context, DBusError *error)
+ return NULL;
+ }
+
++ if (!dbus_message_allocate_data_slot(&deferred_message_data_slot))
++ {
++ dbus_free(check);
++ BUS_SET_OOM(error);
++ return NULL;
++ }
++
+ check->refcount = 1;
+ check->context = context;
+ check->cynara = bus_cynara_new(check, error);
+ if (dbus_error_is_set(error))
+ {
++ dbus_message_free_data_slot(&deferred_message_data_slot);
+ dbus_free(check);
+ return NULL;
+ }
+@@ -98,6 +108,7 @@ bus_check_unref (BusCheck *check)
+ if (check->refcount == 0)
+ {
+ bus_cynara_unref(check->cynara);
++ dbus_message_free_data_slot(&deferred_message_data_slot);
+ dbus_free(check);
+ }
+ }
+@@ -114,6 +125,45 @@ bus_check_get_cynara (BusCheck *check)
+ return check->cynara;
+ }
+
++static void
++bus_check_enable_dispatch_callback (BusDeferredMessage *deferred_message,
++ BusResult result)
++{
++ _dbus_verbose("bus_check_enable_dispatch_callback called deferred_message=%p\n", deferred_message);
++
++ deferred_message->response = result;
++ _dbus_connection_enable_dispatch(deferred_message->sender);
++}
++
++static void
++deferred_message_free_function(void *data)
++{
++ BusDeferredMessage *deferred_message = (BusDeferredMessage *)data;
++ bus_deferred_message_unref(deferred_message);
++}
++
++void
++bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message)
++{
++ _dbus_assert(deferred_message != NULL);
++ _dbus_assert(deferred_message->sender != NULL);
++
++ if (dbus_message_get_data(deferred_message->message, deferred_message_data_slot) == NULL)
++ {
++ if (dbus_message_set_data(deferred_message->message, deferred_message_data_slot, deferred_message,
++ deferred_message_free_function))
++ bus_deferred_message_ref(deferred_message);
++ }
++
++ _dbus_connection_disable_dispatch(deferred_message->sender);
++ deferred_message->response_callback = bus_check_enable_dispatch_callback;
++}
++
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++dbus_bool_t (*bus_check_test_override) (DBusConnection *connection,
++ const char *privilege);
++#endif
++
+ BusResult
+ bus_check_privilege (BusCheck *check,
+ DBusMessage *message,
+@@ -124,6 +174,7 @@ bus_check_privilege (BusCheck *check,
+ BusDeferredMessageStatus check_type,
+ BusDeferredMessage **deferred_message)
+ {
++ BusDeferredMessage *previous_deferred_message;
+ BusResult result = BUS_RESULT_FALSE;
+ BusCynara *cynara;
+ DBusConnection *connection;
+@@ -135,16 +186,54 @@ bus_check_privilege (BusCheck *check,
+ return BUS_RESULT_FALSE;
+ }
+
+- /* ask policy checkers */
+-#ifdef DBUS_ENABLE_CYNARA
+- cynara = bus_check_get_cynara(check);
+- result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
+- proposed_recipient, privilege, check_type, deferred_message);
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++ if (bus_check_test_override)
++ return bus_check_test_override (connection, privilege);
+ #endif
+
+- if (result == BUS_RESULT_LATER && deferred_message != NULL)
++ previous_deferred_message = dbus_message_get_data(message, deferred_message_data_slot);
++ /* check if message blocked at sender's queue is being processed */
++ if (previous_deferred_message != NULL)
++ {
++ if ((check_type & BUS_DEFERRED_MESSAGE_CHECK_SEND) &&
++ !(previous_deferred_message->status & BUS_DEFERRED_MESSAGE_CHECK_SEND))
++ {
++ /**
++ * Message has been deferred due to receive or own rule which means that sending this message
++ * is allowed - it must have been checked previously.
++ * This might happen when client calls RequestName method which depending on security
++ * policy might result in both "can_send" and "can_own" Cynara checks.
++ */
++ result = BUS_RESULT_TRUE;
++ }
++ else
++ {
++ result = previous_deferred_message->response;
++ if (result == BUS_RESULT_LATER)
++ {
++ /* result is still not known - reuse deferred message object */
++ if (deferred_message != NULL)
++ *deferred_message = previous_deferred_message;
++ }
++ else
++ {
++ /* result is available - we can remove deferred message from the processed message */
++ dbus_message_set_data(message, deferred_message_data_slot, NULL, NULL);
++ }
++ }
++ }
++ else
+ {
+- (*deferred_message)->status |= check_type;
++ /* ask policy checkers */
++#ifdef DBUS_ENABLE_CYNARA
++ cynara = bus_check_get_cynara(check);
++ result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
++ proposed_recipient, privilege, check_type, deferred_message);
++#endif
++ if (result == BUS_RESULT_LATER && deferred_message != NULL)
++ {
++ (*deferred_message)->status |= check_type;
++ }
+ }
+ return result;
+ }
+@@ -204,6 +293,12 @@ bus_deferred_message_unref (BusDeferredMessage *deferred_message)
+ }
+ }
+
++BusDeferredMessageStatus
++bus_deferred_message_get_status (BusDeferredMessage *deferred_message)
++{
++ return deferred_message->status;
++}
++
+ void
+ bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
+ BusResult result)
+diff --git a/bus/check.h b/bus/check.h
+index c3fcaf9..f381789 100644
+--- a/bus/check.h
++++ b/bus/check.h
+@@ -55,6 +55,7 @@ BusResult bus_check_privilege (BusCheck *check,
+ BusDeferredMessageStatus check_type,
+ BusDeferredMessage **deferred_message);
+
++
+ BusDeferredMessage *bus_deferred_message_new (DBusMessage *message,
+ DBusConnection *sender,
+ DBusConnection *addressed_recipient,
+@@ -65,4 +66,13 @@ BusDeferredMessage *bus_deferred_message_ref (BusDeferredMessage
+ void bus_deferred_message_unref (BusDeferredMessage *deferred_message);
+ void bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
+ BusResult result);
++void bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message);
++
++BusDeferredMessageStatus bus_deferred_message_get_status (BusDeferredMessage *deferred_message);
++
++#ifdef DBUS_ENABLE_EMBEDDED_TESTS
++extern dbus_bool_t (*bus_check_test_override) (DBusConnection *connection,
++ const char *privilege);
++#endif
++
+ #endif /* BUS_CHECK_H */
+diff --git a/bus/cynara.c b/bus/cynara.c
+index 57a4c45..77aed62 100644
+--- a/bus/cynara.c
++++ b/bus/cynara.c
+@@ -36,7 +36,6 @@
+ #include <cynara-client-async.h>
+ #endif
+
+-
+ #ifdef DBUS_ENABLE_CYNARA
+ typedef struct BusCynara
+ {
+diff --git a/bus/dispatch.c b/bus/dispatch.c
+index ce4076d..6b0eadc 100644
+--- a/bus/dispatch.c
++++ b/bus/dispatch.c
+@@ -81,7 +81,7 @@ send_one_message (DBusConnection *connection,
+ return TRUE;
+ }
+
+-dbus_bool_t
++BusResult
+ bus_dispatch_matches (BusTransaction *transaction,
+ DBusConnection *sender,
+ DBusConnection *addressed_recipient,
+@@ -117,13 +117,29 @@ bus_dispatch_matches (BusTransaction *transaction,
+ message, error,
+ &deferred_message);
+ if (res == BUS_RESULT_FALSE)
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ else if (res == BUS_RESULT_LATER)
+ {
+- dbus_set_error (error,
+- DBUS_ERROR_ACCESS_DENIED,
+- "Rejecting message because time is needed to check security policy");
+- return FALSE;
++ BusDeferredMessageStatus status;
++ status = bus_deferred_message_get_status(deferred_message);
++
++ if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND)
++ {
++ /* send rule result not available - disable dispatching messages from the sender */
++ bus_deferred_message_disable_sender(deferred_message);
++ return BUS_RESULT_LATER;
++ }
++ else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE)
++ {
++ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
++ "Rejecting message because time is needed to check security policy");
++ return BUS_RESULT_FALSE;
++ }
++ else
++ {
++ _dbus_verbose("deferred message has no status field set to send or receive unexpectedly\n");
++ return BUS_RESULT_FALSE;
++ }
+ }
+
+ if (dbus_message_contains_unix_fds (message) &&
+@@ -134,14 +150,14 @@ bus_dispatch_matches (BusTransaction *transaction,
+ DBUS_ERROR_NOT_SUPPORTED,
+ "Tried to send message with Unix file descriptors"
+ "to a client that doesn't support that.");
+- return FALSE;
+- }
++ return BUS_RESULT_FALSE;
++ }
+
+ /* Dispatch the message */
+ if (!bus_transaction_send (transaction, addressed_recipient, message))
+ {
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ }
+
+@@ -156,7 +172,7 @@ bus_dispatch_matches (BusTransaction *transaction,
+ &recipients))
+ {
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ link = _dbus_list_get_first_link (&recipients);
+@@ -178,10 +194,10 @@ bus_dispatch_matches (BusTransaction *transaction,
+ if (dbus_error_is_set (&tmp_error))
+ {
+ dbus_move_error (&tmp_error, error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ else
+- return TRUE;
++ return BUS_RESULT_TRUE;
+ }
+
+ static DBusHandlerResult
+@@ -298,10 +314,12 @@ bus_dispatch (DBusConnection *connection,
+ }
+ else if (res == BUS_RESULT_LATER)
+ {
+- dbus_set_error (&error,
+- DBUS_ERROR_ACCESS_DENIED,
+- "Rejecting message because time is needed to check security policy");
+- _dbus_verbose ("Security policy needs time to check policy. Dropping message\n");
++ /* Disable dispatching messages from the sender,
++ * roll back and dispatch the message once the policy result is available */
++ bus_deferred_message_disable_sender(deferred_message);
++ bus_transaction_cancel_and_free (transaction);
++ transaction = NULL;
++ result = DBUS_HANDLER_RESULT_LATER;
+ goto out;
+ }
+
+@@ -366,8 +384,14 @@ bus_dispatch (DBusConnection *connection,
+ * addressed_recipient == NULL), and match it against other connections'
+ * match rules.
+ */
+- if (!bus_dispatch_matches (transaction, connection, addressed_recipient, message, &error))
+- goto out;
++ if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient,
++ message, &error))
++ {
++ /* Roll back and dispatch the message once the policy result is available */
++ bus_transaction_cancel_and_free (transaction);
++ transaction = NULL;
++ result = DBUS_HANDLER_RESULT_LATER;
++ }
+
+ out:
+ if (dbus_error_is_set (&error))
+@@ -4714,9 +4738,132 @@ bus_dispatch_test_conf_fail (const DBusString *test_data_dir,
+ return TRUE;
+ }
+
++typedef struct {
++ DBusTimeout *timeout;
++ DBusConnection *connection;
++ dbus_bool_t timedout;
++ int check_counter;
++} BusTestCheckData;
++
++static BusTestCheckData *cdata;
++
++static dbus_bool_t
++bus_dispatch_test_check_timeout (void *data)
++{
++ _dbus_verbose ("timeout triggered - pretend that privilege check result is available\n");
++
++ /* should only happen once during the test */
++ _dbus_assert (!cdata->timedout);
++ cdata->timedout = TRUE;
++ _dbus_connection_enable_dispatch (cdata->connection);
++
++ /* don't call this again */
++ _dbus_loop_remove_timeout (bus_connection_get_loop (cdata->connection),
++ cdata->timeout);
++ dbus_connection_unref (cdata->connection);
++ cdata->connection = NULL;
++ return TRUE;
++}
++
++static dbus_bool_t
++bus_dispatch_test_check_override (DBusConnection *connection,
++ const char *privilege)
++{
++ _dbus_verbose ("overriding privilege check %s #%d\n", privilege, cdata->check_counter);
++ cdata->check_counter++;
++ if (!cdata->timedout)
++ {
++ dbus_bool_t added;
++
++ /* Should be the first privilege check for the "Echo" method. */
++ _dbus_assert (cdata->check_counter == 1);
++ cdata->timeout = _dbus_timeout_new (1, bus_dispatch_test_check_timeout,
++ NULL, NULL);
++ _dbus_assert (cdata->timeout);
++ added = _dbus_loop_add_timeout (bus_connection_get_loop (connection),
++ cdata->timeout);
++ _dbus_assert (added);
++ cdata->connection = connection;
++ dbus_connection_ref (connection);
++ _dbus_connection_disable_dispatch (connection);
++ return BUS_RESULT_LATER;
++ }
++ else
++ {
++ /* Should only be checked one more time, and this time succeeds. */
++ _dbus_assert (cdata->check_counter == 2);
++ return BUS_RESULT_TRUE;
++ }
++}
++
++static dbus_bool_t
++bus_dispatch_test_check (const DBusString *test_data_dir)
++{
++ const char *filename = "valid-config-files/debug-check-some.conf";
++ BusContext *context;
++ DBusConnection *foo;
++ DBusError error;
++ dbus_bool_t result = TRUE;
++ BusTestCheckData data;
++
++ /* save the config name for the activation helper */
++ if (!setenv_TEST_LAUNCH_HELPER_CONFIG (test_data_dir, filename))
++ _dbus_assert_not_reached ("no memory setting TEST_LAUNCH_HELPER_CONFIG");
++
++ dbus_error_init (&error);
++
++ context = bus_context_new_test (test_data_dir, filename);
++ if (context == NULL)
++ return FALSE;
++
++ foo = dbus_connection_open_private (TEST_DEBUG_PIPE, &error);
++ if (foo == NULL)
++ _dbus_assert_not_reached ("could not alloc connection");
++
++ if (!bus_setup_debug_client (foo))
++ _dbus_assert_not_reached ("could not set up connection");
++
++ spin_connection_until_authenticated (context, foo);
++
++ if (!check_hello_message (context, foo))
++ _dbus_assert_not_reached ("hello message failed");
++
++ if (!check_double_hello_message (context, foo))
++ _dbus_assert_not_reached ("double hello message failed");
++
++ if (!check_add_match_all (context, foo))
++ _dbus_assert_not_reached ("AddMatch message failed");
++
++ /*
++ * Cause bus_check_send_privilege() to return BUS_RESULT_LATER in the
++ * first call, then BUS_RESULT_TRUE.
++ */
++ cdata = &data;
++ memset (cdata, 0, sizeof(*cdata));
++ bus_check_test_override = bus_dispatch_test_check_override;
++
++ result = check_existent_service_auto_start (context, foo);
++
++ _dbus_assert (cdata->check_counter == 2);
++ _dbus_assert (cdata->timedout);
++ _dbus_assert (cdata->timeout);
++ _dbus_assert (!cdata->connection);
++ _dbus_timeout_unref (cdata->timeout);
++
++ kill_client_connection_unchecked (foo);
++
++ bus_context_unref (context);
++
++ return result;
++}
++
+ dbus_bool_t
+ bus_dispatch_test (const DBusString *test_data_dir)
+ {
++ _dbus_verbose ("<check> tests\n");
++ if (!bus_dispatch_test_check (test_data_dir))
++ return FALSE;
++
+ /* run normal activation tests */
+ _dbus_verbose ("Normal activation tests\n");
+ if (!bus_dispatch_test_conf (test_data_dir,
+diff --git a/bus/dispatch.h b/bus/dispatch.h
+index fb5ba7a..afba6a2 100644
+--- a/bus/dispatch.h
++++ b/bus/dispatch.h
+@@ -29,7 +29,7 @@
+
+ dbus_bool_t bus_dispatch_add_connection (DBusConnection *connection);
+ void bus_dispatch_remove_connection (DBusConnection *connection);
+-dbus_bool_t bus_dispatch_matches (BusTransaction *transaction,
++BusResult bus_dispatch_matches (BusTransaction *transaction,
+ DBusConnection *sender,
+ DBusConnection *recipient,
+ DBusMessage *message,
+diff --git a/bus/driver.c b/bus/driver.c
+index 11706f8..4dbce3d 100644
+--- a/bus/driver.c
++++ b/bus/driver.c
+@@ -97,6 +97,7 @@ bus_driver_send_service_owner_changed (const char *service_name,
+ {
+ DBusMessage *message;
+ dbus_bool_t retval;
++ BusResult res;
+ const char *null_service;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+@@ -129,7 +130,17 @@ bus_driver_send_service_owner_changed (const char *service_name,
+
+ _dbus_assert (dbus_message_has_signature (message, "sss"));
+
+- retval = bus_dispatch_matches (transaction, NULL, NULL, message, error);
++ res = bus_dispatch_matches (transaction, NULL, NULL, message, error);
++ if (res == BUS_RESULT_TRUE)
++ retval = TRUE;
++ else if (res == BUS_RESULT_FALSE)
++ retval = FALSE;
++ else if (res == BUS_RESULT_LATER)
++ {
++ /* should never happen */
++ _dbus_assert_not_reached ("bus_dispatch_matches returned BUS_RESULT_LATER unexpectedly");
++ retval = FALSE;
++ }
+ dbus_message_unref (message);
+
+ return retval;
+diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
+index 64ef336..4fcd118 100644
+--- a/dbus/dbus-connection-internal.h
++++ b/dbus/dbus-connection-internal.h
+@@ -109,6 +109,15 @@ void _dbus_connection_set_pending_fds_function (DBusConnectio
+
+ dbus_bool_t _dbus_connection_get_linux_security_label (DBusConnection *connection,
+ char **label_p);
++void _dbus_connection_enable_dispatch (DBusConnection *connection);
++void _dbus_connection_disable_dispatch (DBusConnection *connection);
++dbus_bool_t _dbus_connection_putback_message (DBusConnection *connection,
++ DBusMessage *after_message,
++ DBusMessage *message,
++ DBusError *error);
++
++dbus_bool_t _dbus_connection_remove_message (DBusConnection *connection,
++ DBusMessage *message);
+
+ /* if DBUS_ENABLE_STATS */
+ void _dbus_connection_get_stats (DBusConnection *connection,
+diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
+index 8952b75..5d8d943 100644
+--- a/dbus/dbus-connection.c
++++ b/dbus/dbus-connection.c
+@@ -311,7 +311,8 @@ struct DBusConnection
+ */
+ dbus_bool_t dispatch_acquired; /**< Someone has dispatch path (can drain incoming queue) */
+ dbus_bool_t io_path_acquired; /**< Someone has transport io path (can use the transport to read/write messages) */
+-
++
++ unsigned int dispatch_disabled : 1; /**< if true, then dispatching incoming messages is stopped until enabled again */
+ unsigned int shareable : 1; /**< #TRUE if libdbus owns a reference to the connection and can return it from dbus_connection_open() more than once */
+
+ unsigned int exit_on_disconnect : 1; /**< If #TRUE, exit after handling disconnect signal */
+@@ -439,6 +440,39 @@ _dbus_connection_wakeup_mainloop (DBusConnection *connection)
+ (*connection->wakeup_main_function) (connection->wakeup_main_data);
+ }
+
++static void
++_dbus_connection_set_dispatch(DBusConnection *connection,
++ dbus_bool_t disabled)
++{
++ CONNECTION_LOCK (connection);
++ if (connection->dispatch_disabled != disabled)
++ {
++ DBusDispatchStatus status;
++
++ connection->dispatch_disabled = disabled;
++ status = _dbus_connection_get_dispatch_status_unlocked (connection);
++ _dbus_connection_update_dispatch_status_and_unlock (connection, status);
++ }
++ else
++ {
++ CONNECTION_UNLOCK (connection);
++ }
++}
++
++
++void
++_dbus_connection_enable_dispatch (DBusConnection *connection)
++{
++ _dbus_connection_set_dispatch (connection, FALSE);
++}
++
++void
++ _dbus_connection_disable_dispatch (DBusConnection *connection)
++{
++ _dbus_connection_set_dispatch (connection, TRUE);
++}
++
++
+ #ifdef DBUS_ENABLE_EMBEDDED_TESTS
+ /**
+ * Gets the locks so we can examine them
+@@ -4068,6 +4102,82 @@ _dbus_connection_putback_message_link_unlocked (DBusConnection *connection,
+ "_dbus_connection_putback_message_link_unlocked");
+ }
+
++dbus_bool_t
++_dbus_connection_putback_message (DBusConnection *connection,
++ DBusMessage *after_message,
++ DBusMessage *message,
++ DBusError *error)
++{
++ DBusDispatchStatus status;
++ DBusList *message_link = _dbus_list_alloc_link (message);
++ DBusList *after_link;
++ if (message_link == NULL)
++ {
++ _DBUS_SET_OOM (error);
++ return FALSE;
++ }
++ dbus_message_ref (message);
++
++ CONNECTION_LOCK (connection);
++ _dbus_connection_acquire_dispatch (connection);
++ HAVE_LOCK_CHECK (connection);
++
++ after_link = _dbus_list_find_first(&connection->incoming_messages, after_message);
++ _dbus_list_insert_after_link (&connection->incoming_messages, after_link, message_link);
++ connection->n_incoming += 1;
++
++ _dbus_verbose ("Message %p (%s %s %s '%s') put back into queue %p, %d incoming\n",
++ message_link->data,
++ dbus_message_type_to_string (dbus_message_get_type (message_link->data)),
++ dbus_message_get_interface (message_link->data) ?
++ dbus_message_get_interface (message_link->data) :
++ "no interface",
++ dbus_message_get_member (message_link->data) ?
++ dbus_message_get_member (message_link->data) :
++ "no member",
++ dbus_message_get_signature (message_link->data),
++ connection, connection->n_incoming);
++
++ _dbus_message_trace_ref (message_link->data, -1, -1,
++ "_dbus_connection_putback_message");
++
++ _dbus_connection_release_dispatch (connection);
++
++ status = _dbus_connection_get_dispatch_status_unlocked (connection);
++ _dbus_connection_update_dispatch_status_and_unlock (connection, status);
++
++ return TRUE;
++}
++
++dbus_bool_t
++_dbus_connection_remove_message (DBusConnection *connection,
++ DBusMessage *message)
++{
++ DBusDispatchStatus status;
++ dbus_bool_t removed;
++
++ CONNECTION_LOCK (connection);
++ _dbus_connection_acquire_dispatch (connection);
++ HAVE_LOCK_CHECK (connection);
++
++ removed = _dbus_list_remove(&connection->incoming_messages, message);
++
++ if (removed)
++ {
++ connection->n_incoming -= 1;
++ dbus_message_unref(message);
++ _dbus_verbose ("Message %p removed from incoming queue\n", message);
++ }
++ else
++ _dbus_verbose ("Message %p not found in the incoming queue\n", message);
++
++ _dbus_connection_release_dispatch (connection);
++
++ status = _dbus_connection_get_dispatch_status_unlocked (connection);
++ _dbus_connection_update_dispatch_status_and_unlock (connection, status);
++ return removed;
++}
++
+ /**
+ * Returns the first-received message from the incoming message queue,
+ * removing it from the queue. The caller owns a reference to the
+@@ -4251,8 +4361,9 @@ static DBusDispatchStatus
+ _dbus_connection_get_dispatch_status_unlocked (DBusConnection *connection)
+ {
+ HAVE_LOCK_CHECK (connection);
+-
+- if (connection->n_incoming > 0)
++ if (connection->dispatch_disabled && dbus_connection_get_is_connected(connection))
++ return DBUS_DISPATCH_COMPLETE;
++ else if (connection->n_incoming > 0)
+ return DBUS_DISPATCH_DATA_REMAINS;
+ else if (!_dbus_transport_queue_messages (connection->transport))
+ return DBUS_DISPATCH_NEED_MEMORY;
+@@ -4689,6 +4800,8 @@ dbus_connection_dispatch (DBusConnection *connection)
+
+ CONNECTION_LOCK (connection);
+
++ if (result == DBUS_HANDLER_RESULT_LATER)
++ goto out;
+ if (result == DBUS_HANDLER_RESULT_NEED_MEMORY)
+ {
+ _dbus_verbose ("No memory\n");
+@@ -4811,9 +4924,11 @@ dbus_connection_dispatch (DBusConnection *connection)
+ connection);
+
+ out:
+- if (result == DBUS_HANDLER_RESULT_NEED_MEMORY)
++ if (result == DBUS_HANDLER_RESULT_LATER ||
++ result == DBUS_HANDLER_RESULT_NEED_MEMORY)
+ {
+- _dbus_verbose ("out of memory\n");
++ if (result == DBUS_HANDLER_RESULT_NEED_MEMORY)
++ _dbus_verbose ("out of memory\n");
+
+ /* Put message back, and we'll start over.
+ * Yes this means handlers must be idempotent if they
+diff --git a/dbus/dbus-list.c b/dbus/dbus-list.c
+index c4c1856..f84918b 100644
+--- a/dbus/dbus-list.c
++++ b/dbus/dbus-list.c
+@@ -459,6 +459,35 @@ _dbus_list_remove_last (DBusList **list,
+ }
+
+ /**
++ * Finds a value in the list. Returns the first link
++ * with value equal to the given data pointer.
++ * This is a linear-time operation.
++ * Returns #NULL if no value found that matches.
++ *
++ * @param list address of the list head.
++ * @param data the value to find.
++ * @returns the link if found
++ */
++DBusList*
++_dbus_list_find_first (DBusList **list,
++ void *data)
++{
++ DBusList *link;
++
++ link = _dbus_list_get_first_link (list);
++
++ while (link != NULL)
++ {
++ if (link->data == data)
++ return link;
++
++ link = _dbus_list_get_next_link (list, link);
++ }
++
++ return NULL;
++}
++
++/**
+ * Finds a value in the list. Returns the last link
+ * with value equal to the given data pointer.
+ * This is a linear-time operation.
+diff --git a/dbus/dbus-list.h b/dbus/dbus-list.h
+index 910d738..abe8331 100644
+--- a/dbus/dbus-list.h
++++ b/dbus/dbus-list.h
+@@ -59,6 +59,8 @@ dbus_bool_t _dbus_list_remove_last (DBusList **list,
+ void *data);
+ void _dbus_list_remove_link (DBusList **list,
+ DBusList *link);
++DBusList* _dbus_list_find_first (DBusList **list,
++ void *data);
+ DBusList* _dbus_list_find_last (DBusList **list,
+ void *data);
+ void _dbus_list_clear (DBusList **list);
+diff --git a/dbus/dbus-shared.h b/dbus/dbus-shared.h
+index 6a57670..5371d88 100644
+--- a/dbus/dbus-shared.h
++++ b/dbus/dbus-shared.h
+@@ -67,7 +67,8 @@ typedef enum
+ {
+ DBUS_HANDLER_RESULT_HANDLED, /**< Message has had its effect - no need to run more handlers. */
+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED, /**< Message has not had any effect - see if other handlers want it. */
+- DBUS_HANDLER_RESULT_NEED_MEMORY /**< Need more memory in order to return #DBUS_HANDLER_RESULT_HANDLED or #DBUS_HANDLER_RESULT_NOT_YET_HANDLED. Please try again later with more memory. */
++ DBUS_HANDLER_RESULT_NEED_MEMORY, /**< Need more memory in order to return #DBUS_HANDLER_RESULT_HANDLED or #DBUS_HANDLER_RESULT_NOT_YET_HANDLED. Please try again later with more memory. */
++ DBUS_HANDLER_RESULT_LATER /**< Message dispatch deferred due to pending policy check */
+ } DBusHandlerResult;
+
+ /* Bus names */
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0006-Handle-unavailability-of-policy-results-for-broadcas.patch b/meta-security/recipes-core/dbus/dbus-cynara/0006-Handle-unavailability-of-policy-results-for-broadcas.patch
new file mode 100644
index 000000000..66f4e14e5
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0006-Handle-unavailability-of-policy-results-for-broadcas.patch
@@ -0,0 +1,1071 @@
+From 1e231194610892dd4360224998d91336097b05a1 Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Fri, 28 Nov 2014 12:39:33 +0100
+Subject: [PATCH 6/8] Handle unavailability of policy results for broadcasts
+ and receive rules
+
+When message is sent to the addressed recipient and receive rule
+result is unavailable we don't want to block the sender
+as it most likely will be the privileged service, so instead we queue
+it at the recipient. Any further messages sent to it will be queued to
+maintain message order. Once the answer from Cynara arrives messages are
+dispatched from the recipient queue. In such case full dispatch is
+performed - messages are sent to addressed recipient and other
+interested connections.
+Messages sent to non-addressed recipients (eavesdroppers or broadcast
+message recipients) are handled in a similar way. The difference is
+that it is not full dispatch meaning message is sent to a single recipient.
+
+Change-Id: Iecd5395f75a4c7811fa97247a37d8fc4d42e8814
+---
+ bus/activation.c | 4 +-
+ bus/bus.c | 50 +++++++--
+ bus/bus.h | 19 ++++
+ bus/check.c | 307 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ bus/check.h | 25 +++++
+ bus/connection.c | 166 ++++++++++++++++++++++++++++--
+ bus/connection.h | 19 +++-
+ bus/dispatch.c | 122 ++++++++++++++++++----
+ bus/dispatch.h | 11 +-
+ bus/driver.c | 2 +-
+ bus/policy.c | 6 ++
+ 11 files changed, 685 insertions(+), 46 deletions(-)
+
+diff --git a/bus/activation.c b/bus/activation.c
+index 8c43941..308bf41 100644
+--- a/bus/activation.c
++++ b/bus/activation.c
+@@ -1198,7 +1198,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+ res = bus_dispatch_matches (transaction,
+ entry->connection,
+ addressed_recipient,
+- entry->activation_message, &error);
++ entry->activation_message, NULL, &error);
+ if (res == BUS_RESULT_FALSE)
+ {
+ /* If permission is denied, we just want to return the error
+@@ -2066,7 +2066,7 @@ bus_activation_activate_service (BusActivation *activation,
+ entry->systemd_service);
+ /* Wonderful, systemd is connected, let's just send the msg */
+ res = bus_dispatch_matches (activation_transaction, NULL, bus_service_get_primary_owners_connection (service),
+- message, error);
++ message, NULL, error);
+
+ if (res == BUS_RESULT_TRUE)
+ retval = TRUE;
+diff --git a/bus/bus.c b/bus/bus.c
+index ac9ea8d..b478b8e 100644
+--- a/bus/bus.c
++++ b/bus/bus.c
+@@ -1704,17 +1704,9 @@ bus_context_check_security_policy (BusContext *context,
+ }
+
+ /* See if limits on size have been exceeded */
+- if (proposed_recipient &&
+- ((dbus_connection_get_outgoing_size (proposed_recipient) > context->limits.max_outgoing_bytes) ||
+- (dbus_connection_get_outgoing_unix_fds (proposed_recipient) > context->limits.max_outgoing_unix_fds)))
+- {
+- complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
+- "Rejected: destination has a full message queue",
+- 0, message, sender, proposed_recipient, requested_reply, TRUE, NULL,
+- error);
+- _dbus_verbose ("security policy disallowing message due to full message queue\n");
++ if (!bus_context_check_recipient_message_limits(context, proposed_recipient, sender, message,
++ requested_reply, error))
+ return BUS_RESULT_FALSE;
+- }
+
+ /* Record that we will allow a reply here in the future (don't
+ * bother if the recipient is the bus or this is an eavesdropping
+@@ -1769,3 +1761,41 @@ bus_context_check_all_watches (BusContext *context)
+ _dbus_server_toggle_all_watches (server, enabled);
+ }
+ }
++
++void
++bus_context_complain_about_message (BusContext *context,
++ const char *error_name,
++ const char *complaint,
++ int matched_rules,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *proposed_recipient,
++ dbus_bool_t requested_reply,
++ dbus_bool_t log,
++ const char *privilege,
++ DBusError *error)
++{
++ complain_about_message(context, error_name, complaint, matched_rules, message, sender,
++ proposed_recipient, requested_reply, log, privilege, error);
++}
++
++dbus_bool_t bus_context_check_recipient_message_limits (BusContext *context,
++ DBusConnection *recipient,
++ DBusConnection *sender,
++ DBusMessage *message,
++ dbus_bool_t requested_reply,
++ DBusError *error)
++{
++ if (recipient &&
++ ((dbus_connection_get_outgoing_size (recipient) > context->limits.max_outgoing_bytes) ||
++ (dbus_connection_get_outgoing_unix_fds (recipient) > context->limits.max_outgoing_unix_fds)))
++ {
++ complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
++ "Rejected: destination has a full message queue",
++ 0, message, sender, recipient, requested_reply, TRUE, NULL,
++ error);
++ _dbus_verbose ("security policy disallowing message due to full message queue\n");
++ return FALSE;
++ }
++ return TRUE;
++}
+diff --git a/bus/bus.h b/bus/bus.h
+index 78084dd..27a5e49 100644
+--- a/bus/bus.h
++++ b/bus/bus.h
+@@ -148,4 +148,23 @@ BusResult bus_context_check_security_policy (BusContext
+ DBusError *error,
+ BusDeferredMessage **deferred_message);
+
++dbus_bool_t bus_context_check_recipient_message_limits (BusContext *context,
++ DBusConnection *recipient,
++ DBusConnection *sender,
++ DBusMessage *message,
++ dbus_bool_t requested_reply,
++ DBusError *error);
++void bus_context_complain_about_message (BusContext *context,
++ const char *error_name,
++ const char *complaint,
++ int matched_rules,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *proposed_recipient,
++ dbus_bool_t requested_reply,
++ dbus_bool_t log,
++ const char *privilege,
++ DBusError *error);
++
++
+ #endif /* BUS_BUS_H */
+diff --git a/bus/check.c b/bus/check.c
+index cd6a74b..733763a 100644
+--- a/bus/check.c
++++ b/bus/check.c
+@@ -49,6 +49,9 @@ typedef struct BusDeferredMessage
+ DBusConnection *sender;
+ DBusConnection *proposed_recipient;
+ DBusConnection *addressed_recipient;
++ dbus_bool_t requested_reply;
++ int matched_rules;
++ const char *privilege;
+ dbus_bool_t full_dispatch;
+ BusDeferredMessageStatus status;
+ BusResult response;
+@@ -136,6 +139,89 @@ bus_check_enable_dispatch_callback (BusDeferredMessage *deferred_message,
+ }
+
+ static void
++bus_check_queued_message_reply_callback (BusDeferredMessage *deferred_message,
++ BusResult result)
++{
++ int status;
++
++ _dbus_verbose("bus_check_queued_message_reply_callback called message=%p\n", deferred_message);
++
++ if (!bus_connection_is_active(deferred_message->proposed_recipient))
++ return;
++
++ status = deferred_message->status;
++
++ deferred_message->status = 0; /* mark message as not waiting for response */
++ deferred_message->response = result;
++
++ /*
++ * If send rule allows us to send message we still need to check receive rules.
++ */
++ if ((status & BUS_DEFERRED_MESSAGE_CHECK_SEND) && (result == BUS_RESULT_TRUE))
++ {
++ int toggles;
++ BusContext *context;
++ BusRegistry *registry;
++ BusClientPolicy *recipient_policy;
++ BusDeferredMessage *deferred_message_receive;
++
++ context = bus_connection_get_context(deferred_message->proposed_recipient);
++ registry = bus_context_get_registry(context);
++ recipient_policy = bus_connection_get_policy(deferred_message->proposed_recipient);
++
++ deferred_message->response = bus_client_policy_check_can_receive(recipient_policy, registry,
++ deferred_message->requested_reply, deferred_message->sender,
++ deferred_message->addressed_recipient, deferred_message->proposed_recipient, deferred_message->message,
++ &toggles, NULL, &deferred_message_receive);
++ if (deferred_message->response == BUS_RESULT_LATER)
++ {
++ /* replace deferred message associated with send check with the one associated with
++ * receive check */
++ if (!bus_deferred_message_replace(deferred_message, deferred_message_receive))
++ {
++ /* failed to replace deferred message (due to oom). Set it to rejected */
++ deferred_message->response = BUS_RESULT_FALSE;
++ }
++ }
++ }
++
++ bus_connection_dispatch_deferred(deferred_message->proposed_recipient);
++}
++
++static void
++queue_deferred_message_cancel_transaction_hook (void *data)
++{
++ BusDeferredMessage *deferred_message = (BusDeferredMessage *)data;
++ bus_connection_remove_deferred_message(deferred_message->proposed_recipient, deferred_message);
++}
++
++
++dbus_bool_t
++bus_deferred_message_queue_at_recipient (BusDeferredMessage *deferred_message,
++ BusTransaction *transaction,
++ dbus_bool_t full_dispatch,
++ dbus_bool_t prepend)
++{
++ _dbus_assert(deferred_message != NULL);
++ _dbus_assert(deferred_message->proposed_recipient != NULL);
++
++ if (!bus_connection_queue_deferred_message(deferred_message->proposed_recipient,
++ deferred_message, prepend))
++ return FALSE;
++
++ if (!bus_transaction_add_cancel_hook(transaction, queue_deferred_message_cancel_transaction_hook,
++ deferred_message, NULL))
++ {
++ bus_connection_remove_deferred_message(deferred_message->proposed_recipient, deferred_message);
++ return FALSE;
++ }
++ deferred_message->response_callback = bus_check_queued_message_reply_callback;
++ deferred_message->full_dispatch = full_dispatch;
++
++ return TRUE;
++}
++
++static void
+ deferred_message_free_function(void *data)
+ {
+ BusDeferredMessage *deferred_message = (BusDeferredMessage *)data;
+@@ -159,6 +245,20 @@ bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message)
+ deferred_message->response_callback = bus_check_enable_dispatch_callback;
+ }
+
++void
++bus_deferred_message_set_policy_check_info (BusDeferredMessage *deferred_message,
++ dbus_bool_t requested_reply,
++ int matched_rules,
++ const char *privilege)
++{
++ _dbus_assert(deferred_message != NULL);
++
++ deferred_message->requested_reply = requested_reply;
++ deferred_message->matched_rules = matched_rules;
++ deferred_message->privilege = privilege;
++}
++
++
+ #ifdef DBUS_ENABLE_EMBEDDED_TESTS
+ dbus_bool_t (*bus_check_test_override) (DBusConnection *connection,
+ const char *privilege);
+@@ -257,6 +357,9 @@ BusDeferredMessage *bus_deferred_message_new (DBusMessage *message,
+ deferred_message->addressed_recipient = addressed_recipient != NULL ? dbus_connection_ref(addressed_recipient) : NULL;
+ deferred_message->proposed_recipient = proposed_recipient != NULL ? dbus_connection_ref(proposed_recipient) : NULL;
+ deferred_message->message = dbus_message_ref(message);
++ deferred_message->requested_reply = FALSE;
++ deferred_message->matched_rules = 0;
++ deferred_message->privilege = NULL;
+ deferred_message->response = response;
+ deferred_message->status = 0;
+ deferred_message->full_dispatch = FALSE;
+@@ -293,12 +396,215 @@ bus_deferred_message_unref (BusDeferredMessage *deferred_message)
+ }
+ }
+
++dbus_bool_t
++bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message, DBusError *error)
++{
++ BusContext *context = bus_connection_get_context(deferred_message->proposed_recipient);
++
++ return bus_context_check_recipient_message_limits(context, deferred_message->proposed_recipient,
++ deferred_message->sender, deferred_message->message, deferred_message->requested_reply,
++ error);
++}
++
++dbus_bool_t
++bus_deferred_message_expect_method_reply(BusDeferredMessage *deferred_message, BusTransaction *transaction, DBusError *error)
++{
++ int type = dbus_message_get_type(deferred_message->message);
++ if (type == DBUS_MESSAGE_TYPE_METHOD_CALL &&
++ deferred_message->sender &&
++ deferred_message->addressed_recipient &&
++ deferred_message->addressed_recipient == deferred_message->proposed_recipient && /* not eavesdropping */
++ !bus_connections_expect_reply (bus_connection_get_connections (deferred_message->sender),
++ transaction,
++ deferred_message->sender, deferred_message->addressed_recipient,
++ deferred_message->message, error))
++ {
++ _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n");
++ return FALSE;
++ }
++ return TRUE;
++}
++
++void
++bus_deferred_message_create_error(BusDeferredMessage *deferred_message,
++ const char *error_message, DBusError *error)
++{
++ BusContext *context;
++ _dbus_assert (deferred_message->status == 0 && deferred_message->response == BUS_RESULT_FALSE);
++
++ if (deferred_message->sender == NULL)
++ return; /* error won't be sent to bus driver anyway */
++
++ context = bus_connection_get_context(deferred_message->sender);
++ bus_context_complain_about_message(context, DBUS_ERROR_ACCESS_DENIED, "Rejected message",
++ deferred_message->matched_rules, deferred_message->message, deferred_message->sender,
++ deferred_message->proposed_recipient, deferred_message->requested_reply, FALSE,
++ deferred_message->privilege, error);
++}
++
++BusResult
++bus_deferred_message_dispatch (BusDeferredMessage *deferred_message)
++{
++ BusContext *context = bus_connection_get_context (deferred_message->proposed_recipient);
++ BusTransaction *transaction = bus_transaction_new (context);
++ BusResult result = BUS_RESULT_TRUE;
++ DBusError error;
++
++ if (transaction == NULL)
++ {
++ return BUS_RESULT_FALSE;
++ }
++
++ dbus_error_init(&error);
++
++ if (!deferred_message->full_dispatch)
++ {
++ result = deferred_message->response;
++ if (result == BUS_RESULT_TRUE)
++ {
++ if (!bus_context_check_recipient_message_limits(context, deferred_message->proposed_recipient,
++ deferred_message->sender, deferred_message->message, deferred_message->requested_reply, &error))
++ result = BUS_RESULT_FALSE;
++ }
++ else if (result == BUS_RESULT_LATER)
++ {
++ BusDeferredMessage *deferred_message2;
++ result = bus_context_check_security_policy (context, transaction,
++ deferred_message->sender,
++ deferred_message->addressed_recipient,
++ deferred_message->proposed_recipient,
++ deferred_message->message, NULL,
++ &deferred_message2);
++
++ if (result == BUS_RESULT_LATER)
++ {
++ /* prepend at recipient */
++ if (!bus_deferred_message_queue_at_recipient(deferred_message2, transaction,
++ FALSE, TRUE))
++ result = BUS_RESULT_FALSE;
++ }
++ }
++
++ /* silently drop messages on access denial */
++ if (result == BUS_RESULT_TRUE)
++ {
++ if (!bus_transaction_send (transaction, deferred_message->proposed_recipient, deferred_message->message, TRUE))
++ result = BUS_RESULT_FALSE;
++ }
++
++ bus_transaction_execute_and_free(transaction);
++
++ goto out;
++ }
++
++ /* do not attempt to send message if sender has disconnected */
++ if (deferred_message->sender != NULL && !bus_connection_is_active(deferred_message->sender))
++ {
++ bus_transaction_cancel_and_free(transaction);
++ result = BUS_RESULT_FALSE;
++ goto out;
++ }
++
++ result = bus_dispatch_matches(transaction, deferred_message->sender,
++ deferred_message->addressed_recipient, deferred_message->message, deferred_message, &error);
++
++ if (result == BUS_RESULT_LATER)
++ {
++ /* Message deferring was already done in bus_dispatch_matches */
++ bus_transaction_cancel_and_free(transaction);
++ goto out;
++ }
++
++ /* this part is a copy & paste from bus_dispatch function. Probably can be moved to a function */
++ if (dbus_error_is_set (&error))
++ {
++ if (!dbus_connection_get_is_connected (deferred_message->sender))
++ {
++ /* If we disconnected it, we won't bother to send it any error
++ * messages.
++ */
++ _dbus_verbose ("Not sending error to connection we disconnected\n");
++ }
++ else if (dbus_error_has_name (&error, DBUS_ERROR_NO_MEMORY))
++ {
++ bus_connection_send_oom_error (deferred_message->sender, deferred_message->message);
++
++ /* cancel transaction due to OOM */
++ if (transaction != NULL)
++ {
++ bus_transaction_cancel_and_free (transaction);
++ transaction = NULL;
++ }
++ }
++ else
++ {
++ /* Try to send the real error, if no mem to do that, send
++ * the OOM error
++ */
++ _dbus_assert (transaction != NULL);
++ if (!bus_transaction_send_error_reply (transaction, deferred_message->sender,
++ &error, deferred_message->message))
++ {
++ bus_connection_send_oom_error (deferred_message->sender, deferred_message->message);
++
++ /* cancel transaction due to OOM */
++ if (transaction != NULL)
++ {
++ bus_transaction_cancel_and_free (transaction);
++ transaction = NULL;
++ }
++ }
++ }
++ }
++
++ if (transaction != NULL)
++ {
++ bus_transaction_execute_and_free (transaction);
++ }
++
++out:
++ dbus_error_free(&error);
++
++ return result;
++}
++
++dbus_bool_t
++bus_deferred_message_replace (BusDeferredMessage *old_message, BusDeferredMessage *new_message)
++{
++ if (bus_connection_replace_deferred_message(old_message->proposed_recipient,
++ old_message, new_message))
++ {
++ new_message->response_callback = old_message->response_callback;
++ new_message->full_dispatch = old_message->full_dispatch;
++ return TRUE;
++ }
++ return FALSE;
++}
++
++dbus_bool_t
++bus_deferred_message_waits_for_check(BusDeferredMessage *deferred_message)
++{
++ return deferred_message->status != 0;
++}
++
++DBusConnection *
++bus_deferred_message_get_recipient(BusDeferredMessage *deferred_message)
++{
++ return deferred_message->proposed_recipient;
++}
++
+ BusDeferredMessageStatus
+ bus_deferred_message_get_status (BusDeferredMessage *deferred_message)
+ {
+ return deferred_message->status;
+ }
+
++BusResult
++bus_deferred_message_get_response (BusDeferredMessage *deferred_message)
++{
++ return deferred_message->response;
++}
++
+ void
+ bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
+ BusResult result)
+@@ -308,3 +614,4 @@ bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
+ deferred_message->response_callback(deferred_message, result);
+ }
+ }
++
+diff --git a/bus/check.h b/bus/check.h
+index f381789..3c6b2a1 100644
+--- a/bus/check.h
++++ b/bus/check.h
+@@ -64,12 +64,37 @@ BusDeferredMessage *bus_deferred_message_new (DBusMessage *messag
+
+ BusDeferredMessage *bus_deferred_message_ref (BusDeferredMessage *deferred_message);
+ void bus_deferred_message_unref (BusDeferredMessage *deferred_message);
++BusResult bus_deferred_message_dispatch (BusDeferredMessage *deferred_message);
++dbus_bool_t bus_deferred_message_waits_for_check (BusDeferredMessage *deferred_message);
++DBusConnection *bus_deferred_message_get_recipient (BusDeferredMessage *deferred_message);
+ void bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
+ BusResult result);
++dbus_bool_t bus_deferred_message_queue_at_recipient (BusDeferredMessage *deferred_message,
++ BusTransaction *transaction,
++ dbus_bool_t full_dispatch,
++ dbus_bool_t prepend);
++dbus_bool_t bus_deferred_message_replace (BusDeferredMessage *old_message,
++ BusDeferredMessage *new_message);
+ void bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message);
++BusResult bus_deferred_message_get_response (BusDeferredMessage *deferred_message);
+
+ BusDeferredMessageStatus bus_deferred_message_get_status (BusDeferredMessage *deferred_message);
+
++
++dbus_bool_t bus_deferred_message_expect_method_reply (BusDeferredMessage *deferred_message,
++ BusTransaction *transaction,
++ DBusError *error);
++void bus_deferred_message_create_error (BusDeferredMessage *deferred_message,
++ const char *error_message,
++ DBusError *error);
++void bus_deferred_message_set_policy_check_info (BusDeferredMessage *deferred_message,
++ dbus_bool_t requested_reply,
++ int matched_rules,
++ const char *privilege);
++dbus_bool_t bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message,
++ DBusError *error);
++
++
+ #ifdef DBUS_ENABLE_EMBEDDED_TESTS
+ extern dbus_bool_t (*bus_check_test_override) (DBusConnection *connection,
+ const char *privilege);
+diff --git a/bus/connection.c b/bus/connection.c
+index a6d87e5..d2ebe82 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -30,10 +30,12 @@
+ #include "signals.h"
+ #include "expirelist.h"
+ #include "selinux.h"
++#include "check.h"
+ #include <dbus/dbus-list.h>
+ #include <dbus/dbus-hash.h>
+ #include <dbus/dbus-timeout.h>
+ #include <dbus/dbus-connection-internal.h>
++#include <dbus/dbus-message-internal.h>
+ #ifdef DBUS_ENABLE_CYNARA
+ #include <stdlib.h>
+ #include <cynara-session.h>
+@@ -95,6 +97,7 @@ typedef struct
+ DBusMessage *oom_message;
+ DBusPreallocatedSend *oom_preallocated;
+ BusClientPolicy *policy;
++ DBusList *deferred_messages; /**< Queue of messages deferred due to pending policy check */
+
+ char *cached_loginfo_string;
+ BusSELinuxID *selinux_id;
+@@ -256,6 +259,8 @@ bus_connection_disconnected (DBusConnection *connection)
+ bus_transaction_execute_and_free (transaction);
+ }
+
++ bus_connection_clear_deferred_messages(connection);
++
+ bus_dispatch_remove_connection (connection);
+
+ /* no more watching */
+@@ -2132,6 +2137,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ DBusMessage *message)
+ {
+ BusResult res;
++ BusDeferredMessage *deferred_message;
+ /* We have to set the sender to the driver, and have
+ * to check security policy since it was not done in
+ * dispatch.c
+@@ -2163,23 +2169,25 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
+ res = bus_context_check_security_policy (bus_transaction_get_context (transaction),
+ transaction,
+ NULL, connection, connection, message, NULL,
+- NULL);
++ &deferred_message);
+
+ if (res == BUS_RESULT_FALSE)
+ return TRUE;
+ else if (res == BUS_RESULT_LATER)
+ {
+- _dbus_verbose ("Cannot delay sending message from bus driver, dropping it\n");
+- return TRUE;
++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, FALSE, FALSE))
++ return FALSE;
++ return TRUE; /* pretend to have sent it */
+ }
+
+- return bus_transaction_send (transaction, connection, message);
++ return bus_transaction_send (transaction, connection, message, FALSE);
+ }
+
+ dbus_bool_t
+ bus_transaction_send (BusTransaction *transaction,
+ DBusConnection *connection,
+- DBusMessage *message)
++ DBusMessage *message,
++ dbus_bool_t deferred_dispatch)
+ {
+ MessageToSend *to_send;
+ BusConnectionData *d;
+@@ -2205,7 +2213,28 @@ bus_transaction_send (BusTransaction *transaction,
+
+ d = BUS_CONNECTION_DATA (connection);
+ _dbus_assert (d != NULL);
+-
++
++ if (!deferred_dispatch && d->deferred_messages != NULL)
++ {
++ BusDeferredMessage *deferred_message;
++ dbus_bool_t success;
++ /* sender and addressed recipient are not required at this point as we only need to send message
++ * to a single recipient without performing policy check. */
++ deferred_message = bus_deferred_message_new (message,
++ NULL,
++ NULL,
++ connection,
++ BUS_RESULT_TRUE);
++ if (deferred_message == NULL)
++ return FALSE;
++
++ success = bus_deferred_message_queue_at_recipient(deferred_message, transaction,
++ FALSE, FALSE);
++ bus_deferred_message_unref(deferred_message);
++
++ return success;
++ }
++
+ to_send = dbus_new (MessageToSend, 1);
+ if (to_send == NULL)
+ {
+@@ -2457,6 +2486,131 @@ bus_transaction_add_cancel_hook (BusTransaction *transaction,
+ return TRUE;
+ }
+
++void
++bus_connection_dispatch_deferred (DBusConnection *connection)
++{
++ BusDeferredMessage *message;
++
++ _dbus_return_if_fail (connection != NULL);
++
++ while ((message = bus_connection_pop_deferred_message(connection)) != NULL)
++ {
++ bus_deferred_message_dispatch(message);
++ bus_deferred_message_unref(message);
++ }
++}
++
++dbus_bool_t
++bus_connection_has_deferred_messages (DBusConnection *connection)
++{
++ BusConnectionData *d = BUS_CONNECTION_DATA(connection);
++ return d->deferred_messages != NULL ? TRUE : FALSE;
++}
++
++dbus_bool_t
++bus_connection_queue_deferred_message (DBusConnection *connection,
++ BusDeferredMessage *message,
++ dbus_bool_t prepend)
++{
++ BusConnectionData *d = BUS_CONNECTION_DATA(connection);
++ dbus_bool_t success;
++ if (prepend)
++ success = _dbus_list_prepend(&d->deferred_messages, message);
++ else
++ success = _dbus_list_append(&d->deferred_messages, message);
++
++ if (success)
++ {
++ bus_deferred_message_ref(message);
++ return TRUE;
++ }
++
++ return FALSE;
++}
++
++dbus_bool_t
++bus_connection_replace_deferred_message (DBusConnection *connection,
++ BusDeferredMessage *oldMessage,
++ BusDeferredMessage *newMessage)
++{
++ DBusList *link;
++ BusConnectionData *d = BUS_CONNECTION_DATA(connection);
++
++ link = _dbus_list_find_first(&d->deferred_messages, oldMessage);
++ if (link == NULL)
++ return FALSE;
++
++ if (!_dbus_list_insert_after(&d->deferred_messages, link, newMessage))
++ return FALSE;
++
++ bus_deferred_message_ref(newMessage);
++ _dbus_list_remove_link(&d->deferred_messages, link);
++ bus_deferred_message_unref(oldMessage);
++ return TRUE;
++}
++
++BusDeferredMessage *
++bus_connection_pop_deferred_message (DBusConnection *connection)
++{
++ DBusList *link;
++ BusDeferredMessage *message;
++ BusConnectionData *d = BUS_CONNECTION_DATA(connection);
++
++ link =_dbus_list_get_first_link(&d->deferred_messages);
++ if (link != NULL)
++ {
++ message = link->data;
++ if (!bus_deferred_message_waits_for_check(message))
++ {
++ _dbus_list_remove_link(&d->deferred_messages, link);
++ return message;
++ }
++ }
++
++ return NULL;
++}
++
++dbus_bool_t
++bus_connection_putback_deferred_message (DBusConnection *connection, BusDeferredMessage *message)
++{
++ BusConnectionData *d = BUS_CONNECTION_DATA(connection);
++ if (_dbus_list_prepend(&d->deferred_messages, message))
++ {
++ return TRUE;
++ }
++ return FALSE;
++}
++
++void
++bus_connection_clear_deferred_messages (DBusConnection *connection)
++{
++ BusConnectionData *d = BUS_CONNECTION_DATA(connection);
++ DBusList *link;
++ DBusList *next;
++ BusDeferredMessage *message;
++
++ link =_dbus_list_get_first_link(&d->deferred_messages);
++ while (link != NULL)
++ {
++ next = _dbus_list_get_next_link (&d->deferred_messages, link);
++ message = link->data;
++
++ bus_deferred_message_unref(message);
++ _dbus_list_remove_link(&d->deferred_messages, link);
++
++ link = next;
++ }
++}
++
++void
++bus_connection_remove_deferred_message (DBusConnection *connection,
++ BusDeferredMessage *message)
++{
++ BusConnectionData *d = BUS_CONNECTION_DATA(connection);
++ if (_dbus_list_remove(&d->deferred_messages, message))
++ bus_deferred_message_unref(message);
++}
++
+ int
+ bus_connections_get_n_active (BusConnections *connections)
+ {
+diff --git a/bus/connection.h b/bus/connection.h
+index 7433746..8d49b25 100644
+--- a/bus/connection.h
++++ b/bus/connection.h
+@@ -82,6 +82,22 @@ dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection);
+ void bus_connection_send_oom_error (DBusConnection *connection,
+ DBusMessage *in_reply_to);
+
++dbus_bool_t bus_connection_has_deferred_messages (DBusConnection *connection);
++dbus_bool_t bus_connection_queue_deferred_message (DBusConnection *connection,
++ BusDeferredMessage *message,
++ dbus_bool_t prepend);
++BusDeferredMessage *bus_connection_pop_deferred_message (DBusConnection *connection);
++dbus_bool_t bus_connection_putback_deferred_message (DBusConnection *connection,
++ BusDeferredMessage *message);
++void bus_connection_remove_deferred_message (DBusConnection *connection,
++ BusDeferredMessage *message);
++dbus_bool_t bus_connection_replace_deferred_message (DBusConnection *connection,
++ BusDeferredMessage *oldMessage,
++ BusDeferredMessage *newMessage);
++void bus_connection_dispatch_deferred (DBusConnection *connection);
++void bus_connection_clear_deferred_messages (DBusConnection *connection);
++
++
+ /* called by signals.c */
+ dbus_bool_t bus_connection_add_match_rule (DBusConnection *connection,
+ BusMatchRule *rule);
+@@ -129,7 +145,8 @@ BusTransaction* bus_transaction_new (BusContext *
+ BusContext* bus_transaction_get_context (BusTransaction *transaction);
+ dbus_bool_t bus_transaction_send (BusTransaction *transaction,
+ DBusConnection *connection,
+- DBusMessage *message);
++ DBusMessage *message,
++ dbus_bool_t deferred_dispatch);
+ dbus_bool_t bus_transaction_send_from_driver (BusTransaction *transaction,
+ DBusConnection *connection,
+ DBusMessage *message);
+diff --git a/bus/dispatch.c b/bus/dispatch.c
+index 6b0eadc..9972e76 100644
+--- a/bus/dispatch.c
++++ b/bus/dispatch.c
+@@ -33,8 +33,10 @@
+ #include "utils.h"
+ #include "bus.h"
+ #include "signals.h"
++#include "dispatch.h"
+ #include "test.h"
+ #include <dbus/dbus-internals.h>
++#include <dbus/dbus-connection-internal.h>
+ #include <dbus/dbus-misc.h>
+ #include <string.h>
+
+@@ -63,16 +65,26 @@ send_one_message (DBusConnection *connection,
+ result = bus_context_check_security_policy (context, transaction, sender, addressed_recipient,
+ connection, message, NULL, &deferred_message);
+
+- if (result != BUS_RESULT_TRUE)
++ if (result == BUS_RESULT_FALSE)
+ return TRUE; /* silently don't send it */
+
+ if (dbus_message_contains_unix_fds(message) &&
+ !dbus_connection_can_send_type(connection, DBUS_TYPE_UNIX_FD))
+ return TRUE; /* silently don't send it */
+
++ if (result == BUS_RESULT_LATER)
++ {
++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, FALSE, FALSE))
++ {
++ BUS_SET_OOM (error);
++ return FALSE;
++ }
++ return TRUE; /* pretend to have sent it */
++ }
++
+ if (!bus_transaction_send (transaction,
+ connection,
+- message))
++ message, FALSE))
+ {
+ BUS_SET_OOM (error);
+ return FALSE;
+@@ -82,11 +94,12 @@ send_one_message (DBusConnection *connection,
+ }
+
+ BusResult
+-bus_dispatch_matches (BusTransaction *transaction,
+- DBusConnection *sender,
+- DBusConnection *addressed_recipient,
+- DBusMessage *message,
+- DBusError *error)
++bus_dispatch_matches (BusTransaction *transaction,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusMessage *message,
++ BusDeferredMessage *dispatched_deferred_message,
++ DBusError *error)
+ {
+ DBusError tmp_error;
+ BusConnections *connections;
+@@ -110,17 +123,78 @@ bus_dispatch_matches (BusTransaction *transaction,
+ /* First, send the message to the addressed_recipient, if there is one. */
+ if (addressed_recipient != NULL)
+ {
+- BusResult res;
+- res = bus_context_check_security_policy (context, transaction,
+- sender, addressed_recipient,
+- addressed_recipient,
+- message, error,
+- &deferred_message);
+- if (res == BUS_RESULT_FALSE)
++ BusResult result;
++ /* To maintain message order message needs to be appended at the recipient if there are already
++ * deferred messages and we are not doing deferred dispatch
++ */
++ if (dispatched_deferred_message == NULL && bus_connection_has_deferred_messages(addressed_recipient))
++ {
++ deferred_message = bus_deferred_message_new(message, sender,
++ addressed_recipient, addressed_recipient, BUS_RESULT_LATER);
++
++ if (deferred_message == NULL)
++ {
++ BUS_SET_OOM(error);
++ return BUS_RESULT_FALSE;
++ }
++
++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, FALSE))
++ {
++ bus_deferred_message_unref(deferred_message);
++ BUS_SET_OOM(error);
++ return BUS_RESULT_FALSE;
++ }
++
++ bus_deferred_message_unref(deferred_message);
++ return BUS_RESULT_TRUE; /* pretend to have sent it */
++ }
++
++ if (dispatched_deferred_message != NULL)
++ {
++ result = bus_deferred_message_get_response(dispatched_deferred_message);
++ if (result == BUS_RESULT_TRUE)
++ {
++ /* if we know the result of policy check we still need to check if message limits
++ * are not exceeded. It is also required to add entry in expected replies list if
++ * this is a method call
++ */
++ if (!bus_deferred_message_check_message_limits(dispatched_deferred_message, error))
++ return BUS_RESULT_FALSE;
++
++ if (!bus_deferred_message_expect_method_reply(dispatched_deferred_message, transaction, error))
++ return BUS_RESULT_FALSE;
++ }
++ else if (result == BUS_RESULT_FALSE)
++ {
++ bus_deferred_message_create_error(dispatched_deferred_message, "Rejected message", error);
++ return BUS_RESULT_FALSE;
++ }
++ }
++ else
++ result = BUS_RESULT_LATER;
++
++ if (result == BUS_RESULT_LATER)
++ result = bus_context_check_security_policy(context, transaction,
++ sender, addressed_recipient, addressed_recipient, message, error,
++ &deferred_message);
++
++ if (result == BUS_RESULT_FALSE)
+ return BUS_RESULT_FALSE;
+- else if (res == BUS_RESULT_LATER)
++ else if (result == BUS_RESULT_LATER)
+ {
+ BusDeferredMessageStatus status;
++
++ if (dispatched_deferred_message != NULL)
++ {
++ /* for deferred dispatch prepend message at the recipient */
++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, TRUE))
++ {
++ BUS_SET_OOM(error);
++ return BUS_RESULT_FALSE;
++ }
++ return BUS_RESULT_TRUE; /* pretend to have sent it */
++ }
++
+ status = bus_deferred_message_get_status(deferred_message);
+
+ if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND)
+@@ -131,13 +205,18 @@ bus_dispatch_matches (BusTransaction *transaction,
+ }
+ else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE)
+ {
+- dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+- "Rejecting message because time is needed to check security policy");
+- return BUS_RESULT_FALSE;
++ /* receive rule result not available - queue message at the recipient */
++ if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, FALSE))
++ {
++ BUS_SET_OOM(error);
++ return BUS_RESULT_FALSE;
++ }
++
++ return BUS_RESULT_TRUE; /* pretend to have sent it */
+ }
+ else
+ {
+- _dbus_verbose("deferred message has no status field set to send or receive unexpectedly\n");
++ _dbus_verbose("deferred message has no status field set unexpectedly\n");
+ return BUS_RESULT_FALSE;
+ }
+ }
+@@ -154,7 +233,8 @@ bus_dispatch_matches (BusTransaction *transaction,
+ }
+
+ /* Dispatch the message */
+- if (!bus_transaction_send (transaction, addressed_recipient, message))
++ if (!bus_transaction_send(transaction, addressed_recipient, message,
++ dispatched_deferred_message != NULL ? TRUE : FALSE))
+ {
+ BUS_SET_OOM (error);
+ return BUS_RESULT_FALSE;
+@@ -385,7 +465,7 @@ bus_dispatch (DBusConnection *connection,
+ * match rules.
+ */
+ if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient,
+- message, &error))
++ message, NULL, &error))
+ {
+ /* Roll back and dispatch the message once the policy result is available */
+ bus_transaction_cancel_and_free (transaction);
+diff --git a/bus/dispatch.h b/bus/dispatch.h
+index afba6a2..f6102e8 100644
+--- a/bus/dispatch.h
++++ b/bus/dispatch.h
+@@ -29,10 +29,11 @@
+
+ dbus_bool_t bus_dispatch_add_connection (DBusConnection *connection);
+ void bus_dispatch_remove_connection (DBusConnection *connection);
+-BusResult bus_dispatch_matches (BusTransaction *transaction,
+- DBusConnection *sender,
+- DBusConnection *recipient,
+- DBusMessage *message,
+- DBusError *error);
++BusResult bus_dispatch_matches (BusTransaction *transaction,
++ DBusConnection *sender,
++ DBusConnection *recipient,
++ DBusMessage *message,
++ BusDeferredMessage *dispatched_deferred_message,
++ DBusError *error);
+
+ #endif /* BUS_DISPATCH_H */
+diff --git a/bus/driver.c b/bus/driver.c
+index 4dbce3d..2fb1385 100644
+--- a/bus/driver.c
++++ b/bus/driver.c
+@@ -130,7 +130,7 @@ bus_driver_send_service_owner_changed (const char *service_name,
+
+ _dbus_assert (dbus_message_has_signature (message, "sss"));
+
+- res = bus_dispatch_matches (transaction, NULL, NULL, message, error);
++ res = bus_dispatch_matches (transaction, NULL, NULL, message, NULL, error);
+ if (res == BUS_RESULT_TRUE)
+ retval = TRUE;
+ else if (res == BUS_RESULT_FALSE)
+diff --git a/bus/policy.c b/bus/policy.c
+index ec888df..448147f 100644
+--- a/bus/policy.c
++++ b/bus/policy.c
+@@ -1071,6 +1071,9 @@ bus_client_policy_check_can_send (DBusConnection *sender,
+
+ result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
+ privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
++ if (result == BUS_RESULT_LATER && deferred_message != NULL)
++ bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
++ *toggles, privilege);
+ }
+ else
+ privilege = NULL;
+@@ -1305,6 +1308,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+
+ result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
+ privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
++ if (result == BUS_RESULT_LATER && deferred_message != NULL)
++ bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
++ *toggles, privilege);
+ }
+ else
+ privilege = NULL;
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0007-Add-own-rule-result-unavailability-handling.patch b/meta-security/recipes-core/dbus/dbus-cynara/0007-Add-own-rule-result-unavailability-handling.patch
new file mode 100644
index 000000000..e1b1e62f1
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0007-Add-own-rule-result-unavailability-handling.patch
@@ -0,0 +1,1142 @@
+From 35ef89cd6777ea2430077fc621d21bd01df92349 Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Thu, 27 Nov 2014 11:26:21 +0100
+Subject: [PATCH 7/8] Add own rule result unavailability handling
+
+Own rule result unavailability is handled like send rules - dispatching
+messages from the sender is blocked and resumed when result becomes
+available.
+
+Handler of "RequestName" method needs to return BUS_RESULT_LATER when
+policy result is not known therefore its return type is modified.
+Since bus message handlers are put into function pointer array other
+message handler function singatures are also affected.
+
+Change-Id: I4c2cbd4585e41fccd8a30f825a8f0d342ab56755
+---
+ bus/dispatch.c | 11 ++-
+ bus/driver.c | 227 ++++++++++++++++++++++++++++++---------------------------
+ bus/driver.h | 2 +-
+ bus/policy.c | 51 ++++++++++---
+ bus/policy.h | 6 +-
+ bus/services.c | 26 +++++--
+ bus/services.h | 3 +-
+ bus/stats.c | 16 ++--
+ 8 files changed, 204 insertions(+), 138 deletions(-)
+
+diff --git a/bus/dispatch.c b/bus/dispatch.c
+index 9972e76..d3b970f 100644
+--- a/bus/dispatch.c
++++ b/bus/dispatch.c
+@@ -404,8 +404,17 @@ bus_dispatch (DBusConnection *connection,
+ }
+
+ _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS);
+- if (!bus_driver_handle_message (connection, transaction, message, &error))
++ res = bus_driver_handle_message (connection, transaction, message, &error);
++ if (res == BUS_RESULT_FALSE)
+ goto out;
++ else if (res == BUS_RESULT_LATER)
++ {
++ /* connection has been disabled in message handler */
++ bus_transaction_cancel_and_free (transaction);
++ transaction = NULL;
++ result = DBUS_HANDLER_RESULT_LATER;
++ goto out;
++ }
+ }
+ else if (!bus_connection_is_active (connection)) /* clients must talk to bus driver first */
+ {
+diff --git a/bus/driver.c b/bus/driver.c
+index 2fb1385..9708f49 100644
+--- a/bus/driver.c
++++ b/bus/driver.c
+@@ -297,7 +297,7 @@ create_unique_client_name (BusRegistry *registry,
+ return TRUE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_hello (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -305,7 +305,7 @@ bus_driver_handle_hello (DBusConnection *connection,
+ {
+ DBusString unique_name;
+ BusService *service;
+- dbus_bool_t retval;
++ BusResult retval;
+ BusRegistry *registry;
+ BusConnections *connections;
+
+@@ -316,7 +316,7 @@ bus_driver_handle_hello (DBusConnection *connection,
+ /* We already handled an Hello message for this connection. */
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+ "Already handled an Hello message");
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ /* Note that when these limits are exceeded we don't disconnect the
+@@ -330,16 +330,16 @@ bus_driver_handle_hello (DBusConnection *connection,
+ error))
+ {
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (!_dbus_string_init (&unique_name))
+ {
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+- retval = FALSE;
++ retval = BUS_RESULT_FALSE;
+
+ registry = bus_connection_get_registry (connection);
+
+@@ -372,7 +372,7 @@ bus_driver_handle_hello (DBusConnection *connection,
+ goto out_0;
+
+ _dbus_assert (bus_connection_is_active (connection));
+- retval = TRUE;
++ retval = BUS_RESULT_TRUE;
+
+ out_0:
+ _dbus_string_free (&unique_name);
+@@ -424,7 +424,7 @@ bus_driver_send_welcome_message (DBusConnection *connection,
+ }
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_list_services (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -446,14 +446,14 @@ bus_driver_handle_list_services (DBusConnection *connection,
+ if (reply == NULL)
+ {
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (!bus_registry_list_services (registry, &services, &len))
+ {
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ dbus_message_iter_init_append (reply, &iter);
+@@ -465,7 +465,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
+ dbus_free_string_array (services);
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ {
+@@ -477,7 +477,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
+ dbus_free_string_array (services);
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ }
+
+@@ -490,7 +490,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
+ dbus_free_string_array (services);
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ ++i;
+ }
+@@ -501,23 +501,23 @@ bus_driver_handle_list_services (DBusConnection *connection,
+ {
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (!bus_transaction_send_from_driver (transaction, connection, reply))
+ {
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ else
+ {
+ dbus_message_unref (reply);
+- return TRUE;
++ return BUS_RESULT_TRUE;
+ }
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -539,14 +539,14 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+ if (reply == NULL)
+ {
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (!bus_activation_list_services (activation, &services, &len))
+ {
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ dbus_message_iter_init_append (reply, &iter);
+@@ -558,7 +558,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+ dbus_free_string_array (services);
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ {
+@@ -570,7 +570,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+ dbus_free_string_array (services);
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ }
+
+@@ -583,7 +583,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+ dbus_free_string_array (services);
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ ++i;
+ }
+@@ -594,23 +594,23 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
+ {
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (!bus_transaction_send_from_driver (transaction, connection, reply))
+ {
+ dbus_message_unref (reply);
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+ else
+ {
+ dbus_message_unref (reply);
+- return TRUE;
++ return BUS_RESULT_TRUE;
+ }
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_acquire_service (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -621,7 +621,8 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+ const char *name;
+ dbus_uint32_t service_reply;
+ dbus_uint32_t flags;
+- dbus_bool_t retval;
++ BusResult retval;
++ BusResult res;
+ BusRegistry *registry;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+@@ -632,20 +633,24 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+ DBUS_TYPE_STRING, &name,
+ DBUS_TYPE_UINT32, &flags,
+ DBUS_TYPE_INVALID))
+- return FALSE;
++ return BUS_RESULT_FALSE;
+
+ _dbus_verbose ("Trying to own name %s with flags 0x%x\n", name, flags);
+
+- retval = FALSE;
++ retval = BUS_RESULT_FALSE;
+ reply = NULL;
+
+ _dbus_string_init_const (&service_name, name);
+
+- if (!bus_registry_acquire_service (registry, connection,
+- &service_name, flags,
+- &service_reply, transaction,
+- error))
+- goto out;
++ res = bus_registry_acquire_service (registry, connection, message,
++ &service_name, flags,
++ &service_reply, transaction,
++ error);
++ if (res != BUS_RESULT_TRUE)
++ {
++ retval = res;
++ goto out;
++ }
+
+ reply = dbus_message_new_method_return (message);
+ if (reply == NULL)
+@@ -666,7 +671,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+ goto out;
+ }
+
+- retval = TRUE;
++ retval = BUS_RESULT_TRUE;
+
+ out:
+ if (reply)
+@@ -674,7 +679,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
+ return retval;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_release_service (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -684,7 +689,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
+ DBusString service_name;
+ const char *name;
+ dbus_uint32_t service_reply;
+- dbus_bool_t retval;
++ BusResult retval;
+ BusRegistry *registry;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+@@ -694,11 +699,11 @@ bus_driver_handle_release_service (DBusConnection *connection,
+ if (!dbus_message_get_args (message, error,
+ DBUS_TYPE_STRING, &name,
+ DBUS_TYPE_INVALID))
+- return FALSE;
++ return BUS_RESULT_FALSE;
+
+ _dbus_verbose ("Trying to release name %s\n", name);
+
+- retval = FALSE;
++ retval = BUS_RESULT_FALSE;
+ reply = NULL;
+
+ _dbus_string_init_const (&service_name, name);
+@@ -727,7 +732,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
+ goto out;
+ }
+
+- retval = TRUE;
++ retval = BUS_RESULT_TRUE;
+
+ out:
+ if (reply)
+@@ -735,7 +740,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
+ return retval;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_service_exists (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -746,7 +751,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+ BusService *service;
+ dbus_bool_t service_exists;
+ const char *name;
+- dbus_bool_t retval;
++ BusResult retval;
+ BusRegistry *registry;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+@@ -756,9 +761,9 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+ if (!dbus_message_get_args (message, error,
+ DBUS_TYPE_STRING, &name,
+ DBUS_TYPE_INVALID))
+- return FALSE;
++ return BUS_RESULT_FALSE;
+
+- retval = FALSE;
++ retval = BUS_RESULT_FALSE;
+
+ if (strcmp (name, DBUS_SERVICE_DBUS) == 0)
+ {
+@@ -792,7 +797,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+ goto out;
+ }
+
+- retval = TRUE;
++ retval = BUS_RESULT_TRUE;
+
+ out:
+ if (reply)
+@@ -801,7 +806,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
+ return retval;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_activate_service (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -809,7 +814,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
+ {
+ dbus_uint32_t flags;
+ const char *name;
+- dbus_bool_t retval;
++ BusResult retval;
+ BusActivation *activation;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+@@ -823,10 +828,10 @@ bus_driver_handle_activate_service (DBusConnection *connection,
+ {
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ _dbus_verbose ("No memory to get arguments to StartServiceByName\n");
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+- retval = FALSE;
++ retval = BUS_RESULT_FALSE;
+
+ if (!bus_activation_activate_service (activation, connection, transaction, FALSE,
+ message, name, error))
+@@ -836,7 +841,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
+ goto out;
+ }
+
+- retval = TRUE;
++ retval = BUS_RESULT_TRUE;
+
+ out:
+ return retval;
+@@ -872,13 +877,13 @@ send_ack_reply (DBusConnection *connection,
+ return TRUE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_update_activation_environment (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+ DBusError *error)
+ {
+- dbus_bool_t retval;
++ BusResult retval;
+ BusActivation *activation;
+ DBusMessageIter iter;
+ DBusMessageIter dict_iter;
+@@ -939,7 +944,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
+
+ dbus_message_iter_recurse (&iter, &dict_iter);
+
+- retval = FALSE;
++ retval = BUS_RESULT_FALSE;
+
+ /* Then loop through the sent dictionary, add the location of
+ * the environment keys and values to lists. The result will
+@@ -1026,7 +1031,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
+ message, error))
+ goto out;
+
+- retval = TRUE;
++ retval = BUS_RESULT_TRUE;
+
+ out:
+ _dbus_list_clear (&keys);
+@@ -1034,7 +1039,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
+ return retval;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_add_match (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1093,16 +1098,16 @@ bus_driver_handle_add_match (DBusConnection *connection,
+
+ bus_match_rule_unref (rule);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ failed:
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (rule)
+ bus_match_rule_unref (rule);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_remove_match (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1146,16 +1151,16 @@ bus_driver_handle_remove_match (DBusConnection *connection,
+
+ bus_match_rule_unref (rule);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ failed:
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (rule)
+ bus_match_rule_unref (rule);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_get_service_owner (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1225,7 +1230,7 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
+
+ dbus_message_unref (reply);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1234,10 +1239,10 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (reply)
+ dbus_message_unref (reply);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_list_queued_owners (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1328,7 +1333,7 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
+
+ dbus_message_unref (reply);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1341,10 +1346,10 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
+ if (base_names)
+ _dbus_list_clear (&base_names);
+
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1389,7 +1394,7 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
+
+ dbus_message_unref (reply);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1398,10 +1403,10 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (reply)
+ dbus_message_unref (reply);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1446,7 +1451,7 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
+
+ dbus_message_unref (reply);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1455,10 +1460,10 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (reply)
+ dbus_message_unref (reply);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1502,7 +1507,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
+
+ dbus_message_unref (reply);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1511,10 +1516,10 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (reply)
+ dbus_message_unref (reply);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1556,7 +1561,7 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
+
+ dbus_message_unref (reply);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1565,10 +1570,10 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (reply)
+ dbus_message_unref (reply);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1645,7 +1650,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+
+ dbus_message_unref (reply);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1659,10 +1664,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
+ dbus_message_unref (reply);
+ }
+
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_reload_config (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1687,7 +1692,7 @@ bus_driver_handle_reload_config (DBusConnection *connection,
+ goto oom;
+
+ dbus_message_unref (reply);
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -1696,10 +1701,10 @@ bus_driver_handle_reload_config (DBusConnection *connection,
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ if (reply)
+ dbus_message_unref (reply);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_get_id (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1715,7 +1720,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
+ if (!_dbus_string_init (&uuid))
+ {
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ reply = NULL;
+@@ -1741,7 +1746,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
+
+ _dbus_string_free (&uuid);
+ dbus_message_unref (reply);
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+@@ -1751,7 +1756,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
+ if (reply)
+ dbus_message_unref (reply);
+ _dbus_string_free (&uuid);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ typedef struct
+@@ -1759,10 +1764,10 @@ typedef struct
+ const char *name;
+ const char *in_args;
+ const char *out_args;
+- dbus_bool_t (* handler) (DBusConnection *connection,
+- BusTransaction *transaction,
+- DBusMessage *message,
+- DBusError *error);
++ BusResult (* handler) (DBusConnection *connection,
++ BusTransaction *transaction,
++ DBusMessage *message,
++ DBusError *error);
+ } MessageHandler;
+
+ /* For speed it might be useful to sort this in order of
+@@ -1847,7 +1852,7 @@ static const MessageHandler dbus_message_handlers[] = {
+ { NULL, NULL, NULL, NULL }
+ };
+
+-static dbus_bool_t bus_driver_handle_introspect (DBusConnection *,
++static BusResult bus_driver_handle_introspect (DBusConnection *,
+ BusTransaction *, DBusMessage *, DBusError *);
+
+ static const MessageHandler introspectable_message_handlers[] = {
+@@ -1973,7 +1978,7 @@ bus_driver_generate_introspect_string (DBusString *xml)
+ return TRUE;
+ }
+
+-static dbus_bool_t
++static BusResult
+ bus_driver_handle_introspect (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -1993,13 +1998,13 @@ bus_driver_handle_introspect (DBusConnection *connection,
+ DBUS_TYPE_INVALID))
+ {
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (!_dbus_string_init (&xml))
+ {
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ if (!bus_driver_generate_introspect_string (&xml))
+@@ -2022,7 +2027,7 @@ bus_driver_handle_introspect (DBusConnection *connection,
+ dbus_message_unref (reply);
+ _dbus_string_free (&xml);
+
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ BUS_SET_OOM (error);
+@@ -2032,7 +2037,7 @@ bus_driver_handle_introspect (DBusConnection *connection,
+
+ _dbus_string_free (&xml);
+
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ /*
+@@ -2067,7 +2072,7 @@ bus_driver_check_message_is_for_us (DBusMessage *message,
+ return TRUE;
+ }
+
+-dbus_bool_t
++BusResult
+ bus_driver_handle_message (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -2077,6 +2082,7 @@ bus_driver_handle_message (DBusConnection *connection,
+ const InterfaceHandler *ih;
+ const MessageHandler *mh;
+ dbus_bool_t found_interface = FALSE;
++ BusResult res;
+
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+
+@@ -2085,13 +2091,13 @@ bus_driver_handle_message (DBusConnection *connection,
+ BusContext *context;
+
+ context = bus_connection_get_context (connection);
+- return dbus_activation_systemd_failure(bus_context_get_activation(context), message);
++ return dbus_activation_systemd_failure(bus_context_get_activation(context), message) == TRUE ? BUS_RESULT_TRUE : BUS_RESULT_FALSE;
+ }
+
+ if (dbus_message_get_type (message) != DBUS_MESSAGE_TYPE_METHOD_CALL)
+ {
+ _dbus_verbose ("Driver got a non-method-call message, ignoring\n");
+- return TRUE; /* we just ignore this */
++ return BUS_RESULT_TRUE; /* we just ignore this */
+ }
+
+ /* may be NULL, which means "any interface will do" */
+@@ -2133,20 +2139,27 @@ bus_driver_handle_message (DBusConnection *connection,
+ name, dbus_message_get_signature (message),
+ mh->in_args);
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+- if ((* mh->handler) (connection, transaction, message, error))
++ res = (* mh->handler) (connection, transaction, message, error);
++ if (res == BUS_RESULT_TRUE)
+ {
+ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
+ _dbus_verbose ("Driver handler succeeded\n");
+- return TRUE;
++ return BUS_RESULT_TRUE;
+ }
+- else
++ else if (res == BUS_RESULT_FALSE)
+ {
+ _DBUS_ASSERT_ERROR_IS_SET (error);
+ _dbus_verbose ("Driver handler returned failure\n");
+- return FALSE;
++ return BUS_RESULT_FALSE;
++ }
++ else if (res == BUS_RESULT_LATER)
++ {
++ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
++ _dbus_verbose ("Driver handler delayed message processing due to policy check\n");
++ return BUS_RESULT_LATER;
+ }
+ }
+ }
+@@ -2158,7 +2171,7 @@ bus_driver_handle_message (DBusConnection *connection,
+ "%s does not understand message %s",
+ DBUS_SERVICE_DBUS, name);
+
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ void
+diff --git a/bus/driver.h b/bus/driver.h
+index 201709c..3ff4ff1 100644
+--- a/bus/driver.h
++++ b/bus/driver.h
+@@ -28,7 +28,7 @@
+ #include "connection.h"
+
+ void bus_driver_remove_connection (DBusConnection *connection);
+-dbus_bool_t bus_driver_handle_message (DBusConnection *connection,
++BusResult bus_driver_handle_message (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+ DBusError *error);
+diff --git a/bus/policy.c b/bus/policy.c
+index 448147f..3672ff9 100644
+--- a/bus/policy.c
++++ b/bus/policy.c
+@@ -1323,18 +1323,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+
+
+
+-static dbus_bool_t
++static BusResult
+ bus_rules_check_can_own (DBusList *rules,
+- const DBusString *service_name)
++ const DBusString *service_name,
++ DBusConnection *connection,
++ DBusMessage *message)
+ {
+ DBusList *link;
+- dbus_bool_t allowed;
++ BusResult result;
++ const char *privilege;
+
+ /* rules is in the order the rules appeared
+ * in the config file, i.e. last rule that applies wins
+ */
+
+- allowed = FALSE;
++ result = BUS_RESULT_FALSE;
+ link = _dbus_list_get_first_link (&rules);
+ while (link != NULL)
+ {
+@@ -1370,17 +1373,45 @@ bus_rules_check_can_own (DBusList *rules,
+ }
+
+ /* Use this rule */
+- allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
++ switch (rule->access)
++ {
++ case BUS_POLICY_RULE_ACCESS_ALLOW:
++ result = BUS_RESULT_TRUE;
++ break;
++ case BUS_POLICY_RULE_ACCESS_DENY:
++ result = BUS_RESULT_FALSE;
++ break;
++ case BUS_POLICY_RULE_ACCESS_CHECK:
++ result = BUS_RESULT_LATER;
++ privilege = rule->privilege;
++ break;
++ }
+ }
+
+- return allowed;
++ if (result == BUS_RESULT_LATER)
++ {
++ BusContext *context = bus_connection_get_context(connection);
++ BusCheck *check = bus_context_get_check(context);
++ BusDeferredMessage *deferred_message;
++
++ result = bus_check_privilege(check, message, connection, NULL, NULL,
++ privilege, BUS_DEFERRED_MESSAGE_CHECK_OWN, &deferred_message);
++ if (result == BUS_RESULT_LATER)
++ {
++ bus_deferred_message_disable_sender(deferred_message);
++ }
++ }
++
++ return result;
+ }
+
+-dbus_bool_t
++BusResult
+ bus_client_policy_check_can_own (BusClientPolicy *policy,
+- const DBusString *service_name)
++ const DBusString *service_name,
++ DBusConnection *connection,
++ DBusMessage *message)
+ {
+- return bus_rules_check_can_own (policy->rules, service_name);
++ return bus_rules_check_can_own (policy->rules, service_name, connection, message);
+ }
+
+ #ifdef DBUS_ENABLE_EMBEDDED_TESTS
+@@ -1388,7 +1419,7 @@ dbus_bool_t
+ bus_policy_check_can_own (BusPolicy *policy,
+ const DBusString *service_name)
+ {
+- return bus_rules_check_can_own (policy->default_rules, service_name);
++ return bus_rules_check_can_own (policy->default_rules, service_name, NULL, NULL);
+ }
+ #endif /* DBUS_ENABLE_EMBEDDED_TESTS */
+
+diff --git a/bus/policy.h b/bus/policy.h
+index e9f193a..1f23431 100644
+--- a/bus/policy.h
++++ b/bus/policy.h
+@@ -170,8 +170,10 @@ BusResult bus_client_policy_check_can_receive (BusClientPolicy *polic
+ dbus_int32_t *toggles,
+ const char **privilege_param,
+ BusDeferredMessage **deferred_message);
+-dbus_bool_t bus_client_policy_check_can_own (BusClientPolicy *policy,
+- const DBusString *service_name);
++BusResult bus_client_policy_check_can_own (BusClientPolicy *policy,
++ const DBusString *service_name,
++ DBusConnection *connection,
++ DBusMessage *message);
+ dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy,
+ BusPolicyRule *rule);
+ void bus_client_policy_optimize (BusClientPolicy *policy);
+diff --git a/bus/services.c b/bus/services.c
+index 584485b..f25fdf3 100644
+--- a/bus/services.c
++++ b/bus/services.c
+@@ -374,24 +374,26 @@ bus_registry_list_services (BusRegistry *registry,
+ return FALSE;
+ }
+
+-dbus_bool_t
++BusResult
+ bus_registry_acquire_service (BusRegistry *registry,
+ DBusConnection *connection,
++ DBusMessage *message,
+ const DBusString *service_name,
+ dbus_uint32_t flags,
+ dbus_uint32_t *result,
+ BusTransaction *transaction,
+ DBusError *error)
+ {
+- dbus_bool_t retval;
++ BusResult retval;
+ DBusConnection *old_owner_conn;
+ BusClientPolicy *policy;
+ BusService *service;
+ BusActivation *activation;
+ BusSELinuxID *sid;
+ BusOwner *primary_owner;
++ BusResult res;
+
+- retval = FALSE;
++ retval = BUS_RESULT_FALSE;
+
+ if (!_dbus_validate_bus_name (service_name, 0,
+ _dbus_string_get_length (service_name)))
+@@ -459,7 +461,8 @@ bus_registry_acquire_service (BusRegistry *registry,
+ goto out;
+ }
+
+- if (!bus_client_policy_check_can_own (policy, service_name))
++ res = bus_client_policy_check_can_own (policy, service_name, connection, message);
++ if (res == BUS_RESULT_FALSE)
+ {
+ dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
+ "Connection \"%s\" is not allowed to own the service \"%s\" due "
+@@ -470,6 +473,11 @@ bus_registry_acquire_service (BusRegistry *registry,
+ _dbus_string_get_const_data (service_name));
+ goto out;
+ }
++ else if (res == BUS_RESULT_LATER)
++ {
++ retval = BUS_RESULT_LATER;
++ goto out;
++ }
+
+ if (bus_connection_get_n_services_owned (connection) >=
+ bus_context_get_max_services_per_connection (registry->context))
+@@ -586,11 +594,13 @@ bus_registry_acquire_service (BusRegistry *registry,
+ }
+
+ activation = bus_context_get_activation (registry->context);
+- retval = bus_activation_send_pending_auto_activation_messages (activation,
++
++ if (bus_activation_send_pending_auto_activation_messages (activation,
+ service,
+- transaction);
+- if (!retval)
+- BUS_SET_OOM (error);
++ transaction))
++ retval = BUS_RESULT_TRUE;
++ else
++ BUS_SET_OOM (error);
+
+ out:
+ return retval;
+diff --git a/bus/services.h b/bus/services.h
+index 056dd9f..3df3dd7 100644
+--- a/bus/services.h
++++ b/bus/services.h
+@@ -50,8 +50,9 @@ void bus_registry_foreach (BusRegistry *registry
+ dbus_bool_t bus_registry_list_services (BusRegistry *registry,
+ char ***listp,
+ int *array_len);
+-dbus_bool_t bus_registry_acquire_service (BusRegistry *registry,
++BusResult bus_registry_acquire_service (BusRegistry *registry,
+ DBusConnection *connection,
++ DBusMessage *message,
+ const DBusString *service_name,
+ dbus_uint32_t flags,
+ dbus_uint32_t *result,
+diff --git a/bus/stats.c b/bus/stats.c
+index 20321e5..61dc428 100644
+--- a/bus/stats.c
++++ b/bus/stats.c
+@@ -35,7 +35,7 @@
+
+ #ifdef DBUS_ENABLE_STATS
+
+-dbus_bool_t
++BusResult
+ bus_stats_handle_get_stats (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -106,17 +106,17 @@ bus_stats_handle_get_stats (DBusConnection *connection,
+ goto oom;
+
+ dbus_message_unref (reply);
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ if (reply != NULL)
+ dbus_message_unref (reply);
+
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+-dbus_bool_t
++BusResult
+ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+@@ -143,7 +143,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
+ if (! dbus_message_get_args (message, error,
+ DBUS_TYPE_STRING, &bus_name,
+ DBUS_TYPE_INVALID))
+- return FALSE;
++ return BUS_RESULT_FALSE;
+
+ _dbus_string_init_const (&bus_name_str, bus_name);
+ service = bus_registry_lookup (registry, &bus_name_str);
+@@ -152,7 +152,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
+ {
+ dbus_set_error (error, DBUS_ERROR_NAME_HAS_NO_OWNER,
+ "Bus name '%s' has no owner", bus_name);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ stats_connection = bus_service_get_primary_owners_connection (service);
+@@ -214,14 +214,14 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
+ goto oom;
+
+ dbus_message_unref (reply);
+- return TRUE;
++ return BUS_RESULT_TRUE;
+
+ oom:
+ if (reply != NULL)
+ dbus_message_unref (reply);
+
+ BUS_SET_OOM (error);
+- return FALSE;
++ return BUS_RESULT_FALSE;
+ }
+
+ #endif
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/0008-Add-GetConnectionSmackContext-D-Bus-daemon-method.patch b/meta-security/recipes-core/dbus/dbus-cynara/0008-Add-GetConnectionSmackContext-D-Bus-daemon-method.patch
new file mode 100644
index 000000000..43a1ef658
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/0008-Add-GetConnectionSmackContext-D-Bus-daemon-method.patch
@@ -0,0 +1,99 @@
+From 6c9997fb1cdff4281166e8c2fb8276018b1025dd Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Mon, 15 Jun 2015 11:46:47 +0200
+Subject: [PATCH 8/8] Add "GetConnectionSmackContext" D-Bus daemon method
+
+This method is used to obtain smack label of given D-Bus client.
+Note that it is deprecated and is included only for compatilibity with
+existing D-Bus users. GetConnectionCredentials should be used to obtain
+client's credentials.
+
+Change-Id: Idf9648032ca5cbd9605ffab055e6384baa4eb9b4
+---
+ bus/driver.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 63 insertions(+)
+
+diff --git a/bus/driver.c b/bus/driver.c
+index 9708f49..4e76224 100644
+--- a/bus/driver.c
++++ b/bus/driver.c
+@@ -1759,6 +1759,65 @@ bus_driver_handle_get_id (DBusConnection *connection,
+ return BUS_RESULT_FALSE;
+ }
+
++static BusResult
++bus_driver_handle_get_connection_smack_context (DBusConnection *connection,
++ BusTransaction *transaction,
++ DBusMessage *message,
++ DBusError *error)
++{
++ DBusConnection *conn;
++ DBusMessage *reply = NULL;
++ char *label = NULL;
++ const char *service;
++
++ _DBUS_ASSERT_ERROR_IS_CLEAR (error);
++
++ conn = bus_driver_get_conn_helper (connection, message, "credentials",
++ &service, error);
++ if (conn == NULL)
++ goto err;
++
++ reply = dbus_message_new_method_return (message);
++ if (reply == NULL)
++ goto oom;
++
++ if (!_dbus_connection_get_linux_security_label (conn, &label))
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED,
++ "Failed to get smack label of connection",
++ conn);
++ goto err;
++ }
++
++ if (label == NULL)
++ goto oom;
++
++ if (!dbus_message_append_args (reply,
++ DBUS_TYPE_STRING, &label,
++ DBUS_TYPE_INVALID))
++ goto oom;
++
++ if (!bus_transaction_send_from_driver (transaction, connection, reply))
++ goto oom;
++
++ dbus_message_unref (reply);
++ dbus_free(label);
++
++ return BUS_RESULT_TRUE;
++
++oom:
++ BUS_SET_OOM (error);
++
++err:
++ if (reply != NULL)
++ dbus_message_unref (reply);
++
++ dbus_free(label);
++
++ return BUS_RESULT_FALSE;
++}
++
++
+ typedef struct
+ {
+ const char *name;
+@@ -1849,6 +1908,10 @@ static const MessageHandler dbus_message_handlers[] = {
+ bus_driver_handle_get_id },
+ { "GetConnectionCredentials", "s", "a{sv}",
+ bus_driver_handle_get_connection_credentials },
++ { "GetConnectionSmackContext", /* deprecated - you should use GetConnectionCredentials instead */
++ DBUS_TYPE_STRING_AS_STRING,
++ DBUS_TYPE_STRING_AS_STRING,
++ bus_driver_handle_get_connection_smack_context },
+ { NULL, NULL, NULL, NULL }
+ };
+
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara/Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus/dbus-cynara/Perform-Cynara-runtime-policy-checks-by-default.patch
new file mode 100644
index 000000000..e573fb3b3
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara/Perform-Cynara-runtime-policy-checks-by-default.patch
@@ -0,0 +1,116 @@
+From e8610297cf7031e94eb314a2e8c11246f4405403 Mon Sep 17 00:00:00 2001
+From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+Date: Tue, 23 Jun 2015 11:08:48 +0200
+Subject: [PATCH] Perform Cynara runtime policy checks by default
+
+This change introduces http://tizen.org/privilege/internal/dbus privilege
+which is supposed to be available only to trusted system resources.
+Checks for this privilege are used in place of certain allow rules to
+make security policy more strict.
+
+For system bus sending and receiving signals now requires
+http://tizen.org/privilege/internal/dbus privilege. Requesting name
+ownership and sending methods is still denied by default.
+
+For session bus http://tizen.org/privilege/internal/dbus privilege
+is now required for requesting name, calling methods, sending and receiving
+signals.
+
+Services are supposed to override these default settings to implement their
+own security policy.
+
+Change-Id: Ifb4a160bf6e0638404e0295a2e4fa3077efd881c
+Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
+---
+ bus/session.conf.in | 32 ++++++++++++++++++++++++++------
+ bus/system.conf.in | 22 ++++++++++++++++------
+ 2 files changed, 42 insertions(+), 12 deletions(-)
+
+diff --git a/bus/session.conf.in b/bus/session.conf.in
+index 74d9d1f..fa5c232 100644
+--- a/bus/session.conf.in
++++ b/bus/session.conf.in
+@@ -17,12 +17,32 @@
+ <standard_session_servicedirs />
+
+ <policy context="default">
+- <!-- Allow everything to be sent -->
+- <allow send_destination="*" eavesdrop="true"/>
+- <!-- Allow everything to be received -->
+- <allow eavesdrop="true"/>
+- <!-- Allow anyone to own anything -->
+- <allow own="*"/>
++ <!-- By default clients require internal/dbus privilege to communicate
++ with D-Bus services and to claim name ownership. This is internal privilege that
++ is only accessible to trusted system services -->
++ <check own="*" privilege="http://tizen.org/privilege/internal/dbus" />
++ <check send_type="method_call" privilege="http://tizen.org/privilege/internal/dbus" />
++ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
++ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
++
++ <!-- Reply messages (method returns, errors) are allowed
++ by default -->
++ <allow send_requested_reply="true" send_type="method_return"/>
++ <allow send_requested_reply="true" send_type="error"/>
++
++ <!-- All messages but signals may be received by default -->
++ <allow receive_type="method_call"/>
++ <allow receive_type="method_return"/>
++ <allow receive_type="error"/>
++
++ <!-- Allow anyone to talk to the message bus -->
++ <allow send_destination="org.freedesktop.DBus"/>
++ <allow receive_sender="org.freedesktop.DBus"/>
++
++ <!-- But disallow some specific bus services -->
++ <deny send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.DBus"
++ send_member="UpdateActivationEnvironment"/>
+ </policy>
+
+ <!-- Config files are placed here that among other things,
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..dd16947 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -50,21 +50,31 @@
+ <deny own="*"/>
+ <deny send_type="method_call"/>
+
+- <!-- Signals and reply messages (method returns, errors) are allowed
++ <!-- By default clients require internal/dbus privilege to send and receive signaks.
++ This is internal privilege that is only accessible to trusted system services -->
++ <check send_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
++ <check receive_type="signal" privilege="http://tizen.org/privilege/internal/dbus" />
++
++ <!-- Reply messages (method returns, errors) are allowed
+ by default -->
+- <allow send_type="signal"/>
+ <allow send_requested_reply="true" send_type="method_return"/>
+ <allow send_requested_reply="true" send_type="error"/>
+
+- <!-- All messages may be received by default -->
++ <!-- All messages but signals may be received by default -->
+ <allow receive_type="method_call"/>
+ <allow receive_type="method_return"/>
+ <allow receive_type="error"/>
+- <allow receive_type="signal"/>
+
+- <!-- Allow anyone to talk to the message bus -->
++ <!-- If there is a need specific bus services could be protected by Cynara as well.
++ However, this can lead to deadlock during the boot process when such check is made and
++ Cynara is not yet activated (systemd calls protected method synchronously,
++ dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
++ Therefore it is advised to allow root processes to use bus services.
++ Currently anyone is allowed to talk to the message bus -->
+ <allow send_destination="org.freedesktop.DBus"/>
+- <!-- But disallow some specific bus services -->
++ <allow receive_sender="org.freedesktop.DBus"/>
++
++ <!-- Disallow some specific bus services -->
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/dbus/dbus-cynara_1.8.18.bb b/meta-security/recipes-core/dbus/dbus-cynara_1.8.18.bb
new file mode 100644
index 000000000..bcff737cd
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-cynara_1.8.18.bb
@@ -0,0 +1,58 @@
+require dbus-oe-core.inc
+FILESEXTRAPATHS_prepend := "${COREBASE}/meta/recipes-core/dbus/dbus:${THISDIR}/dbus-cynara:"
+S = "${WORKDIR}/dbus-${PV}"
+libexecdir = "${libdir}/dbus"
+
+SRC_URI[md5sum] = "83e607e9ccb1c921d5b6bbea2376a36c"
+SRC_URI[sha256sum] = "36f2eb9c777a3c71562573da36a147e900a642afcd44d2b0470d992a4898c4f2"
+
+# From https://review.tizen.org/gerrit/#/admin/projects/platform/upstream/dbus
+# revision 6c9997fb1cdff4281166e8c2fb8276018b1025dd
+# aka https://review.tizen.org/git/?p=platform%2Fupstream%2Fdbus.git;a=shortlog;h=refs%2Fheads%2Fsandbox%2Fjacekbe%2Fupgrade
+# as announced in https://bugs.tizen.org/jira/browse/TC-2520 "D-Bus: local denial of service attack"
+SRC_URI += " \
+file://0001-Fix-memleak-in-GetConnectionCredentials-handler.patch \
+file://0002-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch \
+file://0003-Add-LSM-agnostic-support-for-LinuxSecurityLabel-cred.patch \
+file://0004-Integration-of-Cynara-asynchronous-security-checks.patch \
+file://0005-Disable-message-dispatching-when-send-rule-result-is.patch \
+file://0006-Handle-unavailability-of-policy-results-for-broadcas.patch \
+file://0007-Add-own-rule-result-unavailability-handling.patch \
+"
+
+# Provides a legacy API which shouldn't be used in new code. It is
+# still needed at the moment because cynara helper methods call it
+# (creds-dbus-inner.cpp, creds-gdbus.cpp).
+SRC_URI += "file://0008-Add-GetConnectionSmackContext-D-Bus-daemon-method.patch"
+
+# Depends on special Cynara rules which get installed in the
+# security-manager-policy package. From patch set 5 in:
+# https://review.tizen.org/gerrit/#/c/31310/
+SRC_URI += "file://Perform-Cynara-runtime-policy-checks-by-default.patch"
+
+DEPENDS += "cynara smack"
+EXTRA_OECONF += "--enable-cynara"
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES += "smack"
+
+# Only the main package gets created here, everything else remains in the
+# normal dbus recipe.
+do_install_append () {
+ for i in ${@' '.join([d.getVar('D', True) + x for x in (' '.join([d.getVar('FILES_${PN}-' + p, True) or '' for p in ['lib', 'dev', 'staticdev', 'doc', 'locale', 'ptest']])).split()])}; do
+ rm -rf $i
+ done
+
+ # Try to remove empty directories, starting with the
+ # longest path (= deepest directory) first.
+ # Find needs a valid current directory. Somehow the directory
+ # we get called in is gone by the time that we get invoked.
+ ( cd ${D}
+ for i in `find . -type d | sort -r`; do
+ rmdir $i || true
+ done
+ )
+}
+
+# Avoid warning about dbus and dbus-cynara providing dbus-x11.
+RPROVIDES_${PN}_remove = "${OLDPKGNAME}"
diff --git a/meta-security/recipes-core/dbus/dbus-oe-core.inc b/meta-security/recipes-core/dbus/dbus-oe-core.inc
new file mode 100644
index 000000000..3971081fd
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus-oe-core.inc
@@ -0,0 +1,170 @@
+SUMMARY = "D-Bus message bus"
+DESCRIPTION = "D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a \"single instance\" application or daemon, and to launch applications and daemons on demand when their services are needed."
+HOMEPAGE = "http://dbus.freedesktop.org"
+SECTION = "base"
+LICENSE = "AFL-2 | GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \
+ file://dbus/dbus.h;beginline=6;endline=20;md5=7755c9d7abccd5dbd25a6a974538bb3c"
+DEPENDS = "expat virtual/libintl"
+RDEPENDS_dbus_class-native = ""
+RDEPENDS_dbus_class-nativesdk = ""
+PACKAGES += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', '${PN}-ptest', '', d)}"
+ALLOW_EMPTY_dbus-ptest = "1"
+RDEPENDS_dbus-ptest_class-target = "dbus-test-ptest"
+
+SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
+ file://tmpdir.patch \
+ file://dbus-1.init \
+ file://os-test.patch \
+ file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+"
+
+inherit useradd autotools pkgconfig gettext update-rc.d
+
+INITSCRIPT_NAME = "dbus-1"
+INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
+
+python __anonymous() {
+ if not bb.utils.contains('DISTRO_FEATURES', 'sysvinit', True, False, d):
+ d.setVar("INHIBIT_UPDATERCD_BBCLASS", "1")
+}
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r netdev"
+USERADD_PARAM_${PN} = "--system --home ${localstatedir}/lib/dbus \
+ --no-create-home --shell /bin/false \
+ --user-group messagebus"
+
+CONFFILES_${PN} = "${sysconfdir}/dbus-1/system.conf ${sysconfdir}/dbus-1/session.conf"
+
+DEBIANNAME_${PN} = "dbus-1"
+
+PACKAGES =+ "${PN}-lib"
+
+OLDPKGNAME = "dbus-x11"
+OLDPKGNAME_class-nativesdk = ""
+
+# for compatibility
+RPROVIDES_${PN} = "${OLDPKGNAME}"
+RREPLACES_${PN} += "${OLDPKGNAME}"
+
+FILES_${PN} = "${bindir}/dbus-daemon* \
+ ${bindir}/dbus-uuidgen \
+ ${bindir}/dbus-cleanup-sockets \
+ ${bindir}/dbus-send \
+ ${bindir}/dbus-monitor \
+ ${bindir}/dbus-launch \
+ ${bindir}/dbus-run-session \
+ ${libexecdir}/dbus* \
+ ${sysconfdir} \
+ ${localstatedir} \
+ ${datadir}/dbus-1/services \
+ ${datadir}/dbus-1/system-services \
+ ${systemd_unitdir}/system/"
+FILES_${PN}-lib = "${libdir}/lib*.so.*"
+RRECOMMENDS_${PN}-lib = "${PN}"
+FILES_${PN}-dev += "${libdir}/dbus-1.0/include ${bindir}/dbus-glib-tool"
+
+pkg_postinst_dbus() {
+ # If both systemd and sysvinit are enabled, mask the dbus-1 init script
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','true','false',d)}; then
+ if [ -n "$D" ]; then
+ OPTS="--root=$D"
+ fi
+ systemctl $OPTS mask dbus-1.service
+ fi
+
+ if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then
+ /etc/init.d/populate-volatile.sh update
+ fi
+}
+
+EXTRA_OECONF = "--disable-tests \
+ --disable-xml-docs \
+ --disable-doxygen-docs \
+ --disable-libaudit \
+ --disable-systemd \
+ --without-dbus-glib"
+
+EXTRA_OECONF_append_class-native = " --disable-selinux"
+
+PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}"
+PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-nativesdk = ""
+
+# Would like to --enable-systemd but that's a circular build-dependency between
+# systemd<->dbus
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/,--without-systemdsystemunitdir"
+PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
+
+do_install() {
+ autotools_do_install
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/init.d
+ sed 's:@bindir@:${bindir}:' < ${WORKDIR}/dbus-1.init >${WORKDIR}/dbus-1.init.sh
+ install -m 0755 ${WORKDIR}/dbus-1.init.sh ${D}${sysconfdir}/init.d/dbus-1
+ fi
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ for i in dbus.target.wants sockets.target.wants multi-user.target.wants; do \
+ install -d ${D}${systemd_unitdir}/system/$i; done
+ install -m 0644 ${B}/bus/dbus.service ${B}/bus/dbus.socket ${D}${systemd_unitdir}/system/
+ cd ${D}${systemd_unitdir}/system/dbus.target.wants/
+ ln -fs ../dbus.socket ${D}${systemd_unitdir}/system/dbus.target.wants/dbus.socket
+ ln -fs ../dbus.socket ${D}${systemd_unitdir}/system/sockets.target.wants/dbus.socket
+ ln -fs ../dbus.service ${D}${systemd_unitdir}/system/multi-user.target.wants/dbus.service
+ fi
+
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d messagebus messagebus 0755 ${localstatedir}/run/dbus none" \
+ > ${D}${sysconfdir}/default/volatiles/99_dbus
+
+
+ mkdir -p ${D}${localstatedir}/lib/dbus
+
+ chown messagebus:messagebus ${D}${localstatedir}/lib/dbus
+
+ chown root:messagebus ${D}${libexecdir}/dbus-daemon-launch-helper
+ chmod 4755 ${D}${libexecdir}/dbus-daemon-launch-helper
+
+ # Remove Red Hat initscript
+ rm -rf ${D}${sysconfdir}/rc.d
+
+ # Remove empty testexec directory as we don't build tests
+ rm -rf ${D}${libdir}/dbus-1.0/test
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+}
+
+do_install_class-native() {
+ autotools_do_install
+
+ # for dbus-glib-native introspection generation
+ install -d ${D}${STAGING_DATADIR_NATIVE}/dbus/
+ # N.B. is below install actually required?
+ install -m 0644 bus/session.conf ${D}${STAGING_DATADIR_NATIVE}/dbus/session.conf
+
+ # dbus-glib-native and dbus-glib need this xml file
+ ./bus/dbus-daemon --introspect > ${D}${STAGING_DATADIR_NATIVE}/dbus/dbus-bus-introspect.xml
+
+ # dbus-launch has no X support so lets not install it in case the host
+ # has a more featured and useful version
+ rm -f ${D}${bindir}/dbus-launch
+}
+
+do_install_class-nativesdk() {
+ autotools_do_install
+
+ # dbus-launch has no X support so lets not install it in case the host
+ # has a more featured and useful version
+ rm -f ${D}${bindir}/dbus-launch
+
+ # Remove /var/run to avoid QA error
+ rm -rf ${D}${localstatedir}/run
+}
+BBCLASSEXTEND = "native nativesdk"
+
+INSANE_SKIP_${PN}-ptest += "build-deps"
diff --git a/meta-security/recipes-core/dbus/dbus_%.bbappend b/meta-security/recipes-core/dbus/dbus_%.bbappend
new file mode 100644
index 000000000..e352b4d05
--- /dev/null
+++ b/meta-security/recipes-core/dbus/dbus_%.bbappend
@@ -0,0 +1,27 @@
+# Optionally, compilation of the main package with the daemon gets moved into
+# dbus-cynara. That is necessary to break a dependency cycle once the
+# daemon gets compiled with Cynara support (dbus -> cynara -> systemd
+# -> dbus).
+do_install_append_class-target () {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'dbus-cynara', 'true', 'false', d)}; then
+ for i in ${@' '.join([d.getVar('D', True) + x for x in (d.getVar('FILES_${PN}', True) or '').split()])}; do
+ rm -rf $i
+ done
+
+ # Try to remove empty directories, starting with the
+ # longest path (= deepest directory) first.
+ # Find needs a valid current directory. Somehow the directory
+ # we get called in is gone by the time that we get invoked.
+ ( cd ${D}
+ for i in `find . -type d | sort -r`; do
+ rmdir $i || true
+ done
+ )
+ fi
+}
+
+# The main package will be empty, but we want to have it created
+# anyway because of the dependencies on it. Installing it will pull in
+# the replacement dbus-cynara package.
+ALLOW_EMPTY_${PN}_class-target = "1"
+RDEPENDS_${PN}_append_class-target = "${@bb.utils.contains('DISTRO_FEATURES', 'dbus-cynara', ' dbus-cynara', '', d)}"
diff --git a/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
new file mode 100644
index 000000000..c728da3b9
--- /dev/null
+++ b/meta-security/recipes-core/packagegroups/packagegroup-security-framework.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Security middleware components"
+LICENSE = "MIT"
+
+inherit packagegroup
+
+# Install Cynara and security-manager by default if (and only if)
+# Smack is enabled.
+#
+# Cynara does not have a hard dependency on Smack security,
+# but is meant to be used with it. security-manager however
+# links against smack-userspace and expects Smack to be active,
+# so we do not have any choice.
+#
+# Without configuration, security-manager is not usable. We use
+# the policy packaged from the upstream source code here. Adapting
+# it for the distro can be done by patching that source.
+RDEPENDS_${PN}_append_with-lsm-smack = " \
+ cynara \
+ security-manager \
+ security-manager-policy \
+ smacknet \
+"
diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch
new file mode 100644
index 000000000..2ff51f86b
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch
@@ -0,0 +1,49 @@
+From da574755b8abe1d5fb9151f901ccea51d40d9509 Mon Sep 17 00:00:00 2001
+From: Michael Demeter <michael.demeter@intel.com>
+Date: Fri, 30 Oct 2015 11:25:50 +0100
+Subject: [PATCH] tizen-smack: Handling of /run and /sys/fs/cgroup
+
+Make /run a transmuting directory to enable systemd
+communications with services in the User domain.
+
+Upstream-Status: Pending
+
+Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff
+---
+ src/core/mount-setup.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
+index cc2633e..3dc7cd7 100644
+--- a/src/core/mount-setup.c
++++ b/src/core/mount-setup.c
+@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = {
+ use_smack, MNT_FATAL },
+ { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ use_smack, MNT_FATAL },
+-#endif
++#else
+ { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
++#endif
+ { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
+ NULL, MNT_IN_CONTAINER },
+ #ifdef HAVE_SMACK
+- { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
++ { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ use_smack, MNT_FATAL },
+-#endif
++ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
++ use_smack, MNT_IN_CONTAINER },
++#else
+ { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
+ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
++#endif
+ { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ NULL, MNT_IN_CONTAINER },
+ { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch
new file mode 100644
index 000000000..a4a3e50a6
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch
@@ -0,0 +1,50 @@
+From 831d552a9589bb2b99c042d01672409efa3d94fc Mon Sep 17 00:00:00 2001
+From: Michael Demeter <michael.demeter@intel.com>
+Date: Fri, 11 Oct 2013 15:37:57 -0700
+Subject: [PATCH 3/9] tizen-smack: Handling of /run and /sys/fs/cgroup
+
+Make /run a transmuting directory to enable systemd
+communications with services in the User domain.
+
+Upstream-Status: Pending
+
+Change-Id: I9e23b78d17a108d8e56ad85a9e839b6ccbe4feff
+---
+ src/core/mount-setup.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
+index 521545e..ba0867c 100644
+--- a/src/core/mount-setup.c
++++ b/src/core/mount-setup.c
+@@ -85,19 +85,23 @@ static const MountPoint mount_table[] = {
+ mac_smack_use, MNT_FATAL },
+ { "tmpfs", "/dev/shm", "tmpfs", "mode=1777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ mac_smack_use, MNT_FATAL },
+-#endif
++#else
+ { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
++#endif
+ { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
+ NULL, MNT_IN_CONTAINER },
+ #ifdef HAVE_SMACK
+- { "tmpfs", "/run", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+- mac_smack_use, MNT_FATAL },
+-#endif
++ { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
++ mac_smack_use, MNT_FATAL },
++ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
++ mac_smack_use, MNT_IN_CONTAINER },
++#else
+ { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
+ { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
++#endif
+ { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ NULL, MNT_IN_CONTAINER },
+ { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch
new file mode 100644
index 000000000..88c100fed
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev-v216.patch
@@ -0,0 +1,82 @@
+From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001
+From: Michael Demeter <michael.demeter@intel.com>
+Date: Fri, 11 Oct 2013 15:37:57 -0700
+Subject: [PATCH 4/9] tizen-smack: Handling of /dev
+
+Smack enabled systems need /dev special devices correctly labeled
+
+- Add AC_DEFINE for HAVE_SMACK to configure.ac
+- Add Check for smack in Makefile.am to include smack default rules
+- Add smack default rules to label /dev/xxx correctly for access
+
+Upstream-Status: Inappropriate [configuration]
+
+Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5
+---
+ configure.ac | 2 ++
+ Makefile.am | 5 +++++
+ rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++
+ 3 files changed, 30 insertions(+)
+ create mode 100644 rules/55-udev-smack-default.rules
+
+diff --git a/configure.ac b/configure.ac
+index 18b7198..05f49ed 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -635,6 +635,8 @@ if test "x${have_smack}" = xyes ; then
+ AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
+ fi
+
++AM_CONDITIONAL([HAVE_SMACK], [test "x$have_smack" = "xyes"])
++
+ # ------------------------------------------------------------------------------
+ AC_ARG_ENABLE([gcrypt],
+ AS_HELP_STRING([--disable-gcrypt],[Disable optional GCRYPT support]),
+diff --git a/Makefile.am b/Makefile.am
+index bf04d31..1a05607 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3108,6 +3108,11 @@ dist_udevrules_DATA += \
+ nodist_udevrules_DATA += \
+ rules/99-systemd.rules
+
++if HAVE_SMACK
++dist_udevrules_DATA += \
++ rules/55-udev-smack-default.rules
++endif
++
+ dist_udevhwdb_DATA = \
+ hwdb/20-pci-vendor-model.hwdb \
+ hwdb/20-pci-classes.hwdb \
+diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules
+new file mode 100644
+index 0000000..3829019
+--- /dev/null
++++ b/rules/55-udev-smack-default.rules
+@@ -0,0 +1,23 @@
++# do not edit this file, it will be overwritten on update
++
++KERNEL=="null", SECLABEL{smack}="*"
++KERNEL=="zero", SECLABEL{smack}="*"
++KERNEL=="console", SECLABEL{smack}="*"
++KERNEL=="kmsg", SECLABEL{smack}="*"
++KERNEL=="video*", SECLABEL{smack}="*"
++KERNEL=="card*", SECLABEL{smack}="*"
++KERNEL=="ptmx", SECLABEL{smack}="*"
++KERNEL=="tty", SECLABEL{smack}="*"
++
++SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
++SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
++SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
++
++SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
++SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
++SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
++SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
++KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
++
++SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
++SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch
new file mode 100644
index 000000000..b12caaec5
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0004-tizen-smack-Handling-of-dev.patch
@@ -0,0 +1,68 @@
+From 468ef790a7a0e53c390cec9c63090a0ae04a4d58 Mon Sep 17 00:00:00 2001
+From: Michael Demeter <michael.demeter@intel.com>
+Date: Fri, 11 Oct 2013 15:37:57 -0700
+Subject: [PATCH 4/9] tizen-smack: Handling of /dev
+
+Smack enabled systems need /dev special devices correctly labeled
+
+- Add AC_DEFINE for HAVE_SMACK to configure.ac
+- Add Check for smack in Makefile.am to include smack default rules
+- Add smack default rules to label /dev/xxx correctly for access
+
+Upstream-Status: Inappropriate [configuration]
+
+Change-Id: Iebe2e349cbedb3013abdf32edb55e9310f1d17f5
+---
+ Makefile.am | 5 +++++
+ rules/55-udev-smack-default.rules | 23 +++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 rules/55-udev-smack-default.rules
+
+diff --git a/Makefile.am b/Makefile.am
+index bf04d31..1a05607 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -3571,6 +3571,11 @@ dist_udevrules_DATA += \
+ nodist_udevrules_DATA += \
+ rules/99-systemd.rules
+
++if HAVE_SMACK
++dist_udevrules_DATA += \
++ rules/55-udev-smack-default.rules
++endif
++
+ udevconfdir = $(sysconfdir)/udev
+ dist_udevconf_DATA = \
+ src/udev/udev.conf
+diff --git a/rules/55-udev-smack-default.rules b/rules/55-udev-smack-default.rules
+new file mode 100644
+index 0000000..3829019
+--- /dev/null
++++ b/rules/55-udev-smack-default.rules
+@@ -0,0 +1,23 @@
++# do not edit this file, it will be overwritten on update
++
++KERNEL=="null", SECLABEL{smack}="*"
++KERNEL=="zero", SECLABEL{smack}="*"
++KERNEL=="console", SECLABEL{smack}="*"
++KERNEL=="kmsg", SECLABEL{smack}="*"
++KERNEL=="video*", SECLABEL{smack}="*"
++KERNEL=="card*", SECLABEL{smack}="*"
++KERNEL=="ptmx", SECLABEL{smack}="*"
++KERNEL=="tty", SECLABEL{smack}="*"
++
++SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
++SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
++SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
++
++SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
++SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
++SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
++SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
++KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
++
++SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
++SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch
new file mode 100644
index 000000000..3d69bb2a8
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v216.patch
@@ -0,0 +1,107 @@
+From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Fri, 8 Nov 2013 09:42:26 -0800
+Subject: [PATCH 5/9] tizen-smack: Handling network
+
+- Set Smack ambient to match run label
+- Set Smack netlabel host rules
+
+Set Smack ambient to match run label
+------------------------------------
+Set the Smack networking ambient label to match the
+run label of systemd. System services may expect to
+communicate with external services over IP. Setting
+the ambient label assigns that label to IP packets
+that do not include CIPSO headers. This allows systemd
+and the services it spawns access to unlabeled IP
+packets, and hence external services.
+
+A system may choose to restrict network access to
+particular services later in the startup process.
+This is easily done by resetting the ambient label
+elsewhere.
+
+Set Smack netlabel host rules
+-----------------------------
+If SMACK_RUN_LABEL is defined set all other hosts to be
+single label hosts at the specified label. Set the loopback
+address to be a CIPSO host.
+
+If any netlabel host rules are defined in /etc/smack/netlabel.d
+install them into the smackfs netlabel interface.
+
+Upstream-Status: Pending
+
+---
+ src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
+index 59f6832..33dc1ca 100644
+--- a/src/core/smack-setup.c
++++ b/src/core/smack-setup.c
+@@ -42,6 +42,7 @@
+
+ #define SMACK_CONFIG "/etc/smack/accesses.d/"
+ #define CIPSO_CONFIG "/etc/smack/cipso.d/"
++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
+
+ #ifdef HAVE_SMACK
+
+@@ -146,6 +147,19 @@ int smack_setup(bool *loaded_policy) {
+ if (r)
+ log_warning("Failed to set SMACK label \"%s\" on self: %s",
+ SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
++ if (r)
++ log_warning("Failed to set SMACK ambient label \"%s\": %s",
++ SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/netlabel",
++ "0.0.0.0/0 " SMACK_RUN_LABEL);
++ if (r)
++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
++ if (r)
++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++ "127.0.0.1 -CIPSO", strerror(-r));
+ #endif
+
+ r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
+@@ -155,14 +169,31 @@ int smack_setup(bool *loaded_policy) {
+ return 0;
+ case ENOENT:
+ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
+- return 0;
++ break;
+ case 0:
+ log_info("Successfully loaded Smack/CIPSO policies.");
+- return 0;
++ break;
+ default:
+ log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
+ strerror(abs(r)));
++ break;
++ }
++
++ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
++ switch(r) {
++ case -ENOENT:
++ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
++ case ENOENT:
++ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
++ break;
++ case 0:
++ log_info("Successfully loaded Smack network host rules.");
++ break;
++ default:
++ log_warning("Failed to load Smack network host rules: %s, ignoring.",
++ strerror(abs(r)));
++ break;
+ }
+
+ *loaded_policy = true;
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch
new file mode 100644
index 000000000..d5678f2e6
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v225.patch
@@ -0,0 +1,191 @@
+From 513a8d943538643fabf0d31f1eed261677dfbddc Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Fri, 8 Nov 2013 09:42:26 -0800
+Subject: [PATCH] tizen-smack: Handling network
+
+- Set Smack ambient to match run label
+- Set Smack netlabel host rules
+
+Set Smack ambient to match run label
+------------------------------------
+Set the Smack networking ambient label to match the
+run label of systemd. System services may expect to
+communicate with external services over IP. Setting
+the ambient label assigns that label to IP packets
+that do not include CIPSO headers. This allows systemd
+and the services it spawns access to unlabeled IP
+packets, and hence external services.
+
+A system may choose to restrict network access to
+particular services later in the startup process.
+This is easily done by resetting the ambient label
+elsewhere.
+
+Set Smack netlabel host rules
+-----------------------------
+If SMACK_RUN_LABEL is defined set all other hosts to be
+single label hosts at the specified label. Set the loopback
+address to be a CIPSO host.
+
+If any netlabel host rules are defined in /etc/smack/netlabel.d
+install them into the smackfs netlabel interface.
+
+[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
+[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
+
+Upstream-Status: Pending
+---
+ src/core/smack-setup.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 106 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
+index cbe7d0b..b384aa0 100644
+--- a/src/core/smack-setup.c
++++ b/src/core/smack-setup.c
+@@ -34,6 +34,9 @@
+ #include "fileio.h"
+ #include "log.h"
+
++#define CIPSO_CONFIG "/etc/smack/cipso.d/"
++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
++
+ #ifdef HAVE_SMACK
+
+ static int write_access2_rules(const char* srcdir) {
+@@ -193,6 +196,76 @@ static int write_cipso2_rules(const char* srcdir) {
+ return r;
+ }
+
++static int write_netlabel_rules(const char* srcdir) {
++ _cleanup_fclose_ FILE *dst = NULL;
++ _cleanup_closedir_ DIR *dir = NULL;
++ struct dirent *entry;
++ char buf[NAME_MAX];
++ int dfd = -1;
++ int r = 0;
++ static const char dstpath[] = "/sys/fs/smackfs/netlabel";
++
++ dst = fopen(dstpath, "we");
++ if (!dst) {
++ if (errno != ENOENT)
++ log_warning_errno(errno, "Failed to open %s: %m", dstpath);
++ return -errno; /* negative error */
++ }
++
++ /* write rules to dst from every file in the directory */
++ dir = opendir(srcdir);
++ if (!dir) {
++ if (errno != ENOENT)
++ log_warning_errno(errno, "Failed to opendir %s: %m", srcdir);
++ return errno; /* positive on purpose */
++ }
++
++ dfd = dirfd(dir);
++ assert(dfd >= 0);
++
++ FOREACH_DIRENT(entry, dir, return 0) {
++ int fd;
++ _cleanup_fclose_ FILE *policy = NULL;
++
++ fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
++ if (fd < 0) {
++ if (r == 0)
++ r = -errno;
++ log_warning_errno(errno, "Failed to open %s: %m", entry->d_name);
++ continue;
++ }
++
++ policy = fdopen(fd, "re");
++ if (!policy) {
++ if (r == 0)
++ r = -errno;
++ safe_close(fd);
++ log_error_errno(errno, "Failed to open %s: %m", entry->d_name);
++ continue;
++ }
++
++ /* load2 write rules in the kernel require a line buffered stream */
++ FOREACH_LINE(buf, policy,
++ log_error_errno(errno, "Failed to read line from %s: %m",
++ entry->d_name)) {
++ if (!fputs(buf, dst)) {
++ if (r == 0)
++ r = -EINVAL;
++ log_error("Failed to write line to %s", dstpath);
++ break;
++ }
++ if (fflush(dst)) {
++ if (r == 0)
++ r = -errno;
++ log_error_errno(errno, "Failed to flush writes to %s: %m", dstpath);
++ break;
++ }
++ }
++ }
++
++ return r;
++}
++
+ #endif
+
+ int mac_smack_setup(bool *loaded_policy) {
+@@ -225,23 +298,53 @@ int mac_smack_setup(bool *loaded_policy) {
+ if (r)
+ log_warning("Failed to set SMACK label \"%s\" on self: %s",
+ SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0);
++ if (r)
++ log_warning("Failed to set SMACK ambient label \"%s\": %s",
++ SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/netlabel",
++ "0.0.0.0/0 " SMACK_RUN_LABEL, 0);
++ if (r)
++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0);
++ if (r)
++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++ "127.0.0.1 -CIPSO", strerror(-r));
+ #endif
+
+- r = write_cipso2_rules("/etc/smack/cipso.d/");
++ r = write_cipso2_rules(CIPSO_CONFIG);
+ switch(r) {
+ case -ENOENT:
+ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
+ case ENOENT:
+- log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
+- return 0;
++ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
++ break;
+ case 0:
+ log_info("Successfully loaded Smack/CIPSO policies.");
+ break;
+ default:
+ log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
+ strerror(abs(r)));
++ break;
++ }
++
++ r = write_netlabel_rules(NETLABEL_CONFIG);
++ switch(r) {
++ case -ENOENT:
++ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
++ case ENOENT:
++ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
++ break;
++ case 0:
++ log_info("Successfully loaded Smack network host rules.");
++ break;
++ default:
++ log_warning("Failed to load Smack network host rules: %s, ignoring.",
++ strerror(abs(r)));
++ break;
+ }
+
+ *loaded_policy = true;
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch
new file mode 100644
index 000000000..bc6b97c8f
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network-v228.patch
@@ -0,0 +1,179 @@
+From e714327016fb65a0bf977588efaecbaf41ac3cfc Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Fri, 8 Nov 2013 09:42:26 -0800
+Subject: [PATCH 4/6] tizen-smack: Handling network
+
+- Set Smack ambient to match run label
+- Set Smack netlabel host rules
+
+Set Smack ambient to match run label
+------------------------------------
+Set the Smack networking ambient label to match the
+run label of systemd. System services may expect to
+communicate with external services over IP. Setting
+the ambient label assigns that label to IP packets
+that do not include CIPSO headers. This allows systemd
+and the services it spawns access to unlabeled IP
+packets, and hence external services.
+
+A system may choose to restrict network access to
+particular services later in the startup process.
+This is easily done by resetting the ambient label
+elsewhere.
+
+Set Smack netlabel host rules
+-----------------------------
+If SMACK_RUN_LABEL is defined set all other hosts to be
+single label hosts at the specified label. Set the loopback
+address to be a CIPSO host.
+
+If any netlabel host rules are defined in /etc/smack/netlabel.d
+install them into the smackfs netlabel interface.
+
+[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
+[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
+[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
+[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
+
+Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2262]
+
+%% original patch: 0005-tizen-smack-Handling-network-v225.patch
+---
+ src/core/smack-setup.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 98 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
+index 0661ff9..c9374ca 100644
+--- a/src/core/smack-setup.c
++++ b/src/core/smack-setup.c
+@@ -197,6 +197,75 @@ static int write_cipso2_rules(const char* srcdir) {
+ return r;
+ }
+
++static int write_netlabel_rules(const char* srcdir) {
++ _cleanup_fclose_ FILE *dst = NULL;
++ _cleanup_closedir_ DIR *dir = NULL;
++ struct dirent *entry;
++ char buf[NAME_MAX];
++ int dfd = -1;
++ int r = 0;
++
++ dst = fopen("/sys/fs/smackfs/netlabel", "we");
++ if (!dst) {
++ if (errno != ENOENT)
++ log_warning_errno(errno, "Failed to open /sys/fs/smackfs/netlabel: %m");
++ return -errno; /* negative error */
++ }
++
++ /* write rules to dst from every file in the directory */
++ dir = opendir(srcdir);
++ if (!dir) {
++ if (errno != ENOENT)
++ log_warning_errno(errno, "Failed to opendir %s: %m", srcdir);
++ return errno; /* positive on purpose */
++ }
++
++ dfd = dirfd(dir);
++ assert(dfd >= 0);
++
++ FOREACH_DIRENT(entry, dir, return 0) {
++ int fd;
++ _cleanup_fclose_ FILE *policy = NULL;
++
++ fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
++ if (fd < 0) {
++ if (r == 0)
++ r = -errno;
++ log_warning_errno(errno, "Failed to open %s: %m", entry->d_name);
++ continue;
++ }
++
++ policy = fdopen(fd, "re");
++ if (!policy) {
++ if (r == 0)
++ r = -errno;
++ safe_close(fd);
++ log_error_errno(errno, "Failed to open %s: %m", entry->d_name);
++ continue;
++ }
++
++ /* load2 write rules in the kernel require a line buffered stream */
++ FOREACH_LINE(buf, policy,
++ log_error_errno(errno, "Failed to read line from %s: %m",
++ entry->d_name)) {
++ if (!fputs(buf, dst)) {
++ if (r == 0)
++ r = -EINVAL;
++ log_error_errno(errno, "Failed to write line to /sys/fs/smackfs/netlabel");
++ break;
++ }
++ if (fflush(dst)) {
++ if (r == 0)
++ r = -errno;
++ log_error_errno(errno, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m");
++ break;
++ }
++ }
++ }
++
++ return r;
++}
++
+ #endif
+
+ int mac_smack_setup(bool *loaded_policy) {
+@@ -225,8 +294,18 @@ int mac_smack_setup(bool *loaded_policy) {
+
+ #ifdef SMACK_RUN_LABEL
+ r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, 0);
+- if (r)
+- log_warning_errno(r, "Failed to set SMACK label \"%s\" on self: %m", SMACK_RUN_LABEL);
++ if (r < 0)
++ log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");
++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0);
++ if (r < 0)
++ log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m");
++ r = write_string_file("/sys/fs/smackfs/netlabel",
++ "0.0.0.0/0 " SMACK_RUN_LABEL, 0);
++ if (r < 0)
++ log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m");
++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0);
++ if (r < 0)
++ log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
+ #endif
+
+ r = write_cipso2_rules("/etc/smack/cipso.d/");
+@@ -236,13 +315,29 @@ int mac_smack_setup(bool *loaded_policy) {
+ return 0;
+ case ENOENT:
+ log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
+- return 0;
++ break;
+ case 0:
+ log_info("Successfully loaded Smack/CIPSO policies.");
+ break;
+ default:
+ log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m");
++ break;
++ }
++
++ r = write_netlabel_rules("/etc/smack/netlabel.d/");
++ switch(r) {
++ case -ENOENT:
++ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
++ case ENOENT:
++ log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found");
++ break;
++ case 0:
++ log_info("Successfully loaded Smack network host rules.");
++ break;
++ default:
++ log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring.");
++ break;
+ }
+
+ *loaded_policy = true;
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
new file mode 100644
index 000000000..cd6a3c90b
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0005-tizen-smack-Handling-network.patch
@@ -0,0 +1,106 @@
+From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Fri, 8 Nov 2013 09:42:26 -0800
+Subject: [PATCH 5/9] tizen-smack: Handling network
+
+- Set Smack ambient to match run label
+- Set Smack netlabel host rules
+
+Set Smack ambient to match run label
+------------------------------------
+Set the Smack networking ambient label to match the
+run label of systemd. System services may expect to
+communicate with external services over IP. Setting
+the ambient label assigns that label to IP packets
+that do not include CIPSO headers. This allows systemd
+and the services it spawns access to unlabeled IP
+packets, and hence external services.
+
+A system may choose to restrict network access to
+particular services later in the startup process.
+This is easily done by resetting the ambient label
+elsewhere.
+
+Set Smack netlabel host rules
+-----------------------------
+If SMACK_RUN_LABEL is defined set all other hosts to be
+single label hosts at the specified label. Set the loopback
+address to be a CIPSO host.
+
+If any netlabel host rules are defined in /etc/smack/netlabel.d
+install them into the smackfs netlabel interface.
+
+Upstream-Status: Pending
+
+---
+ src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
+index 59f6832..33dc1ca 100644
+--- a/src/core/smack-setup.c
++++ b/src/core/smack-setup.c
+@@ -42,6 +42,7 @@
+
+ #define SMACK_CONFIG "/etc/smack/accesses.d/"
+ #define CIPSO_CONFIG "/etc/smack/cipso.d/"
++#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
+
+ #ifdef HAVE_SMACK
+
+@@ -146,6 +147,19 @@ int mac_smack_setup(bool *loaded_policy) {
+ if (r)
+ log_warning("Failed to set SMACK label \"%s\" on self: %s",
+ SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
++ if (r)
++ log_warning("Failed to set SMACK ambient label \"%s\": %s",
++ SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/netlabel",
++ "0.0.0.0/0 " SMACK_RUN_LABEL);
++ if (r)
++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++ "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
++ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
++ if (r)
++ log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
++ "127.0.0.1 -CIPSO", strerror(-r));
+ #endif
+
+ r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
+@@ -155,14 +169,31 @@ int mac_smack_setup(bool *loaded_policy) {
+ return 0;
+ case ENOENT:
+ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
+- return 0;
++ break;
+ case 0:
+ log_info("Successfully loaded Smack/CIPSO policies.");
+ break;
+ default:
+ log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
+ strerror(abs(r)));
++ break;
++ }
++
++ r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
++ switch(r) {
++ case -ENOENT:
++ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
++ case ENOENT:
++ log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
++ break;
++ case 0:
++ log_info("Successfully loaded Smack network host rules.");
++ break;
++ default:
++ log_warning("Failed to load Smack network host rules: %s, ignoring.",
++ strerror(abs(r)));
++ break;
+ }
+
+ *loaded_policy = true;
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch
new file mode 100644
index 000000000..dd2c6542e
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with-v216.patch
@@ -0,0 +1,41 @@
+From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Thu, 19 Dec 2013 16:49:28 -0800
+Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^
+
+Run systemd-journald with the hat ("^") Smack label.
+
+The journal daemon needs global read access to gather information
+about the services spawned by systemd. The hat label is intended
+for this purpose. The journal daemon is the only part of the
+System domain that needs read access to the User domain. Giving
+the journal daemon the hat label means that we can remove the
+System domain's read access to the User domain.
+
+Upstream-Status: Inappropriate [configuration]
+
+Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370
+Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
+---
+ units/systemd-journald.service.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index a3540c6..745dd84 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -20,8 +20,10 @@ Restart=always
+ RestartSec=0
+ NotifyAccess=all
+ StandardOutput=null
++SmackProcessLabel=^
+-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
++CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+ WatchdogSec=1min
++FileDescriptorStoreMax=1024
+
+ # Increase the default a bit in order to allow many simultaneous
+ # services being run since we keep one fd open per service.
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch
new file mode 100644
index 000000000..27a9d0bc6
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/0007-tizen-smack-Runs-systemd-journald-with.patch
@@ -0,0 +1,37 @@
+From ccf384ca0f1cabe37e07e752df95ddb1e017a7ef Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Thu, 19 Dec 2013 16:49:28 -0800
+Subject: [PATCH 7/9] tizen-smack: Runs systemd-journald with ^
+
+Run systemd-journald with the hat ("^") Smack label.
+
+The journal daemon needs global read access to gather information
+about the services spawned by systemd. The hat label is intended
+for this purpose. The journal daemon is the only part of the
+System domain that needs read access to the User domain. Giving
+the journal daemon the hat label means that we can remove the
+System domain's read access to the User domain.
+
+Upstream-Status: Inappropriate [configuration]
+
+Change-Id: Ic22633f0c9d99c04f873be8a346786ea577d0370
+Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
+---
+ units/systemd-journald.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index a3540c6..745dd84 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -21,6 +21,7 @@ Restart=always
+ RestartSec=0
+ NotifyAccess=all
+ StandardOutput=null
++SmackProcessLabel=^
+ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+ WatchdogSec=1min
+ FileDescriptorStoreMax=1024
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch b/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch
new file mode 100644
index 000000000..5a1baefed
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch
@@ -0,0 +1,58 @@
+From fd84be63d15fc94c1f396979c67e070c6cd7451b Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Mon, 21 Dec 2015 14:56:00 +0100
+Subject: [PATCH] mount-setup.c: fix handling of symlink Smack labelling in
+ cgroup setup
+
+The code introduced in f8c1a81c51 (= systemd 227) failed for me with:
+ Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory
+
+There is no need for a symlink in this case because source and target
+are identical. The symlink() call is allowed to fail when the target
+already exists. When that happens, copying the Smack label must be
+skipped.
+
+But the code also failed when there is a symlink, like "cpu ->
+cpu,cpuacct", because mac_smack_copy() got called with
+src="cpu,cpuacct" which fails to find the entry because the current
+directory is not inside /sys/fs/cgroup. The absolute path to the existing
+entry must be used instead.
+
+Upstream-Status: Accepted [https://github.com/systemd/systemd/pull/2205]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ src/core/mount-setup.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
+index 2b8d590..d73b319 100644
+--- a/src/core/mount-setup.c
++++ b/src/core/mount-setup.c
+@@ -304,13 +304,18 @@ int mount_cgroup_controllers(char ***join_controllers) {
+ return log_oom();
+
+ r = symlink(options, t);
+- if (r < 0 && errno != EEXIST)
+- return log_error_errno(errno, "Failed to create symlink %s: %m", t);
++ if (r >= 0) {
+ #ifdef SMACK_RUN_LABEL
+- r = mac_smack_copy(t, options);
+- if (r < 0 && r != -EOPNOTSUPP)
+- return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", options, t);
++ _cleanup_free_ char *src;
++ src = strappend("/sys/fs/cgroup/", options);
++ if (!src)
++ return log_oom();
++ r = mac_smack_copy(t, src);
++ if (r < 0 && r != -EOPNOTSUPP)
++ return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", src, t);
+ #endif
++ } else if (errno != EEXIST)
++ return log_error_errno(errno, "Failed to create symlink %s: %m", t);
+ }
+ }
+ }
+--
+2.1.4
+
diff --git a/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules b/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules
new file mode 100644
index 000000000..3829019de
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd/udev-smack-default.rules
@@ -0,0 +1,23 @@
+# do not edit this file, it will be overwritten on update
+
+KERNEL=="null", SECLABEL{smack}="*"
+KERNEL=="zero", SECLABEL{smack}="*"
+KERNEL=="console", SECLABEL{smack}="*"
+KERNEL=="kmsg", SECLABEL{smack}="*"
+KERNEL=="video*", SECLABEL{smack}="*"
+KERNEL=="card*", SECLABEL{smack}="*"
+KERNEL=="ptmx", SECLABEL{smack}="*"
+KERNEL=="tty", SECLABEL{smack}="*"
+
+SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
+SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
+
+SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
+SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
+SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
+KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
+
+SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
+SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
diff --git a/meta-security/recipes-core/systemd/systemd_%.bbappend b/meta-security/recipes-core/systemd/systemd_%.bbappend
new file mode 100644
index 000000000..bea5a3731
--- /dev/null
+++ b/meta-security/recipes-core/systemd/systemd_%.bbappend
@@ -0,0 +1,120 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+# Most patches from sandbox/jobol/v219. Cannot be applied unconditionally
+# because systemd panics when booted without Smack support:
+# systemd[1]: Cannot determine cgroup we are running in: No such file or directory
+# systemd[1]: Failed to allocate manager object: No such file or directory
+# [!!!!!!] Failed to allocate manager object, freezing.
+#
+# There's a slight dependency on the base systemd in 0005-tizen-smack-Handling-network.
+# We use the beginning of PV (unexpanded here to prevent a cyclic dependency
+# during resolution apparently caused by ${SRCPV}) to pick the right set of
+# patches.
+#
+# Patches are optional. Hopefully we won't need any for systemd >= 229.
+SRC_URI_append_with-lsm-smack = " ${@d.getVar('SYSTEMD_SMACK_PATCHES_' + d.getVar('PV', False)[0:3], True) or ''}"
+
+SYSTEMD_SMACK_PATCHES_216 = " \
+file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup-v216.patch \
+file://0004-tizen-smack-Handling-of-dev-v216.patch \
+file://0005-tizen-smack-Handling-network-v216.patch \
+file://0007-tizen-smack-Runs-systemd-journald-with-v216.patch \
+"
+
+SYSTEMD_SMACK_PATCHES_219 = " \
+file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
+file://0004-tizen-smack-Handling-of-dev.patch \
+file://0005-tizen-smack-Handling-network.patch \
+file://0007-tizen-smack-Runs-systemd-journald-with.patch \
+"
+SYSTEMD_SMACK_PATCHES_225 = " \
+file://0003-tizen-smack-Handling-of-run-and-sys-fs-cgroup.patch \
+file://0004-tizen-smack-Handling-of-dev.patch \
+file://0005-tizen-smack-Handling-network-v225.patch \
+file://0007-tizen-smack-Runs-systemd-journald-with.patch \
+"
+
+SYSTEMD_SMACK_PATCHES_228 = " \
+file://0005-tizen-smack-Handling-network-v228.patch \
+file://mount-setup.c-fix-handling-of-symlink-Smack-labellin-v228.patch \
+"
+
+# From Tizen .spec file.
+EXTRA_OECONF_append_with-lsm-smack = " --with-smack-run-label=System"
+
+install_file() {
+ install -d $(dirname $1)
+ cat >>$1
+ chmod ${2:-0644} $1
+}
+
+# We need to emulate parts of the filesystem permissions from Tizen here.
+# The part for regular files is in base-files.bbappend, but /var/log and
+# /var/tmp point into /var/volatile (tmpfs) and get created anew during
+# startup. We set these permissions directly after creating them via
+# /etc/tmpfiles.d/00-create-volatile.conf
+RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace"
+do_install_append_with-lsm-smack() {
+ install_file ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf <<EOF
+[Service]
+ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
+EOF
+
+ # Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
+ # Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
+ # but it was removed again (https://github.com/systemd/systemd/issues/1696) because
+ # util-linux mount will ignore smackfsroot when Smack is not active. However,
+ # busybox is not that intelligent.
+ #
+ # When using busybox mount, adding smackfsroot=* and booting without
+ # Smack (i.e. security=none), tmp.mount will fail with an error about
+ # "Bad mount option smackfsroot".
+ install_file ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf <<EOF
+[Mount]
+Options=smackfsroot=*
+EOF
+
+ # Run systemd-journald with the hat ("^") Smack label.
+ #
+ # The journal daemon needs global read access to gather information
+ # about the services spawned by systemd. The hat label is intended
+ # for this purpose. The journal daemon is the only part of the
+ # System domain that needs read access to the User domain. Giving
+ # the journal daemon the hat label means that we can remove the
+ # System domain's read access to the User domain and we can avoid
+ # hard-coding a specific label name for that domain.
+ #
+ # Original author: Casey Schaufler <casey@schaufler-ca.com>
+ #
+ # This is considered a configuration change and thus distro specific.
+ install_file ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf <<EOF
+[Service]
+SmackProcessLabel=^
+EOF
+}
+
+# Will get installed in ${sysconfdir}/udev/rules.d/ by base systemd recipe.
+SRC_URI += "file://udev-smack-default.rules"
+
+# A workaround for a missing space in a SRC_URI_append in a private layer elsewhere:
+SRC_URI += ""
+
+# Maintaining trivial, non-upstreamable configuration changes as patches
+# is tedious. But in same cases (like early mounting of special directories)
+# the configuration has to be in code. We make these changes here directly.
+do_patch[prefuncs] += "patch_systemd"
+do_patch[vardeps] += "patch_systemd"
+patch_systemd() {
+ # Handling of /run and /sys/fs/cgroup. Make /run a transmuting directory to
+ # enable systemd communications with services in the User domain.
+ # Original patch by Michael Demeter <michael.demeter@intel.com>.
+ #
+ # We simplify the patching by touching only lines which check the result of
+ # mac_smack_use(). Those are the ones which are used when Smack is active.
+ #
+ # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run
+ # is too distro specific (depends on Smack rules) and thus has to remain here.
+ sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \
+ -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \
+ ${S}/src/core/mount-setup.c
+}
diff --git a/meta-security/recipes-core/util-linux/util-linux_%.bbappend b/meta-security/recipes-core/util-linux/util-linux_%.bbappend
new file mode 100644
index 000000000..05286f80d
--- /dev/null
+++ b/meta-security/recipes-core/util-linux/util-linux_%.bbappend
@@ -0,0 +1,8 @@
+# Enabling Smack support in util-linux enables special support
+# in [lib]mount for Smack mount options: they get removed if
+# Smack is not active in the current kernel. Important for
+# booting with "security=none" when userspace otherwise is
+# compiled to use Smack.
+
+PACKAGECONFIG_append_with-lsm-smack_class-target = " smack"
+PACKAGECONFIG[smack] = "--with-smack, --without-smack"
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc
new file mode 100644
index 000000000..09e4ea5bb
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs.inc
@@ -0,0 +1,27 @@
+SUMMARY = "Ext2 Filesystem Utilities"
+DESCRIPTION = "The Ext2 Filesystem Utilities (e2fsprogs) contain all of the standard utilities for creating, \
+fixing, configuring , and debugging ext2 filesystems."
+HOMEPAGE = "http://e2fsprogs.sourceforge.net/"
+
+LICENSE = "GPLv2 & LGPLv2 & BSD & MIT"
+LICENSE_e2fsprogs-e2fsck = "GPLv2"
+LICENSE_e2fsprogs-mke2fs = "GPLv2"
+LICENSE_e2fsprogs-fsck = "GPLv2"
+LICENSE_e2fsprogs-tune2fs = "GPLv2"
+LICENSE_e2fsprogs-badblocks = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b48f21d765b875bd10400975d12c1ca2 \
+ file://lib/ext2fs/ext2fs.h;beginline=1;endline=9;md5=596a8dedcb4e731c6b21c7a46fba6bef \
+ file://lib/e2p/e2p.h;beginline=1;endline=7;md5=8a74ade8f9d65095d70ef2d4bf48e36a \
+ file://lib/uuid/uuid.h.in;beginline=1;endline=32;md5=dbb8079e114a5f841934b99e59c8820a \
+ file://lib/uuid/COPYING;md5=58dcd8452651fc8b07d1f65ce07ca8af \
+ file://lib/et/et_name.c;beginline=1;endline=11;md5=ead236447dac7b980dbc5b4804d8c836 \
+ file://lib/ss/ss.h;beginline=1;endline=20;md5=6e89ad47da6e75fecd2b5e0e81e1d4a6"
+SECTION = "base"
+DEPENDS = "util-linux"
+
+SRC_URI = "git://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git"
+S = "${WORKDIR}/git"
+
+inherit autotools gettext texinfo pkgconfig multilib_header update-alternatives ptest
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4 b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4
new file mode 100644
index 000000000..c0bd7dbde
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/acinclude.m4
@@ -0,0 +1,135 @@
+# Extracted from the package's shipped aclocal.m4. Custom macros should be in
+# acinclude.m4 so running aclocal doesn't blow them away.
+#
+# Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+# from http://autoconf-archive.cryp.to/ax_tls.html
+#
+# This was licensed under the GPL with the following exception:
+#
+# As a special exception, the respective Autoconf Macro's copyright
+# owner gives unlimited permission to copy, distribute and modify the
+# configure scripts that are the output of Autoconf when processing
+# the Macro. You need not follow the terms of the GNU General Public
+# License when using or distributing such scripts, even though
+# portions of the text of the Macro appear in them. The GNU General
+# Public License (GPL) does govern all other use of the material that
+# constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the
+# Autoconf Macro released by the Autoconf Macro Archive. When you make
+# and distribute a modified version of the Autoconf Macro, you may
+# extend this special exception to the GPL to apply to your modified
+# version as well.
+#
+AC_DEFUN([AX_TLS], [
+ AC_MSG_CHECKING(for thread local storage (TLS) class)
+ AC_CACHE_VAL(ac_cv_tls, [
+ ax_tls_keywords="__thread __declspec(thread) none"
+ for ax_tls_keyword in $ax_tls_keywords; do
+ case $ax_tls_keyword in
+ none) ac_cv_tls=none ; break ;;
+ *)
+ AC_TRY_COMPILE(
+ [#include <stdlib.h>
+ static void
+ foo(void) {
+ static ] $ax_tls_keyword [ int bar;
+ exit(1);
+ }],
+ [],
+ [ac_cv_tls=$ax_tls_keyword ; break],
+ ac_cv_tls=none
+ )
+ esac
+ done
+])
+
+ if test "$ac_cv_tls" != "none"; then
+ dnl AC_DEFINE([TLS], [], [If the compiler supports a TLS storage class define it to that here])
+ AC_DEFINE_UNQUOTED([TLS], $ac_cv_tls, [If the compiler supports a TLS storage class define it to that here])
+ fi
+ AC_MSG_RESULT($ac_cv_tls)
+])
+
+# ===========================================================================
+# http://www.nongnu.org/autoconf-archive/check_gnu_make.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# CHECK_GNU_MAKE()
+#
+# DESCRIPTION
+#
+# This macro searches for a GNU version of make. If a match is found, the
+# makefile variable `ifGNUmake' is set to the empty string, otherwise it
+# is set to "#". This is useful for including a special features in a
+# Makefile, which cannot be handled by other versions of make. The
+# variable _cv_gnu_make_command is set to the command to invoke GNU make
+# if it exists, the empty string otherwise.
+#
+# Here is an example of its use:
+#
+# Makefile.in might contain:
+#
+# # A failsafe way of putting a dependency rule into a makefile
+# $(DEPEND):
+# $(CC) -MM $(srcdir)/*.c > $(DEPEND)
+#
+# @ifGNUmake@ ifeq ($(DEPEND),$(wildcard $(DEPEND)))
+# @ifGNUmake@ include $(DEPEND)
+# @ifGNUmake@ endif
+#
+# Then configure.in would normally contain:
+#
+# CHECK_GNU_MAKE()
+# AC_OUTPUT(Makefile)
+#
+# Then perhaps to cause gnu make to override any other make, we could do
+# something like this (note that GNU make always looks for GNUmakefile
+# first):
+#
+# if ! test x$_cv_gnu_make_command = x ; then
+# mv Makefile GNUmakefile
+# echo .DEFAULT: > Makefile ;
+# echo \ $_cv_gnu_make_command \$@ >> Makefile;
+# fi
+#
+# Then, if any (well almost any) other make is called, and GNU make also
+# exists, then the other make wraps the GNU make.
+#
+# LICENSE
+#
+# Copyright (c) 2008 John Darrington <j.darrington@elvis.murdoch.edu.au>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved.
+#
+# Note: Modified by Ted Ts'o to add @ifNotGNUMake@
+
+AC_DEFUN(
+ [CHECK_GNU_MAKE], [ AC_CACHE_CHECK( for GNU make,_cv_gnu_make_command,
+ _cv_gnu_make_command='' ;
+dnl Search all the common names for GNU make
+ for a in "$MAKE" make gmake gnumake ; do
+ if test -z "$a" ; then continue ; fi ;
+ if ( sh -c "$a --version" 2> /dev/null | grep GNU 2>&1 > /dev/null ) ; then
+ _cv_gnu_make_command=$a ;
+ break;
+ fi
+ done ;
+ ) ;
+dnl If there was a GNU version, then set @ifGNUmake@ to the empty string, '#' otherwise
+ if test "x$_cv_gnu_make_command" != "x" ; then
+ ifGNUmake='' ;
+ ifNotGNUmake='#' ;
+ else
+ ifGNUmake='#' ;
+ ifNotGNUmake='' ;
+ AC_MSG_RESULT("Not found");
+ fi
+ AC_SUBST(ifGNUmake)
+ AC_SUBST(ifNotGNUmake)
+] )
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch
new file mode 100644
index 000000000..2a3aeff61
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/mkdir.patch
@@ -0,0 +1,18 @@
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Mei Lei <lei.mei@intel.com>
+
+diff --git a/configure.ac b/configure.ac
+index c1fe224..f5ac628 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1374,7 +1374,8 @@ if test -n "$WITH_DIET_LIBC" ; then
+ INCLUDES="$INCLUDES -D_REENTRANT"
+ fi
+ AC_SUBST(INCLUDES)
+-AM_MKINSTALLDIRS
++MKINSTALLDIRS="mkdir -p"
++AC_SUBST(MKINSTALLDIRS)
+ dnl
+ dnl Build CFLAGS
+ dnl
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch
new file mode 100644
index 000000000..ef1ce5872
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/ptest.patch
@@ -0,0 +1,67 @@
+diff --git a/tests/Makefile.in b/tests/Makefile.in
+index 60cf655..ce220f1 100644
+--- a/tests/Makefile.in
++++ b/tests/Makefile.in
+@@ -18,7 +18,7 @@ test_one: $(srcdir)/test_one.in Makefile mke2fs.conf
+ @echo "#!/bin/sh" > test_one
+ @echo "HTREE=y" >> test_one
+ @echo "QUOTA=y" >> test_one
+- @echo "SRCDIR=@srcdir@" >> test_one
++ @echo "SRCDIR=/usr/lib/e2fsprogs/ptest/test" >> test_one
+ @echo "DIFF_OPTS=@UNI_DIFF_OPTS@" >> test_one
+ @cat $(srcdir)/test_one.in >> test_one
+ @chmod +x test_one
+@@ -26,7 +26,7 @@ test_one: $(srcdir)/test_one.in Makefile mke2fs.conf
+ test_script: test_one test_script.in Makefile mke2fs.conf
+ @echo "Creating test_script..."
+ @echo "#!/bin/sh" > test_script
+- @echo "SRCDIR=@srcdir@" >> test_script
++ @echo "SRCDIR=/usr/lib/e2fsprogs/ptest/test" >> test_script
+ @cat $(srcdir)/test_script.in >> test_script
+ @chmod +x test_script
+
+diff --git a/tests/test_config b/tests/test_config
+index 7f39157..c815a44 100644
+--- a/tests/test_config
++++ b/tests/test_config
+@@ -3,24 +3,24 @@
+ #
+
+ unset LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME PAGER
+-FSCK="$USE_VALGRIND ../e2fsck/e2fsck"
+-MKE2FS="$USE_VALGRIND ../misc/mke2fs"
+-DUMPE2FS="$USE_VALGRIND ../misc/dumpe2fs"
+-TUNE2FS="$USE_VALGRIND ../misc/tune2fs"
+-CHATTR="$USE_VALGRIND../misc/chattr"
+-LSATTR="$USE_VALGRIND ../misc/lsattr"
+-E2IMAGE="$USE_VALGRIND ../misc/e2image"
+-E2IMAGE_EXE="../misc/e2image"
+-DEBUGFS="$USE_VALGRIND ../debugfs/debugfs"
+-DEBUGFS_EXE="../debugfs/debugfs"
+-TEST_BITS="../debugfs/debugfs"
+-RESIZE2FS_EXE="../resize/resize2fs"
++FSCK="$USE_VALGRIND e2fsck"
++MKE2FS="$USE_VALGRIND mke2fs"
++DUMPE2FS="$USE_VALGRIND dumpe2fs"
++TUNE2FS="$USE_VALGRIND tune2fs"
++CHATTR="$USE_VALGRIND chattr"
++LSATTR="$USE_VALGRIND lsattr"
++E2IMAGE="$USE_VALGRIND e2image"
++E2IMAGE_EXE="/sbin/e2image"
++DEBUGFS="$USE_VALGRIND debugfs"
++DEBUGFS_EXE="/sbin/debugfs"
++TEST_BITS="/sbin/debugfs"
++RESIZE2FS_EXE="/sbin/resize2fs"
+ RESIZE2FS="$USE_VALGRIND $RESIZE2FS_EXE"
+-E2UNDO_EXE="../misc/e2undo"
++E2UNDO_EXE="/sbin/e2undo"
+ E2UNDO="$USE_VALGRIND $E2UNDO_EXE"
+-TEST_REL=../tests/progs/test_rel
+-TEST_ICOUNT=../tests/progs/test_icount
+-CRCSUM=../tests/progs/crcsum
++TEST_REL=./progs/test_rel
++TEST_ICOUNT=./progs/test_icount
++CRCSUM=./progs/crcsum
+ CLEAN_OUTPUT="sed -f $cmd_dir/filter.sed"
+ LD_LIBRARY_PATH=../lib:../lib/ext2fs:../lib/e2p:../lib/et:../lib/ss:${LD_LIBRARY_PATH}
+ DYLD_LIBRARY_PATH=../lib:../lib/ext2fs:../lib/e2p:../lib/et:../lib/ss:${DYLD_LIBRARY_PATH}
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
new file mode 100644
index 000000000..830e9d57a
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/quiet-debugfs.patch
@@ -0,0 +1,19 @@
+When executing a script don't echo every command, as we do this for entire
+filesystems at rootfs time.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/debugfs/debugfs.c b/debugfs/debugfs.c
+index 5590295..ac57292 100644
+--- a/debugfs/debugfs.c
++++ b/debugfs/debugfs.c
+@@ -2378,7 +2378,7 @@ static int source_file(const char *cmd_file, int ss_idx)
+ cp = strchr(buf, '\r');
+ if (cp)
+ *cp = 0;
+- printf("debugfs: %s\n", buf);
++ /*printf("debugfs: %s\n", buf);*/
+ retval = ss_execute_line(ss_idx, buf);
+ if (retval) {
+ ss_perror(ss_idx, retval, buf);
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch
new file mode 100644
index 000000000..f3e6eb778
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/remove.ldconfig.call.patch
@@ -0,0 +1,44 @@
+From b139e03ac2f72e644e547c7ee9b1514383af4d97 Mon Sep 17 00:00:00 2001
+From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Date: Wed, 30 Jan 2013 15:22:04 +0200
+Subject: [PATCH] When /etc/ld.so.cache is writeable by user running bitbake
+ then it creates invalid cache (in my case libstdc++.so
+ cannot be found after building zlib(-native) and I have to
+ call touch */libstdc++.so && /sbin/ldconfig to fix it.
+
+So remove ldconfig call from make install-libs
+
+Patch authored by Martin Jansa.
+
+Upstream-Status: Inappropriate [disable feature]
+
+Signed-off-by: Scott Garman <scott.a.garman@intel.com>
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+---
+ lib/Makefile.elf-lib | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/lib/Makefile.elf-lib b/lib/Makefile.elf-lib
+index 78479d3..4a4a5ac 100644
+--- a/lib/Makefile.elf-lib
++++ b/lib/Makefile.elf-lib
+@@ -50,8 +50,6 @@ install-shlibs install:: $(ELF_LIB) installdirs-elf-lib $(DEP_INSTALL_SYMLINK)
+ $(E) " SYMLINK $(libdir)/$(ELF_IMAGE).so"
+ $(Q) $(INSTALL_SYMLINK) $(ELF_INSTALL_DIR)/$(ELF_SONAME) \
+ $(libdir)/$(ELF_IMAGE).so $(DESTDIR)
+- $(E) " LDCONFIG"
+- $(Q) -$(LDCONFIG)
+
+ install-strip: install
+ $(E) " STRIP-LIB $(ELF_INSTALL_DIR)/$(ELF_LIB)"
+@@ -67,7 +65,6 @@ uninstall-shlibs uninstall::
+ $(RM) -f $(DESTDIR)$(ELF_INSTALL_DIR)/$(ELF_LIB) \
+ $(DESTDIR)$(ELF_INSTALL_DIR)/$(ELF_SONAME) \
+ $(DESTDIR)$(libdir)/$(ELF_IMAGE).so
+- -$(LDCONFIG)
+
+ clean::
+ $(RM) -rf elfshared
+--
+1.7.9.5
+
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
new file mode 100644
index 000000000..1ac251324
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+cd ./test
+./test_script &>../test.log
+if [ $? -eq 0 ]
+then
+ echo "PASS: e2fsprogs"
+ rm test.log
+else
+ echo "FAIL: e2fsprogs"
+fi
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend
new file mode 100644
index 000000000..35dd361d4
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend
@@ -0,0 +1,14 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+# Applying this patch is optional. Only some versions
+# of e2fsprogs need it. So try to apply it, but if it fails,
+# continue and hope the patch wasn't needed. If it is needed
+# and got skipped, the oeqa Smack tests will catch the failure.
+SRC_URI += "file://ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch;apply=no"
+
+do_patch[postfuncs] += "patch_xattr_support"
+patch_xattr_support () {
+ cd ${S}
+ cp lib/ext2fs/ext_attr.c lib/ext2fs/ext_attr.c.orig
+ patch lib/ext2fs/ext_attr.c <${WORKDIR}/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch && rm lib/ext2fs/ext_attr.c.orig || mv lib/ext2fs/ext_attr.c.orig lib/ext2fs/ext_attr.c
+}
diff --git a/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb
new file mode 100644
index 000000000..bc2d201a4
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/e2fsprogs_git.bb
@@ -0,0 +1,106 @@
+COREDIR = "${COREBASE}/meta/recipes-devtools/e2fsprogs"
+
+# This recipe is a copy of a e2fsprogs 1.42.99+1.43 from OE-core master and
+# only meant to be used when the current OE-core does not have that version yet.
+python () {
+ import os
+ upstream = os.path.join(d.getVar('COREDIR', True), 'e2fsprogs_1.42.9.bb')
+ if not os.path.exists(upstream):
+ raise bb.parse.SkipRecipe("This recipe replaces e2fsprogs 1.42.9 in OE-core. e2fsprogs from OE-core is something else and thus either recent enough to have xattr support or (less likely) something unexpected.")
+}
+
+
+require e2fsprogs.inc
+
+SRC_URI += "file://acinclude.m4 \
+ file://remove.ldconfig.call.patch \
+ file://quiet-debugfs.patch \
+ file://run-ptest \
+ file://ptest.patch \
+ file://mkdir.patch \
+"
+
+SRCREV = "0f26747167cc9d82df849b0aad387bf824f04544"
+PV = "1.42.99+1.43+git${SRCPV}"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$"
+
+EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \
+ --enable-elf-shlibs --disable-libuuid --disable-uuidd \
+ --disable-libblkid --enable-verbose-makecmds"
+
+EXTRA_OECONF_darwin = "--libdir=${base_libdir} --sbindir=${base_sbindir} --enable-bsd-shlibs"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[fuse] = '--enable-fuse2fs,--disable-fuse2fs,fuse'
+
+do_configure_prepend () {
+ cp ${WORKDIR}/acinclude.m4 ${S}/
+}
+
+do_install () {
+ oe_runmake 'DESTDIR=${D}' install
+ oe_runmake 'DESTDIR=${D}' install-libs
+ # We use blkid from util-linux now so remove from here
+ rm -f ${D}${base_libdir}/libblkid*
+ rm -rf ${D}${includedir}/blkid
+ rm -f ${D}${base_libdir}/pkgconfig/blkid.pc
+ rm -f ${D}${base_sbindir}/blkid
+ rm -f ${D}${base_sbindir}/fsck
+ rm -f ${D}${base_sbindir}/findfs
+
+ # e2initrd_helper and the pkgconfig files belong in libdir
+ if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
+ install -d ${D}${libdir}
+ mv ${D}${base_libdir}/e2initrd_helper ${D}${libdir}
+ mv ${D}${base_libdir}/pkgconfig ${D}${libdir}
+ fi
+
+ oe_multilib_header ext2fs/ext2_types.h
+ install -d ${D}${base_bindir}
+ mv ${D}${bindir}/chattr ${D}${base_bindir}/chattr.e2fsprogs
+
+ install -v -m 755 ${S}/contrib/populate-extfs.sh ${D}${base_sbindir}/
+}
+
+do_install_append_class-target() {
+ # Clean host path in compile_et, mk_cmds
+ sed -i -e "s,ET_DIR=\"${S}/lib/et\",ET_DIR=\"${datadir}/et\",g" ${D}${bindir}/compile_et
+ sed -i -e "s,SS_DIR=\"${S}/lib/ss\",SS_DIR=\"${datadir}/ss\",g" ${D}${bindir}/mk_cmds
+}
+
+RDEPENDS_e2fsprogs = "e2fsprogs-badblocks"
+RRECOMMENDS_e2fsprogs = "e2fsprogs-mke2fs e2fsprogs-e2fsck"
+
+PACKAGES =+ "e2fsprogs-e2fsck e2fsprogs-mke2fs e2fsprogs-tune2fs e2fsprogs-badblocks e2fsprogs-resize2fs"
+PACKAGES =+ "libcomerr libss libe2p libext2fs"
+
+FILES_e2fsprogs-resize2fs = "${base_sbindir}/resize2fs*"
+FILES_e2fsprogs-e2fsck = "${base_sbindir}/e2fsck ${base_sbindir}/fsck.ext*"
+FILES_e2fsprogs-mke2fs = "${base_sbindir}/mke2fs ${base_sbindir}/mkfs.ext* ${sysconfdir}/mke2fs.conf"
+FILES_e2fsprogs-tune2fs = "${base_sbindir}/tune2fs ${base_sbindir}/e2label"
+FILES_e2fsprogs-badblocks = "${base_sbindir}/badblocks"
+FILES_libcomerr = "${base_libdir}/libcom_err.so.*"
+FILES_libss = "${base_libdir}/libss.so.*"
+FILES_libe2p = "${base_libdir}/libe2p.so.*"
+FILES_libext2fs = "${libdir}/e2initrd_helper ${base_libdir}/libext2fs.so.*"
+FILES_${PN}-dev += "${datadir}/*/*.awk ${datadir}/*/*.sed ${base_libdir}/*.so"
+
+ALTERNATIVE_${PN} = "chattr"
+ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_LINK_NAME[chattr] = "${base_bindir}/chattr"
+ALTERNATIVE_TARGET[chattr] = "${base_bindir}/chattr.e2fsprogs"
+
+ALTERNATIVE_${PN}-doc = "fsck.8"
+ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
+
+RDEPENDS_${PN}-ptest += "${PN} ${PN}-tune2fs coreutils procps bash"
+
+do_compile_ptest() {
+ oe_runmake -C ${B}/tests
+}
+
+do_install_ptest() {
+ cp -a ${B}/tests ${D}${PTEST_PATH}/test
+ cp -a ${S}/tests/* ${D}${PTEST_PATH}/test
+ sed -e 's!../e2fsck/e2fsck!e2fsck!g' -i ${D}${PTEST_PATH}/test/*/expect*
+}
diff --git a/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch b/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch
new file mode 100644
index 000000000..67b8b68fb
--- /dev/null
+++ b/meta-security/recipes-devtools/e2fsprogs/files/ext_attr.c-fix-adding-multiple-xattrs-during-image-c.patch
@@ -0,0 +1,51 @@
+From 3b2b0922e031628f313f5480c4f1f9413c6656bf Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Wed, 10 Feb 2016 15:51:43 +0100
+Subject: [PATCH] ext_attr.c: fix adding multiple xattrs during image creation
+
+http://www.nongnu.org/ext2-doc/ext2.html#CONTRIB-EXTENDED-ATTRIBUTES
+contains the small snippet that "The entry descriptors are sorted by
+attribute name, so that two extended attribute blocks can be compared
+efficiently".
+
+The libext2fs code in e2fsprogs needs to be taught about this minor
+sorting detail. Otherwise creating an image with "mkfs.ext -d" from a
+filesystem that reports xattrs in listxattr() in an order that does
+not match the expected order will lead to an image where listxattr()
+reports all xattrs, but reading some values fails with ENODATA.
+
+[Patch from RP, commit message from Patrick and RP]
+
+Upstream-Status: Pending [https://bugzilla.yoctoproject.org/show_bug.cgi?id=8992]
+---
+ lib/ext2fs/ext_attr.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
+index 0a4f8c0..be8f9c3 100644
+--- a/lib/ext2fs/ext_attr.c
++++ b/lib/ext2fs/ext_attr.c
+@@ -258,6 +258,7 @@ static struct ea_name_index ea_names[] = {
+ static int attr_compare(const void *a, const void *b)
+ {
+ const struct ext2_xattr *xa = a, *xb = b;
++ size_t len;
+
+ if (xa->name == NULL)
+ return +1;
+@@ -267,7 +268,11 @@ static int attr_compare(const void *a, const void *b)
+ return -1;
+ else if (!strcmp(xb->name, "system.data"))
+ return +1;
+- return 0;
++ len = strlen(xa->name) - strlen(xb->name);
++ if (len)
++ return len;
++
++ return strcmp(xa->name, xb->name);
+ }
+
+ static const char *find_ea_prefix(int index)
+--
+2.1.4
+
diff --git a/meta-security/recipes-kernel/linux/linux-%.bbappend b/meta-security/recipes-kernel/linux/linux-%.bbappend
new file mode 100644
index 000000000..717d32e3a
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux-%.bbappend
@@ -0,0 +1,17 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux:"
+
+IS_KERNEL_RECIPE := "${@bb.data.inherits_class('kernel', d) and 'yes' or 'no'}"
+SMACK_KERNEL_SRC_URI_no = ""
+SMACK_KERNEL_SRC_URI_yes = ""
+
+# Kernel config fragment enabling Smack, without making it the default explicitly.
+SMACK_KERNEL_SRC_URI_yes += "file://smack.cfg"
+
+# When added, set Smack as the default LSM.
+SMACK_DEFAULT_SECURITY_CFG = "file://smack-default-lsm.cfg"
+
+# Add it by default, can be overridden by changing this variable here.
+SMACK_DEFAULT_SECURITY ??= "${SMACK_DEFAULT_SECURITY_CFG}"
+SMACK_KERNEL_SRC_URI_yes += " ${SMACK_DEFAULT_SECURITY}"
+
+SRC_URI_append_with-lsm-smack = "${SMACK_KERNEL_SRC_URI_${IS_KERNEL_RECIPE}}"
diff --git a/meta-security/recipes-kernel/linux/linux/audit.cfg b/meta-security/recipes-kernel/linux/linux/audit.cfg
new file mode 100644
index 000000000..214dbe33f
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux/audit.cfg
@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
diff --git a/meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg b/meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg
new file mode 100644
index 000000000..b5c48454e
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux/smack-default-lsm.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/meta-security/recipes-kernel/linux/linux/smack.cfg b/meta-security/recipes-kernel/linux/linux/smack.cfg
new file mode 100644
index 000000000..62f465a45
--- /dev/null
+++ b/meta-security/recipes-kernel/linux/linux/smack.cfg
@@ -0,0 +1,8 @@
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_TMPFS_XATTR=y
diff --git a/meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch b/meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch
new file mode 100644
index 000000000..ad94d11bd
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/add-system-call-table-for-ARM.patch
@@ -0,0 +1,46 @@
+From 52ff74be2f01182ed9d4fcc3da059512fad63d72 Mon Sep 17 00:00:00 2001
+From: Han Chao <chan@windriver.com>
+Date: Thu, 27 Feb 2014 14:58:57 +0800
+Subject: [PATCH] add system call table for ARM.
+
+This change enable audit system call on ARM.
+Add arm System call table on machinetabs.h.
+Audit system call need enable kernel config CONFIG_AUDITSYSCALL.
+
+Signed-off-by: Han Chao <chan@windriver.com>
+---
+ lib/machinetabs.h | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/machinetabs.h b/lib/machinetabs.h
+index ec2d033..1c2e284 100644
+--- a/lib/machinetabs.h
++++ b/lib/machinetabs.h
+@@ -1,10 +1,11 @@
+-/* This is a generated file, see Makefile.am for its inputs. */
+-static const char machine_strings[] = "i386\0i486\0i586\0i686\0ia64\0ppc\0ppc64\0s390\0s390x\0x86_64";
++/* Such is aways generated file, see Makefile.am for its inputs.
++ * But this version is not generated file, which is for ARM. */
++static const char machine_strings[] = "armeb\0armv5tejl\0armv5tel\0armv6l\0armv7l";
+ static const unsigned machine_s2i_s[] = {
+- 0,5,10,15,20,25,29,35,40,46,
++ 0,6,16,25,32,
+ };
+ static const int machine_s2i_i[] = {
+- 0,0,0,0,2,4,3,6,5,1,
++ 8,8,8,8,8,
+ };
+ static int machine_s2i(const char *s, int *value) {
+ size_t len, i;
+@@ -19,7 +20,7 @@ static int machine_s2i(const char *s, int *value) {
+ }
+ }
+ static const unsigned machine_i2s_direct[] = {
+- 0,46,20,29,25,40,35,
++ 39,85,59,68,64,
+ };
+ static const char *machine_i2s(int v) {
+ return i2s_direct__(machine_strings, machine_i2s_direct, 0, 6, v);
+--
+1.7.9.5
+
diff --git a/meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch b/meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch
new file mode 100644
index 000000000..60a23a8a4
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/audit-for-cross-compiling.patch
@@ -0,0 +1,2938 @@
+From f73f654734c5f0d1a6568c6c8fba232b01f919f4 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe@deserted.net>
+Date: Wed, 23 Oct 2013 16:02:34 -0400
+Subject: [PATCH] audit: use generated headers for cross compiling
+
+In the same vein as the patch for audit 2.2.1 (commit: 6c77455b), we generate
+the headers which are inherently architecture specific but portable on a
+convenient platform and use them for all platforms.
+
+Upstream-Status: Inappropriate [cross-compile specific]
+
+Signed-off-by: Joe MacDonald <joe@deserted.net>
+---
+ auparse/Makefile.am | 200 ---------------------------------------------
+ auparse/accesstabs.h | 6 ++
+ auparse/captabs.h | 14 ++++
+ auparse/clocktabs.h | 8 ++
+ auparse/clone-flagtabs.h | 10 +++
+ auparse/epoll_ctls.h | 8 ++
+ auparse/famtabs.h | 14 ++++
+ auparse/fcntl-cmdtabs.h | 17 ++++
+ auparse/flagtabs.h | 6 ++
+ auparse/icmptypetabs.h | 10 +++
+ auparse/ip6optnametabs.h | 20 +++++
+ auparse/ipccmdtabs.h | 6 ++
+ auparse/ipctabs.h | 11 +++
+ auparse/ipoptnametabs.h | 17 ++++
+ auparse/mmaptabs.h | 8 ++
+ auparse/mounttabs.h | 10 +++
+ auparse/nfprototabs.h | 9 ++
+ auparse/open-flagtabs.h | 8 ++
+ auparse/persontabs.h | 17 ++++
+ auparse/pktoptnametabs.h | 10 +++
+ auparse/prctl_opttabs.h | 14 ++++
+ auparse/prottabs.h | 6 ++
+ auparse/ptracetabs.h | 17 ++++
+ auparse/recvtabs.h | 8 ++
+ auparse/rlimittabs.h | 10 +++
+ auparse/schedtabs.h | 8 ++
+ auparse/seccomptabs.h | 11 +++
+ auparse/seektabs.h | 8 ++
+ auparse/shm_modetabs.h | 6 ++
+ auparse/signaltabs.h | 14 ++++
+ auparse/sockleveltabs.h | 12 +++
+ auparse/sockoptnametabs.h | 23 ++++++
+ auparse/socktabs.h | 10 +++
+ auparse/socktypetabs.h | 8 ++
+ auparse/tcpoptnametabs.h | 12 +++
+ auparse/typetabs.h | 35 ++++++++
+ auparse/umounttabs.h | 6 ++
+ lib/Makefile.am | 106 ------------------------
+ lib/aarch64_tables.h | 125 ++++++++++++++++++++++++++++
+ lib/actiontabs.h | 26 ++++++
+ lib/alpha_tables.h | 196 ++++++++++++++++++++++++++++++++++++++++++++
+ lib/armeb_tables.h | 165 +++++++++++++++++++++++++++++++++++++
+ lib/errtabs.h | 78 ++++++++++++++++++
+ lib/fieldtabs.h | 49 +++++++++++
+ lib/flagtabs.h | 26 ++++++
+ lib/ftypetabs.h | 29 +++++++
+ lib/i386_tables.h | 163 ++++++++++++++++++++++++++++++++++++
+ lib/ia64_tables.h | 147 +++++++++++++++++++++++++++++++++
+ lib/machinetabs.h | 26 ++++++
+ lib/msg_typetabs.h | 104 +++++++++++++++++++++++
+ lib/optabs.h | 11 +++
+ lib/ppc_tables.h | 163 ++++++++++++++++++++++++++++++++++++
+ lib/s390_tables.h | 153 ++++++++++++++++++++++++++++++++++
+ lib/s390x_tables.h | 144 ++++++++++++++++++++++++++++++++
+ lib/x86_64_tables.h | 150 ++++++++++++++++++++++++++++++++++
+ 55 files changed, 2172 insertions(+), 306 deletions(-)
+ create mode 100644 auparse/accesstabs.h
+ create mode 100644 auparse/captabs.h
+ create mode 100644 auparse/clocktabs.h
+ create mode 100644 auparse/clone-flagtabs.h
+ create mode 100644 auparse/epoll_ctls.h
+ create mode 100644 auparse/famtabs.h
+ create mode 100644 auparse/fcntl-cmdtabs.h
+ create mode 100644 auparse/flagtabs.h
+ create mode 100644 auparse/icmptypetabs.h
+ create mode 100644 auparse/ip6optnametabs.h
+ create mode 100644 auparse/ipccmdtabs.h
+ create mode 100644 auparse/ipctabs.h
+ create mode 100644 auparse/ipoptnametabs.h
+ create mode 100644 auparse/mmaptabs.h
+ create mode 100644 auparse/mounttabs.h
+ create mode 100644 auparse/nfprototabs.h
+ create mode 100644 auparse/open-flagtabs.h
+ create mode 100644 auparse/persontabs.h
+ create mode 100644 auparse/pktoptnametabs.h
+ create mode 100644 auparse/prctl_opttabs.h
+ create mode 100644 auparse/prottabs.h
+ create mode 100644 auparse/ptracetabs.h
+ create mode 100644 auparse/recvtabs.h
+ create mode 100644 auparse/rlimittabs.h
+ create mode 100644 auparse/schedtabs.h
+ create mode 100644 auparse/seccomptabs.h
+ create mode 100644 auparse/seektabs.h
+ create mode 100644 auparse/shm_modetabs.h
+ create mode 100644 auparse/signaltabs.h
+ create mode 100644 auparse/sockleveltabs.h
+ create mode 100644 auparse/sockoptnametabs.h
+ create mode 100644 auparse/socktabs.h
+ create mode 100644 auparse/socktypetabs.h
+ create mode 100644 auparse/tcpoptnametabs.h
+ create mode 100644 auparse/typetabs.h
+ create mode 100644 auparse/umounttabs.h
+ create mode 100644 lib/aarch64_tables.h
+ create mode 100644 lib/actiontabs.h
+ create mode 100644 lib/alpha_tables.h
+ create mode 100644 lib/armeb_tables.h
+ create mode 100644 lib/errtabs.h
+ create mode 100644 lib/fieldtabs.h
+ create mode 100644 lib/flagtabs.h
+ create mode 100644 lib/ftypetabs.h
+ create mode 100644 lib/i386_tables.h
+ create mode 100644 lib/ia64_tables.h
+ create mode 100644 lib/machinetabs.h
+ create mode 100644 lib/msg_typetabs.h
+ create mode 100644 lib/optabs.h
+ create mode 100644 lib/ppc_tables.h
+ create mode 100644 lib/s390_tables.h
+ create mode 100644 lib/s390x_tables.h
+ create mode 100644 lib/x86_64_tables.h
+
+diff --git a/auparse/Makefile.am b/auparse/Makefile.am
+index f0ca18f..7d1527c 100644
+--- a/auparse/Makefile.am
++++ b/auparse/Makefile.am
+@@ -53,203 +53,3 @@ BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \
+ seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ socktabs.h sockleveltabs.h socktypetabs.h \
+ tcpoptnametabs.h typetabs.h umounttabs.h
+-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
+- gen_clone-flagtabs_h \
+- gen_epoll_ctls_h gen_famtabs_h \
+- gen_fcntl-cmdtabs_h gen_flagtabs_h \
+- gen_icmptypetabs_h gen_ipctabs_h gen_ipccmdtabs_h\
+- gen_ipoptnametabs_h gen_ip6optnametabs_h gen_nfprototabs_h \
+- gen_mmaptabs_h gen_mounttabs_h \
+- gen_open-flagtabs_h gen_persontabs_h \
+- gen_prctl_opttabs_h gen_pktoptnametabs_h gen_prottabs_h \
+- gen_recvtabs_h gen_rlimit_h gen_ptracetabs_h \
+- gen_schedtabs_h gen_seccomptabs_h \
+- gen_seektabs_h gen_shm_modetabs_h gen_signals_h \
+- gen_sockoptnametabs_h gen_socktabs_h gen_sockleveltabs_h \
+- gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+- gen_umounttabs_h
+-
+-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+-gen_accesstabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="accesstab.h"'
+-accesstabs.h: gen_accesstabs_h Makefile
+- ./gen_accesstabs_h --i2s-transtab access > $@
+-
+-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+-gen_captabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="captab.h"'
+-captabs.h: gen_captabs_h Makefile
+- ./gen_captabs_h --i2s cap > $@
+-
+-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+-gen_clock_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clocktab.h"'
+-clocktabs.h: gen_clock_h Makefile
+- ./gen_clock_h --i2s clock > $@
+-
+-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+- clone-flagtab.h
+-gen_clone_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clone-flagtab.h"'
+-clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+- ./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
+-
+-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+-gen_epoll_ctls_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="epoll_ctl.h"'
+-epoll_ctls.h: gen_epoll_ctls_h Makefile
+- ./gen_epoll_ctls_h --i2s epoll_ctl > $@
+-
+-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+-gen_famtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="famtab.h"'
+-famtabs.h: gen_famtabs_h Makefile
+- ./gen_famtabs_h --i2s fam > $@
+-
+-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+-# ../auparse/ is used to avoid using ../lib/flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="../auparse/flagtab.h"'
+-flagtabs.h: gen_flagtabs_h Makefile
+- ./gen_flagtabs_h --i2s-transtab flag > $@
+-
+-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+- fcntl-cmdtab.h
+-gen_fcntl_cmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fcntl-cmdtab.h"'
+-fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+- ./gen_fcntl-cmdtabs_h --i2s fcntl > $@
+-
+-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+-gen_icmptypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="icmptypetab.h"'
+-icmptypetabs.h: gen_icmptypetabs_h Makefile
+- ./gen_icmptypetabs_h --i2s icmptype > $@
+-
+-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+-gen_ipctabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipctab.h"'
+-ipctabs.h: gen_ipctabs_h Makefile
+- ./gen_ipctabs_h --i2s ipc > $@
+-
+-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+-gen_ipccmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipccmdtab.h"'
+-ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+- ./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
+-
+-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+-gen_ipoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipoptnametab.h"'
+-ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+- ./gen_ipoptnametabs_h --i2s ipoptname > $@
+-
+-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+-gen_ip6optnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ip6optnametab.h"'
+-ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+- ./gen_ip6optnametabs_h --i2s ip6optname > $@
+-
+-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+-gen_mmaptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mmaptab.h"'
+-mmaptabs.h: gen_mmaptabs_h Makefile
+- ./gen_mmaptabs_h --i2s-transtab mmap > $@
+-
+-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+-gen_mounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mounttab.h"'
+-mounttabs.h: gen_mounttabs_h Makefile
+- ./gen_mounttabs_h --i2s-transtab mount > $@
+-
+-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+-gen_nfprototabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="nfprototab.h"'
+-nfprototabs.h: gen_nfprototabs_h Makefile
+- ./gen_nfprototabs_h --i2s nfproto > $@
+-
+-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+- open-flagtab.h
+-gen_open_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="open-flagtab.h"'
+-open-flagtabs.h: gen_open-flagtabs_h Makefile
+- ./gen_open-flagtabs_h --i2s-transtab open_flag > $@
+-
+-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+-gen_persontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="persontab.h"'
+-persontabs.h: gen_persontabs_h Makefile
+- ./gen_persontabs_h --i2s person > $@
+-
+-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+-gen_ptracetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ptracetab.h"'
+-ptracetabs.h: gen_ptracetabs_h Makefile
+- ./gen_ptracetabs_h --i2s ptrace > $@
+-
+-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+-gen_prctl_opttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prctl-opt-tab.h"'
+-prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+- ./gen_prctl_opttabs_h --i2s prctl_opt > $@
+-
+-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+-gen_pktoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="pktoptnametab.h"'
+-pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+- ./gen_pktoptnametabs_h --i2s pktoptname > $@
+-
+-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+-gen_prottabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prottab.h"'
+-prottabs.h: gen_prottabs_h Makefile
+- ./gen_prottabs_h --i2s-transtab prot > $@
+-
+-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+-gen_recvtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="recvtab.h"'
+-recvtabs.h: gen_recvtabs_h Makefile
+- ./gen_recvtabs_h --i2s-transtab recv > $@
+-
+-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+-gen_rlimit_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="rlimittab.h"'
+-rlimittabs.h: gen_rlimit_h Makefile
+- ./gen_rlimit_h --i2s rlimit > $@
+-
+-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+-gen_schedtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="schedtab.h"'
+-schedtabs.h: gen_schedtabs_h Makefile
+- ./gen_schedtabs_h --i2s sched > $@
+-
+-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+-gen_seccomptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seccomptab.h"'
+-seccomptabs.h: gen_seccomptabs_h Makefile
+- ./gen_seccomptabs_h --i2s seccomp > $@
+-
+-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+-gen_seektabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seektab.h"'
+-seektabs.h: gen_seektabs_h Makefile
+- ./gen_seektabs_h --i2s seek > $@
+-
+-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+-gen_shm_modetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="shm_modetab.h"'
+-shm_modetabs.h: gen_shm_modetabs_h Makefile
+- ./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
+-
+-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+-gen_signals_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="signaltab.h"'
+-signaltabs.h: gen_signals_h Makefile
+- ./gen_signals_h --i2s signal > $@
+-
+-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+-gen_sockleveltabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockleveltab.h"'
+-sockleveltabs.h: gen_sockleveltabs_h Makefile
+- ./gen_sockleveltabs_h --i2s socklevel > $@
+-
+-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+-gen_sockoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockoptnametab.h"'
+-sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+- ./gen_sockoptnametabs_h --i2s sockoptname > $@
+-
+-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+-gen_socktabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktab.h"'
+-socktabs.h: gen_socktabs_h Makefile
+- ./gen_socktabs_h --i2s sock > $@
+-
+-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+-gen_socktypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktypetab.h"'
+-socktypetabs.h: gen_socktypetabs_h Makefile
+- ./gen_socktypetabs_h --i2s sock_type > $@
+-
+-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+-gen_tcpoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="tcpoptnametab.h"'
+-tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+- ./gen_tcpoptnametabs_h --i2s tcpoptname > $@
+-
+-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+-gen_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="typetab.h"'
+-typetabs.h: gen_typetabs_h Makefile
+- ./gen_typetabs_h --s2i type > $@
+-
+-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+-gen_umounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="umounttab.h"'
+-umounttabs.h: gen_umounttabs_h Makefile
+- ./gen_umounttabs_h --i2s-transtab umount > $@
+-
+diff --git a/auparse/accesstabs.h b/auparse/accesstabs.h
+new file mode 100644
+index 0000000..867d99c
+--- /dev/null
++++ b/auparse/accesstabs.h
+@@ -0,0 +1,6 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char access_strings[] = "R_OK\0W_OK\0X_OK";
++static const struct transtab access_table[] = {
++ {1,10},{2,5},{4,0},
++};
++#define ACCESS_NUM_ENTRIES (sizeof(access_table) / sizeof(*access_table))
+diff --git a/auparse/captabs.h b/auparse/captabs.h
+new file mode 100644
+index 0000000..9267466
+--- /dev/null
++++ b/auparse/captabs.h
+@@ -0,0 +1,14 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char cap_strings[] = "audit_control\0audit_write\0block_suspend\0chown\0compromise_kernel\0dac_override\0dac_read_search\0fowner\0fsetid\0ipc_lock\0"
++ "ipc_owner\0kill\0lease\0linux_immutable\0mac_admin\0mac_override\0mknod\0net_admin\0net_bind_service\0net_broadcast\0"
++ "net_raw\0setfcap\0setgid\0setpcap\0setuid\0sys_admin\0sys_boot\0sys_chroot\0sys_module\0sys_nice\0"
++ "sys_pacct\0sys_ptrace\0sys_rawio\0sys_resource\0sys_time\0sys_tty_config\0syslog\0wake_alarm";
++static const unsigned cap_i2s_direct[] = {
++ 40,64,77,93,100,126,239,254,246,137,
++ 192,209,182,223,107,116,291,332,280,321,
++ 311,261,271,302,342,355,364,176,131,14,
++ 0,231,163,153,379,386,26,46,
++};
++static const char *cap_i2s(int v) {
++ return i2s_direct__(cap_strings, cap_i2s_direct, 0, 37, v);
++}
+diff --git a/auparse/clocktabs.h b/auparse/clocktabs.h
+new file mode 100644
+index 0000000..03f9f09
+--- /dev/null
++++ b/auparse/clocktabs.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char clock_strings[] = "CLOCK_BOOTTIME\0CLOCK_BOOTTIME_ALARM\0CLOCK_MONOTONIC\0CLOCK_MONOTONIC_COARSE\0CLOCK_MONOTONIC_RAW\0CLOCK_PROCESS_CPUTIME_ID\0CLOCK_REALTIME\0CLOCK_REALTIME_ALARM\0CLOCK_REALTIME_COARSE\0CLOCK_THREAD_CPUTIME_ID";
++static const unsigned clock_i2s_direct[] = {
++ 120,36,95,178,75,156,52,0,135,15,
++};
++static const char *clock_i2s(int v) {
++ return i2s_direct__(clock_strings, clock_i2s_direct, 0, 9, v);
++}
+diff --git a/auparse/clone-flagtabs.h b/auparse/clone-flagtabs.h
+new file mode 100644
+index 0000000..b8f815d
+--- /dev/null
++++ b/auparse/clone-flagtabs.h
+@@ -0,0 +1,10 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char clone_flag_strings[] = "CLONE_CHILD_CLEARTID\0CLONE_CHILD_SETTID\0CLONE_DETACHED\0CLONE_FILES\0CLONE_FS\0CLONE_IO\0CLONE_NEWIPC\0CLONE_NEWNET\0CLONE_NEWNS\0CLONE_NEWPID\0"
++ "CLONE_NEWUSER\0CLONE_NEWUTS\0CLONE_PARENT\0CLONE_PARENT_SETTID\0CLONE_PTRACE\0CLONE_SETTLS\0CLONE_SIGHAND\0CLONE_STOPPED\0CLONE_SYSVSEM\0CLONE_THREAD\0"
++ "CLONE_UNTRACED\0CLONE_VFORK\0CLONE_VM";
++static const struct transtab clone_flag_table[] = {
++ {256,304},{512,67},{1024,55},{2048,222},{8192,196},{16384,292},{32768,163},{65536,264},{131072,111},{262144,250},
++ {524288,209},{1048576,176},{2097152,0},{4194304,40},{8388608,277},{16777216,21},{33554432,236},{67108864,150},{134217728,85},{268435456,136},
++ {536870912,123},{1073741824,98},{-2147483648,76},
++};
++#define CLONE_FLAG_NUM_ENTRIES (sizeof(clone_flag_table) / sizeof(*clone_flag_table))
+diff --git a/auparse/epoll_ctls.h b/auparse/epoll_ctls.h
+new file mode 100644
+index 0000000..2787c18
+--- /dev/null
++++ b/auparse/epoll_ctls.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char epoll_ctl_strings[] = "EPOLL_CTL_ADD\0EPOLL_CTL_DEL\0EPOLL_CTL_MOD";
++static const unsigned epoll_ctl_i2s_direct[] = {
++ 0,14,28,
++};
++static const char *epoll_ctl_i2s(int v) {
++ return i2s_direct__(epoll_ctl_strings, epoll_ctl_i2s_direct, 1, 3, v);
++}
+diff --git a/auparse/famtabs.h b/auparse/famtabs.h
+new file mode 100644
+index 0000000..cae396b
+--- /dev/null
++++ b/auparse/famtabs.h
+@@ -0,0 +1,14 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char fam_strings[] = "alg\0appletalk\0ash\0atmpvc\0atmsvc\0ax25\0bluetooth\0bridge\0caif\0can\0"
++ "decnet\0econet\0ieee802154\0inet\0inet6\0ipx\0irda\0isdn\0iucv\0key\0"
++ "llc\0local\0netbeui\0netlink\0netrom\0nfc\0packet\0phonet\0pppox\0rds\0"
++ "rose\0rxrpc\0security\0sna\0tipc\0vsock\0wanpipe\0x25";
++static const unsigned fam_i2s_direct[] = {
++ 126,88,32,99,4,148,47,18,226,93,
++ 183,63,132,194,118,140,159,14,70,25,
++ 179,203,103,173,218,122,-1u,-1u,59,207,
++ 37,113,188,108,166,77,54,0,155,212,
++};
++static const char *fam_i2s(int v) {
++ return i2s_direct__(fam_strings, fam_i2s_direct, 1, 40, v);
++}
+diff --git a/auparse/fcntl-cmdtabs.h b/auparse/fcntl-cmdtabs.h
+new file mode 100644
+index 0000000..18c6cc7
+--- /dev/null
++++ b/auparse/fcntl-cmdtabs.h
+@@ -0,0 +1,17 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char fcntl_strings[] = "F_CANCELLK\0F_DUPFD\0F_DUPFD_CLOEXEC\0F_GETFD\0F_GETFL\0F_GETLEASE\0F_GETLK\0F_GETLK64\0F_GETOWN\0F_GETOWNER_UIDS\0"
++ "F_GETOWN_EX\0F_GETPIPE_SZ\0F_GETSIG\0F_NOTIFY\0F_SETFD\0F_SETFL\0F_SETLEASE\0F_SETLK\0F_SETLK64\0F_SETLKW\0"
++ "F_SETLKW64\0F_SETOWN\0F_SETOWN_EX\0F_SETPIPE_SZ\0F_SETSIG";
++static const int fcntl_i2s_i[] = {
++ 0,1,2,3,4,5,6,7,8,9,
++ 10,11,12,13,14,15,16,17,1024,1025,
++ 1026,1029,1030,1031,1032,
++};
++static const unsigned fcntl_i2s_s[] = {
++ 11,35,148,43,156,62,175,193,213,80,
++ 247,130,70,183,202,222,105,89,164,51,
++ 139,0,19,234,117,
++};
++static const char *fcntl_i2s(int v) {
++ return i2s_bsearch__(fcntl_strings, fcntl_i2s_i, fcntl_i2s_s, 25, v);
++}
+diff --git a/auparse/flagtabs.h b/auparse/flagtabs.h
+new file mode 100644
+index 0000000..5f57e14
+--- /dev/null
++++ b/auparse/flagtabs.h
+@@ -0,0 +1,6 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char flag_strings[] = "access\0atomic\0continue\0create\0directory\0follow\0noalt\0open\0parent";
++static const struct transtab flag_table[] = {
++ {1,40},{2,30},{4,14},{16,58},{32,47},{64,7},{256,53},{512,23},{1024,0},
++};
++#define FLAG_NUM_ENTRIES (sizeof(flag_table) / sizeof(*flag_table))
+diff --git a/auparse/icmptypetabs.h b/auparse/icmptypetabs.h
+new file mode 100644
+index 0000000..49b44bf
+--- /dev/null
++++ b/auparse/icmptypetabs.h
+@@ -0,0 +1,10 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char icmptype_strings[] = "address-mask-reply\0address-mask-request\0destination-unreachable\0echo\0echo-reply\0info-reply\0info-request\0parameter-problem\0redirect\0source-quench\0"
++ "time-exceeded\0timestamp-reply\0timestamp-request";
++static const unsigned icmptype_i2s_direct[] = {
++ 69,-1u,-1u,40,131,122,-1u,-1u,64,-1u,
++ -1u,145,104,175,159,91,80,19,0,
++};
++static const char *icmptype_i2s(int v) {
++ return i2s_direct__(icmptype_strings, icmptype_i2s_direct, 0, 18, v);
++}
+diff --git a/auparse/ip6optnametabs.h b/auparse/ip6optnametabs.h
+new file mode 100644
+index 0000000..4af11c2
+--- /dev/null
++++ b/auparse/ip6optnametabs.h
+@@ -0,0 +1,20 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ip6optname_strings[] = "IP6T_SO_GET_REVISION_MATCH\0IP6T_SO_GET_REVISION_TARGET\0IP6T_SO_ORIGINAL_DST\0IP6T_SO_SET_ADD_COUNTERS\0IP6T_SO_SET_REPLACE\0IPV6_2292DSTOPTS\0IPV6_2292HOPLIMIT\0IPV6_2292HOPOPTS\0IPV6_2292PKTINFO\0IPV6_2292PKTOPTIONS\0"
++ "IPV6_2292RTHDR\0IPV6_ADDRFORM\0IPV6_ADDR_PREFERENCES\0IPV6_ADD_MEMBERSHIP\0IPV6_AUTHHDR\0IPV6_CHECKSUM\0IPV6_DONTFRAG\0IPV6_DROP_MEMBERSHIP\0IPV6_DSTOPTS\0IPV6_FLOWINFO\0"
++ "IPV6_FLOWINFO_SEND\0IPV6_FLOWLABEL_MGR\0IPV6_HOPLIMIT\0IPV6_HOPOPTS\0IPV6_IPSEC_POLICY\0IPV6_JOIN_ANYCAST\0IPV6_LEAVE_ANYCAST\0IPV6_MINHOPCOUNT\0IPV6_MTU\0IPV6_MTU_DISCOVER\0"
++ "IPV6_MULTICAST_HOPS\0IPV6_MULTICAST_IF\0IPV6_MULTICAST_LOOP\0IPV6_NEXTHOP\0IPV6_ORIGDSTADDR\0IPV6_PATHMTU\0IPV6_PKTINFO\0IPV6_RECVDSTOPTS\0IPV6_RECVERR\0IPV6_RECVHOPLIMIT\0"
++ "IPV6_RECVHOPOPTS\0IPV6_RECVPATHMTU\0IPV6_RECVPKTINFO\0IPV6_RECVRTHDR\0IPV6_RECVTCLASS\0IPV6_ROUTER_ALERT\0IPV6_RTHDR\0IPV6_RTHDRDSTOPTS\0IPV6_TCLASS\0IPV6_TRANSPARENT\0"
++ "IPV6_UNICAST_HOPS\0IPV6_UNICAST_IF\0IPV6_USE_MIN_MTU\0IPV6_V6ONLY\0IPV6_XFRM_POLICY";
++static const unsigned ip6optname_i2s_direct[] = {
++ 225,173,156,121,210,190,294,138,592,281,
++ 356,-1u,-1u,-1u,-1u,854,554,534,572,261,
++ 322,778,516,507,665,905,453,471,-1u,-1u,
++ -1u,389,370,435,917,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,730,635,
++ 678,408,696,422,807,747,796,648,343,713,
++ 622,308,888,101,76,762,825,0,27,-1u,
++ -1u,239,490,605,837,872,-1u,-1u,-1u,55,
++};
++static const char *ip6optname_i2s(int v) {
++ return i2s_direct__(ip6optname_strings, ip6optname_i2s_direct, 1, 80, v);
++}
+diff --git a/auparse/ipccmdtabs.h b/auparse/ipccmdtabs.h
+new file mode 100644
+index 0000000..ff43dbb
+--- /dev/null
++++ b/auparse/ipccmdtabs.h
+@@ -0,0 +1,6 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ipccmd_strings[] = "IPC_CREAT\0IPC_EXCL\0IPC_NOWAIT";
++static const struct transtab ipccmd_table[] = {
++ {512,0},{1024,10},{2048,19},
++};
++#define IPCCMD_NUM_ENTRIES (sizeof(ipccmd_table) / sizeof(*ipccmd_table))
+diff --git a/auparse/ipctabs.h b/auparse/ipctabs.h
+new file mode 100644
+index 0000000..4bf3bcd
+--- /dev/null
++++ b/auparse/ipctabs.h
+@@ -0,0 +1,11 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ipc_strings[] = "msgctl\0msgget\0msgrcv\0msgsnd\0semctl\0semget\0semop\0semtimedop\0shmat\0shmctl\0"
++ "shmdt\0shmget";
++static const unsigned ipc_i2s_direct[] = {
++ 42,35,28,48,-1u,-1u,-1u,-1u,-1u,-1u,
++ 21,14,7,0,-1u,-1u,-1u,-1u,-1u,-1u,
++ 59,72,78,65,
++};
++static const char *ipc_i2s(int v) {
++ return i2s_direct__(ipc_strings, ipc_i2s_direct, 1, 24, v);
++}
+diff --git a/auparse/ipoptnametabs.h b/auparse/ipoptnametabs.h
+new file mode 100644
+index 0000000..fb0b8b7
+--- /dev/null
++++ b/auparse/ipoptnametabs.h
+@@ -0,0 +1,17 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ipoptname_strings[] = "IPT_SO_GET_REVISION_TARGET\0IPT_SO_SET_ADD_COUNTERS\0IPT_SO_SET_REPLACE\0IP_ADD_MEMBERSHIP\0IP_ADD_SOURCE_MEMBERSHIP\0IP_BLOCK_SOURCE\0IP_DROP_MEMBERSHIP\0IP_DROP_SOURCE_MEMBERSHIP\0IP_FREEBIND\0IP_HDRINCL\0"
++ "IP_IPSEC_POLICY\0IP_MINTTL\0IP_MSFILTER\0IP_MTU\0IP_MTU_DISCOVER\0IP_MULTICAST_ALL\0IP_MULTICAST_IF\0IP_MULTICAST_LOOP\0IP_MULTICAST_TTL\0IP_NODEFRAG\0"
++ "IP_OPTIONS\0IP_ORIGDSTADDR\0IP_PASSSEC\0IP_PKTINFO\0IP_PKTOPTIONS\0IP_RECVERR\0IP_RECVOPTS\0IP_RECVTTL\0IP_RETOPTS\0IP_ROUTER_ALERT\0"
++ "IP_TOS\0IP_TRANSPARENT\0IP_TTL\0IP_UNBLOCK_SOURCE\0IP_UNICAST_IF\0IP_XFRM_POLICY";
++static const unsigned ipoptname_i2s_direct[] = {
++ 461,483,186,338,445,411,434,375,386,242,
++ 400,423,-1u,235,174,197,522,364,468,349,
++ 213,326,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,275,309,291,70,129,490,113,88,148,
++ 223,-1u,-1u,-1u,-1u,-1u,-1u,-1u,258,508,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,51,27,0,
++};
++static const char *ipoptname_i2s(int v) {
++ return i2s_direct__(ipoptname_strings, ipoptname_i2s_direct, 1, 66, v);
++}
+diff --git a/auparse/mmaptabs.h b/auparse/mmaptabs.h
+new file mode 100644
+index 0000000..386833c
+--- /dev/null
++++ b/auparse/mmaptabs.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char mmap_strings[] = "MAP_32BIT\0MAP_ANONYMOUS\0MAP_DENYWRITE\0MAP_EXECUTABLE\0MAP_FIXED\0MAP_GROWSDOWN\0MAP_HUGETLB\0MAP_LOCKED\0MAP_NONBLOCK\0MAP_NORESERVE\0"
++ "MAP_POPULATE\0MAP_PRIVATE\0MAP_SHARED\0MAP_STACK";
++static const struct transtab mmap_table[] = {
++ {1,152},{2,140},{16,53},{32,10},{64,0},{256,63},{2048,24},{4096,38},{8192,89},{16384,113},
++ {32768,127},{65536,100},{131072,163},{262144,77},
++};
++#define MMAP_NUM_ENTRIES (sizeof(mmap_table) / sizeof(*mmap_table))
+diff --git a/auparse/mounttabs.h b/auparse/mounttabs.h
+new file mode 100644
+index 0000000..ca66885
+--- /dev/null
++++ b/auparse/mounttabs.h
+@@ -0,0 +1,10 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char mount_strings[] = "MS_ACTIVE\0MS_BIND\0MS_BORN\0MS_DIRSYNC\0MS_I_VERSION\0MS_KERNMOUNT\0MS_MANDLOCK\0MS_MOVE\0MS_NOATIME\0MS_NODEV\0"
++ "MS_NODIRATIME\0MS_NOEXEC\0MS_NOSEC\0MS_NOSUID\0MS_NOUSER\0MS_POSIXACL\0MS_PRIVATE\0MS_RDONLY\0MS_REC\0MS_RELATIME\0"
++ "MS_REMOUNT\0MS_SHARED\0MS_SILENT\0MS_SLAVE\0MS_SNAP_STABLE\0MS_STRICTATIME\0MS_SYNCHRONOUS\0MS_UNBINDABLE";
++static const struct transtab mount_table[] = {
++ {1,179},{2,136},{4,94},{8,117},{16,278},{32,208},{64,63},{128,26},{1024,83},{2048,103},
++ {4096,10},{8192,75},{16384,189},{32768,229},{65536,156},{131072,293},{262144,168},{524288,239},{1048576,219},{2097152,196},
++ {4194304,50},{8388608,37},{16777216,263},{134217728,248},{268435456,127},{536870912,18},{1073741824,0},{-2147483648,146},
++};
++#define MOUNT_NUM_ENTRIES (sizeof(mount_table) / sizeof(*mount_table))
+diff --git a/auparse/nfprototabs.h b/auparse/nfprototabs.h
+new file mode 100644
+index 0000000..9bb2723
+--- /dev/null
++++ b/auparse/nfprototabs.h
+@@ -0,0 +1,9 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char nfproto_strings[] = "arp\0bridge\0decnet\0ipv4\0ipv6\0unspecified";
++static const unsigned nfproto_i2s_direct[] = {
++ 28,-1u,18,0,-1u,-1u,-1u,4,-1u,-1u,
++ 23,-1u,11,
++};
++static const char *nfproto_i2s(int v) {
++ return i2s_direct__(nfproto_strings, nfproto_i2s_direct, 0, 12, v);
++}
+diff --git a/auparse/open-flagtabs.h b/auparse/open-flagtabs.h
+new file mode 100644
+index 0000000..5e3c3eb
+--- /dev/null
++++ b/auparse/open-flagtabs.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char open_flag_strings[] = "O_APPEND\0O_ASYNC\0O_CLOEXEC\0O_CREAT\0O_DIRECT\0O_DIRECTORY\0O_DSYNC\0O_EXCL\0O_NOATIME\0O_NOCTTY\0"
++ "O_NOFOLLOW\0O_NONBLOCK\0O_PATH\0O_RDWR\0O_TRUNC\0O_WRONLY\0__O_SYNC";
++static const struct transtab open_flag_table[] = {
++ {1,134},{2,119},{64,27},{128,64},{256,81},{512,126},{1024,0},{2048,101},{4096,56},{8192,9},
++ {16384,35},{65536,44},{131072,90},{262144,71},{524288,17},{1048576,143},{2097152,112},
++};
++#define OPEN_FLAG_NUM_ENTRIES (sizeof(open_flag_table) / sizeof(*open_flag_table))
+diff --git a/auparse/persontabs.h b/auparse/persontabs.h
+new file mode 100644
+index 0000000..d099839
+--- /dev/null
++++ b/auparse/persontabs.h
+@@ -0,0 +1,17 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char person_strings[] = "PER_BSD\0PER_HPUX\0PER_IRIX32\0PER_IRIX64\0PER_IRIXN32\0PER_ISCR4\0PER_LINUX\0PER_LINUX32\0PER_LINUX32_3GB\0PER_LINUX_32BIT\0"
++ "PER_OSF4\0PER_OSR5\0PER_RISCOS\0PER_SCOSVR3\0PER_SOLARIS\0PER_SUNOS\0PER_SVR3\0PER_SVR4\0PER_UW7\0PER_WYSEV386\0"
++ "PER_XENIX";
++static const int person_i2s_i[] = {
++ 0,6,8,12,15,16,8388608,67108869,67108870,67108873,
++ 67108874,67108875,67108877,68157441,68157454,83886082,83886084,83886087,100663299,117440515,
++ 134217736,
++};
++static const unsigned person_i2s_s[] = {
++ 61,0,71,133,115,8,99,51,168,17,
++ 39,28,156,187,196,178,204,217,124,144,
++ 83,
++};
++static const char *person_i2s(int v) {
++ return i2s_bsearch__(person_strings, person_i2s_i, person_i2s_s, 21, v);
++}
+diff --git a/auparse/pktoptnametabs.h b/auparse/pktoptnametabs.h
+new file mode 100644
+index 0000000..4613372
+--- /dev/null
++++ b/auparse/pktoptnametabs.h
+@@ -0,0 +1,10 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char pktoptname_strings[] = "PACKET_ADD_MEMBERSHIP\0PACKET_AUXDATA\0PACKET_COPY_THRESH\0PACKET_DROP_MEMBERSHIP\0PACKET_FANOUT\0PACKET_HDRLEN\0PACKET_LOSS\0PACKET_ORIGDEV\0PACKET_RECV_OUTPUT\0PACKET_RESERVE\0"
++ "PACKET_RX_RING\0PACKET_STATISTICS\0PACKET_TIMESTAMP\0PACKET_TX_HAS_OFF\0PACKET_TX_RING\0PACKET_TX_TIMESTAMP\0PACKET_VERSION\0PACKET_VNET_HDR";
++static const unsigned pktoptname_i2s_direct[] = {
++ 0,56,134,-1u,168,183,37,22,119,271,
++ 93,153,236,107,286,251,201,79,218,
++};
++static const char *pktoptname_i2s(int v) {
++ return i2s_direct__(pktoptname_strings, pktoptname_i2s_direct, 1, 19, v);
++}
+diff --git a/auparse/prctl_opttabs.h b/auparse/prctl_opttabs.h
+new file mode 100644
+index 0000000..03707a8
+--- /dev/null
++++ b/auparse/prctl_opttabs.h
+@@ -0,0 +1,14 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char prctl_opt_strings[] = "PR_CAPBSET_DROP\0PR_CAPBSET_READ\0PR_GET_CHILD_SUBREAPER\0PR_GET_DUMPABLE\0PR_GET_ENDIAN\0PR_GET_FPEMU\0PR_GET_FPEXC\0PR_GET_KEEPCAPS\0PR_GET_NAME\0PR_GET_NO_NEW_PRIVS\0"
++ "PR_GET_PDEATHSIG\0PR_GET_SECCOMP\0PR_GET_SECUREBITS\0PR_GET_TID_ADDRESS\0PR_GET_TIMERSLACK\0PR_GET_TIMING\0PR_GET_TSC\0PR_GET_UNALIGN\0PR_MCE_KILL\0PR_MCE_KILL_GET\0"
++ "PR_SET_CHILD_SUBREAPER\0PR_SET_DUMPABLE\0PR_SET_ENDIAN\0PR_SET_FPEMU\0PR_SET_FPEXC\0PR_SET_KEEPCAPS\0PR_SET_MM\0PR_SET_NAME\0PR_SET_NO_NEW_PRIVS\0PR_SET_PDEATHSIG\0"
++ "PR_SET_SECCOMP\0PR_SET_SECUREBITS\0PR_SET_TIMERSLACK\0PR_SET_TIMING\0PR_SET_TSC\0PR_SET_UNALIGN\0PR_TASK_PERF_EVENTS_DISABLE\0PR_TASK_PERF_EVENTS_ENABLE";
++static const unsigned prctl_opt_i2s_direct[] = {
++ 451,159,55,337,271,544,111,393,85,367,
++ 98,380,246,519,419,127,-1u,-1u,71,353,
++ 176,468,16,0,260,533,191,483,501,228,
++ 559,587,286,298,409,314,32,431,139,209,
++};
++static const char *prctl_opt_i2s(int v) {
++ return i2s_direct__(prctl_opt_strings, prctl_opt_i2s_direct, 1, 40, v);
++}
+diff --git a/auparse/prottabs.h b/auparse/prottabs.h
+new file mode 100644
+index 0000000..1727f43
+--- /dev/null
++++ b/auparse/prottabs.h
+@@ -0,0 +1,6 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char prot_strings[] = "PROT_EXEC\0PROT_READ\0PROT_SEM\0PROT_WRITE";
++static const struct transtab prot_table[] = {
++ {1,10},{2,29},{4,0},{8,20},
++};
++#define PROT_NUM_ENTRIES (sizeof(prot_table) / sizeof(*prot_table))
+diff --git a/auparse/ptracetabs.h b/auparse/ptracetabs.h
+new file mode 100644
+index 0000000..6bbfc9b
+--- /dev/null
++++ b/auparse/ptracetabs.h
+@@ -0,0 +1,17 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ptrace_strings[] = "PTRACE_ATTACH\0PTRACE_CONT\0PTRACE_DETACH\0PTRACE_GETEVENTMSG\0PTRACE_GETFPREGS\0PTRACE_GETFPXREGS\0PTRACE_GETREGS\0PTRACE_GETREGSET\0PTRACE_GETSIGINFO\0PTRACE_INTERRUPT\0"
++ "PTRACE_KILL\0PTRACE_LISTEN\0PTRACE_PEEKDATA\0PTRACE_PEEKTEXT\0PTRACE_PEEKUSER\0PTRACE_POKEDATA\0PTRACE_POKETEXT\0PTRACE_POKEUSER\0PTRACE_SEIZE\0PTRACE_SETFPREGS\0"
++ "PTRACE_SETFPXREGS\0PTRACE_SETOPTIONS\0PTRACE_SETREGS\0PTRACE_SETREGSET\0PTRACE_SETSIGINFO\0PTRACE_SINGLESTEP\0PTRACE_SYSCALL\0PTRACE_TRACEME";
++static const int ptrace_i2s_i[] = {
++ 0,1,2,3,4,5,6,7,8,9,
++ 12,13,14,15,16,17,18,19,24,16896,
++ 16897,16898,16899,16900,16901,16902,16903,16904,
++};
++static const unsigned ptrace_i2s_s[] = {
++ 432,203,187,219,251,235,267,14,161,399,
++ 94,349,59,296,0,26,76,313,417,331,
++ 40,126,381,109,364,283,144,173,
++};
++static const char *ptrace_i2s(int v) {
++ return i2s_bsearch__(ptrace_strings, ptrace_i2s_i, ptrace_i2s_s, 28, v);
++}
+diff --git a/auparse/recvtabs.h b/auparse/recvtabs.h
+new file mode 100644
+index 0000000..9cab5a3
+--- /dev/null
++++ b/auparse/recvtabs.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char recv_strings[] = "MSG_CMSG_CLOEXEC\0MSG_CONFIRM\0MSG_CTRUNC\0MSG_DONTROUTE\0MSG_DONTWAIT\0MSG_EOR\0MSG_ERRQUEUE\0MSG_FASTOPEN\0MSG_FIN\0MSG_MORE\0"
++ "MSG_NOSIGNAL\0MSG_OOB\0MSG_PEEK\0MSG_PROXY\0MSG_RST\0MSG_SENDPAGE_NOTLAST\0MSG_SYN\0MSG_TRUNC\0MSG_WAITALL\0MSG_WAITFORONE";
++static const struct transtab recv_table[] = {
++ {1,131},{2,139},{4,40},{8,29},{16,148},{32,195},{64,54},{128,67},{256,205},{512,101},
++ {1024,187},{2048,17},{4096,158},{8192,75},{16384,118},{32768,109},{65536,217},{131072,166},{536870912,88},{1073741824,0},
++};
++#define RECV_NUM_ENTRIES (sizeof(recv_table) / sizeof(*recv_table))
+diff --git a/auparse/rlimittabs.h b/auparse/rlimittabs.h
+new file mode 100644
+index 0000000..364ad69
+--- /dev/null
++++ b/auparse/rlimittabs.h
+@@ -0,0 +1,10 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char rlimit_strings[] = "RLIMIT_AS\0RLIMIT_CORE\0RLIMIT_CPU\0RLIMIT_DATA\0RLIMIT_FSIZE\0RLIMIT_LOCKS\0RLIMIT_MEMLOCK\0RLIMIT_MSGQUEUE\0RLIMIT_NICE\0RLIMIT_NOFILE\0"
++ "RLIMIT_NPROC\0RLIMIT_RSS\0RLIMIT_RTPRIO\0RLIMIT_RTTIME\0RLIMIT_SIGPENDING\0RLIMIT_STACK";
++static const unsigned rlimit_i2s_direct[] = {
++ 22,45,33,198,10,141,128,114,71,0,
++ 58,180,86,102,152,166,
++};
++static const char *rlimit_i2s(int v) {
++ return i2s_direct__(rlimit_strings, rlimit_i2s_direct, 0, 15, v);
++}
+diff --git a/auparse/schedtabs.h b/auparse/schedtabs.h
+new file mode 100644
+index 0000000..875317f
+--- /dev/null
++++ b/auparse/schedtabs.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char sched_strings[] = "SCHED_BATCH\0SCHED_FIFO\0SCHED_IDLE\0SCHED_OTHER\0SCHED_RR";
++static const unsigned sched_i2s_direct[] = {
++ 34,12,46,0,-1u,23,
++};
++static const char *sched_i2s(int v) {
++ return i2s_direct__(sched_strings, sched_i2s_direct, 0, 5, v);
++}
+diff --git a/auparse/seccomptabs.h b/auparse/seccomptabs.h
+new file mode 100644
+index 0000000..5c6c911
+--- /dev/null
++++ b/auparse/seccomptabs.h
+@@ -0,0 +1,11 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char seccomp_strings[] = "allow\0errno\0kill\0trace\0trap";
++static const int seccomp_i2s_i[] = {
++ 0,196608,327680,2146435072,2147418112,
++};
++static const unsigned seccomp_i2s_s[] = {
++ 12,23,6,17,0,
++};
++static const char *seccomp_i2s(int v) {
++ return i2s_bsearch__(seccomp_strings, seccomp_i2s_i, seccomp_i2s_s, 5, v);
++}
+diff --git a/auparse/seektabs.h b/auparse/seektabs.h
+new file mode 100644
+index 0000000..0d0f542
+--- /dev/null
++++ b/auparse/seektabs.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char seek_strings[] = "SEEK_CUR\0SEEK_DATA\0SEEK_END\0SEEK_HOLE\0SEEK_SET";
++static const unsigned seek_i2s_direct[] = {
++ 38,0,19,9,28,
++};
++static const char *seek_i2s(int v) {
++ return i2s_direct__(seek_strings, seek_i2s_direct, 0, 4, v);
++}
+diff --git a/auparse/shm_modetabs.h b/auparse/shm_modetabs.h
+new file mode 100644
+index 0000000..ddd414d
+--- /dev/null
++++ b/auparse/shm_modetabs.h
+@@ -0,0 +1,6 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char shm_mode_strings[] = "SHM_DEST\0SHM_HUGETLB\0SHM_LOCKED\0SHM_NORESERVE";
++static const struct transtab shm_mode_table[] = {
++ {512,0},{1024,21},{2048,9},{4096,32},
++};
++#define SHM_MODE_NUM_ENTRIES (sizeof(shm_mode_table) / sizeof(*shm_mode_table))
+diff --git a/auparse/signaltabs.h b/auparse/signaltabs.h
+new file mode 100644
+index 0000000..91ce38e
+--- /dev/null
++++ b/auparse/signaltabs.h
+@@ -0,0 +1,14 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char signal_strings[] = "IGPWR\0SIG0\0SIGABRT\0SIGALRM\0SIGBUS\0SIGCHLD\0SIGCONT\0SIGFPE\0SIGHUP\0SIGILL\0"
++ "SIGINT\0SIGIO\0SIGKILL\0SIGPIPE\0SIGPROF\0SIGQUIT\0SIGSEGV\0SIGSTKFLT\0SIGSTOP\0SIGSYS\0"
++ "SIGTERM\0SIGTRAP\0SIGTSTP\0SIGTTIN\0SIGTTOU\0SIGURG\0SIGUSR1\0SIGUSR2\0SIGVTALRM\0SIGWINCH\0"
++ "SIGXCPU\0SIGXFSZ";
++static const unsigned signal_i2s_direct[] = {
++ 6,57,71,108,64,157,11,27,50,84,
++ 196,116,204,92,19,149,124,34,42,134,
++ 165,173,181,189,231,239,212,100,222,78,
++ 0,142,
++};
++static const char *signal_i2s(int v) {
++ return i2s_direct__(signal_strings, signal_i2s_direct, 0, 31, v);
++}
+diff --git a/auparse/sockleveltabs.h b/auparse/sockleveltabs.h
+new file mode 100644
+index 0000000..4473d8c
+--- /dev/null
++++ b/auparse/sockleveltabs.h
+@@ -0,0 +1,12 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char socklevel_strings[] = "SOL_AAL\0SOL_ALG\0SOL_ATALK\0SOL_ATM\0SOL_AX25\0SOL_BLUETOOTH\0SOL_CAIF\0SOL_DCCP\0SOL_DECNET\0SOL_IPX\0"
++ "SOL_IRDA\0SOL_IUCV\0SOL_LLC\0SOL_NETBEUI\0SOL_NETLINK\0SOL_NETROM\0SOL_PACKET\0SOL_PNPIPE\0SOL_PPPOL2TP\0SOL_RAW\0"
++ "SOL_RDS\0SOL_ROSE\0SOL_RXRPC\0SOL_TIPC";
++static const unsigned socklevel_i2s_direct[] = {
++ 190,86,34,16,144,206,75,-1u,155,26,
++ 0,94,120,112,66,132,225,215,177,43,
++ 166,198,103,57,8,
++};
++static const char *socklevel_i2s(int v) {
++ return i2s_direct__(socklevel_strings, socklevel_i2s_direct, 255, 279, v);
++}
+diff --git a/auparse/sockoptnametabs.h b/auparse/sockoptnametabs.h
+new file mode 100644
+index 0000000..831a030
+--- /dev/null
++++ b/auparse/sockoptnametabs.h
+@@ -0,0 +1,23 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char sockoptname_strings[] = "SO_ACCEPTCONN\0SO_ATTACH_FILTER\0SO_BINDTODEVICE\0SO_BROADCAST\0SO_BSDCOMPAT\0SO_DEBUG\0SO_DETACH_FILTER\0SO_DOMAIN\0SO_DONTROUTE\0SO_ERROR\0"
++ "SO_KEEPALIVE\0SO_LINGER\0SO_LOCK_FILTER\0SO_MARK\0SO_NOFCS\0SO_NO_CHECK\0SO_OOBINLINE\0SO_PASSCRED\0SO_PASSCRED\0SO_PASSSEC\0"
++ "SO_PEEK_OFF\0SO_PEERCRED\0SO_PEERCRED\0SO_PEERNAME\0SO_PEERSEC\0SO_PRIORITY\0SO_PROTOCOL\0SO_RCVBUF\0SO_RCVBUFFORCE\0SO_RCVLOWAT\0"
++ "SO_RCVLOWAT\0SO_RCVTIMEO\0SO_RCVTIMEO\0SO_REUSEADDR\0SO_REUSEPORT\0SO_RXQ_OVFL\0SO_SECURITY_AUTHENTICATION\0SO_SECURITY_ENCRYPTION_NETWORK\0SO_SECURITY_ENCRYPTION_TRANSPORT\0SO_SNDBUF\0"
++ "SO_SNDBUFFORCE\0SO_SNDLOWAT\0SO_SNDLOWAT\0SO_SNDTIMEO\0SO_SNDTIMEO\0SO_TIMESTAMP\0SO_TIMESTAMPING\0SO_TIMESTAMPNS\0SO_TYPE\0SO_WIFI_STATUS";
++static const int sockoptname_i2s_i[] = {
++ 1,2,3,4,5,6,7,8,9,10,
++ 11,12,13,14,15,16,17,18,19,20,
++ 21,22,23,24,25,26,27,28,29,30,
++ 31,32,33,34,35,36,37,38,39,40,
++ 41,42,43,44,116,117,118,119,120,121,
++};
++static const unsigned sockoptname_i2s_s[] = {
++ 73,402,648,122,109,47,531,329,131,198,
++ 186,305,144,60,415,211,258,354,556,378,
++ 580,440,498,467,31,14,82,282,604,0,
++ 294,541,339,235,633,169,617,317,99,428,
++ 656,246,177,154,366,568,390,592,223,270,
++};
++static const char *sockoptname_i2s(int v) {
++ return i2s_bsearch__(sockoptname_strings, sockoptname_i2s_i, sockoptname_i2s_s, 50, v);
++}
+diff --git a/auparse/socktabs.h b/auparse/socktabs.h
+new file mode 100644
+index 0000000..66a8235
+--- /dev/null
++++ b/auparse/socktabs.h
+@@ -0,0 +1,10 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char sock_strings[] = "accept\0accept4\0bind\0connect\0getpeername\0getsockname\0getsockopt\0listen\0recv\0recvfrom\0"
++ "recvmmsg\0recvmsg\0send\0sendmmsg\0sendmsg\0sendto\0setsockopt\0shutdown\0socket\0socketpair";
++static const unsigned sock_i2s_direct[] = {
++ 150,15,20,63,0,40,28,157,101,70,
++ 123,75,141,130,52,115,93,7,84,106,
++};
++static const char *sock_i2s(int v) {
++ return i2s_direct__(sock_strings, sock_i2s_direct, 1, 20, v);
++}
+diff --git a/auparse/socktypetabs.h b/auparse/socktypetabs.h
+new file mode 100644
+index 0000000..05e8d36
+--- /dev/null
++++ b/auparse/socktypetabs.h
+@@ -0,0 +1,8 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char sock_type_strings[] = "SOCK_DCCP\0SOCK_DGRAM\0SOCK_PACKET\0SOCK_RAW\0SOCK_RDM\0SOCK_SEQPACKET\0SOCK_STREAM";
++static const unsigned sock_type_i2s_direct[] = {
++ 66,10,33,42,51,0,-1u,-1u,-1u,21,
++};
++static const char *sock_type_i2s(int v) {
++ return i2s_direct__(sock_type_strings, sock_type_i2s_direct, 1, 10, v);
++}
+diff --git a/auparse/tcpoptnametabs.h b/auparse/tcpoptnametabs.h
+new file mode 100644
+index 0000000..061db3f
+--- /dev/null
++++ b/auparse/tcpoptnametabs.h
+@@ -0,0 +1,12 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char tcpoptname_strings[] = "TCP_CONGESTION\0TCP_COOKIE_TRANSACTIONS\0TCP_CORK\0TCP_DEFER_ACCEPT\0TCP_FASTOPEN\0TCP_INFO\0TCP_KEEPCNT\0TCP_KEEPIDLE\0TCP_KEEPINTVL\0TCP_LINGER2\0"
++ "TCP_MAXSEG\0TCP_MD5SIG\0TCP_NODELAY\0TCP_QUEUE_SEQ\0TCP_QUICKACK\0TCP_REPAIR\0TCP_REPAIR_OPTIONS\0TCP_REPAIR_QUEUE\0TCP_SYNCNT\0TCP_THIN_DUPACK\0"
++ "TCP_THIN_LINEAR_TIMEOUTS\0TCP_TIMESTAMP\0TCP_USER_TIMEOUT\0TCP_WINDOW_CLAMP";
++static const unsigned tcpoptname_i2s_direct[] = {
++ 160,138,39,99,112,87,246,126,48,329,
++ 78,186,0,149,15,273,257,312,199,229,
++ 172,210,65,298,
++};
++static const char *tcpoptname_i2s(int v) {
++ return i2s_direct__(tcpoptname_strings, tcpoptname_i2s_direct, 1, 24, v);
++}
+diff --git a/auparse/typetabs.h b/auparse/typetabs.h
+new file mode 100644
+index 0000000..a99d398
+--- /dev/null
++++ b/auparse/typetabs.h
+@@ -0,0 +1,35 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char type_strings[] = "a0\0a1\0a2\0a3\0acct\0addr\0arch\0auid\0cap_fi\0cap_fp\0"
++ "cap_pe\0cap_pi\0cap_pp\0capability\0cgroup\0cmd\0code\0comm\0cwd\0data\0"
++ "device\0dir\0egid\0euid\0exe\0exit\0family\0fe\0fi\0file\0"
++ "flags\0fp\0fsgid\0fsuid\0gid\0icmptype\0id\0igid\0inode_gid\0inode_uid\0"
++ "iuid\0key\0list\0mode\0name\0new-disk\0new-fs\0new-rng\0new_gid\0new_pe\0"
++ "new_pi\0new_pp\0oauid\0obj_gid\0obj_uid\0ocomm\0oflag\0ogid\0old-disk\0old-fs\0"
++ "old-rng\0old_pe\0old_pi\0old_pp\0old_prom\0ouid\0path\0per\0perm\0perm_mask\0"
++ "prom\0proto\0res\0result\0saddr\0sauid\0ses\0sgid\0sig\0sigev_signo\0"
++ "suid\0syscall\0uid\0vm\0watch";
++static const unsigned type_s2i_s[] = {
++ 0,3,6,9,12,17,22,27,32,39,
++ 46,53,60,67,78,85,89,94,99,103,
++ 108,115,119,124,129,133,138,145,148,151,
++ 156,162,165,171,177,181,190,193,198,208,
++ 218,223,227,232,237,242,251,258,266,274,
++ 281,288,295,301,309,317,323,329,334,343,
++ 350,358,365,372,379,388,393,398,402,407,
++ 417,422,428,432,439,445,451,455,460,464,
++ 476,481,489,493,496,
++};
++static const int type_s2i_i[] = {
++ 14,15,16,17,6,26,4,1,22,22,
++ 22,22,22,12,6,6,28,6,6,20,
++ 6,6,2,1,6,5,23,22,22,6,
++ 30,22,2,1,2,24,1,2,2,1,
++ 1,6,19,8,6,6,6,6,2,22,
++ 22,22,1,2,1,6,29,2,6,6,
++ 6,22,22,22,11,1,6,27,7,7,
++ 11,25,13,13,9,1,21,2,18,18,
++ 1,3,1,6,6,
++};
++static int type_s2i(const char *s, int *value) {
++ return s2i__(type_strings, type_s2i_s, type_s2i_i, 85, s, value);
++}
+diff --git a/auparse/umounttabs.h b/auparse/umounttabs.h
+new file mode 100644
+index 0000000..e98118f
+--- /dev/null
++++ b/auparse/umounttabs.h
+@@ -0,0 +1,6 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char umount_strings[] = "MNT_DETACH\0MNT_EXPIRE\0MNT_FORCE\0UMOUNT_NOFOLLOW\0UMOUNT_UNUSED";
++static const struct transtab umount_table[] = {
++ {1,22},{2,0},{4,11},{8,32},{-2147483647,48},
++};
++#define UMOUNT_NUM_ENTRIES (sizeof(umount_table) / sizeof(*umount_table))
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index 5e9f966..5a7d12b 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -50,109 +50,3 @@ endif
+ if USE_AARCH64
+ BUILT_SOURCES += aarch64_tables.h
+ endif
+-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
+- gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+- gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
+- gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
+- gen_s390x_tables_h gen_x86_64_tables_h
+-if USE_ALPHA
+-noinst_PROGRAMS += gen_alpha_tables_h
+-endif
+-if USE_ARMEB
+-noinst_PROGRAMS += gen_armeb_tables_h
+-endif
+-if USE_AARCH64
+-noinst_PROGRAMS += gen_aarch64_tables_h
+-endif
+-gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h
+-gen_actiontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="actiontab.h"'
+-actiontabs.h: gen_actiontabs_h Makefile
+- ./gen_actiontabs_h --lowercase --i2s --s2i action > $@
+-
+-if USE_ALPHA
+-gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h
+-gen_alpha_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="alpha_table.h"'
+-alpha_tables.h: gen_alpha_tables_h Makefile
+- ./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@
+-endif
+-
+-if USE_ARMEB
+-gen_armeb_tables_h_SOURCES = gen_tables.c gen_tables.h armeb_table.h
+-gen_armeb_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="armeb_table.h"'
+-armeb_tables.h: gen_armeb_tables_h Makefile
+- ./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
+-endif
+-
+-if USE_AARCH64
+-gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h
+-gen_aarch64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="aarch64_table.h"'
+-aarch64_tables.h: gen_aarch64_tables_h Makefile
+- ./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@
+-endif
+-
+-gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
+-gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
+-errtabs.h: gen_errtabs_h Makefile
+- ./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@
+-
+-gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h
+-gen_fieldtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fieldtab.h"'
+-fieldtabs.h: gen_fieldtabs_h Makefile
+- ./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@
+-
+-gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="flagtab.h"'
+-flagtabs.h: gen_flagtabs_h Makefile
+- ./gen_flagtabs_h --lowercase --i2s --s2i flag > $@
+-
+-gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h
+-gen_ftypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ftypetab.h"'
+-ftypetabs.h: gen_ftypetabs_h Makefile
+- ./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@
+-
+-gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h
+-gen_i386_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="i386_table.h"'
+-i386_tables.h: gen_i386_tables_h Makefile
+- ./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
+- i386_syscall > $@
+-
+-gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h
+-gen_ia64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ia64_table.h"'
+-ia64_tables.h: gen_ia64_tables_h Makefile
+- ./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@
+-
+-gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h
+-gen_machinetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="machinetab.h"'
+-machinetabs.h: gen_machinetabs_h Makefile
+- ./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
+- > $@
+-
+-gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h
+-gen_msg_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="msg_typetab.h"'
+-msg_typetabs.h: gen_msg_typetabs_h Makefile
+- ./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@
+-
+-gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h
+-gen_optabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="optab.h"'
+-optabs.h: gen_optabs_h Makefile
+- ./gen_optabs_h --i2s op > $@
+-
+-gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h
+-gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ppc_table.h"'
+-ppc_tables.h: gen_ppc_tables_h Makefile
+- ./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
+-
+-gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
+-gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
+-s390_tables.h: gen_s390_tables_h Makefile
+- ./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@
+-
+-gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h
+-gen_s390x_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390x_table.h"'
+-s390x_tables.h: gen_s390x_tables_h Makefile
+- ./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@
+-
+-gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h
+-gen_x86_64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="x86_64_table.h"'
+-x86_64_tables.h: gen_x86_64_tables_h Makefile
+- ./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@
+diff --git a/lib/aarch64_tables.h b/lib/aarch64_tables.h
+new file mode 100644
+index 0000000..571d6ee
+--- /dev/null
++++ b/lib/aarch64_tables.h
+@@ -0,0 +1,125 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char aarch64_syscall_strings[] = "accept\0accept4\0acct\0add_key\0adjtimex\0bind\0brk\0capget\0capset\0chdir\0"
++ "chroot\0clock_adjtime\0clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0connect\0delete_module\0"
++ "dup\0dup3\0epoll_create1\0epoll_ctl\0epoll_pwait\0eventfd2\0execve\0exit\0exit_group\0faccessat\0"
++ "fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fdatasync\0fgetxattr\0"
++ "finit_module\0flistxattr\0flock\0fremovexattr\0fsetxattr\0fsync\0futex\0get_mempolicy\0get_robust_list\0getcpu\0"
++ "getcwd\0getdents64\0getegid\0geteuid\0getgid\0getgroups\0getitimer\0getpeername\0getpgid\0getpid\0"
++ "getppid\0getpriority\0getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0gettid\0"
++ "gettimeofday\0getuid\0getxattr\0init_module\0inotify_add_watch\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0"
++ "io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0kcmp\0kexec_load\0keyctl\0kill\0lgetxattr\0"
++ "linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0lsetxattr\0madvise\0mbind\0migrate_pages\0"
++ "mincore\0mkdirat\0mknodat\0mlock\0mlockall\0mount\0move_pages\0mprotect\0mq_getsetattr\0mq_notify\0"
++ "mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0"
++ "munlock\0munlockall\0munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0open_by_handle_at\0openat\0perf_event_open\0personality\0"
++ "pipe2\0pivot_root\0ppoll\0prctl\0pread64\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0pselect6\0"
++ "ptrace\0pwrite64\0pwritev\0quotactl\0read\0readahead\0readlinkat\0readv\0reboot\0recvfrom\0"
++ "recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0renameat\0request_key\0restart_syscall\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0"
++ "rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0"
++ "sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0sched_yield\0semctl\0semget\0semop\0semtimedop\0sendmmsg\0"
++ "sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0"
++ "sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0"
++ "setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0shmat\0shmctl\0shmdt\0shmget\0shutdown\0"
++ "sigaltstack\0signalfd4\0socket\0socketpair\0splice\0swapoff\0swapon\0symlinkat\0sync\0sync_file_range\0"
++ "syncfs\0sysinfo\0syslog\0tee\0tgkill\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0"
++ "timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0tkill\0umask\0umount2\0uname\0unlinkat\0unshare\0"
++ "utimensat\0vhangup\0vmsplice\0wait4\0waitid\0write\0writev";
++static const unsigned aarch64_syscall_s2i_s[] = {
++ 0,7,15,20,28,37,42,46,53,60,
++ 66,73,87,100,114,130,144,150,156,164,
++ 178,182,187,201,211,223,232,239,244,255,
++ 265,275,289,303,310,317,326,333,342,352,
++ 362,375,386,392,405,415,421,427,441,457,
++ 464,471,482,490,498,505,515,525,537,545,
++ 552,560,572,582,592,602,612,619,631,642,
++ 649,662,669,678,690,708,722,739,749,760,
++ 773,782,792,798,809,820,825,836,843,848,
++ 858,865,872,882,893,908,921,931,939,945,
++ 959,967,975,983,989,998,1004,1015,1024,1038,
++ 1048,1056,1072,1085,1095,1102,1109,1116,1123,1130,
++ 1136,1144,1155,1162,1180,1190,1201,1219,1226,1242,
++ 1254,1260,1271,1277,1283,1291,1298,1308,1325,1343,
++ 1352,1359,1368,1376,1385,1390,1400,1411,1417,1424,
++ 1433,1442,1450,1467,1479,1488,1500,1516,1529,1543,
++ 1558,1574,1587,1601,1617,1635,1658,1681,1699,1714,
++ 1733,1755,1773,1788,1807,1819,1826,1833,1839,1850,
++ 1859,1867,1874,1888,1904,1920,1934,1943,1952,1959,
++ 1969,1981,1991,1997,2005,2017,2026,2036,2046,2055,
++ 2065,2072,2083,2096,2103,2112,2118,2125,2131,2138,
++ 2147,2159,2169,2176,2187,2194,2202,2209,2219,2224,
++ 2240,2247,2255,2262,2266,2273,2286,2299,2316,2330,
++ 2344,2359,2375,2391,2397,2403,2409,2417,2423,2432,
++ 2440,2450,2458,2467,2473,2480,2486,
++};
++static const int aarch64_syscall_s2i_i[] = {
++ 202,242,89,217,171,200,214,90,91,49,
++ 51,266,114,113,115,112,220,57,203,106,
++ 23,24,20,21,22,19,221,93,94,48,
++ 47,262,263,50,52,53,55,54,83,10,
++ 273,13,32,16,7,82,98,236,100,168,
++ 17,61,177,175,176,158,102,205,155,172,
++ 173,141,150,148,163,165,156,204,209,178,
++ 169,174,8,105,27,26,28,3,1,4,
++ 0,2,29,31,30,272,104,219,129,9,
++ 37,201,11,12,18,15,6,233,235,238,
++ 232,34,33,228,230,40,239,226,185,184,
++ 180,183,182,181,216,187,186,188,189,227,
++ 229,231,215,264,101,42,265,56,241,92,
++ 59,41,73,167,67,69,261,270,271,72,
++ 117,68,70,60,63,213,78,65,142,207,
++ 243,212,234,14,38,218,128,134,136,135,
++ 138,139,133,137,240,125,126,123,121,120,
++ 127,122,118,119,124,191,190,193,192,269,
++ 211,206,237,99,96,162,152,151,144,159,
++ 161,103,268,154,140,143,149,147,145,164,
++ 157,208,170,146,5,196,195,197,194,210,
++ 132,74,198,199,76,225,224,36,81,84,
++ 267,179,116,77,131,107,111,109,108,110,
++ 85,87,86,153,130,166,39,160,35,97,
++ 88,58,75,260,95,64,66,
++};
++static int aarch64_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(aarch64_syscall_strings, aarch64_syscall_s2i_s, aarch64_syscall_s2i_i, 247, copy, value);
++ }
++}
++static const unsigned aarch64_syscall_i2s_direct[] = {
++ 773,749,782,739,760,2103,921,405,669,848,
++ 352,872,882,375,1467,908,392,464,893,223,
++ 187,201,211,178,182,-1u,708,690,722,792,
++ 809,798,386,975,967,2423,2209,858,1479,2409,
++ 998,1260,1190,-1u,-1u,-1u,-1u,265,255,60,
++ 303,66,310,317,333,326,1219,150,2450,1254,
++ 1376,471,-1u,1385,2480,1411,2486,1283,1359,1291,
++ 1368,-1u,1343,1271,2159,2458,2187,2262,1400,-1u,
++ -1u,2219,415,342,2224,2344,2375,2359,2440,15,
++ 46,53,1242,239,244,2473,1904,2432,421,1888,
++ 441,1180,515,1981,825,678,164,2273,2316,2299,
++ 2330,2286,130,100,87,114,2255,1352,1773,1788,
++ 1714,1699,1755,1681,1807,1635,1658,1733,1500,843,
++ 2397,2266,2147,1587,1516,1543,1529,1601,1558,1574,
++ 2005,560,1417,2017,1952,2046,2096,2036,582,2026,
++ 572,1943,1934,2391,1997,537,612,2065,505,1959,
++ 2417,1969,1920,592,2055,602,2403,1277,457,649,
++ 2083,28,545,552,662,490,498,482,642,2247,
++ 1048,1085,1072,1056,1038,1024,1109,1102,1116,1123,
++ 1826,1819,1839,1833,2131,2118,2112,2125,2169,2176,
++ 37,865,0,156,619,525,1867,1424,2072,631,
++ 2138,1859,1442,1390,42,1155,1095,20,1488,836,
++ 144,232,-1u,-1u,2202,2194,1015,1130,983,1136,
++ 989,1144,959,931,1450,939,427,1874,945,1004,
++ 1617,1226,7,1433,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ 2467,1298,275,289,1162,1201,73,2240,1991,1850,
++ 1308,1325,820,362,
++};
++static const char *aarch64_syscall_i2s(int v) {
++ return i2s_direct__(aarch64_syscall_strings, aarch64_syscall_i2s_direct, 0, 273, v);
++}
+diff --git a/lib/actiontabs.h b/lib/actiontabs.h
+new file mode 100644
+index 0000000..a7a9e62
+--- /dev/null
++++ b/lib/actiontabs.h
+@@ -0,0 +1,26 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char action_strings[] = "always\0never\0possible";
++static const unsigned action_s2i_s[] = {
++ 0,7,13,
++};
++static const int action_s2i_i[] = {
++ 2,0,1,
++};
++static int action_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(action_strings, action_s2i_s, action_s2i_i, 3, copy, value);
++ }
++}
++static const unsigned action_i2s_direct[] = {
++ 7,13,0,
++};
++static const char *action_i2s(int v) {
++ return i2s_direct__(action_strings, action_i2s_direct, 0, 2, v);
++}
+diff --git a/lib/alpha_tables.h b/lib/alpha_tables.h
+new file mode 100644
+index 0000000..b57e54c
+--- /dev/null
++++ b/lib/alpha_tables.h
+@@ -0,0 +1,196 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char alpha_syscall_strings[] = "_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0bdflush\0bind\0"
++ "brk\0capget\0capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clone\0close\0"
++ "connect\0create_module\0delete_module\0dipc\0dup\0dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0"
++ "epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0exec_with_loader\0execve\0exit\0exit_group\0faccessat\0fadvise64\0"
++ "fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fdatasync\0"
++ "fgetxattr\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat64\0fstatfs\0"
++ "fsync\0ftruncate\0futex\0futimesat\0get_kernel_syms\0get_mempolicy\0get_robust_list\0getcpu\0getcwd\0getdents\0"
++ "getdents64\0getdtablesize\0getgroups\0gethostname\0getitimer\0getpagesize\0getpeername\0getpgid\0getpgrp\0getpriority\0"
++ "getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0gettid\0gettimeofday\0getxattr\0"
++ "getxgid\0getxpid\0getxuid\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0"
++ "io_getevents\0io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0kexec_load\0keyctl\0kill\0lchown\0"
++ "lgetxattr\0link\0linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0"
++ "lstat\0lstat64\0madvise\0mbind\0migrate_pages\0mincore\0mkdir\0mkdirat\0mknod\0mknodat\0"
++ "mlock\0mlockall\0mmap\0mount\0move_pages\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0"
++ "mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0munlock\0munlockall\0"
++ "munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0old_adjtimex\0oldumount\0open\0open_by_handle_at\0openat\0osf_adjtime\0"
++ "osf_afs_syscall\0osf_alt_plock\0osf_alt_setsid\0osf_alt_sigpending\0osf_asynch_daemon\0osf_audcntl\0osf_audgen\0osf_chflags\0osf_execve\0osf_exportfs\0"
++ "osf_fchflags\0osf_fdatasync\0osf_fpathconf\0osf_fstatfs\0osf_fuser\0osf_getaddressconf\0osf_getdirentries\0osf_getdomainname\0osf_getfh\0osf_getfsstat\0"
++ "osf_gethostid\0osf_getitimer\0osf_getlogin\0osf_getmnt\0osf_getrusage\0osf_getsysinfo\0osf_gettimeofday\0osf_kloadcall\0osf_kmodcall\0osf_memcntl\0"
++ "osf_mincore\0osf_mount\0osf_mremap\0osf_msfs_syscall\0osf_msleep\0osf_mvalid\0osf_mwakeup\0osf_naccept\0osf_nfssvc\0osf_ngetpeername\0"
++ "osf_ngetsockname\0osf_nrecvfrom\0osf_nrecvmsg\0osf_nsendmsg\0osf_ntp_adjtime\0osf_ntp_gettime\0osf_old_creat\0osf_old_fstat\0osf_old_getpgrp\0osf_old_killpg\0"
++ "osf_old_lstat\0osf_old_open\0osf_old_sigaction\0osf_old_sigblock\0osf_old_sigreturn\0osf_old_sigsetmask\0osf_old_sigvec\0osf_old_stat\0osf_old_vadvise\0osf_old_vtrace\0"
++ "osf_old_wait\0osf_oldquota\0osf_pathconf\0osf_pid_block\0osf_pid_unblock\0osf_plock\0osf_priocntlset\0osf_profil\0osf_proplist_syscall\0osf_reboot\0"
++ "osf_revoke\0osf_sbrk\0osf_security\0osf_select\0osf_set_program_attributes\0osf_set_speculative\0osf_sethostid\0osf_setitimer\0osf_setlogin\0osf_setsysinfo\0"
++ "osf_settimeofday\0osf_shmat\0osf_signal\0osf_sigprocmask\0osf_sigsendset\0osf_sigstack\0osf_sigwaitprim\0osf_sstk\0osf_statfs\0osf_subsys_info\0"
++ "osf_swapctl\0osf_swapon\0osf_syscall\0osf_sysinfo\0osf_table\0osf_uadmin\0osf_usleep_thread\0osf_uswitch\0osf_utc_adjtime\0osf_utc_gettime\0"
++ "osf_utimes\0osf_utsname\0osf_wait4\0osf_waitid\0pciconfig_iobase\0pciconfig_read\0pciconfig_write\0perf_event_open\0personality\0pipe\0"
++ "pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0"
++ "pselect6\0ptrace\0pwrite\0pwritev\0query_module\0quotactl\0read\0readahead\0readlink\0readlinkat\0"
++ "readv\0reboot\0recv\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0rename\0renameat\0"
++ "request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0"
++ "rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0"
++ "sched_yield\0select\0semctl\0semget\0semop\0send\0sendfile\0sendmmsg\0sendmsg\0sendto\0"
++ "set_mempolicy\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0sethae\0sethostname\0"
++ "setitimer\0setns\0setpgid\0setpgrp\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0"
++ "setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0shmctl\0shmdt\0shmget\0shutdown\0sigaction\0"
++ "sigaltstack\0signalfd\0signalfd4\0sigpending\0sigreturn\0sigsuspend\0socket\0socketpair\0splice\0stat\0"
++ "stat64\0statfs\0swapoff\0swapon\0symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0"
++ "sysinfo\0syslog\0tee\0tgkill\0timerfd\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0tkill\0"
++ "truncate\0tuxcall\0umask\0umount\0uname\0unlink\0unlinkat\0unshare\0uselib\0ustat\0"
++ "utimensat\0utimes\0vfork\0vhangup\0vmsplice\0vserver\0wait4\0waitid\0write\0writev";
++static const unsigned alpha_syscall_s2i_s[] = {
++ 0,8,15,23,30,35,43,52,64,72,
++ 77,81,88,95,101,107,113,120,134,140,
++ 146,154,168,182,187,191,196,201,214,228,
++ 238,250,261,269,278,295,302,307,318,328,
++ 338,348,362,376,383,390,399,406,415,421,
++ 431,441,452,458,463,476,486,492,500,510,
++ 518,524,534,540,550,566,580,596,603,610,
++ 619,630,644,654,666,676,688,700,708,716,
++ 728,738,748,758,768,775,787,798,805,818,
++ 827,835,843,851,863,881,894,908,925,935,
++ 946,959,968,978,984,995,1006,1017,1024,1029,
++ 1036,1046,1051,1058,1065,1075,1086,1101,1114,1120,
++ 1130,1136,1144,1152,1158,1172,1180,1186,1194,1200,
++ 1208,1214,1223,1228,1234,1245,1254,1268,1278,1286,
++ 1302,1315,1325,1332,1339,1346,1353,1360,1366,1374,
++ 1385,1392,1410,1420,1431,1444,1454,1459,1477,1484,
++ 1496,1512,1526,1541,1560,1578,1590,1601,1613,1624,
++ 1637,1650,1664,1678,1690,1700,1719,1737,1755,1765,
++ 1779,1793,1807,1820,1831,1845,1860,1877,1891,1904,
++ 1916,1928,1938,1949,1966,1977,1988,2000,2012,2023,
++ 2040,2057,2071,2084,2097,2113,2129,2143,2157,2173,
++ 2188,2202,2215,2233,2250,2268,2287,2302,2315,2331,
++ 2346,2359,2372,2385,2399,2415,2425,2441,2452,2473,
++ 2484,2495,2504,2517,2528,2555,2575,2589,2603,2616,
++ 2631,2648,2658,2669,2685,2700,2713,2729,2738,2749,
++ 2765,2777,2788,2800,2812,2822,2833,2851,2863,2879,
++ 2895,2906,2918,2928,2939,2956,2971,2987,3003,3015,
++ 3020,3026,3037,3042,3048,3054,3060,3067,3077,3094,
++ 3112,3121,3128,3135,3143,3156,3165,3170,3180,3189,
++ 3200,3206,3213,3218,3227,3236,3244,3261,3273,3280,
++ 3289,3301,3317,3323,3336,3350,3365,3381,3394,3408,
++ 3424,3442,3465,3488,3506,3521,3540,3562,3580,3595,
++ 3614,3626,3633,3640,3647,3653,3658,3667,3676,3684,
++ 3691,3705,3721,3737,3751,3760,3769,3776,3786,3793,
++ 3805,3815,3821,3829,3837,3849,3858,3868,3878,3887,
++ 3897,3904,3915,3928,3935,3944,3951,3957,3964,3973,
++ 3983,3995,4004,4014,4025,4035,4046,4053,4064,4071,
++ 4076,4083,4090,4098,4105,4113,4123,4128,4144,4151,
++ 4157,4165,4172,4176,4183,4191,4206,4222,4238,4244,
++ 4250,4259,4267,4273,4280,4286,4293,4302,4310,4317,
++ 4323,4333,4340,4346,4354,4363,4371,4377,4384,4390,
++};
++static const int alpha_syscall_s2i_i[] = {
++ 319,99,502,33,51,439,366,338,300,104,
++ 17,368,369,12,15,16,61,499,312,6,
++ 98,306,308,373,41,90,487,407,486,408,
++ 474,409,478,485,25,59,1,405,462,413,
++ 480,494,495,13,124,461,123,453,92,447,
++ 387,390,131,2,393,384,91,427,455,329,
++ 95,130,394,454,309,430,467,473,367,305,
++ 377,89,79,87,361,64,141,233,63,100,
++ 372,344,144,364,234,150,118,378,359,385,
++ 47,20,24,307,445,444,489,446,402,399,
++ 400,398,401,54,443,442,448,441,37,208,
++ 386,9,458,106,388,389,406,392,19,383,
++ 68,426,75,429,449,375,136,451,14,452,
++ 314,316,71,302,472,74,437,436,432,435,
++ 434,433,341,200,201,202,203,217,315,317,
++ 73,497,340,342,303,321,45,498,450,140,
++ 258,181,188,187,163,252,253,34,11,169,
++ 35,261,248,161,243,214,159,165,164,18,
++ 142,86,49,184,117,256,116,223,77,260,
++ 78,21,65,240,215,213,216,30,158,31,
++ 32,29,27,28,245,246,8,62,81,146,
++ 40,5,46,109,139,110,108,38,72,115,
++ 84,149,247,153,154,107,237,44,244,55,
++ 56,69,222,93,43,239,143,83,50,257,
++ 122,209,218,48,238,112,157,70,160,255,
++ 259,199,0,241,85,242,251,250,220,219,
++ 138,207,7,236,376,345,346,493,324,42,
++ 488,374,94,464,348,349,490,496,504,505,
++ 463,26,350,491,347,148,3,379,58,460,
++ 120,311,102,125,479,113,410,391,128,457,
++ 440,412,137,352,354,353,356,351,357,355,
++ 492,335,336,396,331,333,337,395,330,332,
++ 334,358,204,205,206,101,370,503,114,133,
++ 431,466,411,166,326,325,132,80,301,88,
++ 362,501,39,82,96,127,371,343,126,145,
++ 147,105,360,23,382,210,211,212,134,156,
++ 235,476,484,52,103,111,97,135,468,67,
++ 425,328,304,322,57,459,36,469,500,254,
++ 318,310,470,424,477,481,483,482,323,381,
++ 129,397,60,22,339,10,456,465,313,327,
++ 475,363,66,76,471,428,365,438,4,121,
++};
++static int alpha_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(alpha_syscall_strings, alpha_syscall_s2i_s, alpha_syscall_s2i_i, 410, copy, value);
++ }
++}
++static const unsigned alpha_syscall_i2s_direct[] = {
++ 2788,302,458,3165,4384,2202,140,2918,2129,1046,
++ 4286,1613,95,376,1194,101,107,77,1765,1114,
++ 835,1928,4273,3928,843,278,3121,2071,2084,2057,
++ 2000,2023,2040,23,1601,1637,4123,1024,2302,3821,
++ 2188,187,3015,2528,2441,1454,2215,827,2669,1807,
++ 2603,30,4014,-1u,978,2473,2484,4105,3180,295,
++ 4267,113,2143,708,676,1938,4340,4071,1130,2495,
++ 2729,1223,2315,1385,1245,1144,4346,1891,1916,644,
++ 3776,2157,3829,2589,2346,2812,1793,654,3793,630,
++ 191,486,415,2517,3037,518,3837,4046,146,8,
++ 716,3653,3213,4025,72,3904,1058,2415,2287,2233,
++ 2268,4035,2700,3236,3676,2331,1860,1831,787,-1u,
++ 3200,4390,2631,399,383,3218,3878,3849,3273,4250,
++ 524,452,3769,3684,3964,4053,1180,3317,2895,2250,
++ 1484,688,1779,2575,748,3887,2173,3897,3156,2359,
++ 775,-1u,-1u,2385,2399,-1u,3973,2713,2012,1719,
++ 2738,1678,-1u,1560,1755,1737,3737,-1u,-1u,1624,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,1512,-1u,-1u,1820,-1u,-1u,1541,1526,-1u,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,2777,
++ 1332,1339,1346,1353,3633,3640,3647,2906,1029,2648,
++ 3944,3951,3957,1977,1700,1966,1988,1360,2658,2879,
++ 2863,-1u,2504,1877,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,700,768,3983,2928,2425,2685,2555,
++ 1949,2800,2822,1690,2452,2097,2113,2372,1664,-1u,
++ 2851,2833,1578,1590,4151,2749,1845,2616,1496,2765,
++ 1904,1650,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,-1u,
++ 64,3786,1228,1431,4090,610,154,851,168,550,
++ 4165,3206,134,4310,1208,1366,1214,1374,4157,0,
++ -1u,1444,4098,4238,3003,3760,3751,4317,4083,510,
++ 3580,3506,3595,3521,3614,3442,3465,3540,52,4280,
++ 1410,1325,1420,3868,738,2956,2971,3143,3048,3054,
++ 3128,3381,3323,3350,3336,3408,3365,3394,3626,805,
++ 3915,666,3805,4333,758,4371,43,603,81,88,
++ 3658,3858,728,182,3026,1172,2939,619,798,3170,
++ -1u,4244,3935,1120,476,818,1036,431,1065,1075,
++ 441,3261,1101,463,534,3562,3488,4259,959,935,
++ 946,968,925,-1u,-1u,307,1086,201,228,250,
++ 3244,3721,3301,328,-1u,-1u,-1u,-1u,-1u,-1u,
++ -1u,-1u,-1u,-1u,4176,4076,1136,492,4363,1152,
++ 566,3691,1278,1315,1302,1286,1268,1254,4377,35,
++ 3289,1017,995,984,881,863,908,421,1006,1158,
++ 1477,1186,1200,406,540,500,4293,3280,1051,4113,
++ 3189,390,318,3112,3042,4302,3705,580,4064,4128,
++ 4172,4354,1234,596,238,4323,3995,4183,261,3227,
++ 338,4191,4222,4206,4004,269,214,196,3020,894,
++ 3060,3135,3424,2987,348,362,3067,1392,1459,120,
++ 4144,3815,15,3667,3077,3094,
++};
++static const char *alpha_syscall_i2s(int v) {
++ return i2s_direct__(alpha_syscall_strings, alpha_syscall_i2s_direct, 0, 505, v);
++}
+diff --git a/lib/armeb_tables.h b/lib/armeb_tables.h
+new file mode 100644
+index 0000000..dd2bf5f
+--- /dev/null
++++ b/lib/armeb_tables.h
+@@ -0,0 +1,165 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char armeb_syscall_strings[] = "accept\0accept4\0access\0acct\0add_key\0adjtimex\0alarm\0bdflush\0bind\0brk\0"
++ "capget\0capset\0chdir\0chmod\0chown\0chown32\0chroot\0clock_adjtime\0clock_getres\0clock_gettime\0"
++ "clock_nanosleep\0clock_settime\0clone\0close\0connect\0creat\0delete_module\0dup\0dup2\0dup3\0"
++ "epoll_create\0epoll_create1\0epoll_ctl\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0exit_group\0faccessat\0"
++ "fadvise64_64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchown32\0fchownat\0"
++ "fcntl\0fcntl64\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0"
++ "fstat\0fstat64\0fstatat64\0fstatfs\0fstatfs64\0fsync\0ftruncate\0ftruncate64\0futex\0futimesat\0"
++ "get_mempolicy\0get_robust_list\0getcpu\0getcwd\0getdents\0getdents64\0getegid\0getegid32\0geteuid\0geteuid32\0"
++ "getgid\0getgid32\0getgroups\0getgroups32\0getitimer\0getpeername\0getpgid\0getpgrp\0getpid\0getppid\0"
++ "getpriority\0getresgid\0getresgid32\0getresuid\0getresuid32\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0"
++ "gettid\0gettimeofday\0getuid\0getuid32\0getxattr\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0"
++ "io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0"
++ "kexec_load\0keyctl\0kill\0lchown\0lchown32\0lgetxattr\0link\0linkat\0listen\0listxattr\0"
++ "llistxattr\0llseek\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0lstat\0lstat64\0madvise\0mbind\0"
++ "mincore\0mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mmap2\0mount\0"
++ "move_pages\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msgctl\0"
++ "msgget\0msgrcv\0msgsnd\0msync\0munlock\0munlockall\0munmap\0name_to_handle_at\0nanosleep\0newselect\0"
++ "nfsservctl\0nice\0open\0open_by_handle_at\0openat\0pause\0pciconfig_iobase\0pciconfig_read\0pciconfig_write\0perf_event_open\0"
++ "personality\0pipe\0pipe2\0pivot_root\0poll\0prctl\0pread64\0preadv\0prlimit64\0process_vm_readv\0"
++ "process_vm_writev\0ptrace\0pwrite64\0pwritev\0quotactl\0read\0readahead\0readdir\0readlink\0readlinkat\0"
++ "readv\0reboot\0recv\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0rename\0renameat\0"
++ "request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0"
++ "rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0"
++ "sched_yield\0select\0semctl\0semget\0semop\0semtimedop\0send\0sendfile\0sendfile64\0sendmmsg\0"
++ "sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsgid32\0setfsuid\0setfsuid32\0"
++ "setgid\0setgid32\0setgroups\0setgroups32\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0"
++ "setregid32\0setresgid\0setresgid32\0setresuid\0setresuid32\0setreuid\0setreuid32\0setrlimit\0setsid\0setsockopt\0"
++ "settimeofday\0setuid\0setuid32\0setxattr\0shmat\0shmctl\0shmdt\0shmget\0shutdown\0sigaction\0"
++ "sigaltstack\0signalfd\0signalfd4\0sigpending\0sigprocmask\0sigreturn\0sigsuspend\0socket\0socketcall\0socketpair\0"
++ "splice\0stat\0stat64\0statfs\0statfs64\0stime\0swapoff\0swapon\0symlink\0symlinkat\0"
++ "sync\0sync_file_range\0syncfs\0syscall\0sysctl\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0"
++ "time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0"
++ "tkill\0truncate\0truncate64\0ugetrlimit\0umask\0umount\0umount2\0uname\0unlink\0unlinkat\0"
++ "unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vmsplice\0vserver\0"
++ "wait4\0waitid\0write\0writev";
++static const unsigned armeb_syscall_s2i_s[] = {
++ 0,7,15,22,27,35,44,50,58,63,
++ 67,74,81,87,93,99,107,114,128,141,
++ 155,171,185,191,197,205,211,225,229,234,
++ 239,252,266,276,287,295,304,311,316,327,
++ 337,350,360,374,388,395,402,411,418,427,
++ 436,442,450,460,470,483,494,500,505,518,
++ 528,534,542,552,560,570,576,586,598,604,
++ 614,628,644,651,658,667,678,686,696,704,
++ 714,721,730,740,752,762,774,782,790,797,
++ 805,817,827,839,849,861,871,881,888,900,
++ 911,918,931,938,947,956,968,986,999,1013,
++ 1030,1040,1051,1064,1073,1083,1089,1100,1111,1115,
++ 1120,1131,1138,1143,1150,1159,1169,1174,1181,1188,
++ 1198,1209,1216,1231,1244,1250,1260,1266,1274,1282,
++ 1288,1296,1302,1310,1316,1324,1330,1339,1344,1350,
++ 1356,1367,1376,1390,1400,1408,1424,1437,1447,1454,
++ 1461,1468,1475,1482,1488,1496,1507,1514,1532,1542,
++ 1552,1563,1568,1573,1591,1598,1604,1621,1636,1652,
++ 1668,1680,1685,1691,1702,1707,1713,1721,1728,1738,
++ 1755,1773,1780,1789,1797,1806,1811,1821,1829,1838,
++ 1849,1855,1862,1867,1876,1885,1893,1910,1922,1929,
++ 1938,1950,1966,1972,1985,1999,2014,2030,2043,2057,
++ 2073,2091,2114,2137,2155,2170,2189,2211,2229,2244,
++ 2263,2275,2282,2289,2296,2302,2313,2318,2327,2338,
++ 2347,2355,2362,2376,2392,2408,2422,2431,2442,2451,
++ 2462,2469,2478,2488,2500,2512,2522,2528,2536,2548,
++ 2557,2568,2578,2590,2600,2612,2621,2632,2642,2649,
++ 2660,2673,2680,2689,2698,2704,2711,2717,2724,2733,
++ 2743,2755,2764,2774,2785,2797,2807,2818,2825,2836,
++ 2847,2854,2859,2866,2873,2882,2888,2896,2903,2911,
++ 2921,2926,2942,2949,2957,2964,2970,2978,2985,2989,
++ 2996,3001,3014,3027,3044,3058,3072,3087,3103,3119,
++ 3125,3131,3140,3151,3162,3168,3175,3183,3189,3196,
++ 3205,3213,3220,3226,3232,3242,3249,3255,3263,3272,
++ 3280,3286,3293,3299,
++};
++static const int armeb_syscall_s2i_i[] = {
++ 285,366,33,51,309,124,27,134,282,45,
++ 184,185,12,15,182,212,61,372,264,263,
++ 265,262,120,6,283,8,129,41,63,358,
++ 250,357,251,252,351,356,11,1,248,334,
++ 270,352,367,368,133,94,333,95,207,325,
++ 55,221,148,231,379,234,143,2,237,228,
++ 108,197,327,100,267,118,93,194,240,326,
++ 320,339,345,183,141,217,50,202,49,201,
++ 47,200,80,205,105,287,132,65,20,64,
++ 96,171,211,165,209,76,77,147,286,295,
++ 224,78,24,199,229,128,317,316,360,318,
++ 247,244,245,243,246,54,315,314,117,378,
++ 347,311,37,16,198,230,9,330,284,232,
++ 233,140,249,236,19,227,107,196,220,319,
++ 219,39,323,14,324,150,152,90,192,21,
++ 344,125,279,278,274,277,276,275,163,304,
++ 303,302,301,144,151,153,91,370,162,142,
++ 169,34,5,371,322,29,271,272,273,364,
++ 136,42,359,218,168,172,180,361,369,376,
++ 377,26,181,362,131,3,225,89,85,332,
++ 145,88,291,292,365,297,253,235,38,329,
++ 310,0,40,174,176,175,178,173,179,177,
++ 363,159,160,242,155,157,161,241,154,156,
++ 158,82,300,299,298,312,289,187,239,374,
++ 296,290,321,338,256,121,139,216,138,215,
++ 46,214,81,206,74,104,375,57,97,71,
++ 204,170,210,164,208,70,203,75,66,294,
++ 79,23,213,226,305,308,306,307,293,67,
++ 186,349,355,73,126,119,72,281,102,288,
++ 340,106,195,99,266,25,115,87,83,331,
++ 36,341,373,113,149,135,116,103,342,268,
++ 13,257,261,260,259,258,350,354,353,43,
++ 238,92,193,191,60,22,52,122,10,328,
++ 337,86,62,30,348,269,190,111,343,313,
++ 114,280,4,146,
++};
++static int armeb_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(armeb_syscall_strings, armeb_syscall_s2i_s, armeb_syscall_s2i_i, 344, copy, value);
++ }
++}
++static const unsigned armeb_syscall_i2s_direct[] = {
++ 1950,311,500,1806,3293,1568,191,-1u,205,1169,
++ 3189,304,81,2996,1310,87,1143,-1u,-1u,1244,
++ 790,1350,3168,2673,931,2882,1773,44,-1u,1598,
++ 3226,-1u,-1u,15,1563,-1u,2921,1138,1922,1296,
++ 1966,225,1680,3119,-1u,63,2462,714,-1u,696,
++ 678,22,3175,-1u,1083,436,-1u,2528,-1u,-1u,
++ 3162,107,3220,229,797,782,2642,2733,-1u,-1u,
++ 2612,2548,2807,2774,2500,2632,861,871,918,2660,
++ 730,2478,2275,2903,-1u,1829,3213,2896,1855,1821,
++ 1339,1507,3131,576,395,411,805,2536,-1u,2866,
++ 552,-1u,2825,2978,2512,752,2854,1260,528,-1u,
++ -1u,3255,-1u,2949,3280,2888,2970,1111,570,2797,
++ 185,2408,3183,-1u,35,1367,2785,-1u,956,211,
++ -1u,1797,774,388,50,2964,1668,-1u,2442,2422,
++ 1209,658,1542,494,1482,1849,3299,881,450,2957,
++ 1324,1488,1330,1496,2229,2155,2244,2170,2263,2091,
++ 2114,2189,1532,1447,2590,839,-1u,-1u,1702,1552,
++ 2568,817,1707,2030,1972,1999,1985,2057,2014,2043,
++ 1713,1780,93,651,67,74,2743,2318,-1u,-1u,
++ 3249,3151,1344,3140,586,2859,1266,534,1150,938,
++ 721,704,686,2621,2557,740,2488,418,2600,849,
++ 2578,827,99,2680,2469,2451,2431,667,1691,1288,
++ 1274,442,-1u,-1u,911,1811,2689,1250,518,947,
++ 1159,460,1188,1198,483,1910,1231,505,3125,2327,
++ 598,2211,2137,1064,1040,1051,1073,1030,316,1216,
++ 239,266,276,1893,-1u,-1u,2392,3001,3058,3044,
++ 3027,3014,171,141,128,155,2873,560,2989,3242,
++ 337,1604,1621,1636,1400,1437,1424,1408,1390,1376,
++ 3286,2818,58,197,1181,0,888,762,2836,2313,
++ 2355,1862,1867,2724,2649,900,2347,1885,2296,2289,
++ 2282,1475,1468,1461,1454,2698,2711,2717,2704,27,
++ 1938,1131,2302,3272,1100,1089,986,968,1013,1282,
++ 614,2362,1591,1302,1316,427,604,542,3196,1929,
++ 1174,2911,1838,402,327,-1u,-1u,3205,2376,628,
++ 2847,2926,2985,3263,1356,644,-1u,1120,3232,2755,
++ 3072,287,350,3103,3087,2764,295,252,234,1685,
++ 999,1721,1789,2073,1652,1876,7,360,374,1728,
++ 1514,1573,114,2942,2338,2522,1738,1755,1115,470,
++};
++static const char *armeb_syscall_i2s(int v) {
++ return i2s_direct__(armeb_syscall_strings, armeb_syscall_i2s_direct, 0, 379, v);
++}
+diff --git a/lib/errtabs.h b/lib/errtabs.h
+new file mode 100644
+index 0000000..53deac2
+--- /dev/null
++++ b/lib/errtabs.h
+@@ -0,0 +1,78 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char err_strings[] = "E2BIG\0EACCES\0EADDRINUSE\0EADDRNOTAVAIL\0EADV\0EAFNOSUPPORT\0EAGAIN\0EALREADY\0EBADE\0EBADF\0"
++ "EBADFD\0EBADMSG\0EBADR\0EBADRQC\0EBADSLT\0EBFONT\0EBUSY\0ECANCELED\0ECHILD\0ECHRNG\0"
++ "ECOMM\0ECONNABORTED\0ECONNREFUSED\0ECONNRESET\0EDEADLK\0EDEADLOCK\0EDESTADDRREQ\0EDOM\0EDOTDOT\0EDQUOT\0"
++ "EEXIST\0EFAULT\0EFBIG\0EHOSTDOWN\0EHOSTUNREACH\0EIDRM\0EILSEQ\0EINPROGRESS\0EINTR\0EINVAL\0"
++ "EIO\0EISCONN\0EISDIR\0EISNAM\0EKEYEXPIRED\0EKEYREJECTED\0EKEYREVOKED\0EL2HLT\0EL2NSYNC\0EL3HLT\0"
++ "EL3RST\0ELIBACC\0ELIBBAD\0ELIBEXEC\0ELIBMAX\0ELIBSCN\0ELNRNG\0ELOOP\0EMEDIUMTYPE\0EMFILE\0"
++ "EMLINK\0EMSGSIZE\0EMULTIHOP\0ENAMETOOLONG\0ENAVAIL\0ENETDOWN\0ENETRESET\0ENETUNREACH\0ENFILE\0ENOANO\0"
++ "ENOBUFS\0ENOCSI\0ENODATA\0ENODEV\0ENOENT\0ENOEXEC\0ENOKEY\0ENOLCK\0ENOLINK\0ENOMEDIUM\0"
++ "ENOMEM\0ENOMSG\0ENONET\0ENOPKG\0ENOPROTOOPT\0ENOSPC\0ENOSR\0ENOSTR\0ENOSYS\0ENOTBLK\0"
++ "ENOTCONN\0ENOTDIR\0ENOTEMPTY\0ENOTNAM\0ENOTRECOVERABLE\0ENOTSOCK\0ENOTTY\0ENOTUNIQ\0ENXIO\0EOPNOTSUPP\0"
++ "EOVERFLOW\0EOWNERDEAD\0EPERM\0EPFNOSUPPORT\0EPIPE\0EPROTO\0EPROTONOSUPPORT\0EPROTOTYPE\0ERANGE\0EREMCHG\0"
++ "EREMOTE\0EREMOTEIO\0ERESTART\0EROFS\0ESHUTDOWN\0ESOCKTNOSUPPORT\0ESPIPE\0ESRCH\0ESRMNT\0ESTALE\0"
++ "ESTRPIPE\0ETIME\0ETIMEDOUT\0ETOOMANYREFS\0ETXTBSY\0EUCLEAN\0EUNATCH\0EUSERS\0EWOULDBLOCK\0EXDEV\0"
++ "EXFULL";
++static const unsigned err_s2i_s[] = {
++ 0,6,13,24,38,43,56,63,72,78,
++ 84,91,99,105,113,121,128,134,144,151,
++ 158,164,177,190,201,209,219,232,237,245,
++ 252,259,266,272,282,295,301,308,320,326,
++ 333,337,345,352,359,371,384,396,403,412,
++ 419,426,434,442,451,459,467,474,480,492,
++ 499,506,515,525,538,546,555,565,577,584,
++ 591,599,606,614,621,628,636,643,650,658,
++ 668,675,682,689,696,708,715,721,728,735,
++ 743,752,760,770,778,794,803,810,819,825,
++ 836,846,857,863,876,882,889,905,916,923,
++ 931,939,949,958,964,974,990,997,1003,1010,
++ 1017,1026,1032,1042,1055,1063,1071,1079,1086,1098,
++ 1104,
++};
++static const int err_s2i_i[] = {
++ 7,13,98,99,68,97,11,114,52,9,
++ 77,74,53,56,57,59,16,125,10,44,
++ 70,103,111,104,35,35,89,33,73,122,
++ 17,14,27,112,113,43,84,115,4,22,
++ 5,106,21,120,127,129,128,51,45,46,
++ 47,79,80,83,82,81,48,40,124,24,
++ 31,90,72,36,119,100,102,101,23,55,
++ 105,50,61,19,2,8,126,37,67,123,
++ 12,42,64,65,92,28,63,60,38,15,
++ 107,20,39,118,131,88,25,76,6,95,
++ 75,130,1,96,32,71,93,91,34,78,
++ 66,121,85,30,108,94,29,3,69,116,
++ 86,62,110,109,26,117,49,87,11,18,
++ 54,
++};
++static int err_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c;
++ }
++ copy[i] = 0;
++ return s2i__(err_strings, err_s2i_s, err_s2i_i, 131, copy, value);
++ }
++}
++static const unsigned err_i2s_direct[] = {
++ 857,621,997,320,333,819,0,628,78,144,
++ 56,668,6,259,735,128,252,1098,614,752,
++ 345,326,577,492,803,1055,266,708,990,958,
++ 499,876,232,916,201,525,643,728,760,474,
++ -1u,675,295,151,403,412,419,467,1071,599,
++ 396,72,99,1104,584,105,113,-1u,121,721,
++ 606,1026,715,682,689,931,650,38,1003,158,
++ 882,515,237,91,836,810,84,923,426,434,
++ 459,451,442,301,949,1017,1079,794,219,506,
++ 905,696,889,974,825,863,43,13,24,546,
++ 565,555,164,190,591,337,743,964,1042,1032,
++ 177,272,282,63,308,1010,1063,770,538,352,
++ 939,245,658,480,134,636,359,384,371,846,
++ 778,
++};
++static const char *err_i2s(int v) {
++ return i2s_direct__(err_strings, err_i2s_direct, 1, 131, v);
++}
+diff --git a/lib/fieldtabs.h b/lib/fieldtabs.h
+new file mode 100644
+index 0000000..fb50e08
+--- /dev/null
++++ b/lib/fieldtabs.h
+@@ -0,0 +1,49 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char field_strings[] = "a0\0a1\0a2\0a3\0arch\0auid\0devmajor\0devminor\0dir\0egid\0"
++ "euid\0exit\0field_compare\0filetype\0fsgid\0fsuid\0gid\0inode\0key\0loginuid\0"
++ "msgtype\0obj_gid\0obj_lev_high\0obj_lev_low\0obj_role\0obj_type\0obj_uid\0obj_user\0path\0perm\0"
++ "pers\0pid\0ppid\0sgid\0subj_clr\0subj_role\0subj_sen\0subj_type\0subj_user\0success\0"
++ "suid\0uid";
++static const unsigned field_s2i_s[] = {
++ 0,3,6,9,12,17,22,31,40,44,
++ 49,54,59,73,82,88,94,98,104,108,
++ 117,125,133,146,158,167,176,184,193,198,
++ 203,208,212,217,222,231,241,250,260,270,
++ 278,283,
++};
++static const int field_s2i_i[] = {
++ 200,201,202,203,11,9,100,101,107,6,
++ 2,103,111,108,8,4,5,102,210,9,
++ 12,110,23,22,20,21,109,19,105,106,
++ 10,0,18,7,17,14,16,15,13,104,
++ 3,1,
++};
++static int field_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(field_strings, field_s2i_s, field_s2i_i, 42, copy, value);
++ }
++}
++static const int field_i2s_i[] = {
++ 0,1,2,3,4,5,6,7,8,9,
++ 10,11,12,13,14,15,16,17,18,19,
++ 20,21,22,23,100,101,102,103,104,105,
++ 106,107,108,109,110,111,200,201,202,203,
++ 210,
++};
++static const unsigned field_i2s_s[] = {
++ 208,283,49,278,88,94,44,217,82,17,
++ 203,12,117,260,231,250,241,222,212,184,
++ 158,167,146,133,22,31,98,54,270,193,
++ 198,40,73,176,125,59,0,3,6,9,
++ 104,
++};
++static const char *field_i2s(int v) {
++ return i2s_bsearch__(field_strings, field_i2s_i, field_i2s_s, 41, v);
++}
+diff --git a/lib/flagtabs.h b/lib/flagtabs.h
+new file mode 100644
+index 0000000..e191db3
+--- /dev/null
++++ b/lib/flagtabs.h
+@@ -0,0 +1,26 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char flag_strings[] = "entry\0exclude\0exit\0task\0user";
++static const unsigned flag_s2i_s[] = {
++ 0,6,14,19,24,
++};
++static const int flag_s2i_i[] = {
++ 2,5,4,1,0,
++};
++static int flag_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(flag_strings, flag_s2i_s, flag_s2i_i, 5, copy, value);
++ }
++}
++static const unsigned flag_i2s_direct[] = {
++ 24,19,0,-1u,14,6,
++};
++static const char *flag_i2s(int v) {
++ return i2s_direct__(flag_strings, flag_i2s_direct, 0, 5, v);
++}
+diff --git a/lib/ftypetabs.h b/lib/ftypetabs.h
+new file mode 100644
+index 0000000..04aaa46
+--- /dev/null
++++ b/lib/ftypetabs.h
+@@ -0,0 +1,29 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ftype_strings[] = "block\0character\0dir\0fifo\0file\0link\0socket";
++static const unsigned ftype_s2i_s[] = {
++ 0,6,16,20,25,30,35,
++};
++static const int ftype_s2i_i[] = {
++ 24576,8192,16384,4096,32768,40960,49152,
++};
++static int ftype_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(ftype_strings, ftype_s2i_s, ftype_s2i_i, 7, copy, value);
++ }
++}
++static const int ftype_i2s_i[] = {
++ 4096,8192,16384,24576,32768,40960,49152,
++};
++static const unsigned ftype_i2s_s[] = {
++ 20,6,16,0,25,30,35,
++};
++static const char *ftype_i2s(int v) {
++ return i2s_bsearch__(ftype_strings, ftype_i2s_i, ftype_i2s_s, 7, v);
++}
+diff --git a/lib/i386_tables.h b/lib/i386_tables.h
+new file mode 100644
+index 0000000..6703ffc
+--- /dev/null
++++ b/lib/i386_tables.h
+@@ -0,0 +1,163 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char i386_syscall_strings[] = "_llseek\0_newselect\0_sysctl\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0bdflush\0"
++ "break\0brk\0capget\0capset\0chdir\0chmod\0chown\0chown32\0chroot\0clock_adjtime\0"
++ "clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0creat\0create_module\0delete_module\0dup\0"
++ "dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0"
++ "exit\0exit_group\0faccessat\0fadvise64\0fadvise64_64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0"
++ "fchmodat\0fchown\0fchown32\0fchownat\0fcntl\0fcntl64\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0"
++ "flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat64\0fstatfs\0fstatfs64\0fsync\0"
++ "ftime\0ftruncate\0ftruncate64\0futex\0futimesat\0get_kernel_syms\0get_mempolicy\0get_robust_list\0get_thread_area\0getcpu\0"
++ "getcwd\0getdents\0getdents64\0getegid\0getegid32\0geteuid\0geteuid32\0getgid\0getgid32\0getgroups\0"
++ "getgroups32\0getitimer\0getpgid\0getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0getresgid\0getresgid32\0"
++ "getresuid\0getresuid32\0getrlimit\0getrusage\0getsid\0gettid\0gettimeofday\0getuid\0getuid32\0getxattr\0"
++ "gtty\0idle\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0"
++ "io_setup\0io_submit\0ioctl\0ioperm\0iopl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0keyctl\0"
++ "kill\0lchown\0lchown32\0lgetxattr\0link\0linkat\0listxattr\0llistxattr\0lock\0lookup_dcookie\0"
++ "lremovexattr\0lseek\0lsetxattr\0lstat\0lstat64\0madvise\0madvise1\0mbind\0migrate_pages\0mincore\0"
++ "mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mmap2\0modify_ldt\0mount\0"
++ "move_pages\0mprotect\0mpx\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0"
++ "msync\0munlock\0munlockall\0munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0nice\0oldfstat\0oldlstat\0"
++ "oldolduname\0oldstat\0olduname\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0personality\0pipe\0"
++ "pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread64\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0"
++ "prof\0profil\0pselect6\0ptrace\0putpmsg\0pwrite64\0pwritev\0query_module\0quotactl\0read\0"
++ "readahead\0readdir\0readlink\0readlinkat\0readv\0reboot\0recvmmsg\0remap_file_pages\0removexattr\0rename\0"
++ "renameat\0request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0"
++ "rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0"
++ "sched_setscheduler\0sched_yield\0select\0sendfile\0sendfile64\0sendmmsg\0set_mempolicy\0set_robust_list\0set_thread_area\0set_tid_address\0"
++ "setdomainname\0setfsgid\0setfsgid32\0setfsuid\0setfsuid32\0setgid\0setgid32\0setgroups\0setgroups32\0sethostname\0"
++ "setitimer\0setns\0setpgid\0setpriority\0setregid\0setregid32\0setresgid\0setresgid32\0setresuid\0setresuid32\0"
++ "setreuid\0setreuid32\0setrlimit\0setsid\0settimeofday\0setuid\0setuid32\0setxattr\0sgetmask\0sigaction\0"
++ "sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0sigprocmask\0sigreturn\0sigsuspend\0socketcall\0splice\0"
++ "ssetmask\0stat\0stat64\0statfs\0statfs64\0stime\0stty\0swapoff\0swapon\0symlink\0"
++ "symlinkat\0sync\0sync_file_range\0syncfs\0sys_kexec_load\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0"
++ "time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_gettime\0timerfd_settime\0times\0"
++ "tkill\0truncate\0truncate64\0ugetrlimit\0ulimit\0umask\0umount\0umount2\0uname\0unlink\0"
++ "unlinkat\0unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vm86\0"
++ "vm86old\0vmsplice\0vserver\0wait4\0waitid\0waitpid\0write\0writev";
++static const unsigned i386_syscall_s2i_s[] = {
++ 0,8,19,27,34,39,47,56,68,74,
++ 82,88,92,99,106,112,118,124,132,139,
++ 153,166,180,196,210,216,222,228,242,256,
++ 260,265,270,283,297,307,319,330,338,347,
++ 354,359,370,380,390,403,413,427,441,448,
++ 455,464,471,480,489,495,503,513,523,536,
++ 547,553,558,571,581,587,595,605,613,623,
++ 629,635,645,657,663,673,689,703,719,735,
++ 742,749,758,769,777,787,795,805,812,821,
++ 831,843,853,861,869,876,884,892,904,914,
++ 926,936,948,958,968,975,982,995,1002,1011,
++ 1020,1025,1030,1042,1060,1073,1087,1104,1114,1125,
++ 1138,1147,1157,1163,1170,1175,1186,1197,1201,1206,
++ 1213,1218,1225,1234,1244,1249,1256,1266,1277,1282,
++ 1297,1310,1316,1326,1332,1340,1348,1357,1363,1377,
++ 1385,1391,1399,1405,1413,1419,1428,1433,1439,1450,
++ 1456,1467,1476,1480,1494,1504,1512,1528,1541,1551,
++ 1558,1564,1572,1583,1590,1608,1618,1629,1634,1643,
++ 1652,1664,1672,1681,1686,1704,1711,1717,1733,1745,
++ 1750,1756,1767,1772,1778,1784,1792,1799,1809,1826,
++ 1844,1849,1856,1865,1872,1880,1889,1897,1910,1919,
++ 1924,1934,1942,1951,1962,1968,1975,1984,2001,2013,
++ 2020,2029,2041,2057,2063,2076,2090,2105,2121,2134,
++ 2148,2164,2182,2205,2228,2246,2261,2280,2302,2320,
++ 2335,2354,2366,2373,2382,2393,2402,2416,2432,2448,
++ 2464,2478,2487,2498,2507,2518,2525,2534,2544,2556,
++ 2568,2578,2584,2592,2604,2613,2624,2634,2646,2656,
++ 2668,2677,2688,2698,2705,2718,2725,2734,2743,2752,
++ 2762,2774,2781,2790,2800,2811,2823,2833,2844,2855,
++ 2862,2871,2876,2883,2890,2899,2905,2910,2918,2925,
++ 2933,2943,2948,2964,2971,2986,2992,3000,3007,3011,
++ 3018,3023,3036,3049,3066,3080,3094,3102,3118,3134,
++ 3140,3146,3155,3166,3177,3184,3190,3197,3205,3211,
++ 3218,3227,3235,3242,3248,3254,3264,3271,3277,3285,
++ 3290,3298,3307,3315,3321,3328,3336,3342,
++};
++static const int i386_syscall_s2i_i[] = {
++ 140,142,149,33,51,286,124,137,27,134,
++ 17,45,184,185,12,15,182,212,61,343,
++ 266,265,267,264,120,6,8,127,129,41,
++ 63,330,254,329,255,319,256,323,328,11,
++ 1,252,307,250,272,324,338,339,133,94,
++ 306,95,207,298,55,221,148,231,350,234,
++ 143,2,237,228,108,197,300,100,269,118,
++ 35,93,194,240,299,130,275,312,244,318,
++ 183,141,220,50,202,49,201,47,200,80,
++ 205,105,132,65,20,188,64,96,171,211,
++ 165,209,76,77,147,224,78,24,199,229,
++ 32,112,128,292,291,332,293,249,246,247,
++ 245,248,54,101,110,290,289,117,349,288,
++ 37,16,198,230,9,303,232,233,53,253,
++ 236,19,227,107,196,219,219,274,294,218,
++ 39,296,14,297,150,152,90,192,123,21,
++ 317,125,56,282,281,277,280,279,278,163,
++ 144,151,153,91,341,162,169,34,28,84,
++ 59,18,109,5,342,295,29,336,136,42,
++ 331,217,168,309,172,180,333,340,347,348,
++ 44,98,308,26,189,181,334,167,131,3,
++ 225,89,85,305,145,88,337,257,235,38,
++ 302,287,0,40,174,176,175,178,173,179,
++ 177,335,159,160,242,155,157,161,241,154,
++ 156,158,82,187,239,345,276,311,243,258,
++ 121,139,216,138,215,46,214,81,206,74,
++ 104,346,57,97,71,204,170,210,164,208,
++ 70,203,75,66,79,23,213,226,68,67,
++ 186,48,321,327,73,126,119,72,102,313,
++ 69,106,195,99,268,25,31,115,87,83,
++ 304,36,314,344,283,135,116,103,315,270,
++ 13,259,263,262,261,260,322,326,325,43,
++ 238,92,193,191,58,60,22,52,122,10,
++ 301,310,86,62,30,320,271,190,111,166,
++ 113,316,273,114,284,7,4,146,
++};
++static int i386_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(i386_syscall_strings, i386_syscall_s2i_s, i386_syscall_s2i_i, 348, copy, value);
++ }
++}
++static const unsigned i386_syscall_i2s_direct[] = {
++ 2041,354,553,1919,3336,1681,216,3328,222,1244,
++ 3211,347,106,3018,1399,112,1218,82,1664,1310,
++ 869,1450,3190,2718,995,2899,1865,68,1634,1711,
++ 3248,2905,1020,27,1629,629,2943,1213,2013,1385,
++ 2057,256,1745,3134,1844,88,2518,805,2774,787,
++ 769,34,3197,1277,1157,489,1476,2584,3177,1652,
++ 3184,132,3242,260,884,861,2698,2752,2743,2862,
++ 2668,2604,2833,2800,2556,2688,948,958,982,2705,
++ 821,2534,2366,2925,1643,1942,3235,2918,1968,1934,
++ 1428,1583,3146,635,448,464,892,2592,1849,2883,
++ 605,1163,2844,3000,2568,843,2871,1326,581,1672,
++ 1170,3277,1025,3290,3315,2910,2992,1197,623,2823,
++ 210,2464,3205,1439,47,1467,2811,228,1030,242,
++ 673,1910,853,441,74,2986,1733,56,2498,2478,
++ 0,749,8,547,1558,1962,3342,968,503,19,
++ 1413,1564,1419,1572,2320,2246,2335,2261,2354,2182,
++ 2205,2280,1608,1551,2646,926,3285,1897,1767,1618,
++ 2624,904,1778,2121,2063,2090,2076,2148,2105,2134,
++ 1784,1880,118,742,92,99,2762,2373,876,1872,
++ 3271,3166,1433,3155,645,2876,1332,587,1225,1002,
++ 812,795,777,2677,2613,831,2544,471,2656,936,
++ 2634,914,124,2725,2525,2507,2487,1756,1377,1340,
++ 758,495,-1u,-1u,975,1924,2734,1316,571,1011,
++ 1234,513,1256,1266,536,2001,1297,558,3140,2382,
++ 657,2302,2228,2432,719,1138,1114,1125,1147,1104,
++ 380,-1u,359,1282,270,297,319,1984,2448,3023,
++ 3080,3066,3049,3036,196,166,153,180,2890,613,
++ 3011,3264,390,3307,1357,689,2402,1504,1541,1528,
++ 1512,1494,1480,2971,3321,-1u,39,2029,1206,1186,
++ 1175,1060,1042,1087,1363,1704,1391,1405,480,663,
++ 595,3218,2020,1249,2933,1951,455,370,1856,1772,
++ 3227,2416,703,2855,2948,3007,3298,1456,735,307,
++ 3254,2781,3094,330,403,3118,3102,2790,338,283,
++ 265,1750,1073,1792,1889,2164,1717,1975,413,427,
++ 1799,1590,1686,139,2964,2393,2578,1809,1826,1201,
++ 523,
++};
++static const char *i386_syscall_i2s(int v) {
++ return i2s_direct__(i386_syscall_strings, i386_syscall_i2s_direct, 0, 350, v);
++}
+diff --git a/lib/ia64_tables.h b/lib/ia64_tables.h
+new file mode 100644
+index 0000000..9e127a0
+--- /dev/null
++++ b/lib/ia64_tables.h
+@@ -0,0 +1,147 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ia64_syscall_strings[] = "_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0bdflush\0bind\0"
++ "brk\0capget\0capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clock_getres\0clock_gettime\0"
++ "clock_nanosleep\0clock_settime\0clone\0clone2\0close\0connect\0creat\0delete_module\0dup\0dup2\0"
++ "dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0"
++ "exit_group\0faccessat\0fadvise64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0"
++ "fchownat\0fcntl\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0fremovexattr\0fsetxattr\0fstat\0"
++ "fstatfs\0fstatfs64\0fsync\0ftruncate\0futex\0futimesat\0get_mempolicy\0get_robust_list\0getcpu\0getcwd\0"
++ "getdents\0getdents64\0getegid\0geteuid\0getgid\0getgroups\0getitimer\0getpeername\0getpgid\0getpid\0"
++ "getpmsg\0getppid\0getpriority\0getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0"
++ "gettid\0gettimeofday\0getuid\0getunwind\0getxattr\0init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0"
++ "io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioprio_get\0ioprio_set\0kexec_load\0keyctl\0"
++ "kill\0lchown\0lgetxattr\0link\0linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0"
++ "lseek\0lsetxattr\0lstat\0madvise\0mbind\0migrate_pages\0mincore\0mkdir\0mkdirat\0mknod\0"
++ "mknodat\0mlock\0mlockall\0mmap\0mmap2\0mount\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0"
++ "mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0munlock\0"
++ "munlockall\0munmap\0name_to_handle_at\0nanosleep\0newfstatat\0nfsservctl\0ni_syscall\0open\0open_by_handle_at\0openat\0"
++ "pciconfig_read\0pciconfig_write\0perfmonctl\0personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0"
++ "pread64\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0pselect\0ptrace\0putpmsg\0pwrite64\0pwritev\0"
++ "quotactl\0read\0readahead\0readlink\0readlinkat\0readv\0reboot\0recv\0recvfrom\0recvmmsg\0"
++ "recvmsg\0remap_file_pages\0removexattr\0rename\0renameat\0request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0"
++ "rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0"
++ "sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0sched_yield\0select\0semctl\0semget\0semop\0"
++ "semtimedop\0send\0sendfile\0sendmmsg\0sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_tid_address\0set_zone_reclaim\0"
++ "setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0"
++ "setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0"
++ "shmat\0shmctl\0shmdt\0shmget\0shutdown\0sigaltstack\0signalfd\0signalfd4\0socket\0socketpair\0"
++ "splice\0stat\0statfs\0statfs64\0swapoff\0swapon\0symlink\0symlinkat\0sync\0sync_file_range\0"
++ "syncfs\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0"
++ "timer_settime\0timerfd\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0tkill\0truncate\0tux\0umask\0"
++ "umount\0uname\0unlink\0unlinkat\0unshare\0uselib\0ustat\0utimensat\0utimes\0vhangup\0"
++ "vmsplice\0vserver\0wait4\0waitid\0write\0writev";
++static const unsigned ia64_syscall_s2i_s[] = {
++ 0,8,15,23,30,35,43,52,64,72,
++ 77,81,88,95,101,107,113,120,134,147,
++ 161,177,191,197,204,210,218,224,238,242,
++ 247,252,265,279,289,301,312,320,329,336,
++ 341,352,362,372,382,396,410,417,424,433,
++ 440,449,455,465,475,488,499,505,518,528,
++ 534,542,552,558,568,574,584,598,614,621,
++ 628,637,648,656,664,671,681,691,703,711,
++ 718,726,734,746,756,766,776,786,793,805,
++ 816,823,836,843,853,862,874,892,905,919,
++ 936,946,957,970,979,989,995,1006,1017,1028,
++ 1035,1040,1047,1057,1062,1069,1076,1086,1097,1112,
++ 1125,1131,1141,1147,1155,1161,1175,1183,1189,1197,
++ 1203,1211,1217,1226,1231,1237,1243,1252,1266,1276,
++ 1284,1300,1313,1323,1330,1337,1344,1351,1358,1364,
++ 1372,1383,1390,1408,1418,1429,1440,1451,1456,1474,
++ 1481,1496,1512,1523,1535,1540,1546,1557,1562,1568,
++ 1574,1582,1589,1599,1616,1634,1642,1649,1657,1666,
++ 1674,1683,1688,1698,1707,1718,1724,1731,1736,1745,
++ 1754,1762,1779,1791,1798,1807,1819,1835,1841,1854,
++ 1868,1883,1899,1912,1926,1942,1960,1983,2006,2024,
++ 2039,2058,2080,2098,2113,2132,2144,2151,2158,2165,
++ 2171,2182,2187,2196,2205,2213,2220,2234,2250,2266,
++ 2283,2297,2306,2315,2322,2332,2344,2354,2360,2368,
++ 2380,2389,2399,2409,2418,2428,2435,2446,2459,2466,
++ 2475,2481,2488,2494,2501,2510,2522,2531,2541,2548,
++ 2559,2566,2571,2578,2587,2595,2602,2610,2620,2625,
++ 2641,2648,2654,2662,2669,2673,2680,2693,2706,2723,
++ 2737,2751,2759,2774,2790,2806,2812,2818,2827,2831,
++ 2837,2844,2850,2857,2866,2874,2881,2887,2897,2904,
++ 2912,2921,2929,2935,2942,2948,
++};
++static const int ia64_syscall_s2i_i[] = {
++ 1150,1194,1334,1049,1064,1271,1131,1141,1138,1191,
++ 1060,1185,1186,1034,1038,1039,1068,1328,1255,1254,
++ 1256,1253,1128,1213,1029,1192,1030,1134,1057,1070,
++ 1316,1243,1315,1244,1305,1245,1309,1314,1033,1025,
++ 1236,1293,1234,1303,1323,1324,1035,1099,1292,1100,
++ 1284,1066,1052,1222,1335,1225,1145,1228,1219,1212,
++ 1104,1257,1051,1098,1230,1285,1260,1299,1304,1184,
++ 1144,1214,1063,1047,1062,1077,1119,1196,1079,1041,
++ 1188,1042,1101,1075,1073,1085,1086,1082,1195,1204,
++ 1105,1087,1046,1215,1220,1133,1278,1277,1318,1279,
++ 1242,1239,1240,1238,1241,1065,1275,1274,1268,1273,
++ 1053,1124,1221,1031,1289,1193,1223,1224,1237,1227,
++ 1040,1218,1211,1209,1259,1280,1208,1055,1282,1037,
++ 1283,1153,1154,1151,1172,1043,1155,1267,1266,1262,
++ 1265,1264,1263,1156,1112,1109,1111,1110,1157,1158,
++ 1159,1152,1326,1168,1286,1169,1024,1028,1327,1281,
++ 1173,1174,1175,1140,1058,1317,1207,1090,1295,1170,
++ 1148,1319,1325,1332,1333,1294,1048,1189,1149,1320,
++ 1137,1026,1216,1092,1291,1146,1096,1200,1201,1322,
++ 1206,1125,1226,1054,1288,1272,1246,1056,1177,1178,
++ 1179,1180,1181,1182,1183,1321,1165,1166,1232,1160,
++ 1162,1167,1231,1161,1163,1164,1089,1108,1106,1107,
++ 1247,1198,1187,1331,1205,1199,1261,1298,1233,1276,
++ 1129,1143,1142,1061,1078,1083,1118,1330,1080,1102,
++ 1072,1076,1074,1071,1084,1081,1203,1088,1045,1217,
++ 1114,1116,1115,1113,1202,1176,1307,1313,1190,1197,
++ 1297,1210,1103,1258,1095,1094,1091,1290,1050,1300,
++ 1329,1139,1127,1117,1301,1235,1248,1252,1251,1250,
++ 1249,1308,1310,1312,1311,1059,1229,1097,1120,1067,
++ 1044,1130,1032,1287,1296,1093,1069,1306,1036,1123,
++ 1302,1269,1126,1270,1027,1147,
++};
++static int ia64_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(ia64_syscall_strings, ia64_syscall_s2i_s, ia64_syscall_s2i_i, 306, copy, value);
++ }
++}
++static const unsigned ia64_syscall_i2s_direct[] = {
++ 1440,336,1683,2942,1451,204,218,1057,2850,329,
++ 95,410,2897,1197,101,107,1125,711,726,1237,
++ 2837,2459,836,656,1642,23,2620,552,455,1035,
++ 1791,1183,1835,238,1535,2806,77,2315,664,648,
++ 30,989,449,2831,113,2881,242,2409,2380,756,
++ 2399,746,2389,671,2322,703,2360,2428,786,2332,
++ 2418,766,776,823,2446,2144,1557,2602,1698,2874,
++ 2595,2587,1724,2818,558,417,433,734,2368,2571,
++ 534,816,2158,2165,2151,1337,1351,1344,1330,2494,
++ 2475,2488,2481,2662,2344,681,2827,-1u,-1u,2904,
++ 1040,1762,2929,2654,191,2283,2844,43,-1u,862,
++ 224,-1u,-1u,1674,64,2648,1523,52,2306,2297,
++ 628,499,1718,2948,1574,1657,0,1226,1383,1211,
++ 1217,1243,1323,1358,1364,1372,2024,2098,2039,2113,
++ 2132,1960,1983,2058,1408,1429,1568,-1u,1231,1481,
++ 1496,1512,2510,1841,1854,1868,1883,1899,1912,1926,
++ 621,81,88,2187,718,1649,2541,72,210,1069,
++ 8,793,691,2548,2182,2213,1731,1736,2501,2435,
++ 805,2205,1754,1546,1175,1147,2566,1141,528,197,
++ 637,843,1688,2466,1131,518,853,1047,465,1076,
++ 1086,488,1779,1112,505,2812,568,2080,2006,2250,
++ 362,2673,341,1097,970,946,957,979,936,252,
++ 279,301,1819,2171,2680,2737,2723,2706,2693,177,
++ 147,134,161,542,2578,1155,584,2220,1276,1313,
++ 1300,1284,1266,1252,1017,2921,2935,35,1807,1028,
++ 1006,995,2266,892,874,919,1161,1474,1189,1203,
++ 440,574,1418,2857,1798,1062,2610,1707,424,352,
++ 1634,1562,2866,2559,2234,598,2625,2669,2912,372,
++ 614,289,2887,2522,2751,312,2759,2790,2774,2531,
++ 320,265,247,1540,905,1582,1666,1942,1745,382,
++ 396,1589,1390,1456,120,2641,2354,2196,1599,1616,
++ 15,475,
++};
++static const char *ia64_syscall_i2s(int v) {
++ return i2s_direct__(ia64_syscall_strings, ia64_syscall_i2s_direct, 1024, 1335, v);
++}
+diff --git a/lib/machinetabs.h b/lib/machinetabs.h
+new file mode 100644
+index 0000000..ec2d033
+--- /dev/null
++++ b/lib/machinetabs.h
+@@ -0,0 +1,26 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char machine_strings[] = "i386\0i486\0i586\0i686\0ia64\0ppc\0ppc64\0s390\0s390x\0x86_64";
++static const unsigned machine_s2i_s[] = {
++ 0,5,10,15,20,25,29,35,40,46,
++};
++static const int machine_s2i_i[] = {
++ 0,0,0,0,2,4,3,6,5,1,
++};
++static int machine_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(machine_strings, machine_s2i_s, machine_s2i_i, 10, copy, value);
++ }
++}
++static const unsigned machine_i2s_direct[] = {
++ 0,46,20,29,25,40,35,
++};
++static const char *machine_i2s(int v) {
++ return i2s_direct__(machine_strings, machine_i2s_direct, 0, 6, v);
++}
+diff --git a/lib/msg_typetabs.h b/lib/msg_typetabs.h
+new file mode 100644
+index 0000000..770ec21
+--- /dev/null
++++ b/lib/msg_typetabs.h
+@@ -0,0 +1,104 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char msg_type_strings[] = "ADD_GROUP\0ADD_USER\0ANOM_ABEND\0ANOM_ACCESS_FS\0ANOM_ADD_ACCT\0ANOM_AMTU_FAIL\0ANOM_CRYPTO_FAIL\0ANOM_DEL_ACCT\0ANOM_EXEC\0ANOM_LINK\0"
++ "ANOM_LOGIN_ACCT\0ANOM_LOGIN_FAILURES\0ANOM_LOGIN_LOCATION\0ANOM_LOGIN_SESSIONS\0ANOM_LOGIN_TIME\0ANOM_MAX_DAC\0ANOM_MAX_MAC\0ANOM_MK_EXEC\0ANOM_MOD_ACCT\0ANOM_PROMISCUOUS\0"
++ "ANOM_RBAC_FAIL\0ANOM_RBAC_INTEGRITY_FAIL\0ANOM_ROOT_TRANS\0AVC\0AVC_PATH\0BPRM_FCAPS\0CAPSET\0CHGRP_ID\0CHUSER_ID\0CONFIG_CHANGE\0"
++ "CRED_ACQ\0CRED_DISP\0CRED_REFR\0CRYPTO_FAILURE_USER\0CRYPTO_KEY_USER\0CRYPTO_LOGIN\0CRYPTO_LOGOUT\0CRYPTO_PARAM_CHANGE_USER\0CRYPTO_REPLAY_USER\0CRYPTO_SESSION\0"
++ "CRYPTO_TEST_USER\0CWD\0DAC_CHECK\0DAEMON_ABORT\0DAEMON_ACCEPT\0DAEMON_CLOSE\0DAEMON_CONFIG\0DAEMON_END\0DAEMON_RESUME\0DAEMON_ROTATE\0"
++ "DAEMON_START\0DEL_GROUP\0DEL_USER\0DEV_ALLOC\0DEV_DEALLOC\0EOE\0EXECVE\0FD_PAIR\0FS_RELABEL\0GRP_AUTH\0"
++ "INTEGRITY_DATA\0INTEGRITY_HASH\0INTEGRITY_METADATA\0INTEGRITY_PCR\0INTEGRITY_RULE\0INTEGRITY_STATUS\0IPC\0IPC_SET_PERM\0KERNEL\0KERNEL_OTHER\0"
++ "LABEL_LEVEL_CHANGE\0LABEL_OVERRIDE\0LIST_RULES\0LOGIN\0MAC_CIPSOV4_ADD\0MAC_CIPSOV4_DEL\0MAC_CONFIG_CHANGE\0MAC_IPSEC_ADDSA\0MAC_IPSEC_ADDSPD\0MAC_IPSEC_DELSA\0"
++ "MAC_IPSEC_DELSPD\0MAC_IPSEC_EVENT\0MAC_MAP_ADD\0MAC_MAP_DEL\0MAC_POLICY_LOAD\0MAC_STATUS\0MAC_UNLBL_ALLOW\0MAC_UNLBL_STCADD\0MAC_UNLBL_STCDEL\0MMAP\0"
++ "MQ_GETSETATTR\0MQ_NOTIFY\0MQ_OPEN\0MQ_SENDRECV\0NETFILTER_CFG\0NETFILTER_PKT\0OBJ_PID\0PATH\0RESP_ACCT_LOCK\0RESP_ACCT_LOCK_TIMED\0"
++ "RESP_ACCT_REMOTE\0RESP_ACCT_UNLOCK_TIMED\0RESP_ALERT\0RESP_ANOMALY\0RESP_EXEC\0RESP_HALT\0RESP_KILL_PROC\0RESP_SEBOOL\0RESP_SINGLE\0RESP_TERM_ACCESS\0"
++ "RESP_TERM_LOCK\0ROLE_ASSIGN\0ROLE_MODIFY\0ROLE_REMOVE\0SECCOMP\0SELINUX_ERR\0SERVICE_START\0SERVICE_STOP\0SOCKADDR\0SOCKETCALL\0"
++ "SYSCALL\0SYSTEM_BOOT\0SYSTEM_RUNLEVEL\0SYSTEM_SHUTDOWN\0TEST\0TRUSTED_APP\0TTY\0TTY_GET\0TTY_SET\0USER\0"
++ "USER_ACCT\0USER_AUTH\0USER_AVC\0USER_CHAUTHTOK\0USER_CMD\0USER_END\0USER_ERR\0USER_LABELED_EXPORT\0USER_LOGIN\0USER_LOGOUT\0"
++ "USER_MAC_POLICY_LOAD\0USER_MGMT\0USER_ROLE_CHANGE\0USER_SELINUX_ERR\0USER_START\0USER_TTY\0USER_UNLABELED_EXPORT\0USYS_CONFIG\0VIRT_CONTROL\0VIRT_MACHINE_ID\0"
++ "VIRT_RESOURCE";
++static const unsigned msg_type_s2i_s[] = {
++ 0,10,19,30,45,59,74,91,105,115,
++ 125,141,161,181,201,217,230,243,256,270,
++ 287,302,327,343,347,356,367,374,383,393,
++ 407,416,426,436,456,472,485,499,524,543,
++ 558,575,579,589,602,616,629,643,654,668,
++ 682,695,705,714,724,736,740,747,755,766,
++ 775,790,805,824,838,853,870,874,887,894,
++ 907,926,941,952,958,974,990,1008,1024,1041,
++ 1057,1074,1090,1102,1114,1130,1141,1157,1174,1191,
++ 1196,1210,1220,1228,1240,1254,1268,1276,1281,1296,
++ 1317,1334,1357,1368,1381,1391,1401,1416,1428,1440,
++ 1457,1472,1484,1496,1508,1516,1528,1542,1555,1564,
++ 1575,1583,1595,1611,1627,1632,1644,1648,1656,1664,
++ 1669,1679,1689,1698,1713,1722,1731,1740,1760,1771,
++ 1783,1804,1814,1831,1848,1859,1868,1890,1902,1915,
++ 1931,
++};
++static const int msg_type_s2i_i[] = {
++ 1116,1114,1701,2111,2114,2107,2110,2115,2112,1702,
++ 2103,2100,2104,2102,2101,2105,2106,2113,2116,1700,
++ 2108,2109,2117,1400,1402,1321,1322,1119,1125,1305,
++ 1103,1104,1110,2405,2404,2402,2403,2401,2406,2407,
++ 2400,1307,1118,1202,1207,1208,1203,1201,1206,1205,
++ 1200,1117,1115,2307,2308,1320,1309,1317,2309,1126,
++ 1800,1803,1801,1804,1805,1802,1303,1311,2000,1316,
++ 2304,2303,1013,1006,1407,1408,1405,1411,1413,1412,
++ 1414,1415,1409,1410,1403,1404,1406,1416,1417,1323,
++ 1315,1314,1312,1313,1325,1324,1318,1302,2207,2205,
++ 2204,2206,2201,2200,2210,2212,2202,2209,2211,2203,
++ 2208,2301,2311,2302,1326,1401,1130,1131,1306,1304,
++ 1300,1127,1129,1128,1120,1121,1319,1016,1017,1005,
++ 1101,1100,1107,1108,1123,1106,1109,2305,1112,1113,
++ 2310,1102,2300,1122,1105,1124,2306,1111,2500,2502,
++ 2501,
++};
++static int msg_type_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c;
++ }
++ copy[i] = 0;
++ return s2i__(msg_type_strings, msg_type_s2i_s, msg_type_s2i_i, 151, copy, value);
++ }
++}
++static const int msg_type_i2s_i[] = {
++ 1005,1006,1013,1016,1017,1100,1101,1102,1103,1104,
++ 1105,1106,1107,1108,1109,1110,1111,1112,1113,1114,
++ 1115,1116,1117,1118,1119,1120,1121,1122,1123,1124,
++ 1125,1126,1127,1128,1129,1130,1131,1200,1201,1202,
++ 1203,1205,1206,1207,1208,1300,1302,1303,1304,1305,
++ 1306,1307,1309,1311,1312,1313,1314,1315,1316,1317,
++ 1318,1319,1320,1321,1322,1323,1324,1325,1326,1400,
++ 1401,1402,1403,1404,1405,1406,1407,1408,1409,1410,
++ 1411,1412,1413,1414,1415,1416,1417,1700,1701,1702,
++ 1800,1801,1802,1803,1804,1805,2000,2100,2101,2102,
++ 2103,2104,2105,2106,2107,2108,2109,2110,2111,2112,
++ 2113,2114,2115,2116,2117,2200,2201,2202,2203,2204,
++ 2205,2206,2207,2208,2209,2210,2211,2212,2300,2301,
++ 2302,2303,2304,2305,2306,2307,2308,2309,2310,2311,
++ 2400,2401,2402,2403,2404,2405,2406,2407,2500,2501,
++ 2502,
++};
++static const unsigned msg_type_i2s_s[] = {
++ 1664,952,941,1648,1656,1679,1669,1804,407,416,
++ 1848,1722,1689,1698,1731,426,1890,1760,1771,10,
++ 705,0,695,579,374,1627,1632,1831,1713,1859,
++ 383,766,1583,1611,1595,1528,1542,682,643,589,
++ 629,668,654,602,616,1575,1276,870,1564,393,
++ 1555,575,740,874,1220,1228,1210,1196,894,747,
++ 1268,1644,736,356,367,1191,1254,1240,1508,343,
++ 1516,347,1114,1130,990,1141,958,974,1090,1102,
++ 1008,1041,1024,1057,1074,1157,1174,270,19,115,
++ 775,805,853,790,824,838,887,141,201,181,
++ 125,161,217,230,59,287,302,74,30,105,
++ 243,45,91,256,327,1368,1357,1401,1440,1317,
++ 1296,1334,1281,1457,1416,1381,1428,1391,1814,1472,
++ 1496,926,907,1740,1868,714,724,755,1783,1484,
++ 558,499,472,485,456,436,524,543,1902,1931,
++ 1915,
++};
++static const char *msg_type_i2s(int v) {
++ return i2s_bsearch__(msg_type_strings, msg_type_i2s_i, msg_type_i2s_s, 151, v);
++}
+diff --git a/lib/optabs.h b/lib/optabs.h
+new file mode 100644
+index 0000000..d79b665
+--- /dev/null
++++ b/lib/optabs.h
+@@ -0,0 +1,11 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char op_strings[] = "!=\0&\0&=\0<\0<=\0=\0>\0>=";
++static const int op_i2s_i[] = {
++ 134217728,268435456,536870912,805306368,1073741824,1207959552,1342177280,1610612736,
++};
++static const unsigned op_i2s_s[] = {
++ 3,8,15,0,13,5,10,17,
++};
++static const char *op_i2s(int v) {
++ return i2s_bsearch__(op_strings, op_i2s_i, op_i2s_s, 8, v);
++}
+diff --git a/lib/ppc_tables.h b/lib/ppc_tables.h
+new file mode 100644
+index 0000000..778fae3
+--- /dev/null
++++ b/lib/ppc_tables.h
+@@ -0,0 +1,163 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char ppc_syscall_strings[] = "_llseek\0_newselect\0_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0"
++ "alarm\0bdflush\0bind\0break\0brk\0capget\0capset\0chdir\0chmod\0chown\0"
++ "chroot\0clock_adjtime\0clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0connect\0creat\0"
++ "create_module\0delete_module\0dup\0dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0"
++ "eventfd\0eventfd2\0execve\0exit\0exit_group\0faccessat\0fadvise64\0fadvise64_64\0fallocate\0fanotify_init\0"
++ "fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fcntl64\0fdatasync\0fgetxattr\0"
++ "finit_module\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat\0fstatfs\0"
++ "fstatfs64\0fsync\0ftime\0ftruncate\0ftruncate64\0futex\0futimesat\0get_kernel_syms\0get_robust_list\0getcpu\0"
++ "getcwd\0getdents\0getdents64\0getegid\0geteuid\0getgid\0getgroups\0getitimer\0getpeername\0getpgid\0"
++ "getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0"
++ "getsockname\0getsockopt\0gettid\0gettimeofday\0getuid\0getxattr\0gtty\0idle\0init_module\0inotify_add_watch\0"
++ "inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioperm\0"
++ "iopl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0lgetxattr\0"
++ "link\0linkat\0listen\0listxattr\0llistxattr\0lock\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0"
++ "lstat\0lstat64\0madvise\0mincore\0mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0"
++ "mmap\0mmap2\0modify_ldt\0mount\0move_pages\0mprotect\0mpx\0mq_getsetattr\0mq_notify\0mq_open\0"
++ "mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msync\0multiplexer\0munlock\0munlockall\0munmap\0name_to_handle_at\0"
++ "nanosleep\0nfsservctl\0nice\0oldfstat\0oldlstat\0oldolduname\0oldstat\0olduname\0open\0open_by_handle_at\0"
++ "openat\0pause\0pciconfig_iobase\0pciconfig_read\0pciconfig_write\0perf_counter_open\0personality\0pipe\0pipe2\0pivot_root\0"
++ "poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0process_vm_readv\0process_vm_writev\0prof\0profil\0"
++ "pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0readahead\0readdir\0"
++ "readlink\0readlinkat\0readv\0reboot\0recv\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0"
++ "rename\0renameat\0request_key\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0"
++ "rt_sigtimedwait\0rt_tgsigqueueinfo\0rtas\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0"
++ "sched_setparam\0sched_setscheduler\0sched_yield\0select\0send\0sendfile\0sendfile64\0sendmmsg\0sendmsg\0sendto\0"
++ "set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0sethostname\0setitimer\0setns\0"
++ "setpgid\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0setsid\0setsockopt\0settimeofday\0"
++ "setuid\0setxattr\0sgetmask\0shutdown\0sigaction\0sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0"
++ "sigprocmask\0sigreturn\0sigsuspend\0socket\0socketcall\0socketpair\0splice\0spu_create\0spu_run\0ssetmask\0"
++ "stat\0stat64\0statfs\0statfs64\0stime\0stty\0subpage_prot\0swapcontext\0swapoff\0swapon\0"
++ "symlink\0symlinkat\0sync\0sync_file_range2\0syncfs\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0"
++ "time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_gettime\0timerfd_settime\0times\0"
++ "tkill\0truncate\0truncate64\0tuxcall\0ugetrlimit\0ulimit\0umask\0umount\0umount2\0uname\0"
++ "unlink\0unlinkat\0unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0"
++ "vm86\0vmsplice\0wait4\0waitid\0waitpid\0write\0writev";
++static const unsigned ppc_syscall_s2i_s[] = {
++ 0,8,19,27,34,42,49,54,62,71,
++ 83,89,97,102,108,112,119,126,132,138,
++ 144,151,165,178,192,208,222,228,234,242,
++ 248,262,276,280,285,290,303,317,327,339,
++ 350,358,367,374,379,390,400,410,423,433,
++ 447,461,468,475,484,491,500,506,514,524,
++ 534,547,558,564,569,582,592,598,606,614,
++ 622,632,638,644,654,666,672,682,698,714,
++ 721,728,737,748,756,764,771,781,791,803,
++ 811,819,826,834,842,854,864,874,884,894,
++ 901,913,924,931,944,951,960,965,970,982,
++ 1000,1013,1027,1044,1054,1065,1078,1087,1097,1103,
++ 1110,1115,1126,1137,1141,1146,1157,1164,1169,1176,
++ 1186,1191,1198,1205,1215,1226,1231,1246,1259,1265,
++ 1275,1281,1289,1297,1305,1311,1319,1325,1333,1339,
++ 1348,1353,1359,1370,1376,1387,1396,1400,1414,1424,
++ 1432,1448,1461,1471,1478,1484,1496,1504,1515,1522,
++ 1540,1550,1561,1566,1575,1584,1596,1604,1613,1618,
++ 1636,1643,1649,1666,1681,1697,1715,1727,1732,1738,
++ 1749,1754,1760,1766,1772,1779,1789,1806,1824,1829,
++ 1836,1845,1852,1860,1867,1875,1888,1897,1902,1912,
++ 1920,1929,1940,1946,1953,1958,1967,1976,1984,2001,
++ 2013,2020,2029,2041,2047,2060,2074,2089,2105,2118,
++ 2132,2148,2166,2171,2194,2217,2235,2250,2269,2291,
++ 2309,2324,2343,2355,2362,2367,2376,2387,2396,2404,
++ 2411,2427,2443,2457,2466,2475,2482,2492,2504,2514,
++ 2520,2528,2540,2549,2559,2569,2578,2588,2595,2606,
++ 2619,2626,2635,2644,2653,2663,2675,2682,2691,2701,
++ 2712,2724,2734,2745,2752,2763,2774,2781,2792,2800,
++ 2809,2814,2821,2828,2837,2843,2848,2861,2873,2881,
++ 2888,2896,2906,2911,2928,2935,2941,2949,2956,2960,
++ 2967,2972,2985,2998,3015,3029,3043,3051,3067,3083,
++ 3089,3095,3104,3115,3123,3134,3141,3147,3154,3162,
++ 3168,3175,3184,3192,3199,3205,3211,3221,3228,3234,
++ 3242,3247,3256,3262,3269,3277,3283,
++};
++static const int ppc_syscall_s2i_i[] = {
++ 140,142,149,330,344,33,51,269,124,137,
++ 27,134,327,17,45,183,184,12,15,181,
++ 61,347,247,246,248,245,120,6,328,8,
++ 127,129,41,63,316,236,315,237,303,238,
++ 307,314,11,1,234,298,233,254,309,323,
++ 324,133,94,297,95,289,55,204,148,214,
++ 353,217,143,2,220,211,108,197,291,100,
++ 253,118,35,93,194,221,290,130,299,302,
++ 182,141,202,50,49,47,80,105,332,132,
++ 65,20,187,64,96,170,165,76,77,147,
++ 331,340,207,78,24,212,32,112,128,276,
++ 275,318,277,231,228,229,227,230,54,101,
++ 110,274,273,117,354,268,271,37,16,213,
++ 9,294,329,215,216,53,235,219,19,210,
++ 107,196,205,206,39,287,14,288,150,152,
++ 90,192,123,21,301,125,56,267,266,262,
++ 265,264,263,163,144,201,151,153,91,345,
++ 162,168,34,28,84,59,18,109,5,346,
++ 286,29,200,198,199,319,136,42,317,203,
++ 167,281,171,179,320,325,351,352,44,98,
++ 280,26,188,180,321,166,131,3,191,89,
++ 85,296,145,88,336,337,343,342,239,218,
++ 38,293,270,40,173,175,174,177,172,178,
++ 176,322,255,159,160,223,155,157,161,222,
++ 154,156,158,82,334,186,226,349,341,335,
++ 300,232,121,139,138,46,81,74,104,350,
++ 57,97,71,169,164,70,75,66,339,79,
++ 23,209,68,338,67,185,48,305,313,73,
++ 126,119,72,326,102,333,283,279,278,69,
++ 106,195,99,252,25,31,310,249,115,87,
++ 83,295,36,308,348,135,116,103,284,250,
++ 13,240,244,243,242,241,306,312,311,43,
++ 208,92,193,225,190,58,60,22,52,122,
++ 10,292,282,86,62,30,304,251,189,111,
++ 113,285,114,272,7,4,146,
++};
++static int ppc_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(ppc_syscall_strings, ppc_syscall_s2i_s, ppc_syscall_s2i_i, 347, copy, value);
++ }
++}
++static const unsigned ppc_syscall_i2s_direct[] = {
++ 374,564,1897,3277,1613,228,3269,242,1186,3168,
++ 367,126,2967,1319,132,1169,102,1596,1259,819,
++ 1370,3147,2619,944,2837,1845,83,1566,1643,3205,
++ 2843,960,42,1561,638,2906,1164,2013,1305,2041,
++ 276,1727,3083,1824,108,2475,764,2675,756,748,
++ 49,3154,1226,1097,500,1396,2520,3134,1584,3141,
++ 144,3199,280,834,811,2588,2653,2635,2800,2569,
++ 2540,2734,2701,2492,2578,874,884,931,2606,771,
++ 2482,2355,2888,1575,1920,3192,2881,1946,1912,1348,
++ 1515,3095,644,468,484,842,2528,1829,2821,614,
++ 1103,2752,2949,2504,781,2809,1275,592,1604,1110,
++ 3234,965,3242,3256,2873,2941,1137,632,2724,222,
++ 2443,3162,1359,62,1387,2712,248,970,262,682,
++ 1888,803,461,89,2935,1715,71,2466,2457,0,
++ 728,8,558,1478,1940,3283,894,514,19,1333,
++ 1496,1339,1504,2309,2235,2324,2250,2343,2171,2194,
++ 2269,1540,1471,2559,864,1875,1749,1550,2549,854,
++ 1760,2105,2047,2074,2060,2132,2089,2118,1766,1860,
++ 138,721,112,119,2663,2367,826,1852,3228,3123,
++ 1902,1353,3104,654,2814,1281,598,1666,1681,1649,
++ 1484,737,1738,506,1289,1297,924,3089,2626,1265,
++ 582,951,1176,524,1205,1215,547,2001,1246,569,
++ 666,2291,2217,-1u,3115,2376,1078,1054,1065,1087,
++ 1044,2427,400,379,1231,290,317,339,1984,2972,
++ 3029,3015,2998,2985,208,178,165,192,2861,2960,
++ 3221,2828,622,410,2166,-1u,-1u,-1u,-1u,-1u,
++ -1u,1424,1461,1448,1432,1414,1400,1146,54,2029,
++ 1157,3262,1126,1115,1000,982,1027,2792,2781,1836,
++ 1754,3184,2774,2956,3247,1636,1311,1325,491,672,
++ 606,3175,2020,1191,2896,1929,475,390,698,2411,
++ 1376,714,327,3211,2682,3043,350,2911,423,2848,
++ 3067,3051,2691,358,303,285,1732,1013,1697,1772,
++ 1867,2148,433,447,1779,2745,97,234,1198,27,
++ 901,791,2763,2362,2404,1953,1958,2644,2595,913,
++ 2396,1976,1967,34,1522,1618,151,2928,2387,2514,
++ 1789,1806,534,1141,
++};
++static const char *ppc_syscall_i2s(int v) {
++ return i2s_direct__(ppc_syscall_strings, ppc_syscall_i2s_direct, 1, 354, v);
++}
+diff --git a/lib/s390_tables.h b/lib/s390_tables.h
+new file mode 100644
+index 0000000..218482e
+--- /dev/null
++++ b/lib/s390_tables.h
+@@ -0,0 +1,153 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char s390_syscall_strings[] = "_llseek\0_newselect\0_sysctl\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0bdflush\0"
++ "brk\0capget\0capset\0chdir\0chmod\0chown\0chown32\0chroot\0clock_adjtime\0clock_getres\0"
++ "clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0creat\0create_module\0delete_module\0dup\0dup2\0"
++ "dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0"
++ "exit_group\0faccessat\0fadvise64\0fadvise64_64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0"
++ "fchown\0fchown32\0fchownat\0fcntl\0fcntl64\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0"
++ "fork\0fremovexattr\0fsetxattr\0fstat\0fstat64\0fstatat\0fstatfs\0fstatfs64\0fsync\0ftruncate\0"
++ "ftruncate64\0futex\0futimesat\0get_kernel_syms\0get_robust_list\0getcpu\0getcwd\0getdents\0getdents64\0getegid\0"
++ "getegid32\0geteuid\0geteuid32\0getgid\0getgid32\0getgroups\0getgroups32\0getitimer\0getpgid\0getpgrp\0"
++ "getpid\0getpmsg\0getppid\0getpriority\0getresgid\0getresgid32\0getresuid\0getresuid32\0getrlimit\0getrusage\0"
++ "getsid\0gettid\0gettimeofday\0getuid\0getuid32\0getxattr\0idle\0init_module\0inotify_add_watch\0inotify_init\0"
++ "inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0ioctl\0ioperm\0ioprio_get\0"
++ "ioprio_set\0ipc\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0lchown32\0lgetxattr\0link\0"
++ "linkat\0listxattr\0llistxattr\0lremovexattr\0lseek\0lsetxattr\0lstat\0lstat64\0madvise\0mincore\0"
++ "mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mmap2\0mount\0mprotect\0"
++ "mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msync\0munlock\0munlockall\0"
++ "munmap\0name_to_handle_at\0nanosleep\0nfsservctl\0nice\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0"
++ "personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0"
++ "process_vm_readv\0process_vm_writev\0pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0"
++ "readahead\0readdir\0readlink\0readlinkat\0readv\0reboot\0remap_file_pages\0removexattr\0rename\0renameat\0"
++ "request_key\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0"
++ "s390_runtime_instr\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0"
++ "sched_yield\0sendfile\0sendfile64\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsgid32\0setfsuid\0setfsuid32\0"
++ "setgid\0setgid32\0setgroups\0setgroups32\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0"
++ "setregid32\0setresgid\0setresgid32\0setresuid\0setresuid32\0setreuid\0setreuid32\0setrlimit\0setsid\0settimeofday\0"
++ "setuid\0setuid32\0setxattr\0sigaction\0sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0sigprocmask\0"
++ "sigreturn\0sigsuspend\0socketcall\0splice\0stat\0stat64\0statfs\0statfs64\0stime\0swapoff\0"
++ "swapon\0symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0sysinfo\0syslog\0tee\0"
++ "tgkill\0time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_create\0timerfd_gettime\0"
++ "timerfd_settime\0times\0tkill\0truncate\0truncate64\0ugetrlimit\0umask\0umount\0umount2\0uname\0"
++ "unlink\0unlinkat\0unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0"
++ "vmsplice\0wait4\0waitid\0write\0writev";
++static const unsigned s390_syscall_s2i_s[] = {
++ 0,8,19,27,34,39,47,56,68,74,
++ 82,86,93,100,106,112,118,126,133,147,
++ 160,174,190,204,210,216,222,236,250,254,
++ 259,264,277,291,301,313,324,332,341,348,
++ 353,364,374,384,397,407,421,435,442,449,
++ 458,465,474,483,489,497,507,517,530,541,
++ 547,552,565,575,581,589,597,605,615,621,
++ 631,643,649,659,675,691,698,705,714,725,
++ 733,743,751,761,768,777,787,799,809,817,
++ 825,832,840,848,860,870,882,892,904,914,
++ 924,931,938,951,958,967,976,981,993,1011,
++ 1024,1038,1055,1065,1076,1089,1098,1108,1114,1121,
++ 1132,1143,1147,1152,1163,1170,1175,1182,1191,1201,
++ 1206,1213,1223,1234,1247,1253,1263,1269,1277,1285,
++ 1293,1299,1307,1313,1321,1327,1336,1341,1347,1353,
++ 1362,1376,1386,1394,1410,1423,1433,1440,1446,1454,
++ 1465,1472,1490,1500,1511,1516,1521,1539,1546,1552,
++ 1568,1580,1585,1591,1602,1607,1613,1619,1625,1632,
++ 1642,1659,1677,1686,1693,1701,1708,1716,1729,1738,
++ 1743,1753,1761,1770,1781,1787,1794,1811,1823,1830,
++ 1839,1851,1857,1870,1884,1899,1915,1928,1942,1958,
++ 1976,1995,2018,2041,2059,2074,2093,2115,2133,2148,
++ 2167,2179,2188,2199,2215,2231,2245,2254,2265,2274,
++ 2285,2292,2301,2311,2323,2335,2345,2351,2359,2371,
++ 2380,2391,2401,2413,2423,2435,2444,2455,2465,2472,
++ 2485,2492,2501,2510,2520,2532,2539,2548,2558,2569,
++ 2581,2591,2602,2613,2620,2625,2632,2639,2648,2654,
++ 2662,2669,2677,2687,2692,2708,2715,2721,2729,2736,
++ 2740,2747,2752,2765,2778,2795,2809,2823,2831,2846,
++ 2862,2878,2884,2890,2899,2910,2921,2927,2934,2942,
++ 2948,2955,2964,2972,2979,2985,2991,3001,3008,3014,
++ 3022,3031,3037,3044,3050,
++};
++static const int s390_syscall_s2i_i[] = {
++ 140,142,149,33,51,278,124,137,27,134,
++ 45,184,185,12,15,182,212,61,337,261,
++ 260,262,259,120,6,8,127,129,41,63,
++ 326,249,327,250,312,251,318,323,11,1,
++ 248,300,253,264,314,332,333,133,94,299,
++ 95,207,291,55,221,148,229,344,232,143,
++ 2,235,226,108,197,293,100,266,118,93,
++ 194,238,292,130,305,311,183,141,220,50,
++ 202,49,201,47,200,80,205,105,132,65,
++ 20,188,64,96,171,211,165,209,76,77,
++ 147,236,78,24,199,227,112,128,285,284,
++ 324,286,247,244,245,243,246,54,101,283,
++ 282,117,343,277,280,37,16,198,228,9,
++ 296,230,231,234,19,225,107,196,219,218,
++ 39,289,14,290,150,152,90,192,21,125,
++ 276,275,271,274,273,272,163,144,151,153,
++ 91,335,162,169,34,5,336,288,29,331,
++ 136,42,325,217,168,302,172,180,328,334,
++ 340,341,301,26,189,181,329,167,131,3,
++ 222,89,85,298,145,88,267,233,38,295,
++ 279,40,174,176,175,178,173,179,177,330,
++ 342,159,160,240,155,157,161,239,154,156,
++ 158,187,223,304,252,121,139,216,138,215,
++ 46,214,81,206,74,104,339,57,97,71,
++ 204,170,210,164,208,70,203,75,66,79,
++ 23,213,224,67,186,48,316,322,73,126,
++ 119,72,102,306,106,195,99,265,25,115,
++ 87,83,297,36,307,338,135,116,103,308,
++ 241,13,254,258,257,256,255,317,319,321,
++ 320,43,237,92,193,191,60,22,52,122,
++ 10,294,303,86,62,30,315,313,190,111,
++ 309,114,281,4,146,
++};
++static int s390_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(s390_syscall_strings, s390_syscall_s2i_s, s390_syscall_s2i_i, 315, copy, value);
++ }
++}
++static const unsigned s390_syscall_i2s_direct[] = {
++ 348,547,1738,3044,1516,210,-1u,216,1201,2948,
++ 341,100,2747,1307,106,1175,-1u,-1u,1247,825,
++ 1347,2927,2485,951,2648,1686,68,-1u,1546,2985,
++ -1u,-1u,27,1511,-1u,2687,1170,1823,1293,1851,
++ 250,1580,2878,-1u,82,2285,761,2532,743,725,
++ 34,2934,-1u,1108,483,-1u,2351,-1u,-1u,2921,
++ 126,2979,254,840,817,2465,2510,-1u,-1u,2435,
++ 2371,2591,2558,2323,2455,904,914,938,2472,777,
++ 2301,-1u,2669,-1u,1761,2972,2662,1787,1753,1336,
++ 1465,2890,621,442,458,848,2359,-1u,2632,597,
++ 1114,2602,2729,2335,799,2620,1263,575,-1u,-1u,
++ 3014,976,-1u,3031,2654,2721,1143,615,2581,204,
++ 2231,2942,-1u,47,1353,2569,222,981,236,659,
++ 1729,809,435,74,2715,1568,56,2265,2245,0,
++ 705,8,541,1440,1781,3050,924,497,19,1321,
++ 1446,1327,1454,2133,2059,2148,2074,2167,1995,2018,
++ 2093,1490,1433,2413,882,-1u,1716,1602,1500,2391,
++ 860,1613,1915,1857,1884,1870,1942,1899,1928,1619,
++ 1701,112,698,86,93,2520,2179,832,1693,3008,
++ 2910,1341,2899,631,2625,1269,581,1182,958,768,
++ 751,733,2444,2380,787,2311,465,2423,892,2401,
++ 870,118,2492,2292,2274,2254,1591,1285,1277,714,
++ 489,1743,2188,2501,1253,565,967,1191,507,1213,
++ 1223,530,1811,1234,552,931,2884,643,2115,2041,
++ 2740,-1u,1089,1065,1076,1098,1055,353,264,291,
++ 313,2215,374,2752,2809,2795,2778,2765,190,160,
++ 147,174,-1u,384,2639,605,1794,-1u,-1u,-1u,
++ 1386,1423,1410,1394,1376,1362,1152,39,1839,1163,
++ 3037,1132,1121,1011,993,1038,-1u,1539,1299,1313,
++ 474,649,589,2955,1830,1206,2677,1770,449,364,
++ 1677,1607,2964,2199,675,2613,2692,2736,3022,-1u,
++ 691,301,3001,397,2991,2539,2823,324,2831,2862,
++ 2846,2548,332,1024,1585,259,277,1625,1708,1958,
++ 1552,407,421,1632,1472,1521,133,2708,2345,1642,
++ 1659,1976,1147,517,
++};
++static const char *s390_syscall_i2s(int v) {
++ return i2s_direct__(s390_syscall_strings, s390_syscall_i2s_direct, 1, 344, v);
++}
+diff --git a/lib/s390x_tables.h b/lib/s390x_tables.h
+new file mode 100644
+index 0000000..36099fc
+--- /dev/null
++++ b/lib/s390x_tables.h
+@@ -0,0 +1,144 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char s390x_syscall_strings[] = "_sysctl\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0bdflush\0brk\0capget\0"
++ "capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clock_getres\0clock_gettime\0clock_nanosleep\0clock_settime\0"
++ "clone\0close\0creat\0create_module\0delete_module\0dup\0dup2\0dup3\0epoll_create\0epoll_create1\0"
++ "epoll_ctl\0epoll_pwait\0epoll_wait\0eventfd\0eventfd2\0execve\0exit\0exit_group\0faccessat\0fadvise64\0"
++ "fallocate\0fanotify_init\0fanotify_mark\0fchdir\0fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fdatasync\0"
++ "fgetxattr\0finit_module\0flistxattr\0flock\0fork\0fremovexattr\0fsetxattr\0fstat\0fstatfs\0fstatfs64\0"
++ "fsync\0ftruncate\0futex\0futimesat\0get_kernel_syms\0get_robust_list\0getcpu\0getcwd\0getdents\0getegid\0"
++ "geteuid\0getgid\0getgroups\0getitimer\0getpgid\0getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0"
++ "getresgid\0getresuid\0getrlimit\0getrusage\0getsid\0gettid\0gettimeofday\0getuid\0getxattr\0idle\0"
++ "init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0"
++ "ioctl\0ioprio_get\0ioprio_set\0ipc\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0lgetxattr\0"
++ "link\0linkat\0listxattr\0llistxattr\0lremovexattr\0lseek\0lsetxattr\0lstat\0madvise\0mincore\0"
++ "mkdir\0mkdirat\0mknod\0mknodat\0mlock\0mlockall\0mmap\0mount\0mprotect\0mq_getsetattr\0"
++ "mq_notify\0mq_open\0mq_timedreceive\0mq_timedsend\0mq_unlink\0mremap\0msync\0munlock\0munlockall\0munmap\0"
++ "name_to_handle_at\0nanosleep\0newfstatat\0nfsservctl\0nice\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0"
++ "personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0"
++ "process_vm_readv\0process_vm_writev\0pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0"
++ "readahead\0readdir\0readlink\0readlinkat\0readv\0reboot\0remap_file_pages\0removexattr\0rename\0renameat\0"
++ "request_key\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0"
++ "s390_runtime_instr\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0sched_setparam\0sched_setscheduler\0"
++ "sched_yield\0select\0sendfile\0set_robust_list\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0setgid\0setgroups\0"
++ "sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0setresgid\0setresuid\0setreuid\0setrlimit\0"
++ "setsid\0settimeofday\0setuid\0setxattr\0sigaction\0sigaltstack\0signal\0signalfd\0signalfd4\0sigpending\0"
++ "sigprocmask\0sigreturn\0sigsuspend\0socketcall\0splice\0stat\0statfs\0statfs64\0swapoff\0swapon\0"
++ "symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0sysinfo\0syslog\0tee\0tgkill\0"
++ "timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_create\0timerfd_gettime\0timerfd_settime\0times\0"
++ "tkill\0truncate\0umask\0umount\0umount2\0uname\0unlink\0unlinkat\0unshare\0uselib\0"
++ "ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vmsplice\0wait4\0waitid\0write\0"
++ "writev";
++static const unsigned s390x_syscall_s2i_s[] = {
++ 0,8,15,20,28,37,49,55,63,67,
++ 74,81,87,93,99,106,120,133,147,163,
++ 177,183,189,195,209,223,227,232,237,250,
++ 264,274,286,297,305,314,321,326,337,347,
++ 357,367,381,395,402,409,418,425,434,440,
++ 450,460,473,484,490,495,508,518,524,532,
++ 542,548,558,564,574,590,606,613,620,629,
++ 637,645,652,662,672,680,688,695,703,711,
++ 723,733,743,753,763,770,777,790,797,806,
++ 811,823,841,854,868,885,895,906,919,928,
++ 938,944,955,966,970,975,986,993,998,1005,
++ 1015,1020,1027,1037,1048,1061,1067,1077,1083,1091,
++ 1099,1105,1113,1119,1127,1133,1142,1147,1153,1162,
++ 1176,1186,1194,1210,1223,1233,1240,1246,1254,1265,
++ 1272,1290,1300,1311,1322,1327,1332,1350,1357,1363,
++ 1379,1391,1396,1402,1413,1418,1424,1430,1436,1443,
++ 1453,1470,1488,1497,1504,1512,1519,1527,1540,1549,
++ 1554,1564,1572,1581,1592,1598,1605,1622,1634,1641,
++ 1650,1662,1668,1681,1695,1710,1726,1739,1753,1769,
++ 1787,1806,1829,1852,1870,1885,1904,1926,1944,1959,
++ 1978,1990,1997,2006,2022,2038,2052,2061,2070,2077,
++ 2087,2099,2109,2115,2123,2135,2144,2154,2164,2173,
++ 2183,2190,2203,2210,2219,2229,2241,2248,2257,2267,
++ 2278,2290,2300,2311,2322,2329,2334,2341,2350,2358,
++ 2365,2373,2383,2388,2404,2411,2417,2425,2432,2436,
++ 2443,2456,2469,2486,2500,2514,2522,2537,2553,2569,
++ 2575,2581,2590,2596,2603,2611,2617,2624,2633,2641,
++ 2648,2654,2660,2670,2677,2683,2691,2700,2706,2713,
++ 2719,
++};
++static const int s390x_syscall_s2i_i[] = {
++ 149,33,51,278,124,137,27,134,45,184,
++ 185,12,15,212,61,337,261,260,262,259,
++ 120,6,8,127,129,41,63,326,249,327,
++ 250,312,251,318,323,11,1,248,300,253,
++ 314,332,333,133,94,299,207,291,55,148,
++ 229,344,232,143,2,235,226,108,100,266,
++ 118,93,238,292,130,305,311,183,141,202,
++ 201,200,205,105,132,65,20,188,64,96,
++ 211,209,191,77,147,236,78,199,227,112,
++ 128,285,284,324,286,247,244,245,243,246,
++ 54,283,282,117,343,277,280,37,198,228,
++ 9,296,230,231,234,19,225,107,219,218,
++ 39,289,14,290,150,152,90,21,125,276,
++ 275,271,274,273,272,163,144,151,153,91,
++ 335,162,293,169,34,5,336,288,29,331,
++ 136,42,325,217,168,302,172,180,328,334,
++ 340,341,301,26,189,181,329,167,131,3,
++ 222,89,85,298,145,88,267,233,38,295,
++ 279,40,174,176,175,178,173,179,177,330,
++ 342,159,160,240,155,157,161,239,154,156,
++ 158,142,187,304,252,121,216,215,214,206,
++ 74,104,339,57,97,204,210,208,203,75,
++ 66,79,213,224,67,186,48,316,322,73,
++ 126,119,72,102,306,106,99,265,115,87,
++ 83,297,36,307,338,135,116,103,308,241,
++ 254,258,257,256,255,317,319,321,320,43,
++ 237,92,60,22,52,122,10,294,303,86,
++ 62,30,315,313,190,111,309,114,281,4,
++ 146,
++};
++static int s390x_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(s390x_syscall_strings, s390x_syscall_s2i_s, s390x_syscall_s2i_i, 281, copy, value);
++ }
++}
++static const unsigned s390x_syscall_i2s_direct[] = {
++ 321,490,1549,2713,1327,183,-1u,189,1015,2617,
++ 314,81,-1u,1113,87,-1u,-1u,-1u,1061,688,
++ 1147,2596,-1u,-1u,-1u,1497,49,-1u,1357,2654,
++ -1u,-1u,8,1322,-1u,2383,993,1634,1099,1662,
++ 223,1391,2569,-1u,63,-1u,-1u,2241,-1u,-1u,
++ 15,2603,-1u,938,434,-1u,2115,-1u,-1u,2590,
++ 99,2648,227,703,680,2183,2219,-1u,-1u,-1u,
++ -1u,2300,2267,2087,2173,-1u,753,777,2190,-1u,
++ -1u,-1u,2365,-1u,1572,2641,2358,1598,1564,1142,
++ 1265,2581,548,402,-1u,711,2123,-1u,2334,524,
++ -1u,2311,2425,2099,662,2329,1077,518,-1u,-1u,
++ 2683,806,-1u,2700,2350,2417,966,542,2290,177,
++ 2038,2611,-1u,28,1153,2278,195,811,209,574,
++ 1540,672,395,55,2411,1379,37,-1u,-1u,-1u,
++ 620,1990,484,1240,1592,2719,763,440,0,1127,
++ 1246,1133,1254,1944,1870,1959,1885,1978,1806,1829,
++ 1904,1290,1233,-1u,-1u,-1u,1527,1413,1311,-1u,
++ -1u,1424,1726,1668,1695,1681,1753,1710,1739,1430,
++ 1512,-1u,613,67,74,2229,1997,695,1504,2677,
++ 743,-1u,-1u,-1u,-1u,-1u,-1u,998,790,645,
++ 637,629,2164,2135,652,2077,418,2154,733,2144,
++ 723,93,2203,2070,2061,2052,1402,1091,1083,-1u,
++ -1u,1554,-1u,2210,1067,508,797,1005,450,1027,
++ 1037,473,1622,1048,495,770,2575,558,1926,1852,
++ 2436,-1u,919,895,906,928,885,326,237,264,
++ 286,2022,347,2443,2500,2486,2469,2456,163,133,
++ 120,147,-1u,-1u,2341,532,1605,-1u,-1u,-1u,
++ 1186,1223,1210,1194,1176,1162,975,20,1650,986,
++ 2706,955,944,841,823,868,-1u,1350,1105,1119,
++ 425,564,1300,2624,1641,1020,2373,1581,409,337,
++ 1488,1418,2633,2006,590,2322,2388,2432,2691,-1u,
++ 606,274,2670,357,2660,2248,2514,297,2522,2553,
++ 2537,2257,305,854,1396,232,250,1436,1519,1769,
++ 1363,367,381,1443,1272,1332,106,2404,2109,1453,
++ 1470,1787,970,460,
++};
++static const char *s390x_syscall_i2s(int v) {
++ return i2s_direct__(s390x_syscall_strings, s390x_syscall_i2s_direct, 1, 344, v);
++}
+diff --git a/lib/x86_64_tables.h b/lib/x86_64_tables.h
+new file mode 100644
+index 0000000..d2a5673
+--- /dev/null
++++ b/lib/x86_64_tables.h
+@@ -0,0 +1,150 @@
++/* This is a generated file, see Makefile.am for its inputs. */
++static const char x86_64_syscall_strings[] = "_sysctl\0accept\0accept4\0access\0acct\0add_key\0adjtimex\0afs_syscall\0alarm\0arch_prctl\0"
++ "bind\0brk\0capget\0capset\0chdir\0chmod\0chown\0chroot\0clock_adjtime\0clock_getres\0"
++ "clock_gettime\0clock_nanosleep\0clock_settime\0clone\0close\0connect\0creat\0create_module\0delete_module\0dup\0"
++ "dup2\0dup3\0epoll_create\0epoll_create1\0epoll_ctl\0epoll_ctl_old\0epoll_pwait\0epoll_wait\0epoll_wait_old\0eventfd\0"
++ "eventfd2\0execve\0exit\0exit_group\0faccessat\0fadvise64\0fallocate\0fanotify_init\0fanotify_mark\0fchdir\0"
++ "fchmod\0fchmodat\0fchown\0fchownat\0fcntl\0fdatasync\0fgetxattr\0finit_module\0flistxattr\0flock\0"
++ "fork\0fremovexattr\0fsetxattr\0fstat\0fstatfs\0fsync\0ftruncate\0futex\0futimesat\0get_kernel_syms\0"
++ "get_mempolicy\0get_robust_list\0get_thread_area\0getcpu\0getcwd\0getdents\0getdents64\0getegid\0geteuid\0getgid\0"
++ "getgroups\0getitimer\0getpeername\0getpgid\0getpgrp\0getpid\0getpmsg\0getppid\0getpriority\0getresgid\0"
++ "getresuid\0getrlimit\0getrusage\0getsid\0getsockname\0getsockopt\0gettid\0gettimeofday\0getuid\0getxattr\0"
++ "init_module\0inotify_add_watch\0inotify_init\0inotify_init1\0inotify_rm_watch\0io_cancel\0io_destroy\0io_getevents\0io_setup\0io_submit\0"
++ "ioctl\0ioperm\0iopl\0ioprio_get\0ioprio_set\0kcmp\0kexec_load\0keyctl\0kill\0lchown\0"
++ "lgetxattr\0link\0linkat\0listen\0listxattr\0llistxattr\0lookup_dcookie\0lremovexattr\0lseek\0lsetxattr\0"
++ "lstat\0madvise\0mbind\0migrate_pages\0mincore\0mkdir\0mkdirat\0mknod\0mknodat\0mlock\0"
++ "mlockall\0mmap\0modify_ldt\0mount\0move_pages\0mprotect\0mq_getsetattr\0mq_notify\0mq_open\0mq_timedreceive\0"
++ "mq_timedsend\0mq_unlink\0mremap\0msgctl\0msgget\0msgrcv\0msgsnd\0msync\0munlock\0munlockall\0"
++ "munmap\0name_to_handle_at\0nanosleep\0newfstatat\0nfsservctl\0open\0open_by_handle_at\0openat\0pause\0perf_event_open\0"
++ "personality\0pipe\0pipe2\0pivot_root\0poll\0ppoll\0prctl\0pread\0preadv\0prlimit64\0"
++ "process_vm_readv\0process_vm_writev\0pselect6\0ptrace\0putpmsg\0pwrite\0pwritev\0query_module\0quotactl\0read\0"
++ "readahead\0readlink\0readlinkat\0readv\0reboot\0recvfrom\0recvmmsg\0recvmsg\0remap_file_pages\0removexattr\0"
++ "rename\0renameat\0request_key\0restart_syscall\0rmdir\0rt_sigaction\0rt_sigpending\0rt_sigprocmask\0rt_sigqueueinfo\0rt_sigreturn\0"
++ "rt_sigsuspend\0rt_sigtimedwait\0rt_tgsigqueueinfo\0sched_get_priority_max\0sched_get_priority_min\0sched_getaffinity\0sched_getparam\0sched_getscheduler\0sched_rr_get_interval\0sched_setaffinity\0"
++ "sched_setparam\0sched_setscheduler\0sched_yield\0security\0select\0semctl\0semget\0semop\0semtimedop\0sendfile\0"
++ "sendmmsg\0sendmsg\0sendto\0set_mempolicy\0set_robust_list\0set_thread_area\0set_tid_address\0setdomainname\0setfsgid\0setfsuid\0"
++ "setgid\0setgroups\0sethostname\0setitimer\0setns\0setpgid\0setpriority\0setregid\0setresgid\0setresuid\0"
++ "setreuid\0setrlimit\0setsid\0setsockopt\0settimeofday\0setuid\0setxattr\0shmat\0shmctl\0shmdt\0"
++ "shmget\0shutdown\0sigaltstack\0signalfd\0signalfd4\0socket\0socketpair\0splice\0stat\0statfs\0"
++ "swapoff\0swapon\0symlink\0symlinkat\0sync\0sync_file_range\0syncfs\0sysfs\0sysinfo\0syslog\0"
++ "tee\0tgkill\0time\0timer_create\0timer_delete\0timer_getoverrun\0timer_gettime\0timer_settime\0timerfd\0timerfd_gettime\0"
++ "timerfd_settime\0times\0tkill\0truncate\0tuxcall\0umask\0umount2\0uname\0unlink\0unlinkat\0"
++ "unshare\0uselib\0ustat\0utime\0utimensat\0utimes\0vfork\0vhangup\0vmsplice\0vserver\0"
++ "wait4\0waitid\0write\0writev";
++static const unsigned x86_64_syscall_s2i_s[] = {
++ 0,8,15,23,30,35,43,52,64,70,
++ 81,86,90,97,104,110,116,122,129,143,
++ 156,170,186,200,206,212,220,226,240,254,
++ 258,263,268,281,295,305,319,331,342,357,
++ 365,374,381,386,397,407,417,427,441,455,
++ 462,469,478,485,494,500,510,520,533,544,
++ 550,555,568,578,584,592,598,608,614,624,
++ 640,654,670,686,693,700,709,720,728,736,
++ 743,753,763,775,783,791,798,806,814,826,
++ 836,846,856,866,873,885,896,903,916,923,
++ 932,944,962,975,989,1006,1016,1027,1040,1049,
++ 1059,1065,1072,1077,1088,1099,1104,1115,1122,1127,
++ 1134,1144,1149,1156,1163,1173,1184,1199,1212,1218,
++ 1228,1234,1242,1248,1262,1270,1276,1284,1290,1298,
++ 1304,1313,1318,1329,1335,1346,1355,1369,1379,1387,
++ 1403,1416,1426,1433,1440,1447,1454,1461,1467,1475,
++ 1486,1493,1511,1521,1532,1543,1548,1566,1573,1579,
++ 1595,1607,1612,1618,1629,1634,1640,1646,1652,1659,
++ 1669,1686,1704,1713,1720,1728,1735,1743,1756,1765,
++ 1770,1780,1789,1800,1806,1813,1822,1831,1839,1856,
++ 1868,1875,1884,1896,1912,1918,1931,1945,1960,1976,
++ 1989,2003,2019,2037,2060,2083,2101,2116,2135,2157,
++ 2175,2190,2209,2221,2230,2237,2244,2251,2257,2268,
++ 2277,2286,2294,2301,2315,2331,2347,2363,2377,2386,
++ 2395,2402,2412,2424,2434,2440,2448,2460,2469,2479,
++ 2489,2498,2508,2515,2526,2539,2546,2555,2561,2568,
++ 2574,2581,2590,2602,2611,2621,2628,2639,2646,2651,
++ 2658,2666,2673,2681,2691,2696,2712,2719,2725,2733,
++ 2740,2744,2751,2756,2769,2782,2799,2813,2827,2835,
++ 2851,2867,2873,2879,2888,2896,2902,2910,2916,2923,
++ 2932,2940,2947,2953,2959,2969,2976,2982,2990,2999,
++ 3007,3013,3020,3026,
++};
++static const int x86_64_syscall_s2i_i[] = {
++ 156,43,288,21,163,248,159,183,37,158,
++ 49,12,125,126,80,90,92,161,305,229,
++ 228,230,227,56,3,42,85,174,176,32,
++ 33,292,213,291,233,214,281,232,215,284,
++ 290,59,60,231,269,221,285,300,301,81,
++ 91,268,93,260,72,75,193,313,196,73,
++ 57,199,190,5,138,74,77,202,261,177,
++ 239,274,211,309,79,78,217,108,107,104,
++ 115,36,52,121,111,39,181,110,140,120,
++ 118,97,98,124,51,55,186,96,102,191,
++ 175,254,253,294,255,210,207,208,206,209,
++ 16,173,172,252,251,312,246,250,62,94,
++ 192,86,265,50,194,195,212,198,8,189,
++ 6,28,237,256,27,83,258,133,259,149,
++ 151,9,154,165,279,10,245,244,240,243,
++ 242,241,25,71,68,70,69,26,150,152,
++ 11,303,35,262,180,2,304,257,34,298,
++ 135,22,293,155,7,271,157,17,295,302,
++ 310,311,270,101,182,18,296,178,179,0,
++ 187,89,267,19,169,45,299,47,216,197,
++ 82,264,249,219,84,13,127,14,129,15,
++ 130,128,297,146,147,204,143,145,148,203,
++ 142,144,24,185,23,66,64,65,220,40,
++ 307,46,44,238,273,205,218,171,123,122,
++ 106,116,170,38,308,109,141,114,119,117,
++ 113,160,112,54,164,105,188,30,31,67,
++ 29,48,131,282,289,41,53,275,4,137,
++ 168,167,88,266,162,277,306,139,99,103,
++ 276,234,201,222,226,225,224,223,283,287,
++ 286,100,200,76,184,95,166,63,87,263,
++ 272,134,136,132,280,235,58,153,278,236,
++ 61,247,1,20,
++};
++static int x86_64_syscall_s2i(const char *s, int *value) {
++ size_t len, i;
++ len = strlen(s);
++ { char copy[len + 1];
++ for (i = 0; i < len; i++) {
++ char c = s[i];
++ copy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;
++ }
++ copy[i] = 0;
++ return s2i__(x86_64_syscall_strings, x86_64_syscall_s2i_s, x86_64_syscall_s2i_i, 314, copy, value);
++ }
++}
++static const unsigned x86_64_syscall_i2s_direct[] = {
++ 1765,3020,1543,206,2646,578,1228,1629,1212,1313,
++ 1346,1486,86,1918,1945,1976,1059,1646,1728,1800,
++ 3026,23,1607,2230,2209,1426,1461,1262,1234,2574,
++ 2555,2561,254,258,1573,1511,753,64,2424,791,
++ 2268,2621,212,8,2294,1813,2286,1831,2581,81,
++ 1156,873,763,2628,2515,885,200,550,2976,374,
++ 381,3007,1122,2910,2244,2251,2237,2568,1440,1454,
++ 1447,1433,494,544,592,500,2879,598,700,693,
++ 104,455,1868,1270,1912,220,1144,2916,2673,1780,
++ 110,462,116,478,1127,2896,903,846,856,2725,
++ 2867,1713,916,2733,736,2539,2395,728,720,2440,
++ 806,783,2508,2489,2460,743,2402,2479,836,2469,
++ 826,775,2386,2377,866,90,97,1931,2003,1960,
++ 1989,2590,2953,1284,2940,1595,2947,2651,584,2719,
++ 814,2448,2175,2101,2190,2116,2037,2060,2135,1298,
++ 1467,1304,1475,2982,1318,1618,0,1640,70,43,
++ 2498,122,2691,30,2526,1329,2902,2666,2658,1806,
++ 2412,2363,1072,1065,226,932,240,624,1743,1756,
++ 1532,798,1720,52,2888,2221,896,1770,2546,1218,
++ 568,923,1134,510,1163,1173,533,1856,1199,555,
++ 2873,2751,608,2157,2083,2331,1040,1016,1027,1049,
++ 1006,670,1184,268,305,342,1839,709,2347,1896,
++ 2257,407,2756,2813,2799,2782,2769,186,156,143,
++ 170,386,331,295,2744,2969,2999,1242,2301,640,
++ 1379,1416,1403,1387,1369,1355,1104,3013,35,1884,
++ 1115,1088,1077,962,944,989,1248,1566,1276,1290,
++ 485,614,1521,2923,1875,1149,2681,1789,469,397,
++ 1704,1634,2932,2315,654,2639,2740,2696,2990,1335,
++ 2959,319,2602,2827,357,417,2851,2835,15,2611,
++ 365,281,263,1612,975,1652,1735,2019,1579,1822,
++ 427,441,1659,1493,1548,129,2712,2277,2434,686,
++ 1669,1686,1099,520,
++};
++static const char *x86_64_syscall_i2s(int v) {
++ return i2s_direct__(x86_64_syscall_strings, x86_64_syscall_i2s_direct, 0, 313, v);
++}
+--
+1.7.9.5
+
diff --git a/meta-security/recipes-security/audit/audit/audit-python-configure.patch b/meta-security/recipes-security/audit/audit/audit-python-configure.patch
new file mode 100644
index 000000000..f90e21330
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/audit-python-configure.patch
@@ -0,0 +1,27 @@
+From cace630b0eb42418dea4f3d98c69d0d777bfc1be Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Wed, 20 Jun 2012 16:34:19 +0800
+Subject: [PATCH] audit: python cross-compile
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ configure.ac | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 3db7d45..9a07db6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -90,7 +90,8 @@ if test x$use_python = xno ; then
+ else
+ AC_MSG_RESULT(testing)
+ AM_PATH_PYTHON
+-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
++PY_PREFIX=`$PYTHON -c 'import sys ; print sys.prefix'`
++if test -f $PY_PREFIX/include/python${am_cv_python_version}/Python.h ; then
+ python_found="yes"
+ AC_MSG_NOTICE(Python bindings will be built)
+ else
+--
+1.7.7
+
diff --git a/meta-security/recipes-security/audit/audit/audit-python.patch b/meta-security/recipes-security/audit/audit/audit-python.patch
new file mode 100644
index 000000000..78fce0199
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/audit-python.patch
@@ -0,0 +1,31 @@
+Remove hard coded python include directory
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+
+diff -ur audit-2.1.3.orig/bindings/python/Makefile.am audit-2.1.3/bindings/python/Makefile.am
+--- audit-2.1.3.orig/bindings/python/Makefile.am 2011-08-15 12:31:01.000000000 -0500
++++ audit-2.1.3/bindings/python/Makefile.am 2012-01-30 12:19:54.533959225 -0600
+@@ -25,7 +25,9 @@
+
+ pyexec_LTLIBRARIES = auparse.la
+
++PYINC ?= /usr/include/python$(PYTHON_VERSION)
++
+ auparse_la_SOURCES = auparse_python.c
+-auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I/usr/include/python$(PYTHON_VERSION) -fno-strict-aliasing
++auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I$(PYINC) -fno-strict-aliasing
+ auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro
+ auparse_la_LIBADD = ../../auparse/libauparse.la ../../lib/libaudit.la
+diff -ur audit-2.1.3.orig/swig/Makefile.am audit-2.1.3/swig/Makefile.am
+--- audit-2.1.3.orig/swig/Makefile.am 2011-08-15 12:31:03.000000000 -0500
++++ audit-2.1.3/swig/Makefile.am 2012-01-30 12:28:09.574834697 -0600
+@@ -23,7 +23,8 @@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
+ PYLIBVER ?= python$(PYTHON_VERSION)
+-INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I/usr/include/$(PYLIBVER)
++PYINC ?= /usr/include/$(PYLIBVER)
++INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I$(PYINC)
+ LIBS = $(top_builddir)/lib/libaudit.la
+ pyexec_PYTHON = audit.py
+ pyexec_LTLIBRARIES = _audit.la
diff --git a/meta-security/recipes-security/audit/audit/audit-volatile.conf b/meta-security/recipes-security/audit/audit/audit-volatile.conf
new file mode 100644
index 000000000..9cbe1547a
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/audit-volatile.conf
@@ -0,0 +1 @@
+d /var/log/audit 0750 root root -
diff --git a/meta-security/recipes-security/audit/audit/auditd b/meta-security/recipes-security/audit/audit/auditd
new file mode 100755
index 000000000..fcd96c9df
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/auditd
@@ -0,0 +1,153 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: auditd
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Audit Daemon
+# Description: Collects audit information from Linux 2.6 Kernels.
+### END INIT INFO
+
+# Author: Philipp Matthias Hahn <pmhahn@debian.org>
+# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
+
+# June, 2012: Adopted for yocto <amy.fong@windriver.com>
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="audit daemon"
+NAME=auditd
+DAEMON=/sbin/auditd
+PIDFILE=/var/run/"$NAME".pid
+SCRIPTNAME=/etc/init.d/"$NAME"
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
+
+. /etc/default/rcS
+
+. /etc/init.d/functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
+ || return 1
+ start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
+ $EXTRAOPTIONS \
+ || return 2
+ if [ -f /etc/audit/audit.rules ]
+ then
+ /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+ fi
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME"
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f "$PIDFILE"
+ rm -f /var/run/audit_events
+ # Remove watches so shutdown works cleanly
+ case "$AUDITD_CLEAN_STOP" in
+ no|NO) ;;
+ *) /sbin/auditctl -D >/dev/null ;;
+ esac
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+if [ ! -e /var/log/audit ]; then
+ mkdir -p /var/log/audit
+ [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit
+fi
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+ 2) [ "$VERBOSE" != no ] && echo 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+ 2) [ "$VERBOSE" != no ] && echo 1 ;;
+ esac
+ ;;
+ reload|force-reload)
+ echo "Reloading $DESC" "$NAME"
+ do_reload
+ echo $?
+ ;;
+ restart)
+ echo "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) echo 0 ;;
+ 1) echo 1 ;; # Old process is still running
+ *) echo 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ echo 1
+ ;;
+ esac
+ ;;
+ rotate)
+ echo "Rotating $DESC logs" "$NAME"
+ start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
+ echo $?
+ ;;
+ status)
+ pidofproc "$DAEMON" >/dev/null
+ status=$?
+ if [ $status -eq 0 ]; then
+ echo "$NAME is running."
+ else
+ echo "$NAME is not running."
+ fi
+ exit $status
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/meta-security/recipes-security/audit/audit/auditd.service b/meta-security/recipes-security/audit/audit/auditd.service
new file mode 100644
index 000000000..ebc079897
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/auditd.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Security Auditing Service
+DefaultDependencies=no
+After=local-fs.target
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+After=systemd-tmpfiles-setup.service
+
+[Service]
+ExecStart=/sbin/auditd -n
+## To use augenrules, copy this file to /etc/systemd/system/auditd.service
+## and uncomment the next line and delete/comment out the auditctl line.
+## Then copy existing rules to /etc/audit/rules.d/
+## Not doing this last step can cause loss of existing rules
+#ExecStartPost=-/sbin/augenrules --load
+ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/audit/audit/disable-ldap.patch b/meta-security/recipes-security/audit/audit/disable-ldap.patch
new file mode 100644
index 000000000..1d683c29e
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/disable-ldap.patch
@@ -0,0 +1,59 @@
+Disable LDAP support
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+
+Disable LDAP support
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+
+Index: audit-2.3.2/audisp/plugins/Makefile.am
+===================================================================
+--- audit-2.3.2.orig/audisp/plugins/Makefile.am
++++ audit-2.3.2/audisp/plugins/Makefile.am
+@@ -22,8 +22,10 @@
+
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+
+-SUBDIRS = builtins zos-remote remote
+-#SUBDIRS = builtins zos-remote
++SUBDIRS = builtins remote
++if HAVE_LDAP
++SUBDIRS += zos-remote
++endif
+ if HAVE_PRELUDE
+ SUBDIRS += prelude
+ endif
+Index: audit-2.3.2/configure.ac
+===================================================================
+--- audit-2.3.2.orig/configure.ac
++++ audit-2.3.2/configure.ac
+@@ -241,6 +241,12 @@ else
+ fi
+ AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes)
+
++AC_ARG_WITH(ldap,
++AS_HELP_STRING([--with-ldap],[enable zos-remote plugin, which requires ldap]),
++use_ldap=$withval,
++use_ldap=no)
++AM_CONDITIONAL(HAVE_LDAP, test x$have_ldap = xyes)
++
+ AC_MSG_CHECKING(whether to use libwrap)
+ AC_ARG_WITH(libwrap,
+ [ --with-libwrap[=PATH] Compile in libwrap (tcp_wrappers) support.],
+Index: audit-2.3.2/docs/Makefile.am
+===================================================================
+--- audit-2.3.2.orig/docs/Makefile.am
++++ audit-2.3.2/docs/Makefile.am
+@@ -53,7 +53,9 @@ ausearch_add_expression.3 ausearch_add_t
+ ausearch_clear.3 \
+ ausearch_next_event.3 ausearch_set_stop.3 \
+ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
+-audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \
+-augenrules.8 \
+-zos-remote.conf.5
++audispd.8 audispd.conf.5 libaudit.conf.5 \
++augenrules.8
+
++if HAVE_LDAP
++man_MANS += audispd-zos-remote.8 zos-remote.conf.5
++endif
diff --git a/meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch b/meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch
new file mode 100644
index 000000000..16bb173ad
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit/fix-swig-host-contamination.patch
@@ -0,0 +1,48 @@
+audit: Fixed swig host contamination issue
+
+The audit build uses swig to generate a python wrapper.
+Unfortunately, the swig info file references host include
+directories. Some of these were previously noticed and
+eliminated, but the one fixed here was not.
+
+Upstream Status: pending
+
+Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
+Signed-off-by: Joe Slater <jslater@windriver.com>
+
+Index: audit-2.2.1/swig/Makefile.am
+===================================================================
+--- audit-2.2.1.orig/swig/Makefile.am
++++ audit-2.2.1/swig/Makefile.am
+@@ -25,6 +25,7 @@ AM_CFLAGS = -fPIC -DPIC -fno-strict-alia
+ PYLIBVER ?= python$(PYTHON_VERSION)
+ PYINC ?= /usr/include/$(PYLIBVER)
+ INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I$(PYINC)
++STDINC ?= /usr/include
+ LIBS = $(top_builddir)/lib/libaudit.la
+ pyexec_PYTHON = audit.py
+ pyexec_LTLIBRARIES = _audit.la
+@@ -34,7 +35,7 @@ _audit_la_HEADERS: $(top_builddir)/confi
+ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudit.la
+ nodist__audit_la_SOURCES = audit_wrap.c
+ audit.py audit_wrap.c: ${srcdir}/auditswig.i
+- swig -o audit_wrap.c -python ${INCLUDES} ${srcdir}/auditswig.i
++ swig -o audit_wrap.c -python ${INCLUDES} -I$(STDINC) ${srcdir}/auditswig.i
+
+ CLEANFILES = audit.py* audit_wrap.c *~
+
+Index: audit-2.2.1/swig/auditswig.i
+===================================================================
+--- audit-2.2.1.orig/swig/auditswig.i
++++ audit-2.2.1/swig/auditswig.i
+@@ -37,8 +37,8 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
+-%include "/usr/include/linux/audit.h"
++%include "linux/audit.h"
+ #define __extension__ /*nothing*/
+-%include "/usr/include/stdint.h"
++%include "stdint.h"
+ %include "../lib/libaudit.h"
+
diff --git a/meta-security/recipes-security/audit/audit_2.3.2.bb b/meta-security/recipes-security/audit/audit_2.3.2.bb
new file mode 100644
index 000000000..1d7ea0f0a
--- /dev/null
+++ b/meta-security/recipes-security/audit/audit_2.3.2.bb
@@ -0,0 +1,102 @@
+SUMMARY = "User space tools for kernel auditing"
+DESCRIPTION = "The audit package contains the user space utilities for \
+storing and searching the audit records generated by the audit subsystem \
+in the Linux kernel."
+HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
+SECTION = "base"
+PR = "r8"
+LICENSE = "GPLv2+ & LGPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI = "http://people.redhat.com/sgrubb/audit/audit-${PV}.tar.gz \
+ file://disable-ldap.patch \
+ file://audit-python.patch \
+ file://audit-python-configure.patch \
+ file://audit-for-cross-compiling.patch \
+ file://auditd \
+ file://fix-swig-host-contamination.patch \
+ file://auditd.service \
+ file://audit-volatile.conf \
+"
+SRC_URI_append_arm = "file://add-system-call-table-for-ARM.patch"
+
+inherit autotools pythonnative update-rc.d systemd
+
+UPDATERCPN = "auditd"
+INITSCRIPT_NAME = "auditd"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_SERVICE_${PN} = "auditd.service"
+
+SRC_URI[md5sum] = "4e8d065b5cc16b77b9b61e93a9ed160e"
+SRC_URI[sha256sum] = "8872e0b5392888789061db8034164305ef0e1b34543e1e7004d275f039081d29"
+
+DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30)"
+
+EXTRA_OECONF += "--without-prelude \
+ --with-libwrap \
+ --enable-gssapi-krb5=no \
+ --without-ldap \
+ --with-libcap-ng=yes \
+ --with-python=yes \
+ --libdir=${base_libdir} \
+ --sbindir=${base_sbindir} \
+ "
+EXTRA_OECONF_append_arm = " --with-armeb=yes"
+
+EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
+ pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
+ STDINC='${STAGING_INCDIR}' \
+ "
+
+SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher"
+DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
+interface to the audit system, audispd. These plugins can do things \
+like relay events to remote machines or analyze events for suspicious \
+behavior."
+
+PACKAGES =+ "audispd-plugins"
+PACKAGES += "auditd ${PN}-python"
+
+FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
+FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"
+FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
+ ${sysconfdir}/audisp/plugins.d/au-remote.conf \
+ ${sbindir}/audisp-remote ${localstatedir}/spool/audit \
+ "
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+FILES_${PN}-dev += "${base_libdir}/*.so ${base_libdir}/*.la"
+
+CONFFILES_auditd += "${sysconfdir}/audit/audit.rules"
+RDEPENDS_auditd += "bash"
+
+do_install_append() {
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
+
+ # reuse auditd config
+ [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
+ mv ${D}/etc/sysconfig/auditd ${D}/etc/default
+ rmdir ${D}/etc/sysconfig/
+
+ # replace init.d
+ install -D -m 0755 ${S}/../auditd ${D}/etc/init.d/auditd
+ rm -rf ${D}/etc/rc.d
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d/
+ install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+ fi
+
+ # install systemd unit files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
+
+ chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
+ chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
+
+ # Based on the audit.spec "Copy default rules into place on new installation"
+ cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
+}
diff --git a/meta-security/recipes-security/cynara/cynara.inc b/meta-security/recipes-security/cynara/cynara.inc
new file mode 100644
index 000000000..0e823edcc
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara.inc
@@ -0,0 +1,158 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+DEPENDS = " \
+dbus \
+glib-2.0 \
+systemd \
+zip \
+"
+
+# For testing:
+# DEPENDS += "gmock"
+
+PACKAGECONFIG ??= ""
+# Use debug mode to increase logging. Beware, also compiles with less optimization
+# and thus has to disable FORTIFY_SOURCE below.
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE,libunwind elfutils"
+
+inherit cmake
+
+CXXFLAGS_append = " \
+-DCYNARA_STATE_PATH=\\\\\"${localstatedir}/cynara/\\\\\" \
+-DCYNARA_LIB_PATH=\\\\\"${prefix}/lib/cynara/\\\\\" \
+-DCYNARA_TESTS_DIR=\\\\\"${prefix}/share/cynara/tests/\\\\\" \
+-DCYNARA_CONFIGURATION_DIR=\\\\\"${sysconfdir}/cynara/\\\\\" \
+${@bb.utils.contains('PACKAGECONFIG', 'debug', '-Wp,-U_FORTIFY_SOURCE', '', d)} \
+"
+
+EXTRA_OECMAKE += " \
+-DCMAKE_VERBOSE_MAKEFILE=ON \
+-DBUILD_WITH_SYSTEMD=ON \
+-DSYSTEMD_UNIT_DIR=${systemd_unitdir}/system \
+-DSOCKET_DIR=/run/cynara \
+"
+
+# Explicitly package empty directory. Otherwise Cynara prints warnings
+# at runtime:
+# cyad[198]: Couldn't scan for plugins in </usr/lib/cynara/plugin/service/> : <No such file or directory>
+FILES_${PN}_append = " \
+${libdir}/cynara/plugin/service \
+${libdir}/cynara/plugin/client \
+"
+
+# Testing depends on gmock and gtest. They can be found in meta-oe
+# and are not necessarily available, so this feature is off by default.
+# If gmock from meta-oe is used, then a workaround is needed to avoid
+# a link error (libgmock.a calls pthread functions without libpthread
+# being listed in the .pc file).
+PACKAGECONFIG[tests] = "-DBUILD_TESTS:BOOL=ON,-DBUILD_TESTS:BOOL=OFF,gmock gtest,"
+SRC_URI_append = "${@bb.utils.contains('PACKAGECONFIG', 'tests', ' file://gmock-pthread-linking.patch file://run-ptest', '', d)}"
+
+# Will be empty if no tests were built.
+inherit ptest
+FILES_${PN}-ptest += "${bindir}/cynara-tests ${bindir}/cynara-db-migration-tests ${datadir}/cynara/tests"
+do_install_ptest () {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'tests', 'true', 'false', d)}; then
+ mkdir -p ${D}/${datadir}/cynara/tests
+ cp -r ${S}/test/db/* ${D}/${datadir}/cynara/tests
+ fi
+}
+
+do_compile_prepend () {
+ # en_US.UTF8 is not available, causing cynara-tests parser.getKeyAndValue to fail.
+ # Submitted upstream: https://github.com/Samsung/cynara/issues/10
+ sed -i -e 's/std::locale("en_US.UTF8")/std::locale::classic()/g' ${S}/test/credsCommons/parser/Parser.cpp
+}
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynara"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynara cynara \
+"
+
+# Causes deadlock during booting, see workaround in postinst below.
+#inherit systemd
+#SYSTEMD_SERVICE_${PN} = "cynara.service"
+
+do_install_append () {
+ chmod a+rx ${D}/${sbindir}/cynara-db-migration
+
+ install -d ${D}${sysconfdir}/cynara/
+ install -m 644 ${S}/conf/creds.conf ${D}/${sysconfdir}/cynara/creds.conf
+
+ # No need to create empty directories except for those which
+ # Cynara expects to find.
+ # install -d ${D}${localstatedir}/cynara/
+ # install -d ${D}${prefix}/share/cynara/tests/empty_db
+ install -d ${D}${libdir}/cynara/plugin/client
+ install -d ${D}${libdir}/cynara/plugin/service
+
+ # install db* ${D}${prefix}/share/cynara/tests/
+
+ install -d ${D}${systemd_unitdir}/system/sockets.target.wants
+ ln -s ../cynara.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara.socket
+ ln -s ../cynara-admin.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-admin.socket
+ ln -s ../cynara-agent.socket ${D}${systemd_unitdir}/system/sockets.target.wants/cynara-agent.socket
+}
+
+FILES_${PN} += "${systemd_unitdir}/system"
+
+# Cynara itself has no dependency on Smack. Only its installation
+# is Smack-aware in the sense that it sets Smack labels. Do not
+# depend on smack userspace unless we really need Smack labels.
+#
+# The Tizen .spec file calls cynara-db-migration in a %pre section.
+# That only works when cynara-db-migration is packaged separately
+# (overly complex) and does not seem necessary: perhaps there is a
+# time window where cynara might already get activated before
+# the postinst completes, but that is a general problem. It gets
+# avoided entirely when calling this script while building the
+# rootfs.
+RDEPENDS_${PN}_append_with-lsm-smack = " smack-userspace"
+DEPENDS_append_with-lsm-smack = " smack-userspace-native"
+CHSMACK_with-lsm-smack = "chsmack"
+CHSMACK = "true"
+pkg_postinst_${PN} () {
+ # Fail on error.
+ set -e
+
+ # It would be nice to run the code below while building an image,
+ # but currently the calls to cynara-db-chsgen (a binary) in
+ # cynara-db-migration (a script) prevent that. Rely instead
+ # on OE's support for running failed postinst scripts at first boot.
+ if [ x"$D" != "x" ]; then
+ exit 1
+ fi
+
+ mkdir -p $D${sysconfdir}/cynara
+ ${CHSMACK} -a System $D${sysconfdir}/cynara
+
+ # Strip git patch level information, the version comparison code
+ # in cynara-db-migration only expect major.minor.patch version numbers.
+ VERSION=${@bb.data.getVar('PV',d,1).split('+git')[0]}
+ if [ -d $D${localstatedir}/cynara ] ; then
+ # upgrade
+ echo "NOTE: updating cynara DB to version $VERSION"
+ $D${sbindir}/cynara-db-migration upgrade -f 0.0.0 -t $VERSION
+ else
+ # install
+ echo "NOTE: creating cynara DB for version $VERSION"
+ mkdir -p $D${localstatedir}/cynara
+ ${CHSMACK} -a System $D${localstatedir}/cynara
+ $D${sbindir}/cynara-db-migration install -t $VERSION
+ fi
+
+ # Workaround for systemd.bbclass issue: it would call
+ # "systemctl start" without "--no-block", but because
+ # the service is not ready to run at the time when
+ # this scripts gets executed by run-postinsts.service,
+ # booting deadlocks.
+ echo "NOTE: enabling and starting cynara service"
+ systemctl enable cynara
+ systemctl start --no-block cynara
+}
diff --git a/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
new file mode 100644
index 000000000..7ad94ed40
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/cmake-Improves-directories-and-libsystemd.patch
@@ -0,0 +1,119 @@
+From 9d1ba2f7c5d72436b17d0f3982a00380c72a58f8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 4 Jul 2016 13:54:59 +0200
+Subject: [PATCH] cmake: Improves directories and libsystemd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The previous implementation was not fully compliant with
+standards. It was missing some of the predefined variable
+DATAROOTDIR, it was missing specificity of
+CMAKE_INSTALL_FULL_SYSCONFDIR. It also was not compatible
+with yocto build system bitbake.
+
+The library systemd is changing. The previous previous
+pkg-config files 'libsystemd-daemon' and 'libsystemd-journal'
+are now deprecated in favour of 'libsystemd'.
+
+Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/16]
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ CMakeLists.txt | 46 ++++++++++++++++++++--------------------------
+ 1 file changed, 20 insertions(+), 26 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index b0ee75f..6a439e2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -43,66 +43,60 @@ ENDIF (NOT BUILD_COMMONS AND NOT BUILD_SERVICE AND NOT BUILD_DBUS)
+
+ ########################## search for packages ################################
+
+-#1st case. User choose to build with systemd.
+-IF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD)
+- PKG_CHECK_MODULES(SYSTEMD_DEP
+- REQUIRED
+- libsystemd-daemon
+- libsystemd-journal
+- )
+-ENDIF (DEFINED BUILD_WITH_SYSTEMD AND BUILD_WITH_SYSTEMD)
++#Search the new libsystemd package
++PKG_CHECK_MODULES(SYSTEMD_DEP QUIET libsystemd)
+
+-#2nd case. User choose not to build with systemd. Noting to do in this case.
+-#IF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD)
+-#ENDIF (DEFINED BUILD_WITH_SYSTEMD AND NOT BUILD_WITH_SYSTEMD)
+-
+-#3rd case. User did not choose. If we can we will use systemd.
+-IF (NOT DEFINED BUILD_WITH_SYSTEMD)
++#Fallback ot the oldest libsystemd packages
++IF(NOT SYSTEMD_DEP_FOUND)
+ PKG_CHECK_MODULES(SYSTEMD_DEP
+ QUIET
+ libsystemd-daemon
+ libsystemd-journal
+ )
+-
+- IF (SYSTEMD_DEP_FOUND)
+- SET(BUILD_WITH_SYSTEMD ON)
+- ENDIF (SYSTEMD_DEP_FOUND)
+-ENDIF (NOT DEFINED BUILD_WITH_SYSTEMD)
++ENDIF(NOT SYSTEMD_DEP_FOUND)
++
++#Enforce and check
++IF(SYSTEMD_DEP_FOUND)
++ #Enforce use of systemd if present
++ SET(BUILD_WITH_SYSTEMD ON)
++ELSEIF(BUILD_WITH_SYSTEMD)
++ MESSAGE(FATAL_ERROR "Can't find libsystemd")
++ENDIF()
+
+ ######################## directory configuration ############################
+
+ SET(LIB_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}"
++ "${CMAKE_INSTALL_FULL_LIBDIR}"
+ CACHE PATH
+ "Object code libraries directory")
+
+ SET(BIN_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}"
++ "${CMAKE_INSTALL_FULL_BINDIR}"
+ CACHE PATH
+ "User executables directory")
+
+ SET(SBIN_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SBINDIR}"
++ "${CMAKE_INSTALL_FULL_SBINDIR}"
+ CACHE PATH
+ "System admin executables directory")
+
+ SET(SYS_CONFIG_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_SYSCONFDIR}"
++ "${CMAKE_INSTALL_FULL_SYSCONFDIR}"
+ CACHE PATH
+ "Read-only single-machine data directory")
+
+ SET(INCLUDE_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_INCLUDEDIR}"
++ "${CMAKE_INSTALL_FULL_INCLUDEDIR}"
+ CACHE PATH
+ "Header files directory")
+
+ SET(LOCAL_STATE_DIR
+- "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LOCALSTATEDIR}"
++ "${CMAKE_INSTALL_FULL_LOCALSTATEDIR}"
+ CACHE PATH
+ "Modifiable single-machine data directory")
+
+ SET(DATA_ROOT_DIR
+- "${CMAKE_INSTALL_PREFIX}/share"
++ "${CMAKE_INSTALL_FULL_DATAROOTDIR}"
+ CACHE PATH
+ "Read-only architecture-independent data root directory")
+
+--
+2.5.5
+
diff --git a/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
new file mode 100644
index 000000000..cbf372ad9
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/cynara-db-migration-abort-on-errors.patch
@@ -0,0 +1,31 @@
+From 297774fa4d01156c0327d6e6380a7ecae30bf875 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Mon, 23 Mar 2015 15:01:39 -0700
+Subject: [PATCH 1/2] cynara-db-migration.in: abort on errors
+
+"set -e" enables error checking for all commands invoked by the script.
+Previously, errors were silently ignored.
+
+Upstream-status: Submitted [https://github.com/Samsung/cynara/pull/8]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ migration/cynara-db-migration | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/migration/cynara-db-migration.in b/migration/cynara-db-migration.in
+index ff9bd61..f6e7f94 100644
+--- a/migration/cynara-db-migration.in
++++ b/migration/cynara-db-migration.in
+@@ -19,6 +19,8 @@
+ # @brief Migration tool for Cynara's database
+ #
+
++set -e
++
+ ##### Constants (these must not be modified by shell)
+
+ STATE_PATH='@LOCAL_STATE_DIR@/@PROJECT_NAME@'
+--
+1.8.4.5
+
diff --git a/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
new file mode 100644
index 000000000..1a204eb14
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/gmock-pthread-linking.patch
@@ -0,0 +1,31 @@
+From 80cc04091410d6a322fee1a2922fdf867395f00a Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Fri, 29 May 2015 10:21:57 +0200
+Subject: [PATCH] work around gmock pthread dependency
+
+In meta-oe, gmock's .pc file does not declare that users of
+gmock must link against pthread. Let's work around that
+here by always linking tests against libpthread.
+
+Upstream-status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ test/CMakeLists.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 25a70db..f490a24 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -138,6 +138,7 @@ ADD_EXECUTABLE(${TARGET_CYNARA_TESTS}
+ TARGET_LINK_LIBRARIES(${TARGET_CYNARA_TESTS}
+ ${PKGS_LDFLAGS}
+ ${PKGS_LIBRARIES}
++ pthread
+ crypt
+ )
+ INSTALL(TARGETS ${TARGET_CYNARA_TESTS} DESTINATION ${BIN_INSTALL_DIR})
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/cynara/cynara/run-ptest b/meta-security/recipes-security/cynara/cynara/run-ptest
new file mode 100755
index 000000000..f8dd5d8b4
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara/run-ptest
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cynara-tests | sed -e 's/^\[ *OK *\] \(\S*\)$/PASS: \1/' -e 's/^\[ *FAILED *\] \(\S*\)$/FAIL: \1/'
+sh /usr/bin/cynara-db-migration-tests | sed -e 's/^Test .*(\([^)]*\)).*passed.*/PASS: \1/' -e 's/^Test .*(\([^)]*\)).*failed.*/FAIL: \1/'
diff --git a/meta-security/recipes-security/cynara/cynara_git.bb b/meta-security/recipes-security/cynara/cynara_git.bb
new file mode 100644
index 000000000..6e387d41e
--- /dev/null
+++ b/meta-security/recipes-security/cynara/cynara_git.bb
@@ -0,0 +1,11 @@
+require cynara.inc
+
+PV = "0.11.0+git${SRCPV}"
+SRCREV = "973765e329f8a84c1549cb2b0c65ccb1cce3c2d3"
+SRC_URI = "git://github.com/Samsung/cynara.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+file://cynara-db-migration-abort-on-errors.patch \
+file://cmake-Improves-directories-and-libsystemd.patch \
+"
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch
new file mode 100644
index 000000000..a049fd23f
--- /dev/null
+++ b/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch
@@ -0,0 +1,19 @@
+Index: keyutils-1.5.5/Makefile
+===================================================================
+--- keyutils-1.5.5.orig/Makefile 2011-12-20 11:05:10.000000000 +0200
++++ keyutils-1.5.5/Makefile 2011-12-20 11:06:27.000000000 +0200
+@@ -58,12 +58,12 @@
+ LNS := ln -sf
+
+ ifeq ($(BUILDFOR),32-bit)
+-CFLAGS += -m32
++#CFLAGS += -m32
+ LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+-CFLAGS += -m64
++#CFLAGS += -m64
+ LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ endif
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch
new file mode 100644
index 000000000..adf064304
--- /dev/null
+++ b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch
@@ -0,0 +1,30 @@
+Index: keyutils-1.5.5/Makefile
+===================================================================
+--- keyutils-1.5.5.orig/Makefile 2011-11-30 17:27:43.000000000 +0200
++++ keyutils-1.5.5/Makefile 2011-12-21 16:05:53.000000000 +0200
+@@ -59,13 +59,13 @@
+
+ ifeq ($(BUILDFOR),32-bit)
+ CFLAGS += -m32
+-LIBDIR := /lib
++LIBDIR := /usr/lib
+ USRLIBDIR := /usr/lib
+ else
+ ifeq ($(BUILDFOR),64-bit)
+ CFLAGS += -m64
+-LIBDIR := /lib64
+-USRLIBDIR := /usr/lib64
++LIBDIR := /usr/lib
++USRLIBDIR := /usr/lib
+ endif
+ endif
+
+@@ -152,7 +152,7 @@
+ $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
+ $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
+ mkdir -p $(DESTDIR)$(USRLIBDIR)
+- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
++ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
+ $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
+ $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
+ $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
new file mode 100644
index 000000000..8dd224505
--- /dev/null
+++ b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
@@ -0,0 +1,13 @@
+Index: git/Makefile
+===================================================================
+--- git.orig/Makefile 2012-11-16 15:40:05.258723425 +0200
++++ git/Makefile 2012-11-16 15:41:08.978725491 +0200
+@@ -53,7 +53,7 @@
+ ###############################################################################
+ LIBDIR := $(shell ldd /usr/bin/make | grep '\(/libc\)' | sed -e 's!.*\(/.*\)/libc[.].*!\1!')
+ USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
+-BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
++BUILDFOR := 64-bit
+
+ LNS := ln -sf
+
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch
new file mode 100644
index 000000000..573c429b8
--- /dev/null
+++ b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch
@@ -0,0 +1,13 @@
+Index: git/Makefile
+===================================================================
+--- git.orig/Makefile 2012-11-16 15:40:05.258723425 +0200
++++ git/Makefile 2012-11-16 15:41:08.978725491 +0200
+@@ -53,7 +53,7 @@
+ ###############################################################################
+ LIBDIR := $(shell ldd /usr/bin/make | grep '\(/libc\)' | sed -e 's!.*\(/.*\)/libc[.].*!\1!')
+ USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
+-BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
++BUILDFOR := 32-bit
+
+ LNS := ln -sf
+
diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb b/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb
new file mode 100644
index 000000000..46b2b622a
--- /dev/null
+++ b/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb
@@ -0,0 +1,44 @@
+SUMMARY = "Linux Key Management Utilities"
+DESCRIPTION = "Keyutils is a set of utilities for managing the key retention \
+facility in the kernel, which can be used by filesystems, block devices and \
+more to gain and retain the authorization and encryption keys required to \
+perform secure operations."
+SECTION = "base"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45"
+
+PR = "r1"
+
+SRCREV = "dd64114721edca5808872190e7e2e927ee2e994c"
+
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git;protocol=git \
+ file://keyutils_fix_library_install.patch \
+ "
+SRC_URI_append_arm = " file://keyutils-arm-remove-m32-m64.patch"
+SRC_URI_append_x86 = " file://keyutils_fix_x86_cflags.patch"
+SRC_URI_append_x86-64 = " file://keyutils_fix_x86-64_cflags.patch"
+
+S = "${WORKDIR}/git"
+
+INSTALL_FLAGS = " \
+BINDIR=${bindir} \
+SBINDIR=${sbindir} \
+INCLUDEDIR=${includedir} \
+ETCDIR=${sysconfdir} \
+LIBDIR=${libdir} \
+USRLIBDIR=${libdir} \
+SHAREDIR=${datadir} \
+MAN1=${mandir}/man1 \
+MAN3=${mandir}/man3 \
+MAN5=${mandir}/man5 \
+MAN8=${mandir}/man8 \
+DESTDIR=${D}"
+
+do_install() {
+ cd ${S} && oe_runmake ${INSTALL_FLAGS} install
+
+ # Debugging script of unknown value, not packaged.
+ rm -f "${D}${datadir}/request-key-debug.sh"
+}
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
new file mode 100644
index 000000000..d7a868d2c
--- /dev/null
+++ b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch
@@ -0,0 +1,79 @@
+Upstream-Status: Pending
+
+diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
+index 7683119..a070c1e 100644
+--- a/docs/capng_lock.3
++++ b/docs/capng_lock.3
+@@ -8,12 +8,13 @@ int capng_lock(void);
+
+ .SH "DESCRIPTION"
+
+-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
++capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel.
+
++This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error.
+
+ .SH "RETURN VALUE"
+
+-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
++This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
+
+ .SH "SEE ALSO"
+
+diff --git a/src/cap-ng.c b/src/cap-ng.c
+index bd105ba..422f2bc 100644
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -45,6 +45,7 @@
+ * 2.6.24 kernel XATTR_NAME_CAPS
+ * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2
+ * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
++ * 3.5 kernel PR_SET_NO_NEW_PRIVS
+ */
+
+ /* External syscall prototypes */
+@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
+ #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
+ #endif
+
++/* prctl values that we use */
++#ifndef PR_SET_SECUREBITS
++#define PR_SET_SECUREBITS 28
++#endif
++#ifndef PR_SET_NO_NEW_PRIVS
++#define PR_SET_NO_NEW_PRIVS 38
++#endif
++
+ // States: new, allocated, initted, updated, applied
+ typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
+ CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
+@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
+
+ int capng_lock(void)
+ {
+-#ifdef PR_SET_SECUREBITS
+- int rc = prctl(PR_SET_SECUREBITS,
+- 1 << SECURE_NOROOT |
+- 1 << SECURE_NOROOT_LOCKED |
+- 1 << SECURE_NO_SETUID_FIXUP |
+- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
++ int rc;
++
++ // On Linux 3.5 and up, we can directly prevent ourselves and
++ // our descendents from gaining privileges.
++ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
++ return 0;
++
++ // This kernel is too old or otherwise doesn't support
++ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits.
++ rc = prctl(PR_SET_SECUREBITS,
++ 1 << SECURE_NOROOT |
++ 1 << SECURE_NOROOT_LOCKED |
++ 1 << SECURE_NO_SETUID_FIXUP |
++ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+ if (rc)
+ return -1;
+-#endif
+
+ return 0;
+ }
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
new file mode 100644
index 000000000..d82ceb454
--- /dev/null
+++ b/meta-security/recipes-security/libcap-ng/libcap-ng/python.patch
@@ -0,0 +1,39 @@
+configure.ac - Avoid an incorrect check for python.
+Makefile.am - avoid hard coded host include paths.
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+
+--- libcap-ng-0.6.5/configure.ac.orig 2012-01-17 13:59:03.645898989 -0600
++++ libcap-ng-0.6.5/configure.ac 2012-01-17 13:59:46.353959252 -0600
+@@ -120,17 +120,8 @@
+ else
+ AC_MSG_RESULT(testing)
+ AM_PATH_PYTHON
+-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
+- python_found="yes"
+- AC_MSG_NOTICE(Python bindings will be built)
+-else
+- python_found="no"
+- if test x$use_python = xyes ; then
+- AC_MSG_ERROR([Python explicitly required and python headers found])
+- else
+- AC_MSG_WARN("Python headers not found - python bindings will not be made")
+- fi
+-fi
++python_found="yes"
++AC_MSG_NOTICE(Python bindings will be built)
+ fi
+ AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
+
+--- libcap-ng-0.6.5/bindings/python/Makefile.am.orig 2010-11-03 12:31:59.000000000 -0500
++++ libcap-ng-0.6.5/bindings/python/Makefile.am 2012-01-17 14:05:50.199834467 -0600
+@@ -24,7 +24,8 @@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ AM_CFLAGS = -fPIC -DPIC
+ PYLIBVER ?= python$(PYTHON_VERSION)
+-INCLUDES = -I. -I$(top_builddir) -I/usr/include/$(PYLIBVER)
++PYINC ?= /usr/include/$(PYLIBVER)
++INCLUDES = -I. -I$(top_builddir) -I$(PYINC)
+ LIBS = $(top_builddir)/src/libcap-ng.la
+ pyexec_PYTHON = capng.py
+ pyexec_LTLIBRARIES = _capng.la
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
new file mode 100644
index 000000000..e729518e9
--- /dev/null
+++ b/meta-security/recipes-security/libcap-ng/libcap-ng_0.7.3.bb
@@ -0,0 +1,39 @@
+SUMMARY = "An alternate posix capabilities library"
+DESCRIPTION = "The libcap-ng library is intended to make programming \
+with POSIX capabilities much easier than the traditional libcap library."
+HOMEPAGE = "http://freecode.com/projects/libcap-ng"
+SECTION = "base"
+LICENSE = "GPLv2+ & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
+ file://COPYING.LIB;md5=e3eda01d9815f8d24aae2dbd89b68b06"
+
+SRC_URI = "http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-${PV}.tar.gz \
+ file://python.patch \
+ file://CVE-2014-3215.patch \
+ "
+
+inherit lib_package autotools pythonnative
+
+SRC_URI[md5sum] = "610afb774f80a8032b711281df126283"
+SRC_URI[sha256sum] = "5ca441c8d3a1e4cfe8a8151907977662679457311ccaa7eaac91447c33a35bb1"
+
+DEPENDS += "swig-native python"
+
+EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' PYINC='${STAGING_INCDIR}/${PYLIBVER}'"
+
+PACKAGES += "${PN}-python"
+
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+
+BBCLASSEXTEND = "native"
+
+do_install_append() {
+ # Moving libcap-ng to base_libdir
+ if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
+ mkdir -p ${D}/${base_libdir}/
+ mv -f ${D}${libdir}/libcap-ng.so.* ${D}${base_libdir}/
+ relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
+ ln -sf ${relpath}/libcap-ng.so.0.0.0 ${D}${libdir}/libcap-ng.so
+ fi
+}
diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc
new file mode 100644
index 000000000..ee749a8fb
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager.inc
@@ -0,0 +1,98 @@
+DESCRIPTION = "Security manager and utilities"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+inherit cmake
+
+# Out-of-tree build is broken ("sqlite3 .security-manager.db <db.sql" where db.sql is in $S/db).
+B = "${S}"
+
+DEPENDS = " \
+attr \
+boost \
+cynara \
+icu \
+libcap \
+smack \
+sqlite3 \
+sqlite3-native \
+systemd \
+"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE"
+
+TZ_SYS_DB = "/var/db/security-manager"
+
+EXTRA_OECMAKE = " \
+-DCMAKE_VERBOSE_MAKEFILE=ON \
+-DVERSION=${PV} \
+-DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \
+-DBIN_INSTALL_DIR=${bindir} \
+-DDB_INSTALL_DIR=${TZ_SYS_DB} \
+-DLIB_INSTALL_DIR=${libdir} \
+-DSHARE_INSTALL_PREFIX=${datadir} \
+-DINCLUDE_INSTALL_DIR=${includedir} \
+"
+
+inherit systemd
+SYSTEMD_SERVICE_${PN} = "security-manager.service"
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES += "smack"
+
+# The upstream source code contains the Tizen-specific policy configuration files.
+# To replace them, create a security-manager.bbappend and set the following variable to a
+# space-separated list of policy file names (not URIs!), for example:
+# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile"
+#
+# Leave it empty to use the upstream Tizen policy.
+SECURITY_MANAGER_POLICY ?= ""
+SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}"
+python do_patch_append () {
+ import os
+ import shutil
+ import glob
+ files = d.getVar('SECURITY_MANAGER_POLICY', True).split()
+ if files:
+ s = d.getVar('S', True)
+ workdir = d.getVar('WORKDIR', True)
+ for pattern in ['*.profile', '*.list']:
+ for old_file in glob.glob(s + '/policy/' + pattern):
+ os.unlink(old_file)
+ for file in files:
+ shutil.copy(file, s + '/policy')
+}
+
+do_install_append () {
+ install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants
+ ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service
+ install -d ${D}/${systemd_unitdir}/system/sockets.target.wants
+ ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket
+}
+
+RDEPENDS_${PN} += "smack"
+pkg_postinst_${PN} () {
+ set -e
+ chsmack -a System $D${TZ_SYS_DB}/.security-manager.db
+ chsmack -a System $D${TZ_SYS_DB}/.security-manager.db-journal
+}
+
+FILES_${PN} += " \
+${systemd_unitdir} \
+${TZ_SYS_DB} \
+"
+
+PACKAGES =+ "${PN}-policy"
+FILES_${PN}-policy = " \
+ ${datadir}/${PN} \
+ ${bindir}/security-manager-policy-reload \
+"
+RDEPENDS_${PN}-policy += "sqlite3 cynara"
+pkg_postinst_${PN}-policy () {
+ if [ x"$D" = "x" ] && ${bindir}/security-manager-policy-reload; then
+ exit 0
+ else
+ exit 1
+ fi
+}
diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
new file mode 100644
index 000000000..b0e11afe4
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
@@ -0,0 +1,116 @@
+From d130a7384428a96f31ad5950ffbffadc0aa29a15 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:01:35 -0600
+Subject: [PATCH 1/2] Smack-rules: create two new functions
+
+It let to smack-rules to create multiple set of rules
+related with the privileges.
+
+It runs from the same bases than for a static set of rules on the
+template, but let you add 1 or many templates for different cases.
+
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/include/smack-rules.h | 15 ++++++++++++++
+ src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
+index 91446a7..f9fa438 100644
+--- a/src/common/include/smack-rules.h
++++ b/src/common/include/smack-rules.h
+@@ -47,6 +47,8 @@ public:
+ void addFromTemplate(const std::vector<std::string> &templateRules,
+ const std::string &appId, const std::string &pkgId);
+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
++ const std::string &path);
+
+ void apply() const;
+ void clear() const;
+@@ -75,6 +77,19 @@ public:
+ static void installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents);
+ /**
++ * Install privileges-specific smack rules.
++ *
++ * Function creates smack rules using predefined template. Rules are applied
++ * to the kernel and saved on persistent storage so they are loaded on system boot.
++ *
++ * @param[in] appId - application id that is beeing installed
++ * @param[in] pkgId - package id that the application is in
++ * @param[in] pkgContents - a list of all applications in the package
++ * @param[in] privileges - a list of all prvileges
++ */
++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
++ /**
+ * Uninstall package-specific smack rules.
+ *
+ * Function loads package-specific smack rules, revokes them from the kernel
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 3629e0f..d834e42 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
+ }
+ }
+
++void SmackRules::addFromTemplateFile(const std::string &appId,
++ const std::string &pkgId, const std::string &path)
++{
++ std::vector<std::string> templateRules;
++ std::string line;
++ std::ifstream templateRulesFile(path);
++
++ if (!templateRulesFile.is_open()) {
++ LogError("Cannot open rules template file: " << path);
++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
++ }
++
++ while (std::getline(templateRulesFile, line)) {
++ templateRules.push_back(line);
++ }
++
++ if (templateRulesFile.bad()) {
++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ }
++
++ addFromTemplate(templateRules, appId, pkgId);
++}
+
+ void SmackRules::addFromTemplateFile(const std::string &appId,
+ const std::string &pkgId)
+@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+ return path;
+ }
++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
++{
++ SmackRules smackRules;
++ std::string appPath = getApplicationRulesFilePath(appId);
++ smackRules.loadFromFile(appPath);
++ struct stat buffer;
++ for (auto privilege : privileges) {
++ if (privilege.empty())
++ continue;
++ std::string fprivilege ( privilege + "-template.smack");
++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ if( stat(path.c_str(), &buffer) == 0)
++ smackRules.addFromTemplateFile(appId, pkgId, path);
++ }
++
++ if (smack_smackfs_path() != NULL)
++ smackRules.apply();
+
++ smackRules.saveToFile(appPath);
++ updatePackageRules(pkgId, pkgContents);
++}
+ void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents)
+ {
+--
+2.1.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch b/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch
new file mode 100644
index 000000000..d60096a15
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch
@@ -0,0 +1,34 @@
+From 19688cbe2ca10921a499f3fa265928dca54cf98d Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:06:23 -0600
+Subject: [PATCH 2/2] app-install: implement multiple set of smack-rules
+
+If it's need it could create load multiple set of smack rules
+related with the privileges.
+It wouldn't affect the case that only the default set of rules is need it.
+
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/service_impl.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index 7fd621c..ae305d3 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
+ << req.pkgId << ". Applications in package: " << pkgContents.size());
+ SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
++ /*Setup for privileges custom rules*/
++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
++ << req.pkgId << ". Applications in package: " << pkgContents.size()
++ << " and Privileges");
++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
++ pkgContents,req.privileges);
+ } catch (const SmackException::Base &e) {
+ LogError("Error while applying Smack policy for application: " << e.DumpToString());
+ return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
+--
+2.1.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch
new file mode 100644
index 000000000..4baea6572
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch
@@ -0,0 +1,196 @@
+From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 14:26:25 +0100
+Subject: [PATCH] Removing tizen-platform-config
+
+Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
+---
+ policy/security-manager-policy-reload | 2 +-
+ src/common/file-lock.cpp | 4 +---
+ src/common/include/file-lock.h | 1 -
+ src/common/include/privilege_db.h | 3 +--
+ src/common/service_impl.cpp | 39 +++++++++++------------------------
+ src/common/smack-rules.cpp | 12 ++++-------
+ 6 files changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 6f211c6..ed8047a 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -2,7 +2,7 @@
+
+ POLICY_PATH=/usr/share/security-manager/policy
+ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
++DB_FILE=/usr/dbspace/.security-manager.db
+
+ # Create default buckets
+ while read bucket default_policy
+diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
+index 6f3996c..1dada17 100644
+--- a/src/common/file-lock.cpp
++++ b/src/common/file-lock.cpp
+@@ -30,9 +30,7 @@
+
+ namespace SecurityManager {
+
+-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
+- "lock",
+- "security-manager.lock");
++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock";
+
+ FileLocker::FileLocker(const std::string &lockFile, bool blocking)
+ {
+diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
+index 604b019..21a86a0 100644
+--- a/src/common/include/file-lock.h
++++ b/src/common/include/file-lock.h
+@@ -29,7 +29,6 @@
+
+ #include <dpl/exception.h>
+ #include <dpl/noncopyable.h>
+-#include <tzplatform_config.h>
+
+ namespace SecurityManager {
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..03c6680 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -34,14 +34,13 @@
+ #include <string>
+
+ #include <dpl/db/sql_connection.h>
+-#include <tzplatform_config.h>
+
+ #ifndef PRIVILEGE_DB_H_
+ #define PRIVILEGE_DB_H_
+
+ namespace SecurityManager {
+
+-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
++const char *const PRIVILEGE_DB_PATH = "/usr/dbspace/.security-manager.db";
+
+ enum class QueryType {
+ EGetPkgPrivileges,
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index ae305d3..65cc8b5 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -32,7 +32,6 @@
+ #include <algorithm>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "protocols.h"
+ #include "privilege_db.h"
+@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
+
+ static uid_t getGlobalUserId(void)
+ {
+- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++ static uid_t globaluid = 0;
++ if (!globaluid) {
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p);
++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
++ }
+ return globaluid;
+ }
+
+@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
+
+ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
+ {
+- struct tzplatform_context *tz_ctx = nullptr;
+-
+- if (tzplatform_context_create(&tz_ctx))
+- return false;
+-
+- if (tzplatform_context_set_user(tz_ctx, uid)) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
++ if (rc || p == NULL)
+ return false;
+- }
+-
+- enum tzplatform_variable id =
+- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
+- const char *appDir = tzplatform_context_getenv(tz_ctx, id);
+- if (!appDir) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+- return false;
+- }
+-
+- userAppDir = appDir;
+-
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+-
++ userAppDir = p->pw_dir;
+ return true;
+ }
+
+ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
+ {
+- std::string userHome;
+ std::string userAppDir;
+ std::stringstream correctPath;
+
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index d834e42..8b5728b 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -34,7 +34,6 @@
+ #include <memory>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "smack-labels.h"
+ #include "smack-rules.h"
+@@ -43,7 +42,7 @@ namespace SecurityManager {
+
+ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
+ const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
+-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack";
+ const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
+
+ SmackRules::SmackRules()
+@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
+
+ std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/pkg_" + pkgId;
+ }
+
+ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/app_" + appId;
+ }
+ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
+ for (auto privilege : privileges) {
+ if (privilege.empty())
+ continue;
+- std::string fprivilege ( privilege + "-template.smack");
+- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack";
+ if( stat(path.c_str(), &buffer) == 0)
+ smackRules.addFromTemplateFile(appId, pkgId, path);
+ }
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch b/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch
new file mode 100644
index 000000000..c312a9e72
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch
@@ -0,0 +1,32 @@
+From 6abeec29a0e704f4bf7084b29275b99fea0a78de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Wed, 13 Jan 2016 17:30:06 +0100
+Subject: [PATCH 2/2] c++11: replace depracated auto_ptr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/]
+
+Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/dpl/core/include/dpl/binary_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h
+index dd03f5e..185b6c7 100644
+--- a/src/dpl/core/include/dpl/binary_queue.h
++++ b/src/dpl/core/include/dpl/binary_queue.h
+@@ -33,7 +33,7 @@ namespace SecurityManager {
+ * Binary queue auto pointer
+ */
+ class BinaryQueue;
+-typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr;
++typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr;
+
+ /**
+ * Binary stream implemented as constant size bucket list
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch b/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch
new file mode 100644
index 000000000..33fbc025e
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch
@@ -0,0 +1,24 @@
+From: José Bollo <jose.bollo@iot.bzh>
+Date: Tue, 30 Oct 2015 14:32:03 -0100
+Subject: [PATCH] include linux xattr
+
+adds a #include <linux/xattr.h> in source.
+
+---
+ src/client/client-security-manager.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
+index 74a6b30..641790b 100644
+--- a/src/client/client-security-manager.cpp
++++ b/src/client/client-security-manager.cpp
+@@ -34,6 +34,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/xattr.h>
++#include <linux/xattr.h>
+ #include <sys/smack.h>
+ #include <sys/capability.h>
+
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch b/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch
new file mode 100644
index 000000000..a948343f8
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch
@@ -0,0 +1,32 @@
+From: José Bollo <jose.bollo@iot.bzh>
+Date: Tue, 30 Oct 2015 14:32:03 -0100
+Subject: [PATCH] libcap without pkgconfig
+
+Handles libcap that isn't distributed for pkg-config
+
+---
+ src/client/CMakeLists.txt | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt
+index 5399a55..0250ce2 100644
+--- a/src/client/CMakeLists.txt
++++ b/src/client/CMakeLists.txt
+@@ -1,7 +1,6 @@
+ PKG_CHECK_MODULES(CLIENT_DEP
+ REQUIRED
+ libsmack
+- libcap
+ )
+
+ SET(CLIENT_VERSION_MAJOR 1)
+@@ -37,6 +36,7 @@ SET_TARGET_PROPERTIES(${TARGET_CLIENT}
+ TARGET_LINK_LIBRARIES(${TARGET_CLIENT}
+ ${TARGET_COMMON}
+ ${CLIENT_DEP_LIBRARIES}
++ cap
+ )
+
+ INSTALL(TARGETS ${TARGET_CLIENT} DESTINATION ${LIB_INSTALL_DIR})
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch b/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch
new file mode 100644
index 000000000..f94973074
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch
@@ -0,0 +1,78 @@
+From 1e2f8f58d4320afa1d83a6f94822e53346108ee8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 15:56:27 +0100
+Subject: [PATCH] removes dependency to libslp-db-utils
+
+Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
+---
+ src/common/CMakeLists.txt | 1 ++-
+ src/dpl/db/src/sql_connection.cpp | 17 +----------------
+ 2 files changed, 3 additions(+), 17 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 968c7c1..d1fe644 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+ libsystemd
+ libsmack
+- db-util
++ sqlite3
++ icu-i18n
+ cynara-admin
+ cynara-client
+ )
+diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
+index fdb4fe4..1fb97be 100644
+--- a/src/dpl/db/src/sql_connection.cpp
++++ b/src/dpl/db/src/sql_connection.cpp
+@@ -26,7 +26,6 @@
+ #include <memory>
+ #include <dpl/noncopyable.h>
+ #include <dpl/assert.h>
+-#include <db-util.h>
+ #include <unistd.h>
+ #include <cstdio>
+ #include <cstdarg>
+@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address,
+
+ // Connect to database
+ int result;
+- if (type & Flag::UseLucene) {
+- result = db_util_open_with_options(
+- address.c_str(),
+- &m_connection,
+- flag,
+- NULL);
+-
+- m_usingLucene = true;
+- LogPedantic("Lucene index enabled");
+- } else {
++ (void)type;
+ result = sqlite3_open_v2(
+ address.c_str(),
+ &m_connection,
+@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address,
+
+ m_usingLucene = false;
+ LogPedantic("Lucene index disabled");
+- }
+
+ if (result == SQLITE_OK) {
+ LogPedantic("Connected to DB");
+@@ -653,11 +642,7 @@ void SqlConnection::Disconnect()
+
+ int result;
+
+- if (m_usingLucene) {
+- result = db_util_close(m_connection);
+- } else {
+ result = sqlite3_close(m_connection);
+- }
+
+ if (result != SQLITE_OK) {
+ const char *error = sqlite3_errmsg(m_connection);
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch
new file mode 100644
index 000000000..ac57964ca
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch
@@ -0,0 +1,35 @@
+From d2995014142306987bf86b4d508a84b9b4683c5c Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 19 Aug 2015 15:02:32 +0200
+Subject: [PATCH 2/2] security-manager-policy-reload: do not depend on GNU sed
+
+\U (= make replacement uppercase) is a GNU sed extension which is not
+supported by other sed implementation's (like the one from
+busybox). When using busybox, the bucket for user profiles became
+USER_TYPE_Uadmin instead USER_TYPE_ADMIN.
+
+To make SecurityManager more portable, better use tr to turn the
+bucket name into uppercase.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+
+---
+ policy/security-manager-policy-reload | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 274c49c..6f211c6 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -33,7 +33,7 @@ END
+ find "$POLICY_PATH" -name "usertype-*.profile" |
+ while read file
+ do
+- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`"
+
+ # Re-create the bucket with empty contents
+ cyad --delete-bucket=$bucket || true
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch b/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch
new file mode 100644
index 000000000..fa4c21c7f
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch
@@ -0,0 +1,47 @@
+From 75c4852e47217ab85d6840b488ab4b3688091856 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 8 Jan 2016 16:53:46 +0100
+Subject: [PATCH 1/2] socket-manager: removes tizen specific call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function 'smack_fgetlabel' is specific to Tizen
+and is no more maintained upstream.
+
+Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/]
+
+Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/server/main/socket-manager.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
+index 0366186..c5cec18 100644
+--- a/src/server/main/socket-manager.cpp
++++ b/src/server/main/socket-manager.cpp
+@@ -30,6 +30,7 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/smack.h>
++#include <linux/xattr.h>
+ #include <sys/un.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+@@ -500,9 +501,9 @@ int SocketManager::CreateDomainSocketHelp(
+ if (smack_check()) {
+ LogInfo("Set up smack label: " << desc.smackLabel);
+
+- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
+- LogError("Error in smack_fsetlabel");
+- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) {
++ LogError("Error in smack_set_label_for_file");
++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file");
+ }
+ } else {
+ LogInfo("No smack on platform. Socket won't be securied with smack label!");
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch b/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch
new file mode 100644
index 000000000..cd5c36a6a
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch
@@ -0,0 +1,47 @@
+From 8ec024d2adecb53029c6f1af2b95c93dfd43a7cb Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Tue, 24 Mar 2015 04:54:03 -0700
+Subject: [PATCH] systemd: stop using compat libs
+
+libsystemd-journal and libsystemd-daemon are considered obsolete
+in systemd since 2.09 and may not be available (not compiled
+by default).
+
+The code works fine with the current libsystemd, so just
+use that.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+
+---
+ src/common/CMakeLists.txt | 2 +-
+ src/server/CMakeLists.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 2da9c3e..968c7c1 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2)
+
+ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+- libsystemd-journal
++ libsystemd
+ libsmack
+ db-util
+ cynara-admin
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 753eb96..6849d76 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -1,6 +1,6 @@
+ PKG_CHECK_MODULES(SERVER_DEP
+ REQUIRED
+- libsystemd-daemon
++ libsystemd
+ )
+
+ FIND_PACKAGE(Boost REQUIRED)
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb
new file mode 100644
index 000000000..65134d31a
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager_git.bb
@@ -0,0 +1,34 @@
+require security-manager.inc
+
+PV = "1.0.2+git${SRCPV}"
+SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6"
+SRC_URI += "git://github.com/Samsung/security-manager.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+file://systemd-stop-using-compat-libs.patch \
+file://security-manager-policy-reload-do-not-depend-on-GNU-.patch \
+file://0001-Smack-rules-create-two-new-functions.patch \
+file://0002-app-install-implement-multiple-set-of-smack-rules.patch \
+file://c-11-replace-depracated-auto_ptr.patch \
+file://socket-manager-removes-tizen-specific-call.patch \
+file://Removing-tizen-platform-config.patch \
+file://removes-dependency-to-libslp-db-utils.patch \
+"
+
+##########################################
+# This are patches for backward compatibility to the version dizzy of poky.
+# The dizzy version of libcap isn't providing a packconfig file.
+# This is solved by the patch libcap-without-pkgconfig.patch.
+# But after solving that issue, it appears that linux/xattr.h should
+# also be include add definitions of XATTR_NAME_SMACK... values.
+# Unfortunately, there is no explanation why linux/xattr.h should
+# also be included (patch include-linux-xattr.patch)
+##########################################
+do_patch[depends] = "libcap:do_populate_sysroot"
+APPLY = "${@str('no' if os.path.exists('${STAGING_LIBDIR}/pkgconfig/libcap.pc') else 'yes')}"
+SRC_URI += "\
+ file://libcap-without-pkgconfig.patch;apply=${APPLY} \
+ file://include-linux-xattr.patch;apply=${APPLY} \
+"
+
diff --git a/meta-security/recipes-security/smack/smack-userspace_git.bb b/meta-security/recipes-security/smack/smack-userspace_git.bb
new file mode 100644
index 000000000..aa6d5fa6f
--- /dev/null
+++ b/meta-security/recipes-security/smack/smack-userspace_git.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "Selection of tools for developers working with Smack"
+HOMEPAGE = "https://github.com/smack-team/smack"
+SECTION = "Security/Access Control"
+LICENSE = "LGPL-2.1"
+
+# Alias needed to satisfy dependencies in other recipes.
+# This recipe itself cannot be named "smack" because that
+# would conflict with the "smack" override.
+PROVIDES = "smack"
+RPROVIDES_${PN} += "smack"
+
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+PV = "1.2.0+git${SRCPV}"
+SRCREV = "d82bac7dac69823fd40015dffad1a128505a2258"
+SRC_URI += "git://github.com/smack-team/smack.git;protocol=https;branch=v1.2.x"
+S = "${WORKDIR}/git"
+
+inherit autotools
+
+BBCLASSEXTEND = "native"
+
+# Fix copied from meta-tizen.
+do_configure_prepend() {
+ export ac_cv_prog_DOXYGEN=""
+ sed -i 's@systemd_new=no@systemd_new=yes@' ${S}/configure.ac
+ sed -i '/PKG_CHECK_MODULES(/,/)/{s/b/r/p;d}' ${S}/configure.ac
+}
diff --git a/meta-security/recipes-security/smacknet/files/smacknet b/meta-security/recipes-security/smacknet/files/smacknet
new file mode 100644
index 000000000..3818d30ae
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/files/smacknet
@@ -0,0 +1,184 @@
+#!/usr/bin/python
+# Copyright (c) 2012, 2013, Intel Corporation
+# Copyright (c) 2009 David Wolinsky <davidiw@ufl.edu), University of Florida
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+import socket,fcntl, struct, thread
+import os.path
+import sys
+
+SMACKFS_LOAD="/sys/fs/smackfs/load2"
+SMACKFS_NETLABEL="/sys/fs/smackfs/netlabel"
+SIOCGIFADDR = 0x8915
+SIOCGIFNETMASK = 0x891b
+
+def get_ip_address(ifname):
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ return fcntl.ioctl(s.fileno(), SIOCGIFADDR,
+ struct.pack('256s', ifname.encode("utf-8")))[20:24]
+
+def get_netmask(ifname):
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ return fcntl.ioctl(s.fileno(), SIOCGIFNETMASK,
+ struct.pack('256s', ifname.encode("utf-8")))[20:24]
+
+def applynetlabeltags(interface, addr):
+ if not interface.startswith("lo"):
+ bmask = get_netmask(interface.encode("utf-8"))
+ prefix = bin(struct.unpack(">L", bmask)[0]).count("1")
+ tags = [
+ addr+"/"+str(prefix)+" Network::Local\n",
+ "0.0.0.0/0 Network::Cloud\n",
+ "127.0.0.1/8 -CIPSO\n"]
+ smackfs_netlabel(tags)
+
+def loadnetlabelrules():
+ rulesSystem = [
+ "System Network::Cloud w\n",
+ "System Network::Local w\n",
+ "Network::Cloud System w\n",
+ "Network::Local System w\n"]
+ smackfs_load2(rulesSystem)
+
+def smackfs_load2 (rules):
+ with open(SMACKFS_LOAD, "w") as load2:
+ for rule in rules:
+ load2.write(rule)
+
+def smackfs_netlabel (tags):
+ for tag in tags:
+ with open(SMACKFS_NETLABEL, "w") as netlabel:
+ netlabel.write(tag)
+
+"""
+ Source of: Class ip monitor, and other functions named bellow.
+ Original author: David Wolinsky <davidiw@ufl.edu
+ Copied from: https://github.com/davidiw/Grid-Appliance/blob/master/scripts/ip_monitor.py
+
+"""
+
+"""4 byte alignment"""
+
+def align(inc):
+ diff = inc % 4
+ return inc + ((4 - diff) % 4)
+
+class ifaddr:
+ """Parse an ifaddr packet"""
+ LOCAL = 2
+ LABEL = 3
+
+ def __init__(self, packet):
+ self.family, self.prefixlen, self.flags, self.scope, self.index = \
+ struct.unpack("BBBBI", packet[:8])
+
+class rtattr:
+ """Parse a rtattr packet"""
+ GRP_IPV4_IFADDR = 0x10
+
+ NEWADDR = 20
+ DELADDR = 21
+ GETADDR = 22
+
+ def __init__(self, packet):
+ self.len, self.type = struct.unpack("HH", packet[:4])
+ if self.type == ifaddr.LOCAL:
+ addr = struct.unpack("BBBB", packet[4:self.len])
+ self.payload = "%s.%s.%s.%s" % (addr[0], addr[1], addr[2], addr[3])
+ elif self.type == ifaddr.LABEL:
+ self.payload = packet[4:self.len].strip("\0")
+ else:
+ self.payload = packet[4:self.len]
+
+class netlink:
+ """Parse a netlink packet"""
+ REQUEST = 1
+ ROOT = 0x100
+ MATCH = 0x200
+ DONE = 3
+
+ def __init__(self, packet):
+ self.msglen, self.msgtype, self.flags, self.seq, self.pid = \
+ struct.unpack("IHHII", packet[:16])
+ self.ifa = None
+ try:
+ self.ifa = ifaddr(packet[16:24])
+ except:
+ return
+
+ self.rtas = {}
+ pos = 24
+ while pos < self.msglen:
+ try:
+ rta = rtattr(packet[pos:])
+ except:
+ break
+ pos += align(rta.len)
+ self.rtas[rta.type] = rta.payload
+
+class ip_monitor:
+ def __init__(self, callback = None):
+ if callback == None:
+ callback = self.print_cb
+ self._callback = callback
+
+ def print_cb(self, label, addr):
+ print (label + " => " + addr)
+
+ def request_addrs(self, sock):
+ sock.send(struct.pack("IHHIIBBBBI", 24, rtattr.GETADDR, \
+ netlink.REQUEST | netlink.ROOT | netlink.MATCH, 0, sock.getsockname()[0], \
+ socket.AF_INET, 0, 0, 0, 0))
+
+ def start_thread(self):
+ thread.start_new_thread(self.run, ())
+
+ def run(self):
+ sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
+ sock.bind((0, rtattr.GRP_IPV4_IFADDR))
+ self.request_addrs(sock)
+
+ while True:
+ data = sock.recv(4096)
+ pos = 0
+ while pos < len(data):
+ nl = netlink(data[pos:])
+ if nl.msgtype == netlink.DONE:
+ break
+ pos += align(nl.msglen)
+ if nl.msgtype != rtattr.NEWADDR:
+ continue
+ self._callback(nl.rtas[ifaddr.LABEL], nl.rtas[ifaddr.LOCAL])
+
+def main():
+ if not os.path.isfile(SMACKFS_LOAD):
+ print ("Smack not found.")
+ return -1
+ loadnetlabelrules()
+
+ ip_monitor(applynetlabeltags).run()
+
+if __name__ == "__main__":
+ main()
diff --git a/meta-security/recipes-security/smacknet/files/smacknet.service b/meta-security/recipes-security/smacknet/files/smacknet.service
new file mode 100644
index 000000000..218d8b896
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/files/smacknet.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=netlabels configuration for SMACK
+Wants=network.target network-online.target
+After=network.target network-online.target
+
+[Service]
+TimeoutStartSec=0
+ExecStart=@BINDIR@/smacknet
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/smacknet/smacknet.bb b/meta-security/recipes-security/smacknet/smacknet.bb
new file mode 100644
index 000000000..553456aee
--- /dev/null
+++ b/meta-security/recipes-security/smacknet/smacknet.bb
@@ -0,0 +1,29 @@
+#SMACKNET Description
+SUMMARY = "Smack network labels configuration"
+DESCRIPTION = "Provide service that will be labeling the network rules"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/BSD-3-Clause;md5=550794465ba0ec5312d6919e203a55f9"
+RDEPENDS_${PN} = "python"
+
+SRC_URI += "file://smacknet \
+ file://smacknet.service \
+ "
+S = "${WORKDIR}"
+
+inherit systemd
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES = "smack"
+
+#netlabel configuration service
+SYSTEMD_SERVICE_${PN} = "smacknet.service"
+SYSTEMD_AUTO_ENABLE = "enable"
+do_install(){
+ install -d ${D}${bindir}
+ install -m 0551 ${WORKDIR}/smacknet ${D}${bindir}
+
+ install -d -m 755 ${D}${systemd_unitdir}/system
+ install -m 644 ${WORKDIR}/smacknet.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@BINDIR@,${bindir},g' ${D}${systemd_unitdir}/system/smacknet.service
+}
+
diff --git a/meta-security/recipes-test/app-runas/app-runas.bb b/meta-security/recipes-test/app-runas/app-runas.bb
new file mode 100644
index 000000000..95725c2e7
--- /dev/null
+++ b/meta-security/recipes-test/app-runas/app-runas.bb
@@ -0,0 +1,17 @@
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://app-runas.cpp;beginline=3;endline=19;md5=1ca447189bb2c54039033d50d8982d92"
+SRC_URI = "file://app-runas.cpp"
+DEPENDS = "security-manager"
+S = "${WORKDIR}"
+
+do_compile () {
+ ${CXX} ${CXXFLAGS} ${S}/app-runas.cpp `pkg-config --cflags --libs security-manager` -o app-runas
+}
+
+do_install () {
+ install -D app-runas ${D}/${bindir}/app-runas
+ chmod u+s ${D}/${bindir}/app-runas
+}
+
+inherit deploy-files
+DEPLOY_FILES_FROM[target] = "app-runas"
diff --git a/meta-security/recipes-test/app-runas/files/app-runas.cpp b/meta-security/recipes-test/app-runas/files/app-runas.cpp
new file mode 100644
index 000000000..58fa15504
--- /dev/null
+++ b/meta-security/recipes-test/app-runas/files/app-runas.cpp
@@ -0,0 +1,221 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+#include <security-manager.h>
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <string>
+#include <vector>
+
+#define CHECK(x) { \
+ int _ret = x; \
+ if (_ret != SECURITY_MANAGER_SUCCESS) { \
+ fprintf(stderr, "Failure in %s:%d: %s: %d = %s\n", __FILE__, __LINE__, #x, _ret, security_manager_strerror((lib_retcode)_ret)); \
+ return EXIT_FAILURE; \
+ } \
+ }
+
+static int do_install(app_inst_req *preq)
+{
+ CHECK(security_manager_app_install(preq));
+ return 0;
+}
+
+static int do_uninstall(app_inst_req *preq)
+{
+ CHECK(security_manager_app_uninstall(preq));
+ return 0;
+}
+
+static int do_run(const char *appid, const char *uid, const char *file, char *const argv[])
+{
+ if (!appid || !uid) {
+ fprintf(stderr, "Always need appid, uid for app startup.\n");
+ return EXIT_FAILURE;
+ }
+
+ pid_t child = fork();
+ if (child == -1) {
+ perror("fork");
+ return EXIT_FAILURE;
+ } else if (child) {
+ int status;
+ child = waitpid(child, &status, 0);
+ if (child == -1) {
+ perror("waitpid");
+ return EXIT_FAILURE;
+ }
+ } else {
+ // We cannot change the UID before security_manager_prepare_app()
+ // (because then setup_smack() fails to change Smack labels of
+ // our fds) and we cannot change the UID after it (because then
+ // security_manager_drop_process_privileges() has already dropped
+ // the necessary CAP_SETUID.
+ // Instead, we need to do the steps from security_manager_prepare_app()
+ // ourselves.
+ CHECK(security_manager_set_process_label_from_appid(appid));
+ CHECK(security_manager_set_process_groups_from_appid(appid));
+ if (setuid(atoi(uid))) {
+ fprintf(stderr, "setuid(%s): %s\n", uid, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ CHECK(security_manager_drop_process_privileges());
+ // CHECK(security_manager_prepare_app(appid));
+
+ execvp(file, argv);
+ fprintf(stderr, "execvp(%s): %s", argv[optind], strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ int flags, opt;
+ int nsecs, tfnd;
+ const char *appid = NULL;
+ const char *pkgid = NULL;
+ const char *uid = NULL;
+ std::vector<const char *> privileges;
+ std::vector< std::pair<app_install_path_type, std::string> > paths;
+ int install = 0, uninstall = 0, run = 0;
+
+ while ((opt = getopt(argc, argv, "a:p:u:r:t:ide")) != -1) {
+ switch (opt) {
+ case 'a':
+ appid = optarg;
+ break;
+ case 'p':
+ pkgid = optarg;
+ break;
+ case 'u':
+ uid = optarg;
+ break;
+ case 'r':
+ privileges.push_back(optarg);
+ break;
+ case 't': {
+ const char *colon = strchr(optarg, ':');
+ if (!colon) {
+ fprintf(stderr, "-t parameter must be of the format <type>:<path>");
+ return EXIT_FAILURE;
+ }
+ std::string typestr(optarg, colon - optarg);
+ std::string path(colon + 1);
+ app_install_path_type type;
+ if (typestr == "private") {
+ type = SECURITY_MANAGER_PATH_PRIVATE;
+ } else if (typestr == "public") {
+ type = SECURITY_MANAGER_PATH_PUBLIC;
+ } else if (typestr == "public-ro") {
+ type = SECURITY_MANAGER_PATH_PUBLIC_RO;
+ } else if (typestr == "rw") {
+ type = SECURITY_MANAGER_PATH_RW;
+ } else if (typestr == "ro") {
+ type = SECURITY_MANAGER_PATH_PRIVATE;
+ } else {
+ fprintf(stderr, "Invalid -t type: %s", typestr.c_str());
+ return EXIT_FAILURE;
+ }
+ paths.push_back(std::make_pair(type, path));
+ break;
+ }
+ case 'i':
+ install = 1;
+ break;
+ case 'd':
+ uninstall = 1;
+ break;
+ case 'e':
+ run = 1;
+ break;
+ default: /* '?' */
+ fprintf(stderr,
+ "Usage: %s -i|-e|-d -a appid -u uid -p pkgid -r privilege1 ... -t private|public|public-ro|rw:<path> ... -- command args\n"
+ " -i = install, command ignored\n"
+ " -e = run command, privileges and pkgid ignored\n"
+ " -d = uninstall, command and privileges ignored\n"
+ " Install, run, and uninstall can be combined into a single invocation.\n",
+ argv[0]);
+ exit(EXIT_FAILURE);
+ break;
+ }
+ }
+
+ if ((install || uninstall) &&
+ (!appid || !pkgid || !uid)) {
+ fprintf(stderr, "Always need appid, pkgid, uid for app install or uninstall.\n");
+ return EXIT_FAILURE;
+ }
+ if (run && optind >= argc) {
+ fprintf(stderr, "Expected command after options\n");
+ return EXIT_FAILURE;
+ }
+
+ app_inst_req *preq;
+ CHECK(security_manager_app_inst_req_new(&preq));
+ if (appid) {
+ CHECK(security_manager_app_inst_req_set_app_id(preq, appid));
+ }
+ if (pkgid) {
+ CHECK(security_manager_app_inst_req_set_pkg_id(preq, pkgid));
+ }
+ if (uid) {
+ CHECK(security_manager_app_inst_req_set_uid(preq, atoi(uid)));
+ }
+ for (size_t i = 0; i < paths.size(); i++) {
+ security_manager_app_inst_req_add_path(preq, paths[i].second.c_str(), paths[i].first);
+ }
+ for (size_t i = 0; i < privileges.size(); i++) {
+ CHECK(security_manager_app_inst_req_add_privilege(preq, privileges[i]));
+ }
+
+ int result = 0;
+ bool install_failed = false;
+ if (install) {
+ result = do_install(preq);
+ if (result) {
+ install_failed = true;
+ }
+ }
+ if (run && !install_failed) {
+ int run_result = do_run(appid, uid, argv[optind], argv + optind);
+ if (run_result) {
+ result = run_result;
+ }
+ }
+ if (uninstall && !install_failed) {
+ int uninstall_result = do_uninstall(preq);
+ if (uninstall_result) {
+ result = uninstall_result;
+ }
+ }
+
+ security_manager_app_inst_req_free(preq);
+ return result;
+}
diff --git a/meta-security/recipes-test/mmap-smack-test/files/mmap.c b/meta-security/recipes-test/mmap-smack-test/files/mmap.c
new file mode 100644
index 000000000..f358d27b5
--- /dev/null
+++ b/meta-security/recipes-test/mmap-smack-test/files/mmap.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ printf("Original test program removed while investigating its license.\n");
+ return 1;
+}
diff --git a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb
new file mode 100644
index 000000000..9d11509d0
--- /dev/null
+++ b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Mmap binary used to test smack mmap attribute"
+DESCRIPTION = "Mmap binary used to test smack mmap attribute"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://mmap.c"
+
+S = "${WORKDIR}"
+do_compile() {
+ ${CC} mmap.c ${LDFLAGS} -o mmap_test
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 mmap_test ${D}${bindir}
+}
diff --git a/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend
new file mode 100644
index 000000000..e7d94f09f
--- /dev/null
+++ b/meta-security/recipes-test/mmap-smack-test/mmap-smack-test.bbappend
@@ -0,0 +1,2 @@
+inherit deploy-files
+DEPLOY_FILES_FROM[target] = "${WORKDIR}/mmap_test"
diff --git a/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c b/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c
new file mode 100644
index 000000000..185f97380
--- /dev/null
+++ b/meta-security/recipes-test/tcp-smack-test/files/tcp_client.c
@@ -0,0 +1,111 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ char message[255] = "hello";
+ struct sockaddr_in server_addr;
+ char* label_in;
+ char* label_out;
+ char* attr_out = "security.SMACK64IPOUT";
+ char* attr_in = "security.SMACK64IPIN";
+ char out[256];
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ struct hostent* host = gethostbyname("localhost");
+
+ if (argc != 4)
+ {
+ perror("Client: Arguments missing, please provide socket labels");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ label_out = argv[3];
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPOUT");
+ return 2;
+ }
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+ {
+ perror("Client: Unable to set attribute SMACK64IPIN");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Client: Set timeout failed\n");
+ return 2;
+ }
+
+ if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+ {
+ perror("Client: Connection failure");
+ close(sock);
+ return 1;
+ }
+
+
+ if(write(sock, message, strlen(message)) < 0)
+ {
+ perror("Client: Error sending data\n");
+ close(sock);
+ return 1;
+ }
+ close(sock);
+ return 0;
+}
+
+
+
+
+
+
diff --git a/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c b/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c
new file mode 100644
index 000000000..9285dc695
--- /dev/null
+++ b/meta-security/recipes-test/tcp-smack-test/files/tcp_server.c
@@ -0,0 +1,118 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+ int sock;
+ int clientsock;
+ char message[255];
+ socklen_t client_length;
+ struct sockaddr_in server_addr, client_addr;
+ char* label_in;
+ char* attr_in = "security.SMACK64IPIN";
+ int port;
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ if (argc != 3)
+ {
+ perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label_in = argv[2];
+ bzero(message,255);
+
+
+ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+ {
+ perror("Server: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+ {
+ perror("Server: Unable to set attribute ipin 2");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure ");
+ return 2;
+ }
+
+ listen(sock, 1);
+ client_length = sizeof(client_addr);
+
+ clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+ if (clientsock < 0)
+ {
+ perror("Server: Connection failed");
+ close(sock);
+ return 1;
+ }
+
+
+ if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+ {
+ perror(" Server: Unable to set attribute ipin 2");
+ close(sock);
+ return 2;
+ }
+
+ if(read(clientsock, message, 254) < 0)
+ {
+ perror("Server: Error when reading from socket");
+ close(clientsock);
+ close(sock);
+ return 1;
+ }
+
+
+ close(clientsock);
+ close(sock);
+
+ return 0;
+}
diff --git a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb
new file mode 100644
index 000000000..57e7151a8
--- /dev/null
+++ b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bb
@@ -0,0 +1,20 @@
+SUMMARY = "Binary used to test smack tcp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://tcp_server.c \
+ file://tcp_client.c \
+"
+
+S = "${WORKDIR}"
+do_compile() {
+ ${CC} tcp_client.c ${LDFLAGS} -o tcp_client
+ ${CC} tcp_server.c ${LDFLAGS} -o tcp_server
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 tcp_server ${D}${bindir}
+ install -m 0755 tcp_client ${D}${bindir}
+}
diff --git a/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend
new file mode 100644
index 000000000..2755bf0e1
--- /dev/null
+++ b/meta-security/recipes-test/tcp-smack-test/tcp-smack-test.bbappend
@@ -0,0 +1,2 @@
+inherit deploy-files
+DEPLOY_FILES_FROM[target] = "${WORKDIR}/tcp_client ${WORKDIR}/tcp_server"
diff --git a/meta-security/recipes-test/udp-smack-test/files/udp_client.c b/meta-security/recipes-test/udp-smack-test/files/udp_client.c
new file mode 100644
index 000000000..4d3afbe6c
--- /dev/null
+++ b/meta-security/recipes-test/udp-smack-test/files/udp_client.c
@@ -0,0 +1,75 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ char* message = "hello";
+ int sock, ret;
+ struct sockaddr_in server_addr;
+ struct hostent* host = gethostbyname("localhost");
+ char* label;
+ char* attr = "security.SMACK64IPOUT";
+ int port;
+ if (argc != 3)
+ {
+ perror("Client: Argument missing, please provide port and label for SMACK64IPOUT");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+ sock = socket(AF_INET, SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Client: Socket failure");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+ {
+ perror("Client: Unable to set attribute ");
+ return 2;
+ }
+
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+ bzero(&(server_addr.sin_zero),8);
+
+ ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+ sizeof(struct sockaddr_in));
+
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Client: Error sending message\n");
+ return 1;
+ }
+
+ return 0;
+}
+
diff --git a/meta-security/recipes-test/udp-smack-test/files/udp_server.c b/meta-security/recipes-test/udp-smack-test/files/udp_server.c
new file mode 100644
index 000000000..cbab71e65
--- /dev/null
+++ b/meta-security/recipes-test/udp-smack-test/files/udp_server.c
@@ -0,0 +1,93 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+ int sock,ret;
+ struct sockaddr_in server_addr, client_addr;
+ socklen_t len;
+ char message[5];
+ char* label;
+ char* attr = "security.SMACK64IPIN";
+ int port;
+
+ if(argc != 3)
+ {
+ perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+ return 2;
+ }
+
+ port = atoi(argv[1]);
+ label = argv[2];
+
+ struct timeval timeout;
+ timeout.tv_sec = 15;
+ timeout.tv_usec = 0;
+
+ sock = socket(AF_INET,SOCK_DGRAM,0);
+ if(sock < 0)
+ {
+ perror("Server: Socket error");
+ return 2;
+ }
+
+
+ if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+ {
+ perror("Server: Unable to set attribute ");
+ return 2;
+ }
+
+ server_addr.sin_family = AF_INET;
+ server_addr.sin_port = htons(port);
+ server_addr.sin_addr.s_addr = INADDR_ANY;
+ bzero(&(server_addr.sin_zero),8);
+
+
+ if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+ {
+ perror("Server: Set timeout failed\n");
+ return 2;
+ }
+
+ if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+ {
+ perror("Server: Bind failure");
+ return 2;
+ }
+
+ len = sizeof(client_addr);
+ ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+ &len);
+ close(sock);
+ if(ret < 0)
+ {
+ perror("Server: Error receiving");
+ return 1;
+
+ }
+ return 0;
+}
+
diff --git a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb
new file mode 100644
index 000000000..478e3688d
--- /dev/null
+++ b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bb
@@ -0,0 +1,20 @@
+SUMMARY = "Binary used to test smack udp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://udp_server.c \
+ file://udp_client.c \
+"
+
+S = "${WORKDIR}"
+do_compile() {
+ ${CC} udp_client.c ${LDFLAGS} -o udp_client
+ ${CC} udp_server.c ${LDFLAGS} -o udp_server
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 udp_server ${D}${bindir}
+ install -m 0755 udp_client ${D}${bindir}
+}
diff --git a/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend
new file mode 100644
index 000000000..bf79ba4d4
--- /dev/null
+++ b/meta-security/recipes-test/udp-smack-test/udp-smack-test.bbappend
@@ -0,0 +1,2 @@
+inherit deploy-files
+DEPLOY_FILES_FROM[target] = "${WORKDIR}/udp_client ${WORKDIR}/udp_server"