summaryrefslogtreecommitdiffstats
path: root/meta-app-framework/recipes-security/security-manager
diff options
context:
space:
mode:
Diffstat (limited to 'meta-app-framework/recipes-security/security-manager')
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager.inc83
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch50
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch47
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch36
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch117
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch34
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch32
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch47
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch78
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch38
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch40
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch51
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch32
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch122
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch259
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch78
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch34
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend13
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager_git.bb27
19 files changed, 1218 insertions, 0 deletions
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager.inc b/meta-app-framework/recipes-security/security-manager/security-manager.inc
new file mode 100644
index 000000000..e1d1f4011
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager.inc
@@ -0,0 +1,83 @@
+DESCRIPTION = "Security manager and utilities"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+inherit cmake
+
+B = "${S}"
+
+DEPENDS = " \
+ attr \
+ boost \
+ cynara \
+ icu \
+ libcap \
+ smack \
+ sqlite3 \
+ systemd \
+"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE"
+
+TZ_SYS_DB ?= "/var/db/security-manager"
+
+EXTRA_OECMAKE = " \
+ -DCMAKE_VERBOSE_MAKEFILE=ON \
+ -DVERSION=${PV} \
+ -DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \
+ -DBIN_INSTALL_DIR=${bindir} \
+ -DDB_INSTALL_DIR=${TZ_SYS_DB} \
+ -DLIB_INSTALL_DIR=${libdir} \
+ -DSHARE_INSTALL_PREFIX=${datadir} \
+ -DINCLUDE_INSTALL_DIR=${includedir} \
+"
+
+inherit systemd
+SYSTEMD_SERVICE_${PN} = "security-manager.service"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES += "smack"
+
+# The upstream source code contains the Tizen-specific policy configuration files.
+# To replace them, create a security-manager.bbappend and set the following variable to a
+# space-separated list of policy file names (not URIs!), for example:
+# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile"
+#
+# Leave it empty to use the upstream Tizen policy.
+SECURITY_MANAGER_POLICY ?= ""
+SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}"
+python do_patch_append () {
+ import os
+ import shutil
+ import glob
+ files = d.getVar('SECURITY_MANAGER_POLICY', True).split()
+ if files:
+ s = d.getVar('S', True)
+ workdir = d.getVar('WORKDIR', True)
+ for pattern in ['*.profile', '*.list']:
+ for old_file in glob.glob(s + '/policy/' + pattern):
+ os.unlink(old_file)
+ for file in files:
+ shutil.copy(file, s + '/policy')
+}
+
+do_install_append () {
+ install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants
+ ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service
+ install -d ${D}/${systemd_unitdir}/system/sockets.target.wants
+ ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket
+}
+
+RDEPENDS_${PN} += "sqlite3 cynara"
+FILES_${PN} += " \
+ ${systemd_unitdir} \
+ ${TZ_SYS_DB} \
+ ${bindir}/.security-manager-setup \
+"
+
+PACKAGES =+ "${PN}-policy"
+FILES_${PN}-policy = " \
+ ${datadir}/${PN} \
+ ${bindir}/security-manager-policy-reload \
+"
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
new file mode 100644
index 000000000..4c91f7fa3
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
@@ -0,0 +1,50 @@
+From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Wed, 19 Oct 2016 13:45:54 +0200
+Subject: [PATCH] Adapt rules to AGL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git
+as basis for the integration of security framework. The security framework
+that it provides is an evolution of the security framework of tizen refited
+to the distribution Ostro of Intel. This refit took the decision to simplify
+the model by removing the running label "User". More can be viewed here:
+https://github.com/01org/meta-intel-iot-security/pull/116
+
+This commits adapt the template to the rules that are now needed
+after this evolution.
+
+It also integrates one other evolutions: the shared label becomes User::App-Shared instead
+of User::App::Shared to avoid collision with application of id "Shared".
+
+Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ policy/app-rules-template.smack | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
+index 1311169..b4cd2e3 100644
+--- a/policy/app-rules-template.smack
++++ b/policy/app-rules-template.smack
+@@ -1,12 +1,10 @@
+-System ~APP~ rwx
++System ~APP~ rwxa
++System ~PKG~ rwxat
+ ~APP~ System wx
+ ~APP~ System::Shared rx
+ ~APP~ System::Run rwxat
+ ~APP~ System::Log rwxa
+ ~APP~ _ l
+-User ~APP~ rwxa
+-User ~PKG~ rwxat
+-~APP~ User wx
+ ~APP~ User::Home rxl
+-~APP~ User::App::Shared rwxat
++~APP~ User::App-Shared rwxat
+ ~APP~ ~PKG~ rwxat
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch
new file mode 100644
index 000000000..91ce81963
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch
@@ -0,0 +1,47 @@
+From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Tue, 24 Mar 2015 04:54:03 -0700
+Subject: [PATCH 01/14] systemd: stop using compat libs
+
+libsystemd-journal and libsystemd-daemon are considered obsolete
+in systemd since 2.09 and may not be available (not compiled
+by default).
+
+The code works fine with the current libsystemd, so just
+use that.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+---
+ src/common/CMakeLists.txt | 2 +-
+ src/server/CMakeLists.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 2da9c3e..968c7c1 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2)
+
+ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+- libsystemd-journal
++ libsystemd
+ libsmack
+ db-util
+ cynara-admin
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 753eb96..6849d76 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -1,6 +1,6 @@
+ PKG_CHECK_MODULES(SERVER_DEP
+ REQUIRED
+- libsystemd-daemon
++ libsystemd
+ )
+
+ FIND_PACKAGE(Boost REQUIRED)
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
new file mode 100644
index 000000000..b6346480b
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
@@ -0,0 +1,36 @@
+From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 19 Aug 2015 15:02:32 +0200
+Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU
+ sed
+
+\U (= make replacement uppercase) is a GNU sed extension which is not
+supported by other sed implementation's (like the one from
+busybox). When using busybox, the bucket for user profiles became
+USER_TYPE_Uadmin instead USER_TYPE_ADMIN.
+
+To make SecurityManager more portable, better use tr to turn the
+bucket name into uppercase.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+---
+ policy/security-manager-policy-reload | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 274c49c..6f211c6 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -33,7 +33,7 @@ END
+ find "$POLICY_PATH" -name "usertype-*.profile" |
+ while read file
+ do
+- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`"
+
+ # Re-create the bucket with empty contents
+ cyad --delete-bucket=$bucket || true
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
new file mode 100644
index 000000000..d79345e01
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
@@ -0,0 +1,117 @@
+From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:01:35 -0600
+Subject: [PATCH 03/14] Smack-rules: create two new functions
+
+It let to smack-rules to create multiple set of rules
+related with the privileges.
+
+It runs from the same bases than for a static set of rules on the
+template, but let you add 1 or many templates for different cases.
+
+Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/include/smack-rules.h | 15 +++++++++++
+ src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
+index 91446a7..3ad9dd4 100644
+--- a/src/common/include/smack-rules.h
++++ b/src/common/include/smack-rules.h
+@@ -47,6 +47,8 @@ public:
+ void addFromTemplate(const std::vector<std::string> &templateRules,
+ const std::string &appId, const std::string &pkgId);
+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
++ const std::string &path);
+
+ void apply() const;
+ void clear() const;
+@@ -74,6 +76,19 @@ public:
+ */
+ static void installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents);
++ /**
++ * Install privileges-specific smack rules.
++ *
++ * Function creates smack rules using predefined template. Rules are applied
++ * to the kernel and saved on persistent storage so they are loaded on system boot.
++ *
++ * @param[in] appId - application id that is beeing installed
++ * @param[in] pkgId - package id that the application is in
++ * @param[in] pkgContents - a list of all applications in the package
++ * @param[in] privileges - a list of all prvileges
++ */
++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
+ /**
+ * Uninstall package-specific smack rules.
+ *
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 3629e0f..922a56f 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
+ }
+ }
+
++void SmackRules::addFromTemplateFile(const std::string &appId,
++ const std::string &pkgId, const std::string &path)
++{
++ std::vector<std::string> templateRules;
++ std::string line;
++ std::ifstream templateRulesFile(path);
++
++ if (!templateRulesFile.is_open()) {
++ LogError("Cannot open rules template file: " << path);
++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
++ }
++
++ while (std::getline(templateRulesFile, line)) {
++ templateRules.push_back(line);
++ }
++
++ if (templateRulesFile.bad()) {
++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ }
++
++ addFromTemplate(templateRules, appId, pkgId);
++}
+
+ void SmackRules::addFromTemplateFile(const std::string &appId,
+ const std::string &pkgId)
+@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+ return path;
+ }
++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
++{
++ SmackRules smackRules;
++ std::string appPath = getApplicationRulesFilePath(appId);
++ smackRules.loadFromFile(appPath);
++ struct stat buffer;
++ for (auto privilege : privileges) {
++ if (privilege.empty())
++ continue;
++ std::string fprivilege ( privilege + "-template.smack");
++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ if( stat(path.c_str(), &buffer) == 0)
++ smackRules.addFromTemplateFile(appId, pkgId, path);
++ }
++
++ if (smack_smackfs_path() != NULL)
++ smackRules.apply();
+
++ smackRules.saveToFile(appPath);
++ updatePackageRules(pkgId, pkgContents);
++}
+ void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents)
+ {
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
new file mode 100644
index 000000000..59d4971ff
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
@@ -0,0 +1,34 @@
+From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:06:23 -0600
+Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules
+
+If it's need it could create load multiple set of smack rules
+related with the privileges.
+It wouldn't affect the case that only the default set of rules is need it.
+
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/service_impl.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index 7fd621c..ae305d3 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
+ << req.pkgId << ". Applications in package: " << pkgContents.size());
+ SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
++ /*Setup for privileges custom rules*/
++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
++ << req.pkgId << ". Applications in package: " << pkgContents.size()
++ << " and Privileges");
++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
++ pkgContents,req.privileges);
+ } catch (const SmackException::Base &e) {
+ LogError("Error while applying Smack policy for application: " << e.DumpToString());
+ return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
new file mode 100644
index 000000000..0739f28c7
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
@@ -0,0 +1,32 @@
+From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Wed, 13 Jan 2016 17:30:06 +0100
+Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/]
+
+Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/dpl/core/include/dpl/binary_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h
+index dd03f5e..185b6c7 100644
+--- a/src/dpl/core/include/dpl/binary_queue.h
++++ b/src/dpl/core/include/dpl/binary_queue.h
+@@ -33,7 +33,7 @@ namespace SecurityManager {
+ * Binary queue auto pointer
+ */
+ class BinaryQueue;
+-typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr;
++typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr;
+
+ /**
+ * Binary stream implemented as constant size bucket list
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
new file mode 100644
index 000000000..3b8aad98c
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
@@ -0,0 +1,47 @@
+From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 8 Jan 2016 16:53:46 +0100
+Subject: [PATCH 06/14] socket-manager: removes tizen specific call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function 'smack_fgetlabel' is specific to Tizen
+and is no more maintained upstream.
+
+Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/]
+
+Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/server/main/socket-manager.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
+index 94c54c6..5e1a79b 100644
+--- a/src/server/main/socket-manager.cpp
++++ b/src/server/main/socket-manager.cpp
+@@ -30,6 +30,7 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/smack.h>
++#include <linux/xattr.h>
+ #include <sys/un.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp(
+ if (smack_check()) {
+ LogInfo("Set up smack label: " << desc.smackLabel);
+
+- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
+- LogError("Error in smack_fsetlabel");
+- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) {
++ LogError("Error in smack_set_label_for_file");
++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file");
+ }
+ } else {
+ LogInfo("No smack on platform. Socket won't be securied with smack label!");
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
new file mode 100644
index 000000000..bad99d25a
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
@@ -0,0 +1,78 @@
+From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 15:56:27 +0100
+Subject: [PATCH 07/14] removes dependency to libslp-db-utils
+
+Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
+---
+ src/common/CMakeLists.txt | 3 ++-
+ src/dpl/db/src/sql_connection.cpp | 17 +----------------
+ 2 files changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 968c7c1..9ae376f 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+ libsystemd
+ libsmack
+- db-util
++ sqlite3
++ icu-i18n
+ cynara-admin
+ cynara-client
+ )
+diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
+index fdb4fe4..f49a6dc 100644
+--- a/src/dpl/db/src/sql_connection.cpp
++++ b/src/dpl/db/src/sql_connection.cpp
+@@ -26,7 +26,6 @@
+ #include <memory>
+ #include <dpl/noncopyable.h>
+ #include <dpl/assert.h>
+-#include <db-util.h>
+ #include <unistd.h>
+ #include <cstdio>
+ #include <cstdarg>
+@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address,
+
+ // Connect to database
+ int result;
+- if (type & Flag::UseLucene) {
+- result = db_util_open_with_options(
+- address.c_str(),
+- &m_connection,
+- flag,
+- NULL);
+-
+- m_usingLucene = true;
+- LogPedantic("Lucene index enabled");
+- } else {
++ (void)type;
+ result = sqlite3_open_v2(
+ address.c_str(),
+ &m_connection,
+@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address,
+
+ m_usingLucene = false;
+ LogPedantic("Lucene index disabled");
+- }
+
+ if (result == SQLITE_OK) {
+ LogPedantic("Connected to DB");
+@@ -653,11 +642,7 @@ void SqlConnection::Disconnect()
+
+ int result;
+
+- if (m_usingLucene) {
+- result = db_util_close(m_connection);
+- } else {
+ result = sqlite3_close(m_connection);
+- }
+
+ if (result != SQLITE_OK) {
+ const char *error = sqlite3_errmsg(m_connection);
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
new file mode 100644
index 000000000..5ece7ef4f
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
@@ -0,0 +1,38 @@
+From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Wed, 12 Oct 2016 17:48:55 +0200
+Subject: [PATCH 08/14] Fix gcc6 build
+
+Signed-off-by: ronan <ronan@ot.bzh>
+---
+ src/client/client-security-manager.cpp | 1 +
+ src/common/include/privilege_db.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
+index 74a6b30..347cddd 100644
+--- a/src/client/client-security-manager.cpp
++++ b/src/client/client-security-manager.cpp
+@@ -46,6 +46,7 @@
+ #include <service_impl.h>
+ #include <security-manager.h>
+ #include <client-offline.h>
++#include <linux/xattr.h>
+
+ static const char *EMPTY = "";
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..08fb9d6 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -32,6 +32,7 @@
+ #include <map>
+ #include <stdbool.h>
+ #include <string>
++#include <vector>
+
+ #include <dpl/db/sql_connection.h>
+ #include <tzplatform_config.h>
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
new file mode 100644
index 000000000..706eb1a93
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
@@ -0,0 +1,40 @@
+From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Thu, 13 Oct 2016 11:37:47 +0200
+Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build
+
+Signed-off-by: Ronan <ronan.lemartret@iot.bzh>
+---
+ src/cmd/CMakeLists.txt | 4 +---
+ src/server/CMakeLists.txt | 1 -
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt
+index ee9a160..aa7a12c 100644
+--- a/src/cmd/CMakeLists.txt
++++ b/src/cmd/CMakeLists.txt
+@@ -1,8 +1,6 @@
+ FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
+
+-INCLUDE_DIRECTORIES(SYSTEM
+- ${Boost_INCLUDE_DIRS}
+- )
++
+
+ INCLUDE_DIRECTORIES(
+ ${INCLUDE_PATH}
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 6849d76..9598037 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED)
+
+ INCLUDE_DIRECTORIES(SYSTEM
+ ${SERVER_DEP_INCLUDE_DIRS}
+- ${Boost_INCLUDE_DIRS}
+ ${Threads_INCLUDE_DIRS}
+ )
+
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
new file mode 100644
index 000000000..0f48c5f68
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
@@ -0,0 +1,51 @@
+From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001
+From: Changhyeok Bae <changhyeok.bae@gmail.com>
+Date: Sun, 17 Dec 2017 15:40:58 +0000
+Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function
+
+Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
+---
+ src/client/client-common.cpp | 1 +
+ src/common/smack-labels.cpp | 1 +
+ src/dpl/core/src/binary_queue.cpp | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp
+index 883ab8d..1babdf7 100644
+--- a/src/client/client-common.cpp
++++ b/src/client/client-common.cpp
+@@ -31,6 +31,7 @@
+ #include <sys/xattr.h>
+ #include <linux/xattr.h>
+ #include <unistd.h>
++#include <functional>
+
+ #include <dpl/log/log.h>
+ #include <dpl/serialization.h>
+diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
+index 0294a42..1598099 100644
+--- a/src/common/smack-labels.cpp
++++ b/src/common/smack-labels.cpp
+@@ -29,6 +29,7 @@
+ #include <sys/xattr.h>
+ #include <linux/xattr.h>
+ #include <memory>
++#include <functional>
+ #include <fts.h>
+ #include <cstring>
+ #include <string>
+diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp
+index 72817a6..838409f 100644
+--- a/src/dpl/core/src/binary_queue.cpp
++++ b/src/dpl/core/src/binary_queue.cpp
+@@ -26,6 +26,7 @@
+ #include <malloc.h>
+ #include <cstring>
+ #include <new>
++#include <functional>
+
+ namespace SecurityManager {
+ BinaryQueue::BinaryQueue() :
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
new file mode 100644
index 000000000..5c679fc26
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
@@ -0,0 +1,32 @@
+From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001
+From: Stephane Desneux <stephane.desneux@iot.bzh>
+Date: Fri, 1 Feb 2019 12:26:17 +0000
+Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=]
+
+Fixes the following warning/error during compile:
+
+src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=]
+| } catch (Exception) {
+| ^~~~~~~~~
+
+Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
+---
+ src/dpl/core/src/assert.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp
+index 63538a2..fc60ce9 100644
+--- a/src/dpl/core/src/assert.cpp
++++ b/src/dpl/core/src/assert.cpp
+@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
+ INTERNAL_LOG("### Function: " << function);
+ INTERNAL_LOG(
+ "################################################################################");
+- } catch (Exception) {
++ } catch (Exception const&) {
+ // Just ignore possible double errors
+ }
+
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
new file mode 100644
index 000000000..91ccf9ee2
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
@@ -0,0 +1,122 @@
+From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 1 Feb 2019 15:37:44 +0100
+Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Latest version of g++ refuse the cast
+
+ reinterpret_cast<void (Service::*)(void*)>(serviceFunction)
+
+I made no investigation to know if the problem
+is coming from the const or not.
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/server/main/include/service-thread.h | 42 ++++++++++--------------
+ 1 file changed, 18 insertions(+), 24 deletions(-)
+
+diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h
+index 964d168..61fdda8 100644
+--- a/src/server/main/include/service-thread.h
++++ b/src/server/main/include/service-thread.h
+@@ -94,7 +94,7 @@ public:
+ Join();
+ while (!m_eventQueue.empty()){
+ auto front = m_eventQueue.front();
+- delete front.eventPtr;
++ delete front;
+ m_eventQueue.pop();
+ }
+ }
+@@ -104,34 +104,28 @@ public:
+ Service *servicePtr,
+ void (Service::*serviceFunction)(const T &))
+ {
+- EventDescription description;
+- description.serviceFunctionPtr =
+- reinterpret_cast<void (Service::*)(void*)>(serviceFunction);
+- description.servicePtr = servicePtr;
+- description.eventFunctionPtr = &ServiceThread::EventCall<T>;
+- description.eventPtr = new T(event);
++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction);
+ {
+ std::lock_guard<std::mutex> lock(m_eventQueueMutex);
+- m_eventQueue.push(description);
++ m_eventQueue.push(ec);
+ }
+ m_waitCondition.notify_one();
+ }
+
+ protected:
+
+- struct EventDescription {
+- void (Service::*serviceFunctionPtr)(void *);
+- Service *servicePtr;
+- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event);
+- GenericEvent* eventPtr;
++ struct EventCallerBase {
++ virtual void fire() = 0;
++ virtual ~EventCallerBase() {}
+ };
+
+ template <class T>
+- void EventCall(const EventDescription &desc) {
+- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr);
+- const T& eventLocale = *(static_cast<T*>(desc.eventPtr));
+- (desc.servicePtr->*fun)(eventLocale);
+- }
++ struct EventCaller : public EventCallerBase {
++ T *event; Service *target; void (Service::*function)(const T&);
++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {}
++ ~EventCaller() { delete event; }
++ void fire() { (target->*function)(*event); }
++ };
+
+ static void ThreadLoopStatic(ServiceThread *ptr) {
+ ptr->ThreadLoop();
+@@ -139,33 +133,33 @@ protected:
+
+ void ThreadLoop(){
+ for (;;) {
+- EventDescription description = {NULL, NULL, NULL, NULL};
++ EventCallerBase *ec = NULL;
+ {
+ std::unique_lock<std::mutex> ulock(m_eventQueueMutex);
+ if (m_quit)
+ return;
+ if (!m_eventQueue.empty()) {
+- description = m_eventQueue.front();
++ ec = m_eventQueue.front();
+ m_eventQueue.pop();
+ } else {
+ m_waitCondition.wait(ulock);
+ }
+ }
+
+- if (description.eventPtr != NULL) {
++ if (ec != NULL) {
+ UNHANDLED_EXCEPTION_HANDLER_BEGIN
+ {
+- (this->*description.eventFunctionPtr)(description);
+- delete description.eventPtr;
++ ec->fire();
+ }
+ UNHANDLED_EXCEPTION_HANDLER_END
++ delete ec;
+ }
+ }
+ }
+
+ std::thread m_thread;
+ std::mutex m_eventQueueMutex;
+- std::queue<EventDescription> m_eventQueue;
++ std::queue<EventCallerBase*> m_eventQueue;
+ std::condition_variable m_waitCondition;
+
+ State m_state;
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
new file mode 100644
index 000000000..fb6215923
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
@@ -0,0 +1,259 @@
+From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 14:26:25 +0100
+Subject: [PATCH 13/14] Removing tizen-platform-config
+
+Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
+---
+ CMakeLists.txt | 16 +++++++-
+ db/CMakeLists.txt | 2 +-
+ policy/CMakeLists.txt | 1 +
+ ...load => security-manager-policy-reload.in} | 4 +-
+ src/common/file-lock.cpp | 4 +-
+ src/common/include/file-lock.h | 1 -
+ src/common/include/privilege_db.h | 3 +-
+ src/common/service_impl.cpp | 39 ++++++-------------
+ src/common/smack-rules.cpp | 12 ++----
+ 9 files changed, 37 insertions(+), 45 deletions(-)
+ rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 28790d8..37a43cc 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings
+ ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings
+
+ STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}")
+-ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
++ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"")
+
+ ADD_DEFINITIONS("-DSMACK_ENABLED")
+
+@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
+ ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG")
+ ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
+
++SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory")
++SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory")
++SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory")
++SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory")
++SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database")
++SET(GLOBALUSER "userapp" CACHE STRING "name of the global user")
++
++ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"")
++ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"")
++ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"")
++ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"")
++ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"")
++ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"")
++
+ ADD_SUBDIRECTORY(src)
+ ADD_SUBDIRECTORY(pc)
+ ADD_SUBDIRECTORY(systemd)
+diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
+index 9e8ffcc..d7af1a0 100644
+--- a/db/CMakeLists.txt
++++ b/db/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-SET(TARGET_DB ".security-manager.db")
++SET(TARGET_DB "$(DB_FILENAME)")
+
+ ADD_CUSTOM_COMMAND(
+ OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
+diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
+index bd08edc..626a2bd 100644
+--- a/policy/CMakeLists.txt
++++ b/policy/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)
++CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY)
+ INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+ INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+ INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in
+similarity index 94%
+rename from policy/security-manager-policy-reload
+rename to policy/security-manager-policy-reload.in
+index 6f211c6..c1bc4e2 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload.in
+@@ -1,8 +1,8 @@
+ #!/bin/sh -e
+
+-POLICY_PATH=/usr/share/security-manager/policy
++POLICY_PATH=@DATADIR@/policy
+ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
++DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@
+
+ # Create default buckets
+ while read bucket default_policy
+diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
+index 6f3996c..88d2092 100644
+--- a/src/common/file-lock.cpp
++++ b/src/common/file-lock.cpp
+@@ -30,9 +30,7 @@
+
+ namespace SecurityManager {
+
+-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
+- "lock",
+- "security-manager.lock");
++char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock";
+
+ FileLocker::FileLocker(const std::string &lockFile, bool blocking)
+ {
+diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
+index 604b019..21a86a0 100644
+--- a/src/common/include/file-lock.h
++++ b/src/common/include/file-lock.h
+@@ -29,7 +29,6 @@
+
+ #include <dpl/exception.h>
+ #include <dpl/noncopyable.h>
+-#include <tzplatform_config.h>
+
+ namespace SecurityManager {
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 08fb9d6..3344987 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -35,14 +35,13 @@
+ #include <vector>
+
+ #include <dpl/db/sql_connection.h>
+-#include <tzplatform_config.h>
+
+ #ifndef PRIVILEGE_DB_H_
+ #define PRIVILEGE_DB_H_
+
+ namespace SecurityManager {
+
+-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
++const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME;
+
+ enum class QueryType {
+ EGetPkgPrivileges,
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index ae305d3..42150fe 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -32,7 +32,6 @@
+ #include <algorithm>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "protocols.h"
+ #include "privilege_db.h"
+@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
+
+ static uid_t getGlobalUserId(void)
+ {
+- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++ static uid_t globaluid = 0;
++ if (!globaluid) {
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p);
++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
++ }
+ return globaluid;
+ }
+
+@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
+
+ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
+ {
+- struct tzplatform_context *tz_ctx = nullptr;
+-
+- if (tzplatform_context_create(&tz_ctx))
+- return false;
+-
+- if (tzplatform_context_set_user(tz_ctx, uid)) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
++ if (rc || p == NULL)
+ return false;
+- }
+-
+- enum tzplatform_variable id =
+- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
+- const char *appDir = tzplatform_context_getenv(tz_ctx, id);
+- if (!appDir) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+- return false;
+- }
+-
+- userAppDir = appDir;
+-
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+-
++ userAppDir = p->pw_dir;
+ return true;
+ }
+
+ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
+ {
+- std::string userHome;
+ std::string userAppDir;
+ std::stringstream correctPath;
+
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 922a56f..c2e0041 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -34,7 +34,6 @@
+ #include <memory>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "smack-labels.h"
+ #include "smack-rules.h"
+@@ -43,7 +42,7 @@ namespace SecurityManager {
+
+ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
+ const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
+-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
++const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack";
+ const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
+
+ SmackRules::SmackRules()
+@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
+
+ std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
+- return path;
++ return SMACKRULESDIR "/pkg_" + pkgId;
+ }
+
+ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+- return path;
++ return SMACKRULESDIR "/app_" + appId;
+ }
+ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
+ for (auto privilege : privileges) {
+ if (privilege.empty())
+ continue;
+- std::string fprivilege ( privilege + "-template.smack");
+- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ std::string path = DATADIR "/policy/" + privilege + "-template.smack";
+ if( stat(path.c_str(), &buffer) == 0)
+ smackRules.addFromTemplateFile(appId, pkgId, path);
+ }
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch
new file mode 100644
index 000000000..542a387d2
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch
@@ -0,0 +1,78 @@
+From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 26 Nov 2019 12:34:39 +0100
+Subject: [PATCH 14/14] Ensure post install initialization of database
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Creation of the database was made during image creation,
+leading to issue with SOTA. This adds the creation on
+need before launching the service.
+
+Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ db/CMakeLists.txt | 14 ++++++--------
+ db/security-manager-setup | 14 ++++++++++++++
+ systemd/security-manager.service.in | 1 +
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+ create mode 100644 db/security-manager-setup
+
+diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
+index d7af1a0..dcf5bc8 100644
+--- a/db/CMakeLists.txt
++++ b/db/CMakeLists.txt
+@@ -1,12 +1,10 @@
+-SET(TARGET_DB "$(DB_FILENAME)")
+-
+ ADD_CUSTOM_COMMAND(
+- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
+- COMMAND sqlite3 ${TARGET_DB} <db.sql
+- )
++ OUTPUT .security-manager-setup
++ COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup
++ DEPENDS security-manager-setup db.sql
++)
+
+ # Add a dummy build target to trigger building of ${TARGET_DB}
+-ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB})
++ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup)
+
+-INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR})
+-INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR})
++INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR})
+diff --git a/db/security-manager-setup b/db/security-manager-setup
+new file mode 100644
+index 0000000..5675baf
+--- /dev/null
++++ b/db/security-manager-setup
+@@ -0,0 +1,14 @@
++#!/bin/sh
++
++if test -f "$1"; then exit; fi
++set -e
++dbdir="$(dirname "$1")"
++dbfile="$(basename "$1")"
++test -n "$dbfile"
++test -n "$dbdir"
++mkdir -p "$dbdir"
++cd "$dbdir"
++sqlite3 "$dbfile" << END-OF-CAT
++--DB.SQL--
++END-OF-CAT
++
+diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in
+index 23fd1b2..2bf97d7 100644
+--- a/systemd/security-manager.service.in
++++ b/systemd/security-manager.service.in
+@@ -3,5 +3,6 @@ Description=Start the security manager
+
+ [Service]
+ Type=notify
++ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@
+ ExecStart=@BIN_INSTALL_DIR@/security-manager
+ Sockets=security-manager.socket
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
new file mode 100644
index 000000000..d9949193b
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
@@ -0,0 +1,34 @@
+From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 30 Jan 2020 09:19:25 +0100
+Subject: [PATCH 15/15] Restrict socket accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure that only members of the group and the owner can access
+the security manager.
+
+Bug-AGL: SPEC-3146
+
+Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ systemd/security-manager.socket | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
+index af1c1da..b401f77 100644
+--- a/systemd/security-manager.socket
++++ b/systemd/security-manager.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/security-manager.socket
+-SocketMode=0777
++SocketMode=0660
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+
+--
+2.21.1
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend
new file mode 100644
index 000000000..ec8435369
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend
@@ -0,0 +1,13 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:"
+
+EXTRA_OECMAKE =+ " -DGLOBALUSER=afm"
+
+SRC_URI += " \
+ file://0001-Adapt-rules-to-AGL.patch \
+"
+
+do_install_append() {
+ # Needed for wayland-0 socket access and memfd usage
+ echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+ echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+}
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bb b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb
new file mode 100644
index 000000000..b34973519
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb
@@ -0,0 +1,27 @@
+require security-manager.inc
+
+PV = "1.0.2+git${SRCPV}"
+SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6"
+SRC_URI += "git://github.com/Samsung/security-manager.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+ file://0001-systemd-stop-using-compat-libs.patch \
+ file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \
+ file://0003-Smack-rules-create-two-new-functions.patch \
+ file://0004-app-install-implement-multiple-set-of-smack-rules.patch \
+ file://0005-c-11-replace-deprecated-auto_ptr.patch \
+ file://0006-socket-manager-removes-tizen-specific-call.patch \
+ file://0007-removes-dependency-to-libslp-db-utils.patch \
+ file://0008-Fix-gcc6-build.patch \
+ file://0009-Fix-Cmake-conf-for-gcc6-build.patch \
+ file://0010-gcc-7-requires-include-functional-for-std-function.patch \
+ file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \
+ file://0012-Avoid-casting-from-const-T-to-void.patch \
+ file://0013-Removing-tizen-platform-config.patch \
+ file://0014-Ensure-post-install-initialization-of-database.patch \
+ file://0015-Restrict-socket-accesses.patch \
+"
+
+# Use make with cmake and not ninja
+OECMAKE_GENERATOR = "Unix Makefiles"