summaryrefslogtreecommitdiffstats
path: root/meta-app-framework/recipes-security
diff options
context:
space:
mode:
Diffstat (limited to 'meta-app-framework/recipes-security')
-rw-r--r--meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch42
-rw-r--r--meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch133
-rw-r--r--meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch57
-rw-r--r--meta-app-framework/recipes-security/audit/audit/audit-volatile.conf1
-rwxr-xr-xmeta-app-framework/recipes-security/audit/audit/auditd153
-rw-r--r--meta-app-framework/recipes-security/audit/audit/auditd.service20
-rw-r--r--meta-app-framework/recipes-security/audit/audit_2.8.5.bb106
-rw-r--r--meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb23
-rw-r--r--meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb30
-rwxr-xr-xmeta-app-framework/recipes-security/cynagora/cynagora/run-ptest4
-rw-r--r--meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb38
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager.inc83
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch50
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch47
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch36
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch117
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch34
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch32
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch47
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch78
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch38
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch40
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch51
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch32
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch122
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch259
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch78
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch34
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend13
-rw-r--r--meta-app-framework/recipes-security/security-manager/security-manager_git.bb27
-rw-r--r--meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend5
-rw-r--r--meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc4
32 files changed, 1830 insertions, 4 deletions
diff --git a/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch
new file mode 100644
index 000000000..6e1827c08
--- /dev/null
+++ b/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch
@@ -0,0 +1,42 @@
+From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 19 Feb 2020 15:23:40 +0800
+Subject: [PATCH] lib/i386_table.h: add new syscall
+
+On 32bit system,
+After upgrade glibc to 2.31
+ # strace -o /tmp/test.log date -s 09:16:45
+ # tail -f /tmp/test.log
+ close(3) = 0
+ stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0
+ clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0
+ fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0
+ ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
+ write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29
+ close(1) = 0
+ close(2) = 0
+ exit_group(0) = ?
+ +++ exited with 0 +++
+
+It means the clock_settime64 syscall is used, so
+add the syscall.
+
+Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/i386_table.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/i386_table.h b/lib/i386_table.h
+index 1a64c88..65fd4d9 100644
+--- a/lib/i386_table.h
++++ b/lib/i386_table.h
+@@ -405,3 +405,4 @@ _S(383, "statx")
+ _S(384, "arch_prctl")
+ _S(385, "io_pgetevents")
+ _S(386, "rseq")
++_S(404, "clock_settime64")
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
new file mode 100644
index 000000000..bb6c61e80
--- /dev/null
+++ b/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
@@ -0,0 +1,133 @@
+From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 26 Feb 2019 18:33:33 -0500
+Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
+
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
+---
+ auparse/auparse.c | 12 +++++++++++-
+ auparse/interpret.c | 9 ++++++++-
+ configure.ac | 14 +++++++++++++-
+ src/ausearch-lol.c | 12 +++++++++++-
+ 4 files changed, 43 insertions(+), 4 deletions(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index 650db02..2e1c737 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -1,5 +1,5 @@
+ /* auparse.c --
+- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
+ return 0;
+ }
+
++#ifndef HAVE_STRNDUPA
++static inline char *strndupa(const char *old, size_t n)
++{
++ size_t len = strnlen(old, n);
++ char *tmp = alloca(len + 1);
++ tmp[len] = 0;
++ return memcpy(tmp, old, len);
++}
++#endif
++
+ /* Returns 0 on success and 1 on error */
+ static int extract_timestamp(const char *b, au_event_t *e)
+ {
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 51c4a5e..67b7b77 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -853,6 +853,13 @@ err_out:
+ return print_escaped(id->val);
+ }
+
++// rawmemchr is faster. Let's use it if we have it.
++#ifdef HAVE_RAWMEMCHR
++#define STRCHR rawmemchr
++#else
++#define STRCHR strchr
++#endif
++
+ static const char *print_proctitle(const char *val)
+ {
+ char *out = (char *)print_escaped(val);
+@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val)
+ // Proctitle has arguments separated by NUL bytes
+ // We need to write over the NUL bytes with a space
+ // so that we can see the arguments
+- while ((ptr = rawmemchr(ptr, '\0'))) {
++ while ((ptr = STRCHR(ptr, '\0'))) {
+ if (ptr >= end)
+ break;
+ *ptr = ' ';
+diff --git a/configure.ac b/configure.ac
+index 54bdbf1..aef07fb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,7 +1,7 @@
+ dnl
+ define([AC_INIT_NOTICE],
+ [### Generated automatically using autoconf version] AC_ACVERSION [
+-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
++### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
+ ###
+ ### Permission is hereby granted, free of charge, to any person obtaining a
+ ### copy of this software and associated documentation files (the "Software"),
+@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
+ AC_CHECK_FUNCS([posix_fallocate])
+ dnl; signalfd is needed for libev
+ AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
++dnl; check if rawmemchr is available
++AC_CHECK_FUNCS([rawmemchr])
++dnl; check if strndupa is available
++AC_LINK_IFELSE(
++ [AC_LANG_SOURCE(
++ [[
++ #define _GNU_SOURCE
++ #include <string.h>
++ int main() { (void) strndupa("test", 10); return 0; }]])],
++ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
++ []
++)
+
+ ALLWARNS=""
+ ALLDEBUG="-g"
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 5d17a72..758c33e 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -1,6 +1,6 @@
+ /*
+ * ausearch-lol.c - linked list of linked lists library
+-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
++* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This software may be freely redistributed and/or modified under the
+@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2)
+ return 0;
+ }
+
++#ifndef HAVE_STRNDUPA
++static inline char *strndupa(const char *old, size_t n)
++{
++ size_t len = strnlen(old, n);
++ char *tmp = alloca(len + 1);
++ tmp[len] = 0;
++ return memcpy(tmp, old, len);
++}
++#endif
++
+ /*
+ * This function will look at the line and pick out pieces of it.
+ */
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
new file mode 100644
index 000000000..7c2699540
--- /dev/null
+++ b/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
@@ -0,0 +1,57 @@
+From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001
+From: Li xin <lixin.fnst@cn.fujitsu.com>
+Date: Sun, 19 Jul 2015 02:42:58 +0900
+Subject: [PATCH] audit: Fixed swig host contamination issue
+
+The audit build uses swig to generate a python wrapper.
+Unfortunately, the swig info file references host include
+directories. Some of these were previously noticed and
+eliminated, but the one fixed here was not.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
+Signed-off-by: Joe Slater <jslater@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ bindings/swig/python3/Makefile.am | 3 ++-
+ bindings/swig/src/auditswig.i | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am
+index 9938418..fa46aac 100644
+--- a/bindings/swig/python3/Makefile.am
++++ b/bindings/swig/python3/Makefile.am
+@@ -22,6 +22,7 @@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS)
+ AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
++STDINC ?= /usr/include
+ LIBS = $(top_builddir)/lib/libaudit.la
+ SWIG_FLAGS = -python -py3 -modern
+ SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
+@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
+ _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
+ nodist__audit_la_SOURCES = audit_wrap.c
+ audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i
+- swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i
++ swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i
+
+ CLEANFILES = audit.py* audit_wrap.c *~
+
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 7ebb373..424fb68 100644
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,7 +39,7 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
+-%include "/usr/include/linux/audit.h"
++%include "linux/audit.h"
+ #define __extension__ /*nothing*/
+ #include <stdint.h>
+ %include "../lib/libaudit.h"
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf b/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf
new file mode 100644
index 000000000..9cbe1547a
--- /dev/null
+++ b/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf
@@ -0,0 +1 @@
+d /var/log/audit 0750 root root -
diff --git a/meta-app-framework/recipes-security/audit/audit/auditd b/meta-app-framework/recipes-security/audit/audit/auditd
new file mode 100755
index 000000000..cda2e43d4
--- /dev/null
+++ b/meta-app-framework/recipes-security/audit/audit/auditd
@@ -0,0 +1,153 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: auditd
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Audit Daemon
+# Description: Collects audit information from Linux 2.6 Kernels.
+### END INIT INFO
+
+# Author: Philipp Matthias Hahn <pmhahn@debian.org>
+# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
+
+# June, 2012: Adopted for yocto <amy.fong@windriver.com>
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DESC="audit daemon"
+NAME=auditd
+DAEMON=/sbin/auditd
+PIDFILE=/var/run/"$NAME".pid
+SCRIPTNAME=/etc/init.d/"$NAME"
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
+
+. /etc/default/rcS
+
+. /etc/init.d/functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
+ || return 1
+ start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
+ $EXTRAOPTIONS \
+ || return 2
+ if [ -f /etc/audit/audit.rules ]
+ then
+ /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+ fi
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME"
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f "$PIDFILE"
+ rm -f /var/run/audit_events
+ # Remove watches so shutdown works cleanly
+ case "$AUDITD_CLEAN_STOP" in
+ no|NO) ;;
+ *) /sbin/auditctl -D >/dev/null ;;
+ esac
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+if [ ! -e /var/log/audit ]; then
+ mkdir -p /var/log/audit
+ [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit
+fi
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+ 2) [ "$VERBOSE" != no ] && echo 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && echo 0 ;;
+ 2) [ "$VERBOSE" != no ] && echo 1 ;;
+ esac
+ ;;
+ reload|force-reload)
+ echo "Reloading $DESC" "$NAME"
+ do_reload
+ echo $?
+ ;;
+ restart)
+ echo "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) echo 0 ;;
+ 1) echo 1 ;; # Old process is still running
+ *) echo 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ echo 1
+ ;;
+ esac
+ ;;
+ rotate)
+ echo "Rotating $DESC logs" "$NAME"
+ start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
+ echo $?
+ ;;
+ status)
+ pidofproc "$DAEMON" >/dev/null
+ status=$?
+ if [ $status -eq 0 ]; then
+ echo "$NAME is running."
+ else
+ echo "$NAME is not running."
+ fi
+ exit $status
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff --git a/meta-app-framework/recipes-security/audit/audit/auditd.service b/meta-app-framework/recipes-security/audit/audit/auditd.service
new file mode 100644
index 000000000..ebc079897
--- /dev/null
+++ b/meta-app-framework/recipes-security/audit/audit/auditd.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Security Auditing Service
+DefaultDependencies=no
+After=local-fs.target
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+After=systemd-tmpfiles-setup.service
+
+[Service]
+ExecStart=/sbin/auditd -n
+## To use augenrules, copy this file to /etc/systemd/system/auditd.service
+## and uncomment the next line and delete/comment out the auditctl line.
+## Then copy existing rules to /etc/audit/rules.d/
+## Not doing this last step can cause loss of existing rules
+#ExecStartPost=-/sbin/augenrules --load
+ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-app-framework/recipes-security/audit/audit_2.8.5.bb b/meta-app-framework/recipes-security/audit/audit_2.8.5.bb
new file mode 100644
index 000000000..af36ed5e2
--- /dev/null
+++ b/meta-app-framework/recipes-security/audit/audit_2.8.5.bb
@@ -0,0 +1,106 @@
+SUMMARY = "User space tools for kernel auditing"
+DESCRIPTION = "The audit package contains the user space utilities for \
+storing and searching the audit records generated by the audit subsystem \
+in the Linux kernel."
+HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
+SECTION = "base"
+LICENSE = "GPLv2+ & LGPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \
+ file://Add-substitue-functions-for-strndupa-rawmemchr.patch \
+ file://Fixed-swig-host-contamination-issue.patch \
+ file://0001-lib-i386_table.h-add-new-syscall.patch \
+ file://auditd \
+ file://auditd.service \
+ file://audit-volatile.conf \
+"
+
+S = "${WORKDIR}/git"
+SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c"
+
+inherit autotools python3native update-rc.d systemd
+
+UPDATERCPN = "auditd"
+INITSCRIPT_NAME = "auditd"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_PACKAGES = "auditd"
+SYSTEMD_SERVICE_auditd = "auditd.service"
+
+DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
+
+EXTRA_OECONF += "--without-prelude \
+ --with-libwrap \
+ --enable-gssapi-krb5=no \
+ --with-libcap-ng=yes \
+ --with-python3=yes \
+ --libdir=${base_libdir} \
+ --sbindir=${base_sbindir} \
+ --without-python \
+ --without-golang \
+ --disable-zos-remote \
+ "
+EXTRA_OECONF_append_arm = " --with-arm=yes"
+EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes"
+
+EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
+ pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
+ STDINC='${STAGING_INCDIR}' \
+ pkgconfigdir=${libdir}/pkgconfig \
+ "
+
+SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher"
+DESCRIPTION_audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
+interface to the audit system, audispd. These plugins can do things \
+like relay events to remote machines or analyze events for suspicious \
+behavior."
+
+PACKAGES =+ "audispd-plugins"
+PACKAGES += "auditd ${PN}-python"
+
+FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
+FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"
+FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
+ ${sysconfdir}/audisp/plugins.d/au-remote.conf \
+ ${sbindir}/audisp-remote ${localstatedir}/spool/audit \
+ "
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+
+CONFFILES_auditd += "${sysconfdir}/audit/audit.rules"
+RDEPENDS_auditd += "bash"
+
+do_install_append() {
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
+ rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
+
+ # reuse auditd config
+ [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
+ mv ${D}/etc/sysconfig/auditd ${D}/etc/default
+ rmdir ${D}/etc/sysconfig/
+
+ # replace init.d
+ install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
+ rm -rf ${D}/etc/rc.d
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d/
+ install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+ fi
+
+ # install systemd unit files
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
+
+ # audit-2.5 doesn't install any rules by default, so we do that here
+ mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
+ cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
+
+ chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
+ chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
+
+ # Based on the audit.spec "Copy default rules into place on new installation"
+ cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
+}
diff --git a/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb b/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb
new file mode 100644
index 000000000..c77c99189
--- /dev/null
+++ b/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb
@@ -0,0 +1,23 @@
+DESCRIPTION = "OAuth server using cynagora backend"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagoauth.git;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "26a5dbddf3a9bfde481a6fcd2aae16c7ecba665f"
+PV = "0.1+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "json-c libmicrohttpd openssl cynagora"
+
+inherit cmake
+
+EXTRA_OECMAKE += " \
+ -DDEFAULTHOSTS=:7777 \
+ -DDEFAULTURL=http://localhost:7777/tok \
+ -DUNITDIR_SYSTEM=${systemd_system_unitdir} \
+"
+
+FILES_${PN} += "${systemd_system_unitdir}"
+
+
diff --git a/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb
new file mode 100644
index 000000000..f146051cd
--- /dev/null
+++ b/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb
@@ -0,0 +1,30 @@
+DESCRIPTION = "Cynara service with client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60"
+PV = "2.1+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+inherit cmake
+
+PROVIDES = "cynara"
+RPROVIDES_${PN} = "cynara"
+DEPENDS = "libcap"
+RDEPENDS_${PN} = "cynagora"
+
+EXTRA_OECMAKE += " \
+ -DWITH_SYSTEMD=OFF \
+ -DWITH_CYNARA_COMPAT=ON \
+ -DDIRECT_CYNARA_COMPAT=ON \
+"
+
+do_install_append() {
+ # remove cynagora stuff
+ rm $(find ${D} -name '*cynagora*')
+ # remove stupid test
+ rm -r ${D}${bindir}
+}
+
diff --git a/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest b/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest
new file mode 100755
index 000000000..f95f0725b
--- /dev/null
+++ b/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+# test access to cynagora server
+cynagora-admin list > /dev/null
diff --git a/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb
new file mode 100644
index 000000000..73f2f0949
--- /dev/null
+++ b/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb
@@ -0,0 +1,38 @@
+DESCRIPTION = "Cynagora service and client libraries"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
+SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60"
+PV = "2.1+git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "systemd libcap"
+
+inherit cmake
+
+EXTRA_OECMAKE += " \
+ -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+ -DWITH_SYSTEMD=ON \
+ -DWITH_CYNARA_COMPAT=OFF \
+"
+
+inherit useradd
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "-r cynagora"
+USERADD_PARAM_${PN} = "\
+--system --home ${localstatedir}/lib/empty \
+--no-create-home --shell /bin/false \
+--gid cynagora cynagora \
+"
+
+FILES_${PN} += "${systemd_system_unitdir}"
+
+PACKAGES =+ "${PN}-tools"
+FILES_${PN}-tools += "${bindir}/cynagora-admin ${bindir}/cynagora-agent"
+RDEPENDS_${PN}_append_agl-devel = " ${PN}-tools"
+
+inherit ptest
+SRC_URI_append = " file://run-ptest"
+RDEPENDS_${PN}-ptest_append = " ${PN}-tools"
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager.inc b/meta-app-framework/recipes-security/security-manager/security-manager.inc
new file mode 100644
index 000000000..e1d1f4011
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager.inc
@@ -0,0 +1,83 @@
+DESCRIPTION = "Security manager and utilities"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+inherit cmake
+
+B = "${S}"
+
+DEPENDS = " \
+ attr \
+ boost \
+ cynara \
+ icu \
+ libcap \
+ smack \
+ sqlite3 \
+ systemd \
+"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE"
+
+TZ_SYS_DB ?= "/var/db/security-manager"
+
+EXTRA_OECMAKE = " \
+ -DCMAKE_VERBOSE_MAKEFILE=ON \
+ -DVERSION=${PV} \
+ -DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \
+ -DBIN_INSTALL_DIR=${bindir} \
+ -DDB_INSTALL_DIR=${TZ_SYS_DB} \
+ -DLIB_INSTALL_DIR=${libdir} \
+ -DSHARE_INSTALL_PREFIX=${datadir} \
+ -DINCLUDE_INSTALL_DIR=${includedir} \
+"
+
+inherit systemd
+SYSTEMD_SERVICE_${PN} = "security-manager.service"
+
+inherit features_check
+REQUIRED_DISTRO_FEATURES += "smack"
+
+# The upstream source code contains the Tizen-specific policy configuration files.
+# To replace them, create a security-manager.bbappend and set the following variable to a
+# space-separated list of policy file names (not URIs!), for example:
+# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile"
+#
+# Leave it empty to use the upstream Tizen policy.
+SECURITY_MANAGER_POLICY ?= ""
+SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}"
+python do_patch_append () {
+ import os
+ import shutil
+ import glob
+ files = d.getVar('SECURITY_MANAGER_POLICY', True).split()
+ if files:
+ s = d.getVar('S', True)
+ workdir = d.getVar('WORKDIR', True)
+ for pattern in ['*.profile', '*.list']:
+ for old_file in glob.glob(s + '/policy/' + pattern):
+ os.unlink(old_file)
+ for file in files:
+ shutil.copy(file, s + '/policy')
+}
+
+do_install_append () {
+ install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants
+ ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service
+ install -d ${D}/${systemd_unitdir}/system/sockets.target.wants
+ ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket
+}
+
+RDEPENDS_${PN} += "sqlite3 cynara"
+FILES_${PN} += " \
+ ${systemd_unitdir} \
+ ${TZ_SYS_DB} \
+ ${bindir}/.security-manager-setup \
+"
+
+PACKAGES =+ "${PN}-policy"
+FILES_${PN}-policy = " \
+ ${datadir}/${PN} \
+ ${bindir}/security-manager-policy-reload \
+"
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
new file mode 100644
index 000000000..4c91f7fa3
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
@@ -0,0 +1,50 @@
+From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Wed, 19 Oct 2016 13:45:54 +0200
+Subject: [PATCH] Adapt rules to AGL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git
+as basis for the integration of security framework. The security framework
+that it provides is an evolution of the security framework of tizen refited
+to the distribution Ostro of Intel. This refit took the decision to simplify
+the model by removing the running label "User". More can be viewed here:
+https://github.com/01org/meta-intel-iot-security/pull/116
+
+This commits adapt the template to the rules that are now needed
+after this evolution.
+
+It also integrates one other evolutions: the shared label becomes User::App-Shared instead
+of User::App::Shared to avoid collision with application of id "Shared".
+
+Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ policy/app-rules-template.smack | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
+index 1311169..b4cd2e3 100644
+--- a/policy/app-rules-template.smack
++++ b/policy/app-rules-template.smack
+@@ -1,12 +1,10 @@
+-System ~APP~ rwx
++System ~APP~ rwxa
++System ~PKG~ rwxat
+ ~APP~ System wx
+ ~APP~ System::Shared rx
+ ~APP~ System::Run rwxat
+ ~APP~ System::Log rwxa
+ ~APP~ _ l
+-User ~APP~ rwxa
+-User ~PKG~ rwxat
+-~APP~ User wx
+ ~APP~ User::Home rxl
+-~APP~ User::App::Shared rwxat
++~APP~ User::App-Shared rwxat
+ ~APP~ ~PKG~ rwxat
+--
+2.7.4
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch
new file mode 100644
index 000000000..91ce81963
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch
@@ -0,0 +1,47 @@
+From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Tue, 24 Mar 2015 04:54:03 -0700
+Subject: [PATCH 01/14] systemd: stop using compat libs
+
+libsystemd-journal and libsystemd-daemon are considered obsolete
+in systemd since 2.09 and may not be available (not compiled
+by default).
+
+The code works fine with the current libsystemd, so just
+use that.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+---
+ src/common/CMakeLists.txt | 2 +-
+ src/server/CMakeLists.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 2da9c3e..968c7c1 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2)
+
+ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+- libsystemd-journal
++ libsystemd
+ libsmack
+ db-util
+ cynara-admin
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 753eb96..6849d76 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -1,6 +1,6 @@
+ PKG_CHECK_MODULES(SERVER_DEP
+ REQUIRED
+- libsystemd-daemon
++ libsystemd
+ )
+
+ FIND_PACKAGE(Boost REQUIRED)
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
new file mode 100644
index 000000000..b6346480b
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
@@ -0,0 +1,36 @@
+From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 19 Aug 2015 15:02:32 +0200
+Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU
+ sed
+
+\U (= make replacement uppercase) is a GNU sed extension which is not
+supported by other sed implementation's (like the one from
+busybox). When using busybox, the bucket for user profiles became
+USER_TYPE_Uadmin instead USER_TYPE_ADMIN.
+
+To make SecurityManager more portable, better use tr to turn the
+bucket name into uppercase.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+---
+ policy/security-manager-policy-reload | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 274c49c..6f211c6 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -33,7 +33,7 @@ END
+ find "$POLICY_PATH" -name "usertype-*.profile" |
+ while read file
+ do
+- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`"
+
+ # Re-create the bucket with empty contents
+ cyad --delete-bucket=$bucket || true
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
new file mode 100644
index 000000000..d79345e01
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
@@ -0,0 +1,117 @@
+From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:01:35 -0600
+Subject: [PATCH 03/14] Smack-rules: create two new functions
+
+It let to smack-rules to create multiple set of rules
+related with the privileges.
+
+It runs from the same bases than for a static set of rules on the
+template, but let you add 1 or many templates for different cases.
+
+Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/include/smack-rules.h | 15 +++++++++++
+ src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
+index 91446a7..3ad9dd4 100644
+--- a/src/common/include/smack-rules.h
++++ b/src/common/include/smack-rules.h
+@@ -47,6 +47,8 @@ public:
+ void addFromTemplate(const std::vector<std::string> &templateRules,
+ const std::string &appId, const std::string &pkgId);
+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
++ const std::string &path);
+
+ void apply() const;
+ void clear() const;
+@@ -74,6 +76,19 @@ public:
+ */
+ static void installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents);
++ /**
++ * Install privileges-specific smack rules.
++ *
++ * Function creates smack rules using predefined template. Rules are applied
++ * to the kernel and saved on persistent storage so they are loaded on system boot.
++ *
++ * @param[in] appId - application id that is beeing installed
++ * @param[in] pkgId - package id that the application is in
++ * @param[in] pkgContents - a list of all applications in the package
++ * @param[in] privileges - a list of all prvileges
++ */
++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
+ /**
+ * Uninstall package-specific smack rules.
+ *
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 3629e0f..922a56f 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
+ }
+ }
+
++void SmackRules::addFromTemplateFile(const std::string &appId,
++ const std::string &pkgId, const std::string &path)
++{
++ std::vector<std::string> templateRules;
++ std::string line;
++ std::ifstream templateRulesFile(path);
++
++ if (!templateRulesFile.is_open()) {
++ LogError("Cannot open rules template file: " << path);
++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
++ }
++
++ while (std::getline(templateRulesFile, line)) {
++ templateRules.push_back(line);
++ }
++
++ if (templateRulesFile.bad()) {
++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ }
++
++ addFromTemplate(templateRules, appId, pkgId);
++}
+
+ void SmackRules::addFromTemplateFile(const std::string &appId,
+ const std::string &pkgId)
+@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+ return path;
+ }
++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
++{
++ SmackRules smackRules;
++ std::string appPath = getApplicationRulesFilePath(appId);
++ smackRules.loadFromFile(appPath);
++ struct stat buffer;
++ for (auto privilege : privileges) {
++ if (privilege.empty())
++ continue;
++ std::string fprivilege ( privilege + "-template.smack");
++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ if( stat(path.c_str(), &buffer) == 0)
++ smackRules.addFromTemplateFile(appId, pkgId, path);
++ }
++
++ if (smack_smackfs_path() != NULL)
++ smackRules.apply();
+
++ smackRules.saveToFile(appPath);
++ updatePackageRules(pkgId, pkgContents);
++}
+ void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents)
+ {
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
new file mode 100644
index 000000000..59d4971ff
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
@@ -0,0 +1,34 @@
+From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:06:23 -0600
+Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules
+
+If it's need it could create load multiple set of smack rules
+related with the privileges.
+It wouldn't affect the case that only the default set of rules is need it.
+
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/service_impl.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index 7fd621c..ae305d3 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
+ << req.pkgId << ". Applications in package: " << pkgContents.size());
+ SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
++ /*Setup for privileges custom rules*/
++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
++ << req.pkgId << ". Applications in package: " << pkgContents.size()
++ << " and Privileges");
++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
++ pkgContents,req.privileges);
+ } catch (const SmackException::Base &e) {
+ LogError("Error while applying Smack policy for application: " << e.DumpToString());
+ return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
new file mode 100644
index 000000000..0739f28c7
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
@@ -0,0 +1,32 @@
+From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Wed, 13 Jan 2016 17:30:06 +0100
+Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/]
+
+Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/dpl/core/include/dpl/binary_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h
+index dd03f5e..185b6c7 100644
+--- a/src/dpl/core/include/dpl/binary_queue.h
++++ b/src/dpl/core/include/dpl/binary_queue.h
+@@ -33,7 +33,7 @@ namespace SecurityManager {
+ * Binary queue auto pointer
+ */
+ class BinaryQueue;
+-typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr;
++typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr;
+
+ /**
+ * Binary stream implemented as constant size bucket list
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
new file mode 100644
index 000000000..3b8aad98c
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
@@ -0,0 +1,47 @@
+From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 8 Jan 2016 16:53:46 +0100
+Subject: [PATCH 06/14] socket-manager: removes tizen specific call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function 'smack_fgetlabel' is specific to Tizen
+and is no more maintained upstream.
+
+Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/]
+
+Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/server/main/socket-manager.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
+index 94c54c6..5e1a79b 100644
+--- a/src/server/main/socket-manager.cpp
++++ b/src/server/main/socket-manager.cpp
+@@ -30,6 +30,7 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/smack.h>
++#include <linux/xattr.h>
+ #include <sys/un.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp(
+ if (smack_check()) {
+ LogInfo("Set up smack label: " << desc.smackLabel);
+
+- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
+- LogError("Error in smack_fsetlabel");
+- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) {
++ LogError("Error in smack_set_label_for_file");
++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file");
+ }
+ } else {
+ LogInfo("No smack on platform. Socket won't be securied with smack label!");
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
new file mode 100644
index 000000000..bad99d25a
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
@@ -0,0 +1,78 @@
+From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 15:56:27 +0100
+Subject: [PATCH 07/14] removes dependency to libslp-db-utils
+
+Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
+---
+ src/common/CMakeLists.txt | 3 ++-
+ src/dpl/db/src/sql_connection.cpp | 17 +----------------
+ 2 files changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 968c7c1..9ae376f 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+ libsystemd
+ libsmack
+- db-util
++ sqlite3
++ icu-i18n
+ cynara-admin
+ cynara-client
+ )
+diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
+index fdb4fe4..f49a6dc 100644
+--- a/src/dpl/db/src/sql_connection.cpp
++++ b/src/dpl/db/src/sql_connection.cpp
+@@ -26,7 +26,6 @@
+ #include <memory>
+ #include <dpl/noncopyable.h>
+ #include <dpl/assert.h>
+-#include <db-util.h>
+ #include <unistd.h>
+ #include <cstdio>
+ #include <cstdarg>
+@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address,
+
+ // Connect to database
+ int result;
+- if (type & Flag::UseLucene) {
+- result = db_util_open_with_options(
+- address.c_str(),
+- &m_connection,
+- flag,
+- NULL);
+-
+- m_usingLucene = true;
+- LogPedantic("Lucene index enabled");
+- } else {
++ (void)type;
+ result = sqlite3_open_v2(
+ address.c_str(),
+ &m_connection,
+@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address,
+
+ m_usingLucene = false;
+ LogPedantic("Lucene index disabled");
+- }
+
+ if (result == SQLITE_OK) {
+ LogPedantic("Connected to DB");
+@@ -653,11 +642,7 @@ void SqlConnection::Disconnect()
+
+ int result;
+
+- if (m_usingLucene) {
+- result = db_util_close(m_connection);
+- } else {
+ result = sqlite3_close(m_connection);
+- }
+
+ if (result != SQLITE_OK) {
+ const char *error = sqlite3_errmsg(m_connection);
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
new file mode 100644
index 000000000..5ece7ef4f
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
@@ -0,0 +1,38 @@
+From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Wed, 12 Oct 2016 17:48:55 +0200
+Subject: [PATCH 08/14] Fix gcc6 build
+
+Signed-off-by: ronan <ronan@ot.bzh>
+---
+ src/client/client-security-manager.cpp | 1 +
+ src/common/include/privilege_db.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
+index 74a6b30..347cddd 100644
+--- a/src/client/client-security-manager.cpp
++++ b/src/client/client-security-manager.cpp
+@@ -46,6 +46,7 @@
+ #include <service_impl.h>
+ #include <security-manager.h>
+ #include <client-offline.h>
++#include <linux/xattr.h>
+
+ static const char *EMPTY = "";
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..08fb9d6 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -32,6 +32,7 @@
+ #include <map>
+ #include <stdbool.h>
+ #include <string>
++#include <vector>
+
+ #include <dpl/db/sql_connection.h>
+ #include <tzplatform_config.h>
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
new file mode 100644
index 000000000..706eb1a93
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
@@ -0,0 +1,40 @@
+From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001
+From: Ronan <ronan.lemartret@iot.bzh>
+Date: Thu, 13 Oct 2016 11:37:47 +0200
+Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build
+
+Signed-off-by: Ronan <ronan.lemartret@iot.bzh>
+---
+ src/cmd/CMakeLists.txt | 4 +---
+ src/server/CMakeLists.txt | 1 -
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt
+index ee9a160..aa7a12c 100644
+--- a/src/cmd/CMakeLists.txt
++++ b/src/cmd/CMakeLists.txt
+@@ -1,8 +1,6 @@
+ FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
+
+-INCLUDE_DIRECTORIES(SYSTEM
+- ${Boost_INCLUDE_DIRS}
+- )
++
+
+ INCLUDE_DIRECTORIES(
+ ${INCLUDE_PATH}
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 6849d76..9598037 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED)
+
+ INCLUDE_DIRECTORIES(SYSTEM
+ ${SERVER_DEP_INCLUDE_DIRS}
+- ${Boost_INCLUDE_DIRS}
+ ${Threads_INCLUDE_DIRS}
+ )
+
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
new file mode 100644
index 000000000..0f48c5f68
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
@@ -0,0 +1,51 @@
+From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001
+From: Changhyeok Bae <changhyeok.bae@gmail.com>
+Date: Sun, 17 Dec 2017 15:40:58 +0000
+Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function
+
+Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
+---
+ src/client/client-common.cpp | 1 +
+ src/common/smack-labels.cpp | 1 +
+ src/dpl/core/src/binary_queue.cpp | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp
+index 883ab8d..1babdf7 100644
+--- a/src/client/client-common.cpp
++++ b/src/client/client-common.cpp
+@@ -31,6 +31,7 @@
+ #include <sys/xattr.h>
+ #include <linux/xattr.h>
+ #include <unistd.h>
++#include <functional>
+
+ #include <dpl/log/log.h>
+ #include <dpl/serialization.h>
+diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
+index 0294a42..1598099 100644
+--- a/src/common/smack-labels.cpp
++++ b/src/common/smack-labels.cpp
+@@ -29,6 +29,7 @@
+ #include <sys/xattr.h>
+ #include <linux/xattr.h>
+ #include <memory>
++#include <functional>
+ #include <fts.h>
+ #include <cstring>
+ #include <string>
+diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp
+index 72817a6..838409f 100644
+--- a/src/dpl/core/src/binary_queue.cpp
++++ b/src/dpl/core/src/binary_queue.cpp
+@@ -26,6 +26,7 @@
+ #include <malloc.h>
+ #include <cstring>
+ #include <new>
++#include <functional>
+
+ namespace SecurityManager {
+ BinaryQueue::BinaryQueue() :
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
new file mode 100644
index 000000000..5c679fc26
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
@@ -0,0 +1,32 @@
+From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001
+From: Stephane Desneux <stephane.desneux@iot.bzh>
+Date: Fri, 1 Feb 2019 12:26:17 +0000
+Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=]
+
+Fixes the following warning/error during compile:
+
+src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=]
+| } catch (Exception) {
+| ^~~~~~~~~
+
+Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
+---
+ src/dpl/core/src/assert.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp
+index 63538a2..fc60ce9 100644
+--- a/src/dpl/core/src/assert.cpp
++++ b/src/dpl/core/src/assert.cpp
+@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
+ INTERNAL_LOG("### Function: " << function);
+ INTERNAL_LOG(
+ "################################################################################");
+- } catch (Exception) {
++ } catch (Exception const&) {
+ // Just ignore possible double errors
+ }
+
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
new file mode 100644
index 000000000..91ccf9ee2
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
@@ -0,0 +1,122 @@
+From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 1 Feb 2019 15:37:44 +0100
+Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Latest version of g++ refuse the cast
+
+ reinterpret_cast<void (Service::*)(void*)>(serviceFunction)
+
+I made no investigation to know if the problem
+is coming from the const or not.
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ src/server/main/include/service-thread.h | 42 ++++++++++--------------
+ 1 file changed, 18 insertions(+), 24 deletions(-)
+
+diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h
+index 964d168..61fdda8 100644
+--- a/src/server/main/include/service-thread.h
++++ b/src/server/main/include/service-thread.h
+@@ -94,7 +94,7 @@ public:
+ Join();
+ while (!m_eventQueue.empty()){
+ auto front = m_eventQueue.front();
+- delete front.eventPtr;
++ delete front;
+ m_eventQueue.pop();
+ }
+ }
+@@ -104,34 +104,28 @@ public:
+ Service *servicePtr,
+ void (Service::*serviceFunction)(const T &))
+ {
+- EventDescription description;
+- description.serviceFunctionPtr =
+- reinterpret_cast<void (Service::*)(void*)>(serviceFunction);
+- description.servicePtr = servicePtr;
+- description.eventFunctionPtr = &ServiceThread::EventCall<T>;
+- description.eventPtr = new T(event);
++ EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction);
+ {
+ std::lock_guard<std::mutex> lock(m_eventQueueMutex);
+- m_eventQueue.push(description);
++ m_eventQueue.push(ec);
+ }
+ m_waitCondition.notify_one();
+ }
+
+ protected:
+
+- struct EventDescription {
+- void (Service::*serviceFunctionPtr)(void *);
+- Service *servicePtr;
+- void (ServiceThread::*eventFunctionPtr)(const EventDescription &event);
+- GenericEvent* eventPtr;
++ struct EventCallerBase {
++ virtual void fire() = 0;
++ virtual ~EventCallerBase() {}
+ };
+
+ template <class T>
+- void EventCall(const EventDescription &desc) {
+- auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr);
+- const T& eventLocale = *(static_cast<T*>(desc.eventPtr));
+- (desc.servicePtr->*fun)(eventLocale);
+- }
++ struct EventCaller : public EventCallerBase {
++ T *event; Service *target; void (Service::*function)(const T&);
++ EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {}
++ ~EventCaller() { delete event; }
++ void fire() { (target->*function)(*event); }
++ };
+
+ static void ThreadLoopStatic(ServiceThread *ptr) {
+ ptr->ThreadLoop();
+@@ -139,33 +133,33 @@ protected:
+
+ void ThreadLoop(){
+ for (;;) {
+- EventDescription description = {NULL, NULL, NULL, NULL};
++ EventCallerBase *ec = NULL;
+ {
+ std::unique_lock<std::mutex> ulock(m_eventQueueMutex);
+ if (m_quit)
+ return;
+ if (!m_eventQueue.empty()) {
+- description = m_eventQueue.front();
++ ec = m_eventQueue.front();
+ m_eventQueue.pop();
+ } else {
+ m_waitCondition.wait(ulock);
+ }
+ }
+
+- if (description.eventPtr != NULL) {
++ if (ec != NULL) {
+ UNHANDLED_EXCEPTION_HANDLER_BEGIN
+ {
+- (this->*description.eventFunctionPtr)(description);
+- delete description.eventPtr;
++ ec->fire();
+ }
+ UNHANDLED_EXCEPTION_HANDLER_END
++ delete ec;
+ }
+ }
+ }
+
+ std::thread m_thread;
+ std::mutex m_eventQueueMutex;
+- std::queue<EventDescription> m_eventQueue;
++ std::queue<EventCallerBase*> m_eventQueue;
+ std::condition_variable m_waitCondition;
+
+ State m_state;
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
new file mode 100644
index 000000000..fb6215923
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
@@ -0,0 +1,259 @@
+From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 14:26:25 +0100
+Subject: [PATCH 13/14] Removing tizen-platform-config
+
+Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
+---
+ CMakeLists.txt | 16 +++++++-
+ db/CMakeLists.txt | 2 +-
+ policy/CMakeLists.txt | 1 +
+ ...load => security-manager-policy-reload.in} | 4 +-
+ src/common/file-lock.cpp | 4 +-
+ src/common/include/file-lock.h | 1 -
+ src/common/include/privilege_db.h | 3 +-
+ src/common/service_impl.cpp | 39 ++++++-------------
+ src/common/smack-rules.cpp | 12 ++----
+ 9 files changed, 37 insertions(+), 45 deletions(-)
+ rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 28790d8..37a43cc 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall") # Generate all warnings
+ ADD_DEFINITIONS("-Wextra") # Generate even more extra warnings
+
+ STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}")
+-ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
++ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"")
+
+ ADD_DEFINITIONS("-DSMACK_ENABLED")
+
+@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
+ ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG")
+ ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
+
++SET(DATADIR "/usr/share/security-manager" CACHE STRING "path to data directory")
++SET(SMACKRULESDIR "/etc/smack/accesses.d" CACHE STRING "path to Smack rules directory")
++SET(LOCKDIR "/var/run/lock" CACHE STRING "path to lock directory")
++SET(DB_INSTALL_DIR "/var/db/security-manager" CACHE STRING "path to database directory")
++SET(DB_FILENAME ".security-manager.db" CACHE STRING "basename of database")
++SET(GLOBALUSER "userapp" CACHE STRING "name of the global user")
++
++ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"")
++ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"")
++ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"")
++ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"")
++ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"")
++ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"")
++
+ ADD_SUBDIRECTORY(src)
+ ADD_SUBDIRECTORY(pc)
+ ADD_SUBDIRECTORY(systemd)
+diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
+index 9e8ffcc..d7af1a0 100644
+--- a/db/CMakeLists.txt
++++ b/db/CMakeLists.txt
+@@ -1,4 +1,4 @@
+-SET(TARGET_DB ".security-manager.db")
++SET(TARGET_DB "$(DB_FILENAME)")
+
+ ADD_CUSTOM_COMMAND(
+ OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
+diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
+index bd08edc..626a2bd 100644
+--- a/policy/CMakeLists.txt
++++ b/policy/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)
++CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY)
+ INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+ INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+ INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in
+similarity index 94%
+rename from policy/security-manager-policy-reload
+rename to policy/security-manager-policy-reload.in
+index 6f211c6..c1bc4e2 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload.in
+@@ -1,8 +1,8 @@
+ #!/bin/sh -e
+
+-POLICY_PATH=/usr/share/security-manager/policy
++POLICY_PATH=@DATADIR@/policy
+ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
++DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@
+
+ # Create default buckets
+ while read bucket default_policy
+diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
+index 6f3996c..88d2092 100644
+--- a/src/common/file-lock.cpp
++++ b/src/common/file-lock.cpp
+@@ -30,9 +30,7 @@
+
+ namespace SecurityManager {
+
+-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
+- "lock",
+- "security-manager.lock");
++char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock";
+
+ FileLocker::FileLocker(const std::string &lockFile, bool blocking)
+ {
+diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
+index 604b019..21a86a0 100644
+--- a/src/common/include/file-lock.h
++++ b/src/common/include/file-lock.h
+@@ -29,7 +29,6 @@
+
+ #include <dpl/exception.h>
+ #include <dpl/noncopyable.h>
+-#include <tzplatform_config.h>
+
+ namespace SecurityManager {
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 08fb9d6..3344987 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -35,14 +35,13 @@
+ #include <vector>
+
+ #include <dpl/db/sql_connection.h>
+-#include <tzplatform_config.h>
+
+ #ifndef PRIVILEGE_DB_H_
+ #define PRIVILEGE_DB_H_
+
+ namespace SecurityManager {
+
+-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
++const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME;
+
+ enum class QueryType {
+ EGetPkgPrivileges,
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index ae305d3..42150fe 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -32,7 +32,6 @@
+ #include <algorithm>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "protocols.h"
+ #include "privilege_db.h"
+@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
+
+ static uid_t getGlobalUserId(void)
+ {
+- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++ static uid_t globaluid = 0;
++ if (!globaluid) {
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p);
++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
++ }
+ return globaluid;
+ }
+
+@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
+
+ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
+ {
+- struct tzplatform_context *tz_ctx = nullptr;
+-
+- if (tzplatform_context_create(&tz_ctx))
+- return false;
+-
+- if (tzplatform_context_set_user(tz_ctx, uid)) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
++ if (rc || p == NULL)
+ return false;
+- }
+-
+- enum tzplatform_variable id =
+- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
+- const char *appDir = tzplatform_context_getenv(tz_ctx, id);
+- if (!appDir) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+- return false;
+- }
+-
+- userAppDir = appDir;
+-
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+-
++ userAppDir = p->pw_dir;
+ return true;
+ }
+
+ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
+ {
+- std::string userHome;
+ std::string userAppDir;
+ std::stringstream correctPath;
+
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 922a56f..c2e0041 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -34,7 +34,6 @@
+ #include <memory>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "smack-labels.h"
+ #include "smack-rules.h"
+@@ -43,7 +42,7 @@ namespace SecurityManager {
+
+ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
+ const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
+-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
++const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack";
+ const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
+
+ SmackRules::SmackRules()
+@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
+
+ std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
+- return path;
++ return SMACKRULESDIR "/pkg_" + pkgId;
+ }
+
+ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+- return path;
++ return SMACKRULESDIR "/app_" + appId;
+ }
+ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
+ for (auto privilege : privileges) {
+ if (privilege.empty())
+ continue;
+- std::string fprivilege ( privilege + "-template.smack");
+- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ std::string path = DATADIR "/policy/" + privilege + "-template.smack";
+ if( stat(path.c_str(), &buffer) == 0)
+ smackRules.addFromTemplateFile(appId, pkgId, path);
+ }
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch
new file mode 100644
index 000000000..542a387d2
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch
@@ -0,0 +1,78 @@
+From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 26 Nov 2019 12:34:39 +0100
+Subject: [PATCH 14/14] Ensure post install initialization of database
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Creation of the database was made during image creation,
+leading to issue with SOTA. This adds the creation on
+need before launching the service.
+
+Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ db/CMakeLists.txt | 14 ++++++--------
+ db/security-manager-setup | 14 ++++++++++++++
+ systemd/security-manager.service.in | 1 +
+ 3 files changed, 21 insertions(+), 8 deletions(-)
+ create mode 100644 db/security-manager-setup
+
+diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
+index d7af1a0..dcf5bc8 100644
+--- a/db/CMakeLists.txt
++++ b/db/CMakeLists.txt
+@@ -1,12 +1,10 @@
+-SET(TARGET_DB "$(DB_FILENAME)")
+-
+ ADD_CUSTOM_COMMAND(
+- OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
+- COMMAND sqlite3 ${TARGET_DB} <db.sql
+- )
++ OUTPUT .security-manager-setup
++ COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup
++ DEPENDS security-manager-setup db.sql
++)
+
+ # Add a dummy build target to trigger building of ${TARGET_DB}
+-ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB})
++ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup)
+
+-INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR})
+-INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR})
++INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR})
+diff --git a/db/security-manager-setup b/db/security-manager-setup
+new file mode 100644
+index 0000000..5675baf
+--- /dev/null
++++ b/db/security-manager-setup
+@@ -0,0 +1,14 @@
++#!/bin/sh
++
++if test -f "$1"; then exit; fi
++set -e
++dbdir="$(dirname "$1")"
++dbfile="$(basename "$1")"
++test -n "$dbfile"
++test -n "$dbdir"
++mkdir -p "$dbdir"
++cd "$dbdir"
++sqlite3 "$dbfile" << END-OF-CAT
++--DB.SQL--
++END-OF-CAT
++
+diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in
+index 23fd1b2..2bf97d7 100644
+--- a/systemd/security-manager.service.in
++++ b/systemd/security-manager.service.in
+@@ -3,5 +3,6 @@ Description=Start the security manager
+
+ [Service]
+ Type=notify
++ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@
+ ExecStart=@BIN_INSTALL_DIR@/security-manager
+ Sockets=security-manager.socket
+--
+2.21.0
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
new file mode 100644
index 000000000..d9949193b
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
@@ -0,0 +1,34 @@
+From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Thu, 30 Jan 2020 09:19:25 +0100
+Subject: [PATCH 15/15] Restrict socket accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ensure that only members of the group and the owner can access
+the security manager.
+
+Bug-AGL: SPEC-3146
+
+Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ systemd/security-manager.socket | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
+index af1c1da..b401f77 100644
+--- a/systemd/security-manager.socket
++++ b/systemd/security-manager.socket
+@@ -1,6 +1,6 @@
+ [Socket]
+ ListenStream=/run/security-manager.socket
+-SocketMode=0777
++SocketMode=0660
+ SmackLabelIPIn=*
+ SmackLabelIPOut=@
+
+--
+2.21.1
+
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend
new file mode 100644
index 000000000..ec8435369
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend
@@ -0,0 +1,13 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/security-manager:"
+
+EXTRA_OECMAKE =+ " -DGLOBALUSER=afm"
+
+SRC_URI += " \
+ file://0001-Adapt-rules-to-AGL.patch \
+"
+
+do_install_append() {
+ # Needed for wayland-0 socket access and memfd usage
+ echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+ echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
+}
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bb b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb
new file mode 100644
index 000000000..b34973519
--- /dev/null
+++ b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb
@@ -0,0 +1,27 @@
+require security-manager.inc
+
+PV = "1.0.2+git${SRCPV}"
+SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6"
+SRC_URI += "git://github.com/Samsung/security-manager.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+ file://0001-systemd-stop-using-compat-libs.patch \
+ file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \
+ file://0003-Smack-rules-create-two-new-functions.patch \
+ file://0004-app-install-implement-multiple-set-of-smack-rules.patch \
+ file://0005-c-11-replace-deprecated-auto_ptr.patch \
+ file://0006-socket-manager-removes-tizen-specific-call.patch \
+ file://0007-removes-dependency-to-libslp-db-utils.patch \
+ file://0008-Fix-gcc6-build.patch \
+ file://0009-Fix-Cmake-conf-for-gcc6-build.patch \
+ file://0010-gcc-7-requires-include-functional-for-std-function.patch \
+ file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \
+ file://0012-Avoid-casting-from-const-T-to-void.patch \
+ file://0013-Removing-tizen-platform-config.patch \
+ file://0014-Ensure-post-install-initialization-of-database.patch \
+ file://0015-Restrict-socket-accesses.patch \
+"
+
+# Use make with cmake and not ninja
+OECMAKE_GENERATOR = "Unix Makefiles"
diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend
index 09820be2f..afbc16c30 100644
--- a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend
+++ b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend
@@ -1,4 +1 @@
-# Disable nss to avoid build issues on native
-PACKAGECONFIG = "gnutls libgcrypt openssl des"
-
-BBCLASSEXTEND = "native nativesdk"
+require ${@bb.utils.contains('APPFW_ENABLED', '1', 'xmlsec1_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc
new file mode 100644
index 000000000..09820be2f
--- /dev/null
+++ b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc
@@ -0,0 +1,4 @@
+# Disable nss to avoid build issues on native
+PACKAGECONFIG = "gnutls libgcrypt openssl des"
+
+BBCLASSEXTEND = "native nativesdk"