aboutsummaryrefslogtreecommitdiffstats
path: root/meta-security/recipes-security/security-manager
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security/recipes-security/security-manager')
-rw-r--r--meta-security/recipes-security/security-manager/security-manager.inc98
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch116
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch34
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch196
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch32
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch24
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch32
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch78
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch35
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch47
-rw-r--r--meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch47
-rw-r--r--meta-security/recipes-security/security-manager/security-manager_git.bb34
12 files changed, 773 insertions, 0 deletions
diff --git a/meta-security/recipes-security/security-manager/security-manager.inc b/meta-security/recipes-security/security-manager/security-manager.inc
new file mode 100644
index 000000000..ee749a8fb
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager.inc
@@ -0,0 +1,98 @@
+DESCRIPTION = "Security manager and utilities"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
+
+inherit cmake
+
+# Out-of-tree build is broken ("sqlite3 .security-manager.db <db.sql" where db.sql is in $S/db).
+B = "${S}"
+
+DEPENDS = " \
+attr \
+boost \
+cynara \
+icu \
+libcap \
+smack \
+sqlite3 \
+sqlite3-native \
+systemd \
+"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE"
+
+TZ_SYS_DB = "/var/db/security-manager"
+
+EXTRA_OECMAKE = " \
+-DCMAKE_VERBOSE_MAKEFILE=ON \
+-DVERSION=${PV} \
+-DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \
+-DBIN_INSTALL_DIR=${bindir} \
+-DDB_INSTALL_DIR=${TZ_SYS_DB} \
+-DLIB_INSTALL_DIR=${libdir} \
+-DSHARE_INSTALL_PREFIX=${datadir} \
+-DINCLUDE_INSTALL_DIR=${includedir} \
+"
+
+inherit systemd
+SYSTEMD_SERVICE_${PN} = "security-manager.service"
+
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES += "smack"
+
+# The upstream source code contains the Tizen-specific policy configuration files.
+# To replace them, create a security-manager.bbappend and set the following variable to a
+# space-separated list of policy file names (not URIs!), for example:
+# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile"
+#
+# Leave it empty to use the upstream Tizen policy.
+SECURITY_MANAGER_POLICY ?= ""
+SRC_URI_append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}"
+python do_patch_append () {
+ import os
+ import shutil
+ import glob
+ files = d.getVar('SECURITY_MANAGER_POLICY', True).split()
+ if files:
+ s = d.getVar('S', True)
+ workdir = d.getVar('WORKDIR', True)
+ for pattern in ['*.profile', '*.list']:
+ for old_file in glob.glob(s + '/policy/' + pattern):
+ os.unlink(old_file)
+ for file in files:
+ shutil.copy(file, s + '/policy')
+}
+
+do_install_append () {
+ install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants
+ ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service
+ install -d ${D}/${systemd_unitdir}/system/sockets.target.wants
+ ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket
+}
+
+RDEPENDS_${PN} += "smack"
+pkg_postinst_${PN} () {
+ set -e
+ chsmack -a System $D${TZ_SYS_DB}/.security-manager.db
+ chsmack -a System $D${TZ_SYS_DB}/.security-manager.db-journal
+}
+
+FILES_${PN} += " \
+${systemd_unitdir} \
+${TZ_SYS_DB} \
+"
+
+PACKAGES =+ "${PN}-policy"
+FILES_${PN}-policy = " \
+ ${datadir}/${PN} \
+ ${bindir}/security-manager-policy-reload \
+"
+RDEPENDS_${PN}-policy += "sqlite3 cynara"
+pkg_postinst_${PN}-policy () {
+ if [ x"$D" = "x" ] && ${bindir}/security-manager-policy-reload; then
+ exit 0
+ else
+ exit 1
+ fi
+}
diff --git a/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch b/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
new file mode 100644
index 000000000..b0e11afe4
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0001-Smack-rules-create-two-new-functions.patch
@@ -0,0 +1,116 @@
+From d130a7384428a96f31ad5950ffbffadc0aa29a15 Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:01:35 -0600
+Subject: [PATCH 1/2] Smack-rules: create two new functions
+
+It let to smack-rules to create multiple set of rules
+related with the privileges.
+
+It runs from the same bases than for a static set of rules on the
+template, but let you add 1 or many templates for different cases.
+
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/include/smack-rules.h | 15 ++++++++++++++
+ src/common/smack-rules.cpp | 44 ++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 59 insertions(+)
+
+diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
+index 91446a7..f9fa438 100644
+--- a/src/common/include/smack-rules.h
++++ b/src/common/include/smack-rules.h
+@@ -47,6 +47,8 @@ public:
+ void addFromTemplate(const std::vector<std::string> &templateRules,
+ const std::string &appId, const std::string &pkgId);
+ void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
++ void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
++ const std::string &path);
+
+ void apply() const;
+ void clear() const;
+@@ -75,6 +77,19 @@ public:
+ static void installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents);
+ /**
++ * Install privileges-specific smack rules.
++ *
++ * Function creates smack rules using predefined template. Rules are applied
++ * to the kernel and saved on persistent storage so they are loaded on system boot.
++ *
++ * @param[in] appId - application id that is beeing installed
++ * @param[in] pkgId - package id that the application is in
++ * @param[in] pkgContents - a list of all applications in the package
++ * @param[in] privileges - a list of all prvileges
++ */
++ static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
++ /**
+ * Uninstall package-specific smack rules.
+ *
+ * Function loads package-specific smack rules, revokes them from the kernel
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index 3629e0f..d834e42 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
+ }
+ }
+
++void SmackRules::addFromTemplateFile(const std::string &appId,
++ const std::string &pkgId, const std::string &path)
++{
++ std::vector<std::string> templateRules;
++ std::string line;
++ std::ifstream templateRulesFile(path);
++
++ if (!templateRulesFile.is_open()) {
++ LogError("Cannot open rules template file: " << path);
++ ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
++ }
++
++ while (std::getline(templateRulesFile, line)) {
++ templateRules.push_back(line);
++ }
++
++ if (templateRulesFile.bad()) {
++ LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
++ }
++
++ addFromTemplate(templateRules, appId, pkgId);
++}
+
+ void SmackRules::addFromTemplateFile(const std::string &appId,
+ const std::string &pkgId)
+@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+ return path;
+ }
++void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
++ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
++{
++ SmackRules smackRules;
++ std::string appPath = getApplicationRulesFilePath(appId);
++ smackRules.loadFromFile(appPath);
++ struct stat buffer;
++ for (auto privilege : privileges) {
++ if (privilege.empty())
++ continue;
++ std::string fprivilege ( privilege + "-template.smack");
++ std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ if( stat(path.c_str(), &buffer) == 0)
++ smackRules.addFromTemplateFile(appId, pkgId, path);
++ }
++
++ if (smack_smackfs_path() != NULL)
++ smackRules.apply();
+
++ smackRules.saveToFile(appPath);
++ updatePackageRules(pkgId, pkgContents);
++}
+ void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents)
+ {
+--
+2.1.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch b/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch
new file mode 100644
index 000000000..d60096a15
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/0002-app-install-implement-multiple-set-of-smack-rules.patch
@@ -0,0 +1,34 @@
+From 19688cbe2ca10921a499f3fa265928dca54cf98d Mon Sep 17 00:00:00 2001
+From: Alejandro Joya <alejandro.joya.cruz@intel.com>
+Date: Wed, 4 Nov 2015 19:06:23 -0600
+Subject: [PATCH 2/2] app-install: implement multiple set of smack-rules
+
+If it's need it could create load multiple set of smack rules
+related with the privileges.
+It wouldn't affect the case that only the default set of rules is need it.
+
+Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
+---
+ src/common/service_impl.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index 7fd621c..ae305d3 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
+ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
+ << req.pkgId << ". Applications in package: " << pkgContents.size());
+ SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
++ /*Setup for privileges custom rules*/
++ LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
++ << req.pkgId << ". Applications in package: " << pkgContents.size()
++ << " and Privileges");
++ SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
++ pkgContents,req.privileges);
+ } catch (const SmackException::Base &e) {
+ LogError("Error while applying Smack policy for application: " << e.DumpToString());
+ return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
+--
+2.1.0
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch b/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch
new file mode 100644
index 000000000..4baea6572
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/Removing-tizen-platform-config.patch
@@ -0,0 +1,196 @@
+From 72e66d0e42f3bb6efd689ce33b1df407d94b3c60 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 14:26:25 +0100
+Subject: [PATCH] Removing tizen-platform-config
+
+Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
+---
+ policy/security-manager-policy-reload | 2 +-
+ src/common/file-lock.cpp | 4 +---
+ src/common/include/file-lock.h | 1 -
+ src/common/include/privilege_db.h | 3 +--
+ src/common/service_impl.cpp | 39 +++++++++++------------------------
+ src/common/smack-rules.cpp | 12 ++++-------
+ 6 files changed, 19 insertions(+), 42 deletions(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 6f211c6..ed8047a 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -2,7 +2,7 @@
+
+ POLICY_PATH=/usr/share/security-manager/policy
+ PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
+-DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
++DB_FILE=/usr/dbspace/.security-manager.db
+
+ # Create default buckets
+ while read bucket default_policy
+diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
+index 6f3996c..1dada17 100644
+--- a/src/common/file-lock.cpp
++++ b/src/common/file-lock.cpp
+@@ -30,9 +30,7 @@
+
+ namespace SecurityManager {
+
+-char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
+- "lock",
+- "security-manager.lock");
++char const * const SERVICE_LOCK_FILE = "/var/run/lock/security-manager.lock";
+
+ FileLocker::FileLocker(const std::string &lockFile, bool blocking)
+ {
+diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
+index 604b019..21a86a0 100644
+--- a/src/common/include/file-lock.h
++++ b/src/common/include/file-lock.h
+@@ -29,7 +29,6 @@
+
+ #include <dpl/exception.h>
+ #include <dpl/noncopyable.h>
+-#include <tzplatform_config.h>
+
+ namespace SecurityManager {
+
+diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
+index 4d73d90..03c6680 100644
+--- a/src/common/include/privilege_db.h
++++ b/src/common/include/privilege_db.h
+@@ -34,14 +34,13 @@
+ #include <string>
+
+ #include <dpl/db/sql_connection.h>
+-#include <tzplatform_config.h>
+
+ #ifndef PRIVILEGE_DB_H_
+ #define PRIVILEGE_DB_H_
+
+ namespace SecurityManager {
+
+-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
++const char *const PRIVILEGE_DB_PATH = "/usr/dbspace/.security-manager.db";
+
+ enum class QueryType {
+ EGetPkgPrivileges,
+diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
+index ae305d3..65cc8b5 100644
+--- a/src/common/service_impl.cpp
++++ b/src/common/service_impl.cpp
+@@ -32,7 +32,6 @@
+ #include <algorithm>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "protocols.h"
+ #include "privilege_db.h"
+@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
+
+ static uid_t getGlobalUserId(void)
+ {
+- static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++ static uid_t globaluid = 0;
++ if (!globaluid) {
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwnam_r("userapp", &pw, buf, sizeof buf, &p);
++ globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
++ }
+ return globaluid;
+ }
+
+@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
+
+ static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
+ {
+- struct tzplatform_context *tz_ctx = nullptr;
+-
+- if (tzplatform_context_create(&tz_ctx))
+- return false;
+-
+- if (tzplatform_context_set_user(tz_ctx, uid)) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
++ struct passwd pw, *p;
++ char buf[4096];
++ int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
++ if (rc || p == NULL)
+ return false;
+- }
+-
+- enum tzplatform_variable id =
+- (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
+- const char *appDir = tzplatform_context_getenv(tz_ctx, id);
+- if (!appDir) {
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+- return false;
+- }
+-
+- userAppDir = appDir;
+-
+- tzplatform_context_destroy(tz_ctx);
+- tz_ctx = nullptr;
+-
++ userAppDir = p->pw_dir;
+ return true;
+ }
+
+ static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
+ {
+- std::string userHome;
+ std::string userAppDir;
+ std::stringstream correctPath;
+
+diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
+index d834e42..8b5728b 100644
+--- a/src/common/smack-rules.cpp
++++ b/src/common/smack-rules.cpp
+@@ -34,7 +34,6 @@
+ #include <memory>
+
+ #include <dpl/log/log.h>
+-#include <tzplatform_config.h>
+
+ #include "smack-labels.h"
+ #include "smack-rules.h"
+@@ -43,7 +42,7 @@ namespace SecurityManager {
+
+ const char *const SMACK_APP_LABEL_TEMPLATE = "~APP~";
+ const char *const SMACK_PKG_LABEL_TEMPLATE = "~PKG~";
+-const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
++const char *const APP_RULES_TEMPLATE_FILE_PATH = "/usr/share/security-manager/policy/app-rules-template.smack";
+ const char *const SMACK_APP_IN_PACKAGE_PERMS = "rwxat";
+
+ SmackRules::SmackRules()
+@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
+
+ std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/pkg_" + pkgId;
+ }
+
+ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
+ {
+- std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" + appId).c_str()));
+- return path;
++ return "/etc/smack/accesses.d/app_" + appId;
+ }
+ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
+ const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
+@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
+ for (auto privilege : privileges) {
+ if (privilege.empty())
+ continue;
+- std::string fprivilege ( privilege + "-template.smack");
+- std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
++ std::string path = "/usr/share/security-manager/policy/" + privilege + "-template.smack";
+ if( stat(path.c_str(), &buffer) == 0)
+ smackRules.addFromTemplateFile(appId, pkgId, path);
+ }
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch b/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch
new file mode 100644
index 000000000..c312a9e72
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/c-11-replace-depracated-auto_ptr.patch
@@ -0,0 +1,32 @@
+From 6abeec29a0e704f4bf7084b29275b99fea0a78de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Wed, 13 Jan 2016 17:30:06 +0100
+Subject: [PATCH 2/2] c++11: replace depracated auto_ptr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/]
+
+Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/dpl/core/include/dpl/binary_queue.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h
+index dd03f5e..185b6c7 100644
+--- a/src/dpl/core/include/dpl/binary_queue.h
++++ b/src/dpl/core/include/dpl/binary_queue.h
+@@ -33,7 +33,7 @@ namespace SecurityManager {
+ * Binary queue auto pointer
+ */
+ class BinaryQueue;
+-typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr;
++typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr;
+
+ /**
+ * Binary stream implemented as constant size bucket list
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch b/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch
new file mode 100644
index 000000000..33fbc025e
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/include-linux-xattr.patch
@@ -0,0 +1,24 @@
+From: José Bollo <jose.bollo@iot.bzh>
+Date: Tue, 30 Oct 2015 14:32:03 -0100
+Subject: [PATCH] include linux xattr
+
+adds a #include <linux/xattr.h> in source.
+
+---
+ src/client/client-security-manager.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
+index 74a6b30..641790b 100644
+--- a/src/client/client-security-manager.cpp
++++ b/src/client/client-security-manager.cpp
+@@ -34,6 +34,7 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/xattr.h>
++#include <linux/xattr.h>
+ #include <sys/smack.h>
+ #include <sys/capability.h>
+
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch b/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch
new file mode 100644
index 000000000..a948343f8
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/libcap-without-pkgconfig.patch
@@ -0,0 +1,32 @@
+From: José Bollo <jose.bollo@iot.bzh>
+Date: Tue, 30 Oct 2015 14:32:03 -0100
+Subject: [PATCH] libcap without pkgconfig
+
+Handles libcap that isn't distributed for pkg-config
+
+---
+ src/client/CMakeLists.txt | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/client/CMakeLists.txt b/src/client/CMakeLists.txt
+index 5399a55..0250ce2 100644
+--- a/src/client/CMakeLists.txt
++++ b/src/client/CMakeLists.txt
+@@ -1,7 +1,6 @@
+ PKG_CHECK_MODULES(CLIENT_DEP
+ REQUIRED
+ libsmack
+- libcap
+ )
+
+ SET(CLIENT_VERSION_MAJOR 1)
+@@ -37,6 +36,7 @@ SET_TARGET_PROPERTIES(${TARGET_CLIENT}
+ TARGET_LINK_LIBRARIES(${TARGET_CLIENT}
+ ${TARGET_COMMON}
+ ${CLIENT_DEP_LIBRARIES}
++ cap
+ )
+
+ INSTALL(TARGETS ${TARGET_CLIENT} DESTINATION ${LIB_INSTALL_DIR})
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch b/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch
new file mode 100644
index 000000000..f94973074
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/removes-dependency-to-libslp-db-utils.patch
@@ -0,0 +1,78 @@
+From 1e2f8f58d4320afa1d83a6f94822e53346108ee8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Mon, 16 Nov 2015 15:56:27 +0100
+Subject: [PATCH] removes dependency to libslp-db-utils
+
+Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
+---
+ src/common/CMakeLists.txt | 1 ++-
+ src/dpl/db/src/sql_connection.cpp | 17 +----------------
+ 2 files changed, 3 additions(+), 17 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 968c7c1..d1fe644 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+ libsystemd
+ libsmack
+- db-util
++ sqlite3
++ icu-i18n
+ cynara-admin
+ cynara-client
+ )
+diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
+index fdb4fe4..1fb97be 100644
+--- a/src/dpl/db/src/sql_connection.cpp
++++ b/src/dpl/db/src/sql_connection.cpp
+@@ -26,7 +26,6 @@
+ #include <memory>
+ #include <dpl/noncopyable.h>
+ #include <dpl/assert.h>
+-#include <db-util.h>
+ #include <unistd.h>
+ #include <cstdio>
+ #include <cstdarg>
+@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address,
+
+ // Connect to database
+ int result;
+- if (type & Flag::UseLucene) {
+- result = db_util_open_with_options(
+- address.c_str(),
+- &m_connection,
+- flag,
+- NULL);
+-
+- m_usingLucene = true;
+- LogPedantic("Lucene index enabled");
+- } else {
++ (void)type;
+ result = sqlite3_open_v2(
+ address.c_str(),
+ &m_connection,
+@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address,
+
+ m_usingLucene = false;
+ LogPedantic("Lucene index disabled");
+- }
+
+ if (result == SQLITE_OK) {
+ LogPedantic("Connected to DB");
+@@ -653,11 +642,7 @@ void SqlConnection::Disconnect()
+
+ int result;
+
+- if (m_usingLucene) {
+- result = db_util_close(m_connection);
+- } else {
+ result = sqlite3_close(m_connection);
+- }
+
+ if (result != SQLITE_OK) {
+ const char *error = sqlite3_errmsg(m_connection);
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch
new file mode 100644
index 000000000..ac57964ca
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/security-manager-policy-reload-do-not-depend-on-GNU-.patch
@@ -0,0 +1,35 @@
+From d2995014142306987bf86b4d508a84b9b4683c5c Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Wed, 19 Aug 2015 15:02:32 +0200
+Subject: [PATCH 2/2] security-manager-policy-reload: do not depend on GNU sed
+
+\U (= make replacement uppercase) is a GNU sed extension which is not
+supported by other sed implementation's (like the one from
+busybox). When using busybox, the bucket for user profiles became
+USER_TYPE_Uadmin instead USER_TYPE_ADMIN.
+
+To make SecurityManager more portable, better use tr to turn the
+bucket name into uppercase.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+
+---
+ policy/security-manager-policy-reload | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
+index 274c49c..6f211c6 100755
+--- a/policy/security-manager-policy-reload
++++ b/policy/security-manager-policy-reload
+@@ -33,7 +33,7 @@ END
+ find "$POLICY_PATH" -name "usertype-*.profile" |
+ while read file
+ do
+- bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
++ bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`"
+
+ # Re-create the bucket with empty contents
+ cyad --delete-bucket=$bucket || true
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch b/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch
new file mode 100644
index 000000000..fa4c21c7f
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/socket-manager-removes-tizen-specific-call.patch
@@ -0,0 +1,47 @@
+From 75c4852e47217ab85d6840b488ab4b3688091856 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Fri, 8 Jan 2016 16:53:46 +0100
+Subject: [PATCH 1/2] socket-manager: removes tizen specific call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function 'smack_fgetlabel' is specific to Tizen
+and is no more maintained upstream.
+
+Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/]
+
+Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f
+Signed-off-by: José Bollo <jobol@nonadev.net>
+---
+ src/server/main/socket-manager.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
+index 0366186..c5cec18 100644
+--- a/src/server/main/socket-manager.cpp
++++ b/src/server/main/socket-manager.cpp
+@@ -30,6 +30,7 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/smack.h>
++#include <linux/xattr.h>
+ #include <sys/un.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+@@ -500,9 +501,9 @@ int SocketManager::CreateDomainSocketHelp(
+ if (smack_check()) {
+ LogInfo("Set up smack label: " << desc.smackLabel);
+
+- if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
+- LogError("Error in smack_fsetlabel");
+- ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
++ if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) {
++ LogError("Error in smack_set_label_for_file");
++ ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file");
+ }
+ } else {
+ LogInfo("No smack on platform. Socket won't be securied with smack label!");
+--
+2.1.4
+
diff --git a/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch b/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch
new file mode 100644
index 000000000..cd5c36a6a
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager/systemd-stop-using-compat-libs.patch
@@ -0,0 +1,47 @@
+From 8ec024d2adecb53029c6f1af2b95c93dfd43a7cb Mon Sep 17 00:00:00 2001
+From: Patrick Ohly <patrick.ohly@intel.com>
+Date: Tue, 24 Mar 2015 04:54:03 -0700
+Subject: [PATCH] systemd: stop using compat libs
+
+libsystemd-journal and libsystemd-daemon are considered obsolete
+in systemd since 2.09 and may not be available (not compiled
+by default).
+
+The code works fine with the current libsystemd, so just
+use that.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
+
+---
+ src/common/CMakeLists.txt | 2 +-
+ src/server/CMakeLists.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
+index 2da9c3e..968c7c1 100644
+--- a/src/common/CMakeLists.txt
++++ b/src/common/CMakeLists.txt
+@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2)
+
+ PKG_CHECK_MODULES(COMMON_DEP
+ REQUIRED
+- libsystemd-journal
++ libsystemd
+ libsmack
+ db-util
+ cynara-admin
+diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
+index 753eb96..6849d76 100644
+--- a/src/server/CMakeLists.txt
++++ b/src/server/CMakeLists.txt
+@@ -1,6 +1,6 @@
+ PKG_CHECK_MODULES(SERVER_DEP
+ REQUIRED
+- libsystemd-daemon
++ libsystemd
+ )
+
+ FIND_PACKAGE(Boost REQUIRED)
+--
+2.1.4
diff --git a/meta-security/recipes-security/security-manager/security-manager_git.bb b/meta-security/recipes-security/security-manager/security-manager_git.bb
new file mode 100644
index 000000000..65134d31a
--- /dev/null
+++ b/meta-security/recipes-security/security-manager/security-manager_git.bb
@@ -0,0 +1,34 @@
+require security-manager.inc
+
+PV = "1.0.2+git${SRCPV}"
+SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6"
+SRC_URI += "git://github.com/Samsung/security-manager.git"
+S = "${WORKDIR}/git"
+
+SRC_URI += " \
+file://systemd-stop-using-compat-libs.patch \
+file://security-manager-policy-reload-do-not-depend-on-GNU-.patch \
+file://0001-Smack-rules-create-two-new-functions.patch \
+file://0002-app-install-implement-multiple-set-of-smack-rules.patch \
+file://c-11-replace-depracated-auto_ptr.patch \
+file://socket-manager-removes-tizen-specific-call.patch \
+file://Removing-tizen-platform-config.patch \
+file://removes-dependency-to-libslp-db-utils.patch \
+"
+
+##########################################
+# This are patches for backward compatibility to the version dizzy of poky.
+# The dizzy version of libcap isn't providing a packconfig file.
+# This is solved by the patch libcap-without-pkgconfig.patch.
+# But after solving that issue, it appears that linux/xattr.h should
+# also be include add definitions of XATTR_NAME_SMACK... values.
+# Unfortunately, there is no explanation why linux/xattr.h should
+# also be included (patch include-linux-xattr.patch)
+##########################################
+do_patch[depends] = "libcap:do_populate_sysroot"
+APPLY = "${@str('no' if os.path.exists('${STAGING_LIBDIR}/pkgconfig/libcap.pc') else 'yes')}"
+SRC_URI += "\
+ file://libcap-without-pkgconfig.patch;apply=${APPLY} \
+ file://include-linux-xattr.patch;apply=${APPLY} \
+"
+