aboutsummaryrefslogtreecommitdiffstats
path: root/meta-security
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/conf/layer.conf2
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch (renamed from meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch)121
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch (renamed from meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch)44
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch (renamed from meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch)33
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch (renamed from meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch)28
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch (renamed from meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch)15
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0006-Fix-SIGSEGV-on-disconnections.patch (renamed from meta-security/recipes-core/dbus-cynara/dbus-cynara/0007-Fix-SIGSEGV-on-disconnections.patch)6
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch1048
-rw-r--r--meta-security/recipes-core/dbus-cynagora/dbus_1.12.16.bbappend (renamed from meta-security/recipes-core/dbus-cynara/dbus_1.12.10.bbappend)10
-rw-r--r--meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch134
-rw-r--r--meta-security/recipes-core/systemd/systemd_2%.bbappend (renamed from meta-security/recipes-core/systemd/systemd_239.bbappend)0
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch19
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch30
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch13
-rw-r--r--meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch13
-rw-r--r--meta-security/recipes-security/keyutils/keyutils_1.5.8.bb44
-rw-r--r--meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend3
17 files changed, 1240 insertions, 323 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 16dae3989..608cf62ed 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -11,4 +11,4 @@ BBFILE_COLLECTIONS += "security-smack"
BBFILE_PATTERN_security-smack := "^${LAYERDIR}/"
BBFILE_PRIORITY_security-smack = "60"
-LAYERSERIES_COMPAT_security-smack = "thud"
+LAYERSERIES_COMPAT_security-smack = "zeus"
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch
index 69d13ac35..55cedb9c7 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0001-Integration-of-Cynara-asynchronous-security-checks.patch
+++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch
@@ -1,7 +1,7 @@
-From 6c498a9b0f4122d1ac49d603f9968b6d85830cdb Mon Sep 17 00:00:00 2001
+From ea4b650366261e4257e4b0fb95e7f48e30ef36f0 Mon Sep 17 00:00:00 2001
From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Date: Thu, 27 Nov 2014 18:11:05 +0100
-Subject: Integration of Cynara asynchronous security checks
+Subject: [PATCH 1/8] Integration of Cynara asynchronous security checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -20,13 +20,48 @@ Cherry picked from 4dcfb02f17247ff9de966b62182cd2e08f301238
by José Bollo.
Updated for dbus 1.10.20 by Scott Murray and José Bollo
+Updated for dbus 1.12.16 by José Bollo
Change-Id: I9bcbce34577e5dc2a3cecf6233a0a2b0e43e1108
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ bus/Makefile.am | 6 +
+ bus/activation.c | 5 +-
+ bus/bus.c | 124 ++++--
+ bus/bus.h | 22 +-
+ bus/check.c | 217 ++++++++++
+ bus/check.h | 68 ++++
+ bus/config-parser-common.c | 6 +
+ bus/config-parser-common.h | 1 +
+ bus/config-parser-trivial.c | 2 +
+ bus/config-parser.c | 72 +++-
+ bus/connection.c | 57 ++-
+ bus/connection.h | 4 +
+ bus/cynara.c | 374 ++++++++++++++++++
+ bus/cynara.h | 37 ++
+ bus/dispatch.c | 46 ++-
+ bus/driver.h | 2 +
+ bus/policy.c | 195 ++++++---
+ bus/policy.h | 29 +-
+ configure.ac | 12 +
+ test/Makefile.am | 1 +
+ .../data/invalid-config-files/badcheck-1.conf | 9 +
+ .../data/invalid-config-files/badcheck-2.conf | 9 +
+ test/data/valid-config-files/check-1.conf | 9 +
+ .../debug-check-some.conf.in | 18 +
+ 24 files changed, 1181 insertions(+), 144 deletions(-)
+ create mode 100644 bus/check.c
+ create mode 100644 bus/check.h
+ create mode 100644 bus/cynara.c
+ create mode 100644 bus/cynara.h
+ create mode 100644 test/data/invalid-config-files/badcheck-1.conf
+ create mode 100644 test/data/invalid-config-files/badcheck-2.conf
+ create mode 100644 test/data/valid-config-files/check-1.conf
+ create mode 100644 test/data/valid-config-files/debug-check-some.conf.in
diff --git a/bus/Makefile.am b/bus/Makefile.am
-index 9ae3071..46afb31 100644
+index c917063..2a8a72c 100644
--- a/bus/Makefile.am
+++ b/bus/Makefile.am
@@ -13,6 +13,7 @@ DBUS_BUS_LIBS = \
@@ -64,10 +99,10 @@ index 9ae3071..46afb31 100644
desktop-file.h \
$(DIR_WATCH_SOURCE) \
diff --git a/bus/activation.c b/bus/activation.c
-index 6f009f5..f8a02eb 100644
+index 99404b9..f9c6c62 100644
--- a/bus/activation.c
+++ b/bus/activation.c
-@@ -1788,14 +1788,15 @@ bus_activation_activate_service (BusActivation *activation,
+@@ -1789,14 +1789,15 @@ bus_activation_activate_service (BusActivation *activation,
if (auto_activation &&
entry != NULL &&
@@ -86,7 +121,7 @@ index 6f009f5..f8a02eb 100644
_DBUS_ASSERT_ERROR_IS_SET (error);
_dbus_verbose ("activation not authorized: %s: %s\n",
diff --git a/bus/bus.c b/bus/bus.c
-index 30ce4e1..237efe3 100644
+index 2ad8e78..6fc45d0 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -38,6 +38,7 @@
@@ -757,8 +792,28 @@ index 382a014..9e026d1 100644
ELEMENT_FORK,
ELEMENT_PIDFILE,
ELEMENT_SERVICEDIR,
+diff --git a/bus/config-parser-trivial.c b/bus/config-parser-trivial.c
+index dd65c6d..23dedb4 100644
+--- a/bus/config-parser-trivial.c
++++ b/bus/config-parser-trivial.c
+@@ -194,6 +194,7 @@ bus_config_parser_start_element (BusConfigParser *parser,
+ case ELEMENT_POLICY:
+ case ELEMENT_LIMIT:
+ case ELEMENT_ALLOW:
++ case ELEMENT_CHECK:
+ case ELEMENT_DENY:
+ case ELEMENT_FORK:
+ case ELEMENT_PIDFILE:
+@@ -316,6 +317,7 @@ bus_config_parser_content (BusConfigParser *parser,
+ case ELEMENT_POLICY:
+ case ELEMENT_LIMIT:
+ case ELEMENT_ALLOW:
++ case ELEMENT_CHECK:
+ case ELEMENT_DENY:
+ case ELEMENT_FORK:
+ case ELEMENT_PIDFILE:
diff --git a/bus/config-parser.c b/bus/config-parser.c
-index be27d38..b5f1dd1 100644
+index be27d38..7f91469 100644
--- a/bus/config-parser.c
+++ b/bus/config-parser.c
@@ -1318,7 +1318,7 @@ append_rule_from_element (BusConfigParser *parser,
@@ -965,6 +1020,14 @@ index be27d38..b5f1dd1 100644
if (parser == NULL)
{
_DBUS_ASSERT_ERROR_IS_SET (&error);
+@@ -3359,6 +3408,7 @@ elements_equal (const Element *a,
+ case ELEMENT_LISTEN:
+ case ELEMENT_AUTH:
+ case ELEMENT_ALLOW:
++ case ELEMENT_CHECK:
+ case ELEMENT_DENY:
+ case ELEMENT_FORK:
+ case ELEMENT_PIDFILE:
diff --git a/bus/connection.c b/bus/connection.c
index 53605fa..b348d42 100644
--- a/bus/connection.c
@@ -1197,7 +1260,7 @@ index 0000000..57a4c45
+
+#define USE_CYNARA_CACHE 1
+#ifdef USE_CYNARA_CACHE
-+#define CYNARA_CACHE_SIZE 7000
++#define CYNARA_CACHE_SIZE 1000
+#endif
+
+static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch,
@@ -1664,8 +1727,20 @@ index 19228be..d3867f7 100644
_dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS);
if (!bus_driver_handle_message (connection, transaction, message, &error))
+diff --git a/bus/driver.h b/bus/driver.h
+index ac1289d..a7297ad 100644
+--- a/bus/driver.h
++++ b/bus/driver.h
+@@ -66,5 +66,7 @@ dbus_bool_t bus_driver_send_ack_reply (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusMessage *message,
+ DBusError *error);
++dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message,
++ DBusError *error);
+
+ #endif /* BUS_DRIVER_H */
diff --git a/bus/policy.c b/bus/policy.c
-index a37be80..7ee1ce5 100644
+index a37be80..7de92c6 100644
--- a/bus/policy.c
+++ b/bus/policy.c
@@ -22,6 +22,7 @@
@@ -1829,7 +1904,7 @@ index a37be80..7ee1ce5 100644
(!no_interface &&
strcmp (dbus_message_get_interface (message),
rule->d.send.interface) != 0))
-@@ -1079,33 +1093,63 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
+@@ -1079,33 +1093,64 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
}
/* Use this rule */
@@ -1840,6 +1915,7 @@ index a37be80..7ee1ce5 100644
+ result = BUS_RESULT_TRUE;
+ break;
+ case BUS_POLICY_RULE_ACCESS_DENY:
++ default:
+ result = BUS_RESULT_FALSE;
+ break;
+ case BUS_POLICY_RULE_ACCESS_CHECK:
@@ -1907,7 +1983,7 @@ index a37be80..7ee1ce5 100644
eavesdropping =
addressed_recipient != proposed_recipient &&
-@@ -1118,7 +1162,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1118,7 +1163,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
_dbus_verbose (" (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
*toggles = 0;
@@ -1916,7 +1992,7 @@ index a37be80..7ee1ce5 100644
link = _dbus_list_get_first_link (&policy->rules);
while (link != NULL)
{
-@@ -1141,19 +1185,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1141,19 +1186,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
}
}
@@ -1943,7 +2019,7 @@ index a37be80..7ee1ce5 100644
{
_dbus_verbose (" (policy) skipping deny rule since it only applies to eavesdropping\n");
continue;
-@@ -1162,13 +1208,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1162,13 +1209,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
/* If it's a reply, the requested_reply flag kicks in */
if (dbus_message_get_reply_serial (message) != 0)
{
@@ -1963,7 +2039,7 @@ index a37be80..7ee1ce5 100644
continue;
}
-@@ -1176,7 +1223,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1176,7 +1224,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
* when the reply was not requested. requested_reply=true means the
* rule always applies.
*/
@@ -1972,7 +2048,7 @@ index a37be80..7ee1ce5 100644
{
_dbus_verbose (" (policy) skipping deny rule since it only applies to unrequested replies\n");
continue;
-@@ -1199,13 +1246,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1199,13 +1247,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
/* The interface is optional in messages. For allow rules, if the message
* has no interface we want to skip the rule (and thus not allow);
* for deny rules, if the message has no interface we want to use the
@@ -1988,7 +2064,7 @@ index a37be80..7ee1ce5 100644
(!no_interface &&
strcmp (dbus_message_get_interface (message),
rule->d.receive.interface) != 0))
-@@ -1295,14 +1342,42 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1295,14 +1343,43 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
}
/* Use this rule */
@@ -1999,6 +2075,7 @@ index a37be80..7ee1ce5 100644
+ result = BUS_RESULT_TRUE;
+ break;
+ case BUS_POLICY_RULE_ACCESS_DENY:
++ default:
+ result = BUS_RESULT_FALSE;
+ break;
+ case BUS_POLICY_RULE_ACCESS_CHECK:
@@ -2035,7 +2112,7 @@ index a37be80..7ee1ce5 100644
}
-@@ -1354,7 +1429,7 @@ bus_rules_check_can_own (DBusList *rules,
+@@ -1354,7 +1431,7 @@ bus_rules_check_can_own (DBusList *rules,
}
/* Use this rule */
@@ -2117,10 +2194,10 @@ index ec43ffa..f839d23 100644
const DBusString *service_name);
dbus_bool_t bus_client_policy_append_rule (BusClientPolicy *policy,
diff --git a/configure.ac b/configure.ac
-index 81028ba..f21d1b2 100644
+index d1e3a29..11b5ffd 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1770,6 +1770,17 @@ AC_ARG_ENABLE([user-session],
+@@ -1742,6 +1742,17 @@ AC_ARG_ENABLE([user-session],
AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION],
[test "x$enable_user_session" = xyes])
@@ -2138,7 +2215,7 @@ index 81028ba..f21d1b2 100644
AC_CONFIG_FILES([
Doxyfile
dbus/Version
-@@ -1852,6 +1863,7 @@ echo "
+@@ -1824,6 +1835,7 @@ echo "
Building bus stats API: ${enable_stats}
Building SELinux support: ${have_selinux}
Building AppArmor support: ${have_apparmor}
@@ -2147,7 +2224,7 @@ index 81028ba..f21d1b2 100644
Building kqueue support: ${have_kqueue}
Building systemd support: ${have_systemd}
diff --git a/test/Makefile.am b/test/Makefile.am
-index 6a6e1a3..ce84dbc 100644
+index af1e13b..e6f50e1 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -439,6 +439,7 @@ in_data = \
@@ -2228,5 +2305,5 @@ index 0000000..47ee854
+ </policy>
+</busconfig>
--
-2.17.2
+2.21.1
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch
index ebbd531ff..bac8cf97f 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0002-Disable-message-dispatching-when-send-rule-result-is.patch
+++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch
@@ -1,7 +1,8 @@
-From aae977a0c4bb1c25640c7056166fbc4e76ef1db6 Mon Sep 17 00:00:00 2001
+From c2f4ba585c777b731df6b6b8a165b6cc4dc5d639 Mon Sep 17 00:00:00 2001
From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Date: Fri, 28 Nov 2014 12:07:39 +0100
-Subject: Disable message dispatching when send rule result is not known
+Subject: [PATCH 2/8] Disable message dispatching when send rule result is not
+ known
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -23,9 +24,23 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ bus/activation.c | 76 +++++++++++--
+ bus/check.c | 109 +++++++++++++++++--
+ bus/check.h | 10 ++
+ bus/cynara.c | 1 -
+ bus/dispatch.c | 184 ++++++++++++++++++++++++++++----
+ bus/dispatch.h | 2 +-
+ bus/driver.c | 12 ++-
+ dbus/dbus-connection-internal.h | 15 +++
+ dbus/dbus-connection.c | 125 +++++++++++++++++++++-
+ dbus/dbus-list.c | 29 +++++
+ dbus/dbus-list.h | 3 +
+ dbus/dbus-shared.h | 3 +-
+ 12 files changed, 528 insertions(+), 41 deletions(-)
diff --git a/bus/activation.c b/bus/activation.c
-index f8a02eb..005047f 100644
+index f9c6c62..8301b59 100644
--- a/bus/activation.c
+++ b/bus/activation.c
@@ -32,6 +32,7 @@
@@ -74,11 +89,15 @@ index f8a02eb..005047f 100644
{
/* If permission is denied, we just want to return the error
* to the original method invoker; in particular, we don't
-@@ -1266,9 +1272,40 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+@@ -1266,11 +1272,44 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
bus_connection_send_oom_error (entry->connection,
entry->activation_message);
}
-+ }
+-
+ dbus_error_free (&error);
+ link = next;
+ continue;
+ }
+ else if (res == BUS_RESULT_LATER)
+ {
+ DBusList *putback_message_link = link;
@@ -91,9 +110,7 @@ index f8a02eb..005047f 100644
+ link = next;
+ continue;
+ }
-
-- link = next;
-- continue;
++
+ /**
+ * Getting here means that policy check result is not yet available and dispatching
+ * messages from entry->connection has been disabled.
@@ -114,10 +131,11 @@ index f8a02eb..005047f 100644
+
+ putback_message_link = _dbus_list_get_next_link(&pending_activation->entries, putback_message_link);
+ }
- }
++ }
}
-@@ -1286,6 +1323,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
+ link = next;
+@@ -1287,6 +1326,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
return TRUE;
error:
@@ -137,7 +155,7 @@ index f8a02eb..005047f 100644
return FALSE;
}
-@@ -2078,6 +2128,7 @@ bus_activation_activate_service (BusActivation *activation,
+@@ -2079,6 +2131,7 @@ bus_activation_activate_service (BusActivation *activation,
if (service != NULL)
{
@@ -145,7 +163,7 @@ index f8a02eb..005047f 100644
bus_context_log (activation->context,
DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s' requested by '%s' (%s)",
service_name,
-@@ -2085,8 +2136,17 @@ bus_activation_activate_service (BusActivation *activation,
+@@ -2086,8 +2139,17 @@ bus_activation_activate_service (BusActivation *activation,
bus_connection_get_name (connection),
bus_connection_get_loginfo (connection));
/* Wonderful, systemd is connected, let's just send the msg */
@@ -945,5 +963,5 @@ index 7ab9103..e5bfbed 100644
/* Bus names */
--
-2.17.2
+2.21.1
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch
index 1c2ab2bcb..7d89a7496 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0003-Handle-unavailability-of-policy-results-for-broadcas.patch
+++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch
@@ -1,8 +1,8 @@
-From fdc3d7086c8f7a623e3da80e559708545b9201fc Mon Sep 17 00:00:00 2001
+From 9d39aa9dd55680529d721a0389ce9ef579bb669a Mon Sep 17 00:00:00 2001
From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Date: Fri, 28 Nov 2014 12:39:33 +0100
-Subject: Handle unavailability of policy results for broadcasts and receive
- rules
+Subject: [PATCH 3/8] Handle unavailability of policy results for broadcasts
+ and receive rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -25,9 +25,22 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ bus/activation.c | 4 +-
+ bus/bus.c | 50 ++++++--
+ bus/bus.h | 19 +++
+ bus/check.c | 307 +++++++++++++++++++++++++++++++++++++++++++++++
+ bus/check.h | 25 ++++
+ bus/connection.c | 168 ++++++++++++++++++++++++--
+ bus/connection.h | 19 ++-
+ bus/dispatch.c | 115 +++++++++++++++---
+ bus/dispatch.h | 11 +-
+ bus/driver.c | 2 +-
+ bus/policy.c | 6 +
+ 11 files changed, 683 insertions(+), 43 deletions(-)
diff --git a/bus/activation.c b/bus/activation.c
-index 005047f..ffdc6fc 100644
+index 8301b59..d4b597c 100644
--- a/bus/activation.c
+++ b/bus/activation.c
@@ -1259,7 +1259,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation *activation
@@ -39,7 +52,7 @@ index 005047f..ffdc6fc 100644
if (res == BUS_RESULT_FALSE)
{
/* If permission is denied, we just want to return the error
-@@ -2137,7 +2137,7 @@ bus_activation_activate_service (BusActivation *activation,
+@@ -2140,7 +2140,7 @@ bus_activation_activate_service (BusActivation *activation,
bus_connection_get_loginfo (connection));
/* Wonderful, systemd is connected, let's just send the msg */
res = bus_dispatch_matches (activation_transaction, NULL,
@@ -49,7 +62,7 @@ index 005047f..ffdc6fc 100644
if (res == BUS_RESULT_TRUE)
retval = TRUE;
diff --git a/bus/bus.c b/bus/bus.c
-index 237efe3..5bb5637 100644
+index 6fc45d0..0aa700b 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -1800,17 +1800,9 @@ bus_context_check_security_policy (BusContext *context,
@@ -1054,10 +1067,10 @@ index f414f64..d89a658 100644
retval = TRUE;
else
diff --git a/bus/policy.c b/bus/policy.c
-index 7ee1ce5..b1fab0d 100644
+index 7de92c6..483cc97 100644
--- a/bus/policy.c
+++ b/bus/policy.c
-@@ -1121,6 +1121,9 @@ bus_client_policy_check_can_send (DBusConnection *sender,
+@@ -1122,6 +1122,9 @@ bus_client_policy_check_can_send (DBusConnection *sender,
result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
@@ -1067,7 +1080,7 @@ index 7ee1ce5..b1fab0d 100644
}
else
privilege = NULL;
-@@ -1370,6 +1373,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1372,6 +1375,9 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
@@ -1078,5 +1091,5 @@ index 7ee1ce5..b1fab0d 100644
else
privilege = NULL;
--
-2.17.2
+2.21.1
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch
index 9cb744def..9953dcaac 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0004-Add-own-rule-result-unavailability-handling.patch
+++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch
@@ -1,7 +1,7 @@
-From e7ae85429aa3e6d80df13b3a5a492d9ccbf42518 Mon Sep 17 00:00:00 2001
+From 28ada62c98d74285dc22b66650b09b6c8f2c28c4 Mon Sep 17 00:00:00 2001
From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Date: Thu, 27 Nov 2014 11:26:21 +0100
-Subject: Add own rule result unavailability handling
+Subject: [PATCH 4/8] Add own rule result unavailability handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -21,6 +21,17 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ bus/dispatch.c | 11 +-
+ bus/driver.c | 334 ++++++++++++++++++++++++++++---------------------
+ bus/driver.h | 2 +-
+ bus/policy.c | 52 ++++++--
+ bus/policy.h | 6 +-
+ bus/services.c | 26 ++--
+ bus/services.h | 3 +-
+ bus/stats.c | 23 ++--
+ bus/stats.h | 6 +-
+ 9 files changed, 283 insertions(+), 180 deletions(-)
diff --git a/bus/dispatch.c b/bus/dispatch.c
index 7d30ce4..4b84c21 100644
@@ -1160,7 +1171,7 @@ index d89a658..aaeb3b2 100644
+ return BUS_RESULT_FALSE;
}
diff --git a/bus/driver.h b/bus/driver.h
-index ac1289d..183c28b 100644
+index a7297ad..05e9886 100644
--- a/bus/driver.h
+++ b/bus/driver.h
@@ -35,7 +35,7 @@ typedef enum
@@ -1173,10 +1184,10 @@ index ac1289d..183c28b 100644
DBusMessage *message,
DBusError *error);
diff --git a/bus/policy.c b/bus/policy.c
-index b1fab0d..27b66d1 100644
+index 483cc97..f6f4d85 100644
--- a/bus/policy.c
+++ b/bus/policy.c
-@@ -1388,18 +1388,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
+@@ -1390,18 +1390,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
@@ -1202,7 +1213,7 @@ index b1fab0d..27b66d1 100644
link = _dbus_list_get_first_link (&rules);
while (link != NULL)
{
-@@ -1435,17 +1438,45 @@ bus_rules_check_can_own (DBusList *rules,
+@@ -1437,17 +1440,46 @@ bus_rules_check_can_own (DBusList *rules,
}
/* Use this rule */
@@ -1212,6 +1223,7 @@ index b1fab0d..27b66d1 100644
+ case BUS_POLICY_RULE_ACCESS_ALLOW:
+ result = BUS_RESULT_TRUE;
+ break;
++ default:
+ case BUS_POLICY_RULE_ACCESS_DENY:
+ result = BUS_RESULT_FALSE;
+ break;
@@ -1253,7 +1265,7 @@ index b1fab0d..27b66d1 100644
}
#ifdef DBUS_ENABLE_EMBEDDED_TESTS
-@@ -1453,7 +1484,7 @@ dbus_bool_t
+@@ -1455,7 +1487,7 @@ dbus_bool_t
bus_policy_check_can_own (BusPolicy *policy,
const DBusString *service_name)
{
@@ -1489,5 +1501,5 @@ index dcb022c..683fa17 100644
DBusMessage *message,
DBusError *error);
--
-2.17.2
+2.21.1
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
index 8ce441b05..5f7e96a3b 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
+++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
@@ -1,7 +1,7 @@
-From 69ba571e0daa0a7a9aa6c6b5be5d3338a89d144a Mon Sep 17 00:00:00 2001
+From 1f7ba56c9ced669951061d13b06e31d96a170e37 Mon Sep 17 00:00:00 2001
From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Date: Tue, 23 Jun 2015 11:08:48 +0200
-Subject: Perform Cynara runtime policy checks by default
+Subject: [PATCH 5/8] Perform Cynara runtime policy checks by default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -29,12 +29,17 @@ Updated for dbus 1.10.20 by Scott Murray and José Bollo
Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ bus/activation.c | 42 ++++++++++++++++++++++++++----------------
+ bus/session.conf.in | 32 ++++++++++++++++++++++++++------
+ bus/system.conf.in | 19 +++++++++++++++----
+ 3 files changed, 67 insertions(+), 26 deletions(-)
diff --git a/bus/activation.c b/bus/activation.c
-index ffdc6fc..6a95b95 100644
+index d4b597c..8aabeaa 100644
--- a/bus/activation.c
+++ b/bus/activation.c
-@@ -1837,22 +1837,32 @@ bus_activation_activate_service (BusActivation *activation,
+@@ -1840,22 +1840,32 @@ bus_activation_activate_service (BusActivation *activation,
}
if (auto_activation &&
@@ -171,5 +176,5 @@ index f139b55..19d0c04 100644
<deny send_destination="org.freedesktop.DBus"
send_interface="org.freedesktop.DBus"
--
-2.17.2
+2.21.1
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0007-Fix-SIGSEGV-on-disconnections.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0006-Fix-SIGSEGV-on-disconnections.patch
index b5ee138ed..e51ad7ce4 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0007-Fix-SIGSEGV-on-disconnections.patch
+++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0006-Fix-SIGSEGV-on-disconnections.patch
@@ -1,7 +1,7 @@
-From 2a1c1c3f9264f53abc439ec44b33fdca8ffbb803 Mon Sep 17 00:00:00 2001
+From 28077faa11827e1ca7a7245ffd62ee78091b6bd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
Date: Fri, 16 Aug 2019 13:29:23 +0200
-Subject: [PATCH 7/8] Fix SIGSEGV on disconnections
+Subject: [PATCH 6/8] Fix SIGSEGV on disconnections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -105,5 +105,5 @@ index 97dae96..6af7bf1 100644
/* called by signals.c */
--
-2.17.2
+2.21.1
diff --git a/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch
new file mode 100644
index 000000000..7a69efcd2
--- /dev/null
+++ b/meta-security/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch
@@ -0,0 +1,1048 @@
+From 43cc361a5c32c81c0f93451bdb0ef781cd19a1cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
+Date: Tue, 4 Feb 2020 12:23:36 +0100
+Subject: [PATCH 7/8] Switch from cynara to cynagora
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: José Bollo <jose.bollo@iot.bzh>
+---
+ bus/Makefile.am | 8 +-
+ bus/bus.h | 2 +-
+ bus/check.c | 26 +-
+ bus/check.h | 2 +-
+ bus/connection.c | 27 ---
+ bus/connection.h | 3 -
+ bus/cynagora-check.c | 330 +++++++++++++++++++++++++
+ bus/{cynara.h => cynagora-check.h} | 10 +-
+ bus/cynara.c | 373 -----------------------------
+ bus/system.conf.in | 6 +-
+ configure.ac | 18 +-
+ 11 files changed, 366 insertions(+), 439 deletions(-)
+ create mode 100644 bus/cynagora-check.c
+ rename bus/{cynara.h => cynagora-check.h} (81%)
+ delete mode 100644 bus/cynara.c
+
+diff --git a/bus/Makefile.am b/bus/Makefile.am
+index 2a8a72c..1720048 100644
+--- a/bus/Makefile.am
++++ b/bus/Makefile.am
+@@ -13,7 +13,7 @@ DBUS_BUS_LIBS = \
+ $(THREAD_LIBS) \
+ $(ADT_LIBS) \
+ $(NETWORK_libs) \
+- $(CYNARA_LIBS) \
++ $(CYNAGORA_LIBS) \
+ $(NULL)
+
+ DBUS_LAUNCHER_LIBS = \
+@@ -31,7 +31,7 @@ AM_CPPFLAGS = \
+ $(APPARMOR_CFLAGS) \
+ -DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \
+ -DDBUS_COMPILATION \
+- $(CYNARA_CFLAGS) \
++ $(CYNAGORA_CFLAGS) \
+ $(NULL)
+
+ # if assertions are enabled, improve backtraces
+@@ -101,8 +101,8 @@ BUS_SOURCES= \
+ config-parser-common.h \
+ connection.c \
+ connection.h \
+- cynara.c \
+- cynara.h \
++ cynagora-check.c \
++ cynagora-check.h \
+ desktop-file.c \
+ desktop-file.h \
+ $(DIR_WATCH_SOURCE) \
+diff --git a/bus/bus.h b/bus/bus.h
+index 1b08f7c..e167d9e 100644
+--- a/bus/bus.h
++++ b/bus/bus.h
+@@ -47,7 +47,7 @@ typedef struct BusMatchRule BusMatchRule;
+ typedef struct BusActivationEntry BusActivationEntry;
+ typedef struct BusCheck BusCheck;
+ typedef struct BusDeferredMessage BusDeferredMessage;
+-typedef struct BusCynara BusCynara;
++typedef struct BusCynagora BusCynagora;
+
+ /**
+ * BusResult is defined as a pointer to a dummy structure to allow detection of type mismatches.
+diff --git a/bus/check.c b/bus/check.c
+index b73d08b..ec30770 100644
+--- a/bus/check.c
++++ b/bus/check.c
+@@ -26,7 +26,7 @@
+ #include "check.h"
+ #include "connection.h"
+ #include "dispatch.h"
+-#include "cynara.h"
++#include "cynagora-check.h"
+ #include "utils.h"
+ #include <dbus/dbus-connection-internal.h>
+ #include <dbus/dbus-message-internal.h>
+@@ -38,7 +38,7 @@ typedef struct BusCheck
+ int refcount;
+
+ BusContext *context;
+- BusCynara *cynara;
++ BusCynagora *cynagora;
+ } BusCheck;
+
+ typedef struct BusDeferredMessage
+@@ -81,7 +81,7 @@ bus_check_new (BusContext *context, DBusError *error)
+
+ check->refcount = 1;
+ check->context = context;
+- check->cynara = bus_cynara_new(check, error);
++ check->cynagora = bus_cynagora_new(check, error);
+ if (dbus_error_is_set(error))
+ {
+ dbus_message_free_data_slot(&deferred_message_data_slot);
+@@ -110,7 +110,7 @@ bus_check_unref (BusCheck *check)
+
+ if (check->refcount == 0)
+ {
+- bus_cynara_unref(check->cynara);
++ bus_cynagora_unref(check->cynagora);
+ dbus_message_free_data_slot(&deferred_message_data_slot);
+ dbus_free(check);
+ }
+@@ -122,10 +122,10 @@ bus_check_get_context (BusCheck *check)
+ return check->context;
+ }
+
+-BusCynara *
+-bus_check_get_cynara (BusCheck *check)
++BusCynagora *
++bus_check_get_cynagora (BusCheck *check)
+ {
+- return check->cynara;
++ return check->cynagora;
+ }
+
+ static void
+@@ -276,8 +276,8 @@ bus_check_privilege (BusCheck *check,
+ {
+ BusDeferredMessage *previous_deferred_message;
+ BusResult result = BUS_RESULT_FALSE;
+-#ifdef DBUS_ENABLE_CYNARA
+- BusCynara *cynara;
++#ifdef DBUS_ENABLE_CYNAGORA
++ BusCynagora *cynagora;
+ #endif
+ DBusConnection *connection;
+
+@@ -304,7 +304,7 @@ bus_check_privilege (BusCheck *check,
+ * Message has been deferred due to receive or own rule which means that sending this message
+ * is allowed - it must have been checked previously.
+ * This might happen when client calls RequestName method which depending on security
+- * policy might result in both "can_send" and "can_own" Cynara checks.
++ * policy might result in both "can_send" and "can_own" Cynagora checks.
+ */
+ result = BUS_RESULT_TRUE;
+ }
+@@ -327,9 +327,9 @@ bus_check_privilege (BusCheck *check,
+ else
+ {
+ /* ask policy checkers */
+-#ifdef DBUS_ENABLE_CYNARA
+- cynara = bus_check_get_cynara(check);
+- result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
++#ifdef DBUS_ENABLE_CYNAGORA
++ cynagora = bus_check_get_cynagora(check);
++ result = bus_cynagora_check_privilege(cynagora, message, sender, addressed_recipient,
+ proposed_recipient, privilege, check_type, deferred_message);
+ #endif
+ if (result == BUS_RESULT_LATER && deferred_message != NULL)
+diff --git a/bus/check.h b/bus/check.h
+index d718a69..ab63c18 100644
+--- a/bus/check.h
++++ b/bus/check.h
+@@ -45,7 +45,7 @@ BusCheck *bus_check_ref (BusCheck *check);
+ void bus_check_unref (BusCheck *check);
+
+ BusContext *bus_check_get_context (BusCheck *check);
+-BusCynara *bus_check_get_cynara (BusCheck *check);
++BusCynagora *bus_check_get_cynagora (BusCheck *check);
+ BusResult bus_check_privilege (BusCheck *check,
+ DBusMessage *message,
+ DBusConnection *sender,
+diff --git a/bus/connection.c b/bus/connection.c
+index b520d57..48910e0 100644
+--- a/bus/connection.c
++++ b/bus/connection.c
+@@ -38,10 +38,6 @@
+ #include <dbus/dbus-connection-internal.h>
+ #include <dbus/dbus-internals.h>
+ #include <dbus/dbus-message-internal.h>
+-#ifdef DBUS_ENABLE_CYNARA
+-#include <stdlib.h>
+-#include <cynara-session.h>
+-#endif
+
+ /* Trim executed commands to this length; we want to keep logs readable */
+ #define MAX_LOG_COMMAND_LEN 50
+@@ -124,9 +120,6 @@ typedef struct
+
+ /** non-NULL if and only if this is a monitor */
+ DBusList *link_in_monitors;
+-#ifdef DBUS_ENABLE_CYNARA
+- char *cynara_session_id;
+-#endif
+ } BusConnectionData;
+
+ static dbus_bool_t bus_pending_reply_expired (BusExpireList *list,
+@@ -461,10 +454,6 @@ free_connection_data (void *data)
+
+ dbus_free (d->name);
+
+-#ifdef DBUS_ENABLE_CYNARA
+- free (d->cynara_session_id);
+-#endif
+-
+ dbus_free (d);
+ }
+
+@@ -1095,22 +1084,6 @@ bus_connection_get_policy (DBusConnection *connection)
+ return d->policy;
+ }
+
+-#ifdef DBUS_ENABLE_CYNARA
+-const char *bus_connection_get_cynara_session_id (DBusConnection *connection)
+-{
+- BusConnectionData *d = BUS_CONNECTION_DATA (connection);
+- _dbus_assert (d != NULL);
+-
+- if (d->cynara_session_id == NULL)
+- {
+- unsigned long pid;
+- if (dbus_connection_get_unix_process_id(connection, &pid))
+- d->cynara_session_id = cynara_session_from_pid(pid);
+- }
+- return d->cynara_session_id;
+-}
+-#endif
+-
+ static dbus_bool_t
+ foreach_active (BusConnections *connections,
+ BusConnectionForeachFunction function,
+diff --git a/bus/connection.h b/bus/connection.h
+index 6af7bf1..3116bcf 100644
+--- a/bus/connection.h
++++ b/bus/connection.h
+@@ -138,9 +138,6 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection *connection,
+ BusTransaction *transaction,
+ DBusList **rules,
+ DBusError *error);
+-#ifdef DBUS_ENABLE_CYNARA
+-const char *bus_connection_get_cynara_session_id (DBusConnection *connection);
+-#endif
+
+ /* transaction API so we can send or not send a block of messages as a whole */
+
+diff --git a/bus/cynagora-check.c b/bus/cynagora-check.c
+new file mode 100644
+index 0000000..6c0c635
+--- /dev/null
++++ b/bus/cynagora-check.c
+@@ -0,0 +1,330 @@
++/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
++/* cynagora.c Cynagora runtime privilege checking
++ *
++ * Copyright (c) 2014 Samsung Electronics, Ltd.
++ *
++ * Licensed under the Academic Free License version 2.1
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
++ *
++ */
++
++#include <config.h>
++#include "cynagora-check.h"
++#include "check.h"
++#include "utils.h"
++
++#include <stdlib.h>
++#include <stdio.h>
++#include <errno.h>
++
++#include <dbus/dbus.h>
++#include <dbus/dbus-watch.h>
++#include <dbus/dbus-connection-internal.h>
++#include <bus/connection.h>
++
++#ifndef DBUS_ENABLE_CYNAGORA
++
++BusCynagora *
++bus_cynagora_new(BusCheck *check, DBusError *error)
++{
++ return NULL;
++}
++
++BusCynagora *
++bus_cynagora_ref (BusCynagora *cynagora)
++{
++ return NULL;
++}
++
++void
++bus_cynagora_unref (BusCynagora *cynagora)
++{
++}
++
++BusResult
++bus_cynagora_check_privilege (BusCynagora *cynagora,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ const char *privilege,
++ BusDeferredMessageStatus check_type,
++ BusDeferredMessage **deferred_message_param)
++{
++ return BUS_RESULT_FALSE;
++}
++
++#endif
++
++#ifdef DBUS_ENABLE_CYNAGORA
++
++#include <time.h>
++#include <sys/epoll.h>
++
++#include <cynagora.h>
++
++#ifndef CYNAGORA_CACHE_SIZE
++#define CYNAGORA_CACHE_SIZE 8000
++#endif
++
++typedef struct BusCynagora
++{
++ int refcount;
++
++ BusContext *context;
++ BusCheck *check;
++ cynagora_t *cynagora;
++ DBusWatch *cynagora_watch;
++} BusCynagora;
++
++static int async_callback(void *closure,
++ int op,
++ int fd,
++ uint32_t events);
++
++BusCynagora *
++bus_cynagora_new(BusCheck *check, DBusError *error)
++{
++ BusContext *context;
++ BusCynagora *cynagora;
++ int ret;
++
++ cynagora = dbus_new(BusCynagora, 1);
++ if (cynagora == NULL)
++ {
++ BUS_SET_OOM(error);
++ return NULL;
++ }
++
++ context = bus_check_get_context(check);
++
++ cynagora->refcount = 1;
++ cynagora->check = check;
++ cynagora->context = context;
++ cynagora->cynagora_watch = NULL;
++
++ ret = cynagora_create(&cynagora->cynagora, cynagora_Check, CYNAGORA_CACHE_SIZE, NULL);
++ if (ret < 0)
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynagora configuration");
++ }
++ else
++ {
++ ret = cynagora_async_setup(cynagora->cynagora, async_callback, cynagora);
++ if (ret < 0)
++ {
++ dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynagora client");
++ }
++ else
++ {
++ return cynagora;
++ }
++ cynagora_destroy(cynagora->cynagora);
++ }
++
++ dbus_free(cynagora);
++ return NULL;
++}
++
++BusCynagora *
++bus_cynagora_ref (BusCynagora *cynagora)
++{
++ _dbus_assert (cynagora->refcount > 0);
++ cynagora->refcount += 1;
++
++ return cynagora;
++}
++
++void
++bus_cynagora_unref (BusCynagora *cynagora)
++{
++ _dbus_assert (cynagora->refcount > 0);
++
++ cynagora->refcount -= 1;
++
++ if (cynagora->refcount == 0)
++ {
++ cynagora_destroy(cynagora->cynagora);
++ dbus_free(cynagora);
++ }
++}
++
++static void
++async_check_callback (void *closure, int status)
++{
++ BusDeferredMessage *deferred_message = closure;
++ BusResult result;
++
++ if (deferred_message == NULL)
++ return;
++
++ if (status == 1)
++ result = BUS_RESULT_TRUE;
++ else
++ result = BUS_RESULT_FALSE;
++
++ bus_deferred_message_response_received(deferred_message, result);
++ bus_deferred_message_unref(deferred_message);
++}
++
++BusResult
++bus_cynagora_check_privilege (BusCynagora *cynagora,
++ DBusMessage *message,
++ DBusConnection *sender,
++ DBusConnection *addressed_recipient,
++ DBusConnection *proposed_recipient,
++ const char *permission,
++ BusDeferredMessageStatus check_type,
++ BusDeferredMessage **deferred_message_param)
++{
++ int result;
++ unsigned long uid;
++ unsigned long pid;
++ char *label;
++ char user[32];
++ char session[32];
++ DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
++ BusDeferredMessage *deferred_message;
++ BusResult ret;
++ cynagora_key_t key;
++
++ _dbus_assert(connection != NULL);
++
++ if (dbus_connection_get_unix_user(connection, &uid) == FALSE)
++ return BUS_RESULT_FALSE;
++
++ if (dbus_connection_get_unix_process_id(connection, &pid) == FALSE)
++ return BUS_RESULT_FALSE;
++
++ if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL)
++ {
++ _dbus_warn("Failed to obtain security label for connection\n");
++ return BUS_RESULT_FALSE;
++ }
++
++ snprintf(user, sizeof(user), "%lu", uid);
++ snprintf(session, sizeof(session), "%lu", pid);
++
++ key.client = label;
++ key.session = session;
++ key.user = user;
++ key.permission = permission;
++
++ result = cynagora_cache_check(cynagora->cynagora, &key);
++ switch (result)
++ {
++ case 1:
++ _dbus_verbose("Cynagora: got ALLOWED answer from cache (client=%s session_id=%s user=%s permission=%s)\n",
++ label, session_id, user, permission);
++ ret = BUS_RESULT_TRUE;
++ break;
++
++ case 0:
++ _dbus_verbose("Cynagora: got DENIED answer from cache (client=%s session_id=%s user=%s permission=%s)\n",
++ label, session_id, user, permission);
++ ret = BUS_RESULT_FALSE;
++ break;
++
++ default:
++ deferred_message = bus_deferred_message_new(message, sender, addressed_recipient,
++ proposed_recipient, BUS_RESULT_LATER);
++ if (deferred_message == NULL)
++ {
++ _dbus_verbose("Failed to allocate memory for deferred message\n");
++ ret = BUS_RESULT_FALSE;
++ goto out;
++ }
++
++ /* callback is supposed to unref deferred_message*/
++ result = cynagora_async_check(cynagora->cynagora, &key, 1, 0, async_check_callback, deferred_message);
++ if (result == 0)
++ {
++ _dbus_verbose("Created Cynagora request: client=%s session_id=%s user=%s permission=%s "
++ "deferred_message=%p\n", label, session_id, user, permission, deferred_message);
++ if (deferred_message_param != NULL)
++ *deferred_message_param = deferred_message;
++ ret = BUS_RESULT_LATER;
++ }
++ else
++ {
++ _dbus_verbose("Error on cynagora request create: %i\n", result);
++ bus_deferred_message_unref(deferred_message);
++ ret = BUS_RESULT_FALSE;
++ }
++ break;
++ }
++out:
++ dbus_free(label);
++ return ret;
++}
++
++static dbus_bool_t
++watch_handler_callback(DBusWatch *watch,
++ unsigned int flags,
++ void *data)
++{
++ BusCynagora *cynagora = (BusCynagora *)data;
++ int result = cynagora_async_process(cynagora->cynagora);
++ if (result < 0)
++ _dbus_verbose("cynagora_async_process returned %d\n", result);
++
++ return result != -ENOMEM ? TRUE : FALSE;
++}
++
++static int
++async_callback(void *closure, int op, int fd, uint32_t events)
++{
++ BusCynagora *cynagora = (BusCynagora *)closure;
++ DBusLoop *loop = bus_context_get_loop(cynagora->context);
++ unsigned int flags;
++ DBusWatch *watch;
++
++ /* compute flags */
++ flags = 0;
++ if (events & EPOLLIN)
++ flags |= DBUS_WATCH_READABLE;
++ if (events & EPOLLOUT)
++ flags |= DBUS_WATCH_WRITABLE;
++
++ /* remove the watch if needed */
++ watch = cynagora->cynagora_watch;
++ if (watch != NULL)
++ {
++ cynagora->cynagora_watch = NULL;
++ _dbus_loop_remove_watch(loop, watch);
++ _dbus_watch_invalidate(watch);
++ _dbus_watch_unref(watch);
++ }
++
++ /* create the watch if needed */
++ watch = cynagora->cynagora_watch;
++ if (op != EPOLL_CTL_DEL)
++ {
++ watch = _dbus_watch_new(fd, flags, TRUE, watch_handler_callback, cynagora, NULL);
++ if (watch == NULL)
++ return -ENOMEM;
++ if (_dbus_loop_add_watch(loop, watch) != TRUE)
++ {
++ _dbus_watch_invalidate(watch);
++ _dbus_watch_unref(watch);
++ return -ENOMEM;
++ }
++ cynagora->cynagora_watch = watch;
++ }
++ return 0;
++}
++
++#endif /* DBUS_ENABLE_CYNAGORA */
+diff --git a/bus/cynara.h b/bus/cynagora-check.h
+similarity index 81%
+rename from bus/cynara.h
+rename to bus/cynagora-check.h
+index c4728bb..c0892c3 100644
+--- a/bus/cynara.h
++++ b/bus/cynagora-check.h
+@@ -1,5 +1,5 @@
+ /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
+-/* cynara.h Cynara runtime privilege checking
++/* cynagora.h Cynagora runtime privilege checking
+ *
+ * Copyright (c) 2014 Samsung Electronics, Ltd.
+ *
+@@ -24,10 +24,10 @@
+ #include "bus.h"
+ #include "check.h"
+
+-BusCynara *bus_cynara_new (BusCheck *check, DBusError *error);
+-BusCynara *bus_cynara_ref (BusCynara *cynara);
+-void bus_cynara_unref (BusCynara *cynara);
+-BusResult bus_cynara_check_privilege (BusCynara *cynara,
++BusCynagora *bus_cynagora_new (BusCheck *check, DBusError *error);
++BusCynagora *bus_cynagora_ref (BusCynagora *cynagora);
++void bus_cynagora_unref (BusCynagora *cynagora);
++BusResult bus_cynagora_check_privilege (BusCynagora *cynagora,
+ DBusMessage *message,
+ DBusConnection *sender,
+ DBusConnection *addressed_recipient,
+diff --git a/bus/cynara.c b/bus/cynara.c
+deleted file mode 100644
+index 77aed62..0000000
+--- a/bus/cynara.c
++++ /dev/null
+@@ -1,373 +0,0 @@
+-/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
+-/* cynara.c Cynara runtime privilege checking
+- *
+- * Copyright (c) 2014 Samsung Electronics, Ltd.
+- *
+- * Licensed under the Academic Free License version 2.1
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 2 of the License, or
+- * (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+- *
+- */
+-
+-#include <config.h>
+-#include "cynara.h"
+-#include "check.h"
+-#include "utils.h"
+-
+-#include <stdio.h>
+-
+-#include <dbus/dbus.h>
+-#include <dbus/dbus-watch.h>
+-#include <dbus/dbus-connection-internal.h>
+-#include <bus/connection.h>
+-#ifdef DBUS_ENABLE_CYNARA
+-#include <cynara-client-async.h>
+-#endif
+-
+-#ifdef DBUS_ENABLE_CYNARA
+-typedef struct BusCynara
+-{
+- int refcount;
+-
+- BusContext *context;
+- BusCheck *check;
+- cynara_async *cynara;
+- DBusWatch *cynara_watch;
+-} BusCynara;
+-
+-#define USE_CYNARA_CACHE 1
+-#ifdef USE_CYNARA_CACHE
+-#define CYNARA_CACHE_SIZE 1000
+-#endif
+-
+-static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch,
+- unsigned int flags,
+- void *data);
+-
+-static void status_callback(int old_fd,
+- int new_fd,
+- cynara_async_status status,
+- void *user_status_data);
+-static void bus_cynara_check_response_callback (cynara_check_id check_id,
+- cynara_async_call_cause cause,
+- int response,
+- void *user_response_data);
+-#endif
+-
+-
+-BusCynara *
+-bus_cynara_new(BusCheck *check, DBusError *error)
+-{
+-#ifdef DBUS_ENABLE_CYNARA
+- BusContext *context;
+- BusCynara *cynara;
+- cynara_async_configuration *conf = NULL;
+- int ret;
+-
+- cynara = dbus_new(BusCynara, 1);
+- if (cynara == NULL)
+- {
+- BUS_SET_OOM(error);
+- return NULL;
+- }
+-
+- context = bus_check_get_context(check);
+-
+- cynara->refcount = 1;
+- cynara->check = check;
+- cynara->context = context;
+- cynara->cynara_watch = NULL;
+-
+- ret = cynara_async_configuration_create(&conf);
+- if (ret != CYNARA_API_SUCCESS)
+- {
+- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynara configuration");
+- goto out;
+- }
+-
+-#ifdef CYNARA_CACHE_SIZE
+- ret = cynara_async_configuration_set_cache_size(conf, CYNARA_CACHE_SIZE);
+- if (ret != CYNARA_API_SUCCESS)
+- {
+- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to Cynara cache size");
+- goto out;
+- }
+-#endif
+-
+- ret = cynara_async_initialize(&cynara->cynara, conf, &status_callback, cynara);
+- if (ret != CYNARA_API_SUCCESS)
+- {
+- dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynara client");
+- goto out;
+- }
+-
+-out:
+- cynara_async_configuration_destroy(conf);
+- if (ret != CYNARA_API_SUCCESS)
+- {
+- dbus_free(cynara);
+- return NULL;
+- }
+-
+- return cynara;
+-#else
+- return NULL;
+-#endif
+-}
+-
+-BusCynara *
+-bus_cynara_ref (BusCynara *cynara)
+-{
+-#ifdef DBUS_ENABLE_CYNARA
+- _dbus_assert (cynara->refcount > 0);
+- cynara->refcount += 1;
+-
+- return cynara;
+-#else
+- return NULL;
+-#endif
+-}
+-
+-void
+-bus_cynara_unref (BusCynara *cynara)
+-{
+-#ifdef DBUS_ENABLE_CYNARA
+- _dbus_assert (cynara->refcount > 0);
+-
+- cynara->refcount -= 1;
+-
+- if (cynara->refcount == 0)
+- {
+- cynara_async_finish(cynara->cynara);
+- dbus_free(cynara);
+- }
+-#endif
+-}
+-
+-BusResult
+-bus_cynara_check_privilege (BusCynara *cynara,
+- DBusMessage *message,
+- DBusConnection *sender,
+- DBusConnection *addressed_recipient,
+- DBusConnection *proposed_recipient,
+- const char *privilege,
+- BusDeferredMessageStatus check_type,
+- BusDeferredMessage **deferred_message_param)
+-{
+-#ifdef DBUS_ENABLE_CYNARA
+- int result;
+- unsigned long uid;
+- char *label;
+- const char *session_id;
+- char user[32];
+- cynara_check_id check_id;
+- DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
+- BusDeferredMessage *deferred_message;
+- BusResult ret;
+-
+- _dbus_assert(connection != NULL);
+-
+- if (dbus_connection_get_unix_user(connection, &uid) == FALSE)
+- return BUS_RESULT_FALSE;
+-
+- if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL)
+- {
+- _dbus_warn("Failed to obtain security label for connection\n");
+- return BUS_RESULT_FALSE;
+- }
+-
+- session_id = bus_connection_get_cynara_session_id (connection);
+- if (session_id == NULL)
+- {
+- ret = BUS_RESULT_FALSE;
+- goto out;
+- }
+-
+- snprintf(user, sizeof(user), "%lu", uid);
+-
+-#if USE_CYNARA_CACHE
+- result = cynara_async_check_cache(cynara->cynara, label, session_id, user, privilege);
+-#else
+- result = CYNARA_API_CACHE_MISS;
+-#endif
+-
+- switch (result)
+- {
+- case CYNARA_API_ACCESS_ALLOWED:
+- _dbus_verbose("Cynara: got ALLOWED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
+- label, session_id, user, privilege);
+- ret = BUS_RESULT_TRUE;
+- break;
+-
+- case CYNARA_API_ACCESS_DENIED:
+- _dbus_verbose("Cynara: got DENIED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
+- label, session_id, user, privilege);
+- ret = BUS_RESULT_FALSE;
+- break;
+-
+- case CYNARA_API_CACHE_MISS:
+- deferred_message = bus_deferred_message_new(message, sender, addressed_recipient,
+- proposed_recipient, BUS_RESULT_LATER);
+- if (deferred_message == NULL)
+- {
+- _dbus_verbose("Failed to allocate memory for deferred message\n");
+- ret = BUS_RESULT_FALSE;
+- goto out;
+- }
+-
+- /* callback is supposed to unref deferred_message*/
+- result = cynara_async_create_request(cynara->cynara, label, session_id, user, privilege, &check_id,
+- &bus_cynara_check_response_callback, deferred_message);
+- if (result == CYNARA_API_SUCCESS)
+- {
+- _dbus_verbose("Created Cynara request: client=%s session_id=%s user=%s privilege=%s check_id=%u "
+- "deferred_message=%p\n", label, session_id, user, privilege, (unsigned int)check_id, deferred_message);
+- if (deferred_message_param != NULL)
+- *deferred_message_param = deferred_message;
+- ret = BUS_RESULT_LATER;
+- }
+- else
+- {
+- _dbus_verbose("Error on cynara request create: %i\n", result);
+- bus_deferred_message_unref(deferred_message);
+- ret = BUS_RESULT_FALSE;
+- }
+- break;
+- default:
+- _dbus_verbose("Error when accessing Cynara cache: %i\n", result);
+- ret = BUS_RESULT_FALSE;
+- }
+-out:
+- dbus_free(label);
+- return ret;
+-
+-#else
+- return BUS_RESULT_FALSE;
+-#endif
+-}
+-
+-
+-
+-#ifdef DBUS_ENABLE_CYNARA
+-static void
+-status_callback(int old_fd, int new_fd, cynara_async_status status,
+- void *user_status_data)
+-{
+- BusCynara *cynara = (BusCynara *)user_status_data;
+- DBusLoop *loop = bus_context_get_loop(cynara->context);
+-
+- if (cynara->cynara_watch != NULL)
+- {
+- _dbus_loop_remove_watch(loop, cynara->cynara_watch);
+- _dbus_watch_invalidate(cynara->cynara_watch);
+- _dbus_watch_unref(cynara->cynara_watch);
+- cynara->cynara_watch = NULL;
+- }
+-
+- if (new_fd != -1)
+- {
+- unsigned int flags;
+- DBusWatch *watch;
+-
+- switch (status)
+- {
+- case CYNARA_STATUS_FOR_READ:
+- flags = DBUS_WATCH_READABLE;
+- break;
+- case CYNARA_STATUS_FOR_RW:
+- flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
+- break;
+- default:
+- /* Cynara passed unknown status - warn and add RW watch */
+- _dbus_verbose("Cynara passed unknown status value: 0x%08X\n", (unsigned int)status);
+- flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
+- break;
+- }
+-
+- watch = _dbus_watch_new(new_fd, flags, TRUE, &bus_cynara_watch_callback, cynara, NULL);
+- if (watch != NULL)
+- {
+- if (_dbus_loop_add_watch(loop, watch) == TRUE)
+- {
+- cynara->cynara_watch = watch;
+- return;
+- }
+-
+- _dbus_watch_invalidate(watch);
+- _dbus_watch_unref(watch);
+- }
+-
+- /* It seems like not much can be done at this point. Cynara events won't be processed
+- * until next Cynara function call triggering status callback */
+- _dbus_verbose("Failed to add dbus watch\n");
+- }
+-}
+-
+-static dbus_bool_t
+-bus_cynara_watch_callback(DBusWatch *watch,
+- unsigned int flags,
+- void *data)
+-{
+- BusCynara *cynara = (BusCynara *)data;
+- int result = cynara_async_process(cynara->cynara);
+- if (result != CYNARA_API_SUCCESS)
+- _dbus_verbose("cynara_async_process returned %d\n", result);
+-
+- return result != CYNARA_API_OUT_OF_MEMORY ? TRUE : FALSE;
+-}
+-
+-static inline const char *
+-call_cause_to_string(cynara_async_call_cause cause)
+-{
+- switch (cause)
+- {
+- case CYNARA_CALL_CAUSE_ANSWER:
+- return "ANSWER";
+- case CYNARA_CALL_CAUSE_CANCEL:
+- return "CANCEL";
+- case CYNARA_CALL_CAUSE_FINISH:
+- return "FINSIH";
+- case CYNARA_CALL_CAUSE_SERVICE_NOT_AVAILABLE:
+- return "SERVICE NOT AVAILABLE";
+- default:
+- return "INVALID";
+- }
+-}
+-
+-static void
+-bus_cynara_check_response_callback (cynara_check_id check_id,
+- cynara_async_call_cause cause,
+- int response,
+- void *user_response_data)
+-{
+- BusDeferredMessage *deferred_message = user_response_data;
+- BusResult result;
+-
+- _dbus_verbose("Cynara callback: check_id=%u, cause=%s response=%i response_data=%p\n",
+- (unsigned int)check_id, call_cause_to_string(cause), response, user_response_data);
+-
+- if (deferred_message == NULL)
+- return;
+-
+- if (cause == CYNARA_CALL_CAUSE_ANSWER && response == CYNARA_API_ACCESS_ALLOWED)
+- result = BUS_RESULT_TRUE;
+- else
+- result = BUS_RESULT_FALSE;
+-
+- bus_deferred_message_response_received(deferred_message, result);
+- bus_deferred_message_unref(deferred_message);
+-}
+-
+-#endif /* DBUS_ENABLE_CYNARA */
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 19d0c04..81c39c8 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -72,10 +72,10 @@
+ send_interface="org.freedesktop.DBus.Introspectable"/>
+ <allow send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus.Properties"/>
+- <!-- If there is a need specific bus services could be protected by Cynara as well.
++ <!-- If there is a need specific bus services could be protected by Cynagora as well.
+ However, this can lead to deadlock during the boot process when such check is made and
+- Cynara is not yet activated (systemd calls protected method synchronously,
+- dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
++ Cynagora is not yet activated (systemd calls protected method synchronously,
++ dbus daemon tries to consult Cynagora, Cynagora waits for systemd activation).
+ Therefore it is advised to allow root processes to use bus services.
+ Currently anyone is allowed to talk to the message bus -->
+ <allow receive_sender="org.freedesktop.DBus"/>
+diff --git a/configure.ac b/configure.ac
+index 11b5ffd..df9341c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1742,16 +1742,16 @@ AC_ARG_ENABLE([user-session],
+ AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION],
+ [test "x$enable_user_session" = xyes])
+
+-#enable cynara integration
+-AC_ARG_ENABLE([cynara], [AS_HELP_STRING([--enable-cynara], [enable Cynara integration])], [], [enable_cynara=no])
+-if test "x$enable_cynara" = xyes; then
+- PKG_CHECK_MODULES([CYNARA], [cynara-client-async >= 0.6.0 cynara-session >= 0.6.0],
+- [AC_DEFINE([DBUS_ENABLE_CYNARA], [1], [Define to enable Cynara privilege checks in dbus-daemon])],
+- [AC_MSG_ERROR([libcynara-client-async and cynara-session are required to enable Cynara integration])])
++#enable cynagora integration
++AC_ARG_ENABLE([cynagora], [AS_HELP_STRING([--enable-cynagora], [enable Cynagora integration])], [], [enable_cynagora=no])
++if test "x$enable_cynagora" = xyes; then
++ PKG_CHECK_MODULES([CYNAGORA], [cynagora],
++ [AC_DEFINE([DBUS_ENABLE_CYNAGORA], [1], [Define to enable Cynagora privilege checks in dbus-daemon])],
++ [AC_MSG_ERROR([libcynagora is required to enable Cynagora integration])])
+ fi
+
+-AC_SUBST([CYNARA_CFLAGS])
+-AC_SUBST([CYNARA_LIBS])
++AC_SUBST([CYNAGORA_CFLAGS])
++AC_SUBST([CYNAGORA_LIBS])
+
+ AC_CONFIG_FILES([
+ Doxyfile
+@@ -1835,7 +1835,7 @@ echo "
+ Building bus stats API: ${enable_stats}
+ Building SELinux support: ${have_selinux}
+ Building AppArmor support: ${have_apparmor}
+- Building Cynara support: ${enable_cynara}
++ Building Cynagora support: ${enable_cynagora}
+ Building inotify support: ${have_inotify}
+ Building kqueue support: ${have_kqueue}
+ Building systemd support: ${have_systemd}
+--
+2.21.1
+
diff --git a/meta-security/recipes-core/dbus-cynara/dbus_1.12.10.bbappend b/meta-security/recipes-core/dbus-cynagora/dbus_1.12.16.bbappend
index 5cbf65ef6..177a117b8 100644
--- a/meta-security/recipes-core/dbus-cynara/dbus_1.12.10.bbappend
+++ b/meta-security/recipes-core/dbus-cynagora/dbus_1.12.16.bbappend
@@ -1,4 +1,4 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/dbus-cynara:"
+FILESEXTRAPATHS_prepend := "${THISDIR}/dbus-cynagora:"
SRC_URI_append_class-target = "\
file://0001-Integration-of-Cynara-asynchronous-security-checks.patch \
@@ -6,10 +6,10 @@ SRC_URI_append_class-target = "\
file://0003-Handle-unavailability-of-policy-results-for-broadcas.patch \
file://0004-Add-own-rule-result-unavailability-handling.patch \
file://0005-Perform-Cynara-runtime-policy-checks-by-default.patch \
- file://0006-Fix-gcc-8-warnings.patch \
- file://0007-Fix-SIGSEGV-on-disconnections.patch \
+ file://0006-Fix-SIGSEGV-on-disconnections.patch \
+ file://0007-Switch-from-cynara-to-cynagora.patch \
"
-DEPENDS_append_class-target = " cynara smack"
-EXTRA_OECONF_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES','smack','--enable-cynara --disable-selinux','',d)}"
+DEPENDS_append_class-target = " cynagora smack"
+EXTRA_OECONF_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES','smack','--enable-cynagora --disable-selinux','',d)}"
diff --git a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch b/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch
deleted file mode 100644
index 30fac9693..000000000
--- a/meta-security/recipes-core/dbus-cynara/dbus-cynara/0006-Fix-gcc-8-warnings.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 988958f40a2e0575df3d4d48101612713737a5db Mon Sep 17 00:00:00 2001
-From: Jose Bollo <jose.bollo@iot.bzh>
-Date: Wed, 29 May 2019 16:32:50 +0200
-Subject: Fix gcc 8 warnings
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Compiling with -Werror isn't possible without adaptation
-of the code.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-
-diff --git a/bus/config-parser-trivial.c b/bus/config-parser-trivial.c
-index dd65c6d..23dedb4 100644
---- a/bus/config-parser-trivial.c
-+++ b/bus/config-parser-trivial.c
-@@ -194,6 +194,7 @@ bus_config_parser_start_element (BusConfigParser *parser,
- case ELEMENT_POLICY:
- case ELEMENT_LIMIT:
- case ELEMENT_ALLOW:
-+ case ELEMENT_CHECK:
- case ELEMENT_DENY:
- case ELEMENT_FORK:
- case ELEMENT_PIDFILE:
-@@ -316,6 +317,7 @@ bus_config_parser_content (BusConfigParser *parser,
- case ELEMENT_POLICY:
- case ELEMENT_LIMIT:
- case ELEMENT_ALLOW:
-+ case ELEMENT_CHECK:
- case ELEMENT_DENY:
- case ELEMENT_FORK:
- case ELEMENT_PIDFILE:
-diff --git a/bus/config-parser.c b/bus/config-parser.c
-index b5f1dd1..7f91469 100644
---- a/bus/config-parser.c
-+++ b/bus/config-parser.c
-@@ -3408,6 +3408,7 @@ elements_equal (const Element *a,
- case ELEMENT_LISTEN:
- case ELEMENT_AUTH:
- case ELEMENT_ALLOW:
-+ case ELEMENT_CHECK:
- case ELEMENT_DENY:
- case ELEMENT_FORK:
- case ELEMENT_PIDFILE:
-diff --git a/bus/desktop-file.c b/bus/desktop-file.c
-index 4459858..4a27ee3 100644
---- a/bus/desktop-file.c
-+++ b/bus/desktop-file.c
-@@ -382,7 +382,7 @@ is_valid_section_name (const char *name)
-
- while (*name)
- {
-- if (!((*name >= 'A' && *name <= 'Z') || (*name >= 'a' || *name <= 'z') ||
-+ if (!((*name >= ' ' && *name <= '~' && *name != '[' && *name != ']') ||
- *name == '\n' || *name == '\t'))
- return FALSE;
-
-diff --git a/bus/driver.h b/bus/driver.h
-index 183c28b..05e9886 100644
---- a/bus/driver.h
-+++ b/bus/driver.h
-@@ -66,5 +66,7 @@ dbus_bool_t bus_driver_send_ack_reply (DBusConnection *connection,
- BusTransaction *transaction,
- DBusMessage *message,
- DBusError *error);
-+dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message,
-+ DBusError *error);
-
- #endif /* BUS_DRIVER_H */
-diff --git a/bus/policy.c b/bus/policy.c
-index 27b66d1..c4c3d4b 100644
---- a/bus/policy.c
-+++ b/bus/policy.c
-@@ -1098,6 +1098,7 @@ bus_client_policy_check_can_send (DBusConnection *sender,
- case BUS_POLICY_RULE_ACCESS_ALLOW:
- result = BUS_RESULT_TRUE;
- break;
-+ default:
- case BUS_POLICY_RULE_ACCESS_DENY:
- result = BUS_RESULT_FALSE;
- break;
-@@ -1350,6 +1351,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
- case BUS_POLICY_RULE_ACCESS_ALLOW:
- result = BUS_RESULT_TRUE;
- break;
-+ default:
- case BUS_POLICY_RULE_ACCESS_DENY:
- result = BUS_RESULT_FALSE;
- break;
-@@ -1443,6 +1445,7 @@ bus_rules_check_can_own (DBusList *rules,
- case BUS_POLICY_RULE_ACCESS_ALLOW:
- result = BUS_RESULT_TRUE;
- break;
-+ default:
- case BUS_POLICY_RULE_ACCESS_DENY:
- result = BUS_RESULT_FALSE;
- break;
-diff --git a/dbus/dbus-sysdeps-unix.c b/dbus/dbus-sysdeps-unix.c
-index 565e089..b96c735 100644
---- a/dbus/dbus-sysdeps-unix.c
-+++ b/dbus/dbus-sysdeps-unix.c
-@@ -4364,7 +4364,11 @@ _dbus_daemon_unpublish_session_bus_address (void)
- dbus_bool_t
- _dbus_get_is_errno_eagain_or_ewouldblock (int e)
- {
-+#if EAGAIN != EWOULDBLOCK
- return e == EAGAIN || e == EWOULDBLOCK;
-+#else
-+ return e == EAGAIN;
-+#endif
- }
-
- /**
-diff --git a/tools/dbus-send.c b/tools/dbus-send.c
-index 6fb65fe..d853b39 100644
---- a/tools/dbus-send.c
-+++ b/tools/dbus-send.c
-@@ -293,10 +293,12 @@ main (int argc, char *argv[])
- {
- is_bus = TRUE;
- }
-+#if 0
- else if (arg[2] == 'p') /* peer */
- {
- is_bus = FALSE;
- }
-+#endif
- else /* address; keeping backwards compatibility */
- {
- is_bus = FALSE;
---
-2.17.2
-
diff --git a/meta-security/recipes-core/systemd/systemd_239.bbappend b/meta-security/recipes-core/systemd/systemd_2%.bbappend
index 789c05f83..789c05f83 100644
--- a/meta-security/recipes-core/systemd/systemd_239.bbappend
+++ b/meta-security/recipes-core/systemd/systemd_2%.bbappend
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch
deleted file mode 100644
index a049fd23f..000000000
--- a/meta-security/recipes-security/keyutils/keyutils/keyutils-arm-remove-m32-m64.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Index: keyutils-1.5.5/Makefile
-===================================================================
---- keyutils-1.5.5.orig/Makefile 2011-12-20 11:05:10.000000000 +0200
-+++ keyutils-1.5.5/Makefile 2011-12-20 11:06:27.000000000 +0200
-@@ -58,12 +58,12 @@
- LNS := ln -sf
-
- ifeq ($(BUILDFOR),32-bit)
--CFLAGS += -m32
-+#CFLAGS += -m32
- LIBDIR := /usr/lib
- USRLIBDIR := /usr/lib
- else
- ifeq ($(BUILDFOR),64-bit)
--CFLAGS += -m64
-+#CFLAGS += -m64
- LIBDIR := /usr/lib
- USRLIBDIR := /usr/lib
- endif
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch
deleted file mode 100644
index adf064304..000000000
--- a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_library_install.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Index: keyutils-1.5.5/Makefile
-===================================================================
---- keyutils-1.5.5.orig/Makefile 2011-11-30 17:27:43.000000000 +0200
-+++ keyutils-1.5.5/Makefile 2011-12-21 16:05:53.000000000 +0200
-@@ -59,13 +59,13 @@
-
- ifeq ($(BUILDFOR),32-bit)
- CFLAGS += -m32
--LIBDIR := /lib
-+LIBDIR := /usr/lib
- USRLIBDIR := /usr/lib
- else
- ifeq ($(BUILDFOR),64-bit)
- CFLAGS += -m64
--LIBDIR := /lib64
--USRLIBDIR := /usr/lib64
-+LIBDIR := /usr/lib
-+USRLIBDIR := /usr/lib
- endif
- endif
-
-@@ -152,7 +152,7 @@
- $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
- $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
- mkdir -p $(DESTDIR)$(USRLIBDIR)
-- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
-+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
- $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
- $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
- $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
deleted file mode 100644
index 8dd224505..000000000
--- a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86-64_cflags.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: git/Makefile
-===================================================================
---- git.orig/Makefile 2012-11-16 15:40:05.258723425 +0200
-+++ git/Makefile 2012-11-16 15:41:08.978725491 +0200
-@@ -53,7 +53,7 @@
- ###############################################################################
- LIBDIR := $(shell ldd /usr/bin/make | grep '\(/libc\)' | sed -e 's!.*\(/.*\)/libc[.].*!\1!')
- USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
--BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
-+BUILDFOR := 64-bit
-
- LNS := ln -sf
-
diff --git a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch b/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch
deleted file mode 100644
index 573c429b8..000000000
--- a/meta-security/recipes-security/keyutils/keyutils/keyutils_fix_x86_cflags.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: git/Makefile
-===================================================================
---- git.orig/Makefile 2012-11-16 15:40:05.258723425 +0200
-+++ git/Makefile 2012-11-16 15:41:08.978725491 +0200
-@@ -53,7 +53,7 @@
- ###############################################################################
- LIBDIR := $(shell ldd /usr/bin/make | grep '\(/libc\)' | sed -e 's!.*\(/.*\)/libc[.].*!\1!')
- USRLIBDIR := $(patsubst /lib/%,/usr/lib/%,$(LIBDIR))
--BUILDFOR := $(shell file /usr/bin/make | sed -e 's!.*ELF \(32\|64\)-bit.*!\1!')-bit
-+BUILDFOR := 32-bit
-
- LNS := ln -sf
-
diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb b/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb
deleted file mode 100644
index 46b2b622a..000000000
--- a/meta-security/recipes-security/keyutils/keyutils_1.5.8.bb
+++ /dev/null
@@ -1,44 +0,0 @@
-SUMMARY = "Linux Key Management Utilities"
-DESCRIPTION = "Keyutils is a set of utilities for managing the key retention \
-facility in the kernel, which can be used by filesystems, block devices and \
-more to gain and retain the authorization and encryption keys required to \
-perform secure operations."
-SECTION = "base"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45"
-
-PR = "r1"
-
-SRCREV = "dd64114721edca5808872190e7e2e927ee2e994c"
-
-SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git;protocol=git \
- file://keyutils_fix_library_install.patch \
- "
-SRC_URI_append_arm = " file://keyutils-arm-remove-m32-m64.patch"
-SRC_URI_append_x86 = " file://keyutils_fix_x86_cflags.patch"
-SRC_URI_append_x86-64 = " file://keyutils_fix_x86-64_cflags.patch"
-
-S = "${WORKDIR}/git"
-
-INSTALL_FLAGS = " \
-BINDIR=${bindir} \
-SBINDIR=${sbindir} \
-INCLUDEDIR=${includedir} \
-ETCDIR=${sysconfdir} \
-LIBDIR=${libdir} \
-USRLIBDIR=${libdir} \
-SHAREDIR=${datadir} \
-MAN1=${mandir}/man1 \
-MAN3=${mandir}/man3 \
-MAN5=${mandir}/man5 \
-MAN8=${mandir}/man8 \
-DESTDIR=${D}"
-
-do_install() {
- cd ${S} && oe_runmake ${INSTALL_FLAGS} install
-
- # Debugging script of unknown value, not packaged.
- rm -f "${D}${datadir}/request-key-debug.sh"
-}
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend b/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend
deleted file mode 100644
index 9c6080fcf..000000000
--- a/meta-security/recipes-security/xmlsec1/xmlsec1_%.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-# remove the EXTRA_OECONF from the recipe to
-# avoid an build error in >= YP SUMO
-EXTRA_OECONF = ""