-WARN_QA = "textrel files-invalid incompatible-license xorg-driver-abi libdir \
- unknown-configure-option build-deps file-rdeps"
-ERROR_QA = "dev-so debug-deps dev-deps debug-files arch pkgconfig la perms \
- useless-rpaths rpaths staticdev ldflags pkgvarcheck already-stripped \
- compile-host-path dep-cmp installed-vs-shipped install-host-path \
- packages-list perm-config perm-line perm-link pkgv-undefined \
- pn-overrides split-strip var-undefined version-going-backwards"
+WARN_TO_ERROR_QA = "already-stripped compile-host-path install-host-path \
+ installed-vs-shipped ldflags pn-overrides rpaths staticdev \
+ useless-rpaths"
+WARN_QA_remove = "${WARN_TO_ERROR_QA}"
+ERROR_QA_append = " ${WARN_TO_ERROR_QA}"
+
+# using multiple BSP layers causes dangling bbappends in meta-agl-bsp
+# turn it into a warning
+BB_DANGLINGAPPENDS_WARNONLY = "1"
+
+# enforce security-related compiler flags by default
+require conf/distro/include/security_flags.inc
+
+# required overrides, upstreamed but not merged yet:
+# http://lists.openembedded.org/pipermail/openembedded-devel/2016-June/107727.html
+SECURITY_CFLAGS_pn-llvm3.3 = "${SECURITY_NO_PIE_CFLAGS}"
+
+# enable security features (smack, cynara) - required by Application Framework
+OVERRIDES .= ":smack"
+DISTRO_FEATURES_append = " smack dbus-cynara"
+
+# use tar-native to support SMACK extended attributes independently of host config
+IMAGE_CMD_TAR = "tar --xattrs-include='*'"
+IMAGE_DEPENDS_tar_append = " tar-replacement-native"
+EXTRANATIVEPATH += "tar-native"
+
+# security: enable ssh server in place of dropbear to support PAM on user sessions
+IMAGE_FEATURES += "ssh-server-openssh"
+
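Review bot: `IMAGE_FEATURES += "ssh-server-openssh"` at the end of this hunk enables an OpenSSH server in every image built with this distro configuration, and nothing in the visible lines constrains how it authenticates. If an image also carries `debug-tweaks`, which permits an empty root password, the result is a network-reachable root login. I would state the expectation next to the line, e.g. `# production images must not combine this with debug-tweaks; ship an sshd_config that disables root and password login`. Separately, `textrel` is not in `WARN_TO_ERROR_QA`, so it presumably remains a warning under the inherited defaults even though `security_flags.inc` is now required; consider adding it once the tree builds clean. The hunk header and the rest of the file are not visible here, so this rests on the added lines alone.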