Prepare master for new framework integration 52/26752/2 sandbox/jsmoeller/rmappfw
author Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Mon, 18 Oct 2021 12:07:53 +0000 (14:07 +0200)
committer Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Thu, 28 Oct 2021 11:40:57 +0000 (13:40 +0200)
During the last workshop the transition to the new framework was presented.
This change essentially deprecates the SMACK-based application framework.

To prepare the integration of it, we remove the deprecated components:
- meta-agl-core: remove Smack kernel patches
- meta-app-framework
- meta-pipewire/dynamic-layers/meta-app-framework/

Bug-AGL: SPEC-4121

Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Change-Id: Icdaeadfb5d2193f3a4c535168c88da6073423e67

161 files changed:
docs/profiles.md
meta-agl-bsp/meta-freescale-layer/recipes-kernel/linux/files/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch [deleted file]
meta-agl-bsp/meta-rcar-gen3-adas/recipes-bsp/si-tools/si-init_1.0.bb
meta-agl-bsp/meta-rcar-gen3/recipes-graphics/gles-module/gles-user-module.bbappend
meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch [deleted file]
meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch [deleted file]
meta-agl-core/recipes-kernel/linux/linux-agl-4.14.inc
meta-agl-core/scripts/run-yocto-check-layer-feature-enabled.sh
meta-agl-core/scripts/run-yocto-check-layer.sh
meta-agl.md
meta-app-framework/LICENSE [deleted file]
meta-app-framework/LICENSE.GPL-2.0-only [deleted file]
meta-app-framework/LICENSE.MIT [deleted file]
meta-app-framework/README [deleted file]
meta-app-framework/classes/aglwgt.bbclass [deleted file]
meta-app-framework/conf/include/agl-appfw-smack.inc [deleted file]
meta-app-framework/conf/include/agl-sign-wgts.inc [deleted file]
meta-app-framework/conf/layer.conf [deleted file]
meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend [deleted file]
meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-core-security_appfw.inc [deleted file]
meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-boot.bbappend [deleted file]
meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-boot_appfw.inc [deleted file]
meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-minimal.bbappend [deleted file]
meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-minimal_appfw.inc [deleted file]
meta-app-framework/dynamic-layers/meta-qt5/recipes-devtools/libafb-helpers-qt/libafb-helpers-qt_git.bb [deleted file]
meta-app-framework/dynamic-layers/meta-qt5/recipes-devtools/libqtappfw/libqtappfw_git.bb [deleted file]
meta-app-framework/dynamic-layers/meta-qt5/recipes-platform/packagegroups/packagegroup-agl-appfw-qt5.bb [deleted file]
meta-app-framework/recipes-connectivity/bluez5/bluez5_%.bbappend [deleted file]
meta-app-framework/recipes-connectivity/bluez5/bluez5_appfw.inc [deleted file]
meta-app-framework/recipes-connectivity/bluez5/files/bluetooth.service.conf [deleted file]
meta-app-framework/recipes-connectivity/connman/connman_%.bbappend [deleted file]
meta-app-framework/recipes-connectivity/connman/connman_appfw.inc [deleted file]
meta-app-framework/recipes-connectivity/connman/files/connman.service.conf [deleted file]
meta-app-framework/recipes-core/af-binder/af-binder-devtools-native_git.bb [deleted file]
meta-app-framework/recipes-core/af-binder/af-binder_git.bb [deleted file]
meta-app-framework/recipes-core/af-binder/af-binder_git.inc [deleted file]
meta-app-framework/recipes-core/af-binder/nativesdk-af-binder-devtools_git.bb [deleted file]
meta-app-framework/recipes-core/af-main/af-main_git.bb [deleted file]
meta-app-framework/recipes-core/af-main/af-main_git.inc [deleted file]
meta-app-framework/recipes-core/af-main/nativesdk-af-main_git.bb [deleted file]
meta-app-framework/recipes-core/af-platform-setup/af-platform-setup_1.0.bb [deleted file]
meta-app-framework/recipes-core/af-platform-setup/files/udev-shared.conf [deleted file]
meta-app-framework/recipes-core/base-files/base-files_%.bbappend [deleted file]
meta-app-framework/recipes-core/base-files/base-files_appfw.inc [deleted file]
meta-app-framework/recipes-core/coreutils/coreutils_%.bbappend [deleted file]
meta-app-framework/recipes-core/coreutils/coreutils_appfw.inc [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0006-Fix-SIGSEGV-on-disconnections.patch [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus_1.12.20.bbappend [deleted file]
meta-app-framework/recipes-core/dbus-cynagora/dbus_appfw.inc [deleted file]
meta-app-framework/recipes-core/nss-localuser/nss-localuser_0.1.bb [deleted file]
meta-app-framework/recipes-core/shadow/shadow_%.bbappend [deleted file]
meta-app-framework/recipes-core/shadow/shadow_appfw.inc [deleted file]
meta-app-framework/recipes-core/smack-system-setup/files/55-udev-smack-default.rules [deleted file]
meta-app-framework/recipes-core/smack-system-setup/files/systemd-journald.service.conf [deleted file]
meta-app-framework/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf [deleted file]
meta-app-framework/recipes-core/smack-system-setup/files/tmp.mount.conf [deleted file]
meta-app-framework/recipes-core/smack-system-setup/smack-system-setup_1.bb [deleted file]
meta-app-framework/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch [deleted file]
meta-app-framework/recipes-core/systemd/systemd_2%.bbappend [deleted file]
meta-app-framework/recipes-core/systemd/systemd_appfw.inc [deleted file]
meta-app-framework/recipes-core/util-linux/util-linux_%.bbappend [deleted file]
meta-app-framework/recipes-core/util-linux/util-linux_appfw.inc [deleted file]
meta-app-framework/recipes-devtools/cmake-apps-module/cmake-apps-module_git.bb [deleted file]
meta-app-framework/recipes-devtools/json-c/json-c_%.bbappend [deleted file]
meta-app-framework/recipes-devtools/json-c/json-c_appfw.inc [deleted file]
meta-app-framework/recipes-devtools/libafb-helpers/libafb-helpers_git.bb [deleted file]
meta-app-framework/recipes-devtools/libafb-helpers/libafb-helpers_git.inc [deleted file]
meta-app-framework/recipes-devtools/libappcontroller/libappcontroller_git.bb [deleted file]
meta-app-framework/recipes-devtools/packagegroups/nativesdk-packagegroup-sdk-host.bbappend [deleted file]
meta-app-framework/recipes-devtools/packagegroups/nativesdk-packagegroup-sdk-host_appfw.inc [deleted file]
meta-app-framework/recipes-devtools/run-postinsts/run-postinsts/ldconfig-wait.conf [deleted file]
meta-app-framework/recipes-devtools/run-postinsts/run-postinsts_%.bbappend [deleted file]
meta-app-framework/recipes-devtools/run-postinsts/run-postinsts_appfw.inc [deleted file]
meta-app-framework/recipes-graphics/wayland/wayland/0001-Change-socket-mode-add-rw-for-group.patch [deleted file]
meta-app-framework/recipes-graphics/wayland/wayland_%.bbappend [deleted file]
meta-app-framework/recipes-graphics/wayland/wayland_appfw.inc [deleted file]
meta-app-framework/recipes-graphics/wayland/weston/0001-Allow-regular-users-to-launch-Weston_7.0.0.patch [deleted file]
meta-app-framework/recipes-graphics/wayland/weston/smack-weston [deleted file]
meta-app-framework/recipes-graphics/wayland/weston_8.0.%.bbappend [deleted file]
meta-app-framework/recipes-graphics/wayland/weston_8.0_appfw.inc [deleted file]
meta-app-framework/recipes-kernel/linux/linux-%.bbappend [deleted file]
meta-app-framework/recipes-kernel/linux/linux-appfw.inc [deleted file]
meta-app-framework/recipes-kernel/linux/linux/audit.cfg [deleted file]
meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm-old.cfg [deleted file]
meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg [deleted file]
meta-app-framework/recipes-kernel/linux/linux/smack.cfg [deleted file]
meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-app-framework-examples.bb [deleted file]
meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-app-framework.bb [deleted file]
meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-appfw-native.bb [deleted file]
meta-app-framework/recipes-platform/packagegroups/packagegroup-security-framework.bb [deleted file]
meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch [deleted file]
meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch [deleted file]
meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch [deleted file]
meta-app-framework/recipes-security/audit/audit/audit-volatile.conf [deleted file]
meta-app-framework/recipes-security/audit/audit/auditd [deleted file]
meta-app-framework/recipes-security/audit/audit/auditd.service [deleted file]
meta-app-framework/recipes-security/audit/audit_2.8.5.bb [deleted file]
meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb [deleted file]
meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb [deleted file]
meta-app-framework/recipes-security/cynagora/cynagora/run-ptest [deleted file]
meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager.inc [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend [deleted file]
meta-app-framework/recipes-security/security-manager/security-manager_git.bb [deleted file]
meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend [deleted file]
meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc [deleted file]
meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch [deleted file]
meta-app-framework/recipes-support/libcap/libcap_%.bbappend [deleted file]
meta-app-framework/recipes-support/libcap/libcap_appfw.inc [deleted file]
meta-app-framework/recipes-support/libzip/libzip_%.bbappend [deleted file]
meta-app-framework/recipes-support/libzip/libzip_appfw.inc [deleted file]
meta-app-framework/recipes-test/afb-test/afb-test_git.bb [deleted file]
meta-app-framework/recipes-test/afb-test/files/run-ptest [deleted file]
meta-app-framework/scripts/run-yocto-check-layer-enabled-flags.sh [deleted file]
meta-app-framework/scripts/run-yocto-check-layer.sh [deleted file]
meta-netboot/recipes-core/initramfs-netboot/files/init.sh
meta-netboot/scripts/run-yocto-check-layer-flags-enabled.sh
meta-netboot/scripts/run-yocto-check-layer.sh
meta-pipewire/conf/layer.conf
meta-pipewire/dynamic-layers/meta-app-framework/recipes-apis/agl-service-audiomixer/agl-service-audiomixer_git.bb [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/smack-pipewire [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.30.bbappend [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-security/cynagora/cynagora_%.bbappend [deleted file]
meta-pipewire/dynamic-layers/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend [deleted file]
meta-pipewire/scripts/run-yocto-check-layer.sh
scripts/envsetup.sh
templates/feature/agl-appfw-smack/50_bblayers.conf.inc [deleted file]
templates/feature/agl-appfw-smack/50_local.conf.inc [deleted file]
templates/feature/agl-appfw-smack/README_feature_agl-appfw-smack.md [deleted file]
templates/feature/agl-hmi-framework/50_local.conf.inc [deleted file]
templates/feature/agl-hmi-framework/README_feature_agl-hmi-framework.md [deleted file]

index 287b819..5d0f89d 100644 (file)
@@ -140,7 +140,6 @@ meta-agl/meta-agl-profile-core/recipes-platform
 |   |-- agl-image-graphical-qt5.bb
 |   `-- agl-image-graphical-qt5.inc
 `-- packagegroups
-    |-- packagegroup-agl-appfw-native-qt5.bb
     |-- packagegroup-agl-demo-qt-examples.bb
     |-- packagegroup-agl-profile-graphical-qt5.bb
     `-- packagegroup-qt5-toolchain-target.bbappend
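Review bot: The entry removed from this tree listing, `packagegroup-agl-appfw-native-qt5.bb`, does not match any path in this change's file list; the packagegroups deleted here are `packagegroup-agl-appfw-native.bb` and `packagegroup-agl-appfw-qt5.bb` under meta-app-framework. Please check that the remaining entries of the listing still match the tree, or say in the commit message that the entry was already stale.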
diff --git a/meta-agl-bsp/meta-freescale-layer/recipes-kernel/linux/files/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch b/meta-agl-bsp/meta-freescale-layer/recipes-kernel/linux/files/0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch
deleted file mode 100644 (file)
index 1b17bc7..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From c8bbb0f916de54610513e376070aea531af19dd6 Mon Sep 17 00:00:00 2001
-From: jooseong lee <jooseong.lee@samsung.com>
-Date: Thu, 3 Nov 2016 10:55:43 +0100
-Subject: [PATCH 4/4] Smack: Assign smack_known_web label for kernel thread's
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Assign smack_known_web label for kernel thread's socket in the sk_alloc_security hook
-
-Creating struct sock by sk_alloc function in various kernel subsystems
-like bluetooth dosen't call smack_socket_post_create(). In such case,
-received sock label is the floor('_') label and makes access deny.
-
-Refers-to: https://review.tizen.org/gerrit/#/c/80717/4
-
-Change-Id: I2e5c9359bfede84a988fd4d4d74cdb9dfdfc52d8
-Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- security/smack/smack_lsm.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index e45f0a3..a3f3ccc 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -2107,8 +2107,16 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
-       if (ssp == NULL)
-               return -ENOMEM;
--      ssp->smk_in = skp;
--      ssp->smk_out = skp;
-+      /*
-+       * Sockets created by kernel threads receive web label.
-+       */
-+      if (unlikely(current->flags & PF_KTHREAD)) {
-+              ssp->smk_in = &smack_known_web;
-+              ssp->smk_out = &smack_known_web;
-+      } else {
-+              ssp->smk_in = skp;
-+              ssp->smk_out = skp;
-+      }
-       ssp->smk_packet = NULL;
-       sk->sk_security = ssp;
--- 
-2.7.4
-
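Review bot: No recipe or bbappend under `meta-agl-bsp/meta-freescale-layer` appears in the changed-file list, only this patch file, so any `SRC_URI` entry that names `0004-Smack-Assign-smack_known_web-label-for-kernel-thread.patch` is left untouched. If one still exists, the kernel fetch will fail on the missing file; please drop the reference in the same change or confirm there is none.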
index c752bba..b535044 100644 (file)
@@ -21,7 +21,7 @@ do_install() {
     # the Si468x device via i2c
     install -d ${D}${sysconfdir}/udev/rules.d
     cat >${D}${sysconfdir}/udev/rules.d/zz-radio-si.rules <<'EOF'
-KERNEL=="i2c-12", MODE="0660", GROUP="audio", SECLABEL{smack}="*"
+KERNEL=="i2c-12", MODE="0660", GROUP="audio"
 EOF
 }
 
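Review bot: Once `SECLABEL{smack}="*"` is gone from the `zz-radio-si.rules` line, access to `i2c-12` rests only on `MODE="0660"` and `GROUP="audio"`, and nothing in the recipe says which service is expected to hold that group. A one-line comment above the heredoc naming the intended consumer of the Si468x device would keep the permission model reviewable until the new framework lands.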
index d690b15..cbd4952 100644 (file)
@@ -1,6 +1,5 @@
 require checksum_control.inc
 
 do_install:append(){
-        sed -i 's/MODE="0660", OWNER/MODE="0660", SECLABEL{smack}="*", OWNER/g' ${D}${sysconfdir}/udev/rules.d/72-pvr-seat.rules 
         sed -i 's/GROUP="video"/GROUP="display"/g' ${D}${sysconfdir}/udev/rules.d/72-pvr-seat.rules 
 }
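Review bot: The surviving `sed` line in `do_install:append` still ends in a trailing space after `72-pvr-seat.rules`; since its neighbour is being removed in this hunk, please clean that up here too. It would also help to say in the commit message that the `72-pvr-seat.rules` nodes are now gated only by `MODE="0660"` and the `display` group.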
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch
deleted file mode 100644 (file)
index c595dfd..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 63f5acdf097b7baca8d0f7056a037f8811b48aaa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Tue, 27 Feb 2018 17:06:21 +0100
-Subject: [PATCH] Smack: Handle CGROUP2 in the same way that CGROUP
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The new file system CGROUP2 isn't actually handled
-by smack. This changes makes Smack treat equally
-CGROUP and CGROUP2 items.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- security/smack/smack_lsm.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 03fdecba93bb..5d77ed04422c 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -3431,6 +3431,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
-       if (opt_dentry->d_parent == opt_dentry) {
-               switch (sbp->s_magic) {
-               case CGROUP_SUPER_MAGIC:
-+              case CGROUP2_SUPER_MAGIC:
-                       /*
-                        * The cgroup filesystem is never mounted,
-                        * so there's no opportunity to set the mount
-@@ -3474,6 +3475,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
-       switch (sbp->s_magic) {
-       case SMACK_MAGIC:
-       case CGROUP_SUPER_MAGIC:
-+      case CGROUP2_SUPER_MAGIC:
-               /*
-                * Casey says that it's a little embarrassing
-                * that the smack file system doesn't do
--- 
-2.14.3
-
diff --git a/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch b/meta-agl-core/recipes-kernel/linux/linux-4.14/Smack-Privilege-check-on-key-operations.patch
deleted file mode 100644 (file)
index 4100bb8..0000000
+++ /dev/null
@@ -1,109 +0,0 @@
-Smack: Privilege check on key operations
-
-Operations on key objects are subjected to Smack policy
-even if the process is privileged. This is inconsistent
-with the general behavior of Smack and may cause issues
-with authentication by privileged daemons. This patch
-allows processes with CAP_MAC_OVERRIDE to access keys
-even if the Smack rules indicate otherwise.
-
-Reported-by: Jose Bollo <jobol@nonadev.net>
-Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
----
- security/smack/smack.h        |  1 +
- security/smack/smack_access.c | 40 +++++++++++++++++++++++++++++-----------
- security/smack/smack_lsm.c    |  4 ++++
- 3 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/security/smack/smack.h b/security/smack/smack.h
-index 6a71fc7..f7db791 100644
---- a/security/smack/smack.h
-+++ b/security/smack/smack.h
-@@ -321,6 +321,7 @@ struct smack_known *smk_import_entry(const char *, int);
- void smk_insert_entry(struct smack_known *skp);
- struct smack_known *smk_find_entry(const char *);
- bool smack_privileged(int cap);
-+bool smack_privileged_cred(int cap, const struct cred *cred);
- void smk_destroy_label_list(struct list_head *list);
- /*
-diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
-index 1a30041..141ffac 100644
---- a/security/smack/smack_access.c
-+++ b/security/smack/smack_access.c
-@@ -623,26 +623,24 @@ struct smack_known *smack_from_secid(const u32 secid)
- LIST_HEAD(smack_onlycap_list);
- DEFINE_MUTEX(smack_onlycap_lock);
--/*
-+/**
-+ * smack_privileged_cred - are all privilege requirements met by cred
-+ * @cap: The requested capability
-+ * @cred: the credential to use
-+ *
-  * Is the task privileged and allowed to be privileged
-  * by the onlycap rule.
-  *
-  * Returns true if the task is allowed to be privileged, false if it's not.
-  */
--bool smack_privileged(int cap)
-+bool smack_privileged_cred(int cap, const struct cred *cred)
- {
--      struct smack_known *skp = smk_of_current();
-+      struct task_smack *tsp = cred->security;
-+      struct smack_known *skp = tsp->smk_task;
-       struct smack_known_list_elem *sklep;
-       int rc;
--      /*
--       * All kernel tasks are privileged
--       */
--      if (unlikely(current->flags & PF_KTHREAD))
--              return true;
--
--      rc = cap_capable(current_cred(), &init_user_ns, cap,
--                              SECURITY_CAP_AUDIT);
-+      rc = cap_capable(cred, &init_user_ns, cap, SECURITY_CAP_AUDIT);
-       if (rc)
-               return false;
-@@ -662,3 +660,23 @@ bool smack_privileged(int cap)
-       return false;
- }
-+
-+/**
-+ * smack_privileged - are all privilege requirements met
-+ * @cap: The requested capability
-+ *
-+ * Is the task privileged and allowed to be privileged
-+ * by the onlycap rule.
-+ *
-+ * Returns true if the task is allowed to be privileged, false if it's not.
-+ */
-+bool smack_privileged(int cap)
-+{
-+      /*
-+       * All kernel tasks are privileged
-+       */
-+      if (unlikely(current->flags & PF_KTHREAD))
-+              return true;
-+
-+      return smack_privileged_cred(cap, current_cred());
-+}
-diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
-index 30f2c3d..03fdecb 100644
---- a/security/smack/smack_lsm.c
-+++ b/security/smack/smack_lsm.c
-@@ -4369,6 +4369,10 @@ static int smack_key_permission(key_ref_t key_ref,
-        */
-       if (tkp == NULL)
-               return -EACCES;
-+
-+      if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
-+              return 0;
-+
- #ifdef CONFIG_AUDIT
-       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
-       ad.a.u.key_struct.key = keyp->serial;
-
index 8476f34..9ab3d34 100644 (file)
@@ -1,13 +1,5 @@
 FILESEXTRAPATHS:prepend := "${THISDIR}/linux-4.14:"
 
-#-------------------------------------------------------------------------
-# smack patches for kernels keys
-
-SRC_URI:append:with-lsm-smack = "\
-       file://Smack-Privilege-check-on-key-operations.patch \
-       file://Smack-Handle-CGROUP2-in-the-same-way-that-CGROUP.patch \
-       "
-
 SRC_URI:append = "\
        file://net-sch_generic-add-if_afp.h-header-to-get-ARPHRD_CA.patch \
        file://net-sch_generic-Use-pfifo_fast-as-fallback-scheduler.patch \
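Review bot: The deleted `SRC_URI:append:with-lsm-smack` block relied on the `with-lsm-smack` override, and this change does not show where that override is set or whether other layers still use it. Please grep the remaining layers for `with-lsm-smack`; a leftover user would silently never apply once nothing sets the override.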
index fec7306..e0e9d17 100755 (executable)
@@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
 
 # important settings imported from poky-agl.conf
 # we do not import 
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 
-# workaround:
-# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
 AGL_FEATURES += "aglcore"
 
 EOF
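Review bot: Dropping the `BBMASK` for `ostree_2020.3.bb` is only correct because `smack` leaves `DISTRO_FEATURES` in the same hunk, and the deleted comment was the only record of why the mask existed. Please mention that dependency in the commit message. The context line `# we do not import` is also left as an unfinished comment and could be completed or removed while this block is being edited.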
index 369ed98..3af61bc 100755 (executable)
@@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
 
 # important settings imported from poky-agl.conf
 # we do not import 
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 
-# workaround:
-# ERROR: Nothing PROVIDES 'smack' (but /home/dl9pf/AGL/master-newlayout/external/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
 EOF
 
 
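Review bot: This is the same edit as in the preceding script hunk, applied to a second copy of the generated configuration block. Keeping two heredocs in sync by hand is error-prone for settings like `DISTRO_FEATURES`; consider moving the shared fragment into one file that both check-layer scripts source.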
index 0affb6f..be43696 100755 (executable)
@@ -27,7 +27,6 @@ Following is a "tree" look at the layer:
 |-- meta-agl-ic
 |-- meta-agl-ivi
 |-- meta-agl.md
-|-- meta-app-framework
 |-- meta-netboot
 |-- meta-pipewire
 |-- scripts
@@ -47,8 +46,6 @@ in `meta-agl`:
 * `meta-agl-core-test`: recipes supporting qa images (separate layer due to external dependencies)
 * `meta-agl-ic`: Instrument Cluster platform
 * `meta-agl-ivi`: IVI platform
-* `meta-app-framework`: Configuration and recipes supporting the AGL Application
-  Framework.
 * `meta-netboot`: Contains recipes and configuration adjustments to allow network
   boot through network block device (NBD) since network file system (NFS) does not
   support security labels.
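Review bot: The `meta-netboot` bullet kept as context below the removed lines still justifies NBD by saying NFS "does not support security labels". With the Smack-based framework removed in this change, that rationale should be reworded or confirmed as still applicable, especially since `meta-netboot/recipes-core/initramfs-netboot/files/init.sh` is modified in the same commit.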
diff --git a/meta-app-framework/LICENSE b/meta-app-framework/LICENSE
deleted file mode 100644 (file)
index e8758f8..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-Different components of the AGL layers are under different licenses (a mix
-of MIT and GPLv2). See LICENSE.GPL-2.0-only and LICENSE.MIT for further
-details of the individual licenses.
-
-All metadata (e.g. .bb, .bbappend, .bbclass, .inc, templates/* and similar)
-is MIT licensed unless otherwise stated.
-Source code included in tree for individual recipes (e.g. patches) are under
-the LICENSE stated in the associated recipe (.bb file) unless otherwise stated.
-
-License information for any other files (scripts) is either explicitly stated
-or defaults to GPL version 2 only.
-
-Individual files can contain the following style tags instead of the full
-license text to identify their license:
-
-    SPDX-License-Identifier: GPL-2.0-only
-    SPDX-License-Identifier: MIT
-
-This enables machine processing of license information based on the SPDX
-License Identifiers that are here available: http://spdx.org/licenses/
diff --git a/meta-app-framework/LICENSE.GPL-2.0-only b/meta-app-framework/LICENSE.GPL-2.0-only
deleted file mode 100644 (file)
index 5db3c0a..0000000
+++ /dev/null
@@ -1,288 +0,0 @@
-                   GNU GENERAL PUBLIC LICENSE
-                      Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                           Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                   GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-                           NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-                    END OF TERMS AND CONDITIONS
-
-Note:
-Individual files contain the following tag instead of the full license text.
-
-    SPDX-License-Identifier: GPL-2.0-only
-
-This enables machine processing of license information based on the SPDX
-License Identifiers that are here available: http://spdx.org/licenses/
diff --git a/meta-app-framework/LICENSE.MIT b/meta-app-framework/LICENSE.MIT
deleted file mode 100644 (file)
index a6919eb..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-Note:
-Individual files contain the following tag instead of the full license text.
-
-    SPDX-License-Identifier: MIT
-
-This enables machine processing of license information based on the SPDX
-License Identifiers that are here available: http://spdx.org/licenses/
diff --git a/meta-app-framework/README b/meta-app-framework/README
deleted file mode 100644 (file)
index bbcd5f4..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-This is meta-app-framework.
-
-It is an application framework building on-top of the SMACK LSM.
-
diff --git a/meta-app-framework/classes/aglwgt.bbclass b/meta-app-framework/classes/aglwgt.bbclass
deleted file mode 100644 (file)
index f42c282..0000000
+++ /dev/null
@@ -1,185 +0,0 @@
-#
-# aglwgt bbclass
-#
-# Jan-Simon Moeller, jsmoeller@linuxfoundation.org
-#
-# This class expects a "make package" target in the makefile
-# which creates the wgt files in the package/ subfolder.
-# The makefile needs to use wgtpkg-pack.
-#
-
-# 'wgtpkg-pack' in af-main-native is required.
-DEPENDS:append = " af-main-native"
-
-# for bindings af-binder is required.
-DEPENDS:append = " af-binder"
-
-# for bindings that use the cmake-apps-module
-DEPENDS:append = " cmake-apps-module-native"
-
-# for hal bindings genskel is required.
-DEPENDS:append = " af-binder-devtools-native"
-
-# Re-enable strip for qmake based projects (default value is "echo")
-OE_QMAKE_STRIP = "${STRIP}"
-
-# Extra build arguments passed to the autobuild script invocations
-AGLWGT_EXTRA_BUILD_ARGS ?= 'VERBOSE=TRUE BUILD_ARGS="${PARALLEL_MAKE}"'
-
-# CMake based widgets that inherit cmake.bbclass will have the
-# following automatically appended to AGLWGT_EXTRA_BUILD_ARGS as
-# the value of CONFIGURE_FLAGS.  This definition may need to be
-# extended to include more of what is passed in cmake.bbclass's
-# do_configure if it is found insufficient.  Using the generated
-# toolchain.cmake file does fix issues with respect to finding the
-# Qt5 CMake modules that seem difficult to fix otherwise, so at the
-# very minimum it should be present.
-AGLWGT_CMAKE_CONFIGURE_ARGS ?= "-DCMAKE_TOOLCHAIN_FILE=${WORKDIR}/toolchain.cmake ${EXTRA_OECMAKE}"
-
-# Only widgets with recipe names starting with agl-service- are
-# assumed to have tests by default, set this to "1" to force
-# building/packaging of the test widget for other widgets.
-AGLWGT_HAVE_TESTS ?= "0"
-
-# Whether the widget should be auto-installed on first boot
-AGLWGT_AUTOINSTALL ?= "1"
-
-# Signature keys
-# These are default keys for development purposes !
-# Change it for production.
-WGTPKG_AUTOSIGN_0:agl-sign-wgts ??= "${WORKDIR}/recipe-sysroot-native/usr/share/afm/keys/developer.key.pem:${WORKDIR}/recipe-sysroot-native/usr/share/afm/certs/developer.cert.pem"
-WGTPKG_AUTOSIGN_1:agl-sign-wgts ??= "${WORKDIR}/recipe-sysroot-native/usr/share/afm/keys/platform.key.pem:${WORKDIR}/recipe-sysroot-native/usr/share/afm/certs/platform.cert.pem"
-
-export WGTPKG_AUTOSIGN_0
-export WGTPKG_AUTOSIGN_1
-
-python __anonymous () {
-    # NOTE: AGLWGT_CMAKE_CONFIGURE_ARGS is not updated directly here,
-    #       but via the prefunc below to avoid issues around anonymous
-    #       python ordering conflicts with e.g. externalsrc.bbclass.
-    if bb.data.inherits_class("cmake", d):
-        d.appendVarFlag('do_compile', 'prefuncs', ' aglwgt_cmake_configure')
-}
-
-python aglwgt_cmake_configure () {
-    # Define CONFIGURE_FLAGS appropriately if cmake.bbclass has been
-    # inherited, see description of AGLWGT_CMAKE_CONFIGURE_ARGS above
-    # for more details.
-    cmake_config_args = d.getVar("AGLWGT_CMAKE_CONFIGURE_ARGS")
-    if bb.data.inherits_class("cmake", d) and cmake_config_args:
-        d.appendVar("AGLWGT_EXTRA_BUILD_ARGS", ' CONFIGURE_ARGS="' + cmake_config_args + '"')
-        d.appendVarFlag("AGLWGT_EXTRA_BUILD_ARGS", "vardeps", " AGLWGT_CMAKE_CONFIGURE_ARGS")
-}
-
-# Placeholder to keep things like externalsrc that prefunc or append
-# do_configure working as expected.
-aglwgt_do_configure() {
-    true
-}
-
-aglwgt_do_compile() {
-    bldcmd=${S}/autobuild/agl/autobuild
-    if [ ! -x "$bldcmd" ]; then
-        bbfatal "Missing autobuild/agl/autobuild script"
-    fi
-
-    if [ "${S}" != "${B}" ]; then
-        rm -rf ${B}
-        mkdir -p ${B}
-        cd ${B}
-    fi
-
-    $bldcmd package BUILD_DIR=${B}/build-release ${AGLWGT_EXTRA_BUILD_ARGS}
-    $bldcmd package-debug BUILD_DIR_DEBUG=${B}/build-debug ${AGLWGT_EXTRA_BUILD_ARGS}
-
-    if echo ${BPN} | grep -q '^agl-service-' || [ "${AGLWGT_HAVE_TESTS}" = "1" ]; then
-        # Only try building the test widget if there's source for it, to avoid spurious errors
-        if [ -f ${S}/test/CMakeLists.txt ]; then
-            $bldcmd package-test BUILD_DIR_TEST=${B}/build-test ${AGLWGT_EXTRA_BUILD_ARGS}
-        fi
-
-        # The coverage widget should always build
-        $bldcmd package-coverage BUILD_DIR_COVERAGE=${B}/build-coverage ${AGLWGT_EXTRA_BUILD_ARGS}
-    fi
-}
-
-POST_INSTALL_LEVEL ?= "10"
-POST_INSTALL_SCRIPT ?= "${POST_INSTALL_LEVEL}-${PN}.sh"
-
-EXTRA_WGT_POSTINSTALL ?= ""
-
-aglwgt_do_install() {
-    DEST=release
-    if [ "${AGLWGT_AUTOINSTALL_${PN}}" = "0" ]; then
-        DEST=manualinstall
-    fi
-
-    wgt="$(find ${B}/build-release -maxdepth 1 -name '*.wgt'| head -n 1)"
-    if [ -n "$wgt" ]; then
-        install -d ${D}/usr/AGL/apps/$DEST
-        install -m 0644 $wgt ${D}/usr/AGL/apps/$DEST/
-    else
-        bbfatal "no package found in widget directory"
-    fi
-
-    for t in debug coverage test; do
-        if [ "$(find ${B}/build-${t} -maxdepth 1 -name *-${t}.wgt)" ]; then
-            install -d ${D}/usr/AGL/apps/${t}
-            install -m 0644 ${B}/build-${t}/*-${t}.wgt ${D}/usr/AGL/apps/${t}/
-        elif [ "$t" = "debug" ]; then
-            # HTML5 widgets complicate things here, need to detect them and
-            # not error out in that case.  ATM this requires looking in the
-            # config.xml of the release widget.
-            rm -rf ${B}/tmp
-            unzip $wgt config.xml -d ${B}/tmp
-            if [ -f ${B}/tmp/config.xml -a \
-                 ! cat ${B}/tmp/config.xml | \
-                     grep -q '^[[:space:]]*<content[[:space:]]\+src="[^\"]*"[[:space:]]\+type="text/html"' ]; then
-                bbfatal "no package found in ${t} widget directory"
-            fi
-            rm -rf ${B}/tmp
-        elif echo ${BPN} | grep -q '^agl-service-' || [ "${AGLWGT_HAVE_TESTS}" = "1" ]; then
-            if [ "$t" = "coverage" -o -f ${S}/test/CMakeLists.txt ]; then
-                bbfatal "no package found in ${t} widget directory"
-            fi
-        fi
-    done
-
-    if [ "${AGLWGT_AUTOINSTALL}" != "0" ]; then
-        # For now assume autoinstall of the release versions
-        rm -rf ${D}/usr/AGL/apps/autoinstall
-        ln -sf release ${D}/usr/AGL/apps/autoinstall
-
-        APP_FILES=""
-        for file in ${D}/usr/AGL/apps/autoinstall/*.wgt; do
-            APP_FILES="${APP_FILES} $(basename $file)";
-        done
-        install -d ${D}/${sysconfdir}/agl-postinsts
-        cat > ${D}/${sysconfdir}/agl-postinsts/${POST_INSTALL_SCRIPT} <<EOF
-#!/bin/sh -e
-for file in ${APP_FILES}; do
-    /usr/bin/afm-install install /usr/AGL/apps/autoinstall/\$file
-done
-sync
-${EXTRA_WGT_POSTINSTALL}
-EOF
-        chmod a+x ${D}/${sysconfdir}/agl-postinsts/${POST_INSTALL_SCRIPT}
-    fi
-}
-
-PACKAGES += "${PN}-test ${PN}-debug ${PN}-coverage"
-
-FILES:${PN} += " \
-    /usr/AGL/apps/release/*.wgt \
-    /usr/AGL/apps/autoinstall \
-    /usr/AGL/apps/manualinstall \
-    ${sysconfdir}/agl-postinsts/${POST_INSTALL_SCRIPT} \
-"
-FILES:${PN}-test = "/usr/AGL/apps/test/*.wgt"
-FILES:${PN}-debug = "/usr/AGL/apps/debug/*.wgt"
-FILES:${PN}-coverage = "/usr/AGL/apps/coverage/*.wgt"
-
-# Test widgets need the parent widget and the test framework
-RDEPENDS:${PN}-test = "${PN} afb-test"
-
-EXPORT_FUNCTIONS do_configure do_compile do_install
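Review bot: Any recipe that still carries `inherit aglwgt` will fail at parse time once this class is deleted, so recipes in other layers that inherit it need to be converted or dropped in the same topic. The `WGTPKG_AUTOSIGN_0` and `WGTPKG_AUTOSIGN_1` defaults near the top of the file pointed at the developer and platform development keys, with the comment "Change it for production". Please say in the commit message where package signing is handled after the transition, so that caveat is not lost along with the class.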
diff --git a/meta-app-framework/conf/include/agl-appfw-smack.inc b/meta-app-framework/conf/include/agl-appfw-smack.inc
deleted file mode 100644 (file)
index f22fe71..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-# enable security features (smack, cynagora) - required by Application Framework
-OVERRIDES .= ":with-lsm-smack"
-DISTRO_FEATURES:append = " smack xattr"
-DISTRO_FEATURES_NATIVE:append = " smack xattr"
-
-APPFW_ENABLED = "1"
-
-# use tar-native to support SMACK extended attributes independently of host config
-IMAGE_CMD_TAR = "tar --xattrs --xattrs-include='*'"
-do_image_tar[depends] += "tar-replacement-native:do_populate_sysroot"
-EXTRANATIVEPATH += "tar-native"
-
-# security: enable ssh server in place of dropbear to support PAM on user sessions
-IMAGE_FEATURES += "ssh-server-openssh"
-
-# enforce copy of xattrs (to be removed, see SPEC-475)
-PACKAGECONFIG:append:pn-shadow = " attr"
-PACKAGECONFIG:append:pn-shadow-native = " attr"
-
-# set the home directory for root
-ROOT_HOME = "/home/0"
-
-# include devel wgts in images
-IMAGE_FEATURES:append = " agl-devel-wgt"
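Review bot: This include carried more than the Smack switches: `IMAGE_FEATURES += "ssh-server-openssh"` (selected in place of dropbear for PAM on user sessions), `ROOT_HOME = "/home/0"` and the `agl-devel-wgt` image feature are removed with it. Images that enabled this feature will no longer get those settings from here. If the OpenSSH and root-home choices are still wanted, move them to a core include; otherwise call out the behaviour change in the commit message next to the list of removed components.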
diff --git a/meta-app-framework/conf/include/agl-sign-wgts.inc b/meta-app-framework/conf/include/agl-sign-wgts.inc
deleted file mode 100644 (file)
index 06a7aba..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# allows insertion of code or items specific to developement
-OVERRIDES .= ":agl-sign-wgts"
-AGL_FEATURES:append = " agl-sign-wgts"
diff --git a/meta-app-framework/conf/layer.conf b/meta-app-framework/conf/layer.conf
deleted file mode 100644 (file)
index 77701bb..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-# We have a conf and classes directory, add to BBPATH
-BBPATH .= ":${LAYERDIR}"
-
-# We have recipes-* directories, add to BBFILES
-BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
-       ${LAYERDIR}/recipes-*/*/*.bbappend"
-
-BBFILE_COLLECTIONS += "app-framework"
-BBFILE_PATTERN_app-framework = "^${LAYERDIR}/"
-BBFILE_PRIORITY_app-framework = "70"
-
-LAYERSERIES_COMPAT_app-framework = "dunfell"
-
-# dependency: meta-oe
-LAYERDEPENDS_app-framework  = "openembedded-layer"
-# dependency: meta-security
-LAYERDEPENDS_app-framework += "security"
-
-# AGL core layer is an optional requirement
-LAYERRECOMMENDS_app-framework += "aglcore"
-LAYERRECOMMENDS_app-framework += "qt5-layer"
-
-BBFILES_DYNAMIC += " \
-    qt5-layer:${LAYERDIR}/dynamic-layers/meta-qt5/*/*/*.bb \
-    qt5-layer:${LAYERDIR}/dynamic-layers/meta-qt5/*/*/*.bbappend \
-    aglcore:${LAYERDIR}/dynamic-layers/meta-agl-core/*/*/*.bb \
-    aglcore:${LAYERDIR}/dynamic-layers/meta-agl-core/*/*/*.bbappend \
-"
-
-
-# bug in meta-security
-BBMASK += "packagegroup-core-security-ptest\.bb"
-#BBMASK += "meta-security/recipes-mac/smack/smack-test_1.0.bb
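Review bot: The `BBMASK += "packagegroup-core-security-ptest\.bb"` workaround at the end of this file, commented as a bug in meta-security, goes away together with `LAYERDEPENDS_app-framework += "security"`. If meta-security stays in bblayers.conf through another layer or template, the masked recipe is parsed again. Either confirm that the layer is dropped from the templates as part of this change, or carry the mask somewhere that survives the removal.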
diff --git a/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend b/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-core-security.bbappend
deleted file mode 100644 (file)
index 048154e..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', '${PN}_appfw.inc', '', d)}
diff --git a/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-core-security_appfw.inc b/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-core-security_appfw.inc
deleted file mode 100644 (file)
index 52d3f0e..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-RDEPENDS:${PN}:append = "\
-       smack-system-setup \
-       xmlsec1 \
-       cynagora \
-       security-manager \
-       security-manager-policy \
-       agl-users \
-    "
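Review bot: The removed RDEPENDS list mixes the Smack and Cynagora stack (`smack-system-setup`, `cynagora`, `security-manager`, `security-manager-policy`) with `xmlsec1` and `agl-users`, whose names do not tie them to Smack. Please confirm that nothing remaining in the image relies on those two being pulled in through packagegroup-agl-core-security, or add them explicitly to the packagegroup that still needs them.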
diff --git a/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-boot.bbappend b/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-boot.bbappend
deleted file mode 100644 (file)
index 514dde7..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'packagegroup-agl-image-boot_appfw.inc', '', d)}
diff --git a/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-boot_appfw.inc b/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-boot_appfw.inc
deleted file mode 100644 (file)
index 2499c07..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-RDEPENDS:${PN}:append = "\
-   packagegroup-agl-app-framework \
-   "
diff --git a/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-minimal.bbappend b/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-minimal.bbappend
deleted file mode 100644 (file)
index 5f890bf..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'packagegroup-agl-image-minimal_appfw.inc', '', d)}
diff --git a/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-minimal_appfw.inc b/meta-app-framework/dynamic-layers/meta-agl-core/recipes-platform/packagegroups/packagegroup-agl-image-minimal_appfw.inc
deleted file mode 100644 (file)
index 2499c07..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-RDEPENDS:${PN}:append = "\
-   packagegroup-agl-app-framework \
-   "
diff --git a/meta-app-framework/dynamic-layers/meta-qt5/recipes-devtools/libafb-helpers-qt/libafb-helpers-qt_git.bb b/meta-app-framework/dynamic-layers/meta-qt5/recipes-devtools/libafb-helpers-qt/libafb-helpers-qt_git.bb
deleted file mode 100644 (file)
index afbbc09..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-require recipes-devtools/libafb-helpers/libafb-helpers_git.inc
-
-DEPENDS:append = " qtwebsockets"
-RDEPENDS:${PN}:append = " af-binder"
-
-inherit cmake_qt5
-
-EXTRA_OECMAKE:append = " -DAFB_HELPERS_QT=ON -DAFB_HELPERS=OFF"
-
-ALLOW_EMPTY:${PN} = "1"
-
diff --git a/meta-app-framework/dynamic-layers/meta-qt5/recipes-devtools/libqtappfw/libqtappfw_git.bb b/meta-app-framework/dynamic-layers/meta-qt5/recipes-devtools/libqtappfw/libqtappfw_git.bb
deleted file mode 100644 (file)
index dd270d0..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY     = "AGL Qt AppFW Library"
-DESCRIPTION = "libqtappfw"
-HOMEPAGE    = "http://docs.automotivelinux.org"
-LICENSE     = "Apache-2.0"
-SECTION     = "libs"
-
-BBCLASSEXTEND = "nativesdk"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ae6497158920d9524cf208c09cc4c984"
-
-DEPENDS += "qtbase qtdeclarative qtwebsockets"
-
-inherit cmake_qt5
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/libqtappfw;protocol=https;branch=${AGL_BRANCH}"
-SRCREV  = "fe20f1b029f67dee1f790ade7a9114086f2abd38"
-S       = "${WORKDIR}/git/"
-
-# PV needs to be modified with SRCPV to work AUTOREV correctly
-PV = "0.0+git${SRCPV}"
diff --git a/meta-app-framework/dynamic-layers/meta-qt5/recipes-platform/packagegroups/packagegroup-agl-appfw-qt5.bb b/meta-app-framework/dynamic-layers/meta-qt5/recipes-platform/packagegroups/packagegroup-agl-appfw-qt5.bb
deleted file mode 100644 (file)
index 8536276..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-SUMMARY = "The software for application framework of AGL IVI profile"
-DESCRIPTION = "A set of packages belong to AGL application framework"
-
-LICENSE = "MIT"
-
-inherit packagegroup
-
-PACKAGES = "\
-    packagegroup-agl-appfw-qt5 \
-    "
-
-ALLOW_EMPTY:${PN} = "1"
-
-RDEPENDS:${PN} += "\
-    packagegroup-agl-appfw-native \
-"
\ No newline at end of file
diff --git a/meta-app-framework/recipes-connectivity/bluez5/bluez5_%.bbappend b/meta-app-framework/recipes-connectivity/bluez5/bluez5_%.bbappend
deleted file mode 100644 (file)
index 20d2a68..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'bluez5_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-connectivity/bluez5/bluez5_appfw.inc b/meta-app-framework/recipes-connectivity/bluez5/bluez5_appfw.inc
deleted file mode 100644 (file)
index 7b74de9..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-# Recent bluez5 releases started limiting the capabilities of
-# bluetoothd. When running on a Smack-enabled system, that change has the
-# effect that bluetoothd can no longer create the input device under
-# /sys because bluez5 running with label "System" has no write
-# access to that.
-#
-# It works when running as normal root with unrestricted capabilities
-# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows
-# the process to ignore Smack rules.
-#
-# We need to ensure that bluetoothd still has that capability.
-#
-# To fix the issue, Patick and Casey(the Smack architect) had a talk
-# about it in Ostro dev mail list. Casey has some ideas about the issue:
-# "Turning off privilege is a great thing to do *so long as you don't
-# really need the privilege*. In this case you really need it.
-# The application package isn't written to account for Smack's use of
-# CAP_MAC_OVERRIDE as the mechanism for controlling this dangerous operation.
-# Yes, it would be possible to change /proc to change the Smack label on
-# that particular file, but that might open other paths for exploit.
-# I say give the program the required capability. The program maintainer
-# may well say change the kernel handling of /proc. You're stuck in the
-# middle, as both work the way they're intended and hence the system
-# doesn't work. :( There isn't a way to make this work without "loosening"
-# something."
-# Therefore, when we we run the program with CAP_MAC_OVERRIDE,
-# the whole reason for having capabilities is so the we can give a
-# process the ability to bypass one kind of check without giving it the
-# ability to bypass other, unrelated checks. A process with
-# CAP_MAC_OVERRIDE is still constrained by the file mode bits.
-# We was overly worried about granting that capability.
-# When it has no other effect than excluding a process from Smack MAC enforcement,
-# then adding to the process seems like the right solution for now.
-#
-# The conclusion from Patick and Casey is that the Smack architect give the key point
-# that this is the solution preferred.
-#
-# Because the solution is to some extend specific to the environment
-# in which connmand runs, this change is not submitted upstream
-# and it can be overridden by a distro via FIX_BLUEZ5_CAPABILITIES.
-#
-# The related patch has been submitted to upstream too.
-# upstream link: http://permalink.gmane.org/gmane.linux.bluez.kernel/67993
-
-FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-
-SRC_URI:append:with-lsm-smack = "\
-  file://bluetooth.service.conf \
-"
-
-FILES:${PN}:append = " ${systemd_unitdir}"
-
-do_install:append:with-lsm-smack() {
-  install -Dm0644 ${WORKDIR}/bluetooth.service.conf ${D}${systemd_unitdir}/system/bluetooth.service.d/smack.conf
-}
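Review bot: the comment block names FIX_BLUEZ5_CAPABILITIES as the distro override, but nothing in the visible recipe body (the SRC_URI append, the FILES append and do_install:append) reads that variable. A distro that set it never changed anything and will not notice this removal either, so mention in the commit message that the knob is gone rather than leaving it as a silent no-op downstream.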
diff --git a/meta-app-framework/recipes-connectivity/bluez5/files/bluetooth.service.conf b/meta-app-framework/recipes-connectivity/bluez5/files/bluetooth.service.conf
deleted file mode 100644 (file)
index b93ab4f..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-CapabilityBoundingSet=CAP_MAC_OVERRIDE
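Review bot: deleting this drop-in removes the CAP_MAC_OVERRIDE entry that the image added to bluetooth.service, which is a privilege change and not only a layer cleanup, yet the commit message lists removed layers only. Suggest stating explicitly that bluetoothd loses the CAP_MAC_OVERRIDE grant, so a downstream image that still selects with-lsm-smack knows it has to carry its own drop-in.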
diff --git a/meta-app-framework/recipes-connectivity/connman/connman_%.bbappend b/meta-app-framework/recipes-connectivity/connman/connman_%.bbappend
deleted file mode 100644 (file)
index 72aa9f2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'connman_appfw.inc', '', d)}
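Review bot: this one-line require is gated on APPFW_ENABLED, and the same gate appears in the base-files and coreutils bbappends removed further down, so after this change the variable has no consumer in these recipes. Check that the place where APPFW_ENABLED is set is dropped in the same change; otherwise a stale APPFW_ENABLED = "1" in a downstream conf will silently do nothing.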
diff --git a/meta-app-framework/recipes-connectivity/connman/connman_appfw.inc b/meta-app-framework/recipes-connectivity/connman/connman_appfw.inc
deleted file mode 100644 (file)
index 6446020..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-# Recent ConnMan releases started limiting the capabilities of
-# ConnMan. When running on a Smack-enabled system, that change has the
-# effect that connmand can no longer change network settings under
-# /proc/net because the Smack label of /proc is "_", and connmand
-# running with label "System" has no write access to that.
-#
-# It works when running as normal root with unrestricted capabilities
-# because then CAP_MAC_OVERRIDE (a Smack-specific capability) allows
-# the process to ignore Smack rules.
-#
-# We need to ensure that connmand still has that capability.
-#
-# The alternative would be to set up fine-grained labelling of
-# /proc with corresponding rules, which is considerably more work
-# and also may depend on kernel changes (like supporting smackfsroot
-# for procfs, which seems to be missing at the moment).
-#
-# Because the solution is to some extend specific to the environment
-# in which connmand runs, this change is not submitted upstream
-# and it can be overridden by a distro via FIX_CONNMAN_CAPABILITIES.
-
-FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-
-SRC_URI:append:with-lsm-smack = "\
-  file://connman.service.conf \
-"
-
-RDEPENDS:${PN}:append:with-lsm-smack = " smack"
-
-FILES:${PN}:append = " ${systemd_unitdir}"
-
-do_install:append:with-lsm-smack() {
-  install -Dm0644 ${WORKDIR}/connman.service.conf ${D}${systemd_unitdir}/system/connman.service.d/smack.conf
-}
diff --git a/meta-app-framework/recipes-connectivity/connman/files/connman.service.conf b/meta-app-framework/recipes-connectivity/connman/files/connman.service.conf
deleted file mode 100644 (file)
index 6ebbf6a..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-[Service]
-CapabilityBoundingSet=CAP_MAC_OVERRIDE
-ExecStartPre=+-/bin/mkdir -p /run/connman
-ExecStartPre=+-/usr/bin/chsmack -t -a System::Shared /run/connman
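Review bot: of the two ExecStartPre lines only the chsmack one is Smack-specific; the first one creates /run/connman. The drop-in was installed only under with-lsm-smack, so an image that moves from Smack to the new framework loses that mkdir along with the labelling. Confirm that the connman unit or a tmpfiles.d entry still creates /run/connman on such an image, or keep the mkdir line in a drop-in that is not tied to Smack.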
diff --git a/meta-app-framework/recipes-core/af-binder/af-binder-devtools-native_git.bb b/meta-app-framework/recipes-core/af-binder/af-binder-devtools-native_git.bb
deleted file mode 100644 (file)
index 1331fb8..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-require af-binder_${PV}.inc
-
-DEPENDS = "json-c-native"
-
-inherit cmake pkgconfig native
-
-EXTRA_OECMAKE:append = " -DONLY_DEVTOOLS=TRUE"
-
diff --git a/meta-app-framework/recipes-core/af-binder/af-binder_git.bb b/meta-app-framework/recipes-core/af-binder/af-binder_git.bb
deleted file mode 100644 (file)
index 4728e47..0000000
+++ /dev/null
@@ -1,117 +0,0 @@
-require af-binder_${PV}.inc
-
-DEPENDS = "file json-c libmicrohttpd systemd util-linux openssl cynara"
-
-inherit cmake pkgconfig
-
-EXTRA_OECMAKE:append:class-target = "\
-       -DUNITDIR_SYSTEM=${systemd_system_unitdir} \
-"
-
-EXTRA_OECMAKE:append:agl-devel = " \
-       -DAGL_DEVEL=ON \
-       -DINCLUDE_MONITORING=ON \
-       -DINCLUDE_SUPERVISOR=ON -DAFS_SUPERVISION_SOCKET=/run/platform/supervisor \
-"
-
-pkg_postinst:${PN}() {
-       mkdir -p "$D${libdir}/afb"
-}
-
-do_install:append:agl-devel:class-target() {
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        install -d -m 0755 ${D}${systemd_system_unitdir}/multi-user.target.wants
-        ln -s ../afm-api-supervisor.service ${D}${systemd_system_unitdir}/multi-user.target.wants/afm-api-supervisor.service
-    fi
-}
-
-#############################################
-# main package
-#############################################
-
-FILES:${PN}:append:agl-devel = " ${libdir}/afb/monitoring ${systemd_system_unitdir}"
-
-RDEPENDS:${PN}-dev += "libafbwsc-dev"
-
-#############################################
-# intrinsic binding packages
-#############################################
-PACKAGES =+ "${PN}-intrinsic-bindings"
-ALLOW_EMPTY:${PN}-intrinsic-bindings = "1"
-
-PACKAGES_DYNAMIC = "${PN}-binding-*"
-
-python populate_packages:prepend () {
-    afb_libdir = d.expand('${libdir}/afb')
-    postinst = d.getVar('binding_postinst', True)
-    pkgs = []
-
-    pkgs += do_split_packages(d, afb_libdir, '(.*)-api\.so$', d.expand('${PN}-binding-%s'), 'AFB binding for %s', postinst=postinst, extra_depends=d.expand('${PN}'))
-    pkgs += do_split_packages(d, afb_libdir, '(.*(?!-api))\.so$', d.expand('${PN}-binding-%s'), 'AFB binding for %s', postinst=postinst, extra_depends=d.expand('${PN}'))
-
-    d.setVar('RDEPENDS:' + d.getVar('PN', True) + '-intrinsic-bindings', ' '.join(pkgs))
-}
-
-#############################################
-# tool package
-#############################################
-PACKAGES =+ "${PN}-tools"
-
-FILES:${PN}-tools = "\
-       ${bindir}/afb-client-demo \
-"
-
-#############################################
-# setup libafbwsc package
-#############################################
-PACKAGES =+ "libafbwsc libafbwsc-dev"
-
-FILES:libafbwsc = "\
-       ${libdir}/libafbwsc.so.* \
-"
-FILES:libafbwsc-dev = "\
-       ${includedir}/afb/afb-wsj1.h \
-       ${includedir}/afb/afb-ws-client.h \
-       ${libdir}/libafbwsc.so \
-       ${libdir}/pkgconfig/libafbwsc.pc \
-"
-
-#############################################
-# devtool package
-#############################################
-PACKAGES =+ "${PN}-devtools"
-
-FILES:${PN}-devtools = "\
-       ${bindir}/afb-exprefs \
-       ${bindir}/afb-json2c \
-       ${bindir}/afb-genskel \
-"
-
-#############################################
-# supervisor package
-#############################################
-PACKAGES:append:agl-devel = " ${PN}-supervisor "
-
-FILES:${PN}-supervisor:agl-devel = "\
-       ${bindir}/afs-supervisor \
-        ${systemd_system_unitdir} \
-"
-
-#############################################
-# setup sample packages
-#############################################
-PACKAGES =+ "${PN}-samples"
-
-FILES:${PN}-samples = "\
-       ${datadir}/af-binder \
-"
-
-#############################################
-# meta package
-#############################################
-PACKAGES =+ "${PN}-meta"
-ALLOW_EMPTY:${PN}-meta = "1"
-
-RDEPENDS:${PN}-meta += "${PN} ${PN}-tools libafbwsc ${PN}-intrinsic-bindings"
-RDEPENDS:${PN}-meta:append:agl-devel = " ${PN}-supervisor "
-
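Review bot: this recipe is the only visible provider of libafbwsc, libafbwsc-dev and the dynamically split ${PN}-binding-* packages, so any recipe left in the tree that still names af-binder, libafbwsc or an af-binder-binding-* package in DEPENDS or RDEPENDS will break at parse or image time. Suggest grepping the remaining layers for those names, and for afm-api-supervisor.service, which the agl-devel install step links into multi-user.target.wants, as part of this change.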
diff --git a/meta-app-framework/recipes-core/af-binder/af-binder_git.inc b/meta-app-framework/recipes-core/af-binder/af-binder_git.inc
deleted file mode 100644 (file)
index 50f60f7..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "HTTP REST interface to automotive backends for HTML5 UI support"
-DESCRIPTION = "Automotive-Framework-Binder Daemon provides a HTTP REST \
-interface to various automotive-oriented bindings, \
-allowing HTML5 UIs to send platform-specific requests in a secure way."
-
-HOMEPAGE = "https://gerrit.automotivelinux.org/gerrit/#/admin/projects/src/app-framework-binder"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE-2.0.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-binder;protocol=https;branch=${AGL_BRANCH}"
-
-SRCREV = "c5c15f86d2eaaa5ac72f0ac00634a978326daae9"
-PV = "${AGL_BRANCH}+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-CFLAGS:append:agl-devel = " -DAGL_DEVEL"
-
-EXTRA_OECMAKE:append = "\
-       -DAGLVERSION=${AGLVERSION} \
-"
-
diff --git a/meta-app-framework/recipes-core/af-binder/nativesdk-af-binder-devtools_git.bb b/meta-app-framework/recipes-core/af-binder/nativesdk-af-binder-devtools_git.bb
deleted file mode 100644 (file)
index 334d073..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-require af-binder_${PV}.inc
-
-DEPENDS = "nativesdk-json-c"
-
-inherit cmake pkgconfig nativesdk
-
-EXTRA_OECMAKE:append = " -DONLY_DEVTOOLS=TRUE"
-
diff --git a/meta-app-framework/recipes-core/af-main/af-main_git.bb b/meta-app-framework/recipes-core/af-main/af-main_git.bb
deleted file mode 100644 (file)
index 8e72e45..0000000
+++ /dev/null
@@ -1,122 +0,0 @@
-require af-main_${PV}.inc 
-
-# NOTE: using libcap-native and setcap in install doesn't work
-# NOTE: maybe setting afm_name to agl-framework is cleaner but has implications
-# NOTE: there is a hack of security for using groups and dbus (to be checked)
-# NOTE: using ZIP programs creates directories with mode 777 (very bad)
-
-inherit cmake pkgconfig useradd systemd
-BBCLASSEXTEND = "native"
-
-SECTION = "base"
-
-DEPENDS = "openssl libxml2 xmlsec1 systemd libzip json-c systemd security-manager af-binder sed m4"
-DEPENDS:class-native = "openssl libxml2 xmlsec1 libzip json-c"
-RDEPENDS:${PN}:class-target += "af-binder-tools nss-localuser cynagoauth"
-
-PACKAGE_WRITE_DEPS:append:with-lsm-smack = " smack-native libcap-native"
-
-EXTRA_OECMAKE:append:class-native  = "\
-       -DUSE_LIBZIP=1 \
-       -DUSE_SIMULATION=1 \
-       -DUSE_SDK=1 \
-       -DAGLVERSION=${AGLVERSION} \
-       -Dafm_name=${afm_name} \
-       -Dafm_confdir=${afm_confdir} \
-       -Dafm_datadir=${afm_datadir} \
-"
-
-EXTRA_OECMAKE:append:class-target = "\
-       -DUSE_LIBZIP=1 \
-       -DUSE_SIMULATION=0 \
-       -DUSE_SDK=0 \
-       -DAGLVERSION=${AGLVERSION} \
-       -Dafm_name=${afm_name} \
-       -Dafm_confdir=${afm_confdir} \
-       -Dafm_datadir=${afm_datadir} \
-       -Dsystemd_units_root=${systemd_units_root} \
-       -DUNITDIR_USER=${systemd_user_unitdir} \
-       -DUNITDIR_SYSTEM=${systemd_system_unitdir} \
-"
-
-# ------------------------ WARNING WARNING WARNNING ---------------------------
-#
-# ATM (FF.rc2), forcing all apps to be signed is an issue when building without
-# agl-devel feature. A workaround is to define ALLOW_NO_SIGNATURE=ON for all
-# builds but this must be removed later. See SPEC-1614 for more details.
-#
-# A variable AGL_FORBID_UNSIGNED_APPS is introduced to enable/disable this 
-# workaround in local.conf and allow transition to signed apps:
-# * forbid unsigned apps by setting: AGL_FORBID_UNSIGNED_APPS="1"
-# * [DEFAULT] allow unsigned apps: do nothing (or set: AGL_FORBID_UNSIGNED_APPS="0")
-AGL_FORBID_UNSIGNED_APPS ?= "0"
-#
-# WORKAROUND:
-EXTRA_OECMAKE:append:agl-devel = " -DAGL_DEVEL=1"
-EXTRA_OECMAKE:append = " ${@bb.utils.contains('AGL_FORBID_UNSIGNED_APPS','1','','-DALLOW_NO_SIGNATURE=ON', d)}"
-#
-# Correct version (IMPORTANT TODO: to be restored later):
-#EXTRA_OECMAKE:append:agl-devel = " -DAGL_DEVEL=1 -DALLOW_NO_SIGNATURE=ON"
-#
-# ------------------------ WARNING WARNING WARNNING ---------------------------
-
-
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM:${PN} = "--system --gid ${afm_name} --home-dir ${afm_datadir} ${afm_name}"
-GROUPADD_PARAM:${PN} = "--system ${afm_name}"
-
-RDEPENDS:${PN}:append:with-lsm-smack = " smack bash"
-DEPENDS:append:with-lsm-smack = " smack-native"
-
-do_install:append:class-target() {
-    install -d ${D}${bindir}
-    install -d -m 0775 ${D}${systemd_units_root}/system
-    install -d -m 0775 "${D}${systemd_units_root}/system/multi-user.target.wants"
-    install -d -m 0775 "${D}${systemd_units_root}/system/afm-user-session@.target.wants"
-    install -d -m 0775 ${D}${systemd_units_root}/user
-    install -d -m 0775 ${D}${systemd_units_root}/user/default.target.wants
-    install -d -m 0775 ${D}${systemd_units_root}/user/sockets.target.wants
-    install -d ${D}${afm_datadir}/applications
-    install -d ${D}${afm_datadir}/icons
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        install -d -m 0755 ${D}${systemd_system_unitdir}/multi-user.target.wants
-        install -d -m 0755 ${D}${systemd_system_unitdir}/sockets.target.wants
-        ln -sf ../afm-system-setup.service ${D}${systemd_system_unitdir}/multi-user.target.wants/afm-system-setup.service
-        ln -sf ../afm-system-daemon.service ${D}${systemd_system_unitdir}/multi-user.target.wants/afm-system-daemon.service
-        ln -sf ../afm-system-daemon.socket ${D}${systemd_system_unitdir}/sockets.target.wants/afm-system-daemon.socket
-    fi
-}
-
-pkg_postinst_ontarget:${PN}() {
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        chgrp ${afm_name} $D${systemd_units_root}/system
-        chgrp ${afm_name} $D${systemd_units_root}/system/afm-user-session@.target.wants
-        chgrp ${afm_name} $D${systemd_units_root}/user/default.target.wants
-        chgrp ${afm_name} $D${systemd_units_root}/user/sockets.target.wants
-    fi
-    chown ${afm_name}:${afm_name} $D${afm_datadir}
-    chown ${afm_name}:${afm_name} $D${afm_datadir}/applications
-    chown ${afm_name}:${afm_name} $D${afm_datadir}/icons
-}
-
-pkg_postinst_ontarget:${PN}:append:with-lsm-smack() {
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        chsmack -a 'System::Shared' -t $D${systemd_units_root}/system
-        chsmack -a 'System::Shared' -t $D${systemd_units_root}/system/afm-user-session@.target.wants
-        chsmack -a 'System::Shared' -t $D${systemd_units_root}/user/default.target.wants
-        chsmack -a 'System::Shared' -t $D${systemd_units_root}/user/sockets.target.wants
-    fi
-    chsmack -a 'System::Shared' -t $D${afm_datadir}
-    chsmack -a 'System::Shared' -t $D${afm_datadir}/applications
-    chsmack -a 'System::Shared' -t $D${afm_datadir}/icons
-}
-FILES:${PN} += "${systemd_units_root}/* ${systemd_system_unitdir} ${systemd_user_unitdir}"
-FILES:${PN}:append:agl-sign-wgts = " ${datadir}/afm"
-
-PACKAGES =+ "${PN}-binding ${PN}-binding-dbg"
-FILES:${PN}-binding = " ${afb_binding_dir}/afm-main-binding.so "
-FILES:${PN}-binding-dbg = " ${afb_binding_dir}/.debug/afm-main-binding.so "
-
-PACKAGES =+ "${PN}-tools ${PN}-tools-dbg"
-FILES:${PN}-tools = "${bindir}/wgtpkg-*"
-FILES:${PN}-tools-dbg = "${bindir}/.debug/wgtpkg-*"
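Review bot: the WARNING block defaults AGL_FORBID_UNSIGNED_APPS to "0", which passes -DALLOW_NO_SIGNATURE=ON to every build, and its own comment marks that as a workaround to be reverted under SPEC-1614. Deleting the recipe removes the workaround and the TODO together, so please record in the commit message or in SPEC-1614 whether signature enforcement is carried over to the new framework. Otherwise the open item disappears without a decision, and an AGL_FORBID_UNSIGNED_APPS="1" left in a local.conf stops having any effect.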
diff --git a/meta-app-framework/recipes-core/af-main/af-main_git.inc b/meta-app-framework/recipes-core/af-main/af-main_git.inc
deleted file mode 100644 (file)
index 11d563a..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "AGL Framework Main part"
-DESCRIPTION = "\
-This is a core framework component for managing \
-applications, widgets, and components. \
-"
-
-HOMEPAGE = "https://gerrit.automotivelinux.org/gerrit/#/admin/projects/src/app-framework-main"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/app-framework-main;protocol=https;branch=${AGL_BRANCH}"
-
-SRCREV = "3ea6f4a404d2486ef1c5da55f1cd0d98c594f157"
-PV = "${AGL_BRANCH}+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-afm_name    = "afm"
-afm_confdir = "${sysconfdir}/${afm_name}"
-afm_datadir = "/var/local/lib/${afm_name}"
-afb_binding_dir = "${libdir}/afb"
-systemd_units_root = "/var/local/lib/systemd"
-
-CFLAGS:append:agl-devel = " -DAGL_DEVEL"
-# only install sample keys in agl-devel mode
-# for production you need to deploy real keys
-EXTRA_OECMAKE:append:agl-sign-wgts = " ${@bb.utils.contains('DISTRO_FEATURES', 'agl-devel', '-DINSTALL_SAMPLE_KEYS=ON', '-DINSTALL_SAMPLE_KEYS=OFF', d)}"
-
-
-
diff --git a/meta-app-framework/recipes-core/af-main/nativesdk-af-main_git.bb b/meta-app-framework/recipes-core/af-main/nativesdk-af-main_git.bb
deleted file mode 100644 (file)
index 4564831..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-require af-main_${PV}.inc 
-
-inherit nativesdk cmake pkgconfig 
-
-SECTION = "base"
-
-DEPENDS = "nativesdk-openssl nativesdk-libxml2 nativesdk-xmlsec1 nativesdk-libzip nativesdk-json-c"
-
-EXTRA_OECMAKE = "\
-       -DUSE_LIBZIP=1 \
-       -DUSE_SIMULATION=1 \
-       -DUSE_SDK=1 \
-       -DAGLVERSION=${AGLVERSION} \
-       -Dafm_name=${afm_name} \
-       -Dafm_confdir=${afm_confdir} \
-       -Dafm_datadir=${afm_datadir} \
-"
-
-do_install:append() {
-    # remove unused .pc file we don't want to package
-       rm -rf ${D}/${libdir}
-}
-
-PACKAGES = "${PN}-tools ${PN}-tools-dbg"
-FILES:${PN}-tools = "${bindir}/wgtpkg-* ${afm_confdir}/*"
-FILES:${PN}-tools:append:agl-sign-wgts = " ${datadir}/afm"
-FILES:${PN}-tools-dbg = "${bindir}/.debug/wgtpkg-*"
diff --git a/meta-app-framework/recipes-core/af-platform-setup/af-platform-setup_1.0.bb b/meta-app-framework/recipes-core/af-platform-setup/af-platform-setup_1.0.bb
deleted file mode 100644 (file)
index 52c7a65..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-HOMEPAGE = "here"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
-
-SRC_URI = "file://udev-shared.conf"
-
-S = "${WORKDIR}"
-
-do_install() {
-       d=${D}${systemd_system_unitdir}/systemd-udevd.service.d
-       install -d $d
-       install -m 0644 ${S}/udev-shared.conf $d
-}
-
-FILES:${PN} = "${systemd_system_unitdir}"
diff --git a/meta-app-framework/recipes-core/af-platform-setup/files/udev-shared.conf b/meta-app-framework/recipes-core/af-platform-setup/files/udev-shared.conf
deleted file mode 100644 (file)
index cce02bc..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-[Service]
-ExecStartPre=/bin/mkdir -p /run/udev
-ExecStartPre=/usr/bin/chsmack -r -a System::Shared -t /run/udev
-
diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
deleted file mode 100644 (file)
index 28b08fa..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'base-files_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-core/base-files/base-files_appfw.inc b/meta-app-framework/recipes-core/base-files/base-files_appfw.inc
deleted file mode 100644 (file)
index 4c83013..0000000
+++ /dev/null
@@ -1,113 +0,0 @@
-RDEPENDS:${PN}:append:with-lsm-smack = " smack"
-PACKAGE_WRITE_DEPS:append:with-lsm-smack = " smack-native"
-
-do_install:append() {
-    install -m 0700 -d ${D}/${sysconfdir}/skel
-    chmod -R 0700 ${D}/${sysconfdir}/skel
-    install -m 0700 -d ${D}/${sysconfdir}/skel/app-data
-    install -m 0700 -d ${D}/${sysconfdir}/skel/.config
-    install -m 0755 -d ${D}/var
-    if [ -d ${D}/usr/local ]; then
-        mv ${D}/usr/local ${D}/var
-    else
-        install -m 0755 -d ${D}/var/local
-    fi
-    ln -s ../var/local ${D}/usr/local
-}
-
-do_install:append:with-lsm-smack () {
-    install -d ${D}/${sysconfdir}/smack/accesses.d
-    cat > ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user <<EOF
-System User::App-Shared rwxat
-System User::Home       rwxat
-EOF
-    chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains-no-user
-}
-
-pkg_postinst:${PN}:append:with-lsm-smack() {
-    chsmack -r -a 'User::Home' -t -D $D/${sysconfdir}/skel
-    chsmack -a 'User::App-Shared' -D $D/${sysconfdir}/skel/app-data
-    cp -rTf --preserve=all $D/${sysconfdir}/skel $D/${ROOT_HOME}
-}
-
-
-
-# Install default Smack rules, copied from a running Tizen IVI 3.0.
-# Corresponds to manifest file from default-access-domains in Tizen:
-# https://review.tizen.org/git?p=platform/core/security/default-ac-domains.git;a=blob;f=packaging/default-ac-domains.manifest
-do_install:append:with-lsm-smack () {
-    install -d ${D}/${sysconfdir}/smack/accesses.d
-    cat >${D}/${sysconfdir}/smack/accesses.d/default-access-domains <<EOF
-System _ -----l
-System System::Log rwxa--
-System System::Run rwxat-
-System System::Shared rwxat-
-System ^ rwxa--
-_ System::Run rwxat-
-_ System -wx---
-^ System::Log rwxa--
-^ System::Run rwxat-
-^ System rwxa--
-EOF
-    chmod 0644 ${D}/${sysconfdir}/smack/accesses.d/default-access-domains
-
-    install -d ${D}/${libdir}/tmpfiles.d
-    cat >${D}/${libdir}/tmpfiles.d/packet-forwarding.conf <<EOF
-t /proc/sys/net/ipv4/conf/all/forwarding - - - - security.SMACK64=*
-t /proc/sys/net/ipv6/conf/all/forwarding - - - - security.SMACK64=*
-t /proc/sys/net/ipv4/conf/default/forwarding - - - - security.SMACK64=*
-t /proc/sys/net/ipv6/conf/default/forwarding - - - - security.SMACK64=*
-EOF
-    chmod 0644 ${D}/${libdir}/tmpfiles.d/packet-forwarding.conf
-
-    install -d ${D}/${base_libdir}/udev/rules.d
-    cat >${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules <<EOF
-SUBSYSTEM=="net", ENV{ID_NET_NAME}=="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/%k/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/%k/*'"
-
-SUBSYSTEM=="net", ENV{ID_NET_NAME}!="", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv4/conf/\$env{ID_NET_NAME}/*'", RUN+="/bin/sh -c '/usr/bin/chsmack -a \* /proc/sys/net/ipv6/conf/\$env{ID_NET_NAME}/*'"
-EOF
-    chmod 0644 ${D}/${base_libdir}/udev/rules.d/85-netdev-ipconf-smacklabel.rules
-}
-
-# Do not rely on an rpm with manifest support. Apparently that approach
-# will no longer be used in Tizen 3.0. Instead set special Smack attributes
-# via postinst. This is much easier to use with bitbake, too:
-# - no need to maintain a patched rpm
-# - works for directories which are not packaged by default when empty
-RDEPENDS:${PN}:append:with-lsm-smack = " smack"
-DEPENDS:append:with-lsm-smack = " smack-native"
-pkg_postinst:${PN}:with-lsm-smack() {
-    #!/bin/sh -e
-
-    # https://review.tizen.org/gerrit/gitweb?p=platform/upstream/filesystem.git;a=blob;f=packaging/filesystem.manifest:
-    # <filesystem path="/etc" label="System::Shared" type="transmutable" />
-    install -d $D${sysconfdir}
-    # This has no effect on files installed into /etc during image construction
-    # because pseudo does not know the special semantic of SMACK::TRANSMUTE.
-    # To avoid having different xattrs on files inside /etc when pre-installed
-    # in an image vs. installed on a device, the xattr-images.bbclass has
-    # a workaround for this deficiency in pseudo.
-    chsmack -t $D${sysconfdir}
-    chsmack -a 'System::Shared' $D${sysconfdir}
-
-    # Same for /media. Any daemon running as "System" will get write access
-    # to everything.
-    install -d $D/media
-    chsmack -t $D/media
-    chsmack -a 'System::Shared' $D/media
-
-    # Same for /var. Any daemon running as "System" will get write access
-    # to everything.
-    install -d $D${localstatedir}
-    chsmack -t $D${localstatedir}
-    chsmack -a 'System::Shared' $D${localstatedir}
-
-    # <filesystem path="/tmp" label="*" />
-    mkdir -p $D/tmp
-    chsmack -a '*' $D/tmp
-
-    # <filesystem path="/var/log" label="System::Log" type="transmutable" />
-    # <filesystem path="/var/tmp" label="*" />
-    # These are in a file system mounted by systemd. We patch the systemd service
-    # to set these attributes.
-}
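Review bot: the first do_install:append in this file is not behind with-lsm-smack: it restricts /etc/skel to 0700, adds skel/app-data and skel/.config, and moves /usr/local to /var/local behind a symlink. Removing the file therefore changes the filesystem layout of every image that had APPFW_ENABLED set, not only the Smack labelling. List that in the commit message and check that nothing left in the tree still expects /var/local or the skel directories.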
diff --git a/meta-app-framework/recipes-core/coreutils/coreutils_%.bbappend b/meta-app-framework/recipes-core/coreutils/coreutils_%.bbappend
deleted file mode 100644 (file)
index b7bf9ff..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'coreutils_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-core/coreutils/coreutils_appfw.inc b/meta-app-framework/recipes-core/coreutils/coreutils_appfw.inc
deleted file mode 100644 (file)
index 2344875..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-# Smack patches are included in coreutils v8.22, we just need to enable them.
-# The default is not deterministic (enabled if libsmack found), so disable
-# explicitly otherwise.
-EXTRA_OECONF_SMACK:class-target = "--disable-libsmack"
-EXTRA_OECONF_SMACK:with-lsm-smack:class-target = "--enable-libsmack"
-EXTRA_OECONF:append:class-target = " ${EXTRA_OECONF_SMACK}"
-DEPENDS:append:with-lsm-smack:class-target = " smack"
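Review bot: the comment on the first three lines says the coreutils configure default for libsmack is not deterministic (enabled if libsmack is found), and this file is what pinned it with --disable-libsmack or --enable-libsmack. With the file gone the target build falls back to that autodetection. Consider keeping an unconditional EXTRA_OECONF:append:class-target = " --disable-libsmack" in a remaining layer so the configure result stays reproducible.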
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch b/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0001-Integration-of-Cynara-asynchronous-security-checks.patch
deleted file mode 100644 (file)
index 55cedb9..0000000
+++ /dev/null
@@ -1,2309 +0,0 @@
-From ea4b650366261e4257e4b0fb95e7f48e30ef36f0 Mon Sep 17 00:00:00 2001
-From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-Date: Thu, 27 Nov 2014 18:11:05 +0100
-Subject: [PATCH 1/8] Integration of Cynara asynchronous security checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This commit introduces basic framework for asynchronous policy
-checks and Cynara integration code. Functions for checking security
-policy can now return third value - BUS_RESULT_LATER denoting check
-result unavailability. Whenever policy checker cannot decide on the
-result of the check it is supposed to allocate DeferredMessage structure
-that will be passed to the upper layers which can decide what should be
-done in such situation.
-Proper handling of such case will be implemented in subsequent commits.
-Currently such return value results in message denial.
-
-Cherry picked from 4dcfb02f17247ff9de966b62182cd2e08f301238
-by José Bollo.
-
-Updated for dbus 1.10.20 by Scott Murray and José Bollo
-Updated for dbus 1.12.16 by José Bollo
-
-Change-Id: I9bcbce34577e5dc2a3cecf6233a0a2b0e43e1108
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- bus/Makefile.am                               |   6 +
- bus/activation.c                              |   5 +-
- bus/bus.c                                     | 124 ++++--
- bus/bus.h                                     |  22 +-
- bus/check.c                                   | 217 ++++++++++
- bus/check.h                                   |  68 ++++
- bus/config-parser-common.c                    |   6 +
- bus/config-parser-common.h                    |   1 +
- bus/config-parser-trivial.c                   |   2 +
- bus/config-parser.c                           |  72 +++-
- bus/connection.c                              |  57 ++-
- bus/connection.h                              |   4 +
- bus/cynara.c                                  | 374 ++++++++++++++++++
- bus/cynara.h                                  |  37 ++
- bus/dispatch.c                                |  46 ++-
- bus/driver.h                                  |   2 +
- bus/policy.c                                  | 195 ++++++---
- bus/policy.h                                  |  29 +-
- configure.ac                                  |  12 +
- test/Makefile.am                              |   1 +
- .../data/invalid-config-files/badcheck-1.conf |   9 +
- .../data/invalid-config-files/badcheck-2.conf |   9 +
- test/data/valid-config-files/check-1.conf     |   9 +
- .../debug-check-some.conf.in                  |  18 +
- 24 files changed, 1181 insertions(+), 144 deletions(-)
- create mode 100644 bus/check.c
- create mode 100644 bus/check.h
- create mode 100644 bus/cynara.c
- create mode 100644 bus/cynara.h
- create mode 100644 test/data/invalid-config-files/badcheck-1.conf
- create mode 100644 test/data/invalid-config-files/badcheck-2.conf
- create mode 100644 test/data/valid-config-files/check-1.conf
- create mode 100644 test/data/valid-config-files/debug-check-some.conf.in
-
-diff --git a/bus/Makefile.am b/bus/Makefile.am
-index c917063..2a8a72c 100644
---- a/bus/Makefile.am
-+++ b/bus/Makefile.am
-@@ -13,6 +13,7 @@ DBUS_BUS_LIBS = \
-       $(THREAD_LIBS) \
-       $(ADT_LIBS) \
-       $(NETWORK_libs) \
-+      $(CYNARA_LIBS) \
-       $(NULL)
- DBUS_LAUNCHER_LIBS = \
-@@ -30,6 +31,7 @@ AM_CPPFLAGS = \
-       $(APPARMOR_CFLAGS) \
-       -DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \
-       -DDBUS_COMPILATION \
-+      $(CYNARA_CFLAGS) \
-       $(NULL)
- # if assertions are enabled, improve backtraces
-@@ -90,6 +92,8 @@ BUS_SOURCES=                                 \
-       audit.h                                 \
-       bus.c                                   \
-       bus.h                                   \
-+      check.c                                 \
-+      check.h                                 \
-       config-loader-expat.c                   \
-       config-parser.c                         \
-       config-parser.h                         \
-@@ -97,6 +101,8 @@ BUS_SOURCES=                                        \
-       config-parser-common.h                  \
-       connection.c                            \
-       connection.h                            \
-+      cynara.c                                \
-+      cynara.h                                \
-       desktop-file.c                          \
-       desktop-file.h                          \
-       $(DIR_WATCH_SOURCE)                     \
-diff --git a/bus/activation.c b/bus/activation.c
-index 99404b9..f9c6c62 100644
---- a/bus/activation.c
-+++ b/bus/activation.c
-@@ -1789,14 +1789,15 @@ bus_activation_activate_service (BusActivation  *activation,
-   if (auto_activation &&
-       entry != NULL &&
--      !bus_context_check_security_policy (activation->context,
-+      BUS_RESULT_TRUE != bus_context_check_security_policy (activation->context,
-         transaction,
-         connection, /* sender */
-         NULL, /* addressed recipient */
-         NULL, /* proposed recipient */
-         activation_message,
-         entry,
--        error))
-+        error,
-+        NULL))
-     {
-       _DBUS_ASSERT_ERROR_IS_SET (error);
-       _dbus_verbose ("activation not authorized: %s: %s\n",
-diff --git a/bus/bus.c b/bus/bus.c
-index 2ad8e78..6fc45d0 100644
---- a/bus/bus.c
-+++ b/bus/bus.c
-@@ -38,6 +38,7 @@
- #include "apparmor.h"
- #include "audit.h"
- #include "dir-watch.h"
-+#include "check.h"
- #include <dbus/dbus-auth.h>
- #include <dbus/dbus-list.h>
- #include <dbus/dbus-hash.h>
-@@ -67,6 +68,7 @@ struct BusContext
-   BusRegistry *registry;
-   BusPolicy *policy;
-   BusMatchmaker *matchmaker;
-+  BusCheck *check;
-   BusLimits limits;
-   DBusRLimit *initial_fd_limit;
-   unsigned int fork : 1;
-@@ -1003,6 +1005,10 @@ bus_context_new (const DBusString *config_file,
-       parser = NULL;
-     }
-+  context->check = bus_check_new(context, error);
-+  if (context->check == NULL)
-+      goto failed;
-+
-   dbus_server_free_data_slot (&server_data_slot);
-   return context;
-@@ -1127,6 +1133,12 @@ bus_context_unref (BusContext *context)
-       bus_context_shutdown (context);
-+      if (context->check)
-+        {
-+          bus_check_unref(context->check);
-+          context->check = NULL;
-+        }
-+
-       if (context->connections)
-         {
-           bus_connections_unref (context->connections);
-@@ -1256,6 +1268,12 @@ bus_context_get_loop (BusContext *context)
-   return context->loop;
- }
-+BusCheck*
-+bus_context_get_check (BusContext *context)
-+{
-+  return context->check;
-+}
-+
- dbus_bool_t
- bus_context_allow_unix_user (BusContext   *context,
-                              unsigned long uid)
-@@ -1451,6 +1469,7 @@ complain_about_message (BusContext     *context,
-                         DBusConnection *proposed_recipient,
-                         dbus_bool_t     requested_reply,
-                         dbus_bool_t     log,
-+                        const char     *privilege,
-                         DBusError      *error)
- {
-   DBusError stack_error = DBUS_ERROR_INIT;
-@@ -1480,7 +1499,8 @@ complain_about_message (BusContext     *context,
-   dbus_set_error (&stack_error, error_name,
-       "%s, %d matched rules; type=\"%s\", sender=\"%s\" (%s) "
-       "interface=\"%s\" member=\"%s\" error name=\"%s\" "
--      "requested_reply=\"%d\" destination=\"%s\" (%s)",
-+      "requested_reply=\"%d\" destination=\"%s\" (%s) "
-+      "privilege=\"%s\"",
-       complaint,
-       matched_rules,
-       dbus_message_type_to_string (dbus_message_get_type (message)),
-@@ -1491,7 +1511,8 @@ complain_about_message (BusContext     *context,
-       nonnull (dbus_message_get_error_name (message), "(unset)"),
-       requested_reply,
-       nonnull (dbus_message_get_destination (message), DBUS_SERVICE_DBUS),
--      proposed_recipient_loginfo);
-+      proposed_recipient_loginfo,
-+      nonnull (privilege, "(n/a)"));
-   /* If we hit OOM while setting the error, this will syslog "out of memory"
-    * which is itself an indication that something is seriously wrong */
-@@ -1519,7 +1540,7 @@ complain_about_message (BusContext     *context,
-  * NULL for addressed_recipient may mean the bus driver, or may mean
-  * no destination was specified in the message (e.g. a signal).
-  */
--dbus_bool_t
-+BusResult
- bus_context_check_security_policy (BusContext     *context,
-                                    BusTransaction *transaction,
-                                    DBusConnection *sender,
-@@ -1527,7 +1548,8 @@ bus_context_check_security_policy (BusContext     *context,
-                                    DBusConnection *proposed_recipient,
-                                    DBusMessage    *message,
-                                    BusActivationEntry *activation_entry,
--                                   DBusError      *error)
-+                                   DBusError      *error,
-+                                   BusDeferredMessage **deferred_message)
- {
-   const char *src, *dest;
-   BusClientPolicy *sender_policy;
-@@ -1536,6 +1558,7 @@ bus_context_check_security_policy (BusContext     *context,
-   dbus_bool_t log;
-   int type;
-   dbus_bool_t requested_reply;
-+  const char *privilege;
-   type = dbus_message_get_type (message);
-   src = dbus_message_get_sender (message);
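Review bot: `const char *privilege;` is declared here without an initializer, and the later hunks pass it to complain_about_message, whose `nonnull (privilege, "(n/a)")` fallback only helps when the pointer really is NULL. The variable is written only through the `&privilege` out-parameter of the two policy checks, so initialize it to NULL at the declaration; then a check that leaves it untouched, or a skipped `if (sender_policy)` branch, cannot feed an indeterminate pointer into the denial log.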
-@@ -1565,7 +1588,7 @@ bus_context_check_security_policy (BusContext     *context,
-       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-                       "Message bus will not accept messages of unknown type\n");
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   requested_reply = FALSE;
-@@ -1595,7 +1618,7 @@ bus_context_check_security_policy (BusContext     *context,
-                   if (dbus_error_is_set (&error2))
-                     {
-                       dbus_move_error (&error2, error);
--                      return FALSE;
-+                      return BUS_RESULT_FALSE;
-                     }
-                 }
-             }
-@@ -1624,11 +1647,11 @@ bus_context_check_security_policy (BusContext     *context,
-               complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
-                   "An SELinux policy prevents this sender from sending this "
-                   "message to this recipient",
--                  0, message, sender, proposed_recipient, FALSE, FALSE, error);
-+                  0, message, sender, proposed_recipient, FALSE, FALSE, NULL, error);
-               _dbus_verbose ("SELinux security check denying send to service\n");
-             }
--          return FALSE;
-+          return BUS_RESULT_FALSE;
-         }
-       /* next verify AppArmor access controls.  If allowed then
-@@ -1646,7 +1669,7 @@ bus_context_check_security_policy (BusContext     *context,
-                                      src ? src : DBUS_SERVICE_DBUS,
-                                      activation_entry,
-                                      error))
--        return FALSE;
-+        return BUS_RESULT_FALSE;
-       if (!bus_connection_is_active (sender))
-         {
-@@ -1660,7 +1683,7 @@ bus_context_check_security_policy (BusContext     *context,
-             {
-               _dbus_verbose ("security check allowing %s message\n",
-                              "Hello");
--              return TRUE;
-+              return BUS_RESULT_TRUE;
-             }
-           else
-             {
-@@ -1671,7 +1694,7 @@ bus_context_check_security_policy (BusContext     *context,
-                               "Client tried to send a message other than %s without being registered",
-                               "Hello");
--              return FALSE;
-+              return BUS_RESULT_FALSE;
-             }
-         }
-     }
-@@ -1720,20 +1743,29 @@ bus_context_check_security_policy (BusContext     *context,
-                 (proposed_recipient == NULL && recipient_policy == NULL));
-   log = FALSE;
--  if (sender_policy &&
--      !bus_client_policy_check_can_send (sender_policy,
--                                         context->registry,
--                                         requested_reply,
--                                         proposed_recipient,
--                                         message, &toggles, &log))
--    {
--      complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
--          "Rejected send message", toggles,
--          message, sender, proposed_recipient, requested_reply,
--          (addressed_recipient == proposed_recipient), error);
--      _dbus_verbose ("security policy disallowing message due to sender policy\n");
--      return FALSE;
--    }
-+  if (sender_policy)
-+    {
-+      BusResult res = bus_client_policy_check_can_send (sender,
-+                                                        sender_policy,
-+                                                        context->registry,
-+                                                        requested_reply,
-+                                                        addressed_recipient,
-+                                                        proposed_recipient,
-+                                                        message, &toggles, &log, &privilege,
-+                                                        deferred_message);
-+      if (res == BUS_RESULT_FALSE)
-+        {
-+          complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
-+                                  "Rejected send message", toggles,
-+                                  message, sender, proposed_recipient, requested_reply,
-+                                  (addressed_recipient == proposed_recipient), privilege,
-+                                  error);
-+          _dbus_verbose ("security policy disallowing message due to sender policy\n");
-+          return BUS_RESULT_FALSE;
-+        }
-+      else if (res == BUS_RESULT_LATER)
-+        return BUS_RESULT_LATER;
-+  }
-   if (log)
-     {
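Review bot: the `else if (res == BUS_RESULT_LATER) return BUS_RESULT_LATER;` exit in the sender branch leaves the function before the recipient policy check, the full-message-queue check and the reply-expectation bookkeeping that follow it. Please add a comment naming the code that re-runs those steps once the deferred answer arrives, and verify on this path that `*deferred_message` was actually filled in, since nothing here checks it. The closing brace of the `if (sender_policy)` block is also indented two columns short of its opening brace.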
-@@ -1742,23 +1774,29 @@ bus_context_check_security_policy (BusContext     *context,
-       complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
-           "Would reject message", toggles,
-           message, sender, proposed_recipient, requested_reply,
--          TRUE, NULL);
-+          TRUE, privilege, NULL);
-     }
--  if (recipient_policy &&
--      !bus_client_policy_check_can_receive (recipient_policy,
--                                            context->registry,
--                                            requested_reply,
--                                            sender,
--                                            addressed_recipient, proposed_recipient,
--                                            message, &toggles))
-+  if (recipient_policy)
-     {
--      complain_about_message (context, DBUS_ERROR_ACCESS_DENIED,
--          "Rejected receive message", toggles,
--          message, sender, proposed_recipient, requested_reply,
--          (addressed_recipient == proposed_recipient), error);
--      _dbus_verbose ("security policy disallowing message due to recipient policy\n");
--      return FALSE;
-+      BusResult res;
-+      res = bus_client_policy_check_can_receive (recipient_policy,
-+                                                 context->registry,
-+                                                 requested_reply,
-+                                                 sender,
-+                                                 addressed_recipient, proposed_recipient,
-+                                                 message, &toggles, &privilege, deferred_message);
-+      if (res == BUS_RESULT_FALSE)
-+        {
-+          complain_about_message(context, DBUS_ERROR_ACCESS_DENIED, "Rejected receive message",
-+              toggles, message, sender, proposed_recipient, requested_reply,
-+            (addressed_recipient == proposed_recipient), privilege, error);
-+          _dbus_verbose(
-+            "security policy disallowing message due to recipient policy\n");
-+          return BUS_RESULT_FALSE;
-+        }
-+      else if (res == BUS_RESULT_LATER)
-+        return BUS_RESULT_LATER;
-     }
-   /* See if limits on size have been exceeded */
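Review bot: the receive branch is formatted differently from the send branch in the previous hunk: `complain_about_message(` and `_dbus_verbose(` drop the space before the parenthesis, and the continuation lines are indented unevenly. Please match the GNU style of the surrounding code. Because `privilege` is shared with the send check, consider resetting it to NULL before calling bus_client_policy_check_can_receive, so a value left over from a send rule cannot show up in a "Rejected receive message" log line.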
-@@ -1768,10 +1806,10 @@ bus_context_check_security_policy (BusContext     *context,
-     {
-       complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
-           "Rejected: destination has a full message queue",
--          0, message, sender, proposed_recipient, requested_reply, TRUE,
-+          0, message, sender, proposed_recipient, requested_reply, TRUE, NULL,
-           error);
-       _dbus_verbose ("security policy disallowing message due to full message queue\n");
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   /* Record that we will allow a reply here in the future (don't
-@@ -1792,11 +1830,11 @@ bus_context_check_security_policy (BusContext     *context,
-                                      message, error))
-     {
-       _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n");
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   _dbus_verbose ("security policy allowing message\n");
--  return TRUE;
-+  return BUS_RESULT_TRUE;
- }
- void
-diff --git a/bus/bus.h b/bus/bus.h
-index 2e0de82..82c32c8 100644
---- a/bus/bus.h
-+++ b/bus/bus.h
-@@ -45,6 +45,22 @@ typedef struct BusTransaction   BusTransaction;
- typedef struct BusMatchmaker    BusMatchmaker;
- typedef struct BusMatchRule     BusMatchRule;
- typedef struct BusActivationEntry BusActivationEntry;
-+typedef struct BusCheck         BusCheck;
-+typedef struct BusDeferredMessage BusDeferredMessage;
-+typedef struct BusCynara        BusCynara;
-+
-+/**
-+ * BusResult is defined as a pointer to a dummy structure to allow detection of type mismatches.
-+ * The disadvantage of such solution is that now BusResult variables cannot be used in switch
-+ * statement.
-+ * Additionally, BUS_RESULT_TRUE is defined as 0 instead of 1 to help detect type mismatches
-+ * at runtime.
-+ */
-+typedef const struct BusResultStruct { int dummy; } *BusResult;
-+
-+static const BusResult BUS_RESULT_TRUE  = (BusResult)0x0;
-+static const BusResult BUS_RESULT_FALSE = (BusResult)0x1;
-+static const BusResult BUS_RESULT_LATER = (BusResult)0x2;
- typedef struct
- {
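Review bot: defining BUS_RESULT_TRUE as `(BusResult)0x0` makes the all-zero value mean "allowed", so a BusResult that is zero-filled or never assigned reads as a granted check, and any caller that still tests the result as a boolean treats BUS_RESULT_FALSE and BUS_RESULT_LATER (both non-null) as success. For an access-control result it is safer to reserve zero for deny, or for an invalid value that is asserted against, and to require explicit comparison against the constants; the pointer type still gives the compile-time mismatch detection the comment describes. Since these are `static const` objects in a header, each file including bus.h gets its own copies, which deserves a line in the comment too.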
-@@ -101,6 +117,7 @@ BusConnections*   bus_context_get_connections                    (BusContext
- BusActivation*    bus_context_get_activation                     (BusContext       *context);
- BusMatchmaker*    bus_context_get_matchmaker                     (BusContext       *context);
- DBusLoop*         bus_context_get_loop                           (BusContext       *context);
-+BusCheck *        bus_context_get_check                          (BusContext       *context);
- dbus_bool_t       bus_context_allow_unix_user                    (BusContext       *context,
-                                                                   unsigned long     uid);
- dbus_bool_t       bus_context_allow_windows_user                 (BusContext       *context,
-@@ -136,14 +153,15 @@ void              bus_context_log_and_set_error                  (BusContext
-                                                                   const char       *name,
-                                                                   const char       *msg,
-                                                                   ...) _DBUS_GNUC_PRINTF (5, 6);
--dbus_bool_t       bus_context_check_security_policy              (BusContext       *context,
-+BusResult         bus_context_check_security_policy              (BusContext       *context,
-                                                                   BusTransaction   *transaction,
-                                                                   DBusConnection   *sender,
-                                                                   DBusConnection   *addressed_recipient,
-                                                                   DBusConnection   *proposed_recipient,
-                                                                   DBusMessage      *message,
-                                                                   BusActivationEntry *activation_entry,
--                                                                  DBusError        *error);
-+                                                                  DBusError        *error,
-+                                                                  BusDeferredMessage **deferred_message);
- void              bus_context_check_all_watches                  (BusContext       *context);
- #endif /* BUS_BUS_H */
-diff --git a/bus/check.c b/bus/check.c
-new file mode 100644
-index 0000000..5b72d31
---- /dev/null
-+++ b/bus/check.c
-@@ -0,0 +1,217 @@
-+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
-+/* check.c  Bus security policy runtime check
-+ *
-+ * Copyright (C) 2014  Intel, Inc.
-+ * Copyright (c) 2014  Samsung Electronics, Ltd.
-+ *
-+ * Licensed under the Academic Free License version 2.1
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-+ *
-+ */
-+
-+#include <config.h>
-+#include "check.h"
-+#include "connection.h"
-+#include "dispatch.h"
-+#include "cynara.h"
-+#include "utils.h"
-+#include <dbus/dbus-connection-internal.h>
-+#include <dbus/dbus-message-internal.h>
-+#include <dbus/dbus-internals.h>
-+
-+
-+typedef struct BusCheck
-+{
-+  int refcount;
-+
-+  BusContext *context;
-+  BusCynara *cynara;
-+} BusCheck;
-+
-+typedef struct BusDeferredMessage
-+{
-+  int refcount;
-+
-+  DBusMessage *message;
-+  DBusConnection *sender;
-+  DBusConnection *proposed_recipient;
-+  DBusConnection *addressed_recipient;
-+  dbus_bool_t full_dispatch;
-+  BusDeferredMessageStatus status;
-+  BusResult response;
-+  BusCheckResponseFunc response_callback;
-+} BusDeferredMessage;
-+
-+BusCheck *
-+bus_check_new (BusContext *context, DBusError *error)
-+{
-+  BusCheck *check;
-+
-+  check = dbus_new(BusCheck, 1);
-+  if (check == NULL)
-+    {
-+      BUS_SET_OOM(error);
-+      return NULL;
-+    }
-+
-+  check->refcount = 1;
-+  check->context = context;
-+  check->cynara = bus_cynara_new(check, error);
-+  if (dbus_error_is_set(error))
-+    {
-+      dbus_free(check);
-+      return NULL;
-+    }
-+
-+  return check;
-+}
-+
-+BusCheck *
-+bus_check_ref (BusCheck *check)
-+{
-+  _dbus_assert (check->refcount > 0);
-+  check->refcount += 1;
-+
-+  return check;
-+}
-+
-+void
-+bus_check_unref (BusCheck *check)
-+{
-+  _dbus_assert (check->refcount > 0);
-+
-+  check->refcount -= 1;
-+
-+  if (check->refcount == 0)
-+    {
-+      bus_cynara_unref(check->cynara);
-+      dbus_free(check);
-+    }
-+}
-+
-+BusContext *
-+bus_check_get_context (BusCheck *check)
-+{
-+  return check->context;
-+}
-+
-+BusCynara *
-+bus_check_get_cynara (BusCheck *check)
-+{
-+  return check->cynara;
-+}
-+
-+BusResult
-+bus_check_privilege (BusCheck *check,
-+                     DBusMessage *message,
-+                     DBusConnection *sender,
-+                     DBusConnection *addressed_recipient,
-+                     DBusConnection *proposed_recipient,
-+                     const char *privilege,
-+                     BusDeferredMessageStatus check_type,
-+                     BusDeferredMessage **deferred_message)
-+{
-+  BusResult result = BUS_RESULT_FALSE;
-+#ifdef DBUS_ENABLE_CYNARA
-+  BusCynara *cynara;
-+#endif
-+  DBusConnection *connection;
-+
-+  connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
-+
-+  if (!dbus_connection_get_is_connected(connection))
-+    {
-+      return BUS_RESULT_FALSE;
-+    }
-+
-+  /* ask policy checkers */
-+#ifdef DBUS_ENABLE_CYNARA
-+  cynara = bus_check_get_cynara(check);
-+  result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
-+      proposed_recipient, privilege, check_type, deferred_message);
-+#endif
-+
-+  if (result == BUS_RESULT_LATER && deferred_message != NULL)
-+    {
-+      (*deferred_message)->status |= check_type;
-+    }
-+  return result;
-+}
-+
-+BusDeferredMessage *bus_deferred_message_new (DBusMessage *message,
-+                                              DBusConnection *sender,
-+                                              DBusConnection *addressed_recipient,
-+                                              DBusConnection *proposed_recipient,
-+                                              BusResult response)
-+{
-+  BusDeferredMessage *deferred_message;
-+
-+  deferred_message = dbus_new(BusDeferredMessage, 1);
-+  if (deferred_message == NULL)
-+    {
-+      return NULL;
-+    }
-+
-+  deferred_message->refcount = 1;
-+  deferred_message->sender = sender != NULL ? dbus_connection_ref(sender) : NULL;
-+  deferred_message->addressed_recipient = addressed_recipient != NULL ? dbus_connection_ref(addressed_recipient) : NULL;
-+  deferred_message->proposed_recipient = proposed_recipient != NULL ? dbus_connection_ref(proposed_recipient) : NULL;
-+  deferred_message->message = dbus_message_ref(message);
-+  deferred_message->response = response;
-+  deferred_message->status = 0;
-+  deferred_message->full_dispatch = FALSE;
-+  deferred_message->response_callback = NULL;
-+
-+  return deferred_message;
-+}
-+
-+BusDeferredMessage *
-+bus_deferred_message_ref (BusDeferredMessage *deferred_message)
-+{
-+  _dbus_assert (deferred_message->refcount > 0);
-+  deferred_message->refcount += 1;
-+  return deferred_message;
-+}
-+
-+void
-+bus_deferred_message_unref (BusDeferredMessage *deferred_message)
-+{
-+  _dbus_assert (deferred_message->refcount > 0);
-+
-+  deferred_message->refcount -= 1;
-+
-+   if (deferred_message->refcount == 0)
-+     {
-+       dbus_message_unref(deferred_message->message);
-+       if (deferred_message->sender != NULL)
-+           dbus_connection_unref(deferred_message->sender);
-+       if (deferred_message->addressed_recipient != NULL)
-+           dbus_connection_unref(deferred_message->addressed_recipient);
-+       if (deferred_message->proposed_recipient != NULL)
-+           dbus_connection_unref(deferred_message->proposed_recipient);
-+       dbus_free(deferred_message);
-+     }
-+}
-+
-+void
-+bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
-+                                        BusResult result)
-+{
-+  if (deferred_message->response_callback != NULL)
-+    {
-+      deferred_message->response_callback(deferred_message, result);
-+    }
-+}
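Review bot: in bus_check_privilege, `connection` is picked from proposed_recipient or sender and passed straight to dbus_connection_get_is_connected with no NULL test, although bus_deferred_message_new in the same file treats all three connections as possibly NULL. Add an explicit NULL branch and decide which result it yields. The `(*deferred_message)->status |= check_type;` line likewise tests `deferred_message` but not `*deferred_message`, so a checker that returns BUS_RESULT_LATER without filling the out-parameter leads to a NULL or unset pointer being dereferenced. It is also worth a comment that with DBUS_ENABLE_CYNARA undefined every call returns BUS_RESULT_FALSE, so any `check` rule then denies.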
-diff --git a/bus/check.h b/bus/check.h
-new file mode 100644
-index 0000000..c3fcaf9
---- /dev/null
-+++ b/bus/check.h
-@@ -0,0 +1,68 @@
-+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
-+/* check.h  Bus security policy runtime check
-+ *
-+ * Copyright (C) 2014  Intel, Inc.
-+ * Copyright (c) 2014  Samsung Electronics, Ltd.
-+ *
-+ * Licensed under the Academic Free License version 2.1
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-+ *
-+ */
-+
-+#ifndef BUS_CHECK_H
-+#define BUS_CHECK_H
-+
-+#include "bus.h"
-+#include "policy.h"
-+
-+
-+typedef void (*BusCheckResponseFunc) (BusDeferredMessage *message,
-+                                      BusResult result);
-+
-+typedef enum {
-+  BUS_DEFERRED_MESSAGE_CHECK_SEND      = 1 << 0,
-+  BUS_DEFERRED_MESSAGE_CHECK_RECEIVE   = 1 << 1,
-+  BUS_DEFERRED_MESSAGE_CHECK_OWN       = 1 << 2,
-+} BusDeferredMessageStatus;
-+
-+
-+BusCheck   *bus_check_new         (BusContext *context,
-+                                   DBusError *error);
-+BusCheck   *bus_check_ref         (BusCheck *check);
-+void        bus_check_unref       (BusCheck *check);
-+
-+BusContext *bus_check_get_context (BusCheck *check);
-+BusCynara  *bus_check_get_cynara  (BusCheck *check);
-+BusResult   bus_check_privilege   (BusCheck *check,
-+                                   DBusMessage *message,
-+                                   DBusConnection *sender,
-+                                   DBusConnection *addressed_recipient,
-+                                   DBusConnection *proposed_recipient,
-+                                   const char *privilege,
-+                                   BusDeferredMessageStatus check_type,
-+                                   BusDeferredMessage **deferred_message);
-+
-+BusDeferredMessage *bus_deferred_message_new                (DBusMessage *message,
-+                                                             DBusConnection *sender,
-+                                                             DBusConnection *addressed_recipient,
-+                                                             DBusConnection *proposed_recipient,
-+                                                             BusResult response);
-+
-+BusDeferredMessage *bus_deferred_message_ref                (BusDeferredMessage *deferred_message);
-+void                bus_deferred_message_unref              (BusDeferredMessage *deferred_message);
-+void                bus_deferred_message_response_received  (BusDeferredMessage *deferred_message,
-+                                                             BusResult result);
-+#endif /* BUS_CHECK_H */
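Review bot: the header gives no contract for bus_check_privilege. Please document what the caller must do on BUS_RESULT_LATER, whether `deferred_message` may be NULL (check.c tests for that case), and who owns the reference placed in `*deferred_message`. BusDeferredMessageStatus is also used in two ways, as the single `check_type` argument and as an OR-ed `status` field on the deferred message; a comment stating that it is a bit mask, or separate types for the two uses, would prevent a combined value from being passed as `check_type`.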
-diff --git a/bus/config-parser-common.c b/bus/config-parser-common.c
-index c1c4191..e2f253d 100644
---- a/bus/config-parser-common.c
-+++ b/bus/config-parser-common.c
-@@ -75,6 +75,10 @@ bus_config_parser_element_name_to_type (const char *name)
-     {
-       return ELEMENT_DENY;
-     }
-+  else if (strcmp (name, "check") == 0)
-+    {
-+      return ELEMENT_CHECK;
-+    }
-   else if (strcmp (name, "servicehelper") == 0)
-     {
-       return ELEMENT_SERVICEHELPER;
-@@ -159,6 +163,8 @@ bus_config_parser_element_type_to_name (ElementType type)
-       return "allow";
-     case ELEMENT_DENY:
-       return "deny";
-+    case ELEMENT_CHECK:
-+      return "check";
-     case ELEMENT_FORK:
-       return "fork";
-     case ELEMENT_PIDFILE:
-diff --git a/bus/config-parser-common.h b/bus/config-parser-common.h
-index 382a014..9e026d1 100644
---- a/bus/config-parser-common.h
-+++ b/bus/config-parser-common.h
-@@ -36,6 +36,7 @@ typedef enum
-   ELEMENT_LIMIT,
-   ELEMENT_ALLOW,
-   ELEMENT_DENY,
-+  ELEMENT_CHECK,
-   ELEMENT_FORK,
-   ELEMENT_PIDFILE,
-   ELEMENT_SERVICEDIR,
-diff --git a/bus/config-parser-trivial.c b/bus/config-parser-trivial.c
-index dd65c6d..23dedb4 100644
---- a/bus/config-parser-trivial.c
-+++ b/bus/config-parser-trivial.c
-@@ -194,6 +194,7 @@ bus_config_parser_start_element (BusConfigParser   *parser,
-     case ELEMENT_POLICY:
-     case ELEMENT_LIMIT:
-     case ELEMENT_ALLOW:
-+    case ELEMENT_CHECK:
-     case ELEMENT_DENY:
-     case ELEMENT_FORK:
-     case ELEMENT_PIDFILE:
-@@ -316,6 +317,7 @@ bus_config_parser_content (BusConfigParser   *parser,
-     case ELEMENT_POLICY:
-     case ELEMENT_LIMIT:
-     case ELEMENT_ALLOW:
-+    case ELEMENT_CHECK:
-     case ELEMENT_DENY:
-     case ELEMENT_FORK:
-     case ELEMENT_PIDFILE:
-diff --git a/bus/config-parser.c b/bus/config-parser.c
-index be27d38..7f91469 100644
---- a/bus/config-parser.c
-+++ b/bus/config-parser.c
-@@ -1318,7 +1318,7 @@ append_rule_from_element (BusConfigParser   *parser,
-                           const char        *element_name,
-                           const char       **attribute_names,
-                           const char       **attribute_values,
--                          dbus_bool_t        allow,
-+                          BusPolicyRuleAccess access,
-                           DBusError         *error)
- {
-   const char *log;
-@@ -1360,6 +1360,7 @@ append_rule_from_element (BusConfigParser   *parser,
-   const char *own_prefix;
-   const char *user;
-   const char *group;
-+  const char *privilege;
-   BusPolicyRule *rule;
-@@ -1390,6 +1391,7 @@ append_rule_from_element (BusConfigParser   *parser,
-                           "user", &user,
-                           "group", &group,
-                           "log", &log,
-+                          "privilege", &privilege,
-                           NULL))
-     return FALSE;
-@@ -1422,6 +1424,7 @@ append_rule_from_element (BusConfigParser   *parser,
-   if (!(any_send_attribute ||
-         any_receive_attribute ||
-+        privilege ||
-         own || own_prefix || user || group))
-     {
-       dbus_set_error (error, DBUS_ERROR_FAILED,
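Review bot: adding `privilege ||` to this test lets an element whose only attribute is `privilege` pass the "needs at least one attribute" validation, yet the rule-creating branches touched later in this patch are keyed on send, receive, own, user and group only. Please confirm which rule a privilege-only `<check>` is supposed to produce; if the answer is none, drop this line so that such an element is rejected with the existing error instead of being accepted silently.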
-@@ -1438,7 +1441,30 @@ append_rule_from_element (BusConfigParser   *parser,
-                       element_name);
-       return FALSE;
-     }
--  
-+
-+  if (access == BUS_POLICY_RULE_ACCESS_CHECK)
-+    {
-+      if (privilege == NULL || !*privilege)
-+        {
-+          dbus_set_error (error, DBUS_ERROR_FAILED,
-+                          "On element <%s>, you must specify the privilege to be checked.",
-+                          element_name);
-+          return FALSE;
-+        }
-+    }
-+  else
-+    {
-+      if (privilege != NULL && *privilege)
-+        {
-+          dbus_set_error (error, DBUS_ERROR_FAILED,
-+                          "On element <%s>, privilege %s is used outside of a check rule.",
-+                          element_name, privilege);
-+          return FALSE;
-+        }
-+      else
-+        privilege = NULL; /* replace (potentially) empty string with NULL pointer, it wouldn't be used anyway */
-+    }
-+
-   /* Allowed combinations of elements are:
-    *
-    *   base, must be all send or all receive:
-@@ -1589,7 +1615,7 @@ append_rule_from_element (BusConfigParser   *parser,
-                                 error))
-         return FALSE;
--      rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, allow); 
-+      rule = bus_policy_rule_new (BUS_POLICY_RULE_SEND, access);
-       if (rule == NULL)
-         goto nomem;
-       
-@@ -1694,7 +1720,7 @@ append_rule_from_element (BusConfigParser   *parser,
-                                 error))
-         return FALSE;
--      rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, allow); 
-+      rule = bus_policy_rule_new (BUS_POLICY_RULE_RECEIVE, access);
-       if (rule == NULL)
-         goto nomem;
-@@ -1726,7 +1752,7 @@ append_rule_from_element (BusConfigParser   *parser,
-     }
-   else if (own || own_prefix)
-     {
--      rule = bus_policy_rule_new (BUS_POLICY_RULE_OWN, allow); 
-+      rule = bus_policy_rule_new (BUS_POLICY_RULE_OWN, access);
-       if (rule == NULL)
-         goto nomem;
-@@ -1752,7 +1778,7 @@ append_rule_from_element (BusConfigParser   *parser,
-     {      
-       if (IS_WILDCARD (user))
-         {
--          rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, allow); 
-+          rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, access);
-           if (rule == NULL)
-             goto nomem;
-@@ -1767,7 +1793,7 @@ append_rule_from_element (BusConfigParser   *parser,
-       
-           if (_dbus_parse_unix_user_from_config (&username, &uid))
-             {
--              rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, allow); 
-+              rule = bus_policy_rule_new (BUS_POLICY_RULE_USER, access);
-               if (rule == NULL)
-                 goto nomem;
-@@ -1784,7 +1810,7 @@ append_rule_from_element (BusConfigParser   *parser,
-     {
-       if (IS_WILDCARD (group))
-         {
--          rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, allow); 
-+          rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, access);
-           if (rule == NULL)
-             goto nomem;
-@@ -1799,7 +1825,7 @@ append_rule_from_element (BusConfigParser   *parser,
-           
-           if (_dbus_parse_unix_group_from_config (&groupname, &gid))
-             {
--              rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, allow); 
-+              rule = bus_policy_rule_new (BUS_POLICY_RULE_GROUP, access);
-               if (rule == NULL)
-                 goto nomem;
-@@ -1823,6 +1849,10 @@ append_rule_from_element (BusConfigParser   *parser,
-       _dbus_assert (pe != NULL);
-       _dbus_assert (pe->type == ELEMENT_POLICY);
-+      rule->privilege = _dbus_strdup (privilege);
-+      if (privilege && !rule->privilege)
-+        goto nomem;
-+
-       switch (pe->d.policy.type)
-         {
-         case POLICY_IGNORED:
-@@ -1898,7 +1928,7 @@ start_policy_child (BusConfigParser   *parser,
-     {
-       if (!append_rule_from_element (parser, element_name,
-                                      attribute_names, attribute_values,
--                                     TRUE, error))
-+                                     BUS_POLICY_RULE_ACCESS_ALLOW, error))
-         return FALSE;
-       
-       if (push_element (parser, ELEMENT_ALLOW) == NULL)
-@@ -1913,7 +1943,7 @@ start_policy_child (BusConfigParser   *parser,
-     {
-       if (!append_rule_from_element (parser, element_name,
-                                      attribute_names, attribute_values,
--                                     FALSE, error))
-+                                     BUS_POLICY_RULE_ACCESS_DENY, error))
-         return FALSE;
-       
-       if (push_element (parser, ELEMENT_DENY) == NULL)
-@@ -1922,6 +1952,21 @@ start_policy_child (BusConfigParser   *parser,
-           return FALSE;
-         }
-       
-+      return TRUE;
-+    }
-+  else if (strcmp (element_name, "check") == 0)
-+    {
-+      if (!append_rule_from_element (parser, element_name,
-+                                     attribute_names, attribute_values,
-+                                     BUS_POLICY_RULE_ACCESS_CHECK, error))
-+        return FALSE;
-+
-+      if (push_element (parser, ELEMENT_CHECK) == NULL)
-+        {
-+          BUS_SET_OOM (error);
-+          return FALSE;
-+        }
-+
-       return TRUE;
-     }
-   else
-@@ -2284,6 +2329,7 @@ bus_config_parser_end_element (BusConfigParser   *parser,
-     case ELEMENT_POLICY:
-     case ELEMENT_ALLOW:
-     case ELEMENT_DENY:
-+    case ELEMENT_CHECK:
-     case ELEMENT_FORK:
-     case ELEMENT_SYSLOG:
-     case ELEMENT_KEEP_UMASK:
-@@ -2600,6 +2646,7 @@ bus_config_parser_content (BusConfigParser   *parser,
-     case ELEMENT_POLICY:
-     case ELEMENT_ALLOW:
-     case ELEMENT_DENY:
-+    case ELEMENT_CHECK:
-     case ELEMENT_FORK:
-     case ELEMENT_SYSLOG:
-     case ELEMENT_KEEP_UMASK:
-@@ -3127,6 +3174,8 @@ do_load (const DBusString *full_path,
-   dbus_error_init (&error);
-   parser = bus_config_load (full_path, TRUE, NULL, &error);
-+  if (dbus_error_is_set (&error))
-+    _dbus_verbose ("Failed to load file: %s\n", error.message);
-   if (parser == NULL)
-     {
-       _DBUS_ASSERT_ERROR_IS_SET (&error);
-@@ -3359,6 +3408,7 @@ elements_equal (const Element *a,
-     case ELEMENT_LISTEN:
-     case ELEMENT_AUTH:
-     case ELEMENT_ALLOW:
-+    case ELEMENT_CHECK:
-     case ELEMENT_DENY:
-     case ELEMENT_FORK:
-     case ELEMENT_PIDFILE:
-diff --git a/bus/connection.c b/bus/connection.c
-index 53605fa..b348d42 100644
---- a/bus/connection.c
-+++ b/bus/connection.c
-@@ -36,6 +36,10 @@
- #include <dbus/dbus-timeout.h>
- #include <dbus/dbus-connection-internal.h>
- #include <dbus/dbus-internals.h>
-+#ifdef DBUS_ENABLE_CYNARA
-+#include <stdlib.h>
-+#include <cynara-session.h>
-+#endif
- /* Trim executed commands to this length; we want to keep logs readable */
- #define MAX_LOG_COMMAND_LEN 50
-@@ -116,6 +120,9 @@ typedef struct
-   /** non-NULL if and only if this is a monitor */
-   DBusList *link_in_monitors;
-+#ifdef DBUS_ENABLE_CYNARA
-+  char *cynara_session_id;
-+#endif
- } BusConnectionData;
- static dbus_bool_t bus_pending_reply_expired (BusExpireList *list,
-@@ -129,8 +136,8 @@ static dbus_bool_t expire_incomplete_timeout (void *data);
- #define BUS_CONNECTION_DATA(connection) (dbus_connection_get_data ((connection), connection_data_slot))
--static DBusLoop*
--connection_get_loop (DBusConnection *connection)
-+DBusLoop*
-+bus_connection_get_loop (DBusConnection *connection)
- {
-   BusConnectionData *d;
-@@ -354,7 +361,7 @@ add_connection_watch (DBusWatch      *watch,
- {
-   DBusConnection *connection = data;
--  return _dbus_loop_add_watch (connection_get_loop (connection), watch);
-+  return _dbus_loop_add_watch (bus_connection_get_loop (connection), watch);
- }
- static void
-@@ -363,7 +370,7 @@ remove_connection_watch (DBusWatch      *watch,
- {
-   DBusConnection *connection = data;
-   
--  _dbus_loop_remove_watch (connection_get_loop (connection), watch);
-+  _dbus_loop_remove_watch (bus_connection_get_loop (connection), watch);
- }
- static void
-@@ -372,7 +379,7 @@ toggle_connection_watch (DBusWatch      *watch,
- {
-   DBusConnection *connection = data;
--  _dbus_loop_toggle_watch (connection_get_loop (connection), watch);
-+  _dbus_loop_toggle_watch (bus_connection_get_loop (connection), watch);
- }
- static dbus_bool_t
-@@ -381,7 +388,7 @@ add_connection_timeout (DBusTimeout    *timeout,
- {
-   DBusConnection *connection = data;
-   
--  return _dbus_loop_add_timeout (connection_get_loop (connection), timeout);
-+  return _dbus_loop_add_timeout (bus_connection_get_loop (connection), timeout);
- }
- static void
-@@ -390,7 +397,7 @@ remove_connection_timeout (DBusTimeout    *timeout,
- {
-   DBusConnection *connection = data;
-   
--  _dbus_loop_remove_timeout (connection_get_loop (connection), timeout);
-+  _dbus_loop_remove_timeout (bus_connection_get_loop (connection), timeout);
- }
- static void
-@@ -448,6 +455,10 @@ free_connection_data (void *data)
-   
-   dbus_free (d->name);
-   
-+#ifdef DBUS_ENABLE_CYNARA
-+  free (d->cynara_session_id);
-+#endif
-+
-   dbus_free (d);
- }
-@@ -1078,6 +1089,22 @@ bus_connection_get_policy (DBusConnection *connection)
-   return d->policy;
- }
-+#ifdef DBUS_ENABLE_CYNARA
-+const char *bus_connection_get_cynara_session_id (DBusConnection *connection)
-+{
-+  BusConnectionData *d = BUS_CONNECTION_DATA (connection);
-+  _dbus_assert (d != NULL);
-+
-+  if (d->cynara_session_id == NULL)
-+    {
-+      unsigned long pid;
-+      if (dbus_connection_get_unix_process_id(connection, &pid))
-+        d->cynara_session_id = cynara_session_from_pid(pid);
-+    }
-+  return d->cynara_session_id;
-+}
-+#endif
-+
- static dbus_bool_t
- foreach_active (BusConnections               *connections,
-                 BusConnectionForeachFunction  function,
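Review bot: `bus_connection_get_cynara_session_id()` has no comment describing ownership or the failure case. The string comes from `cynara_session_from_pid()`, is cached in `d->cynara_session_id`, and is released with `free()` rather than `dbus_free()` in `free_connection_data()`. A short doc comment should say that the caller must not free it and that NULL is returned when the peer PID cannot be obtained (in which case the lookup is retried on every call). Style: elsewhere in this file the return type sits on its own line and calls have a space before the parenthesis, as in `bus_connection_get_loop (DBusConnection *connection)`.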
-@@ -2333,6 +2360,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
-                                   DBusMessage    *message)
- {
-   DBusError error = DBUS_ERROR_INIT;
-+  BusResult res;
-   /* We have to set the sender to the driver, and have
-    * to check security policy since it was not done in
-@@ -2370,10 +2398,11 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
-    * if we're actively capturing messages, it's nice to log that we
-    * tried to send it and did not allow ourselves to do so.
-    */
--  if (!bus_context_check_security_policy (bus_transaction_get_context (transaction),
--                                          transaction,
--                                          NULL, connection, connection,
--                                          message, NULL, &error))
-+  res = bus_context_check_security_policy (bus_transaction_get_context (transaction),
-+                                           transaction,
-+                                           NULL, connection, connection, message, NULL,
-+                                           &error, NULL);
-+  if (res == BUS_RESULT_FALSE)
-     {
-       if (!bus_transaction_capture_error_reply (transaction, connection,
-                                                 &error, message))
-@@ -2388,6 +2417,12 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
-       dbus_error_free (&error);
-       return TRUE;
-     }
-+  else if (res == BUS_RESULT_LATER)
-+    {
-+      _dbus_verbose ("Cannot delay sending message from bus driver, dropping it\n");
-+      dbus_error_free (&error);
-+      return TRUE;
-+    }
-   return bus_transaction_send (transaction, connection, message);
- }
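Review bot: the `BUS_RESULT_LATER` branch returns TRUE after discarding the driver's message, so the caller cannot tell a drop from a successful send, and the only trace is a `_dbus_verbose` line. Consider logging at warning level or reporting the condition to the caller. The call above also passes NULL for the deferred-message out-parameter, but `bus_cynara_check_privilege()` in bus/cynara.c still allocates the deferred message and creates the Cynara request on a cache miss, so a check stays in flight for a message that has already been dropped.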
-diff --git a/bus/connection.h b/bus/connection.h
-index 9e253ae..71078ea 100644
---- a/bus/connection.h
-+++ b/bus/connection.h
-@@ -31,6 +31,7 @@
- typedef dbus_bool_t (* BusConnectionForeachFunction) (DBusConnection *connection, 
-                                                       void           *data);
-+DBusLoop*       bus_connection_get_loop           (DBusConnection *connection);
- BusConnections* bus_connections_new               (BusContext                   *context);
- BusConnections* bus_connections_ref               (BusConnections               *connections);
-@@ -124,6 +125,9 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection  *connection,
-                                        BusTransaction  *transaction,
-                                        DBusList       **rules,
-                                        DBusError       *error);
-+#ifdef DBUS_ENABLE_CYNARA
-+const char *bus_connection_get_cynara_session_id (DBusConnection *connection);
-+#endif
- /* transaction API so we can send or not send a block of messages as a whole */
-diff --git a/bus/cynara.c b/bus/cynara.c
-new file mode 100644
-index 0000000..57a4c45
---- /dev/null
-+++ b/bus/cynara.c
-@@ -0,0 +1,374 @@
-+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
-+/* cynara.c  Cynara runtime privilege checking
-+ *
-+ * Copyright (c) 2014 Samsung Electronics, Ltd.
-+ *
-+ * Licensed under the Academic Free License version 2.1
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-+ *
-+ */
-+
-+#include <config.h>
-+#include "cynara.h"
-+#include "check.h"
-+#include "utils.h"
-+
-+#include <stdio.h>
-+
-+#include <dbus/dbus.h>
-+#include <dbus/dbus-watch.h>
-+#include <dbus/dbus-connection-internal.h>
-+#include <bus/connection.h>
-+#ifdef DBUS_ENABLE_CYNARA
-+#include <cynara-client-async.h>
-+#endif
-+
-+
-+#ifdef DBUS_ENABLE_CYNARA
-+typedef struct BusCynara
-+{
-+  int refcount;
-+
-+  BusContext   *context;
-+  BusCheck     *check;
-+  cynara_async *cynara;
-+  DBusWatch    *cynara_watch;
-+} BusCynara;
-+
-+#define USE_CYNARA_CACHE 1
-+#ifdef USE_CYNARA_CACHE
-+#define CYNARA_CACHE_SIZE 1000
-+#endif
-+
-+static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch,
-+                                             unsigned int flags,
-+                                             void *data);
-+
-+static void status_callback(int old_fd,
-+                            int new_fd,
-+                            cynara_async_status status,
-+                            void *user_status_data);
-+static void bus_cynara_check_response_callback (cynara_check_id check_id,
-+                                                cynara_async_call_cause cause,
-+                                                int response,
-+                                                void *user_response_data);
-+#endif
-+
-+
-+BusCynara *
-+bus_cynara_new(BusCheck *check, DBusError *error)
-+{
-+#ifdef DBUS_ENABLE_CYNARA
-+  BusContext *context;
-+  BusCynara *cynara;
-+  cynara_async_configuration *conf = NULL;
-+  int ret;
-+
-+  cynara = dbus_new(BusCynara, 1);
-+  if (cynara == NULL)
-+    {
-+      BUS_SET_OOM(error);
-+      return NULL;
-+    }
-+
-+  context = bus_check_get_context(check);
-+
-+  cynara->refcount = 1;
-+  cynara->check = check;
-+  cynara->context = context;
-+  cynara->cynara_watch = NULL;
-+
-+  ret = cynara_async_configuration_create(&conf);
-+  if (ret != CYNARA_API_SUCCESS)
-+    {
-+      dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynara configuration");
-+      goto out;
-+    }
-+
-+#ifdef CYNARA_CACHE_SIZE
-+  ret = cynara_async_configuration_set_cache_size(conf, CYNARA_CACHE_SIZE);
-+  if (ret != CYNARA_API_SUCCESS)
-+    {
-+      dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to Cynara cache size");
-+      goto out;
-+    }
-+#endif
-+
-+  ret = cynara_async_initialize(&cynara->cynara, conf, &status_callback, cynara);
-+  if (ret != CYNARA_API_SUCCESS)
-+    {
-+      dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynara client");
-+      goto out;
-+    }
-+
-+out:
-+  cynara_async_configuration_destroy(conf);
-+  if (ret != CYNARA_API_SUCCESS)
-+    {
-+      dbus_free(cynara);
-+      return NULL;
-+    }
-+
-+  return cynara;
-+#else
-+  return NULL;
-+#endif
-+}
-+
-+BusCynara *
-+bus_cynara_ref (BusCynara *cynara)
-+{
-+#ifdef DBUS_ENABLE_CYNARA
-+  _dbus_assert (cynara->refcount > 0);
-+  cynara->refcount += 1;
-+
-+  return cynara;
-+#else
-+  return NULL;
-+#endif
-+}
-+
-+void
-+bus_cynara_unref (BusCynara *cynara)
-+{
-+#ifdef DBUS_ENABLE_CYNARA
-+  _dbus_assert (cynara->refcount > 0);
-+
-+  cynara->refcount -= 1;
-+
-+  if (cynara->refcount == 0)
-+    {
-+      cynara_async_finish(cynara->cynara);
-+      dbus_free(cynara);
-+    }
-+#endif
-+}
-+
-+BusResult
-+bus_cynara_check_privilege (BusCynara *cynara,
-+                            DBusMessage *message,
-+                            DBusConnection *sender,
-+                            DBusConnection *addressed_recipient,
-+                            DBusConnection *proposed_recipient,
-+                            const char *privilege,
-+                            BusDeferredMessageStatus check_type,
-+                            BusDeferredMessage **deferred_message_param)
-+{
-+#ifdef DBUS_ENABLE_CYNARA
-+  int result;
-+  unsigned long uid;
-+  char *label;
-+  const char *session_id;
-+  char user[32];
-+  cynara_check_id check_id;
-+  DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
-+  BusDeferredMessage *deferred_message;
-+  BusResult ret;
-+
-+  _dbus_assert(connection != NULL);
-+
-+  if (dbus_connection_get_unix_user(connection, &uid) == FALSE)
-+      return BUS_RESULT_FALSE;
-+
-+  if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL)
-+    {
-+      _dbus_warn("Failed to obtain security label for connection\n");
-+      return BUS_RESULT_FALSE;
-+    }
-+
-+  session_id = bus_connection_get_cynara_session_id (connection);
-+  if (session_id == NULL)
-+    {
-+      ret = BUS_RESULT_FALSE;
-+      goto out;
-+    }
-+
-+  snprintf(user, sizeof(user), "%lu", uid);
-+
-+#if USE_CYNARA_CACHE
-+  result = cynara_async_check_cache(cynara->cynara, label, session_id, user, privilege);
-+#else
-+  result = CYNARA_API_CACHE_MISS;
-+#endif
-+
-+  switch (result)
-+  {
-+  case CYNARA_API_ACCESS_ALLOWED:
-+    _dbus_verbose("Cynara: got ALLOWED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
-+               label, session_id, user, privilege);
-+    ret = BUS_RESULT_TRUE;
-+    break;
-+
-+  case CYNARA_API_ACCESS_DENIED:
-+    _dbus_verbose("Cynara: got DENIED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
-+               label, session_id, user, privilege);
-+    ret = BUS_RESULT_FALSE;
-+    break;
-+
-+  case CYNARA_API_CACHE_MISS:
-+     deferred_message = bus_deferred_message_new(message, sender, addressed_recipient,
-+         proposed_recipient, BUS_RESULT_LATER);
-+     if (deferred_message == NULL)
-+       {
-+         _dbus_verbose("Failed to allocate memory for deferred message\n");
-+         ret = BUS_RESULT_FALSE;
-+         goto out;
-+       }
-+
-+    /* callback is supposed to unref deferred_message*/
-+    result = cynara_async_create_request(cynara->cynara, label, session_id, user, privilege, &check_id,
-+        &bus_cynara_check_response_callback, deferred_message);
-+    if (result == CYNARA_API_SUCCESS)
-+      {
-+        _dbus_verbose("Created Cynara request: client=%s session_id=%s user=%s privilege=%s check_id=%u "
-+            "deferred_message=%p\n", label, session_id, user, privilege, (unsigned int)check_id, deferred_message);
-+        if (deferred_message_param != NULL)
-+          *deferred_message_param = deferred_message;
-+        ret = BUS_RESULT_LATER;
-+      }
-+    else
-+      {
-+        _dbus_verbose("Error on cynara request create: %i\n", result);
-+        bus_deferred_message_unref(deferred_message);
-+        ret = BUS_RESULT_FALSE;
-+      }
-+    break;
-+  default:
-+    _dbus_verbose("Error when accessing Cynara cache: %i\n", result);
-+    ret = BUS_RESULT_FALSE;
-+  }
-+out:
-+  dbus_free(label);
-+  return ret;
-+
-+#else
-+  return BUS_RESULT_FALSE;
-+#endif
-+}
-+
-+
-+
-+#ifdef DBUS_ENABLE_CYNARA
-+static void
-+status_callback(int old_fd, int new_fd, cynara_async_status status,
-+                void *user_status_data)
-+{
-+  BusCynara *cynara = (BusCynara *)user_status_data;
-+  DBusLoop *loop = bus_context_get_loop(cynara->context);
-+
-+  if (cynara->cynara_watch != NULL)
-+    {
-+      _dbus_loop_remove_watch(loop, cynara->cynara_watch);
-+      _dbus_watch_invalidate(cynara->cynara_watch);
-+      _dbus_watch_unref(cynara->cynara_watch);
-+      cynara->cynara_watch = NULL;
-+    }
-+
-+  if (new_fd != -1)
-+    {
-+      unsigned int flags;
-+      DBusWatch *watch;
-+
-+      switch (status)
-+      {
-+      case CYNARA_STATUS_FOR_READ:
-+        flags = DBUS_WATCH_READABLE;
-+        break;
-+      case CYNARA_STATUS_FOR_RW:
-+        flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
-+        break;
-+      default:
-+        /* Cynara passed unknown status - warn and add RW watch */
-+        _dbus_verbose("Cynara passed unknown status value: 0x%08X\n", (unsigned int)status);
-+        flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
-+        break;
-+      }
-+
-+      watch = _dbus_watch_new(new_fd, flags, TRUE, &bus_cynara_watch_callback, cynara, NULL);
-+      if (watch != NULL)
-+        {
-+          if (_dbus_loop_add_watch(loop, watch) == TRUE)
-+            {
-+              cynara->cynara_watch = watch;
-+              return;
-+            }
-+
-+          _dbus_watch_invalidate(watch);
-+          _dbus_watch_unref(watch);
-+        }
-+
-+      /* It seems like not much can be done at this point. Cynara events won't be processed
-+       * until next Cynara function call triggering status callback */
-+      _dbus_verbose("Failed to add dbus watch\n");
-+    }
-+}
-+
-+static dbus_bool_t
-+bus_cynara_watch_callback(DBusWatch    *watch,
-+                          unsigned int  flags,
-+                          void         *data)
-+{
-+  BusCynara *cynara = (BusCynara *)data;
-+  int result = cynara_async_process(cynara->cynara);
-+  if (result != CYNARA_API_SUCCESS)
-+      _dbus_verbose("cynara_async_process returned %d\n", result);
-+
-+  return result != CYNARA_API_OUT_OF_MEMORY ? TRUE : FALSE;
-+}
-+
-+static inline const char *
-+call_cause_to_string(cynara_async_call_cause cause)
-+{
-+  switch (cause)
-+  {
-+  case CYNARA_CALL_CAUSE_ANSWER:
-+    return "ANSWER";
-+  case CYNARA_CALL_CAUSE_CANCEL:
-+    return "CANCEL";
-+  case CYNARA_CALL_CAUSE_FINISH:
-+    return "FINSIH";
-+  case CYNARA_CALL_CAUSE_SERVICE_NOT_AVAILABLE:
-+    return "SERVICE NOT AVAILABLE";
-+  default:
-+    return "INVALID";
-+  }
-+}
-+
-+static void
-+bus_cynara_check_response_callback (cynara_check_id check_id,
-+                                    cynara_async_call_cause cause,
-+                                    int response,
-+                                    void *user_response_data)
-+{
-+  BusDeferredMessage *deferred_message = user_response_data;
-+  BusResult result;
-+
-+  _dbus_verbose("Cynara callback: check_id=%u, cause=%s response=%i response_data=%p\n",
-+      (unsigned int)check_id, call_cause_to_string(cause), response, user_response_data);
-+
-+  if (deferred_message == NULL)
-+    return;
-+
-+  if (cause == CYNARA_CALL_CAUSE_ANSWER && response == CYNARA_API_ACCESS_ALLOWED)
-+    result = BUS_RESULT_TRUE;
-+  else
-+    result = BUS_RESULT_FALSE;
-+
-+  bus_deferred_message_response_received(deferred_message, result);
-+  bus_deferred_message_unref(deferred_message);
-+}
-+
-+#endif /* DBUS_ENABLE_CYNARA */
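Review bot: `bus_cynara_check_privilege()` passes `privilege` straight to `cynara_async_check_cache()`, `cynara_async_create_request()` and the `%s` verbose formats without a NULL check, while the parser change earlier in this patch (`if (privilege && !rule->privilege)`) tolerates a rule whose privilege is NULL. Return `BUS_RESULT_FALSE` early when `privilege == NULL`, or reject such rules at parse time. Smaller points: `USE_CYNARA_CACHE` is tested with `#ifdef` near the top and with `#if` before the cache lookup, so defining it to 0 would still configure the cache size while skipping the lookup; the error text "Failed to Cynara cache size" is missing a verb; `call_cause_to_string()` returns "FINSIH" for `CYNARA_CALL_CAUSE_FINISH`.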
-diff --git a/bus/cynara.h b/bus/cynara.h
-new file mode 100644
-index 0000000..c4728bb
---- /dev/null
-+++ b/bus/cynara.h
-@@ -0,0 +1,37 @@
-+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
-+/* cynara.h  Cynara runtime privilege checking
-+ *
-+ * Copyright (c) 2014 Samsung Electronics, Ltd.
-+ *
-+ * Licensed under the Academic Free License version 2.1
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-+ *
-+ */
-+
-+#include "bus.h"
-+#include "check.h"
-+
-+BusCynara *bus_cynara_new             (BusCheck *check, DBusError *error);
-+BusCynara *bus_cynara_ref             (BusCynara *cynara);
-+void       bus_cynara_unref           (BusCynara *cynara);
-+BusResult  bus_cynara_check_privilege (BusCynara *cynara,
-+                                       DBusMessage *message,
-+                                       DBusConnection *sender,
-+                                       DBusConnection *addressed_recipient,
-+                                       DBusConnection *proposed_recipient,
-+                                       const char *privilege,
-+                                       BusDeferredMessageStatus check_type,
-+                                       BusDeferredMessage **deferred_message);
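Review bot: the new header has no include guard; it goes from the license block directly to `#include "bus.h"`. Wrap the contents in a guard such as `#ifndef BUS_CYNARA_H` / `#define BUS_CYNARA_H` / `#endif`, matching the `BUS_DRIVER_H` guard in bus/driver.h. The prototypes also carry no comment on what `BUS_RESULT_LATER` means for the caller or who owns `*deferred_message` after `bus_cynara_check_privilege()` returns.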
-diff --git a/bus/dispatch.c b/bus/dispatch.c
-index 19228be..d3867f7 100644
---- a/bus/dispatch.c
-+++ b/bus/dispatch.c
-@@ -25,6 +25,7 @@
- #include <config.h>
- #include "dispatch.h"
-+#include "check.h"
- #include "connection.h"
- #include "driver.h"
- #include "services.h"
-@@ -64,14 +65,18 @@ send_one_message (DBusConnection *connection,
-                   DBusError      *error)
- {
-   DBusError stack_error = DBUS_ERROR_INIT;
-+  BusDeferredMessage *deferred_message;
-+  BusResult result;
--  if (!bus_context_check_security_policy (context, transaction,
-+  result = bus_context_check_security_policy (context, transaction,
-                                           sender,
-                                           addressed_recipient,
-                                           connection,
-                                           message,
-                                           NULL,
--                                          &stack_error))
-+                                          &stack_error,
-+                                          &deferred_message);
-+  if (result != BUS_RESULT_TRUE)
-     {
-       if (!bus_transaction_capture_error_reply (transaction, sender,
-                                                 &stack_error, message))
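Review bot: `if (result != BUS_RESULT_TRUE)` in `send_one_message()` sends `BUS_RESULT_LATER` down the same path as a denial and hands `stack_error` to `bus_transaction_capture_error_reply()`. The other call sites in this file set the error themselves when they see `BUS_RESULT_LATER`, which suggests the check does not set it in that case; handle `BUS_RESULT_LATER` explicitly here as well. `deferred_message` is declared uninitialised and is not read in the visible lines; initialise it to NULL or pass NULL for the out-parameter.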
-@@ -130,6 +135,8 @@ bus_dispatch_matches (BusTransaction *transaction,
-   BusMatchmaker *matchmaker;
-   DBusList *link;
-   BusContext *context;
-+  BusDeferredMessage *deferred_message;
-+  BusResult res;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -145,11 +152,20 @@ bus_dispatch_matches (BusTransaction *transaction,
-   /* First, send the message to the addressed_recipient, if there is one. */
-   if (addressed_recipient != NULL)
-     {
--      if (!bus_context_check_security_policy (context, transaction,
--                                              sender, addressed_recipient,
--                                              addressed_recipient,
--                                              message, NULL, error))
-+      res = bus_context_check_security_policy (context, transaction,
-+                                               sender, addressed_recipient,
-+                                               addressed_recipient,
-+                                               message, NULL, error,
-+                                               &deferred_message);
-+      if (res == BUS_RESULT_FALSE)
-         return FALSE;
-+      else if (res == BUS_RESULT_LATER)
-+        {
-+          dbus_set_error (error,
-+                          DBUS_ERROR_ACCESS_DENIED,
-+                          "Rejecting message because time is needed to check security policy");
-+          return FALSE;
-+        }
-       if (dbus_message_contains_unix_fds (message) &&
-           !dbus_connection_can_send_type (addressed_recipient,
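Review bot: in the `BUS_RESULT_LATER` branch of `bus_dispatch_matches()` the message is rejected with `DBUS_ERROR_ACCESS_DENIED`, so a `<check>` rule denies whenever the answer is not already available, and the same message may succeed on a retry once bus/cynara.c has a cached answer. That fails closed, which is the safe direction, but the cache-dependent behaviour should be documented for policy authors. `deferred_message` is filled in by the check and then ignored; add a comment on who releases it (bus/cynara.c states that the response callback unrefs it).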
-@@ -374,19 +390,31 @@ bus_dispatch (DBusConnection *connection,
-   if (service_name &&
-       strcmp (service_name, DBUS_SERVICE_DBUS) == 0) /* to bus driver */
-     {
-+      BusDeferredMessage *deferred_message;
-+      BusResult res;
-+
-       if (!bus_transaction_capture (transaction, connection, NULL, message))
-         {
-           BUS_SET_OOM (&error);
-           goto out;
-         }
--      if (!bus_context_check_security_policy (context, transaction,
--                                              connection, NULL, NULL, message,
--                                              NULL, &error))
-+      res = bus_context_check_security_policy (context, transaction,
-+                                               connection, NULL, NULL, message, NULL,
-+                                               &error, &deferred_message);
-+      if (res == BUS_RESULT_FALSE)
-         {
-           _dbus_verbose ("Security policy rejected message\n");
-           goto out;
-         }
-+      else if (res == BUS_RESULT_LATER)
-+        {
-+          dbus_set_error (&error,
-+                          DBUS_ERROR_ACCESS_DENIED,
-+                          "Rejecting message because time is needed to check security policy");
-+          _dbus_verbose ("Security policy needs time to check policy. Dropping message\n");
-+          goto out;
-+        }
-       _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS);
-       if (!bus_driver_handle_message (connection, transaction, message, &error))
-diff --git a/bus/driver.h b/bus/driver.h
-index ac1289d..a7297ad 100644
---- a/bus/driver.h
-+++ b/bus/driver.h
-@@ -66,5 +66,7 @@ dbus_bool_t bus_driver_send_ack_reply     (DBusConnection  *connection,
-                                            BusTransaction  *transaction,
-                                            DBusMessage     *message,
-                                            DBusError       *error);
-+dbus_bool_t bus_driver_check_message_is_for_us (DBusMessage *message,
-+                                                DBusError   *error);
- #endif /* BUS_DRIVER_H */
-diff --git a/bus/policy.c b/bus/policy.c
-index a37be80..7de92c6 100644
---- a/bus/policy.c
-+++ b/bus/policy.c
-@@ -22,6 +22,7 @@
-  */
- #include <config.h>
-+#include "check.h"
- #include "policy.h"
- #include "services.h"
- #include "test.h"
-@@ -33,7 +34,7 @@
- BusPolicyRule*
- bus_policy_rule_new (BusPolicyRuleType type,
--                     dbus_bool_t       allow)
-+                     BusPolicyRuleAccess access)
- {
-   BusPolicyRule *rule;
-@@ -43,7 +44,7 @@ bus_policy_rule_new (BusPolicyRuleType type,
-   rule->type = type;
-   rule->refcount = 1;
--  rule->allow = allow;
-+  rule->access = access;
-   switch (rule->type)
-     {
-@@ -55,18 +56,19 @@ bus_policy_rule_new (BusPolicyRuleType type,
-       break;
-     case BUS_POLICY_RULE_SEND:
-       rule->d.send.message_type = DBUS_MESSAGE_TYPE_INVALID;
--
-       /* allow rules default to TRUE (only requested replies allowed)
-+       * check rules default to TRUE (only requested replies are checked)
-        * deny rules default to FALSE (only unrequested replies denied)
-        */
--      rule->d.send.requested_reply = rule->allow;
-+      rule->d.send.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
-       break;
-     case BUS_POLICY_RULE_RECEIVE:
-       rule->d.receive.message_type = DBUS_MESSAGE_TYPE_INVALID;
-       /* allow rules default to TRUE (only requested replies allowed)
-+       * check rules default to TRUE (only requested replies are checked)
-        * deny rules default to FALSE (only unrequested replies denied)
-        */
--      rule->d.receive.requested_reply = rule->allow;
-+      rule->d.receive.requested_reply = rule->access != BUS_POLICY_RULE_ACCESS_DENY;
-       break;
-     case BUS_POLICY_RULE_OWN:
-       break;
-@@ -122,7 +124,8 @@ bus_policy_rule_unref (BusPolicyRule *rule)
-         default:
-           _dbus_assert_not_reached ("invalid rule");
-         }
--      
-+
-+      dbus_free (rule->privilege);
-       dbus_free (rule);
-     }
- }
-@@ -435,7 +438,10 @@ list_allows_user (dbus_bool_t           def,
-       else
-         continue;
--      allowed = rule->allow;
-+      /* We don't intend to support <check user="..." /> and <check group="..." />
-+         rules. They are treated like deny.
-+      */
-+      allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
-     }
-   
-   return allowed;
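Review bot: `<check user="..."/>` and `<check group="..."/>` are silently treated as deny in `list_allows_user()` (`allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;`). Since these rules are not supported, rejecting them in the config parser, or at least warning when one is loaded, would keep an administrator from assuming that a privilege check takes place. The new comment should also follow the block-comment style used elsewhere in this file, with a leading `*` on continuation lines.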
-@@ -873,18 +879,23 @@ bus_client_policy_append_rule (BusClientPolicy *policy,
-   return TRUE;
- }
--dbus_bool_t
--bus_client_policy_check_can_send (BusClientPolicy *policy,
--                                  BusRegistry     *registry,
--                                  dbus_bool_t      requested_reply,
--                                  DBusConnection  *receiver,
--                                  DBusMessage     *message,
--                                  dbus_int32_t    *toggles,
--                                  dbus_bool_t     *log)
-+BusResult
-+bus_client_policy_check_can_send (DBusConnection      *sender,
-+                                  BusClientPolicy     *policy,
-+                                  BusRegistry         *registry,
-+                                  dbus_bool_t          requested_reply,
-+                                  DBusConnection      *addressed_recipient,
-+                                  DBusConnection      *receiver,
-+                                  DBusMessage         *message,
-+                                  dbus_int32_t        *toggles,
-+                                  dbus_bool_t         *log,
-+                                  const char         **privilege_param,
-+                                  BusDeferredMessage **deferred_message)
- {
-   DBusList *link;
--  dbus_bool_t allowed;
--  
-+  BusResult result;
-+  const char *privilege;
-+
-   /* policy->rules is in the order the rules appeared
-    * in the config file, i.e. last rule that applies wins
-    */
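Review bot: `const char *privilege;` is declared without an initialiser. Later in the function it is assigned only in the `BUS_POLICY_RULE_ACCESS_CHECK` case and read under `if (result == BUS_RESULT_LATER)`; that pairing holds as written, but initialising it to NULL at the declaration removes the dependency and avoids maybe-uninitialised warnings. The widened signature (`sender`, `addressed_recipient`, `privilege_param`, `deferred_message`) also needs its parameters documented, in particular that `privilege_param` may be NULL.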
-@@ -892,7 +903,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
-   _dbus_verbose ("  (policy) checking send rules\n");
-   *toggles = 0;
-   
--  allowed = FALSE;
-+  result = BUS_RESULT_FALSE;
-   link = _dbus_list_get_first_link (&policy->rules);
-   while (link != NULL)
-     {
-@@ -923,13 +934,14 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
-       /* If it's a reply, the requested_reply flag kicks in */
-       if (dbus_message_get_reply_serial (message) != 0)
-         {
--          /* for allow, requested_reply=true means the rule applies
--           * only when reply was requested. requested_reply=false means
--           * always allow.
-+          /* for allow or check requested_reply=true means the rule applies
-+           * only when reply was requested. requested_reply=false means the
-+           * rule always applies
-            */
--          if (!requested_reply && rule->allow && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
-+          if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
-             {
--              _dbus_verbose ("  (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n");
-+              _dbus_verbose ("  (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
-+                  rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
-               continue;
-             }
-@@ -937,7 +949,7 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
-            * when the reply was not requested. requested_reply=true means the
-            * rule always applies.
-            */
--          if (requested_reply && !rule->allow && !rule->d.send.requested_reply)
-+          if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.send.requested_reply)
-             {
-               _dbus_verbose ("  (policy) skipping deny rule since it only applies to unrequested replies\n");
-               continue;
-@@ -960,13 +972,15 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
-           /* The interface is optional in messages. For allow rules, if the message
-            * has no interface we want to skip the rule (and thus not allow);
-            * for deny rules, if the message has no interface we want to use the
--           * rule (and thus deny).
-+           * rule (and thus deny). Check rules are meant to be used like allow
-+           * rules (they can grant access, but not remove it), so we treat it like
-+           * allow here.
-            */
-           dbus_bool_t no_interface;
-           no_interface = dbus_message_get_interface (message) == NULL;
-           
--          if ((no_interface && rule->allow) ||
-+          if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
-               (!no_interface && 
-                strcmp (dbus_message_get_interface (message),
-                        rule->d.send.interface) != 0))
-@@ -1079,33 +1093,64 @@ bus_client_policy_check_can_send (BusClientPolicy *policy,
-         }
-       /* Use this rule */
--      allowed = rule->allow;
-+      switch (rule->access)
-+        {
-+        case BUS_POLICY_RULE_ACCESS_ALLOW:
-+          result = BUS_RESULT_TRUE;
-+          break;
-+        case BUS_POLICY_RULE_ACCESS_DENY:
-+        default:
-+          result = BUS_RESULT_FALSE;
-+          break;
-+        case BUS_POLICY_RULE_ACCESS_CHECK:
-+          result = BUS_RESULT_LATER;
-+          privilege = rule->privilege;
-+          break;
-+        }
-+
-       *log = rule->d.send.log;
-       (*toggles)++;
--      _dbus_verbose ("  (policy) used rule, allow now = %d\n",
--                     allowed);
-+      _dbus_verbose ("  (policy) used rule, result now = %d\n",
-+                     (int)(intptr_t)result);
-     }
--  return allowed;
-+  if (result == BUS_RESULT_LATER)
-+    {
-+      BusContext *context = bus_connection_get_context(sender);
-+      BusCheck *check = bus_context_get_check(context);
-+
-+      result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
-+          privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
-+    }
-+  else
-+    privilege = NULL;
-+
-+  if (privilege_param != NULL)
-+    *privilege_param = privilege;
-+
-+  return result;
- }
- /* See docs on what the args mean on bus_context_check_security_policy()
-  * comment
-  */
--dbus_bool_t
--bus_client_policy_check_can_receive (BusClientPolicy *policy,
--                                     BusRegistry     *registry,
--                                     dbus_bool_t      requested_reply,
--                                     DBusConnection  *sender,
--                                     DBusConnection  *addressed_recipient,
--                                     DBusConnection  *proposed_recipient,
--                                     DBusMessage     *message,
--                                     dbus_int32_t    *toggles)
-+BusResult
-+bus_client_policy_check_can_receive (BusClientPolicy     *policy,
-+                                     BusRegistry         *registry,
-+                                     dbus_bool_t          requested_reply,
-+                                     DBusConnection      *sender,
-+                                     DBusConnection      *addressed_recipient,
-+                                     DBusConnection      *proposed_recipient,
-+                                     DBusMessage         *message,
-+                                     dbus_int32_t        *toggles,
-+                                     const char         **privilege_param,
-+                                     BusDeferredMessage **deferred_message)
- {
-   DBusList *link;
--  dbus_bool_t allowed;
-   dbus_bool_t eavesdropping;
-+  BusResult result;
-+  const char *privilege;
-   eavesdropping =
-     addressed_recipient != proposed_recipient &&
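Review bot: bus_connection_get_context(sender) in the BUS_RESULT_LATER branch of bus_client_policy_check_can_send dereferences sender with no guard, while the next patch in this series calls bus_dispatch_matches with a NULL sender for systemd activation. If a check rule can ever match on that path, the daemon crashes instead of failing closed. Add `_dbus_assert (sender != NULL)` or return BUS_RESULT_FALSE for a NULL sender, and state the requirement in the function comment.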
-@@ -1118,7 +1163,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
-   _dbus_verbose ("  (policy) checking receive rules, eavesdropping = %d\n", eavesdropping);
-   *toggles = 0;
-   
--  allowed = FALSE;
-+  result = BUS_RESULT_FALSE;
-   link = _dbus_list_get_first_link (&policy->rules);
-   while (link != NULL)
-     {
-@@ -1141,19 +1186,21 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
-             }
-         }
--      /* for allow, eavesdrop=false means the rule doesn't apply when
--       * eavesdropping. eavesdrop=true means always allow.
-+
-+      /* for allow or check, eavesdrop=false means the rule doesn't apply when
-+       * eavesdropping. eavesdrop=true means the rule always applies
-        */
--      if (eavesdropping && rule->allow && !rule->d.receive.eavesdrop)
-+      if (eavesdropping && rule->access != BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.eavesdrop)
-         {
--          _dbus_verbose ("  (policy) skipping allow rule since it doesn't apply to eavesdropping\n");
-+          _dbus_verbose ("  (policy) skipping %s rule since it doesn't apply to eavesdropping\n",
-+              rule->access == BUS_POLICY_RULE_ACCESS_ALLOW ? "allow" : "check");
-           continue;
-         }
-       /* for deny, eavesdrop=true means the rule applies only when
-        * eavesdropping; eavesdrop=false means always deny.
-        */
--      if (!eavesdropping && !rule->allow && rule->d.receive.eavesdrop)
-+      if (!eavesdropping && rule->access == BUS_POLICY_RULE_ACCESS_DENY && rule->d.receive.eavesdrop)
-         {
-           _dbus_verbose ("  (policy) skipping deny rule since it only applies to eavesdropping\n");
-           continue;
-@@ -1162,13 +1209,14 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
-       /* If it's a reply, the requested_reply flag kicks in */
-       if (dbus_message_get_reply_serial (message) != 0)
-         {
--          /* for allow, requested_reply=true means the rule applies
--           * only when reply was requested. requested_reply=false means
--           * always allow.
-+          /* for allow or check requested_reply=true means the rule applies
-+           * only when reply was requested. requested_reply=false means the
-+           * rule always applies
-            */
--          if (!requested_reply && rule->allow && rule->d.receive.requested_reply && !rule->d.receive.eavesdrop)
-+          if (!requested_reply && rule->access != BUS_POLICY_RULE_ACCESS_DENY && rule->d.send.requested_reply && !rule->d.send.eavesdrop)
-             {
--              _dbus_verbose ("  (policy) skipping allow rule since it only applies to requested replies and does not allow eavesdropping\n");
-+              _dbus_verbose ("  (policy) skipping %s rule since it only applies to requested replies and does not allow eavesdropping\n",
-+                  rule->access == BUS_POLICY_RULE_ACCESS_DENY ? "allow" : "deny");
-               continue;
-             }
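Review bot: the rewritten requested_reply test in bus_client_policy_check_can_receive reads rule->d.send.requested_reply and rule->d.send.eavesdrop, where the line it replaces used rule->d.receive.*. For a receive rule that is the wrong union member, so whether an allow or check rule is skipped for an unrequested reply depends on unrelated fields. Switch both back to rule->d.receive. The verbose message is also wrong: this branch only runs when access is not DENY, so `rule->access == BUS_POLICY_RULE_ACCESS_DENY ? "allow" : "deny"` always logs "deny"; it should mirror the send path (ACCESS_ALLOW ? "allow" : "check").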
-@@ -1176,7 +1224,7 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
-            * when the reply was not requested. requested_reply=true means the
-            * rule always applies.
-            */
--          if (requested_reply && !rule->allow && !rule->d.receive.requested_reply)
-+          if (requested_reply && rule->access == BUS_POLICY_RULE_ACCESS_DENY && !rule->d.receive.requested_reply)
-             {
-               _dbus_verbose ("  (policy) skipping deny rule since it only applies to unrequested replies\n");
-               continue;
-@@ -1199,13 +1247,13 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
-           /* The interface is optional in messages. For allow rules, if the message
-            * has no interface we want to skip the rule (and thus not allow);
-            * for deny rules, if the message has no interface we want to use the
--           * rule (and thus deny).
-+           * rule (and thus deny). Check rules are treated like allow rules.
-            */
-           dbus_bool_t no_interface;
-           no_interface = dbus_message_get_interface (message) == NULL;
-           
--          if ((no_interface && rule->allow) ||
-+          if ((no_interface && rule->access != BUS_POLICY_RULE_ACCESS_DENY) ||
-               (!no_interface &&
-                strcmp (dbus_message_get_interface (message),
-                        rule->d.receive.interface) != 0))
-@@ -1295,14 +1343,43 @@ bus_client_policy_check_can_receive (BusClientPolicy *policy,
-         }
-       /* Use this rule */
--      allowed = rule->allow;
-+      switch (rule->access)
-+      {
-+        case BUS_POLICY_RULE_ACCESS_ALLOW:
-+          result = BUS_RESULT_TRUE;
-+          break;
-+        case BUS_POLICY_RULE_ACCESS_DENY:
-+        default:
-+          result = BUS_RESULT_FALSE;
-+          break;
-+        case BUS_POLICY_RULE_ACCESS_CHECK:
-+          result = BUS_RESULT_LATER;
-+          privilege = rule->privilege;
-+          break;
-+      }
-+
-       (*toggles)++;
--      _dbus_verbose ("  (policy) used rule, allow now = %d\n",
--                     allowed);
-+      _dbus_verbose ("  (policy) used rule, result now = %d\n",
-+                     (int)(intptr_t)result);
-     }
--  return allowed;
-+
-+  if (result == BUS_RESULT_LATER)
-+    {
-+      BusContext *context = bus_connection_get_context(proposed_recipient);
-+      BusCheck *check = bus_context_get_check(context);
-+
-+      result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
-+                 privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
-+    }
-+  else
-+      privilege = NULL;
-+
-+  if (privilege_param != NULL)
-+     *privilege_param = privilege;
-+
-+  return result;
- }
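Review bot: privilege is declared without an initializer at the top of bus_client_policy_check_can_receive and is assigned only in the BUS_POLICY_RULE_ACCESS_CHECK case or the trailing else. That is correct as written but fragile; initialise it to NULL at the declaration so a later early return cannot pass an indeterminate pointer to *privilege_param. Indentation in this hunk also drifts from the send path (the switch braces, `privilege = NULL;` and `*privilege_param = privilege;`).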
-@@ -1354,7 +1431,7 @@ bus_rules_check_can_own (DBusList *rules,
-         }
-       /* Use this rule */
--      allowed = rule->allow;
-+      allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
-     }
-   return allowed;
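Review bot: `allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;` makes a check rule on name ownership behave as a plain deny, with no runtime privilege lookup and no diagnostic. Either reject a check rule with own= when the configuration is parsed, or add a comment here saying check is not supported for own rules at this point, so a policy author does not assume the privilege is being consulted.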
-diff --git a/bus/policy.h b/bus/policy.h
-index ec43ffa..f839d23 100644
---- a/bus/policy.h
-+++ b/bus/policy.h
-@@ -46,6 +46,14 @@ typedef enum
-   BUS_POLICY_TRISTATE_TRUE
- } BusPolicyTristate;
-+typedef enum
-+{
-+  BUS_POLICY_RULE_ACCESS_DENY,
-+  BUS_POLICY_RULE_ACCESS_ALLOW,
-+  /** runtime check resulting in allow or deny */
-+  BUS_POLICY_RULE_ACCESS_CHECK
-+} BusPolicyRuleAccess;
-+
- /** determines whether the rule affects a connection, or some global item */
- #define BUS_POLICY_RULE_IS_PER_CLIENT(rule) (!((rule)->type == BUS_POLICY_RULE_USER || \
-                                                (rule)->type == BUS_POLICY_RULE_GROUP))
-@@ -56,8 +64,9 @@ struct BusPolicyRule
-   
-   BusPolicyRuleType type;
--  unsigned int allow : 1; /**< #TRUE if this allows, #FALSE if it denies */
--  
-+  unsigned int access : 2; /**< BusPolicyRuleAccess */
-+  char *privilege; /**< for BUS_POLICY_RULE_ACCESS_CHECK */
-+
-   union
-   {
-     struct
-@@ -118,7 +127,7 @@ struct BusPolicyRule
- };
- BusPolicyRule* bus_policy_rule_new   (BusPolicyRuleType type,
--                                      dbus_bool_t       allow);
-+                                      BusPolicyRuleAccess access);
- BusPolicyRule* bus_policy_rule_ref   (BusPolicyRule    *rule);
- void           bus_policy_rule_unref (BusPolicyRule    *rule);
-@@ -152,21 +161,27 @@ dbus_bool_t      bus_policy_merge                 (BusPolicy        *policy,
- BusClientPolicy* bus_client_policy_new               (void);
- BusClientPolicy* bus_client_policy_ref               (BusClientPolicy  *policy);
- void             bus_client_policy_unref             (BusClientPolicy  *policy);
--dbus_bool_t      bus_client_policy_check_can_send    (BusClientPolicy  *policy,
-+BusResult        bus_client_policy_check_can_send    (DBusConnection   *sender,
-+                                                      BusClientPolicy  *policy,
-                                                       BusRegistry      *registry,
-                                                       dbus_bool_t       requested_reply,
-+                                                      DBusConnection   *addressed_recipient,
-                                                       DBusConnection   *receiver,
-                                                       DBusMessage      *message,
-                                                       dbus_int32_t     *toggles,
--                                                      dbus_bool_t      *log);
--dbus_bool_t      bus_client_policy_check_can_receive (BusClientPolicy  *policy,
-+                                                      dbus_bool_t      *log,
-+                                                      const char      **privilege_param,
-+                                                      BusDeferredMessage **deferred_message);
-+BusResult        bus_client_policy_check_can_receive (BusClientPolicy  *policy,
-                                                       BusRegistry      *registry,
-                                                       dbus_bool_t       requested_reply,
-                                                       DBusConnection   *sender,
-                                                       DBusConnection   *addressed_recipient,
-                                                       DBusConnection   *proposed_recipient,
-                                                       DBusMessage      *message,
--                                                      dbus_int32_t     *toggles);
-+                                                      dbus_int32_t     *toggles,
-+                                                      const char      **privilege_param,
-+                                                      BusDeferredMessage **deferred_message);
- dbus_bool_t      bus_client_policy_check_can_own     (BusClientPolicy  *policy,
-                                                       const DBusString *service_name);
- dbus_bool_t      bus_client_policy_append_rule       (BusClientPolicy  *policy,
-diff --git a/configure.ac b/configure.ac
-index d1e3a29..11b5ffd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1742,6 +1742,17 @@ AC_ARG_ENABLE([user-session],
- AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION],
-   [test "x$enable_user_session" = xyes])
-+#enable cynara integration
-+AC_ARG_ENABLE([cynara], [AS_HELP_STRING([--enable-cynara], [enable Cynara integration])], [], [enable_cynara=no])
-+if test "x$enable_cynara" = xyes; then
-+  PKG_CHECK_MODULES([CYNARA], [cynara-client-async >= 0.6.0 cynara-session >= 0.6.0],
-+     [AC_DEFINE([DBUS_ENABLE_CYNARA], [1], [Define to enable Cynara privilege checks in dbus-daemon])],
-+     [AC_MSG_ERROR([libcynara-client-async and cynara-session are required to enable Cynara integration])])
-+fi
-+
-+AC_SUBST([CYNARA_CFLAGS])
-+AC_SUBST([CYNARA_LIBS])
-+
- AC_CONFIG_FILES([
- Doxyfile
- dbus/Version
-@@ -1824,6 +1835,7 @@ echo "
-         Building bus stats API:   ${enable_stats}
-         Building SELinux support: ${have_selinux}
-         Building AppArmor support: ${have_apparmor}
-+        Building Cynara support:  ${enable_cynara}
-         Building inotify support: ${have_inotify}
-         Building kqueue support:  ${have_kqueue}
-         Building systemd support: ${have_systemd}
-diff --git a/test/Makefile.am b/test/Makefile.am
-index af1e13b..e6f50e1 100644
---- a/test/Makefile.am
-+++ b/test/Makefile.am
-@@ -439,6 +439,7 @@ in_data = \
-       data/valid-config-files/debug-allow-all.conf.in \
-       data/valid-config-files/finite-timeout.conf.in \
-       data/valid-config-files/forbidding.conf.in \
-+      data/valid-config-files/debug-check-some.conf.in \
-       data/valid-config-files/incoming-limit.conf.in \
-       data/valid-config-files/max-completed-connections.conf.in \
-       data/valid-config-files/max-connections-per-user.conf.in \
-diff --git a/test/data/invalid-config-files/badcheck-1.conf b/test/data/invalid-config-files/badcheck-1.conf
-new file mode 100644
-index 0000000..fad9f50
---- /dev/null
-+++ b/test/data/invalid-config-files/badcheck-1.conf
-@@ -0,0 +1,9 @@
-+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-+<busconfig>
-+  <user>mybususer</user>
-+  <listen>unix:path=/foo/bar</listen>
-+  <policy context="default">
-+    <allow privilege="foo" send_destination="*"/> <!-- extra privilege="foo" -->
-+  </policy>
-+</busconfig>
-diff --git a/test/data/invalid-config-files/badcheck-2.conf b/test/data/invalid-config-files/badcheck-2.conf
-new file mode 100644
-index 0000000..63c7ef2
---- /dev/null
-+++ b/test/data/invalid-config-files/badcheck-2.conf
-@@ -0,0 +1,9 @@
-+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-+<busconfig>
-+  <user>mybususer</user>
-+  <listen>unix:path=/foo/bar</listen>
-+  <policy context="default">
-+    <check send_destination="*"/> <!-- missing privilege="foo" -->
-+  </policy>
-+</busconfig>
-diff --git a/test/data/valid-config-files/check-1.conf b/test/data/valid-config-files/check-1.conf
-new file mode 100644
-index 0000000..ad71473
---- /dev/null
-+++ b/test/data/valid-config-files/check-1.conf
-@@ -0,0 +1,9 @@
-+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-+<busconfig>
-+  <user>mybususer</user>
-+  <listen>unix:path=/foo/bar</listen>
-+  <policy context="default">
-+    <check privilege="foo" send_destination="*"/>
-+  </policy>
-+</busconfig>
-diff --git a/test/data/valid-config-files/debug-check-some.conf.in b/test/data/valid-config-files/debug-check-some.conf.in
-new file mode 100644
-index 0000000..47ee854
---- /dev/null
-+++ b/test/data/valid-config-files/debug-check-some.conf.in
-@@ -0,0 +1,18 @@
-+<!-- Bus that listens on a debug pipe and doesn't create any restrictions -->
-+
-+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-+<busconfig>
-+  <listen>debug-pipe:name=test-server</listen>
-+  <listen>@TEST_LISTEN@</listen>
-+  <servicedir>@DBUS_TEST_DATA@/valid-service-files</servicedir>
-+  <policy context="default">
-+    <allow send_interface="*"/>
-+    <allow receive_interface="*"/>
-+    <allow own="*"/>
-+    <allow user="*"/>
-+
-+    <deny send_interface="org.freedesktop.TestSuite" send_member="Echo"/>
-+    <check privilege="foo" send_interface="org.freedesktop.TestSuite" send_member="Echo"/>
-+  </policy>
-+</busconfig>
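Review bot: the header comment of debug-check-some.conf.in still says the bus "doesn't create any restrictions", but the policy below denies org.freedesktop.TestSuite Echo and then gates it with a check rule on privilege "foo". Update the comment to describe what the file tests, and say that the check rule follows the deny on purpose, since rule order decides the result.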
--- 
-2.21.1
-
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch b/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0002-Disable-message-dispatching-when-send-rule-result-is.patch
deleted file mode 100644 (file)
index bac8cf9..0000000
+++ /dev/null
@@ -1,967 +0,0 @@
-From c2f4ba585c777b731df6b6b8a165b6cc4dc5d639 Mon Sep 17 00:00:00 2001
-From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-Date: Fri, 28 Nov 2014 12:07:39 +0100
-Subject: [PATCH 2/8] Disable message dispatching when send rule result is not
- known
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When unicast message is sent to addressed recipient and policy result
-is not available message dispatch from the sender is disabled.
-This also means that any further messages from the given connection are
-put into the incoming queue without being processed. If response is received
-message dispatching is resumed. This time answer is attached to the message
-which is now processed synchronously.
-Receive rule result unavailability is not yet handled - such messages are
-rejected. Also, if message is sent to non-addressed recipient and policy result
-is unknown, message is silently dropped.
-
-Cherry-picked from b1b87ad9f20b2052c28431b48e81073078a745ce
-by Jose Bollo.
-
-Updated for dbus 1.10.20 by Scott Murray and José Bollo
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- bus/activation.c                |  76 +++++++++++--
- bus/check.c                     | 109 +++++++++++++++++--
- bus/check.h                     |  10 ++
- bus/cynara.c                    |   1 -
- bus/dispatch.c                  | 184 ++++++++++++++++++++++++++++----
- bus/dispatch.h                  |   2 +-
- bus/driver.c                    |  12 ++-
- dbus/dbus-connection-internal.h |  15 +++
- dbus/dbus-connection.c          | 125 +++++++++++++++++++++-
- dbus/dbus-list.c                |  29 +++++
- dbus/dbus-list.h                |   3 +
- dbus/dbus-shared.h              |   3 +-
- 12 files changed, 528 insertions(+), 41 deletions(-)
-
-diff --git a/bus/activation.c b/bus/activation.c
-index f9c6c62..8301b59 100644
---- a/bus/activation.c
-+++ b/bus/activation.c
-@@ -32,6 +32,7 @@
- #include "services.h"
- #include "test.h"
- #include "utils.h"
-+#include <dbus/dbus-connection-internal.h>
- #include <dbus/dbus-internals.h>
- #include <dbus/dbus-hash.h>
- #include <dbus/dbus-list.h>
-@@ -94,6 +95,8 @@ struct BusPendingActivationEntry
-   DBusConnection *connection;
-   dbus_bool_t auto_activation;
-+
-+  dbus_bool_t is_put_back;
- };
- typedef struct
-@@ -1241,20 +1244,23 @@ bus_activation_send_pending_auto_activation_messages (BusActivation  *activation
-       BusPendingActivationEntry *entry = link->data;
-       DBusList *next = _dbus_list_get_next_link (&pending_activation->entries, link);
--      if (entry->auto_activation && (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection)))
-+      if (entry->auto_activation && !entry->is_put_back &&
-+          (entry->connection == NULL || dbus_connection_get_is_connected (entry->connection)))
-         {
-           DBusConnection *addressed_recipient;
-           DBusError error;
-+          BusResult res;
-           dbus_error_init (&error);
-           addressed_recipient = bus_service_get_primary_owners_connection (service);
-           /* Resume dispatching where we left off in bus_dispatch() */
--          if (!bus_dispatch_matches (transaction,
--                                     entry->connection,
--                                     addressed_recipient,
--                                     entry->activation_message, &error))
-+          res = bus_dispatch_matches (transaction,
-+                                      entry->connection,
-+                                      addressed_recipient,
-+                                      entry->activation_message, &error);
-+          if (res == BUS_RESULT_FALSE)
-             {
-               /* If permission is denied, we just want to return the error
-                * to the original method invoker; in particular, we don't
-@@ -1266,11 +1272,44 @@ bus_activation_send_pending_auto_activation_messages (BusActivation  *activation
-                   bus_connection_send_oom_error (entry->connection,
-                                                  entry->activation_message);
-                 }
--
-               dbus_error_free (&error);
-               link = next;
-               continue;
-             }
-+          else if (res == BUS_RESULT_LATER)
-+            {
-+              DBusList *putback_message_link = link;
-+              DBusMessage *last_inserted_message = NULL;
-+
-+              /* NULL entry->connection implies sending pending ActivationRequest message to systemd */
-+              if (entry->connection == NULL)
-+                {
-+                  _dbus_assert_not_reached ("bus_dispatch_matches returned BUS_RESULT_LATER unexpectedly when sender is NULL");
-+                  link = next;
-+                  continue;
-+                }
-+
-+              /**
-+               * Getting here means that policy check result is not yet available and dispatching
-+               * messages from entry->connection has been disabled.
-+               * Let's put back all messages for the given connection in the incoming queue and mark
-+               * this entry as put back so they are not handled twice.
-+               */
-+              while (putback_message_link != NULL)
-+                {
-+                  BusPendingActivationEntry *putback_message = putback_message_link->data;
-+                  if (putback_message->connection == entry->connection)
-+                    {
-+                      if (!_dbus_connection_putback_message (putback_message->connection, last_inserted_message,
-+                            putback_message->activation_message, &error))
-+                        goto error;
-+                      last_inserted_message = putback_message->activation_message;
-+                      putback_message->is_put_back = TRUE;
-+                    }
-+
-+                  putback_message_link = _dbus_list_get_next_link(&pending_activation->entries, putback_message_link);
-+                }
-+            }
-         }
-       link = next;
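Review bot: in the BUS_RESULT_LATER branch, a failed _dbus_connection_putback_message fills the block-local DBusError and then jumps with `goto error`, but that variable is out of scope at the label and nothing frees it. The BUS_RESULT_FALSE branch above calls dbus_error_free before continuing. Call dbus_error_free (&error) before the goto so the failure path does not leak the error name and message.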
-@@ -1287,6 +1326,19 @@ bus_activation_send_pending_auto_activation_messages (BusActivation  *activation
-   return TRUE;
-  error:
-+  /* remove all messages that have been put to connections' incoming queues */
-+  link = _dbus_list_get_first_link (&pending_activation->entries);
-+  while (link != NULL)
-+    {
-+      BusPendingActivationEntry *entry = link->data;
-+      if (entry->is_put_back)
-+        {
-+          _dbus_connection_remove_message(entry->connection, entry->activation_message);
-+          entry->is_put_back = FALSE;
-+        }
-+      link = _dbus_list_get_next_link(&pending_activation->entries, link);
-+    }
-+
-   return FALSE;
- }
-@@ -2079,6 +2131,7 @@ bus_activation_activate_service (BusActivation  *activation,
-           if (service != NULL)
-             {
-+              BusResult res;
-               bus_context_log (activation->context,
-                                DBUS_SYSTEM_LOG_INFO, "Activating via systemd: service name='%s' unit='%s' requested by '%s' (%s)",
-                                service_name,
-@@ -2086,8 +2139,17 @@ bus_activation_activate_service (BusActivation  *activation,
-                                bus_connection_get_name (connection),
-                                bus_connection_get_loginfo (connection));
-               /* Wonderful, systemd is connected, let's just send the msg */
--              retval = bus_dispatch_matches (activation_transaction, NULL,
-+              res = bus_dispatch_matches (activation_transaction, NULL,
-                                              systemd, message, error);
-+
-+              if (res == BUS_RESULT_TRUE)
-+                retval = TRUE;
-+              else
-+                {
-+                  retval = FALSE;
-+                  if (res == BUS_RESULT_LATER)
-+                    _dbus_verbose("Unexpectedly need time to check message from bus driver to systemd - dropping the message.\n");
-+                }
-             }
-           else
-             {
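Review bot: when bus_dispatch_matches returns BUS_RESULT_LATER here, retval becomes FALSE but this branch only emits a _dbus_verbose line and does not set error, so unless bus_dispatch_matches set it the caller sees a failure with no DBusError. Set an explicit error on this path (for example DBUS_ERROR_ACCESS_DENIED), and consider bus_context_log instead of _dbus_verbose, since a dropped activation request belongs in the system log.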
-diff --git a/bus/check.c b/bus/check.c
-index 5b72d31..4b8a699 100644
---- a/bus/check.c
-+++ b/bus/check.c
-@@ -55,6 +55,8 @@ typedef struct BusDeferredMessage
-   BusCheckResponseFunc response_callback;
- } BusDeferredMessage;
-+static dbus_int32_t deferred_message_data_slot = -1;
-+
- BusCheck *
- bus_check_new (BusContext *context, DBusError *error)
- {
-@@ -67,11 +69,19 @@ bus_check_new (BusContext *context, DBusError *error)
-       return NULL;
-     }
-+  if (!dbus_message_allocate_data_slot(&deferred_message_data_slot))
-+    {
-+      dbus_free(check);
-+      BUS_SET_OOM(error);
-+      return NULL;
-+    }
-+
-   check->refcount = 1;
-   check->context = context;
-   check->cynara = bus_cynara_new(check, error);
-   if (dbus_error_is_set(error))
-     {
-+      dbus_message_free_data_slot(&deferred_message_data_slot);
-       dbus_free(check);
-       return NULL;
-     }
-@@ -98,6 +108,7 @@ bus_check_unref (BusCheck *check)
-   if (check->refcount == 0)
-     {
-       bus_cynara_unref(check->cynara);
-+      dbus_message_free_data_slot(&deferred_message_data_slot);
-       dbus_free(check);
-     }
- }
-@@ -114,6 +125,45 @@ bus_check_get_cynara (BusCheck *check)
-   return check->cynara;
- }
-+static void
-+bus_check_enable_dispatch_callback (BusDeferredMessage *deferred_message,
-+                                    BusResult result)
-+{
-+  _dbus_verbose("bus_check_enable_dispatch_callback called deferred_message=%p\n", deferred_message);
-+
-+  deferred_message->response = result;
-+  _dbus_connection_enable_dispatch(deferred_message->sender);
-+}
-+
-+static void
-+deferred_message_free_function(void *data)
-+{
-+  BusDeferredMessage *deferred_message = (BusDeferredMessage *)data;
-+  bus_deferred_message_unref(deferred_message);
-+}
-+
-+void
-+bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message)
-+{
-+  _dbus_assert(deferred_message != NULL);
-+  _dbus_assert(deferred_message->sender != NULL);
-+
-+  if (dbus_message_get_data(deferred_message->message, deferred_message_data_slot) == NULL)
-+    {
-+      if (dbus_message_set_data(deferred_message->message, deferred_message_data_slot, deferred_message,
-+          deferred_message_free_function))
-+        bus_deferred_message_ref(deferred_message);
-+    }
-+
-+  _dbus_connection_disable_dispatch(deferred_message->sender);
-+  deferred_message->response_callback = bus_check_enable_dispatch_callback;
-+}
-+
-+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
-+BusResult (*bus_check_test_override) (DBusConnection *connection,
-+                                        const char *privilege);
-+#endif
-+
- BusResult
- bus_check_privilege (BusCheck *check,
-                      DBusMessage *message,
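Review bot: bus_deferred_message_disable_sender ignores a dbus_message_set_data failure. The extra reference is taken only on success, yet dispatch is disabled and the callback installed either way, and the void return hides this from the caller. Without the slot data, the lookup in bus_check_privilege will not find the earlier deferred message when this message is processed again. Return dbus_bool_t and let the caller treat the failure as out-of-memory rather than leaving the sender blocked on state that was never attached.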
-@@ -124,6 +174,7 @@ bus_check_privilege (BusCheck *check,
-                      BusDeferredMessageStatus check_type,
-                      BusDeferredMessage **deferred_message)
- {
-+  BusDeferredMessage *previous_deferred_message;
-   BusResult result = BUS_RESULT_FALSE;
- #ifdef DBUS_ENABLE_CYNARA
-   BusCynara *cynara;
-@@ -137,16 +188,54 @@ bus_check_privilege (BusCheck *check,
-       return BUS_RESULT_FALSE;
-     }
--  /* ask policy checkers */
--#ifdef DBUS_ENABLE_CYNARA
--  cynara = bus_check_get_cynara(check);
--  result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
--      proposed_recipient, privilege, check_type, deferred_message);
-+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
-+  if (bus_check_test_override)
-+    return bus_check_test_override (connection, privilege);
- #endif
--  if (result == BUS_RESULT_LATER && deferred_message != NULL)
-+  previous_deferred_message = dbus_message_get_data(message, deferred_message_data_slot);
-+  /* check if message blocked at sender's queue is being processed */
-+  if (previous_deferred_message != NULL)
-+    {
-+      if ((check_type & BUS_DEFERRED_MESSAGE_CHECK_SEND) &&
-+          !(previous_deferred_message->status & BUS_DEFERRED_MESSAGE_CHECK_SEND))
-+        {
-+          /**
-+           * Message has been deferred due to receive or own rule which means that sending this message
-+           * is allowed - it must have been checked previously.
-+           * This might happen when client calls RequestName method which depending on security
-+           * policy might result in both "can_send" and "can_own" Cynara checks.
-+           */
-+          result = BUS_RESULT_TRUE;
-+        }
-+      else
-+        {
-+          result = previous_deferred_message->response;
-+          if (result == BUS_RESULT_LATER)
-+            {
-+              /* result is still not known - reuse deferred message object */
-+              if (deferred_message != NULL)
-+                *deferred_message = previous_deferred_message;
-+            }
-+          else
-+            {
-+              /* result is available - we can remove deferred message from the processed message */
-+              dbus_message_set_data(message, deferred_message_data_slot, NULL, NULL);
-+            }
-+        }
-+    }
-+  else
-     {
--      (*deferred_message)->status |= check_type;
-+      /* ask policy checkers */
-+#ifdef DBUS_ENABLE_CYNARA
-+      cynara = bus_check_get_cynara(check);
-+      result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
-+          proposed_recipient, privilege, check_type, deferred_message);
-+#endif
-+      if (result == BUS_RESULT_LATER && deferred_message != NULL)
-+        {
-+          (*deferred_message)->status |= check_type;
-+        }
-     }
-   return result;
- }
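Review bot: In the `previous_deferred_message != NULL` branch, a send check is answered with `BUS_RESULT_TRUE` only because `BUS_DEFERRED_MESSAGE_CHECK_SEND` is absent from `previous_deferred_message->status`; `previous_deferred_message->response` is not consulted on that path. The comment's assumption that the send rule "must have been checked previously" is not enforced in these lines, so a cleared or never-set status bit reads as an allow. Add an assertion or a dedicated "send already allowed" flag. Separately, in the final `else` branch `result` is assigned only inside `#ifdef DBUS_ENABLE_CYNARA`, so a non-Cynara build returns whatever initial value was set above this hunk; a comment stating that default would help.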
-@@ -206,6 +295,12 @@ bus_deferred_message_unref (BusDeferredMessage *deferred_message)
-      }
- }
-+BusDeferredMessageStatus
-+bus_deferred_message_get_status (BusDeferredMessage *deferred_message)
-+{
-+  return deferred_message->status;
-+}
-+
- void
- bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
-                                         BusResult result)
-diff --git a/bus/check.h b/bus/check.h
-index c3fcaf9..d177549 100644
---- a/bus/check.h
-+++ b/bus/check.h
-@@ -55,6 +55,7 @@ BusResult   bus_check_privilege   (BusCheck *check,
-                                    BusDeferredMessageStatus check_type,
-                                    BusDeferredMessage **deferred_message);
-+
- BusDeferredMessage *bus_deferred_message_new                (DBusMessage *message,
-                                                              DBusConnection *sender,
-                                                              DBusConnection *addressed_recipient,
-@@ -65,4 +66,13 @@ BusDeferredMessage *bus_deferred_message_ref                (BusDeferredMessage
- void                bus_deferred_message_unref              (BusDeferredMessage *deferred_message);
- void                bus_deferred_message_response_received  (BusDeferredMessage *deferred_message,
-                                                              BusResult result);
-+void                bus_deferred_message_disable_sender     (BusDeferredMessage *deferred_message);
-+
-+BusDeferredMessageStatus  bus_deferred_message_get_status   (BusDeferredMessage *deferred_message);
-+
-+#ifdef DBUS_ENABLE_EMBEDDED_TESTS
-+extern BusResult (*bus_check_test_override) (DBusConnection *connection,
-+                                               const char *privilege);
-+#endif
-+
- #endif /* BUS_CHECK_H */
-diff --git a/bus/cynara.c b/bus/cynara.c
-index 57a4c45..77aed62 100644
---- a/bus/cynara.c
-+++ b/bus/cynara.c
-@@ -36,7 +36,6 @@
- #include <cynara-client-async.h>
- #endif
--
- #ifdef DBUS_ENABLE_CYNARA
- typedef struct BusCynara
- {
-diff --git a/bus/dispatch.c b/bus/dispatch.c
-index d3867f7..50a22a3 100644
---- a/bus/dispatch.c
-+++ b/bus/dispatch.c
-@@ -35,6 +35,7 @@
- #include "signals.h"
- #include "test.h"
- #include <dbus/dbus-internals.h>
-+#include <dbus/dbus-connection-internal.h>
- #include <dbus/dbus-misc.h>
- #include <string.h>
-@@ -122,7 +123,7 @@ send_one_message (DBusConnection *connection,
-   return TRUE;
- }
--dbus_bool_t
-+BusResult
- bus_dispatch_matches (BusTransaction *transaction,
-                       DBusConnection *sender,
-                       DBusConnection *addressed_recipient,
-@@ -158,13 +159,29 @@ bus_dispatch_matches (BusTransaction *transaction,
-                                                message, NULL, error,
-                                                &deferred_message);
-       if (res == BUS_RESULT_FALSE)
--        return FALSE;
-+        return BUS_RESULT_FALSE;
-       else if (res == BUS_RESULT_LATER)
-         {
--          dbus_set_error (error,
--                          DBUS_ERROR_ACCESS_DENIED,
--                          "Rejecting message because time is needed to check security policy");
--          return FALSE;
-+          BusDeferredMessageStatus status;
-+          status = bus_deferred_message_get_status(deferred_message);
-+
-+          if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND)
-+            {
-+              /* send rule result not available - disable dispatching messages from the sender */
-+              bus_deferred_message_disable_sender(deferred_message);
-+              return BUS_RESULT_LATER;
-+            }
-+          else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE)
-+            {
-+              dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-+                              "Rejecting message because time is needed to check security policy");
-+              return BUS_RESULT_FALSE;
-+            }
-+          else
-+            {
-+              _dbus_verbose("deferred message has no status field set to send or receive unexpectedly\n");
-+              return BUS_RESULT_FALSE;
-+            }
-         }
-       if (dbus_message_contains_unix_fds (message) &&
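Review bot: The final `else` of the new `BUS_RESULT_LATER` handling returns `BUS_RESULT_FALSE` after only a `_dbus_verbose` call, so `error` is left unset, while the receive branch just above it sets `DBUS_ERROR_ACCESS_DENIED`. A caller that treats a false result as "error is set" gets an empty error here; set one in that branch too. `bus_deferred_message_get_status(deferred_message)` is also called without confirming that `deferred_message` was filled in, and the accessor dereferences it unconditionally.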
-@@ -175,14 +192,14 @@ bus_dispatch_matches (BusTransaction *transaction,
-                           DBUS_ERROR_NOT_SUPPORTED,
-                           "Tried to send message with Unix file descriptors"
-                           "to a client that doesn't support that.");
--          return FALSE;
--      }
-+          return BUS_RESULT_FALSE;
-+        }
-       /* Dispatch the message */
-       if (!bus_transaction_send (transaction, addressed_recipient, message))
-         {
-           BUS_SET_OOM (error);
--          return FALSE;
-+          return BUS_RESULT_FALSE;
-         }
-     }
-@@ -197,7 +214,7 @@ bus_dispatch_matches (BusTransaction *transaction,
-                                       &recipients))
-     {
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   link = _dbus_list_get_first_link (&recipients);
-@@ -219,10 +236,10 @@ bus_dispatch_matches (BusTransaction *transaction,
-   if (dbus_error_is_set (&tmp_error))
-     {
-       dbus_move_error (&tmp_error, error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   else
--    return TRUE;
-+    return BUS_RESULT_TRUE;
- }
- static DBusHandlerResult
-@@ -409,10 +426,12 @@ bus_dispatch (DBusConnection *connection,
-         }
-       else if (res == BUS_RESULT_LATER)
-         {
--          dbus_set_error (&error,
--                          DBUS_ERROR_ACCESS_DENIED,
--                          "Rejecting message because time is needed to check security policy");
--          _dbus_verbose ("Security policy needs time to check policy. Dropping message\n");
-+          /* Disable dispatching messages from the sender,
-+           * roll back and dispatch the message once the policy result is available */
-+          bus_deferred_message_disable_sender(deferred_message);
-+          bus_transaction_cancel_and_free (transaction);
-+          transaction = NULL;
-+          result = DBUS_HANDLER_RESULT_LATER;
-           goto out;
-         }
-@@ -514,8 +533,14 @@ bus_dispatch (DBusConnection *connection,
-    * addressed_recipient == NULL), and match it against other connections'
-    * match rules.
-    */
--  if (!bus_dispatch_matches (transaction, connection, addressed_recipient, message, &error))
--    goto out;
-+  if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient,
-+                                                message, &error))
-+    {
-+      /* Roll back and dispatch the message once the policy result is available */
-+      bus_transaction_cancel_and_free (transaction);
-+      transaction = NULL;
-+      result = DBUS_HANDLER_RESULT_LATER;
-+    }
-  out:
-   if (dbus_error_is_set (&error))
-@@ -5060,9 +5085,132 @@ bus_dispatch_test_conf_fail (const DBusString *test_data_dir,
- }
- #endif
-+typedef struct {
-+  DBusTimeout *timeout;
-+  DBusConnection *connection;
-+  dbus_bool_t timedout;
-+  int check_counter;
-+} BusTestCheckData;
-+
-+static BusTestCheckData *cdata;
-+
-+static dbus_bool_t
-+bus_dispatch_test_check_timeout (void *data)
-+{
-+  _dbus_verbose ("timeout triggered - pretend that privilege check result is available\n");
-+
-+  /* should only happen once during the test */
-+  _dbus_assert (!cdata->timedout);
-+  cdata->timedout = TRUE;
-+  _dbus_connection_enable_dispatch (cdata->connection);
-+
-+  /* don't call this again */
-+  _dbus_loop_remove_timeout (bus_connection_get_loop (cdata->connection),
-+                             cdata->timeout);
-+  dbus_connection_unref (cdata->connection);
-+  cdata->connection = NULL;
-+  return TRUE;
-+}
-+
-+static BusResult
-+bus_dispatch_test_check_override (DBusConnection *connection,
-+                                  const char *privilege)
-+{
-+  _dbus_verbose ("overriding privilege check %s #%d\n", privilege, cdata->check_counter);
-+  cdata->check_counter++;
-+  if (!cdata->timedout)
-+    {
-+      dbus_bool_t added;
-+
-+      /* Should be the first privilege check for the "Echo" method. */
-+      _dbus_assert (cdata->check_counter == 1);
-+      cdata->timeout = _dbus_timeout_new (1, bus_dispatch_test_check_timeout,
-+                                          NULL, NULL);
-+      _dbus_assert (cdata->timeout);
-+      added = _dbus_loop_add_timeout (bus_connection_get_loop (connection),
-+                                      cdata->timeout);
-+      _dbus_assert (added);
-+      cdata->connection = connection;
-+      dbus_connection_ref (connection);
-+      _dbus_connection_disable_dispatch (connection);
-+      return BUS_RESULT_LATER;
-+    }
-+  else
-+    {
-+      /* Should only be checked one more time, and this time succeeds. */
-+      _dbus_assert (cdata->check_counter == 2);
-+      return BUS_RESULT_TRUE;
-+    }
-+}
-+
-+static dbus_bool_t
-+bus_dispatch_test_check (const DBusString *test_data_dir)
-+{
-+  const char *filename = "valid-config-files/debug-check-some.conf";
-+  BusContext *context;
-+  DBusConnection *foo;
-+  DBusError error;
-+  dbus_bool_t result = TRUE;
-+  BusTestCheckData data;
-+
-+  /* save the config name for the activation helper */
-+  if (!setenv_TEST_LAUNCH_HELPER_CONFIG (test_data_dir, filename))
-+    _dbus_assert_not_reached ("no memory setting TEST_LAUNCH_HELPER_CONFIG");
-+
-+  dbus_error_init (&error);
-+
-+  context = bus_context_new_test (test_data_dir, filename);
-+  if (context == NULL)
-+    return FALSE;
-+
-+  foo = dbus_connection_open_private (TEST_DEBUG_PIPE, &error);
-+  if (foo == NULL)
-+    _dbus_assert_not_reached ("could not alloc connection");
-+
-+  if (!bus_setup_debug_client (foo))
-+    _dbus_assert_not_reached ("could not set up connection");
-+
-+  spin_connection_until_authenticated (context, foo);
-+
-+  if (!check_hello_message (context, foo))
-+    _dbus_assert_not_reached ("hello message failed");
-+
-+  if (!check_double_hello_message (context, foo))
-+    _dbus_assert_not_reached ("double hello message failed");
-+
-+  if (!check_add_match (context, foo, ""))
-+    _dbus_assert_not_reached ("AddMatch message failed");
-+
-+  /*
-+   * Cause bus_check_send_privilege() to return BUS_RESULT_LATER in the
-+   * first call, then BUS_RESULT_TRUE.
-+   */
-+  cdata = &data;
-+  memset (cdata, 0, sizeof(*cdata));
-+  bus_check_test_override = bus_dispatch_test_check_override;
-+
-+  result = check_existent_service_auto_start (context, foo);
-+
-+  _dbus_assert (cdata->check_counter == 2);
-+  _dbus_assert (cdata->timedout);
-+  _dbus_assert (cdata->timeout);
-+  _dbus_assert (!cdata->connection);
-+  _dbus_timeout_unref (cdata->timeout);
-+
-+  kill_client_connection_unchecked (foo);
-+
-+  bus_context_unref (context);
-+
-+  return result;
-+}
-+
- dbus_bool_t
- bus_dispatch_test (const DBusString *test_data_dir)
- {
-+  _dbus_verbose ("<check> tests\n");
-+  if (!bus_dispatch_test_check (test_data_dir))
-+    return FALSE;
-+
-   /* run normal activation tests */
-   _dbus_verbose ("Normal activation tests\n");
-   if (!bus_dispatch_test_conf (test_data_dir,
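Review bot: `bus_dispatch_test_check` installs `bus_check_test_override` and points the file-scope `cdata` at the stack variable `data`, and neither is reset before the function returns. `bus_dispatch_test` then continues into the activation tests with the override still installed and `cdata` pointing into a dead stack frame, so any later privilege check would read stale memory and hit the `check_counter` assertions. Set `bus_check_test_override = NULL` and `cdata = NULL` before `return result;`.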
-diff --git a/bus/dispatch.h b/bus/dispatch.h
-index fb5ba7a..afba6a2 100644
---- a/bus/dispatch.h
-+++ b/bus/dispatch.h
-@@ -29,7 +29,7 @@
- dbus_bool_t bus_dispatch_add_connection    (DBusConnection *connection);
- void        bus_dispatch_remove_connection (DBusConnection *connection);
--dbus_bool_t bus_dispatch_matches           (BusTransaction *transaction,
-+BusResult   bus_dispatch_matches           (BusTransaction *transaction,
-                                             DBusConnection *sender,
-                                             DBusConnection *recipient,
-                                             DBusMessage    *message,
-diff --git a/bus/driver.c b/bus/driver.c
-index cd0a714..f414f64 100644
---- a/bus/driver.c
-+++ b/bus/driver.c
-@@ -218,6 +218,7 @@ bus_driver_send_service_owner_changed (const char     *service_name,
- {
-   DBusMessage *message;
-   dbus_bool_t retval;
-+  BusResult res;
-   const char *null_service;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -253,7 +254,16 @@ bus_driver_send_service_owner_changed (const char     *service_name,
-   if (!bus_transaction_capture (transaction, NULL, NULL, message))
-     goto oom;
--  retval = bus_dispatch_matches (transaction, NULL, NULL, message, error);
-+  res = bus_dispatch_matches (transaction, NULL, NULL, message, error);
-+  if (res == BUS_RESULT_TRUE)
-+    retval = TRUE;
-+  else
-+    {
-+      retval = FALSE;
-+      if (res == BUS_RESULT_LATER)
-+        /* should never happen */
-+        _dbus_assert_not_reached ("bus_dispatch_matches returned BUS_RESULT_LATER unexpectedly");
-+    }
-   dbus_message_unref (message);
-   return retval;
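Review bot: When `bus_dispatch_matches` returns `BUS_RESULT_LATER`, `retval` is set to `FALSE` and the only guard is `_dbus_assert_not_reached`, which is a no-op when assertions are disabled. In that build the function returns `FALSE` with `error` unset, because the `BUS_RESULT_LATER` path in `bus_dispatch_matches` returns before any `dbus_set_error`. Set an explicit error for this case in addition to the assertion.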
-diff --git a/dbus/dbus-connection-internal.h b/dbus/dbus-connection-internal.h
-index 4835732..94b1c95 100644
---- a/dbus/dbus-connection-internal.h
-+++ b/dbus/dbus-connection-internal.h
-@@ -118,6 +118,21 @@ DBUS_PRIVATE_EXPORT
- dbus_bool_t       _dbus_connection_get_linux_security_label       (DBusConnection  *connection,
-                                                                    char           **label_p);
-+DBUS_PRIVATE_EXPORT
-+void              _dbus_connection_enable_dispatch                (DBusConnection *connection);
-+DBUS_PRIVATE_EXPORT
-+void              _dbus_connection_disable_dispatch               (DBusConnection *connection);
-+
-+DBUS_PRIVATE_EXPORT
-+dbus_bool_t       _dbus_connection_putback_message                (DBusConnection *connection,
-+                                                                   DBusMessage    *after_message,
-+                                                                   DBusMessage    *message,
-+                                                                   DBusError      *error);
-+
-+DBUS_PRIVATE_EXPORT
-+dbus_bool_t       _dbus_connection_remove_message                 (DBusConnection *connection,
-+                                                                   DBusMessage    *message);
-+
- /* if DBUS_ENABLE_STATS */
- DBUS_PRIVATE_EXPORT
- void _dbus_connection_get_stats (DBusConnection *connection,
-diff --git a/dbus/dbus-connection.c b/dbus/dbus-connection.c
-index c525b6d..958968c 100644
---- a/dbus/dbus-connection.c
-+++ b/dbus/dbus-connection.c
-@@ -311,7 +311,8 @@ struct DBusConnection
-    */
-   dbus_bool_t dispatch_acquired; /**< Someone has dispatch path (can drain incoming queue) */
-   dbus_bool_t io_path_acquired;  /**< Someone has transport io path (can use the transport to read/write messages) */
--  
-+
-+  unsigned int dispatch_disabled : 1;  /**< if true, then dispatching incoming messages is stopped until enabled again */
-   unsigned int shareable : 1; /**< #TRUE if libdbus owns a reference to the connection and can return it from dbus_connection_open() more than once */
-   
-   unsigned int exit_on_disconnect : 1; /**< If #TRUE, exit after handling disconnect signal */
-@@ -439,6 +440,39 @@ _dbus_connection_wakeup_mainloop (DBusConnection *connection)
-     (*connection->wakeup_main_function) (connection->wakeup_main_data);
- }
-+static void
-+_dbus_connection_set_dispatch(DBusConnection *connection,
-+                              dbus_bool_t disabled)
-+{
-+  CONNECTION_LOCK (connection);
-+  if (connection->dispatch_disabled != disabled)
-+    {
-+      DBusDispatchStatus status;
-+
-+      connection->dispatch_disabled = disabled;
-+      status = _dbus_connection_get_dispatch_status_unlocked (connection);
-+      _dbus_connection_update_dispatch_status_and_unlock (connection, status);
-+    }
-+  else
-+    {
-+      CONNECTION_UNLOCK (connection);
-+    }
-+}
-+
-+
-+void
-+_dbus_connection_enable_dispatch (DBusConnection *connection)
-+{
-+  _dbus_connection_set_dispatch (connection, FALSE);
-+}
-+
-+void
-+ _dbus_connection_disable_dispatch (DBusConnection *connection)
-+{
-+  _dbus_connection_set_dispatch (connection, TRUE);
-+}
-+
-+
- #ifdef DBUS_ENABLE_EMBEDDED_TESTS
- /**
-  * Gets the locks so we can examine them
-@@ -4069,6 +4103,82 @@ _dbus_connection_putback_message_link_unlocked (DBusConnection *connection,
-       "_dbus_connection_putback_message_link_unlocked");
- }
-+dbus_bool_t
-+_dbus_connection_putback_message (DBusConnection *connection,
-+                                  DBusMessage    *after_message,
-+                                  DBusMessage    *message,
-+                                  DBusError      *error)
-+{
-+  DBusDispatchStatus status;
-+  DBusList *message_link = _dbus_list_alloc_link (message);
-+  DBusList *after_link;
-+  if (message_link == NULL)
-+    {
-+      _DBUS_SET_OOM (error);
-+      return FALSE;
-+    }
-+  dbus_message_ref (message);
-+
-+  CONNECTION_LOCK (connection);
-+  _dbus_connection_acquire_dispatch (connection);
-+  HAVE_LOCK_CHECK (connection);
-+
-+  after_link = _dbus_list_find_first(&connection->incoming_messages, after_message);
-+  _dbus_list_insert_after_link (&connection->incoming_messages, after_link, message_link);
-+  connection->n_incoming += 1;
-+
-+  _dbus_verbose ("Message %p (%s %s %s '%s') put back into queue %p, %d incoming\n",
-+                 message_link->data,
-+                 dbus_message_type_to_string (dbus_message_get_type (message_link->data)),
-+                 dbus_message_get_interface (message_link->data) ?
-+                 dbus_message_get_interface (message_link->data) :
-+                 "no interface",
-+                 dbus_message_get_member (message_link->data) ?
-+                 dbus_message_get_member (message_link->data) :
-+                 "no member",
-+                 dbus_message_get_signature (message_link->data),
-+                 connection, connection->n_incoming);
-+
-+  _dbus_message_trace_ref (message_link->data, -1, -1,
-+      "_dbus_connection_putback_message");
-+
-+  _dbus_connection_release_dispatch (connection);
-+
-+  status = _dbus_connection_get_dispatch_status_unlocked (connection);
-+  _dbus_connection_update_dispatch_status_and_unlock (connection, status);
-+
-+  return TRUE;
-+}
-+
-+dbus_bool_t
-+_dbus_connection_remove_message (DBusConnection *connection,
-+                                 DBusMessage *message)
-+{
-+  DBusDispatchStatus status;
-+  dbus_bool_t removed;
-+
-+  CONNECTION_LOCK (connection);
-+  _dbus_connection_acquire_dispatch (connection);
-+  HAVE_LOCK_CHECK (connection);
-+
-+  removed = _dbus_list_remove(&connection->incoming_messages, message);
-+
-+  if (removed)
-+    {
-+      connection->n_incoming -= 1;
-+      dbus_message_unref(message);
-+      _dbus_verbose ("Message %p removed from incoming queue\n", message);
-+    }
-+  else
-+      _dbus_verbose ("Message %p not found in the incoming queue\n", message);
-+
-+  _dbus_connection_release_dispatch (connection);
-+
-+  status = _dbus_connection_get_dispatch_status_unlocked (connection);
-+  _dbus_connection_update_dispatch_status_and_unlock (connection, status);
-+  return removed;
-+}
-+
- /**
-  * Returns the first-received message from the incoming message queue,
-  * removing it from the queue. The caller owns a reference to the
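Review bot: In `_dbus_connection_putback_message`, the result of `_dbus_list_find_first(&connection->incoming_messages, after_message)` goes straight into `_dbus_list_insert_after_link` with no check for `NULL`. If `after_message` is no longer in the incoming queue, the re-inserted message lands wherever the list code puts a link given a null predecessor, which is not the position the `after_message` parameter promises. Handle the not-found case explicitly (return `FALSE` with an error, or document the fallback position). Both new functions also lack doc comments saying which reference on `message` they take or drop.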
-@@ -4252,8 +4362,9 @@ static DBusDispatchStatus
- _dbus_connection_get_dispatch_status_unlocked (DBusConnection *connection)
- {
-   HAVE_LOCK_CHECK (connection);
--  
--  if (connection->n_incoming > 0)
-+  if (connection->dispatch_disabled && _dbus_connection_get_is_connected_unlocked(connection))
-+    return DBUS_DISPATCH_COMPLETE;
-+  else if (connection->n_incoming > 0)
-     return DBUS_DISPATCH_DATA_REMAINS;
-   else if (!_dbus_transport_queue_messages (connection->transport))
-     return DBUS_DISPATCH_NEED_MEMORY;
-@@ -4716,6 +4827,8 @@ dbus_connection_dispatch (DBusConnection *connection)
-   
-   CONNECTION_LOCK (connection);
-+  if (result == DBUS_HANDLER_RESULT_LATER)
-+      goto out;
-   if (result == DBUS_HANDLER_RESULT_NEED_MEMORY)
-     {
-       _dbus_verbose ("No memory\n");
-@@ -4838,9 +4951,11 @@ dbus_connection_dispatch (DBusConnection *connection)
-                  connection);
-   
-  out:
--  if (result == DBUS_HANDLER_RESULT_NEED_MEMORY)
-+  if (result == DBUS_HANDLER_RESULT_LATER ||
-+      result == DBUS_HANDLER_RESULT_NEED_MEMORY)
-     {
--      _dbus_verbose ("out of memory\n");
-+      if (result == DBUS_HANDLER_RESULT_NEED_MEMORY)
-+        _dbus_verbose ("out of memory\n");
-       
-       /* Put message back, and we'll start over.
-        * Yes this means handlers must be idempotent if they
-diff --git a/dbus/dbus-list.c b/dbus/dbus-list.c
-index 8e713c0..32ea871 100644
---- a/dbus/dbus-list.c
-+++ b/dbus/dbus-list.c
-@@ -458,6 +458,35 @@ _dbus_list_remove_last (DBusList **list,
-     return FALSE;
- }
-+/**
-+ * Finds a value in the list. Returns the first link
-+ * with value equal to the given data pointer.
-+ * This is a linear-time operation.
-+ * Returns #NULL if no value found that matches.
-+ *
-+ * @param list address of the list head.
-+ * @param data the value to find.
-+ * @returns the link if found
-+ */
-+DBusList*
-+_dbus_list_find_first (DBusList **list,
-+                       void      *data)
-+{
-+  DBusList *link;
-+
-+  link = _dbus_list_get_first_link (list);
-+
-+  while (link != NULL)
-+    {
-+      if (link->data == data)
-+        return link;
-+
-+      link = _dbus_list_get_next_link (list, link);
-+    }
-+
-+  return NULL;
-+}
-+
- /**
-  * Finds a value in the list. Returns the last link
-  * with value equal to the given data pointer.
-diff --git a/dbus/dbus-list.h b/dbus/dbus-list.h
-index 9350a0d..fee9f1b 100644
---- a/dbus/dbus-list.h
-+++ b/dbus/dbus-list.h
-@@ -68,6 +68,9 @@ DBUS_PRIVATE_EXPORT
- void        _dbus_list_remove_link        (DBusList **list,
-                                            DBusList  *link);
- DBUS_PRIVATE_EXPORT
-+DBusList*   _dbus_list_find_first         (DBusList **list,
-+                                           void      *data);
-+DBUS_PRIVATE_EXPORT
- DBusList*   _dbus_list_find_last          (DBusList **list,
-                                            void      *data);
- DBUS_PRIVATE_EXPORT
-diff --git a/dbus/dbus-shared.h b/dbus/dbus-shared.h
-index 7ab9103..e5bfbed 100644
---- a/dbus/dbus-shared.h
-+++ b/dbus/dbus-shared.h
-@@ -67,7 +67,8 @@ typedef enum
- {
-   DBUS_HANDLER_RESULT_HANDLED,         /**< Message has had its effect - no need to run more handlers. */ 
-   DBUS_HANDLER_RESULT_NOT_YET_HANDLED, /**< Message has not had any effect - see if other handlers want it. */
--  DBUS_HANDLER_RESULT_NEED_MEMORY      /**< Need more memory in order to return #DBUS_HANDLER_RESULT_HANDLED or #DBUS_HANDLER_RESULT_NOT_YET_HANDLED. Please try again later with more memory. */
-+  DBUS_HANDLER_RESULT_NEED_MEMORY,     /**< Need more memory in order to return #DBUS_HANDLER_RESULT_HANDLED or #DBUS_HANDLER_RESULT_NOT_YET_HANDLED. Please try again later with more memory. */
-+  DBUS_HANDLER_RESULT_LATER            /**< Message dispatch deferred due to pending policy check */
- } DBusHandlerResult;
- /* Bus names */
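Review bot: `DBUS_HANDLER_RESULT_LATER` is added to `DBusHandlerResult` in `dbus-shared.h` with a doc comment that mentions only a pending policy check; nothing says the value is reserved for the bus. The `dbus_connection_dispatch` change earlier in this patch handles it on the same path as `DBUS_HANDLER_RESULT_NEED_MEMORY`, where the message is put back, so the comment should state who may return it and that the message is re-queued rather than consumed.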
--- 
-2.21.1
-
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch b/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0003-Handle-unavailability-of-policy-results-for-broadcas.patch
deleted file mode 100644 (file)
index 7d89a74..0000000
+++ /dev/null
@@ -1,1095 +0,0 @@
-From 9d39aa9dd55680529d721a0389ce9ef579bb669a Mon Sep 17 00:00:00 2001
-From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-Date: Fri, 28 Nov 2014 12:39:33 +0100
-Subject: [PATCH 3/8] Handle unavailability of policy results for broadcasts
- and receive rules
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When message is sent to the addressed recipient and receive rule
-result is unavailable we don't want to block the sender
-as it most likely will be the privileged service, so instead we queue
-it at the recipient. Any further messages sent to it will be queued to
-maintain message order. Once the answer from Cynara arrives messages are
-dispatched from the recipient queue. In such case full dispatch is
-performed - messages are sent to addressed recipient and other
-interested connections.
-Messages sent to non-addressed recipients (eavesdroppers or broadcast
-message recipients) are handled in a similar way. The difference is
-that it is not full dispatch meaning message is sent to a single recipient.
-
-Cherry picked from 1e231194610892dd4360224998d91336097b05a1 by Jose Bollo
-
-Updated for dbus 1.10.20 by Scott Murray and José Bollo
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- bus/activation.c |   4 +-
- bus/bus.c        |  50 ++++++--
- bus/bus.h        |  19 +++
- bus/check.c      | 307 +++++++++++++++++++++++++++++++++++++++++++++++
- bus/check.h      |  25 ++++
- bus/connection.c | 168 ++++++++++++++++++++++++--
- bus/connection.h |  19 ++-
- bus/dispatch.c   | 115 +++++++++++++++---
- bus/dispatch.h   |  11 +-
- bus/driver.c     |   2 +-
- bus/policy.c     |   6 +
- 11 files changed, 683 insertions(+), 43 deletions(-)
-
-diff --git a/bus/activation.c b/bus/activation.c
-index 8301b59..d4b597c 100644
---- a/bus/activation.c
-+++ b/bus/activation.c
-@@ -1259,7 +1259,7 @@ bus_activation_send_pending_auto_activation_messages (BusActivation  *activation
-           res = bus_dispatch_matches (transaction,
-                                       entry->connection,
-                                       addressed_recipient,
--                                      entry->activation_message, &error);
-+                                      entry->activation_message, NULL, &error);
-           if (res == BUS_RESULT_FALSE)
-             {
-               /* If permission is denied, we just want to return the error
-@@ -2140,7 +2140,7 @@ bus_activation_activate_service (BusActivation  *activation,
-                                bus_connection_get_loginfo (connection));
-               /* Wonderful, systemd is connected, let's just send the msg */
-               res = bus_dispatch_matches (activation_transaction, NULL,
--                                             systemd, message, error);
-+                                             systemd, message, NULL, error);
-               if (res == BUS_RESULT_TRUE)
-                 retval = TRUE;
-diff --git a/bus/bus.c b/bus/bus.c
-index 6fc45d0..0aa700b 100644
---- a/bus/bus.c
-+++ b/bus/bus.c
-@@ -1800,17 +1800,9 @@ bus_context_check_security_policy (BusContext     *context,
-     }
-   /* See if limits on size have been exceeded */
--  if (proposed_recipient &&
--      ((dbus_connection_get_outgoing_size (proposed_recipient) > context->limits.max_outgoing_bytes) ||
--       (dbus_connection_get_outgoing_unix_fds (proposed_recipient) > context->limits.max_outgoing_unix_fds)))
--    {
--      complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
--          "Rejected: destination has a full message queue",
--          0, message, sender, proposed_recipient, requested_reply, TRUE, NULL,
--          error);
--      _dbus_verbose ("security policy disallowing message due to full message queue\n");
-+  if (!bus_context_check_recipient_message_limits(context, proposed_recipient, sender, message,
-+      requested_reply, error))
-       return BUS_RESULT_FALSE;
--    }
-   /* Record that we will allow a reply here in the future (don't
-    * bother if the recipient is the bus or this is an eavesdropping
-@@ -1869,3 +1861,41 @@ bus_context_check_all_watches (BusContext *context)
-       _dbus_server_toggle_all_watches (server, enabled);
-     }
- }
-+
-+void
-+bus_context_complain_about_message (BusContext     *context,
-+                                    const char     *error_name,
-+                                    const char     *complaint,
-+                                    int             matched_rules,
-+                                    DBusMessage    *message,
-+                                    DBusConnection *sender,
-+                                    DBusConnection *proposed_recipient,
-+                                    dbus_bool_t     requested_reply,
-+                                    dbus_bool_t     log,
-+                                    const char     *privilege,
-+                                    DBusError      *error)
-+{
-+  complain_about_message(context, error_name, complaint, matched_rules, message, sender,
-+      proposed_recipient, requested_reply, log, privilege, error);
-+}
-+
-+dbus_bool_t bus_context_check_recipient_message_limits (BusContext *context,
-+                                                        DBusConnection *recipient,
-+                                                        DBusConnection *sender,
-+                                                        DBusMessage *message,
-+                                                        dbus_bool_t requested_reply,
-+                                                        DBusError *error)
-+{
-+  if (recipient &&
-+       ((dbus_connection_get_outgoing_size (recipient) > context->limits.max_outgoing_bytes) ||
-+        (dbus_connection_get_outgoing_unix_fds (recipient) > context->limits.max_outgoing_unix_fds)))
-+     {
-+       complain_about_message (context, DBUS_ERROR_LIMITS_EXCEEDED,
-+           "Rejected: destination has a full message queue",
-+           0, message, sender, recipient, requested_reply, TRUE, NULL,
-+           error);
-+       _dbus_verbose ("security policy disallowing message due to full message queue\n");
-+       return FALSE;
-+     }
-+  return TRUE;
-+}
-diff --git a/bus/bus.h b/bus/bus.h
-index 82c32c8..1b08f7c 100644
---- a/bus/bus.h
-+++ b/bus/bus.h
-@@ -164,4 +164,23 @@ BusResult         bus_context_check_security_policy              (BusContext
-                                                                   BusDeferredMessage **deferred_message);
- void              bus_context_check_all_watches                  (BusContext       *context);
-+dbus_bool_t       bus_context_check_recipient_message_limits     (BusContext *context,
-+                                                                  DBusConnection *recipient,
-+                                                                  DBusConnection *sender,
-+                                                                  DBusMessage *message,
-+                                                                  dbus_bool_t requested_reply,
-+                                                                  DBusError *error);
-+void              bus_context_complain_about_message             (BusContext     *context,
-+                                                                  const char     *error_name,
-+                                                                  const char     *complaint,
-+                                                                  int             matched_rules,
-+                                                                  DBusMessage    *message,
-+                                                                  DBusConnection *sender,
-+                                                                  DBusConnection *proposed_recipient,
-+                                                                  dbus_bool_t     requested_reply,
-+                                                                  dbus_bool_t     log,
-+                                                                  const char     *privilege,
-+                                                                  DBusError      *error);
-+
-+
- #endif /* BUS_BUS_H */
-diff --git a/bus/check.c b/bus/check.c
-index 4b8a699..f3d283f 100644
---- a/bus/check.c
-+++ b/bus/check.c
-@@ -49,6 +49,9 @@ typedef struct BusDeferredMessage
-   DBusConnection *sender;
-   DBusConnection *proposed_recipient;
-   DBusConnection *addressed_recipient;
-+  dbus_bool_t requested_reply;
-+  int matched_rules;
-+  const char *privilege;
-   dbus_bool_t full_dispatch;
-   BusDeferredMessageStatus status;
-   BusResult response;
-@@ -135,6 +138,89 @@ bus_check_enable_dispatch_callback (BusDeferredMessage *deferred_message,
-   _dbus_connection_enable_dispatch(deferred_message->sender);
- }
-+static void
-+bus_check_queued_message_reply_callback (BusDeferredMessage *deferred_message,
-+                                         BusResult result)
-+{
-+  int status;
-+
-+  _dbus_verbose("bus_check_queued_message_reply_callback called message=%p\n", deferred_message);
-+
-+  if (!bus_connection_is_active(deferred_message->proposed_recipient))
-+    return;
-+
-+  status = deferred_message->status;
-+
-+  deferred_message->status = 0; /* mark message as not waiting for response */
-+  deferred_message->response = result;
-+
-+  /*
-+   * If send rule allows us to send message we still need to check receive rules.
-+   */
-+  if ((status & BUS_DEFERRED_MESSAGE_CHECK_SEND) && (result == BUS_RESULT_TRUE))
-+    {
-+      int toggles;
-+      BusContext *context;
-+      BusRegistry *registry;
-+      BusClientPolicy *recipient_policy;
-+      BusDeferredMessage *deferred_message_receive;
-+
-+      context = bus_connection_get_context(deferred_message->proposed_recipient);
-+      registry = bus_context_get_registry(context);
-+      recipient_policy = bus_connection_get_policy(deferred_message->proposed_recipient);
-+
-+      deferred_message->response = bus_client_policy_check_can_receive(recipient_policy, registry,
-+          deferred_message->requested_reply, deferred_message->sender,
-+          deferred_message->addressed_recipient, deferred_message->proposed_recipient, deferred_message->message,
-+          &toggles, NULL, &deferred_message_receive);
-+      if (deferred_message->response == BUS_RESULT_LATER)
-+        {
-+          /* replace deferred message associated with send check with the one associated with
-+           * receive check */
-+          if (!bus_deferred_message_replace(deferred_message, deferred_message_receive))
-+            {
-+              /* failed to replace deferred message (due to oom). Set it to rejected */
-+              deferred_message->response = BUS_RESULT_FALSE;
-+            }
-+        }
-+    }
-+
-+  bus_connection_dispatch_deferred(deferred_message->proposed_recipient);
-+}
-+
-+static void
-+queue_deferred_message_cancel_transaction_hook (void *data)
-+{
-+  BusDeferredMessage *deferred_message = (BusDeferredMessage *)data;
-+  bus_connection_remove_deferred_message(deferred_message->proposed_recipient, deferred_message);
-+}
-+
-+
-+dbus_bool_t
-+bus_deferred_message_queue_at_recipient (BusDeferredMessage *deferred_message,
-+                                         BusTransaction *transaction,
-+                                         dbus_bool_t full_dispatch,
-+                                         dbus_bool_t prepend)
-+{
-+  _dbus_assert(deferred_message != NULL);
-+  _dbus_assert(deferred_message->proposed_recipient != NULL);
-+
-+  if (!bus_connection_queue_deferred_message(deferred_message->proposed_recipient,
-+         deferred_message, prepend))
-+    return FALSE;
-+
-+  if (!bus_transaction_add_cancel_hook(transaction, queue_deferred_message_cancel_transaction_hook,
-+      deferred_message, NULL))
-+    {
-+      bus_connection_remove_deferred_message(deferred_message->proposed_recipient, deferred_message);
-+      return FALSE;
-+    }
-+  deferred_message->response_callback = bus_check_queued_message_reply_callback;
-+  deferred_message->full_dispatch = full_dispatch;
-+
-+  return TRUE;
-+}
-+
- static void
- deferred_message_free_function(void *data)
- {
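Review bot: in bus_check_queued_message_reply_callback, after bus_deferred_message_replace() succeeds the function still reads deferred_message->proposed_recipient for the final bus_connection_dispatch_deferred() call, yet bus_connection_replace_deferred_message() in bus/connection.c drops the queue's reference on the old message. Unless every caller of the response callback holds its own reference, that read is a use after free; copy proposed_recipient into a local before the replace, or hold a reference for the duration of the callback. The receive check also passes NULL for the error argument and never reads toggles, so a receive-side denial leaves no reason to log.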
-@@ -159,6 +245,20 @@ bus_deferred_message_disable_sender (BusDeferredMessage *deferred_message)
-   deferred_message->response_callback = bus_check_enable_dispatch_callback;
- }
-+void
-+bus_deferred_message_set_policy_check_info (BusDeferredMessage *deferred_message,
-+                                            dbus_bool_t requested_reply,
-+                                            int matched_rules,
-+                                            const char *privilege)
-+{
-+  _dbus_assert(deferred_message != NULL);
-+
-+  deferred_message->requested_reply = requested_reply;
-+  deferred_message->matched_rules = matched_rules;
-+  deferred_message->privilege = privilege;
-+}
-+
-+
- #ifdef DBUS_ENABLE_EMBEDDED_TESTS
- BusResult (*bus_check_test_override) (DBusConnection *connection,
-                                         const char *privilege);
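Review bot: bus_deferred_message_set_policy_check_info stores the privilege pointer without copying it, and bus_deferred_message_create_error reads it later when the check result arrives. Document that the string must outlive the deferred message (for example because the policy rule owns it), or duplicate it here and release it when the deferred message is freed.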
-@@ -259,6 +359,9 @@ BusDeferredMessage *bus_deferred_message_new (DBusMessage *message,
-   deferred_message->addressed_recipient = addressed_recipient != NULL ? dbus_connection_ref(addressed_recipient) : NULL;
-   deferred_message->proposed_recipient = proposed_recipient != NULL ? dbus_connection_ref(proposed_recipient) : NULL;
-   deferred_message->message = dbus_message_ref(message);
-+  deferred_message->requested_reply = FALSE;
-+  deferred_message->matched_rules = 0;
-+  deferred_message->privilege = NULL;
-   deferred_message->response = response;
-   deferred_message->status = 0;
-   deferred_message->full_dispatch = FALSE;
-@@ -295,12 +398,215 @@ bus_deferred_message_unref (BusDeferredMessage *deferred_message)
-      }
- }
-+dbus_bool_t
-+bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message, DBusError *error)
-+{
-+  BusContext *context = bus_connection_get_context(deferred_message->proposed_recipient);
-+
-+  return bus_context_check_recipient_message_limits(context, deferred_message->proposed_recipient,
-+      deferred_message->sender, deferred_message->message, deferred_message->requested_reply,
-+      error);
-+}
-+
-+dbus_bool_t
-+bus_deferred_message_expect_method_reply(BusDeferredMessage *deferred_message, BusTransaction *transaction, DBusError *error)
-+{
-+  int type = dbus_message_get_type(deferred_message->message);
-+  if (type == DBUS_MESSAGE_TYPE_METHOD_CALL &&
-+        deferred_message->sender &&
-+        deferred_message->addressed_recipient &&
-+        deferred_message->addressed_recipient == deferred_message->proposed_recipient && /* not eavesdropping */
-+        !bus_connections_expect_reply (bus_connection_get_connections (deferred_message->sender),
-+                                       transaction,
-+                                       deferred_message->sender, deferred_message->addressed_recipient,
-+                                       deferred_message->message, error))
-+    {
-+      _dbus_verbose ("Failed to record reply expectation or problem with the message expecting a reply\n");
-+      return FALSE;
-+    }
-+  return TRUE;
-+}
-+
-+void
-+bus_deferred_message_create_error(BusDeferredMessage *deferred_message,
-+    const char *error_message, DBusError *error)
-+{
-+  BusContext *context;
-+  _dbus_assert (deferred_message->status == 0 && deferred_message->response == BUS_RESULT_FALSE);
-+
-+  if (deferred_message->sender == NULL)
-+    return; /* error won't be sent to bus driver anyway */
-+
-+  context = bus_connection_get_context(deferred_message->sender);
-+  bus_context_complain_about_message(context, DBUS_ERROR_ACCESS_DENIED, "Rejected message",
-+      deferred_message->matched_rules, deferred_message->message, deferred_message->sender,
-+      deferred_message->proposed_recipient, deferred_message->requested_reply, FALSE,
-+      deferred_message->privilege, error);
-+}
-+
-+BusResult
-+bus_deferred_message_dispatch (BusDeferredMessage *deferred_message)
-+{
-+  BusContext *context = bus_connection_get_context (deferred_message->proposed_recipient);
-+  BusTransaction *transaction = bus_transaction_new (context);
-+  BusResult result = BUS_RESULT_TRUE;
-+  DBusError error;
-+
-+  if (transaction == NULL)
-+    {
-+      return BUS_RESULT_FALSE;
-+    }
-+
-+  dbus_error_init(&error);
-+
-+  if (!deferred_message->full_dispatch)
-+    {
-+      result = deferred_message->response;
-+      if (result == BUS_RESULT_TRUE)
-+        {
-+          if (!bus_context_check_recipient_message_limits(context, deferred_message->proposed_recipient,
-+               deferred_message->sender, deferred_message->message, deferred_message->requested_reply, &error))
-+              result = BUS_RESULT_FALSE;
-+        }
-+      else if (result == BUS_RESULT_LATER)
-+        {
-+          BusDeferredMessage *deferred_message2;
-+          result = bus_context_check_security_policy (context, transaction,
-+                                                      deferred_message->sender,
-+                                                      deferred_message->addressed_recipient,
-+                                                      deferred_message->proposed_recipient,
-+                                                      deferred_message->message, NULL, NULL,
-+                                                      &deferred_message2);
-+
-+          if (result == BUS_RESULT_LATER)
-+            {
-+              /* prepend at recipient */
-+              if (!bus_deferred_message_queue_at_recipient(deferred_message2, transaction,
-+                  FALSE, TRUE))
-+                result = BUS_RESULT_FALSE;
-+            }
-+        }
-+
-+      /* silently drop messages on access denial */
-+      if (result == BUS_RESULT_TRUE)
-+        {
-+          if (!bus_transaction_send (transaction, deferred_message->proposed_recipient, deferred_message->message, TRUE))
-+            result = BUS_RESULT_FALSE;
-+        }
-+
-+      bus_transaction_execute_and_free(transaction);
-+
-+      goto out;
-+    }
-+
-+  /* do not attempt to send message if sender has disconnected */
-+  if (deferred_message->sender != NULL && !bus_connection_is_active(deferred_message->sender))
-+    {
-+      bus_transaction_cancel_and_free(transaction);
-+      result = BUS_RESULT_FALSE;
-+      goto out;
-+    }
-+
-+  result = bus_dispatch_matches(transaction, deferred_message->sender,
-+      deferred_message->addressed_recipient, deferred_message->message, deferred_message, &error);
-+
-+  if (result == BUS_RESULT_LATER)
-+    {
-+      /* Message deferring was already done in bus_dispatch_matches */
-+      bus_transaction_cancel_and_free(transaction);
-+      goto out;
-+    }
-+
-+  /* this part is a copy & paste from bus_dispatch function. Probably can be moved to a function */
-+  if (dbus_error_is_set (&error))
-+    {
-+      if (!dbus_connection_get_is_connected (deferred_message->sender))
-+        {
-+          /* If we disconnected it, we won't bother to send it any error
-+           * messages.
-+           */
-+          _dbus_verbose ("Not sending error to connection we disconnected\n");
-+        }
-+      else if (dbus_error_has_name (&error, DBUS_ERROR_NO_MEMORY))
-+        {
-+          bus_connection_send_oom_error (deferred_message->sender, deferred_message->message);
-+
-+          /* cancel transaction due to OOM */
-+          if (transaction != NULL)
-+            {
-+              bus_transaction_cancel_and_free (transaction);
-+              transaction = NULL;
-+            }
-+        }
-+      else
-+        {
-+          /* Try to send the real error, if no mem to do that, send
-+           * the OOM error
-+           */
-+          _dbus_assert (transaction != NULL);
-+          if (!bus_transaction_send_error_reply (transaction, deferred_message->sender,
-+                                                 &error, deferred_message->message))
-+            {
-+              bus_connection_send_oom_error (deferred_message->sender, deferred_message->message);
-+
-+              /* cancel transaction due to OOM */
-+              if (transaction != NULL)
-+                {
-+                  bus_transaction_cancel_and_free (transaction);
-+                  transaction = NULL;
-+                }
-+            }
-+        }
-+    }
-+
-+  if (transaction != NULL)
-+    {
-+      bus_transaction_execute_and_free (transaction);
-+    }
-+
-+out:
-+  dbus_error_free(&error);
-+
-+  return result;
-+}
-+
-+dbus_bool_t
-+bus_deferred_message_replace (BusDeferredMessage *old_message, BusDeferredMessage *new_message)
-+{
-+  if (bus_connection_replace_deferred_message(old_message->proposed_recipient,
-+        old_message, new_message))
-+    {
-+      new_message->response_callback = old_message->response_callback;
-+      new_message->full_dispatch = old_message->full_dispatch;
-+      return TRUE;
-+    }
-+  return FALSE;
-+}
-+
-+dbus_bool_t
-+bus_deferred_message_waits_for_check(BusDeferredMessage *deferred_message)
-+{
-+  return deferred_message->status != 0;
-+}
-+
-+DBusConnection *
-+bus_deferred_message_get_recipient(BusDeferredMessage *deferred_message)
-+{
-+  return deferred_message->proposed_recipient;
-+}
-+
- BusDeferredMessageStatus
- bus_deferred_message_get_status (BusDeferredMessage *deferred_message)
- {
-   return deferred_message->status;
- }
-+BusResult
-+bus_deferred_message_get_response (BusDeferredMessage *deferred_message)
-+{
-+  return deferred_message->response;
-+}
-+
- void
- bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
-                                         BusResult result)
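Review bot: in bus_deferred_message_dispatch the error branch passes deferred_message->sender to dbus_connection_get_is_connected and to the error-reply calls with no NULL check, although the disconnect test a few lines earlier guards with deferred_message->sender != NULL; guard the whole error-reply block on a non-NULL sender. bus_deferred_message_create_error never uses its error_message parameter and always passes the literal "Rejected message", so drop the parameter or forward it. The error-reply block is marked as copied from bus_dispatch; moving it into a shared helper would keep the two paths from drifting apart.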
-@@ -310,3 +616,4 @@ bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
-       deferred_message->response_callback(deferred_message, result);
-     }
- }
-+
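Review bot: the only change in this hunk is a blank line appended at the end of bus/check.c; drop it to keep the patch free of whitespace noise.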
-diff --git a/bus/check.h b/bus/check.h
-index d177549..9c13c18 100644
---- a/bus/check.h
-+++ b/bus/check.h
-@@ -64,12 +64,37 @@ BusDeferredMessage *bus_deferred_message_new                (DBusMessage *messag
- BusDeferredMessage *bus_deferred_message_ref                (BusDeferredMessage *deferred_message);
- void                bus_deferred_message_unref              (BusDeferredMessage *deferred_message);
-+BusResult           bus_deferred_message_dispatch           (BusDeferredMessage *deferred_message);
-+dbus_bool_t         bus_deferred_message_waits_for_check    (BusDeferredMessage *deferred_message);
-+DBusConnection     *bus_deferred_message_get_recipient      (BusDeferredMessage *deferred_message);
- void                bus_deferred_message_response_received  (BusDeferredMessage *deferred_message,
-                                                              BusResult result);
-+dbus_bool_t         bus_deferred_message_queue_at_recipient (BusDeferredMessage *deferred_message,
-+                                                             BusTransaction *transaction,
-+                                                             dbus_bool_t full_dispatch,
-+                                                             dbus_bool_t prepend);
-+dbus_bool_t         bus_deferred_message_replace            (BusDeferredMessage *old_message,
-+                                                             BusDeferredMessage *new_message);
- void                bus_deferred_message_disable_sender     (BusDeferredMessage *deferred_message);
-+BusResult           bus_deferred_message_get_response       (BusDeferredMessage *deferred_message);
- BusDeferredMessageStatus  bus_deferred_message_get_status   (BusDeferredMessage *deferred_message);
-+
-+dbus_bool_t         bus_deferred_message_expect_method_reply (BusDeferredMessage *deferred_message,
-+                                                              BusTransaction *transaction,
-+                                                              DBusError *error);
-+void                bus_deferred_message_create_error        (BusDeferredMessage *deferred_message,
-+                                                              const char *error_message,
-+                                                              DBusError *error);
-+void                bus_deferred_message_set_policy_check_info (BusDeferredMessage *deferred_message,
-+                                                                dbus_bool_t requested_reply,
-+                                                                int matched_rules,
-+                                                                const char *privilege);
-+dbus_bool_t         bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message,
-+                                                               DBusError *error);
-+
-+
- #ifdef DBUS_ENABLE_EMBEDDED_TESTS
- extern BusResult (*bus_check_test_override) (DBusConnection *connection,
-                                                const char *privilege);
-diff --git a/bus/connection.c b/bus/connection.c
-index b348d42..ee93384 100644
---- a/bus/connection.c
-+++ b/bus/connection.c
-@@ -31,11 +31,13 @@
- #include "expirelist.h"
- #include "selinux.h"
- #include "apparmor.h"
-+#include "check.h"
- #include <dbus/dbus-list.h>
- #include <dbus/dbus-hash.h>
- #include <dbus/dbus-timeout.h>
- #include <dbus/dbus-connection-internal.h>
- #include <dbus/dbus-internals.h>
-+#include <dbus/dbus-message-internal.h>
- #ifdef DBUS_ENABLE_CYNARA
- #include <stdlib.h>
- #include <cynara-session.h>
-@@ -102,6 +104,7 @@ typedef struct
-   DBusMessage *oom_message;
-   DBusPreallocatedSend *oom_preallocated;
-   BusClientPolicy *policy;
-+  DBusList *deferred_messages;  /**< Queue of messages deferred due to pending policy check */
-   char *cached_loginfo_string;
-   BusSELinuxID *selinux_id;
-@@ -268,6 +271,8 @@ bus_connection_disconnected (DBusConnection *connection)
-       bus_transaction_execute_and_free (transaction);
-     }
-+  bus_connection_clear_deferred_messages(connection);
-+
-   bus_dispatch_remove_connection (connection);
-   
-   /* no more watching */
-@@ -2307,7 +2312,7 @@ bus_transaction_capture (BusTransaction *transaction,
-     {
-       DBusConnection *recipient = link->data;
--      if (!bus_transaction_send (transaction, recipient, message))
-+      if (!bus_transaction_send (transaction, recipient, message, FALSE))
-         goto out;
-     }
-@@ -2361,6 +2366,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
- {
-   DBusError error = DBUS_ERROR_INIT;
-   BusResult res;
-+  BusDeferredMessage *deferred_message;
-   /* We have to set the sender to the driver, and have
-    * to check security policy since it was not done in
-@@ -2401,7 +2407,7 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
-   res = bus_context_check_security_policy (bus_transaction_get_context (transaction),
-                                            transaction,
-                                            NULL, connection, connection, message, NULL,
--                                           &error, NULL);
-+                                           &error, &deferred_message);
-   if (res == BUS_RESULT_FALSE)
-     {
-       if (!bus_transaction_capture_error_reply (transaction, connection,
-@@ -2419,18 +2425,20 @@ bus_transaction_send_from_driver (BusTransaction *transaction,
-     }
-   else if (res == BUS_RESULT_LATER)
-     {
--      _dbus_verbose ("Cannot delay sending message from bus driver, dropping it\n");
-       dbus_error_free (&error);
--      return TRUE;
-+      if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, FALSE, FALSE))
-+        return FALSE;
-+      return TRUE; /* pretend to have sent it */
-     }
--  return bus_transaction_send (transaction, connection, message);
-+  return bus_transaction_send (transaction, connection, message, FALSE);
- }
- dbus_bool_t
- bus_transaction_send (BusTransaction *transaction,
-                       DBusConnection *connection,
--                      DBusMessage    *message)
-+                      DBusMessage    *message,
-+                      dbus_bool_t     deferred_dispatch)
- {
-   MessageToSend *to_send;
-   BusConnectionData *d;
-@@ -2456,7 +2464,28 @@ bus_transaction_send (BusTransaction *transaction,
-   
-   d = BUS_CONNECTION_DATA (connection);
-   _dbus_assert (d != NULL);
--  
-+
-+  if (!deferred_dispatch && d->deferred_messages != NULL)
-+    {
-+      BusDeferredMessage *deferred_message;
-+      dbus_bool_t success;
-+      /* sender and addressed recipient are not required at this point as we only need to send message
-+       * to a single recipient without performing policy check. */
-+      deferred_message = bus_deferred_message_new (message,
-+                                                   NULL,
-+                                                   NULL,
-+                                                   connection,
-+                                                   BUS_RESULT_TRUE);
-+      if (deferred_message == NULL)
-+        return FALSE;
-+
-+      success = bus_deferred_message_queue_at_recipient(deferred_message, transaction,
-+          FALSE, FALSE);
-+      bus_deferred_message_unref(deferred_message);
-+
-+      return success;
-+    }
-+
-   to_send = dbus_new (MessageToSend, 1);
-   if (to_send == NULL)
-     {
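Review bot: the new early return in bus_transaction_send queues every message addressed to a recipient that already has pending checks, and no limit on that queue is visible here or in bus_connection_queue_deferred_message; the recipient message limits are only consulted later, at dispatch time, in bus_deferred_message_dispatch. A recipient whose policy check stays pending can therefore build up a backlog in bus memory, so consider applying a bound at enqueue time. The comment should also say that the queued entry is later dispatched with a NULL sender, since the limit check receives that NULL.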
-@@ -2708,6 +2737,131 @@ bus_transaction_add_cancel_hook (BusTransaction               *transaction,
-   return TRUE;
- }
-+void
-+bus_connection_dispatch_deferred (DBusConnection *connection)
-+{
-+  BusDeferredMessage *message;
-+
-+  _dbus_return_if_fail (connection != NULL);
-+
-+  while ((message = bus_connection_pop_deferred_message(connection)) != NULL)
-+    {
-+      bus_deferred_message_dispatch(message);
-+      bus_deferred_message_unref(message);
-+    }
-+}
-+
-+dbus_bool_t
-+bus_connection_has_deferred_messages (DBusConnection *connection)
-+{
-+  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
-+  return d->deferred_messages != NULL ? TRUE : FALSE;
-+}
-+
-+dbus_bool_t
-+bus_connection_queue_deferred_message (DBusConnection *connection,
-+                                       BusDeferredMessage *message,
-+                                       dbus_bool_t prepend)
-+{
-+  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
-+  dbus_bool_t success;
-+  if (prepend)
-+    success = _dbus_list_prepend(&d->deferred_messages, message);
-+  else
-+    success = _dbus_list_append(&d->deferred_messages, message);
-+
-+  if (success)
-+    {
-+      bus_deferred_message_ref(message);
-+      return TRUE;
-+    }
-+
-+  return FALSE;
-+}
-+
-+dbus_bool_t
-+bus_connection_replace_deferred_message (DBusConnection *connection,
-+                                         BusDeferredMessage *oldMessage,
-+                                         BusDeferredMessage *newMessage)
-+{
-+  DBusList *link;
-+  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
-+
-+  link = _dbus_list_find_first(&d->deferred_messages, oldMessage);
-+  if (link == NULL)
-+    return FALSE;
-+
-+  if (!_dbus_list_insert_after(&d->deferred_messages, link, newMessage))
-+    return FALSE;
-+
-+  bus_deferred_message_ref(newMessage);
-+  _dbus_list_remove_link(&d->deferred_messages, link);
-+  bus_deferred_message_unref(oldMessage);
-+  return TRUE;
-+}
-+
-+BusDeferredMessage *
-+bus_connection_pop_deferred_message (DBusConnection *connection)
-+{
-+  DBusList *link;
-+  BusDeferredMessage *message;
-+  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
-+
-+  link =_dbus_list_get_first_link(&d->deferred_messages);
-+  if (link != NULL)
-+    {
-+      message = link->data;
-+      if (!bus_deferred_message_waits_for_check(message))
-+        {
-+          _dbus_list_remove_link(&d->deferred_messages, link);
-+          return message;
-+        }
-+    }
-+
-+  return NULL;
-+}
-+
-+dbus_bool_t
-+bus_connection_putback_deferred_message (DBusConnection *connection, BusDeferredMessage *message)
-+{
-+  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
-+  if (_dbus_list_prepend(&d->deferred_messages, message))
-+    {
-+      return TRUE;
-+    }
-+  return FALSE;
-+}
-+
-+void
-+bus_connection_clear_deferred_messages (DBusConnection *connection)
-+{
-+  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
-+  DBusList *link;
-+  DBusList *next;
-+  BusDeferredMessage *message;
-+
-+  link =_dbus_list_get_first_link(&d->deferred_messages);
-+  while (link != NULL)
-+    {
-+      next = _dbus_list_get_next_link (&d->deferred_messages, link);
-+      message = link->data;
-+
-+      bus_deferred_message_unref(message);
-+      _dbus_list_remove_link(&d->deferred_messages, link);
-+
-+      link = next;
-+    }
-+}
-+
-+void
-+bus_connection_remove_deferred_message (DBusConnection *connection,
-+                                        BusDeferredMessage *message)
-+{
-+  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
-+  if (_dbus_list_remove(&d->deferred_messages, message))
-+    bus_deferred_message_unref(message);
-+}
-+
- int
- bus_connections_get_n_active (BusConnections *connections)
- {
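Review bot: reference handling across the new queue helpers is asymmetric and undocumented: bus_connection_queue_deferred_message takes a reference, bus_connection_pop_deferred_message hands the queue's reference to the caller, and bus_connection_putback_deferred_message prepends without taking one. Add a comment to each stating who owns the reference, because a putback followed by the caller's usual unref would leave a dangling entry in the list. The helpers also dereference BUS_CONNECTION_DATA(connection) without the _dbus_assert (d != NULL) that bus_transaction_send uses, and bus_connection_dispatch_deferred ignores the BusResult returned by bus_deferred_message_dispatch.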
-diff --git a/bus/connection.h b/bus/connection.h
-index 71078ea..97dae96 100644
---- a/bus/connection.h
-+++ b/bus/connection.h
-@@ -85,6 +85,22 @@ dbus_bool_t bus_connection_preallocate_oom_error (DBusConnection *connection);
- void        bus_connection_send_oom_error        (DBusConnection *connection,
-                                                   DBusMessage    *in_reply_to);
-+dbus_bool_t         bus_connection_has_deferred_messages    (DBusConnection *connection);
-+dbus_bool_t         bus_connection_queue_deferred_message   (DBusConnection *connection,
-+                                                             BusDeferredMessage *message,
-+                                                             dbus_bool_t prepend);
-+BusDeferredMessage *bus_connection_pop_deferred_message     (DBusConnection *connection);
-+dbus_bool_t         bus_connection_putback_deferred_message (DBusConnection *connection,
-+                                                             BusDeferredMessage *message);
-+void                bus_connection_remove_deferred_message  (DBusConnection *connection,
-+                                                             BusDeferredMessage *message);
-+dbus_bool_t         bus_connection_replace_deferred_message (DBusConnection *connection,
-+                                                             BusDeferredMessage *oldMessage,
-+                                                             BusDeferredMessage *newMessage);
-+void                bus_connection_dispatch_deferred        (DBusConnection *connection);
-+void                bus_connection_clear_deferred_messages  (DBusConnection *connection);
-+
-+
- /* called by signals.c */
- dbus_bool_t bus_connection_add_match_rule      (DBusConnection *connection,
-                                                 BusMatchRule   *rule);
-@@ -137,7 +153,8 @@ BusTransaction* bus_transaction_new              (BusContext                   *
- BusContext*     bus_transaction_get_context      (BusTransaction               *transaction);
- dbus_bool_t     bus_transaction_send             (BusTransaction               *transaction,
-                                                   DBusConnection               *connection,
--                                                  DBusMessage                  *message);
-+                                                  DBusMessage                  *message,
-+                                                  dbus_bool_t                   deferred_dispatch);
- dbus_bool_t     bus_transaction_capture          (BusTransaction               *transaction,
-                                                   DBusConnection               *connection,
-                                                   DBusConnection               *addressed_recipient,
-diff --git a/bus/dispatch.c b/bus/dispatch.c
-index 50a22a3..7d30ce4 100644
---- a/bus/dispatch.c
-+++ b/bus/dispatch.c
-@@ -33,6 +33,7 @@
- #include "utils.h"
- #include "bus.h"
- #include "signals.h"
-+#include "dispatch.h"
- #include "test.h"
- #include <dbus/dbus-internals.h>
- #include <dbus/dbus-connection-internal.h>
-@@ -77,7 +78,7 @@ send_one_message (DBusConnection *connection,
-                                           NULL,
-                                           &stack_error,
-                                           &deferred_message);
--  if (result != BUS_RESULT_TRUE)
-+  if (result == BUS_RESULT_FALSE)
-     {
-       if (!bus_transaction_capture_error_reply (transaction, sender,
-                                                 &stack_error, message))
-@@ -112,9 +113,19 @@ send_one_message (DBusConnection *connection,
-       return TRUE; /* don't send it but don't return an error either */
-     }
-+  if (result == BUS_RESULT_LATER)
-+    {
-+      if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, FALSE, FALSE))
-+        {
-+          BUS_SET_OOM (error);
-+          return FALSE;
-+        }
-+      return TRUE; /* pretend to have sent it */
-+    }
-+
-   if (!bus_transaction_send (transaction,
-                              connection,
--                             message))
-+                             message, FALSE))
-     {
-       BUS_SET_OOM (error);
-       return FALSE;
-@@ -124,11 +135,12 @@ send_one_message (DBusConnection *connection,
- }
- BusResult
--bus_dispatch_matches (BusTransaction *transaction,
--                      DBusConnection *sender,
--                      DBusConnection *addressed_recipient,
--                      DBusMessage    *message,
--                      DBusError      *error)
-+bus_dispatch_matches (BusTransaction     *transaction,
-+                      DBusConnection     *sender,
-+                      DBusConnection     *addressed_recipient,
-+                      DBusMessage        *message,
-+                      BusDeferredMessage *dispatched_deferred_message,
-+                      DBusError          *error)
- {
-   DBusError tmp_error;
-   BusConnections *connections;
-@@ -137,7 +149,6 @@ bus_dispatch_matches (BusTransaction *transaction,
-   DBusList *link;
-   BusContext *context;
-   BusDeferredMessage *deferred_message;
--  BusResult res;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -153,16 +164,80 @@ bus_dispatch_matches (BusTransaction *transaction,
-   /* First, send the message to the addressed_recipient, if there is one. */
-   if (addressed_recipient != NULL)
-     {
--      res = bus_context_check_security_policy (context, transaction,
-+      BusResult result;
-+      /* To maintain message order message needs to be appended at the recipient if there are already
-+       *  deferred messages and we are not doing deferred dispatch
-+       */
-+      if (dispatched_deferred_message == NULL && bus_connection_has_deferred_messages(addressed_recipient))
-+        {
-+          deferred_message = bus_deferred_message_new(message, sender,
-+              addressed_recipient, addressed_recipient, BUS_RESULT_LATER);
-+
-+          if (deferred_message == NULL)
-+            {
-+              BUS_SET_OOM(error);
-+              return BUS_RESULT_FALSE;
-+            }
-+
-+          if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, FALSE))
-+            {
-+              bus_deferred_message_unref(deferred_message);
-+              BUS_SET_OOM(error);
-+              return BUS_RESULT_FALSE;
-+            }
-+
-+          bus_deferred_message_unref(deferred_message);
-+          return BUS_RESULT_TRUE; /* pretend to have sent it */
-+        }
-+
-+      if (dispatched_deferred_message != NULL)
-+        {
-+          result = bus_deferred_message_get_response(dispatched_deferred_message);
-+          if (result == BUS_RESULT_TRUE)
-+            {
-+              /* if we know the result of policy check we still need to check if message limits
-+               * are not exceeded. It is also required to add entry in expected replies list if
-+               * this is a method call
-+               */
-+              if (!bus_deferred_message_check_message_limits(dispatched_deferred_message, error))
-+                return BUS_RESULT_FALSE;
-+
-+              if (!bus_deferred_message_expect_method_reply(dispatched_deferred_message, transaction, error))
-+                return BUS_RESULT_FALSE;
-+            }
-+          else if (result == BUS_RESULT_FALSE)
-+            {
-+              bus_deferred_message_create_error(dispatched_deferred_message, "Rejected message", error);
-+              return BUS_RESULT_FALSE;
-+            }
-+        }
-+      else
-+        result = BUS_RESULT_LATER;
-+
-+      if (result == BUS_RESULT_LATER)
-+        result = bus_context_check_security_policy (context, transaction,
-                                                sender, addressed_recipient,
-                                                addressed_recipient,
-                                                message, NULL, error,
-                                                &deferred_message);
--      if (res == BUS_RESULT_FALSE)
-+
-+      if (result == BUS_RESULT_FALSE)
-         return BUS_RESULT_FALSE;
--      else if (res == BUS_RESULT_LATER)
-+      else if (result == BUS_RESULT_LATER)
-         {
-           BusDeferredMessageStatus status;
-+
-+          if (dispatched_deferred_message != NULL)
-+            {
-+              /* for deferred dispatch prepend message at the recipient */
-+              if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, TRUE))
-+                {
-+                  BUS_SET_OOM(error);
-+                  return BUS_RESULT_FALSE;
-+                }
-+              return BUS_RESULT_TRUE; /* pretend to have sent it */
-+            }
-+
-           status = bus_deferred_message_get_status(deferred_message);
-           if (status & BUS_DEFERRED_MESSAGE_CHECK_SEND)
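Review bot: The two new bus_deferred_message_queue_at_recipient() call sites in this hunk handle the message reference differently, and the hunk does not say why. The ordering branch at the top creates the object with bus_deferred_message_new() and calls bus_deferred_message_unref() on both the failure and the success path, while the deferred-dispatch branch under `else if (result == BUS_RESULT_LATER)` queues the object returned through `&deferred_message` and returns on both paths without an unref. If bus_context_check_security_policy() hands back an owned reference, the second branch leaks it on the OOM path; if the reference is borrowed, a one-line comment stating that would make the asymmetry reviewable. The comment above the first branch would also read better as "To maintain message order, the message must be appended at the recipient if ...".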
-@@ -173,13 +248,18 @@ bus_dispatch_matches (BusTransaction *transaction,
-             }
-           else if (status & BUS_DEFERRED_MESSAGE_CHECK_RECEIVE)
-             {
--              dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
--                              "Rejecting message because time is needed to check security policy");
--              return BUS_RESULT_FALSE;
-+              /* receive rule result not available - queue message at the recipient */
-+              if (!bus_deferred_message_queue_at_recipient(deferred_message, transaction, TRUE, FALSE))
-+                {
-+                  BUS_SET_OOM(error);
-+                  return BUS_RESULT_FALSE;
-+                }
-+
-+              return BUS_RESULT_TRUE; /* pretend to have sent it */
-             }
-           else
-             {
--              _dbus_verbose("deferred message has no status field set to send or receive unexpectedly\n");
-+              _dbus_verbose("deferred message has no status field set unexpectedly\n");
-               return BUS_RESULT_FALSE;
-             }
-         }
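Review bot: In the BUS_DEFERRED_MESSAGE_CHECK_RECEIVE branch the previous fail-closed behaviour (DBUS_ERROR_ACCESS_DENIED) becomes queue-and-`return BUS_RESULT_TRUE`, so the sender is told the message was sent before the receive rule has been evaluated, and nothing visible in this hunk bounds how many messages can accumulate at a recipient whose policy result is slow or never arrives. Please state in the new comment where that bound is enforced; the only limit check visible in this file's changes, bus_deferred_message_check_message_limits(), runs on deferred dispatch after a result is already known. Every failure of bus_deferred_message_queue_at_recipient() is also reported through BUS_SET_OOM(); if the function can fail for any other reason, the caller will see a misleading error.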
-@@ -196,7 +276,8 @@ bus_dispatch_matches (BusTransaction *transaction,
-         }
-       /* Dispatch the message */
--      if (!bus_transaction_send (transaction, addressed_recipient, message))
-+      if (!bus_transaction_send(transaction, addressed_recipient, message,
-+          dispatched_deferred_message != NULL ? TRUE : FALSE))
-         {
-           BUS_SET_OOM (error);
-           return BUS_RESULT_FALSE;
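Review bot: Style point on the new bus_transaction_send() call: `dispatched_deferred_message != NULL ? TRUE : FALSE` is redundant, since the comparison already yields 0 or 1, and `bus_transaction_send(` drops the space before the parenthesis that the removed line and the neighbouring `BUS_SET_OOM (error)` use. Passing `dispatched_deferred_message != NULL` directly and keeping the file's call spacing would be enough. The meaning of the new fourth argument is not evident at the call site, so a short comment naming it would help.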
-@@ -534,7 +615,7 @@ bus_dispatch (DBusConnection *connection,
-    * match rules.
-    */
-   if (BUS_RESULT_LATER == bus_dispatch_matches (transaction, connection, addressed_recipient,
--                                                message, &error))
-+                                                message, NULL, &error))
-     {
-       /* Roll back and dispatch the message once the policy result is available */
-       bus_transaction_cancel_and_free (transaction);
-diff --git a/bus/dispatch.h b/bus/dispatch.h
-index afba6a2..f6102e8 100644
---- a/bus/dispatch.h
-+++ b/bus/dispatch.h
-@@ -29,10 +29,11 @@
- dbus_bool_t bus_dispatch_add_connection    (DBusConnection *connection);
- void        bus_dispatch_remove_connection (DBusConnection *connection);
--BusResult   bus_dispatch_matches           (BusTransaction *transaction,
--                                            DBusConnection *sender,
--                                            DBusConnection *recipient,
--                                            DBusMessage    *message,
--                                            DBusError      *error);
-+BusResult   bus_dispatch_matches           (BusTransaction     *transaction,
-+                                            DBusConnection     *sender,
-+                                            DBusConnection     *recipient,
-+                                            DBusMessage        *message,
-+                                            BusDeferredMessage *dispatched_deferred_message,
-+                                            DBusError           *error);
- #endif /* BUS_DISPATCH_H */
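Review bot: The new `dispatched_deferred_message` parameter in the bus_dispatch_matches() prototype is undocumented, although every caller in this patch has to know that NULL selects normal dispatch and a non-NULL value selects re-dispatch of a previously deferred message. A short comment above the prototype stating that contract, and who owns the object, would cover it. The realigned column is also off by one on the last line: `DBusError           *error` has one space more than the other parameters.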
-diff --git a/bus/driver.c b/bus/driver.c
-index f414f64..d89a658 100644
---- a/bus/driver.c
-+++ b/bus/driver.c
-@@ -254,7 +254,7 @@ bus_driver_send_service_owner_changed (const char     *service_name,
-   if (!bus_transaction_capture (transaction, NULL, NULL, message))
-     goto oom;
--  res = bus_dispatch_matches (transaction, NULL, NULL, message, error);
-+  res = bus_dispatch_matches (transaction, NULL, NULL, message, NULL, error);
-   if (res == BUS_RESULT_TRUE)
-     retval = TRUE;
-   else
-diff --git a/bus/policy.c b/bus/policy.c
-index 7de92c6..483cc97 100644
---- a/bus/policy.c
-+++ b/bus/policy.c
-@@ -1122,6 +1122,9 @@ bus_client_policy_check_can_send (DBusConnection      *sender,
-       result = bus_check_privilege(check, message, sender, addressed_recipient, receiver,
-           privilege, BUS_DEFERRED_MESSAGE_CHECK_SEND, deferred_message);
-+      if (result == BUS_RESULT_LATER && deferred_message != NULL)
-+        bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
-+            *toggles, privilege);
-     }
-   else
-     privilege = NULL;
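Review bot: The guard added after bus_check_privilege() tests the wrong level of indirection for what the call then does. `deferred_message != NULL` only proves the out-pointer was supplied, yet the call passes `*deferred_message` and `*toggles`, neither of which is checked in the visible lines. If bus_check_privilege() can return BUS_RESULT_LATER without having filled in `*deferred_message`, or if a caller may pass NULL for `toggles`, this dereferences a NULL pointer inside the bus daemon. Suggest extending the condition to `deferred_message != NULL && *deferred_message != NULL` and either checking `toggles` or asserting it is non-NULL at function entry. The same applies to the identical addition in bus_client_policy_check_can_receive().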
-@@ -1372,6 +1375,9 @@ bus_client_policy_check_can_receive (BusClientPolicy     *policy,
-       result = bus_check_privilege(check, message, sender, addressed_recipient, proposed_recipient,
-                  privilege, BUS_DEFERRED_MESSAGE_CHECK_RECEIVE, deferred_message);
-+      if (result == BUS_RESULT_LATER && deferred_message != NULL)
-+        bus_deferred_message_set_policy_check_info(*deferred_message, requested_reply,
-+                    *toggles, privilege);
-     }
-   else
-       privilege = NULL;
--- 
-2.21.1
-
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch b/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0004-Add-own-rule-result-unavailability-handling.patch
deleted file mode 100644 (file)
index 9953dca..0000000
+++ /dev/null
@@ -1,1505 +0,0 @@
-From 28ada62c98d74285dc22b66650b09b6c8f2c28c4 Mon Sep 17 00:00:00 2001
-From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-Date: Thu, 27 Nov 2014 11:26:21 +0100
-Subject: [PATCH 4/8] Add own rule result unavailability handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Own rule result unavailability is handled like send rules - dispatching
-messages from the sender is blocked and resumed when result becomes
-available.
-
-Handler of "RequestName" method needs to return BUS_RESULT_LATER when
-policy result is not known therefore its return type is modified.
-Since bus message handlers are put into function pointer array other
-message handler function singatures are also affected.
-
-Cherry-picked from 35ef89cd6777ea2430077fc621d21bd01df92349 by Jose.bollo
-
-Updated for dbus 1.10.20 by Scott Murray and José Bollo
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- bus/dispatch.c |  11 +-
- bus/driver.c   | 334 ++++++++++++++++++++++++++++---------------------
- bus/driver.h   |   2 +-
- bus/policy.c   |  52 ++++++--
- bus/policy.h   |   6 +-
- bus/services.c |  26 ++--
- bus/services.h |   3 +-
- bus/stats.c    |  23 ++--
- bus/stats.h    |   6 +-
- 9 files changed, 283 insertions(+), 180 deletions(-)
-
-diff --git a/bus/dispatch.c b/bus/dispatch.c
-index 7d30ce4..4b84c21 100644
---- a/bus/dispatch.c
-+++ b/bus/dispatch.c
-@@ -517,8 +517,17 @@ bus_dispatch (DBusConnection *connection,
-         }
-       _dbus_verbose ("Giving message to %s\n", DBUS_SERVICE_DBUS);
--      if (!bus_driver_handle_message (connection, transaction, message, &error))
-+      res = bus_driver_handle_message (connection, transaction, message, &error);
-+      if (res == BUS_RESULT_FALSE)
-         goto out;
-+      else if (res == BUS_RESULT_LATER)
-+        {
-+          /* connection has been disabled in message handler */
-+          bus_transaction_cancel_and_free (transaction);
-+          transaction = NULL;
-+          result = DBUS_HANDLER_RESULT_LATER;
-+          goto out;
-+        }
-     }
-   else if (!bus_connection_is_active (connection)) /* clients must talk to bus driver first */
-     {
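Review bot: The BUS_RESULT_LATER branch rests on an invariant it does not check: the comment says "connection has been disabled in message handler", but this hunk cancels the transaction and returns DBUS_HANDLER_RESULT_LATER without verifying it. If a handler ever returns BUS_RESULT_LATER without disabling dispatch on the connection, the same message would be handed straight back to the driver. An assertion on the connection's dispatch state here, or a comment naming the function that disables it, would make the contract explicit. The declaration of `res` is not part of this hunk, so please confirm it exists in bus_dispatch() with type BusResult.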
-diff --git a/bus/driver.c b/bus/driver.c
-index d89a658..aaeb3b2 100644
---- a/bus/driver.c
-+++ b/bus/driver.c
-@@ -420,7 +420,7 @@ create_unique_client_name (BusRegistry *registry,
-   return TRUE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_hello (DBusConnection *connection,
-                          BusTransaction *transaction,
-                          DBusMessage    *message,
-@@ -428,7 +428,7 @@ bus_driver_handle_hello (DBusConnection *connection,
- {
-   DBusString unique_name;
-   BusService *service;
--  dbus_bool_t retval;
-+  BusResult retval;
-   BusRegistry *registry;
-   BusConnections *connections;
-   DBusError tmp_error;
-@@ -442,7 +442,7 @@ bus_driver_handle_hello (DBusConnection *connection,
-       /* We already handled an Hello message for this connection. */
-       dbus_set_error (error, DBUS_ERROR_FAILED,
-                       "Already handled an Hello message");
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   /* Note that when these limits are exceeded we don't disconnect the
-@@ -464,16 +464,16 @@ bus_driver_handle_hello (DBusConnection *connection,
-       bus_context_log (context, DBUS_SYSTEM_LOG_WARNING, "%s (%s=%d)",
-           tmp_error.message, limit_name, limit);
-       dbus_move_error (&tmp_error, error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   if (!_dbus_string_init (&unique_name))
-     {
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
--  retval = FALSE;
-+  retval = BUS_RESULT_FALSE;
-   registry = bus_connection_get_registry (connection);
-@@ -506,7 +506,7 @@ bus_driver_handle_hello (DBusConnection *connection,
-     goto out_0;
-   _dbus_assert (bus_connection_is_active (connection));
--  retval = TRUE;
-+  retval = BUS_RESULT_TRUE;
-  out_0:
-   _dbus_string_free (&unique_name);
-@@ -558,7 +558,7 @@ bus_driver_send_welcome_message (DBusConnection *connection,
-     }
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_list_services (DBusConnection *connection,
-                                  BusTransaction *transaction,
-                                  DBusMessage    *message,
-@@ -580,14 +580,14 @@ bus_driver_handle_list_services (DBusConnection *connection,
-   if (reply == NULL)
-     {
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   if (!bus_registry_list_services (registry, &services, &len))
-     {
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   dbus_message_iter_init_append (reply, &iter);
-@@ -599,7 +599,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
-       dbus_free_string_array (services);
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   {
-@@ -611,7 +611,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
-         dbus_free_string_array (services);
-         dbus_message_unref (reply);
-         BUS_SET_OOM (error);
--        return FALSE;
-+        return BUS_RESULT_FALSE;
-       }
-   }
-@@ -624,7 +624,7 @@ bus_driver_handle_list_services (DBusConnection *connection,
-           dbus_free_string_array (services);
-           dbus_message_unref (reply);
-           BUS_SET_OOM (error);
--          return FALSE;
-+          return BUS_RESULT_FALSE;
-         }
-       ++i;
-     }
-@@ -635,23 +635,23 @@ bus_driver_handle_list_services (DBusConnection *connection,
-     {
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   if (!bus_transaction_send_from_driver (transaction, connection, reply))
-     {
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   else
-     {
-       dbus_message_unref (reply);
--      return TRUE;
-+      return BUS_RESULT_TRUE;
-     }
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_list_activatable_services (DBusConnection *connection,
-                                            BusTransaction *transaction,
-                                            DBusMessage    *message,
-@@ -673,14 +673,14 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
-   if (reply == NULL)
-     {
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   if (!bus_activation_list_services (activation, &services, &len))
-     {
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   dbus_message_iter_init_append (reply, &iter);
-@@ -692,7 +692,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
-       dbus_free_string_array (services);
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   {
-@@ -704,7 +704,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
-       dbus_free_string_array (services);
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-       }
-   }
-@@ -717,7 +717,7 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
-         dbus_free_string_array (services);
-         dbus_message_unref (reply);
-         BUS_SET_OOM (error);
--        return FALSE;
-+        return BUS_RESULT_FALSE;
-       }
-       ++i;
-     }
-@@ -728,23 +728,23 @@ bus_driver_handle_list_activatable_services (DBusConnection *connection,
-     {
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   if (!bus_transaction_send_from_driver (transaction, connection, reply))
-     {
-       dbus_message_unref (reply);
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   else
-     {
-       dbus_message_unref (reply);
--      return TRUE;
-+      return BUS_RESULT_TRUE;
-     }
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_acquire_service (DBusConnection *connection,
-                                    BusTransaction *transaction,
-                                    DBusMessage    *message,
-@@ -755,7 +755,8 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
-   const char *name;
-   dbus_uint32_t service_reply;
-   dbus_uint32_t flags;
--  dbus_bool_t retval;
-+  BusResult retval;
-+  BusResult res;
-   BusRegistry *registry;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -766,20 +767,24 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
-                               DBUS_TYPE_STRING, &name,
-                               DBUS_TYPE_UINT32, &flags,
-                               DBUS_TYPE_INVALID))
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   _dbus_verbose ("Trying to own name %s with flags 0x%x\n", name, flags);
--  retval = FALSE;
-+  retval = BUS_RESULT_FALSE;
-   reply = NULL;
-   _dbus_string_init_const (&service_name, name);
--  if (!bus_registry_acquire_service (registry, connection,
--                                     &service_name, flags,
--                                     &service_reply, transaction,
--                                     error))
--    goto out;
-+  res = bus_registry_acquire_service (registry, connection, message,
-+                                       &service_name, flags,
-+                                       &service_reply, transaction,
-+                                       error);
-+  if (res != BUS_RESULT_TRUE)
-+    {
-+      retval = res;
-+      goto out;
-+    }
-   reply = dbus_message_new_method_return (message);
-   if (reply == NULL)
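Review bot: `if (res != BUS_RESULT_TRUE)` sends both BUS_RESULT_FALSE and BUS_RESULT_LATER through the same `goto out`, and the two have different postconditions that the code leaves implicit. On BUS_RESULT_FALSE `error` must be set, while on BUS_RESULT_LATER no reply is sent and `error` presumably stays clear so the RequestName call can be replayed. A comment at this branch spelling that out, or an assertion per case, would keep later edits to the `out:` path from breaking the deferred case. The extra `message` argument passed to bus_registry_acquire_service() would also benefit from a note on why the registry needs it.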
-@@ -800,7 +805,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
-       goto out;
-     }
--  retval = TRUE;
-+  retval = BUS_RESULT_TRUE;
-  out:
-   if (reply)
-@@ -808,7 +813,7 @@ bus_driver_handle_acquire_service (DBusConnection *connection,
-   return retval;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_release_service (DBusConnection *connection,
-                                    BusTransaction *transaction,
-                                    DBusMessage    *message,
-@@ -818,7 +823,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
-   DBusString service_name;
-   const char *name;
-   dbus_uint32_t service_reply;
--  dbus_bool_t retval;
-+  BusResult retval;
-   BusRegistry *registry;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -828,11 +833,11 @@ bus_driver_handle_release_service (DBusConnection *connection,
-   if (!dbus_message_get_args (message, error,
-                               DBUS_TYPE_STRING, &name,
-                               DBUS_TYPE_INVALID))
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   _dbus_verbose ("Trying to release name %s\n", name);
--  retval = FALSE;
-+  retval = BUS_RESULT_FALSE;
-   reply = NULL;
-   _dbus_string_init_const (&service_name, name);
-@@ -861,7 +866,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
-       goto out;
-     }
--  retval = TRUE;
-+  retval = BUS_RESULT_TRUE;
-  out:
-   if (reply)
-@@ -869,7 +874,7 @@ bus_driver_handle_release_service (DBusConnection *connection,
-   return retval;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_service_exists (DBusConnection *connection,
-                                   BusTransaction *transaction,
-                                   DBusMessage    *message,
-@@ -880,7 +885,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
-   BusService *service;
-   dbus_bool_t service_exists;
-   const char *name;
--  dbus_bool_t retval;
-+  BusResult retval;
-   BusRegistry *registry;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -890,9 +895,9 @@ bus_driver_handle_service_exists (DBusConnection *connection,
-   if (!dbus_message_get_args (message, error,
-                               DBUS_TYPE_STRING, &name,
-                               DBUS_TYPE_INVALID))
--    return FALSE;
-+    return BUS_RESULT_FALSE;
--  retval = FALSE;
-+  retval = BUS_RESULT_FALSE;
-   if (strcmp (name, DBUS_SERVICE_DBUS) == 0)
-     {
-@@ -926,7 +931,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
-       goto out;
-     }
--  retval = TRUE;
-+  retval = BUS_RESULT_TRUE;
-  out:
-   if (reply)
-@@ -935,7 +940,7 @@ bus_driver_handle_service_exists (DBusConnection *connection,
-   return retval;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_activate_service (DBusConnection *connection,
-                                     BusTransaction *transaction,
-                                     DBusMessage    *message,
-@@ -943,7 +948,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
- {
-   dbus_uint32_t flags;
-   const char *name;
--  dbus_bool_t retval;
-+  BusResult retval;
-   BusActivation *activation;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -957,10 +962,10 @@ bus_driver_handle_activate_service (DBusConnection *connection,
-     {
-       _DBUS_ASSERT_ERROR_IS_SET (error);
-       _dbus_verbose ("No memory to get arguments to StartServiceByName\n");
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
--  retval = FALSE;
-+  retval = BUS_RESULT_FALSE;
-   if (!bus_activation_activate_service (activation, connection, transaction, FALSE,
-                                         message, name, error))
-@@ -970,7 +975,7 @@ bus_driver_handle_activate_service (DBusConnection *connection,
-       goto out;
-     }
--  retval = TRUE;
-+  retval = BUS_RESULT_TRUE;
-  out:
-   return retval;
-@@ -1072,13 +1077,13 @@ bus_driver_send_or_activate (BusTransaction *transaction,
-   return TRUE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_update_activation_environment (DBusConnection *connection,
-                                                  BusTransaction *transaction,
-                                                  DBusMessage    *message,
-                                                  DBusError      *error)
- {
--  dbus_bool_t retval;
-+  BusResult retval;
-   BusActivation *activation;
-   BusContext *context;
-   DBusMessageIter iter;
-@@ -1100,7 +1105,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
-       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-                       "Cannot change activation environment "
-                       "on a system bus.");
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   activation = bus_connection_get_activation (connection);
-@@ -1114,7 +1119,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
-   dbus_message_iter_recurse (&iter, &dict_iter);
--  retval = FALSE;
-+  retval = BUS_RESULT_FALSE;
-   systemd_message = NULL;
-   /* Then loop through the sent dictionary, add the location of
-@@ -1279,7 +1284,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
-   if (!bus_driver_send_ack_reply (connection, transaction, message, error))
-     goto out;
--  retval = TRUE;
-+  retval = BUS_RESULT_TRUE;
-  out:
-   if (systemd_message != NULL)
-@@ -1289,7 +1294,7 @@ bus_driver_handle_update_activation_environment (DBusConnection *connection,
-   return retval;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_add_match (DBusConnection *connection,
-                              BusTransaction *transaction,
-                              DBusMessage    *message,
-@@ -1371,16 +1376,16 @@ bus_driver_handle_add_match (DBusConnection *connection,
-   bus_match_rule_unref (rule);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  failed:
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (rule)
-     bus_match_rule_unref (rule);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_remove_match (DBusConnection *connection,
-                                 BusTransaction *transaction,
-                                 DBusMessage    *message,
-@@ -1423,16 +1428,16 @@ bus_driver_handle_remove_match (DBusConnection *connection,
-   bus_match_rule_unref (rule);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  failed:
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (rule)
-     bus_match_rule_unref (rule);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_service_owner (DBusConnection *connection,
-                                    BusTransaction *transaction,
-                                    DBusMessage    *message,
-@@ -1502,7 +1507,7 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -1511,10 +1516,10 @@ bus_driver_handle_get_service_owner (DBusConnection *connection,
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (reply)
-     dbus_message_unref (reply);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_list_queued_owners (DBusConnection *connection,
-                                     BusTransaction *transaction,
-                                     DBusMessage    *message,
-@@ -1606,7 +1611,7 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -1619,10 +1624,10 @@ bus_driver_handle_list_queued_owners (DBusConnection *connection,
-   if (base_names)
-     _dbus_list_clear (&base_names);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
-                                             BusTransaction *transaction,
-                                             DBusMessage    *message,
-@@ -1679,7 +1684,7 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -1688,10 +1693,10 @@ bus_driver_handle_get_connection_unix_user (DBusConnection *connection,
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (reply)
-     dbus_message_unref (reply);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
-                                                 BusTransaction *transaction,
-                                                 DBusMessage    *message,
-@@ -1748,7 +1753,7 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -1757,10 +1762,10 @@ bus_driver_handle_get_connection_unix_process_id (DBusConnection *connection,
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (reply)
-     dbus_message_unref (reply);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
-                                             BusTransaction *transaction,
-                                             DBusMessage    *message,
-@@ -1811,7 +1816,7 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -1820,10 +1825,10 @@ bus_driver_handle_get_adt_audit_session_data (DBusConnection *connection,
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (reply)
-     dbus_message_unref (reply);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_connection_selinux_security_context (DBusConnection *connection,
-                                                          BusTransaction *transaction,
-                                                          DBusMessage    *message,
-@@ -1872,7 +1877,7 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -1881,10 +1886,10 @@ bus_driver_handle_get_connection_selinux_security_context (DBusConnection *conne
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (reply)
-     dbus_message_unref (reply);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_connection_credentials (DBusConnection *connection,
-                                               BusTransaction *transaction,
-                                               DBusMessage    *message,
-@@ -1998,7 +2003,7 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -2012,10 +2017,10 @@ bus_driver_handle_get_connection_credentials (DBusConnection *connection,
-       dbus_message_unref (reply);
-     }
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_reload_config (DBusConnection *connection,
-                                BusTransaction *transaction,
-                                DBusMessage    *message,
-@@ -2040,7 +2045,7 @@ bus_driver_handle_reload_config (DBusConnection *connection,
-     goto oom;
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -2049,11 +2054,11 @@ bus_driver_handle_reload_config (DBusConnection *connection,
-   _DBUS_ASSERT_ERROR_IS_SET (error);
-   if (reply)
-     dbus_message_unref (reply);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
- #ifdef DBUS_ENABLE_VERBOSE_MODE
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_enable_verbose (DBusConnection *connection,
-                                   BusTransaction *transaction,
-                                   DBusMessage    *message,
-@@ -2073,7 +2078,7 @@ bus_driver_handle_enable_verbose (DBusConnection *connection,
-     _dbus_set_verbose(TRUE);
-     dbus_message_unref (reply);
--    return TRUE;
-+    return BUS_RESULT_TRUE;
-    oom:
-     _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2082,10 +2087,10 @@ bus_driver_handle_enable_verbose (DBusConnection *connection,
-     if (reply)
-       dbus_message_unref (reply);
--    return FALSE;
-+    return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_disable_verbose (DBusConnection *connection,
-                                    BusTransaction *transaction,
-                                    DBusMessage    *message,
-@@ -2105,7 +2110,7 @@ bus_driver_handle_disable_verbose (DBusConnection *connection,
-     _dbus_set_verbose(FALSE);
-     dbus_message_unref (reply);
--    return TRUE;
-+    return BUS_RESULT_TRUE;
-    oom:
-     _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2114,11 +2119,11 @@ bus_driver_handle_disable_verbose (DBusConnection *connection,
-     if (reply)
-       dbus_message_unref (reply);
--    return FALSE;
-+    return BUS_RESULT_FALSE;
- }
- #endif
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_id (DBusConnection *connection,
-                           BusTransaction *transaction,
-                           DBusMessage    *message,
-@@ -2134,7 +2139,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
-   if (!_dbus_string_init (&uuid))
-     {
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   reply = NULL;
-@@ -2160,7 +2165,7 @@ bus_driver_handle_get_id (DBusConnection *connection,
-   _dbus_string_free (&uuid);
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2170,10 +2175,10 @@ bus_driver_handle_get_id (DBusConnection *connection,
-   if (reply)
-     dbus_message_unref (reply);
-   _dbus_string_free (&uuid);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_become_monitor (DBusConnection *connection,
-                                   BusTransaction *transaction,
-                                   DBusMessage    *message,
-@@ -2189,7 +2194,7 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
-   int i;
-   int n_match_rules;
-   dbus_uint32_t flags;
--  dbus_bool_t ret = FALSE;
-+  BusResult ret = BUS_RESULT_FALSE;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2262,10 +2267,10 @@ bus_driver_handle_become_monitor (DBusConnection *connection,
-   if (!bus_connection_be_monitor (connection, transaction, &rules, error))
-     goto out;
--  ret = TRUE;
-+  ret = BUS_RESULT_TRUE;
- out:
--  if (ret)
-+  if (ret == BUS_RESULT_TRUE)
-     _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-   else
-     _DBUS_ASSERT_ERROR_IS_SET (error);
-@@ -2281,7 +2286,7 @@ out:
-   return ret;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_machine_id (DBusConnection *connection,
-                                   BusTransaction *transaction,
-                                   DBusMessage *message,
-@@ -2296,7 +2301,7 @@ bus_driver_handle_get_machine_id (DBusConnection *connection,
-   if (!_dbus_string_init (&uuid))
-     {
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   if (!_dbus_get_local_machine_uuid_encoded (&uuid, error))
-@@ -2321,7 +2326,7 @@ bus_driver_handle_get_machine_id (DBusConnection *connection,
-   _dbus_string_free (&uuid);
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
- oom:
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2335,29 +2340,30 @@ fail:
-     dbus_message_unref (reply);
-   _dbus_string_free (&uuid);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_ping (DBusConnection *connection,
-                         BusTransaction *transaction,
-                         DBusMessage *message,
-                         DBusError *error)
- {
--  return bus_driver_send_ack_reply (connection, transaction, message, error);
-+  return bus_driver_send_ack_reply (connection, transaction, message, error) == TRUE
-+               ? BUS_RESULT_TRUE : BUS_RESULT_FALSE;
- }
--static dbus_bool_t bus_driver_handle_get (DBusConnection *connection,
-+static BusResult bus_driver_handle_get (DBusConnection *connection,
-                                           BusTransaction *transaction,
-                                           DBusMessage *message,
-                                           DBusError *error);
--static dbus_bool_t bus_driver_handle_get_all (DBusConnection *connection,
-+static BusResult bus_driver_handle_get_all (DBusConnection *connection,
-                                               BusTransaction *transaction,
-                                               DBusMessage *message,
-                                               DBusError *error);
--static dbus_bool_t bus_driver_handle_set (DBusConnection *connection,
-+static BusResult bus_driver_handle_set (DBusConnection *connection,
-                                           BusTransaction *transaction,
-                                           DBusMessage *message,
-                                           DBusError *error);
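Review bot: In bus_driver_handle_ping the dbus_bool_t returned by bus_driver_send_ack_reply is compared with `== TRUE` before being mapped to a BusResult, so a non-zero value other than TRUE would be reported as BUS_RESULT_FALSE. Test the value directly, `bus_driver_send_ack_reply (connection, transaction, message, error) ? BUS_RESULT_TRUE : BUS_RESULT_FALSE`, and do the same for the dbus_activation_systemd_failure call in bus_driver_handle_message, which uses the same `== TRUE` pattern on one over-long line.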
-@@ -2389,10 +2395,10 @@ typedef struct
-   const char *name;
-   const char *in_args;
-   const char *out_args;
--  dbus_bool_t (* handler) (DBusConnection *connection,
--                           BusTransaction *transaction,
--                           DBusMessage    *message,
--                           DBusError      *error);
-+  BusResult (* handler) (DBusConnection *connection,
-+                         BusTransaction *transaction,
-+                         DBusMessage    *message,
-+                         DBusError      *error);
-   MethodFlags flags;
- } MessageHandler;
-@@ -2511,7 +2517,7 @@ static const PropertyHandler dbus_property_handlers[] = {
-   { NULL, NULL, NULL }
- };
--static dbus_bool_t bus_driver_handle_introspect (DBusConnection *,
-+static BusResult bus_driver_handle_introspect (DBusConnection *,
-     BusTransaction *, DBusMessage *, DBusError *);
- static const MessageHandler properties_message_handlers[] = {
-@@ -2763,7 +2769,7 @@ bus_driver_generate_introspect_string (DBusString *xml,
-   return TRUE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_introspect (DBusConnection *connection,
-                               BusTransaction *transaction,
-                               DBusMessage    *message,
-@@ -2784,13 +2790,13 @@ bus_driver_handle_introspect (DBusConnection *connection,
-                              DBUS_TYPE_INVALID))
-     {
-       _DBUS_ASSERT_ERROR_IS_SET (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   if (!_dbus_string_init (&xml))
-     {
-       BUS_SET_OOM (error);
--      return FALSE;
-+      return BUS_RESULT_FALSE;
-     }
-   is_canonical_path = dbus_message_has_path (message, DBUS_PATH_DBUS);
-@@ -2815,7 +2821,7 @@ bus_driver_handle_introspect (DBusConnection *connection,
-   dbus_message_unref (reply);
-   _dbus_string_free (&xml);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
-  oom:
-   BUS_SET_OOM (error);
-@@ -2825,10 +2831,42 @@ bus_driver_handle_introspect (DBusConnection *connection,
-   _dbus_string_free (&xml);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
-+/*
-+ * Set @error and return FALSE if the message is not directed to the
-+ * dbus-daemon by its canonical object path. This is hardening against
-+ * system services with poorly-written security policy files, which
-+ * might allow sending dangerously broad equivalence classes of messages
-+ * such as "anything with this assumed-to-be-safe object path".
-+ *
-+ * dbus-daemon is unusual in that it normally ignores the object path
-+ * of incoming messages; we need to keep that behaviour for the "read"
-+ * read-only method calls like GetConnectionUnixUser for backwards
-+ * compatibility, but it seems safer to be more restrictive for things
-+ * intended to be root-only or privileged-developers-only.
-+ *
-+ * It is possible that there are other system services with the same
-+ * quirk as dbus-daemon.
-+ */
- dbus_bool_t
-+bus_driver_check_message_is_for_us (DBusMessage *message,
-+                                    DBusError   *error)
-+{
-+  if (!dbus_message_has_path (message, DBUS_PATH_DBUS))
-+    {
-+      dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-+          "Method '%s' is only available at the canonical object path '%s'",
-+          dbus_message_get_member (message), DBUS_PATH_DBUS);
-+
-+      return FALSE;
-+    }
-+
-+  return TRUE;
-+}
-+
-+BusResult
- bus_driver_handle_message (DBusConnection *connection,
-                            BusTransaction *transaction,
-                          DBusMessage    *message,
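Review bot: The doc comment on bus_driver_check_message_is_for_us does not name the methods it is meant to guard ("things intended to be root-only or privileged-developers-only"), and in the hunks shown here only bus_stats_handle_get_stats calls it. List the intended callers in the comment so a missing check is visible in review. The helper also keeps dbus_bool_t and FALSE while the functions around it move to BusResult; a sentence saying this is deliberate would help, and `for the "read" read-only method calls` contains a duplicated word.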
-@@ -2839,6 +2877,7 @@ bus_driver_handle_message (DBusConnection *connection,
-   const MessageHandler *mh;
-   dbus_bool_t found_interface = FALSE;
-   dbus_bool_t is_canonical_path;
-+  BusResult res;
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-@@ -2854,7 +2893,7 @@ bus_driver_handle_message (DBusConnection *connection,
-                                                   transaction,
-                                                   message,
-                                                   error))
--        return FALSE;
-+        return BUS_RESULT_FALSE;
-       context = bus_connection_get_context (connection);
-       systemd = bus_driver_get_owner_of_name (connection,
-@@ -2871,7 +2910,7 @@ bus_driver_handle_message (DBusConnection *connection,
-                            attacker ? attacker : "(unauthenticated)",
-                            bus_connection_get_loginfo (connection));
-           /* ignore it */
--          return TRUE;
-+          return BUS_RESULT_TRUE;
-         }
-       if (!bus_context_get_systemd_activation (context))
-@@ -2879,16 +2918,16 @@ bus_driver_handle_message (DBusConnection *connection,
-           bus_context_log (context, DBUS_SYSTEM_LOG_WARNING,
-                            "Ignoring unexpected ActivationFailure message "
-                            "while not using systemd activation");
--          return FALSE;
-+          return BUS_RESULT_FALSE;
-         }
--      return dbus_activation_systemd_failure(bus_context_get_activation(context), message);
-+      return dbus_activation_systemd_failure(bus_context_get_activation(context), message) == TRUE ? BUS_RESULT_TRUE : BUS_RESULT_FALSE;
-     }
-   if (dbus_message_get_type (message) != DBUS_MESSAGE_TYPE_METHOD_CALL)
-     {
-       _dbus_verbose ("Driver got a non-method-call message, ignoring\n");
--      return TRUE; /* we just ignore this */
-+      return BUS_RESULT_TRUE; /* we just ignore this */
-     }
-   /* may be NULL, which means "any interface will do" */
-@@ -2953,20 +2992,27 @@ bus_driver_handle_message (DBusConnection *connection,
-                               name, dbus_message_get_signature (message),
-                               mh->in_args);
-               _DBUS_ASSERT_ERROR_IS_SET (error);
--              return FALSE;
-+              return BUS_RESULT_FALSE;
-             }
--          if ((* mh->handler) (connection, transaction, message, error))
-+          res = (* mh->handler) (connection, transaction, message, error);
-+          if (res == BUS_RESULT_TRUE)
-             {
-               _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-               _dbus_verbose ("Driver handler succeeded\n");
--              return TRUE;
-+              return BUS_RESULT_TRUE;
-             }
--          else
-+          else if (res == BUS_RESULT_FALSE)
-             {
-               _DBUS_ASSERT_ERROR_IS_SET (error);
-               _dbus_verbose ("Driver handler returned failure\n");
--              return FALSE;
-+              return BUS_RESULT_FALSE;
-+            }
-+          else if (res == BUS_RESULT_LATER)
-+            {
-+              _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-+              _dbus_verbose ("Driver handler delayed message processing due to policy check\n");
-+              return BUS_RESULT_LATER;
-             }
-         }
-     }
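Review bot: The chain `if (res == BUS_RESULT_TRUE)` / `else if (res == BUS_RESULT_FALSE)` / `else if (res == BUS_RESULT_LATER)` after the `(* mh->handler)` call has no final branch, so a handler returning any other value leaves the block without a return and without either error assertion running. A `switch (res)` with a `default:` that asserts, or returns BUS_RESULT_FALSE with the error set, would make the three-valued result exhaustive.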
-@@ -2978,7 +3024,7 @@ bus_driver_handle_message (DBusConnection *connection,
-                   "%s does not understand message %s",
-                   DBUS_SERVICE_DBUS, name);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
- void
-@@ -3099,7 +3145,7 @@ interface_handler_find_property (const InterfaceHandler *ih,
-   return NULL;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get (DBusConnection *connection,
-                        BusTransaction *transaction,
-                        DBusMessage    *message,
-@@ -3120,18 +3166,18 @@ bus_driver_handle_get (DBusConnection *connection,
-                               DBUS_TYPE_STRING, &iface,
-                               DBUS_TYPE_STRING, &prop,
-                               DBUS_TYPE_INVALID))
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   /* We only implement Properties on /org/freedesktop/DBus so far. */
-   ih = bus_driver_find_interface (iface, TRUE, error);
-   if (ih == NULL)
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   handler = interface_handler_find_property (ih, prop, error);
-   if (handler == NULL)
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   context = bus_transaction_get_context (transaction);
-@@ -3159,17 +3205,17 @@ bus_driver_handle_get (DBusConnection *connection,
-     goto oom;
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
- oom:
-   if (reply != NULL)
-     dbus_message_unref (reply);
-   BUS_SET_OOM (error);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_get_all (DBusConnection *connection,
-                            BusTransaction *transaction,
-                            DBusMessage    *message,
-@@ -3188,13 +3234,13 @@ bus_driver_handle_get_all (DBusConnection *connection,
-   if (!dbus_message_get_args (message, error,
-                               DBUS_TYPE_STRING, &iface,
-                               DBUS_TYPE_INVALID))
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   /* We only implement Properties on /org/freedesktop/DBus so far. */
-   ih = bus_driver_find_interface (iface, TRUE, error);
-   if (ih == NULL)
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   context = bus_transaction_get_context (transaction);
-@@ -3229,7 +3275,7 @@ bus_driver_handle_get_all (DBusConnection *connection,
-     goto oom;
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
- oom_abandon_message:
-   _dbus_asv_abandon (&reply_iter, &array_iter);
-@@ -3239,10 +3285,10 @@ oom:
-     dbus_message_unref (reply);
-   BUS_SET_OOM (error);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--static dbus_bool_t
-+static BusResult
- bus_driver_handle_set (DBusConnection *connection,
-                        BusTransaction *transaction,
-                        DBusMessage    *message,
-@@ -3271,15 +3317,15 @@ bus_driver_handle_set (DBusConnection *connection,
-   ih = bus_driver_find_interface (iface, TRUE, error);
-   if (ih == NULL)
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   handler = interface_handler_find_property (ih, prop, error);
-   if (handler == NULL)
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   /* We don't implement any properties that can be set yet. */
-   dbus_set_error (error, DBUS_ERROR_PROPERTY_READ_ONLY,
-                   "Property '%s.%s' cannot be set", iface, prop);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
-diff --git a/bus/driver.h b/bus/driver.h
-index a7297ad..05e9886 100644
---- a/bus/driver.h
-+++ b/bus/driver.h
-@@ -35,7 +35,7 @@ typedef enum
- } BusDriverFound;
- void        bus_driver_remove_connection     (DBusConnection *connection);
--dbus_bool_t bus_driver_handle_message        (DBusConnection *connection,
-+BusResult   bus_driver_handle_message        (DBusConnection *connection,
-                                               BusTransaction *transaction,
-                                               DBusMessage    *message,
-                                               DBusError      *error);
-diff --git a/bus/policy.c b/bus/policy.c
-index 483cc97..f6f4d85 100644
---- a/bus/policy.c
-+++ b/bus/policy.c
-@@ -1390,18 +1390,21 @@ bus_client_policy_check_can_receive (BusClientPolicy     *policy,
--static dbus_bool_t
-+static BusResult
- bus_rules_check_can_own (DBusList *rules,
--                         const DBusString *service_name)
-+                         const DBusString *service_name,
-+                         DBusConnection   *connection,
-+                         DBusMessage      *message)
- {
-   DBusList *link;
--  dbus_bool_t allowed;
-+  BusResult result;
-+  const char *privilege;
-   
-   /* rules is in the order the rules appeared
-    * in the config file, i.e. last rule that applies wins
-    */
--  allowed = FALSE;
-+  result = BUS_RESULT_FALSE;
-   link = _dbus_list_get_first_link (&rules);
-   while (link != NULL)
-     {
-@@ -1437,17 +1440,46 @@ bus_rules_check_can_own (DBusList *rules,
-         }
-       /* Use this rule */
--      allowed = rule->access == BUS_POLICY_RULE_ACCESS_ALLOW;
-+      switch (rule->access)
-+      {
-+      case BUS_POLICY_RULE_ACCESS_ALLOW:
-+        result = BUS_RESULT_TRUE;
-+        break;
-+      default:
-+      case BUS_POLICY_RULE_ACCESS_DENY:
-+        result = BUS_RESULT_FALSE;
-+        break;
-+      case BUS_POLICY_RULE_ACCESS_CHECK:
-+        result = BUS_RESULT_LATER;
-+        privilege = rule->privilege;
-+        break;
-+      }
-     }
--  return allowed;
-+  if (result == BUS_RESULT_LATER)
-+    {
-+      BusContext *context = bus_connection_get_context(connection);
-+      BusCheck *check = bus_context_get_check(context);
-+      BusDeferredMessage *deferred_message;
-+
-+      result = bus_check_privilege(check, message, connection, NULL, NULL,
-+          privilege, BUS_DEFERRED_MESSAGE_CHECK_OWN, &deferred_message);
-+      if (result == BUS_RESULT_LATER)
-+        {
-+          bus_deferred_message_disable_sender(deferred_message);
-+        }
-+    }
-+
-+  return result;
- }
--dbus_bool_t
-+BusResult
- bus_client_policy_check_can_own (BusClientPolicy  *policy,
--                                 const DBusString *service_name)
-+                                 const DBusString *service_name,
-+                                 DBusConnection   *connection,
-+                                 DBusMessage      *message)
- {
--  return bus_rules_check_can_own (policy->rules, service_name);
-+  return bus_rules_check_can_own (policy->rules, service_name, connection, message);
- }
- #ifdef DBUS_ENABLE_EMBEDDED_TESTS
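Review bot: In the `result == BUS_RESULT_LATER` branch of bus_rules_check_can_own, `connection` goes straight into bus_connection_get_context() with no NULL check, while the embedded-test wrapper bus_policy_check_can_own calls this function with `NULL, NULL` for connection and message. A default rule set containing a `check` rule would then dereference NULL; guard the branch with `connection != NULL` or return BUS_RESULT_FALSE in that case. `privilege` and `deferred_message` are also declared without initialisers and should start as NULL, and the `default:` label sitting ahead of `case BUS_POLICY_RULE_ACCESS_DENY:` would read more clearly as the last label in the switch.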
-@@ -1455,7 +1487,7 @@ dbus_bool_t
- bus_policy_check_can_own (BusPolicy  *policy,
-                           const DBusString *service_name)
- {
--  return bus_rules_check_can_own (policy->default_rules, service_name);
-+  return bus_rules_check_can_own (policy->default_rules, service_name, NULL, NULL) == BUS_RESULT_TRUE;
- }
- #endif /* DBUS_ENABLE_EMBEDDED_TESTS */
-diff --git a/bus/policy.h b/bus/policy.h
-index f839d23..28ce8f2 100644
---- a/bus/policy.h
-+++ b/bus/policy.h
-@@ -182,8 +182,10 @@ BusResult        bus_client_policy_check_can_receive (BusClientPolicy  *policy,
-                                                       dbus_int32_t     *toggles,
-                                                       const char      **privilege_param,
-                                                       BusDeferredMessage **deferred_message);
--dbus_bool_t      bus_client_policy_check_can_own     (BusClientPolicy  *policy,
--                                                      const DBusString *service_name);
-+BusResult        bus_client_policy_check_can_own     (BusClientPolicy  *policy,
-+                                                      const DBusString *service_name,
-+                                                      DBusConnection   *connection,
-+                                                      DBusMessage      *message);
- dbus_bool_t      bus_client_policy_append_rule       (BusClientPolicy  *policy,
-                                                       BusPolicyRule    *rule);
- void             bus_client_policy_optimize          (BusClientPolicy  *policy);
-diff --git a/bus/services.c b/bus/services.c
-index 127edda..586af18 100644
---- a/bus/services.c
-+++ b/bus/services.c
-@@ -376,16 +376,17 @@ bus_registry_list_services (BusRegistry *registry,
-   return FALSE;
- }
--dbus_bool_t
-+BusResult
- bus_registry_acquire_service (BusRegistry      *registry,
-                               DBusConnection   *connection,
-+                              DBusMessage      *message,
-                               const DBusString *service_name,
-                               dbus_uint32_t     flags,
-                               dbus_uint32_t    *result,
-                               BusTransaction   *transaction,
-                               DBusError        *error)
- {
--  dbus_bool_t retval;
-+  BusResult retval;
-   DBusConnection *old_owner_conn;
-   BusClientPolicy *policy;
-   BusService *service;
-@@ -393,8 +394,9 @@ bus_registry_acquire_service (BusRegistry      *registry,
-   BusSELinuxID *sid;
-   BusOwner *primary_owner;
-   int limit;
-+  BusResult res;
--  retval = FALSE;
-+  retval = BUS_RESULT_FALSE;
-   if (!_dbus_validate_bus_name (service_name, 0,
-                                 _dbus_string_get_length (service_name)))
-@@ -467,7 +469,8 @@ bus_registry_acquire_service (BusRegistry      *registry,
-                                             _dbus_string_get_const_data (service_name), error))
-     goto out;
-   
--  if (!bus_client_policy_check_can_own (policy, service_name))
-+  res = bus_client_policy_check_can_own (policy, service_name, connection, message);
-+  if (res == BUS_RESULT_FALSE)
-     {
-       dbus_set_error (error, DBUS_ERROR_ACCESS_DENIED,
-                       "Connection \"%s\" is not allowed to own the service \"%s\" due "
-@@ -478,6 +481,11 @@ bus_registry_acquire_service (BusRegistry      *registry,
-                       _dbus_string_get_const_data (service_name));
-       goto out;
-     }
-+  else if (res == BUS_RESULT_LATER)
-+    {
-+      retval = BUS_RESULT_LATER;
-+      goto out;
-+    }
-   limit = bus_context_get_max_services_per_connection (registry->context);
-@@ -603,11 +611,13 @@ bus_registry_acquire_service (BusRegistry      *registry,
-     }
-   activation = bus_context_get_activation (registry->context);
--  retval = bus_activation_send_pending_auto_activation_messages (activation,
-+  
-+  if (bus_activation_send_pending_auto_activation_messages (activation,
-                                                                service,
--                                                               transaction);
--  if (!retval)
--    BUS_SET_OOM (error);
-+                                                               transaction))
-+      retval = BUS_RESULT_TRUE;
-+  else
-+      BUS_SET_OOM (error);
-   
-  out:
-   return retval;
-diff --git a/bus/services.h b/bus/services.h
-index 056dd9f..3df3dd7 100644
---- a/bus/services.h
-+++ b/bus/services.h
-@@ -50,8 +50,9 @@ void         bus_registry_foreach         (BusRegistry                 *registry
- dbus_bool_t  bus_registry_list_services   (BusRegistry                 *registry,
-                                            char                      ***listp,
-                                            int                         *array_len);
--dbus_bool_t  bus_registry_acquire_service (BusRegistry                 *registry,
-+BusResult    bus_registry_acquire_service (BusRegistry                 *registry,
-                                            DBusConnection              *connection,
-+                                           DBusMessage                 *message,
-                                            const DBusString            *service_name,
-                                            dbus_uint32_t                flags,
-                                            dbus_uint32_t               *result,
-diff --git a/bus/stats.c b/bus/stats.c
-index 1582255..c25be98 100644
---- a/bus/stats.c
-+++ b/bus/stats.c
-@@ -36,7 +36,7 @@
- #ifdef DBUS_ENABLE_STATS
--dbus_bool_t
-+BusResult
- bus_stats_handle_get_stats (DBusConnection *connection,
-                             BusTransaction *transaction,
-                             DBusMessage    *message,
-@@ -51,6 +51,9 @@ bus_stats_handle_get_stats (DBusConnection *connection,
-   _DBUS_ASSERT_ERROR_IS_CLEAR (error);
-+  if (!bus_driver_check_message_is_for_us (message, error))
-+    return BUS_RESULT_FALSE;
-+
-   context = bus_transaction_get_context (transaction);
-   connections = bus_context_get_connections (context);
-@@ -104,17 +107,17 @@ bus_stats_handle_get_stats (DBusConnection *connection,
-     goto oom;
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
- oom:
-   if (reply != NULL)
-     dbus_message_unref (reply);
-   BUS_SET_OOM (error);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--dbus_bool_t
-+BusResult
- bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
-                                        BusTransaction *transaction,
-                                        DBusMessage    *message,
-@@ -209,7 +212,7 @@ bus_stats_handle_get_connection_stats (DBusConnection *caller_connection,
-     goto oom;
-   dbus_message_unref (reply);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
- oom:
-   BUS_SET_OOM (error);
-@@ -218,11 +221,11 @@ failed:
-   if (reply != NULL)
-     dbus_message_unref (reply);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
--dbus_bool_t
-+BusResult
- bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
-                                       BusTransaction *transaction,
-                                       DBusMessage    *message,
-@@ -246,7 +249,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
-   matchmaker = bus_context_get_matchmaker (context);
-   if (!bus_registry_list_services (registry, &services, &services_len))
--    return FALSE;
-+    return BUS_RESULT_FALSE;
-   reply = dbus_message_new_method_return (message);
-   if (reply == NULL)
-@@ -325,7 +328,7 @@ bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
-   dbus_message_unref (reply);
-   dbus_free_string_array (services);
--  return TRUE;
-+  return BUS_RESULT_TRUE;
- oom:
-   if (reply != NULL)
-@@ -334,7 +337,7 @@ oom:
-   dbus_free_string_array (services);
-   BUS_SET_OOM (error);
--  return FALSE;
-+  return BUS_RESULT_FALSE;
- }
- #endif
-diff --git a/bus/stats.h b/bus/stats.h
-index dcb022c..683fa17 100644
---- a/bus/stats.h
-+++ b/bus/stats.h
-@@ -25,17 +25,17 @@
- #define BUS_INTERFACE_STATS "org.freedesktop.DBus.Debug.Stats"
--dbus_bool_t bus_stats_handle_get_stats (DBusConnection *connection,
-+BusResult bus_stats_handle_get_stats (DBusConnection *connection,
-                                         BusTransaction *transaction,
-                                         DBusMessage    *message,
-                                         DBusError      *error);
--dbus_bool_t bus_stats_handle_get_connection_stats (DBusConnection *connection,
-+BusResult bus_stats_handle_get_connection_stats (DBusConnection *connection,
-                                                    BusTransaction *transaction,
-                                                    DBusMessage    *message,
-                                                    DBusError      *error);
--dbus_bool_t bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
-+BusResult bus_stats_handle_get_all_match_rules (DBusConnection *caller_connection,
-                                                   BusTransaction *transaction,
-                                                   DBusMessage    *message,
-                                                   DBusError      *error);
--- 
-2.21.1
-
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch b/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0005-Perform-Cynara-runtime-policy-checks-by-default.patch
deleted file mode 100644 (file)
index 5f7e96a..0000000
+++ /dev/null
@@ -1,180 +0,0 @@
-From 1f7ba56c9ced669951061d13b06e31d96a170e37 Mon Sep 17 00:00:00 2001
-From: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-Date: Tue, 23 Jun 2015 11:08:48 +0200
-Subject: [PATCH 5/8] Perform Cynara runtime policy checks by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This change introduces http://tizen.org/privilege/internal/dbus privilege
-which is supposed to be available only to trusted system resources.
-Checks for this privilege are used in place of certain allow rules to
-make security policy more strict.
-
-For system bus sending and receiving signals now requires
-http://tizen.org/privilege/internal/dbus privilege. Requesting name
-ownership and sending methods is still denied by default.
-
-For session bus http://tizen.org/privilege/internal/dbus privilege
-is now required for requesting name, calling methods, sending and receiving
-signals.
-
-Services are supposed to override these default settings to implement their
-own security policy.
-
-Cherry picked from e8610297cf7031e94eb314a2e8c11246f4405403 by Jose Bollo
-
-Updated for dbus 1.10.20 by Scott Murray and José Bollo
-
-Signed-off-by: Jacek Bukarewicz <j.bukarewicz@samsung.com>
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- bus/activation.c    | 42 ++++++++++++++++++++++++++----------------
- bus/session.conf.in | 32 ++++++++++++++++++++++++++------
- bus/system.conf.in  | 19 +++++++++++++++----
- 3 files changed, 67 insertions(+), 26 deletions(-)
-
-diff --git a/bus/activation.c b/bus/activation.c
-index d4b597c..8aabeaa 100644
---- a/bus/activation.c
-+++ b/bus/activation.c
-@@ -1840,22 +1840,32 @@ bus_activation_activate_service (BusActivation  *activation,
-     }
-   if (auto_activation &&
--      entry != NULL &&
--      BUS_RESULT_TRUE != bus_context_check_security_policy (activation->context,
--        transaction,
--        connection, /* sender */
--        NULL, /* addressed recipient */
--        NULL, /* proposed recipient */
--        activation_message,
--        entry,
--        error,
--        NULL))
--    {
--      _DBUS_ASSERT_ERROR_IS_SET (error);
--      _dbus_verbose ("activation not authorized: %s: %s\n",
--          error != NULL ? error->name : "(error ignored)",
--          error != NULL ? error->message : "(error ignored)");
--      return FALSE;
-+      entry != NULL)
-+   {
-+      BusResult result;
-+
-+      result = bus_context_check_security_policy (activation->context,
-+                      transaction,
-+                      connection, /* sender */
-+                      NULL, /* addressed recipient */
-+                      NULL, /* proposed recipient */
-+                      activation_message,
-+                      entry,
-+                      error,
-+                      NULL);
-+      if (result == BUS_RESULT_FALSE)
-+        {
-+          _DBUS_ASSERT_ERROR_IS_SET (error);
-+          _dbus_verbose ("activation not authorized: %s: %s\n",
-+              error != NULL ? error->name : "(error ignored)",
-+              error != NULL ? error->message : "(error ignored)");
-+          return FALSE;
-+        }
-+      if (result == BUS_RESULT_LATER)
-+        {
-+          /* TODO */
-+          _dbus_verbose ("ALERT FIX ME!!!!!!!!!!!!!!!");
-+        }
-     }
-   /* Bypass the registry lookup if we're auto-activating, bus_dispatch would not
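Review bot: The `result == BUS_RESULT_LATER` branch in bus_activation_activate_service only logs "ALERT FIX ME" under a TODO and then falls out of the block, so an auto-activation whose policy check is still pending continues exactly as one that returned BUS_RESULT_TRUE. Until deferral is implemented here the branch should fail closed: set the error and `return FALSE` as the BUS_RESULT_FALSE branch does. The `_dbus_verbose` string in that branch is also missing its trailing "\n".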
-diff --git a/bus/session.conf.in b/bus/session.conf.in
-index affa7f1..157dfb4 100644
---- a/bus/session.conf.in
-+++ b/bus/session.conf.in
-@@ -27,12 +27,32 @@
-   <standard_session_servicedirs />
-   <policy context="default">
--    <!-- Allow everything to be sent -->
--    <allow send_destination="*" eavesdrop="true"/>
--    <!-- Allow everything to be received -->
--    <allow eavesdrop="true"/>
--    <!-- Allow anyone to own anything -->
--    <allow own="*"/>
-+    <!-- By default clients require internal/dbus privilege to communicate
-+         with D-Bus services and to claim name ownership. This is internal privilege that
-+         is only accessible to trusted system services -->
-+    <check own="*"                  privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check send_type="method_call"  privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
-+
-+    <!-- Reply messages (method returns, errors) are allowed
-+         by default -->
-+    <allow send_requested_reply="true" send_type="method_return"/>
-+    <allow send_requested_reply="true" send_type="error"/>
-+
-+    <!-- All messages but signals may be received by default -->
-+    <allow receive_type="method_call"/>
-+    <allow receive_type="method_return"/>
-+    <allow receive_type="error"/>
-+
-+    <!-- Allow anyone to talk to the message bus -->
-+    <allow send_destination="org.freedesktop.DBus"/>
-+    <allow receive_sender="org.freedesktop.DBus"/>
-+
-+    <!-- But disallow some specific bus services -->
-+    <deny send_destination="org.freedesktop.DBus"
-+          send_interface="org.freedesktop.DBus"
-+          send_member="UpdateActivationEnvironment"/>
-   </policy>
-   <!-- Include legacy configuration location -->
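Review bot: The new default session policy depends on rule order, which the added comments never state: `<allow send_destination="org.freedesktop.DBus"/>` only overrides `<check send_type="method_call" .../>` because it comes later, and the `<deny ... send_member="UpdateActivationEnvironment"/>` only holds because it comes last. Add a comment saying that the last matching rule wins and that these blocks must keep this order. The comments should also say that the removed `eavesdrop="true"` allow rules have no replacement, so eavesdropping is no longer permitted by default.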
-diff --git a/bus/system.conf.in b/bus/system.conf.in
-index f139b55..19d0c04 100644
---- a/bus/system.conf.in
-+++ b/bus/system.conf.in
-@@ -50,17 +50,20 @@
-     <deny own="*"/>
-     <deny send_type="method_call"/>
--    <!-- Signals and reply messages (method returns, errors) are allowed
-+    <!-- By default clients require internal/dbus privilege to send and receive signaks.
-+         This is internal privilege that is only accessible to trusted system services -->
-+    <check send_type="signal"       privilege="http://tizen.org/privilege/internal/dbus" />
-+    <check receive_type="signal"    privilege="http://tizen.org/privilege/internal/dbus" />
-+
-+    <!-- Reply messages (method returns, errors) are allowed
-          by default -->
--    <allow send_type="signal"/>
-     <allow send_requested_reply="true" send_type="method_return"/>
-     <allow send_requested_reply="true" send_type="error"/>
--    <!-- All messages may be received by default -->
-+    <!-- All messages but signals may be received by default -->
-     <allow receive_type="method_call"/>
-     <allow receive_type="method_return"/>
-     <allow receive_type="error"/>
--    <allow receive_type="signal"/>
-     <!-- Allow anyone to talk to the message bus -->
-     <allow send_destination="org.freedesktop.DBus"
-@@ -69,6 +72,14 @@
-            send_interface="org.freedesktop.DBus.Introspectable"/>
-     <allow send_destination="org.freedesktop.DBus"
-            send_interface="org.freedesktop.DBus.Properties"/>
-+    <!-- If there is a need specific bus services could be protected by Cynara as well.
-+         However, this can lead to deadlock during the boot process when such check is made and
-+         Cynara is not yet activated (systemd calls protected method synchronously,
-+         dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
-+         Therefore it is advised to allow root processes to use bus services.
-+         Currently anyone is allowed to talk to the message bus -->
-+    <allow receive_sender="org.freedesktop.DBus"/>
-+
-     <!-- But disallow some specific bus services -->
-     <deny send_destination="org.freedesktop.DBus"
-           send_interface="org.freedesktop.DBus"
--- 
-2.21.1
-
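Review bot: The commit message does not say what takes over from the `<check ... privilege="http://tizen.org/privilege/internal/dbus" />` rules that disappear with this file. In the session policy they replaced `<allow own="*"/>`, and in bus/system.conf.in they replaced `<allow send_type="signal"/>` and `<allow receive_type="signal"/>`. Please state which component in the new framework restricts name ownership and signal traffic on the bus, and confirm that no policy file left in the remaining layers still uses a `<check>` element that depends on this patch series. The boot deadlock described in the system.conf.in comment (systemd calling a protected method before the policy service is activated) is also worth carrying into the new design notes, because any replacement that consults an external policy daemon from dbus-daemon has the same ordering problem.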
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0006-Fix-SIGSEGV-on-disconnections.patch b/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0006-Fix-SIGSEGV-on-disconnections.patch
deleted file mode 100644 (file)
index e51ad7c..0000000
+++ /dev/null
@@ -1,109 +0,0 @@
-From 28077faa11827e1ca7a7245ffd62ee78091b6bd2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 16 Aug 2019 13:29:23 +0200
-Subject: [PATCH 6/8] Fix SIGSEGV on disconnections
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sometime, at start of the system, dbus-daemon was crashing
-because a pending authorisation were reactivating a closed
-connection.
-
-Also, clean unused function.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/check.c      |  5 +++++
- bus/check.h      |  1 +
- bus/connection.c | 14 +++-----------
- bus/connection.h |  3 ---
- 4 files changed, 9 insertions(+), 14 deletions(-)
-
-diff --git a/bus/check.c b/bus/check.c
-index f3d283f..b73d08b 100644
---- a/bus/check.c
-+++ b/bus/check.c
-@@ -617,3 +617,8 @@ bus_deferred_message_response_received (BusDeferredMessage *deferred_message,
-     }
- }
-+void
-+bus_deferred_message_abort (BusDeferredMessage *deferred_message)
-+{
-+  deferred_message->response_callback = NULL;
-+}
-diff --git a/bus/check.h b/bus/check.h
-index 9c13c18..d718a69 100644
---- a/bus/check.h
-+++ b/bus/check.h
-@@ -93,6 +93,7 @@ void                bus_deferred_message_set_policy_check_info (BusDeferredMessa
-                                                                 const char *privilege);
- dbus_bool_t         bus_deferred_message_check_message_limits (BusDeferredMessage *deferred_message,
-                                                                DBusError *error);
-+void                bus_deferred_message_abort                (BusDeferredMessage *deferred_message);
- #ifdef DBUS_ENABLE_EMBEDDED_TESTS
-diff --git a/bus/connection.c b/bus/connection.c
-index ee93384..b520d57 100644
---- a/bus/connection.c
-+++ b/bus/connection.c
-@@ -47,6 +47,7 @@
- #define MAX_LOG_COMMAND_LEN 50
- static void bus_connection_remove_transactions (DBusConnection *connection);
-+static void bus_connection_clear_deferred_messages (DBusConnection *connection);
- typedef struct
- {
-@@ -2821,17 +2822,7 @@ bus_connection_pop_deferred_message (DBusConnection *connection)
-   return NULL;
- }
--dbus_bool_t
--bus_connection_putback_deferred_message (DBusConnection *connection, BusDeferredMessage *message)
--{
--  BusConnectionData *d = BUS_CONNECTION_DATA(connection);
--  if (_dbus_list_prepend(&d->deferred_messages, message))
--    {
--      return TRUE;
--    }
--  return FALSE;
--}
--
-+static
- void
- bus_connection_clear_deferred_messages (DBusConnection *connection)
- {
-@@ -2846,6 +2837,7 @@ bus_connection_clear_deferred_messages (DBusConnection *connection)
-       next = _dbus_list_get_next_link (&d->deferred_messages, link);
-       message = link->data;
-+      bus_deferred_message_abort(message);
-       bus_deferred_message_unref(message);
-       _dbus_list_remove_link(&d->deferred_messages, link);
-diff --git a/bus/connection.h b/bus/connection.h
-index 97dae96..6af7bf1 100644
---- a/bus/connection.h
-+++ b/bus/connection.h
-@@ -90,15 +90,12 @@ dbus_bool_t         bus_connection_queue_deferred_message   (DBusConnection *con
-                                                              BusDeferredMessage *message,
-                                                              dbus_bool_t prepend);
- BusDeferredMessage *bus_connection_pop_deferred_message     (DBusConnection *connection);
--dbus_bool_t         bus_connection_putback_deferred_message (DBusConnection *connection,
--                                                             BusDeferredMessage *message);
- void                bus_connection_remove_deferred_message  (DBusConnection *connection,
-                                                              BusDeferredMessage *message);
- dbus_bool_t         bus_connection_replace_deferred_message (DBusConnection *connection,
-                                                              BusDeferredMessage *oldMessage,
-                                                              BusDeferredMessage *newMessage);
- void                bus_connection_dispatch_deferred        (DBusConnection *connection);
--void                bus_connection_clear_deferred_messages  (DBusConnection *connection);
- /* called by signals.c */
--- 
-2.21.1
-
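Review bot: `bus_deferred_message_abort()` in bus/check.c only sets `response_callback` to NULL, so the crash fix holds only if `bus_deferred_message_response_received()` tests that pointer before calling it, and that test is not in the lines shown here. In `bus_connection_clear_deferred_messages()` the abort is followed directly by `bus_deferred_message_unref(message)`, so a check still in flight must hold its own reference to the message until its answer arrives. Because this change deletes the fix along with the rest of the recipe, please confirm that nothing left in the tree still builds dbus-daemon with deferred policy checks but without this patch.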
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch b/meta-app-framework/recipes-core/dbus-cynagora/dbus-cynagora/0007-Switch-from-cynara-to-cynagora.patch
deleted file mode 100644 (file)
index 7a69efc..0000000
+++ /dev/null
@@ -1,1048 +0,0 @@
-From 43cc361a5c32c81c0f93451bdb0ef781cd19a1cb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Tue, 4 Feb 2020 12:23:36 +0100
-Subject: [PATCH 7/8] Switch from cynara to cynagora
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- bus/Makefile.am                    |   8 +-
- bus/bus.h                          |   2 +-
- bus/check.c                        |  26 +-
- bus/check.h                        |   2 +-
- bus/connection.c                   |  27 ---
- bus/connection.h                   |   3 -
- bus/cynagora-check.c               | 330 +++++++++++++++++++++++++
- bus/{cynara.h => cynagora-check.h} |  10 +-
- bus/cynara.c                       | 373 -----------------------------
- bus/system.conf.in                 |   6 +-
- configure.ac                       |  18 +-
- 11 files changed, 366 insertions(+), 439 deletions(-)
- create mode 100644 bus/cynagora-check.c
- rename bus/{cynara.h => cynagora-check.h} (81%)
- delete mode 100644 bus/cynara.c
-
-diff --git a/bus/Makefile.am b/bus/Makefile.am
-index 2a8a72c..1720048 100644
---- a/bus/Makefile.am
-+++ b/bus/Makefile.am
-@@ -13,7 +13,7 @@ DBUS_BUS_LIBS = \
-       $(THREAD_LIBS) \
-       $(ADT_LIBS) \
-       $(NETWORK_libs) \
--      $(CYNARA_LIBS) \
-+      $(CYNAGORA_LIBS) \
-       $(NULL)
- DBUS_LAUNCHER_LIBS = \
-@@ -31,7 +31,7 @@ AM_CPPFLAGS = \
-       $(APPARMOR_CFLAGS) \
-       -DDBUS_SYSTEM_CONFIG_FILE=\""$(dbusdatadir)/system.conf"\" \
-       -DDBUS_COMPILATION \
--      $(CYNARA_CFLAGS) \
-+      $(CYNAGORA_CFLAGS) \
-       $(NULL)
- # if assertions are enabled, improve backtraces
-@@ -101,8 +101,8 @@ BUS_SOURCES=                                       \
-       config-parser-common.h                  \
-       connection.c                            \
-       connection.h                            \
--      cynara.c                                \
--      cynara.h                                \
-+      cynagora-check.c                        \
-+      cynagora-check.h                        \
-       desktop-file.c                          \
-       desktop-file.h                          \
-       $(DIR_WATCH_SOURCE)                     \
-diff --git a/bus/bus.h b/bus/bus.h
-index 1b08f7c..e167d9e 100644
---- a/bus/bus.h
-+++ b/bus/bus.h
-@@ -47,7 +47,7 @@ typedef struct BusMatchRule     BusMatchRule;
- typedef struct BusActivationEntry BusActivationEntry;
- typedef struct BusCheck         BusCheck;
- typedef struct BusDeferredMessage BusDeferredMessage;
--typedef struct BusCynara        BusCynara;
-+typedef struct BusCynagora        BusCynagora;
- /**
-  * BusResult is defined as a pointer to a dummy structure to allow detection of type mismatches.
-diff --git a/bus/check.c b/bus/check.c
-index b73d08b..ec30770 100644
---- a/bus/check.c
-+++ b/bus/check.c
-@@ -26,7 +26,7 @@
- #include "check.h"
- #include "connection.h"
- #include "dispatch.h"
--#include "cynara.h"
-+#include "cynagora-check.h"
- #include "utils.h"
- #include <dbus/dbus-connection-internal.h>
- #include <dbus/dbus-message-internal.h>
-@@ -38,7 +38,7 @@ typedef struct BusCheck
-   int refcount;
-   BusContext *context;
--  BusCynara *cynara;
-+  BusCynagora *cynagora;
- } BusCheck;
- typedef struct BusDeferredMessage
-@@ -81,7 +81,7 @@ bus_check_new (BusContext *context, DBusError *error)
-   check->refcount = 1;
-   check->context = context;
--  check->cynara = bus_cynara_new(check, error);
-+  check->cynagora = bus_cynagora_new(check, error);
-   if (dbus_error_is_set(error))
-     {
-       dbus_message_free_data_slot(&deferred_message_data_slot);
-@@ -110,7 +110,7 @@ bus_check_unref (BusCheck *check)
-   if (check->refcount == 0)
-     {
--      bus_cynara_unref(check->cynara);
-+      bus_cynagora_unref(check->cynagora);
-       dbus_message_free_data_slot(&deferred_message_data_slot);
-       dbus_free(check);
-     }
-@@ -122,10 +122,10 @@ bus_check_get_context (BusCheck *check)
-   return check->context;
- }
--BusCynara *
--bus_check_get_cynara (BusCheck *check)
-+BusCynagora *
-+bus_check_get_cynagora (BusCheck *check)
- {
--  return check->cynara;
-+  return check->cynagora;
- }
- static void
-@@ -276,8 +276,8 @@ bus_check_privilege (BusCheck *check,
- {
-   BusDeferredMessage *previous_deferred_message;
-   BusResult result = BUS_RESULT_FALSE;
--#ifdef DBUS_ENABLE_CYNARA
--  BusCynara *cynara;
-+#ifdef DBUS_ENABLE_CYNAGORA
-+  BusCynagora *cynagora;
- #endif
-   DBusConnection *connection;
-@@ -304,7 +304,7 @@ bus_check_privilege (BusCheck *check,
-            * Message has been deferred due to receive or own rule which means that sending this message
-            * is allowed - it must have been checked previously.
-            * This might happen when client calls RequestName method which depending on security
--           * policy might result in both "can_send" and "can_own" Cynara checks.
-+           * policy might result in both "can_send" and "can_own" Cynagora checks.
-            */
-           result = BUS_RESULT_TRUE;
-         }
-@@ -327,9 +327,9 @@ bus_check_privilege (BusCheck *check,
-   else
-     {
-       /* ask policy checkers */
--#ifdef DBUS_ENABLE_CYNARA
--      cynara = bus_check_get_cynara(check);
--      result = bus_cynara_check_privilege(cynara, message, sender, addressed_recipient,
-+#ifdef DBUS_ENABLE_CYNAGORA
-+      cynagora = bus_check_get_cynagora(check);
-+      result = bus_cynagora_check_privilege(cynagora, message, sender, addressed_recipient,
-           proposed_recipient, privilege, check_type, deferred_message);
- #endif
-       if (result == BUS_RESULT_LATER && deferred_message != NULL)
-diff --git a/bus/check.h b/bus/check.h
-index d718a69..ab63c18 100644
---- a/bus/check.h
-+++ b/bus/check.h
-@@ -45,7 +45,7 @@ BusCheck   *bus_check_ref         (BusCheck *check);
- void        bus_check_unref       (BusCheck *check);
- BusContext *bus_check_get_context (BusCheck *check);
--BusCynara  *bus_check_get_cynara  (BusCheck *check);
-+BusCynagora  *bus_check_get_cynagora  (BusCheck *check);
- BusResult   bus_check_privilege   (BusCheck *check,
-                                    DBusMessage *message,
-                                    DBusConnection *sender,
-diff --git a/bus/connection.c b/bus/connection.c
-index b520d57..48910e0 100644
---- a/bus/connection.c
-+++ b/bus/connection.c
-@@ -38,10 +38,6 @@
- #include <dbus/dbus-connection-internal.h>
- #include <dbus/dbus-internals.h>
- #include <dbus/dbus-message-internal.h>
--#ifdef DBUS_ENABLE_CYNARA
--#include <stdlib.h>
--#include <cynara-session.h>
--#endif
- /* Trim executed commands to this length; we want to keep logs readable */
- #define MAX_LOG_COMMAND_LEN 50
-@@ -124,9 +120,6 @@ typedef struct
-   /** non-NULL if and only if this is a monitor */
-   DBusList *link_in_monitors;
--#ifdef DBUS_ENABLE_CYNARA
--  char *cynara_session_id;
--#endif
- } BusConnectionData;
- static dbus_bool_t bus_pending_reply_expired (BusExpireList *list,
-@@ -461,10 +454,6 @@ free_connection_data (void *data)
-   
-   dbus_free (d->name);
-   
--#ifdef DBUS_ENABLE_CYNARA
--  free (d->cynara_session_id);
--#endif
--
-   dbus_free (d);
- }
-@@ -1095,22 +1084,6 @@ bus_connection_get_policy (DBusConnection *connection)
-   return d->policy;
- }
--#ifdef DBUS_ENABLE_CYNARA
--const char *bus_connection_get_cynara_session_id (DBusConnection *connection)
--{
--  BusConnectionData *d = BUS_CONNECTION_DATA (connection);
--  _dbus_assert (d != NULL);
--
--  if (d->cynara_session_id == NULL)
--    {
--      unsigned long pid;
--      if (dbus_connection_get_unix_process_id(connection, &pid))
--        d->cynara_session_id = cynara_session_from_pid(pid);
--    }
--  return d->cynara_session_id;
--}
--#endif
--
- static dbus_bool_t
- foreach_active (BusConnections               *connections,
-                 BusConnectionForeachFunction  function,
-diff --git a/bus/connection.h b/bus/connection.h
-index 6af7bf1..3116bcf 100644
---- a/bus/connection.h
-+++ b/bus/connection.h
-@@ -138,9 +138,6 @@ dbus_bool_t bus_connection_be_monitor (DBusConnection  *connection,
-                                        BusTransaction  *transaction,
-                                        DBusList       **rules,
-                                        DBusError       *error);
--#ifdef DBUS_ENABLE_CYNARA
--const char *bus_connection_get_cynara_session_id (DBusConnection *connection);
--#endif
- /* transaction API so we can send or not send a block of messages as a whole */
-diff --git a/bus/cynagora-check.c b/bus/cynagora-check.c
-new file mode 100644
-index 0000000..6c0c635
---- /dev/null
-+++ b/bus/cynagora-check.c
-@@ -0,0 +1,330 @@
-+/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
-+/* cynagora.c  Cynagora runtime privilege checking
-+ *
-+ * Copyright (c) 2014 Samsung Electronics, Ltd.
-+ *
-+ * Licensed under the Academic Free License version 2.1
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-+ *
-+ */
-+
-+#include <config.h>
-+#include "cynagora-check.h"
-+#include "check.h"
-+#include "utils.h"
-+
-+#include <stdlib.h>
-+#include <stdio.h>
-+#include <errno.h>
-+
-+#include <dbus/dbus.h>
-+#include <dbus/dbus-watch.h>
-+#include <dbus/dbus-connection-internal.h>
-+#include <bus/connection.h>
-+
-+#ifndef DBUS_ENABLE_CYNAGORA
-+
-+BusCynagora *
-+bus_cynagora_new(BusCheck *check, DBusError *error)
-+{
-+  return NULL;
-+}
-+
-+BusCynagora *
-+bus_cynagora_ref (BusCynagora *cynagora)
-+{
-+  return NULL;
-+}
-+
-+void
-+bus_cynagora_unref (BusCynagora *cynagora)
-+{
-+}
-+
-+BusResult
-+bus_cynagora_check_privilege (BusCynagora *cynagora,
-+                            DBusMessage *message,
-+                            DBusConnection *sender,
-+                            DBusConnection *addressed_recipient,
-+                            DBusConnection *proposed_recipient,
-+                            const char *privilege,
-+                            BusDeferredMessageStatus check_type,
-+                            BusDeferredMessage **deferred_message_param)
-+{
-+  return BUS_RESULT_FALSE;
-+}
-+
-+#endif
-+
-+#ifdef DBUS_ENABLE_CYNAGORA
-+
-+#include <time.h>
-+#include <sys/epoll.h>
-+
-+#include <cynagora.h>
-+
-+#ifndef CYNAGORA_CACHE_SIZE
-+#define CYNAGORA_CACHE_SIZE 8000
-+#endif
-+
-+typedef struct BusCynagora
-+{
-+  int refcount;
-+
-+  BusContext   *context;
-+  BusCheck     *check;
-+  cynagora_t   *cynagora;
-+  DBusWatch    *cynagora_watch;
-+} BusCynagora;
-+
-+static int async_callback(void *closure,
-+                          int op,
-+                          int fd,
-+                          uint32_t events);
-+
-+BusCynagora *
-+bus_cynagora_new(BusCheck *check, DBusError *error)
-+{
-+  BusContext *context;
-+  BusCynagora *cynagora;
-+  int ret;
-+
-+  cynagora = dbus_new(BusCynagora, 1);
-+  if (cynagora == NULL)
-+    {
-+      BUS_SET_OOM(error);
-+      return NULL;
-+    }
-+
-+  context = bus_check_get_context(check);
-+
-+  cynagora->refcount = 1;
-+  cynagora->check = check;
-+  cynagora->context = context;
-+  cynagora->cynagora_watch = NULL;
-+
-+  ret = cynagora_create(&cynagora->cynagora, cynagora_Check, CYNAGORA_CACHE_SIZE, NULL);
-+  if (ret < 0)
-+    {
-+      dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynagora configuration");
-+    }
-+  else
-+    {
-+      ret = cynagora_async_setup(cynagora->cynagora, async_callback, cynagora);
-+      if (ret < 0)
-+        {
-+          dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynagora client");
-+        }
-+        else
-+        {
-+          return cynagora;
-+        }
-+        cynagora_destroy(cynagora->cynagora);
-+    }
-+
-+  dbus_free(cynagora);
-+  return NULL;
-+}
-+
-+BusCynagora *
-+bus_cynagora_ref (BusCynagora *cynagora)
-+{
-+  _dbus_assert (cynagora->refcount > 0);
-+  cynagora->refcount += 1;
-+
-+  return cynagora;
-+}
-+
-+void
-+bus_cynagora_unref (BusCynagora *cynagora)
-+{
-+  _dbus_assert (cynagora->refcount > 0);
-+
-+  cynagora->refcount -= 1;
-+
-+  if (cynagora->refcount == 0)
-+    {
-+      cynagora_destroy(cynagora->cynagora);
-+      dbus_free(cynagora);
-+    }
-+}
-+
-+static void
-+async_check_callback (void *closure, int status)
-+{
-+  BusDeferredMessage *deferred_message = closure;
-+  BusResult result;
-+
-+  if (deferred_message == NULL)
-+    return;
-+
-+  if (status == 1)
-+    result = BUS_RESULT_TRUE;
-+  else
-+    result = BUS_RESULT_FALSE;
-+
-+  bus_deferred_message_response_received(deferred_message, result);
-+  bus_deferred_message_unref(deferred_message);
-+}
-+
-+BusResult
-+bus_cynagora_check_privilege (BusCynagora *cynagora,
-+                            DBusMessage *message,
-+                            DBusConnection *sender,
-+                            DBusConnection *addressed_recipient,
-+                            DBusConnection *proposed_recipient,
-+                            const char *permission,
-+                            BusDeferredMessageStatus check_type,
-+                            BusDeferredMessage **deferred_message_param)
-+{
-+  int result;
-+  unsigned long uid;
-+  unsigned long pid;
-+  char *label;
-+  char user[32];
-+  char session[32];
-+  DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
-+  BusDeferredMessage *deferred_message;
-+  BusResult ret;
-+  cynagora_key_t key;
-+
-+  _dbus_assert(connection != NULL);
-+
-+  if (dbus_connection_get_unix_user(connection, &uid) == FALSE)
-+      return BUS_RESULT_FALSE;
-+
-+  if (dbus_connection_get_unix_process_id(connection, &pid) == FALSE)
-+      return BUS_RESULT_FALSE;
-+
-+  if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL)
-+    {
-+      _dbus_warn("Failed to obtain security label for connection\n");
-+      return BUS_RESULT_FALSE;
-+    }
-+
-+  snprintf(user, sizeof(user), "%lu", uid);
-+  snprintf(session, sizeof(session), "%lu", pid);
-+
-+  key.client = label;
-+  key.session = session;
-+  key.user = user;
-+  key.permission = permission;
-+
-+  result = cynagora_cache_check(cynagora->cynagora, &key);
-+  switch (result)
-+  {
-+  case 1:
-+    _dbus_verbose("Cynagora: got ALLOWED answer from cache (client=%s session_id=%s user=%s permission=%s)\n",
-+               label, session_id, user, permission);
-+    ret = BUS_RESULT_TRUE;
-+    break;
-+
-+  case 0:
-+    _dbus_verbose("Cynagora: got DENIED answer from cache (client=%s session_id=%s user=%s permission=%s)\n",
-+               label, session_id, user, permission);
-+    ret = BUS_RESULT_FALSE;
-+    break;
-+
-+  default:
-+     deferred_message = bus_deferred_message_new(message, sender, addressed_recipient,
-+         proposed_recipient, BUS_RESULT_LATER);
-+     if (deferred_message == NULL)
-+       {
-+         _dbus_verbose("Failed to allocate memory for deferred message\n");
-+         ret = BUS_RESULT_FALSE;
-+         goto out;
-+       }
-+
-+    /* callback is supposed to unref deferred_message*/
-+    result = cynagora_async_check(cynagora->cynagora, &key, 1, 0, async_check_callback, deferred_message);
-+    if (result == 0)
-+      {
-+        _dbus_verbose("Created Cynagora request: client=%s session_id=%s user=%s permission=%s "
-+            "deferred_message=%p\n", label, session_id, user, permission, deferred_message);
-+        if (deferred_message_param != NULL)
-+          *deferred_message_param = deferred_message;
-+        ret = BUS_RESULT_LATER;
-+      }
-+    else
-+      {
-+        _dbus_verbose("Error on cynagora request create: %i\n", result);
-+        bus_deferred_message_unref(deferred_message);
-+        ret = BUS_RESULT_FALSE;
-+      }
-+    break;
-+  }
-+out:
-+  dbus_free(label);
-+  return ret;
-+}
-+
-+static dbus_bool_t
-+watch_handler_callback(DBusWatch    *watch,
-+                       unsigned int  flags,
-+                       void         *data)
-+{
-+  BusCynagora *cynagora = (BusCynagora *)data;
-+  int result = cynagora_async_process(cynagora->cynagora);
-+  if (result < 0)
-+      _dbus_verbose("cynagora_async_process returned %d\n", result);
-+
-+  return result != -ENOMEM ? TRUE : FALSE;
-+}
-+
-+static int
-+async_callback(void *closure, int op, int fd, uint32_t events)
-+{
-+  BusCynagora *cynagora = (BusCynagora *)closure;
-+  DBusLoop *loop = bus_context_get_loop(cynagora->context);
-+  unsigned int flags;
-+  DBusWatch *watch;
-+
-+  /* compute flags */
-+  flags = 0;
-+  if (events & EPOLLIN)
-+    flags |= DBUS_WATCH_READABLE;
-+  if (events & EPOLLOUT)
-+    flags |= DBUS_WATCH_WRITABLE;
-+
-+  /* remove the watch if needed */
-+  watch = cynagora->cynagora_watch;
-+  if (watch != NULL)
-+    {
-+      cynagora->cynagora_watch = NULL;
-+      _dbus_loop_remove_watch(loop, watch);
-+      _dbus_watch_invalidate(watch);
-+      _dbus_watch_unref(watch);
-+    }
-+
-+  /* create the watch if needed */
-+  watch = cynagora->cynagora_watch;
-+  if (op != EPOLL_CTL_DEL)
-+    {
-+      watch = _dbus_watch_new(fd, flags, TRUE, watch_handler_callback, cynagora, NULL);
-+      if (watch == NULL)
-+        return -ENOMEM;
-+      if (_dbus_loop_add_watch(loop, watch) != TRUE)
-+        {
-+          _dbus_watch_invalidate(watch);
-+          _dbus_watch_unref(watch);
-+          return -ENOMEM;
-+        }
-+      cynagora->cynagora_watch = watch;
-+    }
-+  return 0;
-+}
-+
-+#endif /* DBUS_ENABLE_CYNAGORA */
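Review bot: In `bus_cynagora_check_privilege()` the three `_dbus_verbose` calls pass `session_id`, but the function declares only `char session[32]`, so bus/cynagora-check.c compiles only when `_dbus_verbose` is compiled out; if this code is carried into the new framework, those arguments should be `session`. Two further points for whoever ports it: `cynagora_cache_check()` results other than 1 and 0 all fall into `default:` and become an asynchronous request, whereas the removed bus/cynara.c kept `CYNARA_API_CACHE_MISS` apart from errors and answered `BUS_RESULT_FALSE` for the latter; and the session part of the key is now the bare PID string from `snprintf(session, sizeof(session), "%lu", pid)`, so a cached answer is tied to the PID, label and uid rather than to a session identifier. In `async_callback()` the second `watch = cynagora->cynagora_watch;` always reads NULL and can be dropped.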
-diff --git a/bus/cynara.h b/bus/cynagora-check.h
-similarity index 81%
-rename from bus/cynara.h
-rename to bus/cynagora-check.h
-index c4728bb..c0892c3 100644
---- a/bus/cynara.h
-+++ b/bus/cynagora-check.h
-@@ -1,5 +1,5 @@
- /* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
--/* cynara.h  Cynara runtime privilege checking
-+/* cynagora.h  Cynagora runtime privilege checking
-  *
-  * Copyright (c) 2014 Samsung Electronics, Ltd.
-  *
-@@ -24,10 +24,10 @@
- #include "bus.h"
- #include "check.h"
--BusCynara *bus_cynara_new             (BusCheck *check, DBusError *error);
--BusCynara *bus_cynara_ref             (BusCynara *cynara);
--void       bus_cynara_unref           (BusCynara *cynara);
--BusResult  bus_cynara_check_privilege (BusCynara *cynara,
-+BusCynagora *bus_cynagora_new             (BusCheck *check, DBusError *error);
-+BusCynagora *bus_cynagora_ref             (BusCynagora *cynagora);
-+void       bus_cynagora_unref           (BusCynagora *cynagora);
-+BusResult  bus_cynagora_check_privilege (BusCynagora *cynagora,
-                                        DBusMessage *message,
-                                        DBusConnection *sender,
-                                        DBusConnection *addressed_recipient,
-diff --git a/bus/cynara.c b/bus/cynara.c
-deleted file mode 100644
-index 77aed62..0000000
---- a/bus/cynara.c
-+++ /dev/null
-@@ -1,373 +0,0 @@
--/* -*- mode: C; c-file-style: "gnu"; indent-tabs-mode: nil; -*- */
--/* cynara.c  Cynara runtime privilege checking
-- *
-- * Copyright (c) 2014 Samsung Electronics, Ltd.
-- *
-- * Licensed under the Academic Free License version 2.1
-- *
-- * This program is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-- *
-- */
--
--#include <config.h>
--#include "cynara.h"
--#include "check.h"
--#include "utils.h"
--
--#include <stdio.h>
--
--#include <dbus/dbus.h>
--#include <dbus/dbus-watch.h>
--#include <dbus/dbus-connection-internal.h>
--#include <bus/connection.h>
--#ifdef DBUS_ENABLE_CYNARA
--#include <cynara-client-async.h>
--#endif
--
--#ifdef DBUS_ENABLE_CYNARA
--typedef struct BusCynara
--{
--  int refcount;
--
--  BusContext   *context;
--  BusCheck     *check;
--  cynara_async *cynara;
--  DBusWatch    *cynara_watch;
--} BusCynara;
--
--#define USE_CYNARA_CACHE 1
--#ifdef USE_CYNARA_CACHE
--#define CYNARA_CACHE_SIZE 1000
--#endif
--
--static dbus_bool_t bus_cynara_watch_callback(DBusWatch *watch,
--                                             unsigned int flags,
--                                             void *data);
--
--static void status_callback(int old_fd,
--                            int new_fd,
--                            cynara_async_status status,
--                            void *user_status_data);
--static void bus_cynara_check_response_callback (cynara_check_id check_id,
--                                                cynara_async_call_cause cause,
--                                                int response,
--                                                void *user_response_data);
--#endif
--
--
--BusCynara *
--bus_cynara_new(BusCheck *check, DBusError *error)
--{
--#ifdef DBUS_ENABLE_CYNARA
--  BusContext *context;
--  BusCynara *cynara;
--  cynara_async_configuration *conf = NULL;
--  int ret;
--
--  cynara = dbus_new(BusCynara, 1);
--  if (cynara == NULL)
--    {
--      BUS_SET_OOM(error);
--      return NULL;
--    }
--
--  context = bus_check_get_context(check);
--
--  cynara->refcount = 1;
--  cynara->check = check;
--  cynara->context = context;
--  cynara->cynara_watch = NULL;
--
--  ret = cynara_async_configuration_create(&conf);
--  if (ret != CYNARA_API_SUCCESS)
--    {
--      dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to create Cynara configuration");
--      goto out;
--    }
--
--#ifdef CYNARA_CACHE_SIZE
--  ret = cynara_async_configuration_set_cache_size(conf, CYNARA_CACHE_SIZE);
--  if (ret != CYNARA_API_SUCCESS)
--    {
--      dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to Cynara cache size");
--      goto out;
--    }
--#endif
--
--  ret = cynara_async_initialize(&cynara->cynara, conf, &status_callback, cynara);
--  if (ret != CYNARA_API_SUCCESS)
--    {
--      dbus_set_error (error, DBUS_ERROR_FAILED, "Failed to initialize Cynara client");
--      goto out;
--    }
--
--out:
--  cynara_async_configuration_destroy(conf);
--  if (ret != CYNARA_API_SUCCESS)
--    {
--      dbus_free(cynara);
--      return NULL;
--    }
--
--  return cynara;
--#else
--  return NULL;
--#endif
--}
--
--BusCynara *
--bus_cynara_ref (BusCynara *cynara)
--{
--#ifdef DBUS_ENABLE_CYNARA
--  _dbus_assert (cynara->refcount > 0);
--  cynara->refcount += 1;
--
--  return cynara;
--#else
--  return NULL;
--#endif
--}
--
--void
--bus_cynara_unref (BusCynara *cynara)
--{
--#ifdef DBUS_ENABLE_CYNARA
--  _dbus_assert (cynara->refcount > 0);
--
--  cynara->refcount -= 1;
--
--  if (cynara->refcount == 0)
--    {
--      cynara_async_finish(cynara->cynara);
--      dbus_free(cynara);
--    }
--#endif
--}
--
--BusResult
--bus_cynara_check_privilege (BusCynara *cynara,
--                            DBusMessage *message,
--                            DBusConnection *sender,
--                            DBusConnection *addressed_recipient,
--                            DBusConnection *proposed_recipient,
--                            const char *privilege,
--                            BusDeferredMessageStatus check_type,
--                            BusDeferredMessage **deferred_message_param)
--{
--#ifdef DBUS_ENABLE_CYNARA
--  int result;
--  unsigned long uid;
--  char *label;
--  const char *session_id;
--  char user[32];
--  cynara_check_id check_id;
--  DBusConnection *connection = check_type == BUS_DEFERRED_MESSAGE_CHECK_RECEIVE ? proposed_recipient : sender;
--  BusDeferredMessage *deferred_message;
--  BusResult ret;
--
--  _dbus_assert(connection != NULL);
--
--  if (dbus_connection_get_unix_user(connection, &uid) == FALSE)
--      return BUS_RESULT_FALSE;
--
--  if (_dbus_connection_get_linux_security_label(connection, &label) == FALSE || label == NULL)
--    {
--      _dbus_warn("Failed to obtain security label for connection\n");
--      return BUS_RESULT_FALSE;
--    }
--
--  session_id = bus_connection_get_cynara_session_id (connection);
--  if (session_id == NULL)
--    {
--      ret = BUS_RESULT_FALSE;
--      goto out;
--    }
--
--  snprintf(user, sizeof(user), "%lu", uid);
--
--#if USE_CYNARA_CACHE
--  result = cynara_async_check_cache(cynara->cynara, label, session_id, user, privilege);
--#else
--  result = CYNARA_API_CACHE_MISS;
--#endif
--
--  switch (result)
--  {
--  case CYNARA_API_ACCESS_ALLOWED:
--    _dbus_verbose("Cynara: got ALLOWED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
--               label, session_id, user, privilege);
--    ret = BUS_RESULT_TRUE;
--    break;
--
--  case CYNARA_API_ACCESS_DENIED:
--    _dbus_verbose("Cynara: got DENIED answer from cache (client=%s session_id=%s user=%s privilege=%s)\n",
--               label, session_id, user, privilege);
--    ret = BUS_RESULT_FALSE;
--    break;
--
--  case CYNARA_API_CACHE_MISS:
--     deferred_message = bus_deferred_message_new(message, sender, addressed_recipient,
--         proposed_recipient, BUS_RESULT_LATER);
--     if (deferred_message == NULL)
--       {
--         _dbus_verbose("Failed to allocate memory for deferred message\n");
--         ret = BUS_RESULT_FALSE;
--         goto out;
--       }
--
--    /* callback is supposed to unref deferred_message*/
--    result = cynara_async_create_request(cynara->cynara, label, session_id, user, privilege, &check_id,
--        &bus_cynara_check_response_callback, deferred_message);
--    if (result == CYNARA_API_SUCCESS)
--      {
--        _dbus_verbose("Created Cynara request: client=%s session_id=%s user=%s privilege=%s check_id=%u "
--            "deferred_message=%p\n", label, session_id, user, privilege, (unsigned int)check_id, deferred_message);
--        if (deferred_message_param != NULL)
--          *deferred_message_param = deferred_message;
--        ret = BUS_RESULT_LATER;
--      }
--    else
--      {
--        _dbus_verbose("Error on cynara request create: %i\n", result);
--        bus_deferred_message_unref(deferred_message);
--        ret = BUS_RESULT_FALSE;
--      }
--    break;
--  default:
--    _dbus_verbose("Error when accessing Cynara cache: %i\n", result);
--    ret = BUS_RESULT_FALSE;
--  }
--out:
--  dbus_free(label);
--  return ret;
--
--#else
--  return BUS_RESULT_FALSE;
--#endif
--}
--
--
--
--#ifdef DBUS_ENABLE_CYNARA
--static void
--status_callback(int old_fd, int new_fd, cynara_async_status status,
--                void *user_status_data)
--{
--  BusCynara *cynara = (BusCynara *)user_status_data;
--  DBusLoop *loop = bus_context_get_loop(cynara->context);
--
--  if (cynara->cynara_watch != NULL)
--    {
--      _dbus_loop_remove_watch(loop, cynara->cynara_watch);
--      _dbus_watch_invalidate(cynara->cynara_watch);
--      _dbus_watch_unref(cynara->cynara_watch);
--      cynara->cynara_watch = NULL;
--    }
--
--  if (new_fd != -1)
--    {
--      unsigned int flags;
--      DBusWatch *watch;
--
--      switch (status)
--      {
--      case CYNARA_STATUS_FOR_READ:
--        flags = DBUS_WATCH_READABLE;
--        break;
--      case CYNARA_STATUS_FOR_RW:
--        flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
--        break;
--      default:
--        /* Cynara passed unknown status - warn and add RW watch */
--        _dbus_verbose("Cynara passed unknown status value: 0x%08X\n", (unsigned int)status);
--        flags = DBUS_WATCH_READABLE | DBUS_WATCH_WRITABLE;
--        break;
--      }
--
--      watch = _dbus_watch_new(new_fd, flags, TRUE, &bus_cynara_watch_callback, cynara, NULL);
--      if (watch != NULL)
--        {
--          if (_dbus_loop_add_watch(loop, watch) == TRUE)
--            {
--              cynara->cynara_watch = watch;
--              return;
--            }
--
--          _dbus_watch_invalidate(watch);
--          _dbus_watch_unref(watch);
--        }
--
--      /* It seems like not much can be done at this point. Cynara events won't be processed
--       * until next Cynara function call triggering status callback */
--      _dbus_verbose("Failed to add dbus watch\n");
--    }
--}
--
--static dbus_bool_t
--bus_cynara_watch_callback(DBusWatch    *watch,
--                          unsigned int  flags,
--                          void         *data)
--{
--  BusCynara *cynara = (BusCynara *)data;
--  int result = cynara_async_process(cynara->cynara);
--  if (result != CYNARA_API_SUCCESS)
--      _dbus_verbose("cynara_async_process returned %d\n", result);
--
--  return result != CYNARA_API_OUT_OF_MEMORY ? TRUE : FALSE;
--}
--
--static inline const char *
--call_cause_to_string(cynara_async_call_cause cause)
--{
--  switch (cause)
--  {
--  case CYNARA_CALL_CAUSE_ANSWER:
--    return "ANSWER";
--  case CYNARA_CALL_CAUSE_CANCEL:
--    return "CANCEL";
--  case CYNARA_CALL_CAUSE_FINISH:
--    return "FINSIH";
--  case CYNARA_CALL_CAUSE_SERVICE_NOT_AVAILABLE:
--    return "SERVICE NOT AVAILABLE";
--  default:
--    return "INVALID";
--  }
--}
--
--static void
--bus_cynara_check_response_callback (cynara_check_id check_id,
--                                    cynara_async_call_cause cause,
--                                    int response,
--                                    void *user_response_data)
--{
--  BusDeferredMessage *deferred_message = user_response_data;
--  BusResult result;
--
--  _dbus_verbose("Cynara callback: check_id=%u, cause=%s response=%i response_data=%p\n",
--      (unsigned int)check_id, call_cause_to_string(cause), response, user_response_data);
--
--  if (deferred_message == NULL)
--    return;
--
--  if (cause == CYNARA_CALL_CAUSE_ANSWER && response == CYNARA_API_ACCESS_ALLOWED)
--    result = BUS_RESULT_TRUE;
--  else
--    result = BUS_RESULT_FALSE;
--
--  bus_deferred_message_response_received(deferred_message, result);
--  bus_deferred_message_unref(deferred_message);
--}
--
--#endif /* DBUS_ENABLE_CYNARA */
-diff --git a/bus/system.conf.in b/bus/system.conf.in
-index 19d0c04..81c39c8 100644
---- a/bus/system.conf.in
-+++ b/bus/system.conf.in
-@@ -72,10 +72,10 @@
-            send_interface="org.freedesktop.DBus.Introspectable"/>
-     <allow send_destination="org.freedesktop.DBus"
-            send_interface="org.freedesktop.DBus.Properties"/>
--    <!-- If there is a need specific bus services could be protected by Cynara as well.
-+    <!-- If there is a need specific bus services could be protected by Cynagora as well.
-          However, this can lead to deadlock during the boot process when such check is made and
--         Cynara is not yet activated (systemd calls protected method synchronously,
--         dbus daemon tries to consult Cynara, Cynara waits for systemd activation).
-+         Cynagora is not yet activated (systemd calls protected method synchronously,
-+         dbus daemon tries to consult Cynagora, Cynagora waits for systemd activation).
-          Therefore it is advised to allow root processes to use bus services.
-          Currently anyone is allowed to talk to the message bus -->
-     <allow receive_sender="org.freedesktop.DBus"/>
-diff --git a/configure.ac b/configure.ac
-index 11b5ffd..df9341c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1742,16 +1742,16 @@ AC_ARG_ENABLE([user-session],
- AM_CONDITIONAL([DBUS_ENABLE_USER_SESSION],
-   [test "x$enable_user_session" = xyes])
--#enable cynara integration
--AC_ARG_ENABLE([cynara], [AS_HELP_STRING([--enable-cynara], [enable Cynara integration])], [], [enable_cynara=no])
--if test "x$enable_cynara" = xyes; then
--  PKG_CHECK_MODULES([CYNARA], [cynara-client-async >= 0.6.0 cynara-session >= 0.6.0],
--     [AC_DEFINE([DBUS_ENABLE_CYNARA], [1], [Define to enable Cynara privilege checks in dbus-daemon])],
--     [AC_MSG_ERROR([libcynara-client-async and cynara-session are required to enable Cynara integration])])
-+#enable cynagora integration
-+AC_ARG_ENABLE([cynagora], [AS_HELP_STRING([--enable-cynagora], [enable Cynagora integration])], [], [enable_cynagora=no])
-+if test "x$enable_cynagora" = xyes; then
-+  PKG_CHECK_MODULES([CYNAGORA], [cynagora],
-+     [AC_DEFINE([DBUS_ENABLE_CYNAGORA], [1], [Define to enable Cynagora privilege checks in dbus-daemon])],
-+     [AC_MSG_ERROR([libcynagora is required to enable Cynagora integration])])
- fi
--AC_SUBST([CYNARA_CFLAGS])
--AC_SUBST([CYNARA_LIBS])
-+AC_SUBST([CYNAGORA_CFLAGS])
-+AC_SUBST([CYNAGORA_LIBS])
- AC_CONFIG_FILES([
- Doxyfile
-@@ -1835,7 +1835,7 @@ echo "
-         Building bus stats API:   ${enable_stats}
-         Building SELinux support: ${have_selinux}
-         Building AppArmor support: ${have_apparmor}
--        Building Cynara support:  ${enable_cynara}
-+        Building Cynagora support: ${enable_cynagora}
-         Building inotify support: ${have_inotify}
-         Building kqueue support:  ${have_kqueue}
-         Building systemd support: ${have_systemd}
--- 
-2.21.1
-
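Review bot: the Cynagora integration in dbus-daemon (`--enable-cynagora`, `DBUS_ENABLE_CYNAGORA`) disappears with this patch file, which leaves bus access to the static rules in system.conf.in, where the comment already reads "Currently anyone is allowed to talk to the message bus". The commit message should state what enforces bus policy under the new framework, or that nothing does yet.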
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus_1.12.20.bbappend b/meta-app-framework/recipes-core/dbus-cynagora/dbus_1.12.20.bbappend
deleted file mode 100644 (file)
index 028c734..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'dbus_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-core/dbus-cynagora/dbus_appfw.inc b/meta-app-framework/recipes-core/dbus-cynagora/dbus_appfw.inc
deleted file mode 100644 (file)
index 4efeef7..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/dbus-cynagora:"
-
-SRC_URI:append:class-target = "\
-   file://0001-Integration-of-Cynara-asynchronous-security-checks.patch \
-   file://0002-Disable-message-dispatching-when-send-rule-result-is.patch \
-   file://0003-Handle-unavailability-of-policy-results-for-broadcas.patch \
-   file://0004-Add-own-rule-result-unavailability-handling.patch \
-   file://0005-Perform-Cynara-runtime-policy-checks-by-default.patch \
-   file://0006-Fix-SIGSEGV-on-disconnections.patch \
-   file://0007-Switch-from-cynara-to-cynagora.patch \
-"
-
-DEPENDS:append:class-target = " cynagora smack"
-EXTRA_OECONF:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES','smack','--enable-cynagora --disable-selinux','',d)}"
-
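Review bot: `EXTRA_OECONF` in this file keyed on the `smack` DISTRO_FEATURE to pass `--enable-cynagora --disable-selinux`. If any distro or feature configuration still sets `smack` after this series, dbus will build with neither option and nothing will flag it, so check that the feature itself is dropped in the same change.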
diff --git a/meta-app-framework/recipes-core/nss-localuser/nss-localuser_0.1.bb b/meta-app-framework/recipes-core/nss-localuser/nss-localuser_0.1.bb
deleted file mode 100644 (file)
index 93d2a20..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-SUMMARY = "Name Service Switch module for resolving the local user hostname"
-
-DESCRIPTION = "plugin for the GNU Name Service Switch (NSS) \
-functionality of the GNU C Library (`glibc`) providing host name \
-resolution for *"localuser"* family of virtual hostnames."
-
-HOMEPAGE = "https://git.automotivelinux.org/src/nss-localuser/"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=79ad77111c398994735201536a4749ba"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/nss-localuser;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "66803c6fdb609ed83a78b9194ecb23e9c1b773e7"
-PV = "${AGL_BRANCH}+git${SRCPV}"
-
-RDEPENDS:${PN} = "base-files"
-
-S = "${WORKDIR}/git"
-
-do_compile() {
-       make
-}
-
-do_install() {
-       make nssdir=${D}${libdir} install
-}
-
-pkg_postinst_ontarget:${PN} () {
-       sed -e '/^hosts:/s/\<localuser\>\s*//' \
-               -e 's/\(^hosts:\s\s*\)\(.*\)/\1localuser \2/' \
-               -i $D${sysconfdir}/nsswitch.conf
-}
-
-pkg_prerm:${PN} () {
-       sed -e '/^hosts:/s/\<localuser\>\s*//' \
-               -i $D${sysconfdir}/nsswitch.conf
-}
-
-INSANE_SKIP:${PN} = "ldflags"
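Review bot: `pkg_postinst_ontarget` is what inserted `localuser` into the `hosts:` line of nsswitch.conf, so once this recipe is gone nothing resolves the "localuser" family of hostnames. Please confirm that no remaining recipe, service or packagegroup still depends on nss-localuser or on those names before it is deleted.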
diff --git a/meta-app-framework/recipes-core/shadow/shadow_%.bbappend b/meta-app-framework/recipes-core/shadow/shadow_%.bbappend
deleted file mode 100644 (file)
index 70a0c3c..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'shadow_appfw.inc', '', d)}
-
-
diff --git a/meta-app-framework/recipes-core/shadow/shadow_appfw.inc b/meta-app-framework/recipes-core/shadow/shadow_appfw.inc
deleted file mode 100644 (file)
index d41c996..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-do_install:append() {
-       sed -i '/^UMASK/s:^.*$:UMASK 077:' ${D}${sysconfdir}/login.defs
-}
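Review bot: the `UMASK 077` override for login.defs in `do_install:append` is general hardening, not something tied to Smack or the old framework, and deleting this file silently returns the image to whatever UMASK the shadow recipe ships. If the tighter default is still wanted, move the `sed` line into a bbappend that stays in the tree; if it is dropped on purpose, say so in the commit message.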
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/55-udev-smack-default.rules b/meta-app-framework/recipes-core/smack-system-setup/files/55-udev-smack-default.rules
deleted file mode 100644 (file)
index eca6529..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-# do not edit this file, it will be overwritten on update
-
-KERNEL=="null", SECLABEL{smack}="*"
-KERNEL=="zero", SECLABEL{smack}="*"
-KERNEL=="console", SECLABEL{smack}="*"
-KERNEL=="kmsg", SECLABEL{smack}="*"
-KERNEL=="video*", SECLABEL{smack}="*"
-KERNEL=="card*", SECLABEL{smack}="*"
-KERNEL=="ptmx", SECLABEL{smack}="*"
-KERNEL=="tty", SECLABEL{smack}="*"
-KERNEL=="rfkill", SECLABEL{smack}="*"
-
-SUBSYSTEM=="most_cdev_aim", SECLABEL{smack}="*"
-
-SUBSYSTEM=="graphics", GROUP="video", SECLABEL{smack}="*"
-SUBSYSTEM=="drm", GROUP="video", SECLABEL{smack}="*"
-SUBSYSTEM=="dvb", GROUP="video", SECLABEL{smack}="*"
-SUBSYSTEM=="sound", GROUP="audio", SECLABEL{smack}="*"
-
-SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-SUBSYSTEM=="tty", KERNEL=="tty", GROUP="tty", MODE="0666", SECLABEL{smack}="*"
-SUBSYSTEM=="tty", KERNEL=="tty[0-9]*", GROUP="tty", MODE="0620", SECLABEL{smack}="*"
-SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty", SECLABEL{smack}="*"
-KERNEL=="tty[A-Z]*[0-9]|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", SECLABEL{smack}="*"
-
-SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*", MODE="0640", SECLABEL{smack}="*"
-SUBSYSTEM=="input", KERNEL=="ts[0-9]*|uinput", MODE="0640", SECLABEL{smack}="*"
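Review bot: besides the `SECLABEL{smack}` assignments, these rules also set ownership and modes (`GROUP="video"` on graphics/drm/dvb, `GROUP="audio"` on sound, `MODE="0640"` on the input event devices). Check that the stock udev rules on the image give the same groups and modes; otherwise split the non-Smack part into a rules file that is kept.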
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/systemd-journald.service.conf b/meta-app-framework/recipes-core/smack-system-setup/files/systemd-journald.service.conf
deleted file mode 100644 (file)
index 7035a14..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-# Run systemd-journald with the hat ("^") Smack label.
-#
-# The journal daemon needs global read access to gather information
-# about the services spawned by systemd. The hat label is intended
-# for this purpose. The journal daemon is the only part of the
-# System domain that needs read access to the User domain. Giving
-# the journal daemon the hat label means that we can remove the
-# System domain's read access to the User domain and we can avoid
-# hard-coding a specific label name for that domain.
-#
-# Original author: Casey Schaufler <casey@schaufler-ca.com>
-#
-# This is considered a configuration change and thus distro specific.
-[Service]
-SmackProcessLabel=^
-
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf b/meta-app-framework/recipes-core/smack-system-setup/files/systemd-tmpfiles-setup.service.conf
deleted file mode 100644 (file)
index db43c8c..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-ExecStartPost=/bin/sh -c '([ ! -d /var/tmp ] || chsmack -L -a \"*\" /var/tmp) && ([ ! -d /var/log ] || chsmack -L -a System::Log /var/log && chsmack -L -t /var/log)'
diff --git a/meta-app-framework/recipes-core/smack-system-setup/files/tmp.mount.conf b/meta-app-framework/recipes-core/smack-system-setup/files/tmp.mount.conf
deleted file mode 100644 (file)
index 388986e..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-# Mount /tmp publicly accessable. Based on patch by Michael Demeter <michael.demeter@intel.com>.
-# Upstream systemd temporarily had SmackFileSystemRoot for this (https://github.com/systemd/systemd/pull/1664),
-# but it was removed again (https://github.com/systemd/systemd/issues/1696) because
-# util-linux mount will ignore smackfsroot when Smack is not active. However,
-# busybox is not that intelligent.
-#
-# When using busybox mount, adding smackfsroot=* and booting without
-# Smack (i.e. security=none), tmp.mount will fail with an error about
-# "Bad mount option smackfsroot".
-[Mount]
-Options=smackfsroot=*
-
diff --git a/meta-app-framework/recipes-core/smack-system-setup/smack-system-setup_1.bb b/meta-app-framework/recipes-core/smack-system-setup/smack-system-setup_1.bb
deleted file mode 100644 (file)
index b74f462..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-DESCRIPTION = "setup of a system using smack"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "\
-  file://55-udev-smack-default.rules \
-  file://systemd-journald.service.conf \
-  file://systemd-tmpfiles-setup.service.conf \
-  file://tmp.mount.conf \
-"
-
-RDEPENDS:${PN}:append:with-lsm-smack = " smack"
-
-do_install:append:with-lsm-smack() {
-    # tuning systemd units
-    install -Dm0644 ${WORKDIR}/systemd-tmpfiles-setup.service.conf \
-                     ${D}${systemd_unitdir}/system/systemd-tmpfiles-setup.service.d/smack.conf
-    install -Dm0644 ${WORKDIR}/systemd-journald.service.conf \
-                     ${D}${systemd_unitdir}/system/systemd-journald.service.d/smack.conf
-    install -Dm0644 ${WORKDIR}/tmp.mount.conf \
-                     ${D}${systemd_unitdir}/system/tmp.mount.d/smack.conf
-
-    # add udev rules
-    install -Dm0644 ${WORKDIR}/55-udev-smack-default.rules \
-                     ${D}${sysconfdir}/udev/rules.d/55-udev-smack-default.rules
-}
-
-FILES:${PN} += "${systemd_unitdir}"
diff --git a/meta-app-framework/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch b/meta-app-framework/recipes-core/systemd/systemd/0001-Switch-Smack-label-earlier.patch
deleted file mode 100644 (file)
index 46445be..0000000
+++ /dev/null
@@ -1,52 +0,0 @@
-From 6cc74075797edb6f698cb7f312bb1c3d8cc6cb28 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 12 Oct 2017 17:17:56 +0200
-Subject: [PATCH] Switch Smack label earlier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Switching label after removing capability isn't
-possible.
-
-Change-Id: Ib7dac8f071f36119520ed3205d743c1e3df3cd5e
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- src/core/execute.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/src/core/execute.c b/src/core/execute.c
-index d72e5bf08..0abffd569 100644
---- a/src/core/execute.c
-+++ b/src/core/execute.c
-@@ -2707,6 +2707,13 @@ static int exec_child(
-                         }
-                 }
-+                r = setup_smack(context, command);
-+                if (r < 0) {
-+                        *exit_status = EXIT_SMACK_PROCESS_LABEL;
-+                        *error_message = strdup("Failed to set SMACK process label");
-+                        return r;
-+                }
-+
-                 if (!cap_test_all(context->capability_bounding_set)) {
-                         r = capability_bounding_set_drop(context->capability_bounding_set, false);
-                         if (r < 0) {
-@@ -2775,13 +2782,6 @@ static int exec_child(
-                 }
- #endif
--                r = setup_smack(context, command);
--                if (r < 0) {
--                        *exit_status = EXIT_SMACK_PROCESS_LABEL;
--                        *error_message = strdup("Failed to set SMACK process label");
--                        return r;
--                }
--
- #ifdef HAVE_APPARMOR
-                 if (context->apparmor_profile && mac_apparmor_use()) {
-                         r = aa_change_onexec(context->apparmor_profile);
--- 
-2.14.3
-
diff --git a/meta-app-framework/recipes-core/systemd/systemd_2%.bbappend b/meta-app-framework/recipes-core/systemd/systemd_2%.bbappend
deleted file mode 100644 (file)
index 11b1df9..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'systemd_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-core/systemd/systemd_appfw.inc b/meta-app-framework/recipes-core/systemd/systemd_appfw.inc
deleted file mode 100644 (file)
index 8aa72c5..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/systemd:"
-
-# Ensures systemd runs with label "System"
-EXTRA_OEMESON:append:with-lsm-smack = " -Dsmack-run-label=System"
-
-##################################################################################
-# Maintaining trivial, non-upstreamable configuration changes as patches
-# is tedious. But in same cases (like early mounting of special directories)
-# the configuration has to be in code. We make these changes here directly.
-##################################################################################
-do_patch[prefuncs] += "patch_systemd"
-do_patch[vardeps] += "patch_systemd"
-patch_systemd() {
-    # Handling of /run and /sys/fs/cgroup. Make /run a transmuting directory to
-    # enable systemd communications with services in the User domain.
-    # Original patch by Michael Demeter <michael.demeter@intel.com>.
-    #
-    # We simplify the patching by touching only lines which check the result of
-    # mac_smack_use(). Those are the ones which are used when Smack is active.
-    #
-    # smackfsroot=* on /sys/fs/cgroup may be upstreamable, but smackfstransmute=System::Run
-    # is too distro specific (depends on Smack rules) and thus has to remain here.
-    sed -i -e 's;\("/sys/fs/cgroup", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfsroot=*\2;' \
-           -e 's;\("/run", *"[^"]*", *"[^"]*\)\(.*mac_smack_use.*\);\1,smackfstransmute=System::Run\2;' \
-           ${S}/src/core/mount-setup.c
-}
-
-##################################################################################
-# What follows is temporary.
-# This is a solution to the Bug-AGL SPEC-539
-# (see https://jira.automotivelinux.org/browse/SPEC-539).
-#
-# It renames the file "touchscreen.rules" to "55-touchscreen.rules"
-# This comes with the recipe systemd_230/234 of poky (meta/recipes-core/systemd)
-# It should be removed when poky changes.
-##################################################################################
-do_install:prepend() {
-       mv ${WORKDIR}/touchscreen.rules ${WORKDIR}/55-touchscreen.rules || true
-}
-
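Review bot: the `do_install:prepend` at the end of this file renames touchscreen.rules for SPEC-539 and has nothing to do with Smack; its own comment says it should be removed when poky changes. Confirm the poky systemd recipe no longer needs the rename before it is deleted with the rest, or keep it in a separate bbappend.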
diff --git a/meta-app-framework/recipes-core/util-linux/util-linux_%.bbappend b/meta-app-framework/recipes-core/util-linux/util-linux_%.bbappend
deleted file mode 100644 (file)
index 3894f57..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'util-linux_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-core/util-linux/util-linux_appfw.inc b/meta-app-framework/recipes-core/util-linux/util-linux_appfw.inc
deleted file mode 100644 (file)
index 7399aa4..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-# Enabling Smack support in util-linux enables special support
-# in [lib]mount for Smack mount options: they get removed if
-# Smack is not active in the current kernel. Important for
-# booting with "security=none" when userspace otherwise is
-# compiled to use Smack.
-
-PACKAGECONFIG:append:with-lsm-smack:class-target = " smack"
-PACKAGECONFIG[smack] = "--with-smack, --without-smack"
diff --git a/meta-app-framework/recipes-devtools/cmake-apps-module/cmake-apps-module_git.bb b/meta-app-framework/recipes-devtools/cmake-apps-module/cmake-apps-module_git.bb
deleted file mode 100644 (file)
index 4164171..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY = "CMake module to ease development of apps"
-DESCRIPTION = "This is a migration of former app-templates git submodule which let you \
-ease the development of apps and widget building."
-HOMEPAGE = "https://gerrit.automotivelinux.org/gerrit/#/admin/projects/src/cmake-apps-module"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
-SECTION = "apps"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cmake-apps-module;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "7c03348d9c2de43684fa69c3c9e227b25daceaaa"
-
-PV = "${AGLVERSION}"
-S  = "${WORKDIR}/git"
-
-inherit cmake
-
-FILES:${PN} += " ${datadir}/*/Modules/CMakeAfbTemplates*"
-
-BBCLASSEXTEND = "native nativesdk"
-
diff --git a/meta-app-framework/recipes-devtools/json-c/json-c_%.bbappend b/meta-app-framework/recipes-devtools/json-c/json-c_%.bbappend
deleted file mode 100644 (file)
index 051f66a..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'json-c_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-devtools/json-c/json-c_appfw.inc b/meta-app-framework/recipes-devtools/json-c/json-c_appfw.inc
deleted file mode 100644 (file)
index c15548c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-EXTRA_OECONF:append = " --enable-threading"
diff --git a/meta-app-framework/recipes-devtools/libafb-helpers/libafb-helpers_git.bb b/meta-app-framework/recipes-devtools/libafb-helpers/libafb-helpers_git.bb
deleted file mode 100644 (file)
index 9ca32fd..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-require libafb-helpers_git.inc
-
-inherit cmake
-
-RDEPENDS:${PN}:append = " af-binder"
-
-ALLOW_EMPTY:${PN} = "1"
-
diff --git a/meta-app-framework/recipes-devtools/libafb-helpers/libafb-helpers_git.inc b/meta-app-framework/recipes-devtools/libafb-helpers/libafb-helpers_git.inc
deleted file mode 100644 (file)
index 664f622..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-SUMMARY = "AFB helpers library"
-DESCRIPTION = "AFB helpers library to ease JSON object manipulation and binding interaction"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/libafb-helpers;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "16b77f6cea24332fffb75b6dcccb76f59565ed44"
-
-PV = "${AGLVERSION}"
-S  = "${WORKDIR}/git"
-
-DEPENDS:append = " af-binder jq"
-
diff --git a/meta-app-framework/recipes-devtools/libappcontroller/libappcontroller_git.bb b/meta-app-framework/recipes-devtools/libappcontroller/libappcontroller_git.bb
deleted file mode 100644 (file)
index 74fe081..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "Controller library for an Application Framework"
-DESCRIPTION = "Controller library to be used to easily create a binding for AGL App Framework"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/libappcontroller;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "1bef31c8bbad27f4914484c5007b2e199fb073d4"
-
-PV = "${AGLVERSION}"
-S  = "${WORKDIR}/git"
-
-DEPENDS:append = " af-binder libafb-helpers lua"
-RDEPENDS:${PN}:append = " af-binder lua"
-
-inherit cmake
-
-ALLOW_EMPTY:${PN} = "1"
-
diff --git a/meta-app-framework/recipes-devtools/packagegroups/nativesdk-packagegroup-sdk-host.bbappend b/meta-app-framework/recipes-devtools/packagegroups/nativesdk-packagegroup-sdk-host.bbappend
deleted file mode 100644 (file)
index 837b853..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'nativesdk-packagegroup-sdk-host_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-devtools/packagegroups/nativesdk-packagegroup-sdk-host_appfw.inc b/meta-app-framework/recipes-devtools/packagegroups/nativesdk-packagegroup-sdk-host_appfw.inc
deleted file mode 100644 (file)
index 27ee7cf..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-RDEPENDS:${PN}:append = " \
-               nativesdk-af-main-tools \
-               nativesdk-af-binder-devtools \
-               nativesdk-cmake-apps-module \
-"
diff --git a/meta-app-framework/recipes-devtools/run-postinsts/run-postinsts/ldconfig-wait.conf b/meta-app-framework/recipes-devtools/run-postinsts/run-postinsts/ldconfig-wait.conf
deleted file mode 100644 (file)
index d706cc5..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-[Unit]
-After=ldconfig.service
diff --git a/meta-app-framework/recipes-devtools/run-postinsts/run-postinsts_%.bbappend b/meta-app-framework/recipes-devtools/run-postinsts/run-postinsts_%.bbappend
deleted file mode 100644 (file)
index 6b9025d..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'run-postinsts_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-devtools/run-postinsts/run-postinsts_appfw.inc b/meta-app-framework/recipes-devtools/run-postinsts/run-postinsts_appfw.inc
deleted file mode 100644 (file)
index 07b958a..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/run-postinsts:"
-
-SRC_URI:append = " file://ldconfig-wait.conf"
-
-do_configure:append() {
-       if ! grep -q StandardOutput= ${WORKDIR}/run-postinsts.service; then
-               sed -i '/ExecStart=/iStandardOutput=journal+console' ${WORKDIR}/run-postinsts.service
-       fi
-}
-
-do_install:append() {
-       install -d ${D}${sysconfdir}/systemd/system/run-postinsts.service.d
-       install -m 0644 ${WORKDIR}/ldconfig-wait.conf ${D}${sysconfdir}/systemd/system/run-postinsts.service.d
-}
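Review bot: neither the `After=ldconfig.service` drop-in installed here nor the `StandardOutput=journal+console` tweak in `do_configure:append` is specific to the application framework. If other on-target postinst scripts rely on running after ldconfig, this ordering needs a new home; otherwise note in the commit message that it was only needed by the removed packages.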
diff --git a/meta-app-framework/recipes-graphics/wayland/wayland/0001-Change-socket-mode-add-rw-for-group.patch b/meta-app-framework/recipes-graphics/wayland/wayland/0001-Change-socket-mode-add-rw-for-group.patch
deleted file mode 100644 (file)
index d0dcb45..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9162f7d4cfeec7103474e8703218b3679ca9ed10 Mon Sep 17 00:00:00 2001
-From: Ronan Le Martret <ronan.lemartret@iot.bzh>
-Date: Tue, 18 Apr 2017 13:53:26 +0200
-Subject: [PATCH] Change socket mode:add rw for group
-
-Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
-[Updated for 1.18.0 to remove fuzz]
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
----
- src/wayland-server.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/wayland-server.c b/src/wayland-server.c
-index 3f48dfe..fbccb45 100644
---- a/src/wayland-server.c
-+++ b/src/wayland-server.c
-@@ -1528,7 +1528,10 @@ _wl_display_add_socket(struct wl_display *display, struct wl_socket *s)
-               wl_log("bind() failed with error: %s\n", strerror(errno));
-               return -1;
-       }
--
-+      if (chmod(s->addr.sun_path, 0660) < 0) {
-+              wl_log("chmod() failed with error: %m\n");
-+              return -1;
-+      }
-       if (listen(s->fd, 128) < 0) {
-               wl_log("listen() failed with error: %s\n", strerror(errno));
-               return -1;
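Review bot: the `chmod(s->addr.sun_path, 0660)` between bind() and listen() was what granted group read/write on the Wayland socket, so without this patch the socket mode is left to the compositor's umask. Confirm that clients in the new setup run as the compositor's user, or that group access is arranged some other way.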
diff --git a/meta-app-framework/recipes-graphics/wayland/wayland_%.bbappend b/meta-app-framework/recipes-graphics/wayland/wayland_%.bbappend
deleted file mode 100644 (file)
index 50cad03..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'wayland_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-graphics/wayland/wayland_appfw.inc b/meta-app-framework/recipes-graphics/wayland/wayland_appfw.inc
deleted file mode 100644 (file)
index a1d55a1..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/wayland:"
-
-SRC_URI:append = "\
-    file://0001-Change-socket-mode-add-rw-for-group.patch \
-    "
diff --git a/meta-app-framework/recipes-graphics/wayland/weston/0001-Allow-regular-users-to-launch-Weston_7.0.0.patch b/meta-app-framework/recipes-graphics/wayland/weston/0001-Allow-regular-users-to-launch-Weston_7.0.0.patch
deleted file mode 100644 (file)
index 362f6b0..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-Allow regular users to launch Weston
-
-Signed-off-by: Ronan Le Martret <ronan.lemartret@iot.bzh>
-[Reworked for Weston 7.0.0 switch to meson]
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
-
-diff --git a/libweston/launcher-direct.c b/libweston/launcher-direct.c
-index 9fa329b6..8e218804 100644
---- a/libweston/launcher-direct.c
-+++ b/libweston/launcher-direct.c
-@@ -291,8 +291,10 @@ launcher_direct_connect(struct weston_launcher **out, struct weston_compositor *
- {
-       struct launcher_direct *launcher;
-+#ifndef ENABLE_USER_START
-       if (geteuid() != 0)
-               return -EINVAL;
-+#endif
-       launcher = zalloc(sizeof(*launcher));
-       if (launcher == NULL)
-diff --git a/libweston/meson.build b/libweston/meson.build
-index d8d3fc07..0d39ebf1 100644
---- a/libweston/meson.build
-+++ b/libweston/meson.build
-@@ -216,6 +216,10 @@ if get_option('weston-launch')
-       meson.add_install_script('echo', 'REMINDER: You are installing weston-launch, please make it setuid-root.')
- endif
-+if get_option('enable-user-start')
-+      config_h.set('ENABLE_USER_START', '1')
-+endif
-+
- subdir('renderer-gl')
- subdir('backend-drm')
- subdir('backend-fbdev')
-diff --git a/meson_options.txt b/meson_options.txt
-index d5bf1d54..c93f31d1 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -217,3 +217,10 @@ option(
-       value: false,
-       description: 'Generate documentation'
- )
-+
-+option(
-+      'enable-user-start',
-+      type: 'boolean',
-+      value: true,
-+      description: 'Tests: enable start as non-root user'
-+)
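Review bot: Deleting this patch removes the `#ifndef ENABLE_USER_START` guard in `launcher_direct_connect()`, so the `geteuid() != 0` check returns `-EINVAL` for every non-root caller again. Please confirm that no remaining unit starts Weston as a regular user through the direct launcher, or note which launcher replaces it. The restored root check is the safer default, and the removed option shipped with `value: true` under a description that called it a test switch, so the commit message should say that the relaxation is intentionally gone.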
diff --git a/meta-app-framework/recipes-graphics/wayland/weston/smack-weston b/meta-app-framework/recipes-graphics/wayland/weston/smack-weston
deleted file mode 100644 (file)
index 63a3240..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-System System::Weston rwxa--
-System::Weston System rwx---
-System::Weston System::Shared rwx---
-System::Weston System::Run rwxat-
-System::Weston System::Log rwxa--
-System::Weston _ r-x--l
-System::Weston User::Home r-x--l
-System::Weston User::App-Shared rwxat-
diff --git a/meta-app-framework/recipes-graphics/wayland/weston_8.0.%.bbappend b/meta-app-framework/recipes-graphics/wayland/weston_8.0.%.bbappend
deleted file mode 100644 (file)
index 00bb510..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'weston_8.0_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-graphics/wayland/weston_8.0_appfw.inc b/meta-app-framework/recipes-graphics/wayland/weston_8.0_appfw.inc
deleted file mode 100644 (file)
index a72f224..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-FILESEXTRAPATHS:append := ":${THISDIR}/weston"
-
-SRC_URI:append = "\
-    file://0001-Allow-regular-users-to-launch-Weston_7.0.0.patch \
-    file://smack-weston \
-    "
-
-EXTRA_OEMESON:append = " -Denable-user-start=true"
-
-do_install:append() {
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'smack', 'true', 'false', d)}; then
-        # Install SMACK rules
-        install -D -m 0644 ${WORKDIR}/smack-weston ${D}${sysconfdir}/smack/accesses.d/weston
-    fi
-}
-
-FILES:${PN}:append = "\
-    ${sysconfdir}/smack/accesses.d/* \
-"
diff --git a/meta-app-framework/recipes-kernel/linux/linux-%.bbappend b/meta-app-framework/recipes-kernel/linux/linux-%.bbappend
deleted file mode 100644 (file)
index 807da11..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'linux-appfw.inc', '', d) if bb.data.inherits_class('kernel', d) else ''}
diff --git a/meta-app-framework/recipes-kernel/linux/linux-appfw.inc b/meta-app-framework/recipes-kernel/linux/linux-appfw.inc
deleted file mode 100644 (file)
index 68fb358..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/linux:"
-
-# Enable SMACK support without making it the default explicitly.
-AGL_KCONFIG_FRAGMENTS += "smack.cfg"
-
-# Enable SMACK as default LSM, can be overridden by changing this
-# variable to e.g. "".
-#
-# NOTE:
-# We use a different fragment for kernels older than 5.x that predate
-# the switch to using CONFIG_LSM instead of CONFIG_DEFAULT_SECURITY.
-# For simplicity, logic to handle the change being made in 5.1 instead
-# of 5.0 has been omitted; in practice this should not be a problem
-# since no current BSPs have been seen that use 5.0.x.  If a BSP
-# kernel recipe does not set LINUX_VERSION, the kernel being 5.x or
-# newer is assumed as the default behavior.
-LINUX_VERSION_MAJOR = "${@(d.getVar('LINUX_VERSION') or "5.x").split('.')[0]}"
-SMACK_DEFAULT_SUFFIX = "${@'' if int(d.getVar('LINUX_VERSION_MAJOR') or 0) >= 5 else '-old'}"
-SMACK_DEFAULT_SECURITY ??= "smack-default-lsm${SMACK_DEFAULT_SUFFIX}.cfg"
-AGL_KCONFIG_FRAGMENTS += "${SMACK_DEFAULT_SECURITY}"
-
-# Enable audit support
-AGL_KCONFIG_FRAGMENTS += "audit.cfg"
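Review bot: The last line of this file, `AGL_KCONFIG_FRAGMENTS += "audit.cfg"`, is not Smack-specific, yet it is removed together with the Smack fragments, so `CONFIG_AUDIT` and `CONFIG_AUDITSYSCALL` now depend on each BSP's defconfig. If kernel auditing is still wanted under the new framework, move that fragment into meta-agl-core instead of dropping it. If not, say so in the commit message, which only mentions deprecating the SMACK-based framework.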
diff --git a/meta-app-framework/recipes-kernel/linux/linux/audit.cfg b/meta-app-framework/recipes-kernel/linux/linux/audit.cfg
deleted file mode 100644 (file)
index 214dbe3..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-CONFIG_AUDIT=y
-CONFIG_AUDITSYSCALL=y
diff --git a/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm-old.cfg b/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm-old.cfg
deleted file mode 100644 (file)
index b5c4845..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-CONFIG_DEFAULT_SECURITY="smack"
-CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg b/meta-app-framework/recipes-kernel/linux/linux/smack-default-lsm.cfg
deleted file mode 100644 (file)
index 4791eba..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-CONFIG_DEFAULT_SECURITY_SMACK=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor"
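Review bot: Removing the `CONFIG_LSM=...` line here (and `CONFIG_DEFAULT_SECURITY="smack"` in the `-old` variant) leaves the active LSM to whatever the BSP kernel config selects, and the commit message does not say which access-control model, if any, images are expected to boot with after this change. Please document the intended LSM for the transition period, since these fragments were where the default was pinned.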
diff --git a/meta-app-framework/recipes-kernel/linux/linux/smack.cfg b/meta-app-framework/recipes-kernel/linux/linux/smack.cfg
deleted file mode 100644 (file)
index 45a92f1..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_EXT2_FS_SECURITY=y
-CONFIG_EXT3_FS_SECURITY=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_SECURITY=y
-CONFIG_SECURITY_SMACK=y
-CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
-CONFIG_TMPFS_XATTR=y
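Review bot: Several options in this fragment are not tied to Smack: `CONFIG_SECURITY`, `CONFIG_EXT4_FS_SECURITY` and `CONFIG_TMPFS_XATTR` provide the `security.*` extended attribute support that file capabilities and other LSMs also rely on. Consider keeping those lines in a generic fragment and dropping only `CONFIG_SECURITY_SMACK` and `CONFIG_SECURITY_SMACK_APPEND_SIGNALS`, so that xattr-based labelling does not silently depend on the BSP defconfig.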
diff --git a/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-app-framework-examples.bb b/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-app-framework-examples.bb
deleted file mode 100644 (file)
index 1c90421..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-SUMMARY = "AGL Application Framework examples"
-DESCRIPTION = "The set of examples associated to the AGL Application Framework"
-LICENSE = "MIT"
-
-inherit packagegroup
-
-PACKAGES = "\
-    packagegroup-agl-app-framework-examples \
-    "
-
-ALLOW_EMPTY:${PN} = "1"
-
-RDEPENDS:${PN} += "\
-    "
diff --git a/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-app-framework.bb b/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-app-framework.bb
deleted file mode 100644 (file)
index 866f2e0..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "AGL Application Framework core packages"
-DESCRIPTION = "The set of packages required by the AGL Application Framework"
-LICENSE = "MIT"
-
-inherit packagegroup
-
-PACKAGES_${PN} = "\
-    packagegroup-agl-app-framework \
-    "
-
-ALLOW_EMPTY:${PN} = "1"
-
-RDEPENDS:${PN} = "\
-       af-binder \
-       libafbwsc \
-       af-main \
-       nss-localuser \
-       af-platform-setup \
-       "
diff --git a/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-appfw-native.bb b/meta-app-framework/recipes-platform/packagegroups/packagegroup-agl-appfw-native.bb
deleted file mode 100644 (file)
index bdd967a..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-SUMMARY = "The software for application framework of AGL IVI profile"
-DESCRIPTION = "A set of packages belong to AGL application framework which required by \
-Native App Fw Subsystem"
-
-LICENSE = "MIT"
-
-inherit packagegroup
-
-PACKAGES = "\
-    packagegroup-agl-appfw-native \
-    "
-
-ALLOW_EMPTY:${PN} = "1"
-
-RDEPENDS:${PN} += "\
-    "
diff --git a/meta-app-framework/recipes-platform/packagegroups/packagegroup-security-framework.bb b/meta-app-framework/recipes-platform/packagegroups/packagegroup-security-framework.bb
deleted file mode 100644 (file)
index 449ce64..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "Security middleware components"
-LICENSE = "MIT"
-
-inherit packagegroup
-
-# Install Cynara and security-manager by default if (and only if)
-# Smack is enabled.
-#
-# Cynara does not have a hard dependency on Smack security,
-# but is meant to be used with it. security-manager however
-# links against smack and expects Smack to be active,
-# so we do not have any choice.
-#
-# Without configuration, security-manager is not usable. We use
-# the policy packaged from the upstream source code here. Adapting
-# it for the distro can be done by patching that source.
-RDEPENDS:${PN}:append:with-lsm-smack = " \
-    cynagora \
-    security-manager \
-    security-manager-policy \
-    smack-system-setup \
-"
diff --git a/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/meta-app-framework/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch
deleted file mode 100644 (file)
index 6e1827c..0000000
+++ /dev/null
@@ -1,42 +0,0 @@
-From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Wed, 19 Feb 2020 15:23:40 +0800
-Subject: [PATCH] lib/i386_table.h: add new syscall
-
-On 32bit system,
-After upgrade glibc to 2.31
- # strace -o /tmp/test.log date -s 09:16:45
- # tail -f /tmp/test.log
- close(3)                                = 0
- stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0
- clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0
- fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0
- ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
- write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29
- close(1)                                = 0
- close(2)                                = 0
- exit_group(0)                           = ?
- +++ exited with 0 +++
-
-It means the clock_settime64 syscall is used, so
-add the syscall.
-
-Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116]
-
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
----
- lib/i386_table.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/i386_table.h b/lib/i386_table.h
-index 1a64c88..65fd4d9 100644
---- a/lib/i386_table.h
-+++ b/lib/i386_table.h
-@@ -405,3 +405,4 @@ _S(383, "statx")
- _S(384, "arch_prctl")
- _S(385, "io_pgetevents")
- _S(386, "rseq")
-+_S(404, "clock_settime64")
--- 
-2.7.4
-
diff --git a/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/meta-app-framework/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
deleted file mode 100644 (file)
index bb6c61e..0000000
+++ /dev/null
@@ -1,133 +0,0 @@
-From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Tue, 26 Feb 2019 18:33:33 -0500
-Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
-
-Upstream-Status: Backport
-[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
----
- auparse/auparse.c   | 12 +++++++++++-
- auparse/interpret.c |  9 ++++++++-
- configure.ac        | 14 +++++++++++++-
- src/ausearch-lol.c  | 12 +++++++++++-
- 4 files changed, 43 insertions(+), 4 deletions(-)
-
-diff --git a/auparse/auparse.c b/auparse/auparse.c
-index 650db02..2e1c737 100644
---- a/auparse/auparse.c
-+++ b/auparse/auparse.c
-@@ -1,5 +1,5 @@
- /* auparse.c --
-- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
-+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
-  * All Rights Reserved.
-  *
-  * This library is free software; you can redistribute it and/or
-@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
-       return 0;
- }
-+#ifndef HAVE_STRNDUPA
-+static inline char *strndupa(const char *old, size_t n)
-+{
-+      size_t len = strnlen(old, n);
-+      char *tmp = alloca(len + 1);
-+      tmp[len] = 0;
-+      return memcpy(tmp, old, len);
-+}
-+#endif
-+
- /* Returns 0 on success and 1 on error */
- static int extract_timestamp(const char *b, au_event_t *e)
- {
-diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 51c4a5e..67b7b77 100644
---- a/auparse/interpret.c
-+++ b/auparse/interpret.c
-@@ -853,6 +853,13 @@ err_out:
-               return print_escaped(id->val);
- }
-+// rawmemchr is faster. Let's use it if we have it.
-+#ifdef HAVE_RAWMEMCHR
-+#define STRCHR rawmemchr
-+#else
-+#define STRCHR strchr
-+#endif
-+
- static const char *print_proctitle(const char *val)
- {
-       char *out = (char *)print_escaped(val);
-@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val)
-               // Proctitle has arguments separated by NUL bytes
-               // We need to write over the NUL bytes with a space
-               // so that we can see the arguments
--              while ((ptr  = rawmemchr(ptr, '\0'))) {
-+              while ((ptr  = STRCHR(ptr, '\0'))) {
-                       if (ptr >= end)
-                               break;
-                       *ptr = ' ';
-diff --git a/configure.ac b/configure.ac
-index 54bdbf1..aef07fb 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1,7 +1,7 @@
- dnl
- define([AC_INIT_NOTICE],
- [### Generated automatically using autoconf version] AC_ACVERSION [
--### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
-+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
- ###
- ### Permission is hereby granted, free of charge, to any person obtaining a
- ### copy of this software and associated documentation files (the "Software"),
-@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
- AC_CHECK_FUNCS([posix_fallocate])
- dnl; signalfd is needed for libev
- AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
-+dnl; check if rawmemchr is available
-+AC_CHECK_FUNCS([rawmemchr])
-+dnl; check if strndupa is available
-+AC_LINK_IFELSE(
-+  [AC_LANG_SOURCE(
-+    [[
-+      #define _GNU_SOURCE
-+      #include <string.h>
-+      int main() { (void) strndupa("test", 10); return 0; }]])],
-+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
-+ []
-+)
- ALLWARNS=""
- ALLDEBUG="-g"
-diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
-index 5d17a72..758c33e 100644
---- a/src/ausearch-lol.c
-+++ b/src/ausearch-lol.c
-@@ -1,6 +1,6 @@
- /*
- * ausearch-lol.c - linked list of linked lists library
--* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
-+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved. 
- *
- * This software may be freely redistributed and/or modified under the
-@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2)
-       return 0;
- }
-+#ifndef HAVE_STRNDUPA
-+static inline char *strndupa(const char *old, size_t n)
-+{
-+      size_t len = strnlen(old, n);
-+      char *tmp = alloca(len + 1);
-+      tmp[len] = 0;
-+      return memcpy(tmp, old, len);
-+}
-+#endif
-+
- /*
-  * This function will look at the line and pick out pieces of it.
-  */
--- 
-2.7.4
-
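Review bot: The `strndupa()` fallback added in `auparse/auparse.c` and `src/ausearch-lol.c` returns a pointer obtained from `alloca()` inside a `static inline` function; that memory belongs to the helper's own stack frame, so the caller receives a dangling pointer unless the compiler happens to inline the call. Deleting this backport removes that hazard from the tree. If an audit recipe is reintroduced for a libc without `strndupa`, the fallback should be a macro or use heap allocation rather than this patch as-is.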
diff --git a/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/meta-app-framework/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
deleted file mode 100644 (file)
index 7c26995..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001
-From: Li xin <lixin.fnst@cn.fujitsu.com>
-Date: Sun, 19 Jul 2015 02:42:58 +0900
-Subject: [PATCH] audit: Fixed swig host contamination issue
-
-The audit build uses swig to generate a python wrapper.
-Unfortunately, the swig info file references host include
-directories.  Some of these were previously noticed and
-eliminated, but the one fixed here was not.
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Anders Hedlund <anders.hedlund@windriver.com>
-Signed-off-by: Joe Slater <jslater@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- bindings/swig/python3/Makefile.am | 3 ++-
- bindings/swig/src/auditswig.i     | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am
-index 9938418..fa46aac 100644
---- a/bindings/swig/python3/Makefile.am
-+++ b/bindings/swig/python3/Makefile.am
-@@ -22,6 +22,7 @@
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing $(PYTHON3_CFLAGS)
- AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
-+STDINC ?= /usr/include
- LIBS = $(top_builddir)/lib/libaudit.la
- SWIG_FLAGS = -python -py3 -modern
- SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
-@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
- _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
- nodist__audit_la_SOURCES  = audit_wrap.c
- audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i 
--      swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} ${srcdir}/../src/auditswig.i 
-+      swig -o audit_wrap.c ${SWIG_FLAGS} ${SWIG_INCLUDES} -I$(STDINC) ${srcdir}/../src/auditswig.i
- CLEANFILES = audit.py* audit_wrap.c *~
-diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
-index 7ebb373..424fb68 100644
---- a/bindings/swig/src/auditswig.i
-+++ b/bindings/swig/src/auditswig.i
-@@ -39,7 +39,7 @@ signed
- #define __attribute(X) /*nothing*/
- typedef unsigned __u32;
- typedef unsigned uid_t;
--%include "/usr/include/linux/audit.h"
-+%include "linux/audit.h"
- #define __extension__ /*nothing*/
- #include <stdint.h>
- %include "../lib/libaudit.h"
--- 
-2.7.4
-
diff --git a/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf b/meta-app-framework/recipes-security/audit/audit/audit-volatile.conf
deleted file mode 100644 (file)
index 9cbe154..0000000
+++ /dev/null
@@ -1 +0,0 @@
-d  /var/log/audit 0750 root root -
diff --git a/meta-app-framework/recipes-security/audit/audit/auditd b/meta-app-framework/recipes-security/audit/audit/auditd
deleted file mode 100755 (executable)
index cda2e43..0000000
+++ /dev/null
@@ -1,153 +0,0 @@
-#! /bin/sh
-### BEGIN INIT INFO
-# Provides:          auditd
-# Required-Start:    $local_fs
-# Required-Stop:     $local_fs
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-# Short-Description: Audit Daemon
-# Description:       Collects audit information from Linux 2.6 Kernels.
-### END INIT INFO
-
-# Author: Philipp Matthias Hahn <pmhahn@debian.org>
-# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
-
-# June, 2012: Adopted for yocto <amy.fong@windriver.com>
-
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-DESC="audit daemon"
-NAME=auditd
-DAEMON=/sbin/auditd
-PIDFILE=/var/run/"$NAME".pid
-SCRIPTNAME=/etc/init.d/"$NAME"
-
-# Exit if the package is not installed
-[ -x "$DAEMON" ] || exit 0
-
-# Read configuration variable file if it is present
-[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
-
-. /etc/default/rcS
-
-. /etc/init.d/functions
-
-#
-# Function that starts the daemon/service
-#
-do_start()
-{
-       # Return
-       #   0 if daemon has been started
-       #   1 if daemon was already running
-       #   2 if daemon could not be started
-       start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
-               || return 1
-       start-stop-daemon -S --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
-               $EXTRAOPTIONS \
-               || return 2
-       if [ -f /etc/audit/audit.rules ]
-       then
-               /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
-       fi
-}
-
-#
-# Function that stops the daemon/service
-#
-do_stop()
-{
-       # Return
-       #   0 if daemon has been stopped
-       #   1 if daemon was already stopped
-       #   2 if daemon could not be stopped
-       #   other if a failure occurred
-       start-stop-daemon -K --quiet --pidfile "$PIDFILE" --name "$NAME"
-       RETVAL="$?"
-       [ "$RETVAL" = 2 ] && return 2
-       # Many daemons don't delete their pidfiles when they exit.
-       rm -f "$PIDFILE"
-       rm -f /var/run/audit_events
-       # Remove watches so shutdown works cleanly
-       case "$AUDITD_CLEAN_STOP" in
-               no|NO) ;;
-               *) /sbin/auditctl -D >/dev/null ;;
-       esac
-       return "$RETVAL"
-}
-
-#
-# Function that sends a SIGHUP to the daemon/service
-#
-do_reload() {
-       start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
-       return 0
-}
-
-if [ ! -e /var/log/audit ]; then
-       mkdir -p /var/log/audit
-       [ -x /sbin/restorecon ] && /sbin/restorecon -F /var/log/audit
-fi
-
-case "$1" in
-  start)
-       [ "$VERBOSE" != no ] && echo "Starting $DESC" "$NAME"
-       do_start
-       case "$?" in
-               0|1) [ "$VERBOSE" != no ] && echo 0 ;;
-               2) [ "$VERBOSE" != no ] && echo 1 ;;
-       esac
-       ;;
-  stop)
-       [ "$VERBOSE" != no ] && echo "Stopping $DESC" "$NAME"
-       do_stop
-       case "$?" in
-               0|1) [ "$VERBOSE" != no ] && echo 0 ;;
-               2) [ "$VERBOSE" != no ] && echo 1 ;;
-       esac
-       ;;
-  reload|force-reload)
-       echo "Reloading $DESC" "$NAME"
-       do_reload
-       echo $?
-       ;;
-  restart)
-       echo "Restarting $DESC" "$NAME"
-       do_stop
-       case "$?" in
-         0|1)
-               do_start
-               case "$?" in
-                       0) echo 0 ;;
-                       1) echo 1 ;; # Old process is still running
-                       *) echo 1 ;; # Failed to start
-               esac
-               ;;
-         *)
-               # Failed to stop
-               echo 1
-               ;;
-       esac
-       ;;
-  rotate)
-       echo "Rotating $DESC logs" "$NAME"
-       start-stop-daemon -K --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
-       echo $?
-       ;;
-  status)
-       pidofproc "$DAEMON" >/dev/null
-       status=$?
-       if [ $status -eq 0 ]; then
-               echo "$NAME is running."
-       else
-               echo "$NAME is not running."
-       fi
-       exit $status
-       ;;
-  *)
-       echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
-       exit 3
-       ;;
-esac
-
-:
diff --git a/meta-app-framework/recipes-security/audit/audit/auditd.service b/meta-app-framework/recipes-security/audit/audit/auditd.service
deleted file mode 100644 (file)
index ebc0798..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Security Auditing Service
-DefaultDependencies=no
-After=local-fs.target
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-After=systemd-tmpfiles-setup.service
-
-[Service]
-ExecStart=/sbin/auditd -n
-## To use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and uncomment the next line and delete/comment out the auditctl line.
-## Then copy existing rules to /etc/audit/rules.d/
-## Not doing this last step can cause loss of existing rules
-#ExecStartPost=-/sbin/augenrules --load
-ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-ExecReload=/bin/kill -HUP $MAINPID
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-app-framework/recipes-security/audit/audit_2.8.5.bb b/meta-app-framework/recipes-security/audit/audit_2.8.5.bb
deleted file mode 100644 (file)
index 19cc688..0000000
+++ /dev/null
@@ -1,106 +0,0 @@
-SUMMARY = "User space tools for kernel auditing"
-DESCRIPTION = "The audit package contains the user space utilities for \
-storing and searching the audit records generated by the audit subsystem \
-in the Linux kernel."
-HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
-SECTION = "base"
-LICENSE = "GPLv2+ & LGPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \
-           file://Add-substitue-functions-for-strndupa-rawmemchr.patch \
-           file://Fixed-swig-host-contamination-issue.patch \
-           file://0001-lib-i386_table.h-add-new-syscall.patch \
-           file://auditd \
-           file://auditd.service \
-           file://audit-volatile.conf \
-"
-
-S = "${WORKDIR}/git"
-SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c"
-
-inherit autotools python3native update-rc.d systemd
-
-UPDATERCPN = "auditd"
-INITSCRIPT_NAME = "auditd"
-INITSCRIPT_PARAMS = "defaults"
-
-SYSTEMD_PACKAGES = "auditd"
-SYSTEMD_SERVICE:auditd = "auditd.service"
-
-DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
-
-EXTRA_OECONF += "--without-prelude \
-        --with-libwrap \
-        --enable-gssapi-krb5=no \
-        --with-libcap-ng=yes \
-        --with-python3=yes \
-        --libdir=${base_libdir} \
-        --sbindir=${base_sbindir} \
-        --without-python \
-        --without-golang \
-        --disable-zos-remote \
-        "
-EXTRA_OECONF:append:arm = " --with-arm=yes"
-EXTRA_OECONF:append:aarch64 = " --with-aarch64=yes"
-
-EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
-       PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
-       pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
-       STDINC='${STAGING_INCDIR}' \
-       pkgconfigdir=${libdir}/pkgconfig \
-       "
-
-SUMMARY:audispd-plugins = "Plugins for the audit event dispatcher"
-DESCRIPTION:audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
-interface to the audit system, audispd. These plugins can do things \
-like relay events to remote machines or analyze events for suspicious \
-behavior."
-
-PACKAGES =+ "audispd-plugins"
-PACKAGES += "auditd ${PN}-python"
-
-FILES:${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
-FILES:auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"
-FILES:audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
-       ${sysconfdir}/audisp/plugins.d/au-remote.conf \
-       ${sbindir}/audisp-remote ${localstatedir}/spool/audit \
-       "
-FILES:${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
-FILES:${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
-
-CONFFILES:auditd += "${sysconfdir}/audit/audit.rules"
-RDEPENDS:auditd += "bash"
-
-do_install:append() {
-       rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
-       rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
-
-       # reuse auditd config
-       [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
-       mv ${D}/etc/sysconfig/auditd ${D}/etc/default
-       rmdir ${D}/etc/sysconfig/
-
-       # replace init.d
-       install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
-       rm -rf ${D}/etc/rc.d
-
-       if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-               install -d ${D}${sysconfdir}/tmpfiles.d/
-               install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
-       fi
-
-       # install systemd unit files
-       install -d ${D}${systemd_unitdir}/system
-       install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
-
-       # audit-2.5 doesn't install any rules by default, so we do that here
-       mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
-       cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
-
-       chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
-       chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
-
-       # Based on the audit.spec "Copy default rules into place on new installation"
-       cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
-}
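Review bot: This recipe is the audit userspace (`auditd`, `audispd-plugins`, the default `audit.rules`), which is useful independent of Smack, and the deletion leaves no provider for `auditd` in the lines shown. Please either name the layer that is expected to supply audit from now on or state in the commit message that audit logging is dropped on purpose, so an image that still lists `auditd` fails for a documented reason.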
diff --git a/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb b/meta-app-framework/recipes-security/cynagoauth/cynagoauth_0.1.bb
deleted file mode 100644 (file)
index d76181c..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-DESCRIPTION = "OAuth server using cynagora backend"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagoauth.git;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "26a5dbddf3a9bfde481a6fcd2aae16c7ecba665f"
-PV = "0.1+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-DEPENDS = "json-c libmicrohttpd openssl cynagora"
-
-inherit cmake
-
-EXTRA_OECMAKE += " \
-       -DDEFAULTHOSTS=:7777 \
-       -DDEFAULTURL=http://localhost:7777/tok \
-       -DUNITDIR_SYSTEM=${systemd_system_unitdir} \
-"
-
-FILES:${PN} += "${systemd_system_unitdir}"
-
-
diff --git a/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora-cynara-compat_2.1.bb
deleted file mode 100644 (file)
index 55edbce..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-DESCRIPTION = "Cynara service with client libraries"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60"
-PV = "2.1+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-inherit cmake
-
-PROVIDES = "cynara"
-RPROVIDES:${PN} = "cynara"
-DEPENDS = "libcap"
-RDEPENDS:${PN} = "cynagora"
-
-EXTRA_OECMAKE += " \
-       -DWITH_SYSTEMD=OFF \
-       -DWITH_CYNARA_COMPAT=ON \
-       -DDIRECT_CYNARA_COMPAT=ON \
-"
-
-do_install:append() {
-       # remove cynagora stuff
-       rm $(find ${D} -name '*cynagora*')
-       # remove stupid test
-       rm -r ${D}${bindir}
-}
-
diff --git a/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest b/meta-app-framework/recipes-security/cynagora/cynagora/run-ptest
deleted file mode 100755 (executable)
index f95f072..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-# test access to cynagora server
-cynagora-admin list > /dev/null
diff --git a/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb b/meta-app-framework/recipes-security/cynagora/cynagora_2.1.bb
deleted file mode 100644 (file)
index 2ed1b15..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-DESCRIPTION = "Cynagora service and client libraries"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://Apache-2.0;md5=3b83ef96387f14655fc854ddc3c6bd57"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/src/cynagora;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "7d7907651c42c5c32deabc17b639e0e1765eae60"
-PV = "2.1+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-DEPENDS = "systemd libcap"
-
-inherit cmake
-
-EXTRA_OECMAKE += " \
-       -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
-       -DWITH_SYSTEMD=ON \
-       -DWITH_CYNARA_COMPAT=OFF \
-"
-
-inherit useradd
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM:${PN} = "-r cynagora"
-USERADD_PARAM:${PN} = "\
---system --home ${localstatedir}/lib/empty \
---no-create-home --shell /bin/false \
---gid cynagora cynagora \
-"
-
-FILES:${PN} += "${systemd_system_unitdir}"
-
-PACKAGES =+ "${PN}-tools"
-FILES:${PN}-tools += "${bindir}/cynagora-admin ${bindir}/cynagora-agent"
-RDEPENDS:${PN}:append:agl-devel = " ${PN}-tools"
-
-inherit ptest
-SRC_URI:append = " file://run-ptest"
-RDEPENDS:${PN}-ptest:append = " ${PN}-tools"
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager.inc b/meta-app-framework/recipes-security/security-manager/security-manager.inc
deleted file mode 100644 (file)
index c6bc123..0000000
+++ /dev/null
@@ -1,83 +0,0 @@
-DESCRIPTION = "Security manager and utilities"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327;beginline=3"
-
-inherit cmake
-
-B = "${S}"
-
-DEPENDS = " \
-   attr \
-   boost \
-   cynara \
-   icu \
-   libcap \
-   smack \
-   sqlite3 \
-   systemd \
-"
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[debug] = "-DCMAKE_BUILD_TYPE=DEBUG,-DCMAKE_BUILD_TYPE=RELEASE"
-
-TZ_SYS_DB ?= "/var/db/security-manager"
-
-EXTRA_OECMAKE = " \
-   -DCMAKE_VERBOSE_MAKEFILE=ON \
-   -DVERSION=${PV} \
-   -DSYSTEMD_INSTALL_DIR=${systemd_unitdir}/system \
-   -DBIN_INSTALL_DIR=${bindir} \
-   -DDB_INSTALL_DIR=${TZ_SYS_DB} \
-   -DLIB_INSTALL_DIR=${libdir} \
-   -DSHARE_INSTALL_PREFIX=${datadir} \
-   -DINCLUDE_INSTALL_DIR=${includedir} \
-"
-
-inherit systemd
-SYSTEMD_SERVICE:${PN} = "security-manager.service"
-
-inherit features_check
-REQUIRED_DISTRO_FEATURES += "smack"
-
-# The upstream source code contains the Tizen-specific policy configuration files.
-# To replace them, create a security-manager.bbappend and set the following variable to a
-# space-separated list of policy file names (not URIs!), for example:
-# SECURITY_MANAGER_POLICY = "privilege-group.list usertype-system.profile"
-#
-# Leave it empty to use the upstream Tizen policy.
-SECURITY_MANAGER_POLICY ?= ""
-SRC_URI:append = " ${@' '.join(['file://' + x for x in d.getVar('SECURITY_MANAGER_POLICY', True).split()])}"
-python do_patch:append () {
-    import os
-    import shutil
-    import glob
-    files = d.getVar('SECURITY_MANAGER_POLICY', True).split()
-    if files:
-        s = d.getVar('S', True)
-        workdir = d.getVar('WORKDIR', True)
-        for pattern in ['*.profile', '*.list']:
-            for old_file in glob.glob(s + '/policy/' + pattern):
-                os.unlink(old_file)
-        for file in files:
-            shutil.copy(file, s + '/policy')
-}
-
-do_install:append () {
-   install -d ${D}/${systemd_unitdir}/system/multi-user.target.wants
-   ln -s ../security-manager.service ${D}/${systemd_unitdir}/system/multi-user.target.wants/security-manager.service
-   install -d ${D}/${systemd_unitdir}/system/sockets.target.wants
-   ln -s ../security-manager.socket ${D}/${systemd_unitdir}/system/sockets.target.wants/security-manager.socket
-}
-
-RDEPENDS:${PN} += "sqlite3 cynara"
-FILES:${PN} += " \
-   ${systemd_unitdir} \
-   ${TZ_SYS_DB} \
-   ${bindir}/.security-manager-setup \
-"
-
-PACKAGES =+ "${PN}-policy"
-FILES:${PN}-policy = " \
-   ${datadir}/${PN} \
-   ${bindir}/security-manager-policy-reload \
-"
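Review bot: the comment block above `SECURITY_MANAGER_POLICY ?= ""` tells downstream layers to create a `security-manager.bbappend`, and removing security-manager leaves any such bbappend dangling, which BitBake treats as a parse error unless `BB_DANGLING_APPENDS_WARNONLY` is set. The commit message lists the removed layers but not this extension point; please call it out there so downstream policy overrides are dropped in the same step.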
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-Adapt-rules-to-AGL.patch
deleted file mode 100644 (file)
index 4c91f7f..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From 935e4e4e746b5ffcda80c80097dc75c2581c1a89 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Wed, 19 Oct 2016 13:45:54 +0200
-Subject: [PATCH] Adapt rules to AGL
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-AGL distribution uses the repository https://github.com/01org/meta-intel-iot-security.git
-as basis for the integration of security framework. The security framework
-that it provides is an evolution of the security framework of tizen refited
-to the distribution Ostro of Intel. This refit took the decision to simplify
-the model by removing the running label "User". More can be viewed here:
-https://github.com/01org/meta-intel-iot-security/pull/116
-
-This commits adapt the template to the rules that are now needed
-after this evolution.
-
-It also integrates one other evolutions: the shared label becomes User::App-Shared instead
-of User::App::Shared to avoid collision with application of id "Shared".
-
-Change-Id: Ieb566b63f8c8e691b5f75e06499a3b576d042546
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- policy/app-rules-template.smack | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/policy/app-rules-template.smack b/policy/app-rules-template.smack
-index 1311169..b4cd2e3 100644
---- a/policy/app-rules-template.smack
-+++ b/policy/app-rules-template.smack
-@@ -1,12 +1,10 @@
--System ~APP~ rwx
-+System ~APP~ rwxa
-+System ~PKG~ rwxat
- ~APP~ System wx
- ~APP~ System::Shared rx
- ~APP~ System::Run rwxat
- ~APP~ System::Log rwxa
- ~APP~ _ l
--User ~APP~ rwxa
--User ~PKG~ rwxat
--~APP~ User wx
- ~APP~ User::Home rxl
--~APP~ User::App::Shared rwxat
-+~APP~ User::App-Shared rwxat
- ~APP~ ~PKG~ rwxat
--- 
-2.7.4
-
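Review bot: this template is where the per-application Smack access rules were defined (`~APP~ System wx`, `~APP~ User::Home rxl`, `~APP~ ~PKG~ rwxat`), and the commit message says only that the SMACK-based framework is deprecated, not what confines applications on master between this removal and the integration of the new framework. Please state in the commit message whether master is expected to run without per-app MAC rules during that window, so that nobody builds an image from it on the assumption that isolation is still enforced.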
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0001-systemd-stop-using-compat-libs.patch
deleted file mode 100644 (file)
index 91ce819..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-From 3d9d1d83fe298a364f51ad752c17aad461beded3 Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Tue, 24 Mar 2015 04:54:03 -0700
-Subject: [PATCH 01/14] systemd: stop using compat libs
-
-libsystemd-journal and libsystemd-daemon are considered obsolete
-in systemd since 2.09 and may not be available (not compiled
-by default).
-
-The code works fine with the current libsystemd, so just
-use that.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
----
- src/common/CMakeLists.txt | 2 +-
- src/server/CMakeLists.txt | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
-index 2da9c3e..968c7c1 100644
---- a/src/common/CMakeLists.txt
-+++ b/src/common/CMakeLists.txt
-@@ -3,7 +3,7 @@ SET(COMMON_VERSION ${COMMON_VERSION_MAJOR}.0.2)
- PKG_CHECK_MODULES(COMMON_DEP
-     REQUIRED
--    libsystemd-journal
-+    libsystemd
-     libsmack
-     db-util
-     cynara-admin
-diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
-index 753eb96..6849d76 100644
---- a/src/server/CMakeLists.txt
-+++ b/src/server/CMakeLists.txt
-@@ -1,6 +1,6 @@
- PKG_CHECK_MODULES(SERVER_DEP
-     REQUIRED
--    libsystemd-daemon
-+    libsystemd
-     )
- FIND_PACKAGE(Boost REQUIRED)
--- 
-2.21.0
-
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch
deleted file mode 100644 (file)
index b634648..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From a90515613f09140049b2bdf471fa83d5dd7bad1c Mon Sep 17 00:00:00 2001
-From: Patrick Ohly <patrick.ohly@intel.com>
-Date: Wed, 19 Aug 2015 15:02:32 +0200
-Subject: [PATCH 02/14] security-manager-policy-reload: do not depend on GNU
- sed
-
-\U (= make replacement uppercase) is a GNU sed extension which is not
-supported by other sed implementation's (like the one from
-busybox). When using busybox, the bucket for user profiles became
-USER_TYPE_Uadmin instead USER_TYPE_ADMIN.
-
-To make SecurityManager more portable, better use tr to turn the
-bucket name into uppercase.
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-Upstream-Status: Submitted (https://github.com/Samsung/security-manager/pull/1
----
- policy/security-manager-policy-reload | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload
-index 274c49c..6f211c6 100755
---- a/policy/security-manager-policy-reload
-+++ b/policy/security-manager-policy-reload
-@@ -33,7 +33,7 @@ END
- find "$POLICY_PATH" -name "usertype-*.profile" |
- while read file
- do
--    bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\U\1|'`"
-+    bucket="`echo $file | sed -r 's|.*/usertype-(.*).profile$|USER_TYPE_\1|' | tr '[:lower:]' '[:upper:]'`"
-     # Re-create the bucket with empty contents
-     cyad --delete-bucket=$bucket || true
--- 
-2.21.0
-
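Review bot: the replaced line in `security-manager-policy-reload` still expands `$file` and `$bucket` unquoted (`echo $file`, `cyad --delete-bucket=$bucket`) and reads names with `read` rather than `read -r`, so a profile file name containing whitespace, glob characters or backslashes yields a different bucket name than intended. The script goes away with this commit; if the bucket-naming logic is reused elsewhere, quote both expansions and escape the dot in `.profile$`.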
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0003-Smack-rules-create-two-new-functions.patch
deleted file mode 100644 (file)
index d79345e..0000000
+++ /dev/null
@@ -1,117 +0,0 @@
-From a80e33bc0a10fa4bed5d0b7bf29f45dd2565d309 Mon Sep 17 00:00:00 2001
-From: Alejandro Joya <alejandro.joya.cruz@intel.com>
-Date: Wed, 4 Nov 2015 19:01:35 -0600
-Subject: [PATCH 03/14] Smack-rules: create two new functions
-
-It let to smack-rules to create multiple set of rules
-related with the privileges.
-
-It runs from the same bases than for a static set of rules on the
-template, but let you add 1 or many templates for different cases.
-
-Change-Id: I14f8d4e914ad5a7ba34c96f3cb5589f0b15292de
-Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
----
- src/common/include/smack-rules.h | 15 +++++++++++
- src/common/smack-rules.cpp       | 44 ++++++++++++++++++++++++++++++++
- 2 files changed, 59 insertions(+)
-
-diff --git a/src/common/include/smack-rules.h b/src/common/include/smack-rules.h
-index 91446a7..3ad9dd4 100644
---- a/src/common/include/smack-rules.h
-+++ b/src/common/include/smack-rules.h
-@@ -47,6 +47,8 @@ public:
-     void addFromTemplate(const std::vector<std::string> &templateRules,
-         const std::string &appId, const std::string &pkgId);
-     void addFromTemplateFile(const std::string &appId, const std::string &pkgId);
-+    void addFromTemplateFile(const std::string &appId, const std::string &pkgId,
-+      const std::string &path);
-     void apply() const;
-     void clear() const;
-@@ -74,6 +76,19 @@ public:
-      */
-     static void installApplicationRules(const std::string &appId, const std::string &pkgId,
-         const std::vector<std::string> &pkgContents);
-+    /**
-+     * Install privileges-specific smack rules.
-+     *
-+     * Function creates smack rules using predefined template. Rules are applied
-+     * to the kernel and saved on persistent storage so they are loaded on system boot.
-+     *
-+     * @param[in] appId - application id that is beeing installed
-+     * @param[in] pkgId - package id that the application is in
-+     * @param[in] pkgContents - a list of all applications in the package
-+     * @param[in] privileges - a list of all prvileges
-+     */
-+    static void installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
-+        const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges);
-     /**
-      * Uninstall package-specific smack rules.
-      *
-diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
-index 3629e0f..922a56f 100644
---- a/src/common/smack-rules.cpp
-+++ b/src/common/smack-rules.cpp
-@@ -135,6 +135,29 @@ void SmackRules::saveToFile(const std::string &path) const
-     }
- }
-+void SmackRules::addFromTemplateFile(const std::string &appId,
-+        const std::string &pkgId, const std::string &path)
-+{
-+    std::vector<std::string> templateRules;
-+    std::string line;
-+    std::ifstream templateRulesFile(path);
-+
-+    if (!templateRulesFile.is_open()) {
-+        LogError("Cannot open rules template file: " << path);
-+        ThrowMsg(SmackException::FileError, "Cannot open rules template file: " << path);
-+    }
-+
-+    while (std::getline(templateRulesFile, line)) {
-+        templateRules.push_back(line);
-+    }
-+
-+    if (templateRulesFile.bad()) {
-+        LogError("Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
-+        ThrowMsg(SmackException::FileError, "Error reading template file: " << APP_RULES_TEMPLATE_FILE_PATH);
-+    }
-+
-+    addFromTemplate(templateRules, appId, pkgId);
-+}
- void SmackRules::addFromTemplateFile(const std::string &appId,
-         const std::string &pkgId)
-@@ -223,7 +246,28 @@ std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
-     std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" +  appId).c_str()));
-     return path;
- }
-+void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
-+        const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
-+{
-+    SmackRules smackRules;
-+    std::string appPath = getApplicationRulesFilePath(appId);
-+    smackRules.loadFromFile(appPath);
-+    struct stat buffer;
-+    for (auto privilege : privileges) {
-+        if (privilege.empty())
-+            continue;
-+        std::string fprivilege ( privilege + "-template.smack");
-+        std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
-+        if( stat(path.c_str(), &buffer) == 0)
-+            smackRules.addFromTemplateFile(appId, pkgId, path);
-+    }
-+
-+    if (smack_smackfs_path() != NULL)
-+        smackRules.apply();
-+    smackRules.saveToFile(appPath);
-+    updatePackageRules(pkgId, pkgContents);
-+}
- void SmackRules::installApplicationRules(const std::string &appId, const std::string &pkgId,
-         const std::vector<std::string> &pkgContents)
- {
--- 
-2.21.0
-
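Review bot: in `installApplicationPrivilegesRules` the template file name is built directly from the caller-supplied string (`privilege + "-template.smack"`, then passed to `tzplatform_mkpath4`), and nothing in this hunk restricts `privilege` to a plain name, so a value containing a path separator could select a file outside the policy directory. If this lookup is carried into the replacement framework, check the privilege against an allow-list before building the path. Separately, the `bad()` branch of the new `addFromTemplateFile` overload logs `APP_RULES_TEMPLATE_FILE_PATH` instead of `path`, so a read error would be reported against the wrong file.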
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0004-app-install-implement-multiple-set-of-smack-rules.patch
deleted file mode 100644 (file)
index 59d4971..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From a5979d9d674e400ecd7fcdf5d7589cfa0cfeb492 Mon Sep 17 00:00:00 2001
-From: Alejandro Joya <alejandro.joya.cruz@intel.com>
-Date: Wed, 4 Nov 2015 19:06:23 -0600
-Subject: [PATCH 04/14] app-install: implement multiple set of smack-rules
-
-If it's need it could create load multiple set of smack rules
-related with the privileges.
-It wouldn't affect the case that only the default set of rules is need it.
-
-Signed-off-by: Alejandro Joya <alejandro.joya.cruz@intel.com>
----
- src/common/service_impl.cpp | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
-index 7fd621c..ae305d3 100644
---- a/src/common/service_impl.cpp
-+++ b/src/common/service_impl.cpp
-@@ -338,6 +338,12 @@ int appInstall(const app_inst_req &req, uid_t uid)
-         LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
-                 << req.pkgId << ". Applications in package: " << pkgContents.size());
-         SmackRules::installApplicationRules(req.appId, req.pkgId, pkgContents);
-+      /*Setup for privileges custom rules*/
-+       LogDebug("Adding Smack rules for new appId: " << req.appId << " with pkgId: "
-+                << req.pkgId << ". Applications in package: " << pkgContents.size()
-+              << " and Privileges");
-+      SmackRules::installApplicationPrivilegesRules(req.appId, req.pkgId,
-+          pkgContents,req.privileges);
-     } catch (const SmackException::Base &e) {
-         LogError("Error while applying Smack policy for application: " << e.DumpToString());
-         return SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED;
--- 
-2.21.0
-
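Review bot: the added call to `installApplicationPrivilegesRules` sits in the same `try` as `installApplicationRules`, so if the privilege step throws, the handler returns `SECURITY_MANAGER_API_ERROR_SETTING_FILE_LABEL_FAILED` while whatever the first call installed is left in place; this hunk shows no rollback. The added lines also mix tabs and spaces, and the second `LogDebug` nearly duplicates the first.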
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0005-c-11-replace-deprecated-auto_ptr.patch
deleted file mode 100644 (file)
index 0739f28..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From 198ba9b9782fda19803e94d2afeff91189ac27af Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
-Date: Wed, 13 Jan 2016 17:30:06 +0100
-Subject: [PATCH 05/14] c++11: replace deprecated auto_ptr
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream-Status: Submitted [https://review.tizen.org/gerrit/#/c/56940/]
-
-Change-Id: Id793c784c9674eef48f346226c094bdd9f7bbda8
-Signed-off-by: José Bollo <jobol@nonadev.net>
----
- src/dpl/core/include/dpl/binary_queue.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/dpl/core/include/dpl/binary_queue.h b/src/dpl/core/include/dpl/binary_queue.h
-index dd03f5e..185b6c7 100644
---- a/src/dpl/core/include/dpl/binary_queue.h
-+++ b/src/dpl/core/include/dpl/binary_queue.h
-@@ -33,7 +33,7 @@ namespace SecurityManager {
-  * Binary queue auto pointer
-  */
- class BinaryQueue;
--typedef std::auto_ptr<BinaryQueue> BinaryQueueAutoPtr;
-+typedef std::unique_ptr<BinaryQueue> BinaryQueueAutoPtr;
- /**
-  * Binary stream implemented as constant size bucket list
--- 
-2.21.0
-
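Review bot: the typedef keeps the name `BinaryQueueAutoPtr` although it now aliases `std::unique_ptr<BinaryQueue>`, which is move-only where `std::auto_ptr` transferred ownership on copy; the unchanged name hides that difference from anyone reading the call sites. A rename (for example `BinaryQueuePtr`) would have made the change explicit.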
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0006-socket-manager-removes-tizen-specific-call.patch
deleted file mode 100644 (file)
index 3b8aad9..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-From ec098bf03cea23350ca7d1ea2ad88b9c88228943 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 8 Jan 2016 16:53:46 +0100
-Subject: [PATCH 06/14] socket-manager: removes tizen specific call
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The function 'smack_fgetlabel' is specific to Tizen
-and is no more maintained upstream.
-
-Upstream-Status: Accepted [https://review.tizen.org/gerrit/#/c/56507/]
-
-Change-Id: I3802742b1758efe37b33e6d968ff727d68f2fd1f
-Signed-off-by: José Bollo <jobol@nonadev.net>
----
- src/server/main/socket-manager.cpp | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/server/main/socket-manager.cpp b/src/server/main/socket-manager.cpp
-index 94c54c6..5e1a79b 100644
---- a/src/server/main/socket-manager.cpp
-+++ b/src/server/main/socket-manager.cpp
-@@ -30,6 +30,7 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <sys/smack.h>
-+#include <linux/xattr.h>
- #include <sys/un.h>
- #include <sys/stat.h>
- #include <unistd.h>
-@@ -493,9 +494,9 @@ int SocketManager::CreateDomainSocketHelp(
-     if (smack_check()) {
-         LogInfo("Set up smack label: " << desc.smackLabel);
--        if (0 != smack_fsetlabel(sockfd, desc.smackLabel.c_str(), SMACK_LABEL_IPIN)) {
--            LogError("Error in smack_fsetlabel");
--            ThrowMsg(Exception::InitFailed, "Error in smack_fsetlabel");
-+        if (0 != smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, desc.smackLabel.c_str())) {
-+            LogError("Error in smack_set_label_for_file");
-+            ThrowMsg(Exception::InitFailed, "Error in smack_set_label_for_file");
-         }
-     } else {
-         LogInfo("No smack on platform. Socket won't be securied with smack label!");
--- 
-2.21.0
-
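Review bot: the commit message of this patch names `smack_fgetlabel` as the Tizen-specific call, but the change replaces `smack_fsetlabel(sockfd, ..., SMACK_LABEL_IPIN)` with `smack_set_label_for_file(sockfd, XATTR_NAME_SMACKIPIN, ...)`, so the message and the diff disagree on which function is affected. The Signed-off-by address (jobol@nonadev.net) also differs from the From address (jose.bollo@iot.bzh). Both are worth correcting if the patch is ever resubmitted.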
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0007-removes-dependency-to-libslp-db-utils.patch
deleted file mode 100644 (file)
index bad99d2..0000000
+++ /dev/null
@@ -1,78 +0,0 @@
-From 9d0791dab4b4df086374c5c0ba2a6558e10e81c1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Mon, 16 Nov 2015 15:56:27 +0100
-Subject: [PATCH 07/14] removes dependency to libslp-db-utils
-
-Change-Id: I90471e77d20e04bae58cc42eb2639e4aef97fdec
----
- src/common/CMakeLists.txt         |  3 ++-
- src/dpl/db/src/sql_connection.cpp | 17 +----------------
- 2 files changed, 3 insertions(+), 17 deletions(-)
-
-diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt
-index 968c7c1..9ae376f 100644
---- a/src/common/CMakeLists.txt
-+++ b/src/common/CMakeLists.txt
-@@ -5,7 +5,8 @@ PKG_CHECK_MODULES(COMMON_DEP
-     REQUIRED
-     libsystemd
-     libsmack
--    db-util
-+    sqlite3
-+    icu-i18n
-     cynara-admin
-     cynara-client
-     )
-diff --git a/src/dpl/db/src/sql_connection.cpp b/src/dpl/db/src/sql_connection.cpp
-index fdb4fe4..f49a6dc 100644
---- a/src/dpl/db/src/sql_connection.cpp
-+++ b/src/dpl/db/src/sql_connection.cpp
-@@ -26,7 +26,6 @@
- #include <memory>
- #include <dpl/noncopyable.h>
- #include <dpl/assert.h>
--#include <db-util.h>
- #include <unistd.h>
- #include <cstdio>
- #include <cstdarg>
-@@ -606,16 +605,7 @@ void SqlConnection::Connect(const std::string &address,
-     // Connect to database
-     int result;
--    if (type & Flag::UseLucene) {
--        result = db_util_open_with_options(
--                address.c_str(),
--                &m_connection,
--                flag,
--                NULL);
--
--        m_usingLucene = true;
--        LogPedantic("Lucene index enabled");
--    } else {
-+    (void)type;
-         result = sqlite3_open_v2(
-                 address.c_str(),
-                 &m_connection,
-@@ -624,7 +614,6 @@ void SqlConnection::Connect(const std::string &address,
-         m_usingLucene = false;
-         LogPedantic("Lucene index disabled");
--    }
-     if (result == SQLITE_OK) {
-         LogPedantic("Connected to DB");
-@@ -653,11 +642,7 @@ void SqlConnection::Disconnect()
-     int result;
--    if (m_usingLucene) {
--        result = db_util_close(m_connection);
--    } else {
-         result = sqlite3_close(m_connection);
--    }
-     if (result != SQLITE_OK) {
-         const char *error = sqlite3_errmsg(m_connection);
--- 
-2.21.0
-
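Review bot: after this change `SqlConnection::Connect` discards `type` with `(void)type;`, so a caller that passes `Flag::UseLucene` silently gets a plain `sqlite3_open_v2` connection and only a pedantic-level "Lucene index disabled" log. Rejecting the flag, or logging at warning level, would make the behaviour change visible. The statements left over from the removed `else` branch are still indented one level too deep, and the patch carries no Signed-off-by line.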
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0008-Fix-gcc6-build.patch
deleted file mode 100644 (file)
index 5ece7ef..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-From a1d9b40b4fa2e73d31a53e398c286bffeaae1732 Mon Sep 17 00:00:00 2001
-From: Ronan <ronan.lemartret@iot.bzh>
-Date: Wed, 12 Oct 2016 17:48:55 +0200
-Subject: [PATCH 08/14] Fix gcc6 build
-
-Signed-off-by: ronan <ronan@ot.bzh>
----
- src/client/client-security-manager.cpp | 1 +
- src/common/include/privilege_db.h      | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/src/client/client-security-manager.cpp b/src/client/client-security-manager.cpp
-index 74a6b30..347cddd 100644
---- a/src/client/client-security-manager.cpp
-+++ b/src/client/client-security-manager.cpp
-@@ -46,6 +46,7 @@
- #include <service_impl.h>
- #include <security-manager.h>
- #include <client-offline.h>
-+#include <linux/xattr.h>
- static const char *EMPTY = "";
-diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
-index 4d73d90..08fb9d6 100644
---- a/src/common/include/privilege_db.h
-+++ b/src/common/include/privilege_db.h
-@@ -32,6 +32,7 @@
- #include <map>
- #include <stdbool.h>
- #include <string>
-+#include <vector>
- #include <dpl/db/sql_connection.h>
- #include <tzplatform_config.h>
--- 
-2.21.0
-
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0009-Fix-Cmake-conf-for-gcc6-build.patch
deleted file mode 100644 (file)
index 706eb1a..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 382379d74221bcc60a0ab70d63430a1c0587b2ec Mon Sep 17 00:00:00 2001
-From: Ronan <ronan.lemartret@iot.bzh>
-Date: Thu, 13 Oct 2016 11:37:47 +0200
-Subject: [PATCH 09/14] Fix Cmake conf for gcc6 build
-
-Signed-off-by: Ronan <ronan.lemartret@iot.bzh>
----
- src/cmd/CMakeLists.txt    | 4 +---
- src/server/CMakeLists.txt | 1 -
- 2 files changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/src/cmd/CMakeLists.txt b/src/cmd/CMakeLists.txt
-index ee9a160..aa7a12c 100644
---- a/src/cmd/CMakeLists.txt
-+++ b/src/cmd/CMakeLists.txt
-@@ -1,8 +1,6 @@
- FIND_PACKAGE(Boost REQUIRED COMPONENTS program_options)
--INCLUDE_DIRECTORIES(SYSTEM
--    ${Boost_INCLUDE_DIRS}
--    )
-+
- INCLUDE_DIRECTORIES(
-     ${INCLUDE_PATH}
-diff --git a/src/server/CMakeLists.txt b/src/server/CMakeLists.txt
-index 6849d76..9598037 100644
---- a/src/server/CMakeLists.txt
-+++ b/src/server/CMakeLists.txt
-@@ -8,7 +8,6 @@ FIND_PACKAGE(Threads REQUIRED)
- INCLUDE_DIRECTORIES(SYSTEM
-     ${SERVER_DEP_INCLUDE_DIRS}
--    ${Boost_INCLUDE_DIRS}
-     ${Threads_INCLUDE_DIRS}
-     )
--- 
-2.21.0
-
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0010-gcc-7-requires-include-functional-for-std-function.patch
deleted file mode 100644 (file)
index 0f48c5f..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From 8e93699c0f225716f3cd5eff790270ae9e3880f9 Mon Sep 17 00:00:00 2001
-From: Changhyeok Bae <changhyeok.bae@gmail.com>
-Date: Sun, 17 Dec 2017 15:40:58 +0000
-Subject: [PATCH 10/14] gcc-7 requires include <functional> for std::function
-
-Signed-off-by: Changhyeok Bae <changhyeok.bae@gmail.com>
----
- src/client/client-common.cpp      | 1 +
- src/common/smack-labels.cpp       | 1 +
- src/dpl/core/src/binary_queue.cpp | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/src/client/client-common.cpp b/src/client/client-common.cpp
-index 883ab8d..1babdf7 100644
---- a/src/client/client-common.cpp
-+++ b/src/client/client-common.cpp
-@@ -31,6 +31,7 @@
- #include <sys/xattr.h>
- #include <linux/xattr.h>
- #include <unistd.h>
-+#include <functional>
- #include <dpl/log/log.h>
- #include <dpl/serialization.h>
-diff --git a/src/common/smack-labels.cpp b/src/common/smack-labels.cpp
-index 0294a42..1598099 100644
---- a/src/common/smack-labels.cpp
-+++ b/src/common/smack-labels.cpp
-@@ -29,6 +29,7 @@
- #include <sys/xattr.h>
- #include <linux/xattr.h>
- #include <memory>
-+#include <functional>
- #include <fts.h>
- #include <cstring>
- #include <string>
-diff --git a/src/dpl/core/src/binary_queue.cpp b/src/dpl/core/src/binary_queue.cpp
-index 72817a6..838409f 100644
---- a/src/dpl/core/src/binary_queue.cpp
-+++ b/src/dpl/core/src/binary_queue.cpp
-@@ -26,6 +26,7 @@
- #include <malloc.h>
- #include <cstring>
- #include <new>
-+#include <functional>
- namespace SecurityManager {
- BinaryQueue::BinaryQueue() :
--- 
-2.21.0
-
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0011-Fix-gcc8-warning-error-Werror-catch-value.patch
deleted file mode 100644 (file)
index 5c679fc..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From 243b7ffee16558d7cb9b411f49380138efeffca9 Mon Sep 17 00:00:00 2001
-From: Stephane Desneux <stephane.desneux@iot.bzh>
-Date: Fri, 1 Feb 2019 12:26:17 +0000
-Subject: [PATCH 11/14] Fix gcc8 warning/error [-Werror=catch-value=]
-
-Fixes the following warning/error during compile:
-
-src/dpl/core/src/assert.cpp:61:14: error: catching polymorphic type 'class SecurityManager::Exception' by value [-Werror=catch-value=]
-|      } catch (Exception) {
-|               ^~~~~~~~~
-
-Signed-off-by: Stephane Desneux <stephane.desneux@iot.bzh>
----
- src/dpl/core/src/assert.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/dpl/core/src/assert.cpp b/src/dpl/core/src/assert.cpp
-index 63538a2..fc60ce9 100644
---- a/src/dpl/core/src/assert.cpp
-+++ b/src/dpl/core/src/assert.cpp
-@@ -58,7 +58,7 @@ void AssertProc(const char *condition,
-         INTERNAL_LOG("### Function: " << function);
-         INTERNAL_LOG(
-             "################################################################################");
--    } catch (Exception) {
-+    } catch (Exception const&) {
-         // Just ignore possible double errors
-     }
--- 
-2.21.0
-
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0012-Avoid-casting-from-const-T-to-void.patch
deleted file mode 100644 (file)
index 91ccf9e..0000000
+++ /dev/null
@@ -1,122 +0,0 @@
-From 5ee51d38575f289c2bf37ed817ef680ed47bb320 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 1 Feb 2019 15:37:44 +0100
-Subject: [PATCH 12/14] Avoid casting from "const T&" to "void*"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Latest version of g++ refuse the cast
-
-     reinterpret_cast<void (Service::*)(void*)>(serviceFunction)
-
-I made no investigation to know if the problem
-is coming from the const or not.
-
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- src/server/main/include/service-thread.h | 42 ++++++++++--------------
- 1 file changed, 18 insertions(+), 24 deletions(-)
-
-diff --git a/src/server/main/include/service-thread.h b/src/server/main/include/service-thread.h
-index 964d168..61fdda8 100644
---- a/src/server/main/include/service-thread.h
-+++ b/src/server/main/include/service-thread.h
-@@ -94,7 +94,7 @@ public:
-             Join();
-         while (!m_eventQueue.empty()){
-             auto front = m_eventQueue.front();
--            delete front.eventPtr;
-+            delete front;
-             m_eventQueue.pop();
-         }
-     }
-@@ -104,34 +104,28 @@ public:
-                Service *servicePtr,
-                void (Service::*serviceFunction)(const T &))
-     {
--        EventDescription description;
--        description.serviceFunctionPtr =
--            reinterpret_cast<void (Service::*)(void*)>(serviceFunction);
--        description.servicePtr = servicePtr;
--        description.eventFunctionPtr = &ServiceThread::EventCall<T>;
--        description.eventPtr = new T(event);
-+        EventCallerBase *ec = new EventCaller<T>(event, servicePtr, serviceFunction);
-         {
-             std::lock_guard<std::mutex> lock(m_eventQueueMutex);
--            m_eventQueue.push(description);
-+            m_eventQueue.push(ec);
-         }
-         m_waitCondition.notify_one();
-     }
- protected:
--    struct EventDescription {
--        void (Service::*serviceFunctionPtr)(void *);
--        Service *servicePtr;
--        void (ServiceThread::*eventFunctionPtr)(const EventDescription &event);
--        GenericEvent* eventPtr;
-+    struct EventCallerBase {
-+       virtual void fire() = 0;
-+       virtual ~EventCallerBase() {}
-     };
-     template <class T>
--    void EventCall(const EventDescription &desc) {
--        auto fun = reinterpret_cast<void (Service::*)(const T&)>(desc.serviceFunctionPtr);
--        const T& eventLocale = *(static_cast<T*>(desc.eventPtr));
--        (desc.servicePtr->*fun)(eventLocale);
--    }
-+    struct EventCaller : public EventCallerBase {
-+        T *event; Service *target; void (Service::*function)(const T&);
-+        EventCaller(const T &e, Service *c, void (Service::*f)(const T&)) : event(new T(e)), target(c), function(f) {}
-+      ~EventCaller() { delete event; }
-+      void fire() { (target->*function)(*event); }
-+    };
-     static void ThreadLoopStatic(ServiceThread *ptr) {
-         ptr->ThreadLoop();
-@@ -139,33 +133,33 @@ protected:
-     void ThreadLoop(){
-         for (;;) {
--            EventDescription description = {NULL, NULL, NULL, NULL};
-+            EventCallerBase *ec = NULL;
-             {
-                 std::unique_lock<std::mutex> ulock(m_eventQueueMutex);
-                 if (m_quit)
-                     return;
-                 if (!m_eventQueue.empty()) {
--                    description = m_eventQueue.front();
-+                    ec = m_eventQueue.front();
-                     m_eventQueue.pop();
-                 } else {
-                     m_waitCondition.wait(ulock);
-                 }
-             }
--            if (description.eventPtr != NULL) {
-+            if (ec != NULL) {
-                 UNHANDLED_EXCEPTION_HANDLER_BEGIN
-                 {
--                    (this->*description.eventFunctionPtr)(description);
--                    delete description.eventPtr;
-+                    ec->fire();
-                 }
-                 UNHANDLED_EXCEPTION_HANDLER_END
-+                delete ec;
-             }
-         }
-     }
-     std::thread m_thread;
-     std::mutex m_eventQueueMutex;
--    std::queue<EventDescription> m_eventQueue;
-+    std::queue<EventCallerBase*> m_eventQueue;
-     std::condition_variable m_waitCondition;
-     State m_state;
--- 
-2.21.0
-
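Review bot: `EventCaller` owns `T *event` through a raw pointer and frees it in its destructor, but its copy constructor and copy assignment are left implicit, so any copy would lead to a double delete; holding the event by value (`T event;`) would remove both the `new` and the `delete`. The queue likewise stores raw `EventCallerBase*`, where `std::unique_ptr<EventCallerBase>` would make ownership explicit across `push`, `front`/`pop` and the destructor loop.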
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0013-Removing-tizen-platform-config.patch
deleted file mode 100644 (file)
index fb62159..0000000
+++ /dev/null
@@ -1,259 +0,0 @@
-From 6c96a39ba7a7763ccd47e379dbfd8d376164985f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Mon, 16 Nov 2015 14:26:25 +0100
-Subject: [PATCH 13/14] Removing tizen-platform-config
-
-Change-Id: Ic832a2b75229517b09faba969c27fb1a4b490121
----
- CMakeLists.txt                                | 16 +++++++-
- db/CMakeLists.txt                             |  2 +-
- policy/CMakeLists.txt                         |  1 +
- ...load => security-manager-policy-reload.in} |  4 +-
- src/common/file-lock.cpp                      |  4 +-
- src/common/include/file-lock.h                |  1 -
- src/common/include/privilege_db.h             |  3 +-
- src/common/service_impl.cpp                   | 39 ++++++-------------
- src/common/smack-rules.cpp                    | 12 ++----
- 9 files changed, 37 insertions(+), 45 deletions(-)
- rename policy/{security-manager-policy-reload => security-manager-policy-reload.in} (94%)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 28790d8..37a43cc 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -49,7 +49,7 @@ ADD_DEFINITIONS("-Wall")                        # Generate all warnings
- ADD_DEFINITIONS("-Wextra")                      # Generate even more extra warnings
- STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}")
--ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
-+ADD_DEFINITIONS("-DAPI_VERSION=\"${API_VERSION}\"")
- ADD_DEFINITIONS("-DSMACK_ENABLED")
-@@ -58,6 +58,20 @@ IF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
-     ADD_DEFINITIONS("-DBUILD_TYPE_DEBUG")
- ENDIF (CMAKE_BUILD_TYPE MATCHES "DEBUG")
-+SET(DATADIR        "/usr/share/security-manager" CACHE STRING "path to data directory")
-+SET(SMACKRULESDIR  "/etc/smack/accesses.d"       CACHE STRING "path to Smack rules directory")
-+SET(LOCKDIR        "/var/run/lock"               CACHE STRING "path to lock directory")
-+SET(DB_INSTALL_DIR "/var/db/security-manager"    CACHE STRING "path to database directory")
-+SET(DB_FILENAME    ".security-manager.db"        CACHE STRING "basename of database")
-+SET(GLOBALUSER     "userapp"                     CACHE STRING "name of the global user")
-+
-+ADD_DEFINITIONS("-DDATADIR=\"${DATADIR}\"")
-+ADD_DEFINITIONS("-DSMACKRULESDIR=\"${SMACKRULESDIR}\"")
-+ADD_DEFINITIONS("-DLOCKDIR=\"${LOCKDIR}\"")
-+ADD_DEFINITIONS("-DDB_INSTALL_DIR=\"${DB_INSTALL_DIR}\"")
-+ADD_DEFINITIONS("-DDB_FILENAME=\"${DB_FILENAME}\"")
-+ADD_DEFINITIONS("-DGLOBALUSER=\"${GLOBALUSER}\"")
-+
- ADD_SUBDIRECTORY(src)
- ADD_SUBDIRECTORY(pc)
- ADD_SUBDIRECTORY(systemd)
-diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
-index 9e8ffcc..d7af1a0 100644
---- a/db/CMakeLists.txt
-+++ b/db/CMakeLists.txt
-@@ -1,4 +1,4 @@
--SET(TARGET_DB ".security-manager.db")
-+SET(TARGET_DB "$(DB_FILENAME)")
- ADD_CUSTOM_COMMAND(
-     OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
-diff --git a/policy/CMakeLists.txt b/policy/CMakeLists.txt
-index bd08edc..626a2bd 100644
---- a/policy/CMakeLists.txt
-+++ b/policy/CMakeLists.txt
-@@ -1,4 +1,5 @@
- FILE(GLOB USERTYPE_POLICY_FILES usertype-*.profile)
-+CONFIGURE_FILE(security-manager-policy-reload.in security-manager-policy-reload @ONLY)
- INSTALL(FILES ${USERTYPE_POLICY_FILES} DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
- INSTALL(FILES "app-rules-template.smack" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
- INSTALL(FILES "privilege-group.list" DESTINATION ${SHARE_INSTALL_PREFIX}/security-manager/policy)
-diff --git a/policy/security-manager-policy-reload b/policy/security-manager-policy-reload.in
-similarity index 94%
-rename from policy/security-manager-policy-reload
-rename to policy/security-manager-policy-reload.in
-index 6f211c6..c1bc4e2 100755
---- a/policy/security-manager-policy-reload
-+++ b/policy/security-manager-policy-reload.in
-@@ -1,8 +1,8 @@
- #!/bin/sh -e
--POLICY_PATH=/usr/share/security-manager/policy
-+POLICY_PATH=@DATADIR@/policy
- PRIVILEGE_GROUP_MAPPING=$POLICY_PATH/privilege-group.list
--DB_FILE=`tzplatform-get TZ_SYS_DB | cut -d= -f2`/.security-manager.db
-+DB_FILE=@DB_INSTALL_DIR@/@DB_FILENAME@
- # Create default buckets
- while read bucket default_policy
-diff --git a/src/common/file-lock.cpp b/src/common/file-lock.cpp
-index 6f3996c..88d2092 100644
---- a/src/common/file-lock.cpp
-+++ b/src/common/file-lock.cpp
-@@ -30,9 +30,7 @@
- namespace SecurityManager {
--char const * const SERVICE_LOCK_FILE = tzplatform_mkpath3(TZ_SYS_RUN,
--                                                         "lock",
--                                                         "security-manager.lock");
-+char const * const SERVICE_LOCK_FILE = LOCKDIR "/security-manager.lock";
- FileLocker::FileLocker(const std::string &lockFile, bool blocking)
- {
-diff --git a/src/common/include/file-lock.h b/src/common/include/file-lock.h
-index 604b019..21a86a0 100644
---- a/src/common/include/file-lock.h
-+++ b/src/common/include/file-lock.h
-@@ -29,7 +29,6 @@
- #include <dpl/exception.h>
- #include <dpl/noncopyable.h>
--#include <tzplatform_config.h>
- namespace SecurityManager {
-diff --git a/src/common/include/privilege_db.h b/src/common/include/privilege_db.h
-index 08fb9d6..3344987 100644
---- a/src/common/include/privilege_db.h
-+++ b/src/common/include/privilege_db.h
-@@ -35,14 +35,13 @@
- #include <vector>
- #include <dpl/db/sql_connection.h>
--#include <tzplatform_config.h>
- #ifndef PRIVILEGE_DB_H_
- #define PRIVILEGE_DB_H_
- namespace SecurityManager {
--const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
-+const char *const PRIVILEGE_DB_PATH = DB_INSTALL_DIR "/" DB_FILENAME;
- enum class QueryType {
-     EGetPkgPrivileges,
-diff --git a/src/common/service_impl.cpp b/src/common/service_impl.cpp
-index ae305d3..42150fe 100644
---- a/src/common/service_impl.cpp
-+++ b/src/common/service_impl.cpp
-@@ -32,7 +32,6 @@
- #include <algorithm>
- #include <dpl/log/log.h>
--#include <tzplatform_config.h>
- #include "protocols.h"
- #include "privilege_db.h"
-@@ -131,7 +130,13 @@ static inline int validatePolicy(policy_entry &policyEntry, std::string uidStr,
- static uid_t getGlobalUserId(void)
- {
--    static uid_t globaluid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
-+    static uid_t globaluid = 0;
-+    if (!globaluid) {
-+        struct passwd pw, *p;
-+        char buf[4096];
-+        int rc = getpwnam_r(GLOBALUSER, &pw, buf, sizeof buf, &p);
-+        globaluid = (rc || p == NULL) ? 555 : p->pw_uid;
-+    }
-     return globaluid;
- }
-@@ -161,37 +166,17 @@ static inline bool isSubDir(const char *parent, const char *subdir)
- static bool getUserAppDir(const uid_t &uid, std::string &userAppDir)
- {
--    struct tzplatform_context *tz_ctx = nullptr;
--
--    if (tzplatform_context_create(&tz_ctx))
--            return false;
--
--    if (tzplatform_context_set_user(tz_ctx, uid)) {
--        tzplatform_context_destroy(tz_ctx);
--        tz_ctx = nullptr;
-+    struct passwd pw, *p;
-+    char buf[4096];
-+    int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &p);
-+    if (rc || p == NULL)
-         return false;
--    }
--
--    enum tzplatform_variable id =
--            (uid == getGlobalUserId()) ? TZ_SYS_RW_APP : TZ_USER_APP;
--    const char *appDir = tzplatform_context_getenv(tz_ctx, id);
--    if (!appDir) {
--        tzplatform_context_destroy(tz_ctx);
--        tz_ctx = nullptr;
--        return false;
--    }
--
--    userAppDir = appDir;
--
--    tzplatform_context_destroy(tz_ctx);
--    tz_ctx = nullptr;
--
-+    userAppDir = p->pw_dir;
-     return true;
- }
- static inline bool installRequestAuthCheck(const app_inst_req &req, uid_t uid, bool &isCorrectPath, std::string &appPath)
- {
--    std::string userHome;
-     std::string userAppDir;
-     std::stringstream correctPath;
-diff --git a/src/common/smack-rules.cpp b/src/common/smack-rules.cpp
-index 922a56f..c2e0041 100644
---- a/src/common/smack-rules.cpp
-+++ b/src/common/smack-rules.cpp
-@@ -34,7 +34,6 @@
- #include <memory>
- #include <dpl/log/log.h>
--#include <tzplatform_config.h>
- #include "smack-labels.h"
- #include "smack-rules.h"
-@@ -43,7 +42,7 @@ namespace SecurityManager {
- const char *const SMACK_APP_LABEL_TEMPLATE     = "~APP~";
- const char *const SMACK_PKG_LABEL_TEMPLATE     = "~PKG~";
--const char *const APP_RULES_TEMPLATE_FILE_PATH = tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", "app-rules-template.smack");
-+const char *const APP_RULES_TEMPLATE_FILE_PATH = DATADIR "/policy/app-rules-template.smack";
- const char *const SMACK_APP_IN_PACKAGE_PERMS   = "rwxat";
- SmackRules::SmackRules()
-@@ -237,14 +236,12 @@ void SmackRules::generatePackageCrossDeps(const std::vector<std::string> &pkgCon
- std::string SmackRules::getPackageRulesFilePath(const std::string &pkgId)
- {
--    std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("pkg_" + pkgId).c_str()));
--    return path;
-+    return SMACKRULESDIR "/pkg_" + pkgId;
- }
- std::string SmackRules::getApplicationRulesFilePath(const std::string &appId)
- {
--    std::string path(tzplatform_mkpath3(TZ_SYS_SMACK, "accesses.d", ("app_" +  appId).c_str()));
--    return path;
-+    return SMACKRULESDIR "/app_" + appId;
- }
- void SmackRules::installApplicationPrivilegesRules(const std::string &appId, const std::string &pkgId,
-         const std::vector<std::string> &pkgContents, const std::vector<std::string> &privileges)
-@@ -256,8 +253,7 @@ void SmackRules::installApplicationPrivilegesRules(const std::string &appId, con
-     for (auto privilege : privileges) {
-         if (privilege.empty())
-             continue;
--        std::string fprivilege ( privilege + "-template.smack");
--        std::string path(tzplatform_mkpath4(TZ_SYS_SHARE, "security-manager", "policy", fprivilege.c_str()));
-+        std::string path = DATADIR "/policy/" + privilege + "-template.smack";
-         if( stat(path.c_str(), &buffer) == 0)
-             smackRules.addFromTemplateFile(appId, pkgId, path);
-     }
--- 
-2.21.0
-
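Review bot: In the `getGlobalUserId()` hunk of this deleted patch, a failed or empty `getpwnam_r(GLOBALUSER, ...)` lookup silently falls back to the hardcoded uid 555 (`globaluid = (rc || p == NULL) ? 555 : p->pw_uid;`), so a missing account changes which uid is treated as the global application user without any log line or error. If this code is reused, log and fail the request instead of guessing a uid. Separately, the `db/CMakeLists.txt` hunk writes `SET(TARGET_DB "$(DB_FILENAME)")` with make-style `$(...)`, which CMake does not expand, even though the same patch corrects `$(API_VERSION)` to `${API_VERSION}`.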
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0014-Ensure-post-install-initialization-of-database.patch
deleted file mode 100644 (file)
index 542a387..0000000
+++ /dev/null
@@ -1,78 +0,0 @@
-From c7f9d14e38a1b6d40b2fffa01433a3025eff9abd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Tue, 26 Nov 2019 12:34:39 +0100
-Subject: [PATCH 14/14] Ensure post install initialization of database
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Creation of the database was made during image creation,
-leading to issue with SOTA. This adds the creation on
-need before launching the service.
-
-Change-Id: Idfd0676bd87d39f7c10eaafd63f3a318f675c972
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- db/CMakeLists.txt                   | 14 ++++++--------
- db/security-manager-setup           | 14 ++++++++++++++
- systemd/security-manager.service.in |  1 +
- 3 files changed, 21 insertions(+), 8 deletions(-)
- create mode 100644 db/security-manager-setup
-
-diff --git a/db/CMakeLists.txt b/db/CMakeLists.txt
-index d7af1a0..dcf5bc8 100644
---- a/db/CMakeLists.txt
-+++ b/db/CMakeLists.txt
-@@ -1,12 +1,10 @@
--SET(TARGET_DB "$(DB_FILENAME)")
--
- ADD_CUSTOM_COMMAND(
--    OUTPUT ${TARGET_DB} ${TARGET_DB}-journal
--    COMMAND sqlite3 ${TARGET_DB} <db.sql
--    )
-+    OUTPUT .security-manager-setup
-+    COMMAND sed '/--DB\.SQL--/r db.sql' security-manager-setup > .security-manager-setup
-+    DEPENDS security-manager-setup db.sql
-+)
- # Add a dummy build target to trigger building of ${TARGET_DB}
--ADD_CUSTOM_TARGET(DB ALL DEPENDS ${TARGET_DB})
-+ADD_CUSTOM_TARGET(DB ALL DEPENDS .security-manager-setup)
--INSTALL(FILES ${TARGET_DB} DESTINATION ${DB_INSTALL_DIR})
--INSTALL(FILES ${TARGET_DB}-journal DESTINATION ${DB_INSTALL_DIR})
-+INSTALL(PROGRAMS .security-manager-setup DESTINATION ${BIN_INSTALL_DIR})
-diff --git a/db/security-manager-setup b/db/security-manager-setup
-new file mode 100644
-index 0000000..5675baf
---- /dev/null
-+++ b/db/security-manager-setup
-@@ -0,0 +1,14 @@
-+#!/bin/sh
-+
-+if test -f "$1"; then exit; fi
-+set -e
-+dbdir="$(dirname "$1")"
-+dbfile="$(basename "$1")"
-+test -n "$dbfile"
-+test -n "$dbdir"
-+mkdir -p "$dbdir"
-+cd "$dbdir"
-+sqlite3 "$dbfile" << END-OF-CAT
-+--DB.SQL--
-+END-OF-CAT
-+
-diff --git a/systemd/security-manager.service.in b/systemd/security-manager.service.in
-index 23fd1b2..2bf97d7 100644
---- a/systemd/security-manager.service.in
-+++ b/systemd/security-manager.service.in
-@@ -3,5 +3,6 @@ Description=Start the security manager
- [Service]
- Type=notify
-+ExecStartPre=@BIN_INSTALL_DIR@/.security-manager-setup @DB_INSTALL_DIR@/@DB_FILENAME@
- ExecStart=@BIN_INSTALL_DIR@/security-manager
- Sockets=security-manager.socket
--- 
-2.21.0
-
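Review bot: In `db/security-manager-setup`, `if test -f "$1"; then exit; fi` treats any existing file as an initialised database, so a `sqlite3` run that fails partway can leave a partial file behind, after which every later `ExecStartPre` invocation exits early and the service starts on an incomplete schema. If the script is reused elsewhere, create the database under a temporary name in `$dbdir` and `mv` it into place only after `sqlite3` succeeds. The here-document delimiter is also unquoted (`<< END-OF-CAT`), so the shell expands any `$` or backquote in the inlined `db.sql`; `<< 'END-OF-CAT'` avoids that.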
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch b/meta-app-framework/recipes-security/security-manager/security-manager/0015-Restrict-socket-accesses.patch
deleted file mode 100644 (file)
index d994919..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7cffcd61378a9d7c0e7db5691b2da3a37448c969 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Thu, 30 Jan 2020 09:19:25 +0100
-Subject: [PATCH 15/15] Restrict socket accesses
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ensure that only members of the group and the owner can access
-the security manager.
-
-Bug-AGL: SPEC-3146
-
-Change-Id: I68ce6523db4bfd4707c3680555c3cb0cf8858ef2
-Signed-off-by: José Bollo <jose.bollo@iot.bzh>
----
- systemd/security-manager.socket | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/systemd/security-manager.socket b/systemd/security-manager.socket
-index af1c1da..b401f77 100644
---- a/systemd/security-manager.socket
-+++ b/systemd/security-manager.socket
-@@ -1,6 +1,6 @@
- [Socket]
- ListenStream=/run/security-manager.socket
--SocketMode=0777
-+SocketMode=0660
- SmackLabelIPIn=*
- SmackLabelIPOut=@
--- 
-2.21.1
-
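Review bot: Deleting this patch drops the `SocketMode=0777` to `SocketMode=0660` restriction on `/run/security-manager.socket`, which is only safe because `security-manager_git.bb`, the recipe that lists `0015-Restrict-socket-accesses.patch` in `SRC_URI`, is deleted in the same change. Please confirm that no remaining layer or downstream bbappend still builds security-manager from the upstream `SRCREV`, since that build would ship the world-writable socket again. No `SocketUser=` or `SocketGroup=` is visible in this hunk, so the commit message's "members of the group" depends on unit defaults that the patch did not document.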
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend b/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend
deleted file mode 100644 (file)
index ba3365f..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/security-manager:"
-
-EXTRA_OECMAKE =+ " -DGLOBALUSER=afm"
-
-SRC_URI += " \
-   file://0001-Adapt-rules-to-AGL.patch \
-"
-
-do_install:append() {
-   # Needed for wayland-0 socket access and memfd usage
-   echo "~APP~ System::Weston rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
-   echo "System::Weston ~APP~ rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
-}
diff --git a/meta-app-framework/recipes-security/security-manager/security-manager_git.bb b/meta-app-framework/recipes-security/security-manager/security-manager_git.bb
deleted file mode 100644 (file)
index b349735..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-require security-manager.inc
-
-PV = "1.0.2+git${SRCPV}"
-SRCREV = "860305a595d681d650024ad07b3b0977e1fcb0a6"
-SRC_URI += "git://github.com/Samsung/security-manager.git"
-S = "${WORKDIR}/git"
-
-SRC_URI += " \
-   file://0001-systemd-stop-using-compat-libs.patch \
-   file://0002-security-manager-policy-reload-do-not-depend-on-GNU-.patch \
-   file://0003-Smack-rules-create-two-new-functions.patch \
-   file://0004-app-install-implement-multiple-set-of-smack-rules.patch \
-   file://0005-c-11-replace-deprecated-auto_ptr.patch \
-   file://0006-socket-manager-removes-tizen-specific-call.patch \
-   file://0007-removes-dependency-to-libslp-db-utils.patch \
-   file://0008-Fix-gcc6-build.patch \
-   file://0009-Fix-Cmake-conf-for-gcc6-build.patch \
-   file://0010-gcc-7-requires-include-functional-for-std-function.patch \
-   file://0011-Fix-gcc8-warning-error-Werror-catch-value.patch \
-   file://0012-Avoid-casting-from-const-T-to-void.patch \
-   file://0013-Removing-tizen-platform-config.patch \
-   file://0014-Ensure-post-install-initialization-of-database.patch \
-   file://0015-Restrict-socket-accesses.patch \
-"
-
-# Use make with cmake and not ninja
-OECMAKE_GENERATOR = "Unix Makefiles"
diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_1.%.bbappend
deleted file mode 100644 (file)
index afbc16c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'xmlsec1_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc b/meta-app-framework/recipes-security/xmlsec1/xmlsec1_appfw.inc
deleted file mode 100644 (file)
index 09820be..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-# Disable nss to avoid build issues on native
-PACKAGECONFIG = "gnutls libgcrypt openssl des"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch b/meta-app-framework/recipes-support/libcap/libcap/removing-capability-enforcement.patch
deleted file mode 100644 (file)
index fa359fa..0000000
+++ /dev/null
@@ -1,87 +0,0 @@
-From c34b2725817d4fd1fd6878bbb16617cb9e3e3a70 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jose.bollo@iot.bzh>
-Date: Fri, 22 Jan 2016 16:23:59 +0100
-Subject: [PATCH] removing capability enforcement
-
-Signed-off-by: ronan <ronan@iot.bzh>
-
-Change-Id: Idb724192ceab176a611bbed45c0ebc9c8eb5dd30
----
- progs/setcap.c | 45 +--------------------------------------------
- 1 file changed, 1 insertion(+), 44 deletions(-)
-
-diff --git a/progs/setcap.c b/progs/setcap.c
-index 7304343..71999b6 100644
---- a/progs/setcap.c
-+++ b/progs/setcap.c
-@@ -58,11 +58,9 @@ static int read_caps(int quiet, const char *filename, char *buffer)
- int main(int argc, char **argv)
- {
--    int tried_to_cap_setfcap = 0;
-     char buffer[MAXCAP+1];
-     int retval, quiet=0, verify=0;
-     cap_t mycaps;
--    cap_value_t capflag;
-     if (argc < 3) {
-       usage();
-@@ -150,54 +148,13 @@ int main(int argc, char **argv)
-               printf("%s: OK\n", *argv);
-           }
-       } else {
--          if (!tried_to_cap_setfcap) {
--              capflag = CAP_SETFCAP;
--
--              /*
--               * Raise the effective CAP_SETFCAP.
--               */
--              if (cap_set_flag(mycaps, CAP_EFFECTIVE, 1, &capflag, CAP_SET)
--                  != 0) {
--                  perror("unable to manipulate CAP_SETFCAP - "
--                         "try a newer libcap?");
--                  exit(1);
--              }
--              if (cap_set_proc(mycaps) != 0) {
--                  perror("unable to set CAP_SETFCAP effective capability");
--                  exit(1);
--              }
--              tried_to_cap_setfcap = 1;
--          }
-           retval = cap_set_file(*++argv, cap_d);
-           if (retval != 0) {
--              int explained = 0;
-               int oerrno = errno;
--#ifdef linux
--              cap_value_t cap;
--              cap_flag_value_t per_state;
--
--              for (cap = 0;
--                   cap_get_flag(cap_d, cap, CAP_PERMITTED, &per_state) != -1;
--                   cap++) {
--                  cap_flag_value_t inh_state, eff_state;
--
--                  cap_get_flag(cap_d, cap, CAP_INHERITABLE, &inh_state);
--                  cap_get_flag(cap_d, cap, CAP_EFFECTIVE, &eff_state);
--                  if ((inh_state | per_state) != eff_state) {
--                      fprintf(stderr, "NOTE: Under Linux, effective file capabilities must either be empty, or\n"
--                              "      exactly match the union of selected permitted and inheritable bits.\n");
--                      explained = 1;
--                      break;
--                  }
--              }
--#endif /* def linux */
--              
-               fprintf(stderr,
-                       "Failed to set capabilities on file `%s' (%s)\n",
-                       argv[0], strerror(oerrno));
--              if (!explained) {
--                  usage();
--              }
-+
-           }
-       }
-       if (cap_d) {
--- 
-2.6.6
-
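Review bot: In the `cap_set_file` failure branch of this deleted patch, removing `if (!explained) { usage(); }` leaves only the `fprintf`, so a failed capability write is reported on stderr and nothing else in the visible branch stops the tool. The patch was already unused, since its `SRC_URI` line in `libcap_appfw.inc` is commented out behind a FIXME, so removing it here is consistent. If it is ever revived, the branch should exit non-zero after the message so that an image build cannot finish with binaries that silently lack their file capabilities.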
diff --git a/meta-app-framework/recipes-support/libcap/libcap_%.bbappend b/meta-app-framework/recipes-support/libcap/libcap_%.bbappend
deleted file mode 100644 (file)
index 6107ee7..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'libcap_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-support/libcap/libcap_appfw.inc b/meta-app-framework/recipes-support/libcap/libcap_appfw.inc
deleted file mode 100644 (file)
index a33fd99..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-FILESEXTRAPATHS:append:class-native := ":${THISDIR}/libcap"
-# FIXME: It needs to be determined if this is still required
-#SRC_URI:append:class-native = " file://removing-capability-enforcement.patch"
diff --git a/meta-app-framework/recipes-support/libzip/libzip_%.bbappend b/meta-app-framework/recipes-support/libzip/libzip_%.bbappend
deleted file mode 100644 (file)
index d559c2f..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('APPFW_ENABLED', '1', 'libzip_appfw.inc', '', d)}
diff --git a/meta-app-framework/recipes-support/libzip/libzip_appfw.inc b/meta-app-framework/recipes-support/libzip/libzip_appfw.inc
deleted file mode 100644 (file)
index 5174650..0000000
+++ /dev/null
@@ -1 +0,0 @@
-BBCLASSEXTEND += "native nativesdk"
diff --git a/meta-app-framework/recipes-test/afb-test/afb-test_git.bb b/meta-app-framework/recipes-test/afb-test/afb-test_git.bb
deleted file mode 100644 (file)
index 6fd1424..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-SUMMARY = "Binding embedding test framework to test others binding"
-DESCRIPTION = "This make testing binding running with Application Framework binder \
-easier by simply test verb return as well as event reception."
-HOMEPAGE = "https://gerrit.automotivelinux.org/gerrit/#/admin/projects/apps/app-afb-test"
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SECTION = "apps"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/apps/app-afb-test;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "${AGL_APP_REVISION}"
-
-DEPENDS += "lua libafb-helpers libappcontroller"
-RDEPENDS:${PN} += "lua bash jq"
-RDEPENDS:${PN}-ptest += "af-binder"
-
-PV = "${AGLVERSION}"
-S  = "${WORKDIR}/git"
-
-inherit cmake aglwgt pkgconfig ptest
-
-do_install:append() {
-       install -d ${D}${bindir}
-       install -m 775 ${S}/afm-test.target.sh ${D}${bindir}/afm-test
-}
-
diff --git a/meta-app-framework/recipes-test/afb-test/files/run-ptest b/meta-app-framework/recipes-test/afb-test/files/run-ptest
deleted file mode 100644 (file)
index 883939a..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-afm-test /usr/AGL/apps/testwgt/aftest-test.wgt
diff --git a/meta-app-framework/scripts/run-yocto-check-layer-enabled-flags.sh b/meta-app-framework/scripts/run-yocto-check-layer-enabled-flags.sh
deleted file mode 100755 (executable)
index 762a79e..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-set -x
-SCRIPTPATH="$( cd $(dirname $0) >/dev/null 2>&1 ; pwd -P )"
-echo $SCRIPTPATH
-AGLROOT="$SCRIPTPATH/../../.."
-POKYDIR="$AGLROOT/external/poky"
-TMPROOT="/tmp"
-
-rm -rf ${TMPROOT}/testbuild-ycl || true
-mkdir -p ${TMPROOT}/testbuild-ycl
-cd ${TMPROOT}/testbuild-ycl
-
-source $POKYDIR/oe-init-build-env .
-
-cat << EOF >> conf/local.conf
-# just define defaults
-AGL_FEATURES ?= ""
-AGL_EXTRA_IMAGE_FSTYPES ?= ""
-
-# important settings imported from poky-agl.conf
-# we do not import 
-DISTRO_FEATURES:append = " systemd smack"
-DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
-VIRTUAL-RUNTIME_init_manager = "systemd"
-
-# skip unnecessary in yocto-check-layer - aka FIXME upstream
-BBMASK += "meta-security/recipes-mac/smack/smack-test_1.0.bb"
-BBMASK += "packagegroup-core-security-ptest.bb"
-
-# missing in upstream recipes ... aka FIXME upstream
-BBCLASSEXTEND:pn-libzip = "native nativesdk"
-BBCLASSEXTEND:pn-xmlsec1 = "native nativesdk"
-
-DISTRO_FEATURES:append = " appfw smack "
-
-EOF
-
-
-yocto-check-layer \
-  --dependency $AGLROOT/external/meta-openembedded/meta-oe \
-               $AGLROOT/external/meta-security \
-               $AGLROOT/external/meta-openembedded/meta-python \
-               $AGLROOT/external/meta-openembedded/meta-networking \
-               $AGLROOT/external/meta-openembedded/meta-perl \
-               $AGLROOT/external/meta-qt5/ \
-               -- \
-               $AGLROOT/meta-agl/meta-app-framework/ 
-
-[ $? = 0 ] && rm -rf ${TMPROOT}/testbuild-ycl
-
-
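Review bot: `TMPROOT="/tmp"` combined with the fixed name `testbuild-ycl` gives this script a predictable working directory in a world-writable location that is `rm -rf`'d and recreated on every run, and `$(dirname $0)`, `$SCRIPTPATH` and `$POKYDIR` are expanded unquoted. The file is being deleted, so nothing needs to change here; if the pattern is copied into another check script, use `mktemp -d` for the build directory and quote the path expansions.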
diff --git a/meta-app-framework/scripts/run-yocto-check-layer.sh b/meta-app-framework/scripts/run-yocto-check-layer.sh
deleted file mode 100755 (executable)
index c324d64..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-set -x
-SCRIPTPATH="$( cd $(dirname $0) >/dev/null 2>&1 ; pwd -P )"
-echo $SCRIPTPATH
-AGLROOT="$SCRIPTPATH/../../.."
-POKYDIR="$AGLROOT/external/poky"
-TMPROOT="/tmp"
-
-rm -rf ${TMPROOT}/testbuild-ycl || true
-mkdir -p ${TMPROOT}/testbuild-ycl
-cd ${TMPROOT}/testbuild-ycl
-
-source $POKYDIR/oe-init-build-env .
-
-cat << EOF >> conf/local.conf
-# just define defaults
-AGL_FEATURES ?= ""
-AGL_EXTRA_IMAGE_FSTYPES ?= ""
-
-# important settings imported from poky-agl.conf
-# we do not import 
-DISTRO_FEATURES:append = " systemd smack"
-DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
-VIRTUAL-RUNTIME_init_manager = "systemd"
-
-# skip unnecessary in yocto-check-layer - aka FIXME upstream
-BBMASK += "meta-security/recipes-mac/smack/smack-test_1.0.bb"
-BBMASK += "packagegroup-core-security-ptest.bb"
-
-# missing in upstream recipes ... aka FIXME upstream
-BBCLASSEXTEND:pn-libzip = "native nativesdk"
-BBCLASSEXTEND:pn-xmlsec1 = "native nativesdk"
-
-EOF
-
-
-yocto-check-layer \
-  --dependency $AGLROOT/external/meta-openembedded/meta-oe \
-               $AGLROOT/external/meta-security \
-               $AGLROOT/external/meta-openembedded/meta-python \
-               $AGLROOT/external/meta-openembedded/meta-networking \
-               $AGLROOT/external/meta-openembedded/meta-perl \
-               $AGLROOT/external/meta-qt5/ \
-               -- \
-               $AGLROOT/meta-agl/meta-app-framework/ 
-
-[ $? = 0 ] && rm -rf ${TMPROOT}/testbuild-ycl
-
-
index 2b8bc63..92927df 100644 (file)
@@ -21,7 +21,6 @@ EOF
 
 # global variables
 
-SMACK=n
 NBD_SERVER=
 NBD_PORT=10809
 NBD_DEV=/dev/nbd0
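Review bot: The `SMACK=n` global is removed here and the block that set `SMACK=y` is removed in the next hunk, but the parts of the script outside these hunks are not shown. Please check that no remaining line still tests `$SMACK`, because it would now expand to an empty string instead of `n`.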
@@ -109,17 +108,6 @@ check_debug "Debug point 1. Exit to continue initrd script (mount NBD device)."
 
 log_info "NBD parameters: device $NBD_DEV, server $NBD_SERVER:$NBD_PORT"
 
-# check if smack is active (and if so, mount smackfs)
-grep -q smackfs /proc/filesystems && {
-       SMACK=y
-
-       do_mount_fs smackfs /sys/fs/smackfs
-
-       # adjust current label and network label
-       echo System >/proc/self/attr/current
-       echo System >/sys/fs/smackfs/ambient
-}
-
 # start nbd client
 try=5
 while :;do
@@ -165,9 +153,8 @@ fi
 # also use /proc/net/pnp to generate /etc/resolv.conf
 rm -f /etc/resolv.conf
 grep -v bootserver /proc/net/pnp | sed 's/^domain/search/g' >/etc/resolv.conf
-chsmack -A /etc/resolv.conf
 
-# unmount tmp and run to let systemd remount them with correct smack labels (SPEC-2596)
+# unmount tmp and run to let systemd remount them
 log_info "Unmounting /tmp and /run"
 umount /tmp
 umount /run
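Review bot: The rewritten comment, `# unmount tmp and run to let systemd remount them`, drops the only stated reason for the two `umount` calls, which was getting correct Smack labels (SPEC-2596). With Smack gone, either remove the `umount /tmp` and `umount /run` lines or say in the comment why systemd still needs to remount them, so the next reader does not have to dig the rationale out of history.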
index cf7a75a..4e814f5 100755 (executable)
@@ -20,14 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
 
 # important settings imported from poky-agl.conf
 # we do not import 
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 
-# workaround
-# ERROR: Nothing PROVIDES 'smack' (but meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
 NETBOOT_ENABLED = "1"
 NETBOOT_FSTYPES ??= "ext4.gz"
 
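Review bot: The removed `BBMASK` entry for `ostree_2020.3.bb` existed because of `Nothing PROVIDES 'smack'`, and this hunk assumes that dropping `smack` from `DISTRO_FEATURES:append` also removes that dependency. Please confirm with a `yocto-check-layer` run that the now unmasked ostree recipe parses and resolves its dependencies, and state that in the commit message, since the workaround comment that explained the mask is deleted along with it.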
index 09e655a..b36788a 100755 (executable)
@@ -20,15 +20,10 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
 
 # important settings imported from poky-agl.conf
 # we do not import 
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 
-# workaround
-# ERROR: Nothing PROVIDES 'smack' (but meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2020.3.bb DEPENDS on or otherwise requires it)
-BBMASK += "meta-oe/recipes-extended/ostree/ostree_2020.3.bb"
-
-
 EOF
 
 
index a4965e5..aec34d7 100644 (file)
@@ -12,10 +12,5 @@ BBFILE_PRIORITY_meta-pipewire = "71"
 LAYERSERIES_COMPAT_meta-pipewire = "dunfell"
 LAYERDEPENDS_meta-pipewire = "openembedded-layer"
 
-BBFILES_DYNAMIC += " \
-    app-framework:${LAYERDIR}/dynamic-layers/meta-app-framework/*/*/*.bb \
-    app-framework:${LAYERDIR}/dynamic-layers/meta-app-framework/*/*/*.bbappend \
-"
-
 #
 LICENSE_PATH += "${LAYERDIR}/licenses"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-apis/agl-service-audiomixer/agl-service-audiomixer_git.bb b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-apis/agl-service-audiomixer/agl-service-audiomixer_git.bb
deleted file mode 100644 (file)
index f7235c1..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-SUMMARY     = "Audio Mixer Service Binding"
-DESCRIPTION = "AGL Audio Mixer Service Binding"
-SECTION     = "apps"
-LICENSE     = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=3;md5=e8ad01a5182f2c1b3a2640e9ea268264"
-
-PV = "0.1+git${SRCPV}"
-
-SRC_URI = "git://gerrit.automotivelinux.org/gerrit/apps/agl-service-audiomixer.git;protocol=https;branch=${AGL_BRANCH}"
-SRCREV = "${AGL_APP_REVISION}"
-
-S  = "${WORKDIR}/git"
-
-inherit cmake aglwgt pkgconfig
-
-DEPENDS += "pipewire wireplumber json-c"
-RDEPENDS:${PN} = "agl-service-signal-composer"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend
deleted file mode 100644 (file)
index 691236d..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-RDEPENDS:${PN} += " \
-    agl-service-audiomixer \
-    "
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch
deleted file mode 100644 (file)
index 17cb6ec..0000000
+++ /dev/null
@@ -1,263 +0,0 @@
-From b6854927aaf5e5970178ed9b0c6647bb759f2092 Mon Sep 17 00:00:00 2001
-From: George Kiagiadakis <george.kiagiadakis@collabora.com>
-Date: Tue, 16 Feb 2021 17:26:20 +0200
-Subject: [PATCH] modules: add new access-seclabel module
-
-This module allows access control based on the security label
-of the client. It is tailored for use with the semantics of SMACK
-
-Upstream-Status: Inappropriate [smack specific]
-
----
- src/modules/meson.build              |  10 ++
- src/modules/module-access-seclabel.c | 220 +++++++++++++++++++++++++++
- 2 files changed, 230 insertions(+)
- create mode 100644 src/modules/module-access-seclabel.c
-
-diff --git a/src/modules/meson.build b/src/modules/meson.build
-index f51aa29c..21b52d49 100644
---- a/src/modules/meson.build
-+++ b/src/modules/meson.build
-@@ -56,6 +56,16 @@ pipewire_module_echo_cancel = shared_library('pipewire-module-echo-cancel',
-   dependencies : [mathlib, dl_lib, pipewire_dep, webrtc_dep],
- )
-+pipewire_module_access_seclabel = shared_library('pipewire-module-access-seclabel',
-+  [ 'module-access-seclabel.c' ],
-+  c_args : pipewire_module_c_args,
-+  include_directories : [configinc, spa_inc],
-+  install : true,
-+  install_dir : modules_install_dir,
-+  install_rpath: modules_install_dir,
-+  dependencies : [mathlib, dl_lib, pipewire_dep],
-+)
-+
- pipewire_module_profiler = shared_library('pipewire-module-profiler',
-   [ 'module-profiler.c',
-     'module-profiler/protocol-native.c', ],
-diff --git a/src/modules/module-access-seclabel.c b/src/modules/module-access-seclabel.c
-new file mode 100644
-index 00000000..3739f2e4
---- /dev/null
-+++ b/src/modules/module-access-seclabel.c
-@@ -0,0 +1,220 @@
-+/* PipeWire
-+ *
-+ * Copyright © 2018 Wim Taymans
-+ * Copyright © 2021 Collabora Ltd.
-+ *   @author George Kiagiadakis <george.kiagiadakis@collabora.com>
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a
-+ * copy of this software and associated documentation files (the "Software"),
-+ * to deal in the Software without restriction, including without limitation
-+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
-+ * and/or sell copies of the Software, and to permit persons to whom the
-+ * Software is furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice (including the next
-+ * paragraph) shall be included in all copies or substantial portions of the
-+ * Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
-+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-+ * DEALINGS IN THE SOFTWARE.
-+ */
-+
-+#include <string.h>
-+#include <stdio.h>
-+#include <errno.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <sys/vfs.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+
-+#include "config.h"
-+
-+#include <spa/utils/result.h>
-+#include <spa/utils/json.h>
-+
-+#include <pipewire/impl.h>
-+#include <pipewire/private.h>
-+
-+#define NAME "access-seclabel"
-+
-+#define MODULE_USAGE  "[ seclabel.allowed=<cmd-line> ] "      \
-+                      "[ seclabel.rejected=<cmd-line> ] "     \
-+                      "[ seclabel.restricted=<cmd-line> ] "   \
-+
-+static const struct spa_dict_item module_props[] = {
-+      { PW_KEY_MODULE_AUTHOR, "George Kiagiadakis <george.kiagiadakis@collabora.com>" },
-+      { PW_KEY_MODULE_DESCRIPTION, "Perform access check based on the security label" },
-+      { PW_KEY_MODULE_USAGE, MODULE_USAGE },
-+      { PW_KEY_MODULE_VERSION, PACKAGE_VERSION },
-+};
-+
-+struct impl {
-+      struct pw_context *context;
-+      struct pw_properties *properties;
-+
-+      struct spa_hook context_listener;
-+      struct spa_hook module_listener;
-+};
-+
-+static int check_label(const char *label, const char *str)
-+{
-+      char key[1024];
-+      int res = 0;
-+      struct spa_json it[2];
-+
-+      spa_json_init(&it[0], str, strlen(str));
-+      if ((res = spa_json_enter_array(&it[0], &it[1])) <= 0)
-+              goto exit;
-+
-+      res = 0;
-+      while (spa_json_get_string(&it[1], key, sizeof(key)) > 0) {
-+              if (strcmp(label, key) == 0) {
-+                      res = 1;
-+                      break;
-+              }
-+      }
-+exit:
-+      return res;
-+}
-+
-+static void
-+context_check_access(void *data, struct pw_impl_client *client)
-+{
-+      struct impl *impl = data;
-+      struct pw_permission permissions[1];
-+      struct spa_dict_item items[2];
-+      const struct pw_properties *props;
-+      const char *str, *access, *label = NULL;
-+      int res;
-+
-+      if ((props = pw_impl_client_get_properties(client)) != NULL) {
-+              if ((str = pw_properties_get(props, PW_KEY_ACCESS)) != NULL) {
-+                      pw_log_info(NAME " client %p: has already access: '%s'", client, str);
-+                      return;
-+              }
-+              label = pw_properties_get(props, PW_KEY_SEC_LABEL);
-+      }
-+
-+      if (!label) {
-+              pw_log_info(NAME " client %p: has no security label", client);
-+              return;
-+      }
-+
-+      if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.allowed")) != NULL) {
-+              res = check_label(label, str);
-+              if (res < 0) {
-+                      pw_log_warn(NAME" %p: client %p allowed check failed: %s",
-+                              impl, client, spa_strerror(res));
-+              } else if (res > 0) {
-+                      access = "allowed";
-+                      goto granted;
-+              }
-+      }
-+
-+      if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.rejected")) != NULL) {
-+              res = check_label(label, str);
-+              if (res < 0) {
-+                      pw_log_warn(NAME" %p: client %p rejected check failed: %s",
-+                              impl, client, spa_strerror(res));
-+              } else if (res > 0) {
-+                      res = -EACCES;
-+                      access = "rejected";
-+                      goto rejected;
-+              }
-+      }
-+
-+      if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.restricted")) != NULL) {
-+              res = check_label(label, str);
-+              if (res < 0) {
-+                      pw_log_warn(NAME" %p: client %p restricted check failed: %s",
-+                              impl, client, spa_strerror(res));
-+              }
-+              else if (res > 0) {
-+                      pw_log_debug(NAME" %p: restricted client %p added", impl, client);
-+                      access = "restricted";
-+                      goto wait_permissions;
-+              }
-+      }
-+
-+      return;
-+
-+granted:
-+      pw_log_info(NAME" %p: client %p '%s' access granted", impl, client, access);
-+      items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
-+      pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
-+
-+      permissions[0] = PW_PERMISSION_INIT(PW_ID_ANY, PW_PERM_ALL);
-+      pw_impl_client_update_permissions(client, 1, permissions);
-+      return;
-+
-+wait_permissions:
-+      pw_log_info(NAME " %p: client %p wait for '%s' permissions",
-+                      impl, client, access);
-+      items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
-+      pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
-+      return;
-+
-+rejected:
-+      pw_resource_error(pw_impl_client_get_core_resource(client), res, access);
-+      items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
-+      pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
-+      return;
-+}
-+
-+static const struct pw_context_events context_events = {
-+      PW_VERSION_CONTEXT_EVENTS,
-+      .check_access = context_check_access,
-+};
-+
-+static void module_destroy(void *data)
-+{
-+      struct impl *impl = data;
-+
-+      spa_hook_remove(&impl->context_listener);
-+      spa_hook_remove(&impl->module_listener);
-+
-+      if (impl->properties)
-+              pw_properties_free(impl->properties);
-+
-+      free(impl);
-+}
-+
-+static const struct pw_impl_module_events module_events = {
-+      PW_VERSION_IMPL_MODULE_EVENTS,
-+      .destroy = module_destroy,
-+};
-+
-+SPA_EXPORT
-+int pipewire__module_init(struct pw_impl_module *module, const char *args)
-+{
-+      struct pw_context *context = pw_impl_module_get_context(module);
-+      struct pw_properties *props;
-+      struct impl *impl;
-+
-+      impl = calloc(1, sizeof(struct impl));
-+      if (impl == NULL)
-+              return -errno;
-+
-+      pw_log_debug(NAME" module %p: new %s", impl, args);
-+
-+      if (args)
-+              props = pw_properties_new_string(args);
-+      else
-+              props = NULL;
-+
-+      impl->context = context;
-+      impl->properties = props;
-+
-+      pw_context_add_listener(context, &impl->context_listener, &context_events, impl);
-+      pw_impl_module_add_listener(module, &impl->module_listener, &module_events, impl);
-+
-+      pw_impl_module_update_properties(module, &SPA_DICT_INIT_ARRAY(module_props));
-+
-+      return 0;
-+}
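Review bot: the removed patch is tagged `Upstream-Status: Inappropriate [smack specific]`, but `check_label()` only string-compares the generic `PW_KEY_SEC_LABEL` property against a configured list, so the module is not tied to Smack in code. Please confirm that the new framework has no need for label-based client access in PipeWire before dropping it. The commit message should also state what decides client access once this module is gone, since it names only the removed directories.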
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf
deleted file mode 100644 (file)
index 5857c48..0000000
+++ /dev/null
@@ -1,56 +0,0 @@
-context.properties = {
-    core.daemon                = true
-    core.name                  = pipewire-0
-    support.dbus               = false
-    link.max-buffers           = 16
-
-    # 1=error, 2=warning, 3=info, 4=debug, 5=trace
-    log.level                  = 2
-
-    ## Properties for the DSP configuration.
-    default.clock.rate        = 48000
-    default.clock.quantum     = 1024
-    default.clock.min-quantum = 512
-    default.clock.max-quantum = 8192
-}
-
-context.spa-libs = {
-    audio.convert.* = audioconvert/libspa-audioconvert
-    api.alsa.*      = alsa/libspa-alsa
-    api.v4l2.*      = v4l2/libspa-v4l2
-    support.*       = support/libspa-support
-}
-
-context.modules = [
-    { name = libpipewire-module-protocol-native }
-    { name = libpipewire-module-metadata }
-    { name = libpipewire-module-spa-device-factory }
-    { name = libpipewire-module-spa-node-factory }
-    { name = libpipewire-module-client-node }
-    { name = libpipewire-module-client-device }
-    { name = libpipewire-module-adapter }
-    { name = libpipewire-module-link-factory }
-    { name = libpipewire-module-session-manager }
-
-    # allow clients with the "System" SMACK label
-    # such a client is also the session manager (wireplumber)
-    {
-      name = libpipewire-module-access-seclabel
-      args= {
-        seclabel.allowed = [ System ]
-      }
-    }
-
-    # and restrict all other clients
-    {
-      name = libpipewire-module-access
-      args= {
-        access.force = restricted
-      }
-    }
-
-    # The profile module. Allows application to access profiler
-    # and performance data. It provides an interface that is used
-    # by pw-top and pw-profiler.
-    #{ name = libpipewire-module-profiler }
-]
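Review bot: deleting this override removes both access entries in `context.modules`, `seclabel.allowed = [ System ]` and `access.force = restricted`, so clients other than the session manager are no longer forced into the restricted state by this layer. Please document which pipewire.conf the image ships after this change and what access policy it applies. Note that the `context.properties` block (`support.dbus = false`, the `default.clock.*` values) is not Smack-related and is lost with the file as well. If those values were tuned for AGL, they should move to the config that remains.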
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service
deleted file mode 100644 (file)
index b37fe25..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Multimedia Service
-Requires=pipewire.socket
-
-[Service]
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-RestrictNamespaces=yes
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-Type=simple
-ExecStart=/usr/bin/pipewire
-Restart=on-failure
-RuntimeDirectory=pipewire
-RuntimeDirectoryPreserve=yes
-User=pipewire
-Environment=PIPEWIRE_RUNTIME_DIR=%t/pipewire
-SmackProcessLabel=System::Pipewire
-UMask=0077
-
-[Install]
-Also=pipewire.socket
-WantedBy=default.target
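Review bot: only `SmackProcessLabel=System::Pipewire` in this unit is Smack-specific. The sandboxing directives (`LockPersonality`, `MemoryDenyWriteExecute`, `NoNewPrivileges`, `RestrictNamespaces`, `SystemCallArchitectures`, `SystemCallFilter=@system-service`), the dedicated `User=pipewire` and `UMask=0077` are independent of the LSM and disappear with the file. Please check that the unit which takes over carries equivalent hardening, or keep this unit with just the Smack line dropped.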
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket
deleted file mode 100644 (file)
index a83435b..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Multimedia System
-
-[Socket]
-Priority=6
-Backlog=5
-ListenStream=%t/pipewire/pipewire-0
-SocketUser=pipewire
-SocketGroup=pipewire
-SocketMode=0666
-SmackLabel=*
-SmackLabelIPIn=System
-SmackLabelIPOut=System
-
-[Install]
-WantedBy=sockets.target
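Review bot: `SocketMode=0666` here left the socket reachable by every local user and depended on the access modules in pipewire.conf to restrict what connected clients could do, and those modules are removed in the same change. Worth verifying the mode and ownership of the socket unit that replaces this one, so the replacement does not keep the open mode without a matching access check.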
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/smack-pipewire b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/smack-pipewire
deleted file mode 100644 (file)
index 8d5b541..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-System System::Pipewire rwxa--
-System::Pipewire System -wx---
-System::Pipewire System::Shared r-x---
-System::Pipewire System::Run rwxat-
-System::Pipewire System::Log rwxa--
-System::Pipewire _ r-x--l
-System::Pipewire User::Home r-x--l
-System::Pipewire User::App-Shared rwxat-
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.30.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.30.bbappend
deleted file mode 100644 (file)
index d0d7e9d..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/pipewire:"
-
-SRC_URI:append= "\
-    file://0001-modules-add-new-access-seclabel-module.patch \
-    file://pipewire.conf \
-    file://pipewire.service \
-    file://pipewire.socket \
-    file://smack-pipewire \
-"
-
-do_install:append() {
-     # replace the original config with our smack-aware config
-    mkdir -p ${D}${sysconfdir}/pipewire/
-    install -m 0644 ${WORKDIR}/pipewire.conf ${D}${sysconfdir}/pipewire/pipewire.conf
-
-    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        # remove the original unit files shipped by pipewire
-        rm -rf ${D}${systemd_system_unitdir}/pipewire.*
-
-        # install our own system-level templates
-        mkdir -p ${D}${systemd_system_unitdir}/
-        install -m 0644 ${WORKDIR}/pipewire.service ${D}${systemd_system_unitdir}/pipewire.service
-        install -m 0644 ${WORKDIR}/pipewire.socket ${D}${systemd_system_unitdir}/pipewire.socket
-
-        # install smack rules
-        mkdir -p ${D}${sysconfdir}/smack/accesses.d
-        install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire
-    fi
-}
-
-FILES:${PN}:append = "\
-    ${sysconfdir}/smack/accesses.d/* \
-    ${sysconfdir}/pipewire/pipewire.conf \
-"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua
deleted file mode 100644 (file)
index 10b3d7a..0000000
+++ /dev/null
@@ -1 +0,0 @@
-load_access("smack")
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua
deleted file mode 100644 (file)
index a662a0f..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-clients_om = ObjectManager {
-  Interest {
-    type = "client",
-    Constraint { "pipewire.access", "=", "restricted" },
-  }
-}
-
-clients_om:connect("object-added", function (om, client)
-  local smack_label = client["global-properties"]["pipewire.sec.label"]
-
-  if smack_label:match("^User::App::.+") then
-    -- FIXME: apps can work with less permissions
-    client:update_permissions { ["any"] = "all" }
-  end
-end)
-
-clients_om:activate()
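Review bot: the `-- FIXME: apps can work with less permissions` comment is dropped together with the script, while the rule it annotates granted `["any"] = "all"` to every `User::App::` client. Please carry that open item into the tracking for the new framework (SPEC-4121 or a follow-up), so the per-application permission set gets defined there rather than forgotten.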
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend
deleted file mode 100644 (file)
index 6a40b5f..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/wireplumber-config-agl:"
-
-SRC_URI += "\
-    file://50-access-agl.lua \
-    file://access-smack.lua \
-"
-
-do_install:append() {
-    # install smack-specific config
-    config_dir="${D}${sysconfdir}/wireplumber/host.lua.d/"
-    access_dir="${D}${datadir}/wireplumber/scripts/access/"
-    install -d ${access_dir}
-    install -m 0644 ${WORKDIR}/50-access-agl.lua ${config_dir}
-    install -m 0644 ${WORKDIR}/access-smack.lua ${access_dir}
-}
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-security/cynagora/cynagora_%.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-security/cynagora/cynagora_%.bbappend
deleted file mode 100644 (file)
index 9dbf47a..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-do_install:append() {
-   echo "System::Pipewire * * http://tizen.org/privilege/internal/dbus yes forever" >> ${D}${sysconfdir}/security/cynagora.initial
-}
-
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-security/security-manager/security-manager_%.bbappend
deleted file mode 100644 (file)
index 6ab9d07..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-do_install:append() {
-   echo "~APP~ System::Pipewire rw" >> ${D}${datadir}/security-manager/policy/app-rules-template.smack
-}
index 8941539..508d8f7 100755 (executable)
@@ -20,7 +20,7 @@ AGL_EXTRA_IMAGE_FSTYPES ?= ""
 
 # important settings imported from poky-agl.conf
 # we do not import 
-DISTRO_FEATURES:append = " systemd smack"
+DISTRO_FEATURES:append = " systemd"
 DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " sysvinit"
 VIRTUAL-RUNTIME_init_manager = "systemd"
 
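Review bot: the context comment directly above the changed line, `# we do not import`, is an unfinished sentence. Since this block is being edited, either complete it or drop it. With `smack` removed from `DISTRO_FEATURES:append`, it is also worth grepping the remaining layers for recipes that still test for that feature, so no leftover conditional silently changes behaviour.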
index 27b1de1..f13256a 100644 (file)
@@ -75,7 +75,7 @@ else
 | To support the newest/upcoming features, please use the script aglsetup.sh.  |
  ------------------------------------------------------------------------------
 EOF
-       . $SOURCEDIR/aglsetup.sh -m $1 -b $BUILD_DIR agl-devel agl-netboot agl-appfw-smack agl-demo
+       . $SOURCEDIR/aglsetup.sh -m $1 -b $BUILD_DIR agl-devel agl-netboot agl-demo
        rc=$?
        unset SOURCEDIR
        unset BUILD_DIR
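Review bot: while this line is being touched, the expansions in `. $SOURCEDIR/aglsetup.sh -m $1 -b $BUILD_DIR` are unquoted, so a source or build directory containing spaces is split into several arguments. Quoting `"$SOURCEDIR"`, `"$1"` and `"$BUILD_DIR"` in the same edit would fix that at no cost.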
diff --git a/templates/feature/agl-appfw-smack/50_bblayers.conf.inc b/templates/feature/agl-appfw-smack/50_bblayers.conf.inc
deleted file mode 100644 (file)
index 2e79797..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-AGL_APPFW_LAYERS = " \
-  ${METADIR}/external/meta-security \
-  ${METADIR}/external/meta-openembedded/meta-perl \
-  ${METADIR}/meta-agl/meta-app-framework \
-    "
-
-BBLAYERS =+ "${AGL_APPFW_LAYERS}"
-
-# Indirection to avoid duplicate inclusions of the same folder into BBLAYERS
-# the evaluation is in the bblayers.conf.sample in meta-agl/templates/base
-AGL_META_PYTHON = "${METADIR}/external/meta-openembedded/meta-python"
-AGL_META_NETWORKING = "${METADIR}/external/meta-openembedded/meta-networking"
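Review bot: besides `AGL_APPFW_LAYERS`, this file also defined `AGL_META_PYTHON` and `AGL_META_NETWORKING`, and its own comment says they are evaluated in bblayers.conf.sample under meta-agl/templates/base. After the deletion those variables are unset unless another feature defines them, so please check that the sample still resolves meta-python and meta-networking for builds that need them. The same applies to meta-security and meta-perl, which were added to BBLAYERS only here.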
diff --git a/templates/feature/agl-appfw-smack/50_local.conf.inc b/templates/feature/agl-appfw-smack/50_local.conf.inc
deleted file mode 100644 (file)
index 8282a1c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-require conf/include/agl-appfw-smack.inc
diff --git a/templates/feature/agl-appfw-smack/README_feature_agl-appfw-smack.md b/templates/feature/agl-appfw-smack/README_feature_agl-appfw-smack.md
deleted file mode 100644 (file)
index c96edac..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
----
-description: Feature agl-appfw-smack
-authors: Jan-Simon Möller <jsmoeller@linuxfoundation.org>, José Bollo <jose.bollo@iot.bzh>, Ronan Le Martret <ronan.lemartret@iot.bzh>, Stephane Desneux <stephane.desneux@iot.bzh>
----
-       
-### Feature agl-appfw-smack
-        
-*Description is missing - please complete file meta-agl/templates/feature/agl-appfw-smack/README_feature_agl-appfw-smack.md*
-
diff --git a/templates/feature/agl-hmi-framework/50_local.conf.inc b/templates/feature/agl-hmi-framework/50_local.conf.inc
deleted file mode 100644 (file)
index fdff3db..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-# In order to enable the hmi-framework features ,
-# enables the following line:
-#
-AGL_FEATURES:append = " agl-hmi-framework"
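Review bot: the commit message lists three removed components (the Smack kernel patches, meta-app-framework and the meta-pipewire dynamic layer), but templates/feature/agl-hmi-framework is not among them and is not Smack-related by name. Please either add it to the list with a short reason, or move its removal to a separate change so users who still pass `agl-hmi-framework` to aglsetup.sh can find why it stopped working.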
diff --git a/templates/feature/agl-hmi-framework/README_feature_agl-hmi-framework.md b/templates/feature/agl-hmi-framework/README_feature_agl-hmi-framework.md
deleted file mode 100644 (file)
index e298023..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
----
-description: Feature agl-hmi-framework
-authors: Jan-Simon Möller <jsmoeller@linuxfoundation.org>, Scott Murray <scott.murray@konsulko.com>
----
-       
-### Feature agl-hmi-framework
-        
-*Description is missing - please complete file meta-agl/templates/feature/agl-hmi-framework/README_feature_agl-hmi-framework.md*
-