reorg: move mac recipes to recipes-mac

Signed-off-by: Armin Kuster <akuster808@gmail.com>

recipes-mac/AppArmor/apparmor_2.12.bb

@@ -0,0 +1,154 @@
+SUMMARY = "AppArmor another MAC control system"
+DESCRIPTION = "user-space parser utility for AppArmor \
+ This provides the system initialization scripts needed to use the \
+ AppArmor Mandatory Access Control system, including the AppArmor Parser \
+ which is required to convert AppArmor text profiles into machine-readable \
+ policies that are loaded into the kernel for use with the AppArmor Linux \
+ Security Module."
+HOMEAPAGE = "http://apparmor.net/"
+SECTION = "admin"
+
+LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
+
+DEPENDS = "bison-native apr gettext-native coreutils-native"
+
+SRC_URI = " \
+	http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
+	file://disable_perl_h_check.patch \
+	file://crosscompile_perl_bindings.patch \
+	file://tool-paths.patch \
+	file://apparmor.rc \
+	file://functions \
+	file://apparmor \
+	file://apparmor.service \
+	file://run-ptest \
+	"
+
+SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
+SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
+
+PARALLEL_MAKE = ""
+
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd
+
+PACKAGECONFIG ??= "python perl"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
+PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
+PACKAGECONFIG[apache2] = ",,apache2,"
+
+PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
+HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
+
+
+python() {
+    if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
+            'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+        raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
+}
+
+DISABLE_STATIC = ""
+
+do_configure() {
+	cd ${S}/libraries/libapparmor
+	aclocal
+	autoconf --force
+	libtoolize --automake -c --force
+	automake -ac
+	./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_compile () {
+	oe_runmake -C ${B}/libraries/libapparmor
+        oe_runmake -C ${B}/binutils
+        oe_runmake -C ${B}/utils
+        oe_runmake -C ${B}/parser
+        oe_runmake -C ${B}/profiles
+
+	if test -z "${HTTPD}" ; then
+        	oe_runmake -C ${B}/changehat/mod_apparmor
+	fi	
+
+	if test -z "${PAMLIB}" ; then
+        	oe_runmake -C ${B}/changehat/pam_apparmor
+	fi
+}
+
+do_install () {
+	install -d ${D}/${INIT_D_DIR}
+	install -d ${D}/lib/apparmor
+		
+	oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+	oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+	oe_runmake -C ${B}/utils DESTDIR="${D}" install
+	oe_runmake -C ${B}/parser DESTDIR="${D}" install
+	oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+	# If perl is disabled this script won't be any good
+	if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
+		rm -f ${D}${sbindir}/aa-notify
+	fi
+
+	if test -z "${HTTPD}" ; then
+		oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+	fi
+
+	if test -z "${PAMLIB}" ; then
+		oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+	fi
+
+	# aa-easyprof is installed by python-tools-setup.py, fix it up
+	sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+	chmod 0755 ${D}${bindir}/aa-easyprof
+
+	install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+	install ${WORKDIR}/functions ${D}/lib/apparmor
+	install -d ${D}${systemd_system_unitdir}
+	install ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+}
+
+do_compile_ptest () {
+        oe_runmake -C ${B}/tests/regression/apparmor
+        oe_runmake -C ${B}/parser/tst
+        oe_runmake -C ${B}/libraries/libapparmor
+}
+
+do_install_ptest () {
+	t=${D}/${PTEST_PATH}/testsuite
+	install -d ${t}
+	install -d ${t}/tests/regression/apparmor
+	cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+
+	install -d ${t}/parser/tst
+	cp -rf ${B}/parser/tst ${t}/parser
+	cp ${B}/parser/apparmor_parser ${t}/parser
+	cp ${B}/parser/frob_slack_rc ${t}/parser
+
+	install -d ${t}/libraries/libapparmor
+	cp -rf ${B}/libraries/libapparmor ${t}/libraries
+
+	install -d ${t}/common
+	cp -rf ${B}/common ${t}
+
+	install -d ${t}/binutils
+	cp -rf ${B}/binutils ${t}
+}
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "apparmor"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+PACKAGES += "mod-${PN}"
+
+FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+
+RDEPENDS_${PN} += "bash lsb"
+RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"

recipes-mac/AppArmor/files/apparmor

@@ -0,0 +1,227 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+#     NOVELL (All rights reserved)
+#    Copyright (c) 2008, 2009 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+#  Steve Beattie <steve.beattie@canonical.com>
+#  Kees Cook <kees@ubuntu.com>
+#
+# /etc/init.d/apparmor
+#
+### BEGIN INIT INFO
+# Provides: apparmor
+# Required-Start: $local_fs
+# Required-Stop: umountfs
+# Default-Start: S
+# Default-Stop:
+# Short-Description: AppArmor initialization
+# Description: AppArmor init script. This script loads all AppArmor profiles.
+### END INIT INFO
+
+log_daemon_msg() {
+    echo $*
+}
+
+log_end_msg () {
+    retval=$1
+    if [ $retval -eq 0 ]; then
+        echo "."
+    else
+        echo " failed!"
+    fi
+    return $retval
+}
+
+. /lib/apparmor/functions
+. /lib/lsb/init-functions
+
+usage() {
+    echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
+}
+
+test -x ${PARSER} || exit 0 # by debian policy
+# LSM is built-in, so it is either there or not enabled for this boot
+test -d /sys/module/apparmor || exit 0
+
+securityfs() {
+	# Need securityfs for any mode
+	if [ ! -d "${AA_SFS}" ]; then
+		if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
+			log_daemon_msg "AppArmor not available as kernel LSM."
+			log_end_msg 1
+			exit 1
+		else
+			log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
+			if ! mount -t securityfs none "${SECURITYFS}"; then
+				log_end_msg 1
+				exit 1
+			fi
+		fi
+	fi
+	if [ ! -w "$AA_SFS"/.load ]; then
+		log_daemon_msg "Insufficient privileges to change profiles."
+		log_end_msg 1
+		exit 1
+	fi
+}
+
+handle_system_policy_package_updates() {
+	apparmor_was_updated=0
+
+	if ! compare_previous_version ; then
+		# On snappy flavors, if the current and previous versions are
+		# different then clear the system cache. snappy will handle
+		# "$PROFILES_CACHE_VAR" itself (on Touch flavors
+		# compare_previous_version always returns '0' since snappy
+		# isn't available).
+		clear_cache_system
+		apparmor_was_updated=1
+	elif ! compare_and_save_debsums apparmor ; then
+		# If the system policy has been updated since the last time we
+		# ran, clear the cache to prevent potentially stale binary
+		# cache files after an Ubuntu image based upgrade (LP:
+		# #1350673). This can be removed once all system image flavors
+		# move to snappy (on snappy systems compare_and_save_debsums
+		# always returns '0' since /var/lib/dpkg doesn't exist).
+		clear_cache
+		apparmor_was_updated=1
+	fi
+
+	if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+		# If packages for system policy that affect click packages have
+		# been updated since the last time we ran, run aa-clickhook -f
+                force_clickhook=0
+                force_profile_hook=0
+                if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+                        force_clickhook=1
+                fi
+                if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+                        force_clickhook=1
+                fi
+                if ! compare_and_save_debsums click-apparmor ; then
+                        force_clickhook=1
+                        force_profile_hook=1
+                fi
+                if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+                        aa-clickhook -f
+                fi
+                if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+                        aa-profile-hook -f
+                fi
+	fi
+}
+
+# Allow "recache" even when running on the liveCD
+if [ "$1" = "recache" ]; then
+	log_daemon_msg "Recaching AppArmor profiles"
+	recache_profiles
+	rc=$?
+	log_end_msg "$rc"
+	exit $rc
+fi
+
+# do not perform start/stop/reload actions when running from liveCD
+test -d /rofs/etc/apparmor.d && exit 0
+
+rc=255
+case "$1" in
+	start)
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			log_daemon_msg "Not starting AppArmor in container"
+			log_end_msg 0
+			exit 0
+		fi
+		log_daemon_msg "Starting AppArmor profiles"
+		securityfs
+		# That is only useful for click, snappy and system images,
+		# i.e. not in Debian. And it reads and writes to /var, that
+		# can be remote-mounted, so it would prevent us from using
+		# Before=sysinit.target without possibly introducing dependency
+		# loops.
+		handle_system_policy_package_updates
+		load_configured_profiles
+		rc=$?
+		log_end_msg "$rc"
+		;;
+	stop)
+		log_daemon_msg "Clearing AppArmor profiles cache"
+		clear_cache
+		rc=$?
+		log_end_msg "$rc"
+		cat >&2 <<EOM
+All profile caches have been cleared, but no profiles have been unloaded.
+Unloading profiles will leave already running processes permanently
+unconfined, which can lead to unexpected situations.
+
+To set a process to complain mode, use the command line tool
+'aa-complain'. To really tear down all profiles, run the init script
+with the 'teardown' option."
+EOM
+		;;
+	teardown)
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			log_daemon_msg "Not tearing down AppArmor in container"
+			log_end_msg 0
+			exit 0
+		fi
+		log_daemon_msg "Unloading AppArmor profiles"
+		securityfs
+		running_profile_names | while read profile; do
+			if ! unload_profile "$profile" ; then
+				log_end_msg 1
+				exit 1
+			fi
+		done
+		rc=0
+		log_end_msg $rc
+		;;
+	restart|reload|force-reload)
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			log_daemon_msg "Not reloading AppArmor in container"
+			log_end_msg 0
+			exit 0
+		fi
+		log_daemon_msg "Reloading AppArmor profiles"
+		securityfs
+		clear_cache
+		load_configured_profiles
+		rc=$?
+		unload_obsolete_profiles
+
+		log_end_msg "$rc"
+		;;
+	status)
+		securityfs
+		if [ -x /usr/sbin/aa-status ]; then
+			aa-status --verbose
+		else
+			cat "$AA_SFS"/profiles
+		fi
+		rc=$?
+		;;
+	*)
+		usage
+		rc=1
+		;;
+	esac
+exit $rc

recipes-mac/AppArmor/files/apparmor.rc

@@ -0,0 +1,98 @@
+description "Pre-cache and pre-load apparmor profiles"
+author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
+
+task
+
+start on starting rc-sysinit
+
+script
+    [ -d /rofs/etc/apparmor.d ]  && exit 0 # do not load on liveCD
+    [ -d /sys/module/apparmor ]  || exit 0 # do not load without AppArmor
+    [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
+
+    . /lib/apparmor/functions
+
+    systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
+
+    # Need securityfs for any mode
+    if [ ! -d /sys/kernel/security/apparmor ]; then
+        if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
+            exit 0
+        else
+            mount -t securityfs none /sys/kernel/security || exit 0
+        fi
+    fi
+
+    [ -w /sys/kernel/security/apparmor/.load ] || exit 0
+
+    apparmor_was_updated=0
+    if ! compare_previous_version ; then
+        # On snappy flavors, if the current and previous versions are
+        # different then clear the system cache. snappy will handle
+        # "$PROFILES_CACHE_VAR" itself  (on Touch flavors
+        # compare_previous_version  always returns '0' since snappy
+        # isn't available).
+        clear_cache_system
+        apparmor_was_updated=1
+    elif ! compare_and_save_debsums apparmor ; then
+        # If the system policy has been updated since the last time we
+        # ran, clear the cache to prevent potentially stale binary
+        # cache files after an Ubuntu image based upgrade (LP:
+        # #1350673). This can be removed once all system image flavors
+        # move to snappy (on snappy systems compare_and_save_debsums
+        # always returns '0' since /var/lib/dpkg doesn't exist).
+        clear_cache
+        apparmor_was_updated=1
+    fi
+
+    if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+        # If packages for system policy that affect click packages have
+        # been updated since the last time we ran, run aa-clickhook -f
+        force_clickhook=0
+        force_profile_hook=0
+        if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+            force_clickhook=1
+        fi
+        if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+            force_clickhook=1
+        fi
+        if ! compare_and_save_debsums click-apparmor ; then
+            force_clickhook=1
+            force_profile_hook=1
+        fi
+        if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+            aa-clickhook -f
+        fi
+        if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+            aa-profile-hook -f
+        fi
+    fi
+
+    if [ "$ACTION" = "teardown" ]; then
+        running_profile_names | while read profile; do
+            unload_profile "$profile"
+        done
+        exit 0
+    fi
+
+    if [ "$ACTION" = "clear" ]; then
+        clear_cache
+        exit 0
+    fi
+
+    if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
+        clear_cache
+        load_configured_profiles
+	unload_obsolete_profiles
+        exit 0
+    fi
+
+    # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
+    # aa-clickhook will have already compiled the policy, generated the cache
+    # files and loaded them into the kernel by this point, so reloading click
+    # policy from cache, while fairly fast (<2 seconds for 250 profiles on
+    # armhf), is redundant. Fixing this would complicate the logic quite a bit
+    # and it wouldn't improve the (by far) common case (ie, when
+    # 'aa-clickhook -f' is not run).
+    load_configured_profiles
+end script

recipes-mac/AppArmor/files/apparmor.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=AppArmor initialization
+After=local-fs.target
+Before=sysinit.target
+AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
+ConditionSecurity=apparmor
+DefaultDependencies=no
+Documentation=man:apparmor(7)
+Documentation=http://wiki.apparmor.net/
+
+# Don't start this unit on the Ubuntu Live CD
+ConditionPathExists=!/rofs/etc/apparmor.d
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/init.d/apparmor start
+ExecStop=/etc/init.d/apparmor stop
+ExecReload=/etc/init.d/apparmor reload
+
+[Install]
+WantedBy=sysinit.target

recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch

@@ -0,0 +1,25 @@
+Upstream-Status: Inappropriate [configuration]
+
+As we're cross-compiling here we need to override CC/LD that MakeMaker has
+stuck in the generated Makefile with our cross tools.  In this case, linking is
+done via the compiler rather than the linker directly so pass in CC not LD
+here.
+
+Signed-Off-By: Tom Rini <trini@konsulko.com>
+
+--- a/libraries/libapparmor/swig/perl/Makefile.am.orig	2017-06-13 19:04:43.296676212 -0400
++++ b/libraries/libapparmor/swig/perl/Makefile.am	2017-06-13 19:05:03.488676693 -0400
+@@ -16,11 +16,11 @@
+ 
+ LibAppArmor.so: libapparmor_wrap.c Makefile.perl
+ 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
+-	$(MAKE) -fMakefile.perl
++	$(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)'
+ 	if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi
+ 
+ install-exec-local: Makefile.perl
+-	$(MAKE) -fMakefile.perl install_vendor
++	$(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)'
+ 
+ # sadly there is no make uninstall for perl
+ #uninstall-local: Makefile.perl

recipes-mac/AppArmor/files/disable_pdf.patch

@@ -0,0 +1,33 @@
+Index: apparmor-2.10.95/parser/Makefile
+===================================================================
+--- apparmor-2.10.95.orig/parser/Makefile
++++ apparmor-2.10.95/parser/Makefile
+@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
+ po/${NAME}.pot: ${SRCS} ${HDRS}
+ 	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+ 
+-techdoc.pdf: techdoc.tex
+-	timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
+-	while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
+-		grep -q "Label(s) may have changed" techdoc.log; \
+-	do :; done
+-
+-techdoc/index.html: techdoc.pdf
+-	latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
+-
+-techdoc.txt: techdoc/index.html
+-	w3m -dump $< > $@
+ 
+ # targets arranged this way so that people who don't want full docs can
+ # pick specific targets they want.
+@@ -159,9 +148,7 @@ manpages:	$(MANPAGES)
+ 
+ htmlmanpages:	$(HTMLMANPAGES)
+ 
+-pdf:	techdoc.pdf
+-
+-docs:	manpages htmlmanpages pdf
++docs:	manpages htmlmanpages 
+ 
+ indep: docs
+ 	$(Q)$(MAKE) -C po all

recipes-mac/AppArmor/files/disable_perl_h_check.patch

@@ -0,0 +1,19 @@
+Upstream-Status: Inappropriate [configuration]
+
+Remove file check for $perl_includedir/perl.h.  AC_CHECK_FILE will fail on
+cross compilation.  Rather than try and get a compile check to work here,
+we know that we have what's required via our metadata so remove only this
+check.
+
+Signed-Off-By: Tom Rini <trini@konsulko.com>
+
+--- a/libraries/libapparmor/configure.ac.orig	2017-06-13 16:41:38.668471495 -0400
++++ b/libraries/libapparmor/configure.ac	2017-06-13 16:41:40.708471543 -0400
+@@ -58,7 +58,6 @@
+    AC_PATH_PROG(PERL, perl)
+    test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
+    perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
+-   AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
+ fi
+ 
+ 

recipes-mac/AppArmor/files/functions

@@ -0,0 +1,271 @@
+# /lib/apparmor/functions for Debian -*- shell-script -*-
+# ----------------------------------------------------------------------
+#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+#     NOVELL (All rights reserved)
+#    Copyright (c) 2008-2010 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+#  Kees Cook <kees@ubuntu.com>
+
+PROFILES="/etc/apparmor.d"
+PROFILES_CACHE="$PROFILES/cache"
+PROFILES_VAR="/var/lib/apparmor/profiles"
+PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
+PROFILES_CACHE_VAR="/var/cache/apparmor"
+PARSER="/sbin/apparmor_parser"
+SECURITYFS="/sys/kernel/security"
+export AA_SFS="$SECURITYFS/apparmor"
+
+# Suppress warnings when booting in quiet mode
+quiet_arg=""
+[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
+[ "${quiet:-n}" = y ] && quiet_arg="-q"
+
+foreach_configured_profile() {
+	rc_all="0"
+	for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
+		if [ ! -d "$pdir" ]; then
+			continue
+		fi
+		num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
+		if [ "$num" = "0" ]; then
+			continue
+		fi
+
+		cache_dir="$PROFILES_CACHE"
+		if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+			cache_dir="$PROFILES_CACHE_VAR"
+		fi
+		cache_args="--cache-loc=$cache_dir"
+		if [ ! -d "$cache_dir" ]; then
+			cache_args=
+		fi
+
+		# LP: #1383858 - expr tree simplification is too slow for
+		# Touch policy on ARM, so disable it for now
+		cache_extra_args=
+		if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+			cache_extra_args="-O no-expr-simplify"
+		fi
+
+		# If need to compile everything, then use -n1 with xargs to
+		# take advantage of -P. When cache files are in use, omit -n1
+		# since it is considerably faster on moderately sized profile
+		# sets to give the parser all the profiles to load at once
+		n1_args=
+		num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
+		if [ "$num" = "0" ]; then
+			n1_args="-n1"
+		fi
+
+		(ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+		while read profile; do
+			if [ -f "$pdir"/"$profile" ]; then
+				echo "$pdir"/"$profile"
+			fi
+		done) | \
+		xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+			rc_all="$?"
+			# FIXME: when the parser properly handles broken
+			# profiles (LP: #1377338), remove this if statement.
+			# For now, if the xargs returns with error, just run
+			# through everything with -n1. (This could be broken
+			# out and refactored, but this is temporary so make it
+			# easy to understand and revert)
+			if [ "$rc_all" != "0" ]; then
+				(ls -1 "$pdir" | \
+				egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+				while read profile; do
+					if [ -f "$pdir"/"$profile" ]; then
+						echo "$pdir"/"$profile"
+					fi
+				done) | \
+				xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+					rc_all="$?"
+				}
+			fi
+		}
+	done
+	return $rc_all
+}
+
+load_configured_profiles() {
+	clear_cache_if_outdated
+	foreach_configured_profile $quiet_arg --write-cache --replace
+}
+
+load_configured_profiles_without_caching() {
+	foreach_configured_profile $quiet_arg --replace
+}
+
+recache_profiles() {
+	clear_cache
+	foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
+}
+
+configured_profile_names() {
+	foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
+}
+
+running_profile_names() {
+	# Output a sorted list of loaded profiles, skipping libvirt's
+	# dynamically generated files
+	cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
+}
+
+unload_profile() {
+	echo -n "$1" > "$AA_SFS"/.remove
+}
+
+clear_cache() {
+	clear_cache_system
+	clear_cache_var
+}
+
+clear_cache_system() {
+	find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+
+clear_cache_var() {
+	find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+
+read_features_dir()
+{
+	for f in `ls -AU "$1"` ; do
+		if [ -f "$1/$f" ] ; then
+			read -r KF < "$1/$f" || true
+			echo -n "$f {$KF } "
+		elif [ -d "$1/$f" ] ; then
+			echo -n "$f {"
+			KF=`read_features_dir "$1/$f"` || true
+			echo -n "$KF} "
+		fi
+	done
+}
+
+clear_cache_if_outdated() {
+	if [ -r "$PROFILES_CACHE"/.features ]; then
+		if [ -d "$AA_SFS"/features ]; then
+			KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
+		else
+			read -r KERN_FEATURES < "$AA_SFS"/features
+		fi
+		CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
+		if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
+			clear_cache
+		fi
+	fi
+}
+
+unload_obsolete_profiles() {
+	# Currently we must re-parse all the profiles to get policy names.  :(
+	aa_configured=$(mktemp -t aa-XXXXXX)
+	configured_profile_names > "$aa_configured" || true
+	aa_loaded=$(mktemp -t aa-XXXXXX)
+	running_profile_names > "$aa_loaded" || true
+	LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
+		unload_profile "$profile"
+        done
+	rm -f "$aa_configured" "$aa_loaded"
+}
+
+# If the system debsum differs from the saved debsum, the new system debsum is
+# saved and non-zero is returned. Returns 0 if the two debsums matched or if
+# the system debsum file does not exist. This can be removed when system image
+# flavors all move to snappy.
+compare_and_save_debsums() {
+	pkg="$1"
+
+	if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
+		sums="/var/lib/dpkg/info/${pkg}.md5sums"
+		# store saved md5sums in /var/lib/apparmor/profiles since
+		# /var/cache/apparmor might be cleared by apparmor
+		saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
+
+		if [ -f "$sums" ] && \
+		   ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
+			cp -f "$sums" "$saved_sums"
+			return 1
+		fi
+	fi
+
+	return 0
+}
+
+compare_previous_version() {
+	installed="/usr/share/snappy/security-policy-version"
+	previous="/var/lib/snappy/security-policy-version"
+
+	# When just $previous doesn't exist, assume this is a new system with
+	# no cache and don't do anything special.
+	if [ -f "$installed" ] && [ -f "$previous" ]; then
+		pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
+		iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
+		if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
+			# snappy updates $previous elsewhere, so just return
+			return 1
+		fi
+	fi
+
+	return 0
+}
+
+# Checks to see if the current container is capable of having internal AppArmor
+# profiles that should be loaded. Callers of this function should have already
+# verified that they're running inside of a container environment with
+# something like `systemd-detect-virt --container`.
+#
+# The only known container environments capable of supporting internal policy
+# are LXD and LXC environment.
+#
+# Returns 0 if the container environment is capable of having its own internal
+# policy and non-zero otherwise.
+#
+# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
+# system container technology being nested inside of a LXD/LXC container that
+# utilized an AppArmor namespace and profile stacking. The reason 0 will be
+# returned is because .ns_stacked will be "yes" and .ns_name will still match
+# "lx[dc]-*" since the nested system container technology will not have set up
+# a new AppArmor profile namespace. This will result in the nested system
+# container's boot process to experience failed policy loads but the boot
+# process should continue without any loss of functionality. This is an
+# unsupported configuration that cannot be properly handled by this function.
+is_container_with_internal_policy() {
+	local ns_stacked_path="${AA_SFS}/.ns_stacked"
+	local ns_name_path="${AA_SFS}/.ns_name"
+	local ns_stacked
+	local ns_name
+
+	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
+		return 1
+	fi
+
+	read -r ns_stacked < "$ns_stacked_path"
+	if [ "$ns_stacked" != "yes" ]; then
+		return 1
+	fi
+
+	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and
+	# "lxc-", respectively. Return non-zero for all other namespace
+	# identifiers.
+	read -r ns_name < "$ns_name_path"
+	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+	   [ "${ns_name#lxc-*}" = "$ns_name" ]; then
+		return 1
+	fi
+
+	return 0
+}

recipes-mac/AppArmor/files/run-ptest

@@ -0,0 +1,4 @@
+#! /bin/sh
+cd testsuite
+
+make -C  tests/regression/apparmor tests

recipes-mac/AppArmor/files/tool-paths.patch

@@ -0,0 +1,37 @@
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From e7edd937adcbf1b3c8d38a31de5bacb2029b1965 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 4 Oct 2018 23:15:28 -0700
+Subject: [PATCH] parser: fix Makefile hardcoded paths to flex and bison
+
+The hardcoded paths for flex and python can break builds on systems
+where those tools are stored in an alternate location. Use which
+to lookup where flex and bison are available.
+
+This fixes issue #4
+
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+---
+ parser/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/parser/Makefile b/parser/Makefile
+index 4d370c36..015c218d 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -27,9 +27,9 @@ INSTALL_CONFDIR=${DESTDIR}${CONFDIR}
+ LOCALEDIR=/usr/share/locale
+ MANPAGES=apparmor.d.5 apparmor.7 apparmor_parser.8 subdomain.conf.5
+ 
+-YACC	:= /usr/bin/bison
++YACC	:= bison
+ YFLAGS	:= -d
+-LEX	:= /usr/bin/flex
++LEX	:= flex
+ LEXFLAGS = -B -v
+ WARNINGS = -Wall
+ EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
+-- 
+2.11.0

recipes-mac/smack/files/run-ptest

@@ -0,0 +1,3 @@
+#!/bin/sh
+./tests/make_policies.bash ./tests/generator
+./tests/make_policies.bash ./tests/generator labels

recipes-mac/smack/files/smack_generator_make_fixup.patch

@@ -0,0 +1,18 @@
+Upstream-Status: Pending
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+
+Index: git/tests/Makefile
+===================================================================
+--- git.orig/tests/Makefile
++++ git/tests/Makefile
+@@ -4,7 +4,7 @@ clean:
+ 	rm -rf ./out ./generator
+ 
+ generator: generator.c
+-	gcc -Wall -O3 generator.c -o ./generator
++	${CC}  ${LDFLAGS} generator.c -o ./generator
+ 
+ policies: ./generator ./make_policies.bash
+ 	./make_policies.bash ./generator

recipes-mac/smack/smack_1.3.1.bb

@@ -0,0 +1,54 @@
+DESCRIPTION = "Selection of tools for developers working with Smack"
+HOMEPAGE = "https://github.com/smack-team/smack"
+SECTION = "Security/Access Control"
+LICENSE = "LGPL-2.1"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+
+SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8"
+SRC_URI = " \
+	git://github.com/smack-team/smack.git \
+	file://smack_generator_make_fixup.patch \
+	file://run-ptest"
+
+PV = "1.3.1"
+
+inherit autotools update-rc.d pkgconfig ptest ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+
+S = "${WORKDIR}/git"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd"
+
+do_compile_append () {
+	oe_runmake -C ${S}/tests generator
+}
+
+do_install_append () {
+	install -d ${D}${sysconfdir}/init.d
+	install -d ${D}${sysconfdir}/smack
+	install -d ${D}${sysconfdir}/smack/accesses.d
+	install -d ${D}${sysconfdir}/smack/cipso.d
+	install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack
+}
+
+do_install_ptest () {
+	install -d ${D}${PTEST_PATH}/tests
+	install ${S}/tests/generator ${D}/${PTEST_PATH}/tests
+	install ${S}/tests/generate-rules.sh ${D}${PTEST_PATH}/tests
+	install ${S}/tests/make_policies.bash ${D}${PTEST_PATH}/tests
+}
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "smack"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+FILES_${PN} += "${sysconfdir}/init.d/smack"
+FILES_${PN}-ptest += "generator"
+
+RDEPENDS_${PN} += "coreutils"
+RDEPENDS_${PN}-ptest += "make bash bc"
+
+BBCLASSEXTEND = "native"