diff --git a/meta-security/files/waf-cross-answers/README b/meta-security/files/waf-cross-answers/README
new file mode 100644
index 0000000..dda45c5
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/README
@@ -0,0 +1,3 @@
+The files in this directory are cross answers files
+used by waf-samba.bbclass, please see waf-samba.bbclass
+for details about how they are used.
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
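Review bot: Nothing in this commit records where these answers came from, yet each line, including `Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"`, is a fixed value that stands in for a configure-time probe of the target. Answers such as `Checking for HAVE_SECURE_MKSTEMP: OK` and `Checking whether POSIX capabilities are available: OK` presumably decide which code paths get compiled in, so a stale or wrong answer would pass the build unnoticed. The README added by this commit is the natural place for a line such as `Answers were captured from <target image / Samba version>; regenerate them when the toolchain or libc changes.` The same applies to the other cross-answers-*.txt files in this commit.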
diff --git a/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-aarch64_be.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-arm.txt b/meta-security/files/waf-cross-answers/cross-answers-arm.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-arm.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-armeb.txt b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-armeb.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i586.txt b/meta-security/files/waf-cross-answers/cross-answers-i586.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-i586.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-i686.txt b/meta-security/files/waf-cross-answers/cross-answers-i686.txt
new file mode 100644
index 0000000..a5cd998
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-i686.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials with 32-bit system calls: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips.txt b/meta-security/files/waf-cross-answers/cross-answers-mips.txt
new file mode 100644
index 0000000..3e239e7
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
new file mode 100644
index 0000000..82e694f
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: OK
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
new file mode 100644
index 0000000..82e694f
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mips64el.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: OK
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
new file mode 100644
index 0000000..3e239e7
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-mipsel.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "128"
+Checking value of _NSIG: "128"
+Checking value of SIGRTMAX: "127"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
new file mode 100644
index 0000000..27b9378
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: NO
+Checking for -D_FILE_OFFSET_BITS=64: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: NO
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
new file mode 100644
index 0000000..7fd3092
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-powerpc64.txt
@@ -0,0 +1,40 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: (255, "")
+Checking if can we convert from IBM850 to UCS-2LE: (255, "")
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
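Review bot: The iconv answers `Checking if can we convert from CP850 to UCS-2LE: (255, "")` and the matching IBM850 line differ from every other architecture file in this commit, which answer `OK` for CP850 and have no IBM850 line. If the tuple is a failure captured on one particular powerpc64 image rather than a property of the architecture, every powerpc64 build will presumably be configured as if CP850 conversion were unavailable. It is worth confirming that this is intended and recording the reason in the README, since the answers file itself has no visible way to carry a comment.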
diff --git a/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-riscv64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
new file mode 100644
index 0000000..1023f6a
--- /dev/null
+++ b/meta-security/files/waf-cross-answers/cross-answers-x86_64.txt
@@ -0,0 +1,39 @@
+Checking uname sysname type: "Linux"
+Checking uname version type: "# Wed May 20 10:34:39 UTC 2015"
+Checking simple C program: "hello world"
+rpath library support: OK
+-Wl,--version-script support: OK
+Checking getconf LFS_CFLAGS: NO
+Checking correct behavior of strtoll: NO
+Checking for working strptime: OK
+Checking for C99 vsnprintf: "1"
+Checking for HAVE_SHARED_MMAP: OK
+Checking for HAVE_MREMAP: OK
+Checking for HAVE_SECURE_MKSTEMP: OK
+Checking for HAVE_IFACE_GETIFADDRS: NO
+Checking for HAVE_IFACE_IFCONF: NO
+Checking for HAVE_IFACE_IFREQ: NO
+Checking for large file support without additional flags: OK
+Checking for HAVE_INCOHERENT_MMAP: NO
+Checking value of NSIG: "65"
+Checking value of _NSIG: "65"
+Checking value of SIGRTMAX: "64"
+Checking value of SIGRTMIN: "34"
+Checking whether the WRFILE -keytab is supported: OK
+Checking for kernel change notify support: OK
+Checking for Linux kernel oplocks: OK
+Checking for kernel share modes: OK
+Checking whether POSIX capabilities are available: OK
+Checking if can we convert from CP850 to UCS-2LE: OK
+Checking if can we convert from UTF-8 to UCS-2LE: OK
+vfs_fileid checking for statfs() and struct statfs.f_fsid: OK
+Checking whether we can use Linux thread-specific credentials: OK
+Checking whether fcntl locking is available: OK
+Checking for the maximum value of the 'time_t' type: OK
+Checking whether the realpath function allows a NULL argument: OK
+Checking for ftruncate extend: OK
+getcwd takes a NULL argument: OK
+Checking for small off_t: NO
+Checking whether blkcnt_t is 32 bit: NO
+Checking whether blkcnt_t is 64 bit: OK
+Checking whether fcntl lock supports open file description locks: OK
diff --git a/meta-security/lib/oeqa/runtime/cases/apparmor.py b/meta-security/lib/oeqa/runtime/cases/apparmor.py
index e2cb316..b6a9537 100644
--- a/meta-security/lib/oeqa/runtime/cases/apparmor.py
+++ b/meta-security/lib/oeqa/runtime/cases/apparmor.py
@@ -25,3 +25,22 @@
             msg = ('aa-status  failed. '
                'Status and output:%s and %s' % (status, output))
             self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status'])
+    def test_apparmor_aa_complain(self):
+        status, output = self.target.run('aa-complain /etc/apparmor.d/*')
+        match = re.search('apparmor module is loaded.', output)
+        if not match:
+            msg = ('aa-complain  failed. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain'])
+    def test_apparmor_aa_enforce(self):
+        status, output = self.target.run('aa-enforce /etc/apparmor.d/*')
+        match = re.search('apparmor module is loaded.', output)
+        if not match:
+            msg = ('aa-enforce  failed. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
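Review bot: The `re.search('apparmor module is loaded.', output)` check in test_apparmor_aa_complain and test_apparmor_aa_enforce looks copied from the aa-status test, and nothing here shows aa-complain or aa-enforce printing that string. As written, the exit status is asserted only when the string is absent, and a match would let the test pass with no assertion at all. Dropping the `match = ...` and `if not match:` lines and keeping `self.assertEqual(status, 0, msg = msg)` at function level states the intent directly. test_apparmor_aa_enforce also leaves every profile under /etc/apparmor.d in enforce mode for any test that runs later on the same target, which deserves a comment such as `# NOTE: leaves all profiles enforced on the target`.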
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
index fc77330..d0bc645 100644
--- a/meta-security/lib/oeqa/runtime/cases/clamav.py
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
 #
 import re
+from tempfile import mkstemp
 
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
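Review bot: `import os` appears to be missing: the import block shown here gains only `from tempfile import mkstemp`, yet the setUpClass and tearDownClass added in the next hunk call `os.fdopen`, `os.linesep` and `os.remove`. Unless `os` is imported on lines 8–9 of the new file, which this diff does not show, setUpClass will raise NameError before any ClamAV test runs. Adding `import os` next to `import re` fixes it.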
@@ -9,6 +10,22 @@
 
 class ClamavTest(OERuntimeTestCase):
 
+    @classmethod
+    def setUpClass(cls):
+        cls.tmp_fd, cls.tmp_path = mkstemp()
+        with os.fdopen(cls.tmp_fd, 'w') as f:
+            # use gooled public dns
+            f.write("nameserver 8.8.8.8")
+            f.write(os.linesep)
+            f.write("nameserver 8.8.4.4")
+            f.write(os.linesep)
+            f.write("nameserver 127.0.0.1")
+            f.write(os.linesep)
+
+    @classmethod
+    def tearDownClass(cls):
+        os.remove(cls.tmp_path)
+
     @OEHasPackage(['clamav'])
     @OETestDepends(['ssh.SSHTest.test_ssh'])
     def test_freshclam_help(self):
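Review bot: The resolver list written in setUpClass is hard-coded (`f.write("nameserver 8.8.8.8")` and the following line), so every run points the target's DNS lookups at a public resolver and cannot pass in a lab that only allows an internal one. Taking the addresses from test data, with these values as the fallback, would avoid that. mkstemp() also creates the file with mode 0600, and if the copy to the target keeps that mode, /etc/resolv.conf becomes unreadable to non-root processes there; an `os.chmod(cls.tmp_path, 0o644)` after the `with` block would rule this out. The comment has a typo and should read `# use Google public DNS`. test_freshclam_help at the end of the hunk continues outside it.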
@@ -18,6 +35,19 @@
         self.assertEqual(status, 0, msg = msg)
 
     @OETestDepends(['clamav.ClamavTest.test_freshclam_help'])
+    @OEHasPackage(['openssh-scp', 'dropbear'])
+    def test_ping_clamav_net(self):
+        dst = '/etc/resolv.conf'
+        self.tc.target.run('rm -f %s' % dst)
+        (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+        msg = 'File could not be copied. Output: %s' % output
+        self.assertEqual(status, 0, msg=msg)
+
+        status, output = self.target.run('ping -c 1 database.clamav.net')
+        msg = ('ping database.clamav.net failed: output is:\n%s' % output)
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
     def test_freshclam_download(self):
         status, output = self.target.run('freshclam --show-progress')
         match = re.search('Database updated', output)
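Review bot: test_ping_clamav_net deletes the target's /etc/resolv.conf with `rm -f %s`, copies the temporary file over it, and never restores the original, so every later test on the same target runs with the rewritten resolver configuration. Replacing the `rm -f` with `self.tc.target.run('mv %s %s.orig' % (dst, dst))` and registering `self.addCleanup(self.tc.target.run, 'mv %s.orig %s' % (dst, dst))` would keep the change local to this test. Making test_freshclam_download depend on `ping -c 1 database.clamav.net` also ties the download test to ICMP egress, which may be blocked in environments where the update itself would succeed. test_freshclam_download continues past the end of the hunk.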
diff --git a/meta-security/lib/oeqa/runtime/cases/samhain.py b/meta-security/lib/oeqa/runtime/cases/samhain.py
index e4bae7b..5043a38 100644
--- a/meta-security/lib/oeqa/runtime/cases/samhain.py
+++ b/meta-security/lib/oeqa/runtime/cases/samhain.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
 #
 import re
+import os
 
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
@@ -11,10 +12,32 @@
 
     @OEHasPackage(['samhain-standalone'])
     @OETestDepends(['ssh.SSHTest.test_ssh'])
-    def test_samhain_standalone_help(self):
-        status, output = self.target.run('samhain --help')
-        match = re.search('Please report bugs to support@la-samhna.de.', output)
-        if not match:
-            msg = ('samhain-standalone command does not work as expected. '
+    def test_samhain_help(self):
+        machine = self.td.get('MACHINE', '')
+        status, output = self.target.run('echo "127.0.0.1 %s.localdomain  %s" >> /etc/hosts' % (machine, machine))
+        msg = ("samhain can't append hosts. "
                'Status and output:%s and %s' % (status, output))
-            self.assertEqual(status, 1, msg = msg)
+        self.assertEqual(status, 0, msg = msg)
+
+        status, output = self.target.run('samhain --help')
+        msg = ('samhain command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['samhain.SamhainTest.test_samhain_help'])
+    def test_samhain_init_db(self):
+        status, output = self.target.run('samhain -t init')
+        match = re.search('FAILED: 0 ', output)
+        if not match:
+            msg = ('samhain database init had an unexpected failure. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['samhain.SamhainTest.test_samhain_init_db'])
+    def test_samhain_db_check(self):
+        status, output = self.target.run('samhain -t check')
+        match = re.search('FAILED: 0 ', output)
+        if not match:
+            msg = ('samhain errors found in db. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
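Review bot: In `test_samhain_init_db` and `test_samhain_db_check` the assertion sits under `if not match:` and then checks only `status`, so a run whose output lacks `FAILED: 0 ` but exits 0 still passes. For a file-integrity checker that is exactly the case the test should catch. Build `msg` first and assert both conditions unconditionally: `self.assertEqual(status, 0, msg=msg)` followed by `self.assertIsNotNone(match, msg=msg)`. In `test_samhain_help`, `MACHINE` is interpolated into a shell command that appends to `/etc/hosts` on every run; a `grep -q` guard before the append would stop duplicate entries accumulating. The class header is outside the hunk.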
diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py
new file mode 100644
index 0000000..35e87ef
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/smack.py
@@ -0,0 +1,529 @@
+import unittest
+import re
+import os
+import string
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+from oeqa.core.decorator.data import skipIfNotFeature
+
+MAX_LABEL_LEN = 255
+LABEL = "a" * MAX_LABEL_LEN
+
+class SmackBasicTest(OERuntimeTestCase):
+    ''' base smack test '''
+
+    @classmethod
+    def setUpClass(cls):
+        cls.smack_path = ""
+        cls.current_label  = ""
+        cls.uid = 1000
+
+    @skipIfNotFeature('smack',
+        'Test requires smack to be in DISTRO_FEATURES')
+    @OEHasPackage(['smack-test'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_smack_basic(self):
+        status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
+        self.smack_path = output
+        status,output = self.target.run("cat /proc/self/attr/current")
+        self.current_label = output.strip()
+
+class SmackAccessLabel(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_add_access_label(self):
+        ''' Test if chsmack can correctly set a SMACK label '''
+        filename = "/tmp/test_access_label"
+        self.target.run("touch %s" %filename)
+        status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename))
+        self.assertEqual(
+            status, 0,
+            "Cannot set smack access label. "
+            "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %filename)
+        self.target.run("rm %s" %filename)
+        m = re.search('(?<=access=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find access attribute")
+        else:
+            label_retrieved = m .group(0)
+            self.assertEqual(
+                LABEL, label_retrieved,
+                "label not set correctly. expected and gotten: "
+                "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackExecLabel(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_add_exec_label(self):
+        '''Test if chsmack can correctly set a SMACK Exec label'''
+        filename = "/tmp/test_exec_label"
+        self.target.run("touch %s" %filename)
+        status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename))
+        self.assertEqual(
+            status, 0,
+            "Cannot set smack exec label. "
+            "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %filename)
+        self.target.run("rm %s" %filename)
+        m= re.search('(?<=execute=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find execute attribute")
+        else:
+            label_retrieved = m.group(0)
+            self.assertEqual(
+                LABEL, label_retrieved,
+                "label not set correctly. expected and gotten: " +
+                "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackMmapLabel(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_add_mmap_label(self):
+        '''Test if chsmack can correctly set a SMACK mmap label'''
+        filename = "/tmp/test_exec_label"
+        self.target.run("touch %s" %filename)
+        status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename))
+        self.assertEqual(
+            status, 0,
+            "Cannot set smack mmap label. "
+            "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %filename)
+        self.target.run("rm %s" %filename)
+        m = re.search('(?<=mmap=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find mmap attribute")
+        else:
+            label_retrieved = m.group(0)
+            self.assertEqual(
+                LABEL, label_retrieved,
+                "label not set correctly. expected and gotten: " +
+                "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackTransmutable(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_add_transmutable(self):
+        '''Test if chsmack can correctly set a SMACK transmutable mode'''
+
+        directory = "~/test_transmutable"
+        self.target.run("mkdir -p %s" %directory)
+        status, output = self.target.run("chsmack -t %s" %directory)
+        self.assertEqual(status, 0, "Cannot set smack transmutable. "
+                        "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %directory)
+        self.target.run("rmdir %s" %directory)
+        m = re.search('(?<=transmute=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find transmute attribute")
+        else:
+            label_retrieved = m.group(0)
+            self.assertEqual(
+                "TRUE", label_retrieved,
+                "label not set correctly. expected and gotten: " +
+                "%s %s" %(LABEL,label_retrieved))
+
+
+class SmackChangeSelfLabelPrivilege(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_privileged_change_self_label(self):
+        '''Test if privileged process (with CAP_MAC_ADMIN privilege)
+        can change its label.
+        '''
+
+        labelf = "/proc/self/attr/current"
+        command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+
+        status, output = self.target.run(
+            "notroot.py 0 %s %s" %(self.current_label, command))
+
+        self.assertIn("PRIVILEGED", output,
+                    "Privilege process did not change label.Output: %s" %output)
+
+class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_unprivileged_change_self_label(self):
+        '''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
+        cannot change its label'''
+
+        command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
+        status, output = self.target.run(
+            "notroot.py %d %s %s"
+            %(self.uid, self.current_label, command) +
+            " 2>&1 | grep 'Operation not permitted'" )
+
+        self.assertEqual(
+            status, 0,
+            "Unprivileged process should not be able to change its label")
+
+
+class SmackChangeFileLabelPrivilege(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_unprivileged_change_file_label(self):
+        '''Test if unprivileged process cannot change file labels'''
+
+        status, chsmack = self.target.run("which chsmack")
+        status, touch = self.target.run("which touch")
+        filename = "/tmp/test_unprivileged_change_file_label"
+
+        self.target.run("touch %s" % filename)
+        self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+        status, output = self.target.run(
+            "notroot.py " +
+            "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
+            "| grep 'Operation not permitted'"  )
+
+        self.target.run("rm %s" % filename)
+        self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)
+
+class SmackLoadRule(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_load_smack_rule(self):
+        '''Test if new smack access rules can be loaded'''
+
+        # old 23 character format requires special spaces formatting
+        #      12345678901234567890123456789012345678901234567890123
+        ruleA="TheOne                  TheOther                rwxat"
+        ruleB="TheOne                  TheOther                r----"
+        clean="TheOne                  TheOther                -----"
+        modeA = "rwxat"
+        modeB = "r"
+
+        status, output = self.target.run('echo -n "%s" > %s/load' %(ruleA, self.smack_path))
+        status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+        self.assertEqual(status, 0, "Rule A was not added")
+        mode = list(filter(bool, output.split(" ")))[2].strip()
+        self.assertEqual( mode, modeA, "Mode A was not set correctly; mode: %s" %mode)
+
+        status, output = self.target.run( 'echo -n "%s" > %s/load' %(ruleB, self.smack_path))
+        status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+        mode = list(filter(bool, output.split(" ")))[2].strip()
+        self.assertEqual( mode, modeB, "Mode B was not set correctly; mode: %s" %mode)
+
+        self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
+
+
+class SmackOnlycap(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_onlycap(self):
+        '''Test if smack onlycap label can be set
+
+        test needs to change the running label of the current process,
+        so whole test takes places on image
+        '''
+        status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
+        self.assertEqual(status, 0, output)
+
+class SmackNetlabel(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_netlabel(self):
+
+        test_label="191.191.191.191 TheOne"
+        expected_label="191.191.191.191/32 TheOne"
+
+        status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+        self.assertEqual( status, 0, "Netlabel /32 could not be set. Output: %s" %output)
+
+        status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+        self.assertIn( expected_label, output, "Did not find expected label in output: %s" %output)
+
+        test_label="253.253.253.0/24 TheOther"
+        status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+        self.assertEqual( status, 0, "Netlabel /24 could not be set. Output: %s" %output)
+
+        status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+        self.assertIn(
+            test_label, output,
+            "Did not find expected label in output: %s" %output)
+
+class SmackCipso(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_cipso(self):
+        '''Test if smack cipso rules can be set'''
+        #      12345678901234567890123456789012345678901234567890123456
+        ruleA="TheOneA                 2   0   "
+        ruleB="TheOneB                 3   1   55  "
+        ruleC="TheOneC                 4   2   17  33  "
+
+        status, output = self.target.run(
+            "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path))
+        self.assertEqual(status, 0,
+            "Could not set cipso label A. Ouput: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep '^TheOneA'" %self.smack_path)
+        self.assertEqual(status, 0, "Cipso rule A was not set")
+        self.assertIn(" 2", output, "Rule A was not set correctly")
+
+        status, output = self.target.run(
+            "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path))
+        self.assertEqual(status, 0,
+            "Could not set cipso label B. Ouput: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep '^TheOneB'" %self.smack_path)
+        self.assertEqual(status, 0, "Cipso rule B was not set")
+        self.assertIn("/55", output, "Rule B was not set correctly")
+
+        status, output = self.target.run(
+            "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path))
+        self.assertEqual(
+            status, 0,
+            "Could not set cipso label C. Ouput: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep '^TheOneC'" %self.smack_path)
+        self.assertEqual(status, 0, "Cipso rule C was not set")
+        self.assertIn("/17,33", output, "Rule C was not set correctly")
+
+class SmackDirect(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_direct(self):
+        status, initial_direct = self.target.run(
+            "cat %s/direct" %self.smack_path)
+
+        test_direct="17"
+        status, output = self.target.run(
+            "echo '%s' > %s/direct" %(test_direct, self.smack_path))
+        self.assertEqual(status, 0 ,
+            "Could not set smack direct. Output: %s" %output)
+        status, new_direct = self.target.run("cat %s/direct" %self.smack_path)
+        # initial label before checking
+        status, output = self.target.run(
+            "echo '%s' > %s/direct" %(initial_direct, self.smack_path))
+        self.assertEqual(
+            test_direct, new_direct.strip(),
+            "Smack direct label does not match.")
+
+
+class SmackAmbient(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_ambient(self):
+        test_ambient = "test_ambient"
+        status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path)
+        status, output = self.target.run(
+            "echo '%s' > %s/ambient" %(test_ambient, self.smack_path))
+        self.assertEqual(status, 0,
+            "Could not set smack ambient. Output: %s" %output)
+
+        status, output = self.target.run("cat %s/ambient" %self.smack_path)
+        # Filter '\x00', which is sometimes added to the ambient label
+        new_ambient = ''.join(filter(lambda x: x in string.printable, output))
+        initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient))
+        status, output = self.target.run(
+            "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path))
+        self.assertEqual(
+            test_ambient, new_ambient.strip(),
+            "Ambient label does not match")
+
+
+class SmackloadBinary(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smackload(self):
+        '''Test if smackload command works'''
+        rule="testobject testsubject rwx"
+
+        status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule)
+        status, output = self.target.run("smackload /tmp/rules")
+        self.assertEqual( status, 0, "Smackload failed to load rule. Output: %s" %output)
+
+        status, output = self.target.run( "cat %s/load | grep '%s'" %(self.smack_path, rule))
+        self.assertEqual(status, 0, "Smackload rule was loaded correctly")
+
+
+class SmackcipsoBinary(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smackcipso(self):
+        '''Test if smackcipso command works'''
+        #     12345678901234567890123456789012345678901234567890123456
+        rule="cipsolabel                  2   2   "
+
+        status, output = self.target.run("echo '%s' | smackcipso" %rule)
+        self.assertEqual( status, 0, "Smackcipso failed to load rule. Output: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep 'cipsolabel'" %self.smack_path)
+        self.assertEqual(status, 0, "smackcipso rule was loaded correctly")
+        self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)
+
+
+class SmackEnforceFileAccess(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_enforce_file_access(self):
+        '''Test if smack file access is enforced (rwx)
+
+        test needs to change the running label of the current process,
+        so whole test takes places on image
+        '''
+        status, output = self.target.run("sh /usr/sbin/smack_test_file_access.sh")
+        self.assertEqual(status, 0, output)
+
+
+class SmackEnforceMmap(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_mmap_enforced(self):
+        '''Test if smack mmap access is enforced'''
+        raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
+
+        #      12345678901234567890123456789012345678901234567890123456
+        delr1="mmap_label              mmap_test_label1        -----"
+        delr2="mmap_label              mmap_test_label2        -----"
+        delr3="mmap_file_label         mmap_test_label1        -----"
+        delr4="mmap_file_label         mmap_test_label2        -----"
+
+        RuleA="mmap_label              mmap_test_label1        rw---"
+        RuleB="mmap_label              mmap_test_label2        r--at"
+        RuleC="mmap_file_label         mmap_test_label1        rw---"
+        RuleD="mmap_file_label         mmap_test_label2        rwxat"
+
+        mmap_label="mmap_label"
+        file_label="mmap_file_label"
+        test_file = "/usr/sbin/smack_test_mmap"
+        mmap_exe = "/tmp/mmap_test"
+        status, echo = self.target.run("which echo")
+        status, output = self.target.run(
+            "notroot.py %d %s %s 'test' > %s" \
+            %(self.uid, self.current_label, echo, test_file))
+        status, output = self.target.run("ls %s" %test_file)
+        self.assertEqual(status, 0, "Could not create mmap test file")
+        self.target.run("chsmack -m %s %s" %(file_label, test_file))
+        self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
+
+        # test with no rules with mmap label or exec label as subject
+        # access should be granted
+        self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+        self.assertEqual(
+            status, 0,
+            "Should have mmap access without rules. Output: %s" %output)
+
+        # add rules that do not match access required
+        self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+        self.assertNotEqual(
+            status, 0,
+            "Should not have mmap access with unmatching rules. " +
+            "Output: %s" %output)
+        self.assertIn(
+            "Permission denied", output,
+            "Mmap access should be denied with unmatching rules")
+
+        # add rule to match only partially (one way)
+        self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+        self.assertNotEqual(
+            status, 0,
+            "Should not have mmap access with partial matching rules. " +
+            "Output: %s" %output)
+        self.assertIn(
+            "Permission denied", output,
+            "Mmap access should be denied with partial matching rules")
+
+        # add rule to match fully
+        self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+        self.assertEqual(
+            status, 0,
+            "Should have mmap access with full matching rules." +
+            "Output: %s" %output)
+
+
+class SmackEnforceTransmutable(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_transmute_dir(self):
+        '''Test if smack transmute attribute works
+
+        test needs to change the running label of the current process,
+        so whole test takes places on image
+        '''
+        test_dir = "/tmp/smack_transmute_dir"
+        label="transmute_label"
+        status, initial_label = self.target.run("cat /proc/self/attr/current")
+
+        self.target.run("mkdir -p %s" % test_dir)
+        self.target.run("chsmack -a %s %s" % (label, test_dir))
+        self.target.run("chsmack -t %s" % test_dir)
+        self.target.run("echo -n '%s %s rwxat' | smackload" %(initial_label, label) )
+
+        self.target.run("touch %s/test" % test_dir)
+        status, output = self.target.run("chsmack %s/test" % test_dir)
+        self.assertIn( 'access="%s"' %label, output,
+            "Did not get expected label. Output: %s" % output)
+
+
+class SmackTcpSockets(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_tcp_sockets(self):
+        '''Test if smack is enforced on tcp sockets
+
+        whole test takes places on image, depends on tcp_server/tcp_client'''
+
+        status, output = self.target.run("sh /usr/sbin/test_smack_tcp_sockets.sh")
+        self.assertEqual(status, 0, output)
+
+
+class SmackUdpSockets(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_udp_sockets(self):
+        '''Test if smack is enforced on udp sockets
+
+        whole test takes places on image, depends on udp_server/udp_client'''
+
+        status, output = self.target.run("sh /usr/sbin/test_smack_udp_sockets.sh")
+        self.assertEqual(status, 0, output)
+
+
+class SmackFileLabels(SmackBasicTest):
+
+    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
+    def test_smack_labels(self):
+        '''Check for correct Smack labels.'''
+        expected = '''
+/tmp/ access="*"
+/etc/ access="System::Shared" transmute="TRUE"
+/etc/passwd access="System::Shared"
+/etc/terminfo access="System::Shared" transmute="TRUE"
+/etc/skel/ access="System::Shared" transmute="TRUE"
+/etc/skel/.profile access="System::Shared"
+/var/log/ access="System::Log" transmute="TRUE"
+/var/tmp/ access="*"
+'''
+        files = ' '.join([x.split()[0] for x in expected.split('\n') if x])
+        files_wildcard = ' '.join([x + '/*' for x in files.split()])
+        # Auxiliary information.
+        status, output = self.target.run(
+            'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % (
+                ' '.join([x.rstrip('/') for x in files.split()]), files, files
+            )
+        )
+        msg = "File status:\n" + output
+        status, output = self.target.run('chsmack %s' % files)
+        self.assertEqual(
+            status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg))
+        self.longMessage = True
+        self.maxDiff = None
+        self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg)
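Review bot: `test_smack_basic` records the smackfs mount point and the current label with `self.smack_path = output` and `self.current_label = output.strip()`, which sets them on that one test instance only; unittest builds a fresh instance per test method, so the tests in the subclasses read the `""` that `setUpClass` assigned. A command such as `'echo -n "%s" > %s/load'` then expands to a redirect into `/load` on the target's root filesystem instead of smackfs, and `notroot.py` receives an empty label argument, unless the oeqa runner shares state in a way this hunk does not show. Resolving both values in a `setUp` method on `SmackBasicTest` (the same two `self.target.run` calls, with `.strip()` on the mount path as well) gives every instance real values; assigning to `SmackBasicTest` alone would not help, because the inherited `setUpClass` resets the attributes on each subclass. The `/load`, `/cipso` and `/netlabel` tests should also assert that `self.smack_path` is non-empty before writing.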
diff --git a/meta-security/lib/oeqa/selftest/cases/cvechecker.py b/meta-security/lib/oeqa/selftest/cases/cvechecker.py
new file mode 100644
index 0000000..23ca7d2
--- /dev/null
+++ b/meta-security/lib/oeqa/selftest/cases/cvechecker.py
@@ -0,0 +1,27 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake, get_bb_var
+
+class CveCheckerTests(OESelftestTestCase):
+    def test_cve_checker(self):
+        image = "core-image-sato"
+
+        deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE")
+        image_link_name = get_bb_var('IMAGE_LINK_NAME', image)
+
+        manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name)
+
+        self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link)
+        if (not 'cve-check' in get_bb_var('INHERIT')):
+            add_cve_check_config = 'INHERIT += "cve-check"'
+            self.append_config(add_cve_check_config)
+        self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link)
+        result = bitbake("-k -c cve_check %s" % image, ignore_status=True)
+        if (not 'cve-check' in get_bb_var('INHERIT')):
+            self.remove_config(add_cve_check_config)
+
+        isfile = os.path.isfile(manifest_link)
+        self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link)
+
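Review bot: The only assertion is that `manifest_link` exists, while `bitbake` runs with `ignore_status=True` and `result` is never read, so a manifest left in the deploy directory by an earlier build lets the test pass even if the cve_check task failed. Checking `result.status` (or at least putting `result.output` in the failure message) and removing any existing manifest before the run would tie the assertion to this build. The second `if (not 'cve-check' in get_bb_var('INHERIT'))` is evaluated after `append_config` has added the class, so the `remove_config` branch presumably never runs; recording the first decision in a local flag would make the cleanup reachable.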
diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README
index bbc70bb..dd662b3 100644
--- a/meta-security/meta-tpm/README
+++ b/meta-security/meta-tpm/README
@@ -2,3 +2,60 @@
 ==============
 
 This layer contains base TPM recipes.
+
+Dependencies
+============
+
+This layer depends on:
+
+  URI: git://git.openembedded.org/openembedded-core
+  branch: master
+  revision: HEAD
+  prio: default
+
+  URI: git://git.openembedded.org/meta-openembedded/meta-oe
+  branch: master
+  revision: HEAD
+  prio: default
+
+Adding the meta-tpm layer to your build
+========================================
+
+In order to use this layer, you need to make the build system aware of
+it.
+
+Assuming this layer exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the meta-tpm layer to bblayers.conf, along with any
+other layers needed. e.g.:
+
+  BBLAYERS ?= " \
+    /path/to/oe-core/meta \
+    /path/to/meta-openembedded/meta-oe \
+    /path/to/layer/meta-tpm \
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-security][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers:    Armin Kuster <akuster808@gmail.com>
+
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 15a2bef..bf9a76e 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -12,4 +12,5 @@
 
 LAYERDEPENDS_tpm-layer = " \
     core \
+    openembedded-layer \
 "
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
index b5f9bb2..ae6cdcd 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/apparmor.cfg
@@ -1,15 +1,9 @@
 CONFIG_AUDIT=y
-# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
-CONFIG_SECURITY_NETWORK=y
-# CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_PATH=y
-# CONFIG_SECURITY_SELINUX is not set
 CONFIG_SECURITY_APPARMOR=y
 CONFIG_SECURITY_APPARMOR_HASH=y
 CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
-# CONFIG_SECURITY_APPARMOR_DEBUG is not set
 CONFIG_INTEGRITY_AUDIT=y
 CONFIG_DEFAULT_SECURITY_APPARMOR=y
-# CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_DEFAULT_SECURITY="apparmor"
 CONFIG_AUDIT_GENERIC=y
diff --git a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
index 62f465a..0d5fc64 100644
--- a/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
+++ b/meta-security/recipes-kernel/linux/linux-yocto-5.0/smack.cfg
@@ -1,8 +1,7 @@
-CONFIG_IP_NF_SECURITY=m
-CONFIG_IP6_NF_SECURITY=m
-CONFIG_EXT2_FS_SECURITY=y
-CONFIG_EXT3_FS_SECURITY=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_SECURITY=y
+CONFIG_NETLABEL=y
+CONFIG_SECURITY_NETWORK=y
+# CONFIG_SECURITY_NETWORK_XFRM is not set
 CONFIG_SECURITY_SMACK=y
+CONFIG_SECURITY_SMACK_BRINGUP=y
+CONFIG_SECURITY_SMACK_APPEND_SIGNALS=y
 CONFIG_TMPFS_XATTR=y
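Review bot: `CONFIG_SECURITY_SMACK_BRINGUP=y` is added to the fragment that Smack-enabled kernels in this layer share, and bring-up mode is a development aid: it exists so that accesses policy would otherwise deny can be logged and permitted while rules are being written. If it is wanted only for the new runtime tests, it belongs in a separate opt-in fragment, with this file carrying `# CONFIG_SECURITY_SMACK_BRINGUP is not set`. The hunk also drops `CONFIG_SECURITY=y` and the `EXT*_FS_SECURITY` options; Smack depends on the former and keeps its labels in security xattrs, so the commit should state where those are now enabled.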
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
index 62ed611..4eaec00 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_2.13.2.bb
@@ -14,7 +14,7 @@
 DEPENDS = "bison-native apr gettext-native coreutils-native"
 
 SRC_URI = " \
-	http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
+	git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
 	file://disable_perl_h_check.patch \
 	file://crosscompile_perl_bindings.patch \
 	file://apparmor.rc \
@@ -24,8 +24,8 @@
 	file://run-ptest \
 	"
 
-SRC_URI[md5sum] = "2439b35266b5a3a461b0a2dba6e863c3"
-SRC_URI[sha256sum] = "844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30"
+SRCREV = "af4808b5f6b58946f5c5a4de4b77df5e0eae6ca0"
+S = "${WORKDIR}/git"
 
 PARALLEL_MAKE = ""
 
diff --git a/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c
new file mode 100644
index 0000000..f358d27
--- /dev/null
+++ b/meta-security/recipes-mac/smack/mmap-smack-test/mmap.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+    printf("Original test program removed while investigating its license.\n");
+    return 1;
+}
diff --git a/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb
new file mode 100644
index 0000000..9d11509
--- /dev/null
+++ b/meta-security/recipes-mac/smack/mmap-smack-test_1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Mmap binary used to test smack mmap attribute"
+DESCRIPTION = "Mmap binary used to test smack mmap attribute"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://mmap.c" 
+
+S = "${WORKDIR}"
+do_compile() {
+    ${CC} mmap.c ${LDFLAGS} -o mmap_test
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    install -m 0755 mmap_test ${D}${bindir}
+}
diff --git a/meta-security/recipes-mac/smack/smack-test/notroot.py b/meta-security/recipes-mac/smack/smack-test/notroot.py
new file mode 100644
index 0000000..f0eb0b5
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual: 
+# """By  default,  each  user  in Debian GNU/Linux is given a corresponding group 
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+
+try:
+	uid = int(sys.argv[1])
+	sys.argv.pop(1)
+	label = sys.argv[1]
+	sys.argv.pop(1)
+	open("/proc/self/attr/current", "w").write(label)
+	path=sys.argv[1]
+	sys.argv.pop(0)
+	os.setgid(uid)
+	os.setuid(uid)	
+	os.execv(path,sys.argv)
+
+except Exception,e:
+	print e.message
+	sys.exit(1)
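Review bot: The privilege drop at `os.setgid(uid)` / `os.setuid(uid)` leaves the supplementary group list of the invoking root process in place, so the exec'd program still holds those groups and file-access results can reflect them rather than the target uid; add `os.setgroups([])` before `os.setgid(uid)`. The label write `open("/proc/self/attr/current", "w").write(label)` never closes the file explicitly; `with open("/proc/self/attr/current", "w") as f: f.write(label)` guarantees the write has completed before the uid change. `except Exception,e` with `print e.message` is Python 2 only, and `e.message` is often empty for `OSError`, so `print(str(e))` would give a usable diagnostic. The header comment spells the path `/proc/self/attr/curent`.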
diff --git a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
new file mode 100644
index 0000000..5a0ce84
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+#        12345678901234567890123456789012345678901234567890123456
+delrule="TheOne                  TheOther                -----"
+rule_ro="TheOne                  TheOther                r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+	echo "Process with different label than the test file and no read access on it can read it"
+	exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+	echo "Process with different label than the test file but with read access on it cannot read it"
+	exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+	echo  "Process cannot read file with * label"
+	exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+	echo "Process with label '*' should not have any access"
+	exit $RC
+fi
+exit 0
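Review bot: Every check runs `python $TMP/notroot.py` with `TMP="/tmp"`, while smack-test_1.0.bb in this commit installs notroot.py into `${sbindir}`; as written the script depends on something else copying the helper into /tmp, and a privileged test run then executes whatever file sits at that world-writable path. Resolving the helper from the install location, for example `NOTROOT="$(dirname "$0")/notroot.py"`, removes both problems. `$test_file` and `$TMP/test_file_2` are fixed names in /tmp that are never removed, so a leftover `test_file_2` from an earlier run makes the last check fail; `mktemp -d` plus a cleanup `trap` would avoid that. `SMACK_PATH` is used unquoted and unchecked, so an empty grep result turns the rule writes into writes to `/load`.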
diff --git a/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
new file mode 100644
index 0000000..26d9e9d
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+	# restore proper label
+	echo $initial_label >/proc/self/attr/current
+	echo "Privileged process could not change its label"
+	exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0
\ No newline at end of file
diff --git a/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
new file mode 100644
index 0000000..1c4a93a
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`		
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+	echo "Onlycap label could not be set"
+	return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+	echo "Onlycap label was not set correctly."
+	return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
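Review bot: Both failure paths use `return`, which is only defined inside a function or a sourced file; when this file is executed as a script the behaviour is shell-dependent, and neither path restores `$SMACK_PATH/onlycap` or the process label, so a failed run can leave the system's onlycap setting changed. Use `exit` and restore state from a trap set right after the initial values are read, e.g. `trap 'echo "$onlycap_initial" > "$SMACK_PATH/onlycap"; echo "$smack_initial" > /proc/self/attr/current' EXIT`. The command substitution in the `[ ... != "$test_label" ]` test is unquoted, so an empty onlycap file becomes a `[` syntax error instead of a reported failure; quote it. The script also has no explicit `exit 0` on the success path, unlike the other test scripts in this commit.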
diff --git a/meta-security/recipes-mac/smack/smack-test_1.0.bb b/meta-security/recipes-mac/smack/smack-test_1.0.bb
new file mode 100644
index 0000000..7cf8f2e
--- /dev/null
+++ b/meta-security/recipes-mac/smack/smack-test_1.0.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Smack test scripts"
+DESCRIPTION = "Smack scripts"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = " \
+           file://notroot.py \
+           file://smack_test_file_access.sh \
+           file://test_privileged_change_self_label.sh \
+           file://test_smack_onlycap.sh \
+" 
+
+S = "${WORKDIR}"
+
+do_install() {
+    install -d ${D}${sbindir}
+    install -m 0755 notroot.py ${D}${sbindir}
+    install -m 0755 *.sh ${D}${sbindir}
+}
+
+RDEPENDS_${PN} = "smack python mmap-smack-test tcp-smack-test udp-smack-test"
diff --git a/meta-security/recipes-mac/smack/files/run-ptest b/meta-security/recipes-mac/smack/smack/run-ptest
similarity index 100%
rename from meta-security/recipes-mac/smack/files/run-ptest
rename to meta-security/recipes-mac/smack/smack/run-ptest
diff --git a/meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
similarity index 100%
rename from meta-security/recipes-mac/smack/files/smack_generator_make_fixup.patch
rename to meta-security/recipes-mac/smack/smack/smack_generator_make_fixup.patch
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
new file mode 100644
index 0000000..185f973
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_client.c
@@ -0,0 +1,111 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <string.h>
+#include <sys/xattr.h>
+
+int main(int argc, char* argv[])
+{
+
+	int sock;
+	char message[255] = "hello";
+	struct sockaddr_in server_addr;
+	char* label_in;
+	char* label_out;
+	char* attr_out = "security.SMACK64IPOUT";
+	char* attr_in = "security.SMACK64IPIN";
+	char out[256];
+	int port;
+
+	struct timeval timeout;
+	timeout.tv_sec = 15;
+	timeout.tv_usec = 0;
+
+	struct hostent*  host = gethostbyname("localhost");
+
+	if (argc != 4)
+	{
+		perror("Client: Arguments missing, please provide socket labels");
+		return 2;
+	}
+
+	port = atoi(argv[1]);
+	label_in = argv[2];
+	label_out = argv[3];
+
+	if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+	{
+		perror("Client: Socket failure");
+		return 2;
+	}
+
+
+	if(fsetxattr(sock, attr_out, label_out, strlen(label_out), 0) < 0)
+	{
+		perror("Client: Unable to set attribute SMACK64IPOUT");
+		return 2;
+	}
+
+	if(fsetxattr(sock, attr_in, label_in, strlen(label_in), 0) < 0)
+	{
+		perror("Client: Unable to set attribute SMACK64IPIN");
+		return 2;
+	}
+
+	server_addr.sin_family = AF_INET;
+	server_addr.sin_port = htons(port);
+	bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+	bzero(&(server_addr.sin_zero),8);
+	
+	if(setsockopt(sock, SOL_SOCKET, SO_SNDTIMEO, &timeout, sizeof(timeout)) < 0)
+	{
+		perror("Client: Set timeout failed\n");
+		return 2;
+	}
+	
+	if (connect(sock, (struct sockaddr *)&server_addr,sizeof(struct sockaddr)) == -1)
+	{
+    		perror("Client: Connection failure");
+			close(sock);
+        	return 1;
+	}
+
+
+	if(write(sock, message, strlen(message)) < 0)
+	{
+		perror("Client: Error sending data\n");
+		close(sock);
+		return 1;
+	}
+	close(sock);
+	return 0;
+}
+
+
+
+
+
+
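Review bot: The result of `gethostbyname("localhost")` is dereferenced as `host->h_addr` in the `bcopy` call without a NULL check, so a target without a working hosts lookup crashes the client; because the deny checks in test_smack_tcp_sockets.sh accept any non-zero status, that crash would be counted as a Smack denial. Add `if (host == NULL) { fprintf(stderr, "Client: cannot resolve localhost\n"); return 2; }` before the copy, or fill the address with `htonl(INADDR_LOOPBACK)` and drop the lookup; udp_client.c in this commit has the same unchecked `host`. `atoi` is called without `<stdlib.h>`, and the `argc != 4` branch uses `perror` although errno is not set there, so the message ends with an unrelated error string. The two `fsetxattr` failure returns leave `sock` open, and `out` is unused.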
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
new file mode 100644
index 0000000..9285dc6
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
@@ -0,0 +1,118 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+
+	int sock;
+	int clientsock;
+	char message[255];
+	socklen_t client_length;
+	struct sockaddr_in server_addr, client_addr;
+	char* label_in;
+	char* attr_in = "security.SMACK64IPIN";
+	int port;
+
+	struct timeval timeout;
+	timeout.tv_sec = 15;
+	timeout.tv_usec = 0;
+
+	if (argc != 3)
+	{
+		perror("Server: Argument missing please provide port and label for SMACK64IPIN");
+		return 2;
+	}
+	
+	port = atoi(argv[1]);
+	label_in = argv[2];
+	bzero(message,255);
+
+	
+	if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
+	{
+		perror("Server: Socket failure");
+		return 2;
+	}
+	
+	
+	if(fsetxattr(sock, attr_in, label_in, strlen(label_in),0) < 0)
+	{
+		perror("Server: Unable to set attribute ipin 2");
+		return 2;
+	}
+
+	server_addr.sin_family = AF_INET;         
+	server_addr.sin_port = htons(port);     
+	server_addr.sin_addr.s_addr = INADDR_ANY; 
+ 	bzero(&(server_addr.sin_zero),8); 
+
+	if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+	{
+		perror("Server: Set timeout failed\n");
+		return 2;
+	}
+
+	if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+	{
+		perror("Server: Bind failure ");
+		return 2;
+	}
+
+	listen(sock, 1);
+	client_length = sizeof(client_addr);
+
+	clientsock = accept(sock,(struct sockaddr*) &client_addr, &client_length);
+
+	if (clientsock < 0)
+	{
+		perror("Server: Connection failed");
+		close(sock);
+		return 1;
+	}
+	
+
+	if(fsetxattr(clientsock, "security.SMACK64IPIN", label_in, strlen(label_in),0) < 0)
+	{
+		perror(" Server: Unable to set attribute ipin 2");
+		close(sock);
+		return 2;
+	}
+
+	if(read(clientsock, message, 254) < 0)
+	{
+		perror("Server: Error when reading from socket");
+		close(clientsock);
+		close(sock);
+		return 1;
+	}
+
+
+	close(clientsock);
+	close(sock);
+
+	return 0;
+}
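Review bot: `fsetxattr` is called without including `<sys/xattr.h>` and `atoi` without `<stdlib.h>`, so both are implicitly declared, which recent GCC and Clang releases treat as an error by default; udp_server.c and udp_client.c in this commit likewise lack `<sys/xattr.h>`, `<stdlib.h>` and `<unistd.h>` (for `close`). The final check `read(clientsock, message, 254) < 0` treats a 0-byte read as success, so the server reports communication even when no payload arrived; for an access-control test `<= 0` is the safer condition. The return value of `listen(sock, 1)` is ignored, and the `fsetxattr(clientsock, ...)` failure path closes `sock` but not `clientsock`.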
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
new file mode 100644
index 0000000..ed18f23
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+	if [ -f "/tmp/tcp_server" ]; then
+		tcp_server="/tmp/tcp_server"
+	else
+		echo "tcp_server binary not found"
+		exit 1
+	fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+	if [ -f "/tmp/tcp_client" ]; then
+		tcp_client="/tmp/tcp_client"
+	else
+		echo "tcp_client binary not found"
+		exit 1
+	fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+	echo "Sockets with different labels should not communicate on tcp"
+	exit 1
+fi
+
+# granting access between different labels
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with different labels, but having rw access, should communicate on tcp"
+	exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1  2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with same labels should communicate on tcp"
+	exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Should have access on tcp socket labeled star (*)"
+	exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o  $client_rv -eq 0 ]; then
+	echo "Socket labeled star should not have access to any tcp socket"
+	exit 1
+fi
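Review bot: The first check starts both programs with `&>/dev/null &` under `#!/bin/sh`; `&>` is a bash extension, and a strictly POSIX shell reads it as `cmd &` followed by a separate `>/dev/null &`, so `$!` no longer holds the server or client pid and `wait` returns the status of an empty command. Write it as `>/dev/null 2>&1 &`. The deny checks also accept any non-zero status as a denial, although tcp_server.c and tcp_client.c return 2 for setup errors and 1 for a failed connection or read, so a bind failure or a bad argument passes the test; comparing against status 1 would be stricter. The `rw---` rule loaded for label1/label2 is still in place when the script ends.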
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
new file mode 100644
index 0000000..d2b3f6b
--- /dev/null
+++ b/meta-security/recipes-mac/smack/tcp-smack-test_1.0.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Binary used to test smack tcp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on TCP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://tcp_server.c \
+           file://tcp_client.c \
+           file://test_smack_tcp_sockets.sh \
+" 
+
+S = "${WORKDIR}"
+
+do_compile() {
+    ${CC} tcp_client.c ${LDFLAGS} -o tcp_client
+    ${CC} tcp_server.c ${LDFLAGS} -o tcp_server
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    install -d ${D}${sbindir}
+    install -m 0755 tcp_server ${D}${bindir}
+    install -m 0755 tcp_client ${D}${bindir}
+    install -m 0755 test_smack_tcp_sockets.sh ${D}${sbindir}
+}
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
new file mode 100644
index 0000000..419ab9f
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+	if [ -f "/tmp/udp_server" ]; then
+		udp_server="/tmp/udp_server"
+	else
+		echo "udp_server binary not found"
+		exit 1
+	fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+	if [ -f "/tmp/udp_client" ]; then
+		udp_client="/tmp/udp_client"
+	else
+		echo "udp_client binary not found"
+		exit 1
+	fi
+fi
+
+# make sure no access is granted
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+	echo "Sockets with different labels should not communicate on udp"
+	exit 1
+fi
+
+# granting access between different labels
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with different labels, but having rw access, should communicate on udp"
+	exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with same labels should communicate on udp"
+	exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Should have access on udp socket labeled star (*)"
+	exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+	echo "Socket labeled star should not have access to any udp socket"
+	exit 1
+fi
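Review bot: When `which udp_server` or `which udp_client` finds nothing, the script falls back to `/tmp/udp_server` and `/tmp/udp_client` and runs them; /tmp is world-writable, so a privileged test run would execute a binary that any local account could have placed there. udp-smack-test_1.0.bb installs both programs into `${bindir}`, so the fallback can be dropped and the script can stop at the existing "binary not found" message; test_smack_tcp_sockets.sh has the same fallback for `/tmp/tcp_server` and `/tmp/tcp_client`. The `[ -z $udp_server ]` tests should quote the variable. Stderr of server and client is redirected to the same fixed file `/tmp/smack_socket_udp`, which the script neither reads nor removes.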
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
new file mode 100644
index 0000000..4d3afbe
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -0,0 +1,75 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+	char* message = "hello";
+	int sock, ret;
+	struct sockaddr_in server_addr;
+	struct hostent*  host = gethostbyname("localhost");
+	char* label;
+	char* attr = "security.SMACK64IPOUT";
+	int port;
+	if (argc != 3)
+	{
+		perror("Client: Argument missing, please provide port and  label for SMACK64IPOUT");
+		return 2;
+	}
+
+	port = atoi(argv[1]);
+	label = argv[2];
+	sock = socket(AF_INET, SOCK_DGRAM,0);
+	if(sock < 0)
+	{
+		perror("Client: Socket failure");
+		return 2;
+	}
+	
+
+	if(fsetxattr(sock, attr, label, strlen(label),0) < 0)
+	{
+		perror("Client: Unable to set attribute ");
+		return 2;
+	}
+
+
+	server_addr.sin_family = AF_INET;
+	server_addr.sin_port = htons(port);
+	bcopy((char*) host->h_addr, (char*) &server_addr.sin_addr.s_addr,host->h_length);
+	bzero(&(server_addr.sin_zero),8);
+	
+	ret = sendto(sock, message, strlen(message),0,(const struct sockaddr*)&server_addr,
+			sizeof(struct sockaddr_in));
+
+	close(sock);
+	if(ret < 0)
+	{
+		perror("Client: Error sending message\n");
+		return 1;
+	}
+	
+	return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
new file mode 100644
index 0000000..cbab71e
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -0,0 +1,93 @@
+// (C) Copyright 2015 Intel Corporation
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+#include <sys/socket.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <string.h>
+
+int main(int argc, char* argv[])
+{
+	int sock,ret;
+	struct sockaddr_in server_addr, client_addr;
+	socklen_t len;
+	char message[5];
+	char* label;
+	char* attr = "security.SMACK64IPIN";
+	int port;
+
+	if(argc != 3)
+	{
+		perror("Server: Argument missing, please provide port and label for SMACK64IPIN");
+		return 2;
+	}
+	
+	port = atoi(argv[1]);
+	label = argv[2];
+
+	struct timeval timeout;
+	timeout.tv_sec = 15;
+	timeout.tv_usec = 0;
+
+	sock = socket(AF_INET,SOCK_DGRAM,0);
+	if(sock < 0)
+	{
+		perror("Server: Socket error");
+		return 2;
+	}
+	
+
+	if(fsetxattr(sock, attr, label, strlen(label), 0) < 0)
+	{
+		perror("Server: Unable to set attribute ");
+		return 2;
+	}
+
+	server_addr.sin_family = AF_INET;         
+	server_addr.sin_port = htons(port);     
+	server_addr.sin_addr.s_addr = INADDR_ANY; 
+	bzero(&(server_addr.sin_zero),8); 
+	
+
+	if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout)) < 0)
+	{
+		perror("Server: Set timeout failed\n");
+		return 2;
+	}
+
+	if(bind(sock, (struct sockaddr*) &server_addr, sizeof(server_addr)) < 0)
+	{
+		perror("Server: Bind failure");
+		return 2;
+	}
+
+	len = sizeof(client_addr);
+	ret = recvfrom(sock, message, sizeof(message), 0, (struct sockaddr*)&client_addr,
+					&len);
+	close(sock);
+	if(ret < 0)
+	{
+		perror("Server: Error receiving");
+		return 1;
+
+	}
+	return 0;
+}
+
diff --git a/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb
new file mode 100644
index 0000000..9193f89
--- /dev/null
+++ b/meta-security/recipes-mac/smack/udp-smack-test_1.0.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Binary used to test smack udp sockets"
+DESCRIPTION = "Server and client binaries used to test smack attributes on UDP sockets"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://udp_server.c \
+           file://udp_client.c \
+           file://test_smack_udp_sockets.sh \
+" 
+
+S = "${WORKDIR}"
+do_compile() {
+    ${CC} udp_client.c ${LDFLAGS} -o udp_client
+    ${CC} udp_server.c ${LDFLAGS} -o udp_server
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    install -d ${D}${sbindir}
+    install -m 0755 udp_server ${D}${bindir}
+    install -m 0755 udp_client ${D}${bindir}
+    install -m 0755 test_smack_udp_sockets.sh ${D}${sbindir}
+}
diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
index 6219d9e..7d8767e 100644
--- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb
+++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb
@@ -4,8 +4,9 @@
 SECTION = "security"
 LICENSE = "LGPL-2.1"
 
-DEPENDS = "libtool db libmspack chrpath-replacement-native"
-
+DEPENDS = "libtool db libmspack openssl zlib llvm chrpath-replacement-native clamav-native"
+DEPENDS_class-native = "db-native openssl-native zlib-native"
+ 
 LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
 
 SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047"
@@ -15,6 +16,7 @@
     file://freshclam.conf \
     file://volatiles.03_clamav \
     file://${BPN}.service \
+    file://freshclam-native.conf \
     "
 
 S = "${WORKDIR}/git"
@@ -28,42 +30,54 @@
 
 UID = "clamav"
 GID = "clamav"
+INSTALL_CLAMAV_CVD ?= "1"
 
 # Clamav has a built llvm version 2 but does not build with gcc 6.x,
 # disable the internal one. This is a known issue
 # If you want LLVM support, use the one in core
 
-PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm"
-PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr"
+CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr"
 
-PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0"
+PACKAGECONFIG_class-target ?= "ncurses bz2"
+PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
+PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR},  --without-pcre, libpcre"
-PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2,"
+PACKAGECONFIG[xml] = "--with-xml=${CLAMAV_USR_DIR}, --disable-xml, libxml2,"
 PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json,"
 PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl,"
 PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
-PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl"
-PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, "
-PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, "
-PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, "
+PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --without-libbz2-prefix, "
+PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, "
 PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
 
-EXTRA_OECONF += " --with-user=${UID}  --with-group=${GID} \
-            --without-libcheck-prefix --disable-unrar \
+EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \
+            --with-system-llvm --with-llvm-linking=dynamic --disable-llvm \
             --disable-mempool \
             --program-prefix="" \
             --disable-yara \
-            --disable-rpath \
+            --disable-xml \
+            --with-openssl=${CLAMAV_USR_DIR} \
+            --with-zlib=${CLAMAV_USR_DIR} --disable-zlib-vcheck \
             "
 
+EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}"
+EXTRA_OECONF_class-target += "--with-user=${UID}  --with-group=${GID} --disable-rpath ${EXTRA_OECONF_CLAMAV}"
+
 do_configure () {
     cd ${S}
     ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} 
+    install -d ${S}/clamav_db
 }
 
-do_compile_append() {
+do_configure_class-native () {
+    cd ${S}
+    ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} 
+}
+
+
+do_compile_append_class-target() {
     # brute force removing RPATH
     chrpath -d  ${B}/libclamav/.libs/libclamav.so.${SO_VER}
     chrpath -d  ${B}/sigtool/.libs/sigtool
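Review bot: `EXTRA_OECONF_CLAMAV` now passes `--disable-xml` unconditionally while `PACKAGECONFIG[xml]` still offers `--with-xml=${CLAMAV_USR_DIR}`, so enabling the xml option hands configure both switches and the outcome depends on argument order; drop `--disable-xml` from the fixed list and let the PACKAGECONFIG entry supply it. The same list keeps `--with-system-llvm --with-llvm-linking=dynamic` next to `--disable-llvm`, and `llvm` was added to DEPENDS in the first hunk of this file, so a one-line comment stating whether LLVM support is meant to be on or off would make the intent clear. `do_compile_append_class-target` continues outside this hunk.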
@@ -72,9 +86,14 @@
     chrpath -d  ${B}/clamconf/.libs/clamconf
     chrpath -d  ${B}/clamd/.libs/clamd
     chrpath -d  ${B}/freshclam/.libs/freshclam
+
+    if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
+        bbnote "CLAMAV creating cvd"
+        ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf
+    fi
 }
 
-do_install_append() {
+do_install_append_class-target () {
     install -d ${D}/${sysconfdir}
     install -d ${D}/${localstatedir}/lib/clamav
     install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
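Review bot: The added `freshclam` call downloads the signature database from inside do_compile, so the task needs network access outside do_fetch and the image ends up with whatever the mirror served at build time, with no version or checksum recorded. Offline or network-isolated builds will presumably fail at this step when `INSTALL_CLAMAV_CVD` is `1`. At minimum log what was fetched, e.g. `bbnote "CLAMAV cvd files: $(ls ${S}/clamav_db)"` after the call, and document `INSTALL_CLAMAV_CVD` next to its default. The call also relies on a native freshclam being staged; a dependency on the native recipe is not visible here and should be confirmed. do_compile_append_class-target begins outside this hunk.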
@@ -84,6 +103,7 @@
     install -m 0644 ${WORKDIR}/volatiles.03_clamav  ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
     sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
     rm ${D}/${libdir}/libclamav.so
+    install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
         install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
     fi
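Review bot: `install -m 666` makes the signature databases world-writable on the target, so any local account can alter or truncate the data the scanner relies on; use `0644`. The glob is also unguarded: when `INSTALL_CLAMAV_CVD` is not `1`, `${S}/clamav_db` is presumably empty and `install` receives the literal `*`, failing the task. Suggested: put `install -m 0644 ${S}/clamav_db/* ${D}${localstatedir}/lib/clamav/` inside the same `if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then` … `fi` test that do_compile uses. do_install_append_class-target starts and ends outside this hunk.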
@@ -93,11 +113,12 @@
     if [ -e /etc/init.d/populate-volatile.sh ] ; then
         ${sysconfdir}/init.d/populate-volatile.sh update
     fi
-    chown ${UID}:${GID} ${localstatedir}/lib/clamav
+    mkdir -p ${localstatedir}/lib/clamav
+    chown -R ${UID}:${GID} ${localstatedir}/lib/clamav
 }
 
 
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \
+PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
             ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
 
 FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
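Review bot: The recursive `chown -R ${UID}:${GID}` runs as root in the post-install script over a directory that the clamav account can itself write to, and it only reaches the `.cvd` files if `${PN}-cvd` has already been unpacked when this script runs. Setting the owner once at install time, e.g. `install -d -o ${UID} -g ${GID} ${D}${localstatedir}/lib/clamav` and `-o ${UID} -g ${GID}` on the database files in do_install, would make the result independent of package order and remove the recursive pass. The function header is outside this hunk, so whether the script is guarded for offline rootfs creation (`$D`) cannot be confirmed from here.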
@@ -140,6 +161,8 @@
                    ${datadir}/man/* \
                    ${docdir}/* "
 
+FILES_${PN}-cvd =  "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat"
+
 USERADD_PACKAGES = "${PN}"
 GROUPADD_PARAM_${PN} = "--system ${UID}"
 USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir  \
@@ -151,4 +174,7 @@
 RCONFLICTS_${PN} += "${PN}-systemd"
 SYSTEMD_SERVICE_${PN} = "${BPN}.service"
 
-RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav"
+RDEPENDS_${PN} = "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav"
+RDEPENDS_${PN}_class-native = ""
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/clamav/files/freshclam-native.conf b/meta-security/recipes-security/clamav/files/freshclam-native.conf
new file mode 100644
index 0000000..aaa8cf4
--- /dev/null
+++ b/meta-security/recipes-security/clamav/files/freshclam-native.conf
@@ -0,0 +1,224 @@
+# Path to the database directory.
+# WARNING: It must match clamd.conf's directive!
+# Default: hardcoded (depends on installation options)
+#DatabaseDirectory /var/lib/clamav
+
+# Path to the log file (make sure it has proper permissions)
+# Default: disabled
+#UpdateLogFile /var/log/clamav/freshclam.log
+
+# Maximum size of the log file.
+# Value of 0 disables the limit.
+# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
+# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
+# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
+# log rotation (the LogRotate option) will always be enabled.
+# Default: 1M
+LogFileMaxSize 2M
+
+# Log time with each message.
+# Default: no
+LogTime yes
+
+# Enable verbose logging.
+# Default: no
+#LogVerbose yes
+
+# Use system logger (can work together with UpdateLogFile).
+# Default: no
+#LogSyslog yes
+
+# Specify the type of syslog messages - please refer to 'man syslog'
+# for facility names.
+# Default: LOG_LOCAL6
+#LogFacility LOG_MAIL
+
+# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
+# Default: no
+#LogRotate yes
+
+# This option allows you to save the process identifier of the daemon
+# Default: disabled
+#PidFile /var/run/freshclam.pid
+
+# By default when started freshclam drops privileges and switches to the
+# "clamav" user. This directive allows you to change the database owner.
+# Default: clamav (may depend on installation options)
+DatabaseOwner clamav
+
+# Initialize supplementary group access (freshclam must be started by root).
+# Default: no
+#AllowSupplementaryGroups yes
+
+# Use DNS to verify virus database version. Freshclam uses DNS TXT records
+# to verify database and software versions. With this directive you can change
+# the database verification domain.
+# WARNING: Do not touch it unless you're configuring freshclam to use your
+# own database verification domain.
+# Default: current.cvd.clamav.net
+#DNSDatabaseInfo current.cvd.clamav.net
+
+# Uncomment the following line and replace XY with your country
+# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
+# You can use db.XY.ipv6.clamav.net for IPv6 connections.
+#DatabaseMirror db.XY.clamav.net
+
+# database.clamav.net is a round-robin record which points to our most 
+# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is 
+# not working. DO NOT TOUCH the following line unless you know what you
+# are doing.
+DatabaseMirror database.clamav.net
+
+# How many attempts to make before giving up.
+# Default: 3 (per mirror)
+#MaxAttempts 5
+
+# With this option you can control scripted updates. It's highly recommended
+# to keep it enabled.
+# Default: yes
+#ScriptedUpdates yes
+
+# By default freshclam will keep the local databases (.cld) uncompressed to
+# make their handling faster. With this option you can enable the compression;
+# the change will take effect with the next database update.
+# Default: no
+#CompressLocalDatabase no
+
+# With this option you can provide custom sources (http:// or file://) for
+# database files. This option can be used multiple times.
+# Default: no custom URLs
+#DatabaseCustomURL http://myserver.com/mysigs.ndb
+#DatabaseCustomURL file:///mnt/nfs/local.hdb
+
+# This option allows you to easily point freshclam to private mirrors.
+# If PrivateMirror is set, freshclam does not attempt to use DNS
+# to determine whether its databases are out-of-date, instead it will
+# use the If-Modified-Since request or directly check the headers of the
+# remote database files. For each database, freshclam first attempts
+# to download the CLD file. If that fails, it tries to download the
+# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
+# and ScriptedUpdates. It can be used multiple times to provide
+# fall-back mirrors.
+# Default: disabled
+#PrivateMirror mirror1.mynetwork.com
+#PrivateMirror mirror2.mynetwork.com
+
+# Number of database checks per day.
+# Default: 12 (every two hours)
+#Checks 24
+
+# Proxy settings
+# Default: disabled
+#HTTPProxyServer myproxy.com
+#HTTPProxyPort 1234
+#HTTPProxyUsername myusername
+#HTTPProxyPassword mypass
+
+# If your servers are behind a firewall/proxy which applies User-Agent
+# filtering you can use this option to force the use of a different
+# User-Agent header.
+# Default: clamav/version_number
+#HTTPUserAgent SomeUserAgentIdString
+
+# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
+# multi-homed systems.
+# Default: Use OS'es default outgoing IP address.
+#LocalIPAddress aaa.bbb.ccc.ddd
+
+# Send the RELOAD command to clamd.
+# Default: no
+#NotifyClamd /path/to/clamd.conf
+
+# Run command after successful database update.
+# Default: disabled
+#OnUpdateExecute command
+
+# Run command when database update process fails.
+# Default: disabled
+#OnErrorExecute command
+
+# Run command when freshclam reports outdated version.
+# In the command string %v will be replaced by the new version number.
+# Default: disabled
+#OnOutdatedExecute command
+
+# Don't fork into background.
+# Default: no
+#Foreground yes
+
+# Enable debug messages in libclamav.
+# Default: no
+#Debug yes
+
+# Timeout in seconds when connecting to database server.
+# Default: 30
+#ConnectTimeout 60
+
+# Timeout in seconds when reading from database server.
+# Default: 30
+#ReceiveTimeout 60
+
+# With this option enabled, freshclam will attempt to load new
+# databases into memory to make sure they are properly handled
+# by libclamav before replacing the old ones.
+# Default: yes
+#TestDatabases yes
+
+# When enabled freshclam will submit statistics to the ClamAV Project about
+# the latest virus detections in your environment. The ClamAV maintainers
+# will then use this data to determine what types of malware are the most
+# detected in the field and in what geographic area they are.
+# Freshclam will connect to clamd in order to get recent statistics.
+# Default: no
+#SubmitDetectionStats /path/to/clamd.conf
+
+# Country of origin of malware/detection statistics (for statistical
+# purposes only). The statistics collector at ClamAV.net will look up
+# your IP address to determine the geographical origin of the malware
+# reported by your installation. If this installation is mainly used to
+# scan data which comes from a different location, please enable this
+# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
+# of the country of origin.
+# Default: disabled
+#DetectionStatsCountry country-code
+
+# This option enables support for our "Personal Statistics" service. 
+# When this option is enabled, the information on malware detected by
+# your clamd installation is made available to you through our website.
+# To get your HostID, log on http://www.stats.clamav.net and add a new
+# host to your host list. Once you have the HostID, uncomment this option
+# and paste the HostID here. As soon as your freshclam starts submitting
+# information to our stats collecting service, you will be able to view
+# the statistics of this clamd installation by logging into
+# http://www.stats.clamav.net with the same credentials you used to
+# generate the HostID. For more information refer to:
+# http://www.clamav.net/documentation.html#cctts 
+# This feature requires SubmitDetectionStats to be enabled.
+# Default: disabled
+#DetectionStatsHostID unique-id
+
+# This option enables support for Google Safe Browsing. When activated for
+# the first time, freshclam will download a new database file (safebrowsing.cvd)
+# which will be automatically loaded by clamd and clamscan during the next
+# reload, provided that the heuristic phishing detection is turned on. This
+# database includes information about websites that may be phishing sites or
+# possible sources of malware. When using this option, it's mandatory to run
+# freshclam at least every 30 minutes.
+# Freshclam uses the ClamAV's mirror infrastructure to distribute the
+# database and its updates but all the contents are provided under Google's
+# terms of use. See http://www.google.com/transparencyreport/safebrowsing
+# and http://www.clamav.net/documentation.html#safebrowsing 
+# for more information.
+# Default: disabled
+#SafeBrowsing yes
+
+# This option enables downloading of bytecode.cvd, which includes additional
+# detection mechanisms and improvements to the ClamAV engine.
+# Default: enabled
+#Bytecode yes
+
+# Download an additional 3rd party signature database distributed through
+# the ClamAV mirrors. 
+# This option can be used multiple times.
+#ExtraDatabase dbname1
+#ExtraDatabase dbname2
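Review bot: `DatabaseOwner clamav` names an account on the build host here, because the recipe passes this file to the native freshclam in do_compile; if that task ever runs with uid 0 (or under pseudo), freshclam would presumably try to switch to a `clamav` user that the build machine need not have. Comment the directive out for the native run and add a header line such as `# Build-host only: read by the clamav recipe's do_compile to pre-fetch the CVD files.` so nobody mistakes it for the target configuration. `LogFileMaxSize 2M` and `LogTime yes` appear to have no effect while `UpdateLogFile` stays commented out.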
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
similarity index 95%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
index 41ffd62..dba1be5 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
@@ -4,7 +4,7 @@
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
 
-SRCREV = "4d64011741375bb1a4ba7d71905ca37b97885083"
+SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3"
 
 SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
            file://run-ptest \
diff --git a/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch
new file mode 100644
index 0000000..8ab094f
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb/avoid-openldap-unless-wanted.patch
@@ -0,0 +1,13 @@
+--- a/wscript	2015-11-18 12:43:33.000000000 +0100
++++ b/wscript	2015-11-18 12:46:25.000000000 +0100
+@@ -58,9 +58,7 @@
+     if conf.env.standalone_ldb:
+         conf.CHECK_XSLTPROC_MANPAGES()
+ 
+-        # we need this for the ldap backend
+-        if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
+-            conf.env.ENABLE_LDAP_BACKEND = True
++        conf.env.ENABLE_LDAP_BACKEND = False
+ 
+         # we don't want any libraries or modules to rely on runtime
+         # resolution of symbols
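Review bot: The embedded patch carries no description, `Signed-off-by:` or `Upstream-Status:` line, so nothing records why the LDAP probe is replaced by a hard `False`; do-not-import-target-module-while-cross-compile.patch likewise lacks `Upstream-Status:`. Add a short header with the appropriate status and one sentence saying that the recipe applies this patch only when the `ldap` PACKAGECONFIG is off. Dropping `# we need this for the ldap backend` also leaves the assignment unexplained; a replacement such as `# LDAP backend disabled unless PACKAGECONFIG 'ldap' is selected` would help.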
diff --git a/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
new file mode 100755
index 0000000..fdd312c
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb/do-not-import-target-module-while-cross-compile.patch
@@ -0,0 +1,58 @@
+Some modules such as dynamic library maybe cann't be imported while cross compile,
+we just check whether does the module exist.
+
+Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
+
+Index: ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
+===================================================================
+--- ldb-1.1.26.orig/buildtools/wafsamba/samba_bundled.py
++++ ldb-1.1.26/buildtools/wafsamba/samba_bundled.py
+@@ -2,6 +2,7 @@
+ 
+ import sys
+ import Build, Options, Logs
++import imp, os
+ from Configure import conf
+ from samba_utils import TO_LIST
+ 
+@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
+     # versions
+     minversion = minimum_library_version(conf, libname, minversion)
+ 
+-    try:
+-        m = __import__(modulename)
+-    except ImportError:
+-        found = False
+-    else:
++    # Find module in PYTHONPATH
++    stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]])
++    if stuff:
+         try:
+-            version = m.__version__
+-        except AttributeError:
++            m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2])
++        except ImportError:
+             found = False
++
++            if conf.env.CROSS_COMPILE:
++                # Some modules such as dynamic library maybe cann't be imported
++                # while cross compile, we just check whether the module exist
++                Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1]))
++                found = True
+         else:
+-            found = tuplize_version(version) >= tuplize_version(minversion)
++            try:
++                version = m.__version__
++            except AttributeError:
++                found = False
++            else:
++                found = tuplize_version(version) >= tuplize_version(minversion)
++        finally:
++            if stuff[0]:
++                stuff[0].close()
++    else:
++        found = False
++
+     if not found and not conf.LIB_MAY_BE_BUNDLED(libname):
+         Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion))
+         sys.exit(1)
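Review bot: `imp.find_module` raises ImportError when the module is missing rather than returning a false value, so the final `else: found = False` branch is never reached and a missing module ends configure with a traceback instead of falling back to the bundling decision. `os.environ["PYTHONPATH"]` also raises KeyError when the variable is unset, and it is passed as a single directory even when it holds several entries. Separately, under `conf.env.CROSS_COMPILE` a module that fails to load is accepted with `found = True` and never compared with `minversion`; that deserves a comment saying the version is unchecked. The lookup could be guarded as below; CHECK_BUNDLED_SYSTEM_PYTHON starts and ends outside the hunk.

```python
    # Find module in PYTHONPATH; find_module raises ImportError on a miss
    search_path = [p for p in os.environ.get("PYTHONPATH", "").split(os.pathsep) if p]
    try:
        stuff = imp.find_module(modulename, search_path)
    except ImportError:
        stuff = None
    # ... unchanged: if stuff: load_module / version comparison / finally close ...
```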
diff --git a/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch
new file mode 100644
index 0000000..ffe253b
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb/options-1.3.1.patch
@@ -0,0 +1,193 @@
+From a4da3ab4d76013aaa731d43d52ccca1ebd37c395 Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Wed, 21 Sep 2016 10:06:39 +0800
+Subject: [PATCH 1/1] ldb: Add configure options for packages
+
+Add configure options for the following packages:
+ - acl
+ - attr
+ - libaio
+ - libbsd
+ - libcap
+ - valgrind
+
+Upstream-Status: Inappropriate [oe deterministic build specific]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ lib/replace/system/wscript_configure |  6 ++-
+ lib/replace/wscript                  | 94 +++++++++++++++++++++++++++---------
+ wscript                              |  7 +++
+ 3 files changed, 83 insertions(+), 24 deletions(-)
+
+diff --git a/lib/replace/system/wscript_configure b/lib/replace/system/wscript_configure
+index 2035474..10f9ae7 100644
+--- a/lib/replace/system/wscript_configure
++++ b/lib/replace/system/wscript_configure
+@@ -1,6 +1,10 @@
+ #!/usr/bin/env python
+ 
+-conf.CHECK_HEADERS('sys/capability.h')
++import Options
++
++if Options.options.enable_libcap:
++    conf.CHECK_HEADERS('sys/capability.h')
++
+ conf.CHECK_FUNCS('getpwnam_r getpwuid_r getpwent_r')
+ 
+ # solaris varients of getXXent_r
+diff --git a/lib/replace/wscript b/lib/replace/wscript
+index 2f94d49..68b2d3a 100644
+--- a/lib/replace/wscript
++++ b/lib/replace/wscript
+@@ -23,6 +23,41 @@ def set_options(opt):
+     opt.PRIVATE_EXTENSION_DEFAULT('')
+     opt.RECURSE('buildtools/wafsamba')
+ 
++    opt.add_option('--with-acl',
++                   help=("Enable use of acl"),
++                   action="store_true", dest='enable_acl')
++    opt.add_option('--without-acl',
++                   help=("Disable use of acl"),
++                   action="store_false", dest='enable_acl', default=False)
++
++    opt.add_option('--with-attr',
++                   help=("Enable use of attr"),
++                   action="store_true", dest='enable_attr')
++    opt.add_option('--without-attr',
++                   help=("Disable use of attr"),
++                   action="store_false", dest='enable_attr', default=False)
++
++    opt.add_option('--with-libaio',
++                   help=("Enable use of libaio"),
++                   action="store_true", dest='enable_libaio')
++    opt.add_option('--without-libaio',
++                   help=("Disable use of libaio"),
++                   action="store_false", dest='enable_libaio', default=False)
++
++    opt.add_option('--with-libbsd',
++                   help=("Enable use of libbsd"),
++                   action="store_true", dest='enable_libbsd')
++    opt.add_option('--without-libbsd',
++                   help=("Disable use of libbsd"),
++                   action="store_false", dest='enable_libbsd', default=False)
++
++    opt.add_option('--with-libcap',
++                   help=("Enable use of libcap"),
++                   action="store_true", dest='enable_libcap')
++    opt.add_option('--without-libcap',
++                   help=("Disable use of libcap"),
++                   action="store_false", dest='enable_libcap', default=False)
++
+ @Utils.run_once
+ def configure(conf):
+     conf.RECURSE('buildtools/wafsamba')
+@@ -32,12 +67,25 @@ def configure(conf):
+     conf.DEFINE('HAVE_LIBREPLACE', 1)
+     conf.DEFINE('LIBREPLACE_NETWORK_CHECKS', 1)
+ 
+-    conf.CHECK_HEADERS('linux/types.h crypt.h locale.h acl/libacl.h compat.h')
+-    conf.CHECK_HEADERS('acl/libacl.h attr/xattr.h compat.h ctype.h dustat.h')
++    conf.CHECK_HEADERS('linux/types.h crypt.h locale.h compat.h')
++    conf.CHECK_HEADERS('compat.h ctype.h dustat.h')
+     conf.CHECK_HEADERS('fcntl.h fnmatch.h glob.h history.h krb5.h langinfo.h')
+-    conf.CHECK_HEADERS('libaio.h locale.h ndir.h pwd.h')
+-    conf.CHECK_HEADERS('shadow.h sys/acl.h')
+-    conf.CHECK_HEADERS('sys/attributes.h attr/attributes.h sys/capability.h sys/dir.h sys/epoll.h')
++    conf.CHECK_HEADERS('locale.h ndir.h pwd.h')
++    conf.CHECK_HEADERS('shadow.h')
++    conf.CHECK_HEADERS('sys/attributes.h sys/dir.h sys/epoll.h')
++
++    if Options.options.enable_acl:
++        conf.CHECK_HEADERS('acl/libacl.h sys/acl.h')
++
++    if Options.options.enable_attr:
++        conf.CHECK_HEADERS('attr/attributes.h attr/xattr.h')
++
++    if Options.options.enable_libaio:
++        conf.CHECK_HEADERS('libaio.h')
++
++    if Options.options.enable_libcap:
++        conf.CHECK_HEADERS('sys/capability.h')
++
+     conf.CHECK_HEADERS('port.h')
+     conf.CHECK_HEADERS('sys/fcntl.h sys/filio.h sys/filsys.h sys/fs/s5param.h sys/fs/vx/quota.h')
+     conf.CHECK_HEADERS('sys/id.h sys/ioctl.h sys/ipc.h sys/mman.h sys/mode.h sys/ndir.h sys/priv.h')
+@@ -73,7 +121,9 @@ def configure(conf):
+ 
+     conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H')
+ 
+-    conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
++    if Options.options.enable_valgrind:
++        conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h')
++
+     conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h')
+     conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h')
+     conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h')
+@@ -266,22 +316,20 @@ def configure(conf):
+ 
+     conf.CHECK_FUNCS('prctl dirname basename')
+ 
+-    strlcpy_in_bsd = False
+-
+-    # libbsd on some platforms provides strlcpy and strlcat
+-    if not conf.CHECK_FUNCS('strlcpy strlcat'):
+-        if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
+-                               checklibc=True):
+-            strlcpy_in_bsd = True
+-    if not conf.CHECK_FUNCS('getpeereid'):
+-        conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
+-    if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
+-        conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
+-    if not conf.CHECK_FUNCS('setproctitle_init'):
+-        conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
+-
+-    if not conf.CHECK_FUNCS('closefrom'):
+-        conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
++    if Options.options.enable_libbsd:
++        # libbsd on some platforms provides strlcpy and strlcat
++        if not conf.CHECK_FUNCS('strlcpy strlcat'):
++            conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
++                    checklibc=True)
++        if not conf.CHECK_FUNCS('getpeereid'):
++            conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
++        if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
++            conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
++        if not conf.CHECK_FUNCS('setproctitle_init'):
++            conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
++
++        if not conf.CHECK_FUNCS('closefrom'):
++            conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
+ 
+     conf.CHECK_CODE('''
+                 struct ucred cred;
+@@ -632,7 +680,7 @@ removeea setea
+     # look for a method of finding the list of network interfaces
+     for method in ['HAVE_IFACE_GETIFADDRS', 'HAVE_IFACE_AIX', 'HAVE_IFACE_IFCONF', 'HAVE_IFACE_IFREQ']:
+         bsd_for_strlcpy = ''
+-        if strlcpy_in_bsd:
++        if Options.options.enable_libbsd:
+             bsd_for_strlcpy = ' bsd'
+         if conf.CHECK_CODE('''
+                            #define %s 1
+diff --git a/wscript b/wscript
+index 8ae5be3..a178cc4 100644
+--- a/wscript
++++ b/wscript
+@@ -31,6 +31,13 @@ def set_options(opt):
+     opt.RECURSE('lib/replace')
+     opt.tool_options('python') # options for disabling pyc or pyo compilation
+ 
++    opt.add_option('--with-valgrind',
++                   help=("enable use of valgrind"),
++                   action="store_true", dest='enable_valgrind')
++    opt.add_option('--without-valgrind',
++                   help=("disable use of valgrind"),
++                   action="store_false", dest='enable_valgrind', default=False)
++
+ def configure(conf):
+     conf.RECURSE('lib/tdb')
+     conf.RECURSE('lib/tevent')
+-- 
+2.16.2
+
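Review bot: In the last lib/replace/wscript hunk, `if Options.options.enable_libbsd:` replaces the `strlcpy_in_bsd` flag, so ` bsd` is added to the link line of the network-interface checks whenever libbsd is enabled, not only when strlcpy/strlcat were actually found there. Keeping the flag preserves the old meaning: leave `strlcpy_in_bsd = False` ahead of the new `enable_libbsd` block, assign `strlcpy_in_bsd = conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h', checklibc=True)` inside it, and keep `if strlcpy_in_bsd:` in the loop. `--with-valgrind` is declared in the top-level wscript but read in lib/replace/wscript, which is worth a comment on the option because lib/replace now depends on its caller defining `enable_valgrind`.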
diff --git a/meta-security/recipes-support/libldb/libldb_1.3.1.bb b/meta-security/recipes-support/libldb/libldb_1.3.1.bb
new file mode 100644
index 0000000..c644b20
--- /dev/null
+++ b/meta-security/recipes-support/libldb/libldb_1.3.1.bb
@@ -0,0 +1,64 @@
+SUMMARY = "Hierarchical, reference counted memory pool system with destructors"
+HOMEPAGE = "http://ldb.samba.org"
+SECTION = "libs"
+LICENSE = "LGPL-3.0+ & LGPL-2.1+ & GPL-3.0+"
+
+DEPENDS += "libtdb libtalloc libtevent popt"
+RDEPENDS_pyldb += "python"
+
+SRC_URI = "http://samba.org/ftp/ldb/ldb-${PV}.tar.gz \
+           file://do-not-import-target-module-while-cross-compile.patch \
+           file://options-1.3.1.patch \
+          "
+
+PACKAGECONFIG ??= "\
+    ${@bb.utils.filter('DISTRO_FEATURES', 'acl', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'attr', '', d)} \
+"
+PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl"
+PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
+PACKAGECONFIG[ldap] = ",,openldap"
+PACKAGECONFIG[libaio] = "--with-libaio,--without-libaio,libaio"
+PACKAGECONFIG[libbsd] = "--with-libbsd,--without-libbsd,libbsd"
+PACKAGECONFIG[libcap] = "--with-libcap,--without-libcap,libcap"
+PACKAGECONFIG[valgrind] = "--with-valgrind,--without-valgrind,valgrind"
+
+SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ldap', '', 'file://avoid-openldap-unless-wanted.patch', d)}"
+
+LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9adade \
+                    file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \
+                    file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42"
+
+SRC_URI[md5sum] = "e5233f202bca27f6ce8474fb8ae65983"
+SRC_URI[sha256sum] = "b19f2c9f55ae0f46aa5ebaea0bf1a47ec1ac135e1d78af0f6318cf50bf62cbd2"
+
+CROSS_METHOD="exec"
+inherit waf-samba
+
+S = "${WORKDIR}/ldb-${PV}"
+
+EXTRA_OECONF += "--disable-rpath \
+                 --disable-rpath-install \
+                 --bundled-libraries=cmocka \
+                 --builtin-libraries=replace \
+                 --with-modulesdir=${libdir}/ldb/modules \
+                 --with-privatelibdir=${libdir}/ldb \
+                 --with-libiconv=${STAGING_DIR_HOST}${prefix}\
+                "
+
+PACKAGES =+ "pyldb pyldb-dbg pyldb-dev"
+
+NOAUTOPACKAGEDEBUG = "1"
+
+FILES_${PN} += "${libdir}/ldb/*"
+FILES_${PN}-dbg += "${bindir}/.debug/* \
+                    ${libdir}/.debug/* \
+                    ${libdir}/ldb/.debug/* \
+                    ${libdir}/ldb/modules/ldb/.debug/*"
+
+FILES_pyldb = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
+               ${libdir}/libpyldb-util.so.* \
+              "
+FILES_pyldb-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug \
+                   ${libdir}/.debug/libpyldb-util.so.*"
+FILES_pyldb-dev = "${libdir}/libpyldb-util.so"
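Review bot: `SUMMARY` reads "Hierarchical, reference counted memory pool system with destructors", which looks copied from the talloc recipe; ldb is an LDAP-like embedded database, so something like `SUMMARY = "LDAP-like embedded database library"` would describe the package. The tarball is fetched over plain `http://`; the `sha256sum` pins its content, but an `https://` URL, if the server offers one, would avoid relying on the checksum alone. `PACKAGECONFIG[ldap] = ",,openldap"` only works together with the conditional `SRC_URI +=` line below it, and a one-line comment tying the two together would make that clear.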
