meta-security: subtree update:d6baccc068..4c2f7ffd49

Adrian (1):
      gitignore added

Armin Kuster (31):
      kas: build with ptest. remove apparmor
      softHSM: add pkg
      packagegroup-core-security: add softHSM
      libest: add recipe
      packagegroup-core-security: add libest package
      opendnssec: add recipe
      packagegroup-core-security:  add opendnssec to pkg grp
      gitlab-ci: allow test to fail
      libseccomp: fix ptest failures.
      packagegroup-core-security-ptest: remove keyutils-ptest
      security-test-image: simplify
      packagegroup-core-security-ptest: remove
      apparmor: fix build issue with ptest enabled.
      security-test-image: tweak to get more tests to runn
      apparmor: update to 3.0
      packagegroup-core-security: apparmor 3.0 ptest does not build
      suricata: fix compiling on gcc10
      qemux86-test: add apparmor back
      apparmor: fix build for on musl
      ecryptfs-utils: fix musl build
      libest: fix musl build.
      sssd: update to latest ltm 1.16.5
      packagegroup-core-security: remove clamav from musl image
      suricata: update to 4.1.9
      kas: fixup alt configs
      gitlab-ci: add qemux86 and qemuarm64 musl builds
      tpm2-tss: update to 2.4.3
      tpm2-totp: update to 0.2.1
      tpm2-abrmd: update to 2.3.3
      tpm2-tools: update to 4.3.0
      tpm2-pkcs11: update to 1.4.0

Mingli Yu (1):
      scap-security-guide: add expat-native to DEPENDS

Naveen Saini (3):
      initramfs-framework/dmverity: add retry loop for slow boot devices
      wic: add wks.in for intel dm-verity
      linux-%/5.x: Add dm-verity fragment as needed

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: If3a721fdd99bb6e35c82cf4e7485f06cebaef905
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
deleted file mode 100644
index dcdc1f7..0000000
--- a/meta-security/recipes-mac/AppArmor/apparmor_2.13.4.bb
+++ /dev/null
@@ -1,201 +0,0 @@
-SUMMARY = "AppArmor another MAC control system"
-DESCRIPTION = "user-space parser utility for AppArmor \
- This provides the system initialization scripts needed to use the \
- AppArmor Mandatory Access Control system, including the AppArmor Parser \
- which is required to convert AppArmor text profiles into machine-readable \
- policies that are loaded into the kernel for use with the AppArmor Linux \
- Security Module."
-HOMEAPAGE = "http://apparmor.net/"
-SECTION = "admin"
-
-LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
-
-DEPENDS = "bison-native apr gettext-native coreutils-native"
-
-SRC_URI = " \
-	git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-2.13 \
-	file://disable_perl_h_check.patch \
-	file://crosscompile_perl_bindings.patch \
-	file://apparmor.rc \
-	file://functions \
-	file://apparmor \
-	file://apparmor.service \
-	file://0001-Makefile.am-suppress-perllocal.pod.patch \
-	file://run-ptest \
-	"
-
-SRCREV = "df0ac742f7a1146181d8734d03334494f2015134"
-S = "${WORKDIR}/git"
-
-PARALLEL_MAKE = ""
-
-COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
-
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan manpages systemd features_check
-REQUIRED_DISTRO_FEATURES = "apparmor"
-
-PACKAGECONFIG ??= "python perl aa-decode"
-PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
-PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
-PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
-PACKAGECONFIG[apache2] = ",,apache2,"
-PACKAGECONFIG[aa-decode] = ",,,bash"
-
-PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
-HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
-
-python() {
-    if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
-            'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
-        raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
-}
-
-DISABLE_STATIC = ""
-
-do_configure() {
-	cd ${S}/libraries/libapparmor
-	aclocal
-	autoconf --force
-	libtoolize --automake -c --force
-	automake -ac
-	./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
-}
-
-do_compile () {
-        # Fixes:
-        # | sed -ie 's///g' Makefile.perl
-        # | sed: -e expression #1, char 0: no previous regular expression
-        #| Makefile:478: recipe for target 'Makefile.perl' failed
-        sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
-
-
-	oe_runmake -C ${B}/libraries/libapparmor
-        oe_runmake -C ${B}/binutils
-        oe_runmake -C ${B}/utils
-        oe_runmake -C ${B}/parser
-        oe_runmake -C ${B}/profiles
-
-	if test -z "${HTTPD}" ; then
-        	oe_runmake -C ${B}/changehat/mod_apparmor
-	fi	
-
-	if test -z "${PAMLIB}" ; then
-        	oe_runmake -C ${B}/changehat/pam_apparmor
-	fi
-}
-
-do_install () {
-	install -d ${D}/${INIT_D_DIR}
-	install -d ${D}/lib/apparmor
-	oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
-	oe_runmake -C ${B}/binutils DESTDIR="${D}" install
-	oe_runmake -C ${B}/utils DESTDIR="${D}" install
-	oe_runmake -C ${B}/parser DESTDIR="${D}" install
-	oe_runmake -C ${B}/profiles DESTDIR="${D}" install
-
-	# If perl is disabled this script won't be any good
-	if ! ${@bb.utils.contains('PACKAGECONFIG','perl','true','false', d)}; then
-		rm -f ${D}${sbindir}/aa-notify
-	fi
-
-	if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
-		rm -f ${D}${sbindir}/aa-decode
-	fi
-
-	if test -z "${HTTPD}" ; then
-		oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
-	fi
-
-	if test -z "${PAMLIB}" ; then
-		oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
-	fi
-
-	# aa-easyprof is installed by python-tools-setup.py, fix it up
-	sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
-	chmod 0755 ${D}${bindir}/aa-easyprof
-
-	install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
-	install ${WORKDIR}/functions ${D}/lib/apparmor
-	sed -i -e 's/getconf _NPROCESSORS_ONLN/nproc/' ${D}/lib/apparmor/functions
-	sed -i -e 's/ls -AU/ls -A/' ${D}/lib/apparmor/functions  
-
-	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-		install -d ${D}${systemd_system_unitdir}
-		install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
-	fi
-}
-
-#Building ptest on arm fails.
-do_compile_ptest_aarch64 () {
-  :
-}
-
-do_compile_ptest_arm () {
-  :
-}
-
-do_compile_ptest () {
-        oe_runmake -C ${B}/tests/regression/apparmor
-        oe_runmake -C ${B}/parser/tst
-        oe_runmake -C ${B}/libraries/libapparmor
-}
-
-do_install_ptest () {
-	t=${D}/${PTEST_PATH}/testsuite
-	install -d ${t}
-	install -d ${t}/tests/regression/apparmor
-	cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
-
-	install -d ${t}/parser/tst
-	cp -rf ${B}/parser/tst ${t}/parser
-	cp ${B}/parser/apparmor_parser ${t}/parser
-	cp ${B}/parser/frob_slack_rc ${t}/parser
-
-	install -d ${t}/libraries/libapparmor
-	cp -rf ${B}/libraries/libapparmor ${t}/libraries
-
-	install -d ${t}/common
-	cp -rf ${B}/common ${t}
-
-	install -d ${t}/binutils
-	cp -rf ${B}/binutils ${t}
-}
-
-#Building ptest on arm fails.
-do_install_ptest_aarch64 () {
-  :
-}
-
-do_install_ptest_arm() {
-  :
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ ! -d /etc/apparmor.d/cache ] ; then
-    mkdir /etc/apparmor.d/cache
-fi
-}
-
-# We need the init script so don't rm it
-RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "apparmor"
-INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "apparmor.service"
-SYSTEMD_AUTO_ENABLE ?= "enable"
-
-PACKAGES += "mod-${PN}"
-
-FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
-FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-
-# Add coreutils and findutils only if sysvinit scripts are in use
-RDEPENDS_${PN} +=  "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
-RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
-
-PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
new file mode 100644
index 0000000..35e95a0
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb
@@ -0,0 +1,193 @@
+SUMMARY = "AppArmor another MAC control system"
+DESCRIPTION = "user-space parser utility for AppArmor \
+ This provides the system initialization scripts needed to use the \
+ AppArmor Mandatory Access Control system, including the AppArmor Parser \
+ which is required to convert AppArmor text profiles into machine-readable \
+ policies that are loaded into the kernel for use with the AppArmor Linux \
+ Security Module."
+HOMEAPAGE = "http://apparmor.net/"
+SECTION = "admin"
+
+LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
+
+DEPENDS = "bison-native apr gettext-native coreutils-native swig-native"
+
+SRC_URI = " \
+    git://gitlab.com/apparmor/apparmor.git;protocol=https;branch=apparmor-3.0 \
+    file://disable_perl_h_check.patch \
+    file://crosscompile_perl_bindings.patch \
+    file://apparmor.rc \
+    file://functions \
+    file://apparmor \
+    file://apparmor.service \
+    file://0001-Makefile.am-suppress-perllocal.pod.patch \
+    file://run-ptest \
+    file://0001-apparmor-fix-manpage-order.patch \
+    file://0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch \
+    file://0001-libapparmor-add-missing-include-for-socklen_t.patch \
+    file://0002-libapparmor-add-aa_features_new_from_file-to-public-.patch \
+    file://0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch \
+    file://0001-aa_status-Fix-build-issue-with-musl.patch \
+    file://0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch \
+    "
+
+SRCREV = "5d51483bfecf556183558644dc8958135397a7e2"
+S = "${WORKDIR}/git"
+
+PARALLEL_MAKE = ""
+
+COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"
+
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion
+
+REQUIRED_DISTRO_FEATURES = "apparmor"
+
+PACKAGECONFIG ?= "python perl aa-decode"
+PACKAGECONFIG[manpages] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG[python] = "--with-python, --without-python, python3 , python3-core python3-modules"
+PACKAGECONFIG[perl] = "--with-perl, --without-perl, "
+PACKAGECONFIG[apache2] = ",,apache2,"
+PACKAGECONFIG[aa-decode] = ",,,bash"
+
+python() {
+    if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
+       'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+        raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
+}
+
+DISABLE_STATIC = ""
+
+do_configure() {
+    cd ${S}/libraries/libapparmor
+    aclocal
+    autoconf --force
+    libtoolize --automake -c --force
+    automake -ac
+    ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_compile () {
+    sed -i "s@sed -ie 's///g' Makefile.perl@@" ${S}/libraries/libapparmor/swig/perl/Makefile
+    oe_runmake -C ${B}/libraries/libapparmor
+    oe_runmake -C ${B}/binutils
+    oe_runmake -C ${B}/utils
+    oe_runmake -C ${B}/parser
+    oe_runmake -C ${B}/profiles
+
+    if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
+        oe_runmake -C ${B}/changehat/mod_apparmor
+    fi
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
+        oe_runmake -C ${B}/changehat/pam_apparmor
+    fi
+}
+
+do_install () {
+    install -d ${D}/${INIT_D_DIR}
+    install -d ${D}/lib/apparmor
+    oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+    oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+    oe_runmake -C ${B}/utils DESTDIR="${D}" install
+    oe_runmake -C ${B}/parser DESTDIR="${D}" install
+    oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+    if ! ${@bb.utils.contains('PACKAGECONFIG','aa-decode','true','false', d)}; then
+        rm -f ${D}${sbindir}/aa-decode
+    fi
+
+    if ${@bb.utils.contains('PACKAGECONFIG','apache2','true','false', d)}; then
+        oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+    fi
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then
+        install -d ${D}/lib/security
+        oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+    fi
+
+    install -m 755 ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+    install -m 755 ${WORKDIR}/functions ${D}/lib/apparmor
+
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_system_unitdir}
+        install -m 0644 ${WORKDIR}/apparmor.service ${D}${systemd_system_unitdir}
+    fi
+}
+
+#Building ptest on arm fails.
+do_compile_ptest_aarch64 () {
+  :
+}
+
+do_compile_ptest_arm () {
+  :
+}
+
+do_compile_ptest () {
+    sed -i -e 's/cpp \-dM/${HOST_PREFIX}gcc \-dM/' ${B}/tests/regression/apparmor/Makefile
+    oe_runmake -C ${B}/tests/regression/apparmor USE_SYSTEM=0
+    oe_runmake -C ${B}/libraries/libapparmor 
+}
+
+do_install_ptest () {
+    t=${D}/${PTEST_PATH}/testsuite
+    install -d ${t}
+    install -d ${t}/tests/regression/apparmor
+    cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+
+    cp ${B}/parser/apparmor_parser ${t}/parser
+    cp ${B}/parser/frob_slack_rc ${t}/parser
+
+    install -d ${t}/libraries/libapparmor
+    cp -rf ${B}/libraries/libapparmor ${t}/libraries
+
+    install -d ${t}/common
+    cp -rf ${B}/common ${t}
+
+    install -d ${t}/binutils
+    cp -rf ${B}/binutils ${t}
+}
+
+#Building ptest on arm fails.
+do_install_ptest_aarch64 () {
+  :
+}
+
+do_install_ptest_arm() {
+  :
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ ! -d /etc/apparmor.d/cache ] ; then
+    mkdir /etc/apparmor.d/cache
+fi
+}
+
+# We need the init script so don't rm it
+RMINITDIR_class-target_remove = " rm_sysvinit_initddir"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "apparmor"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE ?= "enable"
+
+PACKAGES += "mod-${PN}"
+
+FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+
+DEPENDS_append_libc-musl = " fts "
+RDEPENDS_${PN}_libc-musl +=  "musl-utils"
+RDEPENDS_${PN}_libc-glibc +=  "glibc-utils"
+
+# Add coreutils and findutils only if sysvinit scripts are in use
+RDEPENDS_${PN} +=  "${@["coreutils findutils", ""][(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd')]} ${@bb.utils.contains('PACKAGECONFIG','python','python3-core python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib bash"
+
+INSANE_SKIP_${PN} = "ldflags"
+PRIVATE_LIBS_${PN}-ptest = "libapparmor.so*"
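Review bot: `INSANE_SKIP_${PN} = "ldflags"` on the second-to-last line of the new recipe silences the QA check that confirms the distro `LDFLAGS` (typically where link-time hardening options are carried) reached the linked binaries, so apparmor_parser and the binutils now ship with no evidence they were linked with those flags. Since the recipe already drives every sub-directory through `oe_runmake` itself, a less lossy fix is probably to pass the flags through, e.g. `EXTRA_OEMAKE = "LDFLAGS='${LDFLAGS}'"` (assuming the upstream Makefiles honour `LDFLAGS`; not verified here), and keep the skip only with a comment naming the binary that still fails. Separately, `ptest` was dropped from the `inherit` line while `do_compile_ptest`, `do_install_ptest`, `RDEPENDS_${PN}-ptest`, `PRIVATE_LIBS_${PN}-ptest` and `file://run-ptest` remain, so those tasks are never scheduled; if disabling ptest is intentional (the commit log says the 3.0 ptest does not build), a comment such as `# ptest not inherited: the 3.0 regression suite does not build yet; do_*_ptest kept for when it does` above the inherit line would stop the next reader from assuming the tests run. The `HOMEAPAGE` typo on the eighth line means `HOMEPAGE` is never set for this recipe.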
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
new file mode 100644
index 0000000..791437d
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-Revert-profiles-Update-make-check-to-select-tools-ba.patch
@@ -0,0 +1,91 @@
+From 5ed21abbef4d4c2983e70bd2868fb817150e883e Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Sat, 3 Oct 2020 11:26:46 -0700
+Subject: [PATCH] Revert "profiles: Update 'make check' to select tools based
+ on USE_SYSTEM"
+
+This reverts commit 6016f931ebf7b61e1358f19453ef262d9d184a4e.
+
+Upstream-Statue: OE specific
+These changes cause during packaging with perms changing.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ profiles/Makefile | 50 ++++++++++-------------------------------------
+ 1 file changed, 10 insertions(+), 40 deletions(-)
+
+diff --git a/profiles/Makefile b/profiles/Makefile
+index ba47fc16..5384cb05 100644
+--- a/profiles/Makefile
++++ b/profiles/Makefile
+@@ -35,49 +35,9 @@ EXTRAS_SOURCE=./apparmor/profiles/extras/
+ SUBDIRS=$(shell find ${PROFILES_SOURCE} -type d -print)
+ TOPLEVEL_PROFILES=$(filter-out ${SUBDIRS}, $(wildcard ${PROFILES_SOURCE}/*))
+ 
+-ifdef USE_SYSTEM
+-    PYTHONPATH=
+-    PARSER?=apparmor_parser
+-    LOGPROF?=aa-logprof
+-else
+-    # PYTHON_DIST_BUILD_PATH based on libapparmor/swig/python/test/Makefile.am
+-    PYTHON_DIST_BUILD_PATH = ../libraries/libapparmor/swig/python/build/$$($(PYTHON) -c "import distutils.util; import platform; print(\"lib.%s-%s\" %(distutils.util.get_platform(), platform.python_version()[:3]))")
+-    LIBAPPARMOR_PATH=../libraries/libapparmor/src/.libs/
+-    LD_LIBRARY_PATH=$(LIBAPPARMOR_PATH):$(PYTHON_DIST_BUILD_PATH)
+-    PYTHONPATH=../utils/:$(PYTHON_DIST_BUILD_PATH)
+-    PARSER?=../parser/apparmor_parser
+-    # use ../utils logprof
+-    LOGPROF?=LD_LIBRARY_PATH=$(LD_LIBRARY_PATH) PYTHONPATH=$(PYTHONPATH) $(PYTHON) ../utils/aa-logprof
+-endif
+-
+ # $(PWD) is wrong when using "make -C profiles" - explicitely set it here to get the right value
+ PWD=$(shell pwd)
+ 
+-.PHONY: test-dependencies
+-test-dependencies: __parser __libapparmor
+-
+-
+-.PHONY: __parser __libapparmor
+-__parser:
+-ifndef USE_SYSTEM
+-	@if [ ! -f $(PARSER) ]; then \
+-		echo "error: $(PARSER) is missing. Pick one of these possible solutions:" 1>&2; \
+-		echo "  1) Test using the in-tree parser by building it first and then trying again. See the top-level README for help." 1>&2; \
+-		echo "  2) Test using the system parser by adding USE_SYSTEM=1 to your make command." 1>&2; \
+-		exit 1; \
+-	fi
+-endif
+-
+-__libapparmor:
+-ifndef USE_SYSTEM
+-	@if [ ! -f $(LIBAPPARMOR_PATH)libapparmor.so ]; then \
+-		echo "error: $(LIBAPPARMOR_PATH)libapparmor.so is missing. Pick one of these possible solutions:" 1>&2; \
+-		echo "  1) Build against the in-tree libapparmor by building it first and then trying again. See the top-level README for help." 1>&2; \
+-		echo "  2) Build against the system libapparmor by adding USE_SYSTEM=1 to your make command." 1>&2; \
+-		exit 1; \
+-	fi
+-endif
+-
+ local:
+ 	for profile in ${TOPLEVEL_PROFILES}; do \
+ 		fn=$$(basename $$profile); \
+@@ -109,6 +69,16 @@ else
+   Q=
+ endif
+ 
++ifndef PARSER
++# use system parser
++PARSER=../parser/apparmor_parser
++endif
++
++ifndef LOGPROF
++# use ../utils logprof
++LOGPROF=PYTHONPATH=../utils $(PYTHON) ../utils/aa-logprof
++endif
++
+ .PHONY: docs
+ # docs: should we have some here?
+ docs:
+-- 
+2.17.1
+
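Review bot: The `Upstream-Statue: OE specific` line in this patch header misspells the `Upstream-Status` tag, so the layer's patch-status checks will not see a status on this patch at all, and "OE specific" is not one of the documented values; `Upstream-Status: Inappropriate [oe specific]` is the conventional form for a revert carried only by the layer. The sentence below it ("These changes cause during packaging with perms changing.") is missing its object, so the actual reason for reverting upstream's USE_SYSTEM tool selection is not recorded; naming the file whose permissions end up changed would make it much easier to judge whether this revert can be dropped on the next AppArmor update.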
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
new file mode 100644
index 0000000..239562a
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-aa_status-Fix-build-issue-with-musl.patch
@@ -0,0 +1,31 @@
+From 2bf15cc68f31c9f41962bb60a669ab2b453a039b Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 7 Oct 2020 08:27:11 -0700
+Subject: [PATCH] aa_status: Fix build issue with musl
+
+add limits.h
+
+aa_status.c:269:22: error: 'PATH_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
+|   269 |    real_exe = calloc(PATH_MAX + 1, sizeof(char));
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ binutils/aa_status.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/binutils/aa_status.c b/binutils/aa_status.c
+index 78b03409..41f1954e 100644
+--- a/binutils/aa_status.c
++++ b/binutils/aa_status.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/wait.h>
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
new file mode 100644
index 0000000..9f3dce4
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-apparmor-fix-manpage-order.patch
@@ -0,0 +1,43 @@
+From c9baef0c70122e1be33b627874772e6e9a5d7744 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Fri, 2 Oct 2020 19:43:44 -0700
+Subject: [PATCH] apparmor: fix manpage order
+
+It trys to create a symlink before the man pages are installed.
+
+ ln -sf aa-status.8 /(path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8
+ | ln: failed to create symbolic link '{path}/apparmor/3.0-r0/image/usr/share/man/man8/apparmor_status.8': No such file or directory
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+...
+
+install -d /{path}/apparmor/3.0-r0/image/usr/share/man/man8 ; install -m 644 aa-status.8 /{path}/apparmor/3.0-r0/image/usr/share/man/man8;
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/Makefile b/binutils/Makefile
+index 99e54875..3f1d0011 100644
+--- a/binutils/Makefile
++++ b/binutils/Makefile
+@@ -156,12 +156,12 @@ install-arch: arch
+ 	install -m 755 -d ${SBINDIR}
+ 	ln -sf aa-status ${SBINDIR}/apparmor_status
+ 	install -m 755 ${SBINTOOLS} ${SBINDIR}
+-	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
+ 
+ .PHONY: install-indep
+ install-indep: indep
+ 	$(MAKE) -C po install NAME=${NAME} DESTDIR=${DESTDIR}
+ 	$(MAKE) install_manpages DESTDIR=${DESTDIR}
++	ln -sf aa-status.8 ${DESTDIR}/${MANDIR}/man8/apparmor_status.8
+ 
+ ifndef VERBOSE
+ .SILENT: clean
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
new file mode 100644
index 0000000..2a56d8b
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-libapparmor-add-missing-include-for-socklen_t.patch
@@ -0,0 +1,36 @@
+From 47263a3a74d7973e7a54b17db6aa903701468ffd Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 20:37:55 +0200
+Subject: [PATCH] libapparmor: add missing include for `socklen_t`
+
+While `include/sys/apparmor.h` makes use of `socklen_t`, it doesn't
+include the `<sys/socket.h>` header to make its declaration available.
+While this works on systems using glibc via transitive includes, it
+breaks compilation on musl libc.
+
+Fix the issue by including the header.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/include/sys/apparmor.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/include/sys/apparmor.h b/libraries/libapparmor/include/sys/apparmor.h
+index 32892d06..d70eff94 100644
+--- a/libraries/libapparmor/include/sys/apparmor.h
++++ b/libraries/libapparmor/include/sys/apparmor.h
+@@ -21,6 +21,7 @@
+ #include <stdbool.h>
+ #include <stdint.h>
+ #include <unistd.h>
++#include <sys/socket.h>
+ #include <sys/types.h>
+ 
+ #ifdef __cplusplus
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
new file mode 100644
index 0000000..9f7ad3c
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0001-parser-Makefile-dont-force-host-cpp-to-detect-reallo.patch
@@ -0,0 +1,37 @@
+From 965bb9c3e464f756b258a7c259a92bce3cde74e7 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Wed, 7 Oct 2020 20:50:38 -0700
+Subject: [PATCH] parser/Makefile: dont force host cpp to detect reallocarray
+
+In cross build environments, using the hosts cpp gives incorrect
+detection of reallocarray. Change cpp to a variable.
+
+fixes:
+parser_misc.c: In function 'int capable_add_cap(const char*, int, unsigned int, capability_flags)':
+| parser_misc.c:297:37: error: 'reallocarray' was not declared in this scope
+|   297 |   tmp = (struct capability_table *) reallocarray(cap_table, sizeof(struct capability_table), cap_table_size+1);
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+
+---
+ parser/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/parser/Makefile b/parser/Makefile
+index acef3d77..8250ac45 100644
+--- a/parser/Makefile
++++ b/parser/Makefile
+@@ -54,7 +54,7 @@ endif
+ CPPFLAGS += -D_GNU_SOURCE
+ 
+ STDLIB_INCLUDE:="\#include <stdlib.h>"
+-HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | cpp ${CPPFLAGS} | grep -q reallocarray && echo true)
++HAVE_REALLOCARRAY:=$(shell echo $(STDLIB_INCLUDE) | ${CPP} ${CPPFLAGS} | grep -q reallocarray && echo true)
+ 
+ WARNINGS = -Wall
+ CXX_WARNINGS = ${WARNINGS} ${EXTRA_WARNINGS}
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
new file mode 100644
index 0000000..333f40f
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0002-libapparmor-add-aa_features_new_from_file-to-public-.patch
@@ -0,0 +1,37 @@
+From c9255a03436e6a91bd4e410601da8d43a341ffc2 Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 20:58:45 +0200
+Subject: [PATCH] libapparmor: add `aa_features_new_from_file` to public
+ symbols
+
+With AppArmor release 3.0, a new function `aa_features_new_from_file`
+was added, but not added to the list of public symbols. As a result,
+it's not possible to make use of this function when linking against
+libapparmor.so.
+
+Fix the issue by adding it to the symbol map.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index bbff51f5..1579509a 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -117,6 +117,7 @@ APPARMOR_2.13.1 {
+ 
+ APPARMOR_3.0 {
+   global:
++	aa_features_new_from_file;
+ 	aa_features_write_to_fd;
+ 	aa_features_value;
+   local:
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
new file mode 100644
index 0000000..543c7a1
--- /dev/null
+++ b/meta-security/recipes-mac/AppArmor/files/0003-libapparmor-add-_aa_asprintf-to-private-symbols.patch
@@ -0,0 +1,34 @@
+From 9a8fee6bf1c79c261374d928b838b5eb9244ee9b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Sat, 3 Oct 2020 21:04:57 +0200
+Subject: [PATCH] libapparmor: add _aa_asprintf to private symbols
+
+While `_aa_asprintf` is supposed to be of private visibility, it's used
+by apparmor_parser and thus required to be visible when linking. This
+commit thus adds it to the list of private symbols to make it available
+for linking in apparmor_parser.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ libraries/libapparmor/src/libapparmor.map | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libraries/libapparmor/src/libapparmor.map b/libraries/libapparmor/src/libapparmor.map
+index 1579509a..41e541ac 100644
+--- a/libraries/libapparmor/src/libapparmor.map
++++ b/libraries/libapparmor/src/libapparmor.map
+@@ -127,6 +127,7 @@ APPARMOR_3.0 {
+ PRIVATE {
+ 	global:
+ 		_aa_is_blacklisted;
++		_aa_asprintf;
+ 		_aa_autofree;
+ 		_aa_autoclose;
+ 		_aa_autofclose;
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-mac/AppArmor/files/functions b/meta-security/recipes-mac/AppArmor/files/functions
index cef8cfe..e9e2bbf 100644
--- a/meta-security/recipes-mac/AppArmor/files/functions
+++ b/meta-security/recipes-mac/AppArmor/files/functions
@@ -144,7 +144,7 @@
 
 read_features_dir()
 {
-	for f in `ls -AU "$1"` ; do
+	for f in `ls -A "$1"` ; do
 		if [ -f "$1/$f" ] ; then
 			read -r KF < "$1/$f" || true
 			echo -n "$f {$KF } "
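Review bot: The rewritten loop still builds the feature list by word-splitting the output of `ls`, and the change from `-AU` to `-A` (presumably for an `ls` that lacks `-U`) also changes the visiting order from directory order to sorted order; if the string this function echoes is compared against a value recorded elsewhere (a cache or a kernel-provided features file), that ordering change is worth confirming rather than assuming. A glob removes both the dependency on `ls` options and the word-splitting, e.g. `for f in "$1"/* "$1"/.[!.]*; do f=${f##*/}` with the rest of the body unchanged, since the `[ -f "$1/$f" ]` test on the next line already discards unmatched patterns. read_features_dir continues past the end of the hunk.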