summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStef Walter <stef@thewalter.net>2014-06-24 14:20:01 +0200
committerStef Walter <stef@thewalter.net>2014-07-08 08:59:30 +0200
commit8e132ab21378fb5fa1f44afb38c23f44b1277f7d (patch)
treef9d742ae979523a1fd713877e41502722386b15b
parent17ea60eaf9d1b4eab9546d6dfc7e7afe83779f91 (diff)
p11-kit: Add a new 'isolate' pkcs11 config option
This sets 'remote' appropriately to run the module in a separate process. https://bugs.freedesktop.org/show_bug.cgi?id=80472
-rw-r--r--doc/manual/p11-kit-sharing.xml4
-rw-r--r--doc/manual/pkcs11.conf.xml8
-rw-r--r--p11-kit/modules.c44
3 files changed, 44 insertions, 12 deletions
diff --git a/doc/manual/p11-kit-sharing.xml b/doc/manual/p11-kit-sharing.xml
index bf0ed01..453d42b 100644
--- a/doc/manual/p11-kit-sharing.xml
+++ b/doc/manual/p11-kit-sharing.xml
@@ -99,6 +99,10 @@
purposes. See the <link linkend="option-log-calls"><literal>log-calls = yes</literal></link>
module configuration option.</para>
</listitem>
+ <listitem>
+ <para>Managed modules have the ability to be isolated in their own process
+ See the <link linkend="option-isolated"><literal>isolated = yes</literal></link>
+ module configuration option.</para>
</itemizedlist>
</section>
</chapter>
diff --git a/doc/manual/pkcs11.conf.xml b/doc/manual/pkcs11.conf.xml
index 2617677..86c8fcb 100644
--- a/doc/manual/pkcs11.conf.xml
+++ b/doc/manual/pkcs11.conf.xml
@@ -131,6 +131,14 @@ x-custom : text
not present, then any process will load the module.</para>
</listitem>
</varlistentry>
+ <varlistentry id="option-isolated">
+ <term><option>isolated:</option></term>
+ <listitem>
+ <para>Set to <literal>yes</literal> to run this PKCS#11 module in its own
+ process. This is a simple way to set the <option>remote</option> to
+ accomplish the same thing.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>managed:</option></term>
<listitem>
diff --git a/p11-kit/modules.c b/p11-kit/modules.c
index 7dbb6ed..bfcd3e5 100644
--- a/p11-kit/modules.c
+++ b/p11-kit/modules.c
@@ -482,10 +482,12 @@ take_config_and_load_module_inlock (char **name,
p11_dict **config,
bool critical)
{
- const char *filename;
- const char *remote;
+ const char *filename = NULL;
+ const char *remote = NULL;
+ char *value = NULL;
+ CK_RV rv = CKR_OK;
+ bool isolated;
Module *mod;
- CK_RV rv;
assert (name);
assert (*name);
@@ -493,24 +495,40 @@ take_config_and_load_module_inlock (char **name,
assert (*config);
if (!is_module_enabled_unlocked (*name, *config))
- return CKR_OK;
+ goto out;
remote = p11_dict_get (*config, "remote");
+ if (remote == NULL) {
+ filename = p11_dict_get (*config, "module");
+ if (filename == NULL) {
+ p11_debug ("no module path for module, skipping: %s", *name);
+ goto out;
+ }
+ }
+
+ /* The 'isolated' setting is just a simple way to configure remote */
+ isolated = _p11_conf_parse_boolean (p11_dict_get (*config, "isolated"), false);
+ if (isolated) {
+ if (remote) {
+ p11_message ("ignoring 'isolated' on module '%s' because 'remote' is set", *name);
+ isolated = false;
+ } else {
+ if (asprintf (&value, "|" BINDIR "/p11-kit remote '%s'", filename) < 0)
+ return_val_if_reached (CKR_DEVICE_ERROR);
+ remote = value;
+ }
+ }
+
if (remote != NULL) {
rv = setup_module_for_remote_inlock (*name, remote, &mod);
if (rv != CKR_OK)
- return rv;
+ goto out;
} else {
- filename = p11_dict_get (*config, "module");
- if (filename == NULL) {
- p11_debug ("no module path for module, skipping: %s", *name);
- return CKR_OK;
- }
rv = load_module_from_file_inlock (*name, filename, &mod);
if (rv != CKR_OK)
- return CKR_OK;
+ goto out;
/*
* We support setting of CK_C_INITIALIZE_ARGS.pReserved from
@@ -529,7 +547,9 @@ take_config_and_load_module_inlock (char **name,
*name = NULL;
mod->critical = critical;
- return CKR_OK;
+out:
+ free (value);
+ return rv;
}
static CK_RV