summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStef Walter <stefw@redhat.com>2014-10-01 17:34:02 +0200
committerStef Walter <stefw@redhat.com>2014-10-02 11:44:02 +0200
commita3b1e1c2f2c8c1f14293d8158b6dfeb2a6560908 (patch)
tree0f24ca1420aca2c6171bd6bea9d71d22bc996236
parent76f230ced6e9ca2a598988bc00b7b971208e8f64 (diff)
remote: Run separate executable binary for 'p11-kit remote'
This allows security frameworks like SELinux or AppArmor to target it specifically.
-rw-r--r--Makefile.am1
-rw-r--r--p11-kit/Makefile.am13
-rw-r--r--p11-kit/p11-kit.c69
-rw-r--r--p11-kit/remote.c137
-rw-r--r--p11-kit/rpc-server.c101
5 files changed, 164 insertions, 157 deletions
diff --git a/Makefile.am b/Makefile.am
index 9032154..ea87f6a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,6 +15,7 @@ AM_CPPFLAGS = \
-DP11_KIT_FUTURE_UNSTABLE_API
bin_PROGRAMS =
+private_PROGRAMS =
CHECK_PROGS =
diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am
index b4b4886..3ef70f9 100644
--- a/p11-kit/Makefile.am
+++ b/p11-kit/Makefile.am
@@ -20,7 +20,6 @@ MODULE_SRCS = \
p11-kit/private.h \
p11-kit/proxy.c p11-kit/proxy.h \
p11-kit/messages.c \
- p11-kit/remote.c \
p11-kit/rpc-transport.c p11-kit/rpc.h \
p11-kit/rpc-message.c p11-kit/rpc-message.h \
p11-kit/rpc-client.c p11-kit/rpc-server.c \
@@ -119,6 +118,18 @@ p11_kit_p11_kit_LDADD = \
$(LTLIBINTL) \
$(NULL)
+private_PROGRAMS += p11-kit-remote
+
+p11_kit_remote_SOURCES = \
+ p11-kit/remote.c \
+ $(NULL)
+
+p11_kit_remote_LDADD = \
+ libp11-tool.la \
+ libp11-common.la \
+ libp11-kit.la \
+ $(NULL)
+
# Tests ----------------------------------------------------------------
p11_kit_LIBS = \
diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c
index f64359e..a7b9212 100644
--- a/p11-kit/p11-kit.c
+++ b/p11-kit/p11-kit.c
@@ -39,7 +39,6 @@
#include "message.h"
#include "path.h"
#include "p11-kit.h"
-#include "remote.h"
#include <assert.h>
#include <ctype.h>
@@ -61,12 +60,9 @@ int p11_kit_trust (int argc,
int p11_kit_external (int argc,
char *argv[]);
-int p11_kit_remote (int argc,
- char *argv[]);
-
static const p11_tool_command commands[] = {
{ "list-modules", p11_kit_list_modules, "List modules and tokens" },
- { "remote", p11_kit_remote, "Run a specific PKCS#11 module remotely" },
+ { "remote", p11_kit_external, "Run a specific PKCS#11 module remotely" },
{ P11_TOOL_FALLBACK, p11_kit_external, NULL },
{ 0, }
};
@@ -132,69 +128,6 @@ p11_kit_external (int argc,
}
int
-p11_kit_remote (int argc,
- char *argv[])
-{
- CK_FUNCTION_LIST *module;
- int opt;
- int ret;
-
- enum {
- opt_verbose = 'v',
- opt_help = 'h',
- };
-
- struct option options[] = {
- { "verbose", no_argument, NULL, opt_verbose },
- { "help", no_argument, NULL, opt_help },
- { 0 },
- };
-
- p11_tool_desc usages[] = {
- { 0, "usage: p11-kit remote <module>" },
- { 0 },
- };
-
- while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
- switch (opt) {
- case opt_verbose:
- p11_kit_be_loud ();
- break;
- case opt_help:
- case '?':
- p11_tool_usage (usages, options);
- return 0;
- default:
- assert_not_reached ();
- break;
- }
- }
-
- argc -= optind;
- argv += optind;
-
- if (argc != 1) {
- p11_message ("specify the module to remote");
- return 2;
- }
-
- if (isatty (0)) {
- p11_message ("the 'remote' tool is not meant to be run from a terminal");
- return 2;
- }
-
- module = p11_kit_module_load (argv[0], 0);
- if (module == NULL)
- return 1;
-
- ret = p11_kit_remote_serve_module (module, 0, 1);
- p11_kit_module_release (module);
-
- return ret;
-}
-
-
-int
main (int argc,
char *argv[])
{
diff --git a/p11-kit/remote.c b/p11-kit/remote.c
index 944e501..7717277 100644
--- a/p11-kit/remote.c
+++ b/p11-kit/remote.c
@@ -34,13 +34,12 @@
#include "config.h"
-#include "buffer.h"
#include "compat.h"
#include "debug.h"
#include "message.h"
-#include "rpc.h"
+#include "p11-kit.h"
#include "remote.h"
-#include "virtual.h"
+#include "tool.h"
#include <assert.h>
#include <errno.h>
@@ -50,101 +49,63 @@
#include <unistd.h>
int
-p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
- int in_fd,
- int out_fd)
+main (int argc,
+ char *argv[])
{
- p11_rpc_status status;
- unsigned char version;
- p11_virtual virt;
- p11_buffer options;
- p11_buffer buffer;
- size_t state;
- int ret = 1;
- int code;
-
- return_val_if_fail (module != NULL, 1);
-
- p11_buffer_init (&options, 0);
- p11_buffer_init (&buffer, 0);
-
- p11_virtual_init (&virt, &p11_virtual_base, module, NULL);
-
- switch (read (in_fd, &version, 1)) {
- case 0:
- goto out;
- case 1:
- if (version != 0) {
- p11_message ("unspported version received: %d", (int)version);
- goto out;
- }
- break;
- default:
- p11_message_err (errno, "couldn't read credential byte");
- goto out;
- }
-
- version = 0;
- switch (write (out_fd, &version, out_fd)) {
- case 1:
- break;
- default:
- p11_message_err (errno, "couldn't write credential byte");
- goto out;
- }
-
- status = P11_RPC_OK;
- while (status == P11_RPC_OK) {
- state = 0;
- code = 0;
-
- do {
- status = p11_rpc_transport_read (in_fd, &state, &code,
- &options, &buffer);
- } while (status == P11_RPC_AGAIN);
-
- switch (status) {
- case P11_RPC_OK:
+ CK_FUNCTION_LIST *module;
+ int opt;
+ int ret;
+
+ enum {
+ opt_verbose = 'v',
+ opt_help = 'h',
+ };
+
+ struct option options[] = {
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, opt_help },
+ { 0 },
+ };
+
+ p11_tool_desc usages[] = {
+ { 0, "usage: p11-kit remote <module>" },
+ { 0 },
+ };
+
+ while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case opt_verbose:
+ p11_kit_be_loud ();
break;
- case P11_RPC_EOF:
- ret = 0;
- continue;
- case P11_RPC_AGAIN:
+ case opt_help:
+ case '?':
+ p11_tool_usage (usages, options);
+ return 0;
+ default:
assert_not_reached ();
- case P11_RPC_ERROR:
- p11_message_err (errno, "failed to read rpc message");
- goto out;
+ break;
}
+ }
- if (!p11_rpc_server_handle (&virt.funcs, &buffer, &buffer)) {
- p11_message ("unexpected error handling rpc message");
- goto out;
- }
+ argc -= optind;
+ argv += optind;
- state = 0;
- options.len = 0;
- do {
- status = p11_rpc_transport_write (out_fd, &state, code,
- &options, &buffer);
- } while (status == P11_RPC_AGAIN);
+ if (argc != 1) {
+ p11_message ("specify the module to remote");
+ return 2;
+ }
- switch (status) {
- case P11_RPC_OK:
- break;
- case P11_RPC_EOF:
- case P11_RPC_AGAIN:
- assert_not_reached ();
- case P11_RPC_ERROR:
- p11_message_err (errno, "failed to write rpc message");
- goto out;
- }
+ if (isatty (0)) {
+ p11_message ("the 'remote' tool is not meant to be run from a terminal");
+ return 2;
}
-out:
- p11_buffer_uninit (&buffer);
- p11_buffer_uninit (&options);
+ module = p11_kit_module_load (argv[0], 0);
+ if (module == NULL)
+ return 1;
- p11_virtual_uninit (&virt);
+ ret = p11_kit_remote_serve_module (module, 0, 1);
+ p11_kit_module_release (module);
return ret;
}
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index b8288c9..a2562e9 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -41,6 +41,7 @@
#include "library.h"
#include "private.h"
#include "message.h"
+#include "remote.h"
#include "rpc.h"
#include "rpc-message.h"
@@ -1901,3 +1902,103 @@ p11_rpc_server_handle (CK_X_FUNCTION_LIST *self,
p11_rpc_message_clear (&msg);
return true;
}
+
+int
+p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
+ int in_fd,
+ int out_fd)
+{
+ p11_rpc_status status;
+ unsigned char version;
+ p11_virtual virt;
+ p11_buffer options;
+ p11_buffer buffer;
+ size_t state;
+ int ret = 1;
+ int code;
+
+ return_val_if_fail (module != NULL, 1);
+
+ p11_buffer_init (&options, 0);
+ p11_buffer_init (&buffer, 0);
+
+ p11_virtual_init (&virt, &p11_virtual_base, module, NULL);
+
+ switch (read (in_fd, &version, 1)) {
+ case 0:
+ goto out;
+ case 1:
+ if (version != 0) {
+ p11_message ("unspported version received: %d", (int)version);
+ goto out;
+ }
+ break;
+ default:
+ p11_message_err (errno, "couldn't read credential byte");
+ goto out;
+ }
+
+ version = 0;
+ switch (write (out_fd, &version, out_fd)) {
+ case 1:
+ break;
+ default:
+ p11_message_err (errno, "couldn't write credential byte");
+ goto out;
+ }
+
+ status = P11_RPC_OK;
+ while (status == P11_RPC_OK) {
+ state = 0;
+ code = 0;
+
+ do {
+ status = p11_rpc_transport_read (in_fd, &state, &code,
+ &options, &buffer);
+ } while (status == P11_RPC_AGAIN);
+
+ switch (status) {
+ case P11_RPC_OK:
+ break;
+ case P11_RPC_EOF:
+ ret = 0;
+ continue;
+ case P11_RPC_AGAIN:
+ assert_not_reached ();
+ case P11_RPC_ERROR:
+ p11_message_err (errno, "failed to read rpc message");
+ goto out;
+ }
+
+ if (!p11_rpc_server_handle (&virt.funcs, &buffer, &buffer)) {
+ p11_message ("unexpected error handling rpc message");
+ goto out;
+ }
+
+ state = 0;
+ options.len = 0;
+ do {
+ status = p11_rpc_transport_write (out_fd, &state, code,
+ &options, &buffer);
+ } while (status == P11_RPC_AGAIN);
+
+ switch (status) {
+ case P11_RPC_OK:
+ break;
+ case P11_RPC_EOF:
+ case P11_RPC_AGAIN:
+ assert_not_reached ();
+ case P11_RPC_ERROR:
+ p11_message_err (errno, "failed to write rpc message");
+ goto out;
+ }
+ }
+
+out:
+ p11_buffer_uninit (&buffer);
+ p11_buffer_uninit (&options);
+
+ p11_virtual_uninit (&virt);
+
+ return ret;
+}