From 8e132ab21378fb5fa1f44afb38c23f44b1277f7d Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Tue, 24 Jun 2014 14:20:01 +0200 Subject: p11-kit: Add a new 'isolate' pkcs11 config option This sets 'remote' appropriately to run the module in a separate process. https://bugs.freedesktop.org/show_bug.cgi?id=80472 --- doc/manual/p11-kit-sharing.xml | 4 ++++ doc/manual/pkcs11.conf.xml | 8 ++++++++ p11-kit/modules.c | 44 ++++++++++++++++++++++++++++++------------ 3 files changed, 44 insertions(+), 12 deletions(-) diff --git a/doc/manual/p11-kit-sharing.xml b/doc/manual/p11-kit-sharing.xml index bf0ed01..453d42b 100644 --- a/doc/manual/p11-kit-sharing.xml +++ b/doc/manual/p11-kit-sharing.xml @@ -99,6 +99,10 @@ purposes. See the log-calls = yes module configuration option. + + Managed modules have the ability to be isolated in their own process + See the isolated = yes + module configuration option. diff --git a/doc/manual/pkcs11.conf.xml b/doc/manual/pkcs11.conf.xml index 2617677..86c8fcb 100644 --- a/doc/manual/pkcs11.conf.xml +++ b/doc/manual/pkcs11.conf.xml @@ -131,6 +131,14 @@ x-custom : text not present, then any process will load the module. + + + + Set to yes to run this PKCS#11 module in its own + process. This is a simple way to set the to + accomplish the same thing. + + diff --git a/p11-kit/modules.c b/p11-kit/modules.c index 7dbb6ed..bfcd3e5 100644 --- a/p11-kit/modules.c +++ b/p11-kit/modules.c @@ -482,10 +482,12 @@ take_config_and_load_module_inlock (char **name, p11_dict **config, bool critical) { - const char *filename; - const char *remote; + const char *filename = NULL; + const char *remote = NULL; + char *value = NULL; + CK_RV rv = CKR_OK; + bool isolated; Module *mod; - CK_RV rv; assert (name); assert (*name); 
@@ -493,24 +495,40 @@ take_config_and_load_module_inlock (char **name, assert (*config); if (!is_module_enabled_unlocked (*name, *config)) - return CKR_OK; + goto out; remote = p11_dict_get (*config, "remote"); + if (remote == NULL) { + filename = p11_dict_get (*config, "module"); + if (filename == NULL) { + p11_debug ("no module path for module, skipping: %s", *name); + goto out; + } + } + + /* The 'isolated' setting is just a simple way to configure remote */ + isolated = _p11_conf_parse_boolean (p11_dict_get (*config, "isolated"), false); + if (isolated) { + if (remote) { + p11_message ("ignoring 'isolated' on module '%s' because 'remote' is set", *name); + isolated = false; + } else { + if (asprintf (&value, "|" BINDIR "/p11-kit remote '%s'", filename) < 0) + return_val_if_reached (CKR_DEVICE_ERROR); + remote = value; + } + } + if (remote != NULL) { rv = setup_module_for_remote_inlock (*name, remote, &mod); if (rv != CKR_OK) - return rv; + goto out; } else { - filename = p11_dict_get (*config, "module"); - if (filename == NULL) { - p11_debug ("no module path for module, skipping: %s", *name); - return CKR_OK; - } rv = load_module_from_file_inlock (*name, filename, &mod); if (rv != CKR_OK) - return CKR_OK; + goto out; /* * We support setting of CK_C_INITIALIZE_ARGS.pReserved from @@ -529,7 +547,9 @@ take_config_and_load_module_inlock (char **name, *name = NULL; mod->critical = critical; - return CKR_OK; +out: + free (value); + return rv; } static CK_RV -- cgit v1.1
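Review bot: In the `isolated` branch, `filename` comes straight from the module config and is placed between single quotes in the generated command, `"|" BINDIR "/p11-kit remote '%s'"`, without escaping. A `module` path containing `'` will therefore not reach the `remote` parser as one argument; that parser is outside this hunk, so the exact effect needs confirming. I would refuse such a path rather than fall back to loading in-process, since the admin asked for isolation: `if (strchr (filename, '\'') != NULL) { p11_message ("cannot isolate module '%s': quote in module path", *name); rv = CKR_GENERAL_ERROR; goto out; }`. Separately, the `goto out` after `load_module_from_file_inlock ()` now propagates `rv` where the removed line returned `CKR_OK`, which the commit message should mention if it is intended. The function begins in the previous hunk and continues past this one.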
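Review bot: `free (value)` at the new `out:` label releases the string that was passed to `setup_module_for_remote_inlock ()` as `remote`. This is safe only if that function copies the string instead of keeping the pointer in `mod`, and its body is not part of this diff, so it should be checked. A comment at the label would record the assumption: `/* 'value' backs 'remote' when isolated; setup_module_for_remote_inlock() must not retain the pointer */`. The statements between the second hunk and this one are not shown.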