From a3b1e1c2f2c8c1f14293d8158b6dfeb2a6560908 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Wed, 1 Oct 2014 17:34:02 +0200 Subject: remote: Run separate executable binary for 'p11-kit remote' This allows security frameworks like SELinux or AppArmor to target it specifically. --- Makefile.am | 1 + p11-kit/Makefile.am | 13 ++++- p11-kit/p11-kit.c | 69 +------------------------- p11-kit/remote.c | 137 ++++++++++++++++++--------------------------------- p11-kit/rpc-server.c | 101 +++++++++++++++++++++++++++++++++++++ 5 files changed, 164 insertions(+), 157 deletions(-) diff --git a/Makefile.am b/Makefile.am index 9032154..ea87f6a 100644 --- a/Makefile.am +++ b/Makefile.am @@ -15,6 +15,7 @@ AM_CPPFLAGS = \ -DP11_KIT_FUTURE_UNSTABLE_API bin_PROGRAMS = +private_PROGRAMS = CHECK_PROGS = diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am index b4b4886..3ef70f9 100644 --- a/p11-kit/Makefile.am +++ b/p11-kit/Makefile.am @@ -20,7 +20,6 @@ MODULE_SRCS = \ p11-kit/private.h \ p11-kit/proxy.c p11-kit/proxy.h \ p11-kit/messages.c \ - p11-kit/remote.c \ p11-kit/rpc-transport.c p11-kit/rpc.h \ p11-kit/rpc-message.c p11-kit/rpc-message.h \ p11-kit/rpc-client.c p11-kit/rpc-server.c \ @@ -119,6 +118,18 @@ p11_kit_p11_kit_LDADD = \ $(LTLIBINTL) \ $(NULL) +private_PROGRAMS += p11-kit-remote + +p11_kit_remote_SOURCES = \ + p11-kit/remote.c \ + $(NULL) + +p11_kit_remote_LDADD = \ + libp11-tool.la \ + libp11-common.la \ + libp11-kit.la \ + $(NULL) + # Tests ---------------------------------------------------------------- p11_kit_LIBS = \ diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c index f64359e..a7b9212 100644 --- a/p11-kit/p11-kit.c +++ b/p11-kit/p11-kit.c @@ -39,7 +39,6 @@ #include "message.h" #include "path.h" #include "p11-kit.h" -#include "remote.h" #include #include @@ -61,12 +60,9 @@ int p11_kit_trust (int argc, int p11_kit_external (int argc, char *argv[]); -int p11_kit_remote (int argc, - char *argv[]); - static const p11_tool_command commands[] = { { "list-modules", p11_kit_list_modules, "List modules and tokens" }, - { "remote", p11_kit_remote, "Run a specific PKCS#11 module remotely" }, + { "remote", p11_kit_external, "Run a specific PKCS#11 module remotely" }, { P11_TOOL_FALLBACK, p11_kit_external, NULL }, { 0, } }; @@ -132,69 +128,6 @@ p11_kit_external (int argc, } int -p11_kit_remote (int argc, - char *argv[]) -{ - CK_FUNCTION_LIST *module; - int opt; - int ret; - - enum { - opt_verbose = 'v', - opt_help = 'h', - }; - - struct option options[] = { - { "verbose", no_argument, NULL, opt_verbose }, - { "help", no_argument, NULL, opt_help }, - { 0 }, - }; - - p11_tool_desc usages[] = { - { 0, "usage: p11-kit remote " }, - { 0 }, - }; - - while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { - switch (opt) { - case opt_verbose: - p11_kit_be_loud (); - break; - case opt_help: - case '?': - p11_tool_usage (usages, options); - return 0; - default: - assert_not_reached (); - break; - } - } - - argc -= optind; - argv += optind; - - if (argc != 1) { - p11_message ("specify the module to remote"); - return 2; - } - - if (isatty (0)) { - p11_message ("the 'remote' tool is not meant to be run from a terminal"); - return 2; - } - - module = p11_kit_module_load (argv[0], 0); - if (module == NULL) - return 1; - - ret = p11_kit_remote_serve_module (module, 0, 1); - p11_kit_module_release (module); - - return ret; -} - - -int main (int argc, char *argv[]) { diff --git a/p11-kit/remote.c b/p11-kit/remote.c index 944e501..7717277 100644 --- a/p11-kit/remote.c +++ b/p11-kit/remote.c @@ -34,13 +34,12 @@ #include "config.h" -#include "buffer.h" #include "compat.h" #include "debug.h" #include "message.h" -#include "rpc.h" +#include "p11-kit.h" #include "remote.h" -#include "virtual.h" +#include "tool.h" #include #include @@ -50,101 +49,63 @@ #include int -p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, - int in_fd, - int out_fd) +main (int argc, + char *argv[]) { - p11_rpc_status status; - unsigned char version; - p11_virtual virt; - p11_buffer options; - p11_buffer buffer; - size_t state; - int ret = 1; - int code; - - return_val_if_fail (module != NULL, 1); - - p11_buffer_init (&options, 0); - p11_buffer_init (&buffer, 0); - - p11_virtual_init (&virt, &p11_virtual_base, module, NULL); - - switch (read (in_fd, &version, 1)) { - case 0: - goto out; - case 1: - if (version != 0) { - p11_message ("unspported version received: %d", (int)version); - goto out; - } - break; - default: - p11_message_err (errno, "couldn't read credential byte"); - goto out; - } - - version = 0; - switch (write (out_fd, &version, out_fd)) { - case 1: - break; - default: - p11_message_err (errno, "couldn't write credential byte"); - goto out; - } - - status = P11_RPC_OK; - while (status == P11_RPC_OK) { - state = 0; - code = 0; - - do { - status = p11_rpc_transport_read (in_fd, &state, &code, - &options, &buffer); - } while (status == P11_RPC_AGAIN); - - switch (status) { - case P11_RPC_OK: + CK_FUNCTION_LIST *module; + int opt; + int ret; + + enum { + opt_verbose = 'v', + opt_help = 'h', + }; + + struct option options[] = { + { "verbose", no_argument, NULL, opt_verbose }, + { "help", no_argument, NULL, opt_help }, + { 0 }, + }; + + p11_tool_desc usages[] = { + { 0, "usage: p11-kit remote " }, + { 0 }, + }; + + while ((opt = p11_tool_getopt (argc, argv, options)) != -1) { + switch (opt) { + case opt_verbose: + p11_kit_be_loud (); break; - case P11_RPC_EOF: - ret = 0; - continue; - case P11_RPC_AGAIN: + case opt_help: + case '?': + p11_tool_usage (usages, options); + return 0; + default: assert_not_reached (); - case P11_RPC_ERROR: - p11_message_err (errno, "failed to read rpc message"); - goto out; + break; } + } - if (!p11_rpc_server_handle (&virt.funcs, &buffer, &buffer)) { - p11_message ("unexpected error handling rpc message"); - goto out; - } + argc -= optind; + argv += optind; - state = 0; - options.len = 0; - do { - status = p11_rpc_transport_write (out_fd, &state, code, - &options, &buffer); - } while (status == P11_RPC_AGAIN); + if (argc != 1) { + p11_message ("specify the module to remote"); + return 2; + } - switch (status) { - case P11_RPC_OK: - break; - case P11_RPC_EOF: - case P11_RPC_AGAIN: - assert_not_reached (); - case P11_RPC_ERROR: - p11_message_err (errno, "failed to write rpc message"); - goto out; - } + if (isatty (0)) { + p11_message ("the 'remote' tool is not meant to be run from a terminal"); + return 2; } -out: - p11_buffer_uninit (&buffer); - p11_buffer_uninit (&options); + module = p11_kit_module_load (argv[0], 0); + if (module == NULL) + return 1; - p11_virtual_uninit (&virt); + ret = p11_kit_remote_serve_module (module, 0, 1); + p11_kit_module_release (module); return ret; } diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c index b8288c9..a2562e9 100644 --- a/p11-kit/rpc-server.c +++ b/p11-kit/rpc-server.c @@ -41,6 +41,7 @@ #include "library.h" #include "private.h" #include "message.h" +#include "remote.h" #include "rpc.h" #include "rpc-message.h" @@ -1901,3 +1902,103 @@ p11_rpc_server_handle (CK_X_FUNCTION_LIST *self, p11_rpc_message_clear (&msg); return true; } + +int +p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, + int in_fd, + int out_fd) +{ + p11_rpc_status status; + unsigned char version; + p11_virtual virt; + p11_buffer options; + p11_buffer buffer; + size_t state; + int ret = 1; + int code; + + return_val_if_fail (module != NULL, 1); + + p11_buffer_init (&options, 0); + p11_buffer_init (&buffer, 0); + + p11_virtual_init (&virt, &p11_virtual_base, module, NULL); + + switch (read (in_fd, &version, 1)) { + case 0: + goto out; + case 1: + if (version != 0) { + p11_message ("unspported version received: %d", (int)version); + goto out; + } + break; + default: + p11_message_err (errno, "couldn't read credential byte"); + goto out; + } + + version = 0; + switch (write (out_fd, &version, out_fd)) { + case 1: + break; + default: + p11_message_err (errno, "couldn't write credential byte"); + goto out; + } + + status = P11_RPC_OK; + while (status == P11_RPC_OK) { + state = 0; + code = 0; + + do { + status = p11_rpc_transport_read (in_fd, &state, &code, + &options, &buffer); + } while (status == P11_RPC_AGAIN); + + switch (status) { + case P11_RPC_OK: + break; + case P11_RPC_EOF: + ret = 0; + continue; + case P11_RPC_AGAIN: + assert_not_reached (); + case P11_RPC_ERROR: + p11_message_err (errno, "failed to read rpc message"); + goto out; + } + + if (!p11_rpc_server_handle (&virt.funcs, &buffer, &buffer)) { + p11_message ("unexpected error handling rpc message"); + goto out; + } + + state = 0; + options.len = 0; + do { + status = p11_rpc_transport_write (out_fd, &state, code, + &options, &buffer); + } while (status == P11_RPC_AGAIN); + + switch (status) { + case P11_RPC_OK: + break; + case P11_RPC_EOF: + case P11_RPC_AGAIN: + assert_not_reached (); + case P11_RPC_ERROR: + p11_message_err (errno, "failed to write rpc message"); + goto out; + } + } + +out: + p11_buffer_uninit (&buffer); + p11_buffer_uninit (&options); + + p11_virtual_uninit (&virt); + + return ret; +} -- cgit v1.1