From d3505c2b556b859e1a14062579fd67ec2ab25435 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Wed, 1 Oct 2014 17:14:50 +0200
Subject: p11-kit: Remove the 'isolated' option for now

This option was not completed in time, and as implemented suffers from limitations that the module is not really completely isolated as it still runs under the same user id as the calling process.
---
 doc/manual/p11-kit-sharing.xml | 5 +++--
 doc/manual/pkcs11.conf.xml | 11 ++---------
 p11-kit/modules.c | 13 -------------
 3 files changed, 5 insertions(+), 24 deletions(-)

diff --git a/doc/manual/p11-kit-sharing.xml b/doc/manual/p11-kit-sharing.xml
index 95dd865..8be3057 100644
--- a/doc/manual/p11-kit-sharing.xml
+++ b/doc/manual/p11-kit-sharing.xml
@@ -100,8 +100,9 @@ module configuration option. - Managed modules have the ability to be isolated in their own process - See the isolated = yes + Managed modules have the ability to be remoted to another machine or + isolated in their own process. + See the remote = ... module configuration option.
diff --git a/doc/manual/pkcs11.conf.xml b/doc/manual/pkcs11.conf.xml
index 86c8fcb..16e6cb2 100644
--- a/doc/manual/pkcs11.conf.xml
+++ b/doc/manual/pkcs11.conf.xml
@@ -131,14 +131,6 @@ x-custom : text not present, then any process will load the module. - - - - Set to yes to run this PKCS#11 module in its own - process. This is a simple way to set the to - accomplish the same thing. - -
@@ -162,7 +154,7 @@ x-custom : text alphabetically. - + Instead of loading the PKCS#11 module locally, run the module
@@ -173,6 +165,7 @@ x-custom : text remote: |ssh user@remote p11-kit remote /path/to/module.so + Other forms of remoting will appear in later p11-kit releases.
diff --git a/p11-kit/modules.c b/p11-kit/modules.c
index bc6f768..8aaa769 100644
--- a/p11-kit/modules.c
+++ b/p11-kit/modules.c
@@ -486,7 +486,6 @@ take_config_and_load_module_inlock (char **name,
 const char *remote = NULL;
 char *value = NULL;
 CK_RV rv = CKR_OK;
- bool isolated;
 Module *mod;
 
 assert (name);
@@ -506,18 +505,6 @@ take_config_and_load_module_inlock (char **name,
 }
 }
 
- /* The 'isolated' setting is just a simple way to configure remote */
- isolated = _p11_conf_parse_boolean (p11_dict_get (*config, "isolated"), false);
- if (isolated) {
- if (remote) {
- p11_message ("ignoring 'isolated' on module '%s' because 'remote' is set", *name);
- } else {
- if (asprintf (&value, "|" BINDIR "/p11-kit remote '%s'", filename) < 0)
- return_val_if_reached (CKR_DEVICE_ERROR);
- remote = value;
- }
- }
-
 if (remote != NULL) {
 rv = setup_module_for_remote_inlock (*name, remote, &mod);
 if (rv != CKR_OK)
-- 
cgit v1.1
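Review bot: With the block in the second hunk gone, nothing visible reads the `isolated` key any more, so a module whose config still says `isolated: yes` appears to be loaded in the calling process without any message to the administrator who asked for isolation. Unless unknown keys are already reported elsewhere, keep a diagnostic ahead of the `if (remote != NULL)` branch, for example `if (p11_dict_get (*config, "isolated")) p11_message ("ignoring unsupported 'isolated' option on module '%s'", *name);`. The context line `char *value = NULL;` in the first hunk also loses its only visible assignment, so it could be removed together with `bool isolated;` if nothing outside the hunks uses it. take_config_and_load_module_inlock begins and ends outside both hunks, so both points need checking against the full function.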