[PATCH] Support addiitional 'progname' tags

Stef Walter stefw at redhat.com
Fri Dec 12 08:27:49 PST 2014


On 11.12.2014 16:52, David Woodhouse wrote:
> There are cases where we want to use enable-in/disable-in options for a
> whole *class* of programs. Such as 'python' or 'p11-kit-proxy.so'.
> 
> This adds an internal API for managing extra prognames, and fixes the
> enable-in/disable-in processing to handle them.

Thanks a lot much for doing the research and getting this patch together.

> The proxy module now sets an additional progname of 'p11-kit-proxy.so',
> and this can be used to control visibility of modules via the proxy
> regardless of the actual program name in argv[0].
> 
> I'd also like p11-kit-proxy.so to take addtional 'extra prognames' via
> the init_args.pReserved pointer in C_Initialize(). But unfortunately we
> already processed the configuration in C_GetFunctionList() and decided
> which modules to load, so it's too late by then. We'll need some
> refactoring to make that possible.

Unfortunately (even though I may have suggested it) I think this
approach is a bit broken.

In particular if p11-kit-proxy.so is loaded in a process, then *all*
callers in that process (including for example gnutls) will get the
enable-in/disable-in applied as if they were using p11-kit-proxy.so

Can we pass an extra "p11-kit-proxy" progname into
p11_modules_load_inlock_reentrant() directly? That would solve this one
use case, and I think it's reasonable to only solve this rather than the
broader scope.

Stef


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/p11-glue/attachments/20141212/27dd5de4/attachment.sig>


More information about the p11-glue mailing list