patch: isolate a pkcs11 module

Nikos Mavrogiannopoulos nmav at
Tue Nov 11 01:36:05 PST 2014

On Mon, 2014-11-10 at 11:41 +0100, Stef Walter wrote:

> +int       p11_kit_server          (int argc,
> +                                   char *argv[]);
> Because things like like SELinux and AppArmor would want to treat the
> server differently, we should make it run in a separate process. You
> can see how this was done for 'p11-kit remote'.

I think it would make more sense to separate it from the p11-kit binary completely.

> This sorta thing should go into common/compat.[ch]. Ideally it would
> be broken out as a separate commit.
> I'm uncomfortable with libraries changing signal handlers like this.
> It would be better to put all such logic into the actual binary of the
> server. What is missing from p11_kit_remote_serve_module() to enable that?

These are used by the server only. If they are included in the library, that is
not intentional. I'll see to separate them.

> +		if (!p11_rpc_server_handle (name, &virt->funcs, buffer, buffer)) {
> +			p11_message ("unexpected error handling rpc message");
> +			goto out;
> +		}
> This means we cannot handle multi-threading in the PKCS#11 client. Is
> this expected? Is it a limitation of your first round implementation?
> Do you plan to address it later?
> I think that 'p11-kit remote' has a similar issue outstanding. Any
> thoughts here?

True. I based it on that code so the limitations are shared. That's a pretty
serious limitation and it's nice you spotted it. As far as I understand
they can be done thread safe by a mutex.


More information about the p11-glue mailing list