patch: isolate a pkcs11 module

Stef Walter stefw at
Tue Nov 11 05:09:58 PST 2014

Hash: SHA1

On 11.11.2014 10:36, Nikos Mavrogiannopoulos wrote:
> On Mon, 2014-11-10 at 11:41 +0100, Stef Walter wrote:
>> +int       p11_kit_server          (int argc, +
>> char *argv[]); Because things like like SELinux and AppArmor
>> would want to treat the server differently, we should make it run
>> in a separate process. You can see how this was done for 'p11-kit
>> remote'.
> I think it would make more sense to separate it from the p11-kit
> binary completely.
>> This sorta thing should go into common/compat.[ch]. Ideally it
>> would be broken out as a separate commit.
>> I'm uncomfortable with libraries changing signal handlers like
>> this. It would be better to put all such logic into the actual
>> binary of the server. What is missing from
>> p11_kit_remote_serve_module() to enable that?
> These are used by the server only. If they are included in the
> library, that is not intentional. I'll see to separate them.
>> +		if (!p11_rpc_server_handle (name, &virt->funcs, buffer,
>> buffer)) { +			p11_message ("unexpected error handling rpc
>> message"); +			goto out; +		} This means we cannot handle
>> multi-threading in the PKCS#11 client. Is this expected? Is it a
>> limitation of your first round implementation? Do you plan to
>> address it later? I think that 'p11-kit remote' has a similar
>> issue outstanding. Any thoughts here?
> True. I based it on that code so the limitations are shared. That's
> a pretty serious limitation and it's nice you spotted it. As far as
> I understand they can be done thread safe by a mutex.

I have some unfinished server mainloop code here. In case it's helpful:


Version: GnuPG v1


More information about the p11-glue mailing list