libffi prevents p11-kit from being usable with selinux

Stef Walter stefw at redhat.com
Tue Sep 22 07:19:41 PDT 2015


On 22.09.2015 11:55, Nikos Mavrogiannopoulos wrote:
> On Mon, 2015-09-21 at 15:12 +0200, Stef Walter wrote:
> 
>> Several functions (such as CloseAllSessions()) in PKCS#11 act globally.
>> By returning a different closure for those function pointers to each
>> caller, we can scope those effects. We don't do this only in the proxy
>> module, but throughout the PKCS#11 API.
>>
>> The following functions are routinely wrapped in a closure:
>>
>> C_Initialize
>> C_Finalize
>> C_CloseAllSessions
>> C_CloseSession
>> C_OpenSession
>>
>> In addition, if things like remoting or logging are enabled, then all
>> functions are wrapped ... so their arguments can be remoted or logged
>> respectively.
> [...]
>>  2. We could precompile NNNN closures into the executable, and these
>>     would be consumed as necessary. This is how p11-kit used to perform
>>     this task. It's really horrible code ... but could be done as a last
>>     resort ... and the code is in the git history.
> 
> I've tried with avoiding the tmpdir in libffi, and have the same issue
> with executable memory. So I think we are at this point... 

That would place a static limit on the amount of callers of any
"managed" PKCS#11 modules in p11-kit. What is the number you think is
appropriate to limit that to in a single process?

Stef
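
The trade-off discussed in this message, as an added sketch that is not part of the original post and is not p11-kit's code: a fixed pool of thunks compiled into the binary gives each caller its own function pointer without mapping executable memory at run time, at the cost of a hard cap on callers. All names are hypothetical, `rv_t` stands in for `CK_RV`, and `MAX_CALLERS = 4` is an assumed value, since the thread leaves the number open.

```c
#include <stddef.h>
#include <stdio.h>
#define MAX_CALLERS 4                        /* assumed static limit */
typedef unsigned long rv_t;                  /* stand-in for CK_RV */
typedef rv_t (*close_all_fn)(unsigned long slot_id);
struct caller { int in_use; unsigned long closed; };  /* per-caller state */
static struct caller callers[MAX_CALLERS];

/* Shared implementation: acts only on the caller it is handed. */
static rv_t close_all_for(struct caller *c, unsigned long slot_id) {
    (void)slot_id;
    c->closed++;                             /* other callers are untouched */
    return 0;
}

/* One thunk per pool entry, bound to its slot at compile time.
 * Nothing is generated at run time, so no writable+executable mapping. */
#define THUNK(i) \
    static rv_t thunk_##i(unsigned long s) { return close_all_for(&callers[i], s); }
THUNK(0) THUNK(1) THUNK(2) THUNK(3)
static const close_all_fn thunks[MAX_CALLERS] = { thunk_0, thunk_1, thunk_2, thunk_3 };

/* Hand out a distinct function pointer per caller; NULL once the pool is used up. */
close_all_fn acquire_close_all(void) {
    for (size_t i = 0; i < MAX_CALLERS; i++)
        if (!callers[i].in_use) {
            callers[i].in_use = 1; callers[i].closed = 0;
            return thunks[i];
        }
    return NULL;
}

void release_close_all(close_all_fn fn) {
    for (size_t i = 0; i < MAX_CALLERS; i++)
        if (thunks[i] == fn) callers[i].in_use = 0;
}

unsigned long closed_count(close_all_fn fn) {
    for (size_t i = 0; i < MAX_CALLERS; i++)
        if (thunks[i] == fn) return callers[i].closed;
    return 0;
}

int main(void) {
    close_all_fn a = acquire_close_all(), b = acquire_close_all();
    a(0);                                    /* only caller a is affected */
    printf("a closed %lu, b closed %lu\n", closed_count(a), closed_count(b));
    return 0;
}
```

A caller that arrives after the pool is exhausted gets `NULL`, which is the static limit the message asks about; the pool size has to be chosen for the busiest process that loads managed modules.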

