libffi prevents p11-kit from being usable with selinux

Nikos Mavrogiannopoulos nmav at redhat.com
Wed Sep 23 04:41:59 PDT 2015


On Tue, 2015-09-22 at 16:19 +0200, Stef Walter wrote:
> On 22.09.2015 11:55, Nikos Mavrogiannopoulos wrote:
> > On Mon, 2015-09-21 at 15:12 +0200, Stef Walter wrote:
> > 
> > > Several functions (such as CloseAllSessions()) in PKCS#11 act
> > > globally.
> > > By returning a different closure for those function pointers to
> > > each
> > > caller, we can scope those effects. We don't do this only in the
> > > proxy
> > > module, but throughout the PKCS#11 API.
> > > 
> > > The following functions are routinely wrapped in a closure:
> > > 
> > > C_Initialize
> > > C_Finalize
> > > C_CloseAllSessions
> > > C_CloseSession
> > > C_OpenSession
> > > 
> > > In addition, if things like remoting or logging are enabled, then 
> > > all functions are wrapped ... so their arguments can be remoted 
> > > or logged respectively.

I'm wondering, what if we treat a failure of libffi to initialize the
same as when WITH_FFI is not defined? That way we wouldn't get all
features but the basic stuff that apache could work. What do you think,
could that work? Does it worth a try?






More information about the p11-glue mailing list