libffi prevents p11-kit from being usable with selinux

Stef Walter stefw at redhat.com
Wed Sep 23 07:20:43 PDT 2015


On 23.09.2015 13:41, Nikos Mavrogiannopoulos wrote:
> On Tue, 2015-09-22 at 16:19 +0200, Stef Walter wrote:
>> On 22.09.2015 11:55, Nikos Mavrogiannopoulos wrote:
>>> On Mon, 2015-09-21 at 15:12 +0200, Stef Walter wrote:
>>>
>>>> Several functions (such as CloseAllSessions()) in PKCS#11 act
>>>> globally. By returning a different closure for those function
>>>> pointers to each caller, we can scope those effects. We don't do
>>>> this only in the proxy module, but throughout the PKCS#11 API.
>>>>
>>>> The following functions are routinely wrapped in a closure:
>>>>
>>>> C_Initialize
>>>> C_Finalize
>>>> C_CloseAllSessions
>>>> C_CloseSession
>>>> C_OpenSession
>>>>
>>>> In addition, if things like remoting or logging are enabled, then 
>>>> all functions are wrapped ... so their arguments can be remoted 
>>>> or logged respectively.
> 
> I'm wondering, what if we treat a failure of libffi to initialize the
> same as when WITH_FFI is not defined? That way we wouldn't get all
> features but the basic stuff, so that apache could work. What do you
> think, could that work? Is it worth a try?

What is calling p11-kit in the apache case? Could it just ask for
P11_KIT_UNMANAGED modules? That would avoid the issue here, I think.

Stef
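
The per-caller scoping described in the quoted text, as an added example that is not part of the original message and is not p11-kit's code: PKCS#11-style entry points take no context argument, so each caller needs its own function pointers. This sketch gets them from a fixed pool of statically compiled wrappers instead of closures generated at run time; the toy session table and every name in it (func_list, get_scoped_functions, MAX_CALLERS) are hypothetical.

```c
#include <stdio.h>

#define MAX_SESSIONS 8
#define MAX_CALLERS  3   /* fixed pool size: an assumption of this sketch */

/* Toy stand-in for a PKCS#11 module: one global session table. */
static int session_owner[MAX_SESSIONS];   /* 0 = free, else caller id + 1 */

/* Like the real C_* entry points, these take no per-caller context argument. */
typedef struct {
    int  (*open_session)(void);
    void (*close_all_sessions)(void);
} func_list;

static int open_for(int caller) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (session_owner[i] == 0) { session_owner[i] = caller + 1; return i; }
    return -1;                             /* table full */
}
static void close_all_for(int caller) {    /* scoped: only this caller's sessions */
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (session_owner[i] == caller + 1) session_owner[i] = 0;
}

/* One statically compiled wrapper pair per slot. The caller id is baked in at
 * compile time, so nothing has to be generated or made executable at run time. */
#define WRAPPERS(n) \
    static int  open_##n(void)      { return open_for(n); } \
    static void close_all_##n(void) { close_all_for(n); }
WRAPPERS(0) WRAPPERS(1) WRAPPERS(2)

static const func_list pool[MAX_CALLERS] = {
    { open_0, close_all_0 }, { open_1, close_all_1 }, { open_2, close_all_2 } };
static int next_slot;

/* Hand each caller its own function list; NULL once the pool is exhausted. */
const func_list *get_scoped_functions(void) {
    return next_slot < MAX_CALLERS ? &pool[next_slot++] : NULL;
}
int count_open(void) {
    int n = 0;
    for (int i = 0; i < MAX_SESSIONS; i++) n += session_owner[i] != 0;
    return n;
}

int main(void) {
    const func_list *a = get_scoped_functions(), *b = get_scoped_functions();
    a->open_session(); a->open_session(); b->open_session();
    a->close_all_sessions();               /* b's session must survive */
    printf("open sessions left: %d\n", count_open());
    return 0;
}
```

The trade-off is the hard limit on callers: once the pool is used up, get_scoped_functions() returns NULL and the caller has to fall back to unscoped behaviour or fail.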

