purposes. See the <link linkend="option-log-calls"><literal>log-calls = yes</literal></link>
module configuration option.</para>
</listitem>
+ <listitem>
+ <para>Managed modules have the ability to be isolated in their own process
+ See the <link linkend="option-isolated"><literal>isolated = yes</literal></link>
+ module configuration option.</para>
</itemizedlist>
</section>
</chapter>
not present, then any process will load the module.</para>
</listitem>
</varlistentry>
+ <varlistentry id="option-isolated">
+ <term><option>isolated:</option></term>
+ <listitem>
+ <para>Set to <literal>yes</literal> to run this PKCS#11 module in its own
+ process. This is a simple way to set the <option>remote</option> to
+ accomplish the same thing.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><option>managed:</option></term>
<listitem>
p11_dict **config,
bool critical)
{
- const char *filename;
- const char *remote;
+ const char *filename = NULL;
+ const char *remote = NULL;
+ char *value = NULL;
+ CK_RV rv = CKR_OK;
+ bool isolated;
Module *mod;
- CK_RV rv;
assert (name);
assert (*name);
assert (*config);
if (!is_module_enabled_unlocked (*name, *config))
- return CKR_OK;
+ goto out;
remote = p11_dict_get (*config, "remote");
+ if (remote == NULL) {
+ filename = p11_dict_get (*config, "module");
+ if (filename == NULL) {
+ p11_debug ("no module path for module, skipping: %s", *name);
+ goto out;
+ }
+ }
+
+ /* The 'isolated' setting is just a simple way to configure remote */
+ isolated = _p11_conf_parse_boolean (p11_dict_get (*config, "isolated"), false);
+ if (isolated) {
+ if (remote) {
+ p11_message ("ignoring 'isolated' on module '%s' because 'remote' is set", *name);
+ isolated = false;
+ } else {
+ if (asprintf (&value, "|" BINDIR "/p11-kit remote '%s'", filename) < 0)
+ return_val_if_reached (CKR_DEVICE_ERROR);
+ remote = value;
+ }
+ }
+
if (remote != NULL) {
rv = setup_module_for_remote_inlock (*name, remote, &mod);
if (rv != CKR_OK)
- return rv;
+ goto out;
} else {
- filename = p11_dict_get (*config, "module");
- if (filename == NULL) {
- p11_debug ("no module path for module, skipping: %s", *name);
- return CKR_OK;
- }
rv = load_module_from_file_inlock (*name, filename, &mod);
if (rv != CKR_OK)
- return CKR_OK;
+ goto out;
/*
* We support setting of CK_C_INITIALIZE_ARGS.pReserved from
*name = NULL;
mod->critical = critical;
- return CKR_OK;
+out:
+ free (value);
+ return rv;
}
static CK_RV
projects / p11-kit / commitdiff