systemd: add per-user remoting socket

This allows daemons outside user's session to use per-user PKCS#11
modules. Useful for letting VPN daemons or wpa_supplicant use
certificates stored in user's GNOME keyring, etc.

diff --git a/.gitignore b/.gitignore
index d190914ebe72aaf11592d1e994e399f02e07fb24..f25914e7f76f19e4fff47240648ccb4b2a81b6d0 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -102,6 +102,7 @@ x86_64-w64-mingw32
 /p11-kit/p11-kit.pc
 /p11-kit/p11-kit-1.pc
 /p11-kit/pkcs11.conf.example
+/p11-kit/p11-kit-remote@.service
 
 /po/POTFILES
 /po/stamp-po

diff --git a/configure.ac b/configure.ac
index a5f044a2276e095d5043ddba5cf3a0f0c4e0c2a1..b6ac61c80c1a1e01f960daae8c4ead28970f811b 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -507,6 +507,7 @@ AC_CONFIG_FILES([Makefile
        po/Makefile.in
        p11-kit/p11-kit-1.pc
        p11-kit/pkcs11.conf.example
+       p11-kit/p11-kit-remote@.service
        trust/trust-extract-compat
        trust/test-extract
 ])

diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am
index f1c05831039ad500ec3e62c6154dcdd104eb09fd..507be5f04348bfc6a4ffa81d286066a3e5f4ab0a 100644 (file)
--- a/p11-kit/Makefile.am
+++ b/p11-kit/Makefile.am
@@ -93,13 +93,23 @@ install-exec-hook:
        done
        $(MKDIR_P) $(DESTDIR)$(p11_package_config_modules)
 
+install-data-hook:
+       $(MKDIR_P) $(DESTDIR)$(systemduserdir)/sockets.target.wants
+       $(LN_S) -f ../p11-kit-remote.socket $(DESTDIR)$(systemduserdir)/sockets.target.wants/p11-kit-remote.socket
+
 uninstall-local:
        for i in so dylib; do \
                rm -f $(DESTDIR)$(libdir)/p11-kit-proxy.$$i; \
        done
+       rm -f $(DESTDIR)$(systemduserdir)/sockets.target.wants/p11-kit-remote.socket
 
 endif
 
+systemduserdir = $(prefix)/lib/systemd/user
+systemduser_DATA = \
+       p11-kit/p11-kit-remote.socket \
+       p11-kit/p11-kit-remote@.service
+
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = p11-kit/p11-kit-1.pc
 
@@ -108,6 +118,7 @@ example_DATA = p11-kit/pkcs11.conf.example
 
 EXTRA_DIST += \
        p11-kit/docs.h \
+       p11-kit/p11-kit-remote.socket \
        $(NULL)
 
 bin_PROGRAMS += p11-kit/p11-kit

diff --git a/p11-kit/p11-kit-remote.socket b/p11-kit/p11-kit-remote.socket
new file mode 100644 (file)
index 0000000..37a277b
--- /dev/null
+++ b/p11-kit/p11-kit-remote.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=PKCS#11 Remote Access Socket
+
+[Socket]
+Accept=true
+ListenStream=%t/p11-kit-remote
+SocketMode=0600
+
+[Install]
+WantedBy=sockets.target

diff --git a/p11-kit/p11-kit-remote@.service.in b/p11-kit/p11-kit-remote@.service.in
new file mode 100644 (file)
index 0000000..dd6d332
--- /dev/null
+++ b/p11-kit/p11-kit-remote@.service.in
@@ -0,0 +1,10 @@
+[Unit]
+Description=PKCS#11 Remote Access
+Documentation=man:p11-kit(8)
+Requires=p11-kit-remote.socket
+
+[Service]
+StandardInput=socket
+StandardOutput=socket
+StandardError=journal
+ExecStart=@libdir@/p11-kit/p11-kit-remote @libdir@/p11-kit-proxy.so