[apparmor] [PATCH] add p11-kit abstraction

Jamie Strandboge jamie at canonical.com
Fri Jan 6 17:53:50 UTC 2012


Several applications are linking against p11-kit[1] and we are seeing
AppArmor denials in Ubuntu as a result[2][3].

From the README in the toplevel source:
"[P11-KIT] Provides a way to load and enumerate PKCS#11 modules.
Provides a standard configuration setup for installing PKCS#11 modules
in such a way that they're discoverable."

File locations are described in [4]. There is a global configuration
file in /etc/pkcs11/pkcs11.conf. Per module configuration happens
in /etc/pkcs11/<module name>. There is also user configuration in
~/.pkcs11, but IMO this should not be allowed in the abstraction.
Example configuration can be seen in the upstream documentation[5].

This will likely need to be refined as more applications use p11-kit.

Attached is a second patch to add p11-kit to the authentication
abstraction, since PKCS#11 deals with cryptographic tokens used in
authentication.

This could conceivably also be added to the gnome abstraction since
anything using gnome-keyring will now require the p11-kit abstraction,
but since most gnome applications don't use gnome-keyring I don't think
this is desired.

[1]http://p11-glue.freedesktop.org/doc/p11-kit/
[2]https://launchpad.net/bugs/912752
[3]https://launchpad.net/bugs/912754
[4]http://p11-glue.freedesktop.org/doc/p11-kit/config-locations.html
[5]http://p11-glue.freedesktop.org/doc/p11-kit/config-example.html

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-p11-kit.patch
Type: text/x-patch
Size: 2063 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120106/261786bf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-authentication-uses-p11-kit.patch
Type: text/x-patch
Size: 1066 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120106/261786bf/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120106/261786bf/attachment.pgp>
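For readers who do not fetch the attachments, the following is an illustrative AppArmor abstraction of the kind the message describes. It is an added example, not the attached 0001-p11-kit.patch or any file from the AppArmor project: the two /etc/pkcs11 locations come from the message itself, while the modules/ subdirectory and the library directories holding the PKCS#11 shared objects are assumptions about how distributions lay p11-kit out.

```apparmor
# vim:syntax=apparmor
# Illustrative abstractions/p11-kit (example only, not the attached patch).
# Paths marked "assumed" are not named in the message.

  # Global p11-kit configuration (named in the message).
  /etc/pkcs11/ r,
  /etc/pkcs11/pkcs11.conf r,

  # Per-module configuration. The message describes this as
  # /etc/pkcs11/<module name>; the modules/ subdirectory is assumed.
  /etc/pkcs11/modules/ r,
  /etc/pkcs11/modules/* r,

  # The PKCS#11 modules themselves are shared objects loaded with dlopen(),
  # so they need the 'm' (mmap as executable) permission as well as 'r'.
  # Both directory layouts below are assumed.
  /usr/lib{,32,64}/pkcs11/*.so mr,
  /usr/lib/@{multiarch}/pkcs11/*.so mr,

  # Deliberately absent: ~/.pkcs11 (per-user configuration). The message
  # argues that a shared abstraction should not grant access to
  # user-controlled module configuration, because that would let any
  # confined program be pointed at an arbitrary PKCS#11 module. A profile
  # that genuinely needs it must add that access explicitly.
```

A profile picks this up with the usual `#include <abstractions/p11-kit>` line, and adding that same include line to abstractions/authentication is what the second attached patch amounts to (the exact contents of that patch are not shown on this page, so this is an assumption). Leaving ~/.pkcs11 unmentioned rather than writing an explicit `deny` rule is a deliberate choice: an omitted path still produces an audit entry when a program touches it, which is the signal that tells you a new application needs the abstraction refined, whereas `deny` would silence it.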