[apparmor] [PATCH] add p11-kit abstraction
Steve Beattie
steve at nxnw.org
Fri Jan 6 22:35:20 UTC 2012
On Fri, Jan 06, 2012 at 11:53:50AM -0600, Jamie Strandboge wrote:
> Several applications are linking against p11-kit[1] and we are seeing
> AppArmor denials in Ubuntu as a result[2][3].
>
> From the README in the toplevel source:
> "[P11-KIT] Provides a way to load and enumerate PKCS#11 modules.
> Provides a standard configuration setup for installing PKCS#11 modules
> in such a way that they're discoverable."
>
> File locations are described in [4]. There is a global configuration
> file in /etc/pkcs11/pkcs11.conf. Per module configuration happens
> in /etc/pkcs11/<module name>. There is also user configuration in
> ~/.pkcs11, but IMO this should not be allowed in the abstraction.

Yeah, I agree.

> Example configuration can be seen in the upstream documentation[5].
>
> This will likely need to be refined as more applications use p11-kit.
>
> Attached is a second patch to add p11-kit to the authentication
> abstraction, since PKCS#11 deals with cryptographic tokens used in
> authentication.

Acked-By: Steve Beattie <sbeattie at ubuntu.com> for both patches, thanks.

> This could conceivably also be added to the gnome abstraction since
> anything using gnome-keyring will now require the p11-kit abstraction,
> but since most gnome applications don't use gnome-keyring I don't think
> this is desired.

Agreed.

--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/