mirror of
https://github.com/flatpak/flatpak.git
synced 2026-02-01 03:21:23 -05:00
66b2ff40f7
If p11-kit server is installed on the host, we spawn a copy of this, forwarding the access to the p11-kit trust module in a read-only way. We then (if the above worked) bind mount the socket as /run/user/$UID/p11-kit/pkcs11 in the sandbox, which is the default socket path for the p11-kit-client module. We also add a configuration file in /etc/pkcs11/modules/p11-kit-trust.module that makes the trust module actually load the client module instead. This means applications automatically switch to using the host certs for trust if possible, and use the runtime ca-certificates otherwise. Additionally we add a config file that always disables pkcs user config merging, because pkcs11 modules on the host are unlikely to work in a random runtime. Closes: #1757 Approved by: alexlarsson