[Feature Request] Sandbox PKCS#11 module

[frankmorgner]

PKCS#11 modules could be sandboxed (made abortable at the same time) with https://github.com/google/sandboxed-api, for example. This would prevent a bogus PKCS#11 module from corrupting the process. Also, this would allow keeping the process responsive if the module has some I/O problem, for example.

[ueno]

Part of that is already possible with the remote configuration option and bubblewrap (see #172 (comment)). I suspect that making it fully automatic might require support from the sandboxing runtime, such as flatpak.

[frankmorgner]

Interesting... Maybe adding this to the documentation would be a good idea to create awareness of this feature.

Anyway, blocking I/O is still a problem with applications like Firefox, that are hanging if a module is not responding.

[ueno]

Having said that, it would be nice if p11-kit transparently does sandboxing. The current configuration syntax is a bit too limited for that; maybe adding a new option to refer external policy settings would be nice (e.g., sandbox-profile:).

[fdelapena]

Likely unrelated, but it feels like adding the p11-kit-proxy.so symlinked as /usr/lib/firefox/libosclientcerts.so feels like it runs smoother than overriding libnssckbi.so. This feature is enabled by default but the .so is not provided by Firefox yet. Note this does not consolidate with other NSS apps, but good to know there is yet another potential way to use it with Firefox: