Date:      Wed, 4 Jul 2012 21:40:17 +0100
From:      David Chisnall <theraven@FreeBSD.org>
To:        Andrey Chernov <ache@FreeBSD.org>
Cc:        src-committers@FreeBSD.org, Pawel Jakub Dawidek <pjd@FreeBSD.org>, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org, Konstantin Belousov <kostikbel@gmail.com>, markm@FreeBSD.org
Subject:   Re: svn commit: r238118 - head/lib/libc/gen
Message-ID:  <8344944B-1CEE-4CAD-96FB-EC5A743F6909@FreeBSD.org>
In-Reply-To: <20120704203239.GA42326@vniz.net>
References:  <201207041951.q64JpPXu029310@svn.freebsd.org> <20120704200220.GM2337@deviant.kiev.zoral.com.ua> <20120704203239.GA42326@vniz.net>

On 4 Jul 2012, at 21:32, Andrey Chernov wrote:

> 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old way
> initialization) always exists.

From the perspective of Capsicum sandboxes, a device node is better
than a sysctl.  The kernel must hard-code policy about which sysctls are
permitted, but access to file descriptors is decided on a per-sandbox
basis and is configurable by the user.  The same applies to jails,
although it's slightly more effort to make device nodes appear inside a
jail.

David
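
The per-sandbox descriptor policy described in the message above, as an added example that is not part of the original e-mail or of the FreeBSD commit under discussion. It uses the Capsicum API as found in FreeBSD 10 and later (`<sys/capsicum.h>`); the names `sandboxed_random` and `late_open_errno` are hypothetical, and the Capsicum calls are compiled only on FreeBSD, so elsewhere the function just reads from the pre-opened descriptor.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* FreeBSD 10 and later */
#endif

/*
 * Open the device node before sandboxing, restrict the descriptor to reads,
 * enter capability mode, then read n bytes. Returns bytes read or -1.
 * On FreeBSD, *late_open_errno receives the errno of an open() attempted
 * after cap_enter() (ECAPMODE is expected); elsewhere it stays 0.
 */
ssize_t sandboxed_random(unsigned char *buf, size_t n, int *late_open_errno)
{
    *late_open_errno = 0;
    int fd = open("/dev/urandom", O_RDONLY);  /* access is granted here */
    if (fd < 0)
        return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ);       /* no write, ioctl or seek */
    if (cap_rights_limit(fd, &rights) < 0 || cap_enter() < 0) {
        close(fd);
        return -1;
    }
    /* Global namespaces are unreachable now: a fresh open() is refused. */
    int late = open("/dev/urandom", O_RDONLY);
    if (late < 0)
        *late_open_errno = errno;
    else
        close(late);
#endif
    ssize_t got = read(fd, buf, n);           /* works through the held fd */
    close(fd);
    return got;
}

int main(void)
{
    unsigned char buf[16];
    int e;
    ssize_t got = sandboxed_random(buf, sizeof buf, &e);
    printf("read %zd bytes, late open errno %d\n", got, e);
    return got == (ssize_t)sizeof buf ? 0 : 1;
}
```

The process that sets up the sandbox decides which descriptors it hands over, which is the per-sandbox, user-configurable policy the message contrasts with the kernel's fixed sysctl list.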


