From: David Chisnall
To: Andrey Chernov
Cc: src-committers@FreeBSD.org, Pawel Jakub Dawidek, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org, Konstantin Belousov, markm@FreeBSD.org
Date: Wed, 4 Jul 2012 21:40:17 +0100
Subject: Re: svn commit: r238118 - head/lib/libc/gen
Message-Id: <8344944B-1CEE-4CAD-96FB-EC5A743F6909@FreeBSD.org>
In-Reply-To: <20120704203239.GA42326@vniz.net>

On 4 Jul 2012, at 21:32, Andrey Chernov wrote:

> 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old way
> initialization) always exist.

From the perspective of Capsicum sandboxes, a device node is better than a sysctl. The kernel must hard-code policy about which sysctls are permitted, but access to file descriptors is decided on a per-sandbox basis and is configurable by the user. The same applies to jails, although it's slightly more effort to make device nodes appear inside a jail.

David
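
The descriptor-based pattern described in the reply above, as an added example that is not part of the original message or of FreeBSD's libc: the entropy device is opened before the process enters capability mode, and the descriptor is limited to reads. The function names are hypothetical, and the Capsicum calls are compiled only on FreeBSD (assumed: `sys/capsicum.h`, FreeBSD 10 and later); on other systems the sandbox step is a no-op.

```c
/* Added example: pre-open /dev/urandom, then sandbox. Names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* assumption: FreeBSD 10 or later */
#endif

/* Open the device while the global namespace is still reachable and
 * restrict the descriptor to CAP_READ. Returns the fd, or -1 on error. */
int open_entropy_fd(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ);
    if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) { close(fd); return -1; }
#endif
    return fd;
}

/* Enter capability mode. Returns 0 on success, or where Capsicum is absent. */
int enter_sandbox(void) {
#ifdef __FreeBSD__
    if (cap_enter() < 0 && errno != ENOSYS) return -1;
#endif
    return 0;
}

/* Read exactly len bytes from the delegated descriptor (short reads, EINTR). */
int read_entropy(int fd, unsigned char *buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;
        off += (size_t)n;
    }
    return 0;
}

int main(void) {
    unsigned char buf[16];
    int fd = open_entropy_fd("/dev/urandom");
    if (fd < 0 || enter_sandbox() < 0 || read_entropy(fd, buf, sizeof buf) < 0) return 1;
    printf("read %zu bytes through the pre-opened descriptor\n", sizeof buf);
    /* In capability mode a fresh open() by path is refused (ECAPMODE). */
    printf("new open by path: %s\n",
           open_entropy_fd("/dev/urandom") < 0 ? "denied" : "allowed (no Capsicum)");
    return 0;
}
```

Which descriptors a sandbox receives is chosen by the code that sets it up, which is the per-sandbox policy the reply contrasts with a kernel-side list of permitted sysctls.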