From owner-freebsd-security@FreeBSD.ORG Wed Dec 25 22:50:04 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EB61E325 for ; Wed, 25 Dec 2013 22:50:04 +0000 (UTC) Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8268619DC for ; Wed, 25 Dec 2013 22:50:04 +0000 (UTC) Received: by mail-wi0-f171.google.com with SMTP id bz8so12944952wib.4 for ; Wed, 25 Dec 2013 14:50:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; bh=KnirY9Pn267N8NQ2qdkYwhxRPTRiacijDdCutiy1J34=; b=mYiv/kaGTOYXt7H/3yPAnIHKQp8uyUYdxCDkmQXJG9WbaS5AEjU8ijaKP7lMbVhhEz 32B6U7ssSWZbOQz9pPAZgpuFR2DllR++YE2RbAJClzYcdxn2yGpQf0NDN5jXDPpKFdA8 F4j27rz1Xy1VsKdy8jeb7cMrnv5IxzVekzzAtJpealWTyTpEBKJa9hA14mXofNCOl7Gl a2QpQFbEFmW1aX+eI1d0DBYUSFfEJQ8oXgSFwYjetgXRPhPU7Kb0UAOYz/I+rXx3IACA f7fdNmavmDdx/XOcafj2hsUClKmk2nm+OdP6W6itJgpJvsxyJPjx4hqqnUfGaZ0AznUy BCPw== X-Received: by 10.194.240.197 with SMTP id wc5mr27923592wjc.23.1388011802901; Wed, 25 Dec 2013 14:50:02 -0800 (PST) Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk. [87.194.105.247]) by mx.google.com with ESMTPSA id cx3sm46461438wib.0.2013.12.25.14.50.01 for (version=SSLv3 cipher=RC4-SHA bits=128/128); Wed, 25 Dec 2013 14:50:02 -0800 (PST) Date: Wed, 25 Dec 2013 22:50:00 +0000 From: RW To: freebsd-security@freebsd.org Subject: Re: [PATCH RFC] Disable save-entropy in jails Message-ID: <20131225225000.0c9ad452@gumby.homeunix.com> In-Reply-To: <20131225212338.GA2679@garage.freebsd.pl> References: <52B9F232.1090002@delphij.net> <20131225212338.GA2679@garage.freebsd.pl> X-Mailer: Claws Mail 3.9.3 (GTK+ 2.24.22; amd64-portbld-freebsd10.0) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 22:50:05 -0000 On Wed, 25 Dec 2013 22:24:27 +0100 Pawel Jakub Dawidek wrote: > We could do the same for save-entropy. It would be even nicer to have > some flag so that even sysctl(8) is not executed. The only security consideration here is that a bug in that conditional test might prevent entropy being saved. The benefit is saving a few KBs of disk space and a few cpu cycles a few times an hour. Tiny risk, even tinier benefit IMO.