From: Mark Robert Vaughan Murray
To: RW
Cc: freebsd-security@freebsd.org
Subject: Re: [PATCH RFC] Disable save-entropy in jails
Date: Thu, 26 Dec 2013 17:20:46 +0200
Message-Id: <5AFFCAA2-6F1F-4E3C-8311-4993B79C87EF@FreeBSD.org>
In-Reply-To: <20131225225000.0c9ad452@gumby.homeunix.com>

On 26 Dec 2013, at 00:50, RW wrote:

> On Wed, 25 Dec 2013 22:24:27 +0100
> Pawel Jakub Dawidek wrote:
>
>> We could do the same for save-entropy. It would be even nicer to have
>> some flag so that even sysctl(8) is not executed.
>
> The only security consideration here is that a bug in that conditional
> test might prevent entropy being saved. The benefit is saving a few KBs
> of disk space and a few cpu cycles a few times an hour. Tiny risk, even
> tinier benefit IMO.

Yes.

It would be more work but nicer if these scripts could be somehow
marked “not for jail use” and then dealt with by the boot process.

Hmm. It looks like rcorder(8) may already know about a ‘nojail’
attribute. I think using that would be best.

M
--
Mark R V Murray
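
The risk RW describes in the quoted text (a bug in the jail test silently stopping entropy from being saved) depends on which way the test fails. The sketch below is an added example, not code from this thread or from FreeBSD's save-entropy script; `JAIL_SYSCTL_CMD` and both function names are hypothetical, and it assumes jail status is read from the `security.jail.jailed` sysctl.

```shell
#!/bin/sh
# Added illustration; not FreeBSD's save-entropy script.
# JAIL_SYSCTL_CMD is a hypothetical override so the logic can be exercised
# on any system; by default sysctl(8) is asked for security.jail.jailed.
: "${JAIL_SYSCTL_CMD:=sysctl -n security.jail.jailed}"

# Fragile form (constructed): save only when the output is exactly "0".
# If sysctl fails or prints nothing, the comparison is false and a real
# host silently stops saving entropy.
entropy_action_fragile() {
    if [ "$($JAIL_SYSCTL_CMD 2>/dev/null)" = 0 ]; then
        echo save
    else
        echo skip
    fi
}

# Fail-safe form: skip only on a positive "1" from the kernel.
# Errors, empty output and unexpected values all fall through to "save",
# so a broken test costs a few KB of disk instead of lost entropy.
entropy_action() {
    state=$($JAIL_SYSCTL_CMD 2>/dev/null) || state=unknown
    case "$state" in
        1) echo skip ;;
        *) echo save ;;
    esac
}
```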