From owner-freebsd-current@FreeBSD.ORG Wed Dec 25 21:23:49 2013 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 74D79B6F; Wed, 25 Dec 2013 21:23:49 +0000 (UTC) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id 37DC1143A; Wed, 25 Dec 2013 21:23:48 +0000 (UTC) Received: from localhost (user-94-254-144-148.play-internet.pl [94.254.144.148]) by mail.dawidek.net (Postfix) with ESMTPSA id 7F31939D; Wed, 25 Dec 2013 22:16:52 +0100 (CET) Date: Wed, 25 Dec 2013 22:24:27 +0100 From: Pawel Jakub Dawidek To: d@delphij.net Subject: Re: [PATCH RFC] Disable save-entropy in jails Message-ID: <20131225212338.GA2679@garage.freebsd.pl> References: <52B9F232.1090002@delphij.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="GvXjxJ+pjyke8COw" Content-Disposition: inline In-Reply-To: <52B9F232.1090002@delphij.net> X-OS: FreeBSD 11.0-CURRENT amd64 User-Agent: Mutt/1.5.22 (2013-10-16) Cc: "freebsd-security@freebsd.org" , FreeBSD Current X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Dec 2013 21:23:49 -0000 --GvXjxJ+pjyke8COw Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Dec 24, 2013 at 12:44:34PM -0800, Xin Li wrote: > Hi, >=20 > I think we shouldn't save entropy inside jails, as the data is not going > to be used by rc script (pjd@126744). If there is no objections, I will > commit this changeset on January 1, 2014. I agree we shouldn't do it. I have this line in my crontab that I wanted to commit at some point: 1,31 0-5 * * * root [ `sysctl -n security.jail.= jailed` -eq 0 ] && adjkerntz -a It prevents executing adjkerntz from within a jail, but allows to keep the same crontab in and outside jails. We could do the same for save-entropy. It would be even nicer to have some flag so that even sysctl(8) is not executed. > Index: libexec/save-entropy/save-entropy.sh > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- libexec/save-entropy/save-entropy.sh (revision 259828) > +++ libexec/save-entropy/save-entropy.sh (working copy) > @@ -42,6 +42,10 @@ elif [ -r /etc/rc.conf ]; then > . /etc/rc.conf 2>/dev/null > fi >=20 > +if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then > + exit 0 > +fi > + > case ${entropy_dir} in > [Nn][Oo]) > exit 0 --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com --GvXjxJ+pjyke8COw Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iEYEARECAAYFAlK7TNoACgkQForvXbEpPzTsSQCg7jQLc3nPkE//ysiqTbOtJBMw kQcAnjujd8rjiMJJu3ifsf2caNBfttIr =G2p5 -----END PGP SIGNATURE----- --GvXjxJ+pjyke8COw--