From: Attilio Rao
To: David Chisnall
Cc: src-committers@freebsd.org, Pawel Jakub Dawidek, svn-src-all@freebsd.org, Konstantin Belousov, svn-src-head@freebsd.org, Andrey Chernov, markm@freebsd.org
Date: Wed, 4 Jul 2012 21:45:54 +0100
Subject: Re: svn commit: r238118 - head/lib/libc/gen

2012/7/4 David Chisnall:
> On 4 Jul 2012, at 21:32, Andrey Chernov wrote:
>
>> 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old way
>> initialization) always exists.
>
> From the perspective of Capsicum sandboxes, a device node is better than a sysctl. The kernel must hard-code policy about which sysctls are permitted, but access to file descriptors is decided on a per-sandbox basis and is configurable by the user. The same applies to jails, although it's slightly more effort to make device nodes appear inside a jail.

Also don't underestimate the locking factor here. I recall that at some point /dev/random was introducing some scalability penalty on php (maybe related to the suhosin patch) until kib made shared lookups available on devfs. IIRC, sysctls are still Giant locked.

Attilio

-- 
Peace can only be achieved by understanding - A. Einstein