Date: Thu, 5 Jul 2012 07:49:42 -0400
From: John Baldwin <jhb@freebsd.org>
To: Attilio Rao <attilio@freebsd.org>
Cc: src-committers@freebsd.org, Andrey Chernov <ache@freebsd.org>, svn-src-all@freebsd.org, David Chisnall <theraven@freebsd.org>, Konstantin Belousov <kostikbel@gmail.com>, svn-src-head@freebsd.org, Pawel Jakub Dawidek <pjd@freebsd.org>, markm@freebsd.org
Subject: Re: svn commit: r238118 - head/lib/libc/gen
Message-ID: <201207050749.43210.jhb@freebsd.org>
In-Reply-To: <CAJ-FndAGgkgi5W3LqgMkeK9AquQ=1RhhYcj4jnLmuRg2EwVuqA@mail.gmail.com>
References: <201207041951.q64JpPXu029310@svn.freebsd.org> <8344944B-1CEE-4CAD-96FB-EC5A743F6909@FreeBSD.org> <CAJ-FndAGgkgi5W3LqgMkeK9AquQ=1RhhYcj4jnLmuRg2EwVuqA@mail.gmail.com>
On Wednesday, July 04, 2012 4:45:54 pm Attilio Rao wrote:
> 2012/7/4 David Chisnall <theraven@freebsd.org>:
> > On 4 Jul 2012, at 21:32, Andrey Chernov wrote:
> >
> >> 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old
> >> way initialization) always exist.
> >
> > From the perspective of Capsicum sandboxes, a device node is better than a
> > sysctl. The kernel must hard-code policy about which sysctls are permitted,
> > but access to file descriptors is decided on a per-sandbox basis and is
> > configurable by the user. The same applies to jails, although it's slightly
> > more effort to make device nodes appear inside a jail.
>
> Also don't underestimate the locking factor here.
> I recall that at some point /dev/random was introducing some
> scalability penalty on php (maybe related to the suhosin patch) until
> kib made shared lookups available on devfs. IIRC, sysctls are still
> Giant locked.
sysctls are not all Giant locked. KERN_ARND is marked MPSAFE, so it does not
use Giant:
static int
sysctl_kern_arnd(SYSCTL_HANDLER_ARGS)
{
	char buf[256];
	size_t len;

	len = req->oldlen;
	if (len > sizeof(buf))
		len = sizeof(buf);
	arc4rand(buf, len, 0);
	return (SYSCTL_OUT(req, buf, len));
}

SYSCTL_PROC(_kern, KERN_ARND, arandom,
    CTLTYPE_OPAQUE | CTLFLAG_RD | CTLFLAG_MPSAFE | CTLFLAG_CAPRD, NULL, 0,
    sysctl_kern_arnd, "", "arc4rand");
--
John Baldwin
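The handler quoted in the message copies out at most 256 bytes per call, so a userland caller that wants more has to check the returned length and loop; the sketch below does that and falls back to /dev/urandom, which the quoted discussion notes may be absent in a jail or sandbox. It is an added example, not code from this thread or from FreeBSD libc; fill_random, fill_sysctl, fill_urandom and ARND_CHUNK are hypothetical names, and the sysctl path is assumed to exist only on FreeBSD.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

#define ARND_CHUNK 256	/* sizeof(buf) in sysctl_kern_arnd() */

/* Fill p[0..n) from the KERN_ARND sysctl; -1 if it is unavailable or fails. */
static int fill_sysctl(unsigned char *p, size_t n)
{
#ifdef __FreeBSD__
	int mib[2] = { CTL_KERN, KERN_ARND };
	while (n > 0) {
		size_t got = n < ARND_CHUNK ? n : ARND_CHUNK;
		/* got is updated to the byte count actually copied out */
		if (sysctl(mib, 2, p, &got, NULL, 0) == -1 || got == 0)
			return -1;
		p += got;
		n -= got;
	}
	return 0;
#else
	(void)p; (void)n;
	return -1;	/* assumption: no KERN_ARND outside FreeBSD */
#endif
}

/* Fill p[0..n) from /dev/urandom, which a jail or sandbox may not expose. */
static int fill_urandom(unsigned char *p, size_t n)
{
	int fd = open("/dev/urandom", O_RDONLY);
	if (fd == -1)
		return -1;
	while (n > 0) {
		ssize_t r = read(fd, p, n);
		if (r == 0 || (r < 0 && errno != EINTR))
			break;	/* EOF or hard error: give up */
		if (r > 0) { p += r; n -= (size_t)r; }
	}
	close(fd);
	return n == 0 ? 0 : -1;
}

/* Hypothetical helper: 0 only when one source wrote all n bytes. */
int fill_random(void *buf, size_t n)
{
	return fill_sysctl(buf, n) == 0 ? 0 : fill_urandom(buf, n);
}
```

A caller should treat a -1 return as fatal for key or seed generation rather than continue with a partially filled buffer.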
