Date: Thu, 26 Dec 2013 17:20:46 +0200 From: Mark Robert Vaughan Murray <markm@FreeBSD.org> To: RW <rwmaillists@googlemail.com> Cc: freebsd-security@freebsd.org Subject: Re: [PATCH RFC] Disable save-entropy in jails Message-ID: <5AFFCAA2-6F1F-4E3C-8311-4993B79C87EF@FreeBSD.org> In-Reply-To: <20131225225000.0c9ad452@gumby.homeunix.com> References: <52B9F232.1090002@delphij.net> <20131225212338.GA2679@garage.freebsd.pl> <20131225225000.0c9ad452@gumby.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On 26 Dec 2013, at 00:50, RW <rwmaillists@googlemail.com> wrote: > On Wed, 25 Dec 2013 22:24:27 +0100 > Pawel Jakub Dawidek wrote: > > >> We could do the same for save-entropy. It would be even nicer to have >> some flag so that even sysctl(8) is not executed. > > The only security consideration here is that a bug in that conditional > test might prevent entropy being saved. The benefit is saving a few KBs > of disk space and a few cpu cycles a few times an hour. Tiny risk, even > tinier benefit IMO. Yes. It would be more work but nicer if these scripts could be somehow marked “not for jail use” and then dealt with by the boot process. Hmm. It looks like rcorder(8) may already know about a ‘nojail’ attribute. I think using that would be best. M -- Mark R V Murray [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQCVAwUBUrxJVN58vKOKE6LNAQoiOAQArqG/mxL3u3/uCgNYcLSz/hHnA13rzXWZ mDa05WaUowIloGLAmkZyc3YcEuJ6XNUZQhY2cCIDmdOKv8V7pJaRYkwNe7IuJbdV 30YREyo1aVVX+cGJNrnCgnWpVBatlgCInjbTjB7bjKdQGcOtvk9gbpa000cCnxa5 WhRqTevQ70s= =kM3a -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5AFFCAA2-6F1F-4E3C-8311-4993B79C87EF>