[PATCH RFC] Disable save-entropy in jails
Mark Robert Vaughan Murray
markm at FreeBSD.org
Thu Dec 26 15:21:05 UTC 2013
On 26 Dec 2013, at 00:50, RW <rwmaillists at googlemail.com> wrote:
> On Wed, 25 Dec 2013 22:24:27 +0100
> Pawel Jakub Dawidek wrote:
>
>
>> We could do the same for save-entropy. It would be even nicer to have
>> some flag so that even sysctl(8) is not executed.
>
> The only security consideration here is that a bug in that conditional
> test might prevent entropy being saved. The benefit is saving a few KBs
> of disk space and a few cpu cycles a few times an hour. Tiny risk, even
> tinier benefit IMO.
Yes. It would be more work but nicer if these scripts could be somehow marked
“not for jail use” and then dealt with by the boot process.
Hmm.
It looks like rcorder(8) may already know about a ‘nojail’ attribute. I
think using that would be best.
M
--
Mark R V Murray
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 353 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20131226/52540c5b/attachment-0001.sig>
More information about the freebsd-security
mailing list