Is fork() hook ever possible?
das at freebsd.org
Mon Nov 14 23:08:57 UTC 2011
On Tue, Nov 15, 2011, Andrey Chernov wrote:
> On Mon, Nov 14, 2011 at 03:58:55PM -0500, David Schultz wrote:
> > On Mon, Nov 14, 2011, Andrey Chernov wrote:
> > > 1) We should use
> > > mib[0] = CTL_KERN;
> > > mib[1] = KERN_ARND;
> > >
> > > len = sizeof(rnd);
> > > sysctl(mib, 2, rnd, &len, NULL, 0);
> > > here instead of /dev/random, like OpenBSD did. It helps jails, and
> > > re-stirring does not happen too often in any case. Obviously it minimizes
> > > OpenBSD diffs too.
> > Yes, that was in my list of suggested follow-on work, but I don't
> > have time for it right now.
> I can add this to your patch, we have the same semantics here as OpenBSD,
> so there will be no surprises.
Not quite. OpenBSD's implementation is more careful. I just
noticed a funny thing about FreeBSD's KERN_ARND sysctl: If the
random device isn't (or can't be) loaded, KERN_ARND silently
decides to initialize itself with the output of random(). This
means that whatever minuscule amount of entropy it might have
picked up from the clock is reduced to a maximum of 31 bits.
That's a fantastic way to provide a false sense of security...
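
Added example, not part of the original message or of FreeBSD's libc: a fail-closed wrapper around the KERN_ARND sysctl quoted above that handles errors, short reads and stalls. The names `rnd_source`, `fill_exact`, `short_source` and `stalled_source` are hypothetical, and the two stub sources are constructed test stand-ins. These caller-side checks cannot detect the kernel silently seeding itself from random(), which is the problem described in the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Hypothetical source type: writes up to *len bytes, stores the count in *len. */
typedef int (*rnd_source)(unsigned char *buf, size_t *len);

#ifdef __FreeBSD__
/* The sysctl from the quoted snippet, with both mib slots filled in. */
int kern_arnd_source(unsigned char *buf, size_t *len) {
    int mib[2] = { CTL_KERN, KERN_ARND };
    return sysctl(mib, 2, buf, len, NULL, 0);
}
#endif

/* Fill buf with exactly n bytes; on any error or stall, wipe buf and return -1. */
int fill_exact(rnd_source src, unsigned char *buf, size_t n) {
    size_t done = 0;
    while (done < n) {
        size_t len = n - done;
        if (src(buf + done, &len) == -1 || len == 0 || len > n - done) {
            memset(buf, 0, n);   /* never hand back a partially filled seed */
            return -1;
        }
        done += len;
    }
    return 0;
}

/* Constructed stand-ins so the loop can be exercised on any OS (not random!). */
int short_source(unsigned char *buf, size_t *len) {   /* at most 3 bytes per call */
    if (*len > 3) *len = 3;
    memset(buf, 0xAA, *len);
    return 0;
}
int stalled_source(unsigned char *buf, size_t *len) { /* succeeds, returns 0 bytes */
    (void)buf; *len = 0;
    return 0;
}

int main(void) {
    unsigned char seed[16];
    printf("short reads: %d\n", fill_exact(short_source, seed, sizeof(seed)));
    printf("stalled:     %d\n", fill_exact(stalled_source, seed, sizeof(seed)));
#ifdef __FreeBSD__
    printf("KERN_ARND:   %d\n", fill_exact(kern_arnd_source, seed, sizeof(seed)));
#endif
    return 0;
}
```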