svn commit: r238118 - head/lib/libc/gen

Konstantin Belousov kostikbel at gmail.com
Wed Jul 4 20:50:44 UTC 2012


On Wed, Jul 04, 2012 at 09:45:54PM +0100, Attilio Rao wrote:
> 2012/7/4 David Chisnall <theraven at freebsd.org>:
> > On 4 Jul 2012, at 21:32, Andrey Chernov wrote:
> >
> >> 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old way
> >> initialization) always exists.
> >
> > From the perspective of Capsicum sandboxes, a device node is better than a sysctl.  The kernel must hard-code policy about which sysctls are permitted, but access to file descriptors is decided on a per-sandbox basis and is configurable by the user.  The same applies to jails, although it's slightly more effort to make device nodes appear inside a jail.
> 
> Also don't underestimate the locking factor here.
> I recall that at some point /dev/random was introducing some
> scalability penalty on php (maybe related to the suhosin patch) until
> kib made shared lookups available on devfs. IIRC, sysctls are still
> Giant locked.

/dev/random has further optimizations which eliminate the dev_mtx
acquisitions as well. KERN_ARND is mpsafe.