Date: Thu, 26 Dec 2013 17:20:46 +0200
From: Mark Robert Vaughan Murray <markm@FreeBSD.org>
To: RW <rwmaillists@googlemail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: [PATCH RFC] Disable save-entropy in jails
Message-ID: <5AFFCAA2-6F1F-4E3C-8311-4993B79C87EF@FreeBSD.org>
In-Reply-To: <20131225225000.0c9ad452@gumby.homeunix.com>
References: <52B9F232.1090002@delphij.net> <20131225212338.GA2679@garage.freebsd.pl> <20131225225000.0c9ad452@gumby.homeunix.com>

On 26 Dec 2013, at 00:50, RW <rwmaillists@googlemail.com> wrote:

> On Wed, 25 Dec 2013 22:24:27 +0100
> Pawel Jakub Dawidek wrote:
>
>
>> We could do the same for save-entropy. It would be even nicer to have
>> some flag so that even sysctl(8) is not executed.
>
> The only security consideration here is that a bug in that conditional
> test might prevent entropy being saved. The benefit is saving a few KBs
> of disk space and a few cpu cycles a few times an hour. Tiny risk, even
> tinier benefit IMO.

Yes. It would be more work but nicer if these scripts could be somehow
marked “not for jail use” and then dealt with by the boot process.

Hmm. It looks like rcorder(8) may already know about a ‘nojail’
attribute. I think using that would be best.

M
--
Mark R V Murray