Date:      Wed, 25 Dec 2013 22:24:27 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        d@delphij.net
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: [PATCH RFC] Disable save-entropy in jails
Message-ID:  <20131225212338.GA2679@garage.freebsd.pl>
In-Reply-To: <52B9F232.1090002@delphij.net>
References:  <52B9F232.1090002@delphij.net>

On Tue, Dec 24, 2013 at 12:44:34PM -0800, Xin Li wrote:
> Hi,
>
> I think we shouldn't save entropy inside jails, as the data is not going
> to be used by rc script (pjd@126744).  If there are no objections, I will
> commit this changeset on January 1, 2014.

I agree we shouldn't do it. I have this line in my crontab that I wanted
to commit at some point:

1,31    0-5     *       *       *       root    [ `sysctl -n security.jail.jailed` -eq 0 ] && adjkerntz -a

It prevents executing adjkerntz from within a jail, but allows keeping
the same crontab in and outside jails.

We could do the same for save-entropy. It would be even nicer to have
some flag so that even sysctl(8) is not executed.

> Index: libexec/save-entropy/save-entropy.sh
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> --- libexec/save-entropy/save-entropy.sh	(revision 259828)
> +++ libexec/save-entropy/save-entropy.sh	(working copy)
> @@ -42,6 +42,10 @@ elif [ -r /etc/rc.conf ]; then
>  	. /etc/rc.conf 2>/dev/null
>  fi
>=20
> +if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
> +	exit 0
> +fi
> +
>  case ${entropy_dir} in
>  [Nn][Oo])
>  	exit 0
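
Review bot: the command substitution in the added `if` line is unquoted, so when sysctl prints nothing (it fails, or the value cannot be read) the test collapses to `[ -eq 1 ]`, which is a test(1) error rather than a clean false, and the script carries on past the check as if it were on the host. Quoting the substitution and comparing as a string keeps the check well-formed in that case, for example `if [ "$(/sbin/sysctl -n security.jail.jailed 2>/dev/null)" = "1" ]; then`. A one-line comment above the block saying why jails are skipped would also help, and since the check does not use anything read from `/etc/rc.conf` in the lines shown, it could sit before that file is sourced.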

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
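
Added example (not part of the original message or the FreeBSD source): the crontab guard above runs the job only when `security.jail.jailed` reads 0, while the patch exits only when it reads 1, so the two behave differently when the value cannot be read. The code below models both guards; `SYSCTL_CMD`, `jail_state` and the two `runs_with_*` helpers are hypothetical names introduced for illustration.

```sh
#!/bin/sh
# Added illustration; not code from the FreeBSD tree.
# SYSCTL_CMD is a hypothetical override so the logic can be exercised
# on any system; by default the real sysctl(8) is used.
: "${SYSCTL_CMD:=/sbin/sysctl}"

# Print "host", "jail" or "unknown" (sysctl missing, failed, or odd output).
jail_state() {
    value=$("$SYSCTL_CMD" -n security.jail.jailed 2>/dev/null) || value=
    case "$value" in
        0) echo host ;;
        1) echo jail ;;
        *) echo unknown ;;
    esac
}

# Crontab-style guard from the message: the job runs only when the
# value is 0, so an unreadable sysctl means the job is skipped.
runs_with_host_guard() {
    [ "$(jail_state)" = host ]
}

# Patch-style guard: the script exits only when the value is 1,
# so an unreadable sysctl means the job still runs.
runs_with_jail_guard() {
    [ "$(jail_state)" != jail ]
}
```

Which default is right depends on the job: skipping on an unreadable value suits something that must never run in a jail, while running on an unreadable value suits something the host must not miss.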
