On 4 Jul 2012, at 21:32, Andrey Chernov wrote: > 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old way > initialization) always exists.
From the perspective of Capsicum sandboxes, a device node is better than a sysctl. The kernel must hard-code policy about which sysctls are permitted, but access to file descriptors is decided on a per-sandbox basis and is configurable by the user. The same applies to jails, although it's slightly more effort to make device nodes appear inside a jail. David_______________________________________________ svn-src-head@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
