2012/7/4 David Chisnall <thera...@freebsd.org>:
> On 4 Jul 2012, at 21:32, Andrey Chernov wrote:
>
>> 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old way
>> initialization) always exists.
>
> From the perspective of Capsicum sandboxes, a device node is better than a 
> sysctl.  The kernel must hard-code policy about which sysctls are permitted, 
> but access to file descriptors is decided on a per-sandbox basis and is 
> configurable by the user.  The same applies to jails, although it's slightly 
> more effort to make device nodes appear inside a jail.

Also don't underestimate the locking factor here.
I recall that at some point /dev/random was introducing some
scalability penalty on php (maybe related to the suhosin patch) until
kib made shared lookups available on devfs. IIRC, sysctls are still
Giant locked.

Attilio


-- 
Peace can only be achieved by understanding - A. Einstein