On Wed, Jul 04, 2012 at 09:45:54PM +0100, Attilio Rao wrote:
> 2012/7/4 David Chisnall <thera...@freebsd.org>:
> > On 4 Jul 2012, at 21:32, Andrey Chernov wrote:
> >
> >> 1) /dev/urandom may not exist in jails/sandboxes while sysctls (or old way
> >> initialization) always exists.
> >
> > From the perspective of Capsicum sandboxes, a device node is better than a
> > sysctl. The kernel must hard-code policy about which sysctls are
> > permitted, but access to file descriptors is decided on a per-sandbox basis
> > and is configurable by the user. The same applies to jails, although it's
> > slightly more effort to make device nodes appear inside a jail.
>
> Also don't underestimate the locking factor here.
> I recall that at some point /dev/random was introducing some
> scalability penalty on php (maybe related to the suhosin patch) until
> kib made shared lookups available on devfs. IIRC, sysctls are still
> Giant locked.

/dev/random has further optimizations which eliminate the dev_mtx acquisitions as well. KERN_ARND is mpsafe.
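
The two seed sources weighed in this thread, side by side, as an added example that is not code from any of the posters or from FreeBSD: the KERN_ARND sysctl is tried first, with a fallback to a /dev/urandom descriptor opened before sandbox or jail entry. The helper names (`fill_from_fd`, `fill_from_sysctl`, `get_seed`) are hypothetical, and the sandbox entry call itself is left as a comment.

```c
/* Added example; fill_from_fd, fill_from_sysctl and get_seed are hypothetical names. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__FreeBSD__)
#include <sys/sysctl.h>
#endif

/* Read exactly len bytes from an already-open descriptor (handles EINTR, short reads). */
static int fill_from_fd(int fd, unsigned char *buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;          /* error or unexpected EOF */
        off += (size_t)n;
    }
    return 0;
}

/* KERN_ARND needs no device node, but whether a sandbox may call it is kernel policy. */
static int fill_from_sysctl(unsigned char *buf, size_t len) {
#if defined(__FreeBSD__)
    int mib[2] = { CTL_KERN, KERN_ARND };
    for (size_t off = 0, n; off < len; off += n) {
        n = len - off;                  /* the kernel may return fewer bytes */
        if (sysctl(mib, 2, buf + off, &n, NULL, 0) != 0 || n == 0) return -1;
    }
    return 0;
#else
    (void)buf; (void)len; return -1;    /* no KERN_ARND on this platform */
#endif
}

/* Prefer the sysctl; fall back to a descriptor opened before sandbox entry. */
static int get_seed(int urandom_fd, unsigned char *buf, size_t len) {
    if (fill_from_sysctl(buf, len) == 0) return 0;
    return urandom_fd >= 0 ? fill_from_fd(urandom_fd, buf, len) : -1;
}

int main(void) {
    unsigned char seed[32];
    /* Open while the node is visible; sandbox entry would follow this line. */
    int fd = open("/dev/urandom", O_RDONLY);
    if (get_seed(fd, seed, sizeof seed) != 0) return 1;
    for (size_t i = 0; i < sizeof seed; i++) printf("%02x", seed[i]);
    return puts("") == EOF;
}
```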