use getrandom function #5851
Comments
Worth mentioning that we also need to test password-protected files and document signing, which both depend on /dev/[u]random to be available.
While Basically, we need to add a check in configure.ac to see if We cannot remove the old code, just yet.
The Linux side is now supported, thanks to #5897 and @bayramcicek. However, BSD is still missing, so will keep this open until we support BSD as well.
Thanks for not forgetting FreeBSD when adding new features!
This is an Easy Hack.
Potential mentors: @Ashod
Detailed description and rationale
Currently we need the capability CAP_MKNOD in order to create our jails - but we only use this to create /dev/random and /dev/urandom. There is however no need for these nodes on modern systems:
https://lwn.net/Articles/711013/
Suggests this is unnecessary - and we can detect and use 'getrandom' on Linux, and getentropy on BSD which should use direct syscalls. That should let us drop this unnecessary capability.
Code pointers
git grep /dev/urandom # in online - and also in core.
git grep CAP_MKNOD
Hopefully not a horribly hard one. Quite probably we want to test hard vs. e.g. inserting https:// URLs to ensure our required openssl / nss etc. libraries can live without /dev/urandom and /dev/random.
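The approach described in this issue, sketched as an added example (not the project's own code): take random bytes from `getrandom` on Linux or `getentropy` on BSD, and fall back to the `/dev/urandom` node only when the syscall path fails, since the thread says the old code cannot be removed yet. The names `fill_random` and `fill_from_urandom` are hypothetical, and compiler platform macros are assumed here in place of a build-time check.

```c
#define _GNU_SOURCE            /* for O_CLOEXEC */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>            /* read(), close(); getentropy() on BSD */
#if defined(__linux__)
#include <sys/random.h>        /* getrandom(), glibc >= 2.25 */
#endif

/* Legacy path: needs the device node (and so mknod) inside the jail. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) { close(fd); return -1; }   /* error or unexpected EOF */
        off += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Hypothetical helper: returns 0 when buf holds len random bytes, -1 on failure. */
int fill_random(unsigned char *buf, size_t len)
{
    size_t off = 0;
#if defined(__linux__)
    while (off < len) {
        ssize_t n = getrandom(buf + off, len - off, 0);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            break;              /* e.g. ENOSYS on an old kernel: fall back */
        off += (size_t)n;
    }
#elif defined(__FreeBSD__) || defined(__OpenBSD__)
    while (off < len) {         /* getentropy() takes at most 256 bytes per call */
        size_t chunk = len - off > 256 ? 256 : len - off;
        if (getentropy(buf + off, chunk) != 0)
            break;
        off += chunk;
    }
#endif
    return off == len ? 0 : fill_from_urandom(buf + off, len - off);
}
```

With the fallback still present, a jail that has no `/dev/urandom` node only fails when the syscall path also fails, which is the case worth logging while testing the password-protection and signing paths mentioned in the comments.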