Re: [Exherbo-dev] Exherbo-dev Digest, Vol 47, Issue 2

[Mathias Ruediger]

On 06/06/11 13:00, exherbo-dev-requ...@lists.exherbo.org wrote:
Send Exherbo-dev mailing list submissions to
        exherbo-dev@lists.exherbo.org
To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.exherbo.org/mailman/listinfo/exherbo-dev
or, via email, send a message with subject or body 'help' to
        exherbo-dev-requ...@lists.exherbo.org

You can reach the person managing the list at
        exherbo-dev-ow...@lists.exherbo.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Exherbo-dev digest..."


Today's Topics:

    1. Re: sandboxing (Ciaran McCreesh)


----------------------------------------------------------------------

Message: 1
Date: Sun, 5 Jun 2011 19:38:50 +0100
From: Ciaran McCreesh<ciaran.mccre...@googlemail.com>
To: exherbo-dev@lists.exherbo.org
Subject: Re: [Exherbo-dev] sandboxing
Message-ID:<20110605193850.16f4c...@googlemail.com>
Content-Type: text/plain; charset="us-ascii"

On Sun, 05 Jun 2011 12:55:45 +0000
Mathias Ruediger<ruedi...@blueboot.org>  wrote:
Since I upgraded my machine to a Phenom x6, I have some issues
regarding sydbox. It runs at 100% and can (afaik) only utilize one
core. Therefore it is quite a performance gap, meaning that the other
five cores never are fully utilized.
That's not really very true. It's better to say that sydbox slightly
increases the amount of time spent invoking the non-parallelisable part
of a syscall. The question is whether this makes a large enough
difference that it's worth taking the risk of not doing sandboxing, and
the answer to that is almost certainly no.

As I understand, the reason is the kernels pthread implementation
which has some shortcomings. As I doubt this problem will be solved
anytime soon, it might be a good idea to look for alternative
approaches.
The approaches are LD_PRELOAD-based (which is what Sandbox did, at
least clasically), or ptrace-based. The LD_PRELOAD approach is horrible
and doesn't really work.

Is there a list of features a sandbox has to have to be of any use?
The big one is that it has to work reliably and consistently and
without weird side effects.

Thanks for the info's Ciaran. I will do some further measurements and 
take a closer look how big sydbox impact is. I know that LD_PRELOAD 
based sandboxes wouldn't work for us, but what do you think of lxc's 
cgroup based approach? Since we need a cgroup capable kernel for systemd 
anyways, it might be worth a try. I just don't really know where sydbox 
hooks into paludis but maybe I should ask zlin in the IRC for further 
information.

so long
Mathias

_______________________________________________
Exherbo-dev mailing list
Exherbo-dev@lists.exherbo.org
http://lists.exherbo.org/mailman/listinfo/exherbo-dev