[Exherbo-dev] sandboxing

Ciaran McCreesh ciaran.mccreesh at googlemail.com
Sun Jun 5 19:38:50 BST 2011


On Sun, 05 Jun 2011 12:55:45 +0000
Mathias Ruediger <ruediger at blueboot.org> wrote:
> Since I upgraded my machine to a Phenom x6, I have some issues
> regarding sydbox. It runs at 100% and can (afaik) only utilize one
> core. Therefore it is quite a performance gap, meaning that the other
> five cores never are fully utilized.

That's not really very true. It's better to say that sydbox slightly
increases the amount of time spent invoking the non-parallelisable part
of a syscall. The question is whether this makes a large enough
difference that it's worth taking the risk of not doing sandboxing, and
the answer to that is almost certainly no.

> As I understand, the reason is the kernel's pthread implementation
> which has some shortcomings. As I doubt this problem will be solved
> anytime soon, it might be a good idea to look for alternative
> approaches.

The approaches are LD_PRELOAD-based (which is what Sandbox did, at
least classically), or ptrace-based. The LD_PRELOAD approach is horrible
and doesn't really work.

> Is there a list of features a sandbox has to have to be of any use?

The big one is that it has to work reliably and consistently and
without weird side effects.

-- 
Ciaran McCreesh