hm, as I understand it, fork()/exec()/… are allowed after cap_enter(), is there some way to yield the permission to use those? I'm writing some program that reads a file and writes some stuff to stdout/stderr, it shouldn't be allowed to use fork() or exec()

Abstract 213 wskyx.github.io/2024/08/24/abstract213.html

To me as a first-time-reader, the man page of cap_enter() seems a bit ambiguous: "processes may only issue system calls operating on file descriptors or reading limited global system state". If "reading limited global system state" suffices to call fork(), it might be allowed. The following sentence "Future process descendants created with fork(2) [...]" suggests that fork() is allowed, too.

yeah, fork is allowed, but I would like to give up any right to call fork in my process, but I don't see a way for that

mane: was that meant for -social ?

ah i forgot there is -social channel

I guess you can kludge it with a pthread_atfork that calls abort()

I'm not very experienced with FreeBSD but I don't know of a POSIX or FreeBSD function that drops the privilege to fork()

I want to use a capability system and give up any capabilities I don't need, even if I had handles for them, not build hacky workarounds, which wouldn't work anyway as not using fork in the code is simple static analysis, so it would be about bugs, where someone does rce and could just use _Fork() instead of fork() and my process could still do stuff I don't need (enumerating badness doesn't

scale)

nimaje: a workaround might be to try something like: rctl -a process:$PID:maxproc:deny=0

not really what you're looking for though

Dear zfs experts, are there any default values I should change when creating a pool and datasets for a puter with a Ryzen 5 5600g in it?

vkarlsen: maybe i could ask the question differently: What type hard storage setup do you have? and what are you trying to achieve? The CPU (especially that size) has little impact on what storage needs you may or may not require.

so with kern.securelevel=2 you can't even boot ?

it must be manually adjusted post-boot ?

last1: why do you think so?

because I tried it

it fails to boot and drops to single user mode

says it can't mount the root device

last1: where are you setting securelevel? proper way is using rc.conf, kern_securelevel/kern_securelevel_enable

I see there is a port of signal-cli

can anyone testify that it actually works on freebsd, and that it lets you register and use signal without linking an ios/android device?

I was doing it in /etc/sysctl.conf

maybe that's why. oops

last1: sysctl.conf is still way after mounting root, are you sure you don't have it set in loader.conf?

yuri: absolutely

you can test if you want

I believe you, probably remounting root rw

voy4g3r2: I'm wondering if there are any algorithms for checksumming or compression that that cpu is particularly good or bad at

Every wondered how old the package repos are? dev.freshports.org/--/package-imports.php?sort=name ... or dev.freshports.org/--/package-imports.php?sort=date - coming soon to prod.

yuri: I can confirm that with the setting in rc.conf it boots fine

vkarlsen: as in compression algorithms? like lz4 vs gzip?

unless you are having a large user base.. i think it would be a small impact.. i think the bigger impact (potential is deduping)

i have personally have been setting lz4 compression on my datasets but my volume is only 2-3TB of data.. and it is just me streaming music and backing up various machines at my house.. enterprise level, iw ould default to better experts than me.. my experience and judgement is ancedotal.. with a small user base

and my server is just an i3 with 32 gig of ram

afaik anything you would use for checksumming should be faster than IO at most cpus, so it is basically free

that is also how i see it

it would be more.. what are the speed of the drives and channels.. old school spin drivee (5400, 7200, 10k) ssd, blah blah

vkarlsen: does it have SHA512 via aesni(4)?

I can't remember which CPUs do, but if it does, you could test sha512 checksumming offloaded via aesni(4).

Sorry, technically speaking, it's SHA512/256.

debdrup: I'm trying to find out

vkarlsen: /var/run/dmesg.boot should tell you

debdrup: I don't have it yet, it's in the mail :)

techpowerup.com/cpu-specs/ryzen-5-5600g.c2471 says it has "features: SHA and AES"

vkarlsen: that does make it a little difficult to get a dmesg from it, admittedly.

vkarlsen: a Ryzen 9 doesn't appear to have it according to dmesgd.nycbug.org/index.cgi?do=view&id=7839 - so I'm guessing not.

Another machine here has the following in dmesg.boot: aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256>. It has a different cpu, but I take it this is what I should look for?

don't forget to submit to dmesgd dmesgd.nycbug.org/index.cgi

nimaje: Oh, that's neat

Anyone successful in using a USB BLUETOOTH DEVICE ON FREEBSD ?

I found a few 5600x (should be close enough) on dmesgd, and they have aesni0: <AES-CBC,AES-CCM,AES-GCM,AES-ICM,AES-XTS,SHA1,SHA256>

I'll submit some of my dmesg.boots later