diff options
| author | Jirka Hladky <jhladky@redhat.com> | 2021-12-31 22:01:41 +0100 |
|---|---|---|
| committer | Jirka Hladky <jhladky@redhat.com> | 2021-12-31 22:01:41 +0100 |
| commit | 1f6a41a112dc3a52792f8d981f0812c7bed0d5db (patch) | |
| tree | 9018a172ef0f38407050141d9877476640efca14 /contrib | |
| parent | Updated Copyright message (year). Added log messages (diff) | |
| download | haveged-1f6a41a112dc3a52792f8d981f0812c7bed0d5db.tar.xz haveged-1f6a41a112dc3a52792f8d981f0812c7bed0d5db.zip | |
Added haveged-once.service to provide entropy once (intended for initramfs)
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/Fedora/haveged-once.service | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/contrib/Fedora/haveged-once.service b/contrib/Fedora/haveged-once.service new file mode 100644 index 0000000..eef0e55 --- /dev/null +++ b/contrib/Fedora/haveged-once.service @@ -0,0 +1,31 @@ +[Unit] +Description=Entropy Daemon based on the HAVEGE algorithm +Documentation=man:haveged(8) http://www.issihosts.com/haveged/ +DefaultDependencies=no + +[Service] +Type=oneshot +ExecStart=/usr/bin/haveged -w 1024 -v 1 --once --Foreground +SuccessExitStatus=137 143 + +SecureBits=noroot-locked +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT +# We can *not* set PrivateTmp=true as it can cause an ordering cycle. +PrivateTmp=false +PrivateDevices=true +# We can *not* set PrivateNetwork=true to allow command mode (chroot when included in initramfs) +#PrivateNetwork=true +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +RestrictNamespaces=true +RestrictRealtime=true + +LockPersonality=true +MemoryDenyWriteExecute=true +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@mount +SystemCallErrorNumber=EPERM |