# systemd service unit for haveged, a userspace entropy daemon.
# Runs in early boot with a reduced capability set and a syscall allow-list.
# The effective sandbox can be reviewed with `systemd-analyze security`.

[Unit]
Description=Entropy Daemon based on the HAVEGE algorithm
Documentation=man:haveged(8) http://www.issihosts.com/haveged/
# Early-boot service: opt out of the implicit dependencies and order explicitly.
DefaultDependencies=no
# Only start on kernels older than 5.6. When the condition does not hold the
# unit is skipped, not marked failed.
# NOTE(review): presumably newer kernels no longer need a userspace entropy
# source; confirm the rationale with the packaging history.
ConditionKernelVersion=<5.6
After=systemd-tmpfiles-setup-dev.service
Before=sysinit.target shutdown.target systemd-journald.service

[Service]
# @SBIN_DIR@ is a placeholder, expected to be replaced with the real install
# directory at build time. -w 1024 sets the write wakeup threshold in bits,
# -v 1 the verbosity; --Foreground keeps the process attached so systemd
# supervises it directly.
ExecStart=@SBIN_DIR@/haveged -w 1024 -v 1 --Foreground
Restart=always
# Exit codes 137 and 143 (the 128+SIGKILL / 128+SIGTERM convention) count as
# a clean exit.
SuccessExitStatus=137 143

# --- Privileges ---
# No User= appears in this unit, so the daemon runs as root; the settings
# below are what limit it.
# NOTE(review): only the lock flag is listed. Per capabilities(7) the lock
# freezes SECBIT_NOROOT at its current value, and `noroot` itself is not set
# here. Confirm this is intended before changing it: enabling `noroot` would
# alter how root's capabilities are granted on exec.
SecureBits=noroot-locked
# The bounding set is cut to two capabilities, but CAP_SYS_ADMIN alone is
# very broad, so the filesystem and syscall restrictions below carry most of
# the confinement.
# NOTE(review): presumably CAP_SYS_ADMIN is for feeding the kernel entropy
# pool and CAP_SYS_CHROOT for the command-mode chroot mentioned below; verify.
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT

# --- Filesystem, device and network view ---
# We can *not* set PrivateTmp=true as it can cause an ordering cycle.
PrivateTmp=false
# Private /dev containing only pseudo-devices such as /dev/null and /dev/random.
PrivateDevices=true
# We can *not* set PrivateNetwork=true to allow command mode (chroot when included in initramfs)
#PrivateNetwork=true
# /usr, /boot, /efi and /etc are mounted read-only for the service.
ProtectSystem=full
# /home, /root and /run/user are inaccessible.
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true

# --- Process restrictions ---
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
# Refuses memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true

# --- System call filtering ---
SystemCallArchitectures=native
# Order matters: the first line builds the allow-list, the second removes the
# @mount group from it.
# NOTE(review): confirm `newuname` is a name this systemd version recognises
# (`systemd-analyze syscall-filter`); an unrecognised name would not extend
# the allow-list.
SystemCallFilter=@system-service newuname
SystemCallFilter=~@mount
# A filtered call fails with EPERM instead of terminating the process.
SystemCallErrorNumber=EPERM

[Install]
WantedBy=sysinit.target