package/haveged: change systemd service file to run earlier

Drop default dependencies, haveged needs nothing but local sockets and
/dev/random.

The service file now mostly matches the upstream Fedora file, except a
lot of isolation options have been dropped. The benefit for a
completely controlled system is small, and those option would pull in
dependencies, delaying entropy being filled up.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

diff --git a/package/haveged/haveged.service b/package/haveged/haveged.service
index 91035c6711147fc65890d82e417be62b19b08ff2..5a2336b0a7edb6e3fceaa714f821a1aef0d91797 100644 (file)
--- a/package/haveged/haveged.service
+++ b/package/haveged/haveged.service
@@ -1,10 +1,22 @@
 [Unit]
-Description=Entropy Harvesting Daemon
-Documentation=man:haveged(8)
+# inspiration from upstream init.d/service.fedora
+Description=Entropy Daemon based on the HAVEGE algorithm
+Documentation=man:haveged(8) http://www.issihosts.com/haveged/
+DefaultDependencies=no
+# This would wait for filesystems, but we only need /dev/random, which
+# is certainly available after systemd initialised
+# After=systemd-tmpfiles-setup-dev.service
+Before=sysinit.target shutdown.target systemd-journald.service
 
 [Service]
-ExecStart=/usr/sbin/haveged -F -w 1024 -v 1
-SuccessExitStatus=143
+ExecStart=/usr/sbin/haveged -w 1024 -v 1 --Foreground
+Restart=always
+SuccessExitStatus=137 143
+
+# Only simple isolation methods that don't pull in dependencies
+CapabilityBoundingSet=CAP_SYS_ADMIN
+SecureBits=noroot-locked
+ProtectSystem=full
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target