From patchwork Tue Jun 9 22:41:15 2020
X-Patchwork-Submitter: Norbert Lange
X-Patchwork-Id: 1306337
From: Norbert Lange
To: buildroot@buildroot.org
Cc: Pierre-Jean Texier, Norbert Lange, jeremy.rosen@smile.fr
Date: Wed, 10 Jun 2020 00:41:15 +0200
Message-Id: <20200609224116.13607-2-nolange79@gmail.com>
In-Reply-To: <20200609224116.13607-1-nolange79@gmail.com>
References: <20200609224116.13607-1-nolange79@gmail.com>
Subject: [Buildroot] [PATCH v2 1/2] package/haveged: Change service file to run early

Drop default dependencies, haveged needs nothing but local sockets and /dev/random.

The service file now mostly matches the upstream Fedora file, except a lot of isolation options have been dropped. The benefit for a completely controlled system is small, and those options would pull in dependencies, delaying entropy being filled up.

Signed-off-by: Norbert Lange
--- package/haveged/haveged.service | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/package/haveged/haveged.service b/package/haveged/haveged.service index 91035c6711..cfdaa93a37 100644 --- a/package/haveged/haveged.service +++ b/package/haveged/haveged.service 
@@ -1,10 +1,22 @@ [Unit] -Description=Entropy Harvesting Daemon -Documentation=man:haveged(8) +# inspiration from upstream init.d/service.fedora +Description=Entropy Daemon based on the HAVEGE algorithm +Documentation=man:haveged(8) http://www.issihosts.com/haveged/ +DefaultDependencies=no +# This would wait for filesystems, but we only need /dev/random, +# which is certainly available after systemd initialised +# After=systemd-tmpfiles-setup-dev.service +Before=sysinit.target shutdown.target systemd-journald.service [Service] -ExecStart=/usr/sbin/haveged -F -w 1024 -v 1 -SuccessExitStatus=143 +ExecStart=/usr/sbin/haveged -w 1024 -v 1 --Foreground +Restart=always +SuccessExitStatus=137 143 + +# Only simple isolation methods that dont pull in dependencies +CapabilityBoundingSet=CAP_SYS_ADMIN +SecureBits=noroot-locked +ProtectSystem=full [Install] -WantedBy=multi-user.target +WantedBy=sysinit.target
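
Review bot: In [Unit], DefaultDependencies=no also removes the implicit Conflicts=shutdown.target, so the added "Before=sysinit.target shutdown.target systemd-journald.service" only orders the unit and nothing queues a stop job for it at shutdown; add Conflicts=shutdown.target beside it if a clean stop is intended (the 137 added to SuccessExitStatus= suggests the daemon is currently expected to be killed instead). In [Service], SecureBits=noroot-locked is set without AmbientCapabilities=, and noroot stops a UID 0 process from gaining capabilities on exec, so please confirm on a target that haveged still holds the CAP_SYS_ADMIN left in CapabilityBoundingSet= and can actually feed the pool. The commented-out After=systemd-tmpfiles-setup-dev.service should either be dropped or its comment should say when to re-enable it, and "dont" in the isolation comment should read "don't".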