-rw-r--r--INSTALL2
-rw-r--r--Makefile.in18
-rw-r--r--configure.ac1
-rw-r--r--random-seed-save.service16
-rw-r--r--random-seed-save.timer11
-rw-r--r--random-seed.service28
-rw-r--r--random-seed.service.in28
7 files changed, 97 insertions, 7 deletions
diff --git a/INSTALL b/INSTALL
index 11f3a22..1ee0cf6 100644
--- a/INSTALL
+++ b/INSTALL
@@ -6,5 +6,5 @@ Tests must be run as root in order to access RNDADDENTROPY.
On systemd, to set random-seed as your random seed provider, execute:
- systemctl enable random-seed
+ systemctl enable random-seed.service random-seed-save.timer
systemctl mask systemd-random-seed
diff --git a/Makefile.in b/Makefile.in
index cbd4cdf..57aa4cb 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -11,6 +11,7 @@ sysconfdir = @sysconfdir@
localstatedir = @localstatedir@
mandir = @mandir@
systemdsystemunitdir = @systemdsystemunitdir@
+default_seed_path_dir = @default_seed_path_dir@
CC = @CC@
CFLAGS = -Wall -Wextra -pedantic @CFLAGS@ -MD -MP -UNDEBUG -include @abs_top_builddir@/config.h
@@ -22,15 +23,22 @@ OBJ := $(SRC:.c=.o)
DEP := $(SRC:.c=.d)
TEST_FILE := random-seed.test
-all: random-seed
+all: random-seed random-seed.service
random-seed: $(OBJ)
-install: random-seed
- install -D -m755 random-seed $(sbindir)/random-seed
- install -D -m644 $(abs_srcdir)/random-seed.8 $(mandir)/man8/random-seed.8
+random-seed.service: random-seed.service.in
+ sed -e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@default_seed_path_dir[@]|$(default_seed_path_dir)|g' \
+ $< > $@
+
+install: all
+ install -D -m755 random-seed $(DESTDIR)$(sbindir)/random-seed
+ install -D -m644 $(abs_srcdir)/random-seed.8 $(DESTDIR)$(mandir)/man8/random-seed.8
ifneq ($(systemdsystemunitdir),)
- install -D -m644 $(abs_srcdir)/random-seed.service $(systemdsystemunitdir)/random-seed.service
+ install -D -m644 random-seed.service $(DESTDIR)$(systemdsystemunitdir)/random-seed.service
+ install -D -m644 $(abs_srcdir)/random-seed-save.service $(DESTDIR)$(systemdsystemunitdir)/random-seed-save.service
+ install -D -m644 $(abs_srcdir)/random-seed-save.timer $(DESTDIR)$(systemdsystemunitdir)/random-seed-save.timer
endif
test: $(TEST_FILE)
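Review bot: The two added install lines copy random-seed-save.service verbatim from `$(abs_srcdir)`, but that file (added later in this commit) still contains `@sbindir@` and `@default_seed_path_dir@`, and only random-seed.service.in is passed through sed here. Unless something outside this diff substitutes it, the installed unit would carry a literal `ExecStart=@sbindir@/random-seed save`. Renaming it to random-seed-save.service.in, generalising the rule header to `%.service: %.service.in Makefile`, adding the result to `all` and installing the built copy would fix that. The Makefile prerequisite also matters because a reconfigure with a different --sbindir otherwise leaves the old output in place. The pre-generated random-seed.service added by this commit (with `/usr/local/sbin` hard-coded) can likewise look up to date in an in-tree build, so it is better left out of the repository.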
diff --git a/configure.ac b/configure.ac
index 51397a3..d13b943 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,7 +42,6 @@ AC_ARG_WITH([default-seed-path],
[default_seed_path=$withval],
[default_seed_path=/var/lib/random-seed])
AC_DEFINE_UNQUOTED(DEFAULT_SEED_PATH, "$default_seed_path", [default seed path])
-# assume people will not specify default_seed_path=/
default_seed_path_dir=${default_seed_path%/*}
AC_SUBST(default_seed_path_dir)
diff --git a/random-seed-save.service b/random-seed-save.service
new file mode 100644
index 0000000..a9858bc
--- /dev/null
+++ b/random-seed-save.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Random seed save
+RequiresMountsFor=@default_seed_path_dir@
+After=systemd-remount-fs.service
+
+[Service]
+ExecStart=@sbindir@/random-seed save
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=@default_seed_path_dir@
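Review bot: `BindPaths=@default_seed_path_dir@` binds the seed file's parent directory read-write, and with the default seed path /var/lib/random-seed (configure.ac) that parent is all of /var/lib. The sandbox set up by `TemporaryFileSystem=/:ro` therefore still gives a process holding CAP_SYS_ADMIN write access to other services' state; the same line appears in random-seed.service.in. Keeping the seed in a directory of its own (for example a default such as /var/lib/random-seed/seed, a path made up here for illustration) would limit the bind to the seed. Separately, configure.ac derives the directory with `${default_seed_path%/*}`, which is empty for a path directly under /, and this commit removes the comment recording that assumption. A configure-time check that rejects an empty result would keep `BindPaths=` and `RequiresMountsFor=` from being generated empty.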
diff --git a/random-seed-save.timer b/random-seed-save.timer
new file mode 100644
index 0000000..f39227d
--- /dev/null
+++ b/random-seed-save.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Random seed save timer
+ConditionVirtualization=!container
+
+[Timer]
+OnActiveSec=3h
+OnUnitInactiveSec=3h
+AccuracySec=2h
+
+[Install]
+WantedBy=timers.target
diff --git a/random-seed.service b/random-seed.service
new file mode 100644
index 0000000..04b2ef5
--- /dev/null
+++ b/random-seed.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Random seed load/save
+Documentation=man:random-seed(8) man:random(4)
+DefaultDependencies=no
+RequiresMountsFor=/var/lib
+Conflicts=shutdown.target
+After=systemd-remount-fs.service
+Before=sysinit.target shutdown.target
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/random-seed load
+ExecStop=/usr/local/sbin/random-seed save
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=/var/lib
+TimeoutSec=30s
+
+[Install]
+WantedBy=sysinit.target
diff --git a/random-seed.service.in b/random-seed.service.in
new file mode 100644
index 0000000..97bda54
--- /dev/null
+++ b/random-seed.service.in
@@ -0,0 +1,28 @@
+[Unit]
+Description=Random seed load/save
+Documentation=man:random-seed(8) man:random(4)
+DefaultDependencies=no
+RequiresMountsFor=@default_seed_path_dir@
+Conflicts=shutdown.target
+After=systemd-remount-fs.service
+Before=sysinit.target shutdown.target
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@sbindir@/random-seed load
+ExecStop=@sbindir@/random-seed save
+CapabilityBoundingSet=CAP_SYS_ADMIN
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+LockPersonality=yes
+TemporaryFileSystem=/:ro
+BindPaths=@default_seed_path_dir@
+TimeoutSec=30s
+
+[Install]
+WantedBy=sysinit.target