Diffstat (limited to 'meta/recipes-support/rng-tools/rng-tools/rngd.service')
-rw-r--r--meta/recipes-support/rng-tools/rng-tools/rngd.service22
1 files changed, 21 insertions, 1 deletions
diff --git a/meta/recipes-support/rng-tools/rng-tools/rngd.service b/meta/recipes-support/rng-tools/rng-tools/rngd.service
index aaaaa29074..568686e80e 100644
--- a/meta/recipes-support/rng-tools/rng-tools/rngd.service
+++ b/meta/recipes-support/rng-tools/rng-tools/rngd.service
@@ -3,11 +3,31 @@ Description=Hardware RNG Entropy Gatherer Daemon
DefaultDependencies=no
After=systemd-udev-settle.service
Before=sysinit.target shutdown.target
+Wants=systemd-udev-settle.service
Conflicts=shutdown.target
[Service]
EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
+CapabilityBoundingSet=CAP_SYS_ADMIN
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
[Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
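Review bot: `CapabilityBoundingSet=CAP_SYS_ADMIN` retains a very broad capability, and nothing in the added [Service] lines records why it is kept or narrows what it can reach. Presumably it is there for the RNDADDENTROPY ioctl on /dev/random, which requires it; a comment line above it such as `# CAP_SYS_ADMIN is needed to credit entropy via RNDADDENTROPY` would document that for the next maintainer. The unit sets no `DevicePolicy=` or `DeviceAllow=`, so the daemon can still open any device node it has file permission for; consider `DevicePolicy=closed` with `DeviceAllow=` entries for the entropy devices in use, after confirming them against the configured sources. Separately, `IPAddressDeny=any` with `RestrictAddressFamilies=AF_UNIX` would make any network-backed entropy source selected through `$EXTRA_ARGS` fail at runtime, which deserves a comment next to those two lines.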