poky/meta/recipes-support/rng-tools/rng-tools/rng-tools.service - mdmillerii/openbmc - Gitiles

 [Unit]
 Description=Hardware RNG Entropy Gatherer Daemon
 DefaultDependencies=no
 Conflicts=shutdown.target
 Before=sysinit.target shutdown.target
 ConditionVirtualization=!container

 [Service]
 EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
 ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
 CapabilityBoundingSet=CAP_SYS_ADMIN
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service

 [Install]
 WantedBy=sysinit.target
	[Unit]
	Description=Hardware RNG Entropy Gatherer Daemon
	DefaultDependencies=no
	Conflicts=shutdown.target
	Before=sysinit.target shutdown.target
	ConditionVirtualization=!container

	[Service]
	EnvironmentFile=-@SYSCONFDIR@/default/rng-tools
	ExecStart=@SBINDIR@/rngd -f $EXTRA_ARGS
	CapabilityBoundingSet=CAP_SYS_ADMIN
	IPAddressDeny=any
	LockPersonality=yes
	MemoryDenyWriteExecute=yes
	NoNewPrivileges=yes
	PrivateTmp=yes
	ProtectControlGroups=yes
	ProtectHome=yes
	ProtectHostname=yes
	ProtectKernelModules=yes
	ProtectKernelLogs=yes
	ProtectSystem=strict
	RestrictAddressFamilies=AF_UNIX
	RestrictNamespaces=yes
	RestrictRealtime=yes
	RestrictSUIDSGID=yes
	SystemCallArchitectures=native
	SystemCallErrorNumber=EPERM
	SystemCallFilter=@system-service

	[Install]
	WantedBy=sysinit.target