From 58febd6d204311986fc3fec604dd736662387389 Mon Sep 17 00:00:00 2001 From: unman Date: Mon, 14 Nov 2016 02:33:20 +0000 Subject: [PATCH] Add systemd override for haveged in xenial and stretch. (#2161) Reenable haveged.service after debian package installation --- Makefile | 5 +++++ debian/qubes-core-agent.postinst | 1 + vm-systemd/haveged.service | 22 ++++++++++++++++++++++ 3 files changed, 28 insertions(+) create mode 100644 vm-systemd/haveged.service diff --git a/Makefile b/Makefile index 7a3cd5b..73ce53d 100644 --- a/Makefile +++ b/Makefile @@ -263,6 +263,11 @@ else install -m 0644 misc/py2/xdg.py* $(DESTDIR)/$(PYTHON_SITEARCH)/qubes/ endif +ifneq (,$(filter xenial stretch, $(shell lsb_release -cs))) + mkdir -p $(DESTDIR)/etc/systemd/system/ + install -m 0644 vm-systemd/haveged.service $(DESTDIR)/etc/systemd/system/ +endif + install -d $(DESTDIR)/mnt/removable install -D -m 0644 misc/xorg-preload-apps.conf $(DESTDIR)/etc/X11/xorg-preload-apps.conf diff --git a/debian/qubes-core-agent.postinst b/debian/qubes-core-agent.postinst index 8d82112..d61b5c8 100755 --- a/debian/qubes-core-agent.postinst +++ b/debian/qubes-core-agent.postinst @@ -111,6 +111,7 @@ case "${1}" in # Maybe install overridden serial.conf init script installSerialConf fi + systemctl reenable haveged debug "UPDATE..." # disable some Upstart services diff --git a/vm-systemd/haveged.service b/vm-systemd/haveged.service new file mode 100644 index 0000000..e0b8fc6 --- /dev/null +++ b/vm-systemd/haveged.service 
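Review bot: The `ifneq (,$(filter xenial stretch, $(shell lsb_release -cs)))` guard is evaluated on the build host when make runs, so whether the haveged override ships depends on the build environment's codename, and if `lsb_release` is missing the `$(shell …)` expands to nothing and the block is skipped without any message. Since the override presumably decides whether the VM's entropy daemon starts on these releases, a silent skip deserves at least a comment above the conditional, for example `# haveged override is installed only when the build chroot reports xenial or stretch; needs lsb_release at build time`. The `mkdir -p` plus `install -m 0644` pair could also be the single `install -D -m 0644 vm-systemd/haveged.service $(DESTDIR)/etc/systemd/system/haveged.service`, matching the `install -D` used in the context lines below. The enclosing install target begins and ends outside this hunk.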
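Review bot: `systemctl reenable haveged` is added to this case arm with no guard, although the Makefile hunk of this commit installs the override only for xenial and stretch builds, and haveged may not be installed or systemd may not be running (for example during a chroot build). If the script runs under `set -e`, which is not visible in this hunk, a non-zero exit here would abort package configuration; if it does not, a failure goes unnoticed and the entropy daemon stays disabled. Consider `if [ -e /etc/systemd/system/haveged.service ]; then systemctl reenable haveged.service || echo "haveged could not be re-enabled" >&2; fi`, which keeps a failure visible without making it fatal. The surrounding `case` arm starts and ends outside the hunk.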
@@ -0,0 +1,22 @@
+[Unit]
+Description=Entropy daemon using the HAVEGE algorithm
+Documentation=man:haveged(8) http://www.issihosts.com/haveged/
+DefaultDependencies=no
+ConditionVirtualization=!container
+After=apparmor.service systemd-random-seed.service systemd-tmpfiles-setup.service
+
+[Service]
+EnvironmentFile=/etc/default/haveged
+ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS
+SuccessExitStatus=143
+SecureBits=noroot-locked
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SYS_ADMIN
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectSystem=full
+ProtectHome=yes
+
+[Install]
+WantedBy=multi-user.target
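Review bot: This is a full copy of a unit installed into /etc/systemd/system, where it takes precedence over the unit shipped by the haveged package, yet nothing in the file says why the override exists or which lines differ from the packaged unit. Later package updates to that unit, including any change to the sandboxing directives (`NoNewPrivileges`, `CapabilityBoundingSet`, `Private*`, `Protect*`), will therefore no longer take effect in the VM. A header comment such as `# Qubes override of the distribution haveged.service (#2161); re-sync with the packaged unit on distro upgrades` would make that visible, and a drop-in under `haveged.service.d/` carrying only the changed directives would avoid the copy altogether. Separately, `EnvironmentFile=/etc/default/haveged` has no `-` prefix, so the service fails to start when that file is absent; `EnvironmentFile=-/etc/default/haveged` lets it start with an empty `$DAEMON_ARGS`.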