Allow rngd to run as non-privledged user

Resolves: rhbz#1965318

Signed-off-by: Vladis Dronov <vdronov@redhat.com>

rng-tools.spec

@@ -16,6 +16,7 @@ License:        GPLv2+
 URL:            https://github.com/nhorman/rng-tools
 Source0:        https://github.com/nhorman/rng-tools/archive/v%{version}/rng-tools-%{version}.tar.gz
 Source1:        rngd.service
+Source2:        rngd-wake-threshold.service
 
 BuildRequires: gcc make
 BuildRequires: gettext
@@ -64,15 +65,19 @@ Hardware random number generation tools.
 
 # install systemd unit file
 install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE1}
+install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE2}
+
+%pre
+getent passwd rngd >/dev/null || useradd -r -M -d %{_localstatedir}/lib/rngd -s /sbin/nologin -c "Random Number Generator Daemon" rngd
 
 %post
-%systemd_post rngd.service
+%systemd_post rngd.service rngd-wake-threshold.service
 
 %preun
-%systemd_preun rngd.service
+%systemd_preun rngd.service rngd-wake-threshold.service
 
 %postun
-%systemd_postun_with_restart rngd.service
+%systemd_postun_with_restart rngd.service rngd-wake-threshold.service
 
 %files
 %{!?_licensedir:%global license %%doc}
@@ -83,14 +88,16 @@ install -Dt %{buildroot}%{_unitdir} -m0644 %{SOURCE1}
 %{_mandir}/man1/rngtest.1.*
 %{_mandir}/man8/rngd.8.*
 %attr(0644,root,root)   %{_unitdir}/rngd.service
+%attr(0644,root,root)   %{_unitdir}/rngd-wake-threshold.service
 
 %changelog
 * Mon May 24 2021 Vladis Dronov <vdronov@redhat.com> - 6.12-4
+- Allow rngd to run as non-privledged user (bz 1965318)
 - Update the rngd.service file
 - Add 3 small upstream patches fixing issues
 
 * Wed Apr 28 2021 Vladis Dronov <vdronov@redhat.com> - 6.12-3
-- There is no need to hardcode _sbindir anymore, also the old value is incorrect
+- There is no need to hardcode _sbindir anymore, also the old value is incorrect (bz 1965318)
 
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 6.12-2
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

rngd-wake-threshold.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Hardware RNG Entropy Gatherer Wake threshold service
+Before=rngd.service
+
+[Service]
+CapabilityBoundingSet=CAP_SYS_ADMIN
+AmbientCapabilities=CAP_SYS_ADMIN
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/sh -c "PSIZE=$(cat /proc/sys/kernel/random/poolsize); let THRESH=$PSIZE*3/4; echo $THRESH>/proc/sys/kernel/random/write_wakeup_threshold"
+
+[Install]
+WantedBy=sysinit.target

rngd.service

@@ -1,9 +1,15 @@
 [Unit]
 Description=Hardware RNG Entropy Gatherer Daemon
 ConditionVirtualization=!container
+Requires=rngd-wake-threshold.service
 
 [Service]
-ExecStart=/usr/sbin/rngd -f
+User=rngd
+Group=rngd
+CapabilityBoundingSet=CAP_SYS_ADMIN
+AmbientCapabilities=CAP_SYS_ADMIN
+ExecStart=/usr/sbin/rngd -f --fill-watermark=0
+TimeoutStartSec=60s
 
 [Install]
 WantedBy=multi-user.target

tests/selftest/runtest.sh

@@ -65,6 +65,7 @@ rlJournalStart
 	else
 		rlFail "Selftest Failed"
 	fi
+        rlFileSubmit $TESTLOG
     rlPhaseEnd
 
     rlPhaseStartCleanup