authorWilliam Hubbs <w.d.hubbs@gmail.com>2022-03-30 11:15:13 -0500
committerWilliam Hubbs <w.d.hubbs@gmail.com>2022-03-30 22:07:35 -0500
commit0fb11190fa5911f6f9c20c38e74a664826157a34 (patch)
tree29649ac0c1724e0cb7c9d9e823587fbd5798d55f
parentdf18158e60dc6bfe9a77ac7d1b48417f808f5b11 (diff)
add seedrng service for Linux
This moves urandom to *bsd only and adds seedrng as a separate service for Linux. This fixes #510
-rw-r--r--conf.d/Makefile6
-rw-r--r--conf.d/meson.build4
-rw-r--r--conf.d/seedrng17
-rw-r--r--conf.d/urandom9
-rw-r--r--init.d/Makefile8
-rw-r--r--init.d/meson.build3
-rw-r--r--init.d/seedrng.in46
-rw-r--r--init.d/urandom.in39
-rw-r--r--runlevels/Makefile10
-rwxr-xr-xtools/meson_runlevels.sh6
10 files changed, 101 insertions, 47 deletions
diff --git a/conf.d/Makefile b/conf.d/Makefile
index 64168374..6d2e7de1 100644
--- a/conf.d/Makefile
+++ b/conf.d/Makefile
@@ -1,7 +1,7 @@
include ../mk/net.mk
DIR= ${CONFDIR}
-CONF= bootmisc fsck hostname localmount netmount swap urandom ${CONF-${OS}}
+CONF= bootmisc fsck hostname localmount netmount swap ${CONF-${OS}}
ifeq (${MKNET},yes)
CONF+= network staticroute
@@ -10,11 +10,11 @@ endif
MK= ../mk
include ${MK}/os.mk
-CONF-FreeBSD= ipfw modules moused powerd rarpd savecore syscons
+CONF-FreeBSD= ipfw modules moused powerd rarpd savecore syscons urandom
CONF-Linux= agetty consolefont devfs dmesg hwclock keymaps killprocs modules \
mtab net-online
-CONF-NetBSD= moused rarpd savecore
+CONF-NetBSD= moused rarpd savecore urandom
include ${MK}/scripts.mk
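Review bot: The new conf.d/seedrng file is never added to `CONF-Linux` in this hunk, while conf.d/meson.build gains `'seedrng'` in conf_Linux, init.d/Makefile adds seedrng.in to SRCS-Linux and runlevels/Makefile adds seedrng to BOOT-Linux, so a Makefile-based install ships the init script without its conf.d file. The script still runs (seedrng_options() only emits options for variables that are set), but the documented knobs are missing from the installed system. Add it to the Linux list: `CONF-Linux= agetty consolefont devfs dmesg hwclock keymaps killprocs modules \` followed by `mtab net-online seedrng`.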
diff --git a/conf.d/meson.build b/conf.d/meson.build
index ddb056a4..ce704180 100644
--- a/conf.d/meson.build
+++ b/conf.d/meson.build
@@ -7,7 +7,6 @@ conf_common = [
'localmount',
'netmount',
'swap',
- 'urandom',
]
conf_net = [
@@ -23,6 +22,7 @@ conf_FreeBSD = [
'rarpd',
'savecore',
'syscons',
+ 'urandom',
]
conf_Linux = [
@@ -36,12 +36,14 @@ conf_Linux = [
'modules',
'mtab',
'net-online',
+ 'seedrng',
]
conf_NetBSD = [
'moused',
'rarpd',
'savecore',
+ 'urandom',
]
conf_data = conf_common
diff --git a/conf.d/seedrng b/conf.d/seedrng
new file mode 100644
index 00000000..61670504
--- /dev/null
+++ b/conf.d/seedrng
@@ -0,0 +1,17 @@
+# The convention in this file is to show the default settings
+# commented out.
+#
+# Sometimes you want to have urandom start before "localmount"
+# (say for crypt swap), so you will need to customize this
+# behavior. If you have /var on a separate partition, make sure paths
+# under /var are adjusted to point to locations on your
+# root device.
+#
+# Set skip_credit to yes or true if you do not want seed files to
+# actually credit the random number generator.
+# For example, you should set this if you plan to replicate the file
+# system image without removing the contents of ${seed_dir}.
+#
+# lock_file=/var/run/seedrng.lock
+# seed_dir=/var/lib/seedrng
+# skip_credit=no
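Review bot: The second paragraph of the new file still talks about starting `urandom` before "localmount" and moving paths under /var to the root device, wording carried over from conf.d/urandom; this file configures the seedrng service, and init.d/seedrng.in in this commit declares `need localmount`, so the /var advice only applies if that dependency is also changed. Suggest `# Sometimes you want to have seedrng start before "localmount"` plus a sentence saying the `need localmount` dependency in the init script must be relaxed for that to have any effect. The three commented values are presented as the defaults, but seedrng_options() passes an option only when the variable is non-empty, so the effective defaults presumably come from the seedrng binary itself; stating that these mirror the binary's defaults rather than values the script applies would avoid confusion if the binary's defaults ever differ.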
diff --git a/conf.d/urandom b/conf.d/urandom
index 744e4f70..f721a249 100644
--- a/conf.d/urandom
+++ b/conf.d/urandom
@@ -2,11 +2,4 @@
# (say for crypt swap), so you will need to customize this
# behavior. If you have /var on a separate partition, then
# make sure this path lives on your root device somewhere.
-seed_dir="/var/lib/seedrng"
-lock_file="/var/run/seedrng.lock"
-
-# Set this to true if you do not want seed files to actually
-# credit the RNG. Set this if you plan to replicate this
-# file system image and do not have the wherewithal to first
-# delete the contents of /var/lib/seedrng.
-skip_credit="false"
+urandom_seed="/var/lib/misc/random-seed"
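Review bot: `urandom_seed="/var/lib/misc/random-seed"` is assigned unconditionally here, whereas the updated init.d/urandom.in already defaults it with `: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}}` and the sibling conf.d/seedrng added in this commit shows its defaults commented out. An uncommented assignment also silently overrides the `URANDOM_SEED` environment fallback the init script introduces. Showing it as `# urandom_seed="/var/lib/misc/random-seed"` keeps the two conf files consistent and leaves the environment override usable.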
diff --git a/init.d/Makefile b/init.d/Makefile
index c97aeda9..ee227f43 100644
--- a/init.d/Makefile
+++ b/init.d/Makefile
@@ -3,7 +3,7 @@ include ../mk/net.mk
DIR= ${INITDIR}
SRCS= bootmisc.in fsck.in hostname.in local.in localmount.in loopback.in \
netmount.in osclock.in root.in savecache.in swap.in swclock.in \
- sysctl.in runsvdir.in urandom.in s6-svscan.in ${SRCS-${OS}}
+ sysctl.in runsvdir.in s6-svscan.in ${SRCS-${OS}}
BIN= ${OBJS}
# Are we installing our network scripts?
@@ -16,7 +16,7 @@ include ${MK}/os.mk
# Generic BSD scripts
SRCS-FreeBSD= hostid.in modules.in moused.in newsyslog.in pf.in rarpd.in \
- rc-enabled.in rpcbind.in savecore.in syslogd.in
+ rc-enabled.in rpcbind.in savecore.in syslogd.in urandom.in
# These are FreeBSD specific
SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \
mixer.in nscd.in powerd.in syscons.in
@@ -24,11 +24,11 @@ SRCS-FreeBSD+= adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \
SRCS-Linux= agetty.in binfmt.in devfs.in cgroups.in dmesg.in hwclock.in \
consolefont.in keymaps.in killprocs.in modules.in \
mount-ro.in mtab.in numlock.in procfs.in net-online.in save-keymaps.in \
- save-termencoding.in sysfs.in termencoding.in
+ save-termencoding.in seedrng.in sysfs.in termencoding.in
# Generic BSD scripts
SRCS-NetBSD= hostid.in moused.in newsyslog.in pf.in rarpd.in rc-enabled.in \
- rpcbind.in savecore.in syslogd.in
+ rpcbind.in savecore.in syslogd.in urandom.in
# These are NetBSD specific
SRCS-NetBSD+= devdb.in swap-blk.in ttys.in wscons.in
diff --git a/init.d/meson.build b/init.d/meson.build
index a34f1c35..ab4b27f4 100644
--- a/init.d/meson.build
+++ b/init.d/meson.build
@@ -15,7 +15,6 @@ init_common = [
'swclock.in',
'sysctl.in',
'runsvdir.in',
- 'urandom.in',
's6-svscan.in',
]
@@ -44,6 +43,7 @@ init_Linux = [
'net-online.in',
'save-keymaps.in',
'save-termencoding.in',
+ 'seedrng.in',
'sysfs.in',
'termencoding.in',
]
@@ -58,6 +58,7 @@ init_BSD = [
'rpcbind.in',
'savecore.in',
'syslogd.in',
+ 'urandom.in',
]
init_FreeBSD = [
diff --git a/init.d/seedrng.in b/init.d/seedrng.in
new file mode 100644
index 00000000..25e9ad13
--- /dev/null
+++ b/init.d/seedrng.in
@@ -0,0 +1,46 @@
+#!@SBINDIR@/openrc-run
+# Copyright (c) 2007-2022 The OpenRC Authors.
+# See the Authors file at the top-level directory of this distribution and
+# https://github.com/OpenRC/openrc/blob/HEAD/AUTHORS
+#
+# This file is part of OpenRC. It is subject to the license terms in
+# the LICENSE file found in the top-level directory of this
+# distribution and at https://github.com/OpenRC/openrc/blob/HEAD/LICENSE
+# This file may not be copied, modified, propagated, or distributed
+# except according to the terms contained in the LICENSE file.
+
+description="Initializes the random number generator."
+
+depend()
+{
+ after clock
+ need localmount
+ keyword -docker -jail -lxc -openvz -prefix -systemd-nspawn
+ provide urandom
+}
+
+seedrng_options()
+{
+ [ -n "${lock_file}" ] &&
+ echo "--lock-file \"${lock_file}\""
+ [ -n "${seed_dir}" ] &&
+ echo "--seed-dir \"${seed_dir}\""
+ rc_yesno "${skip_credit}" &&
+ echo "--skip-credit"
+}
+
+start()
+{
+ ebegin "Seeding random number generator"
+ seedrng $(seedrng_options)
+ eend $? "Error seeding random number generator"
+ return 0
+}
+
+stop()
+{
+ ebegin "Saving random number generator seed"
+ seedrng $(seedrng_options)
+ eend $? "Error saving random number generator seed"
+ return 0
+}
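Review bot: seedrng_options() emits literal double quotes around each path (`echo "--lock-file \"${lock_file}\""`), and start()/stop() expand it unquoted as `seedrng $(seedrng_options)`; the shell word-splits command-substitution output but does not re-parse quote characters, so seedrng receives `"/var/run/seedrng.lock"` with the quote characters included, and a path containing whitespace is still split into several words. Building the argument list with `set --` in a shared helper keeps each path a single argument; the helper below replaces seedrng_options() and both `seedrng $(seedrng_options)` calls. Both start() and stop() also `return 0` regardless of the eend status, so a failed seed or save is reported but never fails the service; if that deliberately mirrors urandom.in, a one-line comment saying so would help the next reader.
```shell
run_seedrng()
{
	set --
	[ -n "${lock_file}" ] && set -- "$@" --lock-file "${lock_file}"
	[ -n "${seed_dir}" ] && set -- "$@" --seed-dir "${seed_dir}"
	if rc_yesno "${skip_credit}"; then
		set -- "$@" --skip-credit
	fi
	seedrng "$@"
}

start()
{
	ebegin "Seeding random number generator"
	run_seedrng
	eend $? "Error seeding random number generator"
	return 0
}
# … unchanged: stop() calls run_seedrng in the same way …
```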
diff --git a/init.d/urandom.in b/init.d/urandom.in
index cda431fd..8b7072c1 100644
--- a/init.d/urandom.in
+++ b/init.d/urandom.in
@@ -9,10 +9,7 @@
# This file may not be copied, modified, propagated, or distributed
# except according to the terms contained in the LICENSE file.
-export SEEDRNG_SEED_DIR="${seed_dir:-/var/lib/seedrng}"
-export SEEDRNG_LOCK_FILE="${lock_file:-/var/run/seedrng.lock}"
-export SEEDRNG_SKIP_CREDIT="${skip_credit:-false}"
-: ${urandom_seed:=${SEEDRNG_SEED_DIR}/../misc/random-seed}
+: ${urandom_seed:=${URANDOM_SEED:-/var/lib/misc/random-seed}}
description="Initializes the random number generator."
depend()
@@ -24,35 +21,33 @@ depend()
save_seed()
{
+ local psz=1
+
+ if [ -e /proc/sys/kernel/random/poolsize ]; then
+ : $(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 ))
+ fi
+
( # sub shell to prevent umask pollution
umask 077
- dd if=/dev/urandom of="$urandom_seed" count=1 2>/dev/null
+ dd if=/dev/urandom of="$urandom_seed" count=${psz} 2>/dev/null
)
}
start()
{
- if [ "$RC_UNAME" = Linux ]; then
- seedrng
- else
- [ -c /dev/urandom ] || return
- if [ -f "$urandom_seed" ]; then
- ebegin "Initializing random number generator"
- cat "$urandom_seed" > /dev/urandom
- eend $? "Error initializing random number generator"
- fi
- rm -f "$urandom_seed" && save_seed
+ [ -c /dev/urandom ] || return
+ if [ -f "$urandom_seed" ]; then
+ ebegin "Initializing random number generator"
+ cat "$urandom_seed" > /dev/urandom
+ eend $? "Error initializing random number generator"
fi
+ rm -f "$urandom_seed" && save_seed
return 0
}
stop()
{
- if [ "$RC_UNAME" = Linux ]; then
- seedrng
- else
- ebegin "Saving random seed"
- save_seed
- eend $? "Failed to save random seed"
- fi
+ ebegin "Saving random seed"
+ save_seed
+ eend $? "Failed to save random seed"
}
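Review bot: The new `psz` computation in save_seed() reads /proc/sys/kernel/random/poolsize, a Linux interface, but this commit removes urandom.in from the Linux install lists (init.d/Makefile SRCS and init.d/meson.build init_common) and ships it only through the BSD lists, so the `[ -e /proc/sys/kernel/random/poolsize ]` guard appears never to succeed where the script now runs and `count=${psz}` stays at 1. Either drop the block and keep `count=1`, or add a comment explaining why Linux-specific sizing is retained in a BSD-only script. If it is kept, `$(( psz = $(cat /proc/sys/kernel/random/poolsize) / 4096 ))` evaluates to 0 whenever poolsize is reported below 4096, and `dd count=0` then writes an empty seed file; a floor of 1, e.g. `[ "${psz}" -ge 1 ] || psz=1`, guards that.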
diff --git a/runlevels/Makefile b/runlevels/Makefile
index 73843d8b..8d8b8e9e 100644
--- a/runlevels/Makefile
+++ b/runlevels/Makefile
@@ -1,7 +1,7 @@
include ../mk/net.mk
BOOT= bootmisc fsck hostname localmount loopback \
- root swap sysctl urandom ${BOOT-${OS}}
+ root swap sysctl ${BOOT-${OS}}
DEFAULT= local netmount
NONETWORK= local
SHUTDOWN= savecache ${SHUTDOWN-${OS}}
@@ -29,20 +29,20 @@ BOOT-${OS}=
SHUTDOWN-${OS}=
SYSINIT-${OS}=
-BOOT-BSD= hostid newsyslog savecore syslogd swap-blk
+BOOT-BSD= hostid newsyslog savecore syslogd swap-blk urandom
# Generic BSD stuff
-BOOT-FreeBSD+= hostid modules newsyslog savecore syslogd
+BOOT-FreeBSD+= hostid modules newsyslog savecore syslogd urandom
# FreeBSD specific stuff
BOOT-FreeBSD+= adjkerntz dumpon syscons
BOOT-Linux+= binfmt hwclock keymaps modules mtab procfs save-keymaps \
- save-termencoding termencoding
+ save-termencoding seedrng termencoding
SHUTDOWN-Linux= killprocs mount-ro
SYSINIT-Linux= devfs cgroups dmesg sysfs
# Generic BSD stuff
-BOOT-NetBSD+= hostid newsyslog savecore syslogd
+BOOT-NetBSD+= hostid newsyslog savecore syslogd urandom
# NetBSD specific stuff
BOOT-NetBSD+= devdb swap-blk ttys wscons
diff --git a/tools/meson_runlevels.sh b/tools/meson_runlevels.sh
index e24c2e2e..1473d4e2 100755
--- a/tools/meson_runlevels.sh
+++ b/tools/meson_runlevels.sh
@@ -24,11 +24,11 @@ case "${os}" in
;;
esac
-boot="bootmisc fsck hostname localmount loopback root swap sysctl urandom"
+boot="bootmisc fsck hostname localmount loopback root swap sysctl"
if [ "${net}" = yes ]; then
boot="${boot} network staticroute"
fi
-boot_BSD="hostid newsyslog savecore syslogd"
+boot_BSD="hostid newsyslog savecore syslogd urandom"
case "${os}" in
DragonFly)
@@ -39,7 +39,7 @@ case "${os}" in
;;
Linux)
boot="${boot} binfmt hwclock keymaps modules mtab procfs
- save-keymaps save-termencoding termencoding"
+ save-keymaps save-termencoding seedrng termencoding"
;;
NetBSD)
boot="${boot} ${boot_BSD} devdb swap-blk tys wscons"
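Review bot: The NetBSD boot list in the last context line of this hunk reads `devdb swap-blk tys wscons`, while runlevels/Makefile in this same commit lists `devdb swap-blk ttys wscons` and init.d/Makefile ships `ttys.in`; `tys` looks like a pre-existing typo that leaves ttys out of the meson-generated NetBSD boot runlevel. It is not introduced by this change, but since the hunk already edits the neighbouring Linux list it is worth correcting here: `boot="${boot} ${boot_BSD} devdb swap-blk ttys wscons"`.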