author | skydrome | 2017-09-23 15:36:29 -0400 |
---|---|---|
committer | skydrome | 2017-09-23 15:36:29 -0400 |
commit | d150032a3039f340a3bd7b2c43433374be27b0eb (patch) | |
tree | 7d4213a35a4c79a42ebbd5e96fb62d18257bec12 /tor.service | |
parent | f9ea4cc1ba33df587edb3ea71f06f8a7ccd50e9e (diff) | |
download | aur-d150032a3039f340a3bd7b2c43433374be27b0eb.tar.gz |
0.3.2.1.alpha
add systemd hardening options
Diffstat (limited to 'tor.service')
-rw-r--r-- | tor.service | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/tor.service b/tor.service
index b83b3da56400..cfde74de1d19 100644
--- a/tor.service
+++ b/tor.service
@@ -1,12 +1,24 @@
 [Unit]
-Description=Anonymizing overlay network
-After=network.target
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
 
 [Service]
 Type=forking
 ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
-LimitNOFILE=8196
+LimitNOFILE=32768
+
+# Hardening
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target |
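Review bot: The new `CapabilityBoundingSet=` line keeps CAP_SETUID and CAP_SETGID while the [Service] section sets no `User=`, so the daemon starts as root and the sandbox depends on tor dropping privileges itself; nothing in the unit records that dependency. A comment above the line would state it, e.g. `# tor starts as root and switches user via "User" in torrc; SETUID/SETGID are kept only for that step`, assuming torrc does set `User` (torrc is not part of this commit). Separately, `ReadOnlyDirectories=/` leaves only /var/lib/tor and /var/log/tor writable, so a PID file or control socket that torrc places elsewhere (for example under /run) would likely need its own `ReadWriteDirectories=` entry. With `Type=forking` and no `PIDFile=`, `$MAINPID` in the added `ExecReload=` also relies on systemd guessing the main process correctly.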