0.3.2.1.alpha

add systemd hardening options
author: skydrome 2017-09-23 15:36:29 -0400
committer: skydrome 2017-09-23 15:36:29 -0400
commit: d150032a3039f340a3bd7b2c43433374be27b0eb (patch)
tree: 7d4213a35a4c79a42ebbd5e96fb62d18257bec12 /tor.service
parent: f9ea4cc1ba33df587edb3ea71f06f8a7ccd50e9e (diff)
download: aur-d150032a3039f340a3bd7b2c43433374be27b0eb.tar.gz
1 files changed, 15 insertions, 3 deletions
diff --git a/tor.service b/tor.service
index b83b3da56400..cfde74de1d19 100644
--- a/tor.service
+++ b/tor.service
@@ -1,12 +1,24 @@
 [Unit]
-Description=Anonymizing overlay network
-After=network.target
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
 
 [Service]
 Type=forking
 ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
-LimitNOFILE=8196
+LimitNOFILE=32768
+
+# Hardening
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target
author	skydrome	2017-09-23 15:36:29 -0400
committer	skydrome	2017-09-23 15:36:29 -0400
commit	d150032a3039f340a3bd7b2c43433374be27b0eb (patch)
tree	7d4213a35a4c79a42ebbd5e96fb62d18257bec12 /tor.service
parent	f9ea4cc1ba33df587edb3ea71f06f8a7ccd50e9e (diff)
download	aur-d150032a3039f340a3bd7b2c43433374be27b0eb.tar.gz