systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).

The rest of the filesystem is accessible for reading only. Still, quoting systemd.exec(5): Note that restricting access with these options does not extend to submounts of a directory that are created later on.
author: intrigeri <intrigeri@boum.org> 2014-08-27 03:05:12 +0000
committer: intrigeri <intrigeri@boum.org> 2014-08-27 03:13:53 +0000
commit: c9f30c4512fa6409eaf829c8448c8e086271c94f (patch)
tree: 7398f1633e4d0fb7187734e176eb9817717ffb99 /contrib/dist
parent: b159ffb675a274b285acc55204eaf6e83cd72bf8 (diff)
download: tor-c9f30c4512fa6409eaf829c8448c8e086271c94f.tar.gz
tor-c9f30c4512fa6409eaf829c8448c8e086271c94f.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/contrib/dist/tor.service.in b/contrib/dist/tor.service.in
index 2fe51c75d9..8c70ccc6e3 100644
--- a/contrib/dist/tor.service.in
+++ b/contrib/dist/tor.service.in
@@ -19,6 +19,9 @@ PrivateTmp = yes
 DeviceAllow = /dev/null rw
 DeviceAllow = /dev/urandom r
 InaccessibleDirectories = /home
+ReadOnlyDirectories = /
+ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor
+ReadWriteDirectories = @LOCALSTATEDIR@/log/tor
 
 [Install]
 WantedBy = multi-user.target
author	intrigeri <intrigeri@boum.org>	2014-08-27 03:05:12 +0000
committer	intrigeri <intrigeri@boum.org>	2014-08-27 03:13:53 +0000
commit	c9f30c4512fa6409eaf829c8448c8e086271c94f (patch)
tree	7398f1633e4d0fb7187734e176eb9817717ffb99 /contrib/dist
parent	b159ffb675a274b285acc55204eaf6e83cd72bf8 (diff)
download	tor-c9f30c4512fa6409eaf829c8448c8e086271c94f.tar.gz tor-c9f30c4512fa6409eaf829c8448c8e086271c94f.zip