diff options
Diffstat (limited to 'contrib/dist/tor.service.in')
| -rw-r--r-- | contrib/dist/tor.service.in | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/contrib/dist/tor.service.in b/contrib/dist/tor.service.in index 2fe51c75d9..c251158d9a 100644 --- a/contrib/dist/tor.service.in +++ b/contrib/dist/tor.service.in @@ -3,22 +3,27 @@ Description = Anonymizing overlay network for TCP After = syslog.target network.target nss-lookup.target [Service] -Type = simple +Type = notify +NotifyAccess = all ExecStartPre = @BINDIR@/tor -f @CONFDIR@/torrc --verify-config -# A torrc that has "RunAsDaemon 1" won't work with the "simple" service type; -# let's explicitly override it. -ExecStart = @BINDIR@/tor -f @CONFDIR@/torrc --RunAsDaemon 0 +ExecStart = @BINDIR@/tor -f @CONFDIR@/torrc ExecReload = /bin/kill -HUP ${MAINPID} KillSignal = SIGINT TimeoutSec = 30 Restart = on-failure +WatchdogSec = 1m LimitNOFILE = 32768 # Hardening PrivateTmp = yes -DeviceAllow = /dev/null rw -DeviceAllow = /dev/urandom r -InaccessibleDirectories = /home +PrivateDevices = yes +ProtectHome = yes +ProtectSystem = full +ReadOnlyDirectories = / +ReadWriteDirectories = -@LOCALSTATEDIR@/lib/tor +ReadWriteDirectories = -@LOCALSTATEDIR@/log/tor +NoNewPrivileges = yes +CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE [Install] WantedBy = multi-user.target |