The previous patch had a bug: /var/run/tor was not getting created.
Sadly as long as we emulate the init script (tor starts as root and
daemonizes) we can't use the systemd RuntimeDirectory feature. Instead
the attached updated patch uses an ExecStartPre command to create the
directory.

Also, I quickly tested obfs4 and at least that pluggable transport seems
to work even with the systemd hardening stuff enabled. I'll test some
others at a later point.

-- 
Arto Jantunen

From 3f50f0225b09bee31472ea62e79fcc8da05487f5 Mon Sep 17 00:00:00 2001
From: Arto Jantunen <vi...@debian.org>
Date: Thu, 30 Apr 2015 13:56:43 +0300
Subject: [PATCH] Install and enable the systemd service file

- Patch the included service file to closely match the initscript
- Add build-dep on dh-systemd
- Install the service file
---
 debian/control                           |  2 +-
 debian/patches/debianize-systemd-service | 40 ++++++++++++++++++++++++++++++++
 debian/patches/series                    |  1 +
 debian/rules                             |  3 ++-
 debian/tor.dirs                          |  1 +
 5 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 debian/patches/debianize-systemd-service

diff --git a/debian/control b/debian/control
index 76b8ce1..c5e1258 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: tor
 Section: net
 Priority: optional
 Maintainer: Peter Palfrader <wea...@debian.org>
-Build-Depends: debhelper (>= 8.1.0~), quilt, libssl-dev, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto, dh-apparmor, libseccomp-dev [amd64 i386]
+Build-Depends: debhelper (>= 8.1.0~), quilt, libssl-dev, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto, dh-apparmor, libseccomp-dev [amd64 i386], dh-systemd
 Build-Conflicts: libnacl-dev, libseccomp-dev [!amd64 !i386]
 Standards-Version: 3.9.4
 Homepage: https://www.torproject.org/
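Review bot: the `dh-systemd` entry appended to `Build-Depends` carries no version constraint, unlike most of the other helpers on that line (`debhelper (>= 8.1.0~)`, `libevent-dev (>= 1.1)`, `asciidoc (>= 8.2)`); if the `--with quilt,systemd` sequence in debian/rules needs a particular dh-systemd version, state the minimum here, e.g. `dh-systemd (>= X)`, so the package does not build against an older dh-systemd that lacks it.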
diff --git a/debian/patches/debianize-systemd-service b/debian/patches/debianize-systemd-service
new file mode 100644
index 0000000..6243e65
--- /dev/null
+++ b/debian/patches/debianize-systemd-service
@@ -0,0 +1,40 @@
+From: Arto Jantunen <vi...@debian.org>
+Date: Wed, 29 Apr 2015 19:27:02 +0300
+Subject: Debianize systemd service file
+
+---
+ contrib/dist/tor.service.in | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/dist/tor.service.in b/contrib/dist/tor.service.in
+index c251158..57e5ecf 100644
+--- a/contrib/dist/tor.service.in
++++ b/contrib/dist/tor.service.in
+@@ -3,10 +3,12 @@ Description = Anonymizing overlay network for TCP
+ After = syslog.target network.target nss-lookup.target
+ 
+ [Service]
+-Type = notify
+-NotifyAccess = all
+-ExecStartPre = @BINDIR@/tor -f @CONFDIR@/torrc --verify-config
+-ExecStart = @BINDIR@/tor -f @CONFDIR@/torrc
++Type = forking
++PIDFile = /var/run/tor/tor.pid
++EnvironmentFile=-/etc/default/tor
++ExecStartPre = /usr/bin/install -Z -m 02750 -o debian-tor -g debian-tor -d @LOCALSTATEDIR@/run/tor
++ExecStartPre = @BINDIR@/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --verify-config
++ExecStart = @BINDIR@/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc $ARGS
+ ExecReload = /bin/kill -HUP ${MAINPID}
+ KillSignal = SIGINT
+ TimeoutSec = 30
+@@ -22,8 +24,8 @@ ProtectSystem = full
+ ReadOnlyDirectories = /
+ ReadWriteDirectories = -@LOCALSTATEDIR@/lib/tor
+ ReadWriteDirectories = -@LOCALSTATEDIR@/log/tor
+-NoNewPrivileges = yes
+-CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
++ReadWriteDirectories = -@LOCALSTATEDIR@/run
++CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
+ 
+ [Install]
+ WantedBy = multi-user.target
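Review bot: the second hunk of the embedded patch (`@@ -22,8 +24,8 @@`) drops `NoNewPrivileges = yes` and widens `CapabilityBoundingSet` with `CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER` without the patch header saying why; since the cover message explains that tor starts as root and then daemonizes, document in the patch description which of these the root-then-daemonize startup actually needs, and keep `NoNewPrivileges` unless it is shown to break that startup. In the same spirit, `ReadWriteDirectories = -@LOCALSTATEDIR@/run` makes all of /run writable when only the directory created by the new `ExecStartPre = /usr/bin/install ... -d @LOCALSTATEDIR@/run/tor` line is needed; `-@LOCALSTATEDIR@/run/tor` would match it. Two smaller points: `PIDFile = /var/run/tor/tor.pid` hardcodes /var/run while the `ExecStartPre` line uses `@LOCALSTATEDIR@/run/tor`, so one of them will be wrong if the substitution differs, and the new `EnvironmentFile=-/etc/default/tor` line omits the spaces around `=` that every other line in the unit uses.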
diff --git a/debian/patches/series b/debian/patches/series
index 19e8864..b267a32 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 improve-geoip-warning
+debianize-systemd-service
diff --git a/debian/rules b/debian/rules
index d404e19..2bf6b9b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,7 +15,7 @@ endif
 %:
 	dh \
 		$@ \
-		--with quilt \
+		--with quilt,systemd \
 		--builddirectory=build \
 		--parallel
 
@@ -52,6 +52,7 @@ override_dh_install:
 	cp debian/tor.apparmor-profile             debian/tor/etc/apparmor.d/system_tor
 	cp debian/tor.apparmor-profile.abstraction debian/tor/etc/apparmor.d/abstractions/tor
 	dh_apparmor --profile-name=system_tor -ptor
+	cp build/contrib/dist/tor.service          debian/tor/lib/systemd/system
 
 override_dh_installdocs:
 	dh_installdocs -ptor-dbg --link-doc=tor
diff --git a/debian/tor.dirs b/debian/tor.dirs
index f693956..7c82b44 100644
--- a/debian/tor.dirs
+++ b/debian/tor.dirs
@@ -1 +1,2 @@
 etc/apparmor.d/abstractions
+lib/systemd/system
-- 
2.1.4
