fyi, from the debian-0.2.7 branch: >From fcdeff2c1d84dd984d61bab73bb81ef08b31674e Mon Sep 17 00:00:00 2001 From: Peter Palfrader <[email protected]> Date: Tue, 20 Oct 2015 17:15:18 +0200 Subject: [PATCH] Enable apparmor support for the default tor service (re: #761404).
Apparmor is not yet being enabled for any other tor instance. --- debian/changelog | 4 +++- debian/systemd/[email protected] | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 18b3cd5..c603cf8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,8 +5,10 @@ tor (0.2.7.3-rc-1.1) experimental; urgency=medium * Support multiple instances (closes: #791393). * Split systemd service timeout into start and stop timeout, and raise them to 120 and 60 seconds from 45 (closes: tor#16398). + * Enable apparmor support for the default tor service (re: #761404). + Apparmor is not yet being enabled for any other tor instance. - -- Peter Palfrader <[email protected]> Tue, 20 Oct 2015 17:09:01 +0200 + -- Peter Palfrader <[email protected]> Tue, 20 Oct 2015 17:14:23 +0200 tor (0.2.7.3-rc-1) experimental; urgency=medium diff --git a/debian/systemd/[email protected] b/debian/systemd/[email protected] index 7910d24..52ba846 100644 --- a/debian/systemd/[email protected] +++ b/debian/systemd/[email protected] @@ -20,12 +20,14 @@ Restart=on-failure LimitNOFILE=65536 # Hardening +AppArmorProfile=system_tor NoNewPrivileges=yes PrivateTmp=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=full ReadOnlyDirectories=/ +ReadWriteDirectories=-/proc ReadWriteDirectories=-/var/lib/tor ReadWriteDirectories=-/var/log/tor ReadWriteDirectories=-/var/run -- 2.1.4 -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal https://www.palfrader.org/ | `. `' Operating System | `- https://www.debian.org/
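Review bot: `ReadWriteDirectories=-/proc` in the Hardening block of the service-file hunk is undocumented and re-opens a tree that `ReadOnlyDirectories=/` had made read-only; a one-line comment in the unit saying why it is needed (presumably the profile switch done by `AppArmorProfile=` has to write the new profile name into the process's own `/proc/self/attr` entry, which fails once `/proc` is read-only) would stop the next maintainer from dropping the line as an apparent hardening regression. `AppArmorProfile=system_tor` carries no `-` prefix, so on a host where AppArmor is active but the `system_tor` profile has not been loaded the unit fails to start instead of running unconfined; that is the fail-closed choice, but it is a behaviour change worth stating in the changelog entry next to the "not yet for other instances" remark. After applying, it is worth confirming the confinement really takes effect alongside `NoNewPrivileges=yes`, e.g. `aa-status` listing the tor process under `system_tor`, or `/proc/<pid>/attr/current` for the running daemon reading `system_tor (enforce)`.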

