authorJamie Nguyen <j@jamielinux.com>2015-09-29 12:04:18 +0100
committerJamie Nguyen <j@jamielinux.com>2015-09-29 12:50:57 +0100
commit486f3398c66b41275e0c8e52792a1492143d0b22 (patch)
tree5bb37eb93364d588dd0a7715e8f7a4bd85b67682
parent48330691b2f54b50c759ad0ad565d202f9cbc162 (diff)
Sync systemd service with upstream
-rw-r--r--tor.service35
-rw-r--r--tor.spec28
-rw-r--r--tor@.service24
3 files changed, 46 insertions, 41 deletions
diff --git a/tor.service b/tor.service
index 7911e66..128a8a8 100644
--- a/tor.service
+++ b/tor.service
@@ -3,22 +3,27 @@ Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target
[Service]
-Type = simple
-ExecStartPre = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config
-ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
-ExecReload = /bin/kill -HUP ${MAINPID}
-KillSignal = SIGINT
-TimeoutSec = 30
-Restart = on-failure
-LimitNOFILE = 32768
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config
+ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=30
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
-PrivateTmp = yes
-DeviceAllow = /dev/null rw
-DeviceAllow = /dev/urandom r
-InaccessibleDirectories = /home
-ReadOnlyDirectories = /
-ReadWriteDirectories = /var/lib/tor
-ReadWriteDirectories = /var/log/tor
+# Hardening
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/tor
+ReadWriteDirectories=/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
[Install]
WantedBy = multi-user.target
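Review bot: `NotifyAccess=all` accepts notification messages from every process in the service's control group, which is wider than the `main` setting systemd applies by default for `Type=notify`; unless tor is known to send its readiness or watchdog messages from a process other than the main one, `NotifyAccess=main` is the tighter choice. The `CapabilityBoundingSet=` line would also benefit from a comment recording why each capability is kept, for example `# CAP_SETUID/CAP_SETGID: drop to the unprivileged user set in torrc; CAP_NET_BIND_SERVICE: listen on ports below 1024`. The unit has no `User=` line, so it presumably relies on tor starting as root and dropping privileges itself; since no DAC-override capability is retained, it is worth confirming that startup still succeeds when /var/lib/tor is owned by the unprivileged account.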
diff --git a/tor.spec b/tor.spec
index eed94f2..fca4d39 100644
--- a/tor.spec
+++ b/tor.spec
@@ -5,6 +5,12 @@
%global homedir %{_localstatedir}/lib/%{name}
%global logdir %{_localstatedir}/log/%{name}
+%if 0%{?fedora} || 0%{?rhel} >= 8
+%bcond_without libsystemd
+%else
+%bcond_with libsystemd
+%endif
+
Name: tor
Version: 0.2.6.10
Release: 1%{?dist}
@@ -22,12 +28,16 @@ Source2: tor.logrotate
# and writes to /var/lib/tor instead of /root/.tor directory.
Source3: tor.defaults-torrc
Source10: tor.service
-Source11: tor@.service
BuildRequires: asciidoc
BuildRequires: libevent-devel
BuildRequires: openssl-devel
+%if 0%{with libsystemd}
+# Requires systemd >= 209. RHEL 7 has systemd 208.
+BuildRequires: systemd-devel
+%endif
+
# /usr/bin/torify is now just a wrapper for torsocks and is only there for
# backwards compatibility.
Requires: torsocks
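Review bot: The new `BuildRequires: systemd-devel` only makes the library available; none of the visible spec changes forces tor to be built with notification support, so the `Type=notify` unit appears to depend on configure auto-detecting libsystemd. If the %build section (outside this hunk) does not already do so, passing `--enable-systemd` under `%if 0%{with libsystemd}` would turn a failed detection into a build error instead of a service that never reports readiness and is stopped by its start timeout.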
@@ -74,10 +84,24 @@ mkdir -p $RPM_BUILD_ROOT%{logdir}
mkdir -p $RPM_BUILD_ROOT%{homedir}
install -D -p -m 0644 %{SOURCE10} $RPM_BUILD_ROOT%_unitdir/%{name}.service
-install -D -p -m 0644 %{SOURCE11} $RPM_BUILD_ROOT%_unitdir/%{name}@.service
install -D -p -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/tor
install -D -p -m 0644 %{SOURCE3} $RPM_BUILD_ROOT%{_datadir}/%{name}/defaults-torrc
+%if 0%{without libsystemd}
+# Some features are not available for systemd 208 on RHEL 7.
+sed -i $RPM_BUILD_ROOT%_unitdir/%{name}.service \
+ -e 's/^Type=.*/Type=simple/g' \
+ -e '/^NotifyAccess=.*/d' \
+ -e '/^WatchdogSec=.*/d' \
+ -e 's#^PrivateDevices=.*#DeviceAllow=/dev/null rw\nDeviceAllow=/dev/urandom r#g' \
+ -e 's#^ProtectHome=.*#InaccessibleDirectories=/home#g' \
+ -e '/^ProtectSystem=.*/d'
+%endif
+
+sed -e 's#/etc/tor/torrc#/etc/tor/%%i.torrc#g' \
+ $RPM_BUILD_ROOT%_unitdir/%{name}.service \
+ > $RPM_BUILD_ROOT%_unitdir/%{name}@.service
+
# Install docs manually.
rm -rf %{buildroot}%{_datadir}/doc
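Review bot: The RHEL 7 fallback `sed` expressions match only the exact `Key=` spelling, so if tor.service is ever reformatted (the previous version used `Key = value`) they silently stop matching. The package would then ship `Type=notify` and `PrivateDevices=`/`ProtectHome=` lines that systemd 208 presumably does not honour, leaving the unit without the `DeviceAllow=` and `InaccessibleDirectories=` restrictions. Two checks placed after the `sed`, inside the same `%if`, would make that a build failure: `grep -q '^Type=simple' $RPM_BUILD_ROOT%_unitdir/%{name}.service` and `grep -q '^InaccessibleDirectories=/home' $RPM_BUILD_ROOT%_unitdir/%{name}.service`. The %install section starts and ends outside this hunk.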
diff --git a/tor@.service b/tor@.service
deleted file mode 100644
index 8dc2068..0000000
--- a/tor@.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description = Anonymizing overlay network for TCP
-After = syslog.target network.target nss-lookup.target
-
-[Service]
-Type = simple
-ExecStartPre = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/%i.torrc --verify-config
-ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/%i.torrc
-ExecReload = /bin/kill -HUP ${MAINPID}
-KillSignal = SIGINT
-TimeoutSec = 30
-Restart = on-failure
-LimitNOFILE = 32768
-
-PrivateTmp = yes
-DeviceAllow = /dev/null rw
-DeviceAllow = /dev/urandom r
-InaccessibleDirectories = /home
-ReadOnlyDirectories = /
-ReadWriteDirectories = /var/lib/tor
-ReadWriteDirectories = /var/log/tor
-
-[Install]
-WantedBy = multi-user.target