authorJamie Nguyen <j@jamielinux.com>2015-12-10 18:11:50 +0000
committerJamie Nguyen <j@jamielinux.com>2015-12-10 18:26:51 +0000
commitc53f0939cdf06c801c86ca0355c1ebd32433c424 (patch)
tree1b831646c960eae1c3a1ec09202acfe1d88195f7
parentf3e09cc679a0236d3fb0a749638bf86acbf55420 (diff)
Improve service files (#1290444)
-rw-r--r--tor.service2
-rw-r--r--tor.spec4
-rw-r--r--tor@.service2
3 files changed, 4 insertions, 4 deletions
diff --git a/tor.service b/tor.service
index 4c60acf..8518d52 100644
--- a/tor.service
+++ b/tor.service
@@ -23,7 +23,7 @@ DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
ProtectHome=yes
ProtectSystem=full
-ReadOnlyDirectories=/
+ReadOnlyDirectories=/var
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/log/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
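Review bot: Narrowing `ReadOnlyDirectories=/` to `/var` makes every path outside /var and outside the `ProtectSystem=full` set (/usr, /boot, /etc) writable in the unit's mount namespace again, for example /run, /tmp, /opt and /srv, so only file permissions protect those locations. If the aim was to let tor write to one runtime path (inferred; the commit message does not say), keeping `ReadOnlyDirectories=/` and adding one specific `ReadWriteDirectories=` entry would preserve the tighter default. At minimum, add a comment above the line such as `# / is left writable because tor needs <path>; /usr, /boot and /etc stay read-only via ProtectSystem=full`. The same change is made in tor@.service, and the unit's earlier lines are outside the hunk, so a setting such as PrivateTmp may already cover part of this.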
diff --git a/tor.spec b/tor.spec
index a4d25c4..a037010 100644
--- a/tor.spec
+++ b/tor.spec
@@ -108,8 +108,8 @@ sed -i $RPM_BUILD_ROOT%_unitdir/%{name}.service \
-e 's/^Type=.*/Type=simple/g' \
-e '/^NotifyAccess=.*/d' \
-e '/^WatchdogSec=.*/d' \
- -e 's#^ProtectHome=.*#InaccessibleDirectories=/home#g' \
- -e '/^ProtectSystem=.*/d'
+ -e 's#^ProtectHome=.*#InaccessibleDirectories=/home\nInaccessibleDirectories=/root\nInaccessibleDirectories=/run/user#g' \
+ -e 's#^ProtectSystem=.*#ReadOnlyDirectories=/boot\nReadOnlyDirectories=/etc\nReadOnlyDirectories=/usr#g'
%endif
# Install docs manually.
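Review bot: The directives generated by the two new sed expressions name /root, /run/user and /boot unconditionally, and on a systemd old enough to need this rewrite a listed path that does not exist (for example /boot in a container) may make namespace setup fail and keep the service from starting. If the targeted systemd release accepts the `-` prefix, `InaccessibleDirectories=-/run/user` and `ReadOnlyDirectories=-/boot` keep the hardening while tolerating a missing path; this needs checking against that release. The `\n` in the replacement text relies on GNU sed. A spec comment before the sed command stating that the expansions mirror `ProtectHome=yes` and `ProtectSystem=full` would help keep them in sync with the unit files; the sed command begins outside the hunk and only `%{name}.service` is visible as its target, so it is unclear from here whether tor@.service receives the same rewrite.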
diff --git a/tor@.service b/tor@.service
index 8a5e1ed..987135d 100644
--- a/tor@.service
+++ b/tor@.service
@@ -23,7 +23,7 @@ DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
ProtectHome=yes
ProtectSystem=full
-ReadOnlyDirectories=/
+ReadOnlyDirectories=/var
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/log/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE