Improve hardening in tor.service

I suggest that tor.service's hardening implementation be changed. These lines would be replaced:

[Service]
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
ReadWriteDirectories = /var/run/tor
ReadWriteDirectories = /proc

With these lines:

PrivateDevices = yes
ProtectHome = yes
ProtectSystem = full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID

Using PrivateDevices instead of the DeviceAllow lines is more secure, as it creates a totally separate /dev as well as removing the CAP_MKNOD capability.

ProtectHome makes /home inaccessible, equivalent to "InaccessibleDirectories = /home" but (arguably) more comprehensible.

ProtectSystem=full makes /usr and /etc read-only.

CapabilityBoundingSet reduces the process's capabilities to just what it needs.

See http://www.freedesktop.org/software/systemd/man/systemd.exec.html

This discussion was started at https://bugs.gentoo.org/show_bug.cgi?id=529212 and the suggestion to use the higher level constructs was made by the Gentoo systemd team.

For historical reference, tor.service was added in #8368 (moved)

Trac:
Username: candrews
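As an added example (not part of this ticket and not tor's own unit file): once the proposed CapabilityBoundingSet= line is in place, the thing worth verifying is the bounding set of the running daemon itself, read from the CapBnd line of /proc/<pid>/status, rather than what the unit file says. The capability bit numbers are taken from <linux/capability.h>; the two CapBnd lines at the bottom are constructed sample data (a process hardened as proposed, and an unconfined root process), and check_tor_pid is a helper name chosen here.

```shell
#!/usr/bin/env bash
# Added example: decode the CapBnd mask of a process and compare it with the
# bounding set that "CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID"
# is expected to leave. Bit numbers are from <linux/capability.h>.
set -eu

CAP_SETGID=6
CAP_SETUID=7
CAP_NET_BIND_SERVICE=10
CAP_MKNOD=27

# Bitmask of exactly the three capabilities the proposed unit keeps.
expected_capbnd_mask() {
    echo $(( (1 << CAP_NET_BIND_SERVICE) | (1 << CAP_SETUID) | (1 << CAP_SETGID) ))
}

# Read /proc/<pid>/status text on stdin, print the CapBnd value as a decimal integer.
capbnd_from_status() {
    local hex
    hex=$(awk '/^CapBnd:/ { print $2 }')
    echo $(( 0x$hex ))
}

# capbnd_ok MASK: succeeds only if MASK is exactly the expected bounding set.
capbnd_ok() {
    [ "$1" -eq "$(expected_capbnd_mask)" ]
}

# has_cap MASK CAPNUM: succeeds if capability bit CAPNUM is set in MASK.
has_cap() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# Check a live process, for example:
#   check_tor_pid "$(systemctl show -p MainPID --value tor.service)"
check_tor_pid() {
    local mask
    mask=$(capbnd_from_status < "/proc/$1/status")
    if capbnd_ok "$mask"; then
        echo "ok: CapBnd is exactly CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID"
    else
        printf 'bounding set is 0x%x, expected 0x%x\n' "$mask" "$(expected_capbnd_mask)"
        # CAP_MKNOD is the one the ticket specifically wants gone (PrivateDevices drops it too).
        has_cap "$mask" "$CAP_MKNOD" && echo "warning: CAP_MKNOD still in the bounding set"
        return 1
    fi
}

# Constructed sample status excerpts (not captured from a real system):
# a tor process confined as proposed, and an unconfined root process.
SAMPLE_HARDENED='Name:	tor
CapBnd:	00000000000004c0'
SAMPLE_UNHARDENED='Name:	tor
CapBnd:	0000003fffffffff'
```

The bounding set of the unit as systemd parsed it can be read with `systemctl show -p CapabilityBoundingSet tor.service`; comparing that against CapBnd of the main PID catches the case where the directive was accepted but the process was started some other way.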