systemd unit file is not compatible with the AppArmorProfile= directive
If I add the AppArmorProfile=system_tor directive to the unit file on current Debian sid, tor doesn't start and I get:
tor.service: Failed at step APPARMOR spawning /usr/bin/tor: Read-only file system
As discussed on the systemd mailing-list last year (http://lists.freedesktop.org/archives/systemd-devel/2014-October/023909.html), setting up AppArmor confinement requires /proc to be writable.
And indeed, adding ReadWriteDirectories=-/proc fixes this problem for me. I intend to ask weasel to enable the AppArmor profile back in Debian (which we lost when migrating to systemd), so my question is: do you want ReadWriteDirectories=-/proc upstream (as a way to ease the work for downstreams who want to enable AppArmor confinement), or should we add it to the Debian delta?
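For reference, here is what the fix described in the ticket looks like as a systemd drop-in. This is an added example, not part of the original ticket or of Tor's own packaging: the drop-in path is an assumption (any tor.service.d/*.conf file works), the profile name system_tor comes from the ticket, and the explanatory comments reflect how systemd applies AppArmor confinement generally rather than anything the ticket itself states.

```ini
# /etc/systemd/system/tor.service.d/apparmor.conf   (hypothetical drop-in path)
# Added example, not from the original ticket or from Tor's packaging.
# Apply with: systemctl daemon-reload && systemctl restart tor

[Service]
# Confine the daemon with the system_tor AppArmor profile (name taken from the ticket).
AppArmorProfile=system_tor

# systemd sets up the AppArmor transition by writing the profile name into the
# task's own /proc/self/attr/ files just before exec. If the unit's other
# hardening leaves /proc read-only inside the service's mount namespace, that
# write fails with "Failed at step APPARMOR ... Read-only file system".
# Re-export /proc writable; the leading '-' tells systemd to ignore the entry
# if the path does not exist.
ReadWriteDirectories=-/proc

# Caveat for newer systems: since systemd v231 the directive is spelled
# ReadWritePaths=; ReadWriteDirectories= is still accepted as an alias.
```

Whether the line lands upstream or in the Debian delta, it only needs to be present on systems that actually set AppArmorProfile=; on hosts without AppArmor the directive is harmless but also unnecessary.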