Use new systemd hardening options
Using systemd 232, I discovered some more hardening options. This is my working systemd unit file. I'd say the most interesting ones are "PrivateUsers" and "PrivateDevices". Note that I start tor directly as the tor user, listening on ports > 1024, because CAP_NET_BIND_SERVICE isn't enough to listen on ports < 1024. Setting this capability is enough to start dnsmasq as non-root (listening on the correct ports), so it is something within tor that breaks. AFAIK setting these is safe even for older systems, since systemd ignores unknown keywords.
[Unit]
Description=The Onion Router
After=network-online.target
[Service]
User=tor
Group=tor
ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
ExecStart=/usr/bin/tor --RunAsDaemon 0 -f /etc/tor/torrc
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
TimeoutStopSec=32
LimitNOFILE=32768
# Hardening options:
#CapabilityBoundingSet = CAP_NET_BIND_SERVICE
#AmbientCapabilities = CAP_NET_BIND_SERVICE
# Capabilities aren't enough to have ports < 1024
RuntimeDirectory=tor
# Tor is happy with this default mask
# (systemd has no inline comments: text after a value would become part of the value)
RuntimeDirectoryMode=0700
ReadWriteDirectories=/var/lib/tor/
PrivateTmp = yes
PrivateUsers = yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = strict
NoNewPrivileges = yes
[Install]
WantedBy=multi-user.target
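A small lint for unit files like the one above, added here as an example; it is not part of this ticket, of Tor, or of systemd. It parses unit text with the conventions systemd uses (sections in brackets, key=value with whitespace around "=" tolerated, lines starting with "#" or ";" as comments), warns when a "#" appears after a value (systemd has no inline-comment syntax, so such text becomes part of the value and a mode like 0700 would fail to parse), and reports which of the hardening directives listed in the unit are missing or weaker than the value used there. The SAMPLE_UNIT text is constructed for the demonstration; the directive names and values are the ones from the unit file above.

```python
"""Lint a systemd [Service] section for the hardening directives discussed above.

Added example, not code from the ticket or from the systemd project.
"""
import re

# Directives and the values used in the unit file above (the lint's baseline).
HARDENING = {
    "PrivateTmp": "yes",
    "PrivateUsers": "yes",
    "PrivateDevices": "yes",
    "ProtectKernelTunables": "yes",
    "ProtectControlGroups": "yes",
    "ProtectKernelModules": "yes",
    "ProtectHome": "yes",
    "ProtectSystem": "strict",
    "NoNewPrivileges": "yes",
}

# Spellings systemd accepts for a boolean "true".
TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample: a weaker variant of the unit above, with the
# inline-comment mistake on RuntimeDirectoryMode left in on purpose.
SAMPLE_UNIT = """[Unit]
Description=The Onion Router
After=network-online.target

[Service]
User=tor
Group=tor
ExecStart=/usr/bin/tor --RunAsDaemon 0 -f /etc/tor/torrc
RuntimeDirectory=tor
RuntimeDirectoryMode=0700 # Tor is happy with this default mask
PrivateTmp = yes
ProtectSystem = full
NoNewPrivileges = yes
"""


def parse_unit(text):
    """Return ({section: {key: value}}, [warnings]).

    Whitespace around '=' is stripped, as systemd does. Whole-line '#' or ';'
    comments are skipped; a '#' after a value is reported because systemd
    keeps it as part of the value. Repeated keys keep the last value, which is
    enough for a lint (systemd itself accumulates list-valued keys).
    """
    sections, warnings = {}, []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.fullmatch(r"\[([^\]]+)\]", line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            warnings.append(f"line {lineno}: unparsable line {raw!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if "#" in value:
            warnings.append(
                f"line {lineno}: '#' after the value of {key}= is not a comment "
                f"to systemd; the value would be {value!r}"
            )
        sections[current][key] = value
    return sections, warnings


def missing_hardening(text):
    """Map each baseline directive that is absent (None) or weaker than the
    baseline (the value found) in the [Service] section."""
    service = parse_unit(text)[0].get("Service", {})
    missing = {}
    for key, want in HARDENING.items():
        got = service.get(key)
        if got is None:
            missing[key] = None
        elif want == "yes":
            if got.lower() not in TRUE_VALUES:
                missing[key] = got
        elif got.lower() != want:
            missing[key] = got
    return missing


if __name__ == "__main__":
    _, warnings = parse_unit(SAMPLE_UNIT)
    for warning in warnings:
        print("WARN", warning)
    for key, got in sorted(missing_hardening(SAMPLE_UNIT).items()):
        print("MISSING" if got is None else f"WEAK ({got})", key)
```

Run it against any unit file by reading the text into parse_unit and missing_hardening; on systems with systemd 240 or newer, "systemd-analyze security <unit>" gives the maintainers' own, far more complete exposure score and is the better check once the unit is installed.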
Trac:
Username: serafean