Use new systemd hardening options
Using systemd 232, I discovered some more hardening options. This is my working systemd unit file. I'd say the most interesting ones are "PrivateUsers" and "PrivateDevices". Note that I start tor directly as the tor user, listening on ports > 1024, because CAP_NET_BIND_SERVICE isn't enough to listen on ports < 1024. Setting this capability is enough to start dnsmasq as non-root (listening on the correct ports), so it is something within tor that breaks. AFAIK setting these is safe even for older systems, since systemd ignores unknown keywords.
[Unit]
Description=The Onion Router
After=network-online.target

[Service]
User=tor
Group=tor
ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
ExecStart=/usr/bin/tor --RunAsDaemon 0 -f /etc/tor/torrc
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
TimeoutStopSec=32
LimitNOFILE=32768

# Hardening options:
#CapabilityBoundingSet = CAP_NET_BIND_SERVICE
#AmbientCapabilities = CAP_NET_BIND_SERVICE
# Capabilities aren't enough to have ports < 1024
RuntimeDirectory=tor
# Tor is happy with this default mask
RuntimeDirectoryMode=0700
# systemd comments must be on their own line, so the note above is kept separate.
# ReadWriteDirectories= is the pre-231 spelling of ReadWritePaths=; both are accepted.
ReadWriteDirectories=/var/lib/tor/
PrivateTmp = yes
PrivateUsers = yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = strict
NoNewPrivileges = yes

[Install]
WantedBy=multi-user.target
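Since systemd silently ignores directives it does not know, the unit above can load without error on an older host while some of the sandboxing never takes effect. The following checker is an added example (not part of the original post) that compares the effective properties reported by `systemctl show` against the values the unit asks for; the `hardening_gaps` and `sample_props` names and the sample output are constructed here.

```shell
# Expected effective values of the hardening directives in the unit above.
EXPECTED='PrivateTmp=yes
PrivateUsers=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectHome=yes
ProtectSystem=strict
NoNewPrivileges=yes'

# hardening_gaps: reads `systemctl show <unit>` output (KEY=VALUE lines) on
# stdin and prints one line per expected setting that is absent or differs.
# "<unset>" means systemd never reported the property, i.e. this systemd
# version does not implement the directive and the unit file line was ignored.
hardening_gaps() {
    props=$(cat)
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        got=$(printf '%s\n' "$props" | sed -n "s/^${key}=//p" | tail -n 1)
        if [ -z "$got" ]; then
            printf '%s: expected %s, got <unset>\n' "$key" "$want"
        elif [ "$got" != "$want" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$want" "$got"
        fi
    done
}

# sample_props: constructed `systemctl show` output standing in for an older
# host that lacks ProtectKernelModules= and applied weaker values elsewhere.
sample_props() {
    cat <<'EOF'
Id=tor.service
PrivateTmp=yes
PrivateUsers=no
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectSystem=full
NoNewPrivileges=yes
EOF
}

# Real use on a host: systemctl show tor.service | hardening_gaps
# Demo on the constructed sample:
sample_props | hardening_gaps
```

Empty output means every listed directive is in effect with the requested value.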