Use new systemd hardening options

Using systemd 232, I discovered some more hardening options. This is my working systemd unit file. I'd say the most interesting ones are "PrivateUsers" and "PrivateDevices". Note that I start tor directly as the tor user, listening on ports > 1024, because CAP_NET_BIND_SERVICE isn't enough to listen on ports < 1024. Setting this capability is enough to start dnsmasq as non-root (listening on the correct ports), so it is something within tor that breaks. AFAIK setting these is safe even for older systems, since systemd ignores unknown keywords.

[Unit]
Description=The Onion Router
# After= only orders the unit; Wants= is what actually pulls network-online.target in.
Wants=network-online.target
After=network-online.target

[Service]
User=tor
Group=tor
ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
ExecStart=/usr/bin/tor --RunAsDaemon 0 -f /etc/tor/torrc
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
TimeoutStopSec=32
LimitNOFILE=32768

# Hardening options:
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
# Capabilities aren't enough to have ports < 1024. With PrivateUsers=yes the
# service runs in its own user namespace and, per systemd.exec(5), has no
# capabilities in the host's user namespace, so CAP_NET_BIND_SERVICE cannot
# grant binding to privileged ports on the host's network.
RuntimeDirectory=tor
# systemd has no end-of-line comments ("0700 # note" would become the value),
# so the note goes on its own line: Tor is happy with this default mask.
RuntimeDirectoryMode=0700
# ProtectSystem=strict mounts the whole file system read-only except for the
# paths listed here. ReadWritePaths= is the newer spelling (systemd >= 231);
# ReadWriteDirectories= still works as an alias on 232.
ReadWriteDirectories=/var/lib/tor/
PrivateTmp=yes
PrivateUsers=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=strict
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
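An added example of how to audit a unit file for the hardening options listed above (this is not part of the ticket and not tor's or systemd's own tooling). It parses the [Service] section the way systemd does (whitespace around "=" tolerated, no end-of-line comments), reports which of the sandboxing directives are missing, and flags two mistakes that are easy to make: ProtectSystem=strict without a writable state path, and a trailing "# comment" that silently becomes part of a value. The two unit files it checks are constructed samples written to temporary files, not the ticket's unit.

```shell
#!/bin/sh
# Constructed example: audit a systemd unit for the hardening directives
# discussed in the ticket. Names (unit_get, check_hardening) are this
# example's own, not systemd's.

# Directives we expect in [Service], as key=value pairs.
REQUIRED_HARDENING="PrivateTmp=yes PrivateUsers=yes PrivateDevices=yes \
ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes \
ProtectHome=yes ProtectSystem=strict NoNewPrivileges=yes"

# unit_get FILE KEY: print the value(s) of KEY from the [Service] section.
# Whitespace around '=' is stripped (systemd tolerates it); '#'/';' lines
# are comments only when they start the line, exactly as in systemd.
unit_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && $0 !~ /^[ \t]*[#;]/ {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# check_hardening FILE: print one line per finding; return 1 if any.
check_hardening() {
    rc=0
    for pair in $REQUIRED_HARDENING; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(unit_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "missing or wrong: $key (want '$want', got '${got:-<unset>}')"
            rc=1
        fi
    done
    # strict makes everything read-only, so state must be whitelisted.
    if [ "$(unit_get "$1" ProtectSystem)" = "strict" ]; then
        rw="$(unit_get "$1" ReadWritePaths)$(unit_get "$1" ReadWriteDirectories)$(unit_get "$1" StateDirectory)"
        if [ -z "$rw" ]; then
            echo "ProtectSystem=strict without ReadWritePaths=/ReadWriteDirectories=/StateDirectory="
            rc=1
        fi
    fi
    # "Key=value # note" is NOT a comment to systemd; the note joins the value.
    # Heuristic: a legitimate '#' inside a value (rare) would also trigger this.
    if grep -Eq '^[[:space:]]*[A-Za-z]+[[:space:]]*=[^#;]*[#;]' "$1"; then
        echo "inline comment after a value (systemd has no end-of-line comments)"
        rc=1
    fi
    return $rc
}

# Constructed sample units (temporary files, removed on exit).
GOOD_UNIT=$(mktemp); BAD_UNIT=$(mktemp)
trap 'rm -f "$GOOD_UNIT" "$BAD_UNIT"' EXIT
cat > "$GOOD_UNIT" <<'EOF'
[Unit]
Description=constructed hardened sample
[Service]
User=tor
RuntimeDirectory=tor
ReadWritePaths=/var/lib/tor/
PrivateTmp = yes
PrivateUsers = yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = strict
NoNewPrivileges = yes
EOF
cat > "$BAD_UNIT" <<'EOF'
[Service]
User=tor
RuntimeDirectoryMode=0700 # trailing comment is part of the value
ProtectSystem=strict
NoNewPrivileges=yes
EOF

check_hardening "$GOOD_UNIT" && echo "hardened sample: OK"
check_hardening "$BAD_UNIT" || echo "weak sample: findings above"
```

Run it as-is to see the two reports; point check_hardening at /etc/systemd/system/tor.service to audit a real unit. On systemd 240 and later, `systemd-analyze security tor.service` gives a much more complete assessment, but the script above works offline on any version and catches the end-of-line-comment mistake that systemd itself only reports as a failure to parse the value.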

Trac:
Username: serafean