Control: tag -1 + patch

Hi weasel,
this does the job for me: --- a/debian/tor.service +++ b/debian/tor.service @@ -17,11 +17,13 @@ Restart=on-failure LimitNOFILE=65536 # Hardening +AppArmorProfile=system_tor PrivateTmp=yes PrivateDevices=yes ProtectHome=yes ProtectSystem=full ReadOnlyDirectories=/ +ReadWriteDirectories=-/proc ReadWriteDirectories=-/var/lib/tor ReadWriteDirectories=-/var/log/tor ReadWriteDirectories=-/var/run I've explained on https://trac.torproject.org/projects/tor/ticket/16782 why write access to /proc is needed. I've confirmed that works fine both with and without AppArmor enabled. I've also tested it with obfs4proxy, and with "Sandbox 1" (independently since these two are not compatible, but both with AppArmor enabled). Note that it requires systemd >= 218-4, which has been in testing since the end of June. I'll let you judge if a versioned dependency is needed for a nicer upgrade path from Jessie and/or for backports. Cheers, -- intrigeri
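Review bot: the new `AppArmorProfile=system_tor` line will make the unit fail to start on a host where the AppArmor LSM is active but the `system_tor` profile is not loaded (for example the apparmor userspace package is absent or the profile fails to parse), because systemd aborts exec when switching to a missing profile; unless that hard failure is intended, consider `AppArmorProfile=-system_tor`, the same "ignore errors" `-` prefix this hunk already uses on the `ReadWriteDirectories=-/proc` line, so the service still starts confined only by the existing systemd sandboxing. A one-line comment above the `ReadWriteDirectories=-/proc` line pointing at ticket 16782 would also help, since "write access to /proc" under `ReadOnlyDirectories=/` looks like a mistake to anyone reading the unit without the bug report.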