As discussed on IRC, here is a new patch that drops PermissionsStartOnly. I also updated the backport script.
commit eaf325d3cf3a42033e32b5535599a3f0427fa519 Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu> Date: Sun Dec 24 17:07:12 2017 +0100
debian/systemd: Drop PermissionsStartOnly
This avoids running --verify-config unconfined
diff --git a/debian/misc/build-tor-sources b/debian/misc/build-tor-sources
index a145a2034..cc83d1b44 100755
--- a/debian/misc/build-tor-sources
+++ b/debian/misc/build-tor-sources
@@ -166,10 +166,15 @@ remove_systemd() {
fi
}
-remove_systemd_instance_namespace() {
+# Remove systemd hardening features that require systemd >= 232
+remove_systemd_hardening() {
if [ -d debian/systemd ]; then
sed -i 's,^(ReadWriteDirectories=.*)/%i$,\1,' debian/systemd/*.service
dch --append 'Remove templated ReadWriteDirectories from
debian/systemd'
+
+ sed -i 's,^(PermissionsStartOnly=).*$,\1=yes,' debian/systemd/*.service
+ sed -i 's,^(Exec[^= ]+)=+(.*)$,\1=\2,' debian/systemd/*.service
+ dch --append 'Remove privileged ExecXYZ directives from debian/systemd'
fi
}
@@ -258,7 +263,7 @@ backport_all() {
bp1 $pkg $dir $sid_debian_version jessie
(cd $dir; remove_libzstd)
(cd $dir; old_debug_pkg)
- (cd $dir; remove_systemd_instance_namespace)
+ (cd $dir; remove_systemd_hardening)
bp2 $pkg $dir $origtar
# wheezy
@@ -277,13 +282,13 @@ backport_all() {
(cd $dir; remove_libzstd)
(cd $dir; remove_systemd)
(cd $dir; old_debug_pkg)
- (cd $dir; remove_systemd_instance_namespace)
+ (cd $dir; remove_systemd_hardening)
bp2 $pkg $dir $origtar
# xenial (EOL: Apr 2021)
#################################################
bp1 $pkg $dir $sid_debian_version xenial
- (cd $dir; remove_systemd_instance_namespace)
+ (cd $dir; remove_systemd_hardening)
bp2 $pkg $dir $origtar
# zesty (EOL: Jan 2018)
diff --git a/debian/systemd/tor@.service b/debian/systemd/tor@.service
index acfbf14b9..a0ea3a10f 100644
--- a/debian/systemd/tor@.service
+++ b/debian/systemd/tor@.service
@@ -8,9 +8,9 @@ ReloadPropagatedFrom=tor.service
Type=notify
NotifyAccess=all
PIDFile=/var/run/tor-instances/%i/tor.pid
-PermissionsStartOnly=yes
-ExecStartPre=/usr/bin/install -Z -m 02755 -o _tor-%i -g _tor-%i -d
/var/run/tor-instances/%i
-ExecStartPre=/bin/sed -e 's/@@NAME@@/%i/g; w
/var/run/tor-instances/%i.defaults'
/usr/share/tor/tor-service-defaults-torrc-instances
+PermissionsStartOnly=no
+ExecStartPre=+/usr/bin/install -Z -m 02755 -o _tor-%i -g _tor-%i -d
/var/run/tor-instances/%i
+ExecStartPre=+/bin/sed -e 's/@@NAME@@/%i/g; w
/var/run/tor-instances/%i.defaults'
/usr/share/tor/tor-service-defaults-torrc-instances
ExecStartPre=/usr/bin/tor --defaults-torrc /var/run/tor-instances/%i.defaults
-f /etc/tor/instances/%i/torrc --verify-config
ExecStart=/usr/bin/tor --defaults-torrc /var/run/tor-instances/%i.defaults -f
/etc/tor/instances/%i/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
diff --git a/debian/systemd/tor@default.service
b/debian/systemd/tor@default.service
index 161838f56..864b02df5 100644
--- a/debian/systemd/tor@default.service
+++ b/debian/systemd/tor@default.service
@@ -8,8 +8,8 @@ ReloadPropagatedFrom=tor.service
Type=notify
NotifyAccess=all
PIDFile=/var/run/tor/tor.pid
-PermissionsStartOnly=yes
-ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d
/var/run/tor
+PermissionsStartOnly=no
+ExecStartPre=+/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d
/var/run/tor
ExecStartPre=/usr/bin/tor --defaults-torrc
/usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
--verify-config
ExecStart=/usr/bin/tor --defaults-torrc
/usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
ExecReload=/bin/kill -HUP ${MAINPID}
signature.asc
Description: PGP signature
