Add ProtectSystem = full

See 13805

contrib/dist/tor.service.in

@@ -18,6 +18,7 @@ LimitNOFILE = 32768
 PrivateTmp = yes
 PrivateDevices = yes
 ProtectHome = yes
+ProtectSystem = full
 ReadOnlyDirectories = /
 ReadWriteDirectories = -@LOCALSTATEDIR@/lib/tor
 ReadWriteDirectories = -@LOCALSTATEDIR@/log/tor