systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).

The rest of the filesystem is accessible for reading only. Still, quoting
systemd.exec(5):

  Note that restricting access with these options does not extend to submounts
  of a directory that are created later on.

contrib/dist/tor.service.in

@@ -19,6 +19,9 @@ PrivateTmp = yes
 DeviceAllow = /dev/null rw
 DeviceAllow = /dev/urandom r
 InaccessibleDirectories = /home
+ReadOnlyDirectories = /
+ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor
+ReadWriteDirectories = @LOCALSTATEDIR@/log/tor
 
 [Install]
 WantedBy = multi-user.target