Merge remote-tracking branch 'intrigeri/bug12751-systemd-filesystem-sandbox'

changes/bug12751-systemd-filesystem-sandbox

@@ -0,0 +1,5 @@
+  o Distribution:
+    - systemd unit file: only allow tor to write to /var/lib/tor
+      and /var/log/tor. The rest of the filesystem is accessible
+      for reading only.
+      Patch by intrigeri; resolves ticket 12751.

contrib/dist/tor.service.in

@@ -19,6 +19,9 @@ PrivateTmp = yes
 DeviceAllow = /dev/null rw
 DeviceAllow = /dev/urandom r
 InaccessibleDirectories = /home
+ReadOnlyDirectories = /
+ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor
+ReadWriteDirectories = @LOCALSTATEDIR@/log/tor
 
 [Install]
 WantedBy = multi-user.target