Thanks for your help!

On Wed, 04 Jan 2017, Laurent Bigonville wrote:

> I just tried with the following hardening features, and the daemon is
> starting (I kept the old value in comment):
>
> # Hardening
> AppArmorProfile=system_tor
> NoNewPrivileges=yes
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectHome=yes
> ProtectControlGroups=yes #added
> ProtectKernelTunables=yes #added

Maybe.

> #ProtectSystem=full
> ProtectSystem=strict

Maybe. That's new in sid/testing.

> #ReadOnlyDirectories=/
> #ReadWriteDirectories=-/proc

Maybe.

> ReadWriteDirectories=-/var/lib/tor
> ReadWriteDirectories=-/var/log/tor
> #ReadWriteDirectories=-/var/run
> ReadWriteDirectories=-/var/run/tor

Can we still create the directory if it isn't there yet?

> #CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
> CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

No, that breaks hidden services. See https://bugs.debian.org/847598

> torify wget http://www.perdu.com returns the expected content

I think other useful tests would be
 - can Tor start when a hidden service is configured?
 - can Hidden services read/write to backend sockets in /var/lib/tor-onion-sockets/?
 - does transparent proxying still work (TransPort)?
 - can we log to syslog?

Cheers,
-- 
                            | .''`.  ** Debian **
 Peter Palfrader            | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            | `-    https://www.debian.org/
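The one interaction the thread settles is that dropping CAP_DAC_OVERRIDE from CapabilityBoundingSet breaks hidden services (#847598). As an added example, not part of this thread or of the Debian tor package, the POSIX shell script below lints a unit file's hardening against a torrc statically: it flags the weak bounding set whenever the torrc configures a HiddenServiceDir, and warns when the other directives Laurent proposed are missing. The unit and torrc files are constructed inside a temp directory (the hidden-service paths in them are hypothetical); nothing here talks to a running tor, so the functional tests Peter lists (hidden service start, onion sockets, TransPort, syslog) still have to be run against the live daemon.

```shell
#!/bin/sh
# Added example (not from the Debian thread or the tor package): static lint of a
# tor systemd [Service] fragment against its torrc. Sample files are constructed
# below; their paths are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a hardened [Service] fragment to $1 with $2 as the CapabilityBoundingSet
# value. The directives are the ones proposed in the thread.
write_unit() {
    cat >"$1" <<EOF
[Service]
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
#ProtectSystem=full
ProtectSystem=strict
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run/tor
#CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
CapabilityBoundingSet=$2
EOF
}

# Constructed torrc that configures a hidden service (hypothetical paths).
cat >"$WORK/torrc" <<'EOF'
SocksPort 9050
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
EOF

# weak: the bounding set from the thread that drops CAP_DAC_OVERRIDE
# fixed: the same set with CAP_DAC_OVERRIDE kept
write_unit "$WORK/weak.service"  "CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE"
write_unit "$WORK/fixed.service" "CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE"

# Print the value of every uncommented "$2=" line in unit file $1, one per line.
# Commented-out lines ("#Directive=") are skipped, like systemd does.
unit_directive() {
    sed -n "s/^[[:space:]]*$2=//p" "$1"
}

# Succeed if capability $2 is in the bounding set of $1. systemd merges repeated
# CapabilityBoundingSet= lines, so all values are considered; no line at all
# means nothing is dropped.
unit_has_cap() {
    caps=$(unit_directive "$1" CapabilityBoundingSet)
    [ -z "$caps" ] && return 0
    for c in $caps; do
        [ "$c" = "$2" ] && return 0
    done
    return 1
}

# Succeed if torrc $1 configures at least one hidden service.
torrc_has_hs() {
    grep -Eq '^[[:space:]]*HiddenServiceDir[[:space:]]' "$1"
}

# Lint unit $1 against torrc $2: print findings, return their count (0 = clean).
lint_tor_unit() {
    n=0
    if torrc_has_hs "$2" && ! unit_has_cap "$1" CAP_DAC_OVERRIDE; then
        echo "FAIL: torrc has HiddenServiceDir but CAP_DAC_OVERRIDE is not in CapabilityBoundingSet (see #847598)"
        n=$((n + 1))
    fi
    # For booleans the last assignment wins, so look at the last uncommented line.
    for d in NoNewPrivileges PrivateTmp PrivateDevices ProtectHome ProtectKernelTunables; do
        case "$(unit_directive "$1" "$d" | tail -n 1)" in
            yes|true) ;;
            *) echo "WARN: $d is not enabled"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

for u in weak fixed; do
    echo "== $u.service"
    if lint_tor_unit "$WORK/$u.service" "$WORK/torrc"; then
        echo "OK: no findings"
    fi
done
```

Run as-is: the weak unit yields the FAIL line, the fixed one reports no findings. The check is deliberately static (it does not answer Peter's question about creating /var/run/tor when it is missing; that is a runtime property the drop-in cannot be linted for), so keep the functional tests from the thread in the acceptance run.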

