From c53f0939cdf06c801c86ca0355c1ebd32433c424 Mon Sep 17 00:00:00 2001
From: Jamie Nguyen <j@jamielinux.com>
Date: Dec 10 2015 18:26:51 +0000
Subject: Improve service files (#1290444)


---

diff --git a/tor.service b/tor.service
index 4c60acf..8518d52 100644
--- a/tor.service
+++ b/tor.service
@@ -23,7 +23,7 @@ DeviceAllow=/dev/null rw
 DeviceAllow=/dev/urandom r
 ProtectHome=yes
 ProtectSystem=full
-ReadOnlyDirectories=/
+ReadOnlyDirectories=/var
 ReadWriteDirectories=/var/lib/tor
 ReadWriteDirectories=/var/log/tor
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
diff --git a/tor.spec b/tor.spec
index a4d25c4..a037010 100644
--- a/tor.spec
+++ b/tor.spec
@@ -108,8 +108,8 @@ sed -i $RPM_BUILD_ROOT%_unitdir/%{name}.service \
     -e 's/^Type=.*/Type=simple/g' \
     -e '/^NotifyAccess=.*/d' \
     -e '/^WatchdogSec=.*/d' \
-    -e 's#^ProtectHome=.*#InaccessibleDirectories=/home#g' \
-    -e '/^ProtectSystem=.*/d'
+    -e 's#^ProtectHome=.*#InaccessibleDirectories=/home\nInaccessibleDirectories=/root\nInaccessibleDirectories=/run/user#g' \
+    -e 's#^ProtectSystem=.*#ReadOnlyDirectories=/boot\nReadOnlyDirectories=/etc\nReadOnlyDirectories=/usr#g'
 %endif
 
 # Install docs manually.
diff --git a/tor@.service b/tor@.service
index 8a5e1ed..987135d 100644
--- a/tor@.service
+++ b/tor@.service
@@ -23,7 +23,7 @@ DeviceAllow=/dev/null rw
 DeviceAllow=/dev/urandom r
 ProtectHome=yes
 ProtectSystem=full
-ReadOnlyDirectories=/
+ReadOnlyDirectories=/var
 ReadWriteDirectories=/var/lib/tor
 ReadWriteDirectories=/var/log/tor
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE