Merge pull request #122452 from ju1m/tor

author: Sandro <sandro.jaeckel@gmail.com> 2021-11-09 21:50:57 +0100
committer: GitHub <noreply@github.com> 2021-11-09 21:50:57 +0100
commit: e5ac2e1a52bbc9b7aaedd7ffc0b059471f20107e (patch)
tree: a168368fcaf3b6ca928a2e053e38f9d4646477f1 /nixos
parent: 33ffba995d853658fb4db5f63ffb8ddc454c666f (diff)
parent: cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index c94b248d5f10..c3e3248ee8ab 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -1012,6 +1012,7 @@ in
         # Tor cannot currently bind privileged port when PrivateUsers=true,
         # see https://gitlab.torproject.org/legacy/trac/-/issues/20930
         PrivateUsers = !bindsPrivilegedPort;
+        ProcSubset = "pid";
         ProtectClock = true;
         ProtectControlGroups = true;
         ProtectHome = true;
@@ -1019,6 +1020,7 @@ in
         ProtectKernelLogs = true;
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
+        ProtectProc = "invisible";
         ProtectSystem = "strict";
         RemoveIPC = true;
         RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
author	Sandro <sandro.jaeckel@gmail.com>	2021-11-09 21:50:57 +0100
committer	GitHub <noreply@github.com>	2021-11-09 21:50:57 +0100
commit	e5ac2e1a52bbc9b7aaedd7ffc0b059471f20107e (patch)
tree	a168368fcaf3b6ca928a2e053e38f9d4646477f1 /nixos
parent	33ffba995d853658fb4db5f63ffb8ddc454c666f (diff)
parent	cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b (diff)