set additional hardening options for tor.service file, wrt bug #529212

Package-Manager: portage-2.2.14/cvs/Linux x86_64
Manifest-Sign-Key: 0xBD3A97A3

5 files changed, 39 insertions, 24 deletions

diff --git a/net-misc/tor/ChangeLog b/net-misc/tor/ChangeLog
index 7a45d9a99c8e..63b795270135 100644
--- a/net-misc/tor/ChangeLog
+++ b/net-misc/tor/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for net-misc/tor
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/ChangeLog,v 1.448 2014/11/20 14:41:41 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/ChangeLog,v 1.449 2014/11/21 23:51:22 tamiko Exp $
+
+*tor-0.2.6.1_alpha-r3 (21 Nov 2014)
+*tor-0.2.5.10-r3 (21 Nov 2014)
+
+  21 Nov 2014; Matthias Maier <tamiko@gentoo.org> +tor-0.2.5.10-r3.ebuild,
+  +tor-0.2.6.1_alpha-r3.ebuild, -tor-0.2.5.10-r2.ebuild,
+  -tor-0.2.6.1_alpha-r2.ebuild, files/tor.service:
+  set additional hardening options for tor.service file, wrt bug #529212
 
 *tor-0.2.5.10-r2 (20 Nov 2014)
 *tor-0.2.6.1_alpha-r2 (20 Nov 2014)
diff --git a/net-misc/tor/Manifest b/net-misc/tor/Manifest
index f51c9230cbf1..0eed3768ff26 100644
--- a/net-misc/tor/Manifest
+++ b/net-misc/tor/Manifest
@@ -7,7 +7,7 @@ AUX tor.conf 62 SHA256 809f5f09758c1eec5fd3cef94536ec83358dc380f3ece0bc4890b1c2e
 AUX tor.confd 44 SHA256 41d780f291847e19f632428bbf27c3f289414afd237546d2974da1b75384c25c SHA512 9028ac41e3acdf4405095addb69537e87edecafaec840296ac27a5a8992fe132dc822e4e4abb8826f76460c438da2719dea17859690d03e17198a82086a3d660 WHIRLPOOL d3060208cf59c2de5839e7358fae37db883899f715a7411c7ba4c9e09926b6098aca7bfcaa269ea51b47b9f197ccd509f0c1e19909a87b1e087a88b30915a1cf
 AUX tor.initd-r6 1627 SHA256 49da1b5f267927023bc092adcf89d406ec294584039d6bca6b7aea0a9e7c4c4f SHA512 09aea50280fe0efee605e9235ce43d171efdf4cf6c2ccef272e797bac7277940e08155c5f294d9901507112a25a9be3aec5e40466caba4a54dfdb1e48683ab12 WHIRLPOOL 8c7fe6e6f53daa47676e040afceb716308bd836df6db35ddafd9a35d9c7ea2ef2d9c4e10ab971b882ae8b84ad4106a7b3f6a68791f9eefd3977c178b745f96b0
 AUX tor.initd-r7 2388 SHA256 3576a541e3bf76a526cd859af5690a149aedb3187eed555ba78b49e493179064 SHA512 4028bcb485890a98a7567031c550417babe2b2d505858d4d4b84ac689f975b9c1a2b7ab6d3b6ae8409a1559b914010836e7861ffec369382833ea193bba42b95 WHIRLPOOL 064a397af5a34b6e258f40d8d73f9425c834d4ffbfda5a6297a3092a45c0cc957ae9ead9d1ae2da63ae591905807df1900cf3aefffde5a0ba6fa731c7f0a9c8b
-AUX tor.service 316 SHA256 22293c36ae4043cb351ff7e5b18ab392de5ac431683dd03de658bf3627fe5c3d SHA512 cee692525037ff1ed466863058bfa06e6cf17917f0d5546ab9a53e27f89228feecb20eb13be616e901584e73851022be68aa03c67aa8c12824998ed2533d2571 WHIRLPOOL d4ab37f1e8c4de6e38613c6d2e53500e2bab73e31f13bdf594ae5c8ff13e40bbf9eccc3b56e776e64d847cce0d36f61b0a1de3f72f1858cf1d2e0f1e68c2e7e7
+AUX tor.service 479 SHA256 647572301c444896c6958af4481f443e39f7232f0ad919e4a154a27733aae709 SHA512 5eab6d99bc9210546b750596e6b660904a098868a07d4df41e14e39586a12965cbed94e7bda2bf315472fd40b4df4f68f1a8393c12e085524b80e02e26de9c14 WHIRLPOOL bf23275b4a847e5a806d7052b17ac9bbbc6c16e23a9add351bc6f7ee3afde844914ed0505fcadd3b15bcf2519fc7a352cb09d2e46cebec19b88ba7ece3c3835d
 AUX torrc-r1 140 SHA256 6766943a69e4784d02f173b5d74b8eb9345f878ef4eb36edab34bbf649ef2738 SHA512 6e3c481b34f2cb6f48bf87fe10565daded00415cc233332d43e18206d46eb7b32f92c55035584b5992e7a056e79e862124a573a9724f7762f76d4c4f0824de82 WHIRLPOOL 14a0e40219457b3ea26113fca561db338fb7324c20fee3b30287315974975001fab3cd3272932a1325e8dc9a227e0242bedf9fb424e2c5db755112f3fdeb815d
 DIST tor-0.2.4.23.tar.gz 2977006 SHA256 05a3793cfb66b694cb5b1c8d81226d0f7655031b0d5e6a8f5d9c4c2850331429 SHA512 8941a296c613ae30e98933ec05810cb655f3fe345ed9942f7c76799e00b893aa17a5e023b020aeca0b730834e6df4fb86927fc4e3d66ebd0cb26a36e6d94103b WHIRLPOOL 2b461eee1d31a338167f6a8267e63f2b6b1999668a82d2d9db3fc99f83cd6e959c922d2102e356815b776c0fc15780f46ed2bf0b7afcb9d0d95aee88979c0bd8
 DIST tor-0.2.4.25.tar.gz 2987749 SHA256 84693bf5875857bf1aef3a8ff8109da4cc10e64269208054bbcf94fb615da627 SHA512 0b89628be737087078fc4955ffb1824da4c5a8d614ccb39052ea65b2926b8a381bc3accb394a3b84fcea68170f23e163d147ace3683a946fb23b27960b32228b WHIRLPOOL 35668c31070a4f6dcd1a95d43986088e6f4e3fe59565e3a0abc19c0716b5bb3dd95937b7de249d7e80f9505f6ea77769582d37449e464d9acf9bffb57d20ca92
@@ -15,24 +15,24 @@ DIST tor-0.2.5.10.tar.gz 3166480 SHA256 b3dd02a5dcd2ffe14d9a37956f92779d4427edf7
 DIST tor-0.2.6.1-alpha.tar.gz 3347886 SHA256 83154b8e5514978722add6c888d050420342405d4567e5945e89ae40b78b8761 SHA512 28cf0ab2a2b3272624855163f2a17e5b5cbc909fa42aabf2626c0e0fb8f92dfeefdfc16aaf9282bcefb9984db482878469c908e9cf38090fa9006c28df304b51 WHIRLPOOL fa86a5b6200724f49c0a663db22402fbbcf5fef2a2af1187a042fc934780c31067785563fb41f57ea1a428902c8aad65b2a3787b9c1039f415b4436398f26347
 EBUILD tor-0.2.4.23.ebuild 2561 SHA256 7fa0c96147cb0d7f0fd97f189b581809453529ac8b34cd912b811dc696012642 SHA512 0c71d01888ebcf04fd8f95ecef4318d6819be280150d02ccc73062174dc4acbed83ed2ef5eef99bdb133d3524b4745d13e5a9d1c0fea96ffe3bef2746e5519f6 WHIRLPOOL 2c93badc8dbaf8df752655396f04af32ca68a17ef5df421368344b1c026f2771b611a200d4406c8b03936a7eecefe118478a098743db77bec5dc5960a8fe4062
 EBUILD tor-0.2.4.25.ebuild 2600 SHA256 c26cfe2a4b741476a4a7ff2c5e8a8c88ed34a4f693504c2afa3a7deb70b1240d SHA512 e074662aba9a49eb67e2b7121ffd40aa5d332c7f280e52fa8238d81e5c0fe946e5c5b5037b4acb6f1c32b43ae6f99ea2e77be157b87c597736e6108af3ae8542 WHIRLPOOL 5be7ddd6dba912fcfcb6eb2cdb98d065380df2880b103af2857fb0f4ac41a72b57e757705f68e63ea4eb4a11e553a95858bf59155f7e4ff05a45825e37f80d70
-EBUILD tor-0.2.5.10-r2.ebuild 2847 SHA256 b84284dd1963409d0e9e84651aaf384ce72fb2355231187a679f99313f537c8b SHA512 46d35638502968106ff418d9d9f71d9b1fbb81879bb5e6e945d33a6c333a89d2911807b5943acb0ceb01341fdc6a34876dbb8c85726a229cbb21421d8c2eaf44 WHIRLPOOL 90c70fe4d2b42f38a9817e228462fd2b29deb7d04da8eb968623bfbdf10ffb025396ac231d6edd14a91e636de64d873aadd6e8db40d42ef47eafb56481d48923
-EBUILD tor-0.2.6.1_alpha-r2.ebuild 2832 SHA256 b937dd035a85bc219731b98b460e345574385b7e5ade94fa3bf29b261455d354 SHA512 b87d4294a659c12384c28d0861914549c759dd527892000e33a9f21d078d674496a2df61cb9724058031ec5abcf9319573fec8373a3d383c5fd641faae81bb9f WHIRLPOOL 7603f8ceeec81e2a31d8f66c7399995735ac503d9622fab8c7346e5efa408e38cf93d277a3d40ac5da4edda6940509ac57c9090aea3e512e594e5b8aa902af3c
-MISC ChangeLog 67259 SHA256 978b8a0f8eb7801e68fb6b1bcf0c3061016ffd273d3f2fcd048c31d7c310b496 SHA512 40075dc6b40b290a285003cdae38b11b2e116c476591545838d2cc3ee32be50ac7a619424d1345bd75448f916358c79fd5b2263d5209ef127a0af6a1e5d207e5 WHIRLPOOL eca2f59071cc656abfbcede885c659742994bb54c990617c030613742258dab2abd7cbe542aef400fa462f642f315dc2c415505bb5c91ef48f0043d9dccd8bf3
+EBUILD tor-0.2.5.10-r3.ebuild 2845 SHA256 d5ec3ef0ac4cea8a6db12cfc08835b196e6cf2cd4f2058283170f4b349f49ab4 SHA512 b4135b07700c4a75f66ba8e89fb787de3d0a3597446f816640e7b3927d39440cab70ec7146e7c08faa3d6dcb2f0a7b52e4b05e7b516e0c9b86033354a1d9abf2 WHIRLPOOL a6254f62798f7c43197bac6ce62664adffd4d3bab92f0604740a11849cac19f569cc3d4c5b5a0b7c15cdb4c73a39c047a8c7d40f87713ffb91d6d6035b976be1
+EBUILD tor-0.2.6.1_alpha-r3.ebuild 2830 SHA256 446eb0691d7b4223ff4d56b1116667487a9939894f87ba0136b6384f832ea8fc SHA512 48c2327e7bf72d5d4f6a194d398cae07981a327d76a83c99cf520512bec84e6a16843c92e9926c6fee1a064f8dbe99bbd67a1bbd7d6c0d2474891bd800c84a11 WHIRLPOOL 2a65257658d8626b63dc33831589879eaf117c8cedc253a4f88497e4ad478b862e57828770d8df53cf67635c5b6cb2b6322f8eed6f03104ff714693538c8b85a
+MISC ChangeLog 67582 SHA256 924fabad5d3ab04ce73344d292ef475956856f0030ace34c1393e9a0b81b2d44 SHA512 797fc2b1a28b8372ec651641b7ecff2186385c702d191d76b3fd5db3291ce31f64d75fd8faf8907b7186eade24796044cb26447b716c69dd0e8669afe8d6abb1 WHIRLPOOL 91223cc05b2373498bc0e287590f54200c9628b8808e7cb146a77bc830b9af449dfb38699761b97e3e8d1f60fe825f935178fdaba5fb021a8ff99736ddfc1612
 MISC metadata.xml 960 SHA256 72aa6e682760ca7595c958a1042bf0e0556855b1079cab9ba9c8b1cc58b4b26c SHA512 4d5ce716467499618e070462ca076f4dd26276e71c2f19f38a31f13d88e65e63e987e4b2633dae85653ec060501b61acfdab9ec8509e966321383e950d50eb28 WHIRLPOOL 8139724f2b0d2fd177f13059ca9066258849234a4aa5638a3a763d334528a0cbd35d7b26badb0e3228f16ebf83bb26c2344c327e60e30801bb783677c3176525
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
+Version: GnuPG v2.1
 
-iQIcBAEBCAAGBQJUbf5DAAoJEJOE+m71LUu6svcQAIS17vYiboIWaudljXPPtT8W
-7xUOOHM6q7VicGloAIn1Z/61YkwothdFomyzM2jVWia888dGUr2lKbPQeMdDWPU8
-1WzWRidjCVG4mteA+HXBlynuK0OjpdB/SGBU0EIN2GXEzDBWgFaSuDtxo3kqnR0S
-Z4OmsB6wWRMBky1rnJByFlnWkY4xQlPI6Vd+pXgGC7qDtfTTQZ2JB6SDFWYTzlaX
-MQNjkljJ6v7FYODBFg9gPguZv9knOsXse4onU91FFEusJQpubdBo+dj9Wahny0Sw
-McSBhWPyczW7CFKLg9KFVMt7KgfcmcclkaX4Ruh55lkutRlg1ncxPe2pTfYbavMP
-Bg0MgcFZgGdqZsLdGnu3vvOxqGsIG6m3nCN9P0SvgAVJqYWHPV00yhFVU0oPVJkY
-0YK9hOsgDq7hahjO27dvJ6OfCTMkb9zFllazYHDbJpFvm02k4Jby1JLczLgKSkyK
-WldaMVbXF8TfELMK+2U5TN6XX7DRU9HRtE7VCN0Uqvbma5179ZmZIUZ2Omt6zsbR
-6dakBowAKUea/SlU6TR9KMgs22tCkZUeRhaF2DfOCAF/iY6K2icseSfebCThOK3E
-XoUA5PLnBv3c01mUYwhHOHoW+XxxtYQK0sFXM9ue/gd238vNEDzrIxGZHJ8GVy+c
-kjyz0IqQMyiWjJckeFVB
-=bLsM
+iQIcBAEBCAAGBQJUb8/8AAoJELhOzYlK7nn/4r4QALnkT4Mb9Reg2xwFsLrPH41s
+I5xERbWA1LgqICsmgRl8lNFMDSHxvKPnHp4VkAgx71bopyta6zFJQzJeElkoQU4n
+qGVACO49TNQYG374bHzlUmMQeCAaI8ZQ4VOyNC8WTZZpTLJJmDV9DYXxHamvSsix
+eC1x1X6Bg62jAYYsht45wT+hXhoxZal+hu78yPn5qcojdY6rdjtn+8uKjAYYQ+rk
+576rXeknPcwRmY36M6tfNOfpcL4tLTi5VSff/KhCoS2vS52EejUAVSJ2SO3xs9An
+81ZS3usOkJ6HxPgWr8VVckH/A5ouO30FEFBJ4wxcfCh+tiHTLCk9VaURDuL74NMA
+9vlpCUXF0lr8X7tmccQR2oej3/Xbuokm5nXZP91k17DtLh9wZTbI+qnSUTSxdpPu
+luAIIhEzKycEFS51Jj9Srb49qxbQGkrr1H70TEOY0QU7LX7Q2Z94etEM+nmeaB/C
+L2P1n58jaIrr9OSS9U+z2k8fhELZ+UmYd6DdtHowdILLJ92MhxZWQolE/eupHy80
++uGlXzYrTqoRTMzW9Kyb1T799VbmeBZ69J1+MAQegugq6JD1+y7IPVr5cB1WEcM+
+w/38bJe1meAyfV4oOQ2d+AlCCGKLt3kq/HcHi0AdZ4jM/G1uaGGgW8xL4+he4tl+
+6MaKd/pR2xIy+JE+hPZW
+=HJ1K
 -----END PGP SIGNATURE-----
diff --git a/net-misc/tor/files/tor.service b/net-misc/tor/files/tor.service
index 9d84caa6f690..8fcc6740ed91 100644
--- a/net-misc/tor/files/tor.service
+++ b/net-misc/tor/files/tor.service
@@ -3,12 +3,19 @@ Description=The Onion Router
 
 [Service]
 ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
-ExecStart=/usr/bin/tor --runasdaemon 0 -f /etc/tor/torrc
-ExecStop=/bin/kill -INT $MAINPID
+ExecStart=/usr/bin/tor --RunAsDaemon 0 -f /etc/tor/torrc
 ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGINT
 TimeoutStopSec=32
 LimitNOFILE=30000
-Group=tor
+
+# Hardening options:
+CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+PrivateTmp = yes
+PrivateDevices = yes
+ProtectHome = yes
+ProtectSystem = full
+NoNewPrivileges = yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/net-misc/tor/tor-0.2.5.10-r2.ebuild b/net-misc/tor/tor-0.2.5.10-r3.ebuild
index 00747bc6be52..e7f28de12442 100644
--- a/net-misc/tor/tor-0.2.5.10-r2.ebuild
+++ b/net-misc/tor/tor-0.2.5.10-r3.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/tor-0.2.5.10-r2.ebuild,v 1.1 2014/11/20 14:41:41 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/tor-0.2.5.10-r3.ebuild,v 1.1 2014/11/21 23:51:22 tamiko Exp $
 
 EAPI="5"
 
diff --git a/net-misc/tor/tor-0.2.6.1_alpha-r2.ebuild b/net-misc/tor/tor-0.2.6.1_alpha-r3.ebuild
index a0dfa826e04d..577cfb746ae3 100644
--- a/net-misc/tor/tor-0.2.6.1_alpha-r2.ebuild
+++ b/net-misc/tor/tor-0.2.6.1_alpha-r3.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/tor-0.2.6.1_alpha-r2.ebuild,v 1.1 2014/11/20 14:41:41 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/tor-0.2.6.1_alpha-r3.ebuild,v 1.1 2014/11/21 23:51:22 tamiko Exp $
 
 EAPI="5"