## Copyright (C) 2015 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

[Unit]
Description=Tor control port filter proxy
Documentation=https://tails.boum.org/contribute/design/
After=network.target
Wants=network.target
ConditionPathExists=!/var/run/qubes/this-is-templatevm

[Service]
Type=notify
ExecStart=/usr/lib/onion-grater

User=onion-grater
Group=onion-grater
SuccessExitStatus=143
WatchdogSec=10
TimeoutSec=30
Restart=always

# Hardening
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_PTRACE
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ReadWriteDirectories=/etc/onion-grater.d/ /etc/onion-grater-merger.d/
NoNewPrivileges=yes
SystemCallFilter=stat close open mmap fstat rt_sigaction read munmap mprotect readlink getdents write lstat poll lseek brk rt_sigprocmask ioctl access dup getpid socket connect sendto recvmsg bind listen getsockname getpeername setsockopt execve uname fcntl getrlimit sysinfo getuid getgid geteuid getegid sigaltstack statfs arch_prctl futex set_tid_address set_robust_list getrandom
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target