From cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+nixpkgs@sourcephile.fr>
Date: Mon, 10 May 2021 15:29:52 +0200
Subject: [PATCH] nixos/tor: harden ProcSubset and ProtectProc

---
 nixos/modules/services/security/tor.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 54c2c2dea23a..b58412e2424d 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -1007,6 +1007,7 @@ in
         # Tor cannot currently bind privileged port when PrivateUsers=true,
         # see https://gitlab.torproject.org/legacy/trac/-/issues/20930
         PrivateUsers = !bindsPrivilegedPort;
+        ProcSubset = "pid";
         ProtectClock = true;
         ProtectControlGroups = true;
         ProtectHome = true;
@@ -1014,6 +1015,7 @@ in
         ProtectKernelLogs = true;
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
+        ProtectProc = "invisible";
         ProtectSystem = "strict";
         RemoveIPC = true;
         RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];