-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Nick, thanks for your answer.

...

What capability would one have to add to the list to make it work with CapabilityBoundingSet?

It probably depends on what's in your configuration.

torrc file while testing: User debian-tor DataDirectory /var/lib/tor Log debug file /var/log/tor/log RunAsDaemon 1 DisableDebuggerAttachment 0

My first guess on how to find out would be to look to see if you can possibly use strace or gdb or something to figure out what system call is failing.

strace output when I trigger the reload via systemctl: 2362 epoll_wait(3, 7f105298a7f0, 32, 99) = -1 EINTR (Interrupted system call) 2362 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=1, si_uid=0} --- 2362 sendto(4, 0x7fffe6bcbf57, 1, 0, NULL, 0) = 1 2362 rt_sigreturn() = -1 EINTR (Interrupted system call) 2362 --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=1, si_uid=0} --- 2362 epoll_wait(3, {?} 0x7f105298a7f0, 32, 54) = 1 2362 recvfrom(5, 0x7f10514bb500, 1024, 0, NULL, NULL) = 1 2362 recvfrom(5, 0x7f10514bb500, 1024, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable) 2362 write(7, 0x7fffe6bc9a40, 57) = 57 2362 open(0x7f10529933e0, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600) = 10 2362 write(10, 0x7f105379ac10, 3662) = 3662 2362 close(10) = 0 2362 write(7, 0x7fffe6bc98c0, 96) = 96 2362 rename(0x7f10529933e0, 0x7f1052993200) = 0 2362 write(7, 0x7fffe6bc99c0, 80) = 80 2362 munmap(0x7f1051a06000, 1052672) = 0 2362 write(7, 0x7fffe6bc99c0, 82) = 82 2362 write(7, 0x7fffe6bc99f0, 84) = 84 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJVCW/1AAoJEFv7XvVCELh0c8EP/RVNFNFdIieFMYZycf0IMReM TqtwOaWsGhkxzf3clXi9rECv0cis6Dvw+PROyPeMaQup/HSLaEwEpqmcKamyk8K2 pXrxVUOI4w8jkUymPMaZX5blnpuVmhPECCYTfkSi8AAbUC9Jl7qnKtu/r6JyoxKC NKf23Aoa0W4Wqn4KzXQff+5dpXUfyysE5r95mhh6z1xL+TfI+Th4IAUO6EsdgbB/ a/qRdtIu1bkKjiwHd6bBiY1ar1IH+GA8ud9QTAUXVkHHZ0w9w3GuEV8n4rP93QWf M+wi0LRnYsw0X3s+jyze811FYNzDfDXmzY27MqVhzZZzwUjqHgEOZQVvFUYaOe4C wTv/cAmj15Moo76dvthwRYeK6NweiS1pYh+qcZy+EGq4Ty57vUmqkmxLe51ylExM yCuJ1IOSC08UA0Ntk80cs/nC4xtSNxrh3P9zLNnzJQweLxUSK/S84PAg/l+CqE+Q 3WzO7CcQOkV8qR1gL2kP0NS1HDZyArfvOLRV6UdGCRCw//hKVACKTP5fh9Acx5Sw PqJIpVu5OMpmZxcBpuv5rhubzA3X3rwbmWqEFTOzL8K7SlxOPha4V/1RIHAOG6Qr /KVdl7EwQPY5gpSWdMHrZa+pnF9VNUv5x3c4VhEenlSUkq6fiBfrivmHWHIyTeSb MwagvB1k5o2aaH834ANm =ClGh -----END PGP SIGNATURE-----