services: tor: Run in a container.

* gnu/services/networking.scm (tor-shepherd-service): Use (gnu build
shepherd) and use 'make-forkexec-constructor/container' instead of
'make-forkexec-constructor'.

gnu/services/networking.scm

@@ -595,6 +595,9 @@ (define (tor-shepherd-service config)
   (match config
     (($ <tor-configuration> tor)
      (let ((torrc (tor-configuration->torrc config)))
+       (with-imported-modules (source-module-closure
+                               '((gnu build shepherd)
+                                 (gnu system file-systems)))
          (list (shepherd-service
                 (provision '(tor))
 
@@ -602,10 +605,21 @@ (define (tor-shepherd-service config)
                 ;; dependency on 'loopback'.
                 (requirement '(user-processes loopback syslogd))
 
-              (start #~(make-forkexec-constructor
+                (modules '((gnu build shepherd)
-                        (list (string-append #$tor "/bin/tor") "-f" #$torrc)))
+                           (gnu system file-systems)))
+
+                (start #~(make-forkexec-constructor/container
+                          (list #$(file-append tor "/bin/tor") "-f" #$torrc)
+
+                          #:mappings (list (file-system-mapping
+                                            (source "/var/lib/tor")
+                                            (target source)
+                                            (writable? #t))
+                                           (file-system-mapping
+                                            (source "/dev/log") ;for syslog
+                                            (target source)))))
                 (stop #~(make-kill-destructor))
-              (documentation "Run the Tor anonymous network overlay.")))))))
+                (documentation "Run the Tor anonymous network overlay."))))))))
 
 (define (tor-hidden-service-activation config)
   "Return the activation gexp for SERVICES, a list of hidden services."