Opened 5 years ago

Closed 2 years ago

Last modified 2 years ago

#14014 closed enhancement (fixed)

Add obfs4proxy to the default tor apparmor profile

Reported by: vladtsyrklevich
Owned by: weasel
Priority: Low
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity: Normal
Keywords: apparmor obfs4
Cc: yawning, ali.mirjamali@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

The current apparmor profile shipped with tor allows tor to launch obfsproxy but not Yawning's new obfs4proxy. To fix you just need to add:

  /usr/bin/obfs4proxy PUx,

to debian/tor.apparmor-profile.abstraction. I specify that path because that's where the current debian package installs to; however, obfs4's debian packaging source does not appear to be included in tor's git. Perhaps Yawning can verify whether this will continue to be the stable install location?

Change History (8)

comment:1 Changed 5 years ago by erinn

Owner: changed from erinn to weasel
Status: new → assigned

comment:2 Changed 5 years ago by yawning

> Perhaps Yawning can verify whether this will continue to be the stable install location?

I'm not the one that made the package, so my answer isn't definitive, but I don't see this changing in the future.

comment:3 Changed 5 years ago by vladtsyrklevich

Status: assigned → needs_review

comment:4 Changed 5 years ago by weasel

Resolution: fixed
Status: needs_review → closed

I think this is #777592.

comment:5 Changed 3 years ago by alimj

Cc: ali.mirjamali@… added
Resolution: fixed
Severity: Normal
Status: closed → reopened

Unfortunately this bug was not fully fixed (at least in Ubuntu 16.04) Bug #1568435 and affects multiple users. If using obfs4proxy as a ClientTransportPlugin

The solution for me was to set the apparmor profile to ix (Execute and inherit the current profile) rather than PUx:

  /usr/bin/obfs4proxy ix,

comment:6 Changed 2 years ago by ccppuu

I can confirm the comment left by @alimj - On my own Ubuntu 16.04 test systems with Tor 0.3.0.9 (git-100816d92ab5664d), the latest release at the time of writing, AppArmor will block obfs4proxy from operating unless the /etc/apparmor.d/abstractions/tor entries for the obfs4proxy binaries are changed from PUx to ix.

Streisand is currently carrying a workaround patch that I would love to remove :-)

How can I help resolve this bug upstream? Is there someone more familiar with AppArmor that could explain the intention of the PUx modifiers present in the debian package's abstractions file?

Thanks! -- @cpu
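
Added example (not part of the ticket, of any comment above, or of Tor's packaging): a small Python check that reads an AppArmor profile fragment and reports which exec transition mode a rule gives /usr/bin/obfs4proxy, using the mode meanings documented in apparmor.d(5). The function name `audit`, the regular expressions and the sample fragment are assumptions made for illustration.

```python
import re

# Exec transition modes as documented in apparmor.d(5). An uppercase P, C or U
# additionally scrubs the environment before the new program runs.
EXEC_MODES = {
    "ix": "inherit the calling profile",
    "px": "target's own profile",
    "cx": "child profile",
    "ux": "unconfined",
    "pix": "target's own profile, falling back to inherit",
    "cix": "child profile, falling back to inherit",
    "pux": "target's own profile, falling back to unconfined",
    "cux": "child profile, falling back to unconfined",
}
RULE = re.compile(r"^\s*(?:(?:audit|owner|allow|deny)\s+)*(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+)")
EXEC = re.compile(r"[PpCc][iUu]?x|[Uu]x|ix")

def audit(profile_text, target="/usr/bin/obfs4proxy"):
    """Return (line, token, meaning, scrubs_env) for each exec rule naming target.

    Paths are compared literally; AppArmor globs that would also cover the
    target are not expanded.
    """
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        rule = RULE.match(line.split("#", 1)[0])  # drop comments and #include lines
        if not rule or rule["path"] != target:
            continue
        mode = EXEC.search(rule["perms"])
        if mode:
            token = mode.group(0)
            findings.append((lineno, token, EXEC_MODES[token.lower()], token != token.lower()))
    return findings

# Constructed sample: the two rule variants quoted in this ticket plus filler.
SAMPLE = """\
# constructed abstraction fragment
  /usr/bin/obfs4proxy PUx,
  /var/lib/tor/** rwk,
  /usr/bin/obfs4proxy ix,
"""

if __name__ == "__main__":
    for lineno, token, meaning, scrubs in audit(SAMPLE):
        print(f"line {lineno}: {token} -> {meaning}; scrubs environment: {scrubs}")
```

Passing it the contents of /etc/apparmor.d/abstractions/tor shows whether the installed rule is PUx (obfs4proxy leaves tor's profile) or ix (obfs4proxy stays inside tor's profile, so that profile must grant everything obfs4proxy needs).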

comment:7 Changed 2 years ago by weasel

Resolution: fixed
Status: reopened → closed

don't recycle old tickets.

comment:8 Changed 2 years ago by ccppuu

> don't recycle old tickets.

Ok, opened a new issue at https://trac.torproject.org/projects/tor/ticket/22860
