Opened 4 years ago

Closed 4 years ago

#17693 closed defect (fixed)

AppArmor profile denies access to run/systemd/notify

Reported by: regar42
Owned by: weasel
Priority: High
Milestone: Tor: 0.2.7.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.7.5
Severity: Critical
Keywords: AppArmor systemd/notify
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When I upgraded from tor-0.2.6.10 to tor-0.2.7.5, I noticed my relay lost its Stable flag after a few days, so I started wondering why. It appears that I encounter this error:

Nov 25 23:06:06 Dalekanium kernel: [12493.410382] audit: type=1400 audit(1448489166.546:62): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="system_tor" name="run/systemd/notify" pid=9878 comm="tor" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

systemctl keeps restarting tor every 30 seconds because it never receives the signal of start success from tor.

How to reproduce:

- install tor-0.2.7.5
- check syslogs

My machine's specs:
- apparmor 2.10-0ubuntu6
- Ubuntu 15.10

I fixed the bug by adding an attach_disconnected flag to the tor apparmor profile and a write authorisation on notify: /{,var/}run/systemd/notify w, as you can see in the two profiles I attached.

Attachments (2)

system_tor_orig (408 bytes) - added by regar42 4 years ago.
Original AppArmor profile for Tor
system_tor_fixed (468 bytes) - added by regar42 4 years ago.
AppArmor profile for Tor with the 2 fixes

Change History (10)

Changed 4 years ago by regar42

Attachment: system_tor_orig added

Original AppArmor profile for Tor

Changed 4 years ago by regar42

Attachment: system_tor_fixed added

AppArmor profile for Tor with the 2 fixes

comment:1 Changed 4 years ago by teor

Milestone: Tor: 0.2.7.x-final
Severity: Normal → Critical
Status: new → needs_review

This has a patch attached, and it affects 0.2.7.5 on systems with systemd.

comment:2 Changed 4 years ago by 4e28

This manifested as tor working, but all connections being dropped as the tor process restarts ~2 minutes while logging:

[notice] Interrupt: exiting cleanly.

Applying the fix here worked. Many thanks!

Ubuntu 15.10.

comment:3 Changed 4 years ago by teor

Can we get this merged soon into 0.2.7?

It seems like it's vital for those using systemd.

comment:4 Changed 4 years ago by nickm

I don't think we ship an apparmor profile in Tor. Which package did the original apparmor profile come from?

comment:5 Changed 4 years ago by regar42

Well, I just checked, and I found the "system_tor" profile in the tor_0.2.7.5-1~vivid+1_amd64.deb package from deb.torproject.org.

comment:6 in reply to: 5 Changed 4 years ago by teor

Replying to regar42:

Well, I just checked, and I found the "system_tor" profile in the tor_0.2.7.5-1~vivid+1_amd64.deb package from deb.torproject.org.

It's from our debian/tor packaging repository, likely somewhere under tor/debian/systemd/, maintained by weasel.

Do we have a separate component for the debian package, nickm?

comment:7 Changed 4 years ago by weasel

Owner: set to weasel
Status: needs_review → assigned

comment:8 Changed 4 years ago by weasel

Resolution: fixed
Status: assigned → closed

tor (0.2.7.6-1) unstable; urgency=high

  • New upstream version.
    • Actually look at the Guard flag when selecting a new directory guard.
  • Actually install tor-instance-create.8 manpage.
  • Change the apparmor profile to allow Tor to access the systemd notification socket. Thanks to regar42. Closes Tor#17693.
  • tor-instance-create: Do systemctl daemon-reload *after* writing the new torrc.