tor_0.2.8.1-alpha-dev-20160222T073925Z package is broken
Directory /var/lib/tor cannot be read: Permission denied
Failed to parse/validate config: Couldn't access/create private data directory "/var/lib/tor"
Reading config failed--see warnings above.
apparmor="DENIED" operation="open" profile="system_tor" name="/var/lib/tor/" pid=9747 comm="tor" requested_mask="r" denied_mask="r" fsuid=120 ouid=120
previous build worked without trouble
Also file tor-service-defaults-torrc-instances can be totally removed from package.
Trac: Username: Ricky_Martin
In /etc/apparmor.d/system_tor, change the following line:
owner /var/lib/tor/** rwk,
by:
/var/lib/tor/** rwk,
and the service should start.
I think the changes related to DataDirectory handling mean that it is read before switching the user to debian-tor, hence AppArmor denied the read.
I tried it but issue remains after apparmor profile reload.
Please answer all of the following questions (some of them nick asked previously, and you didn't answer them then)
which OS
which kernel
on what kind of system (hw/vps/..)
how are you starting tor
what does "service tor status" say
what does "service tor@default status" say
Please argue your drive-by comment that claims tor-service-defaults-torrc-instances "can be totally removed from package".
The line provided above already includes the OS (trusty - Ubuntu 14.04) and the possible kernels: trusty supports only 3 kernel versions now, but in the context of fast security support only two, the LTS hw stack from wily and the default trusty 3.13.x kernel. Forgive me my rudeness, but it's obvious that the problem is related to the current apparmor profile and the abstractions provided with the package.
And the kernel version makes no sense at all here. But it's quite strange that the same binary wants extra permissions while using the same starting options from tor-service-defaults-torrc; the init.d file remains the same too. And it makes no difference here at all whether tor is started using /etc/init.d/tor or using the 'service' command, since tor status will always be "not running" because apparmor prevents tor from starting. And tor-service-defaults-torrc-instances is just a dump file now, since all the logic is included in the tor-service-defaults-tor file.
I was able to fix the issue by adding
owner /var/lib/tor/ r, in /etc/apparmor.d/system_tor
A possible reason is that tor now checks that it can read the directory right before writing to it directly, and this prevents tor from starting with the current apparmor profile in the tor package.
After the fix tor starts without any problem, but I have a warning:
apparmor="DENIED" operation="open" profile="system_tor" name="/run/tor/" pid=45755 comm="tor" requested_mask="r" denied_mask="r"
I tried adding /{,var/}run/tor/ r, or /run/tor/ r, to the /etc/apparmor.d/system_tor file, but the warning remains.
It would be great if the package could be updated with the fix.
Actually, some of them may not need to get 'fixed' before the rc, but I believe that they should either get fixed, or we should have a good explanation of why they don't need to get fixed.
> I was able to fix the issue by adding
> owner /var/lib/tor/ r, in /etc/apparmor.d/system_tor
> A possible reason is that tor now checks that it can read the directory right before writing to it directly, and this prevents tor from starting with the current apparmor profile in the tor package.
Interesting. Apparently this is now a problem because we changed from directly stat()ing the directory to open()ing it [R1]. So, I think it may be necessary to explicitly allow reading /var/lib/tor/. I thought lunar may be correct about the uid, but we do drop privs before we start playing with the data dir.
So, if I may make a suggestion, there are (at least) two choices for changing the system_tor profile.
1)
These should both provide the needed access, but the first one also allows the writing and locking privs for the directory, so tor could delete and lock the directory, too. Maybe that's not wanted, so 2 is better.
[R1] f48c607fd970aedaf0180a0a23b04eb5101abca0
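As an added example (not code from this ticket, from the Tor package or from its AppArmor profile), here is a small Python helper that parses audit lines in the format quoted above and derives the narrowest file rule that would satisfy each denial: it grants only the denied mask (here 'r', not the broader 'rwk' discussed above) and keeps the 'owner' qualifier only when the log proves the accessing uid owns the object (fsuid == ouid). The sample lines are constructed after the ones quoted in the ticket; all function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit lines, modelled on the two denials quoted in this ticket.
SAMPLE_DENIALS = [
    'apparmor="DENIED" operation="open" profile="system_tor" name="/var/lib/tor/" '
    'pid=9747 comm="tor" requested_mask="r" denied_mask="r" fsuid=120 ouid=120',
    'apparmor="DENIED" operation="open" profile="system_tor" name="/run/tor/" '
    'pid=45755 comm="tor" requested_mask="r" denied_mask="r"',
]

# key="quoted value" or key=bareword, as emitted by the apparmor audit backend
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into a key/value dict; None if it is not a DENIED event."""
    fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in _KV.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rule(fields: Dict[str, str]) -> str:
    """Return the least-privilege file rule for one denial.

    Only the denied mask is granted. 'owner' is added only when the log shows the
    process uid (fsuid) equals the object owner (ouid); when ouid is absent we cannot
    tell, so the rule is left unqualified and should be reviewed by hand.
    """
    mask = fields.get("denied_mask") or fields["requested_mask"]
    same_owner = fields.get("fsuid") is not None and fields.get("fsuid") == fields.get("ouid")
    return f'{"owner " if same_owner else ""}{fields["name"]} {mask},'


def rules_for_profile(lines: List[str], profile: str) -> List[str]:
    """Deduplicated, ordered list of suggested rules for one AppArmor profile."""
    seen, out = set(), []
    for line in lines:
        f = parse_denial(line)
        if f and f.get("profile") == profile:
            rule = suggest_rule(f)
            if rule not in seen:
                seen.add(rule)
                out.append(rule)
    return out
```

Feed it real lines from /var/log/audit/audit.log or the kernel log and review each suggested rule before adding it to the profile and reloading it.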
> After the fix tor starts without any problem, but I have a warning:
> apparmor="DENIED" operation="open" profile="system_tor" name="/run/tor/" pid=45755 comm="tor" requested_mask="r" denied_mask="r"
> I tried adding /{,var/}run/tor/ r, or /run/tor/ r, to the /etc/apparmor.d/system_tor file, but the warning remains.
Ricky_Martin, does tor's logfile show any warning message for this? Usually /run/tor/ is only used for tor's pidfile and a unix control socket and friends. I don't see where we open the /run/tor/ directory, we always open the full filepath directly and emit a warning log message on failure. In general, /run/tor/ is created by the init script, so it's safe-ish for tor to blindly assume it exists. Do you have any non-standard config options in the torrc that use /run/tor?
> It would be great if the package could be updated with the fix.
Thanks for reporting this, but please be patient with us next time and please answer our stupid questions. We try to avoid jumping to conclusions about the cause of a problem and sometimes bugs like this are a user-error rather than programming, and sometimes the answers give us a hint even if the information seems irrelevant.
Trac: Reviewer: N/A to N/A; Status: new to needs_information