Opened 4 years ago

Closed 4 years ago

#18370 closed defect (fixed)

Apparmor prevents last tor build from starting

Reported by: Ricky_Martin Owned by:
Priority: Medium Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor Version: Tor: 0.2.8.1-alpha
Severity: Normal Keywords:
Cc: weasel Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

tor_0.2.8.1-alpha-dev-20160222T073925Z package is broken
Directory /var/lib/tor cannot be read: Permission denied
Failed to parse/validate config: Couldn't access/create private data directory "/var/lib/tor"
Reading config failed--see warnings above.
apparmor="DENIED" operation="open" profile="system_tor" name="/var/lib/tor/" pid=9747 comm="tor" requested_mask="r" denied_mask="r" fsuid=120 ouid=120
previous build worked without trouble
Also file tor-service-defaults-torrc-instances can be totally removed from package.

Child Tickets

Change History (13)

comment:1 Changed 4 years ago by Ricky_Martin

Issue with 20160222T192222Z too. 20160222T192222Z looks like automatic build, only binary changed.

comment:2 Changed 4 years ago by nickm

Where are you getting this package from? What OS are you running on?

comment:3 Changed 4 years ago by Ricky_Martin

tor_0.2.8.1-alpha-dev-20160223T051406Z broken too, another auto build
deb.torproject.org/torproject.org tor-nightly-master-trusty main

Last edited 4 years ago by Ricky_Martin (previous) (diff)

comment:4 Changed 4 years ago by nickm

Cc: weasel added
Milestone: Tor: 0.2.8.x-final
Priority: HighMedium

comment:5 Changed 4 years ago by weasel

Please answer all of the following questions (some of them nick asked previously, and you didn't answer them then)

  • which OS
  • which kernel
  • on what kind of system (hw/vps/..)
  • how are you starting tor
  • what does "service tor status" say
  • what does "service tor@default status" say
  • Please argue your drive-by comment that claims tor-service-defaults-torrc-instances "can be totally removed from package".

comment:6 Changed 4 years ago by lunar

In /etc/apparmor.d/system_tor, change the following line:
owner /varlib/tor/** rwk,
by:
/var/lib/tor/** rwk,
and the service should start.

I think the changes related to DataDirectory handling make that it's read before switching the user to debian-tor, hence AppArmor denied the read.

comment:7 in reply to:  5 Changed 4 years ago by Ricky_Martin

Replying to lunar:

In /etc/apparmor.d/system_tor, change the following line:
owner /varlib/tor/** rwk,
by:
/var/lib/tor/** rwk,
and the service should start.

I think the changes related to DataDirectory handling make that it's read before switching the user to debian-tor, hence AppArmor denied the read.

I tried it but issue remains after apparmor profile reload.

Replying to weasel:

Please answer all of the following questions (some of them nick asked previously, and you didn't answer them then)

  • which OS
  • which kernel
  • on what kind of system (hw/vps/..)
  • how are you starting tor
  • what does "service tor status" say
  • what does "service tor@default status" say
  • Please argue your drive-by comment that claims tor-service-defaults-torrc-instances "can be totally removed from package".

Line provided above already includes OS (trusty - Ubuntu 14.04) and possible kernels: since trusty supports only 3 kernel versions now but in contents of fast security support only two, LTS hw stack from wily and default trusty 3.13.x kernel. Forgive me my rudeness, but its obvious that problem related to current apparmor profile and abstractions provided with package.
And kernel version makes no sense at all here. But its quite strange that same binary wants extra permissions, but using the same starting options from tor-service-defaults-torrc, init.d file remains the same too. And it makes no difference here at all starting tor using /etc/init.d/tor or using 'service' command. Since tor status will be always "not running" since apparmor prevents tor from starting. And tor-service-defaults-torrc-instances is just a dump file now, since all logic included in tor-service-defaults-tor file.

comment:8 Changed 4 years ago by weasel

Thank you for not answering the questions. They are asked because sometimes the answers are relevant.

comment:9 Changed 4 years ago by Ricky_Martin

Was able to fix issue with adding
owner /varlib/tor/ r, in /etc/apparmor.d/system_tor
Possible reason can be that now tor checking directory reading right before writing to directory directly. And this prevents tor from starting with current apparmor profile in tor package.
After fix tor starting without any problem, but I have warning:
apparmor="DENIED" operation="open" profile="system_tor" name="/run/tor/" pid=45755 comm="tor" requested_mask="r" denied_mask="r"
I tried adding /{,var/}run/tor/ r, or /run/tor/ r, to /etc/apparmor.d/system_tor file, but warning remains.
Will be great if package will be updated with fix.

Last edited 4 years ago by Ricky_Martin (previous) (diff)

comment:10 Changed 4 years ago by nickm

Keywords: must-fix-before-028-rc added

Marking these as must-fix-before-028-rc.

Actually, some of them may not need to get 'fixed' before the rc, but I believe that they should either get fixed, or we should have a good explanation of why they don't need to get fixed.

comment:11 in reply to:  9 Changed 4 years ago by sysrqb

Status: newneeds_information

Replying to Ricky_Martin:

Was able to fix issue with adding
owner /varlib/tor/ r, in /etc/apparmor.d/system_tor
Possible reason can be that now tor checking directory reading right before writing to directory directly. And this prevents tor from starting with current apparmor profile in tor package.

Interesting. Apparently this is now a problem because we changed from directly stat()ing the directory to open()ing it [R1]. So, I think it may be necessary to explicitly allow reading /var/lib/tor/. I thought lunar may be correct about the uid, but we do drop privs before we start playing with the data dir.

So, If I may make a suggestion, there are (at least) two choices for changing the system_tor profile.

1)

- owner /var/lib/tor/** rwk,
+ owner /var/lib/tor/{,**} rwk,

2) (as suggested by Ricky_Martin)

  owner /var/lib/tor/** rwk,
+ owner /var/lib/tor/ r,

These should both provide the needed access, but the first one also allows the writing and locking privs for the directory, so tor could delete and lock the directory, too. Maybe that's not wanted, so 2 is better.

[R1] f48c607fd970aedaf0180a0a23b04eb5101abca0

After fix tor starting without any problem, but I have warning:
apparmor="DENIED" operation="open" profile="system_tor" name="/run/tor/" pid=45755 comm="tor" requested_mask="r" denied_mask="r"
I tried adding /{,var/}run/tor/ r, or /run/tor/ r, to /etc/apparmor.d/system_tor file, but warning remains.

Ricky_Martin, does tor's logfile show any warning message for this? Usually /run/tor/ is only used for tor's pidfile and a unix control socket and friends. I don't see where we open the /run/tor/ directory, we always open the full filepath directly and emit a warning log message on failure. In general, /run/tor/ is created by the init script, so it's safe-ish for tor to blindly assume it exists. Do you have any non-standard config options in the torrc that use /run/tor?

Will be great if package will be updated with fix.

Thanks for reporting this, but please be patient with us next time and please answer our stupid questions. We try to avoid jumping to conclusions about the cause of a problem and sometimes bugs like this are a user-error rather than programming, and sometimes the answers give us a hint even if the information seems irrelevant.

comment:12 Changed 4 years ago by nickm

Keywords: must-fix-before-028-rc removed

comment:13 Changed 4 years ago by weasel

Resolution: fixed
Status: needs_informationclosed

fixed in d8a70b09fe7194c8d1e09e3fdd46665df8351442

Note: See TracTickets for help on using tickets.