Opened 12 months ago

Last modified 9 months ago

#19426 new enhancement

meek-client on ubuntu requires apparmor profile adjustment for system_tor

Reported by: 6h72Q484AddGha8H
Owned by: dcf
Priority: Low
Milestone:
Component: Obfuscation/meek
Version:
Severity: Minor
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

meek-client

$ apt-cache policy tor
tor:
  Installed: 0.2.7.6-1ubuntu1

$ apt-cache policy meek-client
meek-client:
  Installed: 0.20+git20151006-1
  Candidate: 0.20+git20151006-1
  Version table:
 * 0.20+git20151006-1 500
        500 https://people.debian.org/~infinity0/apt unstable/contrib amd64 Packages
$ dmesg | tail -n 1
[ 2553.433359] audit: type=1400 audit(1466045658.589:84): apparmor="DENIED" operation="open" profile="system_tor" name="/proc/sys/net/core/somaxconn" pid=7983 comm="meek-client" requested_mask="r" denied_mask="r" fsuid=117 ouid=0

You need to add the following to your config at /etc/apparmor.d/system_tor:

/proc/sys/net/core/somaxconn r,

This allows meek-client to read the procfs setting when called by tor.
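
The step from the audit denial to the profile rule can be automated. The following is an added example, not code from this ticket or from the meek or AppArmor projects: it parses AppArmor audit lines and prints the file rules that would clear each denial. The function names and the simplified mask-to-permission mapping are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted in the ticket, line 2 is
# a constructed repeat of it, line 3 is a constructed non-denial status event.
SAMPLE_LOG = """\
[ 2553.433359] audit: type=1400 audit(1466045658.589:84): apparmor="DENIED" operation="open" profile="system_tor" name="/proc/sys/net/core/somaxconn" pid=7983 comm="meek-client" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 2560.101202] audit: type=1400 audit(1466045665.257:85): apparmor="DENIED" operation="open" profile="system_tor" name="/proc/sys/net/core/somaxconn" pid=7990 comm="meek-client" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
[ 2561.000131] audit: type=1400 audit(1466045666.156:86): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="system_tor" pid=8001 comm="apparmor_parser"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letter -> profile permission; create (c) and delete (d) fall under "w".
MASK_TO_PERM = dict(zip("rwacdklm", "rwawwklm"))

def parse_event(line):
    """Return the key=value fields of one audit line as a dict."""
    event = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and bare:
            try:  # unquoted names are hex-encoded by the audit subsystem
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        event[key] = quoted or bare
    return event

def suggest_rules(log_text):
    """Map each profile name to the file rules that would clear its denials."""
    perms = defaultdict(set)  # (profile, path) -> permission letters
    for line in log_text.splitlines():
        ev = parse_event(line)
        path = ev.get("name", "")
        if ev.get("apparmor") != "DENIED" or "profile" not in ev or not path.startswith("/"):
            continue
        for letter in ev.get("denied_mask", ""):
            if letter in MASK_TO_PERM:  # "x" is skipped: exec mode is a manual choice
                perms[(ev["profile"], path)].add(MASK_TO_PERM[letter])
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        if "w" in letters:
            letters.discard("a")  # a profile rule cannot carry both w and a
        mode = "".join(p for p in "rwaklm" if p in letters)
        shown = f'"{path}"' if " " in path else path
        rules[profile].append(f"{shown} {mode},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n  ")
```

Review each suggested rule before adding it to the profile, since a denial may reflect behaviour that should stay blocked. After editing /etc/apparmor.d/system_tor, reload the profile with `apparmor_parser -r /etc/apparmor.d/system_tor`.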

Change History (9)

comment:1 Changed 12 months ago by cypherpunks

  • Component changed from - Select a component to Internal Services/Service - deb.tpo
  • Owner set to weasel

comment:2 Changed 12 months ago by weasel

  • Resolution set to invalid
  • Status changed from new to closed

The deb.tpo component is not for bugs against packages on deb.tpo.

comment:3 Changed 12 months ago by cypherpunks

  • Component changed from Internal Services/Service - deb.tpo to - Select a component
  • Resolution invalid deleted
  • Status changed from closed to reopened

I'm sorry for using the wrong component. Which component would be appropriate instead?

comment:4 Changed 11 months ago by infinity0

Hi, I'm (1) still an apparmor noob, (2) a bit hesitant to continue working on meek since David is ignoring my suggested changes to make it more generic (see #12716) and (3) don't have a lot of spare time to dedicate at the moment.

However, if you'd like to fix this yourself, send me a PR here:

https://github.com/infinity0/meek/pulls

I'd be happy to review it, merge it, and then build updated packages.

comment:5 Changed 11 months ago by arma

  • Owner weasel deleted
  • Status changed from reopened to assigned

comment:6 Changed 11 months ago by arma

  • Status changed from assigned to new

comment:7 follow-up: Changed 11 months ago by arma

  • Component changed from - Select a component to Obfuscation/meek
  • Owner set to dcf

I'm trying the meek component here -- it isn't perfect but we don't have a better one. (Unless the better one is the ubuntu bug tracker? Is this meek-client thing in ubuntu itself? If so then that's probably the best place for this ticket.)

comment:8 Changed 9 months ago by 6h72Q484AddGha8H

@arma -- no, meek-client is coming from infinity0's repository at:

https://people.debian.org/~infinity0/apt

comment:9 in reply to: ↑ 7 Changed 9 months ago by 6h72Q484AddGha8H

Replying to arma:

> I'm trying the meek component here -- it isn't perfect but we don't have a better one. (Unless the better one is the ubuntu bug tracker? Is this meek-client thing in ubuntu itself? If so then that's probably the best place for this ticket.)

@arma -- no, meek-client is coming from infinity0's repository at:

https://people.debian.org/~infinity0/apt
