Opened 3 years ago

Last modified 18 months ago

#22860 new defect

Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification

Reported by: ccppuu
Owned by:
Priority: Medium
Milestone:
Component: Circumvention/Pluggable transport
Version:
Severity: Major
Keywords: apparmor, obfs4proxy, tor-pt
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Moving the discussion from to avoid recycling an old issue.

As reported by @alimj in #14014, on an Ubuntu 16.04 system with Tor (git-100816d92ab5664d), the latest release at the time of writing, AppArmor will block obfs4proxy from operating unless the /etc/apparmor.d/abstractions/tor entries for the obfs4proxy binaries are changed from PUx to ix.

Streisand is currently carrying a workaround patch that I would love to remove :-)

Frustratingly, while this fix works, I can't easily demonstrate that it is required. I've increased the verbosity of the tor daemon to debug and don't see any failure messages, but configuring a tor browser client fails. I've also tried updating my torrc ServerTransportPlugin config line to add --enableLogging -logLevel=debug to the obfs4 exec, but it doesn't seem to produce any logs indicating failure either, probably because apparmor is preventing it from executing at all. I also don't see any audit messages from the apparmor profile in dmesg or the systemd journal. Changing the abstractions file entries to ix and running apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor is enough to fix the configured Tor browser client that fails without the modification.

How can I help resolve this bug upstream? Is there someone more familiar with AppArmor who could explain the intention of the PUx modifiers present in the Debian package's abstractions file? I do not have much experience debugging tor and would happily provide more information with guidance.

Thanks! -- @cpu
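
To see which exec transition mode an abstractions file gives the pluggable-transport binaries (the PUx versus ix difference described in the report above), a script along these lines can be pointed at /etc/apparmor.d/abstractions/tor. It is an added example, not part of the original ticket or of the Debian package; the sample rules and binary paths in it are constructed, and the mode descriptions follow apparmor.d(5).

```shell
#!/bin/sh
# Added example, not from the ticket: list the exec transition mode of the
# pluggable-transport rules in an AppArmor abstractions file.

# One-line meaning of an exec mode, per apparmor.d(5).
describe_exec_mode() {
    case "$1" in
        ix)      echo "inherit: child runs under the caller's profile" ;;
        PUx|pux) echo "own profile if loaded, otherwise unconfined" ;;
        Pix|pix) echo "own profile if loaded, otherwise inherit" ;;
        Px|px)   echo "own profile required, exec denied if none is loaded" ;;
        Ux|ux)   echo "unconfined" ;;
        *)       echo "unrecognised exec mode" ;;
    esac
}

# Print "path mode" for each rule whose path ends in obfsproxy or obfs4proxy.
pt_exec_rules() {
    awk '
        /^[ \t]*#/ { next }               # skip commented-out rules
        $1 ~ /\/obfs4?proxy$/ {
            perms = $2
            sub(/,$/, "", perms)          # drop the rule terminator
            gsub(/[rwamkl]/, "", perms)   # keep only the exec mode
            print $1, perms
        }
    ' "$1"
}

# Human-readable report for one file.
audit_pt_rules() {
    pt_exec_rules "$1" | while read -r path mode; do
        printf '%s: %s (%s)\n' "$path" "$mode" "$(describe_exec_mode "$mode")"
    done
}

# Constructed sample; the binary paths are assumptions, not quoted from the ticket.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  # /usr/bin/obfs4proxy ix,
  /usr/bin/obfsproxy PUx,
  /usr/bin/obfs4proxy PUx,
  /etc/tor/* r,
EOF
audit_pt_rules "${1:-$sample}"
rm -f "$sample"
```

Run with a file path as the first argument to audit that file instead of the constructed sample.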

Change History (6)

comment:1 Changed 3 years ago by cypherpunks

Severity: Minor → Major

Upping the severity.

comment:2 Changed 3 years ago by dgoulet

Component: Core Tor → Core Tor/Tor
Keywords: tor-pt added; obfsproxy removed
Milestone: Tor: 0.3.2.x-final

comment:3 Changed 3 years ago by nickm

Component: Core Tor/Tor → Obfuscation/Pluggable transport
Milestone: Tor: 0.3.2.x-final
Owner: set to asn

This looks like a PT bug to me, not a Tor bug?

comment:4 Changed 2 years ago by traumschule

group tickets related to AppArmorForTBB/tor packages

comment:5 Changed 19 months ago by teor

Owner: asn deleted
Status: new → assigned

asn does not need to own any obfuscation tickets any more. Default owners are trouble.

comment:6 Changed 18 months ago by cohosh

Status: assigned → new

tickets were assigned to asn, setting them as unassigned (new) again.
