Opened 19 months ago

Closed 14 months ago

Last modified 14 months ago

#24203 closed defect (fixed)

AppArmor default config blocks Snowflake from running with system tor

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Major
Keywords: snowflake
Cc: dcf, arlolra
Actual Points:
Parent ID: #19409
Points:
Reviewer:
Sponsor:

Description

(This isn't a problem with Snowflake itself so putting Core Tor as component.)

Steps to reproduce:

  1. Copy and paste snowflake-client from /Browser/TorBrowser/Tor/PluggableTransports to /usr/bin.
  2. Add UseBridges 1, ClientTransportPlugin snowflake exec /usr/bin/snowflake-client, as well as Bridge snowflake 0.0.3.0:1 2B280B23E1107BB62ABFC40DDCC8824814F80A72 to torrc.
  3. sudo service tor restart
  4. Looking at the task manager I don't see that snowflake is running as a process. This most likely means that it was blocked from launching due to the AppArmor profile distributed with Tor.

OS: Ubuntu 17.10. /etc/apt/sources.list has Tor Project repositories. Tor 0.3.2.x-alpha was used when testing.

Child Tickets

Change History (14)

comment:1 Changed 19 months ago by dgoulet

Milestone: Tor: unspecified

comment:2 Changed 19 months ago by cypherpunks

Somewhat related: #23742

comment:3 Changed 18 months ago by cypherpunks

This seems to be the error when trying to launch it:

ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

(Note: I had already added /usr/bin/snowflake ix, in the last line of /etc/apparmor.d/abstractions/tor)

comment:4 Changed 18 months ago by cypherpunks

Summary: Snowflake can't be configured to run with system tor because of AppArmor → Snowflake can't be configured to run with system tor: ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

comment:5 in reply to: 3; Changed 18 months ago by dcf

Replying to cypherpunks:

> This seems to be the error when trying to launch it:
>
> ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

There might be some other problem in your setup. That ENV-ERROR comes from pt.MakeStateDir. But snowflake-client doesn't call pt.MakeStateDir; only snowflake-server does. Are you sure you copied the client to /usr/bin, and not the server? (Your comment:3 refers to /usr/bin/snowflake, but the ticket description refers to /usr/bin/snowflake-client.)

snowflake-server wants access to $TOR_PT_STATE_LOCATION because that's where it caches its TLS certificates and keys.

In any case, the problem is not that the executable was blocked from launching, because the error message comes from code inside the pluggable transport, not from tor.

comment:6 Changed 18 months ago by arlolra

> There might be some other problem in your setup. That ENV-ERROR comes from pt.MakeStateDir. But snowflake-client doesn't call pt.MakeStateDir;

At least some point in the past it did, see: https://github.com/keroserene/snowflake/commit/12922a232ba63bd8d94c92ced32e23aa2fb055ed

comment:7 in reply to: 5; Changed 18 months ago by cypherpunks

Replying to dcf:

> There might be some other problem in your setup. That ENV-ERROR comes from pt.MakeStateDir. But snowflake-client doesn't call pt.MakeStateDir; only snowflake-server does. Are you sure you copied the client to /usr/bin, and not the server? (Your comment:3 refers to /usr/bin/snowflake, but the ticket description refers to /usr/bin/snowflake-client.)

Yes (I copied snowflake-client from a Tor Browser alpha directory and renamed it to snowflake in my case).

comment:8 Changed 15 months ago by dcf

Status: new → needs_information

cypherpunks, what version of Tor Browser did you copy snowflake-client from? And does Snowflake work inside Tor Browser (not with system tor)? I ask because I tried with tor-browser-linux64-7.5a4_en-US.tar.xz and I didn't get the ENV-ERROR from comment:3; rather I got the libatomic error from #24465/#25087:

# /usr/bin/snowflake-client -h
/usr/bin/snowflake-client: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory

This is what I did:

  • wget http://archive.ubuntu.com/ubuntu/dists/artful/main/installer-amd64/current/images/netboot/mini.iso
  • qemu-img create -f qcow2 ubuntu.hda 5G
  • kvm -cpu host -hda ubuntu.hda -cdrom mini.iso -k en-us -m 2G and install, halt
  • kvm -cpu host -hda ubuntu.hda -k en-us -m 2G

Inside the VM:

  • sudo apt-get install tor
  • wget https://archive.torproject.org/tor-package-archive/torbrowser/7.5a4/tor-browser-linux64-7.5a4_en-US.tar.xz
  • tar xf tor-browser-linux64-7.5a4_en-US.tar.xz
  • sudo cp tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client /usr/bin
  • sudo chmod +rx /usr/bin/snowflake-client
  • Edit /etc/tor/torrc:
    UseBridges 1
    ClientTransportPlugin snowflake exec /usr/bin/snowflake-client
    Bridge snowflake 0.0.3.0:1
  • sudo service tor restart (Note I hadn't changed apparmor settings yet.) /var/log/syslog shows
    Could not launch managed proxy executable at '/usr/bin/snowflake-client' ('Permission denied').
  • Add to /etc/apparmor.d/abstractions/tor:
      /usr/bin/snowflake-client ix,
  • sudo service apparmor restart
  • sudo service tor restart Now I get the expected error:
    The communication stream of managed proxy '/usr/bin/snowflake-client' is 'closed'. Most probably the managed proxy stopped running. This might be a bug of the managed proxy, a bug of Tor, or a misconfiguration. Please enable logging on your managed proxy and check the logs for errors.
  • /usr/bin/snowflake-client -h
    /usr/bin/snowflake-client: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory

comment:9 Changed 15 months ago by cypherpunks

Status: needs_information → new
Summary: Snowflake can't be configured to run with system tor: ENV-ERROR no TOR_PT_STATE_LOCATION environment variable → AppArmor default config blocks Snowflake from running with system tor

Thanks dcf, that was so helpful! 😊

> what version of Tor Browser did you copy snowflake-client from?

Since this was 3 months ago I guess I had copied it from a Tor Browser 7.5a8.

> And does Snowflake work inside Tor Browser (not with system tor)?

Yes.

I already have the libatomic1 package installed so that's not the problem. After retrying the steps you followed, I figured out that the missing step was to do:

sudo chmod +rx /usr/bin/snowflake-client

After that system Tor correctly bootstraps and works fine and I can see snowflake in the task manager!!! 🎉🎉

However, when I launch ./snowflake-client from the command line I do get the error:

ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

So I had assumed that this may have been the error.

In any case, the /etc/apparmor.d/abstractions/tor changes for snowflake are necessary and should be added when #19409 is ready.

comment:10 Changed 15 months ago by cypherpunks

Parent ID: #19409

comment:11 in reply to: 9; Changed 18 months ago by arlolra

> However, when I launch ./snowflake-client from the command line I do get the error:
>
> ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

As mentioned above, we're currently pegged at 9f2e9a6ecb696149708716ca06ce842df03cf492,

https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/snowflake/config#n4

which wants to create the log file in the state dir,
https://github.com/keroserene/snowflake/blob/9f2e9a6ecb696149708716ca06ce842df03cf492/client/snowflake.go#L125-L133

This will continue to be a problem until we bump the version.
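A few shell helpers, added here and not part of the ticket, that check the three things the thread needed before snowflake-client ran under system tor (the executable bit from comment:8/comment:9, the AppArmor abstraction rule, and the pt-spec environment that tor sets but a bare shell launch omits, which is the ENV-ERROR in comment:9/comment:11). The environment variable names come from the pluggable transport spec; all paths are parameters and the test inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket: checks for the three things this thread
# needed before snowflake-client ran under system tor. Paths are parameters.

# The missing step from comment:9: the copied binary must be executable.
pt_binary_ok() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Does the AppArmor abstraction (e.g. /etc/apparmor.d/abstractions/tor) already
# let tor exec the binary under tor's own profile ("ix" = inherit)?
# Usage: apparmor_allows_exec ABSTRACTION_FILE /path/to/binary
apparmor_allows_exec() {
    grep -qF -- "$2 ix," "$1"
}

# Append the rule once; safe to re-run (no duplicate lines).
apparmor_ensure_exec() {
    apparmor_allows_exec "$1" "$2" || printf '  %s ix,\n' "$2" >> "$1"
}

# Launch a PT client the way tor's managed-proxy launcher does: with the
# pt-spec environment set, including TOR_PT_STATE_LOCATION, which the pinned
# client in comment:11 needs for its log file. Running the binary bare from a
# shell omits these variables, which is exactly the ENV-ERROR seen above.
# A real client then prints its VERSION/CMETHOD lines and keeps running until
# interrupted, so this is only for debugging a launch by hand.
# Usage: run_pt_like_tor /usr/bin/snowflake-client /var/lib/tor/pt_state snowflake
run_pt_like_tor() {
    bin=$1; state_dir=$2; transport=${3:-snowflake}
    mkdir -p "$state_dir"
    env TOR_PT_MANAGED_TRANSPORT_VER=1 \
        TOR_PT_STATE_LOCATION="$state_dir" \
        TOR_PT_CLIENT_TRANSPORTS="$transport" \
        "$bin"
}
```

Against the real /etc/apparmor.d/abstractions/tor the ensure function needs root and must be followed by sudo service apparmor restart, as in comment:8.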

comment:12 Changed 14 months ago by arlolra

Resolution: fixed
Status: new → closed

> This will continue to be a problem until we bump the version.

Should be resolved by #25449

comment:13 Changed 14 months ago by cypherpunks

Aren't the /etc/apparmor.d/abstractions/tor changes still needed?

comment:14 Changed 14 months ago by arlolra

Yes, but I assumed that was part of #19409
