Opened 2 years ago

Closed 2 years ago

#26202 closed defect (invalid)

Packaged apparmor settings break tor within LXD containers

Reported by: b Owned by:
Priority: Medium Milestone: Tor: 0.3.4.x-final
Component: Core Tor/Tor Version: Tor:
Severity: Normal Keywords: lxc lxd apparmor 033-backport, 032-backport, 031-backport, 029-backport, 034-backport
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The packaged apparmor settings in the latest ( .deb packages provided via will stop the tor service from starting up in at least Xenial (16.04) and Bionic (18.04) containers on Ubuntu, using the latest LXD snap.

The machine hosting the container will see this in its syslog/auditlog:

May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000

The fix is a simple one-character change in the /etc/apparmor.d/abstractions/tor file installed by the tor package, where the line /usr/bin/tor r, simply needs to change to /usr/bin/tor mr,.

Child Tickets

Change History (3)

comment:1 Changed 2 years ago by teor

Component: - Select a componentCore Tor/Tor
Keywords: 033-backport 032-backport 031-backport 029-backport 034-backport added
Milestone: Tor: 0.3.4.x-final
Status: newneeds_review

I think we should backport this simple change all the way back to 0.2.9.

If this change doesn't apply to the upstream apparmour file at , then this bug report is about the downstream Debian apparmour file, and needs to be opened on the Debian bug tracker instead.

comment:3 Changed 2 years ago by teor

Resolution: invalid
Status: needs_reviewclosed

Ok, since this is a Debian bug, it needs to be fixed in th Debian package.

Please report the bug and the suggested fix on the Debian bug tracker at

Note: See TracTickets for help on using tickets.