Packaged apparmor settings break tor within LXD containers

[b]

The packaged apparmor settings in the latest (0.3.3.6-1) .deb packages provided via torproject.org will stop the tor service from starting up in at least Xenial (16.04) and Bionic (18.04) containers on Ubuntu, using the latest LXD snap.

The machine hosting the container will see this in its syslog/auditlog:

May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000

The fix is a simple one-character change in the /etc/apparmor.d/abstractions/tor file installed by the tor package, where the line /usr/bin/tor r, simply needs to change to /usr/bin/tor mr,.

[teor]

I think we should backport this simple change all the way back to 0.2.9.

If this change doesn't apply to the upstream apparmour file at ​https://gitweb.torproject.org/tor.git , then this bug report is about the downstream Debian apparmour file, and needs to be opened on the Debian bug tracker instead.

[b]

To be clearer, this appears to be the source:

​https://gitweb.torproject.org/debian/tor.git/tree/debian/tor.apparmor-profile.abstraction?h=master

[teor]

Ok, since this is a Debian bug, it needs to be fixed in th Debian package.

Please report the bug and the suggested fix on the Debian bug tracker at ​https://bugs.debian.org