Opened 9 months ago
Closed 9 months ago
#26202 closed defect (invalid)
Packaged apparmor settings break tor within LXD containers
Reported by: | b | Owned by: | |
---|---|---|---|
Priority: | Medium | Milestone: | Tor: 0.3.4.x-final |
Component: | Core Tor/Tor | Version: | Tor: 0.3.3.6 |
Severity: | Normal | Keywords: | lxc lxd apparmor 033-backport, 032-backport, 031-backport, 029-backport, 034-backport |
Cc: | | Actual Points: | |
Parent ID: | | Points: | |
Reviewer: | | Sponsor: | |
Description
The packaged apparmor settings in the latest (0.3.3.6-1) .deb packages provided via torproject.org will stop the tor service from starting up in at least Xenial (16.04) and Bionic (18.04) containers on Ubuntu, using the latest LXD snap.
The machine hosting the container will see this in its syslog/auditlog:
May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000
The fix is a simple one-character change in the /etc/apparmor.d/abstractions/tor file installed by the tor package, where the line `/usr/bin/tor r,` simply needs to change to `/usr/bin/tor mr,`.
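An added check script, not part of this ticket or of the Tor or Debian packaging, that parses a host-side AppArmor "DENIED" line like the one above and tests whether the abstraction file's rule for the denied path already grants the denied mask. The function names and the sample data are constructed for this example; it assumes a POSIX shell with sed and awk.

```shell
#!/bin/sh
# Constructed sample: the denial line from the ticket's host syslog.
SAMPLE_DENIAL='May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000'

# Extract one key="value" field from an AppArmor audit line ($1 = line, $2 = key).
audit_field() {
  printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print the permission string the abstraction file grants a path
# ($1 = file, $2 = path), e.g. "r" or "mr"; prints nothing if there is no rule.
rule_perms() {
  awk -v p="$2" '$1 == p { sub(/,$/, "", $2); print $2; exit }' "$1"
}

# Succeed only if every character of the denied mask ($2) is in the rule perms ($1).
mask_covered() {
  rest=$2
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}        # first character of the remaining mask
    rest=${rest#?}
    case "$1" in *"$c"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Compare a denial line ($1) against an abstraction file ($2).
# Exit 0 if the rule already covers the denied mask, 1 if it must be extended.
check_denial() {
  path=$(audit_field "$1" name)
  mask=$(audit_field "$1" denied_mask)
  perms=$(rule_perms "$2" "$path")
  if mask_covered "$perms" "$mask"; then
    printf 'OK: %s has "%s", which covers denied mask "%s"\n' "$path" "$perms" "$mask"
    return 0
  fi
  printf 'MISSING: %s has "%s", denied mask "%s"; rule should read "%s %s%s,"\n' \
    "$path" "$perms" "$mask" "$path" "$mask" "$perms"
  return 1
}

# Usage: check_tor_apparmor.sh '<audit line>' /etc/apparmor.d/abstractions/tor
# With no arguments nothing runs, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
  check_denial "$1" "$2"
fi
```

On the ticket's data the script reports the rule `/usr/bin/tor r,` as missing `m` and suggests `/usr/bin/tor mr,`, the same change the report proposes.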
Child Tickets
Change History (3)
comment:1 Changed 9 months ago by
Component: | - Select a component → Core Tor/Tor |
---|---|
Keywords: | 033-backport 032-backport 031-backport 029-backport 034-backport added |
Milestone: | → Tor: 0.3.4.x-final |
Status: | new → needs_review |
comment:2 Changed 9 months ago by
To be clearer, this appears to be the source:
https://gitweb.torproject.org/debian/tor.git/tree/debian/tor.apparmor-profile.abstraction?h=master
comment:3 Changed 9 months ago by
Resolution: | → invalid |
---|---|
Status: | needs_review → closed |
Ok, since this is a Debian bug, it needs to be fixed in the Debian package.
Please report the bug and the suggested fix on the Debian bug tracker at https://bugs.debian.org
I think we should backport this simple change all the way back to 0.2.9.
If this change doesn't apply to the upstream apparmor file at https://gitweb.torproject.org/tor.git , then this bug report is about the downstream Debian apparmor file, and needs to be opened on the Debian bug tracker instead.