Packaged apparmor settings break tor within LXD containers
The packaged apparmor settings in the latest (0.3.3.6-1) .deb packages provided via torproject.org will stop the tor service from starting up in at least Xenial (16.04) and Bionic (18.04) containers on Ubuntu, using the latest LXD snap.
The machine hosting the container will see this in its syslog/auditlog:
May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000
The fix is a simple one-character change in the /etc/apparmor.d/abstractions/tor file installed by the tor package: the line /usr/bin/tor r, needs to change to /usr/bin/tor mr, (the added m grants the executable-mmap permission that the file_mmap denial above reports as missing).
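An added check, not part of the tor package or this ticket, that parses the denial line quoted above and tests whether an abstraction file already grants the denied mask for the named path; audit_field, suggest_rule and rule_grants are hypothetical helper names.

```shell
#!/bin/sh
# Added helper (not from the tor package or the bug report): parse an
# AppArmor "DENIED" audit line and check whether an abstraction file
# already grants the denied permission for that path.

# audit_field LINE KEY: print the value of KEY="..." in an audit line.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\([^\"]*\)\".*/\1/p"
}

# suggest_rule LINE: print the rule that would satisfy the denial,
# e.g. '/usr/bin/tor m,' for the denial quoted in the report.
suggest_rule() {
    path=$(audit_field "$1" name)
    mask=$(audit_field "$1" denied_mask)
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$path" "$mask"
}

# rule_grants FILE PATH MASK: return 0 when FILE has a plain
# "PATH perms," line whose perms include every letter of MASK.
# Only literal paths are handled, not globs or @{variables}.
rule_grants() {
    granted=$(sed -n "s|^[[:space:]]*$2[[:space:]]\{1,\}\([A-Za-z]*\),.*|\1|p" "$1")
    [ -n "$granted" ] || return 1
    rest=$3
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of the remaining mask
        rest=${rest#?}
        case $granted in *"$c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample: the denial from the report and the packaged rule.
DENIAL='May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000'
tmp=$(mktemp)
printf '  /usr/bin/tor r,\n' > "$tmp"        # the line as shipped
if rule_grants "$tmp" /usr/bin/tor "$(audit_field "$DENIAL" denied_mask)"; then
    echo "already granted"
else
    echo "missing in $tmp: $(suggest_rule "$DENIAL")"
fi
rm -f "$tmp"
```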
Trac:
Username: b