[tor-bugs] #22860 [Core Tor]: Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification
#22860: Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification
--------------------------+---------------------------------------------
Reporter: ccppuu | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor | Version:
Severity: Minor | Keywords: apparmor, obfsproxy, obfs4proxy
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------+---------------------------------------------
Moving the discussion from
https://trac.torproject.org/projects/tor/ticket/14014#comment:5 to avoid
recycling an old issue.
As reported by @alimj in #14014, on an Ubuntu 16.04 system with Tor 0.3.0.9
(git-100816d92ab5664d), the latest release at the time of writing,
AppArmor will block obfs4proxy from operating unless the
`/etc/apparmor.d/abstractions/tor` entries for the obfs4proxy binaries are
changed from `PUx` to `ix`.
[https://github.com/jlund/streisand Streisand] is currently carrying
[https://github.com/jlund/streisand/blob/5cab34a22892666eeba9411b810f9d039706ba56/playbooks/roles/tor-bridge/tasks/main.yml#L50:L66 a workaround patch]
that I would love to remove :-)
Frustratingly, while this fix works, I can't easily demonstrate that it is
required. I've increased the verbosity of the tor daemon to `debug` and
don't see any failure messages, but configuring a tor browser client
fails. I've also tried updating my `torrc` `ServerTransportPlugin` config
line to add `--enableLogging -logLevel=debug` to the obfs4 exec but it
doesn't seem to produce any logs indicating failure either, probably
because apparmor is preventing it from executing at all. I also don't see
any audit messages from the apparmor profile in dmesg or the systemd
journal. Changing the abstractions file entries to `ix` and running
`apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor`
is enough to fix the configured Tor browser client that fails without the
modification.
How can I help resolve this bug upstream? Is there someone more familiar
with AppArmor that could explain the intention of the `PUx` modifiers
present in the Debian package's abstractions file? I do not have much
experience debugging tor and would happily provide more information with
guidance.
Thanks! -- @cpu
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22860>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
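
The `PUx` to `ix` change described in this ticket, as an added example that is not part of the original report or of the Debian package: shell functions that decode the exec-transition mode of each rule and print the rules with the obfsproxy/obfs4proxy entries switched to `ix`. The sample rules and the function names are constructed for illustration; the mode meanings follow apparmor.d(5), where `PUx` transitions to the target's own profile with fallback to unconfined and `ix` inherits the current profile.

```shell
# Constructed sample of exec rules such as those in /etc/apparmor.d/abstractions/tor
# (illustrative input, not copied from the Debian package).
sample_rules() {
  cat <<'EOF'
  # pluggable transports launched by tor
  /usr/bin/obfsproxy PUx,
  /usr/bin/obfs4proxy PUx,
  /var/lib/tor/** rwk,
EOF
}

# Print "<path> <mode>: <meaning>" for each rule that carries an exec transition.
explain_exec_modes() {
  awk '
    function meaning(m,   s) {
      s = ""
      if (m ~ /^[Pp]/) s = "transition to the profile of the target binary"
      else if (m ~ /^[Cc]/) s = "transition to a child profile"
      if (m ~ /[Uu]x$/) s = s (s ? ", else " : "") "run unconfined"
      if (m ~ /ix$/) s = s (s ? ", else " : "") "inherit the calling profile"
      if (m ~ /^[PCU]/) s = s " (environment scrubbed)"
      return s
    }
    /^[ \t]*#/ { next }                      # skip comments and #include lines
    NF >= 2 {
      mode = $NF; sub(/,$/, "", mode)        # last field is the mode, minus the comma
      if (match(mode, /(PUx|pux|Pix|pix|CUx|cux|Cix|cix|Px|px|Cx|cx|Ux|ux|ix)$/)) {
        x = substr(mode, RSTART)
        printf "%s %s: %s\n", $(NF-1), x, meaning(x)
      }
    }'
}

# Emit the rules with the obfsproxy/obfs4proxy entries switched from PUx to ix.
# Writes to stdout only; the installed file is left untouched.
to_inherit() {
  sed -E 's#^([[:space:]]*/[^[:space:]]*obfs4?proxy[[:space:]]+)PUx,#\1ix,#'
}

# Run with --demo to print the decoded modes before and after the change.
if [ "${1:-}" = "--demo" ]; then
  sample_rules | explain_exec_modes
  sample_rules | to_inherit | explain_exec_modes
fi
```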