s7r wrote:
Hello,
I think it has something to do with our hardening configuration. On Debian Bullseye, I start my bridge with log info and I get:
[info] process_exec(): Starting new process: /usr/local/bin/obfs4proxy
[info] launch_managed_proxy(): Managed proxy at '/usr/local/bin/obfs4proxy' has spawned with PID '1856'.
When I start the bridge (using systemd/systemctl), there are no Tor processes or obfs4proxy processes running on the machine.
After it logs that info that it has spawned with another PID, I can find that PID in my system as DEFUNCT.
# ps aux | grep tor
debian-+ 1855 91.9 5.7 243532 230668 ? Rs 17:28 0:15 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
debian-+ 1856 5.2 0.0 0 0 ? Z 17:28 0:00 [tor] <defunct>
Wonder what is causing this. I am using the default install from deb.tp.o just with NoNewPrivileges=no to tor@default.service and tor@.service.
I also find it buggy that this is at info level.
Fixed it. This was due to incorrect apparmor settings.
The obfs4proxy process was being killed by apparmor:
audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0
kernel: audit: type=1400 audit(1630685584.124:19): apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" >
And this is because my obfs4proxy executable was installed in a different path than /usr/bin/obfs4proxy, which is in the "default" shipped apparmor settings for Tor.
All I had to do was to edit /etc/apparmor.d/abstractions/tor
and change from:
/usr/bin/obfs4proxy Pix,
to
/usr/local/bin/obfs4proxy Pix,
and
$ sudo service apparmor reload
And it worked. This extra step is in addition to setcap +ep obfs4proxy and NoNewPrivileges=no in /lib/systemd/system/tor@default.service and /lib/systemd/system/tor@.service, and it's only necessary if you install obfs4proxy (or another pluggable transport) in a different location than /usr/bin/$transport; otherwise it works normally.
Thanks for reading and sorry about the noise. Logged https://gitlab.torproject.org/tpo/core/tor/-/issues/40459 to improve the wiki and maybe escalate the log level for those two messages.
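As an added example (not from s7r's post or from the Tor project), a small POSIX shell check a bridge operator could run before restarting tor: it reads the exec path from each ServerTransportPlugin line in a torrc, tests whether the AppArmor abstraction has an exec rule for exactly that path, and pulls the denied paths out of audit lines like the one above. The sample torrc, abstraction files and the audit line are constructed inline for the demo (the audit line is copied from the post); the checker assumes literal paths in the abstraction file, not AppArmor globs.

```sh
#!/bin/sh
# Added example (not from the forum post). Checks two things a bridge operator
# would want after reading the thread:
#  1. which pluggable-transport binaries torrc tells tor to exec, and whether the
#     AppArmor abstraction has an exec rule for exactly that path;
#  2. which paths the system_tor profile has already refused to exec, from audit lines.
# File layouts and the sample inputs below are constructed for the demo.
set -e

# Print the exec path from each "ServerTransportPlugin <names> exec <path> [args]" line.
transport_paths() {  # $1 = torrc
  awk '$1 == "ServerTransportPlugin" { for (i = 2; i <= NF; i++) if ($i == "exec") { print $(i + 1); break } }' "$1"
}

# True if the abstraction file has a rule "<path> <mode>," whose mode grants exec (contains x).
apparmor_allows() {  # $1 = abstraction file, $2 = absolute path (literal, no globs)
  awk -v p="$2" '$1 == p && $2 ~ /x,$/ { found = 1 } END { exit !found }' "$1"
}

# Print "allowed: <path>" or "denied: <path>" per transport; return 1 if any would be denied.
check_transports() {  # $1 = torrc, $2 = abstraction file
  rc=0
  for p in $(transport_paths "$1"); do
    if apparmor_allows "$2" "$p"; then echo "allowed: $p"; else echo "denied: $p"; rc=1; fi
  done
  return $rc
}

# Extract the name= of exec denials for profile system_tor from audit/journal lines on stdin.
denied_execs() {
  grep 'apparmor="DENIED"' | grep 'operation="exec"' | grep 'profile="system_tor"' |
    sed -n 's/.*name="\([^"]*\)".*/\1/p' | sort -u
}

# --- constructed sample inputs -------------------------------------------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy\n' > "$tmp/torrc"
printf '  /usr/bin/obfs4proxy Pix,\n' > "$tmp/abstractions-tor"                # Debian default rule
printf '  /usr/local/bin/obfs4proxy Pix,\n' > "$tmp/abstractions-tor-fixed"    # after the edit in the post
AUDIT_LINE='audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0'

check_transports "$tmp/torrc" "$tmp/abstractions-tor" || echo "add a rule to /etc/apparmor.d/abstractions/tor and reload apparmor"
check_transports "$tmp/torrc" "$tmp/abstractions-tor-fixed"
echo "$AUDIT_LINE" | denied_execs
```

On a real host, point the two functions at /etc/tor/torrc and /etc/apparmor.d/abstractions/tor and feed denied_execs from journalctl -k or /var/log/audit/audit.log.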