[tor-bugs] #22860 [Core Tor]: Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jul 9 00:36:49 UTC 2017


#22860: Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification
--------------------------+---------------------------------------------
     Reporter:  ccppuu    |      Owner:
         Type:  defect    |     Status:  new
     Priority:  Medium    |  Milestone:
    Component:  Core Tor  |    Version:
     Severity:  Minor     |   Keywords:  apparmor, obfsproxy, obfs4proxy
Actual Points:            |  Parent ID:
       Points:            |   Reviewer:
      Sponsor:            |
--------------------------+---------------------------------------------
 Moving the discussion from
 https://trac.torproject.org/projects/tor/ticket/14014#comment:5 to avoid
 recycling an old issue.

 As reported by @alimj in #14014, on a Ubuntu 16.04 system with Tor 0.3.0.9
 (git-100816d92ab5664d), the latest release at the time of writing,
 AppArmor will block obfs4proxy from operating unless the
 `/etc/apparmor.d/abstractions/tor` entries for the obfs4proxy binaries are
 changed from `PUx` to `ix`.

 [https://github.com/jlund/streisand Streisand] is currently carrying
 [https://github.com/jlund/streisand/blob/5cab34a22892666eeba9411b810f9d039706ba56/playbooks/roles/tor-bridge/tasks/main.yml#L50:L66 a workaround patch]
 that I would love to remove :-)

 Frustratingly, while this fix works, I can't easily demonstrate that it is
 required. I've increased the verbosity of the tor daemon to `debug` and
 don't see any failure messages, but configuring a tor browser client
 fails. I've also tried updating my `torrc` `ServerTransportPlugin` config
 line to add `--enableLogging -logLevel=debug` to the obfs4 exec but it
 doesn't seem to produce any logs indicating failure either, probably
 because apparmor is preventing it from executing at all. I also don't see
 any audit messages from the apparmor profile in dmesg or the systemd
 journal. Changing the abstractions file entries to `ix` and running
 `apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor`
 is enough to fix the configured Tor browser client that fails without the
 modification.

 How can I help resolve this bug upstream? Is there someone more familiar
 with AppArmor that could explain the intention of the `PUx` modifiers
 present in the debian package's abstractions file? I do not have much
 experience debugging tor and would happily provide more information with
 guidance.

 Thanks! -- @cpu
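
An added example (not part of the ticket, nor code from Tor or Streisand): a POSIX shell snippet that reads the exec modifier an abstraction grants to a binary, applies the `PUx` to `ix` change described above, and counts AppArmor exec denials for that binary in audit text. The abstraction fragment, the binary paths and the audit line are constructed assumptions, not copied from the Debian package or a real journal.

```shell
#!/bin/sh
# Constructed fragment in the shape of /etc/apparmor.d/abstractions/tor entries
# (assumed paths; not copied from the Debian package). PUx = run the binary
# under its own profile if one exists, otherwise unconfined; ix = run it under
# the calling (tor) profile, which is the change the ticket describes.
SAMPLE_ABSTRACTION='
  /usr/bin/obfs4proxy PUx,
  /usr/local/bin/obfs4proxy PUx,
  /usr/bin/obfsproxy PUx,
'

# Constructed kernel audit line of the kind an exec denial would produce.
SAMPLE_AUDIT='audit: type=1400 audit(1499560000.123:42): apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/bin/obfs4proxy" pid=1234 comm="tor" requested_mask="x" denied_mask="x"'

# Print the exec modifier (PUx, Px, ix, ...) an abstraction grants to a path.
# $1 = abstraction text, $2 = binary path
exec_mode_for() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { sub(/,$/, "", $2); print $2 }'
}

# Rewrite the entry for one binary from PUx to ix, leaving other lines alone.
# $1 = abstraction text, $2 = binary path
rewrite_to_ix() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { sub(/[[:space:]]PUx,/, " ix,") } { print }'
}

# Count AppArmor exec denials for a path in audit/journal text (prints 0 if none).
# $1 = log text, $2 = binary path
count_exec_denials() {
    printf '%s\n' "$1" | grep -c "apparmor=\"DENIED\" operation=\"exec\" .*name=\"$2\"" || true
}

# Stand-alone run: show the modes before and after the change.
echo "before: $(exec_mode_for "$SAMPLE_ABSTRACTION" /usr/bin/obfs4proxy)"
FIXED=$(rewrite_to_ix "$SAMPLE_ABSTRACTION" /usr/bin/obfs4proxy)
echo "after:  $(exec_mode_for "$FIXED" /usr/bin/obfs4proxy)"
echo "denials for obfs4proxy in sample log: $(count_exec_denials "$SAMPLE_AUDIT" /usr/bin/obfs4proxy)"
```

On a real host the rewritten text would be written back to the abstractions file and followed by the `apparmor_parser -r` and `systemctl restart tor` steps the ticket already gives; `count_exec_denials` can be fed `dmesg` or `journalctl -k` output to check for the denials the reporter did not see.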

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22860>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online