[tor-bugs] #26202 [- Select a component]: Packaged apparmor settings break tor within LXD containers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 25 14:37:38 UTC 2018
#26202: Packaged apparmor settings break tor within LXD containers
--------------------------------------+------------------------------
Reporter: b | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version: Tor: 0.3.3.6
Severity: Normal | Keywords: lxc lxd apparmor
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+------------------------------
The packaged apparmor settings in the latest (0.3.3.6-1) .deb packages
provided via torproject.org will stop the tor service from starting up in
at least Xenial (16.04) and Bionic (18.04) containers on Ubuntu, using the
latest LXD snap.
The machine hosting the container will see this in its syslog/auditlog:
`May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000`
The fix is a simple one-character change in the
`/etc/apparmor.d/abstractions/tor` file installed by the tor package,
where the line `/usr/bin/tor r,` simply needs to change to `/usr/bin/tor mr,`.
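As an added illustration (not part of the ticket or of the tor package), a small Python triage helper that parses the DENIED audit line quoted above, pulls out the profile, path, namespace and denied_mask, and merges the missing mode letter into an existing abstraction rule, reproducing the `r,` to `mr,` change the reporter describes. The field regex, the mode-letter ordering and the `//`-in-namespace heuristic for recognising a container-scoped denial are assumptions of this example, not documented AppArmor behaviour.

```python
import re
from typing import Dict, Optional

# Constructed sample: the audit line from the ticket, joined onto one line.
SAMPLE_LOG = (
    'May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 '
    'audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" '
    'namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" '
    'profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" '
    'requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000'
)

# key="quoted value" or key=bareword pairs (assumed audit field layout)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Canonical order for simple file-mode letters so 'r' + 'm' renders as 'mr'
PERM_ORDER = "mrwakl"


def parse_apparmor_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def in_container_namespace(denial: Dict[str, str]) -> bool:
    """Heuristic (assumption): a '//' in namespace marks a child policy
    namespace, e.g. one LXD created for a container."""
    return "//" in denial.get("namespace", "")


def merge_rule(existing_rule: str, denial: Dict[str, str]) -> str:
    """Add the denied mode letters to an existing file rule for the same path,
    e.g. '/usr/bin/tor r,' + denied_mask 'm' -> '/usr/bin/tor mr,'."""
    path, perms = existing_rule.strip().rstrip(",").rsplit(None, 1)
    if path != denial.get("name"):
        raise ValueError(f"rule covers {path}, denial is for {denial.get('name')}")
    wanted = set(perms) | set(denial.get("denied_mask", ""))
    ordered = "".join(c for c in PERM_ORDER if c in wanted)
    ordered += "".join(sorted(wanted - set(PERM_ORDER)))  # keep unknown letters
    return f"{path} {ordered},"


if __name__ == "__main__":
    d = parse_apparmor_denial(SAMPLE_LOG)
    print(d["profile"], d["operation"], in_container_namespace(d))
    print(merge_rule("/usr/bin/tor r,", d))  # /usr/bin/tor mr,
```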
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26202>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online