GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened Jul 09, 2017 by Trac@tracbot

Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification

Moving the discussion from https://trac.torproject.org/projects/tor/ticket/14014#comment:5 to avoid recycling an old issue.

As reported by @alimj in #14014 (closed), on an Ubuntu 16.04 system with Tor 0.3.0.9 (git-100816d92ab5664d), the latest release at the time of writing, AppArmor will block obfs4proxy from operating unless the /etc/apparmor.d/abstractions/tor entries for the obfs4proxy binaries are changed from PUx to ix.

Streisand is currently carrying a workaround patch that I would love to remove :-)

Frustratingly, while this fix works, I can't easily demonstrate that it is required. I've increased the verbosity of the tor daemon to debug and don't see any failure messages, but configuring a tor browser client fails. I've also tried updating my torrc ServerTransportPlugin config line to add --enableLogging -logLevel=debug to the obfs4 exec but it doesn't seem to produce any logs indicating failure either, probably because apparmor is preventing it from executing at all. I also don't see any audit messages from the apparmor profile in dmesg or the systemd journal. Changing the abstractions file entries to ix and running apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor is enough to fix the configured Tor browser client that fails without the modification.

How can I help resolve this bug upstream? Is there someone more familiar with AppArmor that could explain the intention of the PUx modifiers present in the debian package's abstractions file? I do not have much experience debugging tor and would happily provide more information with guidance.

Thanks! -- @cpu

Trac:
Username: ccppuu
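
Added example, not part of the original ticket or of the tor package: a shell helper that lists the exec transition mode on each obfs4proxy rule in an AppArmor rules file such as /etc/apparmor.d/abstractions/tor, so the PUx-versus-ix state described above can be confirmed before and after the change. The function names and the sample rules are constructed for illustration, and the parser assumes the path is the first field of a rule and the permissions the second.

```shell
#!/bin/sh
# Added example: report the exec mode of obfs4proxy rules in an AppArmor file.

# Print "<path> <exec-mode> <meaning>" for every obfs4proxy exec rule.
# Reads the file named in $1, or stdin when no argument is given.
pt_exec_modes() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 ~ /obfs4proxy$/ && NF >= 2 {
            perms = $2; sub(/,$/, "", perms)    # drop the trailing comma
            # Keep only the exec qualifier, e.g. "ix" out of "mrix".
            if (!match(perms, /[PpCc]?[UuIi]?x$/)) next   # not an exec rule
            q = substr(perms, RSTART)
            lq = tolower(q)   # upper-case P/U additionally scrub the environment
            if      (lq == "ix")  what = "inherit-current-profile"
            else if (lq == "pux") what = "own-profile-else-unconfined"
            else if (lq == "pix") what = "own-profile-else-inherit"
            else if (lq == "px")  what = "own-profile-required"
            else if (lq == "ux")  what = "unconfined"
            else                  what = "other"
            print $1, q, what
        }' ${1:+"$1"}
}

# Count obfs4proxy exec rules that are not plain inheritance (ix).
pt_non_inherit_count() {
    pt_exec_modes "$@" |
        awk '$3 != "inherit-current-profile" { n++ } END { print n + 0 }'
}

# Constructed sample rules for illustration; not copied from the Debian package.
sample_rules() {
    cat <<'EOF'
  # pluggable transports
  /usr/bin/obfs4proxy PUx,
  /usr/local/bin/obfs4proxy ix,
  /usr/bin/obfs4proxy r,
EOF
}

sample_rules | pt_exec_modes
```

On a real system, pass the rules file as the argument, for example `pt_exec_modes /etc/apparmor.d/abstractions/tor`.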

Reference: legacy/trac#22860