AppArmor default config blocks Snowflake from running with system tor

(This isn't a problem with Snowflake itself so putting Core Tor as component.)

Steps to reproduce:

1. Copy paste snowflake-client inside /Browser/TorBrowser/Tor/PluggableTransports to /usr/bin.
2. Add UseBridges 1, ClientTransportPlugin snowflake exec /usr/bin/snowflake-client, as well as Bridge snowflake 0.0.3.0:1 2B280B23E1107BB62ABFC40DDCC8824814F80A72 to torrc.
3. sudo service tor restart
4. Looking at the task manager I don't see that snowflake is running as a process, this most likely means that it was blocked from launching due to the AppArmor profile distributed with Tor.

OS: Ubuntu 17.10. /etc/apt/sources.list has Tor Project repositories. Also Tor 0.3.2.x-alpha that was used when testing.

changed milestone to %Tor: unspecified

added component::core tor/tor milestone::Tor: unspecified parent::19409 priority::medium resolution::fixed severity::major snowflake status::closed type::defect labels

Trac:
Milestone: N/A to Tor: unspecified

Somewhat related: #23742 (moved)

This seems to be the error when trying to launch it:

ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

(Note: I had already added /usr/bin/snowflake ix, in the last line of /etc/apparmor.d/abstractions/tor)

Trac:
Summary: Snowflake can't be configured to run with system tor because of AppArmor to Snowflake can't be configured to run with system tor: ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

Replying to cypherpunks:

This seems to be the error when trying to launch it:

{{{ ENV-ERROR no TOR_PT_STATE_LOCATION environment variable }}}

There might be some other problem in your setup. That ENV-ERROR comes from pt.MakeStateDir. But snowflake-client doesn't call pt.MakeStateDir; only snowflake-server does. Are you use you copied the client to /usr/bin, and not the server? (Your comment:3 refers to /usr/bin/snowflake, but the ticket description refers to /usr/bin/snowflake-client.)

snowflake-server wants access to $TOR_PT_STATE_LOCATION because that's where it caches its TLS certificates and keys.

In any case, the problem is not that the executable was blocked from launching, because the error message comes from code inside the pluggable transport, not from tor.

There might be some other problem in your setup. That ENV-ERROR comes from ​pt.MakeStateDir. But snowflake-client doesn't call pt.MakeStateDir;

At least some point in the past it did, see: https://github.com/keroserene/snowflake/commit/12922a232ba63bd8d94c92ced32e23aa2fb055ed

Replying to dcf:

There might be some other problem in your setup. That ENV-ERROR comes from pt.MakeStateDir. But snowflake-client doesn't call pt.MakeStateDir; only snowflake-server does. Are you use you copied the client to /usr/bin, and not the server? (Your comment:3 refers to /usr/bin/snowflake, but the ticket description refers to /usr/bin/snowflake-client.) Yes (I copied snowflake-client from a Tor Browser alpha directory and renamed it to snowflake in my case).

cypherpunks, what version of Tor Browser did you copy snowflake-client from? And does Snowflake work inside Tor Browser (not with system tor)? I ask because I tried with tor-browser-linux64-7.5a4_en-US.tar.xz and I didn't get the ENV-ERROR from comment:3; rather I got the libatomic error from #24465 (moved)/#25087 (moved):

# /usr/bin/snowflake-client -h
/usr/bin/snowflake-client: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory

This is what I did:

• wget http://archive.ubuntu.com/ubuntu/dists/artful/main/installer-amd64/current/images/netboot/mini.iso
• qemu-img create -f qcow2 ubuntu.hda 5G
• kvm -cpu host -hda ubuntu.hda -cdrom mini.iso -k en-us -m 2G and install, halt
• kvm -cpu host -hda ubuntu.hda -k en-us -m 2G Inside the VM:
• sudo apt-get install tor
• wget https://archive.torproject.org/tor-package-archive/torbrowser/7.5a4/tor-browser-linux64-7.5a4_en-US.tar.xz
• tar xf tor-browser-linux64-7.5a4_en-US.tar.xz
• sudo cp tor-browser_en-US/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client /usr/bin
• sudo chmod +rx /usr/bin/snowflake-client
• Edit /etc/tor/torrc: {{{ UseBridges 1 ClientTransportPlugin snowflake exec /usr/bin/snowflake-client Bridge snowflake 0.0.3.0:1 }}}
• sudo service tor restart (Note I hadn't changed apparmor settings yet.) /var/log/syslog shows {{{ Cloud not launch managed proxy executable at '/usr/bin/snowflake-client' ('Permission denied'). }}}
• Add to /etc/apparmor.d/abstractions/tor: {{{ /usr/bin/snowflake-client ix, }}}
• sudo service apparmor restart
• sudo service tor restart Now I get the expected error: {{{ The communication stream of managed proxy '/usr/bin/snowflake-client' is 'closed'. Most probably the managed proxy stopped running. This might be a bug of the managed proxy, a bug of Tor, or a misconfiguration. Please enable logging on your managed proxy and check the logs for errors. }}}
• /usr/bin/snowflake-client -h {{{ /usr/bin/snowflake-client: error while loading shared libraries: libatomic.so.1: cannot open shared object file: No such file or directory }}}

Trac:
Status: new to needs_information

Thanks dcf that was so helpful!

what version of Tor Browser did you copy snowflake-client from?

Since this was 3 months ago I guess I had copied it from a Tor Browser 7.5a8.

And does Snowflake work inside Tor Browser (not with system tor)?

Yes.

I already have the libatomic1 package installed so that's not the problem. After retrying the steps you followed, I figured out that the missing step was to do,

sudo chmod +rx /usr/bin/snowflake-client

After that system Tor correctly bootstraps and works fine and I can see snowflake in the task manager!!!

However when I launch ./snowflake-client from the command line I do get the error,

ENV-ERROR no TOR_PT_STATE_LOCATION environment variable

So I had assumed that this may have been the error.

In any case, the /etc/apparmor.d/abstractions/tor changes for snowflake are necessary and should be added when #19409 (moved) is ready.

Trac:
Summary: Snowflake can't be configured to run with system tor: ENV-ERROR no TOR_PT_STATE_LOCATION environment variable to AppArmor default config blocks Snowflake from running with system tor
Status: needs_information to new

Trac:
Parent: N/A to #19409 (moved)

However when I launch ./snowflake-client from the command line I do get the error,

{{{ ENV-ERROR no TOR_PT_STATE_LOCATION environment variable }}}

As mentioned [comment:6 above], we're currently pegged at 9f2e9a6ecb696149708716ca06ce842df03cf492,

https://gitweb.torproject.org/builders/tor-browser-build.git/tree/projects/snowflake/config#n4

which wants to create the log file in the state dir, https://github.com/keroserene/snowflake/blob/9f2e9a6ecb696149708716ca06ce842df03cf492/client/snowflake.go#L125-L133

This will continue to be a problem until we bump the version.

This will continue to be a problem until we bump the version.

Should be resolved by #25449 (moved)

Trac:
Status: new to closed
Resolution: N/A to fixed

Aren't the /etc/apparmor.d/abstractions/tor changes still needed?

Yes, but I assumed that was part of #19409 (moved)

closed

moved to tpo/core/tor#24203 (closed)