Packaged apparmor settings break tor within LXD containers

The packaged apparmor settings in the latest (0.3.3.6-1) .deb packages provided via torproject.org will stop the tor service from starting up in at least Xenial (16.04) and Bionic (18.04) containers on Ubuntu, using the latest LXD snap.

The machine hosting the container (not the container itself, since the AppArmor namespace is enforced by the host kernel) will see this in its syslog/audit log:

May 25 14:16:01 localhost kernel: [84735.795087] audit: type=1400 audit(1527257761.902:653): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-juju-ef908d-1_<var-snap-lxd-common-lxd>" profile="system_tor" name="/usr/bin/tor" pid=18256 comm="tor" requested_mask="m" denied_mask="m" fsuid=1000000 ouid=1000000

The fix is a simple one-character change in the /etc/apparmor.d/abstractions/tor file installed by the tor package: the line /usr/bin/tor r, simply needs to change to /usr/bin/tor mr,. The added m is the AppArmor permission that allows the file to be mapped executable, which is exactly the requested_mask="m" the denied file_mmap operation above is asking for.
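The following shell snippet is an added example, not code from the bug report or the tor package. It works on a constructed copy of the abstraction (only the /usr/bin/tor rule is the real one from the report; the other line is illustrative), detects whether the rule still grants only r, applies the mr, fix idempotently, and pulls the profile and denied_mask out of an audit line so the denial can be matched against the rule being changed. Paths and the reload command in the note are the standard AppArmor ones; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: detect and apply the "r," -> "mr," fix for /usr/bin/tor
# in the tor AppArmor abstraction, and summarise an audit denial line.

# Constructed sample of /etc/apparmor.d/abstractions/tor. The /usr/bin/tor
# rule is the one the report describes; the second rule is illustrative only.
write_sample_abstraction() {
  cat > "$1" <<'EOF'
# vim:syntax=apparmor
  /usr/bin/tor r,
  /usr/share/tor/** r,
EOF
}

# Return 0 if the abstraction still grants only "r" on /usr/bin/tor,
# i.e. the mmap denial from the report would still occur.
needs_mmap_fix() {
  grep -Eq '^[[:space:]]*/usr/bin/tor[[:space:]]+r,' "$1"
}

# Add the "m" (executable mmap) permission in place. Safe to run twice:
# a line already reading "mr," is not touched.
apply_mmap_fix() {
  sed -i -E 's#^([[:space:]]*/usr/bin/tor[[:space:]]+)r,#\1mr,#' "$1"
}

# Given one audit line, print "<profile> <denied_mask>" so the denial can be
# compared with the rule being edited (profile system_tor, mask m here).
denied_summary() {
  printf '%s\n' "$1" |
    sed -nE 's/.*profile="([^"]*)".*denied_mask="([^"]*)".*/\1 \2/p'
}

# Stand-alone demonstration on a temporary copy of the abstraction.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_abstraction "$tmp"
  needs_mmap_fix "$tmp" && echo "before: /usr/bin/tor only has r"
  apply_mmap_fix "$tmp"
  needs_mmap_fix "$tmp" || echo "after: /usr/bin/tor now has mr"
  grep -n '/usr/bin/tor' "$tmp"
  rm -f "$tmp"
fi
```

After editing the real file, reload the profile that includes the abstraction with `apparmor_parser -r /etc/apparmor.d/system_tor` and restart tor; the host's audit log should then stop emitting the file_mmap denial for the container's namespace.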

Trac:
Username: b
