Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification
Moving the discussion from https://trac.torproject.org/projects/tor/ticket/14014#comment:5 to avoid recycling an old issue.
As reported by @alimj in legacy/trac#14014 (closed), on an Ubuntu 16.04 system with Tor 0.3.0.9 (git-100816d92ab5664d), the latest release at the time of writing, AppArmor will block obfs4proxy from operating unless the /etc/apparmor.d/abstractions/tor entries for the obfs4proxy binaries are changed from PUx to ix.
Streisand is currently carrying a workaround patch that I would love to remove :-)
Frustratingly, while this fix works, I can't easily demonstrate that it is required. I've increased the verbosity of the tor daemon to debug and don't see any failure messages, but configuring a tor browser client fails. I've also tried updating my torrc ServerTransportPlugin config line to add --enableLogging -logLevel=debug to the obfs4 exec but it doesn't seem to produce any logs indicating failure either, probably because apparmor is preventing it from executing at all. I also don't see any audit messages from the apparmor profile in dmesg or the systemd journal. Changing the abstractions file entries to ix and running apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor is enough to fix the configured Tor browser client that fails without the modification.
How can I help resolve this bug upstream? Is there someone more familiar with AppArmor that could explain the intention of the PUx modifiers present in the Debian package's abstractions file? I do not have much experience debugging tor and would happily provide more information with guidance.
Thanks! -- @cpu
Trac:
Username: ccppuu
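As an added example that is not part of the original report, this script lists the exec rules for pluggable-transport binaries in an AppArmor abstraction file and annotates each exec qualifier with its meaning from apparmor.d(5), which shows what changing PUx to ix alters. The helper names, the sample file contents and the binary paths in it are constructed assumptions, not the Debian package's actual file.

```shell
#!/bin/sh
# Added example (not from the original report). Lists exec rules for
# pluggable-transport binaries in an AppArmor abstraction file and says
# what each exec qualifier does on execve().

# explain_mode MODE: meaning of the qualifier, per apparmor.d(5).
explain_mode() {
    case "$1" in
        ix)  echo "inherit: child stays confined by the calling profile" ;;
        Px)  echo "child's own profile, env scrubbed; exec fails if none is loaded" ;;
        Ux)  echo "unconfined, env scrubbed" ;;
        Pix) echo "child's own profile if loaded, else inherit; env scrubbed" ;;
        PUx) echo "child's own profile if loaded, else unconfined; env scrubbed" ;;
        *)   echo "other exec mode, see apparmor.d(5)" ;;
    esac
}

# exec_modes FILE [REGEX]: print "path mode" for each exec rule whose
# path matches REGEX (default: obfs). Comments are stripped first.
exec_modes() {
    sed 's/#.*//' "$1" | awk -v pat="${2:-obfs}" '
        NF >= 2 && $1 ~ pat {
            mode = $2; sub(/,$/, "", mode)
            if (mode ~ /x$/) print $1, mode
        }'
}

# report FILE: one annotated line per matching rule.
report() {
    exec_modes "$1" | while read -r path mode; do
        printf '%s %s -> %s\n' "$path" "$mode" "$(explain_mode "$mode")"
    done
}

# Constructed sample; paths and surrounding rules are assumptions.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  /usr/bin/tor r,
  # pluggable transports
  /usr/bin/obfsproxy PUx,
  /usr/bin/obfs4proxy PUx,
EOF
report "$sample"
# After editing the real file, reload as in the report:
#   apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor
```

With ix the transport stays confined by the rules of the calling tor profile, so that profile must also allow whatever the transport binary itself needs.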