Issue created Jul 09, 2017 by Trac@tracbot

Ubuntu 16.04 apparmor policy blocks obfs4proxy without modification

Moving the discussion from https://trac.torproject.org/projects/tor/ticket/14014#comment:5 to avoid recycling an old issue.

As reported by @alimj in legacy/trac#14014 (closed), on an Ubuntu 16.04 system with Tor 0.3.0.9 (git-100816d92ab5664d), the latest release at the time of writing, AppArmor will block obfs4proxy from operating unless the /etc/apparmor.d/abstractions/tor entries for the obfs4proxy binaries are changed from PUx to ix.

Streisand is currently carrying a workaround patch that I would love to remove :-)

Frustratingly, while this fix works, I can't easily demonstrate that it is required. I've increased the verbosity of the tor daemon to debug and don't see any failure messages, but configuring a tor browser client fails. I've also tried updating my torrc ServerTransportPlugin config line to add --enableLogging -logLevel=debug to the obfs4 exec, but it doesn't seem to produce any logs indicating failure either, probably because apparmor is preventing it from executing at all. I also don't see any audit messages from the apparmor profile in dmesg or the systemd journal. Changing the abstractions file entries to ix and running apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor is enough to fix the configured Tor browser client that fails without the modification.

How can I help resolve this bug upstream? Is there someone more familiar with AppArmor that could explain the intention of the PUx modifiers present in the Debian package's abstractions file? I do not have much experience debugging tor and would happily provide more information with guidance.

Thanks! -- @cpu

Trac:
Username: ccppuu
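
Added example, not part of the original issue and not code from the Tor or Debian packaging: a shell helper that lists the exec rules for obfs4proxy in an AppArmor abstraction file and states what each mode means per apparmor.d(5), so the PUx and ix variants discussed above can be compared. The function names are hypothetical, and the sample rule, including the /usr/bin/obfs4proxy path, is constructed.

```shell
#!/bin/sh
# Added example. Sample rules are constructed, not the packaged file.

# Print "path mode" for each rule whose path mentions obfs4proxy.
obfs4_exec_rules() {
    # $1: abstraction file. Drop comments and the rule's trailing comma.
    sed -e 's/#.*//' -e 's/,[[:space:]]*$//' "$1" |
        awk '$1 ~ /obfs4proxy/ && NF >= 2 { print $1, $NF }'
}

# Meaning of an exec mode, per apparmor.d(5). Compound modes first,
# because "PUx" also contains "Ux" and "Pix" also contains "ix".
describe_exec_mode() {
    case "$1" in
        *PUx*) echo "own profile if loaded, else unconfined; env scrubbed" ;;
        *Pix*) echo "own profile if loaded, else inherit; env scrubbed" ;;
        *Px*)  echo "own profile required; env scrubbed" ;;
        *Ux*)  echo "unconfined; env scrubbed" ;;
        *ix*)  echo "inherit: child stays under the caller's profile" ;;
        *)     echo "no exec transition recognised by this helper" ;;
    esac
}

# One line per obfs4proxy rule: path, mode, and what the mode does.
audit_abstraction() {
    obfs4_exec_rules "$1" | while read -r path mode; do
        printf '%s [%s]: %s\n' "$path" "$mode" "$(describe_exec_mode "$mode")"
    done
}

# Demo on constructed input: the rule before and after the edit
# described in the issue (PUx changed to ix).
demo=$(mktemp)
printf '%s\n' '  # constructed sample' '  /usr/bin/obfs4proxy PUx,' > "$demo"
audit_abstraction "$demo"
printf '%s\n' '  /usr/bin/obfs4proxy ix,' > "$demo"
audit_abstraction "$demo"
rm -f "$demo"

# On a real host, point audit_abstraction at /etc/apparmor.d/abstractions/tor;
# after editing, reload as in the issue:
#   apparmor_parser -r /etc/apparmor.d/system_tor && systemctl restart tor
```

With ix the transport stays confined by the profile that includes the abstraction, whereas PUx leaves it unconfined whenever no separate obfs4proxy profile is loaded.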
