[tor-bugs] #18370 [Tor]: Apparmor prevents last tor build from starting
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 15 05:37:10 UTC 2016
#18370: Apparmor prevents last tor build from starting
------------------------------------+------------------------------------
Reporter: Ricky_Martin | Owner:
Type: defect | Status: needs_information
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version: Tor: 0.2.8.1-alpha
Severity: Normal | Resolution:
Keywords: must-fix-before-028-rc | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------+------------------------------------
Changes (by sysrqb):
* status: new => needs_information
Comment:
Replying to [comment:9 Ricky_Martin]:
> Was able to fix the issue by adding
> {{{owner /var/lib/tor/ r,}}} in /etc/apparmor.d/system_tor
> A possible reason could be that tor now checks the directory read permission
> before writing to the directory directly. And this prevents tor from starting
> with the current apparmor profile in the tor package.
Interesting. Apparently this is now a problem because we changed from
directly stat()ing the directory to open()ing it [R1]. So, I think it may
be necessary to explicitly allow reading /var/lib/tor/. I thought lunar
may be correct about the uid, but we do drop privs before we start playing
with the data dir.
So, if I may make a suggestion, there are (at least) two choices for
changing the system_tor profile.
1)
{{{
- owner /var/lib/tor/** rwk,
+ owner /var/lib/tor/{,**} rwk,
}}}
2) (as suggested by Ricky_Martin)
{{{
owner /var/lib/tor/** rwk,
+ owner /var/lib/tor/ r,
}}}
These should both provide the needed access, but the first one also allows
the writing and locking privs for the directory, so tor could delete and
lock the directory, too. Maybe that's not wanted, so 2 is better.
[R1] f48c607fd970aedaf0180a0a23b04eb5101abca0
> After the fix tor starts without any problem, but I have a warning:
> apparmor="DENIED" operation="open" profile="system_tor" name="/run/tor/"
> pid=45755 comm="tor" requested_mask="r" denied_mask="r"
> I tried adding {{{/{,var/}run/tor/ r,}}} or {{{/run/tor/ r,}}} to the
> /etc/apparmor.d/system_tor file, but the warning remains.
Ricky_Martin, does tor's logfile show any warning message for this?
Usually /run/tor/ is only used for tor's pidfile and a unix control socket
and friends. I don't see where we open the /run/tor/ directory, we always
open the full filepath directly and emit a warning log message on failure.
In general, /run/tor/ is created by the init script, so it's safe-ish for
tor to blindly assume it exists. Do you have any non-standard config
options in the torrc that use /run/tor?
> Will be great if package will be updated with fix.
Thanks for reporting this, but please be patient with us next time and
please answer our stupid questions. We try to avoid jumping to conclusions
about the cause of a problem and sometimes bugs like this are a user-error
rather than programming, and sometimes the answers give us a hint even if
the information seems irrelevant.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18370#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
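Added example, not from the ticket or the tor package: a small model of apparmor.d(5) path globbing that shows why the shipped `owner /var/lib/tor/** rwk,` rule covers files under the data directory but not the directory path `/var/lib/tor/` that tor now open()s, and why either `{,**}` or an extra `/var/lib/tor/ r,` rule closes the gap. It assumes the parser's rule that a `*` or `**` beginning a path element must match at least one character; the paths checked are constructed for the demo.

```python
import re

def aare_to_regex(glob: str) -> str:
    """Translate a subset of AppArmor path globs to a Python regex.

    Modelled (assumed) rules: '*' matches any run of chars except '/',
    '**' matches any run including '/', '?' one non-'/' char, '{a,b}' is
    alternation. A '*' or '**' that starts a path element (follows '/' or
    begins the glob) must match at least one character, which is exactly
    why '/dir/**' does not match '/dir/' itself.
    """
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        element_start = i == 0 or glob[i - 1] == '/'
        if c == '*':
            double = glob[i + 1:i + 2] == '*'
            if element_start:
                out.append('[^/]')          # at least one char required here
            out.append('.*' if double else '[^/]*')
            i += 2 if double else 1
            continue
        if c == '?':
            out.append('[^/]')
        elif c == '{':
            depth += 1
            out.append('(?:')
        elif c == ',' and depth:
            out.append('|')
        elif c == '}' and depth:
            depth -= 1
            out.append(')')
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)

def matches(glob: str, path: str) -> bool:
    return re.fullmatch(aare_to_regex(glob), path) is not None

# Path patterns of the three rules discussed in the ticket (modes omitted).
RULES = {
    "shipped": "/var/lib/tor/**",      # files and dirs below the data dir only
    "option1": "/var/lib/tor/{,**}",   # the data dir itself plus everything below
    "option2": "/var/lib/tor/",        # Ricky_Martin's extra read-only rule
}
# Constructed sample paths: the directory tor now open()s, plus two files.
PATHS = ["/var/lib/tor/", "/var/lib/tor/state", "/var/lib/tor/keys/secret_id_key"]

def coverage() -> dict:
    """Which sample paths each rule pattern would match."""
    return {name: [p for p in PATHS if matches(g, p)] for name, g in RULES.items()}
```

Running `coverage()` shows the shipped pattern misses `/var/lib/tor/`, option 1 matches all three paths (with rwk on the directory, as sysrqb notes), and option 2 adds only the directory.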