tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined" name="system_tor"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Invalid | Undecided | Unassigned |
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Fix Released | Undecided | Unassigned |
tor (Ubuntu) | Invalid | Undecided | Unassigned |
Xenial | Invalid | Undecided | Unassigned |
Yakkety | Invalid | Undecided | Unassigned |
Bug Description
Environment:
----------------
Distribution: ubuntu
Distribution version: 16.10
lxc info:
apistatus: stable
apiversion: "1.0"
auth: trusted
environment:
addresses:
architectures: x86_64, i686
driver: lxc
kernel: Linux
server: lxd
serverpid: 32694
storage: btrfs
config:
Container: ubuntu 16.10
Issue description
------------------
tor can't start in a non-privileged container
Logs from the container:
-------
Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
Dec 7 15:03:00 anonymous systemd[303]: <email address hidden>: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Main process exited, code=exited, status=231/APPARMOR
Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Unit entered failed state.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Failed with result 'exit-code'.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Service hold-off time over, scheduling restart.
Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: <email address hidden>: Failed to reset devices.list: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /<email address hidden>: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /<email address hidden>: Operation not permitted]
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /<email address hidden>: Operation not permitted
Logs from the host
-------
audit: type=1400 audit(148111937
pid=12164 comm="(tor)"
Steps to reproduce
-------
Install an Ubuntu 16.10 container on an Ubuntu 16.10 host
Install tor in the container
Launch tor
no longer affects: tor (Ubuntu)
Changed in linux (Ubuntu Yakkety): status: New → Fix Committed
Changed in linux (Ubuntu Xenial): status: New → Fix Committed
Changed in linux (Ubuntu Xenial): status: Triaged → Fix Committed
Changed in apparmor (Ubuntu): status: Confirmed → Invalid
no longer affects: apparmor (Ubuntu Xenial)
no longer affects: apparmor (Ubuntu Yakkety)
Using lxc launch images:ubuntu/yakkety torcontainer to create the container, then installing tor into the container and starting it, I can replicate the error. However, this is due to the container not having apparmor installed. The container is not booting with apparmor or loading the tor profile.
Once apparmor is installed the container reports a different error.
[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"
Which upon investigation is an error in the change_profile check around seccomp no_new_privs when policy is stacked.
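As an added triage example (not code from the bug report or from any of the projects involved), the following parses host-side AppArmor audit records like the one quoted above and flags the signature described in the comment: a change_onexec denial with info="no new privs" while the task is still "unconfined" inside a container namespace, i.e. stacked policy. The sample lines are constructed, and the "root//lxd-NAME_<var-lib-lxd>" namespace layout and the classification labels are assumptions drawn only from the records shown here.

```python
import re

# key=value fields of an AppArmor audit record: quoted ("change_onexec") or bare (-1).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample input: line 1 is the host record from the comment above with
# its whitespace repaired; line 2 is an invented file-access denial (negative case).
SAMPLE_LINES = [
    'audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" '
    'operation="change_onexec" info="no new privs" error=-1 '
    'namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" '
    'name="system_tor" pid=18593 comm="(tor)" target="system_tor"',
    'audit: type=1400 audit(1481284520.001:2810): apparmor="DENIED" '
    'operation="open" namespace="root//lxd-tor_<var-lib-lxd>" '
    'profile="system_tor" name="/var/log/syslog" pid=18600 comm="tor" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

def parse_apparmor_audit(line):
    """Split one type=1400 audit line into a dict of its key=value fields."""
    return {k: q or b for k, q, b in _FIELD.findall(line)}

def container_from_namespace(ns):
    """Recover the LXD container name from a stacked namespace such as
    root//lxd-tor_<var-lib-lxd> (assumed layout, as seen in this bug's logs)."""
    m = re.search(r'//lxd-(.+?)_<', ns)
    return m.group(1) if m else None

def classify(fields):
    """Label a denial; the first branch is the signature reported in this bug:
    change_onexec refused with 'no new privs' while still unconfined in a container."""
    if fields.get("apparmor") != "DENIED":
        return None
    if (fields.get("operation") == "change_onexec"
            and fields.get("info") == "no new privs"
            and fields.get("profile") == "unconfined"
            and "//" in fields.get("namespace", "")):
        return "stacked_no_new_privs"
    return fields.get("operation", "unknown") + "_denied"

def triage(lines):
    """Return (container, label, target or path) for every denial in lines."""
    rows = []
    for f in map(parse_apparmor_audit, lines):
        label = classify(f)
        if label:
            rows.append((container_from_namespace(f.get("namespace", "")),
                         label, f.get("target") or f.get("name")))
    return rows
```

Running triage(SAMPLE_LINES) yields one stacked_no_new_privs hit for container "tor" (target system_tor) and one ordinary open_denied row, so the kernel-bug signature is separated from routine profile denials in the same container.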