Tor cannot start `obfs4proxy` ('Operation not permitted')

Bug #1568435 reported by postadelmaga on 2016-04-10
This bug affects 14 people

Affects        Status         Importance   Assigned to   Milestone
tor (Debian)   Fix Released   Unknown
tor (Ubuntu)                  Medium       Unassigned

Bug Description

After upgrading to 16.04 tor does not start as a service anymore. I have checked `/var/log/tor/log` and it says:

Apr 10 10:11:34.000 [notice] Signaled readiness to systemd
Apr 10 10:11:35.000 [warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('Operation not permitted').

If I stop the tor service and start tor with my user, everything works fine, so it looks like something related to apparmor.

** UPDATE: **
Syslog reports the following entries:

kernel: [18790.510656] audit: type=1400 audit(1460698172.043:76): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=12285 comm="(tor)"

kernel: [18791.184460] audit: type=1400 audit(1460698172.715:77): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=12301 comm="(tor)"

kernel: [18791.697212] audit: type=1400 audit(1460698173.231:78): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=12315 comm="(tor)"

kernel: [18792.402319] audit: type=1400 audit(1460698173.935:79): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=12330 comm="(tor)"

kernel: [18792.940413] audit: type=1400 audit(1460698174.471:80): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=12346 comm="(tor)"

kernel: [18868.825379] audit: type=1400 audit(1460698250.359:151): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="system_tor" name="/usr/bin/obfs4proxy" pid=12760 comm="tor" requested_mask="x" denied_mask="x" fsuid=123 ouid=0 target="unconfined"

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: tor 0.2.7.6-1ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-17.33-generic 4.4.6
Uname: Linux 4.4.0-17-generic x86_64
ApportVersion: 2.20.1-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Apr 10 10:19:11 2016
InstallationDate: Installed on 2015-12-22 (109 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: tor
UpgradeStatus: Upgraded to xenial on 2016-04-07 (2 days ago)
modified.conffile..etc.init.d.tor: [modified]
modified.conffile..etc.tor.torrc: [modified]
mtime.conffile..etc.init.d.tor: 2016-04-10T10:09:51.334803
mtime.conffile..etc.tor.torrc: 2016-04-09T18:15:10.502760

postadelmaga (postadelmaga) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
Steve Beattie (sbeattie) wrote :

Can you report any apparmor rejections in syslog?

  grep DENIED /var/log/syslog

This will help anybody tracking down what's going wrong here. Thanks.

tags: added: apparmor
postadelmaga (postadelmaga) wrote :

I have added the required info into the bug description (see the 'UPDATE' section above).

description: updated
description: updated
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in tor (Ubuntu):
status: New → Confirmed
Changed in tor (Ubuntu):
importance: Undecided → Medium
Ali Mirjamali (alimirjamali) wrote :

Solution is to use the latest updated apparmor profile for tor (/etc/apparmor.d/system_tor):
https://gitweb.torproject.org/debian/tor.git/tree/debian/tor.apparmor-profile

And in the Abstraction file (/etc/apparmor.d/abstraction/tor)
https://gitweb.torproject.org/debian/tor.git/tree/debian/tor.apparmor-profile.abstraction
Line 27 should be modified from:
  /usr/bin/obfs4proxy PUx,
to
  /usr/bin/obfs4proxy ix,

I opened a ticket on Torproject to address this:
https://trac.torproject.org/projects/tor/ticket/14014#comment:5

postadelmaga (postadelmaga) wrote :

I confirm the suggested changes fix the issue for me.

Note:
The second path is wrong; the correct path is /etc/apparmor.d/abstractions/tor (the final `s` in `abstractions` is missing).

seanlano (seanlano) wrote :

I am also affected by this, and I can confirm that making the change in #6 (https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1568435/comments/6) fixes it (on Ubuntu 16.04).

Mark (guch9ux9ch) wrote :

I think I am also affected by this.

In a live Ubuntu 16.04 (and 16.04.1) session I cannot get the tor service running due to some apparmor restrictions (see dmesg logs someone else posted).
The updated apparmor profiles did not really fix my situation...

I think this should be upgraded to a defect, because right now tor is not usable on an Ubuntu 16.04 live OS (I haven't tested it on a full installation yet).

seanlano (seanlano) wrote :

I think the problem is the 'P' flag - according to the reference (http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Execute_rules) this causes environment scrubbing, which obfs4proxy needs in order to communicate with Tor.
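As an added example (not code from this thread or from the tor package), the POSIX shell below triages the two kinds of AppArmor denials quoted in the report and checks which exec mode the tor abstraction rule grants obfs4proxy, flagging a transition rule such as PUx versus the ix fix suggested above. The sample log lines and rule lines are constructed copies embedded inline, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: triage AppArmor denials for tor
# and inspect the obfs4proxy exec rule in /etc/apparmor.d/abstractions/tor.

# Constructed sample: two audit lines of the shape quoted in the report.
SAMPLE_LOG='kernel: audit: type=1400 apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=12285 comm="(tor)"
kernel: audit: type=1400 apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="system_tor" name="/usr/bin/obfs4proxy" pid=12760 comm="tor" requested_mask="x" denied_mask="x" fsuid=123 ouid=0 target="unconfined"'

# Constructed sample rules: the abstraction line before and after the fix.
SAMPLE_RULE_BAD='  /usr/bin/obfs4proxy PUx,'
SAMPLE_RULE_GOOD='  /usr/bin/obfs4proxy ix,'

# One line per DENIED event: "<operation> <info> <name>".
summarize_denials() {
  printf '%s\n' "$1" | grep 'apparmor="DENIED"' | sed -n \
    's/.*operation="\([^"]*\)".*info="\([^"]*\)".*name="\([^"]*\)".*/\1 \2 \3/p'
}

# Exec mode a profile rule grants to a path, e.g. "PUx" or "ix".
# $1 = rule text (file contents), $2 = absolute path of the binary
exec_mode_for() {
  printf '%s\n' "$1" | sed -n \
    "s|^[[:space:]]*$2[[:space:]]\{1,\}\([A-Za-z]*x\),.*|\1|p"
}

# Per the AppArmor policy reference linked above, "ix" inherits the current
# profile; P/U/C modes request a transition to another label, which is the
# step the denials above show failing. Returns 0 when the child stays confined
# under the caller's profile.
stays_in_profile() {
  case "$1" in
    ix|rix|mix|rmix) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage over the constructed samples.
summarize_denials "$SAMPLE_LOG"
mode=$(exec_mode_for "$SAMPLE_RULE_BAD" /usr/bin/obfs4proxy)
if stays_in_profile "$mode"; then
  echo "obfs4proxy stays inside system_tor (mode $mode)"
else
  echo "obfs4proxy rule uses '$mode' (profile transition); the fix uses ix"
fi
```

On a real system, replace the samples with `grep DENIED /var/log/syslog` output and `cat /etc/apparmor.d/abstractions/tor`, then reload with `apparmor_parser -r` as described later in the thread.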

seanlano (seanlano) wrote :

@guch9ux9ch, you'll need to reload the apparmor profile once you make the change. You can do this with:
  sudo apparmor_parser -r /etc/apparmor.d/system_tor
Or you can reboot - but on a LiveCD this will overwrite the change.

Mark (guch9ux9ch) wrote :

@seanlano:
Thanks, reloading the apparmor profile works!

I do something like this now:

sudo cp system_tor /etc/apparmor.d/system_tor
sudo cp tor /etc/apparmor.d/abstractions/tor

sudo apparmor_parser -r /etc/apparmor.d/system_tor

sudo apt-get install tor

It's a fine workaround.

I wonder what we have to do to fix this within Ubuntu itself?

On Mon, 01 Aug 2016, Mark wrote:

> I do something like this now:
>
>
> sudo cp system_tor /etc/apparmor.d/system_tor
> sudo cp tor /etc/apparmor.d/abstractions/tor
>
> sudo apparmor_parser -r /etc/apparmor.d/system_tor
>
> sudo apt-get install tor
>
> It's a fine workaround.
>
>
> I wonder what we have to do to fix this within Ubuntu itself?

I wonder if we're running into #822349 - https://bugs.debian.org/822349

Are there any apparmor policies loaded other than Tor?

--
Peter Palfrader | https://www.palfrader.org/ | Debian - The universal Operating System - https://www.debian.org/

seanlano (seanlano) wrote :

A fix would just have to be changing the apparmor profile that comes with the tor package in Ubuntu.
I don't know how to do that, but I guess it would involve submitting a patch or something. I'll try to figure it out. It's such an easy fix; we just need someone to put it into the repository.

Mark (guch9ux9ch) wrote :

Sounds great!
Have you already made progress by any chance?
I am eagerly waiting for a fix! :)

Mark (guch9ux9ch) wrote :

Update:

The same issue exists with Ubuntu 14.04.5 and Ubuntu 15.10 when installing tor from the "universe" repo.

Partial install log from Ubuntu 15.10
[...]
Setting up tor (0.2.6.10-1ubuntu2) ...
Something or somebody made /var/lib/tor disappear.
Creating one for you again.
Something or somebody made /var/log/tor disappear.
Creating one for you again.
invoke-rc.d: policy-rc.d denied execution of start.
Setting up torsocks (2.1.0-1) ...
Setting up tor-geoipdb (0.2.6.10-1ubuntu2) ...
Processing triggers for systemd (225-1ubuntu9.1) ...
Processing triggers for libc-bin (2.21-0ubuntu4.3) ...

I have not tested it with the official deb.torproject.org repo on Ub1404/Ub15.10

I am surprised not more people are reporting this issue... At least for me tor is not installable without tinkering...

Changed in tor (Debian):
status: Unknown → Fix Released
Simon Déziel (sdeziel) wrote :

Should be fixed by the recent SRU for Xenial (0.2.9.14-1ubuntu1~16.04.1) and Artful (0.3.0.13-0ubuntu1~17.10.1).

Changed in tor (Ubuntu):
status: Confirmed → New
status: New → Fix Committed
status: Fix Committed → Fix Released