onion-grater fails to start - no permission to /proc/cmdline

whonyx · February 19, 2024, 12:41am

When I try to start onion-grater service, it fails. This is probably after Whonix-Gateway upgrade.

sudo systemctl start onion-grater
sudo systemctl status onion-grater.service

• onion-grater.service - Tor control port filter proxy
     Loaded: loaded (/lib/systemd/system/onion-grater.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/onion-grater.service.d
             ˪ 30_cpfpy.conf
     Active: activating (auto-restart) (Result: exit-code) since ...
    Process: 644825 ExecStartPre=/usr/lib/onion-grater-merger (code=exited, status=0/SUCCESS)
    Process: 644826 ExecStart=/usr/lib/onion-grater --listen-interface eth1 --listen-port 9051 (code=exited, status=1/FAILURE)
   Main PID: 644826 (code=exited, status=1/FAILURE)

sudo journalctl -u onion-grater.service

Traceback (most recent call last):
  File "/usr/lib/onion-grater", line 884, in <module>
    main()
  File "/usr/lib/onion-grater", line 852, in main
    default='debug' in open('/proc/cmdline').read().split(),

Permissionerror: [Errno 13] Permission denied: '/proc/cmdline'

The /proc/cmdline file has -r--r--r-- permissions and belongs to root user.

Patrick · February 19, 2024, 11:23am

That doesn’t happen on its own in a default installation. How did you reach that state?
Bug report as per Reporting Guidelines required to be able to proceed here.

whonyx · February 20, 2024, 3:49am

I found out that apparmor was blocking it despite valid configuration to allow onion-grater read /proc/cmdline. After reboot of Whonix-Gateway the issue is gone.

Recently I updated Whonix from bullseye to bookworm in the way described here:

Now I’m struggling with Whonix-Workstation because after upgrading from bullseye to bookworm Redis is not starting anymore. Again, it’s apparmor blocking Redis to load a shared library. This might not be Whonix specific issue or at some sort.

redis-server[2723]: /usr/bin/redis-server: error while loading shared libraries: libgpg-error.so.0: failed to map segment from shared object
systemd[1]: redis-server.service: Main process exited, code=exited, status=127/n/a

Profile: /usr/libexec/whonix-firewall/**
Operation: file_mmap
Name: /usr/local/lib/libgpg-error.so.0.33.1
Denied: rm
Logfile: /var/log/audit/audit.log

Not sure if it’s really apparmor issue (no profile for redis-server) or libraries versions.

sudo apt uninstall redis-server
sudo apt autoremove
sudo apt install redis
 
sudo apt install libgpg-error-dev
libgpg-error-dev is already the newest version (1.46-1).

If this is unspecific to Whonix, then I will ask for help at package maintainers.

Linux version:

Linux version 6.1.0-18-amd64 (debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)

Whonix version: the latest after runing release-upgrade
Components: Whonix-Workstation (non-Qubes)

Patrick · February 20, 2024, 3:09pm

Reboot is part of upgrade instructions and not optional for something as big as a release upgrade.

Redis issues are unspecific to Whonix as Whonix source code does not mention redis in any form.