Tor denied message /etc/torrc.d/95_whonix.conf after upgrade from Whonix 13 to Whonix 14

Harlem · August 30, 2018, 7:53pm

Ok, everything went fine until final reboot.

So after starting ws-gw tor connection is off.

Some logs:

ERROR: Tor Pid Check Result:
Tor not running. (tor_pid_message: Pid file /var/run/tor/tor.pid does not exist.)
You have to fix this error, before you can use Tor.

So I checked:

ls -l /var/run/tor
total 0

ls -l /var/run/tor/tor.pida
ls: cannot access ‘/var/run/tor/tor.pid’: No such file or directory

Next (from “systemctl status tor@default.service” and “journalctl -xe”):

systemctl status tor@default.service

● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
Drop-In: /lib/systemd/system/tor@default.service.d
└─40_obfs4proxy-workaround.conf, 50_controlsocket-workaround.conf
Active: failed (Result: exit-code) since Thu 2018-08-30 18:33:43 UTC; 1min 35s ago
Process: 2968 ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc ----RunAsDaemon 0 (code=exited, status=1/FAILURE)
Process: 2964 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
Process: 2963 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)
Main PID: 2968 (code=exited, status=1/FAILURE)

Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Unit entered failed state.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Failed with result ‘exit-code’.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Aug 30 18:33:43 host systemd[1]: Stopped Anonymizing overlay network for TCP.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Start request repeated too quickly.
Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Unit entered failed state.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Failed with result ‘exit-code’.

Also (this is going on an on…):

Aug 30 18:33:42 host systemd[1]: Starting Anonymizing overlay network for TCP…
– Subject: Unit tor@default.service has begun start-up
– Defined-By: systemd
– Support: Debian -- User Support
**-- **
– Unit tor@default.service has begun starting up.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.847 [notice] Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.848 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.849 [notice] Read configuration file “/usr/share/tor/tor-service-defaults-torrc”.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.849 [notice] Read configuration file “/etc/tor/torrc”.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.858 [warn] Option ‘DisableNetwork’ used more than once; all but the last value will be ignored.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.858 [notice] You configured a non-loopback address ‘10.152.152.10:5300’ for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Aug 30 18:33:42 host tor[2964]: Aug 30 18:33:42.858 [notice] You configured a non-loopback address ‘10.152.152.10:9040’ for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Aug 30 18:33:42 host tor[2964]: Configuration was valid
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.377 [notice] Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.379 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.380 [notice] Read configuration file “/usr/share/tor/tor-service-defaults-torrc”.
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.380 [notice] Read configuration file “/etc/tor/torrc”.
Aug 30 18:33:43 host audit[2968]: AVC apparmor=“DENIED” operation=“open” profile=“system_tor” name=“/etc/torrc.d/95_whonix.conf” pid=2968 comm=“tor” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0
Aug 30 18:33:43 host audit[2968]: SYSCALL arch=40000003 syscall=5 success=no exit=-13 a0=a2ad20 a1=88000 a2=0 a3=b7278000 items=1 ppid=1 pid=2968 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=“tor” exe=“/usr/bin/tor” key=(null)
Aug 30 18:33:43 host audit: CWD cwd=“/”
Aug 30 18:33:43 host audit: PATH item=0 name=“/etc/torrc.d/95_whonix.conf” inode=3016178 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 30 18:33:43 host audit: PROCTITLE proctitle=2F7573722F62696E2F746F72002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F746F722D736572766963652D64656661756C74732D746F727263002D66002F6574632F746F722F746F727263002D2D52756E41734461656D6F6E0030
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.389 [warn] Could not open “/etc/torrc.d/95_whonix.conf”: Permission denied
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.389 [warn] Error reading included configuration file or directory: “/etc/torrc.d/95_whonix.conf”.
Aug 30 18:33:43 host tor[2968]: Aug 30 18:33:43.389 [err] Reading config failed–see warnings above.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
Aug 30 18:33:43 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=tor@default comm=“systemd” exe=“/lib/systemd/systemd” hostname=? addr=? terminal=? res=failed’
Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
– Subject: Unit tor@default.service has failed
– Defined-By: systemd
– Support: Debian -- User Support
**-- **
– Unit tor@default.service has failed.
**-- **
– The result is failed.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Unit entered failed state.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Failed with result ‘exit-code’.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Aug 30 18:33:43 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=tor@default comm=“systemd” exe=“/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Aug 30 18:33:43 host systemd[1]: brltty.service: Cannot add dependency job, ignoring: Unit brltty.service is masked.
Aug 30 18:33:43 host audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg=‘unit=tor@default comm=“systemd” exe=“/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
Aug 30 18:33:43 host systemd[1]: Stopped Anonymizing overlay network for TCP.
– Subject: Unit tor@default.service has finished shutting down
– Defined-By: systemd
– Support: Debian -- User Support
**-- **
– Unit tor@default.service has finished shutting down.
Aug 30 18:33:43 host systemd[1]: tor@default.service: Start request repeated too quickly.
Aug 30 18:33:43 host systemd[1]: Failed to start Anonymizing overlay network for TCP.

I have checked network interfaces, it look ok (same as posted here).

Patrick · August 30, 2018, 8:28pm

Does your

/etc/apparmor.d/local/system_tor.anondist

and

/etc/apparmor.d/local/system_tor

Look the same? Should be. To check:

diff /etc/apparmor.d/local/system_tor /etc/apparmor.d/local/system_tor.anondist ; echo $?

Expected output: 0

Does your /etc/apparmor.d/local/system_tor look like https://raw.githubusercontent.com/Whonix/anon-gw-anonymizer-config/master/etc/apparmor.d/local/system_tor.anondist?

Harlem · August 30, 2018, 9:06pm

Yes and yes. Both files are the same, and look like the one from the link.

zealot · March 23, 2019, 2:55pm

Have exactly same problem. How to fix it?

0brand · March 24, 2019, 1:39am

Hi zealot

Did you try rebooting? You can also try restarting Tor.

https://forums.whonix.org/t/error-tor-not-running-tor-pid-message-pid-file-var-run-tor-tor-pid-doest-not-exist-noob-need-help/5785

zealot · March 24, 2019, 10:30am

Nope, I have same result

Sorry, looks like virtialbox guest utils broken, so i could not copypaste logs

I think it is apparmor issue

Patrick · March 24, 2019, 2:23pm

Tor config wrong? Please try Configuration Check as per:

Tor - Whonix

Please watch Tor log while restarting Tor as per:

Tor - Whonix

This might give some clues what’s wrong.

zealot · March 24, 2019, 3:00pm

There no any tor logs

And, i could start tor manually.

Patrick · March 24, 2019, 4:19pm

Please watch Tor log while restarting Tor as per:

Tor - Whonix

This might give some clues what’s wrong.

zealot · March 24, 2019, 4:27pm

Weird openssl issue only.

Patrick · March 24, 2019, 4:44pm

grep -i error /var/run/tor/log

?

Patrick · March 24, 2019, 4:46pm

sudo journalctl -f

while doing this, restart Tor. That would show any apparmor related issues.

From Whonix 14 / Debian stretch AppArmor related changes

sudo cat /var/log/audit/audit.log | grep -i DENIED

zealot · March 24, 2019, 4:52pm

grep -i error /var/run/tor/log

return no result

sudo journalctl -f

return several identical attempt to start tor

sudo cat /var/log/audit/audit.log | grep -i DENIED

I could see many messages about tor config files

zealot · March 24, 2019, 4:59pm

Its completly look like apparmor issue

Patrick · March 24, 2019, 6:08pm

github.com

Whonix/anon-gw-anonymizer-config/blob/master/etc/apparmor.d/local/system_tor.anondist

## Copyright (C) 2012 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Begin Tor Local AppArmor Profile for Anonymity Distributions

#### meta start
#### project Whonix
#### category tor and security
#### gateway_only yes
#### description
## Local AppArmor Profile for Anonymity Distributions
##
## AUDIT desired.
#### meta end

## Workaround for: config-package-dev clashes with AppArmor profiles
## https://github.com/Whonix/Whonix/issues/66

## A profile /etc/apparmor.d/anondist could not cover the system_tor
## profile, since that is enforced by the Tor systemd unit file.

This file has been truncated. show original

Patrick · March 24, 2019, 6:08pm

Does your /etc/apparmor.d/local/system_tor.anondist looks the same like anon-gw-anonymizer-config/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub?

zealot · March 24, 2019, 6:17pm

Yes, completly same.

Patrick · March 24, 2019, 6:19pm

And /etc/apparmor.d/local/system_tor also looks same?

It’s actually a symlink.

ls -la /etc/apparmor.d/local/system_tor

lrwxrwxrwx 1 root root 19 Jan 23 14:41 /etc/apparmor.d/local/system_tor → system_tor.anondist

I am just trying to figure out why that file is non-effective for you and wondering if that symlink may be broken.

zealot · March 24, 2019, 6:22pm

Patrick · March 24, 2019, 6:52pm

Could you check please if /etc/apparmor.d/system_tor looks like this:

# vim:syntax=apparmor
#include <tunables/global>

profile system_tor flags=(attach_disconnected) {
  #include <abstractions/tor>

  owner /var/lib/tor/** rwk,
  owner /var/lib/tor/ r,
  owner /var/log/tor/* w,

  # During startup, tor (as root) tries to open various things such as
  # directories via check_private_dir().  Let it.
  /var/lib/tor/** r,

  /{,var/}run/tor/ r,
  /{,var/}run/tor/control w,
  /{,var/}run/tor/socks w,
  /{,var/}run/tor/tor.pid w,
  /{,var/}run/tor/control.authcookie w,
  /{,var/}run/tor/control.authcookie.tmp rw,
  /{,var/}run/systemd/notify w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_tor>
}