/var/run/tor/log AppArmor help needed

Could you add.

To /etc/tor/torrc please? Then restart Tor?

AppArmor complains about missing mknod (c) access to /run/tor/log. And I failed to find out how to add an exception to /etc/apparmor.d/local/system_tor. Maybe you can help out?

Background:
We can keep /var/log/tor/log to have a log that survives reboot. An additional (multiple instances of the “Log” command seem to be supported by Tor) /var/run/tor/log that only contains messages since last boot would be helpful as well. whonixcheck could grep it for clock related messages and warn if it found something.
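The check proposed above, as an added example that is not whonixcheck's code and not part of the thread: a small POSIX shell scanner over a boot-local Tor log such as /run/tor/log. The log path, the grep patterns and the sample log are assumptions; the sample lines are constructed to resemble Tor's notice/warn format and are not real Tor output.

```shell
#!/bin/sh
# Added example, not whonixcheck's own code: scan a Tor log written by
# "Log notice file <path>" (e.g. /run/tor/log) for clock-related messages.
# The message patterns are assumptions modelled on Tor's clock warnings;
# tighten them against real logs before relying on them.

# Print every line that looks clock-related (case-insensitive, deliberately broad).
tor_clock_warnings() {
    # $1: path to the Tor log file
    grep -iE 'clock (skew|jump)|system clock|skewed time|clock is (ahead|behind)|behind the time|ahead of the time' "$1"
}

# Exit-status style check so a whonixcheck-like caller can branch on it:
# 0 if at least one clock-related line exists, 1 otherwise.
tor_has_clock_problem() {
    tor_clock_warnings "$1" >/dev/null 2>&1
}

# Number of matching lines, for a summary message.
tor_clock_warning_count() {
    tor_clock_warnings "$1" | wc -l | tr -d ' '
}

# Constructed sample logs (not real Tor output) so the script runs offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/tor-log-sample.$$"
CLEAN_LOG="${TMPDIR:-/tmp}/tor-log-clean.$$"
trap 'rm -f "$SAMPLE_LOG" "$CLEAN_LOG"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
Jul 11 14:20:01.000 [notice] Tor opening log file.
Jul 11 14:20:02.000 [notice] Bootstrapped 5%: Connecting to directory server.
Jul 11 14:20:05.000 [warn] Received NETINFO cell with skewed time from server at 192.0.2.1:9001. It seems that our clock is behind by 1 hours, 2 minutes.
Jul 11 14:21:10.000 [notice] Your system clock just jumped 3700 seconds forward; assuming established circuits no longer work.
Jul 11 14:21:12.000 [notice] Bootstrapped 100%: Done.
EOF

cat > "$CLEAN_LOG" <<'EOF'
Jul 11 14:20:01.000 [notice] Tor opening log file.
Jul 11 14:20:02.000 [notice] Bootstrapped 5%: Connecting to directory server.
Jul 11 14:20:12.000 [notice] Bootstrapped 100%: Done.
EOF

# Stand-alone demonstration: print the matches for the constructed log.
echo "clock-related lines in $SAMPLE_LOG:"
tor_clock_warnings "$SAMPLE_LOG" || echo "(none)"
echo "count: $(tor_clock_warning_count "$SAMPLE_LOG")"
```

The two sample files are created under $TMPDIR (default /tmp) and removed on exit; point tor_clock_warnings at the real /run/tor/log once the Log line and the AppArmor rule are in place.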

Added the line to /etc/tor/torrc and restarted Tor. No complaint from AppArmor, but the process system_tor is not enforced (the profile is in enforce mode).

Tried to force it “sudo aa-enforce /etc/apparmor.d/system_tor” or “sudo apparmor_parser -r /etc/apparmor.d/system_tor”.

Yours must be. Could you check with “sudo aa-status”?

And by the way, I have never seen the process system_tor going in enforce mode in the Gateway. Perhaps in Whonix 9?

And it does not complain in complain mode.

I was indeed testing in Whonix 9.

Tor’s AppArmor profile works differently. There is no global profile. It’s loaded by /etc/init.d/tor. At release time of Whonix 8 there was a bug in AppArmor, so this profile needed to be deactivated. The AppArmor bug should be fixed when you have the latest updates.

In /etc/default/tor comment out.

Then that profile will be loaded. Forgot to mention it.

You can see a bit more how /etc/init.d/tor works by running.

And more interestingly.

SocksSocket discussion moved here:

The updated /etc/apparmor.d/system_tor

# vim:syntax=apparmor
#include <tunables/global>

profile system_tor {
  #include <abstractions/tor>

  owner /var/lib/tor/** rwk,
  owner /var/log/tor/* w,

  /run/tor r,
  /run/tor/* rwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_tor>
}

We cannot use /var/run because it is a symlink to a directory.

Had to add the lock (k) mask too.

Can we add this to local one

/etc/apparmor.d/local/system_tor

instead?

Can you commit to anon-gw-anonymizer-config/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub please?

So we use this

Log notice file /run/tor/log

in

/usr/share/tor/tor-service-defaults-torrc

?

(anon-gw-anonymizer-config/tor-service-defaults-torrc.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub)

That would be fine as well.

Are you sure AppArmor was in use on your test system? Check.

sudo aa-status | grep tor system_tor

Because I was still getting the mknod complaint.

type=1400 audit(1405088443.779:33): apparmor="DENIED" operation="mknod" parent=1 profile="system_tor" name="/run/tor/log" pid=3447 comm="tor" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

Even though using your suggested config.

Are you sure AppArmor was in use on your test system? Check.

The last part of aa-status

1 processes have profiles defined.
1 processes are in enforce mode.
   system_tor (2475) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

The process is in enforce mode. That’s what matters.

Have you replaced the profile in the kernel with

sudo apparmor_parser -r /etc/apparmor.d/system_tor

?

No, I forgot that. Didn’t know it’s not required, since the init script is starting it with AppArmor.

Implemented:

Thanks!