/var/run/tor/log AppArmor help needed

Could you add.

To /etc/tor/torrc please? Then restart Tor?

AppArmor complains about missing mknod © access to /run/tor/log. And I failed to find out how to add an exception to /etc/apparmor.d/local/system_tor. Maybe you can help out?

We can keep /var/log/tor/log to have a log that survives reboot. An additional (multiple instances of the “Log” command seem to be supported by Tor) /var/run/tor/log that only contains messages since last boot would be helpful as well. whonxicheck could grep it for clock related messages and warn if it found something.

Added the line to /etc/tor/torrc and restarted Tor. No complain from AppArmor, but the process system_tor is not enforced (the profile is is in enforce mode).

Tried to force it “sudo aa-enforce /etc/apparmor.d/system_tor” or “sudo apparmor_parser -r /etc/apparmor.d/system_tor”.

Yours must be. Could you check with “sudo aa-status”?

And by the way, I have never seen the process system_tor going in enforce mode in the Gateway. Perhaps in Whonix 9?

And it does not complain in complain mode.

I was indeed testing in Whonix 9.

Tor’s AppArmor profile works differently. There is no global profile. It’s load by /etc/init.d/tor. At release time of Whonix 8 there was a bug in AppArrmor, so this profile needed to be deactivated. The AppArmor bug should be fixed when you have latest updates.

In /etc/default/tor comment out.

Then that profile will be load. Forgot to mention it.

You can see a bit more how /etc/init.d/tor works by running.

And more interestingly.

SocksSocket discussion moved here:

The updates /etc/apparmor.d/system_tor

# vim:syntax=apparmor
#include <tunables/global>

profile system_tor {
  #include <abstractions/tor>

  owner /var/lib/tor/** rwk,
  owner /var/log/tor/* w,

  /run/tor r,
  /run/tor/* rwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_tor>

We cannot uses /var/run because it is a symlink to a directory.

Had to add the loc(k) mask too.

Can we add this to local one



Can you commit to anon-gw-anonymizer-config/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub please?

So we use this

Log notice file /run/tor/log




(anon-gw-anonymizer-config/tor-service-defaults-torrc.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub)

That would be fine as well.

Are you sure AppArmor was in use on your test system? Check.

sudo aa-status | grep tor system_tor

Because I was still getting the mknod complaint.

type=1400 audit(1405088443.779:33): apparmor="DENIED" operation="mknod" parent=1 profile="system_tor" name="/run/tor/log" pid=3447 comm="tor" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

Even though using your suggested config.

Are you sure AppArmor was in use on your test system? Check.

The last part of aa-status

1 processes have profiles defined.
1 processes are in enforce mode.
   system_tor (2475) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

The process is in enforce mode. That’s what matters.

Have you replaced the profile in the kernel with

sudo apparmor_parser -r /etc/apparmor.d/system_tor


No, I forgot that. Didn’t know it’s not required, since the init script is starting it with AppArmor.