[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [CONTRIBUTE] [DONATE]

/var/run/tor/log AppArmor help needed

Development
#1

Could you add.

To /etc/tor/torrc please? Then restart Tor?

AppArmor complains about missing mknod © access to /run/tor/log. And I failed to find out how to add an exception to /etc/apparmor.d/local/system_tor. Maybe you can help out?

Background:
We can keep /var/log/tor/log to have a log that survives reboot. An additional (multiple instances of the “Log” command seem to be supported by Tor) /var/run/tor/log that only contains messages since last boot would be helpful as well. whonxicheck could grep it for clock related messages and warn if it found something.

#2

Added the line to /etc/tor/torrc and restarted Tor. No complain from AppArmor, but the process system_tor is not enforced (the profile is is in enforce mode).

Tried to force it “sudo aa-enforce /etc/apparmor.d/system_tor” or “sudo apparmor_parser -r /etc/apparmor.d/system_tor”.

Yours must be. Could you check with “sudo aa-status”?

And by the way, I have never seen the process system_tor going in enforce mode in the Gateway. Perhaps in Whonix 9?

#3

And it does not complain in complain mode.

#4

I was indeed testing in Whonix 9.

Tor’s AppArmor profile works differently. There is no global profile. It’s load by /etc/init.d/tor. At release time of Whonix 8 there was a bug in AppArrmor, so this profile needed to be deactivated. The AppArmor bug should be fixed when you have latest updates.

In /etc/default/tor comment out.

Then that profile will be load. Forgot to mention it.

You can see a bit more how /etc/init.d/tor works by running.

And more interestingly.

#5

SocksSocket discussion moved here:
https://www.whonix.org/forum/index.php/topic,375.0.html

#6

The updates /etc/apparmor.d/system_tor

# vim:syntax=apparmor
#include <tunables/global>

profile system_tor {
  #include <abstractions/tor>

  owner /var/lib/tor/** rwk,
  owner /var/log/tor/* w,

  /run/tor r,
  /run/tor/* rwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_tor>
}

We cannot uses /var/run because it is a symlink to a directory.

Had to add the loc(k) mask too.

#7

Can we add this to local one

instead?

Can you commit to https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/apparmor.d/local/system_tor.anondist please?

So we use this

in

?

(https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/usr/share/tor/tor-service-defaults-torrc.anondist)

That would be fine as well.

Are you sure AppArmor was in use on your test system? Check.

sudo aa-status | grep tor system_tor

Because I was still getting the mknod complaint.

Even though using your suggested config.

#8
Are you sure AppArmor was in use on your test system? Check.

The last part of aa-status

1 processes have profiles defined.
1 processes are in enforce mode.
   system_tor (2475) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

The process is in enforce mode. That’s what matters.

Have you replaced the profile in the kernel with

sudo apparmor_parser -r /etc/apparmor.d/system_tor

?

#9

No, I forgot that. Didn’t know it’s not required, since the init script is starting it with AppArmor.

Implemented:

Thanks!

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]