Whonix 14 (Anon Connection Wizard) - Cannot start tor@default

halo9en · 2018-03-27 11:06:09 UTC

[Cannot copy and paste from VirtualBox – please bear with me]

Anon Connection Wizard fails to connect to Tor.

From journalctl -xe:
AVC apparmor="DENIED" operation="open" profile="system_tor" name="/etc/torrc.d/95_whonix.conf" pid=1029 comm="tor" requested_mask="r" denied_mask="r" fsuid=0
…
Error reading included configuration file or directory: "/etc/torrc.d/95_whonix.conf". tor@default.service: Main process exited, code=exited, status=1/FAILURE Failed to start Anonymizing overlay network for TCP.

All Apparmor profiles and configurations are unchanged. This is a fresh upgrade to 14 from a newly imported Whonix Gateway 13.0.0.1.4 following the instructions at /wiki/Upgrading_Whonix_13_to_Whonix_14.

0brand · 2018-03-27 23:10:15 UTC

Looks like the problem you are having is addressed in these 2 threads. Same solution is in both threads but first one is where they first started troubleshooting the problem.

https://forums.whonix.org/t/graphical-gui-whonix-setup-wizard-anon-connection-wizard-technical-discussion/650/396

https://forums.whonix.org/t/anon-connection-wizard-apparmor/4665

iry · 2018-03-28 05:39:10 UTC

Hi @halo9en !

Thank you so much for reporting this!

I am sorry to hear that you have to type all the info manually. Do you mean the copy and paste does not work anymore since updating to Whonix 14? Were you able to do the operations in Whonix13?

For the anon-connection-wizard failure, would you please check the output of the following commands? (I do not want you type all of them, so I am going to provide it here and you can just check against my output. )

Expected output (I guess yours will complain about the configuration error):

user@host:~$ sudo --non-interactive /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config
Mar 28 05:32:42.970 [notice] Tor 0.3.2.9 (git-64a719dd25a21acb) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Mar 28 05:32:42.970 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 28 05:32:42.970 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Mar 28 05:32:42.970 [notice] Read configuration file "/etc/tor/torrc".
Mar 28 05:32:42.973 [notice] You configured a non-loopback address '10.137.13.1:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Mar 28 05:32:42.973 [notice] You configured a non-loopback address '10.137.13.1:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Configuration was valid

Check the chain of torrc files (lines starts with # can be ignored):

user@host:~$ cat /etc/tor/torrc
%include /etc/torrc.d/95_whonix.conf

user@host:~$ cat /etc/torrc.d/95_whonix.conf
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf
%include /usr/local/etc/torrc.d/40_anon_connection_wizard.conf
%include /usr/local/etc/torrc.d/50_user.conf

user@host:~$ cat /usr/local/etc/torrc.d/40_anon_connection_wizard.conf
# This file is generated by and should ONLY be used by anon-connection-wizard.
# User configuration should go to /usr/local/etc/torrc.d/50_user.conf, not here. Because:
#    1. This file can be easily overwritten by anon-connection-wizard.
#    2. Even a single character change in this file may cause error.
# However, deleting this file will be fine since a new plain file will be generated the next time you run anon-connection-wizard.
DisableNetwork 0

user@host:~$ cat /usr/local/etc/torrc.d/50_user.conf
## Tor user specific configuration file
##
## Add user modifications below this line:
############################################

halo9en · 2018-03-29 04:03:16 UTC

@iry - my outputs were all identical

@0brand - my apparmor config files match the latest version from that thread.

Here’s some useful copy and pasted info:

$ journalctl -xe
-- 
-- Unit tor@default.service has begun starting up.
Mar 27 16:26:30 host tor[2597]: Mar 27 16:26:30.300 [notice] Tor 0.3.2.9 (git-64a719dd25a21acb) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Lib
Mar 27 16:26:30 host tor[2597]: Mar 27 16:26:30.301 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 27 16:26:30 host tor[2597]: Mar 27 16:26:30.301 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Mar 27 16:26:30 host tor[2597]: Mar 27 16:26:30.301 [notice] Read configuration file "/etc/tor/torrc".
Mar 27 16:26:30 host tor[2597]: Mar 27 16:26:30.304 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your mac
Mar 27 16:26:30 host tor[2597]: Mar 27 16:26:30.304 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your m
Mar 27 16:26:30 host tor[2597]: Configuration was valid
Mar 27 16:26:30 host tor[2601]: Mar 27 16:26:30.429 [notice] Tor 0.3.2.9 (git-64a719dd25a21acb) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Lib
Mar 27 16:26:30 host tor[2601]: Mar 27 16:26:30.429 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 27 16:26:30 host tor[2601]: Mar 27 16:26:30.430 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Mar 27 16:26:30 host tor[2601]: Mar 27 16:26:30.430 [notice] Read configuration file "/etc/tor/torrc".
Mar 27 16:26:30 host audit[2601]: AVC apparmor="DENIED" operation="open" profile="system_tor" name="/etc/torrc.d/95_whonix.conf" pid=2601 comm="tor" requested_mask="r" denied_mask="r" fsuid=0 
Mar 27 16:26:30 host audit[2601]: SYSCALL arch=40000003 syscall=5 success=no exit=-13 a0=228dac0 a1=88000 a2=0 a3=b71eb000 items=1 ppid=1 pid=2601 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsu
Mar 27 16:26:30 host audit: CWD cwd="/"
Mar 27 16:26:30 host audit: PATH item=0 name="/etc/torrc.d/95_whonix.conf" inode=2361771 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Mar 27 16:26:30 host audit: PROCTITLE proctitle=2F7573722F62696E2F746F72002D2D64656661756C74732D746F727263002F7573722F73686172652F746F722F746F722D736572766963652D64656661756C74732D746F72726300
Mar 27 16:26:30 host tor[2601]: Mar 27 16:26:30.433 [warn] Could not open "/etc/torrc.d/95_whonix.conf": Permission denied
Mar 27 16:26:30 host tor[2601]: Mar 27 16:26:30.433 [warn] Error reading included configuration file or directory: "/etc/torrc.d/95_whonix.conf".
Mar 27 16:26:30 host tor[2601]: Mar 27 16:26:30.434 [err] Reading config failed--see warnings above.
Mar 27 16:26:30 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=tor@default comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Mar 27 16:26:30 host systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
Mar 27 16:26:30 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
-- Subject: Unit tor@default.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit tor@default.service has failed.
-- 
-- The result is failed.
Mar 27 16:26:30 host systemd[1]: tor@default.service: Unit entered failed state.
Mar 27 16:26:30 host systemd[1]: tor@default.service: Failed with result 'exit-code'.
Mar 27 16:26:30 host audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=tor@default comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success
Mar 27 16:26:30 host audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=tor@default comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 27 16:26:30 host systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Mar 27 16:26:30 host systemd[1]: brltty.service: Cannot add dependency job, ignoring: Unit brltty.service is masked.
Mar 27 16:26:30 host systemd[1]: Stopped Anonymizing overlay network for TCP.
-- Subject: Unit tor@default.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- Unit tor@default.service has finished shutting down.
Mar 27 16:26:30 host systemd[1]: tor@default.service: Start request repeated too quickly.
Mar 27 16:26:30 host systemd[1]: Failed to start Anonymizing overlay network for TCP.
-- Subject: Unit tor@default.service has failed
-- Defined-By: systemd
user@host:/etc/apparmor.d/local$ ls -la /etc/torrc.d/
total 20
drwxr-xr-x   2 root root  4096 Mar 26 11:00 .
drwxr-xr-x 131 root root 12288 Mar 27 10:49 ..
-rw-r--r--   1 root root   243 Feb 22 01:59 95_whonix.conf
user@host:/etc/apparmor.d/local$ cat /etc/torrc.d/95_whonix.conf 
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf
%include /usr/local/etc/torrc.d/40_anon_connection_wizard.conf
%include /usr/local/etc/torrc.d/50_user.conf
user@host:/etc/apparmor.d/local$ sudo --non-interactive /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config
Mar 27 16:36:58.608 [notice] Tor 0.3.2.9 (git-64a719dd25a21acb) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Mar 27 16:36:58.608 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 27 16:36:58.608 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Mar 27 16:36:58.608 [notice] Read configuration file "/etc/tor/torrc".
Mar 27 16:36:58.612 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Mar 27 16:36:58.612 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Configuration was valid
user@host:/etc/apparmor.d/local$ echo $?
0

troubadour · 2018-03-29 22:25:55 UTC

@halo9en
Could you post the content of
/etc/apparmor.d/local/system_tor.anondist

halo9en · 2018-03-30 00:47:48 UTC

@troubadour - yes, here:

user@host:/etc/apparmor.d/local$ cat /etc/apparmor.d/local/system_tor.anondist
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Begin Tor Local AppArmor Profile for Anonymity Distributions

## Workaround for: config-package-dev clashes with AppArmor profiles
## https://github.com/Whonix/Whonix/issues/66

## A profile /etc/apparmor.d/anondist could not cover the system_tor
## profile, since that is enforced by the Tor systemd unit file.
## https://github.com/Whonix/Whonix/issues/67

  ## Anonymity Distributions
  /etc/hosts.anondist r,
  /etc/resolv.conf.anondist r,
  /run/tor r,
  /run/tor/log rwk,

## Add permissions for obfsproxy and flashproxy.
## AUDIT:
## These profile rules may be too permissive. Needs audit and someone dedicated
## to work on AppArmor profiles. It's not a serious security issue in any case,
## because AppArmor isn't enabled by default in Debian stretch yet and little
## work is being done on it at time of writing. So it's a lax AppArmor profile
## versus no AppArmor at all.

  ## anon-connection-wizard
  /etc/ r,
  /etc/torrc.d/ rw,
  /etc/torrc.d/* rw,

  /usr/local/etc/torrc.d/ rw,
  /usr/local/etc/torrc.d/* rw,

  ## obfsproxy
  /usr/local/lib/python*/** r,
  /var/log/tor/log rw,
  /dev/urandom r,
  /dev/random r,
  /usr/** r,
  /etc/python*/sitecustomize.py r,
  ## https://forums.whonix.org/t/after-last-apt-get-upgrade-gateway-doesnt-connect-to-tor-anymore
  #/usr/bin/obfsproxy rix,

  ## flashproxy
  @{HOME}/.tb/tor-browser/App/flashproxy-client rix,
  @{HOME}/.tb/tor-browser/App/flashproxy-reg-appspot rix,
  @{HOME}/.tb/tor-browser/App/flashproxy-reg-url rix,
  @{HOME}/.tb/tor-browser/App/flashproxy-reg-http rix,
  @{HOME}/.tb/tor-browser/App/flashproxy-reg-email rix,
  @{HOME}/.tb/tor-browser/App/** rm,
  /usr/bin/python* rix,
  /usr/lib/python*/dist-packages/** m,
  /usr/lib/python*/lib-dynload/** m,
  /usr/lib/pyshared/python*/OpenSSL/** m,
  /usr/lib/python*/lib-dynload/** m,
  /usr/lib/pyshared/python*/numpy/** m,
  /proc/*/mounts r,

## End Tor Local AppArmor Profile for Anonymity Distributions

iry · 2018-03-31 20:46:26 UTC

The apparmor denied reading to /etc/torrc.d/95_whonix.conf:

But it seems it has been set to allowed to read and write:

Do you have any ideas on this, @torjunkie , @troubadour ?

torjunkie · 2018-04-01 18:09:36 UTC

No idea Iry - AppArmor issues are generally above my pay grade I’m afraid!

entr0py · 2018-04-01 19:18:51 UTC

Try giving read permissions to the directory also, not just contents of directory:

/etc/torrc.d/ r,

troubadour · 2018-04-01 20:06:38 UTC

@entr0py You might be right. AppArmor permission w[write] is not required for a directory, and indeed can create a problem.

I have pushed an update to anon-gw-anonymizer-config modifying /usr/local/etc/torrc.d/ too.

https://github.com/troubadoour/anon-gw-anonymizer-config/commit/cd85983c9e61eacbf1e353de0d0aaf2e70bc1fd3

Patrick · 2018-04-02 10:55:00 UTC

troubadour:

@entr0py You might be right. AppArmor permission w[write] is not required for a directory, and indeed can create a problem.

I have pushed an update to anon-gw-anonymizer-config modifying /usr/local/etc/torrc.d/ too.

https://github.com/troubadoour/anon-gw-anonymizer-config/commit/cd85983c9e61eacbf1e353de0d0aaf2e70bc1fd3

Merged.

unman · 2018-04-02 17:55:48 UTC

I’m not sure these changes are required…
I believe that the issue arises because the version of /etc/apparmor.d/system_tor installed with the tor package has the include statement commented out, so that the local version is not consulted.
If that include statement is activated then the Anon Connection Wizard works as expected.

I’m not sure whether this is best done in a package or as a manual step on the upgrade?

entr0py · 2018-04-02 18:17:03 UTC

@unman good to see you here! I know you’ve used your own Tor gateway in the past - hope you’ll be using Whonix regularly.

You’re probably right that it’s not the root cause of the issue (unable to test here). Still, it’s good form.

https://gitlab.com/apparmor/apparmor/wikis/QuickProfileLanguage :
For directories, read access ( r) allows reading of directory meta data (eg, owner) and reading of directory contents (ie listing) but is not needed for traversal. Write access (w) allows creation, deletion, and updating of directory meta data.

Doesn’t tor 3.2.10 have #include <local/system_tor>. This should pull in local overrides unless #include has been deprecated.

Policy files can include other files to share text segments. AppArmor includes follow the C include convention. They start with #include followed by either < > for text chucks relative to a set include directory or " " for files relative to the current file. The # is optional and shouldn’t be used in newer profiles.

#include conflicts with commenting rules and takes precedence. The # and include must not be separated from the include with white space otherwise it is considered a comment

Where is system_tor defined? Could root be executing /usr/sbin/tor?

unman · 2018-04-02 18:50:29 UTC

Hi @entr0py
Yes, I’ve switched to Whonix in Qubes

I was misled here - if you restart apparmor after booting the upgraded GW, then the wizard works as expected.
NB On starting the gw after upgrade, the Tor connection is made and whonixcheck reports all well, before the wizard appears. How?

Patrick · 2018-04-02 21:21:00 UTC

unman:

I believe that the issue arises because the version of /etc/apparmor.d/system_tor installed with the tor package has the include statement commented out

You sure it is out commented?

Survey says…

grep -r include /etc/apparmor.d

They all use #include for everything. I don’t think # means comment
here. (Would agree any second that this is weird syntax, bad design by
the apparmor profile language.)

Patrick · 2018-04-02 21:26:00 UTC

/etc/apparmor.d/system_tor is referenced from the systemd unit file.

cat /lib/systemd/system/tor@default.service | grep -i apparmor

unman:

If that include statement is activated then the Anon Connection Wizard works as expected.

THAT is strange. Sure about that?

I’m not sure whether this is best done in a package or as a manual step on the upgrade?

Only required for upgrade?
(Otherwise we shouldn’t ask everyone as part of initial Whonix setup to
modify some file.)

Package anon-gw-anonymizer-config using config-package-dev displace.
Only if we must. I hope not.

Patrick · 2018-04-02 21:34:00 UTC

unman:

On starting the gw after upgrade, the Tor connection is made and whonixcheck reports all well, before the wizard appears. How?

Since

Tor is still enabled in Tor config but how? /etc/tor/torrc should be
no longer a bind-dirs covered file. (So Qubes-Whonix /etc/tor/torrc
settings would be recoverable from /rw/bind-dirs/etc/tor/torrc.) but
no longer being active in /etc/tor/torrc. Should equal
https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/tor/torrc.anondist
right?
Since ACW status file does no longer exist (Why?) or since ACW status
file checking code broke?

unman · 2018-04-02 21:42:16 UTC

You’re right, and it is now deprecated.
I was fooled by the fact that editing and then reloading apparmor allowed the Connection Wizard to start.
In fact, just reloading/restarting without editing the file has the same effect.