Package: tor
Version: 0.3.5.10-1

As stated in the subject: the tor service won't start when apparmor is active and the root filesystem is stored on an overlayfs.

Steps to reproduce:

1. Download the current "standard" Debian 10 live ISO for amd64 (at the time of writing, this is: <https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-10.4.0-amd64-standard.iso>).

2. Boot this image, either on real hardware or in a VM, and make sure you have a working internet connection for the apt update/apt install commands that follow.

3. At the "user@debian" prompt, enter "sudo -i" (you will not be prompted for a password).

4. Run the following commands:

     apt update
     apt install apparmor -y
     service apparmor start
     apt install tor -y
     apparmor_status
     # Apparmor will show "system_tor" among the list of "enforced"
     # profiles

5. Check for a running tor instance using "ps -C tor".
   Expected result: tor is running
   Actual result: tor is not running

6. Try to start tor manually using "service tor start", and check for a running tor instance using "ps -C tor".
   Expected result: tor is running
   Actual result: tor is not running

7. Run the following commands:

     apt install apparmor-utils -y
     aa-complain system_tor
     apparmor_status
     # Apparmor will show "system_tor" among the list of "complain"
     # profiles

8. Try to start tor manually using "service tor start", and check for a running tor instance using "ps -C tor".
   Result: Only now that we have switched the apparmor config from "enforce" to "complain" is tor able to start.

The problem seems to arise whenever an overlay file system is used for "/". In other words, I'm seeing this not only on Debian-Live (a combination of overlayfs and squashfs), but also in other use cases of overlay, where only overlayfs (but not squashfs) is being used.

I believe Tails (The Amnesic Incognito Live System) uses tor and apparmor for their live CD, which, as far as I know, is Debian-based as well, so it would be interesting to see how they solved this issue. Maybe intrigeri (https://people.debian.org/~intrigeri / intrigeri at debian dot org) can provide some insight?

As apparmor is causing the issue, but the corresponding "system_tor" config file is part of the tor package, I figured I should file this against the tor package. Feel free to reassign the bug to the apparmor package if bugs about broken/incomplete apparmor profiles should be filed against that one. The apparmor package version at the time of writing was 2.13.2-10.

Kind Regards,
Stefan Baur

--
BAUR-ITCS UG (haftungsbeschränkt)
Managing director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
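The reproduction steps above combine three separate conditions: "/" being an overlay mount, the system_tor profile being in enforce rather than complain mode, and the tor process being absent. The helper below is an added example, not part of the bug report or of the tor or apparmor packages; it parses /proc/mounts and apparmor_status output (the 2.13-era text format with "N profiles are in enforce mode." sections) to answer each question separately, and filters kernel log lines for AppArmor denial records of the system_tor profile, which is where the reason for a start failure under enforce mode is recorded. All sample inputs are constructed placeholders; the triage_live function, which runs the same checks against the host, is assumed to have dmesg and apparmor_status available and is only invoked when the script is called with --live.

```shell
#!/bin/sh
# Added triage helper; not part of the bug report or of the tor/apparmor packages.
# It separates the three conditions the report combines: is "/" an overlay
# mount, which mode is the system_tor profile in, and is tor actually running.
# Parsing is done on text passed via stdin so it can be exercised on captured
# output; the sample data below is constructed, not taken from a real host.

# root_is_overlay: /proc/mounts-style listing on stdin; prints "yes" or "no".
# Fields: device, mountpoint, fstype, options, dump, pass.
root_is_overlay() {
    awk '$2 == "/" && $3 == "overlay" { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# profile_mode NAME: apparmor_status output on stdin; prints the section the
# named profile is listed under ("enforce" or "complain") or "unloaded".
# Profile names are listed indented under a "... profiles are in X mode." line;
# the later "... processes ..." lines form a different section and are ignored.
profile_mode() {
    awk -v name="$1" '
        /profiles are in enforce mode/  { mode = "enforce";  next }
        /profiles are in complain mode/ { mode = "complain"; next }
        /processes/                     { mode = "" }
        mode != "" && $1 == name        { found = mode }
        END { print (found ? found : "unloaded") }'
}

# denials_for NAME: kernel/audit log lines on stdin; prints only AppArmor
# denial records for that profile. The kernel tags these with
# apparmor="DENIED" and profile="<name>"; under enforce mode they are the
# records that explain why a confined service failed to start.
denials_for() {
    grep -F 'apparmor="DENIED"' | grep -F "profile=\"$1\""
}

# count_denials_for NAME: same filter, but prints the number of matching lines.
count_denials_for() {
    denials_for "$1" | wc -l | tr -d ' '
}

# Constructed sample inputs (placeholders, not captured from a real system).
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
overlay / overlay rw,noatime,lowerdir=/lower,upperdir=/upper,workdir=/work 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0'

SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/ntpd
   system_tor
1 profiles are in complain mode.
   /usr/sbin/cupsd
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

SAMPLE_LOG='audit: type=1400 audit(1590000000.000:1): apparmor="DENIED" operation="open" profile="system_tor" name="/PLACEHOLDER/path" pid=1234 comm="tor" requested_mask="r" denied_mask="r"
audit: type=1400 audit(1590000000.000:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="system_tor" pid=1200 comm="apparmor_parser"
audit: type=1400 audit(1590000000.000:3): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/PLACEHOLDER/other" pid=1300 comm="ntpd" requested_mask="r" denied_mask="r"'

# triage_live: run the same checks against the running host (needs root for
# apparmor_status and dmesg). Only invoked when called with --live, so
# sourcing this file for its functions has no side effects.
triage_live() {
    printf 'root on overlayfs: %s\n' "$(root_is_overlay < /proc/mounts)"
    printf 'system_tor mode:   %s\n' "$(apparmor_status 2>/dev/null | profile_mode system_tor)"
    if ps -C tor >/dev/null 2>&1; then echo 'tor: running'; else echo 'tor: not running'; fi
    printf 'denials logged:    %s\n' "$(dmesg 2>/dev/null | count_denials_for system_tor)"
}

case "${1:-}" in --live) triage_live ;; esac
```

On an affected live system the --live run is expected to print "yes", "enforce", "tor: not running" and a non-zero denial count; after aa-complain system_tor the mode line changes to "complain" and tor starts, which matches steps 7 and 8 of the report. The denial records are the piece of evidence the report does not yet include, and they are what a profile fix in the tor package would have to account for.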

