[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"
My /etc/apparmor.d/system_tor:

# Last Modified: Sun Jan 1 21:47:33 2017
# (the <...> targets of the two #include lines below did not survive the mail archive)
#include
# vim:syntax=apparmor
profile system_tor flags=(attach_disconnected) {
  #include

  # journald stdout, tor binary and its state/log directories
  /run/systemd/journal/stdout rw,
  /usr/bin/tor mr,
  owner /var/lib/tor/ r,
  owner /var/lib/tor/** wk,
  /var/lib/tor/** r,
  owner /var/log/tor/* w,

  # systemd notify socket and the runtime control/socks sockets
  /{,var/}run/systemd/notify w,
  /{,var/}run/tor/ r,
  /{,var/}run/tor/control w,
  /{,var/}run/tor/control.authcookie w,
  /{,var/}run/tor/control.authcookie.tmp rw,
  /{,var/}run/tor/socks w,
  /{,var/}run/tor/tor.pid w,
}

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

Status in apparmor package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Confirmed

Bug description:
  Environment:
  Distribution: ubuntu
  Distribution version: 16.10
  lxc info:
    api_extensions:
    - storage_zfs_remove_snapshots
    - container_host_shutdown_timeout
    - container_syscall_filtering
    - auth_pki
    - container_last_used_at
    - etag
    - patch
    - usb_devices
    - https_allowed_credentials
    - image_compression_algorithm
    - directory_manipulation
    - container_cpu_time
    - storage_zfs_use_refquota
    - storage_lvm_mount_options
    - network
    - profile_usedby
    - container_push
    api_status: stable
    api_version: "1.0"
    auth: trusted
    environment:
      addresses:
      - 163.172.48.149:8443
      - 172.20.10.1:8443
      - 172.20.11.1:8443
      - 172.20.12.1:8443
      - 172.20.22.1:8443
      - 172.20.21.1:8443
      - 10.8.0.1:8443
      architectures:
      - x86_64
      - i686
      certificate: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      certificate_fingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
      driver: lxc
      driver_version: 2.0.5
      kernel: Linux
      kernel_architecture: x86_64
      kernel_version: 4.8.0-27-generic
      server: lxd
      server_pid: 32694
      server_version: 2.4.1
      storage: btrfs
      storage_version: 4.7.3
    config:
      core.https_address: '[::]:8443'
      core.trust_password: true
  Container: ubuntu 16.10

  Issue description
  tor can't start in a non-privileged container.

  Logs from the container:
  Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
  Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
  Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed state.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 'exit-code'.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
  Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset devices.list: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted]
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted

  Logs from the host audit:
  type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"

  Steps to reproduce
  - install an ubuntu 16.10 container on an ubuntu 16.10 host
  - install tor in the container
  - launch tor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"
No problem, it is the holiday season. I get the following errors on 16.04:

[0.511712] audit: initializing netlink subsys (disabled)
[0.511802] audit: type=2000 audit(1483302109.500:1): initialized
[7.355509] audit: type=1400 audit(1483302117.275:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=1248 comm="apparmor_parser"
[7.355514] audit: type=1400 audit(1483302117.275:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" pid=1248 comm="apparmor_parser"
[7.355517] audit: type=1400 audit(1483302117.275:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-mounting" pid=1248 comm="apparmor_parser"
[7.355519] audit: type=1400 audit(1483302117.275:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default-with-nesting" pid=1248 comm="apparmor_parser"
[7.356597] audit: type=1400 audit(1483302117.275:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="system_tor" pid=1250 comm="apparmor_parser"
[7.357507] audit: type=1400 audit(1483302117.279:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1249 comm="apparmor_parser"
[7.357511] audit: type=1400 audit(1483302117.279:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1249 comm="apparmor_parser"
[7.357514] audit: type=1400 audit(1483302117.279:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1249 comm="apparmor_parser"
[7.357517] audit: type=1400 audit(1483302117.279:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1249 comm="apparmor_parser"
[7.357701] audit: type=1400 audit(1483302117.279:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" pid=1254 comm="apparmor_parser"
[ 13.742946] audit_printk_skb: 57 callbacks suppressed
[ 13.742948] audit: type=1400 audit(1483302123.663:31): apparmor="DENIED" operation="unlink" profile="/usr/sbin/ntpd" name="/var/lib/openntpd/run/ntpd.sock" pid=2764 comm="ntpd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[ 14.590740] audit: type=1400 audit(1483302124.511:32): apparmor="DENIED" operation="unlink" profile="/usr/sbin/ntpd" name="/var/lib/openntpd/run/ntpd.sock" pid=2818 comm="ntpd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[ 17.359442] audit: type=1400 audit(1483302127.279:33): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-mysql_" pid=3054 comm="apparmor_parser"
[ 19.061796] audit: type=1400 audit(1483302128.983:34): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-torelay_" pid=3535 comm="apparmor_parser"
[ 20.960218] audit: type=1400 audit(1483302130.879:35): apparmor="DENIED" operation="unlink" profile="/usr/sbin/ntpd" name="/var/lib/openntpd/run/ntpd.sock" pid=3848 comm="ntpd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[ 21.072519] audit: type=1400 audit(1483302130.991:36): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="lxc-container-default" pid=3908 comm="apparmor_parser"
[ 21.072525] audit: type=1400 audit(1483302130.991:37): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="lxc-container-default-cgns" pid=3908 comm="apparmor_parser"
[ 21.072529] audit: type=1400 audit(1483302130.991:38): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="lxc-container-default-with-mounting" pid=3908 comm="apparmor_parser"
[ 21.072533] audit: type=1400 audit(1483302130.991:39): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="lxc-container-default-with-nesting" pid=3908 comm="apparmor_parser"
[ 21.073788] audit: type=1400 audit(1483302130.995:40): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="/usr/bin/lxc-start" pid=3910 comm="apparmor_parser"
[ 21.075677] audit: type=1400 audit(1483302130.995:41): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="/usr/lib/lxd/lxd-bridge-proxy" pid=3911 comm="apparmor_parser"
[ 21.076554] audit: type=1400 audit(1483302130.995:42): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="/sbin/dhclient" pid=3909 comm="apparmor_parser"
[ 21.076559] audit: type=1400 audit(1483302130.995:43): apparmor="STATUS" operation="profile_load" label="lxd-mysql_//&:lxd-mysql_://unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=3909 comm="apparmor_parser"
[ 24.173189] audit_printk_s
[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"
Let me know if you need somebody else to test your kernel.
[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"
I have exactly the same issue on 16.04:

[172512.094995] audit: type=1400 audit(1482614869.625:1439): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-torelay_" profile="unconfined" name="system_tor" pid=128522 comm="(tor)" target="system_tor"
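The two change_onexec denials quoted in this thread (the original report's "label not found" with error=-2, and the 16.04 report's "no new privs" with error=-1) differ only in their info= and error= fields, which is easy to miss when the records are buried in dmesg. The following script is an added example, not code from the bug report or from the apparmor or tor packages: it parses AppArmor type=1400 audit records into key/value fields, splits the namespace="root//lxd-..._" value into the parent and the container policy namespace, and summarises DENIED records using the two info= strings seen above (errno -2 is ENOENT, -1 is EPERM). The sample lines are constructed copies of the records quoted in this thread; the mapping of info= text to explanations is this example's own.

```python
"""Summarise AppArmor change_onexec denials from audit/dmesg lines.

Added example for the bug thread above; not part of apparmor, tor or LXD.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records modelled on the lines quoted in the thread.
SAMPLE_LINES = [
    'type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" '
    'info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" '
    'name="system_tor" pid=12164 comm="(tor)"',
    '[172512.094995] audit: type=1400 audit(1482614869.625:1439): apparmor="DENIED" '
    'operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-torelay_" '
    'profile="unconfined" name="system_tor" pid=128522 comm="(tor)" target="system_tor"',
    # A profile_load STATUS record: not a denial, so it must be ignored.
    '[7.356597] audit: type=1400 audit(1483302117.275:6): apparmor="STATUS" '
    'operation="profile_load" profile="unconfined" name="system_tor" pid=1250 comm="apparmor_parser"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Explanations for the info= strings that occur in this thread (this example's own wording).
INFO_EXPLANATIONS = {
    "label not found": "no profile with that name is loaded in the reporting policy namespace (ENOENT)",
    "no new privs": "the task runs with no_new_privs set, so AppArmor refuses the transition (EPERM)",
}


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one audit record (quotes removed)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = bare or quoted
    return fields


def split_namespace(ns: str) -> Tuple[str, Optional[str]]:
    """'root//lxd-anonymous_' -> ('root', 'lxd-anonymous_'); 'root' -> ('root', None)."""
    parent, sep, child = ns.partition("//")
    return parent, (child if sep else None)


def explain_denial(fields: Dict[str, str]) -> Optional[str]:
    """One-line summary for a DENIED record, or None for anything else."""
    if fields.get("apparmor") != "DENIED":
        return None
    operation = fields.get("operation", "?")
    target = fields.get("name", "?")
    info = fields.get("info", "")
    err = fields.get("error", "?")
    _, child_ns = split_namespace(fields.get("namespace", "root"))
    where = f"in policy namespace {child_ns}" if child_ns else "in the root namespace"
    reason = INFO_EXPLANATIONS.get(info, info or "no reason given")
    return f"{operation} to {target!r} denied {where}: {reason} [error={err}]"


def summarise(lines: List[str]) -> List[str]:
    """Run every line through the parser and keep only the denial summaries."""
    summaries = []
    for line in lines:
        message = explain_denial(parse_audit_line(line))
        if message:
            summaries.append(message)
    return summaries


if __name__ == "__main__":
    for msg in summarise(SAMPLE_LINES):
        print(msg)
```

On a real host the input would come from `dmesg` or `/var/log/audit/audit.log` (or `journalctl -k`); the parser does not depend on the `[ seconds] audit:` prefix, so both sources work. The namespace field is the useful discriminator here: a "label not found" denial reported from `root//lxd-NAME_` means the container's own policy namespace lacks the profile, regardless of what the host has loaded.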