[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2017-01-01 Thread Stefan Heijnen
My /etc/apparmor.d/system_tor:

# Last Modified: Sun Jan  1 21:47:33 2017
#include 

# vim:syntax=apparmor


profile system_tor flags=(attach_disconnected) {
  #include 

  /run/systemd/journal/stdout rw,
  /usr/bin/tor mr,
  owner /var/lib/tor/ r,
  owner /var/lib/tor/** wk,
  /var/lib/tor/** r,
  owner /var/log/tor/* w,
  /{,var/}run/systemd/notify w,
  /{,var/}run/tor/ r,
  /{,var/}run/tor/control w,
  /{,var/}run/tor/control.authcookie w,
  /{,var/}run/tor/control.authcookie.tmp rw,
  /{,var/}run/tor/socks w,
  /{,var/}run/tor/tor.pid w,

}

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1648143

Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec"
  namespace="root//CONTAINERNAME_" profile="unconfined"
  name="system_tor"

Status in apparmor package in Ubuntu:
  Confirmed
Status in tor package in Ubuntu:
  Confirmed

Bug description:
  Environment:
  

  Distribution: ubuntu
  Distribution version: 16.10
  lxc info:
  apiextensions:

  storage_zfs_remove_snapshots
  container_host_shutdown_timeout
  container_syscall_filtering
  auth_pki
  container_last_used_at
  etag
  patch
  usb_devices
  https_allowed_credentials
  image_compression_algorithm
  directory_manipulation
  container_cpu_time
  storage_zfs_use_refquota
  storage_lvm_mount_options
  network
  profile_usedby
  container_push
  apistatus: stable
  apiversion: "1.0"
  auth: trusted
  environment:
  addresses:
  163.172.48.149:8443
  172.20.10.1:8443
  172.20.11.1:8443
  172.20.12.1:8443
  172.20.22.1:8443
  172.20.21.1:8443
  10.8.0.1:8443
  architectures:
  x86_64
  i686
  certificate: |
  -BEGIN CERTIFICATE-
  -END CERTIFICATE-
  certificatefingerprint: 
3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
  driver: lxc
  driverversion: 2.0.5
  kernel: Linux
  kernelarchitecture: x86_64
  kernelversion: 4.8.0-27-generic
  server: lxd
  serverpid: 32694
  serverversion: 2.4.1
  storage: btrfs
  storageversion: 4.7.3
  config:
  core.https_address: '[::]:8443'
  core.trust_password: true

  Container: ubuntu 16.10

  
  Issue description
  --

  
  tor can't start in a non-privileged container

  
  Logs from the container:
  -

  Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
  Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step 
APPARMOR spawning /usr/bin/tor: No such file or directory
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process 
exited, code=exited, status=231/APPARMOR
  Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay 
network for TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed 
state.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 
'exit-code'.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off 
time over, scheduling restart.
  Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for 
TCP.
  Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset 
devices.list: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on 
/system.slice/system-tor.slice/tor@default.service: Operation not permitted
  Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to 
set devices.allow on /system.slice/system-tor.slice/tor@default.service: 
Operation not permitted]
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device 
/run/systemd/inaccessible/chr
  Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device 
/run/systemd/inaccessible/blk
  Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on 
/system.slice/system-tor.slice/tor@default.service: Operation not permitted


  Logs from the host
  

  audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" 
operation="change_onexec" info="label not found" error=-2 
namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" 
  pid=12164 comm="(tor)"

  
  Steps to reproduce
  -

  install ubuntu container 16.10 on a ubuntu 16.10 host
  install tor in the container
  Launch tor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
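The two host-side denials quoted in this thread differ only in their info= field, and that field is the diagnostic: "label not found" with error=-2 (ENOENT) means the kernel could not resolve a profile named system_tor from the container's namespace, while "no new privs" with error=-1 (EPERM) means the caller already carries no_new_privs and the kernel refuses to change its confinement on exec. The triage script below is an added example written for this page, not code from the bug report or from the tor or apparmor packages. It parses type=1400 audit records into fields, classifies change_onexec failures by info= and errno, and reports ordinary file denials and profile loads alongside them. The sample records are constructed from the lines quoted in the thread (the per-container hash after lxd-<name>_ is left elided, as it is on the page); the category names are the script's own.

```python
"""Triage AppArmor audit (type=1400) records such as those quoted in this bug.

Added example; not part of the Launchpad thread.  SAMPLE_LOG is constructed
from the records in the thread; the hash after "lxd-<name>_" is elided there
and is therefore elided here as well.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"
[172512.094995] audit: type=1400 audit(1482614869.625:1439): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-torelay_" profile="unconfined" name="system_tor" pid=128522 comm="(tor)" target="system_tor"
[   13.742948] audit: type=1400 audit(1483302123.663:31): apparmor="DENIED" operation="unlink" profile="/usr/sbin/ntpd" name="/var/lib/openntpd/run/ntpd.sock" pid=2764 comm="ntpd" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
[    7.356597] audit: type=1400 audit(1483302117.275:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="system_tor" pid=1250 comm="apparmor_parser"
"""

# key="quoted value" (may contain spaces) or key=bareword.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit(<seconds>.<millis>:<serial>)
AUDIT_ID_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# errno values as the kernel prints them in error= (negative).
ERRNO_NAMES = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}


def parse_audit_line(line):
    """Parse one audit record into a dict; None if it is not an AppArmor record."""
    if "type=1400" not in line:
        return None
    rec = {}
    m = AUDIT_ID_RE.search(line)
    if m:
        rec["_time"] = float(m.group(1))
        rec["_serial"] = int(m.group(2))
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        rec[key] = value
    if "error" in rec:
        rec["error"] = int(rec["error"])
    return rec


def explain(rec):
    """Map one parsed record to (category, human-readable explanation)."""
    kind, op = rec.get("apparmor"), rec.get("operation")
    if kind == "STATUS":
        return "status", f"{op}: profile {rec.get('name')!r} by {rec.get('comm')}"
    if kind != "DENIED":
        return "other", f"{kind} {op}"
    if op == "change_onexec":
        target = rec.get("target") or rec.get("name")
        ns = rec.get("namespace", "root")
        info = rec.get("info", "")
        err = ERRNO_NAMES.get(rec.get("error"), str(rec.get("error")))
        if info == "label not found":
            # The kernel could not resolve the requested profile from the
            # caller's namespace: it is not loaded where the caller can see it.
            return "profile-not-visible", (
                f"change_onexec to {target!r} failed with {err}: no profile of "
                f"that name is resolvable from namespace {ns!r}")
        if info == "no new privs":
            # The task has no_new_privs set (e.g. NoNewPrivileges=yes in a
            # systemd unit); the kernel refuses to change its confinement.
            return "nnp-blocked", (
                f"change_onexec to {target!r} refused with {err}: pid "
                f"{rec.get('pid')} has no_new_privs set")
        return "change-denied", (
            f"change_onexec to {target!r} denied: {info or 'no info'} ({err})")
    # Ordinary mediation denial: a confined process touched something its
    # profile does not allow.
    return "policy-denied", (
        f"{op} on {rec.get('name')!r} denied for profile {rec.get('profile')!r} "
        f"(requested_mask={rec.get('requested_mask')}, "
        f"denied_mask={rec.get('denied_mask')})")


def triage(log_text):
    """Parse every AppArmor record in log_text and return a list of findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        category, text = explain(rec)
        findings.append({
            "serial": rec.get("_serial"),
            "pid": rec.get("pid"),
            "comm": rec.get("comm"),
            "category": category,
            "explanation": text,
        })
    return findings


def summarize(log_text):
    """Count findings per category; a cluster of one category points at a systemic cause."""
    return Counter(f["category"] for f in triage(log_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{str(f['serial']):>6} {f['category']:<20} {f['explanation']}")
    print(dict(summarize(SAMPLE_LOG)))
```

Feed it the host's dmesg or journalctl -k output rather than the container's journal: the container only sees systemd's side of the failure, and status=231/APPARMOR there is systemd's exit status for the AppArmorProfile= step, which is where the change_onexec request is made, so the two logs describe the same refused transition.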


[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2017-01-01 Thread Stefan Heijnen
No problem, it is the holiday season.

I get the following errors on 16.04:

[0.511712] audit: initializing netlink subsys (disabled)
[0.511802] audit: type=2000 audit(1483302109.500:1): initialized
[7.355509] audit: type=1400 audit(1483302117.275:2): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxc-container-default" 
pid=1248 comm="apparmor_parser"
[7.355514] audit: type=1400 audit(1483302117.275:3): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxc-container-default-cgns" 
pid=1248 comm="apparmor_parser"
[7.355517] audit: type=1400 audit(1483302117.275:4): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="lxc-container-default-with-mounting" pid=1248 comm="apparmor_parser"
[7.355519] audit: type=1400 audit(1483302117.275:5): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="lxc-container-default-with-nesting" pid=1248 comm="apparmor_parser"
[7.356597] audit: type=1400 audit(1483302117.275:6): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="system_tor" pid=1250 
comm="apparmor_parser"
[7.357507] audit: type=1400 audit(1483302117.279:7): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1249 
comm="apparmor_parser"
[7.357511] audit: type=1400 audit(1483302117.279:8): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1249 
comm="apparmor_parser"
[7.357514] audit: type=1400 audit(1483302117.279:9): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1249 comm="apparmor_parser"
[7.357517] audit: type=1400 audit(1483302117.279:10): apparmor="STATUS" 
operation="profile_load" profile="unconfined" 
name="/usr/lib/connman/scripts/dhclient-script" pid=1249 comm="apparmor_parser"
[7.357701] audit: type=1400 audit(1483302117.279:11): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/usr/bin/lxc-start" 
pid=1254 comm="apparmor_parser"
[   13.742946] audit_printk_skb: 57 callbacks suppressed
[   13.742948] audit: type=1400 audit(1483302123.663:31): apparmor="DENIED" 
operation="unlink" profile="/usr/sbin/ntpd" 
name="/var/lib/openntpd/run/ntpd.sock" pid=2764 comm="ntpd" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
[   14.590740] audit: type=1400 audit(1483302124.511:32): apparmor="DENIED" 
operation="unlink" profile="/usr/sbin/ntpd" 
name="/var/lib/openntpd/run/ntpd.sock" pid=2818 comm="ntpd" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
[   17.359442] audit: type=1400 audit(1483302127.279:33): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxd-mysql_" 
pid=3054 comm="apparmor_parser"
[   19.061796] audit: type=1400 audit(1483302128.983:34): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="lxd-torelay_" 
pid=3535 comm="apparmor_parser"
[   20.960218] audit: type=1400 audit(1483302130.879:35): apparmor="DENIED" 
operation="unlink" profile="/usr/sbin/ntpd" 
name="/var/lib/openntpd/run/ntpd.sock" pid=3848 comm="ntpd" requested_mask="d" 
denied_mask="d" fsuid=0 ouid=0
[   21.072519] audit: type=1400 audit(1483302130.991:36): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="lxc-container-default" pid=3908 comm="apparmor_parser"
[   21.072525] audit: type=1400 audit(1483302130.991:37): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="lxc-container-default-cgns" pid=3908 comm="apparmor_parser"
[   21.072529] audit: type=1400 audit(1483302130.991:38): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="lxc-container-default-with-mounting" pid=3908 comm="apparmor_parser"
[   21.072533] audit: type=1400 audit(1483302130.991:39): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="lxc-container-default-with-nesting" pid=3908 comm="apparmor_parser"
[   21.073788] audit: type=1400 audit(1483302130.995:40): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="/usr/bin/lxc-start" pid=3910 comm="apparmor_parser"
[   21.075677] audit: type=1400 audit(1483302130.995:41): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="/usr/lib/lxd/lxd-bridge-proxy" pid=3911 comm="apparmor_parser"
[   21.076554] audit: type=1400 audit(1483302130.995:42): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="/sbin/dhclient" pid=3909 comm="apparmor_parser"
[   21.076559] audit: type=1400 audit(1483302130.995:43): apparmor="STATUS" 
operation="profile_load" 
label="lxd-mysql_//&:lxd-mysql_://unconfined" 
name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=3909 
comm="apparmor_parser"
[   24.173189] 

[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2016-12-26 Thread Stefan Heijnen
Let me know if you need somebody else to test your kernel.



[Touch-packages] [Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_" profile="unconfined" name="system_tor"

2016-12-24 Thread Stefan Heijnen
I have exactly the same issue on 16.04:

[172512.094995] audit: type=1400 audit(1482614869.625:1439):
apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1
namespace="root//lxd-torelay_" profile="unconfined"
name="system_tor" pid=128522 comm="(tor)" target="system_tor"
