Minor apparmor problem with tor

glaeken2

Member
Jun 7, 2023
Where should I report such problems:

System logs full of:
Code:
apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="system_tor" pid=28980 comm="tor" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none

Related to unix socket creation under /run
Affected: every machine upgraded from proxmox 8 to 9 which has tor running
Should I report here or to debian folks?
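As an added example (not from this thread, and not Proxmox or Debian code), a small Python parser that splits AppArmor audit lines like the one quoted above into fields and tallies DENIED events per profile, command, operation and socket type, so the unix/dgram create pattern can be counted in bulk rather than eyeballed; the sample lines are constructed around the one quoted in the post.

```python
import re
from collections import Counter

# Constructed sample log: the quoted denial twice (different pids) plus one
# unrelated ALLOWED line, to show that only DENIED events are counted.
SAMPLE_LOG = """\
Jun  7 10:00:00 pve kernel: apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="system_tor" pid=28980 comm="tor" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Jun  7 10:00:01 pve kernel: apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="system_tor" pid=28981 comm="tor" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none
Jun  7 10:00:02 pve kernel: apparmor="ALLOWED" operation="open" class="file" profile="system_tor" name="/etc/tor/torrc" pid=28980 comm="tor" requested_mask="r" denied_mask="r"
"""

# key=value pairs; values are either double-quoted (may contain spaces,
# e.g. info="failed protocol match") or a bare token (error=-13, addr=none).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields that identify one kind of denial for aggregation purposes.
_GROUP_KEYS = ("profile", "comm", "operation", "class", "family", "sock_type")


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not an AppArmor message. Quotes are stripped from quoted values."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def summarize_denials(log_text):
    """Count DENIED events grouped by profile/comm/operation/class/family/sock_type.
    Missing fields (e.g. family on a file denial) are recorded as '-'."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        counts[tuple(ev.get(k, "-") for k in _GROUP_KEYS)] += 1
    return counts


if __name__ == "__main__":
    for group, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, " ".join(f"{k}={v}" for k, v in zip(_GROUP_KEYS, group)))
```

Feeding it `journalctl -k` output on an affected host gives one line per distinct (profile, operation, socket type) combination, which is the shape a bug report or a `-k` kernel log triage wants.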
 
Hi,
it fully depends on whether the issue occurs in Debian too. The tor package is provided by Debian, but Proxmox VE uses a different version of apparmor and the kernel. The issue doesn't seem to occur on pure Debian 13 from a quick test, so https://bugzilla.proxmox.com/ would be the right place. However, running tor on the Proxmox VE host directly is a rather uncommon use case, so I'd keep my expectations low with how quickly the issue will be looked into.
 
Yep, kernel<->apparmor incompatibility confirmed. Ubuntu vs debian. Problem occurs not only with tor.
It would be nice to have the apparmor working on the host. Especially because it's a host.
Some backporting may help. Tor can be used in multiple different ways, but maybe it's better if people haven't discovered it yet.
 
Proxmox utilizes Ubuntu’s kernels with patches for virtual machines and LXC optimizations. Consequently, AppArmor closely resembles Ubuntu rather than Debian. Therefore, the patches Ubuntu incorporated into AppArmor are the root cause of the issue.

A solution can be implemented by applying a patch to the kernel. The source code can be downloaded from https://git.proxmox.com/?p=pve-kernel.git;a=summary. Subsequently, a patch should be created and placed within the patches/kernel folder. The trixie-6.14 branch is currently the primary kernel used for Proxmox 9, while the master branch is undergoing testing of 6.17.

I am currently testing the 6.17.1-6.6 release, which incorporates my AppArmor fixes. The relevant repository is available at https://github.com/jaminmc/pve-kernel/releases/tag/6.17.1-6.6. This release addresses all the AppArmor bugs I identified during my testing of Proxmox 9. It should be regarded as an Alpha release, as the Proxmox team has not yet released a test version of 6.17.

It is worth noting that running Podman in an LXC container on ZFS will result in a kernel panic without my patches. Patch 13 specifically addresses this issue.

However, I have not yet tested TOR.
 
Hi,
I am currently testing the 6.17.1-6.6 release, which incorporates my AppArmor fixes. The relevant repository is available at https://github.com/jaminmc/pve-kernel/releases/tag/6.17.1-6.6. This release addresses all the AppArmor bugs I identified during my testing of Proxmox 9. It should be regarded as an Alpha release, as the Proxmox team has not yet released a test version of 6.17.

It is worth noting that running Podman in an LXC container on ZFS will result in a kernel panic without my patches. Patch 13 specifically addresses this issue.
nice work! Would you mind submitting these patches to the development mailing list, so that all users can profit from your findings? See:
https://pve.proxmox.com/wiki/Developer_Documentation

https://pve.proxmox.com/wiki/Developer_Documentation#Software_License_and_Copyright

EDIT: okay, it seems like you are using LLMs to help you write patches. In that case it's a legal and trust gray zone, so it'll be better to properly investigate the issues ourselves. Also just to note that the tor issue is already for kernel 6.14.
 