Tor inside LXC blocked by AppArmor

inDane

Hey fellas,
this is what dmesg gives:

Code:
[153434.316515] audit: type=1400 audit(1566380002.099:292): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" label="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:unconfined" name="system_tor" pid=24893 comm="apparmor_parser"
[153446.206824] audit: type=1400 audit(1566380013.991:293): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxc-110_</var/lib/lxc>" name="/usr/bin/tor" pid=25084 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:system_tor"
[153446.210107] audit: type=1400 audit(1566380013.991:294): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxc-110_<-var-lib-lxc>" profile="unconfined" name="/usr/bin/tor" pid=25084 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="system_tor"
[153446.490158] audit: type=1400 audit(1566380014.271:295): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxc-110_</var/lib/lxc>" name="/usr/bin/tor" pid=25089 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:system_tor"
[153446.493353] audit: type=1400 audit(1566380014.271:296): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxc-110_<-var-lib-lxc>" profile="unconfined" name="/usr/bin/tor" pid=25089 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="system_tor"
[153446.740021] audit: type=1400 audit(1566380014.523:297): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxc-110_</var/lib/lxc>" name="/usr/bin/tor" pid=25094 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:system_tor"
[153446.743311] audit: type=1400 audit(1566380014.523:298): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxc-110_<-var-lib-lxc>" profile="unconfined" name="/usr/bin/tor" pid=25094 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="system_tor"
[153446.989971] audit: type=1400 audit(1566380014.771:299): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxc-110_</var/lib/lxc>" name="/usr/bin/tor" pid=25099 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:system_tor"
[153446.993408] audit: type=1400 audit(1566380014.771:300): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxc-110_<-var-lib-lxc>" profile="unconfined" name="/usr/bin/tor" pid=25099 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="system_tor"
[153447.239828] audit: type=1400 audit(1566380015.023:301): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxc-110_</var/lib/lxc>" name="/usr/bin/tor" pid=25104 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:system_tor"
[153447.243473] audit: type=1400 audit(1566380015.023:302): apparmor="DENIED" operation="exec" info="no new privs" error=-1 namespace="root//lxc-110_<-var-lib-lxc>" profile="unconfined" name="/usr/bin/tor" pid=25104 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="system_tor"

Tor cannot be started, and from the looks of it I would say it's due to AppArmor. This error occurred after I upgraded from 5.4 to 6. Does anyone know how to solve this? I have no clue about AppArmor...

I found this, but it didn't help me.

best regards
Ken
 
I can confirm this happening. It seems to be related to this bug, introduced in 6.0. If you want, you can add your problem to the bug report.

As a workaround, you can edit your tor service config (by default in /lib/systemd/system/tor@default.service) and change NoNewPrivileges=yes to 'no', or start the 'tor' binary manually.
 
Hi there!
As a workaround, you can edit your tor service config (by default in /lib/systemd/system/tor@default.service) and change NoNewPrivileges=yes to 'no', or start the 'tor' binary manually.

Thanks a lot for your advice, and I wonder whether it really works on your system, because it doesn't work for me:
Code:
Oct 18 10:03:19 HOSTNAME kernel: [2767206.872943] audit: type=1400 audit(1571382199.533:306): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-101_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=25029 comm="(install)" srcname="/" flags="rw, rbind"
Oct 18 10:03:19 HOSTNAME systemd[1]: Stopping Anonymizing overlay network for TCP (multi-instance-master)...
Oct 18 10:03:19 HOSTNAME systemd[5351]: tor@default.service: Failed to set up mount namespacing: Permission denied
Oct 18 10:03:19 HOSTNAME systemd[5351]: tor@default.service: Failed at step NAMESPACE spawning /usr/bin/install: Permission denied
Oct 18 10:03:19 HOSTNAME systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Oct 18 10:03:19 HOSTNAME systemd[1]: tor@default.service: Control process exited, code=exited, status=226/NAMESPACE
Oct 18 10:03:19 HOSTNAME systemd[1]: tor@default.service: Failed with result 'exit-code'.
Oct 18 10:03:19 HOSTNAME systemd[1]: Failed to start Anonymizing overlay network for TCP.
Starting the tor binary manually succeeds.
conf:
Linux HOSTNAME 5.0.18-1-pve #1 SMP PVE 5.0.18-3 (Thu, 8 Aug 2019 09:05:29 +0200) x86_64 GNU/Linux

apparmor 2.13.2-10
libapparmor1:amd64 2.13.2-10
lxc-pve 3.1.0-65

101.conf:
arch: amd64
cores: 2
hostname: HOSTNAME
memory: 1024
net0: name=eth0,bridge=vmbr0,hwaddr=xx:xx:xx:xx:xx:xx,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: pve-local:101/vm-101-disk-0.raw,size=2G
swap: 512
Does anybody know any other solution?
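As an added example (not code from the thread), here is a small Python triage script that parses the AppArmor audit records quoted in both posts above and labels the two denial shapes seen there: the exec denial with info="no new privs" (a profile transition refused because the process carries no_new_privs, which is what systemd's NoNewPrivileges=yes sets) and the mount denial with info="failed flags match" raised during systemd's namespace setup. The two sample lines are copied from the posts; the field names are AppArmor's own audit keys.

```python
import re
from typing import Dict, List

# Constructed sample: one line of each denial shape quoted in this thread.
SAMPLE_LOG = """\
[153446.206824] audit: type=1400 audit(1566380013.991:293): apparmor="DENIED" operation="exec" info="no new privs" error=-1 profile="lxc-110_</var/lib/lxc>" name="/usr/bin/tor" pid=25084 comm="(tor)" requested_mask="x" denied_mask="x" fsuid=100000 ouid=100000 target="lxc-110_</var/lib/lxc>//&:lxc-110_<-var-lib-lxc>:system_tor"
Oct 18 10:03:19 HOSTNAME kernel: [2767206.872943] audit: type=1400 audit(1571382199.533:306): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-101_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=25029 comm="(install)" srcname="/" flags="rw, rbind"
"""

# key=value or key="quoted value"; quoted values may contain spaces, '<', '>' and '/'.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key/value fields of one AppArmor audit line ({} for other lines)."""
    if "apparmor=" not in line:
        return {}
    return {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line)}


def triage(fields: Dict[str, str]) -> str:
    """Map a DENIED record to the likely cause, following the explanations in the thread."""
    if fields.get("apparmor") != "DENIED":
        return "not a denial"
    op, info = fields.get("operation"), fields.get("info")
    if op == "exec" and info == "no new privs":
        # The kernel refused the profile -> target transition because the task
        # has no_new_privs set (e.g. NoNewPrivileges=yes in the systemd unit).
        return (f"exec of {fields.get('name')} blocked: profile transition to "
                f"{fields.get('target')} forbidden under no_new_privs")
    if op == "mount" and info == "failed flags match":
        # The container profile has no mount rule matching these flags, so the
        # unit's PreExec 'install' step could not build its mount namespace.
        return (f"mount of {fields.get('name')} (flags {fields.get('flags')}) not allowed "
                f"by {fields.get('profile')}: systemd namespace setup failed")
    return f"{op} denied by {fields.get('profile')}"


def summarize(log: str) -> List[str]:
    """One triage line per AppArmor audit record found in the log text."""
    return [triage(f) for f in map(parse_audit_line, log.splitlines()) if f]


if __name__ == "__main__":
    for verdict in summarize(SAMPLE_LOG):
        print(verdict)
```

Feed it `dmesg` or `journalctl -k` output to see which of the two problems a container is hitting before touching any service unit.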
 
It works for me with the workaround enabled*. Have you tried restarting the container and maybe the host machine, to make sure AppArmor rules are reloaded?

Keep in mind that the error you are seeing happens during the PreExec phase's 'install' command in the systemd service, so it's a different issue entirely from the one discussed in this thread.

* FYI: It still only works with the workaround in Ubuntu containers, even with the fix mentioned in the linked bug report; it seems those two issues were actually somewhat separate. Debian containers work a bit better with AppArmor at the moment.
 
It works for me with the workaround enabled*. Have you tried restarting the container and maybe the host machine, to make sure AppArmor rules are reloaded?

Keep in mind that the error you are seeing happens during the PreExec phase's 'install' command in the systemd service, so it's a different issue entirely from the one discussed in this thread.

* FYI: It still only works with the workaround in Ubuntu containers, even with the fix mentioned in the linked bug report; it seems those two issues were actually somewhat separate. Debian containers work a bit better with AppArmor at the moment.

Thanks a lot for your response, Stefan!
Yes, I have restarted the container after the changes, but not the host machine (I only restarted the AppArmor service on the host). And I have Debian on the host and in the containers as well.
So this problem appeared right after the last update of the Debian and Proxmox packages. Before that, everything worked fine, even on Proxmox 6.

Anyway, could you please tell me whether I should create a new thread for my problem, or is it not a bug and should I try to resolve it by myself? I realise that I'm not a commercial customer, so I don't claim anything from the Proxmox team ;)

Regards!
 
Yes, I have restarted the container after the changes, but not the host machine (I only restarted the AppArmor service on the host).

Restarting the host machine could certainly make a difference. You potentially have a new kernel installed that hasn't been loaded yet.

Other than that, you could try downgrading lxc-pve, just to test if the change fixing OP's issue is actually related (e.g. apt install lxc-pve=3.1.0-61 through to 3.1.0-65).

Anyway, could you please tell me whether I should create a new thread for my problem, or is it not a bug and should I try to resolve it by myself? I realise that I'm not a commercial customer, so I don't claim anything from the Proxmox team ;)
The forum is here to help :) I'd say it's related enough, though opening a new thread might bring more attention from other folks.
 
Thanks again, Stefan!
Unfortunately, nothing helped. Even downgrading to lxc-pve 3.1.0-61 gives the same error. So if you have interest in this issue, I could provide some additional information about the system and config. Or just wait until further updates :)

Regards!
 