Dev1 Galaxy Forum / runit + tor service (+apparmor) bug

Re: runit + tor service (+apparmor) bug

dummy@example.com (xinomilo) — Tue, 12 Jul 2022 10:01:24 +0000

Lorenzo wrote:

It might be that apparmor needs some initialization task or filesystem setup that are not done properly at boot.. just a random idea

i think this is the case.. might have something to do with changes since runit 2.1.2-46 or could be due to wrong sysv apparmor script cause no apparmor profiles are loaded on boot. (you can see output above). something's buggy on stage 1... aa-enabled is true, but no profiles loading.
tor runscript is the only runscript implementing apparmor, so that's what initially bugged me...
apparmor profile loading can only occur manually after boot, not sure why. ( got tired and purged apparmor alltogether - no time currently to debug further...)

Re: runit + tor service (+apparmor) bug

dummy@example.com (xinomilo) — Fri, 08 Jul 2022 12:42:32 +0000

thanks for this, hadn't checked apparmor status. it helped figure out why tor reinstall workedaround the issue..: reinstalling tor, puts system_tor apparmor profile in complain mode...

# aa-status                             
apparmor module is loaded.

# dmesg
[  584.993215] audit: type=1400 audit(1657283243.307:533): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=27149 comm="aa-exec"

# apt install --reinstall tor        
...
Preparing to unpack .../tor_0.4.7.8-1_amd64.deb ...
Unpacking tor (0.4.7.8-1) over (0.4.7.8-1) ...
Installing tor (0.4.7.8-1) ...
ok: run: tor: (pid 27210) 0s
....
Stopping tor daemon...done.
Starting tor daemon...done (already running).
Processing triggers for man-db (2.10.2-1) ...

# aa-status                  
apparmor module is loaded.
1 profiles are loaded.
0 profiles are in enforce mode.
1 profiles are in complain mode.
   system_tor
0 profiles are in kill mode.
0 profiles are in unconfined mode.
1 processes have profiles defined.
0 processes are in enforce mode.
1 processes are in complain mode.
   /usr/bin/tor (27261) system_tor
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

# dmesg
[  585.705564] audit: type=1400 audit(1657283244.019:534): apparmor="STATUS" operation="profile_load" profile="unconfined" name="system_tor" pid=27198 comm="apparmor_parser"

so i guess tor apparmor profile isn't working properly.. there are a few debian bugs concerning it, strange it didn't appear till runit upgrade.. (?)
also tried to test with another kernel, but another debian bug (#1014319) proves too time wasting, will try that + submit a tor bug, when i have more time to test...

thx,

Re: runit + tor service (+apparmor) bug

dummy@example.com (Lorenzo) — Fri, 08 Jul 2022 10:44:32 +0000

this behavior started since latest runit upgrade in ceres, so i thought i asked you first if it's connected to the latest upgrade somehow.. (?)

Humm .. if with the last upgrade you have 2.1.2-47 there are few changes that might impact boot scripts like

runit (2.1.2-46) experimental; urgency=medium

  * ...
  * ...
  * Stage[1,3]: hook to experiment with alternative
     sets of boot scripts. Only initscript are packaged
     in Debian right now, but native sets of scripts
     can be found downstream or on github.
  * ...

but it's hard to trigger, you have to use an alternative set of boot scripts in the right directory and there must be a flag file..
I'm using initscript (from sysvinit package) to boot and shutdown the system: are you using a different set of scripts from somewhere else?
It might be that apparmor needs some initialization task or filesystem setup that are not done properly at boot.. just a random idea

Did you check the output of

/etc/init.d/apparmor status

?
and

/etc/init.d/apparmor start

/etc/init.d/apparmor restart

Re: runit + tor service (+apparmor) bug

dummy@example.com (xinomilo) — Fri, 08 Jul 2022 09:31:09 +0000

(no obfs4proxy)
so, purged both tor + apparmor and reinstalled with defaults, but same error on boot. removed apparmor and tor starts again normally.. didn't try another boot without apparmor installed, but will probably file a bug with tor since that package provides apparmor profile and reinstalling tor is a "workaround" for some reason..

just wanted to know if its reproducible in other systems with runit+tor+apparmor.. this behavior started since latest runit upgrade in ceres, so i thought i asked you first if it's connected to the latest upgrade somehow.. (?)

Re: runit + tor service (+apparmor) bug

dummy@example.com (Lorenzo) — Thu, 07 Jul 2022 11:00:13 +0000

do you think i should file a bug in tor or apparmor in debian?

do you have any custom configuration on tor and/or on apparmor?
Before filing a bug report, I would try to remove + purge tor, then reinstall it and see if the problem persist;
then do the same (remove + purge) with apparmor and check again

EDIT
in case you have obfs4proxy installed, see also
https://bugs.debian.org/cgi-bin/bugrepo … ug=1004012

Re: runit + tor service (+apparmor) bug

dummy@example.com (xinomilo) — Thu, 07 Jul 2022 07:59:23 +0000

yes, same error..

# sv status tor 
down: tor: 1s, normally up, want up; run: log: (pid 1674) 240s
# update-service --remove /etc/sv/tor
Service tor removed, the service daemon received the TERM and CONT signals.
# /etc/init.d/tor stop
Stopping tor daemon...done (not running - there is no /run/tor/tor.pid).
# /usr/bin/aa-exec --profile=system_tor -- /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --Log 'notice stdout' --RunAsDaemon 0 --verify-config
[9778] aa-exec: ERROR: profile 'system_tor' does not exist
# /usr/bin/aa-exec --profile=system_tor -- /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --Log 'notice stdout' --RunAsDaemon 0
[9804] aa-exec: ERROR: profile 'system_tor' does not exist

(same with custom /etc/tor/torrc )

do you think i should file a bug in tor or apparmor in debian?

Re: runit + tor service (+apparmor) bug

dummy@example.com (Lorenzo) — Wed, 06 Jul 2022 23:09:05 +0000

Hi,

I have tor running and it works as expected, but I don't have apparmor.
I tried to install apparmor and restart tor, and it seems to work so I can't reproduce.
( I can't reboot right now, will try later )

Do the following:
stop any running tor instance

update-service --remove /etc/sv/tor

/etc/init.d/tor stop

then try to start manually from a root console

/usr/bin/aa-exec --profile=system_tor -- /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --Log 'notice stdout' --RunAsDaemon 0 --verify-config

/usr/bin/aa-exec --profile=system_tor -- /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --Log 'notice stdout' --RunAsDaemon 0

does it give any error?

Re: runit + tor service (+apparmor) bug

dummy@example.com (xinomilo) — Tue, 05 Jul 2022 09:36:07 +0000

after new boot :

/etc/init.d/tor status
tor is not running ... failed!
➜  /etc/init.d/tor stop  
Stopping tor daemon...done (not running - there is no /run/tor/tor.pid).
➜  /etc/init.d/tor start
Starting tor daemon...[15690] aa-exec: ERROR: profile 'system_tor' does not exist

➜  sv status tor
down: tor: 1s, normally up, want up; run: log: (pid 1656) 933s
➜  sv stop tor
ok: down: tor: 1s, normally up, want up
➜  sv start tor
timeout: down: tor: 0s, normally up, want up

/etc/sv/tor/run 
Jul 05 12:34:04.739 [notice] Tor 0.4.7.8 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.4, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.5.2 and Glibc 2.33 as libc.
Jul 05 12:34:04.739 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Jul 05 12:34:04.739 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 05 12:34:04.739 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid
[17313] aa-exec: ERROR: profile 'system_tor' does not exist

 apt install --reinstall tor
....
Preparing to unpack .../tor_0.4.7.8-1_amd64.deb ...
Unpacking tor (0.4.7.8-1) over (0.4.7.8-1) ...
Installing tor (0.4.7.8-1) ...
ok: run: tor: (pid 17844) 0s
.....
Stopping tor daemon...done.
Starting tor daemon...done (already running).
Processing triggers for man-db (2.10.2-1) ...

sv status tor
run: tor: (pid 17895) 15s; run: log: (pid 1656) 1032s

runit + tor service (+apparmor) bug

dummy@example.com (xinomilo) — Tue, 05 Jul 2022 07:22:03 +0000

got a strange bug for the past couple of days (since runit upgrade perhaps? ) , tor doesn't start at boot.
as a temporary workaround have to manually reinstall tor and then it "magically" works again.. `apt install --reinstall tor`

when booting tor is down. `sv start tor` doesn't do anything, tor remains down. manually running ./etc/sv/tor/run also doesn't start the daemon and message seems to involve apparmor (aa-exec : system_tor profile not found) .
dmesg :

[ 1444.543116] audit: type=1400 audit(1657004335.151:1337): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="unconfined" name="system_tor" pid=29674 comm="aa-exec"

profile is in /etc/apparmor.d/system_tor since 23/8/2021, and tor reinstall workaround still uses that one. after reinstalling tor :

[ 1444.634675] audit: type=1400 audit(1657004335.243:1338): apparmor="STATUS" operation="profile_load" profile="unconfined" name="system_tor" pid=29702 comm="apparmor_parser"

do others (with runit/tor/apparmor) have such an issue too?
not sure why reinstalling tor fixes it temporarily (till next boot), maybe @Lorenzo can direct me on this. (?)
is it a bug? is it tor related (since both runscript and apparmor profile come with tor package) or some change in recent runit made it fail?

thx,