[Whonix-devel] whonix apparmor not enforcing for tor process?
Patrick Schleizer
patrick-mailinglists at whonix.org
Wed Feb 10 01:21:31 CET 2016
vuarnet:
> 
> 
> On Tuesday, February 9, 2016 at 4:41:29 PM UTC-5, raah... at gmail.com wrote:
>>
>> oh btw way man ty for your effort with the apparmor profile for iceweasel 
>>  :)
>>
> 
> Happy to help... very rough, but it has actually worked nicely for a while. 
> I filed a ticket against the deb pkg but haven't heard anything yet. Will 
> probably bump again to try to get some progress on it.
> 
> On Tuesday, February 9, 2016 at 4:39:17 PM UTC-5, raah... at gmail.com wrote:
>>
>> On Tuesday, February 9, 2016 at 4:23:29 PM UTC-5, vuarnet wrote:
>>> In sys-whonix, when I run #aa-status -- I see that system_tor does 
>> indeed have a loaded profile in enforcing mode, but, although the process 
>> is running, it doesn't show under "x processes are running in enforce 
>> mode". Only cpfpd.
>>>
>>> Any ideas what's up and why it's not showing tor as confined with 
>> apparmor in enforce mode while the process is running? Indeed I checked 
>> that it's running via ps aux and systemctl status... it's definitely 
>> running.
>>>
>>> Any guidance greatly appreciated. Thanks!
>>
>> systemctl shows system_tor.service as not-found(no such file or directory) 
>>  inactive (dead)  and I don't see a process for it running.   You sure?   
>> aa-status should also show two sdwdates running also as well as cpfpd.
>>
> 
> run:
> 
> sudo systemctl status tor
> 
> and you'll see the tor service is up and running. The "system_tor" name is 
> only for the apparmor profile and abstraction.
> 
> I just updated to 3.1 RC2 and the whonix-gw template was out of date, like 
> a dummy... so I just updated...and same result. Here's what I'm seeing in 
> whonix-sys VM:
> 
> user@host:~$ sudo aa-status
> apparmor module is loaded.
> 3 profiles are loaded.
> 3 profiles are in enforce mode.
>    /usr/bin/obfsproxy
>    /usr/sbin/cpfpd
>    system_tor
> 0 profiles are in complain mode.
> 1 processes have profiles defined.
> 1 processes are in enforce mode.
>    /usr/sbin/cpfpd (839) 
> 0 processes are in complain mode.
> 0 processes are unconfined but have a profile defined.
> 
> That would suggest that the tor process isn't running, otherwise it should 
> be under "processes are in enforce mode"... but it is definitely running. 
> So I don't know if apparmor protections are being applied or not.. but if I 
> can't tell by aa-status, then I'm going to assume they're not. Upon a 
> little more investigation, it looks like additional profiles are being 
> loaded from /etc/apparmor.d/local that might be causing the effect I'm 
> seeing, but I need to look further into it.
> 
> Will keep looking into it and I also copied Patrick to see if he can shed 
> some light...
> 
> Thanks!
>  
> 
on-topic:

Just now reported the issue against The Tor Project.
https://trac.torproject.org/projects/tor/ticket/18294

Not a Whonix specific issue. Rather, a general issue specific to using
Debian in combination with deb.torproject.org.

off-topic:

wrong...
sudo service tor status

--> right
sudo service tor@default status

Cheers,
Patrick
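
Added example, not part of the original thread: when aa-status does not list a running daemon, the kernel's own record of each process's AppArmor label can be read from /proc/<pid>/attr/current. The function names and the optional PROC_ROOT argument are assumptions of this sketch; run it as root so other users' processes are readable.

```shell
#!/bin/sh
# Added example: report the AppArmor label of every process with a given name.
# The second argument (proc root) is an assumption of this example so the
# logic can be pointed at a constructed directory tree; it defaults to /proc.

# classify_label LABEL -> prints enforce, complain, unconfined or unknown
classify_label() {
    case "$1" in
        unconfined)      echo unconfined ;;
        *" (enforce)")   echo enforce ;;
        *" (complain)")  echo complain ;;
        *)               echo unknown ;;
    esac
}

# confinement_report NAME [PROC_ROOT]
# Prints one line per matching process: "<pid> <mode> <label>".
# Returns 0 only if at least one process matched and all are in enforce mode.
confinement_report() {
    name=$1
    root=${2:-/proc}
    found=0
    bad=0
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null)
        [ "$comm" = "$name" ] || continue
        found=1
        label=unknown
        if [ -r "$dir/attr/current" ]; then
            # Strip any NUL terminator; $(...) drops the trailing newline.
            label=$(tr -d '\0' < "$dir/attr/current" 2>/dev/null)
        fi
        mode=$(classify_label "$label")
        [ "$mode" = enforce ] || bad=1
        echo "${dir##*/} $mode $label"
    done
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Stand-alone use: ./script.sh tor
if [ "$#" -gt 0 ]; then
    confinement_report "$@"
fi
```

A line such as "<pid> unconfined unconfined" for tor, while aa-status lists system_tor as loaded in enforce mode, means the profile exists but was never attached to the running process.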