group.of.nepali.translators team mailing list archive
Message #12166
[Bug 1648143] Re: tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined" name="system_tor"
This bug was fixed in the package linux - 4.8.0-45.48
---------------
linux (4.8.0-45.48) yakkety; urgency=low
  * CVE-2017-7184
    - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
 -- Stefan Bader <stefan.bader@xxxxxxxxxxxxx>  Fri, 24 Mar 2017 12:03:39 +0100
** Changed in: linux (Ubuntu Yakkety)
       Status: Triaged => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7184
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1648143
Title:
  tor in lxd: apparmor="DENIED" operation="change_onexec" namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined" name="system_tor"
Status in apparmor package in Ubuntu: Confirmed
Status in linux package in Ubuntu: Fix Released
Status in tor package in Ubuntu: Invalid
Status in apparmor source package in Xenial: New
Status in linux source package in Xenial: Triaged
Status in tor source package in Xenial: Invalid
Status in apparmor source package in Yakkety: New
Status in linux source package in Yakkety: Fix Released
Status in tor source package in Yakkety: Invalid
Bug description:
Environment:
----------------
Distribution: ubuntu
Distribution version: 16.10
lxc info:
  apiextensions:
  - storage_zfs_remove_snapshots
  - container_host_shutdown_timeout
  - container_syscall_filtering
  - auth_pki
  - container_last_used_at
  - etag
  - patch
  - usb_devices
  - https_allowed_credentials
  - image_compression_algorithm
  - directory_manipulation
  - container_cpu_time
  - storage_zfs_use_refquota
  - storage_lvm_mount_options
  - network
  - profile_usedby
  - container_push
  apistatus: stable
  apiversion: "1.0"
  auth: trusted
  environment:
    addresses:
    - 163.172.48.149:8443
    - 172.20.10.1:8443
    - 172.20.11.1:8443
    - 172.20.12.1:8443
    - 172.20.22.1:8443
    - 172.20.21.1:8443
    - 10.8.0.1:8443
    architectures:
    - x86_64
    - i686
    certificate: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    certificatefingerprint: 3048baa9f20d316f60a6c602452b58409a6d9e2c3218897e8de7c7c72af0179b
    driver: lxc
    driverversion: 2.0.5
    kernel: Linux
    kernelarchitecture: x86_64
    kernelversion: 4.8.0-27-generic
    server: lxd
    serverpid: 32694
    serverversion: 2.4.1
    storage: btrfs
    storageversion: 4.7.3
  config:
    core.https_address: '[::]:8443'
    core.trust_password: true
Container: ubuntu 16.10
Issue description
------------------
tor can't start in a non-privileged container
Logs from the container:
-------------------------
Dec 7 15:03:00 anonymous tor[302]: Configuration was valid
Dec 7 15:03:00 anonymous systemd[303]: tor@default.service: Failed at step APPARMOR spawning /usr/bin/tor: No such file or directory
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Main process exited, code=exited, status=231/APPARMOR
Dec 7 15:03:00 anonymous systemd[1]: Failed to start Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Unit entered failed state.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed with result 'exit-code'.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Dec 7 15:03:00 anonymous systemd[1]: Stopped Anonymizing overlay network for TCP.
Dec 7 15:03:00 anonymous systemd[1]: tor@default.service: Failed to reset devices.list: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
Dec 7 15:03:00 anonymous systemd[1]: message repeated 6 times: [ Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted]
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/chr
Dec 7 15:03:00 anonymous systemd[1]: Couldn't stat device /run/systemd/inaccessible/blk
Dec 7 15:03:00 anonymous systemd[1]: Failed to set devices.allow on /system.slice/system-tor.slice/tor@default.service: Operation not permitted
Logs from the host
--------------------
audit: type=1400 audit(1481119378.856:6950): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 namespace="root//lxd-anonymous_" profile="unconfined" name="system_tor" pid=12164 comm="(tor)"
Steps to reproduce
---------------------
Install an Ubuntu 16.10 container on an Ubuntu 16.10 host
Install tor in the container
Launch tor
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143/+subscriptions