Open slrslr opened 1 year ago
Do you have AppArmor activated?
# aa-status
apparmor module is loaded.
# aa-status --verbose
apparmor module is loaded.
4 profiles are loaded.
4 profiles are in enforce mode.
lsb_release
nvidia_modprobe
nvidia_modprobe//kmod
system_tor
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/bin/tor (18673) system_tor
/usr/bin/obfs4proxy (18674) system_tor
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
# journalctl -rg apparmor|grep -E "den|fail"
May 21 21:34:56 abc kernel: audit: type=1400 audit(1684701296.592:6): apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=18674 comm="obfs4proxy" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
May 21 21:34:56 abc audit[18674]: AVC apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=18674 comm="obfs4proxy" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
# cat /etc/apparmor.d/usr.sbin.i2pd
# Basic profile for i2pd
# Should work without modifications with Ubuntu/Debian packages
# Author: Darknet Villain <supervillain@riseup.net>
#
#include <tunables/global>
profile i2pd /{usr/,}sbin/i2pd {
#include <abstractions/base>
#include <abstractions/openssl>
#include <abstractions/nameservice>
# path specific (feel free to modify if you have another paths)
/etc/i2pd/** r,
/var/lib/i2pd/** rw,
/var/log/i2pd/i2pd.log w,
/{var/,}run/i2pd/i2pd.pid rwk,
/{usr/,}sbin/i2pd mr,
@{system_share_dirs}/i2pd/** r,
# user homedir (if started not by init.d or systemd)
owner @{HOME}/.i2pd/ rw,
owner @{HOME}/.i2pd/** rwk,
#include if exists <local/usr.sbin.i2pd>
}
If AppArmor is the cause, can you do something on your side to prevent this issue? Is there any command I can run so this issue is fixed (ideally so that, for security reasons, I do not need to disable AppArmor entirely)?
Looks like there is no enabled profile for i2pd, so there may be another problem. Anyway, it can be disabled for sure like this:
sudo ln -s /etc/apparmor.d/usr.sbin.i2pd /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.i2pd
Btw, check who is the owner of /run/i2pd and of i2pd.pid in it.
Owner is i2pd.
I am now on a different VPS with the same OS release, only with a higher kernel. Change from Linux 5.10.0-20-amd64 -> 5.10.0-23-amd64. I2Pd should be installed the same way with the same configuration as before. Now, unlike on the previous system/kernel, # aa-status shows i2pd:
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
i2pd
lsb_release
nvidia_modprobe
nvidia_modprobe//kmod
system_tor
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/i2pd (584) i2pd
/usr/bin/tor (611) system_tor
/usr/bin/obfs4proxy (615) system_tor
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
journalctl -rg apparmor|grep i2p
kernel: audit: type=1400 audit(1686561884.728:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="i2pd" pid=361 comm="apparmor_parser"
audit[361]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="i2pd" pid=361 comm="apparmor_parser"
And the "i2pd.service: Can't open PID file /run/i2pd/i2pd.pid (yet?) after start: Operation not permitted" error, for which I opened this issue, no longer happens.
Hello,
I have installed I2Pd on Debian 11 like this under root terminal:
apt-get install apt-transport-https gpg && wget -q -O - https://repo.i2pd.xyz/.help/add_repo | bash -s - && apt update && wget -q -O - https://repo.i2pd.xyz/r4sas.gpg | sudo apt-key add - && apt install i2pd
also as root: "systemctl status i2pd" shows:
Any idea what to try to get rid of that "operation not permitted"? It is confusing to appear under root.
stat /run/i2pd/i2pd.pid
lsof -p $(pidof i2pd)
Operating System: Debian GNU/Linux 11 (bullseye)
Kernel: Linux 5.10.0-20-amd64
Architecture: x86-64
i2pd --version
i2pd version 2.47.0 (0.9.58)
Boost version 1.74.0
OpenSSL 1.1.1n 15 Mar 2022
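The AppArmor check done in this thread (grepping the journal and reading which profile each denial belongs to), as an added example that is not part of any participant's post. The function name `aa_denials`, the helper `sample_log` and the last sample record (with its path) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lists each distinct AppArmor denial in
# journal text as "profile comm denied_mask path", optionally for one profile.
# Live use (assumes audit records reach the journal, as in the thread):
#   journalctl -g apparmor | aa_denials i2pd

aa_denials() {
    awk -v want="${1:-}" '
        # Return the value of key="value" on the current line, or "".
        function field(key,    re) {
            re = " " key "=\"[^\"]*\""
            if (!match($0, re)) return ""
            return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        }
        # STATUS (profile_load) and ALLOWED records are not denials: skip them.
        / apparmor="DENIED" / {
            p = field("profile")
            if (want != "" && p != want) next
            k = p " " field("comm") " " field("denied_mask") " " field("name")
            # The journal can hold a kernel copy and an audit[PID] copy of one
            # event (as with the two system_tor records): print it once.
            if (!(k in seen)) { seen[k] = 1; print k }
        }'
}

# Sample input: the first three lines are records quoted in the thread; the
# last line is constructed (hypothetical path) to show an i2pd denial.
sample_log() {
    cat <<'EOF'
May 21 21:34:56 abc kernel: audit: type=1400 audit(1684701296.592:6): apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=18674 comm="obfs4proxy" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
May 21 21:34:56 abc audit[18674]: AVC apparmor="DENIED" operation="open" profile="system_tor" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=18674 comm="obfs4proxy" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
kernel: audit: type=1400 audit(1686561884.728:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="i2pd" pid=361 comm="apparmor_parser"
May 21 21:35:10 abc kernel: audit: type=1400 audit(1684701310.100:7): apparmor="DENIED" operation="open" profile="i2pd" name="/opt/example/tunnels.conf" pid=584 comm="i2pd" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
EOF
}

# Stand-alone run over the sample: one line per distinct denial.
sample_log | aa_denials
```

Filtering on the `profile` field rather than grepping for "i2p" keeps the `profile_load` STATUS record, which only mentions i2pd by name, out of the result.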