Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('Operation not permitted')

Question

For the life of me, I cannot get my tor bridge relay working with obfsproxy, or obfs4proxy. I am running Ubuntu 15.10 with tor v0.2.7.6 (git-605ae665009853bd). Tor starts and bootstraps fine and is accessible to the outside world, but the managed proxy fails to start:

Jan 22 12:59:38.000 [notice] Bootstrapped 0%: Starting
Jan 22 12:59:39.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jan 22 12:59:39.000 [notice] Signaled readiness to systemd

------------------------------------------------------------------------------
Jan 22 12:59:40.000 [warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('Operation not permitted').
------------------------------------------------------------------------------

Jan 22 12:59:40.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jan 22 12:59:40.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jan 22 12:59:41.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 22 12:59:41.000 [notice] Bootstrapped 100%: Done
Jan 22 12:59:41.000 [notice] Now checking whether ORPort xxx.xxx.xxx.xxx:xxx is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Jan 22 12:59:42.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jan 22 12:59:46.000 [notice] Performing bandwidth self-test...done.

I have tried changing the ownership for obfs4proxy/obfsproxy to the debian-tor account, to no avail.

-rwxr-xr-x 1 debian-tor debian-tor 5.0M Jun 28  2015 /usr/bin/obfs4proxy

I have also tried the apparmor patch from Debian:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739279

But that also didn't allow the proxy to start. Any suggestions on what I can do to get this working? Or maybe there is an apparmor or tor bug here?

Here is my torrc:

#Log debug file /var/log/tor/debug.log
SocksPort 0 # Default: Bind to localhost:9050 for local connections.
ExtORPort auto
ORPort xxx
Nickname xxxxxxxxxx
RelayBandwidthRate 200 KBytes  # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 250 KBytes # But allow bursts up to 200KB (1600Kb)
AccountingMax 100 GBytes
AccountingStart day 00:00
ContactInfo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BridgeRelay 1
ExitPolicy reject *:*
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy

Here is debug logging from when tor tried to start obfs4proxy:

Jan 22 13:12:07.000 [info] handle_proxy_line(): Got a line from managed proxy '/usr/bin/obfs4proxy': (ERR: Failed to spawn background process - code 9/1)
Jan 22 13:12:07.000 [warn] Could not launch managed proxy executable at '/usr/bin/obfs4proxy' ('Operation not permitted').

Edit:

lost@shithead:~$ obfs4proxy 
2016/01/24 19:23:06 [ERROR]: obfs4proxy - must be run as a managed transport
lost@shithead:~$ obfs4proxy --managed
flag provided but not defined: -managed
Usage of obfs4proxy:
  -enableLogging=false: Log to TOR_PT_STATE_LOCATION/obfs4proxy.log
  -logLevel="ERROR": Log level (ERROR/WARN/INFO/DEBUG)
  -obfs4-distBias=false: Enable obfs4 using ScrambleSuit style table generation
  -unsafeLogging=false: Disable the address scrubber
  -version=false: Print version and exit
lost@shithead:~$ obfsproxy 
usage: obfsproxy [-h] [-v] [--log-file LOG_FILE]
                 [--log-min-severity {error,warning,info,debug}] [--no-log]
                 [--no-safe-logging] [--data-dir DATA_DIR] [--proxy PROXY]
                 {managed,obfs2,dummy,obfs3,scramblesuit,b64} ...
obfsproxy: error: too few arguments
lost@shithead:~$ obfsproxy --managed
Traceback (most recent call last):
  File "/usr/local/bin/obfsproxy", line 9, in <module>
    load_entry_point('obfsproxy==0.2.13', 'console_scripts', 'obfsproxy')()
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/pyobfsproxy.py", line 205, in run
    pyobfsproxy()
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/pyobfsproxy.py", line 175, in pyobfsproxy
    do_managed_mode()
  File "/usr/local/lib/python2.7/dist-packages/obfsproxy/pyobfsproxy.py", line 76, in do_managed_mode
    if checkClientMode():
  File "/usr/local/lib/python2.7/dist-packages/pyptlib/config.py", line 121, in checkClientMode
    raise EnvError('neither TOR_PT_{SERVER,CLIENT}_TRANSPORTS set')
pyptlib.config.EnvError: neither TOR_PT_{SERVER,CLIENT}_TRANSPORTS set
lost@shithead:~$ 

Answer 1

I have finally found a solution to this problem. For me, the offender was the /lib/systemd/system/tor@default.service file. I was directed by Tor ops to modify this file to include only the following after the "Hardening" comment:

# Hardening
AppArmorProfile=
NoNewPrivileges=yes
PrivateTmp=no

Comment out or delete everything else and you will no longer get the "Operation not permitted" error when launching obfs4proxy.

Answer 2

I modified apparmor profile /etc/apparmor.d/system_tor, just added three lines in it:

/usr/bin/obfsproxy PUx,
profile /etc/apparmor.d/usr.bin.obfsproxy {
}

Whole file sample:

# vim:syntax=apparmor
#include <tunables/global>

profile system_tor flags=(attach_disconnected) {
  #include <abstractions/tor>

  /usr/bin/obfsproxy PUx,

  profile /etc/apparmor.d/usr.bin.obfsproxy {
  }

  owner /var/lib/tor/** rwk,
  owner /var/lib/tor/ r,
  owner /var/log/tor/* w,

  # During startup, tor (as root) tries to open various things such as
  # directories via check_private_dir().  Let it.
  /var/lib/tor/** r,

  /{,var/}run/tor/ r,
  /{,var/}run/tor/control w,
  /{,var/}run/tor/socks w,
  /{,var/}run/tor/tor.pid w,
  /{,var/}run/tor/control.authcookie w,
  /{,var/}run/tor/control.authcookie.tmp rw,
  /{,var/}run/systemd/notify w,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/system_tor>
}

Answer 3

I used this method..have to change the NoNewPrivileges=yes to NoNewPrivileges=no

https://community.torproject.org/relay/setup/bridge/debian-ubuntu/