Tor service does not use the ControlPort from its config file in GitHub Actions

Hi there,

I am using the tor service as part of a project, and I wanted to make a little pipeline to test it.
I have been able to install tor and customize its config file, like so:

    - name: Setup Tor config
      run: |
        sudo bash -c 'echo "ControlPort 9051" >> /etc/tor/torrc'
        sudo bash -c 'echo "CookieAuthentication 1" >> /etc/tor/torrc'
        sudo bash -c 'echo "CacheDirectoryGroupReadable 1" >> /etc/tor/torrc'
    - name: Setup Tor Service config
      run: |
        sudo mkdir -p /etc/systemd/system/tor@default.service.d/
        sudo bash -c 'echo -e "[Service]\nAppArmorProfile=" > /etc/systemd/system/tor@default.service.d/override.conf'
    - name: Run Tor service
      run: |
        sudo systemctl start tor && sleep 10
    - name: Tor is runnable
      run: curl --socks5 localhost:9050 --socks5-hostname localhost:9050 -s https://check.torproject.org/ | cat | grep -m 1 Congratulations | xargs

The systemctl start tor seems to work, since the result of the Tor is runnable action is:

    Run curl --socks5 localhost:9050 --socks5-hostname localhost:9050 -s https://check.torproject.org/ | cat | grep -m 1 Congratulations | xargs
    Congratulations. This browser is configured to use Tor.

Then I perform three actions: I check the tor service status, I check the ports, and I show the logs to ensure that everything went well (those are debug actions; I will remove them once I fix the issue, but they are quite useful here):

    - name: Check Tor service status
      run:
        sudo systemctl status tor
    - name: Check that Tor is running on good ports
      run: sudo lsof -i -P -n
    - name: Check Tor logs
      run: sudo cat /var/log/syslog | grep tor -i 

I then check the ports, and I realize that port 9051 (which should be mapped) is not mapped:

    COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAM
    systemd-n  806 systemd-network   19u  IPv4  17699      0t0  UDP 10.1.0.4:68
    systemd-r  830 systemd-resolve   12u  IPv4  17685      0t0  UDP 127.0.0.53:53
    systemd-r  830 systemd-resolve   13u  IPv4  17686      0t0  TCP 127.0.0.53:53 (LISTEN)
    provision 1075            root  131u  IPv4  26598      0t0  TCP 10.1.0.4:42030->13.107.43.16:443 (ESTABLISHED)
    provision 1075            root  150u  IPv4  29880      0t0  TCP 10.1.0.4:34470->13.107.42.16:443 (ESTABLISHED)
    container 1135            root   10u  IPv4  24743      0t0  TCP 127.0.0.1:43713 (LISTEN)
    sshd      1203            root    3u  IPv4  22809      0t0  TCP *:22 (LISTEN)
    sshd      1203            root    4u  IPv6  22811      0t0  TCP *:22 (LISTEN)
    Runner.Li 3385          runner   85u  IPv4  35797      0t0  TCP 10.1.0.4:37380->13.107.42.16:443 (ESTABLISHED)
    Runner.Li 3385          runner   86u  IPv4  35799      0t0  TCP 10.1.0.4:37382->13.107.42.16:443 (ESTABLISHED)
    Runner.Li 3385          runner   93u  IPv4  35801      0t0  TCP 10.1.0.4:37384->13.107.42.16:443 (ESTABLISHED)
    Runner.Wo 3408          runner   91u  IPv4  35814      0t0  TCP 10.1.0.4:37396->13.107.42.16:443 (ESTABLISHED)
    Runner.Wo 3408          runner  103u  IPv4  36561      0t0  TCP 10.1.0.4:37398->13.107.42.16:443 (ESTABLISHED)
    Runner.Wo 3408          runner  112u  IPv4  37592      0t0  TCP 10.1.0.4:37422->13.107.42.16:443 (ESTABLISHED)
    tor       6391      debian-tor    6u  IPv4  44845      0t0  TCP 127.0.0.1:9050 (LISTEN)
    tor       6391      debian-tor   11u  IPv4  43734      0t0  TCP 10.1.0.4:50644->185.100.86.100:443 (SYN_SENT)
    tor       6391      debian-tor   12u  IPv4  45087      0t0  TCP 10.1.0.4:49488->171.25.193.25:443 (ESTABLISHED)
    tor       6391      debian-tor   13u  IPv4  45623      0t0  TCP 10.1.0.4:56010->149.56.185.56:9001 (ESTABLISHED
    tor       6391      debian-tor   14u  IPv4  45624      0t0  TCP 10.1.0.4:34448->94.130.108.214:443 (ESTABLISHED)
    tor       6391      debian-tor   15u  IPv4  45625      0t0  TCP 10.1.0.4:33090->91.194.84.89:9001 (ESTABLISHED)
    tor       6391      debian-tor   16u  IPv4  46342      0t0  TCP 10.1.0.4:56016->149.56.185.56:9001 (ESTABLISHED)

Then, when I look at the logs, the following lines seem weird:

    Mar  8 20:17:25 fv-az177-932 Tor[6391]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: Read configuration file "/etc/tor/torrc".
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: Scheduler type KIST has been enabled.
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: Opening Socks listener on 127.0.0.1:905
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
    Mar  8 20:17:25 fv-az177-932 kernel:[ 1959.562077] audit: type=1400 audit(1615234645.602:21): apparmor="DENIED" operation="open" profile="system_tor" name="/etc/ssl/openssl.cnf" pid=6391 comm="tor" requested_mask="r" denied_mask="r" fsuid=115 ouid=0
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: TLS error while constructing a TLS context: Permission denied (in system library:fopen:---)
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: TLS error while constructing a TLS context: system lib (in BIO routines:BIO_new_file:---)
    Mar  8 20:17:25 fv-az177-932 Tor[6391]: TLS error while constructing a TLS context: system lib (in configuration file routines:def_load:---)

I can't understand why this error happens, and I can't find anything that seems related or relevant online. Could it be a simple misconfiguration on my side, or a limitation of GitHub Actions?
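The three debug steps above (ports and syslog in particular) can be folded into one CI step that fails with a diagnosis instead of passing silently; this is an added example, not code from the original post. It assumes lsof -i -P -n output and Ubuntu syslog AppArmor audit lines in the shape quoted above; the function names listening_ports, check_ports and apparmor_denials are mine, and the sample lines are constructed from the post's output.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the kind of output the
# post shows (lsof -i -P -n, Ubuntu syslog with AppArmor audit lines) so a
# CI step can fail with a diagnosis instead of silently passing.
# Function names are hypothetical; the sample lines below are constructed.

# Print the TCP ports a command is LISTENing on, one per line.
# $1 = value of lsof's COMMAND column, stdin = lsof -i -P -n output.
listening_ports() {
    awk -v cmd="$1" '$1 == cmd && $NF == "(LISTEN)" {
        n = split($(NF-1), a, ":"); print a[n]
    }' | sort -u
}

# Exit 0 if command $1 listens on every port given in the remaining args,
# otherwise report each missing port on stderr and exit 1.
check_ports() {
    cmd="$1"; shift
    have=$(listening_ports "$cmd")
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$p"; then
            echo "missing listener: $cmd is not listening on port $p" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Print the paths AppArmor DENIED for profile $1, from syslog on stdin.
apparmor_denials() {
    grep 'apparmor="DENIED"' | grep "profile=\"$1\"" \
        | sed -n 's/.* name="\([^"]*\)".*/\1/p' | sort -u
}

# Constructed samples, in the same shape as the output quoted in the post.
SAMPLE_LSOF='COMMAND    PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1203       root    3u  IPv4  22809      0t0  TCP *:22 (LISTEN)
tor       6391 debian-tor    6u  IPv4  44845      0t0  TCP 127.0.0.1:9050 (LISTEN)
tor       6391 debian-tor   12u  IPv4  45087      0t0  TCP 10.1.0.4:49488->171.25.193.25:443 (ESTABLISHED)'
SAMPLE_LOG='Mar  8 20:17:25 host kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="system_tor" name="/etc/ssl/openssl.cnf" pid=6391 comm="tor" requested_mask="r" denied_mask="r"'

# Demo: the control port is missing from the sample, so this reports it.
printf '%s\n' "$SAMPLE_LSOF" | check_ports tor 9050 9051 || echo "Tor is not fully up"
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials system_tor
```

In a workflow step, replace the samples with `sudo lsof -i -P -n` and `sudo grep -i apparmor /var/log/syslog` so the step exits non-zero when 9051 is absent and prints which paths the system_tor profile blocked.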

Not a Linux expert, but it looks to me as if the system denied read access to /etc/ssl/openssl.cnf. It's just a configuration file by the look of things, but the permissions might be insufficient to access it. Now, the question is which process tries to read the file and whether that process was started with super-user permissions or not. It would also be insightful to see the permissions, user and user group for that file, e.g. with sudo ls -l /etc/ssl/openssl.cnf.