I’ve followed the guide here: [url=https://www.whonix.org/wiki/KVM#KVM_Shared_Folders]Whonix ™ for KVM[/url] for creating a shared folder for file transferring. It worked flawlessly. After mounting the folder in Whonix, I can access the files inside and transfer them. However, I have AppArmor installed on the host and can’t add files to the folder from Whonix, even as root.
There could be many things at play here causing the block. Do your logs show it is an AppArmor issue or something else? You first need to create exceptions to the folder you want to share on the host.
[quote=“troubadour, post:3, topic:656”]@hulahoop
After following the instructions in Whonix ™ for KVM, I cannot start Whonix-Gateway from Virtual Machine Manager.
The error:
“Error starting domain:
Requested operation is not valid:
network ‘default’ is not active”.[/quote]
For that please create a separate thread in KVM sub forum.
I don’t know if it’s Apparmor causing the problem. I read on the KVM shared folder instructions that I may need to make an exception to Apparmor to allow guest write to the mounted folder. That’s why I thought it was an Apparmor issue.
There is no Apparmor output with the command you asked. See below.
In Whonix, I open dolphin as root and when I try to move a file into /mnt/share (the shared folder), I get an “access denied” prompt. Could the bold part be the issue? There is only read access to /mnt/share. This is on the host at /etc/apparmor.d/libvirt. If so, how to fix it?
DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
@troubadour
Are you using Debian? An identical complaint by another user said the same. Please enable the “default” NAT network from the Virtual Machine Manager settings and make sure it’s set to autostart with KVM. Tell me if it works.
I’m positive apparmor is blocking this - like it should. There might be other reasons but this is one of them for sure.
Please see if auditd is installed on your system. If not, install it from the repos. It’s AppArmor’s preferred error reporting daemon.
For more information on what we need to do when it’s installed, refer to this: http://wiki.apparmor.net/index.php/AppArmor_Failures#Messages_in_the_Log_files
but for now I want to make sure you have the right diagnostic tools in place.
[quote=“whonixfaithful, post:5, topic:656”]I don’t know if it’s Apparmor causing the problem. I read on the KVM shared folder instructions that I may need to make an exception to Apparmor to allow guest write to the mounted folder. That’s why I thought it was an Apparmor issue.
There is no Apparmor output with the command you asked. See below.[/quote]
That was expected. To try to ascertain that AppArmor is the cause of the problem, you could edit “/etc/default/grub”.
Change the line
to
Reboot gateway / workstation. AppArmor should not be loaded in the kernel.
After installing auditd, I tried to write to the folder, got the denied prompt, ran the sudo grep -i denied /var/log/audit/audit.log command but nothing shows.
I did the edit for GRUB_CMDLINE_LINUX_DEFAULT="", updated grub then rebooted both the gateway and workstation and still can’t write to the /mnt/share folder. I get the same “access denied” prompt. I don’t have permission to do it.
sudo grep -i denied /var/log/audit/audit.log command doesn’t show anything.
sudo grep -i denied /var/log/syslog doesn’t show anything either.
sudo grep -i denied /var/log/kern.log shows stuff unrelated to AppArmor.
I uninstalled AppArmor (and profiles) altogether and still can’t write to the folder. Logs for auditd and syslog don’t show anything and kern.log is unrelated to AppArmor.
This is frustrating. I think I’m going to just stick to a website like wikisend.com and transfer files that way. Sad because I switched to KVM because of it.
I’ve found out how to fix it! I changed the ownership for shared to libvirt-qemu. The exact command I used was: sudo chown libvirt-qemu /mnt/shared. I can now write to it from Whonix.
Sorry I took the link down because it wasn’t working. Here is the correct one: [url=https://github.com/adrahon/vagrant-kvm/issues/167]https://github.com/adrahon/vagrant-kvm/issues/167[/url]. The guy explains why libvirt-qemu is needed.
I tried adding libvirt-qemu to my own account with that command but couldn’t, see below.
user@user-pc ~ $ sudo addgroup "$(whoami)" libvirt-qemu
addgroup: The group `libvirt-qemu' does not exist.
@Patrick I was going to get to that but first he needs to add a permanent apparmor exception to that folder path (even if he can’t see errors atm). This excludes MAC conflicts further.
You will then need to chmod the folder (this step is only needed once) and run chown on it every time you transfer something new from guest to host.
Please make sure your shared folder is configured as mapped only before proceeding.
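The fix reported above was a plain ownership change, so the check worth running before touching AppArmor is whether the mode bits let the QEMU account write to the folder. An added example (not part of the thread) that does this; the libvirt-qemu account and /mnt/shared path are taken from the posts, GNU stat is assumed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Evaluates classic owner/group/other
# mode bits only; POSIX ACLs and AppArmor rules are not considered.
# Assumes GNU stat (stat -c), as shipped on Debian-based hosts.

# mode_allows_write USER DIR
# Returns 0 if USER may create files in DIR according to the mode bits,
# 1 if not, 2 if USER or DIR cannot be looked up.
mode_allows_write() {
    user=$1
    dir=$2
    uid=$(id -u "$user" 2>/dev/null) || return 2
    gids=" $(id -G "$user") "
    # Positional parameters become: owner uid, owner gid, octal mode.
    set -- $(stat -c '%u %g %a' "$dir" 2>/dev/null)
    [ $# -eq 3 ] || return 2
    d_uid=$1
    d_gid=$2
    mode=$(( 0$3 & 0777 ))          # drop setuid/setgid/sticky
    if [ "$uid" -eq "$d_uid" ]; then
        bits=$(( (mode >> 6) & 7 )) # owner class applies
    else
        case $gids in
            *" $d_gid "*) bits=$(( (mode >> 3) & 7 )) ;;  # group class
            *)            bits=$(( mode & 7 )) ;;         # other class
        esac
    fi
    # Creating a file needs write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# report_share USER DIR: print ownership and the verdict for USER.
report_share() {
    stat -c 'owner=%U group=%G mode=%a path=%n' "$2"
    if mode_allows_write "$1" "$2"; then
        echo "mode bits allow $1 to create files in $2"
    else
        echo "mode bits do NOT allow $1 to create files in $2"
    fi
}

# Names from the thread: sh check_share.sh libvirt-qemu /mnt/shared
if [ $# -eq 2 ]; then
    report_share "$1" "$2"
fi
```

A "do NOT allow" verdict on a folder owned by your own desktop user with mode 755 is the situation the chown in the thread resolved, without widening the folder to world-writable.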