Apparmor exception for shared folder on guest

I’ve followed the guide here: [url=https://www.whonix.org/wiki/KVM#KVM_Shared_Folders]Whonix ™ for KVM[/url] for creating a shared folder for file transferring. It worked flawlessly. After mounting the folder in Whonix, I can access the files inside and transfer them. However, I have Apparmor installed on the host and can’t add files to the folder from Whonix, even as root.

I’ve read the guides below and can’t for the life of me find the exception that needs to be added and where to add it. Everything points to /etc/apparmor.d.
[url=http://manpages.ubuntu.com/manpages/trusty/en/man5/apparmor.d.5.html]http://manpages.ubuntu.com/manpages/trusty/en/man5/apparmor.d.5.html[/url]
[url=http://wiki.apparmor.net/index.php/Documentation]http://wiki.apparmor.net/index.php/Documentation[/url]
[url=http://www.linux-kvm.org/page/9p_virtio]http://www.linux-kvm.org/page/9p_virtio[/url]

Can anybody help? I’m using Linux Mint 17 (Ubuntu 14.04 LTS Trusty) and have the default profiles installed.

Thanks.

There could be many things at play here causing the block. Do your logs show it is an apparmor issue or something else? You first need to create exceptions for the folder you want to share on the host.

After booting and trying to write in the shared folder, could you run

sudo tail -f /var/log/kern.log

and report the lines mentioning apparmor, if any.

@hulahoop
After following the instructions in Whonix ™ for KVM, I cannot start Whonix-Gateway from Virtual Machine Manager.

The error:
“Error starting domain:
Requested operation is not valid:
network ‘default’ is not active”.

[quote=“troubadour, post:3, topic:656”]@hulahoop
After following the instructions in Whonix ™ for KVM, I cannot start Whonix-Gateway from Virtual Machine Manager.

The error:
“Error starting domain:
Requested operation is not valid:
network ‘default’ is not active”.[/quote]
For that please create a separate thread in KVM sub forum.

Thanks for the response.

I don’t know if it’s Apparmor causing the problem. I read on the KVM shared folder instructions that I may need to make an exception to Apparmor to allow guest write to the mounted folder. That’s why I thought it was an Apparmor issue.

There is no Apparmor output with the command you asked. See below.

Nov 8 13:43:24 user-pc kernel: [ 6817.687504] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:01:00:4f:26:56:74:b6:09:00 SRC=***.*.. DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

In Whonix, I open dolphin as root and when I try to move a file into /mnt/share (the shared folder), I get an “access denied” prompt. Could the bold part be the issue? There is only read access to /mnt/share. This is on the host at /etc/apparmor.d/libvirt. If so, how do I fix it?

DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.

"/var/log/libvirt/**/Whonix-Workstation.log" w,
"/var/lib/libvirt/**/Whonix-Workstation.monitor" rw,
"/var/run/libvirt/**/Whonix-Workstation.pid" rwk,
"/run/libvirt/**/Whonix-Workstation.pid" rwk,
"/var/run/libvirt/**/*.tunnelmigrate.dest.Whonix-Workstation" rw,
"/run/libvirt/**/*.tunnelmigrate.dest.Whonix-Workstation" rw,
"/var/lib/libvirt/images/Whonix-Workstation.qcow2" rw,
"/mnt/shared/**" rw,
"/mnt/shared/" r,
/dev/vhost-net rw,

@troubadour
Are you using Debian? An identical complaint by another user said the same. Please enable the “default” NAT network from the Virtual Machine Manager settings and make sure it’s set to autostart with KVM. Tell me if it works.

@whonixfaithful

I’m positive apparmor is blocking this - like it should. There might be other reasons but this is one of them for sure.
Please see if auditd is installed on your system. If not, install it from the repos. It’s apparmor’s preferred error reporting daemon.
For more information on what we need to do when its installed refer to this:
http://wiki.apparmor.net/index.php/AppArmor_Failures#Messages_in_the_Log_files
but for now I want to make sure you have the right diagnostic tools in place.

Auditd wasn’t installed on the host. I now have it installed. I also have apparmor-utils installed.

The output of sudo cat /sys/module/apparmor/parameters/audit is normal.

I’m ready with the right diagnostic tool in place :slight_smile:

Good. Now try the steps that don’t work once more to trigger an error, then check the apparmor log and paste the output.

grep -i denied /var/log/audit/audit.log (if using auditd)
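As an added example, not code from this thread or from Whonix, libvirt or AppArmor, the script below automates the log check described here and ties it back to the libvirt profile excerpt posted earlier in the thread. It parses AppArmor records in the key=value form auditd writes, keeps only the DENIED ones, separates denials under the shared folder from unrelated ones (which should be investigated, not allowed), and checks whether the rules already present in a profile cover the denied path with the needed mode before suggesting the pair of rules libvirt generates for a share. The audit lines, the profile name `libvirt-PLACEHOLDER-UUID`, the pid and uid values and both profile excerpts are constructed placeholders; the glob matcher is a simplified reading of AppArmor's `*`/`**` semantics and ignores `{a,b}` alternation.

```python
import re

# Constructed sample records in the key=value format auditd writes for AppArmor
# events. The profile name, pid and uids are placeholders, not from the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1415464321.123:456): apparmor="DENIED" operation="mknod" profile="libvirt-PLACEHOLDER-UUID" name="/mnt/shared/notes.txt" pid=4242 comm="qemu-system-x86" requested_mask="c" denied_mask="c" fsuid=115 ouid=1000
type=AVC msg=audit(1415464322.456:457): apparmor="DENIED" operation="open" profile="libvirt-PLACEHOLDER-UUID" name="/mnt/shared/notes.txt" pid=4242 comm="qemu-system-x86" requested_mask="wc" denied_mask="wc" fsuid=115 ouid=1000
type=AVC msg=audit(1415464323.789:458): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="libvirt-PLACEHOLDER-UUID" pid=4300 comm="apparmor_parser"
type=AVC msg=audit(1415464324.001:459): apparmor="DENIED" operation="open" profile="libvirt-PLACEHOLDER-UUID" name="/home/user/Documents/private.txt" pid=4242 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=115 ouid=1000
"""

# Constructed profile excerpts: one without the shared-folder rules, one with
# the pair of rules libvirt generates when a filesystem share is configured.
PROFILE_WITHOUT_SHARE = """\
  "/var/lib/libvirt/images/Whonix-Workstation.qcow2" rw,
  /dev/vhost-net rw,
"""
PROFILE_WITH_SHARE = PROFILE_WITHOUT_SHARE + """\
  "/mnt/shared/**" rw,
  "/mnt/shared/" r,
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Log masks use c/a/d for create/append/delete; the rule letter granting them is 'w'.
LOG_TO_RULE_MODE = {"c": "w", "a": "w", "d": "w"}


def parse_apparmor_denials(log_text):
    """Return one dict of fields per record whose apparmor field is DENIED."""
    denials = []
    for line in log_text.splitlines():
        fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
                  for m in KV_RE.finditer(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def aa_glob_to_regex(glob):
    """Simplified AppArmor file glob: '**' crosses '/', '*' and '?' do not, and a
    wildcard directly after '/' must match at least one character (so
    "/mnt/shared/**" does not match "/mnt/shared/" itself). {a,b} is not handled."""
    out, i = [], 0
    while i < len(glob):
        after_slash = i == 0 or glob[i - 1] == "/"
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 2
            continue
        ch = glob[i]
        if ch == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile_rules(profile_text):
    """Extract (glob, granted modes) from file rules such as  "/mnt/shared/**" rw,"""
    rules = []
    for line in profile_text.splitlines():
        m = re.match(r'\s*"?(/[^"\s]*)"?\s+([a-zA-Z]+),\s*$', line)
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules


def rule_mode_for(log_mask):
    """Translate a logged mask into the letters a profile rule would need."""
    return "".join(sorted({LOG_TO_RULE_MODE.get(ch, ch) for ch in log_mask}))


def profile_covers(profile_text, path, mode):
    """True if some rule matches path and grants every letter of mode."""
    for glob, granted in parse_profile_rules(profile_text):
        if aa_glob_to_regex(glob).match(path) and set(mode) <= granted:
            return True
    return False


def suggest_rules(denials, profile_text, share_dir):
    """Return (rules to add for share_dir, unrelated denials). Only paths under
    share_dir get suggestions; everything else is reported for investigation."""
    base = share_dir.rstrip("/")
    suggestions, unrelated = [], []
    for d in denials:
        path = d.get("name", "")
        mode = rule_mode_for(d.get("denied_mask") or d.get("requested_mask", ""))
        if not path.startswith(base + "/"):
            unrelated.append((d.get("profile"), d.get("operation"), path, mode))
        elif not profile_covers(profile_text, path, mode):
            for rule in (f'"{base}/" r,', f'"{base}/**" rw,'):
                if rule not in suggestions:
                    suggestions.append(rule)
    return suggestions, unrelated


if __name__ == "__main__":
    found = parse_apparmor_denials(SAMPLE_AUDIT_LOG)
    for label, profile in (("without share rules", PROFILE_WITHOUT_SHARE),
                           ("with share rules", PROFILE_WITH_SHARE)):
        add, other = suggest_rules(found, profile, "/mnt/shared")
        print(f"profile {label}: add {add or 'nothing'}; unrelated: {other}")
```

The same key=value format appears in kern.log and syslog when auditd is not running (prefixed with `audit: type=1400`), so the parser can be pointed at those files too; the unrelated-denials list is the part worth reading carefully, because the fix for a share is a rule scoped to the share path, not a blanket allow for whatever else the profile logged.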

I think it’s confusing to add “(if using auditd)” without the code block.

You’ll also need sudo, at least I needed.

To search the logs for existing apparmor denied messages, simply use.

[quote=“whonixfaithful, post:5, topic:656”]I don’t know if it’s Apparmor causing the problem. I read on the KVM shared folder instructions that I may need to make an exception to Apparmor to allow guest write to the mounted folder. That’s why I thought it was an Apparmor issue.

There is no Apparmor output with the command you asked. See below.[/quote]

That was expected. To try to ascertain that AppArmor is the cause of the problem, you could edit “etc/default/grub”.
Change the line

to

Reboot gateway / workstation. AppArmor should not be loaded in the kernel.

If you do this, you need to also run

before reboot.

After installing auditd, I tried to write to the folder, got the denied prompt, ran the sudo grep -i denied /var/log/audit/audit.log command but nothing shows.

I did the edit for GRUB_CMDLINE_LINUX_DEFAULT=“”, updated grub then rebooted both the gateway and workstation and still can’t write to the /mnt/share folder. I get the same “access denied” prompt. I don’t have permission to do it.

sudo grep -i denied /var/log/audit/audit.log command doesn’t show anything.
sudo grep -i denied /var/log/syslog doesn’t show anything either.
sudo grep -i denied /var/log/kern.log shows stuff unrelated to apparmor.

I uninstalled apparmor (and profiles) altogether and still can’t write to the folder. Logs for auditd and syslog don’t show anything and kern.log is unrelated to apparmor.

Doing a little more research, a lot of people using Ubuntu have had the same problem. See below.
[url=http://serverdown.ttwait.com/que/559726]http://serverdown.ttwait.com/que/559726[/url]
[url=https://bugs.launchpad.net/ubuntu/+source/qemu-kvm/+bug/1018530]https://bugs.launchpad.net/ubuntu/+source/qemu-kvm/+bug/1018530[/url]
[url=http://ubuntuforums.org/showthread.php?t=1864680][SOLVED] Trying to use VirtFS (9P) with libvirt and kvm-qemu in 11.10[/url]
[url=http://ubuntuforums.org/archive/index.php/t-1998227.html]Ubuntu Forums[/url]

This is frustrating. I think I’m going to just stick to a website like wikisend.com and transfer files that way. Sad because I switched to KVM because of it.

I’ve found out how to fix it! I changed the ownership for shared to libvirt-qemu. The exact command I used was: sudo chown libvirt-qemu /mnt/shared. I can now write to it from Whonix.

Question for the admins: Is this safe?

That link is broken.

Just a thought. What about adding the libvirt-qemu group to your own account instead? (Maybe that’s missing here Whonix ™ for KVM ?)

sudo addgroup "$(whoami)" libvirt-qemu

Maybe that would be the more canonical way to do this?

Sorry I took the link down because it wasn’t working. Here is the correct one: [url=https://github.com/adrahon/vagrant-kvm/issues/167]https://github.com/adrahon/vagrant-kvm/issues/167[/url]. The guy explains why libvirt-qemu is needed.

I tried adding libvirt-qemu to my own account with that command but couldn’t, see below.
user@user-pc ~ $ sudo addgroup "$(whoami)" libvirt-qemu
addgroup: The group `libvirt-qemu' does not exist.

Maybe there is a user with that name but not a group.

(Not that it matters for security: chown doesn’t seem right, I’d rather use “chmod o+rw /mnt/shared” if there is no canonical solution.)

@HulaHoop:
What’s the canonical way to do this? Can you ask upstream please?

@Patrick I was going to get to that but first he needs to add a permanent apparmor exception to that folder path (even if he can’t see errors atm). This excludes MAC conflicts further.

You will then need to chmod the folder - this step is only needed once and run chown on it every time you transfer something new from guest to host.

Please make sure your shared folder is configured as mapped only before proceeding.
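The chown versus chmod o+rw versus group-membership discussion above comes down to which host accounts end up able to write to the share directory. With the 9p share in mapped mode, host-side file operations are performed by the QEMU process, which runs as the libvirt-qemu account on Ubuntu, so that account is the one that needs write access. As an added illustration (not code from the thread or from Whonix), the following Python evaluates the classic Unix owner/group/other check for each option and lists who can write under it; the account names, uid and gid numbers are constructed placeholders, and the fourth variant (chgrp to the QEMU account's group plus g+w) is included for comparison only, since the thread reports that no libvirt-qemu group existed on that host.

```python
import stat

# Constructed host accounts: name -> (uid, primary gid, supplementary gids).
# The numbers are placeholders; libvirt-qemu stands for the account QEMU runs as.
ACCOUNTS = {
    "root":         (0,    0,    set()),
    "user":         (1000, 1000, set()),
    "libvirt-qemu": (115,  115,  set()),
    "otheruser":    (1001, 1001, set()),
}


def can_write(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix discretionary check for write access to a directory:
    root always passes; otherwise exactly one of the owner, group or other
    permission triplets applies, chosen in that order."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writers(mode, owner_uid, owner_gid, accounts=ACCOUNTS):
    """Sorted names of the accounts that can write to a directory with these bits."""
    return sorted(name for name, (uid, gid, extra) in accounts.items()
                  if can_write(mode, owner_uid, owner_gid, uid, extra | {gid}))


# The options discussed for /mnt/shared: (mode, owner uid, owner gid).
OPTIONS = {
    "as created (owner user, 755)":               (0o755, 1000, 1000),
    "chown libvirt-qemu (owner qemu, 755)":       (0o755, 115, 115),
    "chmod o+rw (owner user, 757)":               (0o757, 1000, 1000),
    "chgrp libvirt-qemu + g+w (owner user, 775)": (0o775, 1000, 115),
}


def exposure():
    """Map each option to the list of accounts that can write to the share."""
    return {label: writers(mode, o, g) for label, (mode, o, g) in OPTIONS.items()}


if __name__ == "__main__":
    for label, names in exposure().items():
        print(f"{label}: writable by {', '.join(names)}")
```

The comparison makes the trade-off in the thread concrete: chown gives only the QEMU account (and root) write access, chmod o+rw makes the directory writable by every local account, and a group-based setup keeps the user's ownership while adding only the QEMU account. None of this replaces the AppArmor rule for the share path; the DAC bits and the MAC profile are checked independently and both must allow the write.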