Kicksecure Host - Shared folder not working with Whonix KVM

Using Kicksecure as the host and Whonix as a virtual machine running in KVM, the workstation does not launch due to an error with the shared folder.

"Error starting domain: internal error: qemu unexpectedly closed the monitor: […] qemu-system-x86_64: -device virtio-9p-pc,id=fs0,fdev=fsdev-fs0,mount_tag=shared,bus=pci.0,addr=0x8: cannot initialize fsdev 'fsdev-fs0': failed to open '/home/user/shared': Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1400, in startup
    self._backend.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 1080, in create
    if ret == -1: raise libvirtError('virDomainCreate() failed', dom=self)
libvirt.libvirtError: internal error: qemu unexpectedly closed the monitor: […] and then repeats the section from the start.
"

Kicksecure Host was installed like this: Debian netinst with no desktop environment, then installing according to the distro morphing documentation with the Whonix Onion Repository.

sudo apt-get install --no-install-recommends kicksecure-xfce

Was used.

KVM and Whonix were installed according to the Whonix KVM documentation, and the shared folder was also set up according to the documentation.

Does a linux user account named user exist?

Output of the following?

id user

Yes

id user output:

uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),106(kvm),109(netdev),113(console),123(libvirt)

User exists. Looks good.

I don’t think https://github.com/Whonix/shared-folder-help/blob/master/lib/systemd/system/mnt-shared-kvm.service causes this.

Please post output of these two commands:

ls -la /home/user/

ls -la /home/user/shared

You can redact most output. Only need to see permissions of that /home/user/shared folder.

Did you enable SELinux or any other mandatory access control (MAC) framework?

Try also this command. Does that help?

sudo chmod 777 /home/user/shared

Shows any output? If not: expected.


total 232
drwxr-x--- 19 user user 4096 [date&time] .
drwxr-xr-x 3 root root 4096 [date&time] ..
[ . . . ]
drwxrwxrwx 6 root root 4096 [date&time] shared
[ . . . ]

drwxrwxrwx 6 root root 4096 [date&time] .
drwxr-x--- 19 user user 4096 [date&time] ..

Not that I’m aware of

No, same error, no output, and when watching journalctl when doing that command:

host sudo [1812]: user : TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/chmod 777 /home/user/shared
host sudo [1812]: pam_unix (sudo:session): session opened for user root by (uid=0)
host sudo [1813]: pam_exec(sudo:session): Calling /usr/lib/security-misc/permission-lockdown . . .
host sudo [1812]: pam_unix(sudo:session): session closed for user root
host sudo [1817]: pam_exec(sudo:session): Calling /usr/lib/security-misc/permission-lockdown . . .

/home/user/shared should not be owned by root. Did you create it using sudo mkdir shared?

To fix, try this:

sudo chown --recursive user:user /home/user

Yes “sudo mkdir /home/user/shared” as per the wiki

sudo chown --recursive user:user /home/user

Same error

I then did

sudo chown --recursive user:user /home/user/shared

Same error still

No idea. Suggestions:

  1. “google”:

cannot initialize fsdev ‘fsdev-fs0’: failed to open

  2. contact KVM support

It could be caused by 9p modules not loading:

9p
9pnet
9pnet_virtio

Or the user account not belonging to the libvirtd group?

https://github.com/vagrant-libvirt/vagrant-libvirt/issues/630


I just tried installing vagrant-libvirt, same error.

I then tried

sudo nano /etc/modules

And added

9p
9pnet
9pnet_virtio

Restarted, still same error.

The libvirtd group did not exist, so I created it, then I added user to it, still same error.

From Whonix ™ for KVM
Try running these commands and post the output here.

sudo addgroup "$(whoami)" libvirt
sudo addgroup "$(whoami)" kvm

Then reboot.

Then try running these commands

sudo modprobe 9p
sudo modprobe 9pnet
sudo modprobe 9pnet_virtio

And post output here.

Then try VM start. See if that helps.

Whonix for KVM says libvirt not libvirtd.

The user ‘user’ is already a member of ‘libvirt’.
The user ‘user’ is already a member of ‘kvm’.

No output (and nothing interesting in journalctl either)
Did this, same error still.

libvirt was already used as per documentation, only additionally created libvirtd as hula mentioned it

Strange because you are essentially using a Debian stable with our customizations that shouldn’t really interfere with this.

Try adding any other shared folder manually created in your home folder. Does it give the same error?

Good idea, I made /home/shared and it worked, then I deleted and remade the shared folder in /home/user/shared the same way but it did not work (same error), so it has to do with the user directory and probably permissions, any idea to fix it in the user directory?

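Added example, not part of any forum post: opening a directory needs search (x) permission on every parent directory, and the ls listing posted earlier shows /home/user owned by user:user with no permissions for others, so an account outside that owner and group is stopped there whatever mode shared itself has. The Python sketch below reports the first path component a given uid/gid set cannot traverse; it checks classic mode bits only (no ACLs, SELinux or AppArmor), and the demo tree, other_uid and all function names are constructed for illustration. That the QEMU process runs under a separate system account is an assumption about the host.

```python
import os
import stat
import tempfile


def can_search(st, uid, gids):
    """Classic mode-bit check for directory search (x); ACLs and MAC are ignored."""
    if uid == 0:
        return True  # root bypasses discretionary permission bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)  # owner class wins, even if stricter
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked(path, uid, gids, start="/"):
    """Return the first directory from start down to path that uid/gids
    cannot traverse, or None when every component is searchable."""
    path, start = os.path.realpath(path), os.path.realpath(start)
    rel = os.path.relpath(path, start)
    names = [] if rel == "." else rel.split(os.sep)
    current = start
    for name in [""] + names:
        current = os.path.join(current, name) if name else current
        if not can_search(os.stat(current), uid, gids):
            return current
    return None


def build_demo_tree():
    """Constructed sample layout mirroring the thread: a 0750 home directory
    holding a 0777 share, next to a 0777 share one level up."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    for rel, mode in (("user", 0o750), ("user/shared", 0o777), ("shared", 0o777)):
        os.mkdir(os.path.join(base, rel))
        os.chmod(os.path.join(base, rel), mode)
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    other_uid = os.stat(base).st_uid + 4242  # hypothetical unrelated account
    for share in ("user/shared", "shared"):
        target = os.path.join(base, share)
        print(share, "->", first_blocked(target, other_uid, set(), start=base))
```

On a real host, call first_blocked("/home/user/shared", uid, gids) with the numeric uid and group ids of the account the QEMU process runs as.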

That’s great news. @Patrick are we shipping Kicksecure Host with a shared folder already? Perhaps the problem is caused by the mkdir command run as root?

mkdir --parents /mnt/gateway-shared

mkdir --parents /mnt/workstation-shared

chmod 777 /mnt/gateway-shared

chmod 777 /mnt/workstation-shared

@59mpci2GJ5xlHhY have you used the shared folders on the host at these paths?

Okay I just did that, but it had insufficient permissions without sudo, so I ran all those commands with sudo.

The machine launched successfully without error however, when testing by putting a file from the host, the file did not appear inside the vm shared folder.

Note, test file did show successfully up when mounting to /home/shared, but not /mnt/workstation-shared.

Going to reinstall everything from source next time I have some free time, so I will continue with more tests.

Kicksecure is NOT Whonix-Host.
Kicksecure Host is NOT Whonix-Host.
Whonix-Host and Kicksecure are separate projects.

HulaHoop via Whonix Forum:

That’s great news. @Patrick are we shipping Kicksecure Host with a shared folder already?

No, I don’t think so, because Kicksecure is NOT Whonix-Host. Package
whonix-libvirt is not installed on Kicksecure.

Please check:

dpkg -l | grep whonix-libvirt

Perhaps the problem is caused by the mkdir command run as root?

Could be in theory but chmod should fix that.

libvirt-dist/usr/lib/whonix-libvirt/install at 2fc6fc5318665db8bfb697d7d6b71495c7c8d229 · Kicksecure/libvirt-dist · GitHub

mkdir --parents /mnt/gateway-shared

mkdir --parents /mnt/workstation-shared

chmod 777 /mnt/gateway-shared

chmod 777 /mnt/workstation-shared

Development of Whonix-Host didn’t progress as far yet as testing shared
folders.

http://permissions-calculator.org/decode/0777/

chmod 0777 means that user, group and others (everyone) can
read/write/execute. That doesn’t seem very appropriate anyhow.

What would be an appropriate way to set this up anyhow? What would be
the most secure and canonical location for these shared folders?
Somewhere in user’s home folder /home/user? Or under /mnt/ better? Group
owner user “user” and user/group “user” the only one allowed to
read/write but not execute?


I got confused by his thread title saying Kicksecure “Host”.

I always did it under home folder. Seems more contained than using /mnt/? As for permissions I am open to more secure suggestions that don’t break functionality.


And Kicksecure Host is NOT Whonix-Host too.