Live-mode.sh: Permission denied

marmarek · March 30, 2025, 11:00am

Found while browsing logs of whonix-gateway based AppVM on Qubes OS 4.2:

[2025-03-30 01:46:26] [   10.562428] canary-daemon[1300]: /usr/libexec/systemcheck/canary-daemon: INFO: start.
[2025-03-30 01:46:26] [   10.581494] canary-daemon[1327]: /usr/libexec/systemcheck/canary: line 17: /usr/libexec/helper-scripts/live-mode.sh: Permission denied
[2025-03-30 01:46:26] [   10.590349] canary-daemon[1300]: /usr/libexec/systemcheck/canary-daemon: INFO: end.

I don’t see any negative effects of this, just the log message.

Patrick · March 31, 2025, 4:21pm

Should be fixed.

marmarek · March 31, 2025, 4:59pm

Now I got in the log (test job 2h ago, so might be before your fix):

   AVC apparmor="DENIED" operation="open" class="file" profile="/usr/libexec/systemcheck/canary" name="/usr/libexec/helper-scripts/live-mode.sh" comm="canary" requested_mask="r" denied_mask="r"

Patrick · April 1, 2025, 6:35am

Very most likely already fixed in apparmor · Kicksecure/systemcheck@2fb295e · GitHub.

I could reproduce this and I am not longer able to reproduce it now.