Often systemcheck errors notifications. whonix 18lxqt

Patrick · February 20, 2026, 5:54pm

Did you edit the systemd unit file and was it fixed? What was the systemd unit file edit?

jordanyell · February 21, 2026, 8:23am

[workstation user ~/Desktop]% ausyscall 48 
faccessat
[workstation user ~/Desktop]% sudoedit /usr/lib/systemd/system/kloak.service && sudo systemctl daemon-reload && sudo systemctl restart kloak && sudo systemctl --no-pager --full status kloak
sudoedit: /usr/lib/systemd/system/kloak.service unchanged
● kloak.service - kloak anti keystroke deanonymization tool
     Loaded: loaded (/usr/lib/systemd/system/kloak.service; enabled; preset: enabled)
     Active: active (running) since Sat 2026-02-21 08:07:13 UTC; 16ms ago
 Invocation: 9cd070abfc1e433e918d229ea710f92f
       Docs: https://github.com/Whonix/kloak
             man:kloak(8)
    Process: 18934 ExecStartPre=/usr/libexec/kloak/find_wl_compositor (code=exited, status=0/SUCCESS)
   Main PID: 18943 ((kloak))
      Tasks: 1 (limit: 4604)
     Memory: 1.8M (peak: 7.4M)
        CPU: 41ms
     CGroup: /system.slice/kloak.service
             └─18943 "(kloak)"

Feb 21 08:07:13 host systemd[1]: Starting kloak.service - kloak anti keystroke deanonymization tool...
Feb 21 08:07:13 host systemd[1]: Started kloak.service - kloak anti keystroke deanonymization tool.
[workstation user ~/Desktop]%

In the opened file, I’ve inserted faccessat to the end of SystemCallFilter. Here’s that upgraded file. How to check, was it fixed or no?

## Copyright (C) 2016 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

[Unit]
Description=kloak anti keystroke deanonymization tool
Documentation=https://github.com/Whonix/kloak
Documentation=man:kloak(8)
ConditionPathExists=!/run/qubes/this-is-templatevm
After=graphical.target
After=sysmaint-boot.target

[Service]
Type=simple

## This cannot be trivially made work on Qubes!
##
## /dev/input/event0 is not a keyboard device.
##
## ls -la /dev/input/event0
## crw-rw---- 1 root input 13, 64 May  6 08:25 /dev/input/event0
##
## ls -la /dev/input/by-path/platform-pcspkr-event-spkr
## lrwxrwxrwx 1 root root 9 May  6 08:25 /dev/input/by-path/platform-pcspkr-event-spkr -> ../event0
##
## https://github.com/QubesOS/qubes-issues/issues/2558
## https://github.com/QubesOS/qubes-issues/issues/1850
## https://forums.whonix.org/t/current-state-of-kloak/5605/6
##
## For Qubes, see Qubes Event Buffering instead.
## https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymization#Qubes_Event_Buffering

## find_wl_compositor.py generates /run/kloak_wl_compositor_data.
ExecStartPre=+-/usr/libexec/kloak/find_wl_compositor
EnvironmentFile=-/run/kloak_wl_compositor_data
ExecStart=/usr/bin/kloak

Restart=always
RestartSec=2s

CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_TTY_CONFIG CAP_SYS_PTRACE

ProtectSystem=strict
#ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
## hardened kernels without CONFIG_USER_NS_UNPRIVILEGED=Y
## need to:
## * disable or comment out the 3 'Private' namespaces below
## $ systemctl edit --full kloak
PrivateTmp=true
#PrivateUsers=true
PrivateNetwork=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictNamespaces=true
SystemCallArchitectures=native
SystemCallFilter=brk open poll close ioctl mmap munmap read pread64 getdents64 socket connect getsockopt epoll_create1 epoll_ctl rt_sigprocmask epoll_wait inotify_init1 access openat fstat prctl sendmsg recvmsg newfstatat unlink ftruncate fcntl timerfd_create statx readlinkat faccessat2 fstatfs inotify_add_watch timerfd_settime madvise sigaltstack faccessat

[Install]
WantedBy=graphical.target

Patrick · February 21, 2026, 11:09am

sudo systemctl daemon-reload

sudo systemctl restart kloak

sudo systemctl status kloak

(Will be added to documentation in the near future.)

jordanyell · February 21, 2026, 11:38am

[workstation user ~/Desktop]% sudo systemctl daemon-reload
[workstation user ~/Desktop]% sudo systemctl restart kloak
[workstation user ~/Desktop]% sudo systemctl status kloak
× kloak.service - kloak anti keystroke deanonymization tool
Loaded: loaded (/usr/lib/systemd/system/kloak.service; enabled; preset: enabled)
Active: failed (Result: core-dump) since Sat 2026-02-21 11:31:52 UTC; 701ms ago
Duration: 25ms
Invocation: c092b1a738cf4699bfcb27c3f03d81c6
Docs: GitHub - Whonix/kloak: anti keystroke deanonymization tool
man:kloak(8)
Process: 18030 ExecStartPre=/usr/libexec/kloak/find_wl_compositor (code=exited, status=0/SUCCESS)
Process: 18032 ExecStart=/usr/bin/kloak (code=dumped, signal=SYS)
Main PID: 18032 (code=dumped, signal=SYS)

Feb 21 11:31:52 host systemd[1]: kloak.service: Scheduled restart job, restart counter is at 2.
Feb 21 11:31:52 host systemd[1]: kloak.service: Start request repeated too quickly.
Feb 21 11:31:52 host systemd[1]: kloak.service: Failed with result ‘core-dump’.
Feb 21 11:31:52 host systemd[1]: Failed to start kloak.service - kloak anti keystroke deanonymization tool.
zsh: exit 3 sudo systemctl status kloak
[workstation user ~/Desktop]%

Patrick · February 21, 2026, 2:30pm

Rinse and repeat. Either the wrong syscall has been adding (wrong architecture) or additional syscalls are required.