opened 09:51AM - 19 Aug 25 UTC
C: Whonix
P: default
needs diagnosis
affects-4.2
affects-4.3
C: Qubes Video Companion
community template
### Qubes OS release
Qubes OS 4.3, Qubes OS 4.2
### Brief summary
QVC has a lot of [sudo calls](https://github.com/search?q=repo%3AQubesOS%2Fqubes-video-companion+sudo+path%3A%2F%5Ereceiver%5C%2F%2F&type=code).
But Whonix has two things blocking QVC usage:
- permission-hardener sets `/usr/lib/modules` to `0700`, only root can rwx it.
- user mode without privilege (sysmaint and privleap)
I don't think that every Qubes package that has sudo should have a privleap workaround, which in the past could have been [doas](https://github.com/qubesos/qubes-issues/issues/9599). There are also minimal qubes that don't have qubes-core-agent-passwordless-root. It seems that a unified authorization mechanism for every template is not easily doable.
I believe that using capabilities as well as excluding /lib/modules from permission-hardener could be a solution. I have tinkered a bit with that idea but didn't complete it with only capabilities.
- The lockfile doesn't require root if it is placed in /tmp
- Every modprobe and modinfo command used seems to require at least read permission to /lib/modules
- Module insertion requires write and execute permissions
### Steps to reproduce
1. Install QVC on Whonix-Workstation
2. `qubes-video-companion screenshare`
### Expected behavior
Success using qubes-video-companion.
### Actual behavior
sudo is not executable.
### Additional information
https://openqa.qubes-os.org/tests/149582#step/TC_00_QVCTest_whonix-workstation-17/1
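
The following diagnostic is an added example, not part of the issue or of the QVC code base. It reports which of the conditions listed above hold for a given user, judging by classic mode bits only; the helper names `perm_for` and `qvc_precheck` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example; perm_for and qvc_precheck are hypothetical helper names.

# perm_for PATH UID GID -> prints the rwx triplet that applies to that caller.
# Mode bits only: ACLs, capabilities, MAC policy and supplementary groups
# are ignored, and uid 0 is approximated as full access.
perm_for() (
    path=$1; uid=$2; gid=$3
    st=$(stat -c '%a %u %g' "$path") || exit 1   # GNU stat, e.g. "700 0 0"
    set -- $st
    mode=$1; owner=$2; group=$3
    if [ "$uid" -eq 0 ]; then echo rwx; exit 0; fi
    # Pick the owner, group or other digit of the octal mode.
    if [ "$uid" -eq "$owner" ]; then d=$((mode / 100 % 10))
    elif [ "$gid" -eq "$group" ]; then d=$((mode / 10 % 10))
    else d=$((mode % 10)); fi
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    echo "$r$w$x"
)

# qvc_precheck MODULES_DIR SUDO_PATH UID GID -> one summary line
qvc_precheck() (
    m=$(perm_for "$1" "$3" "$4") || exit 1
    s=$(perm_for "$2" "$3" "$4") || exit 1
    lookup=no; insert=no; sudo_exec=no
    case $m in r?x) lookup=yes ;; esac     # reading files under a dir needs r and x
    case $m in ?wx) insert=yes ;; esac     # w+x, as the issue reports for insertion
    case $s in ??x) sudo_exec=yes ;; esac  # is sudo executable for this caller?
    echo "modules=$m lookup=$lookup insert=$insert sudo_exec=$sudo_exec"
)
```

Inside the template it can be called as `qvc_precheck /usr/lib/modules "$(command -v sudo)" "$(id -u)" "$(id -g)"`.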