Shared Folder does not work with Kicksecure

I have the following question: after I’ve distro-morphed my Debian host into Kicksecure, I cannot start Whonix WS with KVM anymore. The reason is the shared folder: “failed to open ‘/home/user/shared’: Permission denied”. Whonix WS can be started after removing the shared Filesystem. Permission was set as required: chmod 777 /home/user/shared.
Any suggestions?

Does anyone successfully use Kicksecure as a Host + Shared Folder with Whonix WS / KVM?

Here is a complete error message:

Error starting domain: internal error: qemu unexpectedly closed the monitor: 2021-08-02T19:29:55.777651Z qemu-system-x86_64: -device virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=shared,bus=pci.0,addr=0x8: cannot initialize fsdev 'fsdev-fs0': failed to open '/home/user/shared': Permission denied

Traceback (most recent call last):
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 75, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/asyncjob.py", line 111, in tmpcb
    callback(*args, **kwargs)
  File "/usr/share/virt-manager/virtManager/libvirtobject.py", line 66, in newfn
    ret = fn(self, *args, **kwargs)
  File "/usr/share/virt-manager/virtManager/domain.py", line 1400, in startup
    self._backend.create()
  File "/usr/lib/python3/dist-packages/libvirt.py", line 1080, in create
    if ret == -1: raise libvirtError ('virDomainCreate() failed', dom=self)
libvirt.libvirtError: internal error: qemu unexpectedly closed the monitor: 2021-08-02T19:29:55.777651Z qemu-system-x86_64: -device virtio-9p-pci,id=fs0,fsdev=fsdev-fs0,mount_tag=shared,bus=pci.0,addr=0x8: cannot initialize fsdev 'fsdev-fs0': failed to open '/home/user/shared': Permission denied

Consider this one until/if someone gets around it:

Are you running a distro with SELinux enabled?

No, I did not enable SELinux.
I’ve started with the standard Debian 10 Buster and the shared folder worked just fine.
After that I’ve converted Debian into Kicksecure as described here: /wiki/Kicksecure/Debian
After that Whonix Workstation could not be started anymore.
If I remove the shared Filesystem I can use Workstation again, but re-enabling the shared Filesystem makes Whonix Workstation unusable again.

I think Kicksecure tightens directory permissions more than plain Debian, and that would interfere with shared folder permissions.
cc/ @Patrick

/usr/lib/security-misc/permission-lockdown runs:

chmod o-rwx /home/user

chmod others (o) remove (-) permissions:

Which is very important for meaningful user separation.

Whonix KVM shared folder needs a cleaner solution. Putting it in user home folder /home/user/shared is unclean. Mentioned here:
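
Added example (not part of the thread, and not code from security-misc or Whonix): a shell check that shows why chmod 777 on /home/user/shared does not help once chmod o-rwx /home/user has run, by walking the path and reporting the first directory that "others" cannot enter. The function names are hypothetical. It assumes GNU stat, that the QEMU process is neither the owner nor in the group of these directories (so only the "others" bits apply), and it ignores ACLs and AppArmor.

```shell
#!/bin/sh
# others_bits DIR: print the "others" permission digit (0-7) of DIR.
others_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"        # last octal digit of the mode
}

# first_blocked TARGET [START]
# Walk from START (default /) down to TARGET. Print the first directory
# others cannot search (missing x), or TARGET itself if it lacks r or x.
# Returns 0 and prints nothing when the whole chain is open to others,
# 1 when a blocking directory was printed, 2 if stat failed.
first_blocked() {
    target=${1%/}
    cur=${2:-/}
    cur=${cur%/}
    case $target in
        "$cur"/*) rest=${target#"$cur"/} ;;
        *)        rest= ;;
    esac
    while :; do
        bits=$(others_bits "${cur:-/}") || return 2
        need=1                                  # x: traverse a parent
        if [ "$cur" = "$target" ]; then
            need=5                              # r+x: open the share itself
        fi
        if [ $(( bits & need )) -ne "$need" ]; then
            printf '%s\n' "${cur:-/}"
            return 1
        fi
        if [ -z "$rest" ]; then
            return 0
        fi
        part=${rest%%/*}                        # next path component
        cur=$cur/$part
        rest=${rest#"$part"}
        rest=${rest#/}
    done
}

# Usage: first_blocked /home/user/shared
```

On a host where permission-lockdown has run, this reports /home/user rather than the share, which is why the mode of /home/user/shared itself is irrelevant to the error.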