virtualbox: libkmod Permission denied & NS_ERROR_FAILURE (AppArmor) #5765

hotcapy · 2023-03-29T08:43:31Z

hotcapy
Mar 29, 2023

Good day to my new favorite customer support service :-)

My VirtualBox VMs are stored at /vbox/VMs directrory instead of default one.
${HOME}/.local/share/sync/whonix is Shared Folder for file transfer between VM filesystem and host.

Following the logic of default profiles, I blacklisted /vbox/VMs folder for any app using Firejail in disable-common.local:
blacklist /vbox/VMs

And then did the opposite for VirtualBox itself in virtualbox.local:

noblacklist /vbox/VMs
whitelist /vbox/VMs
whitelist ${HOME}/.local/share/sync/whonix

When I start VirtualBox, there are lots of errors about access to /sys/module/* in output:

[user@host ~]$ firejail VirtualBox
Reading profile /etc/firejail/VirtualBox.profile
Reading profile /etc/firejail/virtualbox.profile
Reading profile /home/user/.config/firejail/virtualbox.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/user/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1612, child pid 1613
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 62.93 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 176.72 ms
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_seq_dummy/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hrtimer/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_seq/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/tun/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nft_reject_ipv6/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nf_reject_ipv6/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nft_reject/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nft_ct/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nft_chain_nat/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nf_nat/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nf_conntrack/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nf_defrag_ipv6/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nf_defrag_ipv4/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nf_tables/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nfnetlink/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/rfkill/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nct6775/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nct6775_core/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/hwmon_vid/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/vfat/holders': Permission denied                                                                                                 
libkmod: kmod_module_get_holders: could not open '/sys/module/fat/holders': Permission denied                                                                                                  
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hda_codec_realtek/holders': Permission denied                                                                                
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hda_codec_generic/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/intel_rapl_msr/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/ledtrig_audio/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hda_codec_hdmi/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/intel_rapl_common/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/ucsi_ccg/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/typec_ucsi/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hda_intel/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_usb_audio/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/kvm_amd/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/roles/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_intel_dspcfg/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/ppdev/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/typec/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_usbmidi_lib/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hda_codec/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/kvm/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hwdep/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_hda_core/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/wmi_bmof/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_rawmidi/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/irqbypass/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/r8169/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/rapl/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_pcm/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_seq_device/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/realtek/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/sp5100_tco/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/pcspkr/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd_timer/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/mdio_devres/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/k10temp/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/i2c_piix4/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/snd/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/libphy/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/i2c_nvidia_gpu/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/soundcore/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/mc/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/parport_pc/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/mousedev/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/joydev/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/parport/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/gpio_amdpt/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/gpio_generic/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/acpi_cpufreq/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/mac_hid/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/vboxnetflt/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/vboxnetadp/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/vboxdrv/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/fuse/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/loop/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/ip_tables/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/x_tables/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/btrfs/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/blake2b_generic/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/xor/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/zlib_deflate/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/raid6_pq/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/libcrc32c/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/crc32c_generic/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/dm_crypt/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/cbc/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/encrypted_keys/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/trusted/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/asn1_encoder/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/tee/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nvidia_uvm/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nvidia_drm/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nvidia_modeset/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/video/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/usbhid/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nvidia/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/dm_mod/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/crct10dif_pclmul/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/crc32_pclmul/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/crc32c_intel/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/polyval_clmulni/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/polyval_generic/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/gf128mul/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/ghash_clmulni_intel/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nvme/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/sha512_ssse3/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/aesni_intel/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/crypto_simd/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/cryptd/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nvme_core/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/ccp/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/xhci_pci/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/xhci_pci_renesas/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/nvme_common/holders': Permission denied
libkmod: kmod_module_get_holders: could not open '/sys/module/wmi/holders': Permission denied

VirtualBox GUI works, but VM fails to start:

Powering VM up...

The VM session was aborted.

Result Code: NS_ERROR_FAILURE (0X80004005)
Component: Session Machine
Interface: |Session{c0447716-ff5a-4795-b57a-ecd5fffa18a4}

Unfortunately, I do not know much about filtering VMs logs from particular sessions (since there are several files), nor if them apply for immediately aborted start. If providing those will help troubleshoot, please let me know.

Answered by hotcapy

Apr 3, 2023

I finally discovered what caused this issue! Firejail profile is fine, it's due to my specific configuration.
As mentioned before, I use custom /vbox/VMs folder for storing my VMs instead of default one ~/VirtualBox VMs.

To make it work, I had to allow write access to /vbox directory in Firejail's AppArmor profile by adding the following line to /etc/apparmor.d/local/firejail-default file:

/{,run/firejail/mnt/oroot/}vbox/** w,

Now VMs successfully start with this virtualbox.local:

env LD_PRELOAD=/usr/lib/libhardened_malloc-light.so
ignore noblacklist ${HOME}/VirtualBox VMs
noblacklist /vbox/VMs
ignore mkdir ${HOME}/VirtualBox VMs
ignore whitelist ${HOME}/VirtualBox VMs
whitelist /vbox/VMs…

View full answer

glitsj16 · 2023-03-29T13:24:36Z

glitsj16
Mar 29, 2023
Collaborator

Firejail protects some /proc and /sys paths by default:

firejail/src/firejail/fs.c

Lines 739 to 745 in ab70db5

    
           disable_file(BLACKLIST_FILE, "/sys/firmware"); 
        
           disable_file(BLACKLIST_FILE, "/sys/hypervisor"); 
        
           { // allow user access to some directories in /sys/ by specifying 'noblacklist' option 
        
           	profile_add("blacklist /sys/fs"); 
        
           	profile_add("blacklist /sys/module"); 
        
           }

Try adding noblacklist /sys/module and check if that improves anything.

1 reply

hotcapy Mar 29, 2023
Author

It resolves mentioned errors in terminal output - now there are no errors in it at all.

But VM still can't start with same error code and "Aborted" status. Such failed start attempt not seem to create any new VBox.log files.

hotcapy · 2023-04-03T22:23:20Z

hotcapy
Apr 3, 2023
Author

I finally discovered what caused this issue! Firejail profile is fine, it's due to my specific configuration.
As mentioned before, I use custom /vbox/VMs folder for storing my VMs instead of default one ~/VirtualBox VMs.

To make it work, I had to allow write access to /vbox directory in Firejail's AppArmor profile by adding the following line to /etc/apparmor.d/local/firejail-default file:

/{,run/firejail/mnt/oroot/}vbox/** w,

Now VMs successfully start with this virtualbox.local:

env LD_PRELOAD=/usr/lib/libhardened_malloc-light.so
ignore noblacklist ${HOME}/VirtualBox VMs
noblacklist /vbox/VMs
ignore mkdir ${HOME}/VirtualBox VMs
ignore whitelist ${HOME}/VirtualBox VMs
whitelist /vbox/VMs
whitelist ${HOME}/.local/share/sync/whonix
whitelist ${HOME}/.config/lxqt

Without noblacklist /sys/module option there are still same errors in terminal output, but everything seem to work.
Can I safely ignore them, or it can affect security/performance and I should include this option again? Thanks!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

virtualbox: libkmod Permission denied & NS_ERROR_FAILURE (AppArmor) #5765

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

virtualbox: libkmod Permission denied & NS_ERROR_FAILURE (AppArmor) #5765

hotcapy Mar 29, 2023

Replies: 2 comments · 1 reply

glitsj16 Mar 29, 2023 Collaborator

hotcapy Mar 29, 2023 Author

hotcapy Apr 3, 2023 Author

hotcapy
Mar 29, 2023

Replies: 2 comments 1 reply

glitsj16
Mar 29, 2023
Collaborator

hotcapy Mar 29, 2023
Author

hotcapy
Apr 3, 2023
Author