AppArmor and Whonix

Whonix uses AppArmor (“Application Armor”) for better security.

Current status of AppArmor and Whonix:

– Non-Qubes-Whonix: AppArmor has been enabled by default for a while now. (https://github.com/Whonix/grub-enable-apparmor)
– Qubes-Whonix: requires some extra instructions to enable AppArmor, see: https://www.whonix.org/wiki/Qubes/AppArmor
– With AppArmor enabled, The Tor Project’s AppArmor profile for Tor is in use on Whonix-Gateway.
– We tweak that profile a bit to make it work with Whonix and obfsproxy. (https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/apparmor.d/local/system_tor.anondist)
– We don’t install any apparmor profiles by default as of Whonix 11.
– Since Whonix 10 we no longer install the profiles from Debian (packages apparmor-profiles, apparmor-profiles-extra) because of the noise they generate in the forums.
– We do not plan on installing AppArmor profiles by default for packages that are not developed under the Whonix umbrella, such as Tor Browser, pidgin, xchat, etc. (list: https://github.com/Whonix?utf8=%E2%9C%93&query=apparmor) – Upstream package upgrades that we don’t control could make it impossible to start the application or lead to fingerprinting issues; therefore installation of such AppArmor profiles is manual, for testers and advanced users.
– Upstreaming such profiles is a very time consuming and slow process (it requires a new stable Debian release). Help welcome.
– For AppArmor profiles developed under the Whonix umbrella, such as sdwdate and whonixcheck, we plan (for Whonix 13 or so) to deprecate the separate apparmor profile packages and install those profiles by default. That is doable because we control package upgrades.
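An added check, not code from the Whonix project, that a tester can run on Whonix-Gateway to confirm that AppArmor is enabled and that the system_tor profile (the one Whonix overrides via /etc/apparmor.d/local/system_tor) is loaded in enforce mode rather than complain mode. It reads the stock kernel interfaces /sys/module/apparmor/parameters/enabled and /sys/kernel/security/apparmor/profiles; the optional file arguments are there so the checks can also be exercised against constructed listings on a machine without AppArmor.

```shell
#!/bin/sh
# Added example (not Whonix project code): verify AppArmor is on and that
# system_tor is confined in enforce mode. Default paths are the stock kernel
# interfaces; both functions accept a file argument for testing.

# Print the mode ("enforce", "complain", ...) of a named profile, or "absent".
# $1 = profile name, $2 = profiles listing (default: kernel securityfs file,
# which has one "name (mode)" line per loaded profile).
profile_mode() {
    name=$1
    listing=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$listing" ] || { echo "absent"; return 1; }
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2; exit }' "$listing")
    if [ -z "$mode" ]; then
        echo "absent"
        return 1
    fi
    echo "$mode"
}

# Return 0 when AppArmor is enabled in the running kernel (file reads "Y").
# $1 = parameters file (default: the stock sysfs path).
apparmor_enabled() {
    param=${1:-/sys/module/apparmor/parameters/enabled}
    [ -r "$param" ] && [ "$(cat "$param")" = "Y" ]
}

# Return 0 only if AppArmor is on and system_tor is enforced; otherwise say why.
# $1 = profiles listing, $2 = parameters file (both optional, see above).
check_tor_confinement() {
    listing=$1; param=$2
    if ! apparmor_enabled "$param"; then
        echo "AppArmor is not enabled (on Qubes-Whonix follow the wiki steps to enable it)"
        return 1
    fi
    mode=$(profile_mode system_tor "$listing" || true)
    case $mode in
        enforce)  echo "system_tor is loaded in enforce mode"; return 0 ;;
        complain) echo "system_tor is loaded but only in complain mode"; return 2 ;;
        *)        echo "system_tor profile is not loaded ($mode)"; return 3 ;;
    esac
}
```

Run `check_tor_confinement` with no arguments on the Gateway to use the live kernel paths; a non-zero exit code tells you which precondition failed.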

The Whonix profiles can be installed with:

sudo apt-get install apparmor-profiles-whonix

AppArmor Whonix Wiki Page:
https://www.whonix.org/wiki/AppArmor

AppArmor Whonix Forum:
https://forums.whonix.org/c/apparmor

Apparmor Whonix Phabricator TODO List:
https://phabricator.whonix.org/tag/apparmor/

Comments / Forum Discussion:
https://forums.whonix.org/t/apparmor-and-whonix

Patrick Schleizer
Developer and maintainer at Whonix
Patrick started developing Whonix, the Anonymous Operating System, in 2012, and others quickly joined the effort. He gained experience working pseudonymously on Whonix for two years and enjoys collaboratively working on privacy preserving software.

Posted in Whonix Development News