AppArmor
Installation[edit]
It is recommended to install the available AppArmor profiles for improved security on the Whonix platform.
Introduction[edit]
 | Testers only! |
 | Qubes-Whonix users require some extra instructions for setting up AppArmor. Non-Qubes-Whonix users can skip this section. [1] |
If you are interested, click on Expand on the right.
The following steps should be completed in dom0 for both whonix-gw-14 and whonix-ws-14 TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[2] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway[edit]
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
qvm-prefs -g whonix-gw-14 kernelopts
Qubes R3.2 and later releases will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-14 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the sys-whonix ProxyVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Whonix-Workstation[edit]
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
qvm-prefs -g whonix-ws-14 kernelopts
Qubes R3.2 and later releases will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-14 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the anon-whonix AppVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
The profiles packages are available from Whonix's APT repository.
| Tip: It is strongly recommended to switch to the Whonix testers repository before installing profiles. The profiles in the stable repository are much older and have some issues. Note that switching to the testers repository will also update other packages from that same repository unless the user knows how to avoid this. [3] |
Enable the Whonix testers repository.
sudo whonix_repository --enable --repository testers
In Whonix-Workstation as well as on Whonix-Gateway.
Update the package lists.
sudo apt-get update
Install all AppArmor Profiles[edit]
The easiest method is to install all available AppArmor profiles. This can result in a few profiles being enforced for software that is not installed, but this will not have any adverse impacts.
sudo apt-get install apparmor-profiles-hardened-debian
Install Select AppArmor Profiles[edit]
Click on Expand on the right side.
Profile for Tor Browser. Useful in Whonix-Workstation. [4]
sudo apt-get install apparmor-profile-torbrowser
Profile for sdwdate. [5] Useful in Whonix-Gateway and Whonix-Workstation.
sudo apt-get install apparmor-profile-sdwdate
Profile for the HexChat Chat client. Useful in Whonix-Workstation.
sudo apt-get install apparmor-profile-xchat
Profile for the Mozilla Thunderbird E-Mail client. Useful in Whonix-Workstation.
sudo apt-get install apparmor-profile-icedove
Profile for whonixcheck. Useful in Whonix-Gateway and Whonix-Workstation.
sudo apt-get install apparmor-profile-whonixcheck
Profile for VirtualBox. This is useful on the host, but there are no documented instructions for this procedure yet. It is also useful if running VirtualBox inside VirtualBox.
sudo apt-get install apparmor-profile-virtualbox
Revert any Whonix Repository Change[edit]
If AppArmor profiles were installed from the testers repository, reverting to the stable repository is recommended.
sudo whonix_repository --enable --repository stable
Update the package lists.
sudo apt-get update
Profile Unloading[edit]
| Tip: Only complete these steps to disable an AppArmor profile. |
Click on expand on the right side.
To view the list of all available profiles, run.
ls /etc/apparmor.d/
Once the profile is loaded in the kernel, to remove it run.
sudo aa-disable /etc/apparmor.d/profile-name
This command expects the profile file to exist. This means if the profile has been deleted manually or via apt-get purge, it can only be unloaded by rebooting.
The name of the specific profile to unload must be known in advance; refer to the list further above.
Common Operations[edit]
Maintain a Functional Tor Browser[edit]
Tor Browser upgrades frequently break the Whonix AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix stable or even the developer version. This means manual profile fixes are required until the next Whonix version is released.
At the time of writing, Tor Browser is non-functional with the available profile in the repositories. Advanced users can follow these steps to rectify the problem.
1. Open a terminal in Whonix-Workstation TemplateVM.
whonix-ws-14 -> Konsole
2. List the available AppArmor profiles.
ls /etc/apparmor.d/
3. Edit the Tor Browser AppArmor profile.
Note: change the name of the file to match whatever version is installed on the system.
sudo nano /etc/apparmor.d/home.*.tor-browser_*Browser.firefox
4. Navigate to the Whonix Github resource for AppArmor.
The latest git commits can be found here.
Select Code -> etc/apparmor.d -> home.tor-browser.firefox
Select the Raw button on the right-hand side. [6]
| Users should check the profile text does not contain any unexpected content. For greater security, utilize a different viewer and/or retrieve the profile using git and perform git commit gpg verification. |
Cut and paste the profile text into the old Tor Browser profile which is open in nano. Save and exit.
5. Enforce the new Tor Browser profile.
Note: In the command below, change the name of the file to match whatever version is installed on the system.
In the Whonix-Workstation TemplateVM, run.
sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
6. Shutdown Whonix-Workstation TemplateVM and any running instances of Whonix-Workstation AppVM.
7. Restart the Whonix-Workstation AppVM.
Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored.
Profile: /home/**/tor-browser*/Browser/firefox Operation: open Name: /dev/ Denied: r Logfile: /var/log/kern.log For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
To manually check AppArmor is correctly running and enforced, in a terminal run.
sudo aa-status
The output should show the Tor Browser profile is loaded and in enforce mode.
Correcting Other Whonix AppArmor Profiles[edit]
Advanced users can follow the same method to resolve other AppArmor problems impacting full functionality of applications in Whonix. For instance, in Whonix 13 the whonixcheck AppArmor profile caused continuous "denied" messages in Qubes-Whonix. Resolving this was quite simple: [7]
- Navigate to the raw updated whonixcheck profile.
- In both the Whonix-Gateway (
whonix-gw-14) and Whonix-Workstation (whonix-ws-14) TemplateVMs, replace the existing content in /etc/apparmor.d/usr.bin.whonixcheck with the updated github content. - Shutdown both TemplateVMs and any running instances of
sys-whonixandanon-whonix. - Restart the
sys-whonixandanon-whonixAppVMs.
Inspecting and Disabling AppArmor Notifications[edit]
From Whonix 14, apparmor-notify is no longer installed by default. This means desktop notifications will not appear concerning AppArmor denied messages, which are stored in /var/log/audit/audit.log [8] [9] [10]
Inspect Notifications[edit]
To inspect relevant logs, run.
Open /var/log/audit/audit.log in an editor with root rights.
If you are using a graphical Whonix or Qubes-Whonix with KDE, run.
kdesudo kwrite /var/log/audit/audit.log
If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.
kdesudo mousepad /var/log/audit/audit.log
If you are using a terminal-only Whonix, run.
sudo nano /var/log/audit/audit.log
To show denied AppArmor messages of any age, run.
sudo cat /var/log/audit/audit.log | grep -i DENIED
It is possible to keep watching the file as it is appended. This is useful for reproducing AppArmor denied messages and testing amended profiles.
sudo tail -f /var/log/audit/audit.log | grep --line-buffered DENIED
Disable Notifications[edit]
If users installed apparmor-notify manually, then some applications may be functional, but AppArmor "denied" messages can constantly appear on the desktop. Rather than updating the relevant AppArmor profile(s), it is possible to disable notifications.
In the offending Whonix (App)VM, launch Konsole and run.
sudo killall aa-notify
To revert this change, reboot the VM.
More Profiles[edit]
Users can also utilize profiles by other vendors, but this is unsupported by Whonix developers. It is not necessary to install an AppArmor profile for applications that will not be used. For example, it is unnecessary to install the dovecot AppArmor profile if it will never be run.
- Debian has packages that you can be easily installed from the apt repository.
- Ubuntu also provides profiles. These are not so easy to download as a package to be installed in Debian. The profiles may or may not differ or complement those profiles listed further above.
Support[edit]
- Need help? Visit the Whonix AppArmor Forum.
- Profile Creation Advice.
Development[edit]
Footnotes[edit]
- ↑ Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.
- ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
- ↑ Broken link: https://www.whonix.org/old-forum/index.php/topic,1548.0.html
- ↑ Tor Browser is installed by tb-updater; the latter is a default Whonix application.
- ↑ The network time sync is installed in Whonix by default.
- ↑ Otherwise essential profile formatting might break, or unwanted content (such as line numbers) might be copied inadvertently, causing the profile to become non-functional.
- ↑ This issue was fixed in the Whonix 14 release.
- ↑ To install it, run:
sudo apt-get update && sudo apt-get install apparmor-notify - ↑ https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563
- ↑ The Debian default location is /var/log/kern.log
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables. Please come and introduce yourself in the development forum.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)
Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.
Enable comment auto-refresher