AppArmor
Introduction[edit]
According to debian.org: [1]
AppArmor is a Mandatory Access Control framework. When enabled, AppArmor confines programs according to a set of rules that specify what files a given program can access. This proactive approach helps protect the system against both known and unknown vulnerabilities.
Whonix ™ developer madaidan has noted:
[2]
Mandatory access control (MAC) systems give fine-grained control over what programs can access. This means that your browser won't have access to your entire home directory or similarly. The most used MAC systems are SELinux and AppArmor. SELinux is a lot more secure than AppArmor as it is more fine-grained. For example, it's inode-based rather than path-based, allows enforcing significantly stronger restrictions
, can filter kernel ioctls
and much more. Unfortunately, this comes at the cost of being much more difficult to use and harder to learn so AppArmor may be preferred by some.
AppArmor provides a number of advantages: [3]
- It protects the operating system and applications from external or internal threats, including zero-day attacks.
- "Good behavior" is enforced and it mitigates exploits via unknown application flaws.
- AppArmor security policies define the system resources that individual applications can access, and with what privileges. For instance:
- Network access.
- Raw socket access.
- Read, write or execute file permissions on specific paths.
Some AppArmor profiles for some default installed applications such as Tor, sdwdate and kloak are enforced by default. To see which, run.
More AppArmor profiles are available for testers.
Installation[edit]
It is recommended to use the Whonix ™ AppArmor profiles which are available for various programs that run in both Whonix-Gateway ™ and Whonix-Workstation ™, such as Tor, Tor Browser, Thunderbird and more. The profiles are easy to apply and provide a considerable security benefit.
Qubes Users Note[edit]
Qubes-Whonix ™ users require some extra steps to set up AppArmor. Non-Qubes-Whonix ™ users can skip this section.
[4]
[5]
If you are interested, click on Expand on the right.
- Qubes R4.0: Opt-in. If you are interested, follow the steps below.
- Qubes R4.1: Default. No extra steps required.
The following steps should be completed in dom0
for both whonix-gw-16
and whonix-ws-16
Templates. [6] After these settings are applied to the Whonix ™ templates, the sys-whonix
(ProxyVM) and anon-whonix
(App Qube) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix
and anon-whonix
App Qubes to benefit from the new kernel parameters. [7] It is also important to verify AppArmor is active in the sys-whonix
and anon-whonix
VMs after making these changes.
Whonix-Gateway ™[edit]
1. Open a dom0
terminal.
Qubes App Launcher (blue/grey "Q")
→ System Tools
→ Xfce Terminal
2. List the current kernel parameters.
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor
.
For example.
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the sys-whonix
ProxyVM and confirm AppArmor is now active.
The output should show.
0
Whonix-Workstation ™[edit]
1. Open a dom0
terminal.
Qubes App Launcher (blue/grey "Q")
→ System Tools
→ Xfce Terminal
2. List the current kernel parameters.
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor
.
For example.
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the anon-whonix
App Qube and confirm AppArmor is now active.
The output should show.
0
Install all AppArmor Profiles[edit]
Installation[edit]
The easiest method is to install all available AppArmor profiles. This can result in a few profiles being enforced for software that is not installed, but this will not have any adverse impacts.
At time of writing it is not required to change Whonix ™ APT repository.
Install package(s) apparmor-utils apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure
.
A. Update the package lists and upgrade the system.
B. Install the apparmor-utils apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure
package(s).
Using apt
command line parameter --no-install-recommends
is in most cases optional.
C. Done.
The procedure of installing package(s) apparmor-utils apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure
is complete.
Enabling[edit]
Some profiles in the apparmor-profiles
and apparmor-profiles-extra
packages are not enforced by default because the Debian maintainers do not believe they are mature enough. [8]
apparmor-profiles provides various experimental AppArmor profiles. Do not expect these profiles to work out-of-the-box.
These profiles are not mature enough to be shipped in enforce mode by default on Debian. They are shipped in complain mode so that users can test them, choose which are desired, and help improve them upstream if needed.
Some even more experimental profiles are included in folder
/usr/share/apparmor/extra-profiles
.
1. Check which profiles are in complain mode (not actually providing protection) and which are in enforce mode (providing actual protection).
Run.
2. Locate the profile to enable.
To enable a profile which is currently in complain mode, locate it in folder /etc/apparmor.d
.
3. Enable the profile.
After locating the relevant profile, enable it. For example.
(The following example is already enforced by default if installed as per above.)
It might be inadvisable or unsuitable to enable all available AppArmor profiles.
4. Inspect other available AppArmor profiles.
The /usr/share/apparmor/extra-profiles
folder has additional AppArmor profiles.
5. Copy relevant AppArmor profiles.
If any of these applications are in use, copy the profile over to folder /etc/apparmor.d
. Example.
6. Enable the additional profile(s).
Example.
Install Select AppArmor Profiles[edit]
Click on Expand on the right side.
Update your package lists.
apparmor-profiles
apparmor-profiles-extra
Profile for Tor Browser. Useful in Whonix-Workstation ™. [9]
Profile for the HexChat client. Useful in Whonix-Workstation ™. (Soon to be renamed apparmor-profile-hexchat
.)
Profile for the Mozilla Thunderbird E-Mail client. Useful in Whonix-Workstation ™. (Soon to be renamed apparmor-profile-thunderbird
.)
Profile Unloading[edit]
The name of the specific profile to unload must be known in advance; refer to the list above.
If it is necessary to disable an AppArmor profile, first list those which are available.
Or.
Once a profile is loaded in the kernel, it can be easily removed.
This command expects the profile file to exist, so if it has been manually deleted or removed via apt purge
, it can only be unloaded by rebooting.
Common Operations[edit]
Maintain Tor Browser Functionality[edit]
Tor Browser upgrades frequently break the Whonix ™ AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in forums.whonix.org, most often updated, fixed packages are immediately made available to Whonix ™ stable or even the developer version.
If Tor Browser is non-functional with the available AppArmor profile, follow these steps to rectify the problem.
1. Open a terminal in Whonix-Workstation ™ (whonix-ws-16
).
whonix-ws-16
→ Xfce Terminal
2. List the available AppArmor profiles.
3. Edit the Tor Browser AppArmor profile.
Note: change the name of the file to match whatever version is installed on the system.
4. Navigate to the Whonix ™ Github resource for AppArmor.
The latest git commits can be found here.
Select Code
→ etc/apparmor.d
→ home.tor-browser.firefox
Select the Raw
button on the right-hand side. [10]
It is recommended to check the profile does not contain any unexpected content. For greater security, utilize a different viewer and/or retrieve the profile using git and perform git commit gpg verification.
Cut and paste the profile text into the old Tor Browser profile which is open in nano. Save and exit.
5. Enforce the new Tor Browser profile.
In the command below, change the name of the file to match whatever version is installed on the system.
In Whonix-Workstation ™ (whonix-ws-16
), run.
6. Shutdown Whonix-Workstation ™ (whonix-ws-16
).
7. Restart Whonix-Workstation ™ (anon-whonix
).
Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored.
Profile: /etc/apparmor.d/home.tor-browser.firefox Operation: open Name: /dev/ Denied: r Logfile: /var/log/kern.log For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
8. Manually check AppArmor is correctly running and enforced.
In a terminal, run.
The output should show the Tor Browser profile is loaded and in enforce mode.
Correcting Other Whonix ™ AppArmor Profiles[edit]
The same method can be used to resolve other AppArmor problems impacting full functionality of applications in Whonix ™. For instance, the [[systemcheck
]] AppArmor profile previously caused continuous "denied" messages in Qubes-Whonix ™. [11] Correcting this issue was quite simple: [12]
- Navigate to the raw, updated
systemcheck
profile.
- Replace the existing content in
/etc/apparmor.d/usr.bin.systemcheck
with the updated github content, in both Templateswhonix-gw-16
andwhonix-ws-16
. - Shut down both Templates and any running instances of
sys-whonix
andanon-whonix
. - Restart
sys-whonix
andanon-whonix
.
AppArmor Notifications[edit]
apparmor-info[edit]
apparmor-info
is a helper utility to simplify viewing AppArmor logs. It parses AppArmor logs, hides unnecessary information [13] and removes duplicates.
apparmor-notify[edit]
apparmor-notify is not installed by default. [14] By installing it, desktop notifications would appear concerning AppArmor denied messages, which are stored in file
/var/log/kern.log
.
To install:
Install package(s) apparmor-notify
.
A. Update the package lists and upgrade the system.
B. Install the apparmor-notify
package(s).
Using apt
command line parameter --no-install-recommends
is in most cases optional.
C. Done.
The procedure of installing package(s) apparmor-notify
is complete.
If apparmor-notify
is manually installed, then on occasion an application may be functional but AppArmor "denied" messages constantly appear. Rather than updating the relevant AppArmor profile(s), it is possible to disable notifications instead.
In the offending Whonix ™ (App)VM, launch Xfce Terminal and run.
To revert this change, reboot the VM.
Manual Notifications Inspection[edit]
Use of apparmor-info
is simpler.
1. Manually inspect relevant logs.
Open file /var/log/kern.log
in an editor with administrative (root) write permissions.
This box uses sudoedit
for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link
.
2. Show denied AppArmor messages of any age.
Run.
3. Optional: Keep watching the file as it is appended.
This is useful for reproducing AppArmor denied messages and testing amended profiles.
More Profiles[edit]
It is possible to utilize profiles by other vendors, but this is unsupported by Whonix ™ developers. As a reminder, it is not necessary to install AppArmor profiles for any applications that are unlikely to be used (such as dovecot). Additional options include:
- Debian has packages that can be easily installed via the APT package manager
.
- Ubuntu also provides profiles
. It is not easy to download these as a package to be installed in Debian. Further, the profiles may or may not differ from (or complement) profiles listed earlier.
- Advanced users can attempt to create additional, strict AppArmor profiles by executing: [2]
Then open the program and use it as normal. AppArmor detects which files need to be accessed and adds them to the profile if you choose. This is insufficient for high quality profiles though; refer to the AppArmor documentation for further details.
Fix Profiles[edit]
1. Put folder /etc/apparmor.d
under git version control.
Git is a useful tool to record which files in a folder changed in what way.
Git setup for folder /etc/apparmor.d
.
Install package(s) git
.
A. Update the package lists and upgrade the system.
B. Install the git
package(s).
Using apt
command line parameter --no-install-recommends
is in most cases optional.
C. Done.
The procedure of installing package(s) git
is complete.
Change directory to folder /etc/apparmor.d
.
Initialize git in that folder.
Git needs an e-mail address. That e-mail address doesn't need to actually exist. That e-mail address would appear in git commit change logs if that git repository was ever pushed to any remote. If only used locally, the default you@example.com
could be kept. Otherwise, the user may change you@example.com
to any e-mail address of their choice.
Git needs an name. That name address doesn't need to actually exist. That name would appear in git commit change logs if that git repository was ever pushed to any remote. If only used locally, the default Your Name
could be kept. Otherwise, the user may change Your Name
to any name of their choice.
Add all files in that folder to git.
Commit all files to git. [15]
2. Use aa-logprof
to correct any AppArmor denied or allowed messages. [16]
3. Re-run any applications that had any AppArmor issues.
4. Repeat step 2 and 3 until there are no new AppArmor denied or allowed messages.
5. See which files were modified by aa-logprof
.
From the same folder.
6. Submit fixes to developers.
Ideally to github or gitlab.
- https://github.com/Whonix?q=apparmor&type=&language=&sort=
- https://gitlab.com/whonix?filter=apparmor
- Related: Search the Source Code and Find Files.
- In doubt ask in https://forums.whonix.org/c/apparmor/14
.
Support[edit]
- Need help? Visit the Whonix ™ AppArmor Forum
- Profile Creation Advice
Development[edit]
Footnotes[edit]
This box Expand All
is mostly useful for wiki editors. Users can safely ignore it.
- ↑
https://wiki.debian.org/AppArmor
- ↑ 2.0 2.1 https://madaidans-insecurities.github.io/guides/linux-hardening.html#mac
- ↑
http://wiki.apparmor.net/index.php/Main_Page
- ↑ Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.
- ↑ Advanced users attempting to enable SE Linux instead would utilize the following parameters in this section:
selinux=1 security=selinux
- ↑
Debian has enabled AppArmor by default since the
buster
release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses thedom0
(not VM) kernel by default. Therefore this step is still required even though Whonix ™ is based on a recent enough Debian version. - ↑ Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template
.
- ↑
https://packages.debian.org/bullseye/apparmor-profiles
- ↑ Tor Browser is installed by tb-updater; the latter is a default Whonix ™ application.
- ↑ Otherwise essential profile formatting might break or unwanted content (such as line numbers) might be copied inadvertently, leading to a non-functional profile.
- ↑ In Whonix ™ 13.
- ↑ This issue was fixed in the Whonix ™ 14 release.
- ↑
Jul 18 13:50:28 host kernel: [ 117.212029] audit: type=1400 audit(1626616228.947:23):
- ↑
https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563
- ↑
Commits all files to git with commit message
.
for simplicity. Commit message could also be something else such as{{{sudo_maybe}}} git commit -a -m "initial commit"
. - ↑
https://gitlab.com/apparmor/apparmor/-/issues/200#note_685907209