- 1 Installation
- 2 Common Operations
- 3 Support
- 4 Development
- 5 Footnotes
It is recommended to install the available AppArmor profiles for improved security on the Whonix ™ platform.
Qubes Users Note
If you are interested, click on Expand on the right.
- Complete these instructions in dom0 for both
- After changes are made to the Whonix ™ templates, the
anon-whonix(AppVM) will inherit the AppArmor kernel settings.
anon-whonixTemplateBasedVMs do not need to be recreated to benefit from the new kernel parameters. 
- Verify AppArmor is active in both
anon-whonixafter changes are made.
Install all AppArmor Profiles
The easiest method is to install all available AppArmor profiles. This can result in a few profiles being enforced for software that is not installed, but this will not have any adverse impacts.
sudo apt-get install apparmor-profiles-hardened-debian
Install Select AppArmor Profiles
Click on Expand on the right side.
sudo apt-get install apparmor-profile-torbrowser
Profile for the HexChat client. Useful in Whonix-Workstation ™.
sudo apt-get install apparmor-profile-xchat
sudo apt-get install apparmor-profile-icedove
Profile for VirtualBox. This is useful on the host, but instructions are not available for this procedure. It is also useful if running VirtualBox inside VirtualBox.
sudo apt-get install apparmor-profile-virtualbox
The name of the specific profile to unload must be known in advance; refer to the list further above.
If it is necessary to disable an AppArmor profile, first list those which are available.
Once a profile is loaded in the kernel, it can be easily removed.
sudo aa-disable /etc/apparmor.d/profile-name
This command expects the profile file to exist, so if it has been manually deleted or removed via apt-get purge, it can only be unloaded by rebooting.
Maintain Tor Browser Functionality
Tor Browser upgrades frequently break the Whonix ™ AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix ™ stable or even the developer version. This means manual profile fixes are often required until the next Whonix ™ version is released.
If Tor Browser is non-functional with the available AppArmor profile, follow these steps to rectify the problem.
Correcting Other Whonix ™ AppArmor Profiles
The same method can be used to resolve other AppArmor problems impacting full functionality of applications in Whonix ™. For instance, in Whonix ™ 13 the
whonixcheck AppArmor profile caused continuous "denied" messages in Qubes-Whonix ™. Correcting this issue was quite simple: 
- Navigate to the raw, updated whonixcheck profile.
- Replace the existing content in /etc/apparmor.d/usr.bin.whonixcheck with the updated github content, in both TemplateVMs
- Shut down both TemplateVMs and any running instances of
Inspecting and Disabling AppArmor Notifications
From Whonix ™ 14, apparmor-notify is no longer installed by default. This means desktop notifications will not appear concerning AppArmor denied messages, which are stored in /var/log/audit/audit.log   
To inspect relevant logs, run.
Open /var/log/audit/audit.log in an editor with root rights.
To show denied AppArmor messages of any age, run.
sudo cat /var/log/audit/audit.log | grep -i DENIED
It is possible to keep watching the file as it is appended. This is useful for reproducing AppArmor denied messages and testing amended profiles.
sudo tail -f /var/log/audit/audit.log | grep --line-buffered DENIED
If apparmor-notify is manually installed, then on occasion an application may be functional but AppArmor "denied" messages constantly appear. Rather than updating the relevant AppArmor profile(s), it is possible to disable notifications instead.
In the offending Whonix ™ (App)VM, launch Konsole and run.
sudo killall aa-notify
To revert this change, reboot the VM.
It is possible to utilize profiles by other vendors, but this is unsupported by Whonix ™ developers. As a reminder, it is not necessary to install AppArmor profiles for any applications that are unlikely to be used (such as dovecot). Additional options include:
- Debian has packages that can be easily installed via the APT package manager.
- Ubuntu also provides profiles. It is not easy to download these as a package to be installed in Debian. Further, the profiles may or may not differ from (or complement) profiles listed earlier.
- Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.
- Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
- Hit the up arrow key twice; it is unnecessary to type the command again.
- Tor Browser is installed by tb-updater; the latter is a default Whonix ™ application.
- Otherwise essential profile formatting might break or unwanted content (such as line numbers) might be copied inadvertently, leading to a non-functional profile.
- This issue was fixed in the Whonix ™ 14 release.
- To install it, run:
sudo apt-get update && sudo apt-get install apparmor-notify
- The Debian default location is /var/log/kern.log
No user support in comments. See Support.
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)