AppArmor
From Whonix
Introduction[edit]
According to debian.org: [1]
AppArmor is a Mandatory Access Control framework. When enabled, AppArmor confines programs according to a set of rules that specify what files a given program can access. This proactive approach helps protect the system against both known and unknown vulnerabilities.
AppArmor provides a number of advantages: [2]
- It protects the operating system and applications from external or internal threats, including zero-day attacks.
- "Good behavior" is enforced and it mitigates exploits via unknown application flaws.
- AppArmor security policies define the system resources that individual applications can access, and with what privileges. For instance:
- Network access.
- Raw socket access.
- Read, write or execute file permissions on specific paths.
Some AppArmor profiles for some default applications such as Tor are enforced by default. To see which, run.
sudo aa-status
More AppArmor profiles are available for testers.
Installation[edit]
Testers only!
It is recommended to use the Whonix ™ AppArmor [archive] profiles which are available for various programs that run in both Whonix-Gateway ™ and Whonix-Workstation ™, such as Tor, Tor Browser, Thunderbird and more. The profiles are easy to apply and provide a considerable security benefit.
Qubes Users Note[edit]
Qubes-Whonix ™ users require some extra steps to set up AppArmor. Non-Qubes-Whonix ™ users can skip this section. [3]
If you are interested, click on Expand on the right.
The following steps should be completed in dom0 for both whonix-gw-15 and whonix-ws-15 TemplateVMs. [4] After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[5] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-gw-15 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.
For example.
qvm-prefs -s whonix-gw-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-15 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the sys-whonix ProxyVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Whonix-Workstation ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-ws-15 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.
For example.
qvm-prefs -s whonix-ws-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-15 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the anon-whonix AppVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Install all AppArmor Profiles[edit]
Installation[edit]
The easiest method is to install all available AppArmor profiles. This can result in a few profiles being enforced for software that is not installed, but this will not have any adverse impacts.
At time of writing it is not required to change Whonix ™ APT repository.
Install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure.
1. Update the package lists.
sudo apt-get update
2. Upgrade the system.
sudo apt-get dist-upgrade
3. Install the apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure package.
sudo apt-get install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure
The procedure of installing apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure is complete.
Enabling[edit]
Some profiles in the apparmor-profiles and apparmor-profiles-extra packages are not enforced by default because the Debian maintainers do not believe they are mature enough. [6]
apparmor-profiles provides various experimental AppArmor profiles. Do not expect these profiles to work out-of-the-box.
These profiles are not mature enough to be shipped in enforce mode by default on Debian. They are shipped in complain mode so that users can test them, choose which are desired, and help improve them upstream if needed.
Some even more experimental profiles are included in folder
/usr/share/apparmor/extra-profiles.
To see which profiles are in complain mode (not actually providing protection) and which are in enforce mode (providing actual protection), run.
sudo aa-status
To enable a profile which is currently in complain mode you need to find it in folder /etc/apparmor.d.
ls /etc/apparmor.d
And then enable. For example.
(The following example is already enforced by default if installed as per above.)
sudo aa-enforce /etc/apparmor.d/home.tor-browser.firefox
It might not be advisable or useful to enable all available AppArmor profiles.
Next see the contents of folder /usr/share/apparmor/extra-profiles to see what other AppArmor profiles are available.
ls /usr/share/apparmor/extra-profiles
If you are using any of these applications, copy the profile over to folder /etc/apparmor.d. Example.
sudo cp /usr/share/apparmor/extra-profiles/bin.netstat /etc/apparmor.d
And then enable it. Example.
sudo aa-enforce /etc/apparmor.d/bin.netstat
Install Select AppArmor Profiles[edit]
Click on Expand on the right side.
Update your package lists.
sudo apt-get update
apparmor-profiles
sudo apt-get install apparmor-profiles
apparmor-profiles-extra
sudo apt-get install apparmor-profiles-extra
Profile for Tor Browser. Useful in Whonix-Workstation ™. [7]
sudo apt-get install apparmor-profile-torbrowser
Profile for the HexChat client. Useful in Whonix-Workstation ™. (Soon renamed to apparmor-profile-hexchat.)
sudo apt-get install apparmor-profile-xchat
Profile for the Mozilla Thunderbird E-Mail client. Useful in Whonix-Workstation ™. (Soon renamed to apparmor-profile-thunderbird.)
sudo apt-get install apparmor-profile-icedove
Profile Unloading[edit]
The name of the specific profile to unload must be known in advance; refer to the list above.
If it is necessary to disable an AppArmor profile, first list those which are available.
ls /etc/apparmor.d/
Or.
sudo aa-status
Once a profile is loaded in the kernel, it can be easily removed.
sudo aa-disable /etc/apparmor.d/profile-name
This command expects the profile file to exist, so if it has been manually deleted or removed via apt-get purge, it can only be unloaded by rebooting.
Common Operations[edit]
Maintain Tor Browser Functionality[edit]
Tor Browser upgrades frequently break the Whonix ™ AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix ™ stable or even the developer version. This means manual profile fixes are often required until the next Whonix ™ version is released.
If Tor Browser is non-functional with the available AppArmor profile, follow these steps to rectify the problem.
1. Open a terminal in Whonix-Workstation ™ (whonix-ws-15).
whonix-ws-15 → Xfce Terminal
2. List the available AppArmor profiles.
ls /etc/apparmor.d/
3. Edit the Tor Browser AppArmor profile.
Note: change the name of the file to match whatever version is installed on the system.
sudoedit /etc/apparmor.d/home.tor-browser.firefox
4. Navigate to the Whonix ™ Github resource for AppArmor.
The latest git commits can be found here [archive].
Select Code → etc/apparmor.d → home.tor-browser.firefox
Select the Raw button on the right-hand side. [8]
It is recommended to check the profile does not contain any unexpected content. For greater security, utilize a different viewer and/or retrieve the profile using git and perform git commit gpg verification.
Cut and paste the profile text into the old Tor Browser profile which is open in nano. Save and exit.
5. Enforce the new Tor Browser profile.
In the command below, change the name of the file to match whatever version is installed on the system.
In Whonix-Workstation ™ (whonix-ws-15), run.
sudo aa-enforce /etc/apparmor.d/home.tor-browser.firefox
6. Shutdown Whonix-Workstation ™ (whonix-ws-15).
7. Restart Whonix-Workstation ™ (anon-whonix).
Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored.
Profile: /etc/apparmor.d/home.tor-browser.firefox Operation: open Name: /dev/ Denied: r Logfile: /var/log/kern.log For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
8. Manually check AppArmor is correctly running and enforced.
In a terminal, run.
sudo aa-status
The output should show the Tor Browser profile is loaded and in enforce mode.
Correcting Other Whonix ™ AppArmor Profiles[edit]
The same method can be used to resolve other AppArmor problems impacting full functionality of applications in Whonix ™. For instance, the whonixcheck AppArmor profile previously caused continuous "denied" messages in Qubes-Whonix ™. [9] Correcting this issue was quite simple: [10]
- Navigate to the raw, updated whonixcheck profile [archive].
- Replace the existing content in /etc/apparmor.d/usr.bin.whonixcheck with the updated github content, in both TemplateVMs
whonix-gw-15andwhonix-ws-15. - Shut down both TemplateVMs and any running instances of
sys-whonixandanon-whonix. - Restart
sys-whonixandanon-whonix.
Inspecting and Disabling AppArmor Notifications[edit]
apparmor-notify [archive] is no longer installed by default. This means desktop notifications will not appear concerning AppArmor denied messages, which are stored in /var/log/kern.log. [11] [12]
Inspect Notifications[edit]
To inspect relevant logs, run.
Open file /var/log/kern.log in an editor with root rights.
(Qubes-Whonix ™: In TemplateVM)
This box uses sudoedit for better security [archive]. This is an example and other tools could also achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.
sudoedit /var/log/kern.log
To show denied AppArmor messages of any age, run.
sudo cat /var/log/kern.log | grep -i DENIED
It is possible to keep watching the file as it is appended. This is useful for reproducing AppArmor denied messages and testing amended profiles.
sudo tail -f /var/log/kern.log | grep --line-buffered DENIED
Disable Notifications[edit]
If apparmor-notify is manually installed, then on occasion an application may be functional but AppArmor "denied" messages constantly appear. Rather than updating the relevant AppArmor profile(s), it is possible to disable notifications instead.
In the offending Whonix ™ (App)VM, launch Xfce Terminal and run.
sudo killall aa-notify
To revert this change, reboot the VM.
More Profiles[edit]
It is possible to utilize profiles by other vendors, but this is unsupported by Whonix ™ developers. As a reminder, it is not necessary to install AppArmor profiles for any applications that are unlikely to be used (such as dovecot). Additional options include:
- Debian has packages that can be easily installed via the APT package manager [archive].
- Ubuntu also provides profiles [archive]. It is not easy to download these as a package to be installed in Debian. Further, the profiles may or may not differ from (or complement) profiles listed earlier.
Support[edit]
- Need help? Visit the Whonix ™ AppArmor Forum [archive]
- Profile Creation Advice [archive]
Development[edit]
Footnotes[edit]
- ↑ https://wiki.debian.org/AppArmor [archive]
- ↑ http://wiki.apparmor.net/index.php/Main_Page [archive]
- ↑ Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.
- ↑
While Debian enabled AppArmor by default since Debian
buster, Fedora does not. This matters since Qubes, which is Fedora based, by default uses dom0, not VM kernel. Therefore this is still required even though Whonix is based on a recent enough Debian version. - ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM [archive].
- ↑ https://packages.debian.org/buster/apparmor-profiles [archive]
- ↑ Tor Browser is installed by tb-updater; the latter is a default Whonix ™ application.
- ↑ Otherwise essential profile formatting might break or unwanted content (such as line numbers) might be copied inadvertently, leading to a non-functional profile.
- ↑ In Whonix ™ 13.
- ↑ This issue was fixed in the Whonix ™ 14 release.
- ↑
To install it, run:
sudo apt-get update && sudo apt-get install apparmor-notify. - ↑ https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563 [archive]
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier
Please consider a recurring donation [archive]!
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.