Actions

AppArmor

From Whonix


Installation[edit]

Exterimental AppArmor Profile Warning Testers only!

It is recommended to install the available AppArmor profiles for improved security on the Whonix ™ platform.

Qubes Users Note[edit]

Qubes-Whonix ™ Note Qubes-Whonix ™ users require some extra steps to set up AppArmor. Non-Qubes-Whonix ™ users can skip this section. [1]

If you are interested, click on Expand on the right.

Note:

  • Complete these instructions in dom0 for both whonix-gw-15 and whonix-ws-15 TemplateVMs.
  • After changes are made to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.
    • The sys-whonix and anon-whonix TemplateBasedVMs do not need to be recreated to benefit from the new kernel parameters. [2]
  • Verify AppArmor is active in both sys-whonix and anon-whonix after changes are made.

Whonix-Gateway ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters. 

qvm-prefs -g whonix-gw-15 kernelopts

Qubes R4.0 and later releases will show.

nopat

3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.

For example. 

qvm-prefs -s whonix-gw-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the kernel parameters again. [3] 

qvm-prefs -g whonix-gw-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start sys-whonix ProxyVM and confirm AppArmor is active. 

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters. 

qvm-prefs -g whonix-ws-15 kernelopts

Qubes R4.0 and later releases will show.

nopat

3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.

For example. 

qvm-prefs -s whonix-ws-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again. [3] 

qvm-prefs -g whonix-ws-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start anon-whonix AppVM and confirm AppArmor is active. 

sudo aa-status --enabled ; echo $?

The output should show.

0

Install all AppArmor Profiles[edit]

The easiest method is to install all available AppArmor profiles. This can result in a few profiles being enforced for software that is not installed, but this will not have any adverse impacts. 

sudo apt-get install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure

Some profiles in the apparmor-profiles and apparmor-profiles-extra packages are not enforced by default as the Debian maintainers believe them to not be mature enough. [4] You can manually enforce all profiles by running 

sudo aa-enforce /etc/apparmor.d/*

More AppArmor profiles can be found in /usr/share/apparmor/extra-profiles/ although these AppArmor profiles are experimental and may not work.

Install Select AppArmor Profiles[edit]

Click on Expand on the right side.

Profile for Tor Browser. Useful in Whonix-Workstation ™. [5] 

sudo apt-get install apparmor-profile-torbrowser

Profile for the HexChat client. Useful in Whonix-Workstation ™. 

sudo apt-get install apparmor-profile-xchat

Profile for the Mozilla Thunderbird E-Mail client. Useful in Whonix-Workstation ™. 

sudo apt-get install apparmor-profile-icedove

Profile for VirtualBox. This is useful on the host, but instructions are not available for this procedure. It is also useful if running VirtualBox inside VirtualBox. 

sudo apt-get install apparmor-profile-virtualbox

Profile Unloading[edit]

The name of the specific profile to unload must be known in advance; refer to the list further above.

If it is necessary to disable an AppArmor profile, first list those which are available. 

ls /etc/apparmor.d/

Once a profile is loaded in the kernel, it can be easily removed. 

sudo aa-disable /etc/apparmor.d/profile-name

This command expects the profile file to exist, so if it has been manually deleted or removed via apt-get purge, it can only be unloaded by rebooting.

Common Operations[edit]

Maintain Tor Browser Functionality[edit]

Tor Browser upgrades frequently break the Whonix ™ AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix ™ stable or even the developer version. This means manual profile fixes are often required until the next Whonix ™ version is released.

If Tor Browser is non-functional with the available AppArmor profile, follow these steps to rectify the problem.

1. Open a terminal in Whonix-Workstation ™ (whonix-ws-15).

whonix-ws-15Konsole

2. List the available AppArmor profiles. 

ls /etc/apparmor.d/

3. Edit the Tor Browser AppArmor profile.

Note: change the name of the file to match whatever version is installed on the system. 

sudo nano /etc/apparmor.d/home.tor-browser.firefox

4. Navigate to the Whonix ™ Github resource for AppArmor.

The latest git commits can be found here.

Select Codeetc/apparmor.dhome.tor-browser.firefox

Select the Raw button on the right-hand side. [6]

Info It is recommended to check the profile does not contain any unexpected content. For greater security, utilize a different viewer and/or retrieve the profile using git and perform git commit gpg verification.

Cut and paste the profile text into the old Tor Browser profile which is open in nano. Save and exit.

5. Enforce the new Tor Browser profile.

In the command below, change the name of the file to match whatever version is installed on the system.

In Whonix-Workstation ™ (whonix-ws-15), run. 

sudo aa-enforce /etc/apparmor.d/home.tor-browser.firefox

6. Shutdown Whonix-Workstation ™ (whonix-ws-15).

7. Restart Whonix-Workstation ™ (anon-whonix).

Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored. 

Profile: /etc/apparmor.d/home.tor-browser.firefox Operation: open Name: /dev/ Denied: r Logfile: /var/log/kern.log For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor

8. Manually check AppArmor is correctly running and enforced.

In a terminal, run. 

sudo aa-status

The output should show the Tor Browser profile is loaded and in enforce mode.

Correcting Other Whonix ™ AppArmor Profiles[edit]

The same method can be used to resolve other AppArmor problems impacting full functionality of applications in Whonix ™. For instance, in Whonix ™ 13 the whonixcheck AppArmor profile caused continuous "denied" messages in Qubes-Whonix ™. Correcting this issue was quite simple: [7]

  1. Navigate to the raw, updated whonixcheck profile.
  2. Replace the existing content in /etc/apparmor.d/usr.bin.whonixcheck with the updated github content, in both TemplateVMs whonix-gw-15 and whonix-ws-15.
  3. Shut down both TemplateVMs and any running instances of sys-whonix and anon-whonix.
  4. Restart sys-whonix and anon-whonix.

Inspecting and Disabling AppArmor Notifications[edit]

From Whonix ™ 14, apparmor-notify is no longer installed by default. This means desktop notifications will not appear concerning AppArmor denied messages, which are stored in /var/log/audit/audit.log [8] [9] [10]

Inspect Notifications[edit]

To inspect relevant logs, run.

Open file /var/log/audit/audit.log in an editor with root rights.

(Qubes-Whonix ™: In TemplateVM)

This box uses lxsudo for root privilege escalation and mousepad as editor. These are examples. Other tools could archive the same goal too. If these example tools do not work for you or if you are not using Whonix, please see this link.

If you are using a graphical Whonix or Qubes-Whonix ™ with XFCE, run. 

lxsudo mousepad /var/log/audit/audit.log

If you are using a terminal-only Whonix, run. 

sudo nano /var/log/audit/audit.log

To show denied AppArmor messages of any age, run. 

sudo cat /var/log/audit/audit.log | grep -i DENIED

It is possible to keep watching the file as it is appended. This is useful for reproducing AppArmor denied messages and testing amended profiles. 

sudo tail -f /var/log/audit/audit.log | grep --line-buffered DENIED

Disable Notifications[edit]

If apparmor-notify is manually installed, then on occasion an application may be functional but AppArmor "denied" messages constantly appear. Rather than updating the relevant AppArmor profile(s), it is possible to disable notifications instead.

In the offending Whonix ™ (App)VM, launch Konsole and run. 

sudo killall aa-notify

To revert this change, reboot the VM.

More Profiles[edit]

It is possible to utilize profiles by other vendors, but this is unsupported by Whonix ™ developers. As a reminder, it is not necessary to install AppArmor profiles for any applications that are unlikely to be used (such as dovecot). Additional options include:

Support[edit]

Development[edit]

Footnotes[edit]

  1. Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
  3. 3.0 3.1 Hit the up arrow key twice; it is unnecessary to type the command again.
  4. https://packages.debian.org/buster/apparmor-profiles
  5. Tor Browser is installed by tb-updater; the latter is a default Whonix ™ application.
  6. Otherwise essential profile formatting might break or unwanted content (such as line numbers) might be copied inadvertently, leading to a non-functional profile.
  7. This issue was fixed in the Whonix ™ 14 release.
  8. To install it, run: sudo apt-get update && sudo apt-get install apparmor-notify
  9. https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563
  10. The Debian default location is /var/log/kern.log

No user support in comments. See Support. Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.


Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.

Random News:

Interested in becoming an author for the Whonix News Blog or writing about anonymity, privacy and security? Please get in touch!

https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.

Retrieved from "https://www.whonix.org/w/index.php?title=AppArmor&oldid=51001"