AppArmor
Contents
Introduction[edit]
AppArmor profiles. For better security.
Installation[edit]
Introduction[edit]
 | Testers only! |
 | Qubes-Whonix users require some extra instructions for setting up AppArmor. Non-Qubes-Whonix users can skip this section. (Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.) |
If you are interested, click on Expand on the right.
The following steps should be completed in dom0 for both {{{{whonix-gw}}}} and whonix-ws-14 TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings. It is unnecessary for users to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from these new kernel parameters.[1] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
For Qubes R3.2, and later releases this will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the sys-whonix ProxyVM and confirm AppArmor is now active.
The output should show.
0
Whonix-Workstation
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
For Qubes R3.2, and later releases this will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the anon-whonix AppVM and confirm AppArmor is now active.
The output should show.
0
The profiles packages are available from Whonix's APT repository.
| Tip: It is strongly recommended to switch to the Whonix testers repository before installing profiles. The profiles in the stable repository are much older and have some issues. Note that switching to the testers repository will also update other packages from that same repository unless the user knows how to avoid this. [2] |
Enable the Whonix testers repository.
In Whonix-Workstation as well as on Whonix-Gateway.
Update the package lists.
Install All AppArmor Profiles[edit]
The easiest method is to install all available AppArmor profiles. This can result in a few profiles being enforced for software that is not installed, but this will not have any adverse impacts.
Install Select AppArmor Profiles[edit]
Click on expand on the right side.
Profile for Tor Browser. Useful in Whonix-Workstation. [3]
Profile for sdwdate. [4] Useful in Whonix-Gateway and Whonix-Workstation.
Profile for the HexChat Chat client. Useful in Whonix-Workstation.
Profile for the Mozilla Thunderbird E-Mail client. Useful in Whonix-Workstation.
Profile for whonixcheck. Useful in Whonix-Gateway and Whonix-Workstation.
Profile for VirtualBox. This is useful on the host, but there are no documented instructions for this procedure yet. It is also useful if running VirtualBox inside VirtualBox.
Revert any Whonix Repository Change[edit]
If AppArmor profiles were installed from the testers repository, reverting to the stable repository is recommended.
Update the package lists.
Profile Unloading[edit]
| Tip: Only complete these steps to disable an AppArmor profile. |
Click on expand on the right side.
To view the list of all available profiles, run.
Once the profile is loaded in the kernel, to remove it run.
This command expects the profile file to exist. This means if the profile has been deleted manually or via apt-get purge, it can only be unloaded by rebooting.
The name of the specific profile to unload must be known in advance - refer to the list further above.
Maintain a Functional Tor Browser[edit]
Tor Browser upgrades frequently break the Whonix AppArmor profile used to contain it. Even when AppArmor related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix stable or even the developer version. This means manual profile fixes are required until the next Whonix version is released.
At the time of writing, Tor Browser is non-functional with the available profile in the repositories. Advanced users can follow these steps to rectify the problem.
1. Open a terminal in Whonix-Workstation TemplateVM
Whonix-WS TemplateVM -> Konsole
2. List the available AppArmor profiles
3. Edit the Tor Browser AppArmor profile
Note: change the name of the file to match whatever version is installed on the system.
4. Navigate to the Whonix Github resource for AppArmor
The latest git commits can be found here.
Select Code -> etc/apparmor.d -> home.tor-browser.firefox
Select the Raw button on the right-hand side. [5]
| Users should check the profile text does not contain any unexpected content. For greater security, utilize a different viewer and/or retrieve the profile using git and perform git commit gpg verification. |
Cut and paste the profile text into the old Tor Browser profile which is open in nano. Save and exit.
5. Enforce the new Tor Browser profile
Note: In the command below, change the name of the file to match whatever version is installed on the system.
In the Whonix-Workstation TemplateVM, run.
6. Shutdown Whonix-Workstation TemplateVM and any running instances of Whonix-Workstation AppVM
7. Restart the Whonix-Workstation AppVM
Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored.
Profile: /home/**/tor-browser*/Browser/firefox Operation: open Name: /dev/ Denied: r Logfile: /var/log/kern.log For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor
To manually check AppArmor is really running and enforced, in a terminal run.
The output should show the Tor Browser profile is loaded and in enforce mode.
Fixing Other Whonix AppArmor Profiles[edit]
Advanced users can imitate the method outlined above to resolve similar AppArmor problems impacting full functionality of applications in Whonix. For instance, at the time of writing the whonixcheck AppArmor profile causes continuous "denied" messages in Qubes-Whonix. Resolving this is quite simple: [6]
- Navigate to the raw updated whonixcheck profile.
- In both the Whonix-Gateway (
whonix-gw-14) and Whonix-Workstation (whonix-ws-14) TemplateVMs, replace the existing content in /etc/apparmor.d/usr.bin.whonixcheck with the updated github content. - Shutdown both TemplateVMs and any running instances of
sys-whonixandanon-whonix. - Restart the
sys-whonixandanon-whonixAppVMs.
Inspecting and Disabling AppArmor Notifications[edit]
From Whonix 14, apparmor-notify is no longer installed by default. This means desktop notifications will not appear concerning AppArmor denied messages, which are stored in /var/log/audit/audit.log [7] [8] [9]
Inspect Notifications
To inspect relevant logs, run.
To show denied AppArmor messages of any age, run.
It is possible to keep watching the file as it is appended. This is useful for reproducing AppArmor denied messages and testing amended profiles.
Disable AppArmor Notifications
If users installed apparmor-notify manually, then some applications may be functional, but AppArmor "denied" messages can constantly appear on the desktop. Rather than updating the relevant AppArmor profile(s), it is possible to disable notifications.
In the offending Whonix (App)VM, launch Konsole and run.
To revert this change, reboot the VM.
More Profiles[edit]
Users can also utilize profiles by other vendors, but this is unsupported by Whonix developers. It is not necessary to install an AppArmor profile for applications that will not be used. For example, it is unnecessary to install the dovecot AppArmor profile if it will never be run.
- Debian has packages that you can be easily installed from the apt repository - https://wiki.debian.org/AppArmor/HowToUse#Enable_.2F_install_more_profiles
- Ubuntu also provides profiles. These are not so easy to download as a package to be installed in Debian. The profiles may or may not differ or complement those profiles listed further above. http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/16.04/
Support[edit]
- Need help? Go to Whonix AppArmor Forum.
- Profile Creation Advice
Development[edit]
Footnotes[edit]
- ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
- ↑ Broken link: https://www.whonix.org/old-forum/index.php/topic,1548.0.html
- ↑ Tor Browser is installed by tb-updater, which comes installed by default in Whonix.
- ↑ The network time sync is installed in Whonix by default.
- ↑ Otherwise essential profile formatting might break, or unwanted content (such as line numbers) might be copied inadvertently, causing the profile to become non-functional.
- ↑ This issue has been fixed in Whonix 14.
- ↑ To install it, run:
sudo apt-get update && sudo apt-get install apparmor-notify - ↑ https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563
- ↑ The Debian default location is /var/log/kern.log
Have you contributed to Whonix? If so, feel free to add your name and highlight what you did on the Whonix authorship page.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)