
AppArmor



Introduction[edit]

AppArmor profiles for Whonix, for better security.

Installation[edit]


Proceed at your own risk!
Note: If considering the use of Tor bridges, be aware that AppArmor has caused problems with obfsproxy in the past. [1]

The following steps should be completed in dom0 for both the Whonix-Gateway (commonly called whonix-gw) and the Whonix-Workstation (commonly called whonix-ws) TemplateVMs. It is also important to check that AppArmor is active in the TemplateBasedVMs sys-whonix and anon-whonix after making the changes.

Note: After these settings are applied to the TemplateVMs, the TemplateBasedVMs based on the whonix-gw / whonix-ws Whonix templates - namely anon-whonix and sys-whonix - will inherit the AppArmor kernel settings. It is not necessary to recreate the anon-whonix and sys-whonix TemplateBasedVMs to benefit from this change. [2]

Whonix-Gateway

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -l whonix-gw kernelopts

As of Qubes R3.2, this will show:
nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -l whonix-gw kernelopts

The output should show that AppArmor is part of the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM and check AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show:
0

Whonix-Workstation

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -l whonix-ws kernelopts

As of Qubes R3.2, this will show:
nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -l whonix-ws kernelopts

The output should show that AppArmor is part of the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM and check AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show:
0
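The two dom0 procedures above are the same steps applied to two TemplateVMs. The following script is an added example (not from the Whonix wiki) that performs them idempotently: it keeps whatever kernelopts are already set and appends apparmor=1 security=apparmor only when missing, so running it twice, or on a template with different existing parameters, does not clobber anything. The helper names are hypothetical; the qvm-prefs calls are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki. Run in dom0 as:
#   sh enable-apparmor-kernelopts.sh whonix-gw whonix-ws
# After a restart, verify inside sys-whonix / anon-whonix with:
#   sudo aa-status --enabled ; echo $?     (expected: 0)

# Print the existing kernel options with apparmor=1 and security=apparmor
# appended only if they are not already present (idempotent, order kept).
add_apparmor_opts() {
    opts="$1"
    for param in apparmor=1 security=apparmor; do
        case " $opts " in
            *" $param "*) ;;                   # already present, keep as is
            *) opts="${opts:+$opts }$param" ;; # append with a single space
        esac
    done
    printf '%s\n' "$opts"
}

# Apply to one TemplateVM from dom0: read, extend, write back, read again.
enable_apparmor_for_vm() {
    vm="$1"
    current="$(qvm-prefs -l "$vm" kernelopts)"
    new="$(add_apparmor_opts "$current")"
    if [ "$new" = "$current" ]; then
        echo "$vm: kernelopts already contain the AppArmor settings: $current"
        return 0
    fi
    qvm-prefs -s "$vm" kernelopts "$new"
    echo "$vm: kernelopts now: $(qvm-prefs -l "$vm" kernelopts)"
}

# Only acts on the TemplateVM names given as arguments.
for vm in "$@"; do
    enable_apparmor_for_vm "$vm"
done
```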

The profile packages are available from Whonix's APT repository.

It is highly recommended to switch to Whonix's testers repository before installing them, because the profiles in the stable repository are much older and have some issues. Note that switching to the testers repository will also update other packages from that repository unless you know how to avoid this (advanced users only).

Enable Whonix's testers repository.

sudo whonix_repository --enable --repository testers

Do this in Whonix-Workstation as well as in Whonix-Gateway.

Update the package lists.

sudo apt-get update

If you want to install all of them[edit]

The easiest way is to install all of them. You might end up with a few AppArmor profiles for software that you have not installed, but those have no effect, so it does not matter.

sudo apt-get install apparmor-profiles-whonix

If you only want to install specific ones[edit]


Profile for Tor Browser (installed by tb-updater [the one that comes installed by default with Whonix]). Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-torbrowser

Profile for sdwdate. (The network time sync that comes installed with Whonix by default.) Useful for Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-sdwdate

Profile for the HexChat Chat client. Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-xchat

Profile for the Icedove (Mozilla Thunderbird) E-Mail client. Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-icedove

Profile for whonixcheck. Useful for Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-whonixcheck

Profile for VirtualBox. Useful on the host - we don't have instructions for that yet. Also useful if you run VirtualBox inside VirtualBox.

sudo apt-get install apparmor-profile-virtualbox

Profile Unloading[edit]

Only needed if you want to disable an AppArmor profile.

You can view a list of all available profiles here:

ls /etc/apparmor.d/

Once the profile is loaded in the kernel, unload it by running:

sudo aa-disable /etc/apparmor.d/profile-name

This command expects the profile file to exist. So when the profile file has been deleted (manually or after apt-get purge), the only way I know to unload it is rebooting.

If you need to know the names of the profiles, have a look at #If you only want to install specific ones above.

More Profiles[edit]

Only as additional inspiration: profiles by vendors other than Whonix, unsupported by Whonix developers. Don't bother installing an AppArmor profile for applications that you are not going to use anyhow. For example, it is a waste of time to install the dovecot AppArmor profile if you are never going to use dovecot.

Support[edit]

Development[edit]

Whonix 14 and above:

https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes

sudo apt-get update && sudo apt-get install apparmor-notify

kdesudo kwrite /var/log/audit/audit.log

sudo cat /var/log/audit/audit.log | grep DENIED

sudo tail -f /var/log/audit/audit.log | grep --line-buffered DENIED
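The grep commands above list raw DENIED lines. As an added example (not from the Whonix wiki), the script below aggregates those lines by profile, operation, target and denied mask, which is what you need when deciding whether a denial is a missing rule to add to the profile or unexpected behaviour of the confined program. The audit lines embedded in it are constructed samples in the standard AppArmor audit format, not real Whonix output; on a live system feed it the real log as shown in the comment.

```shell
#!/bin/sh
# Added example, not part of the Whonix wiki. Summarise AppArmor DENIED
# audit events so a profile can be corrected instead of disabled.
# Live usage:  sudo cat /var/log/audit/audit.log | summarize_denials

# Constructed sample audit lines (not real output); one ALLOWED line is
# included to show that only DENIED events are counted.
SAMPLE_LOG='type=AVC msg=audit(1500000000.100:10): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/etc/example.conf" pid=1000 comm="sdwdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1500000000.200:11): apparmor="ALLOWED" operation="open" profile="/usr/bin/sdwdate" name="/etc/hosts" pid=1000 comm="sdwdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1500000000.300:12): apparmor="DENIED" operation="open" profile="/usr/bin/sdwdate" name="/etc/example.conf" pid=1000 comm="sdwdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1500000000.400:13): apparmor="DENIED" operation="exec" profile="/usr/bin/hexchat" name="/usr/bin/example" pid=1001 comm="hexchat" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'

# Read audit lines on stdin; print "count profile operation name mask"
# for each distinct denial, most frequent first. Fields are split on
# whitespace, so paths containing spaces are not handled by this version.
summarize_denials() {
    awk '
        /apparmor="DENIED"/ {
            p = o = n = m = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)      # strip the quotes
                if (kv[1] == "profile") p = v
                else if (kv[1] == "operation") o = v
                else if (kv[1] == "name") n = v
                else if (kv[1] == "denied_mask") m = v
            }
            count[p " " o " " n " " m]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

A denial that repeats for the same profile and path usually means the profile lacks a rule; a one-off exec denial on an unexpected binary is worth investigating before any rule is added.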


  1. https://github.com/Whonix/Whonix/issues/67
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.