AppArmor
Contents
Introduction[edit]
AppArmor profiles. For better security.
Installation[edit]
Introduction[edit]
 | Testers only! |
 | Qubes-Whonix users require some extra instructions for setting up AppArmor. Non-Qubes-Whonix users can skip this. (Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.) |
If you are interested, click on Expand on the right.
Proceed at your own risk!
Note: If considering the use of Tor bridges, be aware that AppArmor has caused problems with obfsproxy in the past. [1]
The following steps should be completed in dom0 for both the Whonix-Gateway (commonly called whonix-gw) and the Whonix-Workstation (commonly called whonix-ws) TemplateVMs. It is also important to check AppArmor is active in the TemplateBasedVMs sys-whonix and anon-whonix after making the changes.
Note: After these settings are applied to the TemplateVMs, the TemplateBasedVMs based on the whonix-gw / whonix-ws Whonix templates - namely anon-whonix and sys-whonix - will inherit the AppArmor kernel settings. It is not necessary to recreate the anon-whonix and sys-whonix TemplateBasedVMs to benefit from this change. [2]
Whonix-Gateway
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
As of Qubes R3.2, this will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the sys-whonix ProxyVM and check AppArmor is now active.
The output should show.
0
Whonix-Workstation
Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal
List the current kernel parameters.
As of Qubes R3.2, this will show.
nopat
Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.
List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
Start the anon-whonix AppVM and check AppArmor is now active.
The output should show.
0
The profiles packages are available from the Whonix's APT repository.
It is highly recommend to switch to Whonix's testers repository before installing them, because the profiles in the stable repository are much older and have some issues. Note, that switching to the testers repository would update also other packages from that testers repository unless you know how to avoid this (advanced users only).
Enable Whonix's testers repository.
In Whonix-Workstation as well as on Whonix-Gateway.
Update the package lists.
If you want to install all of them[edit]
The easiest way to install all of them. You might end up with a few apparmor profiles for software that you have not installed, but then they don't have any effect, so it does not matter.
If you only want to install specific ones[edit]
Click on expand on the right side.
Profile for Tor Browser (installed by tb-updater [the one that comes installed by default with Whonix]). Useful in Whonix-Workstation.
Profile for sdwdate. (The network time sync that comes installed with Whonix by default.) Useful for Whonix-Gateway and Whonix-Workstation.
Profile for the HexChat Chat client. Useful in Whonix-Workstation.
Profile for the Icedove (Mozilla Thunderbird) E-Mail client. Useful in Whonix-Workstation.
Profile for whonixcheck. Useful for Whonix-Gateway and Whonix-Workstation.
Profile for VirtualBox. Useful on the host - we don't have instructions for that yet. Also useful if you run VirtualBox inside VirtualBox.
Profile Unloading[edit]
Only in case you want to disable an apparmor profile.
Click on expand on the right side.
You can view a list of all available profiles here:
Once the profile is loaded in the kernel, to remove it to run.
This command expect the profile file to be existing. So when the profile file is deleted (manually or after apt-get purge), the only way I know to unload it is rebooting.
Need to know the names of the profiles, have a look above #If you only want to install specific ones.
More Profiles[edit]
Only as additional inspiration. Profiles by other vendors than Whonix. Unsupported by Whonix developers. Don't bother installing an AppArmor profile for applications that you are not going to use anyhow. For example, it is a waste of time to install the dovecot AppArmor profile if you are never going to use dovecot.
- Debian has packages that you can easily install from Debian's apt repository - https://wiki.debian.org/AppArmor/HowToUse#Enable_.2F_install_more_profiles
- Ubuntu also provides profiles. Not so easily downloadable as package to be installed in Debian. The profiles may or may not differ or compleement from the above. http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/files/head:/ubuntu/16.04/
Support[edit]
- Need help? Go to Whonix AppArmor Forum.
- Profile Creation Advice
Development[edit]
Whonix 14 and above:
https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes
Interested in becoming an author for the Whonix blog or writing about anonymity, privacy and security? Please get in touch!
Impressum | Datenschutz | Haftungsausschluss
https | (forcing) onion
Share: Twitter
|
Facebook
|
Google+
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)