
AppArmor



Introduction

Whonix provides AppArmor profiles that confine selected applications, as an additional layer of security on top of the Tor-based isolation.

Installation

Introduction


Proceed at your own risk!
Note: If considering the use of Tor bridges, be aware that AppArmor has caused problems with obfsproxy in the past. [1]

The following steps are performed in dom0 for both the Whonix-Gateway (commonly called whonix-gw) and the Whonix-Workstation (commonly called whonix-ws) TemplateVMs. Afterwards, check that AppArmor is actually active in the TemplateBasedVMs sys-whonix and anon-whonix, since a kernel parameter only takes effect once those VMs have been restarted.

Note: After these settings are applied to the TemplateVMs, the TemplateBasedVMs based on the whonix-gw / whonix-ws Whonix templates - namely anon-whonix and sys-whonix - will inherit the AppArmor kernel settings. It is not necessary to recreate the anon-whonix and sys-whonix TemplateBasedVMs to benefit from this change. [2]

Whonix-Gateway

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -l whonix-gw kernelopts

As of Qubes R3.2, this will show.
nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -l whonix-gw kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM and, in a terminal inside sys-whonix, check that AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show the exit status 0, meaning the running kernel reports AppArmor as enabled.
0

Whonix-Workstation

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -l whonix-ws kernelopts

As of Qubes R3.2, this will show.
nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -l whonix-ws kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM and, in a terminal inside anon-whonix, check that AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show the exit status 0, meaning the running kernel reports AppArmor as enabled.
0
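The two procedures above, as an added shell script that is not part of the Whonix page or the Whonix project: it appends the AppArmor parameters to whatever kernelopts a VM already has (so nopat survives), refuses to stack a second security= choice on top of an existing one, and offers an in-VM verification of /proc/cmdline plus aa-status. The qvm-prefs -l/-s form is the Qubes R3.x syntax used on this page; the --apply and --verify switches and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the Whonix wiki or the Whonix project.
# Run in dom0 with --apply to extend kernelopts of whonix-gw and whonix-ws,
# or inside sys-whonix / anon-whonix with --verify after they were restarted.
# Assumes the Qubes R3.x "qvm-prefs -l/-s VM kernelopts" syntax from the page.

APPARMOR_OPTS="apparmor=1 security=apparmor"

# add_apparmor_opts EXISTING: print EXISTING with the AppArmor parameters
# appended once each, keeping the order and any parameters already there.
add_apparmor_opts() {
    opts="$1"
    # Two security= values would leave the kernel to pick one of them, so stop.
    case " $opts " in
        *" security=apparmor "*) ;;
        *" security="*)
            echo "kernelopts already select another LSM: $opts" >&2
            return 1 ;;
    esac
    for tok in $APPARMOR_OPTS; do
        case " $opts " in
            *" $tok "*) ;;                       # already present, keep as is
            *) opts="${opts:+$opts }$tok" ;;     # append with a separator
        esac
    done
    printf '%s\n' "$opts"
}

# has_apparmor_opts CMDLINE: succeed only if both parameters are present.
has_apparmor_opts() {
    for tok in $APPARMOR_OPTS; do
        case " $1 " in
            *" $tok "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# apply_to_vm VM: dom0 only; rewrite kernelopts only when something changes.
apply_to_vm() {
    vm="$1"
    current="$(qvm-prefs -l "$vm" kernelopts)" || return 1
    new="$(add_apparmor_opts "$current")" || return 1
    if [ "$new" != "$current" ]; then
        qvm-prefs -s "$vm" kernelopts "$new" || return 1
    fi
    printf '%s: %s\n' "$vm" "$(qvm-prefs -l "$vm" kernelopts)"
}

# verify_in_vm: inside the TemplateBasedVM, check the booted cmdline and
# ask the kernel whether AppArmor is enabled (exit status 0 means yes).
verify_in_vm() {
    if ! has_apparmor_opts "$(cat /proc/cmdline)"; then
        echo "booted kernel cmdline lacks the AppArmor parameters" >&2
        return 1
    fi
    sudo aa-status --enabled
}

case "${1:-}" in
    --apply)  for vm in whonix-gw whonix-ws; do apply_to_vm "$vm"; done ;;
    --verify) verify_in_vm ;;
esac
```

The cmdline check matters because qvm-prefs only changes the setting for the next boot: a VM that was already running keeps the old parameters, and aa-status --enabled will keep returning 1 there until it is restarted. On Qubes R4 the qvm-prefs syntax dropped the -l/-s flags, so apply_to_vm needs adjusting there.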

The profile packages are available from Whonix's APT repository.

In Whonix-Workstation as well as in Whonix-Gateway, enable Whonix's testers repository. Note that once enabled, this repository is used for every package upgrade, not only for the AppArmor profiles.

sudo whonix_repository --enable --repository testers

Update the package lists.

sudo apt-get update

If you want to install all of them

The easiest way is to install all of them in one go. You may end up with a few AppArmor profiles for software that is not installed; such profiles confine nothing and therefore have no effect.

sudo apt-get install apparmor-profiles-whonix

If you only want to install specific ones

Profile for Tor Browser. Useful in Whonix-Workstation. [3]

sudo apt-get install apparmor-profile-torbrowser

Profile for sdwdate. [4] Useful for Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-sdwdate

Profile for the HexChat chat client. Useful in Whonix-Workstation. Note that the package keeps the xchat name.

sudo apt-get install apparmor-profile-xchat

Profile for the Icedove (Mozilla Thunderbird) E-Mail client. Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-icedove

Profile for whonixcheck. Useful for Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-whonixcheck

Profile for VirtualBox. This is useful on the host, but there are no instructions for that yet. It is also useful if running VirtualBox inside VirtualBox.

sudo apt-get install apparmor-profile-virtualbox

Profile Unloading

To view the list of profile files shipped on the system, run.

ls /etc/apparmor.d/

Once a profile is loaded in the kernel, to unload it (and keep it from being loaded again at the next AppArmor start), run.

sudo aa-disable /etc/apparmor.d/profile-name

This command expects the profile file to exist. If the file has been deleted manually or via apt-get purge, aa-disable can no longer unload it and the profile stays loaded until the next reboot, unless it is removed from the running kernel by name, by writing that name to /sys/kernel/security/apparmor/.remove.

The user must know the name of the specific profile to unload. The file names are in the list above; the names as loaded in the kernel are the ones printed by sudo aa-status, and those are what the kernel interface expects.
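An added example that is not part of the Whonix page or project: a small shell helper that recovers the kernel-visible profile name from profile source, checks whether that name is loaded, and unloads it through securityfs, which still works after the file under /etc/apparmor.d is gone. The sample profile texts are constructed for the example, the securityfs path /sys/kernel/security/apparmor is the standard mount point, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the Whonix wiki or the Whonix project.
# Find the name a profile is loaded under, and unload it by that name.

APPARMOR_FS=/sys/kernel/security/apparmor   # standard securityfs mount

# profile_name_from_text: profile source on stdin -> profile name on stdout.
# A profile is named by the "profile NAME" keyword if present, otherwise by
# the attachment path that opens the profile body ("/path flags=(...) {").
profile_name_from_text() {
    awk '
        /^[[:space:]]*#/ { next }                        # comments and #include
        /^[[:space:]]*(include|abi)[[:space:]<]/ { next } # include / abi lines
        /^[[:space:]]*@\{/ { next }                      # @{VAR}= definitions
        /\{[[:space:]]*$/ {                              # first line opening a body
            sub(/[[:space:]]*\{[[:space:]]*$/, "")       # drop the trailing "{"
            sub(/[[:space:]]+flags=\([^)]*\)/, "")       # drop flags=(...)
            gsub(/"/, "")                                # drop quoting around names
            name = ($1 == "profile") ? $2 : $1
            print name
            exit
        }'
}

# is_loaded NAME: the kernel lists loaded profiles as "NAME (mode)".
is_loaded() {
    grep -qxF -- "$1 (enforce)" "$APPARMOR_FS/profiles" 2>/dev/null ||
    grep -qxF -- "$1 (complain)" "$APPARMOR_FS/profiles" 2>/dev/null
}

# unload_profile NAME: remove a loaded profile from the kernel by name
# (root required). Unlike aa-disable this needs no file on disk, but it also
# does not stop the profile from being loaded again if its file reappears.
unload_profile() {
    if ! is_loaded "$1"; then
        echo "not loaded: $1" >&2
        return 1
    fi
    printf '%s' "$1" | sudo tee "$APPARMOR_FS/.remove" >/dev/null
}

# Constructed profile sources for the example (not the real Whonix files).
SAMPLE_PATH_PROFILE='#include <tunables/global>
/home/*/tor-browser_*/Browser/firefox flags=(complain) {
  #include <abstractions/base>
  owner @{HOME}/tor-browser_*/** rw,
}'
SAMPLE_NAMED_PROFILE='profile torbrowser /home/*/tor-browser_*/Browser/firefox {
  #include <abstractions/base>
}'
```

Typical use after an apt-get purge that removed the file: take the name from sudo aa-status (or from a saved copy of the file via profile_name_from_text) and call unload_profile with it. Writing to .remove takes the bare profile name with no trailing newline, which is why printf '%s' rather than echo is used.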

Maintain a Functional Tor Browser

Tor Browser upgrades frequently break the Whonix AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in Phabricator, the fixed packages most often are not made available to Whonix stable, or even to the developer version, so manual profile fixes are required until the next Whonix version is released.

At the time of writing, Tor Browser is non-functional with the profile available in the repositories. Advanced users can follow these steps to rectify the problem.

1. Open a terminal in Whonix-Workstation TemplateVM

Whonix-WS TemplateVM -> Konsole

2. List the available AppArmor profiles

ls /etc/apparmor.d/

3. Edit the Tor Browser AppArmor profile

Note: the file name depends on the Tor Browser version installed on the system. Check the listing from step 2 and make sure the pattern below expands to exactly one file, or type the exact file name instead.

sudo nano /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

4. Navigate to the Whonix GitHub resource for AppArmor

The latest git commits are in the Whonix repository on GitHub.

Select Code -> etc/apparmor.d -> home.tor-browser.firefox

Copy the profile text from GitHub and paste it over the contents of the old Tor Browser profile which is open in nano. Save and exit.

5. Enforce the new Tor Browser profile

In the Whonix-Workstation TemplateVM, run.

sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

aa-enforce reloads the profile into the kernel in enforce mode. If it reports a parse error, the pasted profile was not accepted and the previous contents must be restored before continuing.

6. Shutdown Whonix-Workstation TemplateVM and any running instances of Whonix-Workstation AppVM

7. Restart the Whonix-Workstation AppVM

Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored.

Profile: /home/**/tor-browser*/Browser/firefox
Operation: open
Name: /dev/
Denied: r
Logfile: /var/log/kern.log
For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor

To manually check AppArmor is really running and enforced, in a terminal run.

sudo aa-status

The output should show the Tor Browser profile is loaded and in enforce mode.
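As an added example (not code from the Whonix page or project), here is a shell function that scripts the final aa-status check: it reads aa-status output and reports whether a named profile is in enforce mode, in complain mode, or not loaded at all, stopping before the per-process section so that a running firefox process is not mistaken for a loaded profile. The sample aa-status output is constructed for the example; profile_mode and check_enforced are this example's own helpers.

```sh
#!/bin/sh
# Added example, not from the Whonix wiki or the Whonix project.
# Turn the "read aa-status by eye" step into a check a script can act on.

# profile_mode STATUS_TEXT NAME: print enforce, complain or unloaded.
# aa-status lists loaded profiles under "... profiles are in <mode> mode."
# and then lists processes under similar headings; stop at the latter.
profile_mode() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /profiles are in enforce mode/    { mode = "enforce";  next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { exit }
        mode != "" && $1 == name          { print mode; found = 1; exit }
        END { if (!found) print "unloaded" }'
}

# check_enforced NAME: run aa-status and succeed only if NAME is enforced.
check_enforced() {
    status="$(sudo aa-status 2>/dev/null)" || { echo "aa-status failed" >&2; return 2; }
    mode="$(profile_mode "$status" "$1")"
    echo "$1: $mode"
    [ "$mode" = "enforce" ]
}

# Constructed aa-status output for the example (not captured from a real VM).
SAMPLE_STATUS='apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /home/*/tor-browser_*/Browser/firefox
   /usr/bin/sdwdate
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/bin/hexchat
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/cupsd (812)
   /home/*/tor-browser_*/Browser/firefox (2051)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

TB_PROFILE='/home/*/tor-browser_*/Browser/firefox'
```

In the AppVM, check_enforced "$TB_PROFILE" (with the name exactly as aa-status prints it; the asterisks are part of the name, not a shell glob) is the scripted form of the manual check, and its exit status can gate whatever comes next.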

More Profiles

Users can also utilize profiles by other vendors, but this is unsupported by Whonix developers. It is not necessary to install an AppArmor profile for applications that will not be used. For example, it is unnecessary to install the dovecot AppArmor profile if it will never be run.

Support

Development

Whonix 14 and above:

https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes

Install apparmor-notify to get desktop notifications whenever a profile denies an operation.

sudo apt-get update && sudo apt-get install apparmor-notify

Open the audit log in an editor.

kdesudo kwrite /var/log/audit/audit.log

Show only the denials recorded so far.

sudo grep DENIED /var/log/audit/audit.log

Follow the log and show new denials as they happen.

sudo tail -f /var/log/audit/audit.log | grep --line-buffered DENIED

Note: /var/log/audit/audit.log only exists when auditd is installed. Without it, the kernel writes the same records to the kernel log (for example /var/log/kern.log, as named in the Tor Browser warning above), and the same grep applies there.
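The commands above only grep for DENIED. As an added example that is not Whonix code, the following shell function aggregates DENIED records into one line per profile, operation, path and denied mask with a count, which is the form needed to decide what a profile is missing. It keys on the apparmor="DENIED" field and parses the key="value" pairs, so it works on audit.log records and on the kern.log form the kernel writes when auditd is absent. The sample records are constructed for the example; summarize_denials and denial_summary_from_file are this example's own names.

```sh
#!/bin/sh
# Added example, not from the Whonix wiki or the Whonix project.
# Summarize AppArmor denials instead of scrolling through raw grep output.

# summarize_denials: DENIED records on stdin -> "COUNT PROFILE OP NAME MASK"
# lines on stdout, most frequent first. Records are parsed as key="value"
# pairs, so the audit.log and kern.log layouts both work.
summarize_denials() {
    awk '
        /apparmor="DENIED"/ {
            split("", kv)                                # reset per record
            rest = $0
            while (match(rest, /[a-z_]+="[^"]*"/)) {
                pair = substr(rest, RSTART, RLENGTH)
                eq = index(pair, "=")
                key = substr(pair, 1, eq - 1)
                kv[key] = substr(pair, eq + 2, length(pair) - eq - 2)
                rest = substr(rest, RSTART + RLENGTH)
            }
            k = kv["profile"] " " kv["operation"] " " kv["name"] " " kv["denied_mask"]
            count[k]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# denial_summary_from_file FILE: run the summary over a root-readable log.
denial_summary_from_file() {
    sudo cat "$1" | summarize_denials
}

# Constructed records for the example (not taken from a real system); the
# last one uses the kernel-log layout, the others the auditd layout.
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.123:45): apparmor="DENIED" operation="open" profile="/home/*/tor-browser_*/Browser/firefox" name="/dev/" pid=2051 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1500000000.456:46): apparmor="DENIED" operation="open" profile="/home/*/tor-browser_*/Browser/firefox" name="/dev/" pid=2051 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1500000000.789:47): apparmor="ALLOWED" operation="open" profile="/usr/bin/hexchat" name="/etc/hosts" pid=900 comm="hexchat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [  812.345678] audit: type=1400 audit(1500000001.000:48): apparmor="DENIED" operation="exec" profile="/usr/bin/sdwdate" name="/usr/bin/curl" pid=700 comm="sdwdate" requested_mask="x" denied_mask="x" fsuid=107 ouid=0'
```

On a live system, denial_summary_from_file /var/log/audit/audit.log (or /var/log/kern.log) gives the per-rule view; the ALLOWED record in the sample is deliberately skipped, since complain-mode hits are not denials.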

Footnotes

  1. https://github.com/Whonix/Whonix/issues/67
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
  3. Tor Browser is installed by tb-updater, which comes installed by default in Whonix.
  4. The network time sync is installed in Whonix by default.
