(Redirected from AppArmor/Pidgin)
According to debian.org: 
AppArmor is a Mandatory Access Control framework. When enabled, AppArmor confines programs according to a set of rules that specify what files a given program can access. This proactive approach helps protect the system against both known and unknown vulnerabilities.
Mandatory access control (MAC) systems give fine-grained control over what programs can access. This means that your browser won't have access to your entire home directory or similarly. The most used MAC systems are SELinux and AppArmor. SELinux is a lot more secure than AppArmor as it is more fine-grained. For example, it's inode-based rather than path-based, allows enforcing significantly stronger restrictions [archive], can filter kernel ioctls [archive] and much more. Unfortunately, this comes at the cost of being much more difficult to use and harder to learn so AppArmor may be preferred by some.
AppArmor provides a number of advantages: 
- It protects the operating system and applications from external or internal threats, including zero-day attacks.
- "Good behavior" is enforced and it mitigates exploits via unknown application flaws.
- AppArmor security policies define the system resources that individual applications can access, and with what privileges. For instance:
- Network access.
- Raw socket access.
- Read, write or execute file permissions on specific paths.
Some AppArmor profiles for some default applications such as Tor are enforced by default. To see which, run.
More AppArmor profiles are available for testers.
It is recommended to use the Whonix ™ AppArmor [archive] profiles which are available for various programs that run in both Whonix-Gateway ™ and Whonix-Workstation ™, such as Tor, Tor Browser, Thunderbird and more. The profiles are easy to apply and provide a considerable security benefit.
Qubes Users Note
If you are interested, click on Expand on the right.
The following steps should be completed in
dom0 for both
whonix-ws-16 Templates.  After these settings are applied to the Whonix ™ templates, the
sys-whonix (ProxyVM) and
anon-whonix (App Qube) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the
anon-whonix App Qubes to benefit from the new kernel parameters.  It is also important to verify AppArmor is active in the
anon-whonix VMs after making these changes.
Install all AppArmor Profiles
The easiest method is to install all available AppArmor profiles. This can result in a few profiles being enforced for software that is not installed, but this will not have any adverse impacts.
At time of writing it is not required to change Whonix ™ APT repository.
Some profiles in the
apparmor-profiles-extra packages are not enforced by default because the Debian maintainers do not believe they are mature enough. 
apparmor-profiles provides various experimental AppArmor profiles. Do not expect these profiles to work out-of-the-box.
These profiles are not mature enough to be shipped in enforce mode by default on Debian. They are shipped in complain mode so that users can test them, choose which are desired, and help improve them upstream if needed.
Some even more experimental profiles are included in folder
Install Select AppArmor Profiles
Click on Expand on the right side.
Update your package lists.
sudo apt-get update
sudo apt-get install apparmor-profiles
sudo apt-get install apparmor-profiles-extra
sudo apt-get install apparmor-profile-torbrowser
Profile for the HexChat client. Useful in Whonix-Workstation ™. (Soon to be renamed
sudo apt-get install apparmor-profile-xchat
sudo apt-get install apparmor-profile-icedove
The name of the specific profile to unload must be known in advance; refer to the list above.
If it is necessary to disable an AppArmor profile, first list those which are available.
Once a profile is loaded in the kernel, it can be easily removed.
sudo aa-disable /etc/apparmor.d/profile-name
This command expects the profile file to exist, so if it has been manually deleted or removed via
apt-get purge, it can only be unloaded by rebooting.
Maintain Tor Browser Functionality
Tor Browser upgrades frequently break the Whonix ™ AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix ™ stable or even the developer version. This means manual profile fixes are often required until the next Whonix ™ version is released.
If Tor Browser is non-functional with the available AppArmor profile, follow these steps to rectify the problem.
Correcting Other Whonix ™ AppArmor Profiles
The same method can be used to resolve other AppArmor problems impacting full functionality of applications in Whonix ™. For instance, the
systemcheck AppArmor profile previously caused continuous "denied" messages in Qubes-Whonix ™.  Correcting this issue was quite simple: 
- Navigate to the raw, updated systemcheck profile [archive].
- Replace the existing content in /etc/apparmor.d/usr.bin.systemcheck with the updated github content, in both TemplateVMs
- Shut down both TemplateVMs and any running instances of
sudo apparmor-info --boot | grep DENIED
apparmor-notify is manually installed, then on occasion an application may be functional but AppArmor "denied" messages constantly appear. Rather than updating the relevant AppArmor profile(s), it is possible to disable notifications instead.
In the offending Whonix ™ (App)VM, launch Xfce Terminal and run.
sudo killall aa-notify
To revert this change, reboot the VM.
Manual Notifications Inspection
It is possible to utilize profiles by other vendors, but this is unsupported by Whonix ™ developers. As a reminder, it is not necessary to install AppArmor profiles for any applications that are unlikely to be used (such as dovecot). Additional options include:
- Debian has packages that can be easily installed via the APT package manager [archive].
- Ubuntu also provides profiles [archive]. It is not easy to download these as a package to be installed in Debian. Further, the profiles may or may not differ from (or complement) profiles listed earlier.
- Advanced users can attempt to create additional, strict AppArmor profiles by executing: 
Then open the program and use it as normal. AppArmor detects which files need to be accessed and adds them to the profile if you choose. This is insufficient for high quality profiles though; refer to the AppArmor documentation [archive] for further details.
- https://wiki.debian.org/AppArmor [archive]
- https://madaidans-insecurities.github.io/guides/linux-hardening.html#mac [archive]
- http://wiki.apparmor.net/index.php/Main_Page [archive]
- Non-Qubes-Whonix ™ means all Whonix ™ platforms except Qubes-Whonix ™. This includes Whonix ™ KVM, Whonix ™ VirtualBox and Whonix ™ Physical Isolation.
- Advanced users attempting to enable SE Linux instead would utilize the following parameters in this section:
While Debian has enabled AppArmor by default since the
busterrelease, Fedora has not. This matters since Qubes, which is Fedora based, by default uses the
dom0(not VM) kernel. Therefore this is still required even though Whonix ™ is based on a recent enough Debian version.
- Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template [archive].
- https://packages.debian.org/bullseye/apparmor-profiles [archive]
- Tor Browser is installed by tb-updater; the latter is a default Whonix ™ application.
- Otherwise essential profile formatting might break or unwanted content (such as line numbers) might be copied inadvertently, leading to a non-functional profile.
- In Whonix ™ 13.
- This issue was fixed in the Whonix ™ 14 release.
Jul 18 13:50:28 host kernel: [ 117.212029] audit: type=1400 audit(1626616228.947:23):
- https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563 [archive]