
AppArmor



Introduction

AppArmor profiles. For better security.

Installation

Introduction



Do this at your own risk!
Note: if you want to use Tor bridges, AppArmor has been known in the past to cause problems with obfsproxy. [1]

You need to complete the following steps in both Whonix-Gateway (commonly called whonix-gw) and Whonix-Workstation (commonly called whonix-ws). These settings only need to be applied to the TemplateVMs, before creating any TemplateBasedVMs based on the Whonix templates. [2]

For Whonix-Gateway, complete the following:

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole

Get a list of current kernel parameters.

qvm-prefs -l whonix-gw kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

Run the command that lists the current kernel parameters again (just press the up arrow key twice, so you don't have to retype it).

qvm-prefs -l whonix-gw kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you have started the VM, you can check whether AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0

For Whonix-Workstation, complete the following:

In a dom0 terminal:

Get a list of current kernel parameters.

qvm-prefs -l whonix-ws kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

Run the command that lists the current kernel parameters again (just press the up arrow key twice, so you don't have to retype it).

qvm-prefs -l whonix-ws kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you have started the VM, you can check whether AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0
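The dom0 steps above for both VMs, folded into one idempotent script as an added example (not code from the Whonix wiki or the Qubes project). It assumes the `qvm-prefs -l` / `qvm-prefs -s ... kernelopts` syntax shown on this page and that it is run in dom0; `merge_kernelopts`, `enable_apparmor` and the script name are names chosen here.

```shell
#!/bin/sh
# Added example: enable the AppArmor kernel parameters for Qubes-Whonix
# TemplateVMs without duplicating options that are already set.
# Assumes the `qvm-prefs -l/-s VM kernelopts` syntax used on this page (run in dom0).

APPARMOR_OPTS="apparmor=1 security=apparmor"

# merge_kernelopts EXISTING: print EXISTING with each AppArmor option appended
# unless it is already present, so running this twice changes nothing.
merge_kernelopts() {
    merged="$1"
    for opt in $APPARMOR_OPTS; do
        case " $merged " in
            *" $opt "*) ;;                          # already present, keep as is
            *) merged="${merged:+$merged }$opt" ;;  # append (no leading space when empty)
        esac
    done
    printf '%s\n' "$merged"
}

# enable_apparmor VM: read the current kernelopts, merge, write back, show the result.
enable_apparmor() {
    vm="$1"
    current=$(qvm-prefs -l "$vm" kernelopts) || return 1
    new=$(merge_kernelopts "$current")
    if [ "$new" = "$current" ]; then
        echo "$vm: kernelopts already contain the AppArmor options: $current"
        return 0
    fi
    echo "$vm: kernelopts '$current' -> '$new'"
    qvm-prefs -s "$vm" kernelopts "$new" || return 1
    qvm-prefs -l "$vm" kernelopts
}

# Usage (script name chosen here): sh enable-apparmor.sh whonix-gw whonix-ws
# Afterwards, inside the started VM, `sudo aa-status --enabled; echo $?` should print 0.
if [ $# -gt 0 ]; then
    for vm in "$@"; do
        enable_apparmor "$vm"
    done
fi
```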

The profile packages are available from Whonix's APT repository.

It is highly recommended to switch to Whonix's testers repository before installing them, because the profiles in the stable repository are much older and have some issues. Note that switching to the testers repository will also update other packages from that repository, unless you know how to avoid this (advanced users only).

Enable Whonix's testers repository, in Whonix-Workstation as well as in Whonix-Gateway.

sudo whonix_repository --enable --repository testers

Update your package lists.

sudo apt-get update

If you want to install all of them

This is the easiest way to install all of them. You might end up with a few AppArmor profiles for software that you have not installed, but those simply have no effect, so it does not matter.

sudo apt-get install apparmor-profiles-whonix

If you only want to install specific ones


Profile for Tor Browser (as installed by tb-updater, the updater that comes with Whonix by default). Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-torbrowser

Profile for sdwdate (the network time synchronization daemon that comes installed with Whonix by default). Useful for Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-sdwdate

Profile for the HexChat chat client. Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-xchat

Profile for the Icedove (Mozilla Thunderbird) e-mail client. Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-icedove

Profile for whonixcheck. Useful for Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-whonixcheck

Profile for VirtualBox. Useful on the host (we don't have instructions for that yet). Also useful if you run VirtualBox inside VirtualBox.

sudo apt-get install apparmor-profile-virtualbox

Profile Unloading

Only needed if you want to disable an AppArmor profile.

You can view a list of all available profiles here:

ls /etc/apparmor.d/

Once the profile is loaded in the kernel, run the following to unload it:

sudo aa-disable /etc/apparmor.d/profile-name

This command expects the profile file to exist. So once the profile file has been deleted (manually or after apt-get purge), the only way I know of to unload it is rebooting.

To find the names of the profiles, see #If you only want to install specific ones above.
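Since aa-disable needs the profile file, the reliable way to see what is still loaded after a purge is to ask the kernel rather than /etc/apparmor.d/. This added example (not code from the Whonix wiki) reads the kernel's list of loaded profiles, one "<profile name> (enforce|complain)" entry per line; the function names and the sample profile names are chosen here.

```shell
#!/bin/sh
# Added example: report which AppArmor profiles the kernel has loaded and in
# which mode, independent of whether the profile file still exists under
# /etc/apparmor.d/ (relevant after `apt-get purge`, until the next reboot).

PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# profile_mode NAME [FILE]: print "enforce", "complain" or "unloaded" for NAME.
# Returns 0 if the profile is loaded, 1 otherwise.
profile_mode() {
    name="$1"; file="${2:-$PROFILES_FILE}"
    if [ -r "$file" ]; then
        while IFS= read -r line; do
            case "$line" in
                "$name (enforce)")  echo enforce;  return 0 ;;
                "$name (complain)") echo complain; return 0 ;;
            esac
        done < "$file"
    fi
    echo unloaded
    return 1
}

# report_profiles FILE NAME...: one line per profile; the exit status is the
# number of profiles that are not in enforce mode (0 means all are enforced).
report_profiles() {
    file="$1"; shift
    bad=0
    for p in "$@"; do
        mode=$(profile_mode "$p" "$file")
        echo "$p: $mode"
        [ "$mode" = enforce ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample of the kernel's profile list so the script runs offline;
# the names are illustrative, not the exact names used by Whonix's packages.
SAMPLE_PROFILES=$(mktemp)
trap 'rm -f "$SAMPLE_PROFILES"' EXIT
cat > "$SAMPLE_PROFILES" <<'EOF'
/usr/bin/sdwdate (enforce)
/home/user/tor-browser_en-US/Browser/firefox (enforce)
/usr/bin/hexchat (complain)
EOF

report_profiles "$SAMPLE_PROFILES" /usr/bin/sdwdate /usr/bin/hexchat /usr/bin/icedove || echo "$? profile(s) not enforced"
```

On a real system, run `report_profiles /sys/kernel/security/apparmor/profiles <names>` with the names from the ls output above (the kernel list uses the profile's declared name, which may be a path).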

More Profiles

These are listed only as additional inspiration: profiles by vendors other than Whonix, unsupported by the Whonix developers. Don't bother installing an AppArmor profile for an application you are not going to use anyway; for example, it is a waste of time to install the dovecot AppArmor profile if you are never going to use dovecot.

Support

Development

  1. Since Qubes Q3, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.