AppArmor


Introduction

Whonix provides AppArmor profiles for several of the applications it ships (Tor Browser, sdwdate, whonixcheck and others; see the list under Installation). A confined application can only access the files and capabilities its profile allows, which limits what a bug or exploit in that application can do. For better security.

Installation

Introduction

The following steps should be completed in dom0 for both the whonix-gw-14 and whonix-ws-14 TemplateVMs. After these settings have been applied to the Whonix templates, sys-whonix (ProxyVM) and anon-whonix (AppVM) inherit the AppArmor kernel settings, so it is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[1] A TemplateBasedVM whose kernelopts have been set explicitly keeps its own value instead of the template's; this is why the commands below also set the option on sys-whonix and anon-whonix directly. Afterwards, verify that AppArmor is actually active inside the sys-whonix and anon-whonix VMs rather than trusting the dom0 setting alone.

Whonix-Gateway

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-gw-14 kernelopts

On Qubes R3.2 and later releases this shows.

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-gw-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM, open a terminal inside it (not in dom0) and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-ws-14 kernelopts

On Qubes R3.2 and later releases this shows.

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-ws-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM, open a terminal inside it (not in dom0) and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0
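The Whonix-Gateway and Whonix-Workstation procedures above are the same operation applied to two templates and their TemplateBasedVMs. The script below is an added example and not part of the Whonix documentation: it reads a VM's current kernelopts, appends only the AppArmor options that are missing (so existing parameters such as nopat survive and nothing is duplicated if it is run twice), writes the result back and re-reads it to verify. It assumes it runs in dom0, where qvm-prefs is available; the VM names on the command line are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki). Run in dom0:
#   sh add-apparmor-kernelopts.sh --apply whonix-gw-14 sys-whonix whonix-ws-14 anon-whonix
# Without --apply only the functions are defined, so the file can be sourced.

APPARMOR_OPTS="apparmor=1 security=apparmor"

# merge_kernelopts CURRENT
# Print CURRENT with any missing AppArmor options appended, as one
# space-separated line. Options already present are left alone, so the
# function is idempotent and never drops an existing parameter.
merge_kernelopts() {
    result="$1"
    for opt in $APPARMOR_OPTS; do
        case " $result " in
            *" $opt "*) ;;                             # already there
            *) result="${result:+$result }$opt" ;;     # append; space only if non-empty
        esac
    done
    printf '%s\n' "$result"
}

# apparmor_opts_present OPTS
# Return 0 only if every required AppArmor option is in OPTS.
apparmor_opts_present() {
    for opt in $APPARMOR_OPTS; do
        case " $1 " in
            *" $opt "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# set_vm_apparmor VM
# Read, merge, write back and re-read the VM's kernelopts, failing if the
# re-read value does not contain the AppArmor options.
set_vm_apparmor() {
    vm="$1"
    before=$(qvm-prefs -g "$vm" kernelopts) || return 1
    after=$(merge_kernelopts "$before")
    if [ "$before" = "$after" ]; then
        echo "$vm: kernelopts already contain the AppArmor options ($before)"
        return 0
    fi
    qvm-prefs -s "$vm" kernelopts "$after" || return 1
    check=$(qvm-prefs -g "$vm" kernelopts)
    if ! apparmor_opts_present "$check"; then
        echo "$vm: verification failed, kernelopts is now: $check" >&2
        return 1
    fi
    echo "$vm: kernelopts '$before' -> '$check'"
}

if [ "${1:-}" = "--apply" ]; then
    shift
    for vm in "$@"; do
        set_vm_apparmor "$vm" || exit 1
    done
fi
```

Setting kernelopts in dom0 only tells the VM kernel to enable AppArmor; the check inside the running VM (aa-status --enabled) is still the step that proves it took effect.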

The profile packages are available from Whonix's APT repository.

Enable the Whonix testers repository in both Whonix-Gateway and Whonix-Workstation (in Qubes-Whonix, in the whonix-gw-14 and whonix-ws-14 TemplateVMs). Packages in the testers repository have received less testing than stable ones, so switch back to the stable repository once the profiles are installed (see Revert any Whonix Repository Change below).

sudo whonix_repository --enable --repository testers

Update the package lists.

sudo apt-get update

Install All AppArmor Profiles

The easiest method is to install all available AppArmor profiles. This loads a few profiles for software that is not installed, but a profile only attaches to processes that execute the path it names, so a profile for an absent program is inert and has no adverse impact.

sudo apt-get install apparmor-profiles-whonix

Install Select AppArmor Profiles

Profile for Tor Browser. Useful in Whonix-Workstation. [3]

sudo apt-get install apparmor-profile-torbrowser

Profile for sdwdate. [4] Useful in Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-sdwdate

Profile for the HexChat Chat client. Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-xchat

Profile for the Mozilla Thunderbird E-Mail client. Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-icedove

Profile for whonixcheck. Useful in Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-whonixcheck

Profile for VirtualBox. This is useful on the host, but there are no documented instructions for this procedure yet. It is also useful if running VirtualBox inside VirtualBox.

sudo apt-get install apparmor-profile-virtualbox

Revert any Whonix Repository Change

If AppArmor profiles were installed from the testers repository, reverting to the stable repository is recommended.

sudo whonix_repository --enable --repository stable

Update the package lists.

sudo apt-get update

Profile Unloading

To view the list of all available profile files, run.

ls /etc/apparmor.d/

To unload a profile that is loaded in the kernel (and keep it from being loaded again at the next boot), run.

sudo aa-disable /etc/apparmor.d/profile-name

This command expects the profile file to exist, because it reads the profile's name from the file. If the file has been deleted manually or via apt-get purge, aa-disable can no longer unload it; the profile then stays loaded until the VM is rebooted, or until it is removed by its kernel profile name through the kernel's apparmorfs interface.

The name of the specific profile to unload must be known in advance - refer to the list further above. Note that the profile name the kernel uses (the one shown by aa-status) is not necessarily the same as the file name under /etc/apparmor.d/.
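aa-disable, aa-enforce and aa-status all work with the kernel profile name, which is taken from the profile's header line and is not the file name under /etc/apparmor.d/ (the Tor Browser profile file, for instance, defines a profile named after the firefox binary path, /home/**/tor-browser*/Browser/firefox, as the denial message later on this page shows). The script below is an added example, not part of Whonix: it extracts that name from a profile file, checks whether the profile is loaded by reading /sys/kernel/security/apparmor/profiles, and unloads it with aa-disable while the file exists, or, when the file has already been purged, by writing the name to /sys/kernel/security/apparmor/.remove, the apparmorfs interface apparmor_parser -R itself uses. The functions that touch the kernel run only with --unload; the name extraction can be exercised on any profile text.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki). Usage, inside the VM:
#   sh aa-unload.sh --unload /etc/apparmor.d/usr.bin.whonixcheck
#   sh aa-unload.sh --unload /etc/apparmor.d/purged-file "/usr/bin/whonixcheck"  # file gone: give the name
# Without --unload only the functions are defined.

# profile_name_from_text
# Read a profile on stdin and print the kernel profile name from its header:
#   /usr/bin/whonixcheck flags=(complain) {                -> /usr/bin/whonixcheck
#   profile torbrowser /home/**/tor-browser*/Browser/firefox {  -> torbrowser
# Comments, blank lines, include and abi lines and @{VAR}= definitions come
# before the header and are skipped. Quoted profile names are not handled.
profile_name_from_text() {
    awk '
        /^[[:space:]]*(#|$)/                    { next }   # comment, blank, #include
        /^[[:space:]]*(include|abi)[[:space:]<]/ { next }   # include "...", abi <...>,
        /^[[:space:]]*@/                        { next }   # @{VAR}=... definitions
        /[{][[:space:]]*$/ {                                 # first block opener is the header
            sub(/^[[:space:]]+/, "")
            if ($1 == "profile") print $2; else print $1
            exit
        }'
}

# apparmor_profile_loaded NAME
# Return 0 if NAME is currently loaded (in any mode) in the running kernel.
apparmor_profile_loaded() {
    sed 's/ ([a-z]*)$//' /sys/kernel/security/apparmor/profiles 2>/dev/null |
        grep -qxF -- "$1"
}

# unload_profile FILE [NAME]
# Unload the profile defined in FILE. If FILE no longer exists, NAME must be
# given and the profile is removed by name through apparmorfs. Verifies afterwards.
unload_profile() {
    file="$1"
    name="${2:-}"
    if [ -f "$file" ]; then
        name=$(profile_name_from_text < "$file")
        sudo aa-disable "$file" || return 1      # unloads and marks it disabled for future boots
    elif [ -n "$name" ]; then
        printf '%s' "$name" | sudo tee /sys/kernel/security/apparmor/.remove >/dev/null || return 1
    else
        echo "$file does not exist; pass the kernel profile name as the second argument" >&2
        return 2
    fi
    if apparmor_profile_loaded "$name"; then
        echo "still loaded: $name" >&2
        return 1
    fi
    echo "unloaded: $name"
}

if [ "${1:-}" = "--unload" ]; then
    shift
    unload_profile "$@"
fi
```

Removing a profile through .remove takes effect immediately but, unlike aa-disable, leaves nothing behind that stops the profile from being loaded again if its file reappears (for example when the package is reinstalled).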

Maintain a Functional Tor Browser

Tor Browser upgrades frequently break the Whonix AppArmor profile used to contain it. Even when AppArmor related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix stable or even the developer version. This means manual profile fixes are required until the next Whonix version is released.

At the time of writing, Tor Browser is non-functional with the available profile in the repositories. Advanced users can follow these steps to rectify the problem.

1. Open a terminal in Whonix-Workstation TemplateVM

Whonix-WS TemplateVM -> Konsole

2. List the available AppArmor profiles

ls /etc/apparmor.d/

3. Edit the Tor Browser AppArmor profile

Note: change the name of the file to match the one listed in step 2 for the version installed on the system; the pattern below is only an illustration.

sudo nano /etc/apparmor.d/home.*.tor-browser_*Browser.firefox

4. Navigate to the Whonix Github resource for AppArmor

The latest git commits can be found here.

Select Code -> etc/apparmor.d -> home.tor-browser.firefox

Select the Raw button on the right-hand side. [5]


Copy the raw profile text and paste it into the old Tor Browser profile which is open in nano, replacing the old content entirely. Save and exit.

5. Enforce the new Tor Browser profile

Note: In the command below, change the name of the file to match whatever version is installed on the system. aa-enforce reloads the profile into the kernel and reports a parse error if the pasted text is malformed; fix the file before continuing rather than rebooting with a broken profile.

In the Whonix-Workstation TemplateVM, run.

sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

6. Shutdown Whonix-Workstation TemplateVM and any running instances of Whonix-Workstation AppVM

7. Restart the Whonix-Workstation AppVM

Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored: it only records that Firefox was refused a directory listing of /dev/, which it does not need.

Profile: /home/**/tor-browser*/Browser/firefox Operation: open Name: /dev/ Denied: r Logfile: /var/log/kern.log For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor

To manually check AppArmor is really running and the profile is enforced, in a terminal run.

sudo aa-status

The output should list the Tor Browser profile (/home/**/tor-browser*/Browser/firefox) among the profiles in enforce mode, and the firefox processes among those confined by it while Tor Browser is running.
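Steps 3 to 5 above paste a replacement profile over the installed one by hand. The script below is an added example, not a Whonix tool: given the installed profile file and a file holding the replacement text (for instance saved from the Raw view on GitHub), it refuses to install anything that does not look like an AppArmor profile, which catches the copy-and-paste failures footnote 5 warns about (a web page copied instead of the raw text, prepended line numbers, a truncated paste with unbalanced braces), keeps a backup of the old profile outside /etc/apparmor.d/, and only then calls aa-enforce, restoring the backup if the load fails. The plausibility check is a heuristic on the text, not a parse; aa-enforce remains the authority on whether the profile is valid. The file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki). Usage, in the Whonix-Workstation TemplateVM:
#   sh replace-profile.sh --install /etc/apparmor.d/home.tor-browser.firefox /tmp/home.tor-browser.firefox.new
# Without --install only the functions are defined.

# Backups must not live under /etc/apparmor.d/: everything in that directory
# is loaded at boot, so a stale copy would be loaded next to the new profile.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/apparmor.d}"

# profile_text_plausible
# Read candidate profile text on stdin; return 0 if it looks like an AppArmor
# profile, 1 with a reason on stderr otherwise. Heuristic checks only:
#   - no HTML tags (a web page was copied instead of the raw file)
#   - no lines starting with a line number (copied from a numbered view)
#   - at least one block header line ending in "{"
#   - balanced braces (a truncated paste is the common failure)
profile_text_plausible() {
    awk '
        BEGIN { depth = 0; headers = 0; bad = 0 }
        /^[[:space:]]*#/ { next }                           # comments never count
        /<(html|body|div|span|table)[ >]/ {
            print "looks like HTML, not a raw profile" > "/dev/stderr"; bad = 1; exit 1
        }
        /^[0-9]+[[:space:]]/ {
            print "line numbers present: " $0 > "/dev/stderr"; bad = 1; exit 1
        }
        /[{][[:space:]]*$/ { headers++ }
        {
            line = $0
            depth += gsub(/[{]/, "", line)                  # @{VAR} references balance out
            depth -= gsub(/[}]/, "", line)
            if (depth < 0) { print "unexpected closing brace" > "/dev/stderr"; bad = 1; exit 1 }
        }
        END {
            if (bad) exit 1
            if (headers == 0) { print "no profile header found" > "/dev/stderr"; exit 1 }
            if (depth != 0) { print "unbalanced braces, depth " depth " at end" > "/dev/stderr"; exit 1 }
            exit 0
        }'
}

# install_profile INSTALLED NEW
# Replace INSTALLED with NEW after the plausibility check, keep a backup, then
# load it with aa-enforce; on failure put the backup back and reload that.
install_profile() {
    installed="$1"
    new="$2"
    profile_text_plausible < "$new" || { echo "refusing to install $new" >&2; return 1; }
    sudo mkdir -p "$BACKUP_DIR" || return 1
    backup="$BACKUP_DIR/$(basename "$installed").$(date +%Y%m%d%H%M%S)"
    sudo cp -p "$installed" "$backup" || return 1
    sudo cp "$new" "$installed" || return 1
    if sudo aa-enforce "$installed"; then
        echo "installed $new as $installed (backup: $backup)"
    else
        echo "aa-enforce failed; restoring $backup" >&2
        sudo cp -p "$backup" "$installed"
        sudo aa-enforce "$installed"
        return 1
    fi
}

if [ "${1:-}" = "--install" ]; then
    shift
    install_profile "$@"
fi
```

After a successful install, shut down the TemplateVM and restart the AppVM as in steps 6 and 7; the AppVM only sees the new profile file once it is restarted from the updated template.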

Fixing Other Whonix AppArmor Profiles

Advanced users can imitate the method outlined above to resolve similar AppArmor problems impacting full functionality of applications in Whonix. For instance, at the time of writing the whonixcheck AppArmor profile causes continuous "denied" messages in Qubes-Whonix. Resolving this is quite simple: [6]

  • Navigate to the raw updated whonixcheck profile.
  • In both the Whonix-Gateway (whonix-gw-14) and Whonix-Workstation (whonix-ws-14) TemplateVMs, replace the existing content in /etc/apparmor.d/usr.bin.whonixcheck with the updated github content.
  • Shutdown both TemplateVMs and any running instances of sys-whonix and anon-whonix.
  • Restart the sys-whonix and anon-whonix AppVMs.

Inspecting and Disabling AppArmor Notifications

From Whonix 14, apparmor-notify is no longer installed by default. This means desktop notifications will not appear for AppArmor denied messages; the denials are still recorded in /var/log/audit/audit.log [7] [8] [9]

Inspect Notifications

To inspect relevant logs, run.

kdesudo kwrite /var/log/audit/audit.log

To show denied AppArmor messages of any age, run.

sudo grep -i DENIED /var/log/audit/audit.log

It is possible to keep watching the file as it is appended. This is useful for reproducing AppArmor denied messages and testing amended profiles.

sudo tail -f /var/log/audit/audit.log | grep --line-buffered DENIED
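grep shows the raw denial records; what a profile fix actually needs is the set of distinct profile, operation, path and denied-mask combinations and how often each occurs. The script below is an added example, not part of Whonix: it reduces AppArmor denial records to that summary with awk. So that it runs offline, it is shown on a few constructed audit lines written in the format AppArmor uses (type=AVC ... apparmor="DENIED" ...); they are not taken from a real system. Give it the real log as an argument (with sudo) to use it. The first sample record is the harmless /dev/ read from the Tor Browser section; a summary like this is also how to tell such noise from a denial that really blocks an application.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki). Usage on the real log:
#   sudo sh aa-denials.sh /var/log/audit/audit.log
# With no argument it summarises the constructed sample below.

# Constructed sample records (not from a real system). The fields worth
# keeping are profile, operation, name (the path) and denied_mask.
SAMPLE_LOG='type=AVC msg=audit(1540000000.100:101): apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/" pid=1200 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1540000000.200:102): apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/machine-id" pid=1300 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1540000000.300:103): apparmor="DENIED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/machine-id" pid=1301 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1540000000.400:104): apparmor="ALLOWED" operation="open" profile="/usr/bin/sdwdate" name="/etc/sdwdate.d/" pid=1400 comm="sdwdate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1540000000.500:105): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/bin/curl" pid=1302 comm="whonixcheck" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'

# summarise_denials
# Read audit records on stdin; print one tab-separated line per distinct
# profile/operation/name/denied_mask, prefixed with its count, most frequent
# first. Records that are not AppArmor DENIED records (other audit types,
# ALLOWED records from complain-mode profiles) are ignored.
summarise_denials() {
    awk '
        /apparmor="DENIED"/ {
            split("", f)                          # clear the field map for this record
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")                # key="value" or key=value
                v = kv[2]; gsub(/"/, "", v)
                f[kv[1]] = v
            }
            key = f["profile"] "\t" f["operation"] "\t" f["name"] "\t" f["denied_mask"]
            count[key]++
        }
        END {
            for (k in count) printf "%d\t%s\n", count[k], k
        }' | sort -rn -t "$(printf '\t')" -k1,1
}

if [ -n "${1:-}" ]; then
    summarise_denials < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summarise_denials
fi
```

On the sample this yields three lines: the whonixcheck read of /etc/machine-id twice, its attempt to execute /usr/bin/curl once, and the Tor Browser /dev/ listing once; the sdwdate ALLOWED record is left out because a complain-mode profile logs but does not block.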

Disable AppArmor Notifications

If users installed apparmor-notify manually, some applications may be functional while AppArmor "denied" messages constantly appear on the desktop. Rather than updating the relevant AppArmor profile(s), it is possible to disable the notifications. Note that this only silences the desktop pop-ups: the denials still happen and are still written to the audit log, so an application that is malfunctioning because its profile is too strict is not fixed by this.

In the offending Whonix (App)VM, launch Konsole and run.

sudo killall aa-notify

To revert this change, reboot the VM.

More Profiles

Users can also utilize profiles by other vendors, but this is unsupported by Whonix developers. It is not necessary to install an AppArmor profile for applications that will not be used. For example, it is unnecessary to install the dovecot AppArmor profile if it will never be run.

Support

Development

Footnotes

  1. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
  2. Broken link: https://www.whonix.org/old-forum/index.php/topic,1548.0.html
  3. Tor Browser is installed by tb-updater, which comes installed by default in Whonix.
  4. sdwdate, Whonix's network time synchronization daemon, is installed by default.
  5. Otherwise essential profile formatting might break, or unwanted content (such as line numbers) might be copied inadvertently, causing the profile to become non-functional.
  6. This issue has been fixed in Whonix 14.
  7. To install it, run: sudo apt-get update && sudo apt-get install apparmor-notify
  8. https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563
  9. The Debian default location is /var/log/kern.log


Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)