AppArmor


Installation

It is recommended to install the available AppArmor profiles for improved security on the Whonix platform.

Introduction

The following applies to Qubes-Whonix, where AppArmor is enabled by passing kernel parameters to the Whonix VMs from dom0 before any profiles are installed.

The following steps should be completed in dom0 for both whonix-gw-14 and whonix-ws-14 TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[2] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-gw-14 kernelopts

On Qubes R3.2 and later releases the output is:

nopat

Keep the existing kernel parameters and append apparmor=1 security=apparmor. For example, when the current value is nopat:

qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-gw-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM, open a terminal inside it and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

An exit status of 0 confirms AppArmor is enabled:

0

Whonix-Workstation

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-ws-14 kernelopts

On Qubes R3.2 and later releases the output is:

nopat

Keep the existing kernel parameters and append apparmor=1 security=apparmor. For example, when the current value is nopat:

qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-ws-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM, open a terminal inside it and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

An exit status of 0 confirms AppArmor is enabled:

0
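As an added example that is not part of the Whonix wiki, the following dom0 shell functions automate the Whonix-Gateway and Whonix-Workstation steps above. merge_kernelopts appends apparmor=1 security=apparmor to an existing kernelopts string only where the options are missing, so a value such as nopat is preserved and re-running is harmless; apply_apparmor_kernelopts and verify_apparmor_enabled wrap qvm-prefs and qvm-run -p, which are assumed to be available in dom0 as on this page.

```shell
#!/bin/bash
# Added example for the two dom0 procedures above; not part of the Whonix wiki.
# It merges the AppArmor boot parameters into whatever kernelopts a VM already
# has, so existing options such as "nopat" are kept and nothing is duplicated.

# merge_kernelopts CURRENT WANTED
# Print CURRENT with every space-separated option in WANTED appended,
# skipping options that are already present. Pure string handling, so it can
# be tested without Qubes.
merge_kernelopts() {
    local current="$1" wanted="$2" result opt
    result="$current"
    for opt in $wanted; do
        case " $result " in
            *" $opt "*) ;;                          # already set, keep it once
            *) result="${result:+$result }$opt" ;;  # append, space-separated
        esac
    done
    printf '%s\n' "$result"
}

# apply_apparmor_kernelopts VM...
# For each VM: read kernelopts with qvm-prefs -g, merge, write back with
# qvm-prefs -s only if something changed, then print the resulting value.
# Assumes it runs in dom0 with the qvm-prefs syntax used on this page.
apply_apparmor_kernelopts() {
    local vm current new
    for vm in "$@"; do
        current="$(qvm-prefs -g "$vm" kernelopts)"
        new="$(merge_kernelopts "$current" "apparmor=1 security=apparmor")"
        if [ "$new" != "$current" ]; then
            qvm-prefs -s "$vm" kernelopts "$new"
        fi
        printf '%s: %s\n' "$vm" "$(qvm-prefs -g "$vm" kernelopts)"
    done
}

# verify_apparmor_enabled VM
# Run the page's in-VM check from dom0; prints 0 when AppArmor is active.
# Assumes qvm-run -p (pass stdio) is available in dom0.
verify_apparmor_enabled() {
    qvm-run -p "$1" 'sudo aa-status --enabled; echo $?'
}

# Typical use:
#   apply_apparmor_kernelopts whonix-gw-14 sys-whonix whonix-ws-14 anon-whonix
#   verify_apparmor_enabled sys-whonix
#   verify_apparmor_enabled anon-whonix
```

Because the merge is idempotent, the same invocation can be used on the TemplateVM and on the TemplateBasedVM; a VM that already carries the parameters is left untouched, and a VM with empty kernelopts receives only the two AppArmor options.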

The profile packages are available from Whonix's APT repository. Complete the following steps in both Whonix-Workstation and Whonix-Gateway (on Qubes-Whonix, in the whonix-ws-14 and whonix-gw-14 TemplateVMs).

Enable the Whonix testers repository.

sudo whonix_repository --enable --repository testers

Update the package lists.

sudo apt-get update

Install all AppArmor Profiles

The easiest method is to install all available AppArmor profiles. This results in a few profiles being loaded for software that is not installed, which has no adverse impact because a profile only takes effect when its executable runs.

sudo apt-get install apparmor-profiles-hardened-debian

Install Select AppArmor Profiles

Profile for Tor Browser. Useful in Whonix-Workstation. [4]

sudo apt-get install apparmor-profile-torbrowser

Profile for sdwdate. [5] Useful in Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-sdwdate

Profile for the HexChat chat client (the package keeps the former XChat name). Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-xchat

Profile for the Mozilla Thunderbird e-mail client (the package keeps Debian's former Icedove name). Useful in Whonix-Workstation.

sudo apt-get install apparmor-profile-icedove

Profile for whonixcheck. Useful in Whonix-Gateway and Whonix-Workstation.

sudo apt-get install apparmor-profile-whonixcheck

Profile for VirtualBox. This is useful on the host, but there are no documented instructions for this procedure yet. It is also useful if running VirtualBox inside VirtualBox.

sudo apt-get install apparmor-profile-virtualbox

Revert any Whonix Repository Change

If AppArmor profiles were installed from the testers repository, reverting to the stable repository is recommended.

sudo whonix_repository --enable --repository stable

Update the package lists.

sudo apt-get update

Profile Unloading

To list the installed profile files, run.

ls /etc/apparmor.d/

To unload a profile that is currently loaded in the kernel, run (substitute the file name from the list for profile-name).

sudo aa-disable /etc/apparmor.d/profile-name

aa-disable unloads the profile and links it into /etc/apparmor.d/disable/ so it is not loaded again at boot. It expects the profile file to exist: if the file has already been deleted, manually or via apt-get purge, aa-disable cannot be used. Either reboot, or unload the profile without a reboot by writing its name (as shown by aa-status) to /sys/kernel/security/apparmor/.remove as root.

The name of the specific profile to unload must be known in advance; refer to the list further above.

Common Operations

Maintain a Functional Tor Browser

Tor Browser upgrades frequently break the Whonix AppArmor profile used to contain it. Even when AppArmor-related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix stable or even the developer version. This means manual profile fixes are required until the next Whonix version is released.

At the time of writing, Tor Browser is non-functional with the available profile in the repositories. Advanced users can follow these steps to rectify the problem.

1. Open a terminal in Whonix-Workstation TemplateVM.

whonix-ws-14 -> Konsole

2. List the available AppArmor profiles.

ls /etc/apparmor.d/

3. Edit the Tor Browser AppArmor profile.

Note: change the name of the file to match whatever version is installed on the system.

sudo nano /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

4. Navigate to the Whonix AppArmor profile repository on GitHub, which carries the latest commits.

Select Code -> etc/apparmor.d -> home.tor-browser.firefox

Select the Raw button on the right-hand side. [6]


Copy the raw profile text and paste it over the entire contents of the old Tor Browser profile open in nano. Save and exit.

5. Enforce the new Tor Browser profile.

Note: In the command below, change the name of the file to match whatever version is installed on the system.

In the Whonix-Workstation TemplateVM, run.

sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox

6. Shutdown Whonix-Workstation TemplateVM and any running instances of Whonix-Workstation AppVM.

7. Restart the Whonix-Workstation AppVM.

Launch Tor Browser. If everything has been applied correctly, Tor Browser will have full functionality. If the following AppArmor warning appears, it can be safely ignored.

Profile: /home/**/tor-browser*/Browser/firefox
Operation: open
Name: /dev/
Denied: r
Logfile: /var/log/kern.log
For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor

To manually check AppArmor is correctly running and enforced, in a terminal run.

sudo aa-status

The output should show the Tor Browser profile is loaded and in enforce mode.
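As an added example that is not part of the Whonix wiki or the AppArmor tools, the following shell functions script the check above. profile_mode parses aa-status output (a constructed sample is embedded in the block; its profile names are illustrative) and reports whether a named profile is in enforce mode, complain mode, or not loaded at all, and require_enforced runs it against the live sudo aa-status so a TemplateVM change can be verified non-interactively.

```shell
#!/bin/bash
# Added example; not part of the Whonix wiki or the aa-status tool. It turns
# the manual "look for the profile in the enforce list" check into a function
# that can be scripted after replacing a Tor Browser or whonixcheck profile.

# Constructed sample of aa-status output. The layout follows what the real
# tool prints; the profile names and pids are illustrative only.
SAMPLE_AA_STATUS='apparmor module is loaded.
5 profiles are loaded.
4 profiles are in enforce mode.
   /home/**/tor-browser*/Browser/firefox
   /usr/bin/sdwdate
   /usr/bin/whonixcheck
   /usr/sbin/tor
1 profiles are in complain mode.
   /usr/bin/hexchat
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/tor (812)
   /usr/bin/sdwdate (901)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# profile_mode NAME   (aa-status text on stdin)
# Prints "enforce", "complain" or "not loaded" for the exact profile NAME.
# Only the profile section is read; parsing stops at the per-process section
# so a running-process line never masquerades as a loaded profile.
profile_mode() {
    awk -v want="$1" '
        /profiles are in enforce mode/    { mode = "enforce";  next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { exit }
        mode != "" {
            name = $0
            sub(/^[ \t]+/, "", name)
            if (name == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "not loaded" }
    '
}

# require_enforced NAME
# Live check for use inside a VM: succeeds (exit 0) only if NAME is enforced.
# Assumes aa-status and sudo are available, as on this page.
require_enforced() {
    local mode
    mode="$(sudo aa-status | profile_mode "$1")"
    printf '%s: %s\n' "$1" "$mode"
    [ "$mode" = "enforce" ]
}

# Typical use in Whonix-Workstation after fixing the Tor Browser profile:
#   require_enforced '/home/**/tor-browser*/Browser/firefox'
```

A profile that appears under complain mode is loaded but only logs violations, so require_enforced treats it as a failure; that distinction is easy to miss when reading aa-status by eye.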

Correcting Other Whonix AppArmor Profiles

Advanced users can follow the same method to resolve other AppArmor problems impacting full functionality of applications in Whonix. For instance, in Whonix 13 the whonixcheck AppArmor profile caused continuous "denied" messages in Qubes-Whonix. Resolving this was quite simple: [7]

  • Navigate to the raw updated whonixcheck profile.
  • In both the Whonix-Gateway (whonix-gw-14) and Whonix-Workstation (whonix-ws-14) TemplateVMs, replace the existing content in /etc/apparmor.d/usr.bin.whonixcheck with the updated github content.
  • Shutdown both TemplateVMs and any running instances of sys-whonix and anon-whonix.
  • Restart the sys-whonix and anon-whonix AppVMs.

Inspecting and Disabling AppArmor Notifications

From Whonix 14, apparmor-notify is no longer installed by default. This means no desktop notifications appear for AppArmor denied messages; the messages are recorded in /var/log/audit/audit.log instead. [8] [9] [10]

Inspect Notifications

To inspect the relevant log, open /var/log/audit/audit.log in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix with KDE, run.

kdesudo kwrite /var/log/audit/audit.log

If you are using a graphical Whonix or Qubes-Whonix with XFCE, run.

kdesudo mousepad /var/log/audit/audit.log

If you are using a terminal-only Whonix, run.

sudo nano /var/log/audit/audit.log

To show AppArmor denied messages of any age, run.

sudo grep -i DENIED /var/log/audit/audit.log

It is possible to keep watching the file as it is appended. This is useful for reproducing AppArmor denied messages and testing amended profiles.

sudo tail -f /var/log/audit/audit.log | grep --line-buffered DENIED
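As an added example that is not part of the Whonix wiki or the AppArmor tooling, the following shell functions group the DENIED records that the grep commands above print, so denials can be counted per profile, operation, path and mask and turned into candidate profile rules before re-testing with tail -f. The audit records, profile names, pids and paths in the block are constructed sample data; summarize_denials reads audit.log format on stdin (sudo cat /var/log/audit/audit.log | summarize_denials on a real system).

```shell
#!/bin/bash
# Added example; not part of the Whonix wiki. Instead of eyeballing grep output,
# it groups DENIED events by profile, operation, path and denied mask, which is
# the view you need before amending a profile and re-testing it.

# Constructed sample of auditd AppArmor records. The field layout follows what
# auditd writes (type=AVC ... apparmor="DENIED" operation=... profile=...
# name=... denied_mask=...); timestamps, pids and paths are made up.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1530000000.123:45): apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/" pid=2101 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1530000001.456:46): apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/dev/" pid=2101 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1530000002.789:47): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/bin/timeout" pid=3000 comm="whonixcheck" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1530000003.000:48): apparmor="DENIED" operation="capable" profile="/usr/bin/whonixcheck" pid=3000 comm="whonixcheck" capability=21  capname="sys_admin"
type=AVC msg=audit(1530000004.000:49): apparmor="ALLOWED" operation="open" profile="/usr/bin/whonixcheck" name="/etc/hosts" pid=3000 comm="whonixcheck" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# summarize_denials   (audit.log lines on stdin)
# Prints one tab-separated line per distinct denial:
#   count  profile  operation  name  denied_mask
# most frequent first. Records without a path (capability denials) show the
# capability name instead of a path and "-" as the mask. ALLOWED (complain
# mode) records are ignored.
summarize_denials() {
    awk '
    /apparmor="DENIED"/ {
        split("", f)                      # clear the field map for this record
        rest = $0
        while (match(rest, /[a-z_]+="[^"]*"/)) {          # every key="value"
            kv  = substr(rest, RSTART, RLENGTH)
            eq  = index(kv, "=")
            f[substr(kv, 1, eq - 1)] = substr(kv, eq + 2, length(kv) - eq - 2)
            rest = substr(rest, RSTART + RLENGTH)
        }
        name = ("name" in f) ? f["name"] : (("capname" in f) ? "capability " f["capname"] : "-")
        mask = ("denied_mask" in f) ? f["denied_mask"] : "-"
        count[f["profile"] "\t" f["operation"] "\t" name "\t" mask]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3
}

# rule_hint   (summarize_denials output on stdin)
# For each summary line, print the profile and the rule you would consider
# adding. Exec denials need an explicit execute mode, so they get a reminder
# rather than a ready-made rule; capability denials are flagged separately.
rule_hint() {
    awk -F'\t' '
        $5 == "-" { printf "%s: %s %s (no path rule; check capability or network rules)\n", $2, $3, $4; next }
        $5 ~ /x/  { printf "%s: %s needs an exec rule; pick ix, Px or Ux deliberately\n", $2, $4; next }
                  { printf "%s: add \"%s %s,\"\n", $2, $4, $5 }
    '
}

# Typical use on a live system, while reproducing the problem in another window:
#   sudo cat /var/log/audit/audit.log | summarize_denials | rule_hint
```

The counts matter: the repeated /dev/ read denial from the Tor Browser profile is the benign warning mentioned earlier and can be left alone, whereas a single exec denial from whonixcheck is the kind of record that explains a broken application and is worth a profile change.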

Disable Notifications

If apparmor-notify was installed manually, some applications may remain functional while AppArmor "denied" messages constantly appear on the desktop. Rather than updating the relevant AppArmor profile(s), the notifications can be disabled.

In the offending Whonix (App)VM, launch Konsole and run.

sudo killall aa-notify

To revert this change, reboot the VM.

More Profiles

Users can also utilize profiles by other vendors, but this is unsupported by Whonix developers. It is not necessary to install an AppArmor profile for applications that will not be used. For example, it is unnecessary to install the dovecot AppArmor profile if it will never be run.

Support

Development

Footnotes

  1. Non-Qubes-Whonix means all Whonix platforms except Qubes-Whonix. This includes KVM, VirtualBox and Physical Isolation.
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
  3. Broken link: https://www.whonix.org/old-forum/index.php/topic,1548.0.html
  4. Tor Browser is installed by tb-updater, which is a default Whonix application.
  5. sdwdate, the network time synchronisation daemon, is installed in Whonix by default.
  6. Otherwise essential profile formatting might break, or unwanted content (such as line numbers) might be copied inadvertently, causing the profile to become non-functional.
  7. This issue was fixed in the Whonix 14 release.
  8. To install it, run: sudo apt-get update && sudo apt-get install apparmor-notify
  9. https://forums.whonix.org/t/whonix-14-debian-stretch-apparmor-related-changes/3563
  10. The Debian default location is /var/log/kern.log; the messages go to /var/log/audit/audit.log when auditd is installed.
