This is an AppArmor policy to confine all user space processes on the system which allows one to enforce a strong security model and follow principle of least privilege. An AppArmor policy for the init, systemd is loaded in the initramfs which then applies to all other processes. Specific policies for many system services/applications are also enforced.
This follows design ideas already present in other operating systems such as Android and attempts to make something similar available on desktop Linux.
In addition to locking down user space, this also protects the kernel as it restricts access to kernel interfaces like
/sys, making kernel pointer and other leaks much less likely.
This does not and cannot confine the kernel or initramfs.
This is expected to be used in combination with other security technologies such as a hardened kernel, strong sandboxing architecture, verified boot and so on.
apparmor-profile-everything supports different boot modes: aadebug and superroot. aadebug allows certain permissions necessary for advanced debugging and superroot relaxes the policy substantially, even making bypasses possible. It is highly recommended to stick to the default boot mode.
It also contains a wrapper to restrict apt as apt requires permissions that may be abused to circumvent the policy. When updating or installing applications, you must use the rapt command.
This is still in development and breakage is likely. This should only be used by developers for now.
- Broken in Qubes-Whonix.
- Only developed for Non-Qubes-Whonix by @madaidan.
- Nobody working on Qubes-Whonix support. (Mentioned in Qubes-Whonix Security Disadvantages - Help Wanted! [archive])
- https://github.com/Whonix/apparmor-profile-everything [archive]
- https://forums.whonix.org/t/using-apparmor-profile-everything-on-debian-buster/8650 [archive]
- https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339 [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.