Actions

Qubes/AppArmor

< Qubes

Qubes-Whonix users require some extra instructions for setting up AppArmor.

If you are interested, click on Expand on the right.

Proceed at your own risk!

Info
If considering the use of Tor bridges, be aware that AppArmor has caused problems with obfsproxy in the past. [1]


The following steps should be completed in dom0 for both whonix-gw and whonix-ws TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings. It is unnecessary for users to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from these new kernel parameters.[2] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

[select code]
qvm-prefs -g whonix-gw kernelopts
[select code]
qvm-prefs -g whonix-gw-14 kernelopts

For Qubes R3.2, and later releases this will show.

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

[select code]
qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"
[select code]
qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
[select code]
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

[select code]
qvm-prefs -g whonix-gw kernelopts
[select code]
qvm-prefs -g whonix-gw-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM and confirm AppArmor is now active.

[select code]
sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

[select code]
qvm-prefs -g whonix-ws kernelopts
[select code]
qvm-prefs -g whonix-ws-14 kernelopts

For Qubes R3.2, and later releases this will show.

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

[select code]
qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"
[select code]
qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
[select code]
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

[select code]
qvm-prefs -g whonix-ws kernelopts
[select code]
qvm-prefs -g whonix-ws-14 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM and confirm AppArmor is now active.

[select code]
sudo aa-status --enabled ; echo $?

The output should show.

0

See also Whonix's general documentation on AppArmor.

Random News:

Please help us to improve the Whonix Wikipedia Page. Also see the feedback thread.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)

  1. https://github.com/Whonix/Whonix/issues/67
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.
Retrieved from "http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=Qubes/AppArmor&oldid=19119"