Qubes/AppArmor
From Whonix
< Qubes
Qubes-Whonix ™ users require some extra instructions for setting up AppArmor.
The following steps should be completed in dom0 for both whonix-gw-15 and whonix-ws-15 TemplateVMs. [1] After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[2] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-gw-15 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.
For example.
qvm-prefs -s whonix-gw-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-15 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the sys-whonix ProxyVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Whonix-Workstation ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-ws-15 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.
For example.
qvm-prefs -s whonix-ws-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-15 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the anon-whonix AppVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Debugging[edit]
If you see any of the following messages that means the instructions above have not been applied.
sudo systemctl status apparmor
Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles… Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges? Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result ‘exit-code’. Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.
sudo /lib/apparmor/apparmor.systemd reload
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
See Also[edit]
See also Whonix ™ general documentation on AppArmor.
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
Love Whonix and want to help spread the word? You can start by telling your friends or posting news [archive] about Whonix on your website, blog or social media.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].
Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.
- ↑ While Debian enabled AppArmor by default since Debian buster, Fedora does not. This matters since Qubes, which is Fedora based, by default uses dom0, not VM kernel. Therefore this is still required even though Whonix 15 is Debian buster based.
- ↑ Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM [archive].