Qubes/AppArmor

Qubes-Whonix users require some extra instructions for setting up AppArmor.

Proceed at your own risk!
Note: If considering the use of Tor bridges, be aware that AppArmor has caused problems with obfsproxy in the past. [1]

The following steps should be completed in dom0 for both the Whonix-Gateway (commonly called whonix-gw) and the Whonix-Workstation (commonly called whonix-ws) TemplateVMs. It is also important to check AppArmor is active in the TemplateBasedVMs sys-whonix and anon-whonix after making the changes.

Note: After these settings are applied to the TemplateVMs, the TemplateBasedVMs based on the whonix-gw / whonix-ws Whonix templates - namely anon-whonix and sys-whonix - will inherit the AppArmor kernel settings. It is not necessary to recreate the anon-whonix and sys-whonix TemplateBasedVMs to benefit from this change. [2]

Whonix-Gateway

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -l whonix-gw kernelopts

As of Qubes R3.2, this shows:
nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -l whonix-gw kernelopts

The output should show that AppArmor is part of the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM and, in a terminal inside it, check that AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show:
0

Whonix-Workstation

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -l whonix-ws kernelopts

As of Qubes R3.2, this shows:
nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -l whonix-ws kernelopts

The output should show that AppArmor is part of the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM and, in a terminal inside it, check that AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show:
0
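
The Whonix-Gateway and Whonix-Workstation steps above can be scripted so that the existing kernel parameters are always preserved and a second run changes nothing. This is an added example, not part of the original wiki page or of Whonix or Qubes; the function names are hypothetical, it assumes "qvm-prefs -l <vm> kernelopts" prints only the option string, and it chooses to replace any existing apparmor= or security= value.

```sh
#!/bin/sh
# Added example (not from the Whonix wiki): merge the AppArmor parameters
# into a TemplateVM's existing kernelopts without dropping what is set.

# merge_kernelopts "<current kernelopts>" prints the merged option string.
# Other options keep their order; existing apparmor=/security= values are
# replaced (a choice made by this example), so a second run is a no-op.
# The body runs in a subshell so "set -f" (no globbing) stays local.
merge_kernelopts() (
    set -f
    merged=""
    for opt in $1; do
        case "$opt" in
            apparmor=*|security=*) ;;   # dropped here, re-added below
            *) merged="${merged:+$merged }$opt" ;;
        esac
    done
    printf '%s\n' "${merged:+$merged }apparmor=1 security=apparmor"
)

# enable_apparmor <template>: read, merge, write back, show the result.
# Uses the qvm-prefs -l / -s syntax shown on this page (Qubes R3.2).
# Assumption: "-l <vm> kernelopts" prints only the option string.
enable_apparmor() {
    current=$(qvm-prefs -l "$1" kernelopts) || return 1
    new=$(merge_kernelopts "$current")
    if [ "$current" = "$new" ]; then
        echo "$1: kernelopts already set: $current"
        return 0
    fi
    qvm-prefs -s "$1" kernelopts "$new" || return 1
    echo "$1: kernelopts now: $(qvm-prefs -l "$1" kernelopts)"
}

# Only touches templates when run in dom0 with template names as
# arguments, e.g.:  sh enable-apparmor.sh whonix-gw whonix-ws
if command -v qvm-prefs >/dev/null 2>&1; then
    for template in "$@"; do
        enable_apparmor "$template" || exit 1
    done
fi
```

The aa-status check is still run inside sys-whonix and anon-whonix afterwards, as described above.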

See also Whonix's general documentation on AppArmor.


  1. https://github.com/Whonix/Whonix/issues/67
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.