The following steps should be completed in dom0 for both whonix-ws-15 TemplateVMs. After these settings are applied to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the anon-whonix TemplateBasedVMs to benefit from the new kernel parameters. It is also important to verify AppArmor is active in the anon-whonix VMs after making these changes.
If you see any of the following messages, the instructions above have not been applied.
sudo systemctl status apparmor
Dec 21 06:57:56 host systemd: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd: apparmor.service: Failed with result 'exit-code'.
Dec 21 06:57:56 host systemd: Failed to start Load AppArmor profiles.
sudo /lib/apparmor/apparmor.systemd reload
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Also refer to the general Whonix ™ wiki entry concerning AppArmor.
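One way to script the verification described above, as an added example that is not part of the Whonix ™ documentation. It assumes the standard Linux locations /proc/cmdline and /sys/module/apparmor/parameters/enabled and the kernel parameters apparmor=1 security=apparmor; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether AppArmor is really active inside a VM.
# File locations are passed in so the logic can also be run on constructed input.

# cmdline_has_apparmor FILE: succeeds if both kernel parameters are present.
cmdline_has_apparmor() {
    params=$(cat "$1") || return 2
    case " $params " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $params " in *" security=apparmor "*) ;; *) return 1 ;; esac
    return 0
}

# module_enabled FILE: succeeds if the kernel reports AppArmor as enabled ("Y").
module_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]
}

# log_shows_failure TEXT: succeeds if TEXT contains one of the failure
# messages quoted on this page.
log_shows_failure() {
    printf '%s\n' "$1" | grep -q \
        -e 'Loading AppArmor profiles - failed' \
        -e 'status=4/NOPERMISSION' \
        -e 'Failed to start Load AppArmor profiles'
}

# apparmor_verdict CMDLINE_FILE ENABLED_FILE LOG_TEXT: prints a one-word verdict.
apparmor_verdict() {
    if ! cmdline_has_apparmor "$1"; then
        echo "kernelopts-missing"   # template kernel options were not applied or inherited
    elif ! module_enabled "$2"; then
        echo "not-enabled"          # kernel booted without AppArmor enabled
    elif log_shows_failure "$3"; then
        echo "profiles-failed"      # service could not load the profiles
    else
        echo "active"
    fi
}

# Real check, run inside the VM: sh this-script --check
if [ "${1:-}" = "--check" ]; then
    apparmor_verdict /proc/cmdline /sys/module/apparmor/parameters/enabled \
        "$(journalctl -b -u apparmor --no-pager 2>/dev/null)"
fi
```

Any verdict other than "active" in sys-whonix or anon-whonix means the VM should be shut down and the template settings rechecked before use.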
While Debian has enabled AppArmor by default since the buster release, Fedora has not. This matters since Qubes, which is Fedora-based, by default uses the dom0 (not VM) kernel. Therefore this is still required even though Whonix ™ is based on a recent enough Debian version.
- Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.