The following steps should be completed in dom0 for both whonix-ws-16 Templates. After these settings are applied to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (App Qube) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the anon-whonix App Qubes to benefit from the new kernel parameters. It is also important to verify AppArmor is active in the anon-whonix VMs after making these changes.

If you see any of the following messages, the instructions above have not been applied.

sudo systemctl status apparmor

Dec 21 06:57:56 host systemd: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd: apparmor.service: Failed with result ‘exit-code’.
Dec 21 06:57:56 host systemd: Failed to start Load AppArmor profiles.

sudo /lib/apparmor/apparmor.systemd reload

Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
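
One way to do the verification from inside anon-whonix after it has been restarted, as an added example that is not part of the Whonix documentation. It assumes the standard kernel interfaces `/proc/cmdline`, `/sys/module/apparmor/parameters/enabled` and `/sys/kernel/security/lsm` and the standard boot parameter `apparmor=1`; the function name and its optional path arguments are hypothetical and exist only so the check can be run against constructed files.

```shell
#!/bin/sh
# Added example (not Whonix project code). Run inside the VM, e.g. anon-whonix.
# Prints one state word and returns 0 only when AppArmor is active:
#   active                 - kernel module enabled and listed as a loaded LSM
#   requested-but-inactive - apparmor=1 reached the VM kernel, but it is not active
#   not-requested          - apparmor=1 is missing from the VM kernel command line,
#                            i.e. the template kernel settings were not inherited
apparmor_state() {
    # Optional arguments are an assumption of this example, used for testing.
    cmdline_file=${1:-/proc/cmdline}
    enabled_file=${2:-/sys/module/apparmor/parameters/enabled}
    lsm_file=${3:-/sys/kernel/security/lsm}

    # A missing file is treated as empty rather than as a fatal error.
    cmdline=$(cat "$cmdline_file" 2>/dev/null || true)
    enabled=$(cat "$enabled_file" 2>/dev/null || true)
    lsms=$(cat "$lsm_file" 2>/dev/null || true)

    # Require both signals: the module says "Y" and apparmor is a loaded LSM.
    if [ "$enabled" = "Y" ]; then
        case ",$lsms," in
            *,apparmor,*) echo "active"; return 0 ;;
        esac
    fi

    # Not active: report whether the boot parameter was passed at all.
    case " $cmdline " in
        *" apparmor=1 "*) echo "requested-but-inactive" ;;
        *) echo "not-requested" ;;
    esac
    return 1
}

# Check the running system; the message goes to stderr when AppArmor is not active.
apparmor_state || echo "AppArmor is not active in this VM" >&2
```

A result of `not-requested` corresponds to the failure messages shown above: the VM booted without the AppArmor kernel parameters.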
It is recommended to also read the general Whonix ™ AppArmor chapter.
Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Whonix ™ is based on a recent enough Debian version.
- Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.