Qubes AppArmor
From Whonix
< Qubes
Introduction[edit]
Qubes-Whonix ™ users require some extra instructions for setting up AppArmor.
AppArmor[edit]
The following steps should be completed in dom0 for both whonix-gw-16 and whonix-ws-16 Templates. [1] After these settings are applied to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (App Qube) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix and anon-whonix App Qubes to benefit from the new kernel parameters. [2] It is also important to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-gw-16 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.
For example.
qvm-prefs -s whonix-gw-16 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-16 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the sys-whonix ProxyVM and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Whonix-Workstation ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-ws-16 kernelopts
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.
For example.
qvm-prefs -s whonix-ws-16 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-16 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the anon-whonix App Qube and confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show.
0
Debugging[edit]
If you see any of the following messages that means the instructions above have not been applied.
sudo systemctl status apparmor
Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles… Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges? Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result ‘exit-code’. Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.
sudo /lib/apparmor/apparmor.systemd reload
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
See Also[edit]
It is recommended to also read the general Whonix ™ AppArmor chapter.
Footnotes[edit]
- ↑
Debian has enabled AppArmor by default since the
busterrelease, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses thedom0(not VM) kernel by default. Therefore this step is still required even though Whonix ™ is based on a recent enough Debian version. - ↑ Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template [archive].
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
|
|
| Fosshost | About Advertisements |
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | 
Freedom Software / 
Open Source (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.