Jump to: navigation, search

Qubes/AppArmor

Qubes-Whonix users require some extra instructions for setting up AppArmor.

If you are interested, click on Expand on the right.

Do this at your own risk!
Note, if you want to use Tor bridges, AppArmor has been known in the past to cause problems with obfsproxy. [1]

You will want to complete the following directions in both the Whonix-Gateway (commonly called whonix-gw) and the Whonix-Workstation (commonly called whonix-ws). You only need to apply these settings to the TemplateVMs before creating any TemplateBasedVMs based on Whonix templates. [2]

For Whonix-Gateway, complete the following:

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole

Get a list of current kernel parameters.

qvm-prefs -l whonix-gw kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

When running the command to get a list of current kernel parameters again (just hit the arrow up key twice, so you don't have to type the command again).

qvm-prefs -l whonix-gw kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you started the VM, you can check if AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0

For Whonix-Workstation, complete the following:

In dom0 terminal.

Get a list of current kernel parameters.

qvm-prefs -l whonix-ws kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example.

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

When running the command to get a list of current kernel parameters again (just hit the arrow up key twice, so you don't have to type the command again).

qvm-prefs -l whonix-ws kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you started the VM, you can check if AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0

See also Whonix's general documentation on AppArmor.


Random News:

Want to get involved with Whonix? Check out our Contribute page.


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.
  1. Since Qubes Q3, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.