Qubes AppArmor
Introduction[edit]
Qubes-Whonix ™ some users require some extra instructions for setting up AppArmor.
- Qubes R4.0: Opt-in. If you are interested, click on Expand on the right.
- Qubes R4.1: Default. No extra steps required.
AppArmor[edit]
- Qubes R4.0: Opt-in. If you are interested, follow the steps below.
- Qubes R4.1: Default. No extra steps required.
The following steps should be completed in dom0 for both whonix-gw-16 and whonix-ws-16 Templates. [1] After these settings are applied to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (App Qube) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the sys-whonix and anon-whonix App Qubes to benefit from the new kernel parameters. [2] It is also important to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.
For example.
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the sys-whonix ProxyVM and confirm AppArmor is now active.
The output should show.
0
Whonix-Workstation ™[edit]
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.
For example.
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the anon-whonix App Qube and confirm AppArmor is now active.
The output should show.
0
Debugging[edit]
If you see any of the following messages that means the instructions above have not been applied.
Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles… Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges? Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result ‘exit-code’. Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
See Also[edit]
It is recommended to also read the general Whonix ™ AppArmor chapter.
Footnotes[edit]
- ↑
Debian has enabled AppArmor by default since the
busterrelease, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses thedom0(not VM) kernel by default. Therefore this step is still required even though Whonix ™ is based on a recent enough Debian version. - ↑ Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template
.
At Whonix we believe in freedom and trust. That's why we fully support Open Source and Freedom Software.
Learn more.
Whonix ™ is supported by Evolution Host DDoS Protected VPS.
Scan the QR code or use the wallet address below.
Host or VM can be booted into Live Mode using Host Live Mode or VM Live Mode