The following steps should be completed in dom0 for both
whonix-ws-15 TemplateVMs.  After these settings have been applied to the Whonix templates, the
sys-whonix (ProxyVM) and
anon-whonix (AppVM) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the
anon-whonix TemplateBasedVMs to benefit from the new kernel parameters. It is also important for users to verify AppArmor is active in the
anon-whonix VMs after making these changes.
If you see any of the following messages that means the instructions above have not been applied.
sudo systemctl status apparmor
Dec 21 06:57:56 host systemd: Starting Load AppArmor profiles… Dec 21 06:57:56 host apparmor.systemd: Error: Loading AppArmor profiles - failed, Do you have the correct privileges? Dec 21 06:57:56 host systemd: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION Dec 21 06:57:56 host systemd: apparmor.service: Failed with result ‘exit-code’. Dec 21 06:57:56 host systemd: Failed to start Load AppArmor profiles.
sudo /lib/apparmor/apparmor.systemd reload
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
See also Whonix ™ general documentation on AppArmor.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
- While Debian enabled AppArmor by default since Debian buster, Fedora does not. This matters since Qubes, which is Fedora based, by default uses dom0, not VM kernel. Therefore this is still required even though Whonix 15 is Debian buster based.
- Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM [archive].