Actions

Qubes AppArmor

From Whonix

< Qubes



Qubesapparmor123123123.png

Introduction[edit]

Qubes-Whonix ™ users require some extra instructions for setting up AppArmor.

AppArmor[edit]

The following steps should be completed in dom0 for both whonix-gw-15 and whonix-ws-15 TemplateVMs. [1] After these settings are applied to the Whonix ™ templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[2] It is also important to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters. 

qvm-prefs -g whonix-gw-15 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example. 

qvm-prefs -s whonix-gw-15 kernelopts "nopat apparmor=1 security=apparmor"

qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again). 

qvm-prefs -g whonix-gw-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the sys-whonix ProxyVM and confirm AppArmor is now active. 

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q")System ToolsXfce Terminal

2. List the current kernel parameters. 

qvm-prefs -g whonix-ws-15 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example. 

qvm-prefs -s whonix-ws-15 kernelopts "nopat apparmor=1 security=apparmor"

qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again). 

qvm-prefs -g whonix-ws-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the anon-whonix AppVM and confirm AppArmor is now active. 

sudo aa-status --enabled ; echo $?

The output should show.

0

Debugging[edit]

If you see any of the following messages that means the instructions above have not been applied. 

sudo systemctl status apparmor

Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result ‘exit-code’.
Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.


sudo /lib/apparmor/apparmor.systemd reload

Error: Loading AppArmor profiles - failed, Do you have the correct privileges?

See Also[edit]

Also refer to the general Whonix ™ wiki entry concerning AppArmor.

Footnotes[edit]

  1. While Debian has enabled AppArmor by default since the buster release, Fedora has not. This matters since Qubes, which is Fedora based, by default uses the dom0 (not VM) kernel. Therefore this is still required even though Whonix ™ is based on a recent enough Debian version.
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM [archive].
Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png Iconfinder Apple Mail 2697658.png Reddit.jpg Hacker.news.jpg 200px-Mastodon Logotype (Simple).svg.png

Want to make Whonix ™ safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Retrieved from "https://www.whonix.org/w/index.php?title=Qubes/AppArmor&oldid=61587"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information