Template:Qubes AppArmor

Do this at your own risk!
Note, if you want to use Tor bridges, AppArmor has been known in the past to cause problems with obfsproxy. [1]

You will want to complete the following directions in both the Whonix-Gateway (commonly called whonix-gw) and the Whonix-Workstation (commonly called whonix-ws). You only need to apply these settings to the TemplateVMs before creating any TemplateBasedVMs based on Whonix templates. [2]

For Whonix-Gateway, complete the following:

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Konsole

Get a list of current kernel parameters.

qvm-prefs -l whonix-gw kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

Run the command to get a list of current kernel parameters again (just hit the arrow up key twice, so you don't have to type the command again).

qvm-prefs -l whonix-gw kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you have started the VM, you can check whether AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0

For Whonix-Workstation, complete the following:

In a dom0 terminal.

Get a list of current kernel parameters.

qvm-prefs -l whonix-ws kernelopts

As of Qubes Q3 RC1, this will show:
nopat

Keep those existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

Run the command to get a list of current kernel parameters again (just hit the arrow up key twice, so you don't have to type the command again).

qvm-prefs -l whonix-ws kernelopts

It should show the old and the new kernel parameters. For example:
nopat apparmor=1 security=apparmor

Once you have started the VM, you can check whether AppArmor is now active.

sudo aa-status --enabled ; echo $?

It should show:
0
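
The dom0 steps above for both templates, as an added shell example that is not part of the original page: it reads the current kernelopts, adds the AppArmor parameters while keeping everything else, and reads the value back. `merge_kernelopts` and `apply_apparmor` are hypothetical helper names, and replacing an already present `apparmor=` or `security=` token (instead of keeping it) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original page). Helper names are hypothetical.

# merge_kernelopts "<current kernelopts>"
# Prints the options with apparmor=1 and security=apparmor present exactly
# once. Other options (e.g. "nopat") are kept in their original order.
# Assumption: an existing apparmor=/security= token is replaced, so that a
# conflicting value such as apparmor=0 does not stay in the string.
# The body runs in a subshell so "set -f" and the variables stay local.
merge_kernelopts() (
    set -f                                  # no glob expansion while splitting
    out=""
    for opt in $1; do
        case "$opt" in
            apparmor=*|security=*) ;;       # dropped here, re-added below
            *) out="${out:+$out }$opt" ;;
        esac
    done
    printf '%s\n' "${out:+$out }apparmor=1 security=apparmor"
)

# apply_apparmor <vm>
# Run in dom0. Uses only the qvm-prefs calls shown on this page.
apply_apparmor() {
    vm=$1
    current=$(qvm-prefs -l "$vm" kernelopts) || return 1
    wanted=$(merge_kernelopts "$current")
    if [ "$current" = "$wanted" ]; then
        echo "$vm: kernelopts already set: $current"
        return 0
    fi
    qvm-prefs -s "$vm" kernelopts "$wanted" || return 1
    # Read the value back and compare, like the manual re-check above.
    [ "$(qvm-prefs -l "$vm" kernelopts)" = "$wanted" ]
}

# In dom0:
#   apply_apparmor whonix-gw && apply_apparmor whonix-ws
```

Running it a second time changes nothing, because the merged string already equals the stored one. The `aa-status --enabled` check still has to be done inside each VM after it has been started.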

  1. Since Qubes Q3, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.