
Template:Qubes AppArmor


Proceed at your own risk!


The following steps should be completed in dom0 for both whonix-gw and whonix-ws TemplateVMs. After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings. It is unnecessary for users to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from these new kernel parameters.[2] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-gw kernelopts

For Qubes R3.2 and later releases, this will show:

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-gw kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -g whonix-gw kernelopts

The output should show that AppArmor is part of the new kernel parameters. For example:

nopat apparmor=1 security=apparmor

Start the sys-whonix ProxyVM and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show:

0

Whonix-Workstation

Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") -> System Tools -> Xfce Terminal

List the current kernel parameters.

qvm-prefs -g whonix-ws kernelopts

For Qubes R3.2 and later releases, this will show:

nopat

Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'. For example:

qvm-prefs -s whonix-ws kernelopts "nopat apparmor=1 security=apparmor"

List the current kernel parameters again (hit the up arrow key twice; you don't have to type the command again).

qvm-prefs -g whonix-ws kernelopts

The output should show that AppArmor is part of the new kernel parameters. For example:

nopat apparmor=1 security=apparmor

Start the anon-whonix AppVM and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show:

0
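
The dom0 steps for both templates can be scripted so that existing options are kept and repeated runs do not duplicate the AppArmor parameters. This is an added example, not part of the Whonix wiki: the function names merge_kernelopts and apply_to_template are hypothetical, it uses the qvm-prefs -g/-s forms shown above, and it assumes any earlier apparmor= or security= value should be replaced rather than kept.

```shell
#!/bin/sh
# Added example (not from the Whonix wiki). Intended to be run in dom0.

# merge_kernelopts "<current kernelopts>"
# Prints the option string with AppArmor enabled. Every other option is
# kept in its original order. Assumption: an earlier apparmor=/security=
# value is dropped so the result carries exactly one of each.
merge_kernelopts() (
    set -f                      # no glob expansion while word-splitting $1
    out=""
    for opt in $1; do
        case "$opt" in
            apparmor=*|security=*) ;;             # re-added at the end
            *) out="${out:+$out }$opt" ;;
        esac
    done
    printf '%s\n' "${out:+$out }apparmor=1 security=apparmor"
)

# apply_to_template <template>
# Reads the current kernelopts, writes the merged value only if it differs,
# then reads it back to confirm the change took effect.
apply_to_template() {
    tpl=$1
    current=$(qvm-prefs -g "$tpl" kernelopts) || return 1
    wanted=$(merge_kernelopts "$current")
    if [ "$current" = "$wanted" ]; then
        echo "$tpl: already set ($current)"
        return 0
    fi
    qvm-prefs -s "$tpl" kernelopts "$wanted" || return 1
    if [ "$(qvm-prefs -g "$tpl" kernelopts)" != "$wanted" ]; then
        echo "$tpl: kernelopts did not update" >&2
        return 1
    fi
    echo "$tpl: kernelopts now: $wanted"
}

# Only touch the templates when the Qubes tools are present (i.e. in dom0).
if command -v qvm-prefs >/dev/null 2>&1; then
    for tpl in whonix-gw whonix-ws; do
        apply_to_template "$tpl" || exit 1
    done
fi
```

The aa-status check in sys-whonix and anon-whonix is still done by hand after starting each VM.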

  1. https://github.com/Whonix/Whonix/issues/67
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.