
Qubes AppArmor

From Whonix


The following steps should be completed in dom0 for both whonix-gw-15 and whonix-ws-15 TemplateVMs. [1] After these settings have been applied to the Whonix templates, the sys-whonix (ProxyVM) and anon-whonix (AppVM) will inherit the AppArmor kernel settings.

It is unnecessary to recreate the sys-whonix and anon-whonix TemplateBasedVMs to benefit from the new kernel parameters.[2] It is also important for users to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.

Whonix-Gateway ™

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal

2. List the current kernel parameters.

qvm-prefs -g whonix-gw-15 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.

For example.

qvm-prefs -s whonix-gw-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-gw-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the sys-whonix ProxyVM and, in a terminal inside that VM, confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Whonix-Workstation ™

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal

2. List the current kernel parameters.

qvm-prefs -g whonix-ws-15 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add 'apparmor=1 security=apparmor'.

For example.

qvm-prefs -s whonix-ws-15 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g whonix-ws-15 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the anon-whonix AppVM and, in a terminal inside that VM, confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0
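
The read, merge and write-back of steps 2 to 4, as an added example that is not part of the original Whonix page: a dom0 shell helper that keeps whatever kernel parameters a VM already has and adds the AppArmor ones exactly once. The function names, and the choice to replace an existing apparmor= or security= value rather than append a second one, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Whonix page). Run in dom0 with the VM names
# as arguments, e.g. the four VM names used in the steps above.

REQUIRED_OPTS="apparmor=1 security=apparmor"

# merge_kernelopts CURRENT
# Print CURRENT with the AppArmor options set. Every other parameter is kept
# in its original order; an older apparmor=/security= value is replaced
# (assumption of this example) so the options never appear twice.
merge_kernelopts() {
    out=""
    set -f                                  # no glob expansion while splitting
    for opt in $1; do
        case "$opt" in
            apparmor=*|security=*) ;;       # dropped here, re-added below
            *) out="${out:+$out }$opt" ;;
        esac
    done
    set +f
    printf '%s\n' "${out:+$out }$REQUIRED_OPTS"
}

# apply_apparmor_opts VM
# Read the VM's kernelopts, merge, and write back only if something changed.
apply_apparmor_opts() {
    current=$(qvm-prefs -g "$1" kernelopts) || return 1
    new=$(merge_kernelopts "$current")
    if [ "$current" = "$new" ]; then
        echo "$1: already set ($current)"
    else
        qvm-prefs -s "$1" kernelopts "$new" && echo "$1: $current -> $new"
    fi
}

# Acts only where qvm-prefs exists (dom0) and VM names were given.
if command -v qvm-prefs >/dev/null 2>&1; then
    for vm in "$@"; do
        apply_apparmor_opts "$vm"
    done
fi
```

Running it a second time reports "already set" for each VM, so it is safe to re-run after a template upgrade; step 5 is still needed inside each VM.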

  1. While Debian has enabled AppArmor by default since Debian buster, Fedora does not. This matters because Qubes, which is Fedora based, by default uses the dom0 kernel, not the VM kernel. Therefore this is still required even though Whonix 15 is Debian buster based.
  2. Since Qubes R3.0, TemplateBasedVMs inherit the kernelopts setting of their TemplateVM.