Qubes AppArmor
From Whonix
Introduction
Qubes-Whonix ™ users require some extra instructions for setting up AppArmor.
AppArmor
The following steps should be completed in dom0 for both the whonix-gw-16 and whonix-ws-16 Templates. [1] After these settings are applied to the Whonix ™ templates, sys-whonix (ProxyVM) and anon-whonix (App Qube) will inherit the AppArmor kernel settings. It is unnecessary to recreate the sys-whonix and anon-whonix App Qubes to benefit from the new kernel parameters. [2] It is also important to verify AppArmor is active in the sys-whonix and anon-whonix VMs after making these changes.
Whonix-Gateway ™
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-gw-16 kernelopts
Qubes R4 and later releases will show:
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor. For example:
qvm-prefs -s whonix-gw-16 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s sys-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-gw-16 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example:
nopat apparmor=1 security=apparmor
5. Start the sys-whonix ProxyVM and, inside it, confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show:
0
Whonix-Workstation ™
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
qvm-prefs -g whonix-ws-16 kernelopts
Qubes R4 and later releases will show:
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor. For example:
qvm-prefs -s whonix-ws-16 kernelopts "nopat apparmor=1 security=apparmor"
qvm-prefs -s anon-whonix kernelopts "nopat apparmor=1 security=apparmor"
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
qvm-prefs -g whonix-ws-16 kernelopts
The output should show AppArmor is part of the new kernel parameters. For example:
nopat apparmor=1 security=apparmor
5. Start the anon-whonix App Qube and, inside it, confirm AppArmor is now active.
sudo aa-status --enabled ; echo $?
The output should show:
0
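The Gateway and Workstation procedures above are the same five steps applied to different VM names, and both have the same pitfall: if you re-run step 3 after the options are already present, or if a future Qubes release ships a kernelopts default other than nopat, typing the full string by hand can drop or duplicate parameters. The following script is an added example, not part of the Whonix wiki or the Qubes tools; it reads the current value with qvm-prefs -g, appends apparmor=1 security=apparmor only if each option is missing, writes it back with qvm-prefs -s, and re-reads to confirm. The VM names are the ones used on this page; when qvm-prefs is not available (i.e. outside dom0) it falls back to a constructed "nopat" value and only prints what it would do.

```shell
#!/bin/sh
# Added example for the Qubes-Whonix AppArmor steps (not wiki or Qubes code).
# Merges "apparmor=1 security=apparmor" into a VM's existing kernelopts
# idempotently: existing options are kept, and nothing is added twice.

APPARMOR_OPTS="apparmor=1 security=apparmor"

# merge_kernelopts CURRENT
# Prints CURRENT with each AppArmor option appended once. Handles an empty
# CURRENT and a CURRENT that already contains the options.
merge_kernelopts() {
    new="$1"
    for opt in $APPARMOR_OPTS; do
        case " $new " in
            *" $opt "*) ;;                   # already present, keep as-is
            *) new="${new:+$new }$opt" ;;    # append, with a space if non-empty
        esac
    done
    printf '%s\n' "$new"
}

# kernelopts_has_apparmor OPTS
# Returns 0 when both AppArmor options are present in OPTS, 1 otherwise.
kernelopts_has_apparmor() {
    for opt in $APPARMOR_OPTS; do
        case " $1 " in
            *" $opt "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# enable_apparmor_for VM...
# For each VM: read kernelopts, merge, write back, re-read and verify.
# Uses qvm-prefs when it exists (dom0); otherwise does a dry run against a
# constructed "nopat" value, the usual Qubes R4 default shown on the page.
enable_apparmor_for() {
    if command -v qvm-prefs >/dev/null 2>&1; then have_qvm=1; else have_qvm=0; fi
    for vm in "$@"; do
        if [ "$have_qvm" -eq 1 ]; then
            cur=$(qvm-prefs -g "$vm" kernelopts)
        else
            cur="nopat"                      # constructed stand-in value
        fi
        new=$(merge_kernelopts "$cur")
        if [ "$have_qvm" -eq 1 ]; then
            qvm-prefs -s "$vm" kernelopts "$new"
            cur=$(qvm-prefs -g "$vm" kernelopts)   # re-read, as in step 4
        else
            printf 'dry-run: qvm-prefs -s %s kernelopts "%s"\n' "$vm" "$new"
            cur="$new"
        fi
        if kernelopts_has_apparmor "$cur"; then
            printf '%s: kernelopts now "%s"\n' "$vm" "$cur"
        else
            printf '%s: AppArmor options missing after update\n' "$vm" >&2
            return 1
        fi
    done
}

# Usage in dom0 (templates first, then the qubes named on this page):
#   enable_apparmor_for whonix-gw-16 sys-whonix whonix-ws-16 anon-whonix
```

This only covers the dom0 side (steps 2 to 4). Step 5, running sudo aa-status --enabled inside sys-whonix and anon-whonix, still has to be done in each VM, since kernelopts being set in dom0 does not prove the VM booted with AppArmor enabled.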
Debugging
If you see any of the following messages inside the VM, the instructions above have not been applied.
sudo systemctl status apparmor
Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result 'exit-code'.
Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.
sudo /lib/apparmor/apparmor.systemd reload
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
See Also
It is recommended to also read the general Whonix ™ AppArmor chapter.
Footnotes
1. Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Whonix ™ is based on a recent enough Debian version.
2. Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.