Introduction[edit]

Kicksecure ™ for Qubes users require some extra instructions for setting up AppArmor.

AppArmor[edit]

The following steps should be completed in dom0 for Kicksecure ™. ^[1] After these settings are applied to the Kicksecure ™ template, the Kicksecure ™ (App Qube) will inherit the AppArmor kernel settings. It is unnecessary to recreate the kicksecure App Qubes to benefit from the new kernel parameters. ^[2] It is also important to verify AppArmor is active in the Kicksecure ™ VM after making these changes.

Kicksecure ™[edit]

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal

2. List the current kernel parameters.

qvm-prefs -g kicksecure-16 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example.

qvm-prefs -s kicksecure-16 kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g kicksecure-16 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the kicksecure App Qube and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0

Debugging[edit]

If you see any of the following messages that means the instructions above have not been applied.

sudo systemctl status apparmor

Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result ‘exit-code’.
Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.

sudo /lib/apparmor/apparmor.systemd reload

Error: Loading AppArmor profiles - failed, Do you have the correct privileges?

Footnotes[edit]

↑ Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Kicksecure ™ is based on a recent enough Debian version.
↑ Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure ™ ...

Donate

FREE · PLUS · PREMIUM Support

At Kicksecure we believe in freedom and trust. That's why we fully support Open Source and Freedom Software. Learn more.

Kicksecure ™ is supported by Evolution Host DDoS Protected VPS.

Kicksecure ...

The personal opinions of moderators or contributors to the Kicksecure ™ project do not represent the project as a whole. By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service , Privacy Policy , Cookie Policy , E-Sign Consent , DMCA , Imprint Kicksecure ™ © ENCRYPTED SUPPORT LP, 2022

Please help in testing new features and bug fixes in Kicksecure.

[1] Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Kicksecure ™ is based on a recent enough Debian version.

[2] Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.

[1]

[2]

Qubes AppArmor

Contents

Introduction[edit]

AppArmor[edit]

Kicksecure ™[edit]

Debugging[edit]

See Also[edit]

Footnotes[edit]

Navigation menu