Qubes AppArmor

From Kicksecure

Introduction

Users of Kicksecure ™ for Qubes need some extra instructions for setting up AppArmor.

AppArmor

The following steps should be completed in dom0 for Kicksecure ™. [1] After these settings are applied to the Kicksecure ™ template, the Kicksecure ™ (App Qube) will inherit the AppArmor kernel settings. It is unnecessary to recreate the kicksecure App Qubes to benefit from the new kernel parameters. [2] It is also important to verify AppArmor is active in the Kicksecure ™ VM after making these changes.

1. Open a dom0 terminal.

Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal

2. List the current kernel parameters.

qvm-prefs -g kicksecure-16 kernelopts

Qubes R4 and later releases will show.

nopat

3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.

For example.

qvm-prefs -s kicksecure-16 kernelopts "nopat apparmor=1 security=apparmor"

4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).

qvm-prefs -g kicksecure-16 kernelopts

The output should show AppArmor is part of the new kernel parameters. For example.

nopat apparmor=1 security=apparmor

5. Start the kicksecure App Qube and confirm AppArmor is now active.

sudo aa-status --enabled ; echo $?

The output should show.

0
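Steps 2 to 4 can also be scripted in dom0. The following is an added example, not part of the original wiki page or of Kicksecure; the function names are hypothetical, and dropping any existing apparmor= or security= value before appending the two AppArmor parameters is this example's own choice, made so that repeated runs do not duplicate or conflict.

```shell
#!/bin/sh
# Added example (not Kicksecure's own code). Intended for a dom0 terminal.

# merge_kernelopts "CURRENT": print CURRENT with the AppArmor parameters added.
# Existing parameters such as "nopat" are kept in their original order.
# Assumption of this example: stale apparmor=/security= tokens are replaced
# rather than duplicated. The body runs in a subshell so "set -f" (no glob
# expansion while word-splitting) does not leak into the caller.
merge_kernelopts() (
    set -f
    out=""
    for tok in $1; do
        case "$tok" in
            apparmor=*|security=*) ;;            # re-added below
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "${out:+$out }apparmor=1 security=apparmor"
)

# enable_apparmor_opts TEMPLATE: read kernelopts, merge, write back, re-read.
# Uses only the qvm-prefs invocations shown in the steps above.
enable_apparmor_opts() {
    tpl="$1"
    current="$(qvm-prefs -g "$tpl" kernelopts)" || return 1
    wanted="$(merge_kernelopts "$current")"
    if [ "$current" = "$wanted" ]; then
        echo "$tpl: kernelopts already contain AppArmor settings: $current"
        return 0
    fi
    qvm-prefs -s "$tpl" kernelopts "$wanted" || return 1
    # Step 4: confirm the stored value matches what was requested.
    [ "$(qvm-prefs -g "$tpl" kernelopts)" = "$wanted" ] || return 1
    echo "$tpl: kernelopts now: $wanted"
}

# A template is only modified when its name is passed as the first argument,
# for example: sh ./this-script kicksecure-16
if [ "$#" -ge 1 ]; then
    enable_apparmor_opts "$1"
fi
```

The check in step 5 still has to be run inside the App Qube after it has been restarted.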

Debugging

If you see any of the following messages, the instructions above have not been applied.

sudo systemctl status apparmor

Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result ‘exit-code’.
Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.

sudo /lib/apparmor/apparmor.systemd reload

Error: Loading AppArmor profiles - failed, Do you have the correct privileges?

See Also

It is recommended to also read the general Kicksecure ™ AppArmor chapter.

Footnotes

  1. Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Kicksecure ™ is based on a recent enough Debian version.
  2. Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.
