Qubes AppArmor
Introduction
Qubes users of Kicksecure ™ require some extra instructions for setting up AppArmor.
AppArmor
The following steps should be completed in dom0 for Kicksecure ™. [1] After these settings are applied to the Kicksecure ™ template, the Kicksecure ™ (App Qube) will inherit the AppArmor kernel settings.
It is unnecessary to recreate the kicksecure App Qubes to benefit from the new kernel parameters. [2] It is also important to verify AppArmor is active in the Kicksecure ™ VM after making these changes.
Kicksecure ™
1. Open a dom0 terminal.
Qubes App Launcher (blue/grey "Q") → System Tools → Xfce Terminal
2. List the current kernel parameters.
Qubes R4 and later releases will show.
nopat
3. Keep the existing kernel parameters and add apparmor=1 security=apparmor.
For example.
4. List the current kernel parameters again (hit the up arrow key twice; it is unnecessary to type the command again).
The output should show AppArmor is part of the new kernel parameters. For example.
nopat apparmor=1 security=apparmor
5. Start the kicksecure App Qube and confirm AppArmor is now active.
The output should show.
0
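The merge in step 3 and the check in step 5 can be scripted, as in the following added example, which is not part of the original wiki page. The function names are hypothetical and TEMPLATE_NAME is a placeholder for your Kicksecure ™ template; qvm-prefs is used in its "VMNAME PROPERTY [VALUE]" form.

```shell
#!/bin/sh
# Added example (not from the Kicksecure wiki). Function names are hypothetical.

# Print the kernel options in $1 with AppArmor enabled. Existing options are
# kept; any earlier apparmor=/security= value is replaced, so running this
# twice does not duplicate or contradict anything.
merge_kernelopts() {
    mk_out=""
    for mk_opt in $1; do
        case "$mk_opt" in
            apparmor=*|security=*) ;;                  # re-added below
            *) mk_out="${mk_out:+$mk_out }$mk_opt" ;;
        esac
    done
    printf '%s\n' "${mk_out:+$mk_out }apparmor=1 security=apparmor"
}

# Succeed only if the command line in $1 ends up with apparmor=1 and
# security=apparmor. The last occurrence of each option is the one checked.
has_apparmor_opts() {
    ha_a=""; ha_s=""
    for ha_opt in $1; do
        case "$ha_opt" in
            apparmor=*) ha_a="${ha_opt#apparmor=}" ;;
            security=*) ha_s="${ha_opt#security=}" ;;
        esac
    done
    [ "$ha_a" = "1" ] && [ "$ha_s" = "apparmor" ]
}

# dom0: read, merge and write back kernelopts for the template named in $1.
# Aborts without writing if the current value cannot be read.
apply_to_template() {
    at_cur=$(qvm-prefs "$1" kernelopts) || return 1
    qvm-prefs "$1" kernelopts "$(merge_kernelopts "$at_cur")" &&
        qvm-prefs "$1" kernelopts
}

# Inside the App Qube after a restart: check the booted kernel command line.
vm_cmdline_ok() {
    has_apparmor_opts "$(cat /proc/cmdline)"
}

# Usage (TEMPLATE_NAME is a placeholder for your Kicksecure template):
#   dom0:      apply_to_template TEMPLATE_NAME
#   App Qube:  vm_cmdline_ok && echo "AppArmor kernel options present"
```

vm_cmdline_ok only confirms that the kernel was booted with the new parameters; the check in step 5 is still what confirms AppArmor itself is active.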
Debugging
If you see any of the following messages, the instructions above have not been applied.
Dec 21 06:57:56 host systemd[1]: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd[483]: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd[1]: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd[1]: apparmor.service: Failed with result ‘exit-code’.
Dec 21 06:57:56 host systemd[1]: Failed to start Load AppArmor profiles.
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
See Also
It is recommended to also read the general Kicksecure ™ AppArmor chapter.
Footnotes
- ↑ Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. Therefore this step is still required even though Kicksecure ™ is based on a recent enough Debian version.
- ↑ Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.