The following steps should be completed in dom0 for Kicksecure ™. After these settings are applied to the Kicksecure ™ template, the Kicksecure ™ App Qubes will inherit the AppArmor kernel settings. It is unnecessary to recreate the Kicksecure ™ App Qubes to benefit from the new kernel parameters. It is also important to verify that AppArmor is active in the Kicksecure ™ VM after making these changes.
If you see any of the following messages, the instructions above have not been applied.
Dec 21 06:57:56 host systemd: Starting Load AppArmor profiles…
Dec 21 06:57:56 host apparmor.systemd: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
Dec 21 06:57:56 host systemd: apparmor.service: Failed with result ‘exit-code’.
Dec 21 06:57:56 host systemd: Failed to start Load AppArmor profiles.
Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
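One way to script the verification inside the Kicksecure ™ VM, as an added example that is not part of the original page: it combines the kernel's AppArmor flag with a search for the failure messages listed above. The function names are hypothetical, and it assumes the kernel exposes `/sys/module/apparmor/parameters/enabled` and that the unit log was saved with `journalctl -b -u apparmor`.

```shell
#!/bin/sh
# Added example (function names are hypothetical). Assumes the kernel exposes
# /sys/module/apparmor/parameters/enabled ("Y" when AppArmor is on) and that
# the unit log was saved with: journalctl -b -u apparmor > aa.log

# Return 0 if stdin contains any of the failure messages quoted on this page.
apparmor_log_failed() {
    grep -q -e 'Loading AppArmor profiles - failed' \
            -e 'status=4/NOPERMISSION' \
            -e 'Failed to start Load AppArmor profiles'
}

# apparmor_verdict ENABLED_FILE LOG_FILE: print a one-word verdict.
apparmor_verdict() {
    flag=N
    if [ -r "$1" ]; then flag=$(cat "$1"); fi
    if [ "$flag" != "Y" ]; then
        echo "kernel-disabled"        # AppArmor not enabled in the running kernel
    elif [ ! -r "$2" ]; then
        echo "log-unavailable"        # cannot rule out a profile load failure
    elif apparmor_log_failed < "$2"; then
        echo "profiles-not-loaded"    # apparmor.service failed at boot
    else
        echo "active"
    fi
}

# Demo on constructed input: enabled flag "Y" plus two log lines from this page.
apparmor_demo() {
    d=$(mktemp -d)
    printf 'Y\n' > "$d/enabled"
    cat > "$d/aa.log" <<'EOF'
Dec 21 06:57:56 host apparmor.systemd: Error: Loading AppArmor profiles - failed, Do you have the correct privileges?
Dec 21 06:57:56 host systemd: apparmor.service: Main process exited, code=exited, status=4/NOPERMISSION
EOF
    apparmor_verdict "$d/enabled" "$d/aa.log"
    rm -rf "$d"
}

apparmor_demo   # prints: profiles-not-loaded
```

On a live VM, call `apparmor_verdict /sys/module/apparmor/parameters/enabled aa.log`; any verdict other than `active` means the check did not pass.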
It is recommended to also read the general Kicksecure ™ AppArmor chapter.
Debian has enabled AppArmor by default since the buster release, but Fedora has not. This matters because Qubes is Fedora-based and therefore uses the dom0 (not VM) kernel by default. This step is therefore still required even though Kicksecure ™ is based on a recent enough Debian version.
- Since Qubes R3.0, App Qubes inherit the kernelopts setting of their Template.