Qubes-Whonix AppArmor instructions with dom0 upgraded to 4.14 kernel breaks AppArmor

Patrick, have you tested the Qubes-Whonix AppArmor instructions with dom0 upgraded to 4.14 kernel?

Even though kernelopts are set correctly as per:

http://kkkkkkkkkk63ava6.onion/wiki/AppArmor

The manual check in sys-whonix and Whonix-Workstation AppVM shows:

1

Not 0 as expected.

sudo aa-status shows “apparmor module is not loaded” in those AppVMs.

No evidence of AppArmor loading or profiles being enforced in logs as expected.

If this is a bug, this could affect a bunch of Whonix users when Qubes pushes 14.4 kernel, like I believe they intend to in the near term as it is next stable.

3 Likes

Nice to pick that, I did not notice.

There have been a lot of discussions about an issue with kernel 4.14 and AppArmor. "Watch Out Upgrading To Linux 4.14 If You Use AppArmor" (Phoronix) is one of them, with a link to a patch in Debian.

But it concerns some profiles not working. In Qubes sys-whonix and anon-whonix, apparmor fails to load entirely.

sudo systemctl status apparmor.service reports

ConditionSecurity=apparmor was not met

3 Likes
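The symptoms in the posts above (kernelopts set, `aa-status` reporting the module as not loaded, `ConditionSecurity=apparmor` not met) can be told apart with a short script; this is an added example, not from the thread or from the Whonix or Qubes documentation. It assumes the kernelopts in question are `apparmor=1 security=apparmor`, reads `/sys/module/apparmor/parameters/enabled` (the file systemd consults for `ConditionSecurity=apparmor`), and takes a hypothetical root-directory argument so it can be run against a fixture tree.

```shell
#!/bin/sh
# Added example: classify why AppArmor is (in)active inside a VM.
# $1 is a hypothetical root prefix for testing; empty means the live system.

# Succeeds if the booted kernel command line carries both AppArmor options
# (assumed here to be the kernelopts the instructions set).
cmdline_requests_apparmor() {
    cmdline=$(cat "$1/proc/cmdline" 2>/dev/null) || return 1
    case " $cmdline " in *" apparmor=1 "*) ;; *) return 1 ;; esac
    case " $cmdline " in *" security=apparmor "*) ;; *) return 1 ;; esac
}

# Succeeds if the running kernel exposes the AppArmor module directory,
# i.e. AppArmor support is present in this kernel.
kernel_has_apparmor() {
    [ -d "$1/sys/module/apparmor" ]
}

# Succeeds if the kernel reports AppArmor as enabled ("Y").
apparmor_enabled() {
    [ "$(cat "$1/sys/module/apparmor/parameters/enabled" 2>/dev/null)" = "Y" ]
}

# Prints one state word and always returns 0.
diagnose() {
    if apparmor_enabled "$1"; then
        echo "enabled"
    elif ! cmdline_requests_apparmor "$1"; then
        # kernelopts never reached this kernel: check the VM's kernelopts
        echo "not-requested"
    elif ! kernel_has_apparmor "$1"; then
        # options were passed, but this kernel has no AppArmor to turn on
        echo "requested-but-no-kernel-support"
    else
        # AppArmor is present and requested, yet reports disabled
        echo "requested-but-disabled"
    fi
}

# Run against the live system (or a fixture root passed as $1).
diagnose "${1:-}"
```

Run it inside sys-whonix or the Workstation AppVM; a result other than `enabled` says which layer to look at before filing the bug report.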

This is a critical problem / security regression which should be reported as a bug to Qubes and/or Linux kernel and/or Xen and/or AppArmor mob, since it is clearly not Whonix-specific.

It’s probably best to report to Qubes Issues tracker in the first instance, since it’s the only platform where this happens(?). @adw

Couldn’t find any other reference for it from Internet searches i.e. apparmor module completely failing to load in 4.14 kernel (only the profiles issue which is already resolved in Debian etc).

1 Like

Please file an issue in qubes-issues about this.

2 Likes

Someone posted (thankfully):

1 Like