Is it good practise to install app armor profiles on gateway ? Doest it make any sense ? As per whonix documentation what i underetand is apparmor is benificial for host and workstation
2nd question is which whonix repo has up to date profiles of apparmor
Stable
Purposed or
tester
Thanks
If you mean some of the apparmor profiles that come pre-installed, then yes, it’s always a good idea. Keep in mind that some are active, like the one for Tor, and others are shipped in “complain mode.” That is a helper mode that AppArmor offers so that you can run the app and then after a session or two, check the logs:
sudo cat /var/log/syslog | grep “DENIED”
That will give you a stdout printing of all the logged denials. Review them and edit the parent profile as necessary.
If you do not review and edit the profiles in complain mode and instead enforce them outright, it will cause breakage.
Also, you can develop profiles for anything that runs on the Workstation also. Profiles are stored in /etc/apparmor.d