AppArmor (“Application Armor”) for better security.
Current status of AppArmor and Whonix:
– Non-Qubes-Whonix: We have enabled AppArmor by default for a while now. (https://github.com/Whonix/grub-enable-apparmor)
– Qubes-Whonix: requires some extra instructions to enable AppArmor, see: https://www.whonix.org/wiki/Qubes/AppArmor
– Therefore, The Tor Project’s AppArmor profile for Tor is in use on Whonix-Gateway.
– We tweak that profile a bit to make it work with Whonix and obfsproxy. (https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/apparmor.d/local/system_tor.anondist)
– We don’t install any AppArmor profiles by default as of Whonix 11.
– Since Whonix 10, we no longer install the profiles from Debian (packages apparmor-profiles, apparmor-profiles-extra) because of the noise they generate in the forums.
– We do not plan on installing AppArmor profiles by default for packages that are not developed under the Whonix umbrella, such as Tor Browser, pidgin, xchat, etc. (list: https://github.com/Whonix?utf8=%E2%9C%93&query=apparmor) Upstream package upgrades that we don’t control could make it impossible to start the application or lead to eventual fingerprinting issues. Therefore, installation of such AppArmor profiles is manual, for testers and advanced users.
– Upstreaming such profiles is a very time-consuming and slow process (it requires a new stable Debian release). Help welcome.
– For AppArmor profiles developed under Whonix, such as sdwdate and whonixcheck, we plan to deprecate the separate AppArmor profiles in the future, for Whonix 13 or so, and install those profiles by default. That is doable because we control package upgrades.
The Whonix profiles can be installed with:
sudo apt-get install apparmor-profiles-whonix