AppArmor: is it necessary?

The official Whonix tutorial for KVM instructs to install and enable AppArmor:

I have used Whonix with KVM with and without AppArmor and I don’t see any differences.

Maybe the documentation exists somewhere and I overlooked it, but I don’t see what the purpose of AppArmor is in this context. What are the risks of using KVM without AppArmor?

That’s good. Security should be transparent to the user and not interfere with their workflow. The only person who should see a difference is an attacker looking to break out of the VM.


Thanks, I completely agree. I understand there is AppArmor running in the guests, but my question was about installing and enabling AppArmor on a Debian host when running Whonix in KVM as per the official documentation (see link in above post).

Documentation on Whonix and AppArmor only refers to the guest VMs, so it was not useful in my case.

I still don’t understand what the purpose is of installing and enabling AppArmor on the host while running Whonix guests with KVM. I see no differences at all. What are the advantages? What does it change? How is it configured? What are the risks of running Whonix with KVM without AppArmor?

Yes I know and my answer applies accordingly.

It’s configured automatically by the security extension of libvirt called sVirt. The advantage is it wraps the entire guest with its arbitrary programs in a protective AppArmor layer. There is no performance penalty and no conflicts with configured shared folders. I don’t understand why you wouldn’t want it. Do as you like, this is free software and your own system. No one’s holding a gun to your head to use it and I don’t get a commission if you do :wink:

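Because the sVirt confinement described in the reply above is invisible in normal use, one way to confirm it is applied is to inspect the guest's live domain XML. This is an added example, not part of the thread or of the Whonix documentation; the function name, the constructed sample XML and the `libvirt-<uuid>` label naming are assumptions about what libvirt's AppArmor driver reports.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like `virsh dumpxml` output for a running guest.
CONFINED_XML = """<domain type='kvm' id='3'>
  <name>example-guest</name>
  <uuid>11111111-2222-3333-4444-555555555555</uuid>
  <seclabel type='dynamic' model='apparmor' relabel='yes'>
    <label>libvirt-11111111-2222-3333-4444-555555555555</label>
    <imagelabel>libvirt-11111111-2222-3333-4444-555555555555</imagelabel>
  </seclabel>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+64055:+108</label>
  </seclabel>
</domain>"""

UNCONFINED_XML = """<domain type='kvm' id='4'>
  <name>example-guest</name>
  <uuid>11111111-2222-3333-4444-555555555555</uuid>
  <seclabel type='none' model='none'/>
</domain>"""


def apparmor_confinement(domain_xml):
    """Return (confined, detail) for one guest's live domain XML."""
    root = ET.fromstring(domain_xml)
    uuid = (root.findtext("uuid") or "").strip()
    for sec in root.findall("seclabel"):
        if sec.get("model") != "apparmor":
            continue  # e.g. the 'dac' label, which is not the AppArmor layer
        label = (sec.findtext("label") or "").strip()
        if sec.get("type") == "none" or not label:
            return False, "apparmor seclabel present but no profile applied"
        # Assumption: dynamic labels are generated per guest as libvirt-<uuid>.
        if sec.get("type") == "dynamic" and label != f"libvirt-{uuid}":
            return False, f"label {label} does not match guest uuid"
        return True, label
    return False, "no apparmor seclabel on this guest"


if __name__ == "__main__":
    for name, xml in (("confined", CONFINED_XML), ("unconfined", UNCONFINED_XML)):
        print(name, apparmor_confinement(xml))
```

On a real host, feed the function the output of `virsh dumpxml` for the running guest; `aa-status` should list a loaded profile with the same name as the returned label.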

OK, I know close to nothing about AppArmor, I’ll try to read up on that. In the meantime I may just install it.