According to document in whonix wiki i have installed maximum apparmor profiles in both GATEWAY and WORKSTATION
sudo apt-get install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure
and then as per documentation recommendation i have enforced all profiles in /etc/apparmor.d/
sudo aa-enforce /etc/apparmor.d/*
now upon checking denied logs i have seen some denied entries from Whonix firewall …
is it safe ?
The Whonix firewall profile isn’t meant to be enforced yet.
Run:
sudo aa-complain /etc/apparmor.d/whonix-firewall
1 Like
Thanks you so much for you kind reply
here is my aa-status
user@host:~$ sudo aa-status
[sudo] password for user:
apparmor module is loaded.
45 profiles are loaded.
45 profiles are in enforce mode.
//*-browser/Browser/firefox
/usr/bin/gwenview
/usr/bin/hexchat
/usr/bin/irssi
/usr/bin/man
/usr/bin/okular
/usr/bin/onioncircuits
/usr/bin/pidgin
/usr/bin/pidgin//sanitized_helper
/usr/bin/sdwdate
/usr/bin/totem
/usr/bin/totem-audio-preview
/usr/bin/totem-video-thumbnailer
/usr/bin/totem//sanitized_helper
/usr/bin/whonix_firewall
/usr/bin/whonixcheck
/usr/bin/xchat
/usr/lib/onion-grater
/usr/lib/sdwdate/url_to_unixtime
/usr/lib/whonix-firewall/
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session//chromium
/usr/sbin/apt-cacher-ng
/usr/sbin/dnsmasq
/usr/sbin/dnsmasq//libvirt_leaseshelper
/usr/sbin/haveged
avahi-daemon
bootclockrandomization
identd
klogd
man_filter
man_groff
mdnsd
nmbd
nscd
nvidia_modprobe
nvidia_modprobe//kmod
ping
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
system_tor
traceroute
0 profiles are in complain mode.
9 processes have profiles defined.
9 processes are in enforce mode.
/usr/bin/python3.7 (889) /usr/bin/sdwdate
/bin/dash (2136) /usr/bin/sdwdate
/bin/sleep (2137) /usr/bin/sdwdate
/usr/bin/python3.7 (2308) /usr/lib/onion-grater
/bin/bash (781) /usr/lib/whonix-firewall/**
/bin/bash (796) /usr/lib/whonix-firewall/**
/usr/bin/inotifywait (797) /usr/lib/whonix-firewall/**
/usr/sbin/haveged (414)
/usr/bin/tor (884) system_tor
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
kindly help me which profiles i have to set in complain mode
noted about whonix firewall
regards
I’ve fixed and otherwise improved documentation just now:
AppArmor: Difference between revisions - Whonix
See:
2 Likes
Thanks you so much patrick for your kind time
It might not be advisable or useful to enable all available AppArmor profiles.
Now i will disable profiles which i enabled before
Thanks again