Whonix Wiki Download Docs News Support Tips Issues Contribute DONATE

install apparmor-profiles apparmor-profiles-extra apparmor-profiles-kicksecure by default

Installing apparmor-profiles apparmor-profiles-extra kicksecure-profiles by default wont loose anything, Been using these packages as default since like 2 years or more no real/major/dysfunctional problem came out of it.

So i think its a good idea to have them installed.

1 Like

What do we do in strange crash issues most likely caused by upstream?
Such as this recent example:
Tor Browser crashing

If package apparmor-profile-torbrowser was installed by default, it becomes more difficult to point at Generic Bug Reproduction as it is done in Attempt to Debug the Issue.

1 Like

very easy to test something with and without apparmor specially apparmor is something separated from the running packages, so if its not working without apparmor then its not. (assuming the issue is not/cant be identifiable and need further investigations)

Added to https://www.whonix.org/wiki/AppArmor#Install_all_AppArmor_Profiles just now:

Note written on 29 June 2022: In a future Whonix ™ version (unreleased at time of writing), the following packages will be installed by default. (forum discussion)


  • The above git commits only abolish need for the user to run the Installation steps.
  • The Enabling part is not implemented by default for all AppArmor profiles.

In other words… This results in some AppArmor profiles enabled by default. These are:

  • Those AppArmor profiles by the Debian apparmor-profiles package where the Debian maintainers decided to put those into enforce mode by default.
    • Profiles where Debian maintainers decided to put those into complain mode by default are not set to enforce by Kicksecure / Whonix yet and it is yet to be tested and decided if that will be a good idea. A call for testers will come soon.
  • apparmor-profile-thunderbird
  • apparmor-profile-torbrowser
  • apparmor-profile-hexchat

No profiles from the Debian apparmor-profiles-extra package are copied from the /usr/share/apparmor/extra-profiles folder to the /etc/apparmor.d by default yet.

  • Copying might be the wrong approach anyhow because then improvements/fixes by Debian maintainers are not applied when the package is updated.
  • Symlinks would be better in theory but I haven’t tested yet if AppArmor accepts symlinks in folder /etc/apparmor.d. Help welcome.
1 Like

yes i think better to leave debian profile in complain or enforce mode according to debian decision, but only enforce kicksecure profiles by default.

yep either symlink or keep out of use until upstream push it to /etc/apparmor.d

1 Like

This is done and now in the stable repository.

1 Like

One issue which was caused by this:
Tor Browser Save Download to shared folder access on Whonix-Workstation-XFCE AppArmor Issue