Qubes-Whonix AppArmor instructions with dom0 upgraded to 4.14 kernel breaks AppArmor

Patrick, have you tested the Qubes-Whonix AppArmor instructions with dom0 upgraded to 4.14 kernel?

Even though kernelopts are set correctly as per:


The manual check in sys-whonix and Whonix-Workstation AppVM shows:


Not 0 as expected.

sudo aa-status shows “apparmor module is not loaded” in those AppVMs.

No evidence of AppArmor loading or profiles being enforced in logs as expected.

If this is a bug, this could affect a bunch of Whonix users when Qubes pushes 14.4 kernel, like I believe they intend to in the near term as it is next stable.


Nice to pick that, I did not notice.

There has been a lot of discussions about an issue with kernel 4.14 and apparmor. https://www.phoronix.com/scan.php?page=news_item&px=AppArmor-Linux-4.14 is one of them, with a link to a patch in debian.

But it concerns some profiles not working. In Qubes sys-whonix and anon-whonix, apparmor fails to load entirely.

sudo systemctl status apparmor.service reports

ConditionSecurity=apparmor was not met


This is a critical problem / security regression which should be reported as a bug to Qubes and/or Linux kernel and/or Xen and/or AppArmor mob, since it is clearly not Whonix-specific.

It’s probably best to report to Qubes Issues tracker in the first instance, since it’s the only platform where this happens(?). @adw

Couldn’t find any other reference for it from Internet searches i.e. apparmor module completely failing to load in 4.14 kernel (only the profiles issue which is already resolved in Debian etc).

1 Like

Please file an issue in qubes-issues about this.


Someone posted (thankfully):


1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]