Template Troubles with Qubes 4.0

Fresh install of Qubes 4.0. The wiki’s Security Guide appears to be outdated when it comes to Qubes 4.0. AppArmor for the Whonix TemplateVMs (different attempts using both fresh and restored) produced persistent AppArmor violation popups, along with no changes to kernelopts in the TemplateVM’s settings pages. Qubes 4.0 uses PVH virtualization wherever possible, and the qvm-prefs man page states VM kernel parameters (--kernelopts) are available only for PV VMs.

So I assume AppArmor is currently unusable in this version of Qubes? I looked for any recent posts about this but saw nothing.

Hi 9jnc7

This has to do with the kernel upgrade. This is a common issue for which a solution has been realized in this thread.

https://forums.whonix.org/t/apparmor-and-kernel-4-14-18-1-creates-tons-of-kern-log-pop-ups/4811

Yes, I am running kernel 4.14.18.1, but let me repeat that adding kernelopts with qvm-prefs is only supported on PV VMs in Qubes 4.0. Qubes offers a red warning about PV VMs; clearly they should no longer be used. AppArmor fails on VM start without the needed kernel parameters. I think AppArmor is unusable at the moment with this release, but maybe I’m missing something?

1 Like

Thanks 9jnc7 for the report. Wiki instructions to be updated shortly by 0brand with correct parameters for AppArmor.

1 Like

My comment about qvm-prefs and kernelopts was moot. Patrick’s pointer to GitHub cleared it up.

1 Like

Not so.

If you hadn’t brought that up, other users may encounter the same issue. The AppArmor wiki page will be updated so that won’t happen.

Thanks for the report!!

2 Likes