I have been keeping up with @madaidan’s and @Patrick’s ongoing development of
apparmor-profile-everything. So far, their efforts have led to a system of total confinement aptly named
This is not simply a single profile but a series of profiles, system files, and related scripting. Together these elements work as one to confine the user’s system starting from init onward. The confinements include: the systemd init process and any children it spawns, the apt-get processes through a wrapper named rapt, and a lockdown of files and directories that could pose significant security risks if they were to be exploited.
initramfs is made aware through a hook so that the init-systemd AppArmor profile is executed right before systemd starts parsing. This is proven through simple examination of the boot log information (
This was tested on a Debian Buster host with kernel 4.19.0-6-amd64 fully updated. Since Debian ships AppArmor as default, and it is already active, no kernel boot parameter is necessary. There is a very convenient way to add this profile to your system by simply obtaining it from the official Whonix repository.
sudo apt-get install apparmor-profile-everything
That will install the package onto your machine.
rapt application was very interesting because it completely confined apt-get while at the same time allowing for normal use. It acts as a wrapper for apt, similar in function to how uwt acts as a wrapper for torsocks in Whonix.
rapt protects your system, and a review of the code shows that it specifically works with and for apparmor-profile-everything to make sure an attacker or malicious script cannot simply remove packages to bypass protections.
initramfs-tools hook is simple enough to understand. Its purpose is to make sure that the initramfs knows to initiate the init-systemd AppArmor profile before systemd. The log confirms this:
Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714567.608:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=211 comm="apparmor_parser"
then immediately after:
Dec 19 00:16:08 host systemd: systemd 241 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP
/usr/bin/rapt profile parses as well:
Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714568.800:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/rapt" pid=308 comm="apparmor_parser"
Now, it is important to note that this particular system is a torified and hardened workstation. No clearnet allowed. My permissions are not identical to those of Whonix, but they are similar. I can only report on my own system, so your mileage may vary. That would not be a problem though, because (if you know what you are doing) AppArmor is very flexible and still very secure. If my testing continues as smoothly as it has so far, my plan is to implement apparmor-profile-everything on all my systems.
There are no errors with System Tor (4.1.6) or the Tor Browser (
I have not tested UDP, but TCP is fine. OpenVPN works, both as openvpn@server and as a client connecting to that server. No interruptions or permissions issues found. Performance is as expected. OpenVPN works both with TCP and UDP, and ports are flexible. Used in TCP mode, no errors are experienced.
Monero cli wallet works. Electrum works.
Normal day-to-day tasks also work with no issue. Specifically: browsing, coding and compiling (with minor tweaks),
There was an error regarding GPG that wanted access to /proc/sys/crypto/fips_enabled. It was not an impediment, however. I did not adjust any permissions, and the error proved harmless. (This error was generated by the /usr/bin/rapt profile and recorded by audit in
Other than that, there have been no issues!
AppArmor is a versatile and powerful system that can provide formidable protections and be a substantial if not insurmountable obstacle to any misbehaving program or malware. Profiles are straightforward and rely on absolute paths. Some commands to get you started in AppArmor:
shows you the list of profiles on the system. Shows you how many are loaded, being enforced, are complaining, active processes and associated profiles, and unconfined but with a profile.
make a new profile go into “enforce” mode right away
This command needs the
sudo systemctl status apparmor
shows if AppArmor is active, when it was started and its process ID number
sudo systemctl restart apparmor
restarts AppArmor and its profiles.
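As an added example (not part of the original post or of the apparmor-profile-everything project), a small Python checker that parses type=1400 AppArmor audit records of the kind quoted above, verifies that the init-systemd profile was loaded before systemd printed its "running in system mode" banner, and lists DENIED records such as the GPG one. The journal excerpt is constructed from the lines quoted in the post; the DENIED line is a constructed illustration of the described fips_enabled error, not a copy of the author's log.

```python
import re

# Constructed journal excerpt modelled on the lines quoted in the post; the DENIED
# record is a constructed illustration of the GPG / fips_enabled error, not a real log.
SAMPLE_JOURNAL = """\
Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714567.608:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd" pid=211 comm="apparmor_parser"
Dec 19 00:16:08 host systemd: systemd 241 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP
Dec 19 00:16:08 host kernel: audit: type=1400 audit(1576714568.800:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/rapt" pid=308 comm="apparmor_parser"
Dec 19 00:17:02 host kernel: audit: type=1400 audit(1576714622.100:9): apparmor="DENIED" operation="open" profile="/usr/bin/rapt" name="/proc/sys/crypto/fips_enabled" pid=1402 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

AUDIT_RE = re.compile(r"audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_apparmor_events(journal):
    """One dict per AppArmor (type=1400) audit record, in journal order."""
    events = []
    for lineno, line in enumerate(journal.splitlines()):
        m = AUDIT_RE.search(line)
        if not m:
            continue  # not an AppArmor audit record (e.g. the systemd banner)
        ev = {"lineno": lineno, "ts": m.group(1), "serial": m.group(2)}
        for key, quoted, bare in KV_RE.findall(m.group(3)):
            ev[key] = quoted if quoted else bare
        events.append(ev)
    return events

def loaded_profiles(journal):
    """Names of profiles apparmor_parser loaded, in load order."""
    return [ev["name"] for ev in parse_apparmor_events(journal)
            if ev.get("operation") == "profile_load"]

def init_profile_loaded_before_systemd(journal, profile="init-systemd"):
    """True when `profile` is loaded before systemd reports 'running in system mode'."""
    lines = journal.splitlines()
    banner = next((i for i, l in enumerate(lines) if "running in system mode" in l), None)
    if banner is None:
        return False  # no systemd banner in the excerpt: cannot confirm ordering
    return any(ev.get("operation") == "profile_load" and ev.get("name") == profile
               and ev["lineno"] < banner
               for ev in parse_apparmor_events(journal))

def denials(journal):
    """(profile, path, comm) for each DENIED record: what to review before touching a profile."""
    return [(ev["profile"], ev.get("name", ""), ev.get("comm", ""))
            for ev in parse_apparmor_events(journal) if ev.get("apparmor") == "DENIED"]

if __name__ == "__main__":
    print(init_profile_loaded_before_systemd(SAMPLE_JOURNAL), loaded_profiles(SAMPLE_JOURNAL), denials(SAMPLE_JOURNAL))
```

On a live system the same functions can be fed the output of `journalctl -k -b` to confirm the load order on that boot.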
Edit by Patrick: