Whonix AppArmor Profiles Development Discussion


In Whonix 14, this

+++ cat /var/run/msgcollector/user/msgdispatcher_pidx
++ pid=1323
++ ps -p 1323

is causing

type=AVC msg=audit(1518277651.459:418): apparmor="DENIED" operation="ptrace" profile="/usr/bin/whonixcheck" pid=12582 comm="ps" requested_mask="trace" denied_mask="trace" peer="/usr/bin/whonixcheck"

How can we fix it?


Is that showing in VirtualBox/KVM?

I could not reproduce it in VBox. The commands complete without error.

Cannot try in Qubes, no apparmor for the time being.



After the last kernel upgrade, the kernel will have AppArmor support. (Using the dom0 testing repository. It might take a while until it moves to Qubes dom0 stable. dom0 testing may not be advisable. I always update another installation on USB first to see that nothing breaks.)


Updating frequently from the dom0 testing repository. No new kernel.

After the thread http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/t/apparmor-and-kernel-4-14-18-1-creates-tons-of-kern-log-pop-ups/4811/5

I tried dom0 unstable, no change. The only available kernel is


Some Qubes issue, most likely.

I did not reboot the Qubes machine for a few days. In the meantime, I did update many times from dom0 testing.

Just rebooted, the latest kernel is installed.


This should be fixed in



This should be fixed in

Merged! :slight_smile:

Great, would have taken me ages to figure out. Didn't look easy. Neither was easy to research.


VirtualBox AppArmor profile warning (Whonix 14)

From the Whonix 14 testing thread, note that the AppArmor profile for VirtualBox (when installing apparmor-profiles-whonix) warns:

Warning from /etc/apparmor.d/usr/lib/virtualbox.VirtualBox (/etc/apparmor.d/usr.lib.virtualbox.VirtualBox line 50): Unconfined exec qualifier (ux) allows some dangerous environment variables to be passed to the unconfined process; 'man 5 apparmor.d' for details.

Probably low priority, but worthy of investigation.


From http://forums.kkkkkkkkkk63ava6.onion/t/long-wiki-edits-thread/3477/569

How about implementing this OnionShare AppArmor profile in Whonix?



Already has upstream.



I think we should remove the VirtualBox profile from apparmor-profiles-whonix. This is a very early one, and it was meant to be used on the host.

If someone feels like installing AppArmor on their host, enforcing the profile and starting Whonix, they are welcome to.


Good idea. Done.





Why is "alias / -> /rw/," not enough?

Why is explicitly…

alias /var/lib/ -> /rw/var/lib/,
alias /var/lib/tor/ -> /rw/var/lib/tor/,

additionally required?

If in doubt, could you ask the upstream AppArmor developer mailing list please?

I think it belongs here https://github.com/Whonix/apparmor-profile-anondist/blob/master/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist?

//cc @Algernon

Whonix live mode

These are known issues of apparmor + overlayfs. Some other examples:


Just using "alias / -> /rw/," will still lead to denied messages in some cases. The easy workaround is to also add the denied path as an alias.
If the live mode gets tested more, some more denied messages could maybe be expected. At least every denied message with "/rw/" in the path would be related to overlayfs.
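The two kinds of denial in this thread (the ptrace denial from the whonixcheck post at the top, and the "/rw/" overlayfs denials described just above) can be mapped to candidate profile lines mechanically. The script below is an added example, not code from Whonix or from anyone in this thread: it parses kernel audit AVC records and emits the profile line a profile author would consider adding. The ptrace record is the one quoted in the thread; the other two records are constructed for illustration, and the alias heuristic (alias the parent directory of the denied /rw/ path back to its canonical location) is my reading of the workaround described above, not a Whonix convention.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Optional

# key="quoted value" or key=bare token, as emitted in kernel audit records.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Writable overlay mount used by Whonix live mode / Qubes-Whonix (see thread).
OVERLAY_PREFIX = "/rw"

# First record is the one quoted in the thread; the other two are constructed.
SAMPLE_PTRACE = (
    'type=AVC msg=audit(1518277651.459:418): apparmor="DENIED" operation="ptrace" '
    'profile="/usr/bin/whonixcheck" pid=12582 comm="ps" requested_mask="trace" '
    'denied_mask="trace" peer="/usr/bin/whonixcheck"'
)
SAMPLE_OVERLAY = (  # constructed: file denial under the /rw/ overlay
    'type=AVC msg=audit(1518280000.100:500): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/tor" name="/rw/var/lib/tor/state" pid=900 comm="tor" '
    'requested_mask="r" denied_mask="r" fsuid=107 ouid=107'
)
SAMPLE_ALLOWED = (  # constructed: complain-mode record, nothing to fix
    'type=AVC msg=audit(1518280001.200:501): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/tor" name="/etc/tor/torrc" pid=900 comm="tor" '
    'requested_mask="r" denied_mask="r"'
)


def parse_avc(line: str) -> Dict[str, str]:
    """Split one audit record into key -> value (surrounding quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Return a candidate AppArmor profile line for a DENIED record, else None."""
    if fields.get("apparmor") != "DENIED":
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    if fields.get("operation") == "ptrace":
        # Rule syntax: ptrace (access) peer=<profile label>,
        # A peer equal to the profile itself, as in the thread, is a confined
        # process inspecting its own children (here `ps -p <pid>`).
        peer = fields.get("peer")
        return f"ptrace ({mask}) peer={peer}," if peer else f"ptrace ({mask}),"
    name = fields.get("name")
    if not name:
        return None
    if name.startswith(OVERLAY_PREFIX + "/"):
        # Heuristic (assumption, not a Whonix convention): the profile already
        # allows the canonical path, so alias the parent directory of the
        # denied /rw/ path instead of adding a second path rule.
        parent = PurePosixPath(name[len(OVERLAY_PREFIX):]).parent
        real_dir = "/" if str(parent) == "/" else f"{parent}/"
        return f"alias {real_dir} -> {OVERLAY_PREFIX}{real_dir},"
    # Ordinary file denial: the path plus the denied access mask.
    return f"{name} {mask},"


def suggest_rules(lines: Iterable[str]) -> List[str]:
    """Deduplicated candidate lines for a batch of records, in first-seen order."""
    out: List[str] = []
    for line in lines:
        rule = suggest_rule(parse_avc(line))
        if rule and rule not in out:
            out.append(rule)
    return out


if __name__ == "__main__":
    for rule in suggest_rules([SAMPLE_PTRACE, SAMPLE_OVERLAY, SAMPLE_ALLOWED]):
        print(rule)
```

Feed it the `apparmor="DENIED"` lines from `journalctl -k` or /var/log/kern.log. aa-logprof covers the ordinary file rules interactively; the point of this script is the /rw/ mapping, which turns an overlay denial into an alias rather than a second path rule. Every suggested line still needs review: a ptrace rule should name the narrowest peer that works, and an alias is a profile-wide statement, so it belongs in the shared tunables file the thread points at rather than in one profile.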


Can you please move to apparmor-profile-anondist, remove from your other two packages and reference https://bugs.launchpad.net/apparmor/+bug/888077 in the comment?


I opened some pull requests for this.


All merged.