[Whonix-devel] AppArmor and Whonix

Whonix | Privacy and Anonymity OS newblogpost at whonix.org
Sun May 17 22:38:23 CEST 2015


AppArmor ("Application Armor") for better security.

Current status of AppArmor and Whonix:

- We have enabled apparmor by default for a while now. (https://github.com/Whonix/grub-enable-apparmor)
- Therefore The Tor Project's apparmor profile for Tor is in use on Whonix-Gateway.
- We tweak that one a bit to make it work with Whonix and obfsproxy. (https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/apparmor.d/local/system_tor.anondist)
- We don't install any apparmor profiles by default as of Whonix 10.
- We no longer install the profiles from Debian (packages apparmor-profiles, apparmor-profiles-extra) since Whonix 10, because of the noise they generate in the forums.
- We do not plan on installing apparmor profiles by default for packages that are not developed under the Whonix umbrella, such as for Tor Browser, pidgin, xchat, etc. (list: https://github.com/Whonix?utf8=%E2%9C%93&query=apparmor) Package upgrades by upstream that we don't control could make it impossible to start the application or lead to eventual fingerprinting issues; therefore installation of such apparmor profiles is manual, for testers and advanced users.
- Upstreaming such profiles is a very time-consuming process, and also a slow process (it requires a new stable Debian release). Help welcome.
- For apparmor profiles developed under the Whonix umbrella, such as sdwdate and whonixcheck, we plan in the future, for Whonix 12 or so, on deprecating the separate apparmor profiles and installing those profiles by default. That is doable because we control package upgrades.

The Whonix profiles can be installed with:

sudo apt-get install apparmor-profiles-whonix

AppArmor Whonix Wiki Page:
https://www.whonix.org/wiki/AppArmor

AppArmor Whonix Forum:
https://www.whonix.org/forum/index.php/board,18.0.html

This post has been automatically cross-posted by whonix.org/blog. To see the original (including links), go to https://www.whonix.org/blog/apparmor-and-whonix


