
enable AppArmor by default #4088

Open
adrelanos opened this Issue Jul 16, 2018 · 3 comments

4 participants
adrelanos commented Jul 16, 2018

Technically, add apparmor=1 security=apparmor to kernelopts.

qvm-prefs -s vmname kernelopts "nopat apparmor=1 security=apparmor"

For Debian templates I don't foresee any issues. For Whonix templates I foresee even fewer issues. Other templates, no idea.

What is the plan regarding 'VM kernel by default'?
(I am not advocating either dom0 or VM kernel. Just asking.)
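An added example, not part of the issue or of the Qubes or Whonix projects' code, showing how the kernelopts change above can be applied without clobbering options the VM already carries (such as the `nopat` the command keeps) and how to confirm from inside the VM that the setting actually took effect. It assumes the Qubes 4.x positional `qvm-prefs VMNAME PROPERTY [VALUE]` syntax (the `-s` form in the comment is the older equivalent) and the standard sysfs file `/sys/module/apparmor/parameters/enabled`; the in-VM check is what tells you whether the options were honoured, which matters when the VM boots a kernel supplied by dom0 rather than its own.

```shell
#!/bin/sh
# Added example (not from the Qubes issue): build a kernelopts string that
# enables AppArmor, apply it with qvm-prefs in dom0, and verify inside the VM.

# add_apparmor_opts CURRENT_OPTS
#   Prints CURRENT_OPTS with "apparmor=1 security=apparmor" appended.
#   Idempotent: tokens already present are not duplicated, existing
#   options (e.g. "nopat") are preserved and their order is kept.
add_apparmor_opts() {
    opts="$1"
    for tok in apparmor=1 security=apparmor; do
        case " $opts " in
            *" $tok "*) ;;                      # already there, keep as-is
            *) opts="${opts:+$opts }$tok" ;;    # append, single-space separated
        esac
    done
    printf '%s\n' "$opts"
}

# set_vm_apparmor VMNAME
#   Read the VM's current kernelopts from dom0, add the AppArmor options and
#   write the result back only if it changed. Assumes Qubes 4.x qvm-prefs
#   syntax: "qvm-prefs VM PROP" reads, "qvm-prefs VM PROP VALUE" sets.
set_vm_apparmor() {
    vm="$1"
    cur="$(qvm-prefs "$vm" kernelopts)"
    new="$(add_apparmor_opts "$cur")"
    if [ "$cur" != "$new" ]; then
        qvm-prefs "$vm" kernelopts "$new"
    fi
    printf 'kernelopts for %s: %s\n' "$vm" "$new"
}

# apparmor_enabled
#   Run inside the VM after a restart. Returns 0 when the booted kernel has
#   AppArmor turned on, 1 otherwise. /sys/module/apparmor/parameters/enabled
#   is the kernel's own sysfs flag; a wrong kernelopts line, or a VM kernel
#   that ignores them, shows up here as "N" or as a missing file.
apparmor_enabled() {
    f=/sys/module/apparmor/parameters/enabled
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Usage (assumed hypothetical VM name):
#   dom0:   sh enable-apparmor.sh apply sys-whonix
#   in-VM:  sh enable-apparmor.sh check
case "${1:-}" in
    apply)
        command -v qvm-prefs >/dev/null 2>&1 || { echo "run this in dom0" >&2; exit 1; }
        set_vm_apparmor "$2"
        ;;
    check)
        if apparmor_enabled; then
            echo "AppArmor enabled; cmdline: $(cat /proc/cmdline)"
        else
            echo "AppArmor NOT enabled; cmdline: $(cat /proc/cmdline 2>/dev/null)" >&2
            exit 1
        fi
        ;;
esac
```

The `check` step is the part worth keeping around: after changing kernelopts, restart the VM and run it there, then `aa-status` to see which profiles are actually in enforce mode, since enabling the LSM and having profiles loaded are two separate things.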

adrelanos commented Jul 16, 2018

In case this is a no or inconclusive, I would fall back to a separate ticket: enable AppArmor by default for Qubes-Whonix.


For Whonix it's sane to enable AppArmor by default, since we don't ship by default any AppArmor profiles which have the potential to break in bad ways. (Such as for Tor Browser, which has its own updater, so Tor Browser might rush ahead and do things which are not covered by apparmor-profile-torbrowser.) We only ship AppArmor profiles for packages which are upgraded through Debian apt package management and which undergo testing before flowing into the stable repository (such as Tor, sdwdate, ...).

AppArmor has been enabled by default in Non-Qubes-Whonix for many releases.

Package https://github.com/Whonix/grub-enable-apparmor only works when using VM kernel.

Related:

marmarek commented Jul 16, 2018

What is the plan regarding 'VM kernel by default'?

For now it is blocked by being incompatible with PVH :/

lunarthegrey commented Jul 19, 2018

AppArmor works well in my PVH VMs, been using it for a while now. I don't think it's installed by default in the Debian template, if I remember correctly.
