Enabling AppArmor in Debian-10 Fedora-30 Templates


ronpunz

Aug 17, 2019, 6:27:30 AM
to qubes-users
Is it recommended to enable AppArmor in TemplateVMs? I note from Whonix
docs that this can be achieved in dom0 using qvm-prefs -s templatename
kernelopts "nopat apparmor=1 security=apparmor".


Chris Laprise

Aug 17, 2019, 1:30:33 PM
to ronpunz, qubes-users
I personally recommend doing this for Debian 10 (and Whonix 15, which is
based on it) because that OS enables it by default.

Qubes developers seem to agree, and have an issue for discussing the
best way to make this a default in Qubes:

https://github.com/QubesOS/qubes-issues/issues/4088

Users can manually add those settings to their template VMs, which will
propagate to template-based VMs as long as the latter don't have custom
kernelopts.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

ronpunz

Aug 18, 2019, 2:50:59 AM
to Chris Laprise, qubes-users

On 8/17/19 5:30 PM, Chris Laprise wrote:
> On 8/17/19 6:27 AM, ronpunz wrote:
>> Is it recommended to enable AppArmor in TemplateVMs? I note from Whonix
>> docs that this can be achieved in dom0 using qvm-prefs -s templatename
>> kernelopts "nopat apparmor=1 security=apparmor".
>>
>
> I personally recommend doing this for Debian 10 (and Whonix 15, which
> is based on it) because that OS enables it by default.
>
> Qubes developers seem to agree, and have an issue for discussing the
> best way to make this a default in Qubes:
>
> https://github.com/QubesOS/qubes-issues/issues/4088
>
> Users can manually add those settings to their template VMs, which
> will propagate to template-based VMs as long as the latter don't have
> custom kernelopts.
>
The Debian wiki https://wiki.debian.org/AppArmor/HowToUse suggests
installing apparmor-utils, which isn't installed by default in
debian-10. Is this necessary in Qubes?

Chris Laprise

Aug 18, 2019, 1:51:31 PM
to ronpunz, qubes-users
I'd recommend it if you want to see what profiles are being enforced, or
to create new profiles.
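
Added example, not part of the thread and not code from Qubes or Whonix: a shell sketch of the kernelopts change discussed above that adds the AppArmor options to whatever a template already has instead of overwriting it, plus a check of the booted kernel command line. The function names merge_apparmor_opts and cmdline_has_apparmor are hypothetical, and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Qubes or AppArmor tools.

# merge_apparmor_opts "<current kernelopts>"
# Prints the option string with apparmor=1 security=apparmor set exactly once.
# Conflicting values (apparmor=0, security=selinux, ...) are dropped and every
# other option keeps its original order, so re-running it changes nothing.
merge_apparmor_opts() (
    set -f                      # no glob expansion while word-splitting $1
    out=""
    for opt in $1; do
        case "$opt" in
            apparmor=*|security=*) ;;           # re-added once below
            *) out="${out:+$out }$opt" ;;
        esac
    done
    printf '%s\n' "${out:+$out }apparmor=1 security=apparmor"
)

# cmdline_has_apparmor "<contents of /proc/cmdline>"
# Succeeds only if the booted kernel was asked for AppArmor. Assumption: when
# an option is repeated, the last occurrence is the one that takes effect.
cmdline_has_apparmor() (
    set -f
    aa="" sec=""
    for opt in $1; do
        case "$opt" in
            apparmor=*) aa=${opt#apparmor=} ;;
            security=*) sec=${opt#security=} ;;
        esac
    done
    [ "$aa" = 1 ] && [ "$sec" = apparmor ]
)

# In dom0 (templatename as in the thread):
#   cur=$(qvm-prefs templatename kernelopts)
#   qvm-prefs -s templatename kernelopts "$(merge_apparmor_opts "$cur")"
# Inside a VM started after the change:
#   cmdline_has_apparmor "$(cat /proc/cmdline)" && echo "requested at boot"
#   cat /sys/module/apparmor/parameters/enabled    # Y when AppArmor is active
```

A template-based VM that has its own custom kernelopts does not pick up the template's value, so the same merge has to be applied to that VM as well.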