diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
index 6a7382140964e..0384727ac252d 100644
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -869,10 +869,9 @@ environment.systemPackages = [
to provide a way to disable a profile
and to select whether to confine in enforce mode (default)
or in complain mode (see journalctl -b --grep apparmor).
- Before enabling this module, either directly
- or by importing <nixpkgs/nixos/modules/profiles/hardened.nix>,
- please be sure to read the documentation of security.apparmor.enable,
- and especially the part about .
+ Security-minded users may also want to enable ,
+ at the cost of having some of their processes killed
+ when updating to a NixOS version introducing new AppArmor profiles.
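Review bot: the new sentence reads "Security-minded users may also want to enable ," with nothing between "enable" and the comma, so the option being recommended is never named; the reference should resolve to `security.apparmor.killUnconfinedConfinables`, the option this same change adds to hardened.nix and turns into an opt-in in apparmor.nix. Because the default of that option is being flipped from on to off in this release, the note should say so explicitly, so users who relied on the kill-on-upgrade behaviour know they now have to enable it themselves, and should mention that importing `profiles/hardened.nix` enables it for them.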
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 00aafc6831b25..3f8f78f012a70 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -36,6 +36,7 @@ with lib;
security.virtualisation.flushL1DataCache = mkDefault "always";
security.apparmor.enable = mkDefault true;
+ security.apparmor.killUnconfinedConfinables = mkDefault true;
boot.kernelParams = [
# Slab/slub sanity checks, redzoning, and poisoning
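Review bot: `security.apparmor.killUnconfinedConfinables = mkDefault true;` silently turns on SIGTERM-on-upgrade for everyone importing the hardened profile, while the release note in this same change only says users "may also want to enable" it. A short comment above the line, in the style of `# Slab/slub sanity checks, redzoning, and poisoning`, explaining that this terminates unconfined-but-confinable processes when a new profile appears so the running system matches the declared policy, plus a sentence in the release note that hardened.nix enables it, would spare users the surprise. Keeping `mkDefault` is the right call so a user can still set it to `false`.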
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index 68bc3f126cb99..9bd909aa50bc4 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -30,16 +30,17 @@ in
If you're enabling this module on a running system,
note that a reboot will be required to activate AppArmor in the kernel.
- Also, beware that enabling this module will by default
- try to kill unconfined but confinable running processes,
- in order to obtain a confinement matching what is declared in the NixOS configuration.
- This will happen when upgrading to a NixOS revision
- introducing an AppArmor profile for the executable of a running process.
- This is because enabling an AppArmor profile for an executable
- can only confine new or already confined processes of that executable,
- but leaves already running processes unconfined.
- Set killUnconfinedConfinables
- to false if you prefer to leave those processes running'';
+ Also, beware that enabling this module privileges stability over security
+ by not trying to kill unconfined but newly confinable running processes by default,
+ though it would be needed because AppArmor can only confine new
+ or already confined processes of an executable.
+ This killing would for instance be necessary when upgrading to a NixOS revision
+ introducing for the first time an AppArmor profile for the executable
+ of a running process.
+
+ Enable
+ if you want this service to do such killing
+ by sending a SIGTERM to those running processes'';
policies = mkOption {
description = ''
AppArmor policies.
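Review bot: the closing sentence is "Enable" followed by " if you want this service to do such killing", with the option reference missing, so the description tells the reader to enable something it never names; it should read `Enable security.apparmor.killUnconfinedConfinables if you want ...` (or the equivalent `<option>` markup). The middle sentence is also hard to follow: "privileges stability over security by not trying to kill ... by default, though it would be needed because ..." packs the rationale, the default and the AppArmor limitation into one clause. Suggest splitting it: "By default this module favours stability over security: it does not kill running processes that are unconfined but now have a profile. AppArmor can only confine new or already confined processes of an executable, so such processes stay unconfined until restarted, for instance after upgrading to a NixOS revision that introduces a profile for an executable that is already running."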
@@ -78,10 +79,14 @@ in
Beware that AppArmor policies almost always contain Nix store paths,
and thus produce at each change of these paths
a new cached version accumulating in the cache'';
- killUnconfinedConfinables = mkDisableOption ''
+ killUnconfinedConfinables = mkEnableOption ''
killing of processes which have an AppArmor profile enabled
- (in policies)
+ (in )
but are not confined (because AppArmor can only confine new processes).
+
+ This is only sending a gracious SIGTERM signal to the processes,
+ not a SIGKILL.
+
Beware that due to a current limitation of AppArmor,
only profiles with exact paths (and no name) can enable such kills'';
};
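Review bot: switching `mkDisableOption` to `mkEnableOption` flips the default of `killUnconfinedConfinables` from true to false, a behavioural change for every existing user, so it deserves an explicit mention here or in the release note. In the description, "(in )" has lost its reference to the `policies` option (the removed line read "(in policies)") and should be restored; "gracious SIGTERM signal" should be "graceful SIGTERM signal"; and since only SIGTERM is sent and AppArmor can only confine new processes, it is worth stating that a process which ignores or handles SIGTERM without exiting remains unconfined, so administrators should not read this option as a guarantee of confinement after an upgrade.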