nixos/apparmor: disable killUnconfinedConfinables by default

nixos/doc/manual/release-notes/rl-2105.xml

@@ -869,10 +869,9 @@ environment.systemPackages = [
      to provide a way to disable a profile
      and to select whether to confine in enforce mode (default)
      or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).
-     Before enabling this module, either directly
+     Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>,
-     or by importing <literal>&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;</literal>,
+     at the cost of having some of their processes killed
-     please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>,
+     when updating to a NixOS version introducing new AppArmor profiles.
-     and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>.
     </para>
    </listitem>
    <listitem>

nixos/modules/profiles/hardened.nix

@@ -36,6 +36,7 @@ with lib;
   security.virtualisation.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;
+  security.apparmor.killUnconfinedConfinables = mkDefault true;
 
   boot.kernelParams = [
     # Slab/slub sanity checks, redzoning, and poisoning

nixos/modules/security/apparmor.nix

@@ -30,16 +30,17 @@ in
         If you're enabling this module on a running system,
         note that a reboot will be required to activate AppArmor in the kernel.
 
-        Also, beware that enabling this module will by default
+        Also, beware that enabling this module privileges stability over security
-        try to kill unconfined but confinable running processes,
+        by not trying to kill unconfined but newly confinable running processes by default,
-        in order to obtain a confinement matching what is declared in the NixOS configuration.
+        though it would be needed because AppArmor can only confine new
-        This will happen when upgrading to a NixOS revision
+        or already confined processes of an executable.
-        introducing an AppArmor profile for the executable of a running process.
+        This killing would for instance be necessary when upgrading to a NixOS revision
-        This is because enabling an AppArmor profile for an executable
+        introducing for the first time an AppArmor profile for the executable
-        can only confine new or already confined processes of that executable,
+        of a running process.
-        but leaves already running processes unconfined.
+
-        Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>
+        Enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>
-        to <literal>false</literal> if you prefer to leave those processes running'';
+        if you want this service to do such killing
+        by sending a <literal>SIGTERM</literal> to those running processes'';
       policies = mkOption {
         description = ''
           AppArmor policies.
@@ -78,10 +79,14 @@ in
         Beware that AppArmor policies almost always contain Nix store paths,
         and thus produce at each change of these paths
         a new cached version accumulating in the cache'';
-      killUnconfinedConfinables = mkDisableOption ''
+      killUnconfinedConfinables = mkEnableOption ''
         killing of processes which have an AppArmor profile enabled
-        (in <link linkend="opt-security.apparmor.policies">policies</link>)
+        (in <xref linkend="opt-security.apparmor.policies"/>)
         but are not confined (because AppArmor can only confine new processes).
+
+        This is only sending a gracious <literal>SIGTERM</literal> signal to the processes,
+        not a <literal>SIGKILL</literal>.
+
         Beware that due to a current limitation of AppArmor,
         only profiles with exact paths (and no name) can enable such kills'';
     };