security.apparmor.killUnconfinedConfinables
Whether to enable killing of processes which have an AppArmor profile enabled (in security.apparmor.policies) but are not confined (because AppArmor can only confine new processes).
This only sends a graceful SIGTERM signal to the processes, not a SIGKILL.
Beware that due to a current limitation of AppArmor, only profiles with exact paths (and no name) can enable such kills.
- Type
  boolean
- Default
  false
- Example
  true
- Declared
  - <nixpkgs/nixos/modules/security/apparmor.nix>
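To preview which processes this option would signal before enabling it, the check below lists PIDs that are still unconfined although a loaded profile is named exactly after their executable path. It is an added example, not the NixOS module's code; the function name, the use of `/proc/<pid>/attr/current` and `/sys/kernel/security/apparmor/profiles` as data sources, and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not the NixOS module's code: list processes that are
# "confinable but unconfined", i.e. candidates for the SIGTERM.
# On a live system (as root), with paths assumed from the Linux AppArmor LSM:
#   list_unconfined_confinables /sys/kernel/security/apparmor/profiles /proc

list_unconfined_confinables() {
    profiles_file=$1   # lines of the form "name (mode)"
    proc_root=$2       # directory laid out like /proc
    for dir in "$proc_root"/[0-9]*; do
        # A confined process reports "profile (mode)"; skip those.
        label=$(cat "$dir/attr/current" 2>/dev/null) || continue
        [ "$label" = "unconfined" ] || continue
        # Kernel threads and exited processes have no readable exe link.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        while IFS= read -r line; do
            name=${line% \(*}          # strip the trailing " (mode)"
            # Exact string match on the path: named or globbed profiles never match.
            if [ "$name" = "$exe" ]; then
                echo "${dir##*/} $exe"
                break
            fi
        done < "$profiles_file"
    done
}

# Constructed sample data (not from a real host).
sample=$(mktemp -d)
cat > "$sample/profiles" <<'EOF'
/usr/bin/foo (enforce)
bar (enforce)
/usr/bin/baz (complain)
EOF
add_proc() {  # add_proc PID EXE LABEL
    mkdir -p "$sample/proc/$1/attr"
    ln -s "$2" "$sample/proc/$1/exe"
    printf '%s\n' "$3" > "$sample/proc/$1/attr/current"
}
add_proc 101 /usr/bin/foo unconfined                 # path profile, started before load
add_proc 102 /usr/bin/bar unconfined                 # profile has a name: not matched
add_proc 103 /usr/bin/baz '/usr/bin/baz (complain)'  # already confined
add_proc 104 /usr/bin/qux unconfined                 # no profile at all

list_unconfined_confinables "$sample/profiles" "$sample/proc"
```

Process 102 shows the limitation described above: its profile is loaded under a name rather than a path, so it stays unconfined and is not selected.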