Merge pull request #10123 from woky/apparmor-runc

apparmor: Allow confined runc to kill containers
2024-04-24 22:01:12 +00:00 · 2024-04-24 22:01:12 +00:00 · 01ed3ff123
commit 01ed3ff123
parent c4c3c6ea56 094bafe2a3
1 changed files with 4 additions and 0 deletions
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@ -55,6 +55,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
  umount,
  # Host (privileged) processes may send signals to container processes.
  signal (receive) peer=unconfined,
+  # runc may send signals to container processes.
+  signal (receive) peer=runc,
+  # crun may send signals to container processes.
+  signal (receive) peer=crun,
  # Manager may send signals to container processes.
  signal (receive) peer={{.DaemonProfile}},
  # Container processes may send signals amongst themselves.