From 1aedc12e356cfd29a5bb54d94e9b2e09da3649ca Mon Sep 17 00:00:00 2001 From: Neil Wilson Date: Fri, 17 May 2024 10:38:26 +0100 Subject: [PATCH] Update apparmor profile to support v4.0.0 AppArmor v4.0.0 introduced podman, runc and crun profiles for /usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This change breaks the stopping of containers, because the built-in profile assigned to containers doesn't accept signals from podman, runc and crun peers. This commit extends the default profile with rules that allow receiving signals from processes that run confined with the podman, runc or crun profiles. It is backward compatible because the peer value is a regular expression (AARE) so the referenced profile doesn't have to exist for this profile to successfully compile and load. The signal set from runc or crun remains unconstrained as the user can issue any signal via the kill sub-command of podman. Signals from podman itself are restricted to the common interrupt and termination signals. Closes #1898 [1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936 Signed-off-by: Neil Wilson --- pkg/apparmor/apparmor_linux_template.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkg/apparmor/apparmor_linux_template.go b/pkg/apparmor/apparmor_linux_template.go index b8212542d..48707521f 100644 --- a/pkg/apparmor/apparmor_linux_template.go +++ b/pkg/apparmor/apparmor_linux_template.go @@ -21,6 +21,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) { # Allow signals from privileged profiles and from within the same profile signal (receive) peer=unconfined, signal (send,receive) peer={{.Name}}, + # Allow certain signals from OCI runtimes (podman, runc and crun) + signal (receive) peer={/usr/bin/,/usr/sbin/,}runc, + signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*, + signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman, {{end}} deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)