This change updates the default apparmor profile to allow podman to send
any signal rather than the allow-listed "SIGINT", "SIGQUIT", "SIGKILL",
and "SIGTERM". This fixes podman with signal proxying turned on
(``--sig-proxy``) not being able to forward signals from the terminal
such as "SIGWINCH" when attached to a TTY.
Signed-off-by: Terence D. Honles <terence@honles.com>
AppArmor v4.0.0 introduced podman, runc and crun profiles for
/usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively [1]. This
change breaks the stopping of containers, because the built-in profile
assigned to containers doesn't accept signals from podman, runc and
crun peers.
This commit extends the default profile with rules that allow receiving
signals from processes that run confined with the podman, runc or crun
profiles. It is backward compatible because the peer value is a regular
expression (AARE) so the referenced profile doesn't have to exist for
this profile to successfully compile and load.
The signal set from runc or crun remains unconstrained as the user can
issue any signal via the kill sub-command of podman.
Signals from podman itself are restricted to the common interrupt and
termination signals.
Closes #1898
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
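The two commit messages above describe the same set of AppArmor signal rules at two points in time: first receiving from podman restricted to the interrupt and termination signals, later any signal from podman so that ``--sig-proxy`` can forward SIGWINCH. The fragment below is an added illustration of what such rules look like in AppArmor profile syntax; it is not the project's own template, and the profile name container-default and the include are assumptions.

```apparmor
# Added example, not the podman/containers-common template.
# "container-default" is an assumed name for the profile attached to
# container processes.
profile container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # The OCI runtimes run under their own profiles (runc, crun). The
  # peer= value is an AARE, so these rules compile and load even on
  # hosts where no profile of that name exists.
  signal (receive) peer=runc,
  signal (receive) peer=crun,

  # Earlier shape: podman limited to the four allow-listed signals.
  # A forwarded SIGWINCH would be denied here.
  signal (receive) set=(int, quit, kill, term) peer=podman,

  # Later shape: any signal from podman (replaces the line above).
  # signal (receive) peer=podman,

  # Processes inside the container may signal each other.
  signal (send, receive) peer=container-default,
}
```

To check that a profile with a peer= reference to a not-yet-loaded profile still parses, run it through apparmor_parser with kernel loading skipped (``apparmor_parser -Q <file>``). A signal blocked by the restricted rule shows up in the kernel or audit log as an AppArmor DENIED entry with operation="signal", naming the signal (for example winch) and the peer profile, which is the quickest way to confirm which of the two rule shapes is in effect.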
Move pkg/sysinfo and pkg/apparmor out of libpod into containers/common.
This will allow other packages to use these libraries without requiring all of libpod.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>