Containers can no longer receive signals from crun #1898
Comments
Please open a PR to add this rule. No one in the core team knows or uses AppArmor.
hswong3i added a commit to alvistack/ansible-role-cri_o that referenced this issue (Apr 20, 2024):
See containers/common#1898
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
hswong3i added a commit to alvistack/ansible-role-containers_common that referenced this issue (Apr 20, 2024):
See containers/common#1898
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
NeilW added a commit to NeilW/common that referenced this issue (May 17, 2024):
AppArmor v4.0.0 introduced podman, runc and crun profiles for /usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This change breaks the stopping of containers, because the built-in profile assigned to containers doesn't accept signals from podman, runc and crun peers.
This change extends the default profile with rules that allow receiving signals from processes that run confined with the podman, runc or crun profile. It is backward compatible because the peer value is a regular expression (AARE) so the referenced profile doesn't have to exist for this profile to successfully compile and load.
The signal set from runc or crun remains unconstrained as the user can issue any signal via the kill sub-command of podman. Signals from podman itself are restricted to the common interrupt and termination signals.
Closes containers#1898
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
NeilW added a commit to NeilW/common that referenced this issue (May 17, 2024):
AppArmor v4.0.0 introduced podman, runc and crun profiles for /usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This change breaks the stopping of containers, because the built-in profile assigned to containers doesn't accept signals from podman, runc and crun peers.
This commit extends the default profile with rules that allow receiving signals from processes that run confined with the podman, runc or crun profile. It is backward compatible because the peer value is a regular expression (AARE) so the referenced profile doesn't have to exist for this profile to successfully compile and load.
The signal set from runc or crun remains unconstrained as the user can issue any signal via the kill sub-command of podman. Signals from podman itself are restricted to the common interrupt and termination signals.
Closes containers#1898
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
NeilW added a commit to NeilW/common that referenced this issue (May 18, 2024):
AppArmor v4.0.0 introduced podman, runc and crun profiles for /usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This change breaks the stopping of containers, because the built-in profile assigned to containers doesn't accept signals from podman, runc and crun peers.
This commit extends the default profile with rules that allow receiving signals from processes that run confined with the podman, runc or crun profiles. It is backward compatible because the peer value is a regular expression (AARE) so the referenced profile doesn't have to exist for this profile to successfully compile and load.
The signal set from runc or crun remains unconstrained as the user can issue any signal via the kill sub-command of podman. Signals from podman itself are restricted to the common interrupt and termination signals.
Closes containers#1898
[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936
Signed-off-by: Neil Wilson <neil@aldur.co.uk>
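The rules the commit messages above describe, as an added example profile fragment written for this page (it is not the containers/common project's own profile template). It assumes AppArmor 4.0 attaches profiles named podman, runc and crun to the three binaries, and that the container profile is otherwise built the way containers/common builds its default profile; the profile name `container-example` and the podman signal set are assumptions.

```apparmor
# Added example, not the containers/common project's own profile.
# Assumption: AppArmor 4.0 confines /usr/bin/podman, /usr/sbin/runc and
# /usr/bin/crun under profiles named podman, runc and crun. The AARE
# alternation also matches an older, path-named profile on the same binary.
profile container-example flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>

  # Before AppArmor 4.0 this rule was sufficient: the OCI runtime ran
  # unconfined, so its label was "unconfined".
  signal (receive) peer=unconfined,

  # With crun and runc confined, their label is the profile name, so the
  # rule above no longer matches and `podman stop` cannot deliver its
  # termination signal. peer= is an AARE pattern, so these rules compile
  # and load even on hosts where the named profiles do not exist.
  # The signal set is left open for the runtimes: `podman kill -s <sig>`
  # may forward any signal through them.
  signal (receive) peer={/usr/sbin/,/usr/bin/,}runc,
  signal (receive) peer={/usr/sbin/,/usr/bin/,}crun,

  # podman itself only needs interrupt and termination signals; the set
  # below is an assumed minimum, not taken from the project.
  signal (receive) set=(int, quit, term) peer={/usr/bin/,}podman,

  # The remainder of the container profile (file, mount and capability
  # rules) is unchanged and omitted here.
}
```

After loading the fragment with `apparmor_parser -r`, a remaining denial appears in the audit log as `operation="signal"` together with the peer label, which is the quickest check that the peer names match the profile names actually loaded on the host.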
The current AppArmor policy allows receiving signals from unconfined peers.
Due to a change in Ubuntu to restrict unprivileged uses of user namespaces, a profile for crun was added in apparmor 4.0.0~alpha2-0ubuntu1
That means that when the container tries to receive a signal from crun, it is no longer allowed because crun is not "unconfined" anymore.
An AppArmor rule like the following is required for it to work with a confined crun:
This bug was originally reported in https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
There are more details there on how to reproduce the issue.