Commit

Merge pull request #47830 from vvoland/v25.0-47749
[25.0 backport] apparmor: Allow confined runc to kill containers
thaJeztah committed May 15, 2024
2 parents 03ecc6f + 98ddccb commit 577ca9b
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions profiles/apparmor/template.go
@@ -25,6 +25,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
umount,
# Host (privileged) processes may send signals to container processes.
signal (receive) peer=unconfined,
# runc may send signals to container processes (for "docker stop").
signal (receive) peer=runc,
# crun may send signals to container processes (for "docker stop" when used with crun OCI runtime).
signal (receive) peer=crun,
# dockerd may send signals to container processes (for "docker kill").
signal (receive) peer={{.DaemonProfile}},
# Container processes may send signals amongst themselves.
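Review bot: the new `signal (receive) peer=runc,` and `signal (receive) peer=crun,` rules match a sender only when its AppArmor profile is literally named `runc` or `crun`; a runtime confined under any other profile name is covered by neither these rules nor the existing `peer=unconfined` rule, so `docker stop` would still be denied for it. Consider stating that naming assumption in the comment, or passing the runtime profile name through the template the way the dockerd line does with `{{.DaemonProfile}}`. Minor style point: the crun comment is much longer than its siblings; something like `# crun may send signals to container processes (for "docker stop" with the crun runtime).` would match the runc line.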
