update apparmor profile to allow podman to send any signal
This change updates the default apparmor profile to allow podman to send
any signal rather than the allow listed "SIGINT", "SIGQUIT", "SIGKILL",
and "SIGTERM". This fixes podman with signal proxying turned on
(``--sig-proxy``) not being able to forward signals from the terminal
such as "SIGWINCH" when attached to a TTY.

Signed-off-by: Terence Honles <[email protected]>
terencehonles committed Nov 4, 2024
1 parent cf8f587 commit 50f04f6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/apparmor/apparmor_linux_template.go
Expand Up @@ -24,7 +24,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
# Allow certain signals from OCI runtimes (podman, runc and crun)
signal (receive) peer={/usr/bin/,/usr/sbin/,}runc,
signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,
signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman,
signal (receive) peer={/usr/bin/,/usr/sbin/,}podman,
{{end}}
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
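Review bot: The comment above these rules, "# Allow certain signals from OCI runtimes (podman, runc and crun)", no longer describes them once the podman rule drops set=(int, quit, kill, term): with this change all three peers can deliver any signal to the confined process. Please reword the comment to say that all signals are accepted from these runtimes, and add a short note there that podman needs this for --sig-proxy forwarding (SIGWINCH is the case named in the commit message), so a later reader does not take the missing set= for an oversight and re-add it. The rule keeps its peer={/usr/bin/,/usr/sbin/,}podman match, so the widening stays limited to signals received from that peer; if the intent was only to cover terminal-related signals, extending the set list would be the narrower alternative and is worth a sentence in the commit message on why it was not chosen.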