From 79321a462b6ace6868caca2fb6b15f5b3c3fccfe Mon Sep 17 00:00:00 2001
From: "Terence D. Honles"
Date: Mon, 4 Nov 2024 16:33:14 +0100
Subject: [PATCH] update apparmor profile to allow podman to send any signal

This change updates the default apparmor profile to allow podman to send any signal rather than the allow listed "SIGINT", "SIGQUIT", "SIGKILL", and "SIGTERM". This fixes podman with signal proxying turned on (``--sig-proxy``) not being able to forward signals from the terminal such as "SIGWINCH" when attached to a TTY.

Signed-off-by: Terence D. Honles
---
 pkg/apparmor/apparmor_linux_template.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/apparmor/apparmor_linux_template.go b/pkg/apparmor/apparmor_linux_template.go
index 48707521f..8f2baa72e 100644
--- a/pkg/apparmor/apparmor_linux_template.go
+++ b/pkg/apparmor/apparmor_linux_template.go
@@ -24,7 +24,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
 # Allow certain signals from OCI runtimes (podman, runc and crun)
 signal (receive) peer={/usr/bin/,/usr/sbin/,}runc,
 signal (receive) peer={/usr/bin/,/usr/sbin/,}crun*,
- signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman,
+ signal (receive) peer={/usr/bin/,/usr/sbin/,}podman,
 {{end}}
 deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
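Review bot: The comment on the hunk's first context line, `# Allow certain signals from OCI runtimes (podman, runc and crun)`, is now inaccurate: after this change none of the three rules carries a `set=`, so every signal is permitted from all three peers, and the comment should say so and record why, e.g. `# Allow any signal from OCI runtimes (podman, runc and crun); podman needs the full set so --sig-proxy can forward e.g. SIGWINCH`. Security-wise the widening is bounded: the rule is `receive` only and the peer is still restricted by AppArmor label to `{/usr/bin/,/usr/sbin/,}podman`, so it merely brings podman in line with the already-unrestricted runc and crun rules above it and gives the confined container no new ability to signal anything. Worth noting, in the commit message or the comment, that this peer match depends on podman running under a profile whose name is one of those paths; a podman binary installed elsewhere or confined under a differently named profile would not match, which is unchanged from before but is the first thing to check when `--sig-proxy` still fails. The surrounding template block starts before the hunk: the `{{end}}` closes an `{{if …}}` that is not visible here.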