Merge pull request #10129 from k8s-infra-cherrypick-robot/cherry-pick…

…-10123-to-release/1.7 [release/1.7] Update AppArmor template to allow confined runc to kill containers
containerd · Apr 25, 2024 · fb2d43a · fb2d43a
2 parents ae97657 + 18a2c36
commit fb2d43a
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
@@ -55,6 +55,10 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   umount,
   # Host (privileged) processes may send signals to container processes.
   signal (receive) peer=unconfined,
+  # runc may send signals to container processes.
+  signal (receive) peer=runc,
+  # crun may send signals to container processes.
+  signal (receive) peer=crun,
   # Manager may send signals to container processes.
   signal (receive) peer={{.DaemonProfile}},
   # Container processes may send signals amongst themselves.