Containers can no longer receive signals from crun #1898

Open
gegarcia opened this issue Mar 11, 2024 · 1 comment · May be fixed by #2004

@gegarcia

The current AppArmor policy allows receiving signals from unconfined peers.
Due to a change in Ubuntu to restrict unprivileged uses of user namespaces, a profile for crun was added in apparmor 4.0.0~alpha2-0ubuntu1.
That means that when the container tries to receive a signal from crun, it is no longer allowed, because crun is not "unconfined" anymore.

An AppArmor rule like the following is required for it to work with a confined crun:

signal (receive) peer={/usr/bin/,}crun,

This bug was originally reported in https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483.
There are more details there on how to reproduce the issue.
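When the container's profile lacks a matching `signal (receive)` rule, the kernel logs an AppArmor audit event with `operation="signal"`, `denied_mask="receive"` and a `peer=` field naming the confined sender's profile. The script below is an added example, not code from containers/common, from the reporter, or from the linked commits: it parses such lines from a `dmesg`-style log and prints the receive rules the denied profile would need, which is the same diagnosis the issue and the later commit messages describe for podman, runc and crun. The sample log lines are constructed (the profile version, pids and timestamps are invented; the field names follow AppArmor's audit format), and the function names are my own.

```python
"""Turn AppArmor 'signal' denials from the kernel log into the receive
rules a container profile is missing.  Added example, not project code."""
import re
from collections import defaultdict

# Constructed sample lines modelled on AppArmor's audit output (not copied
# from the issue).  The profile name follows containers/common's
# containers-default-<version> pattern; the version, pids and timestamps
# are invented.  Line 4 is a profile load, line 5 a file denial: both must
# be ignored by the signal filter.
SAMPLE_LOG = """\
[ 1234.567890] audit: type=1400 audit(1710151234.123:77): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.1" pid=4242 comm="sleep" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
[ 1234.567891] audit: type=1400 audit(1710151234.124:78): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.1" pid=4242 comm="sleep" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
[ 1234.567892] audit: type=1400 audit(1710151234.125:79): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.57.1" pid=4242 comm="sleep" requested_mask="receive" denied_mask="receive" signal=int peer="/usr/bin/podman"
[ 1234.567893] audit: type=1400 audit(1710151234.126:80): apparmor="STATUS" operation="profile_load" profile="unconfined" name="containers-default-0.57.1" pid=1 comm="apparmor_parser"
[ 1234.567894] audit: type=1400 audit(1710151234.127:81): apparmor="DENIED" operation="open" class="file" profile="containers-default-0.57.1" name="/etc/shadow" pid=4243 comm="cat" requested_mask="r" denied_mask="r"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit line, or None if the line
    carries no apparmor= field at all (i.e. is not an AppArmor event)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "apparmor" not in fields:
        return None
    return fields


def signal_receive_denials(log_text):
    """Keep only DENIED signal events in which the confined profile is the
    receiver; sends, other operations and complain-mode events are dropped."""
    denials = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f is None or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") != "signal" or "receive" not in f.get("denied_mask", ""):
            continue
        denials.append(f)
    return denials


def format_rule(peer, signals):
    """Render one AppArmor rule; set= lists the observed signals alphabetically."""
    return "signal (receive) set=(%s) peer=%s," % (", ".join(sorted(signals)), peer)


def suggest_receive_rules(log_text):
    """Map each denied profile to the sorted list of rules that would allow
    exactly the (peer, signal) pairs seen in the log, nothing broader."""
    seen = defaultdict(lambda: defaultdict(set))
    for f in signal_receive_denials(log_text):
        seen[f["profile"]][f["peer"]].add(f["signal"])
    return {profile: [format_rule(peer, sigs) for peer, sigs in sorted(peers.items())]
            for profile, peers in seen.items()}


if __name__ == "__main__":
    for profile, rules in suggest_receive_rules(SAMPLE_LOG).items():
        print("# rules missing from profile %s" % profile)
        for rule in rules:
            print("  " + rule)
```

The emitted `peer=` is the exact label from the log, so it only matches a sender confined under that path-named profile; the issue's `peer={/usr/bin/,}crun` form is the AARE alternation that also matches a profile simply named `crun`. Widening `set=` to the full signal set, as the linked commit does for runc and crun, is a policy decision the script deliberately leaves to the reader.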

@rhatdan
Member

rhatdan commented Mar 11, 2024

Please open a PR to add this rule. No one in the core team knows or uses AppArmor.

hswong3i added a commit to alvistack/ansible-role-cri_o that referenced this issue Apr 20, 2024
See containers/common#1898

Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
hswong3i added a commit to alvistack/ansible-role-containers_common that referenced this issue Apr 20, 2024
See containers/common#1898

Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
NeilW added a commit to NeilW/common that referenced this issue May 17, 2024
AppArmor v4.0.0 introduced podman, runc and crun profiles for
/usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This
change breaks the stopping of containers, because the built-in profile
assigned to containers doesn't accept signals from podman, runc and
crun peers.

This change extends the default profile with rules that allow receiving
signals from processes that run confined with the podman, runc or crun
profile. It is backward compatible because the peer value is a regular
expression (AARE) so the referenced profile doesn't have to exist for
this profile to successfully compile and load.

The signal set from runc or crun remains unconstrained as the user can
issue any signal via the kill sub-command of podman.

Signals from podman itself are restricted to the common interrupt and
termination signals.

Closes containers#1898

[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936

Signed-off-by: Neil Wilson <neil@aldur.co.uk>
@NeilW NeilW linked a pull request May 17, 2024 that will close this issue
NeilW added a commit to NeilW/common that referenced this issue May 17, 2024
AppArmor v4.0.0 introduced podman, runc and crun profiles for
/usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This
change breaks the stopping of containers, because the built-in profile
assigned to containers doesn't accept signals from podman, runc and
crun peers.

This commit extends the default profile with rules that allow receiving
signals from processes that run confined with the podman, runc or crun
profile. It is backward compatible because the peer value is a regular
expression (AARE) so the referenced profile doesn't have to exist for
this profile to successfully compile and load.

The signal set from runc or crun remains unconstrained as the user can
issue any signal via the kill sub-command of podman.

Signals from podman itself are restricted to the common interrupt and
termination signals.

Closes containers#1898

[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936

Signed-off-by: Neil Wilson <neil@aldur.co.uk>
NeilW added a commit to NeilW/common that referenced this issue May 18, 2024
AppArmor v4.0.0 introduced podman, runc and crun profiles for
/usr/bin/podman, /usr/sbin/runc and /usr/bin/crun respectively[1]. This
change breaks the stopping of containers, because the built-in profile
assigned to containers doesn't accept signals from podman, runc and
crun peers.

This commit extends the default profile with rules that allow receiving
signals from processes that run confined with the podman, runc or crun
profiles. It is backward compatible because the peer value is a regular
expression (AARE) so the referenced profile doesn't have to exist for
this profile to successfully compile and load.

The signal set from runc or crun remains unconstrained as the user can
issue any signal via the kill sub-command of podman.

Signals from podman itself are restricted to the common interrupt and
termination signals.

Closes containers#1898

[1] https://gitlab.com/apparmor/apparmor/-/commit/2594d936

Signed-off-by: Neil Wilson <neil@aldur.co.uk>