Public bug reported:

When sending a signal other than ``SIG{INT,QUIT,KILL,TERM}`` the default
AppArmor policy denies sending the signal.

Rather than allow-listing specific signals, I am proposing removing the
signal set in ``signal (receive) set=(int, quit, kill, term)
peer={/usr/bin/,/usr/sbin/,}podman,``. This allows sending a signal via
systemd such as ``ExecReload=/usr/bin/podman kill -sHUP
--cidfile=%t/%N.cid``.

I have proposed this change in the upstream repository
https://github.com/containers/common/pull/2228, but there is not
sufficient AppArmor experience to verify the change request, and the
local patch will also need to be updated to match the change.

I agree with the maintainers that the current ``runc`` permissions
appear like they should cover this, but it seems like AppArmor is
actually using the ``podman`` rules (possibly because that's the
top-level executable?).

$ lsb_release -rd
No LSB modules are available.
Description:    Ubuntu 24.04.1 LTS
Release:        24.04

$ apt-cache policy podman
podman:
  Installed: 4.9.3+ds1-1ubuntu0.2
  Candidate: 4.9.3+ds1-1ubuntu0.2
  Version table:
 *** 4.9.3+ds1-1ubuntu0.2 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages
        100 /var/lib/dpkg/status
     4.9.3+ds1-1ubuntu0.1 500
        500 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages
     4.9.3+ds1-1build2 500
        500 http://eu-central-1.ec2.archive.ubuntu.com/ubuntu noble/universe amd64 Packages

what happened:

The HUP signal was blocked and the journal shows:

systemd[1]: Reloading example.service - Podman example service...
example[3934]: time="2024-11-26T08:21:12Z" level=error msg="unable to signal init: permission denied"
example[3926]: Error: sending signal to container e4970325aad516029110c3af31d58961c2b1bd8a051e2b41a144f211b883cec3: `/usr/bin/runc kill e4970325aad516029110c3af31d58961c2b1bd8a051e2b41a144f211b883cec3 1` failed: exit status 1
systemd[1]: example.service: Control process exited, code=exited, status=125/n/a
systemd[1]: Reload failed for example.service - Podman example service.

what is expected:

The HUP signal is sent to the container so it can gracefully reload.

** Affects: libpod (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: regression-release
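As an added illustration (not code from the bug report or from the podman/containers project), a small Python evaluator for the two AppArmor ``signal`` rules discussed above: the current rule with its ``set=`` clause and the proposed rule without it. It deliberately simplifies AppArmor semantics: the peer label is matched exactly after brace expansion, with no globbing or profile-name resolution, and an absent ``set=`` clause is treated as "every signal", which is the behaviour the proposal relies on.

```python
"""Minimal evaluator for AppArmor ``signal (receive)`` rules.

Added example, not from the bug report or the podman project.  It only
models the pieces needed to compare the two rules: the access list, the
optional ``set=`` clause and a brace-expanded ``peer=`` label.
"""
import re

# Rule as quoted in the bug report (current) and with ``set=`` dropped
# (the proposed upstream change).
CURRENT_RULE = ("signal (receive) set=(int, quit, kill, term) "
                "peer={/usr/bin/,/usr/sbin/,}podman,")
PROPOSED_RULE = "signal (receive) peer={/usr/bin/,/usr/sbin/,}podman,"

RULE_RE = re.compile(
    r"^signal\s+\((?P<access>[^)]*)\)"          # (receive) / (send, receive)
    r"(?:\s+set=(?P<set>\([^)]*\)|\w+))?"       # set=(a, b) or set=hup
    r"(?:\s+peer=(?P<peer>\S+?))?\s*,$"         # peer=label, trailing comma
)


def expand_braces(pattern):
    """Expand one level of {a,b,} alternation, e.g. {/usr/bin/,}podman."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    pre, post = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pre + alt + post))
    return out


def parse_signal_rule(rule):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a signal rule: {rule!r}")
    access = {a.strip() for a in m.group("access").split(",")}
    sigs = m.group("set")
    # No set= clause means the rule covers every signal (simplified model).
    allowed = None if sigs is None else {
        s.strip().lower() for s in sigs.strip("()").split(",")}
    peers = expand_braces(m.group("peer")) if m.group("peer") else None
    return {"access": access, "set": allowed, "peers": peers}


def receive_allowed(rule, signal, peer):
    """True if ``rule`` lets ``peer`` deliver ``signal`` to the confined task."""
    r = parse_signal_rule(rule)
    if "receive" not in r["access"]:
        return False
    if r["set"] is not None and signal.lower() not in r["set"]:
        return False
    return r["peers"] is None or peer in r["peers"]
```

Running `receive_allowed(CURRENT_RULE, "hup", "/usr/bin/podman")` reproduces the denial from the journal, while the same call against `PROPOSED_RULE` returns True.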

https://bugs.launchpad.net/bugs/2089664

Title:
  podman AppArmor policy still too restrictive



-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs