I have added docker to this report, and we will need to report this to
upstream docker, it likely for the time look at distro patching docker.
Locally you should be able to add the rule you need and use
apparmor_parser -r to replace the profile until the bug is fixed. To
allow all signals you can just do
signal receive peer="/usr/sbin/runc",
or for the set currently encountered
signal receive signal=(usr1 term kill int) peer="/usr/sbin/runc",
** Also affects: docker
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2039294
Title:
apparmor docker
Status in docker:
New
Status in apparmor package in Ubuntu:
Incomplete
Bug description:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 23.10
Release: 23.10
Codename: mantic
Docker version 24.0.5, build 24.0.5-0ubuntu1
Graceful shutdown doesn't work anymore due to SIGTERM and SIGKILL (maybe all
signals?) doesn't reach the target process. Works when apparmor is uninstalled.
[17990.085295] audit: type=1400 audit(1697213244.019:981): apparmor="DENIED"
operation="signal" class="signal" profile="docker-default" pid=172626
comm="runc" requested_mask="receive" denied_mask="receive" signal=term
peer="/usr/sbin/runc"
[17992.112517] audit: type=1400 audit(1697213246.043:982): apparmor="DENIED"
operation="signal" class="signal" profile="docker-default" pid=172633
comm="runc" requested_mask="receive" denied_mask="receive" signal=kill
peer="/usr/sbin/runc"
To manage notifications about this bug go to:
https://bugs.launchpad.net/docker/+bug/2039294/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
