Containers can no longer receive signals from crun
The current AppArmor policy only allows the container to receive signals from unconfined peers. Because Ubuntu restricted unprivileged use of user namespaces, a dedicated profile for crun was added in apparmor 4.0.0~alpha2-0ubuntu1. As a result, crun is no longer "unconfined", so a signal it sends to the container is denied by the container's profile.
An AppArmor rule like the following is required for it to work with a confined crun:
```
signal (receive) peer={/usr/bin/,}crun,
```
This bug was originally reported in https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483, where there are more details on how to reproduce the issue.
Please open a PR to add this rule. No one in the core team knows or uses AppArmor.