The current AppArmor policy allows receiving signals from unconfined peers.
Due to a change in Ubuntu to restrict unprivileged uses of user namespaces, a profile for crun was added in apparmor 4.0.0~alpha2-0ubuntu1.
That means that when the container tries to receive a signal from crun, it is no longer allowed because crun is not "unconfined" anymore.
An AppArmor rule like the following is required for it to work with a confined crun:
signal (receive) peer={/usr/bin/,}crun,
This bug was originally reported in https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2040483
There are more details there on how to reproduce the issue.
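To check whether a host is hitting this denial, the kernel audit lines can be filtered for denied signal receives and grouped by the sending peer's label. The following is an added example, not part of the original report or of any project's code; the log lines, the profile name `containers-default-0.0.0` and all function names are constructed, and the field layout is assumed to follow the usual AppArmor `apparmor="DENIED"` key=value audit format.

```python
import re
from collections import Counter

# Constructed sample audit lines (profile name, PIDs and timestamps are made up).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:210): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.0.0" pid=4321 comm="crun" requested_mask="receive" denied_mask="receive" signal=term peer="crun"
audit: type=1400 audit(1700000000.202:211): apparmor="DENIED" operation="open" class="file" profile="containers-default-0.0.0" name="/proc/kcore" pid=4400 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.303:212): apparmor="ALLOWED" operation="signal" class="signal" profile="containers-default-0.0.0" pid=4322 comm="sh" requested_mask="receive" denied_mask="receive" signal=kill peer="unconfined"
audit: type=1400 audit(1700000000.404:213): apparmor="DENIED" operation="signal" class="signal" profile="containers-default-0.0.0" pid=4321 comm="crun" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Peer labels matched by the rule quoted in the report: peer={/usr/bin/,}crun
PAGE_RULE_PEERS = {"crun", "/usr/bin/crun"}


def parse(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def denied_signal_receives(log):
    """Count denied signal receives per (confined profile, sending peer label)."""
    hits = Counter()
    for line in log.splitlines():
        f = parse(line)
        if (f.get("apparmor") == "DENIED"
                and f.get("operation") == "signal"
                and "receive" in f.get("denied_mask", "").split()):
            hits[(f.get("profile", "?"), f.get("peer", "?"))] += 1
    return hits


def covered_by_page_rule(peer):
    """True if the peer label is one the rule from the report would allow."""
    return peer in PAGE_RULE_PEERS


if __name__ == "__main__":
    for (profile, peer), n in sorted(denied_signal_receives(SAMPLE_LOG).items()):
        note = "covered by the proposed rule" if covered_by_page_rule(peer) else "needs its own rule"
        print(f"{n}x profile={profile} peer={peer}: {note}")
```

On a real host the same functions can be fed the output of `journalctl -k` or `dmesg` instead of `SAMPLE_LOG`.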