Comment 12 for bug 2039294

As a temporary workaround, put the file I have attached to /etc/apparmor.d/docker-default and load it with "apparmor_parser -Kr /etc/apparmor.d/docker-default". This will make dockerd skip loading its builtin profile and use this one instead. The only difference between the builtin one and this one is the following rule:

  # runc may send signals to container processes
  signal (receive) peer=runc,

I've opened PRs upstream:
- https://github.com/containerd/containerd/pull/10123
- https://github.com/moby/moby/pull/47749

I think I'll need to work a little bit more on them to add rules only for profiles that exist. (It works even if they don't exist though.)