Comment 16 for bug 2040483

Neil Wilson (neil-aldur) wrote :

The debdiff I've put together for oracular updates the patch to be a bit more general and cover all the signals I've seen so far in testing (as well as dropping the other patch that has been incorporated upstream).

  # Allow certain signals from OCI runtimes (podman, runc and crun)
  signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}runc,
  signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}crun,
  signal (receive) set=(int, quit, kill, term) peer={/usr/bin/,/usr/sbin/,}podman,

Upstream have said they have no apparmor experience, so I suspect they will take a PR. See https://github.com/containers/common/issues/1898
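The rules above are derived from which signals the OCI runtimes were actually seen sending during testing. As an added example (not part of the comment or the debdiff), the following script pulls AppArmor signal denials out of audit log lines and renders them as candidate `signal` rules grouped by profile; the log lines are constructed to match the field layout AppArmor uses for `operation="signal"` events, and the profile and peer paths in them are placeholders. Collapsing `/usr/bin/` and `/usr/sbin/` peers into the `{/usr/bin/,/usr/sbin/,}` alternation shown in the comment is left to the reviewer.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the bug report). Field layout follows
# AppArmor's DENIED signal events; paths are placeholders for illustration.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.101:11): apparmor="DENIED" operation="signal" profile="/usr/bin/foo" pid=4242 comm="foo" requested_mask="receive" denied_mask="receive" signal=term peer="/usr/bin/crun"
audit: type=1400 audit(1700000000.102:12): apparmor="DENIED" operation="signal" profile="/usr/bin/foo" pid=4242 comm="foo" requested_mask="receive" denied_mask="receive" signal=kill peer="/usr/bin/crun"
audit: type=1400 audit(1700000000.103:13): apparmor="DENIED" operation="signal" profile="/usr/bin/foo" pid=4243 comm="foo" requested_mask="receive" denied_mask="receive" signal=int peer="/usr/sbin/runc"
audit: type=1400 audit(1700000000.104:14): apparmor="DENIED" operation="open" profile="/usr/bin/foo" pid=4243 comm="foo" requested_mask="r" denied_mask="r" name="/etc/shadow"
"""

# key=value pairs; values may be double-quoted (paths) or bare (signal=term).
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_signal_denials(text):
    """Return {(profile, peer, mask): {signal, ...}} for DENIED signal events only."""
    denials = defaultdict(set)
    for line in text.splitlines():
        fields = {k: (q or v) for k, v, q in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED" or fields.get("operation") != "signal":
            continue  # file/network denials are out of scope here
        key = (fields["profile"], fields["peer"], fields.get("denied_mask", "receive"))
        denials[key].add(fields["signal"])
    return dict(denials)


def suggest_rules(denials):
    """Render one AppArmor signal rule per (peer, mask), grouped by profile."""
    per_profile = defaultdict(list)
    for (profile, peer, mask), signals in sorted(denials.items()):
        sigset = ", ".join(sorted(signals))
        per_profile[profile].append(f"  signal ({mask}) set=({sigset}) peer={peer},")
    return dict(per_profile)


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_signal_denials(SAMPLE_LOG)).items():
        print(f"# candidate rules for {profile}")
        print("\n".join(rules))
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output and review the rendered rules before adding them to a profile; a rule should only be added for peers that are expected to signal the confined program.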