Comment 6 for bug 2040483

Georgia Garcia (georgiag) wrote (last edit):

According to the AppArmor policy [1], the following rule is allowed

signal (receive) peer=unconfined,

And when there was no policy for /usr/bin/crun, the signal that is now being denied would fall under this rule, because crun was unconfined.
A profile for crun was added in Bug 2035315, because applications that make use of unprivileged user namespaces must be confined by an AppArmor profile; so, to properly fix this bug, the following rule must be added:

signal (receive) peer=/usr/bin/crun,

or, better yet, because of the AppArmor upstream commit that renames the profile [2]:

signal (receive) peer={/usr/bin/,}crun,

[1] https://github.com/containers/common/blob/main/pkg/apparmor/apparmor_linux_template.go#L23C36-L23C36
[2] https://gitlab.com/apparmor/apparmor/-/blob/2594d936ada5df797bc69e78a2ef8c6e6171d454/profiles/apparmor.d/crun
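The reasoning in the comment above, as an added, stand-alone illustration (this is not code from the bug report, from containers/common or from AppArmor): a small evaluator that expands AppArmor-style brace alternation in a `peer=` pattern and checks whether a `signal` rule lets a given peer label deliver a signal. The rule lines are the ones quoted in the comment; the peer labels ("unconfined", "/usr/bin/crun" for the original profile name, "crun" after the upstream rename) are assumed to be compared by exact equality after brace expansion, which is a deliberate simplification: the real AppArmor parser also supports globbing in peer patterns and a richer `set=` syntax.

```python
"""Toy AppArmor signal-rule evaluator (illustration only, not apparmor_parser)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches lines such as:  signal (receive) set=(term, kill) peer={/usr/bin/,}crun,
_RULE_RE = re.compile(r"signal\s+\((\w+)\)(?:\s+set=\(([^)]*)\))?\s+peer=(\S+),")


def expand_braces(pattern: str) -> list[str]:
    """Expand brace alternation, e.g. "{/usr/bin/,}crun" -> ["/usr/bin/crun", "crun"].

    Simplified re-implementation for this example; nested braces are handled
    recursively, anything else (globs like ** or *) is passed through untouched.
    """
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth = 0
    for i in range(start, len(pattern)):
        if pattern[i] == "{":
            depth += 1
        elif pattern[i] == "}":
            depth -= 1
            if depth == 0:
                end = i
                break
    else:
        raise ValueError(f"unbalanced braces in {pattern!r}")
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    # Split the body on top-level commas only, so nested groups stay intact.
    alternatives, depth, current = [], 0, ""
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alternatives.append(current)
            current = ""
        else:
            current += ch
    alternatives.append(current)
    expanded: list[str] = []
    for alt in alternatives:
        expanded.extend(expand_braces(head + alt + tail))
    return expanded


@dataclass(frozen=True)
class SignalRule:
    direction: str          # "receive" or "send"
    peer: str               # peer pattern as written in the profile
    signals: frozenset[str]  # empty set means "any signal"

    @classmethod
    def parse(cls, line: str) -> "SignalRule":
        m = _RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"not a signal rule: {line!r}")
        direction, sigset, peer = m.groups()
        signals = frozenset(s.strip() for s in sigset.split(",")) if sigset else frozenset()
        return cls(direction, peer, signals)

    def matches(self, direction: str, peer_label: str, signal: str) -> bool:
        if direction != self.direction:
            return False
        if self.signals and signal not in self.signals:
            return False
        # Assumption: exact label equality after brace expansion (no globbing).
        return peer_label in expand_braces(self.peer)


def signal_allowed(rules: list[SignalRule], direction: str, peer_label: str, signal: str) -> bool:
    """AppArmor is default-deny: the signal is permitted only if some rule matches."""
    return any(r.matches(direction, peer_label, signal) for r in rules)


# Rule text constructed from the comment above.
OLD_RULES = [SignalRule.parse("signal (receive) peer=unconfined,")]
NEW_RULES = OLD_RULES + [SignalRule.parse("signal (receive) peer={/usr/bin/,}crun,")]

if __name__ == "__main__":
    for label in ("unconfined", "/usr/bin/crun", "crun"):
        print(f"{label:14s} old={signal_allowed(OLD_RULES, 'receive', label, 'term')!s:5} "
              f"new={signal_allowed(NEW_RULES, 'receive', label, 'term')}")
```

With only the original `peer=unconfined` rule, a signal from an unconfined crun is accepted, but once crun carries its own profile its label becomes `/usr/bin/crun` (or `crun` after the rename) and no rule matches, which is the denial described in the bug; the brace-expanded rule covers both labels with a single line.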