From af91f3fc3eb3c63aaee64364084bd0d19e9a43ae Mon Sep 17 00:00:00 2001
From: Alexander Mikhalitsyn
Date: Wed, 28 Aug 2024 11:23:07 +0200
Subject: [PATCH] lxd/apparmor: allow signals receiving

This is a workaround for AppArmor 4.0+ and new unconfined profile feature. It was found [1] that the new unconfined profile mode is not fully permissive. Some things are forbidden for no reason.

We need this change to prevent breakage of LXD when we eventually enable a new unconfined mode for lxd-support plug in snapd.

This change is absolutely safe in general and there is no reason to put it under "if" condition. [2]

[1] https://bugs.launchpad.net/apparmor/+bug/2077413
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/1310

Signed-off-by: Alexander Mikhalitsyn
---
 lxd/apparmor/instance_forkproxy.go | 3 +++
 lxd/apparmor/instance_qemu.go | 3 +++
 lxd/apparmor/network_dnsmasq.go | 3 +++
 lxd/apparmor/network_forkdns.go | 3 +++
 lxd/apparmor/pyuefivars.go | 3 +++
 lxd/apparmor/qemuimg.go | 3 +++
 lxd/apparmor/rsync.go | 3 +++
 7 files changed, 21 insertions(+)

diff --git a/lxd/apparmor/instance_forkproxy.go b/lxd/apparmor/instance_forkproxy.go
index 72bdc4b8f6fb..919a34537990 100644
--- a/lxd/apparmor/instance_forkproxy.go
+++ b/lxd/apparmor/instance_forkproxy.go
@@ -24,6 +24,9 @@ var forkproxyProfileTpl = template.Must(template.New("forkproxyProfile").Parse(`
 profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 #include
+ # Allow processes to send us signals by default
+ signal (receive),
+
 # Capabilities
 capability chown,
 capability dac_read_search,
diff --git a/lxd/apparmor/instance_qemu.go b/lxd/apparmor/instance_qemu.go
index ae7d2916c3db..1d7b9bed5073 100644
--- a/lxd/apparmor/instance_qemu.go
+++ b/lxd/apparmor/instance_qemu.go
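Review bot: The added `signal (receive),` in the forkproxy template has no `peer=` qualifier, so the profile now accepts every signal from every sender, not only from the unconfined daemon that the AppArmor 4.0 unconfined-profile mode in the commit message is about; the same hunk is repeated in instance_qemu.go, network_dnsmasq.go, network_forkdns.go, pyuefivars.go, qemuimg.go and rsync.go and the remark applies to all of them. The kernel's ordinary uid/CAP_KILL check on kill(2) still applies, so the practical widening is bounded, but it is a policy relaxation rather than the no-op the description suggests, and as far as the hunk shows this is the first signal rule in the template, which presumably turns on signal mediation for the profile as a whole (worth confirming against the full template). If the only goal is to survive the new unconfined mode, `signal (receive) peer=unconfined,` keeps the previous scope; otherwise the comment should say why unrestricted receive is acceptable, e.g. `# Allow any process (not only the unconfined daemon) to signal us; kernel uid/CAP_KILL checks still apply`. The enclosing forkproxyProfileTpl template string starts before the hunk and continues past it.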
@@ -10,6 +10,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 #include
 #include
+ # Allow processes to send us signals by default
+ signal (receive),
+
 capability dac_override,
 capability dac_read_search,
 capability ipc_lock,
diff --git a/lxd/apparmor/network_dnsmasq.go b/lxd/apparmor/network_dnsmasq.go
index 90da44c238a9..dfc64087606f 100644
--- a/lxd/apparmor/network_dnsmasq.go
+++ b/lxd/apparmor/network_dnsmasq.go
@@ -14,6 +14,9 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 #include
 #include
+ # Allow processes to send us signals by default
+ signal (receive),
+
 # Capabilities
 capability chown,
 capability net_bind_service,
diff --git a/lxd/apparmor/network_forkdns.go b/lxd/apparmor/network_forkdns.go
index 7388cf7b3d43..45e14d88329d 100644
--- a/lxd/apparmor/network_forkdns.go
+++ b/lxd/apparmor/network_forkdns.go
@@ -15,6 +15,9 @@ var forkdnsProfileTpl = template.Must(template.New("forkdnsProfile").Parse(`#inc
 profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 #include
+ # Allow processes to send us signals by default
+ signal (receive),
+
 # Network access
 network inet dgram,
 network inet6 dgram,
diff --git a/lxd/apparmor/pyuefivars.go b/lxd/apparmor/pyuefivars.go
index 957dbc43712b..1a04b14a07aa 100644
--- a/lxd/apparmor/pyuefivars.go
+++ b/lxd/apparmor/pyuefivars.go
@@ -19,6 +19,9 @@ var pythonUEFIVarsProfileTpl = template.Must(template.New("pythonUEFIVarsProfile
 profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 #include
+ # Allow processes to send us signals by default
+ signal (receive),
+
 # Python locations
 /usr/bin/python* mixr,
 /bin**/*.py r,
diff --git a/lxd/apparmor/qemuimg.go b/lxd/apparmor/qemuimg.go
index bf357ec14103..d3abc8b826d8 100644
--- a/lxd/apparmor/qemuimg.go
+++ b/lxd/apparmor/qemuimg.go
@@ -22,6 +22,9 @@ var qemuImgProfileTpl = template.Must(template.New("qemuImgProfile").Parse(`#inc
 profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 #include
+ # Allow processes to send us signals by default
+ signal (receive),
+
 capability dac_override,
 capability dac_read_search,
 capability ipc_lock,
diff --git a/lxd/apparmor/rsync.go b/lxd/apparmor/rsync.go
index 346551dfee31..2f4786ebcea1 100644
--- a/lxd/apparmor/rsync.go
+++ b/lxd/apparmor/rsync.go
@@ -19,6 +19,9 @@ var rsyncProfileTpl = template.Must(template.New("rsyncProfile").Parse(`#include
 profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 #include
+ # Allow processes to send us signals by default
+ signal (receive),
+
 capability chown,
 capability dac_override,
 capability dac_read_search,