apparmor: permit signals from unconfined programs

Otherwise if you try to kill a container process from the host directly,
you get EACCES. Also add a comment to make sure that the profile code
(which has been replicated by several projects) doesn't get out of sync.

Signed-off-by: Aleksa Sarai <asarai@suse.de>

profiles/apparmor/template.go

@@ -2,6 +2,12 @@
 
 package apparmor // import "github.com/docker/docker/profiles/apparmor"
 
+// NOTE: This profile is replicated in containerd and libpod. If you make a
+//       change to this profile, please make follow-up PRs to those projects so
+//       that these rules can be synchronised (because any issue with this
+//       profile will likely affect libpod and containerd).
+// TODO: Move this to a common project so we can maintain it in one spot.
+
 // baseTemplate defines the default apparmor profile for containers.
 const baseTemplate = `
 {{range $value := .Imports}}
@@ -18,9 +24,11 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
   file,
   umount,
 {{if ge .Version 208096}}
-{{/* Allow 'docker kill' to actually send signals to container processes. */}}
+  # Host (privileged) processes may send signals to container processes.
+  signal (receive) peer=unconfined,
+  # dockerd may send signals to container processes (for "docker kill").
   signal (receive) peer={{.DaemonProfile}},
-{{/* Allow container processes to send signals amongst themselves. */}}
+  # Container processes may send signals amongst themselves.
   signal (send,receive) peer={{.Name}},
 {{end}}