General update

apparmor.d/groups/virt/containerd

@@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   capability dac_override,
   capability fsetid,
   capability fowner,
+  capability mknod,
   capability net_admin,
+  capability setfcap,
   capability sys_admin,
 
   network inet dgram,

apparmor.d/groups/virt/k3s

@@ -27,7 +27,7 @@ profile k3s @{exec_path} {
   capability sys_resource,
 
   ptrace peer=@{profile_name},
-  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
+  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
 
   # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
   # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.