Fix for calico unable to create network namespace.

apparmor.d/groups/virt/cni-calico

@@ -7,13 +7,14 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /opt/cni/bin/calico
-profile cni-calico @{exec_path} {
+profile cni-calico @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   network inet dgram,
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
+  network netlink raw,
 
   @{exec_path} mr,
   @{exec_path}-ipam rix,
@@ -26,6 +27,7 @@ profile cni-calico @{exec_path} {
   
   @{run}/calico/ rw,
   @{run}/calico/ipam.lock rwk,
+  @{run}/netns/cni-@{uuid} r,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 

apparmor.d/groups/virt/cni-loopback

@@ -10,8 +10,12 @@ include <tunables/global>
 profile cni-loopback @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  network netlink raw,
+
   @{exec_path} mr,
 
+  / r,
+
   @{run}/netns/ r,
   @{run}/netns/cni-@{uuid} rw,
   

apparmor.d/groups/virt/containerd

@@ -44,6 +44,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/unpigz rPUx,
   /{usr/,}{local/,}{s,}bin/zfs rPx,
 
+  / r,
+
   /etc/cni/ rw,
   /etc/cni/{,**} r,
   /etc/cni/net.d/ rw,
@@ -57,6 +59,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   /opt/containerd/{,**} rw,
 
   /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
+  /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl,
   /var/lib/containerd/{,**} rwk,
   /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
   /var/lib/docker/containerd/{,**} rwk,

apparmor.d/groups/virt/k3s

@@ -131,6 +131,7 @@ profile k3s @{exec_path} flags=(complain) {
   @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
   @{sys}/devices/system/cpu/present{,/} r,
 
+  @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
   @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]*/ r,