General update

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>

apparmor.d/groups/virt/containerd-shim-runc-v2

@@ -22,6 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
   ptrace (read) peer=containerd,
   ptrace (read) peer=unconfined,
 
+  signal (send) set=kill peer=cri-containerd.apparmor.d,
+
   mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
   umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
 

apparmor.d/groups/virt/k3s

@@ -28,12 +28,15 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
   ptrace peer=@{profile_name},
   ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined},
 
-  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
+  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes.
   # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
   ptrace (read) peer=container-*,
   ptrace (read) peer=docker-*,
   ptrace (read) peer=k3s-*,
   ptrace (read) peer=kubernetes-*,
+  # When using ZFS as storage provider instead of the default overlay2.
+  ptrace (read) peer=zfs,
+  ptrace (read) peer=zpool,
 
   network inet dgram,
   network inet6 dgram,