From 90e98b6b56c5ceb5ee40fa6bf15c2f1fc7dfb609 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sun, 6 Aug 2023 16:50:49 +0200
Subject: [PATCH] containerd and KDE updates
Signed-off-by: Jeroen Rijken
---
 apparmor.d/groups/kde/ksmserver | 1 +
 apparmor.d/groups/virt/containerd | 3 ++-
 apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 3e0866551..1c110db61 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -20,6 +20,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 signal (send) set=(usr1,term) peer=kscreenlocker-greet,
+ signal (connect, send, receive, accept) peer=(addr=@/tmp/.ICE-unix/[0-9]*),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index e83afcbf2..f4b4929bd 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -42,7 +42,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 umount @{run}/netns/cni-@{uuid},
 signal (receive) set=term peer={dockerd,k3s},
- signal (send) set=kill peer=cni-calico,
+ signal (send) set=kill peer={containerd-shim-runc-v2,cni-calico},
 @{exec_path} mr,
@@ -91,6 +91,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 /tmp/cri-containerd.apparmor.d[0-9]* rwl,
 /tmp/ctd-volume[0-9]*/{,**} rw,
+ @{sys}/fs/cgroup/kubepods/** r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 @{sys}/kernel/security/apparmor/profiles r,
 @{sys}/module/apparmor/parameters/enabled r,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index c9f3ce12d..dd5fb2636 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
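Review bot: The added ksmserver rule uses the `signal` keyword with unix-socket accesses (`connect`, `accept`) and a `peer=(addr=…)` qualifier, neither of which the signal rule grammar accepts (signal rules take `send`/`receive` and a profile-name `peer=`), so apparmor_parser should reject this line as a syntax error. The shape of the rule matches a unix-socket rule, so the intended line is most likely `unix (connect, send, receive, accept) peer=(addr=@/tmp/.ICE-unix/[0-9]*),`. Whether ksmserver additionally needs `bind`/`listen` for its own ICE listener cannot be told from this hunk and should be checked against audit logs. The profile body continues outside the hunk.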
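Review bot: In the second containerd hunk, `@{sys}/fs/cgroup/kubepods/** r,` covers everything below the kubepods tree but not the `kubepods/` directory itself, so a directory listing of it would still be denied; the `/tmp/ctd-volume[0-9]*/{,**}` line just above uses the project's idiom for exactly that case, so the consistent form is `@{sys}/fs/cgroup/kubepods/{,**} r,`. The path also assumes the cgroup v2 unified layout where kubepods sits directly under `@{sys}/fs/cgroup`; on a cgroup v1 host the tree lives under each controller directory and this rule would not match it — worth confirming which layouts the profile is meant to support. Keeping the rule read-only looks right as long as cgroup writes are left to the runtime shim rather than containerd, which this hunk alone cannot confirm. The profile body continues outside the hunk.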
@@ -23,6 +23,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, signal (send) set=kill peer=cri-containerd.apparmor.d, + signal (receive) set=kill peer=containerd, mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,