diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 95ae9b073..cf653b4d9 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -10,6 +10,9 @@ include
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
 include
+ capability sys_admin,
+ capability net_admin,
+
 network inet dgram,
 network inet6 dgram,
 network inet stream,
@@ -18,6 +21,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{exec_path}-ipam rix,
+
+ / r,
 /etc/cni/net.d/{,**} r,
@@ -29,6 +34,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 @{run}/calico/ipam.lock rwk,
 @{run}/netns/cni-@{uuid} r,
+ /proc/sys/net/ipv4/ip_forward rw,
+
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 include if exists
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index 8567a2769..5e432a946 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -10,6 +10,9 @@ include
 profile cni-loopback @{exec_path} flags=(attach_disconnected) {
 include
+ capability sys_admin,
+ capability net_admin,
+
 network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 0de0b7b33..83101f904 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -18,6 +18,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability dac_override,
 capability fsetid,
+ capability fowner,
 capability net_admin,
 capability sys_admin,
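Review bot: The added `capability sys_admin,` in cni-calico is the widest capability AppArmor can grant, and nothing in the hunk records which operation needs it, so a later reviewer cannot tell whether a narrower rule would do. A short comment above the pair, e.g. `# sys_admin: presumably needed to enter the container network namespace (setns) -- confirm`, would anchor that decision; the `@{run}/netns/cni-@{uuid} r,` rule later in the same profile is what suggests this reading. The same two capabilities are added without comment to cni-loopback in the hunk below, which would take the same note.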
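Review bot: The new `/ r,` rule is unexplained; it matches only the root directory itself (no `**`), so it is a directory listing rather than a broad file read, but the profile gives no hint which code path walks `/`. A comment such as `# / r: <what reads the root directory> -- confirm` next to the rule would stop it from being widened to `/** r,` by mistake later.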
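Review bot: The new `/proc/sys/net/ipv4/ip_forward rw,` uses a literal `/proc` while the neighbouring rules in this hunk use the `@{run}` and `@{sys}` tunables; the consistent form is `@{PROC}/sys/net/ipv4/ip_forward rw,`. The `w` half also deserves a one-line comment saying which value the plugin writes and in which network namespace it expects to be when it does so, since `/proc/sys/net` is per-netns and this rule reads the same whether the write lands in the container's or the host's namespace.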
@@ -58,8 +59,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 /opt/containerd/{,**} rw,
+ /var/lib/cni/{,**/} w,
 /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
 /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl,
+ /var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0
 /var/lib/containerd/{,**} rwk,
 /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
 /var/lib/docker/containerd/{,**} rwk,
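Review bot: The added rule `/var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0` has no permission mode and no terminating comma, unlike the two `cni-loopback-…-lo wl,` rules directly above it; if that is really what the commit contains rather than text lost when the diff was captured, apparmor_parser will reject the containerd profile, so it should read `/var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0 wl,` to match its neighbours. The other addition, `/var/lib/cni/{,**/} w,`, grants write on every directory under /var/lib/cni and could use a comment naming which directories containerd creates there. The hunk header counts ten new-side lines against the eight visible here, presumably blank lines dropped in rendering, so the hunk may extend slightly beyond this excerpt.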