# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
profile cni-xtables-nft {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability net_admin,
    capability net_raw,

    network inet dgram,
    network inet6 dgram,
    network inet raw,
    network inet6 raw,
    network inet stream,
    network inet6 stream,
    network netlink raw,

    @{exec_path} mr,
    /{usr/,}{s,}bin/xtables-legacy-multi mr,
  
    /etc/libnl/classid r,
    /etc/iptables/{,**} rw,
    /etc/nftables.conf rw,

    @{PROC}/@{pids}/net/ip_tables_names r,

    /dev/pts/[0-9]* rw,
}