# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /opt/cni/bin/calico
profile cni-calico @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  @{exec_path} mr,
  @{exec_path}-ipam rix,
  
  /etc/cni/net.d/{,**}  r,
  
  /var/lib/calico/{,**} r,
  /var/log/calico/cni/ r,
  /var/log/calico/cni/cni.log rw,
  
  @{run}/calico/ rw,
  @{run}/calico/ipam.lock rwk,
  @{run}/netns/cni-@{uuid} r,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  include if exists <local/cni-calico>
}