From 02ad72b024937445e1186683a9427111767ad018 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sun, 10 Jul 2022 15:10:34 +0200
Subject: [PATCH] Allow containerd to (u)mount cni devices, and loopback to access them.
---
 apparmor.d/groups/virt/cni-loopback | 3 +++
 apparmor.d/groups/virt/containerd | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index 7e618fe6..da2cd4a0 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -11,6 +11,9 @@ profile cni-loopback @{exec_path} {
   include
   @{exec_path} mr,
+
+  @{run}/netns/ r,
+  @{run}/netns/cni-@{uuid} rw,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index a07de445..6c6746dd 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -26,8 +26,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   mount fstype=tmpfs options in (rw, nosuid, nodev, noexec) -> @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
   mount fstype=zfs -> /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+  mount options in (rw, bind, nosuid, nodev, noexec) -> @{run}/netns/cni-@{uuid},
   umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
+  umount @{run}/netns/cni-@{uuid},
   signal (receive) set=term peer=dockerd,
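Review bot: `@{run}/netns/cni-@{uuid} rw,` gives the loopback plugin write access to every CNI network-namespace handle under @{run}/netns, which looks broader than entering a namespace requires: setns() takes a descriptor from a read-only open, so `@{run}/netns/cni-@{uuid} r,` is probably enough. Before narrowing it, confirm against the audit denials that motivated the change that no write open was actually reported. If write really is needed, a short comment above the rule naming the operation that needs it would spare the next reader the same question. The cni-loopback profile body continues outside the hunk.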
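Review bot: The new bind-mount rule names no source, so it permits containerd to bind-mount any path onto `@{run}/netns/cni-@{uuid}`, not only the network-namespace handle it creates — an AppArmor mount rule with no source matches every source. If the audit log shows the source as the creating thread's namespace file (containerd's netns helper is believed to bind-mount `/proc/<pid>/task/<tid>/ns/net` onto the handle; verify in the denial), pin it and drop the option alternatives no denial has shown: `mount options=(bind) /proc/[0-9]*/task/[0-9]*/ns/net -> @{run}/netns/cni-@{uuid},`. The added `umount @{run}/netns/cni-@{uuid},` is consistent with that target. The containerd profile body continues outside the hunk, so whether the profile also carries the file rule containerd needs to create the empty `@{run}/netns/cni-@{uuid}` handle before mounting over it is not visible here — confirm it exists.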