From 3e006e3c763cdfb192651dce94b0e91a6b26875c Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Tue, 19 Jul 2022 14:34:31 +0200
Subject: [PATCH] Fix for calico unable to create network namespace.

---
 apparmor.d/groups/virt/cni-calico | 4 +-
 apparmor.d/groups/virt/cni-loopback | 6 ++-
 apparmor.d/groups/virt/containerd | 75 +++++++++++++++--------------
 apparmor.d/groups/virt/k3s | 1 +
 4 files changed, 48 insertions(+), 38 deletions(-)

diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 0f1e060e..95ae9b07 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -7,13 +7,14 @@ abi ,
 include
 @{exec_path} = /opt/cni/bin/calico
-profile cni-calico @{exec_path} {
+profile cni-calico @{exec_path} flags=(attach_disconnected) {
 include
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network netlink raw,
 @{exec_path} mr,
 @{exec_path}-ipam rix,
@@ -26,6 +27,7 @@ profile cni-calico @{exec_path} {
 @{run}/calico/ rw,
 @{run}/calico/ipam.lock rwk,
+ @{run}/netns/cni-@{uuid} r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index f1e29c59..8567a276 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -10,9 +10,13 @@ include
 profile cni-loopback @{exec_path} flags=(attach_disconnected) {
 include
+ network netlink raw,
+
 @{exec_path} mr,
- @{run}/netns/ r,
+ / r,
+
+ @{run}/netns/ r,
 @{run}/netns/cni-@{uuid} rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index db5899a6..0de0b7b3 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
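Review bot: `flags=(attach_disconnected)` is added to the `profile cni-calico` line with nothing in the profile recording why, and the flag is not cosmetic: disconnected objects are treated as attached at `/`, so every path rule in the profile (including any broad ones outside this hunk) starts matching them as well. A comment above the profile line would keep a later cleanup from dropping it, e.g. `# attach_disconnected: needed when the plugin enters the pod network namespace` (I infer the reason from the commit title; adjust it if the denial was elsewhere). The added `network netlink raw,` deserves the same treatment, since as far as I know this rule is not narrowed by netlink protocol and therefore covers every netlink family the plugin could open, not only route; something like `# netlink raw: interface and route setup for the pod netns` would do. The profile body continues past both ends of the hunk.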
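Review bot: The added `/ r,` in cni-loopback has no explanatory comment, and in a profile carrying `flags=(attach_disconnected)` (on the `profile cni-loopback` line at the top of the hunk) a rule on `/` is what lets re-rooted disconnected paths be read, so it does more than allow listing the root directory. Please note the reason beside it, e.g. `# / r: disconnected paths are re-rooted at / under attach_disconnected`, or, if the line was added only to silence a logged denial, check that the denied path really was `/` and not something the profile should name explicitly. The containerd hunk at `@@ -37,37 +37,40 @@` adds the same bare `/ r,` and needs the same note. The profile body runs on past the hunk's last line.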
@@ -37,37 +37,40 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=term peer=dockerd,
- @{exec_path} mr,
- /{usr/,}{s,}bin/apparmor_parser rPx,
+ @{exec_path} mr,
+ /{usr/,}{s,}bin/apparmor_parser rPx,
 /{usr/,}bin/containerd-shim-runc-v2 rPUx,
- /{usr/,}bin/kmod rPx,
- /{usr/,}bin/unpigz rPUx,
- /{usr/,}{local/,}{s,}bin/zfs rPx,
+ /{usr/,}bin/kmod rPx,
+ /{usr/,}bin/unpigz rPUx,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
- /etc/cni/ rw,
- /etc/cni/{,**} r,
- /etc/cni/net.d/ rw,
+ / r,
+
+ /etc/cni/ rw,
+ /etc/cni/{,**} r,
+ /etc/cni/net.d/ rw,
 /etc/containerd/*.toml r,
- /opt/cni/bin/loopback rPx,
- /opt/cni/bin/portmap rPx,
+ /opt/cni/bin/loopback rPx,
+ /opt/cni/bin/portmap rPx,
 /opt/cni/bin/bandwidth rPx,
- /opt/cni/bin/calico rPx,
+ /opt/cni/bin/calico rPx,
 /opt/containerd/{,**} rw,
 /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
+ /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl,
 /var/lib/containerd/{,**} rwk,
 /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
 /var/lib/docker/containerd/{,**} rwk,
 /var/log/pods/**/[0-9]*.log w,
- @{run}/calico/ w,
- @{run}/containerd/{,**} rwk,
+ @{run}/calico/ w,
+ @{run}/containerd/{,**} rwk,
 @{run}/docker/containerd/{,**} rwk,
- @{run}/netns/ w,
- @{run}/netns/cni-@{uuid} rw,
- @{run}/systemd/notify w,
+ @{run}/netns/ w,
+ @{run}/netns/cni-@{uuid} rw,
+ @{run}/systemd/notify w,
 /tmp/cri-containerd.apparmor.d[0-9]* rwl,
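Review bot: The new `/var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl,` rule makes the `cni-loopback-@{uuid}-lo` rule right above it redundant, because in AppArmor globbing `[0-9a-f]` matches one character and `*` any run not containing `/`, so the new pattern matches every result name that starts with a hex digit, a superset of a UUID. Either drop the `@{uuid}` line, or, if the non-UUID form is a known containerd naming (presumably a container id; the hunk does not say), narrow the glob to that shape and record it, e.g. `# containerd also names loopback results by container id rather than netns uuid`. Since `wl` grants write and link on those files, a glob this wide is worth limiting rather than leaving open-ended. The k3s hunk (`@{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,`) uses the same one-hex-digit-then-anything construct; it is read-only there, but the meaning is identical and a short comment or tighter pattern would help in both places. Everything else in this hunk is re-indentation, and the profile continues on both sides of it.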
@@ -76,27 +79,27 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 @{sys}/module/apparmor/parameters/enabled r,
 @{PROC}/@{pid}/task/@{tid}/ns/net rw,
- owner @{PROC}/@{pids}/attr/current r,
- owner @{PROC}/@{pids}/uid_map r,
- owner @{PROC}/@{pids}/mountinfo r,
- @{PROC}/sys/net/core/somaxconn r,
+ owner @{PROC}/@{pids}/attr/current r,
+ owner @{PROC}/@{pids}/uid_map r,
+ owner @{PROC}/@{pids}/mountinfo r,
+ @{PROC}/sys/net/core/somaxconn r,
- /dev/bsg/ r,
- /dev/bus/ r,
- /dev/char/ r,
- /dev/cpu/ r,
- /dev/cpu/[0-9]*/ r,
- /dev/dma_heap/ r,
- /dev/dri/ r,
- /dev/dri/by-path/ r,
- /dev/hugepages/ r,
- /dev/input/ r,
- /dev/input/by-id/ r,
- /dev/input/by-path/ r,
- /dev/net/ r,
- /dev/snd/ r,
- /dev/snd/by-path/ r,
- /dev/vfio/ r,
+ /dev/bsg/ r,
+ /dev/bus/ r,
+ /dev/char/ r,
+ /dev/cpu/ r,
+ /dev/cpu/[0-9]*/ r,
+ /dev/dma_heap/ r,
+ /dev/dri/ r,
+ /dev/dri/by-path/ r,
+ /dev/hugepages/ r,
+ /dev/input/ r,
+ /dev/input/by-id/ r,
+ /dev/input/by-path/ r,
+ /dev/net/ r,
+ /dev/snd/ r,
+ /dev/snd/by-path/ r,
+ /dev/vfio/ r,
 include if exists
 }
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 4ef82b9c..8b56278a 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -131,6 +131,7 @@ profile k3s @{exec_path} flags=(complain) {
 @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
 @{sys}/devices/system/cpu/present{,/} r,
+ @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
 @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/ r,