diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft
index d562f044..e6a24a41 100644
--- a/apparmor.d/groups/virt/cni-xtables-nft
+++ b/apparmor.d/groups/virt/cni-xtables-nft
@@ -23,6 +23,7 @@ profile cni-xtables-nft {
   network netlink raw,
   @{exec_path} mr,
+  /{usr/,}{s,}bin/xtables-legacy-multi mr,
   /etc/libnl/classid r,
   /etc/iptables/{,**} rw,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index d373416c..c700d8ef 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -48,13 +48,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/unpigz rPUx,
   /{usr/,}{local/,}{s,}bin/zfs rPx,
+  / r,
+
   /opt/cni/bin/loopback rPx,
   /opt/cni/bin/portmap rPx,
   /opt/cni/bin/bandwidth rPx,
   /opt/cni/bin/calico rPx,
-  / r,
-
   /etc/cni/ rw,
   /etc/cni/{,**} r,
   /etc/cni/net.d/ rw,
@@ -70,8 +70,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
   /var/lib/docker/containerd/{,**} rwk,
   /var/lib/kubelet/seccomp/{,**} r,
+  /var/lib/security-profiles-operator/{,**} r,
+  /var/log/pods/**/[0-9]*.log{,*} w,
-  /var/lib/security-profiles-operator/{,**/*.json} r,
   @{run}/calico/ w,
   @{run}/containerd/{,**} rwk,
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index ec164180..ed7a3340 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -7,11 +7,12 @@ abi ,
 include
-@{exec_path} = /{usr/,}bin/ip
+@{exec_path} = /{usr/,}{s,}bin/ip
 profile ip @{exec_path} flags=(attach_disconnected) {
   include
   include
+  capability bpf,
   capability net_admin,
   capability sys_admin,
   capability sys_module,
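Review bot: The new `/{usr/,}{s,}bin/xtables-legacy-multi mr,` line grants only read and mmap, so if the profile's binary ever actually executes the legacy multi-call binary (a fallback exec from the nft backend) that request would still be denied, because AppArmor requires an exec permission (`ix`/`Px`) for execve. If the audit entry that motivated the rule was an `open`/`file_mmap` request, `mr` is the right and narrower scope; either way the rule has no why-comment, and one such as `# legacy backend is only mapped, not executed — confirm against the denial` would let a later reviewer tell the two cases apart. The profile body continues outside the hunk.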
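Review bot: The new `/var/lib/security-profiles-operator/{,**} r,` line in the second containerd hunk widens read access from JSON files only (the removed `{,**/*.json}` rule) to every file and directory under that tree, without recording which non-JSON path required it. If the trigger was a specific file type, narrowing the glob to that suffix, or at least documenting it with `# SPO also stores non-JSON artifacts here — confirm against the denial`, keeps the grant auditable. The neighbouring `/var/log/pods/**/[0-9]*.log{,*} w,` rule is write-only, which fits a log sink, but the trailing `{,*}` also matches rotated or compressed names, so a comment stating that is intended would stop a future tightening from breaking it. The first containerd hunk only moves `/ r,` and needs no note, and the profile body continues outside both hunks.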
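Review bot: The new `capability bpf,` line in the ip profile has no why-comment, and it raises every invocation of `ip` under this profile — including read-only queries that never touch BPF — to CAP_BPF on top of the existing `net_admin` and `sys_admin`. AppArmor cannot scope a capability to a subcommand, so the rule itself is as narrow as it can be, but naming the operation behind the denial (presumably XDP/BPF object loading via `ip link`, to be confirmed) would make the grant reviewable: `# CAP_BPF: ip link ... xdp loads BPF objects — confirm against the denial`. The `@{exec_path}` change to `/{usr/,}{s,}bin/ip` follows the `{s,}bin` convention visible in the other profiles in this diff and extends attachment to `/sbin/ip` and `/usr/sbin/ip`, which is what systems that install iproute2 under sbin need. The profile's rule body continues past the hunk.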