From 61eab33cd8d8a34902e3d8d5c0bbefa2d2036dca Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Thu, 21 Jul 2022 16:03:54 +0200
Subject: [PATCH] Add ptrace subprofile
---
 apparmor.d/groups/virt/k3s | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index d8d5180c..293e24d8 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -24,8 +24,7 @@ profile k3s @{exec_path} flags=(complain) {
 capability sys_resource,
 ptrace peer=@{profile_name},
- ptrace (read) peer=unconfined,
- ptrace (read) peer=cri-containerd.apparmor.d,
+ ptrace (read) peer={cri-containerd.apparmor.d,k3s//xtables-nft-multi,unconfined},
 network inet dgram,
 network inet6 dgram,
@@ -149,6 +148,7 @@ profile k3s @{exec_path} flags=(complain) {
 @{sys}/module/apparmor/parameters/enabled r,
 /dev/kmsg r,
+ /dev/pts/[0-9]* rw,
 profile xtables-nft-multi flags=(complain) {
 include
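Review bot: The new rule `ptrace (read) peer={cri-containerd.apparmor.d,k3s//xtables-nft-multi,unconfined},` in the first hunk adds a read-ptrace grant on the k3s//xtables-nft-multi child without saying why, and the commit message ("Add ptrace subprofile") does not explain it either; a one-line comment above the rule, e.g. `# Read-only ptrace (/proc/<pid>/ introspection) of the xtables child and the other listed peers`, would let the next reviewer judge the grant without re-deriving it from denials. The `unconfined` peer is pre-existing and is not re-raised here, but keeping it inside the same alternation makes the broad entry less visible than it was on its own line, so the comment is worth having. The child profile `xtables-nft-multi` is declared in the second hunk, which is cut off at the end of the view, so whether it needs a matching tracee-side rule on this AppArmor version cannot be confirmed from here.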