Update CNI path, set containerd to attach_disconnected, cleanups.

apparmor.d/groups/virt/calico

@@ -6,8 +6,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{opt/,}{cni/,}bin/calico
+@{exec_path} = /opt/cni/bin/calico
-profile calico @{exec_path} flags=(complain) {
+profile calico @{exec_path} {
   include <abstractions/base>
 
   network inet,

apparmor.d/groups/virt/cni-bandwidth

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{opt/,}{cni/,}bin/bandwidth
+@{exec_path} = /opt/cni/bin/bandwidth
 profile bandwidth @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/virt/cni-loopback

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{opt/,}{cni/,}bin/loopback
+@{exec_path} = /opt/cni/bin/loopback
 profile loopback @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/virt/cni-portmap

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{opt/,}{cni/,}bin/portmap
+@{exec_path} = /opt/cni/bin/portmap
 profile portmap @{exec_path} {
   include <abstractions/base>
 

apparmor.d/groups/virt/containerd

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/containerd
-profile containerd @{exec_path} {
+profile containerd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/ssl_certs>
   include <abstractions/nameservice-strict>