containerd and KDE updates

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>

apparmor.d/groups/kde/ksmserver

@@ -20,6 +20,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/X-strict>
 
   signal (send) set=(usr1,term) peer=kscreenlocker-greet,
+  signal (connect, send, receive, accept) peer=(addr=@/tmp/.ICE-unix/[0-9]*),
 
   @{exec_path} mr,
 

apparmor.d/groups/virt/containerd

@@ -42,7 +42,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   umount @{run}/netns/cni-@{uuid},
 
   signal (receive) set=term peer={dockerd,k3s},
-  signal (send) set=kill peer=cni-calico,
+  signal (send) set=kill peer={containerd-shim-runc-v2,cni-calico},
 
   @{exec_path} mr,
 
@@ -91,6 +91,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
         /tmp/cri-containerd.apparmor.d[0-9]* rwl,
         /tmp/ctd-volume[0-9]*/{,**} rw,
 
+  @{sys}/fs/cgroup/kubepods/** r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
   @{sys}/kernel/security/apparmor/profiles r,
   @{sys}/module/apparmor/parameters/enabled r,

apparmor.d/groups/virt/containerd-shim-runc-v2

@@ -23,6 +23,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
   ptrace (read) peer=unconfined,
 
   signal (send) set=kill peer=cri-containerd.apparmor.d,
+  signal (receive) set=kill peer=containerd,
 
   mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
   umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,