diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index a79fe660..68467671 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -36,9 +36,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 @{run}/calico/ipam.lock rwk,
 @{run}/netns/cni-@{uuid} r,
- @{PROC}/sys/net/ipv4/ip_forward rw,
- @{PROC}/sys/net/ipv4/{conf,neigh}/cali[0-9a-z]*/* rw,
- @{PROC}/sys/net/ipv6/{conf,neigh}/cali[0-9a-z]*/* rw,
+ @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
+ @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 38a8f46f..fa2d75be 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -80,9 +80,7 @@ profile k3s @{exec_path} flags=(complain) {
 /var/log/pods/{,**/} rw,
 /var/log/pods/**/[0-9]*.log rw,
- owner @{HOME}/.kube/cache/discovery/{,**} rw,
- owner @{HOME}/.kube/cache/http/[0-9a-z]* rw,
- owner @{HOME}/.kube/cache/http/.diskv-temp/[0-9]* rw,
+ owner @{HOME}/.kube/** rw,
 @{run}/containerd/containerd.sock rw,
 @{run}/systemd/notify w,
@@ -109,8 +107,8 @@ profile k3s @{exec_path} flags=(complain) {
 @{PROC}/modules r,
 @{PROC}/sys/fs/pipe-max-size r,
 @{PROC}/sys/net/core/somaxconn r,
- @{PROC}/sys/net/ipv4/conf/all/* rw,
- @{PROC}/sys/net/ipv4/conf/default/* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/all/* rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
 @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
 @{PROC}/sys/net/netfilter/* rw,
 @{PROC}/sys/kernel/keys/* r,
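Review bot: In the cni-calico hunk, `@{PROC}/sys/net/ipv{4,6}/ip_forward rw,` expands to an `ipv6/ip_forward` path that the kernel does not provide; IPv6 forwarding is controlled through `/proc/sys/net/ipv6/conf/<iface>/forwarding`. The added alternative therefore grants nothing, yet reads as if global IPv6 forwarding were covered. Keep `@{PROC}/sys/net/ipv4/ip_forward rw,` and, if the plugin really has to toggle global IPv6 forwarding (not visible in this hunk), add `@{PROC}/sys/net/ipv6/conf/all/forwarding rw,` explicitly. The merged `{conf,neigh}/cali[0-9a-z]*/*` rule is equivalent to the two rules it replaces.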
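Review bot: In the first k3s hunk, `owner @{HOME}/.kube/** rw,` widens write access from three cache paths to everything under `~/.kube`, which normally includes the kubeconfig holding cluster endpoints and client credentials. The profile is still `flags=(complain)`, so nothing is enforced today, but once it is enforced this rule lets the confined process rewrite those credentials. If the goal was only to stop enumerating cache layouts, `owner @{HOME}/.kube/cache/** rw,` covers that. If read access to the kubeconfig was the missing piece (an assumption, the motivating denial is not shown), add `owner @{HOME}/.kube/config r,` separately. A one-line comment above the rule naming which k3s subcommand needs it would help the next reviewer.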
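Review bot: In the second k3s hunk, the trailing `*` in `@{PROC}/sys/net/ipv{4,6}/conf/all/* rw,` and the matching `conf/default` rule now gives write access to every IPv6 interface knob as well, including `accept_ra`, `accept_redirects` and `disable_ipv6`. If k3s only needs to switch forwarding on (presumed, the triggering denials are not part of this commit), `@{PROC}/sys/net/ipv{4,6}/conf/{all,default}/forwarding rw,` would be the least-privilege form. The remaining knobs can then be added individually from logged denials while the profile is in complain mode. The IPv4 wildcard predates this commit, so the same narrowing applies to it.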