From c03c6244723f5919118b11b68acbd5af4dcd6750 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Tue, 19 Jul 2022 17:14:32 +0200
Subject: [PATCH] Allow signals from containerd to calico

---
 apparmor.d/groups/virt/cni-calico | 2 ++
 apparmor.d/groups/virt/containerd | 1 +
 2 files changed, 3 insertions(+)

diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 7e5b0b73..a79fe660 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -19,6 +19,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
+  signal (receive) set=kill peer=containerd,
+
   @{exec_path} mr,
   @{exec_path}-ipam rix,
 
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 99b9f738..79806613 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -37,6 +37,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
   umount @{run}/netns/cni-@{uuid},
 
   signal (receive) set=term peer=dockerd,
+  signal (send) set=kill peer=cni-calico,
 
   @{exec_path} mr,
   /{usr/,}{s,}bin/apparmor_parser rPx,
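Review bot: The new `signal (receive) set=kill peer=containerd,` rule in cni-calico, and its counterpart `signal (send) set=kill peer=cni-calico,` in the containerd hunk, grant only SIGKILL without saying why, so a one-line comment above the cni-calico rule such as `# containerd kills CNI plugin invocations that overrun (TODO confirm the trigger)` would let the next maintainer judge whether the grant is still needed. Restricting both sides to a single signal and a named peer is the least-privilege shape and should be kept; if containerd turns out to also deliver SIGTERM before SIGKILL (not shown here), that send would still be denied and appear in the audit log as a signal denial between these two labels, and only then would widening to `set=(term kill)` on both profiles be justified. Both enclosing profiles begin and end outside the hunks.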