From c84455cca4c28e2527ed40be8ea0777778bbdb40 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Tue, 19 Jul 2022 14:48:57 +0200
Subject: [PATCH] Fixes for container network creation.
---
 apparmor.d/groups/virt/cni-calico | 7 +++++++
 apparmor.d/groups/virt/cni-loopback | 3 +++
 apparmor.d/groups/virt/containerd | 3 +++
 3 files changed, 13 insertions(+)
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 95ae9b07..cf653b4d 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -10,6 +10,9 @@ include
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
 include
+ capability sys_admin,
+ capability net_admin,
+
 network inet dgram,
 network inet6 dgram,
 network inet stream,
@@ -18,6 +21,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{exec_path}-ipam rix,
+
+ / r,
 /etc/cni/net.d/{,**} r,
@@ -29,6 +34,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 @{run}/calico/ipam.lock rwk,
 @{run}/netns/cni-@{uuid} r,
+ /proc/sys/net/ipv4/ip_forward rw,
+
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 include if exists
diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback
index 8567a276..5e432a94 100644
--- a/apparmor.d/groups/virt/cni-loopback
+++ b/apparmor.d/groups/virt/cni-loopback
@@ -10,6 +10,9 @@ include
 profile cni-loopback @{exec_path} flags=(attach_disconnected) {
 include
+ capability sys_admin,
+ capability net_admin,
+
 network netlink raw,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 0de0b7b3..83101f90 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -18,6 +18,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability dac_override,
 capability fsetid,
+ capability fowner,
 capability net_admin,
 capability sys_admin,
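Review bot: The two new `capability` rules in the first cni-calico hunk, and the identical pair in the cni-loopback hunk below, carry no comment recording which operation was denied, and `sys_admin` is the broadest capability AppArmor can grant, so a later maintainer cannot judge whether a narrower rule would do. Suggest a why-comment above each, e.g. `# sys_admin: entering the pod network namespace (setns) — confirm against the audit log`, since `net_admin` already covers interface, address and route configuration and may be all the loopback plugin needs if its denial was only for link setup. The containerd profile in this same patch lists `net_admin` before `sys_admin`; using that order here would keep the three profiles consistent. The cni-calico profile body continues past this hunk.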
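Review bot: In the third cni-calico hunk, `/proc/sys/net/ipv4/ip_forward rw,` uses a literal `/proc` while the neighbouring rules use the `@{run}` and `@{sys}` tunables; the matching form in this repository is `@{PROC}/sys/net/ipv4/ip_forward rw,`. Write access to that path lets the plugin change a host-wide sysctl, which is expected for Calico but deserves a one-line comment such as `# calico enables IP forwarding on the host` so the rule is not mistaken for an over-grant on the next audit. The profile body continues past the hunk.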
@@ -58,8 +59,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 /opt/containerd/{,**} rw,
+ /var/lib/cni/{,**/} w,
 /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
 /var/lib/cni/results/cni-loopback-[0-9a-f]*-lo wl,
+ /var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0 /var/lib/containerd/{,**} rwk,
 /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/** l,
 /var/lib/docker/containerd/{,**} rwk,
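Review bot: The added `/var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0` rule, as it appears here, has no permission set and no terminating comma of its own before the following `/var/lib/containerd/{,**} rwk,` rule; unless that tail was lost when the patch was flattened, `apparmor_parser` will reject the profile, and the line should read `/var/lib/cni/results/k8s-pod-network-[0-9a-f]*-eth0 wl,` to match the two cni-loopback result rules above it. The new `/var/lib/cni/{,**/} w,` rule grants directory creation under the whole of `/var/lib/cni`; if only the results directory needs creating, a narrower glob such as `/var/lib/cni/{,results/} w,` keeps the grant minimal. The containerd profile body starts and ends outside this hunk.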