diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index fbbb304a..0f1e060e 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -24,6 +24,7 @@ profile cni-calico @{exec_path} {
 /var/log/calico/cni/ r,
 /var/log/calico/cni/cni.log rw,
+ @{run}/calico/ rw,
 @{run}/calico/ipam.lock rwk,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index db5899a6..cb470771 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -98,5 +98,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 /dev/snd/by-path/ r,
 /dev/vfio/ r,
+ deny / r,
+ include if exists
 }
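Review bot: The added `deny / r,` in the containerd hunk has no comment explaining it, and an explicit deny is not equivalent to leaving the access unlisted. In AppArmor a deny rule takes precedence over any allow rule, so a site-local rule pulled in by the `include if exists` line that follows cannot re-grant the read, and accesses matched by a plain deny are not logged. If the intent is only to quiet log noise from containerd listing the root directory (an assumption, the hunk does not say), record that with a comment such as `# Silence reads of the root directory; containerd works without it`. If operators should still see these attempts, write the rule as `audit deny / r,` instead. The rule matches only the directory `/` itself, and the profile body starts outside the hunk.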