From 5b29f874ede7ba207d7a9b1347171ca6e4bf7e63 Mon Sep 17 00:00:00 2001
From: Sergey Kolekonov
Date: Tue, 11 Sep 2018 11:58:26 +0400
Subject: [PATCH] Update apparmor profiles

---
 deploy/apparmor/README.md | 2 +-
 deploy/apparmor/virtlet | 16 +++++++++++++++-
 deploy/apparmor/vms | 2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/deploy/apparmor/README.md b/deploy/apparmor/README.md
index c53d2350d..94f83d552 100644
--- a/deploy/apparmor/README.md
+++ b/deploy/apparmor/README.md
@@ -5,7 +5,7 @@ an [apparmor](https://gitlab.com/apparmor/apparmor/wikis/home) enabled environme
 * install the profiles located in this directory into the corresponding directory (/etc/apparmor.d/ if you use Debian or its derivatives)
 ```bash
-sudo install -m 0644 libvirt virtlet vms -t /etc/apparmor.d/
+sudo install -m 0644 libvirtd virtlet vms -t /etc/apparmor.d/
 ```
 * apply them by
 * restarting the apparmor service
diff --git a/deploy/apparmor/virtlet b/deploy/apparmor/virtlet
index e652a2a02..01132994e 100644
--- a/deploy/apparmor/virtlet
+++ b/deploy/apparmor/virtlet
@@ -12,15 +12,19 @@ profile virtlet flags=(attach_disconnected) {
 capability net_raw,
 capability sys_admin,
 capability sys_chroot,
+ capability sys_ptrace,
 network inet raw,
 network inet6 raw,
 / r,
+ /bin/sleep ix,
 /etc/ethertypes r,
 /etc/cni/net.d/ r,
 /etc/cni/net.d/* r,
 /etc/kubernetes/kubelet.kubeconfig r,
 /etc/kubernetes/ssl/* r,
+ /etc/virtlet/images/ r,
+ /etc/virtlet/images/** r,
 /{usr/,}bin/genisoimage rix,
 /{usr/,}bin/socat rix,
 /{usr/,}bin/ip rix,
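Review bot: `/bin/sleep ix,` departs from the `/{usr/,}bin/...` form every neighbouring exec rule uses, so on a host where /bin is a symlink into /usr/bin the mediated path is /usr/bin/sleep and the rule will not match; change it to `/{usr/,}bin/sleep rix,` so it also carries the `r` the other entries grant. The new `capability sys_ptrace,` is a large widening for a process that already holds sys_admin, and nothing in the hunk records which operation requires it; a one-line comment above it such as `# sys_ptrace: needed by <operation> — TODO confirm` would let a later reviewer judge whether it can be dropped. The profile body continues outside the hunk.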
@@ -28,10 +32,17 @@ profile virtlet flags=(attach_disconnected) {
 /{usr/,}bin/qemu-img rix,
 /{usr/,}sbin/ebtables rix,
 /{usr/,}sbin/brctl rix,
+ /opt/cni/bin/bridge rix,
 /opt/cni/bin/calico* rix,
+ /opt/cni/bin/flannel rix,
+ /opt/cni/bin/genie rix,
+ /opt/cni/bin/host-local rix,
 /usr{/local,}/bin/virtlet mrix,
 /usr{/local,}/lib/lib{virt,guest}*.so* rm,
+ /var/lib/cni/networks/* r,
 /var/lib/etcd/*.pem r,
+ /var/lib/calico/nodename r,
+ /var/lib/docker/overlay2/** r,
 /var/lib/libvirt/virtd* ixr,
 /var/lib/libvirt/*.sock rw,
 /var/lib/virtlet/** rwk,
@@ -47,10 +58,13 @@ profile virtlet flags=(attach_disconnected) {
 @{PROC}/sys/net/core/somaxconn r,
 @{PROC}/sys/net/ipv4/conf/cali*/* w,
 @{PROC}/sys/net/ipv4/neigh/cali*/* w,
+ @{PROC}/sys/net/ipv4/ip_forward w,
+ /run/flannel/* r,
 /run/libvirt/libvirt-sock rw,
 /run/virtlet.sock rw,
- /run/netns/ r,
+ /run/virtlet-diag.sock rw,
+ /run/netns/ rw,
 /run/netns/* rw,
 /sys/class/net/ r,
diff --git a/deploy/apparmor/vms b/deploy/apparmor/vms
index d3e2a99af..7893e72f5 100644
--- a/deploy/apparmor/vms
+++ b/deploy/apparmor/vms
@@ -1,6 +1,6 @@
 #include
-profile vms {
+profile vms flags=(attach_disconnected) {
 #include
 ptrace trace peer=@{profile_name},
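Review bot: `/var/lib/docker/overlay2/** r,` gives the confined virtlet process read access to the unpacked layers of every container on the node, which is far broader than the other additions in this hunk (each of those is scoped to one CNI plugin binary, the CNI IPAM state directory or a single calico file). If only a known subtree under overlay2 is read, narrow the glob to it; if the whole tree is genuinely needed, add a comment above the line naming the operation that reads it, e.g. `# overlay2: read by <operation> — TODO confirm`, so the grant is not kept after the need is gone. The profile body continues before and after the hunk.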
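Review bot: `@{PROC}/sys/net/ipv4/ip_forward w,` lets the profile write a node-wide kernel setting, and `/run/netns/ rw,` replaces the earlier read-only rule on the netns directory, yet neither line says why the widening is needed; a short comment on each, such as `# ip_forward: enabled for <component> — TODO confirm`, would keep the privilege traceable. As a style point, `/run/virtlet-diag.sock rw,` is inserted between the netns rules and would read better directly under `/run/virtlet.sock rw,`. The old and new line counts in the hunk header are larger than the visible lines, so some context lines (presumably blank ones) were lost in rendering, and the profile body continues outside the hunk.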
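Review bot: adding `flags=(attach_disconnected)` to `profile vms` makes AppArmor treat paths that are disconnected from the process's mount namespace root as if they were attached at `/`, which loosens path matching for every rule in the profile, and the change carries no note on why the VM processes now need it. A one-line comment above the profile line, e.g. `# attach_disconnected: required because <reason> — TODO confirm`, would record the motivation the same way it should be for the virtlet profile that already sets the flag. The profile body continues past the hunk.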