Skip to content

fix: Relax cri-containerd AppArmor restrictions to permit network and signal syscalls#5239

Merged
ktsakalozos merged 3 commits intocanonical:masterfrom
jadams:master
Oct 10, 2025
Merged

fix: Relax cri-containerd AppArmor restrictions to permit network and signal syscalls#5239
ktsakalozos merged 3 commits intocanonical:masterfrom
jadams:master

Conversation

@jadams
Copy link
Contributor

@jadams jadams commented Sep 18, 2025
edited
Loading

Summary

Add network raw to apparmor profile for metallb
Closes #5238

Changes

Add network raw to apparmor profile

Testing

Makes metallb work

Possible Regressions

Possibly security risk

Checklist

  • Read the contributions page.
  • Submitted the CLA form, if you are a first time contributor.
  • The introduced changes are covered by unit and/or integration tests.

Notes

Fixes broken metallb on v1.34.1

@ryanbutterfield
Copy link

ryanbutterfield commented Oct 10, 2025
edited
Loading

This will also fix v1.32.9 which is broken as well (v1.32.8 works).

@HomayoonAlimohammadi
fix: Add network to containerd Apparmor profile
f8a3bbd 
Signed-off-by: Homayoon Alimohammadi <homayoonalimohammadi@gmail.com>
@HomayoonAlimohammadi
fix: Add signal send and receive to containerd Apparmor profile
960fd90 
Signed-off-by: Homayoon Alimohammadi <homayoonalimohammadi@gmail.com>
@HomayoonAlimohammadi
Copy link
Contributor

HomayoonAlimohammadi commented Oct 10, 2025

Hey @jadams and thank you so much for raising this PR to fix the issue. We've discussed this in the team internally and I've pushed two more commits to this PR in order to get rid of some other dmesg DENIED lines as well.
CC @ktsakalozos @bschimke95 @berkayoz @rapour

@HomayoonAlimohammadi HomayoonAlimohammadi changed the title Add: network raw for metallb fix: Relax cri-containerd AppArmor restrictions to permit network and signal syscalls Oct 10, 2025
@HomayoonAlimohammadi HomayoonAlimohammadi mentioned this pull request Oct 10, 2025
Closed
rapour
rapour approved these changes Oct 10, 2025
View reviewed changes
Copy link
Contributor

@rapour rapour left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ktsakalozos ktsakalozos merged commit 55ed679 into canonical:master Oct 10, 2025
23 checks passed
This was referenced Oct 10, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@rapour rapour rapour approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Metallb denied by apparmor on v1.34.1

5 participants

@jadams @ryanbutterfield @HomayoonAlimohammadi @rapour @ktsakalozos