# AppArmor profile for containerd
# Starts in complain mode so that rule violations are logged but not blocked

#include <tunables/global>

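profile containerd /usr/bin/containerd flags=(complain) {
  #include <abstractions/base>

  # Binary and shared libraries
  /usr/bin/containerd                   mr,
  /usr/lib/**                           mr,
  /lib/**                               mr,

  # Containerd runtime state. This rule already covers the snapshotter trees
  # (e.g. io.containerd.snapshotter.v1.overlayfs) under /var/lib/containerd,
  # so no separate snapshotter rule is needed. 'k' adds file locking, which the
  # on-disk metadata store presumably takes -- confirm from complain-mode logs.
  /var/lib/containerd/**                rwk,
  /run/containerd/**                    rw,

  # CNI networking
  /etc/cni/**                           r,
  /opt/cni/bin/**                       ix,

  # Proc and sys access for containers
  @{PROC}/**                            r,
  /sys/**                               r,

  # The shim and runc inherit this profile (see the 'ix' rules below), so the
  # cgroup files they write during container setup must be writable here.
  /sys/fs/cgroup/**                     rw,

  # Device access for containers
  /dev/**                               rw,

  # Network access. A bare rule permits every address family and protocol;
  # narrow it to the families seen in complain-mode logs before enforcing
  # (e.g. 'network unix,' 'network inet stream,').
  network,

  # A bare 'capability' rule grants every capability. Replace it with the
  # explicit set observed in complain-mode logs (e.g. 'capability sys_admin,')
  # before switching this profile to enforce mode.
  capability,

  # Allow executing container runtimes. 'ix' runs the shim and runc under this
  # same profile rather than a dedicated one, so everything runc does while
  # creating a container must also be permitted below.
  /usr/bin/containerd-shim-runc-v2      ix,
  /usr/bin/runc                         ix,
  /usr/sbin/runc                        ix,

  # runc sets up the container rootfs with mount(2), umount(2) and
  # pivot_root(2); without these rules that setup is denied once the profile
  # is enforced. Bare rules are unrestricted -- narrow them from the logs.
  mount,
  umount,
  pivot_root,

  # runc switches the container's init process to the container's own AppArmor
  # profile via aa_change_onexec(), which the kernel only permits when the
  # calling profile has a matching change_profile rule. The bare form allows
  # any target; restrict it to the container profile name(s) in use
  # ('change_profile -> NAME,') before enforcing.
  change_profile,

  # Temp files
  /tmp/**                               rw,

  # Log files
  /var/log/**                           rw,

  # Signal handling and tracing of child processes. Both rules are bare, so
  # they allow all signals and all ptrace operations against any peer; add
  # 'peer=' qualifiers once the log shows which peers are actually involved.
  signal,
  ptrace,
}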
