# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/xtables-nft-multi
profile cni-xtables-nft flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    capability net_admin,
    capability net_raw,

    network inet dgram,
    network inet6 dgram,
    network inet raw,
    network inet6 raw,
    network inet stream,
    network inet6 stream,
    network netlink raw,

    @{exec_path} mr,
    @{bin}/xtables-legacy-multi mr,
  
    /etc/libnl/classid r,
    /etc/iptables/{,**} rw,
    /etc/nftables.conf rw,

    @{PROC}/@{pids}/net/ip_tables_names r,
}
