https://bugzilla.suse.com/show_bug.cgi?id=1221840
https://bugzilla.suse.com/show_bug.cgi?id=1221840#c24

--- Comment #24 from Stefano Brivio <sbrivio@redhat.com> ---
(In reply to Christian Boltz from comment #23)
> (In reply to Stefano Brivio from comment #22)
> > By the way, pasta(1) doesn't ptrace() anything and isn't ptrace()d by anybody, it just needs to open namespace entries in procfs.
>
> Namespaces can be interesting[tm], and IIRC you don't need to do explicit ptrace() calls to trigger ptrace events. (I'll need to ask someone who does the kernel-side work if you are interested in the details.)
Ah, don't worry, it actually makes sense, and it turns out I didn't hit this on Debian simply because I didn't check that AppArmor profile together with Buildah.
> That said - the only ptrace event in your audit.log is:
>
> type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read denied_mask=read peer="unconfined"
>
> which translates to
>
> ptrace read peer=unconfined,
>
> If passt also needs to open namespace entries of confined processes, remove the "peer=unconfined" part.
Thanks, added read ('r' for consistency with the rest of the file), but I didn't specify anything about the peer, because we don't actually know. Posting patchset upstream in a bit.
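The step discussed in this comment, turning an AppArmor `apparmor=DENIED operation=ptrace` audit record into a profile rule, as an added Python example that is not code from the bug report, from passt, or from AppArmor. The sample audit lines are constructed (the first mirrors the denial quoted above); `parse_avc` and `suggest_ptrace_rule` are names chosen here. The helper can emit the rule with the observed `peer=` or, as done in the patch described above, with the peer left unspecified and `read` written as `r`:

```python
import re
from typing import Dict, Optional

# Constructed sample audit.log records: the first mirrors the ptrace denial
# discussed in the bug, the second is a made-up file denial used to show that
# non-ptrace records are filtered out.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED '
    'operation=ptrace profile=passt pid=8042 comm=passt.avx2 '
    'requested_mask=read denied_mask=read peer="unconfined"',
    'type=AVC msg=audit(04/02/2024 12:50:00.000:101238) : apparmor=DENIED '
    'operation=open profile=passt name="/proc/8042/ns/net" pid=8042 '
    'comm=passt.avx2 requested_mask=r denied_mask=r fsuid=1000 ouid=1000',
]

# key=value tokens; values are either double-quoted or a run of non-blanks.
# The "msg=audit(...)" token contains a space, so only its first half matches,
# which is fine because only the apparmor-specific fields are needed here.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, str]:
    """Split an audit record into a dict of its key=value fields (quotes stripped)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def suggest_ptrace_rule(fields: Dict[str, str],
                        include_peer: bool = True,
                        short_form: bool = False) -> Optional[str]:
    """Derive the AppArmor ptrace rule that would satisfy a DENIED ptrace record.

    Returns None for records that are not ptrace denials. With include_peer the
    rule is restricted to the observed peer label; without it the rule applies
    to any peer, which is what the bug's patch did because the peer was not
    known in general. short_form writes 'read' as 'r' (both are accepted
    ptrace access keywords).
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "ptrace":
        return None
    access = fields.get("denied_mask") or fields.get("requested_mask")
    if not access:
        return None
    if short_form and access == "read":
        access = "r"
    rule = f"ptrace {access}"
    peer = fields.get("peer")
    if include_peer and peer:
        rule += f" peer={peer}"
    return rule + ","


def suggest_rules_for_log(lines, **options):
    """Run the translation over a list of audit records, dropping non-ptrace ones."""
    rules = []
    for line in lines:
        rule = suggest_ptrace_rule(parse_avc(line), **options)
        if rule is not None:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LINES:
        fields = parse_avc(line)
        print(fields.get("operation"), "->", suggest_ptrace_rule(fields))
    print(suggest_rules_for_log(SAMPLE_AUDIT_LINES, include_peer=False, short_form=True))
```

Keeping `peer=` in the rule is the tighter choice when the set of peers is known; dropping it, as the comment above does, trades precision for a profile that keeps working when the namespace entries belong to confined processes too.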