Comment # 24 on bug 1221840 from Stefano Brivio
(In reply to Christian Boltz from comment #23)
> (In reply to Stefano Brivio from comment #22)
> > By the way, pasta(1) doesn't ptrace() anything and isn't ptrace()d by
> > anybody, it just needs to open namespace entries in procfs.
> 
> Namespaces can be interesting[tm], and IIRC you don't need to do explicit
> ptrace() calls to trigger ptrace events. (I'll need to ask someone who does
> the kernel-side work if you are interested in the details.)

Ah, don't worry, it actually makes sense, and it turns out I didn't hit this on
Debian simply because I didn't check that AppArmor profile together with
Buildah.

> That said - the only ptrace event in your audit.log is:
> 
> type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED
> operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read
> denied_mask=read peer="unconfined"
> 
> which translates to
> 
>     ptrace read peer=unconfined,
> 
> If passt also needs to open namespace entries of confined processes, remove
> the "peer=unconfined" part.

Thanks, added read ('r' for consistency with the rest of the file), but I
didn't specify anything about the peer, because we don't actually know.

Posting patchset upstream in a bit.
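The translation Christian describes above (an AppArmor AVC denial line into the `ptrace` rule that would permit it), as an added Python example that is not part of the bug thread. The audit line is the one quoted above reflowed onto a single line; the function names and the `restrict_peer` switch are my own and show both the literal peer-scoped rule and the peer-less form the thread settles on.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, reflowed onto one line.
AVC_LINE = (
    'type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED '
    'operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read '
    'denied_mask=read peer="unconfined"'
)

# key=value pairs; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Long mask names as printed in the log -> short permission letters used in
# profiles ('r' is what the thread picks for consistency with the profile).
MASK_TO_PERM = {"read": "r", "trace": "w", "readby": "readby", "tracedby": "tracedby"}


def parse_avc(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def ptrace_rule(fields, restrict_peer=True):
    """Build the profile rule that would allow the denied ptrace access.

    restrict_peer=True scopes the rule to the peer label seen in the log
    (what the denial literally shows); False omits the peer, which is what
    the thread ends up with because the peer label is not known in general.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "ptrace":
        raise ValueError("not an AppArmor ptrace denial")
    perms = [MASK_TO_PERM.get(p, p) for p in fields["denied_mask"].split()]
    rule = "ptrace " + " ".join(perms)
    if restrict_peer and "peer" in fields:
        rule += f" peer={fields['peer']}"
    return rule + ","


if __name__ == "__main__":
    f = parse_avc(AVC_LINE)
    print(f"profile={f['profile']} comm={f['comm']}")
    print(ptrace_rule(f))                      # peer-scoped form
    print(ptrace_rule(f, restrict_peer=False))  # peer-less form
```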
