Comment # 17 on bug 1221840 from Stefano Brivio
(In reply to Danish Prakash from comment #16)
> Created attachment 873985
> apparmor profile fix for pasta

Thanks for the patch! A couple of comments:

> The following patch should do the job. For starters, the permission denied
> error was coming from `ptrace` invocation being denied by apparmor.

I'm still confused as to why AppArmor doesn't seem to deny this on Debian, but
I might simply have tested a slightly older combination of kernel and AppArmor
components than what you're using on openSUSE Tumbleweed.

Anyway, we need the CAP_SYS_PTRACE capability (within our detached user
namespace) to open /proc/<pid>/ns/net (see also passt commit 594dce66d3bb), so
I guess this is reasonable. The comment should refer to pasta_open_ns() for
this -- that's the function which needs it.

> Secondly, there are denials in accessing `/proc/<pid>/ns/` which, if added
> to abstractions/pasta, results in pasta(buildah bud in extension) running as
> expected with no issues.

Same for this one, I'm not sure why I can't reproduce this with Debian. But
anyway, this seems to fit with the usage we need in pasta_netns_quit_init()
(the comment should also be updated accordingly).


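As an added example for readers following this thread (it is not the attachment from this bug and not pasta's own code), the script below parses AppArmor audit lines of the two kinds discussed above, a denied `capable` check for `sys_ptrace` and denied opens under `/proc/<pid>/ns/`, and derives the profile rules an abstraction would need, with the comment naming the function that needs each rule. The log lines, pids and timestamps are constructed in the kernel's audit message format; the `REASONS` mapping only restates what this comment says about pasta_open_ns() and pasta_netns_quit_init().

```python
"""Turn AppArmor DENIED audit lines into the profile rules they imply.

Added example for the pasta/AppArmor discussion; all input is constructed.
"""
import re

# Constructed audit lines in the kernel AppArmor format (not copied from the bug).
# pid, comm and timestamps are placeholders.
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.001:100): apparmor="DENIED" operation="capable" profile="pasta" pid=4242 comm="pasta" capability=19 capname="sys_ptrace"
audit: type=1400 audit(1700000000.002:101): apparmor="DENIED" operation="open" profile="pasta" name="/proc/4242/ns/" pid=4242 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.003:102): apparmor="DENIED" operation="open" profile="pasta" name="/proc/4242/ns/net" pid=4242 comm="pasta" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1700000000.004:103): apparmor="ALLOWED" operation="open" profile="pasta" name="/etc/hosts" pid=4242 comm="pasta" requested_mask="r" denied_mask="r"
"""

# Which code path needs each rule, as stated in this bug comment (assumed mapping,
# keyed by rule prefix).
REASONS = {
    "capability sys_ptrace": "CAP_SYS_PTRACE: needed by pasta_open_ns() to open /proc/<pid>/ns/net",
    "@{PROC}/@{pid}/ns/": "needed by pasta_netns_quit_init()",
}

# key=value pairs; values are either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict, with quotes stripped."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def suggest_rules(log_text):
    """Deduplicated AppArmor rules that would satisfy every DENIED line, in first-seen order.

    Capability denials become `capability <name>,`; file denials become a path rule
    with the pid component generalised to the @{PROC}/@{pid}/ tunables.
    """
    rules = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED":
            continue  # only denials tell us what is missing from the profile
        if ev.get("operation") == "capable" and "capname" in ev:
            rule = f"capability {ev['capname']},"
        elif "name" in ev and "denied_mask" in ev:
            path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", ev["name"])
            rule = f"{path} {ev['denied_mask']},"
        else:
            continue  # other operation types are not handled by this example
        if rule not in rules:
            rules.append(rule)
    return rules


def render_abstraction(rules, reasons=REASONS):
    """Format rules as an abstraction fragment, each preceded by a comment naming why it is needed."""
    out = []
    for rule in rules:
        why = next((w for prefix, w in reasons.items() if rule.startswith(prefix)), None)
        if why:
            out.append(f"  # {why}")
        out.append(f"  {rule}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_abstraction(suggest_rules(SAMPLE_LOG)), end="")
```

Running it on the constructed log prints a fragment with `capability sys_ptrace,`, `@{PROC}/@{pid}/ns/ r,` and `@{PROC}/@{pid}/ns/net r,`, each under its comment; the `ALLOWED` line is ignored because it does not indicate a missing rule.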