Comment # 23 on bug 1221840 from Christian Boltz
(In reply to Stefano Brivio from comment #22)
> By the way, pasta(1) doesn't ptrace() anything and isn't ptrace()d by
> anybody, it just needs to open namespace entries in procfs.

Namespaces can be interesting[tm], and IIRC you don't need to do explicit
ptrace() calls to trigger ptrace events. (I'll need to ask someone who does the
kernel-side work if you are interested in the details.)


That said - the only ptrace event in your audit.log is:

type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED
operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read
denied_mask=read peer="unconfined"

which translates to

    ptrace read peer=unconfined,

If passt also needs to open namespace entries of confined processes, remove the
"peer=unconfined" part.
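To make the translation above mechanical, here is an added example (not from the bug report or the passt project) that turns AppArmor AVC lines in the interpreted ausearch layout into ptrace rule lines; the second sample line and its peer profile name are constructed for illustration.

```python
import re

# Constructed sample log: the first line is the layout quoted in the bug,
# the second is a made-up denial with a confined peer instead of "unconfined".
SAMPLE_LOG = """\
type=AVC msg=audit(04/02/2024 12:49:39.412:101237) : apparmor=DENIED operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read denied_mask=read peer="unconfined"
type=AVC msg=audit(04/02/2024 12:50:01.000:101300) : apparmor=DENIED operation=ptrace profile=passt pid=8042 comm=passt.avx2 requested_mask=read denied_mask=read peer="some-confined-profile"
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AppArmor AVC line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ptrace_rule(fields, any_peer=False):
    """Translate one DENIED ptrace event into an AppArmor rule line.

    any_peer=True drops the peer= qualifier, which is the change suggested
    in the comment when namespace entries of confined processes must be
    readable as well (a broader grant, so only use it when really needed).
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "ptrace":
        return None
    mask = fields["denied_mask"]
    if any_peer:
        return f"ptrace {mask},"
    return f'ptrace {mask} peer={fields["peer"]},'


def suggest_rules(log, any_peer=False):
    """Collect the distinct ptrace rules implied by all denials in a log."""
    rules = set()
    for line in log.splitlines():
        fields = parse_avc(line)
        if fields:
            rule = ptrace_rule(fields, any_peer)
            if rule:
                rules.add(rule)
    return sorted(rules)


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
    print(suggest_rules(SAMPLE_LOG, any_peer=True)[0])
```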

