(In reply to Danish Prakash from comment #14)
> Thanks for the patch, even though I can invoke `pasta` without any errors,
> I'm still getting the same permission denied error on the netns:
>
> > Couldn't open network namespace /proc/9080/ns/net: Permission denied
>
> Adding the following rule to usr.bin.passt doesn't help either:
>
> > /proc/@{pid}/ns/ r,

That should be '/proc/@{pid}/ns/**', but anyway that's already covered by abstractions/pasta:

  @{PROC}/[0-9]*/ns/net r, # pasta_wait_for_ns(),
  @{PROC}/[0-9]*/ns/user r, # conf_pasta_ns()

...you should make sure that those rules are taken into account, though.

> On the contrary, setting the two usr.bin.pas* profiles to complain mode,
> things are back to normal so perhaps the rules are still not right?

Definitely, it's an issue with AppArmor rules. Can you tail -f /var/log/audit/audit.log while you run 'pasta' and check what AppArmor is denying as you do that?
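
One way to condense the audit log check requested above into a per-rule summary, as an added example that is not part of the original comment. The function names `apparmor_denials` and `sample_log` are hypothetical, the records are assumed to use the usual AppArmor `key="value"` audit layout, and the sample records (including the profile name `pasta`) are constructed.

```shell
#!/bin/sh
# Added example, not from the original comment. Sample records are constructed.

# apparmor_denials [PROFILE_PREFIX] < audit.log
# Prints "count profile operation denied_mask path" for each distinct denial.
# Records with apparmor="ALLOWED" (complain mode) are ignored.
apparmor_denials() {
    awk -v prefix="${1:-}" '
        # Return the value of a key="value" field, or "-" if it is absent.
        function field(key) {
            if (!match($0, " " key "=\"[^\"]*\"")) return "-"
            return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        }
        /apparmor="DENIED"/ {
            p = field("profile")
            if (prefix != "" && index(p, prefix) != 1) next
            n = field("name")
            # Collapse per-process paths so denials from repeated runs group
            # together, written the way abstractions/pasta spells them.
            sub(/^\/proc\/[0-9]+\//, "@{PROC}/[0-9]*/", n)
            seen[p " " field("operation") " " field("denied_mask") " " n]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

# Constructed sample input: two denials for the same path under different
# PIDs, one complain-mode record, and one denial for an unrelated profile.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): apparmor="DENIED" operation="open" profile="pasta" name="/proc/4242/ns/net" pid=4250 comm="pasta.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000009.202:502): apparmor="DENIED" operation="open" profile="pasta" name="/proc/4310/ns/net" pid=4318 comm="pasta.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000009.300:503): apparmor="ALLOWED" operation="open" profile="pasta" name="/proc/4310/ns/user" pid=4318 comm="pasta.avx2" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000010.400:504): apparmor="DENIED" operation="open" profile="other-profile" name="/var/lib/example/data" pid=4400 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
}

sample_log | apparmor_denials pasta
```

After reproducing the failure, the same function can be fed the real log with `apparmor_denials pasta < /var/log/audit/audit.log`; each output line names the operation, mask and path that the loaded profile does not yet allow.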