strace does not seem to be the tool to figure out the info you are
asking for, considering that the pid of the involved processes would be
unknown at the time of starting strace, and executing the process(es)
from the cli along with strace will not bear fruit for the case.

Going back to the log message I would reckon that MOUNT_NAMESPACES is in
play, in particular recursive MS_SLAVE. Would that be supported by AA
in general and with the profile in particular?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1811248

Title:
  systemd--networkd mounts denied for lxc guest

Status in apparmor package in Ubuntu:
  New

Bug description:
  Host Ubuntu cosmic | lxc 3.0.3 | aa 2.12 | systemd 239-7
  Guest Arch Linux | systemd 240.0

  After having upgraded in the guest systemd from 239.370 to 240.0 the
  host's AA is exhibiting

  > audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8426 comm="(networkd)" flags="rw, rslave"

  and the guest

  > systemd-networkd.service: Failed to set up mount namespacing: Permission denied
  > systemd-networkd.service: Failed at step NAMESPACE spawning /usr/lib/systemd/systemd-networkd: Permission denied

  According to the lxc bug tracker https://github.com/lxc/lxc/issues/2778

  > While we'd like to allow such mounts we cannot do so until the
  apparmor_parser is fixed to handle them correctly.

  Other cross references:

  https://github.com/systemd/systemd/issues/11371
  https://bugs.archlinux.org/task/61313
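An added example (not code from the bug report, AppArmor or LXC) that parses AppArmor type=1400 audit records like the one quoted above and picks out mount denials whose flags change propagation (rslave and its relatives), so the host-side symptom of this failure can be spotted in audit logs; the function names and the sample records are constructed for this illustration.

```python
import re
from typing import Dict, List

# Constructed sample records, modelled on the denial quoted in the bug report,
# plus an unrelated file-open denial as a negative case.
SAMPLE_LINES = [
    'audit: type=1400 audit(1547125168.853:722): apparmor="DENIED" '
    'operation="mount" info="failed flags match" error=-13 '
    'profile="lxc-container-default-cgns" name="/" pid=8426 '
    'comm="(networkd)" flags="rw, rslave"',
    'audit: type=1400 audit(1547125170.001:723): apparmor="DENIED" '
    'operation="open" profile="lxc-container-default-cgns" '
    'name="/etc/fstab" pid=8430 comm="cat" requested_mask="w" '
    'denied_mask="w" fsuid=0 ouid=0',
]

# Mount propagation types (see mount(8)) in plain and recursive form.
PROPAGATION_FLAGS = {"shared", "slave", "private", "unbindable",
                     "rshared", "rslave", "rprivate", "runbindable"}

# key=value pairs; quoted values may contain spaces and commas
# (e.g. flags="rw, rslave"), so they are captured whole.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_audit(line: str) -> Dict[str, str]:
    """Return the key=value fields of an AppArmor (type=1400) audit record."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def mount_flags(fields: Dict[str, str]) -> List[str]:
    """Split the flags= field of a mount record into individual flag names."""
    return [f.strip() for f in fields.get("flags", "").split(",") if f.strip()]

def is_propagation_denial(fields: Dict[str, str]) -> bool:
    """True for a DENIED mount whose flags set propagation (e.g. rslave): the
    pattern produced when a guest unit uses mount namespacing under a
    container profile that does not permit such flags."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "mount"
            and any(f in PROPAGATION_FLAGS for f in mount_flags(fields)))

def propagation_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Scan audit lines and keep only the propagation-mount denials."""
    return [f for f in map(parse_apparmor_audit, lines) if is_propagation_denial(f)]

if __name__ == "__main__":
    for rec in propagation_denials(SAMPLE_LINES):
        print(f'profile={rec["profile"]} comm={rec["comm"]} pid={rec["pid"]} '
              f'target={rec["name"]} flags={mount_flags(rec)}')
```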
