I've done some testing with a little test program and basic AppArmor confinement. When an unconfined and unprivileged process enters a new user and pid namespace, it picks up all capabilities. When a confined and unprivileged process enters a new user and pid namespace, it only picks up the capabilities that are listed in the AppArmor profile.
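For anyone who wants to reproduce this, here is an added test program in the spirit of the one described above (it is not the poster's program and not part of the original comment). It records CapEff from /proc/self/status, calls unshare(CLONE_NEWUSER | CLONE_NEWPID), then reads CapEff again and lists the capability bit numbers that are set. The profile name, install path and the single `capability net_admin,` rule in the comment at the top are assumptions chosen for the demonstration.

```c
/*
 * captest.c: show which capabilities a process picks up when it enters a new
 * user + pid namespace, with and without AppArmor confinement.
 *
 * Assumed AppArmor profile for the confined run (name, path and the single
 * capability rule are assumptions for this example, not a real shipped profile):
 *
 *   # /etc/apparmor.d/usr.local.bin.captest
 *   #include <tunables/global>
 *   /usr/local/bin/captest {
 *     #include <abstractions/base>
 *     capability net_admin,
 *     /proc/@{pid}/status r,
 *     userns,          # only needed on AppArmor 4.x, where userns creation is mediated
 *   }
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the "CapEff:" line of /proc/<pid>/status text into a 64-bit bitmask.
 * Returns 0 on success and -1 if the line is missing or not valid hex. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return -1;
    *mask = v;
    return 0;
}

/* 1 if capability number `cap` (0..63) is present in `mask`, else 0. */
int cap_is_set(unsigned long long mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Number of capabilities present in `mask`. */
int count_caps(unsigned long long mask)
{
    int n = 0;
    for (int i = 0; i < 64; i++)
        n += cap_is_set(mask, i);
    return n;
}

/* Read this process's effective capability set from /proc/self/status. */
int read_self_cap_eff(unsigned long long *mask)
{
    char buf[8192];
    int fd = open("/proc/self/status", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return parse_cap_eff(buf, mask);
}

/* Print the mask as hex plus the list of set capability numbers. */
static void print_caps(const char *label, unsigned long long mask)
{
    printf("%s: CapEff=%016llx (%d capabilities):", label, mask, count_caps(mask));
    for (int i = 0; i < 64; i++)
        if (cap_is_set(mask, i))
            printf(" %d", i);
    printf("\n");
}

int main(void)
{
    unsigned long long before = 0, after = 0;

    if (read_self_cap_eff(&before) != 0) {
        perror("read /proc/self/status");
        return 1;
    }
    print_caps("before unshare", before);

    /* Creating a new user namespace gives its creator a capability set in
     * that namespace. CLONE_NEWPID only affects children of this process,
     * so /proc/self still refers to this process afterwards. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0) {
        perror("unshare(CLONE_NEWUSER | CLONE_NEWPID)");
        return 1;
    }

    if (read_self_cap_eff(&after) != 0) {
        perror("read /proc/self/status after unshare");
        return 1;
    }
    print_caps("after unshare ", after);
    return 0;
}
```

Build with `gcc -Wall -o captest captest.c`, run it once as an unprivileged, unconfined user, then load the profile with `apparmor_parser -r /etc/apparmor.d/usr.local.bin.captest` and run it again under `aa-exec -p /usr/local/bin/captest /usr/local/bin/captest` (the profile name matches the attachment path in the assumed profile above). The bit numbers can be translated with `capsh --decode=<hex>`; CAP_NET_ADMIN is bit 12. If unshare fails with EPERM on a distribution that restricts unprivileged user namespaces, that is a separate sysctl or AppArmor userns restriction, not the capability behaviour being tested here.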