ktag often needs to execute helper binaries from /sys/kernel/security or /proc/self/fd . If mounted noexec , execution is denied, resulting in "operation not allowed."
ausearch -m avc -ts recent | grep ktag
sudo ktag --test Symptoms: You see kernel: Lockdown: ktag: restricted operation in dmesg . ktag operation not allowed
ktag --trace-enable sys_call and receive ktag: operation not allowed , the kernel is responding with the EPERM error code (Error PERMission denied). Unlike EACCES (permission denied due to file system attributes), EPERM means: The operation you attempted is fundamentally not permitted by the kernel's current security policy or internal state. ktag often needs to execute helper binaries from
Recent kernels restrict unprivileged eBPF. ktag might rely on eBPF for certain tag operations. Unlike EACCES (permission denied due to file system
SELinux contexts or AppArmor profiles may label ktag as a confined application with no permission to access /sys/kernel/debug , /proc/sys/kernel , or perform ioctl on kernel file descriptors.
getenforce If Enforcing , check denials: