I followed the guide at .md#filtering-by-mount-namespace and got it working on a VM. But when running on a different host, I am getting a mismatched mount namespace ID.
Create a new mount namespace:
$ sudo unshare -m bash
# stat -L -c %i /proc/self/ns/mnt
4026533296
I ran the script (*), and I get this line when running tail -f /dev/null:
$ sudo cat /sys/kernel/debug/tracing/trace_pipe
<...>-1337178 [007] d...1 33726962.631140: bpf_trace_printk: Outside the namespace; 1824653312
Somehow eBPF sees a different mount namespace ID of 1824653312, but running stat on the PID shows the ID of the unshared mount namespace:
$ ps aux | grep 'dev/null'
root 1337178 0.0 0.0 5804 1920 pts/83 S+ 18:32 0:00 tail -f /dev/null
nalma 1338345 0.0 0.0 6612 2560 pts/240 S+ 18:32 0:00 grep --color=auto dev/null
$ sudo stat -L -c %i /proc/1337178/ns/mnt
4026533296
So, I am kinda scratching my head now...
(*) script:
from argparse import Namespace
from time import sleep

from bcc import BPF
from bcc.containers import filter_by_containers

program = """
// Attached to the execve syscall entry; logs the caller's mount namespace
// inode and whether container_should_be_filtered() treats it as outside
// the set of namespaces in the pinned map.
int syscall__hello(void *ctx) {
    u64 uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
    u64 pid = bpf_get_current_pid_tgid() & 0xFFFFFFFF; // currently unused

    struct task_struct *current_task = (struct task_struct *)bpf_get_current_task();
    // ns.inum is an unsigned int in the kernel; keep the same width so %u
    // prints the whole value.
    u32 ns_id = current_task->nsproxy->mnt_ns->ns.inum;

    if (!(uid == 0 || uid == 1000)) return 0; // to reduce noise

    if (container_should_be_filtered()) {
        bpf_trace_printk("Outside the namespace; %u", ns_id);
    } else {
        bpf_trace_printk("Inside the namespace; %u", ns_id);
    }
    return 0;
}
"""

# filter_by_containers() prepends the C helpers that define
# container_should_be_filtered(), backed by the pinned mount namespace map.
program = filter_by_containers(Namespace(cgroupmap=None, mntnsmap="/sys/fs/bpf/namespaces")) + program

b = BPF(text=program)
syscall = b.get_syscall_fnname("execve")
b.attach_kprobe(event=syscall, fn_name="syscall__hello")

sleep(6000)  # keep the program attached; output is read via trace_pipe
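The following is an added helper for debugging a mismatch like the one above; it is not part of the original post or of bcc. It reads the mount namespace inode for a PID the two ways userspace can (readlink and stat -L, the latter being what the post ran), parses the ns id out of a bpf_trace_printk line of the shape quoted above, and builds the bpftool key bytes for the pinned map. It assumes, from my reading of bcc's containers.py rather than from the post, that the mntnsmap is a hash map with a u64 key (the mount namespace inode, host byte order) and a u32 value whose presence is all the lookup checks; the sample trace line is copied from the post.

```python
"""Cross-check mount namespace inodes seen by userspace and by eBPF.

Added example, not code from the original post or from bcc. Assumptions:
the pinned mntnsmap has u64 keys (mount ns inode, host byte order) and
u32 values; trace_pipe lines end in "<message>; <ns_id>" as in the post.
"""
import os
import re
import struct

# "... bpf_trace_printk: Outside the namespace; 1824653312"
_TRACE_RE = re.compile(r"bpf_trace_printk:\s*(?P<msg>[^;]+);\s*(?P<ns>\d+)\s*$")
# readlink(/proc/<pid>/ns/mnt) yields "mnt:[<inode>]"
_NS_LINK_RE = re.compile(r"^mnt:\[(\d+)\]$")


def parse_ns_link(link: str) -> int:
    """Turn "mnt:[N]" (the readlink text of /proc/<pid>/ns/mnt) into N."""
    m = _NS_LINK_RE.match(link.strip())
    if not m:
        raise ValueError(f"not a mount namespace link: {link!r}")
    return int(m.group(1))


def mnt_ns_inum(pid="self") -> int:
    """Mount namespace inode of a PID, read via readlink and via stat so a
    disagreement between the two userspace views is caught first."""
    path = f"/proc/{pid}/ns/mnt"
    via_link = parse_ns_link(os.readlink(path))
    via_stat = os.stat(path).st_ino  # equivalent to: stat -L -c %i <path>
    if via_link != via_stat:
        raise RuntimeError(f"{path}: readlink says {via_link}, stat says {via_stat}")
    return via_link


def mntnsmap_key_hex(inum: int) -> str:
    """Key bytes for `bpftool map update pinned <map> key hex ...`.
    Assumes a u64 key in little-endian host order (x86-64, arm64)."""
    return " ".join(f"{b:02x}" for b in struct.pack("<Q", inum))


def bpftool_update_cmd(map_path: str, inum: int) -> str:
    """Command that adds one mount namespace to the map (value 1, u32)."""
    return (f"bpftool map update pinned {map_path} "
            f"key hex {mntnsmap_key_hex(inum)} value hex 01 00 00 00")


def parse_trace_line(line: str):
    """Return (message, ns_id) from a bpf_trace_printk line, or None."""
    m = _TRACE_RE.search(line)
    if not m:
        return None
    return m.group("msg").strip(), int(m.group("ns"))


def trace_matches(line: str, expected_inum: int) -> bool:
    """True when the ns id the BPF program logged equals what /proc reports."""
    parsed = parse_trace_line(line)
    return parsed is not None and parsed[1] == expected_inum


if __name__ == "__main__":
    # Constructed sample: the trace_pipe line quoted in the post.
    sample = ("<...>-1337178 [007] d...1 33726962.631140: bpf_trace_printk: "
              "Outside the namespace; 1824653312")
    print("trace_pipe reports:", parse_trace_line(sample))
    me = mnt_ns_inum()
    print("this process' mount ns inode:", me)
    print("matches trace line:", trace_matches(sample, me))
    print(bpftool_update_cmd("/sys/fs/bpf/namespaces", me))
```

Run it as root on the host where the mismatch shows up, passing the PID of the traced process to mnt_ns_inum(). If /proc agrees with itself but the trace_pipe value still differs, the remaining suspect is the BPF side's own view of struct mnt_namespace, which filter_by_containers() defines in the C it prepends rather than taking from the running kernel's headers; that is an assumption to verify against the bcc version installed on that host, not a finding from the post.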