Hiding /etc/shadow from psql

psql Debian wrapper of psql (see this update), at least in version 15.12, really likes /etc/shadow file. To such a degree that it tries to read it upon each invocation:

$ strace psql 2>&1 | grep /etc/shadow
openat(AT_FDCWD, "/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)

On this particular host, such event is logged by auditd (output edited for brevity):

type=SYSCALL syscall=257 success=no exit=-13 comm="psql" exe="/usr/bin/perl" SYSCALL=openat

As you can see, this read attempt failed. Actually, that's the reason it got logged. And it failed because this specific user calling psql does not have read access to /etc/shadow. This is not some weird custom setup, just standard Debian 12 system, where shadow is readable only by root and the shadow group - it's a small club and we ain't in it.

But, in a parallel incarnation, we are also root here and thus recipients of alerting from this system. And it just so happens that just as psql likes to read /etc/shadow, auditd is set such that it doesn't like shadow being read by unworthy souls - and it pages us if that happens. And it does happen frequently, because non-root users on this host like to run psql.

So, how could we solve this conundrum? We could add appropriate users to the shadow group, sure. But let's say we deem this excessive. In this particular case bwrap became a cure of choice:

bwrap \
    --ro-bind /usr /usr \
    --ro-bind /lib /lib \
    --ro-bind /lib64 /lib64 \
    --ro-bind /etc/hosts /etc/hosts \
    --bind /home /home \
    --proc /proc \
    --dev /dev \
psql

This hides shadow file from psql and eliminates the issue. Of course this works only if we can otherwise ensure that all calls to psql will go via such wrapping script.

Also note that psql reads a few more files from /etc than just shadow, so this specific invocation as above may be little too restrictive - e.g. we block /etc/nsswitch.conf. But in this particular setup it was good enough.

Is there a simpler way?