Okay, so let's split this between upstream and Ubuntu kernels. Previous upstream kernels did not have socket mediation and could NOT have generated the denial message being seen:
Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=28404 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none

4.17 has socket mediation code, but there is no released userspace that supports it. It requires apparmor 3 dev, so in all existing userspaces the 4.17 socket mediation is not being enforced.

The Ubuntu Xenial and Bionic kernels carry a variant of the socket mediation patch that is in 4.17, but with a different ABI. The Ubuntu 4.17 kernel carries a compatibility patch and will have the Bionic and Xenial behavior under current 2.x apparmor userspaces.

The correct solution looks to be patching the current 2.x userspace to support locking on abstract and anonymous sockets.

--
https://bugs.launchpad.net/bugs/1780227
Title: locking sockets broken due to missing AppArmor socket mediation patches
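The denial above is AppArmor's "file_lock" operation, which is the LSM security_file_lock() hook the kernel calls from flock() and from fcntl(F_SETLK/F_SETLKW) on any file descriptor, sockets included. The following C program is an added example (not code from the bug thread or from the AppArmor project) that reproduces that exact operation: it takes an flock() on an anonymous AF_UNIX SOCK_DGRAM socket (addr=none, as in the audit line) and on an abstract-namespace one. The abstract socket name "lp1780227-example" and the function names are the example's own. It is Linux-only, since abstract sockets are a Linux extension. Run unconfined it succeeds; run under a profile that mediates sockets but lacks the lock rule it returns EACCES, which is the condition the userspace patch is meant to fix.

```c
/* Added example, not part of the bug report: reproduce AppArmor's
 * file_lock operation on unix dgram sockets. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* flock(LOCK_EX|LOCK_NB) then unlock. Returns 0 on success or -errno on
 * failure; -EACCES/-EPERM is what an LSM denial looks like to the caller. */
static int try_flock(int fd)
{
    if (flock(fd, LOCK_EX | LOCK_NB) != 0)
        return -errno;
    flock(fd, LOCK_UN);
    return 0;
}

/* Anonymous socket: never bound, so it has no address (addr=none). */
int lock_anonymous_dgram(void)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    int rc = try_flock(fd);
    close(fd);
    return rc;
}

/* Abstract socket: sun_path[0] == '\0' selects the abstract namespace.
 * "name" is whatever constructed label the caller passes in. */
int lock_abstract_dgram(const char *name)
{
    struct sockaddr_un sa;
    size_t n = strlen(name);

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (n + 1 > sizeof sa.sun_path)
        return -ENAMETOOLONG;
    memcpy(sa.sun_path + 1, name, n);
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&sa, len) != 0) {
        int e = -errno;
        close(fd);
        return e;
    }
    int rc = try_flock(fd);
    close(fd);
    return rc;
}

int main(void)
{
    int a = lock_anonymous_dgram();
    int b = lock_abstract_dgram("lp1780227-example");
    printf("anonymous unix dgram flock: %s\n", a ? strerror(-a) : "ok");
    printf("abstract  unix dgram flock: %s\n", b ? strerror(-b) : "ok");
    return 0;
}
```

When the lock is denied, the audit line shows operation="file_lock" with the socket's family and type rather than a path, which is why a plain file rule in the profile does not cover it.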