Okay, so let's split this between upstream and ubuntu kernels.

Previous upstream kernels did not have socket mediation and could NOT
have generated the denial message being seen.


Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock" 
profile="lxc-container-default-cgns" pid=28404 comm="(true)" family="unix" 
sock_type="dgram" protocol=0 addr=none

4.17 has socket mediation code but there is no released userspace that
supports it. It requires apparmor 3 dev, so in all existing userspaces
the 4.17 socket mediation is not being enforced.

The ubuntu kernels Xenial and Bionic carry a variant of the socket
mediation patch that is in 4.17 but with a different abi. The ubuntu
4.17 kernel carries a compatibility patch and will have the Bionic and
Xenial behavior under current 2.x apparmor userspaces.

The correct solution looks to be patching the current 2.x userspace to
support locking on abstract and anonymous sockets.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1780227

Title:
  locking sockets broken due to missing AppArmor socket mediation
  patches

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Bionic:
  Triaged

Bug description:
  Hey,

  Newer systemd makes use of locks placed on AF_UNIX sockets created
  with the socketpair() syscall to synchronize various bits and pieces
  when isolating services. On kernels prior to 4.18 that have not
  backported the AppArmor socket mediation patchset, this will cause the
  locks to be denied with EACCES. This causes systemd to be broken in
  LXC and LXD containers that do not run unconfined, which is a pretty
  big deal. We have seen various bug reports related to this. See for
  example [1] and [2].

  If feasible it would be excellent if we could backport the socket
  mediation patchset to all LTS kernels. Afaict, this should be 4.4 and
  4.15. This will unbreak a whole range of use-cases.

  The socket mediation patchset is available here:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4

  [1]: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1575779
  [2]: https://github.com/systemd/systemd/issues/9493

  Thanks!
  Christian
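A small probe for the failure mode described in this report, added here as an example and not part of the bug report or of systemd's code: it creates an AF_UNIX socketpair and attempts the same kind of flock() that systemd relies on, so an administrator can run it inside a confined container to see whether the kernel/AppArmor userspace combination grants the lock or returns EACCES (matching the operation="file_lock" family="unix" denial above). The function name probe_unix_socket_lock is my own.

```c
/* Probe whether flock() on an AF_UNIX socketpair is permitted.
 * Added example; not taken from the bug report or from systemd. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 if the lock was granted, the errno from flock() if it was
 * refused (EACCES is the AppArmor denial seen in the report), or -1 if
 * the socketpair itself could not be created. */
int probe_unix_socket_lock(int sock_type)
{
    int sv[2];
    int result;

    if (socketpair(AF_UNIX, sock_type, 0, sv) < 0)
        return -1;

    /* Non-blocking exclusive lock. We own both ends of the pair, so the
     * only reason this can fail is the kernel (LSM) refusing it. */
    if (flock(sv[0], LOCK_EX | LOCK_NB) == 0) {
        result = 0;
        flock(sv[0], LOCK_UN);
    } else {
        result = errno;
    }

    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    /* The denial in the report was for sock_type="dgram"; check stream too. */
    const struct { const char *name; int type; } kinds[] = {
        { "SOCK_DGRAM",  SOCK_DGRAM },
        { "SOCK_STREAM", SOCK_STREAM },
    };
    int broken = 0;

    for (int i = 0; i < 2; i++) {
        int r = probe_unix_socket_lock(kinds[i].type);
        if (r == 0)
            printf("%s: flock() allowed\n", kinds[i].name);
        else if (r < 0)
            printf("%s: socketpair() failed: %s\n", kinds[i].name, strerror(errno));
        else {
            printf("%s: flock() denied: %s\n", kinds[i].name, strerror(r));
            broken = 1;
        }
    }
    return broken;   /* non-zero exit means systemd-style locking is broken here */
}
```

Run it unconfined first to confirm the lock is granted, then under the container profile; a denial there should appear in the audit log with the same fields as the message quoted in the comment above.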

-- 
Mailing list: https://launchpad.net/~kernel-packages