Comment 4 for bug 1780227

John Johansen (jjohansen) wrote :

Okay, so let's split this between upstream and Ubuntu kernels.

Previous upstream kernels did not have socket mediation and could NOT have generated the denial message being seen.

Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock" profile="lxc-container-default-cgns" pid=28404 comm="(true)" family="unix" sock_type="dgram" protocol=0 addr=none

4.17 has socket mediation code but there is no released userspace that supports it. It requires apparmor 3 dev, so in all existing userspaces the 4.17 socket mediation is not being enforced.

The Ubuntu Xenial and Bionic kernels carry a variant of the socket mediation patch that is in 4.17 but with a different ABI. The Ubuntu 4.17 kernel carries a compatibility patch and will have the Bionic and Xenial behavior under current 2.x apparmor userspaces.

The correct solution looks to be patching the current 2.x userspace to support locking on abstract and anonymous sockets.
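As an added example (not code from the bug report or the AppArmor project), a small Python parser that pulls the key=value fields out of an AppArmor AVC audit record such as the one quoted in this comment and flags the file_lock-on-unix-socket class of denial for triage; the sample line is the one from the comment, and the function names are my own.

```python
import re

# Constructed sample: the AVC denial quoted in the bug comment above.
SAMPLE_LINE = (
    'Jul 04 15:11:11 host audit[28404]: AVC apparmor="DENIED" operation="file_lock" '
    'profile="lxc-container-default-cgns" pid=28404 comm="(true)" family="unix" '
    'sock_type="dgram" protocol=0 addr=none'
)

# key=value pairs: values are either double-quoted (may contain spaces or
# parentheses, e.g. comm="(true)") or bare tokens (pid=28404, addr=none).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_apparmor_avc(line):
    """Return a dict of fields from an AppArmor AVC audit line, or None if the
    line is not an AVC record (the syslog/audit prefix is skipped)."""
    idx = line.find('AVC apparmor=')
    if idx < 0:
        return None
    fields = {}
    for key, val in _KV_RE.findall(line[idx + len('AVC '):]):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]          # strip the surrounding quotes
        fields[key] = val
    return fields


def is_unix_socket_lock_denial(fields):
    """True when the record is the class discussed in the comment: an
    enforced DENIED file_lock on a unix-family socket."""
    return (fields is not None
            and fields.get('apparmor') == 'DENIED'
            and fields.get('operation') == 'file_lock'
            and fields.get('family') == 'unix')


if __name__ == '__main__':
    f = parse_apparmor_avc(SAMPLE_LINE)
    print(f['profile'], f['comm'], is_unix_socket_lock_denial(f))
```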