AppArmor denied errors for a proxy device opened as raw network socket


I used LXD to setup the Unifi Controller and things mostly work well. It is a default install with the bridge networking.

I used lxc config to add a proxy device for all the ports I needed exposed. For the one port that is an issue here is the command I used:

lxc config device add unifi unifi10001 proxy listen=udp: connect=udp: proxy_protocol=true

The problem is that the app is trying to open the socket in raw mode and the AppArmor profile does not allow it:

Nov 18 01:09:03 alpha kernel: [ 142.496256] audit: type=1400 audit(1637215743.511:188): apparmor=“DENIED” operation=“create” profile=“lxd_forkproxy-unifi10001_unifi_</var/snap/lxd/common/lxd>” pid=4863 comm=“lxd” family=“netlink” sock_type=“raw” protocol=0 requested_mask=“create” denied_mask=“create”

In the AppArmor profile it has lines such as “network dgram” but not “network raw”. I tried to update this file and reboot but it looks like the config is regenerated to its original state.

I can solve the problem by using “apparmor_parser -r -C” on the rule to turn it off but I have to do that after each reboot and would like to learn how to solve it permanently.

Is there a way to allow raw network sockets or to disable the AppArmor profile for just the specific proxy device?


What kernel are you running?

It is Ubuntu 21.10 on a Raspberry Pi 4 with kernel 5.13.0-1010-raspi.

I just upgraded the kernel but it has been happening for a while.