Comment 88 for bug 1160372

In , Tonyj-2 (tonyj-2) wrote :

Ubuntu bug on this also: https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/1160372

The issue is occurring because it seems vsftp has changed its pid namespace.

Probably from sysdeputil.c::vsf_sysutil_fork_isolate_failok()
"syscall(__NR_clone, CLONE_NEWPID)"

There is a specific prohibition in the kernel on this:

-----------------------------------------------------------------------------
commit 34e36d8ecbd958bc15f8e63deade1227de337eb1
Author: Eric W. Biederman <email address hidden>
Date: Mon Sep 10 23:20:20 2012 -0700

    audit: Limit audit requests to processes in the initial pid and user namespaces.

    This allows the code to safely make the assumption that all of the
    uids gids and pids that need to be sent in audit messages are in the
    initial namespaces.

    If someone cares we may lift this restriction someday but start with
    limiting access so at least the code is always correct.
-----------------------------------------------------------------------------

Regarding audit=0: I imagine it would solve the issue, but it is rather extreme. Also, if I boot with audit=0 then client side ftp fails with "500 OOPS: priv_sock_get_cmd" (seccomp_sandbox=NO in /etc/vsftpd.conf).

Can you verify if the above vsftp codepath is indeed being executed and see what happens if VSF_SYSDEP_HAVE_LINUX_CLONE is disabled?
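
One way to check at runtime whether a process (for example a vsftpd child) has left the initial pid or user namespace, which is the condition the kernel commit quoted above enforces. This is an added example, not code from the comment, vsftpd or the kernel. It assumes a Linux kernel that exposes `/proc/<pid>/ns/pid` and `/proc/<pid>/ns/user`, and it assumes the initial namespaces carry the fixed inode numbers shown; the function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: inode numbers of the initial pid and user namespaces
 * (PROC_PID_INIT_INO, PROC_USER_INIT_INO in include/linux/proc_ns.h). */
#define INIT_PID_NS_INO  0xEFFFFFFCUL
#define INIT_USER_NS_INO 0xEFFFFFFDUL

/* Parse a link target such as "pid:[4026531836]"; 0 if malformed. */
unsigned long parse_ns_link(const char *link, const char *type)
{
    size_t n = strlen(type);
    char *end;
    unsigned long ino;
    if (strncmp(link, type, n) != 0 || link[n] != ':' || link[n + 1] != '['
        || link[n + 2] < '0' || link[n + 2] > '9')
        return 0;
    ino = strtoul(link + n + 2, &end, 10);
    return strcmp(end, "]") == 0 ? ino : 0;
}

/* Namespace inode of pid_str ("self" or a decimal pid); 0 on error,
 * e.g. no permission to read another user's process. */
unsigned long ns_inode_of(const char *pid_str, const char *type)
{
    char path[64], link[64];
    ssize_t len;
    snprintf(path, sizeof path, "/proc/%s/ns/%s", pid_str, type);
    len = readlink(path, link, sizeof link - 1);
    if (len < 0)
        return 0;
    link[len] = '\0';
    return parse_ns_link(link, type);
}

/* 1 only when both namespaces are the initial ones. */
int in_initial_namespaces(unsigned long pid_ino, unsigned long user_ino)
{
    return pid_ino == INIT_PID_NS_INO && user_ino == INIT_USER_NS_INO;
}

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    unsigned long p = ns_inode_of(pid, "pid"), u = ns_inode_of(pid, "user");
    printf("pid ns %lu, user ns %lu: %s\n", p, u,
           in_initial_namespaces(p, u) ? "initial" : "not initial or unreadable");
    return 0;
}
```

Run it as root with the PID of the process handling the FTP session; a pid namespace inode different from that of PID 1 indicates the CLONE_NEWPID path was taken.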