Package: ntpsec
Version: 1.2.3+dfsg1-8
Severity: normal
Tags: patch

Dear Maintainer,

Using ntpsec on proxmox, after upgrading to 9/trixie, apparmor started
complaining about ntpd, rejecting creation of unix/udp sockets with what I'd
consider a pretty standard config (e.g. querying a single server, and providing
ntp service to guests via 'interface listen'):

apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/ntpd" pid=1848 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none

Per https://forum.proxmox.com/threads/apparmor-logs-pve9.169422/#post-813375
I've found that declaring the apparmor config as 'abi <abi/3.0>,' was enough to
stop the dmesg spam. I've looked at
https://salsa.debian.org/debian/ntpsec/-/blob/debian/unstable/debian/apparmor-profile?ref_type=heads
and saw that it wasn't there, so I guess this is still an issue.

Even if the bug is found in proxmox's use of apparmor, the version of apparmor
shipped in trixie is more or less the same, so I guess it applies there too.

-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.17.13-1-pve (SMP w/64 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ntpsec depends on:
ii  adduser              3.152
ii  init-system-helpers  1.69~deb13u1
ii  libbsd0              0.12.2-2
ii  libc6                2.41-12+deb13u1
ii  libcap2              1:2.75-10+b3
ii  libssl3t64           3.5.4-1~deb13u2
ii  netbase              6.5
ii  python3              3.13.5-1
ii  python3-ntp          1.2.3+dfsg1-8
ii  tzdata               2025b-4+deb13u1

Versions of packages ntpsec recommends:
ii  cron [cron-daemon]  3.0pl1-197
ii  systemd             257.9-1~deb13u1

Versions of packages ntpsec suggests:
ii  apparmor       4.1.1-pmx1
pn  certbot        <none>
pn  ntpsec-doc     <none>
pn  ntpsec-ntpviz  <none>

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ntpd changed:
abi <abi/3.0>,
/usr/sbin/ntpd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>
  capability ipc_lock,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,
  # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  network dgram,
  network stream,
  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{NTPD_DEVICE} rw,
  # pps devices are almost exclusively used with NTP
  /dev/pps[0-9]* rw,
  /{,s}bin/      r,
  /usr/{,s}bin/  r,
  /usr/local/{,s}bin/  r,
  /usr/sbin/ntpd rmix,
  /etc/ntpsec/ntp.conf r,
  /etc/ntpsec/ntp.d/ r,
  /etc/ntpsec/ntp.d/*.conf r,
  /run/ntpsec/ntp.conf.dhcp r,
  /etc/ntpsec/cert-chain.pem r,
  /etc/ntpsec/key.pem r,
  /etc/ntpsec/ntp.keys r,
  /var/lib/ntpsec/ntp.drift rw,
  /var/lib/ntpsec/ntp.drift-tmp rw,
  /var/lib/ntpsec/nts-keys rw,
  /var/lib/ntpsec/nts-keys-tmp rw,
  /usr/share/zoneinfo/leap-seconds.list r,
  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpsec/clockstats* rwl,
  /var/log/ntpsec/loopstats*  rwl,
  /var/log/ntpsec/peerstats*  rwl,
  /var/log/ntpsec/protostats* rwl,
  /var/log/ntpsec/rawstats*   rwl,
  /var/log/ntpsec/sysstats*   rwl,
  /var/log/ntpsec/usestats*   rwl,
  /{,var/}run/ntpd.pid w,
  # to be able to check for running ntpdate
  /run/lock/ntpsec-ntpdate wk,
  # To sign replies to MS-SNTP clients by the smbd daemon /var/lib/samba
  /var/lib/samba/ntp_signd/socket rw,
  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  #     capability ipc_owner,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}

/etc/ntpsec/ntp.conf changed:
driftfile /var/lib/ntpsec/ntp.drift
statsdir /var/log/ntpsec/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server xxx.xxx.xxx.xxx
restrict 127.0.0.1
restrict ::1
interface listen lo
interface listen bond0


-- no debconf information
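The following is an added example, not part of this bug report or of the ntpsec package: a small triage helper that parses audit-style apparmor="DENIED" lines like the one quoted above, singles out the class="net" / "failed protocol match" denials, and checks whether the profile text that produced them carries an abi rule in its preamble, which is the fix the reporter applied (abi <abi/3.0>,). The second log line, the minimal profile text and the function names are constructed for the example; the regex only recognises the angle-bracket abi form used in the report.

```python
"""Triage AppArmor network denials against the profile's abi declaration.

Added example for this report; not code from ntpsec or from the reporter.
"""
import re

# The denial line quoted in the report, as one logical line.
DENIAL_LINE = (
    'apparmor="DENIED" operation="create" class="net" info="failed protocol match" '
    'error=-13 profile="/usr/sbin/ntpd" pid=1848 comm="ntpd" family="unix" '
    'sock_type="dgram" protocol=0 requested="create" denied="create" addr=none'
)

# Constructed for this example: an unrelated file denial, to show that it is filtered out.
OTHER_LINE = (
    'apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/ntpd" '
    'name="/etc/example.conf" pid=1848 comm="ntpd" requested_mask="r" denied_mask="r"'
)

# Constructed for this example: a cut-down profile without an abi rule in its preamble.
PROFILE_WITHOUT_ABI = (
    "/usr/sbin/ntpd flags=(attach_disconnected) {\n"
    "  network dgram,\n"
    "  network stream,\n"
    "}\n"
)

# key=value tokens; values are either a double-quoted string (spaces allowed) or a bare word.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# An `abi <abi/X.Y>,` rule anywhere in the profile text (preamble rules sit before the block).
_ABI_RULE = re.compile(r'^\s*abi\s+<abi/[0-9.]+>\s*,', re.MULTILINE)


def parse_denial(line: str) -> dict:
    """Split one audit line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_protocol_match_denial(fields: dict) -> bool:
    """True for the socket-creation denials seen in the report."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("class") == "net"
            and fields.get("info") == "failed protocol match")


def declares_abi(profile_text: str) -> bool:
    """True if the profile text contains an abi rule."""
    return _ABI_RULE.search(profile_text) is not None


def add_abi_rule(profile_text: str, version: str = "3.0") -> str:
    """Prepend `abi <abi/VERSION>,` when missing; the rule must precede the profile block."""
    if declares_abi(profile_text):
        return profile_text
    return f"abi <abi/{version}>,\n" + profile_text


def triage(lines, profiles: dict) -> list:
    """Return profile paths whose net denials coincide with a missing abi rule.

    `profiles` maps a profile path (as logged in profile="...") to its text.
    """
    suspects = set()
    for line in lines:
        fields = parse_denial(line)
        if not is_protocol_match_denial(fields):
            continue
        path = fields.get("profile")
        text = profiles.get(path)
        if text is not None and not declares_abi(text):
            suspects.add(path)
    return sorted(suspects)


if __name__ == "__main__":
    hit = triage([DENIAL_LINE, OTHER_LINE], {"/usr/sbin/ntpd": PROFILE_WITHOUT_ABI})
    print("profiles to check:", hit)
    print(add_abi_rule(PROFILE_WITHOUT_ABI))
```

On a live system the `lines` argument would come from journalctl or dmesg and `profiles` from reading /etc/apparmor.d/<profile>; here both are embedded so the script runs offline. The triage only flags a profile when a net denial and a missing abi rule occur together, so an unrelated file denial against the same profile is ignored.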
