AF_UNSPEC is used in calls to getaddrinfo(3) to request either IPv4 or
IPv6 addresses. In the parser, we've been filtering out AF_UNSPEC as an
option. It's a simple enough patch to enable it:

Index: b/common/Make.rules
===================================================================
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -98,7 +98,7 @@ list_capabilities: /usr/include/linux/ca
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.

-FILTER_FAMILIES=PF_UNSPEC PF_UNIX
+FILTER_FAMILIES=PF_UNIX

 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 
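Review bot: the comment above FILTER_FAMILIES explains the PF_/AF_ rewrite but says nothing about why any family is filtered, so dropping PF_UNSPEC from the list leaves no record of why it was excluded before or why it is now mediated; add a line to that comment stating that unspec (AF_UNSPEC, value 0) is deliberately included so that profiles can carry rules such as 'network unspec dgram,', and noting that the value 0 must not be treated as "no family" anywhere downstream. Without that, the next reader is likely to re-add PF_UNSPEC alongside PF_UNIX as an obvious "not a real family" entry.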
However, there's some concern that because the value of AF_UNSPEC is 0, there 
might be some special handling of that case, or other unexpected issues.

That said, I'm able to reproduce the issue, and adding a rule 'network
unspec dgram,' eliminated the rejections that ntpd was creating (whereas
adding a rule 'network unspec raw,' as expected, did not).

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1546455

Title:
  Many instances of 'apparmor="DENIED" operation="create"
  profile="/usr/sbin/ntpd" pid=15139 comm="ntpd" family="unspec"
  sock_type="dgram" protocol=0' in syslog

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1546455/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
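The socket() call that produces the denial in the bug title, and the getaddrinfo(3) AF_UNSPEC usage the report refers to, as an added example that is not part of the bug report or of the AppArmor patch. It is a stand-alone C program: try_unspec_dgram() issues the same family=unspec, sock_type=dgram, protocol=0 request that ntpd makes, explain_socket_errno() interprets the result, and unspec_lookup() shows hints.ai_family = AF_UNSPEC resolving a numeric host offline. The mapping of EACCES to "LSM denial" and EAFNOSUPPORT to "kernel rejected family 0 without an LSM denial" is this example's assumption about how the two outcomes surface to the caller; the family and errno constants come from the Linux headers.

```c
/* Added example, not code from the bug report or from the AppArmor project.
 * Reproduces what ntpd does when it calls socket(AF_UNSPEC, SOCK_DGRAM, 0)
 * and shows the getaddrinfo(3) AF_UNSPEC usage mentioned in the thread.
 * Assumption (not stated on the page): an AppArmor network denial surfaces to
 * the process as EACCES, while an unconfined process gets EAFNOSUPPORT because
 * no protocol family is registered for AF_UNSPEC (value 0). */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The exact request from the denial line: family=unspec (AF_UNSPEC == 0),
 * sock_type=dgram, protocol=0. Returns 0 if a descriptor was handed back
 * (it is closed again), otherwise the positive errno value. */
int try_unspec_dgram(void) {
    int fd = socket(AF_UNSPEC, SOCK_DGRAM, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

/* Interpret the errno from try_unspec_dgram(). EACCES is what an LSM
 * denial looks like from user space (and is what goes with the
 * apparmor="DENIED" operation="create" line in syslog); EAFNOSUPPORT is the
 * kernel's own answer for family 0 when nothing denied the call first. */
const char *explain_socket_errno(int err) {
    switch (err) {
    case 0:            return "created";
    case EACCES:       return "denied by LSM (no matching network rule)";
    case EAFNOSUPPORT: return "family unsupported by kernel (no LSM denial)";
    default:           return "other";
    }
}

/* getaddrinfo(3) with hints.ai_family = AF_UNSPEC accepts IPv4 or IPv6.
 * AI_NUMERICHOST keeps the lookup offline (no DNS). Returns -1 on failure,
 * otherwise the number of results, storing the first result's family in
 * *first_family. Port 123 is NTP, matching the confined program. */
int unspec_lookup(const char *host, int *first_family) {
    struct addrinfo hints, *res, *p;
    int n = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family   = AF_UNSPEC;   /* either IPv4 or IPv6 */
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags    = AI_NUMERICHOST;
    if (getaddrinfo(host, "123", &hints, &res) != 0)
        return -1;
    for (p = res; p != NULL; p = p->ai_next) {
        if (n == 0)
            *first_family = p->ai_family;
        n++;
    }
    freeaddrinfo(res);
    return n;
}

int main(void) {
    int err = try_unspec_dgram();
    int fam = -1;
    int n;
    printf("socket(AF_UNSPEC, SOCK_DGRAM, 0): errno=%d (%s)\n",
           err, explain_socket_errno(err));
    n = unspec_lookup("127.0.0.1", &fam);
    printf("getaddrinfo(AF_UNSPEC, 127.0.0.1): %d result(s), first family=%d (AF_INET=%d)\n",
           n, fam, AF_INET);
    return 0;
}
```

Run it unconfined and then under the ntpd profile (for example via aa-exec -p /usr/sbin/ntpd): the first line changes from EAFNOSUPPORT to EACCES when the profile lacks a 'network unspec dgram,' rule, which is the same event the syslog line in the bug title records.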