Thanks for tracking this down! Unfortunately, ipc_owner is a rather strong capability (allows access to all shared memory), and it looks like ntpd expects to actually write to the memory region (e.g. "shm->valid = 0" is in the code), so SHM_RDONLY doesn't seem viable either. Instead, I've added a note to the AppArmor profile itself pointing people to the right option if they want to enable it for their local system (since it doesn't seem appropriate to do this by default for all ntpd users).
** Changed in: ntp (Ubuntu)
   Status: Confirmed => Fix Committed

** Changed in: ntp (Ubuntu)
   Assignee: (unassigned) => Kees Cook (kees)

** Changed in: ntp (Ubuntu)
   Importance: Low => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in ubuntu.
https://bugs.launchpad.net/bugs/722815

Title:
  apparmor prevents ntp from reading gpsd

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
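The comment above rejects `SHM_RDONLY` because ntpd stores into the shared segment (it clears `valid` after consuming a sample). The following added example, which is not code from the bug report, ntpd or gpsd, reproduces that constraint in isolation: a producer attaches a SysV segment read-write and publishes a sample, a consumer attaches the same segment with `SHM_RDONLY`, and the consumer's store to `valid` faults. The `struct shm_time` layout is a simplified stand-in constructed for the example, not ntpd's real record, and the segment is created with `IPC_PRIVATE` rather than the key a real GPS daemon would use.

```c
/* Added example (not from ntpd/gpsd): why a SHM_RDONLY attach cannot serve a
 * consumer that must write back to the segment. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Simplified, constructed stand-in for the producer/consumer record shared
 * between a GPS daemon and an NTP SHM refclock; the real layout is larger. */
struct shm_time {
    int  mode;
    int  count;
    long clock_sec;
    long clock_usec;
    int  valid;   /* producer sets 1; consumer clears to 0 after reading */
};

/* Returns 1 if a store through a SHM_RDONLY attachment faults with SIGSEGV
 * (the expected outcome), 0 if the store unexpectedly succeeded, and -1 if
 * the segment could not be set up (e.g. SysV IPC unavailable). */
int readonly_attach_write_faults(void)
{
    int id = shmget(IPC_PRIVATE, sizeof(struct shm_time), IPC_CREAT | 0600);
    if (id < 0)
        return -1;

    /* Producer side: read-write attachment, publish one sample. */
    struct shm_time *rw = shmat(id, NULL, 0);
    if (rw == (void *)-1) {
        shmctl(id, IPC_RMID, NULL);
        return -1;
    }
    memset(rw, 0, sizeof *rw);
    rw->clock_sec = 1700000000L;   /* constructed sample timestamp */
    rw->valid = 1;

    /* Consumer side under the proposed restriction: read-only attachment. */
    struct shm_time *ro = shmat(id, NULL, SHM_RDONLY);
    if (ro == (void *)-1) {
        shmdt(rw);
        shmctl(id, IPC_RMID, NULL);
        return -1;
    }

    int result;
    pid_t pid = fork();
    if (pid == 0) {
        /* The consumer's "sample consumed" handshake: this store faults
         * because the mapping is read-only. */
        ro->valid = 0;
        _exit(0);   /* reached only if the store did not fault */
    } else if (pid < 0) {
        result = -1;
    } else {
        int status = 0;
        waitpid(pid, &status, 0);
        result = (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) ? 1 : 0;
    }

    /* Reading through the read-only mapping still works: the sample is
     * intact because the child never managed to clear it. */
    if (result == 1 && ro->valid != 1)
        result = 0;

    shmdt(ro);
    shmdt(rw);
    shmctl(id, IPC_RMID, NULL);
    return result;
}

int main(void)
{
    int r = readonly_attach_write_faults();
    printf("store through SHM_RDONLY attachment faulted: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

Compile with `cc -Wall shm_rdonly.c -o shm_rdonly` and run it; the child process dies with SIGSEGV on the store while the parent keeps reading the segment normally. That asymmetry is exactly why a consumer with ntpd's write-back handshake needs a read-write attachment, and hence why the profile comment points operators at the capability rather than at a read-only mapping.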