#1130487 ntpsec: Update apparmor policy for 4.0/allow unix dgram sockets

Package:
ntpsec
Source:
ntpsec
Description:
Network Time Protocol daemon and utility programs
Submitter:
Landry Breuil
Date:
2026-03-12 12:53:02 UTC
Severity:
normal
Tags:
#1130487#5
Date:
2026-03-12 12:45:26 UTC
From:
To:
Dear Maintainer,

using ntpsec on proxmox, after upgrading to 9/trixie, apparmor started
complaining about ntpd, rejecting creation of unix/udp sockets with what i'd
consider a pretty standard config (eg querying a single server, and providing
ntp service to guests via 'interface listen')

apparmor="DENIED" operation="create" class="net" info="failed protocol match" error=-13 profile="/usr/sbin/ntpd" pid=1848 comm="ntpd" family="unix" sock_type="dgram" protocol=0 requested="create" denied="create" addr=none

per https://forum.proxmox.com/threads/apparmor-logs-pve9.169422/#post-813375
i've found that declaring the apparmor config as 'abi <abi/3.0>,' was enough to
stop the dmesg spam.  ive looked on
https://salsa.debian.org/debian/ntpsec/-/blob/debian/unstable/debian/apparmor-profile?ref_type=heads
and saw that it wasnt there, so i guess this is still an issue.

even if the bug is found in proxmox's use of apparmor, the version of apparmor
shipped in trixie is more or less the same, so i guess it applies there too.