(In reply to Achim Gratz from comment #3)
> Yes, I have
>   statsdir /var/log/ntpstats
> as is standard.

Good to know, thanks!

> (In reply to Christian Boltz from comment #2)
> > One of the upstream developers doubts the 'l' (link) permission is really
> > needed, and since I don't have a stratum-0 refclock, I'd like to ask you to
> > test this ;-)
>
> Huh? What upstream developer was that?

An upstream AppArmor developer with the goal to keep the profile as restrictive as possible ;-)

> If you care to look, the *stat files in that directory are always hardlinked
> to the *stat20180123 files for the same date and unlinked/relinked on date
> rollover. So you do need to be able to create hardlinks.

Thanks for the explanation and the additional testing. That makes it obvious that 'l' permissions are really needed.

> If you want to simplify the rules you might use a glob there and require
> that everything is owned by ntp/ntp, that should have the same effect.

That would mean prefixing those rules with the owner keyword:

  owner /var/log/ntpstats/clockstats* lrw,
  owner /var/log/ntpstats/loopstats* lrw,
  owner /var/log/ntpstats/peerstats* lrw,

Can you please test if ntpd still works with the owner keyword added?

> Another thing to add as comment to ntp.conf: mention NTPD_DEVICE and how to
> add any devices configured for refclocks in /etc/apparmor.d/tunables/ntpd.

Indeed, that makes sense.
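As an added illustration (not part of the bug report or the ntp/AppArmor packages), this POSIX shell snippet simulates the statsdir hardlink rollover described above in a scratch directory; the directory and dates are constructed for the demo, and the comments map each file operation to the AppArmor permission ('w' or 'l') the profile rule has to grant.

```shell
#!/bin/sh
# Added example, not from the bug report: simulate ntpd's statsdir rollover.
# The undated file (peerstats) is a hardlink to the dated file
# (peerstats20180123) and is unlinked/relinked when the date rolls over.
# Directory and dates are constructed for the demo.
set -eu

STATSDIR="$(mktemp -d)"
trap 'rm -rf "$STATSDIR"' EXIT

# rollover KIND DATE: create KIND+DATE and point the undated KIND name at it.
rollover() {
    kind="$1"; date="$2"
    : > "$STATSDIR/${kind}${date}"                  # create file: needs 'w'
    rm -f "$STATSDIR/$kind"                         # unlink stale link: 'w'
    ln "$STATSDIR/${kind}${date}" "$STATSDIR/$kind" # hardlink: needs 'l'
}

# link_count PATH: hardlink count, taken from the second column of ls -l.
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# inode PATH: inode number, so two names can be checked for identity.
inode() {
    ls -di "$1" | awk '{ print $1 }'
}

# With the 'owner' prefix proposed above, every file matched by
# /var/log/ntpstats/peerstats* must additionally be owned by the uid ntpd
# runs as; a pre-existing file with another owner is denied despite 'lrw'.
rollover peerstats 20180123
rollover peerstats 20180124
echo "peerstats has $(link_count "$STATSDIR/peerstats") links after rollover"
```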