Comment 2 for bug 2032805

Christian Ehrhardt (paelzer) wrote:

Thanks for the ping on this @ahresse !
Yes, this should be very similar to the old fix in bug 1771028.

It is essentially yet another "chrony works with something else" use case.
There is a section for that in the chrony apparmor rules and we should indeed add the known default paths (like this) to be allowed.

And this is such a default path, from the man page:
rundir - Specify the directory where should be generated chronyd, ntpd and ptp4l configuration files and sockets. The directory will be created if it doesn't exist. The default value is /var/run/timemaster.
So for this one we might even want to allow reading all sub-elements, including the generated config, but RW for the socket.

Furthermore, while touching it, in addition to the one reported, I also see in the ptp4l man page:
refclock_sock_address - The address of the UNIX domain socket to be used by the refclock_sock servo. The default is /var/run/refclock.ptp.sock
So we should allow that path as well.

For chrony, my proposal (which, once agreed, we would need to pick up) would look like:

diff --git a/debian/usr.sbin.chronyd b/debian/usr.sbin.chronyd
index bc52d4f7..e64edc90 100644
--- a/debian/usr.sbin.chronyd
+++ b/debian/usr.sbin.chronyd
@@ -62,6 +62,13 @@ abi <abi/3.0>,
   @{run}/chrony.*.sock rw,
   # To sign replies to MS-SNTP clients by the smbd daemon
   /var/lib/samba/ntp_signd/socket rw,
+ # default path of the sock to sync with ptp4l
+ @{run}/refclock.ptp.sock rw,
+ # timemaster directory of chronyd, ... configuration files and sockets.
+ # read for all configs
+ @{run}/timemaster/* r,
+ # rw for coodination via the default socket path
+ @{run}/timemaster/chrony.SOCK0 rw,

   # rtc
   /etc/adjtime r,
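Review bot: `@{run}/timemaster/* r,` only matches entries directly under the timemaster rundir, because `*` in an AppArmor path does not cross `/`; if any of the generated configuration files can land in a subdirectory, `@{run}/timemaster/** r,` is needed, otherwise the single `*` is the tighter choice and should stay. The fixed socket name in `@{run}/timemaster/chrony.SOCK0 rw,` covers only one socket: if timemaster numbers the chronyd sockets per time source, a second PTP source would be denied, so it is worth confirming the naming scheme and, if so, widening it to `@{run}/timemaster/chrony.SOCK* rw,`. Minor: the comment line reads "coodination" and should be "coordination".

As an added example (not code from the bug report, the chrony package or its author), the two checks a packager would want before and after landing such a profile change: turn AppArmor `DENIED` audit lines into the `path mask` pairs the profile must grant, and test whether a proposed path rule actually matches a denied path under AppArmor's globbing, where `*` stops at `/` and `**` does not. The audit lines and the proposed rule list are constructed inline for the example; the glob translation handles only `@{run}`, `*` and `**`, not AppArmor's `{a,b}` alternation or character classes.

```shell
#!/bin/sh
# Added example, not code from the bug report or the chrony package.
#  1. denied_rules      - extract "PATH MASK" pairs from AppArmor DENIED lines
#  2. rule_covers       - does an AppArmor path rule match a concrete path?
#  3. covered_by_proposal - is a denied PATH/MASK granted by the proposed rules?
# The audit lines and proposed rules below are constructed for this example.

# Constructed sample audit lines (shape of what `journalctl -k` shows).
SAMPLE_LOG='type=AVC msg=audit(1691000000.000:1): apparmor="DENIED" operation="connect" profile="/usr/sbin/chronyd" name="/run/refclock.ptp.sock" pid=1234 comm="chronyd" requested_mask="wr" denied_mask="wr"
type=AVC msg=audit(1691000000.001:2): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/var/run/timemaster/chrony.conf" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1691000000.002:3): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/etc/other.conf" pid=5 comm="other" requested_mask="r" denied_mask="r"'

# Proposed rules as "PATH PERMS" (mirrors the hunk in the comment above).
PROPOSED='@{run}/refclock.ptp.sock rw
@{run}/timemaster/* r
@{run}/timemaster/chrony.SOCK0 rw'

# Print "PATH MASK" for every DENIED line of PROFILE read from stdin.
# Mask letters are sorted so that "wr" and "rw" compare equal.
denied_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' \
    | grep "profile=\"$profile\"" \
    | sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' \
    | while read -r path mask; do
        mask=$(printf '%s' "$mask" | fold -w1 | sort | tr -d '\n')
        printf '%s %s\n' "$path" "$mask"
      done \
    | sort -u
}

# Translate an AppArmor path rule into an extended regex and print yes/no
# for whether it matches PATH. Only @{run}, '*' and '**' are handled:
# '*' may not cross a '/', '**' may.
rule_covers() {
    rule="$1"; path="$2"
    re=$(printf '%s' "$rule" \
         | sed -e 's/\./\\./g' \
               -e 's#@{run}#(/run|/var/run)#g' \
               -e 's#\*\*#%DS%#g' \
               -e 's#\*#[^/]*#g' \
               -e 's#%DS%#.*#g')
    if printf '%s\n' "$path" | grep -Eq "^${re}"'$'; then echo yes; else echo no; fi
}

# Print yes if some PROPOSED rule matches PATH and grants every letter of MASK.
covered_by_proposal() {
    path="$1"; mask="$2"
    while read -r rpath rperms; do
        [ "$(rule_covers "$rpath" "$path")" = yes ] || continue
        ok=yes
        for c in $(printf '%s' "$mask" | fold -w1); do
            case "$rperms" in *"$c"*) ;; *) ok=no ;; esac
        done
        [ "$ok" = yes ] && { echo yes; return 0; }
    done <<EOF
$PROPOSED
EOF
    echo no
}

# Report, per denied access of chronyd, whether the proposal would grant it.
main() {
    printf '%s\n' "$SAMPLE_LOG" | denied_rules /usr/sbin/chronyd \
    | while read -r path mask; do
        printf '%-40s %-3s covered=%s\n' "$path" "$mask" \
            "$(covered_by_proposal "$path" "$mask")"
      done
}
main
```

The `rule_covers` check is what makes the `*` versus `**` distinction concrete: `@{run}/timemaster/*` covers `/run/timemaster/chrony.conf` but not anything one directory deeper, and a fixed name such as `chrony.SOCK0` does not cover a `chrony.SOCK1`.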