Comment 4 for bug 722815

Kees Cook (kees) wrote :

Thanks for tracking this down! Unfortunately, ipc_owner is a rather strong capability (allows access to all shared memory), and it looks like ntpd expects to actually write to the memory region (e.g. "shm->valid = 0" is in the code), so SHM_RDONLY doesn't seem viable either. Instead, I've added a note to the AppArmor profile itself pointing people to the right option if they want to enable it for their local system (since it doesn't seem appropriate to do this by default for all ntpd users).