I'm not sure whether this is a problem with ntp, hardened-sources or permissions. In sequence:

While the box is running on gentoo-sources, ntpd works correctly, both started as root and started as ntp. I can run "ntpdate [address ipv6]" from another host. I can run ntpq -p ::1 on localhost. Ntpd receives ipv6 udp packets and responds to them.

Let's start the box using hardened-sources. I start ntpd as root: "ntpd -n", everything is OK. ntpq -p ::1 shows connected peers, I can query from another host.

I'm using ntp with the "caps" use flag, so normally ntpd is running as the ntp user. Let's start ntpd as ntp: ntp -u ntp -n . Now ntpq -p ::1 can't get information about peers. I can't completely connect to ntpd using ipv6.

So, the problem appears when I use hardened-sources, ntp with USE="caps".

Reproducible: Always

Steps to Reproduce:
1. emerge hardened-sources, reboot
2. USE="caps" emerge ntp
3. ntpq -p ::1

Actual Results:
ntpq -p ::1
::1: timed out, nothing received
***Request timed out

Expected Results:
ntpq -p ::1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 cxd3.internetds .PPSa.           1 u    2   64    1   26.766   66.352   0.001
 riget.nette.pl  212.244.36.227   2 u    1   64    1   10.458   70.714   0.001

# emerge --info
Portage 2.1.8.3 (default/linux/x86/10.0/server, gcc-4.4.4, glibc-2.11.2-r0, 2.6.32-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.32-hardened-r9-i686-Intel-R-_Core-TM-2_CPU_4300_@_1.80GHz-with-gentoo-2.0.1
Timestamp of tree: Tue, 29 Jun 2010 15:15:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 4.1_p7
dev-lang/python: 2.6.5-r2, 3.1.2-r3
dev-util/ccache: 2.4-r8
dev-util/cmake: 2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.6.1-r1
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.65-r1
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.3.5, 4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
virtual/os-headers: 2.6.34
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=native -mfpmath=sse -fpeel-loops -pipe -ftracer -floop-block -ftree-loop-distribution -floop-interchange -floop-strip-mine -floop-strip-mine -fprefetch-loop-arrays"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /home/mythtv/ /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -mfpmath=sse -fpeel-loops -pipe -ftracer -floop-block -ftree-loop-distribution -floop-interchange -floop-strip-mine -floop-strip-mine -fprefetch-loop-arrays"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache collision-protect distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo"
LANG="pl_PL"
LC_ALL="pl_PL.ISO-8859-2"
LDFLAGS="-Wl,-O1"
LINGUAS="en pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--inplace -6"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/local/portage/miro-overlay/staging /usr/local/portage/miro-overlay/portage /usr/local/SUNRISE/maintainer-wanted"
SYNC="rsync://trumpetti.atm.tut.fi/gentoo-portage/"
USE="a52 aac acl acpi adns aio apache2 ares aspell async audiofile automount bash-completion bcmath berkdb bittorrent bzip2 caps cgi chroot clamav clamdtop cli cracklib crypt curl cxx daemon dhcp domainkeys dri dts dvd embedded exif exiscan exiscan-acl extras faac faad fam flac fortran ftp gdbm gmp gnutls gpm graphite hash iconv idn ieee1394 iproute2 ipv6 javascript jpeg justify logrotate logwatch loop-aes lzo maildir mmap mmx mmxext modules mouse mp3 mp4 mpeg mudflap nagios-dns nagios-ntp nagios-ping nagios-ssh ncurses netpbm network-cron nls nntp nptl nptlonly ogg openmp openssl optimization optimized-qmake pam pcre perl png pop3d posix pppd prelude profile python quotas rar readline reflection samba session sharedmem shorten slang smp sockets spell spf spl sse sse2 sse3 ssl ssse3 stats subtitles svg swat sysfs syslog theora threads tiff tokenizer tools tordns tos transcode unicode unzip urandom usb uudeview vcd vdpau vhosts vim vim-pager vim-syntax visibility vorbis wifi x86 xattr xfs xml xmlreader xmlrpc xmlwriter xorg xsl xvid xvmc zip zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
APACHE2_MPMS="worker"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en pl"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="nvidia"
XTABLES_ADDONS="tarpit"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Created attachment 236965 kernel config
With ipv4, in every case ntpd works correctly.
I can't reproduce this. Here's the system I'm using and ntpd:

uname -mr
2.6.32-hardened-r9 i686

ps aux | grep ntp
ntp 13075 0.0 0.3 4556 3076 pts/0 S 16:17 0:00 ntpd -u ntp -n

In one terminal I run the query:

ntpq -p ::1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 splenda.rustyte 18.26.4.105      2 u   29   64   17   55.373  1439746  46.670
 quandary.cross- 132.239.1.6      2 u   29   64   17   91.398  1439747  43.455
 ds3-us.zagbot.c 209.51.161.238   2 u   31   64   17   30.724  1439746  41.037
 dev1-c.lax009.i 209.81.9.7       2 u   29   64   17  103.616  1439747  42.748

While in another I sniff:

tcpdump -i lo ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
16:21:02.174725 IP6 localhost.40371 > localhost.ntp: NTPv2, Reserved, length 12
16:21:02.174883 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 28
16:21:02.174944 IP6 localhost.40371 > localhost.ntp: NTPv2, Reserved, length 12
16:21:02.174990 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 444
16:21:02.175005 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 220
16:21:02.176288 IP6 localhost.40371 > localhost.ntp: NTPv2, Reserved, length 12
16:21:02.176345 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 448
16:21:02.176361 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 220
16:21:02.177215 IP6 localhost.40371 > localhost.ntp: NTPv2, Reserved, length 12
16:21:02.177269 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 452
16:21:02.177284 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 220
16:21:02.178162 IP6 localhost.40371 > localhost.ntp: NTPv2, Reserved, length 12
16:21:02.178217 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 444
16:21:02.178232 IP6 localhost.ntp > localhost.40371: NTPv2, Reserved, length 224

Looks okay.
I'm going to compare .configs and see if there's something there.
You set CONFIG_GRKERNSEC_SOCKET=y which restricts socket access. Please unselect it and your problem should clear. I've tested and it clears for me. Although you selected CONFIG_GRKERNSEC_SOCKET, you really don't make use of it because you didn't select either CONFIG_GRKERNSEC_SOCKET_ALL, CONFIG_GRKERNSEC_SOCKET_CLIENT or CONFIG_GRKERNSEC_SOCKET_SERVER. So CONFIG_GRKERNSEC_SOCKET=y is useless, except to introduce this problem. I'm not sure why it doesn't affect ipv4 as ipv6. It may be related to a minor bug in the grsec patch where a symbol wasn't exported. See Bug 326443 Comment 2. This is just a guess, I did not explore further. When I get the patchset for grsecurity-2.2.0-2.6.32.15-201006271253 out, I'll check this point. I'm closing the bug for now. If you still have problems after this workaround, feel free to reopen it.
Reopening it temporarily to reassign it properly to hardened-kernel.
(In reply to comment #4)
> You set CONFIG_GRKERNSEC_SOCKET=y which restricts socket access. Please
> unselect it and your problem should clear. I've tested and it clears for me.
[...]
> I'm closing the bug for now. If you still have problems after this workaround,
> feel free to reopen it.

Unfortunately I have to reopen the bug. I've unselected this option and it doesn't help for me:

zgrep _SOCKET /proc/config.gz
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
# CONFIG_GRKERNSEC_SOCKET is not set

$ uname -r
2.6.32-hardened-r10

I'm getting the same problem on a second host, there is "# CONFIG_GRKERNSEC_SOCKET is not set", and kernel: 2.6.32-hardened-r9 .
Created attachment 237729 current .config
I confirmed the bug using your config file. This is not a networking issue, at least not directly. If you start a udp server on port 123 with 'nc6 -6 -l -u -p 123' and you use 'nc6 -6 -u ::1 123' to communicate with it, there is no problem. But with ntpd there is. strace doesn't give anything except to confirm the connection did not occur. It is also a hardened-kernel issue because I tested your config with a vanilla 2.6.32.15 and the bug did not show up. I'm continuing to narrow it down in the config file. If it's not too much trouble, can you confirm if this problem persists for 2.6.32-r11 that just hit the tree?
reproducible using hardened 2.6.32-11, ntp-4.2.4_p7

# PaX
CONFIG_PAX=y
# PaX Control
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_MODULE_TEXT=8
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_VM86=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_AUDIT_GROUP=y
CONFIG_GRKERNSEC_AUDIT_GID=100
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
# CONFIG_GRKERNSEC_TIME is not set
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_AUDIT_TEXTREL=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=10
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
In a day or two I'll try to test kernel 2.6.34 (2.6.32-r11 is tested - mid-air collision ;) ). BTW and OT: thank you for taking care of hardened-sources.
Although I don't understand it, I've narrowed it down. Can you try to turn off just CONFIG_GRKERNSEC_PROC_USER in your config file? With this option set, I get the bug, with it off, I do not.
I can confirm, when I turn off PROC_USER ntpq -p ::1 works.
Confirmed: ntp run as root:

/usr/sbin/ntpd -p /var/run/ntpd.pid

14:19:20 pluto ~ # ntpq -p ::1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ptbtime1.ptb.de .PTB.            1 u    4   64    1   33.121   84.169   0.001
 ptbtime2.ptb.de .PTB.            1 u    3   64    1   33.864   66.455   0.001
 LOCAL(1)        .LOCL.          10 l    2   64    1    0.000    0.000   0.001

and it works. CONFIG_GRKERNSEC_PROC_USER=y is set.
If run as ntp user, this will show up in logs:

Jul 19 14:20:54 pluto ntpd[14907]: Deleting interface #2 lo, ::1#123, interface stats: received=0, sent=0, dropped=0, active_time=1 secs
Jul 19 14:20:54 pluto ntpd[14907]: Deleting interface #3 br0, fe80::240:63ff:feed:17de#123, interface stats: received=0, sent=0, dropped=0, active_time=1 secs
Jul 19 14:20:54 pluto ntpd[14907]: Deleting interface #4 eth1.8, fe80::240:63ff:feed:17dd#123, interface stats: received=0, sent=0, dropped=0, active_time=1 secs

So IPv6 interfaces are removed by ntpd.
So ntpd needs to have its group added to that set by PROC_USERGROUP, which should be enabled instead of PROC_USER. Can you obtain an strace -f -e open ntpd so I can see what in /proc it was attempting to access?

-Brad

(In reply to comment #14)
> If run as ntp user, this will show up in logs:
>
> Jul 19 14:20:54 pluto ntpd[14907]: Deleting interface #2 lo, ::1#123, interface
> stats: received=0, sent=0, dropped=0, active_time=1 secs
> Jul 19 14:20:54 pluto ntpd[14907]: Deleting interface #3 br0,
> fe80::240:63ff:feed:17de#123, interface stats: received=0, sent=0, dropped=0,
> active_time=1 secs
> Jul 19 14:20:54 pluto ntpd[14907]: Deleting interface #4 eth1.8,
> fe80::240:63ff:feed:17dd#123, interface stats: received=0, sent=0, dropped=0,
> active_time=1 secs
>
> So IPv6 interfaces are removed by ntpd.
>
From the strace below, looks like a read-only open of /proc/net/if_inet6

sixtyfour ~ # strace -f -e open /usr/sbin/ntpd -u ntp:ntp
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libm.so.6", O_RDONLY) = 3
open("/usr/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
open("/lib/libcap.so.2", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY) = 3
open("/lib/libz.so.1", O_RDONLY) = 3
open("/lib/libattr.so.1", O_RDONLY) = 3
open("/etc/localtime", O_RDONLY) = 4
Process 17846 attached
open("/dev/null", O_RDWR) = 4
open("/proc/net/if_inet6", O_RDONLY) = 5
open("/etc/ntp.conf", O_RDONLY) = 4
open("/etc/nsswitch.conf", O_RDONLY) = 5
open("/etc/ld.so.cache", O_RDONLY) = 5
open("/lib64/tls/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 5
open("/lib/libnss_files.so.2", O_RDONLY) = 5
open("/etc/services", O_RDONLY|O_CLOEXEC) = 5
open("/etc/host.conf", O_RDONLY) = 5
open("/etc/resolv.conf", O_RDONLY) = 5
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
open("/etc/ld.so.cache", O_RDONLY) = 5
open("/lib/libnss_dns.so.2", O_RDONLY) = 5
open("/lib/libresolv.so.2", O_RDONLY) = 5
open("/etc/resolv.conf", O_RDONLY) = 5
open("/etc/gai.conf", O_RDONLY) = 5
open("/etc/services", O_RDONLY|O_CLOEXEC) = 5
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
open("/etc/services", O_RDONLY|O_CLOEXEC) = 5
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
open("/etc/services", O_RDONLY|O_CLOEXEC) = 5
open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 5
open("/var/lib/ntp/ntp.drift", O_RDONLY) = 5
open("/etc/services", O_RDONLY|O_CLOEXEC) = 5
open("/etc/ld.so.cache", O_RDONLY) = 4
open("/lib/libnss_compat.so.2", O_RDONLY) = 4
open("/lib/libnsl.so.1", O_RDONLY) = 4
open("/etc/ld.so.cache", O_RDONLY) = 4
open("/lib/libnss_nis.so.2", O_RDONLY) = 4
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
--- SIGALRM (Alarm clock) @ 0 (0) ---
open("/proc/net/if_inet6", O_RDONLY) = -1 ENOENT (No such file or directory)
--- SIGALRM (Alarm clock) @ 0 (0) ---
--- SIGALRM (Alarm clock) @ 0 (0) ---
--- SIGALRM (Alarm clock) @ 0 (0) ---
--- SIGALRM (Alarm clock) @ 0 (0) ---
--- SIGALRM (Alarm clock) @ 0 (0) ---
--- SIGALRM (Alarm clock) @ 0 (0) ---
--- SIGALRM (Alarm clock) @ 0 (0) ---
--- SIGALRM (Alarm clock) @ 0 (0) ---
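The trace above shows the same path opening once while ntpd is still root and failing once it runs as ntp. As an added example that is not part of the original thread, this filter picks such paths out of `strace -f -e open` output and ignores paths that never opened at all (the libnss_db probes); the function names and the shortened sample lines are constructed for illustration.

```shell
#!/bin/sh
# Print every path that strace shows opening successfully at least once and
# failing later, together with the errno of the first such failure.
lost_opens() {
    awk '
        # open("PATH", ...) with or without the "[pid N] " prefix added by -f
        match($0, /open\("[^"]+"/) {
            path = substr($0, RSTART + 6, RLENGTH - 7)
            if ($0 ~ /\) += +-1 +E[A-Z]+/) {
                # Failed call: only interesting if this path worked before.
                if ((path in ok) && !(path in reported)) {
                    errno = $0
                    sub(/.*= +-1 +/, "", errno)   # drop everything up to the errno
                    sub(/ .*/, "", errno)         # drop the errno description
                    print path, errno
                    reported[path] = 1
                }
            } else if ($0 ~ /\) += +[0-9]+/) {
                ok[path] = 1
            }
        }
    '
}

# Constructed sample, shortened from the shape of the trace in this thread.
sample_trace() {
    cat <<'EOF'
open("/etc/localtime", O_RDONLY) = 4
open("/proc/net/if_inet6", O_RDONLY) = 5
open("/lib64/libnss_db.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
--- SIGALRM (Alarm clock) @ 0 (0) ---
open("/proc/net/if_inet6", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 17846] open("/proc/net/if_inet6", O_RDONLY) = -1 ENOENT (No such file or directory)
EOF
}

sample_trace | lost_opens   # prints: /proc/net/if_inet6 ENOENT
```

On a live system the input would come from a saved trace, for example `strace -f -e open -o trace.txt ...` followed by `lost_opens < trace.txt`.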
This problem occurs because ntpd does not have the needed privileges to access /proc/net/if_inet6 when not run as root (USE=caps). You can reconfigure to get the same level of security by deselecting CONFIG_GRKERNSEC_PROC_USER and selecting CONFIG_GRKERNSEC_PROC_USERGROUP instead. You can then add the ntp user to the GID for the special group to get it to read the needed info from /proc. I tested and it works for me. This is actually working as expected, so it is not a valid bug. Closing for now.
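One way to check the configuration described above before restarting the daemon, as an added example that is not part of the original thread. It assumes the group is set by CONFIG_GRKERNSEC_PROC_GID (the grsecurity option for the special group's GID, not named on this page); the function names, GID 1001 and GID 123 are constructed sample values.

```shell
#!/bin/sh
# proc_access_verdict CONFIG_FILE "GID GID ..."
#   CONFIG_FILE  kernel config as text, e.g. from: zcat /proc/config.gz
#   GIDs         numeric groups of the daemon user, e.g. from: id -G ntp
proc_access_verdict() {
    cfg=$1
    gids=$2
    # PROC_USER has no group exception: only root sees /proc/net.
    if grep -q '^CONFIG_GRKERNSEC_PROC_USER=y' "$cfg"; then
        echo "blocked: PROC_USER set, use PROC_USERGROUP instead"
        return 1
    fi
    if grep -q '^CONFIG_GRKERNSEC_PROC_USERGROUP=y' "$cfg"; then
        # Assumption: the special group is given by CONFIG_GRKERNSEC_PROC_GID.
        gid=$(sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p' "$cfg")
        if [ -z "$gid" ]; then
            echo "unknown: PROC_GID missing from config"
            return 2
        fi
        for g in $gids; do
            if [ "$g" = "$gid" ]; then
                echo "ok: daemon user is in proc group $gid"
                return 0
            fi
        done
        echo "blocked: daemon user is not in proc group $gid"
        return 1
    fi
    echo "ok: no GRKERNSEC_PROC restriction"
    return 0
}

# Constructed sample configs: the setting from this report and the fix.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'CONFIG_GRKERNSEC_PROC=y' 'CONFIG_GRKERNSEC_PROC_USER=y' > "$tmp/before"
    printf '%s\n' 'CONFIG_GRKERNSEC_PROC=y' '# CONFIG_GRKERNSEC_PROC_USER is not set' \
        'CONFIG_GRKERNSEC_PROC_USERGROUP=y' 'CONFIG_GRKERNSEC_PROC_GID=1001' > "$tmp/after"
    proc_access_verdict "$tmp/before" "123" || true       # PROC_USER kernel
    proc_access_verdict "$tmp/after" "123" || true        # fixed kernel, group not added
    proc_access_verdict "$tmp/after" "123 1001" || true   # fixed kernel, group added
    rm -rf "$tmp"
}
demo
```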
Sorry for the huge delay, I couldn't upgrade hardened-kernel earlier. It's good news it's not a bug in soft, bad news it was my fault. With configured GRKERNSEC_PROC_USERGROUP ntp works on ipv6 correctly. Thank you.