From 1aee62f52cb02cbdb054c233a350f4f07d828e48 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 21 Jun 2025 21:07:02 +0200
Subject: [PATCH] feat(abs): mappings: add support for role from the sshd-session profile.
---
 apparmor.d/abstractions/mapping/sshd | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd
index 97f0b077e..0f7512710 100644
--- a/apparmor.d/abstractions/mapping/sshd
+++ b/apparmor.d/abstractions/mapping/sshd
@@ -15,6 +15,8 @@
 capability audit_write,
 capability chown,
 capability dac_read_search,
+ capability fowner,
+ capability fsetid,
 capability kill,
 capability setgid,
 capability setuid,
@@ -25,12 +27,14 @@
 # but will fall back to a non-privileged version if it fails.
 deny capability net_admin,
+ network inet stream,
 network inet6 stream,
 network netlink raw,
 signal receive set=exists peer=@{p_systemd_journald},
 signal receive set=hup peer=@{p_systemd},
+ unix bind type=stream addr=@@{udbus}/bus/sshd-session/system,
 unix bind type=stream addr=@@{udbus}/bus/sshd/system,
 dbus send bus=system path=/org/freedesktop/login1
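Review bot: The added `capability fowner,` and `capability fsetid,` in the first hunk have no comment saying which sshd-session operation needs them, and both relax file-permission checks for every profile that includes this mapping. fowner bypasses the owner-UID check on operations such as chmod, and fsetid keeps set-user-ID and set-group-ID bits from being cleared when a file is modified, so an auditor cannot tell whether they were derived from an observed denial or added pre-emptively. I would put a line above them such as `# fowner, fsetid: needed when the role is entered from sshd-session` and record the triggering denial in the commit description. The capability list starts and ends outside the hunk.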
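Review bot: The new `unix bind type=stream addr=@@{udbus}/bus/sshd-session/system,` in the second hunk grants the sshd-session bus address, but the `dbus send bus=system path=/org/freedesktop/login1` rule after it is cut off by the end of the hunk. It is therefore not visible whether the dbus rules that pair with the bind also cover sshd-session, which is worth confirming so the bind is not granted without its matching send/receive rules. The added `network inet stream,` is likewise uncommented. A short comment above the network rules, such as `# TCP over IPv4 and IPv6, used by both sshd and sshd-session`, would make clear that the abstraction now serves two profiles.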