From 4660b7d49ce9b9f15a229348fa171894d0d5d7f7 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 15 Sep 2024 13:22:12 +0200
Subject: [PATCH] add ssh-sk-helper
---
 apparmor.d/groups/ssh/ssh | 2 ++
 apparmor.d/groups/ssh/ssh-sk-helper | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 apparmor.d/groups/ssh/ssh-sk-helper
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh
index 296074f5f..a1046dbb5 100644
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@@ -25,6 +25,8 @@ profile ssh @{exec_path} {
 @{bin}/@{shells} rUx,
+ @{lib}/ssh/ssh-sk-helper rix -> ssh//null-@{lib}/ssh/ssh-sk-helper,
+
 @{etc_ro}/ssh/ssh_config r,
 @{etc_ro}/ssh/ssh_config.d/{,*} r,
 @{etc_ro}/ssh/sshd_config r,
diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper
new file mode 100644
index 000000000..915086e9c
--- /dev/null
+++ b/apparmor.d/groups/ssh/ssh-sk-helper
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq
+# SPDX-License-Identifier: GPL-2.0-only
+
+profile ssh//null-@{lib}/ssh/ssh-sk-helper {
+ / r,
+
+ @{lib}/ssh/ssh-sk-helper r,
+
+ /etc/ssl/openssl.cnf r,
+
+ @{sys}/ r,
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ @{sys}/class/hidraw/ r,
+ @{sys}/class/hidraw/hidraw@{int} r,
+ @{sys}/devices/ r,
+ @{sys}/devices/@{pci_bus}/ r,
+ @{sys}/devices/@{pci_bus}/{,**} r,
+
+ /dev/hidraw@{int} rwk,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
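Review bot: The rule added to `profile ssh` combines the `ix` (inherit) exec mode with a `->` target, and the target name `ssh//null-@{lib}/ssh/ssh-sk-helper` has the shape of the learning profiles the kernel creates in complain mode (`parent//null-…`). With `ix` the helper keeps running under the `ssh` profile, so as far as I can tell the new restricted profile is either never entered or the parser rejects the combination. If the intent is to confine the helper on its own, a real transition to a normally named profile would express it, e.g. `@{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper,`. It is worth confirming with `aa-status` which profile the helper process actually runs under while a security key is in use. The body of `profile ssh` continues outside the hunk.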
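Review bot: `/dev/hidraw@{int} rwk,` in the new profile grants read/write on every hidraw node, which covers keyboards and other HID devices as well as FIDO tokens. AppArmor cannot narrow this by path, so the rule should carry a comment such as `# matches all hidraw nodes; access to non-FIDO devices is limited only by the device-node permissions`. `@{sys}/devices/@{pci_bus}/ r,` is already covered by the `{,**}` rule on the following line and can be dropped, and the recursive read over the whole PCI sysfs subtree looks wider than HID enumeration needs. The profile also has no `include <abstractions/base>` and no `mr` on the helper binary, so if it were actually entered the helper would probably fail to map its libraries; this should be tested in enforce mode before relying on it.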