feat(profile): ssh: cleanup.

2025-08-28 21:27:58 +02:00 · 2025-08-28 21:27:58 +02:00 · 61d8cee932
commit 61d8cee932
parent c9813dc34f
4 changed files with 5 additions and 3 deletions
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} {
  include <abstractions/nameservice-strict>

  signal receive set=term peer=cockpit-bridge,
+  signal receive set=term peer=cockpit-session,
  signal receive set=term peer=gnome-keyring-daemon,

  @{exec_path} mr,
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@ -18,7 +18,8 @@ profile ssh-keygen @{exec_path} {
  /etc/ssh/moduli rw,
  /etc/ssh/ssh_host_*_key* rw,

-  owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw,
+  owner @{HOME}/@{XDG_SSH_DIR}/ rw,
+  owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*,

  owner /tmp/snapd@{int}/*_*{,.pub} w,
  owner /tmp/snapd@{int}/*.key{,.pub} w,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -102,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  owner @{user_download_dirs}/{,**} rwl,
  owner @{user_sync_dirs}/{,**} rwl,

-  @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
+  @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r,
  owner @{user_cache_dirs}/{,motd*} rw,

  @{att}/@{run}/systemd/sessions/@{int}.ref rw,
--- a/apparmor.d/groups/ssh/sshfs
+++ b/apparmor.d/groups/ssh/sshfs
@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) {
  mount fstype=fuse.sshfs -> @{MOUNTS}/*/,
  mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/,

-  unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),
+  unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"),

  @{exec_path} mr,