From e9fbc3503636273f0d36697a38f4f061049a38d4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 10 Jul 2025 00:52:26 +0200
Subject: [PATCH] feat(profile): minor sshd improvement.

---
 apparmor.d/groups/ssh/sshd-auth    | 2 ++
 apparmor.d/groups/ssh/sshd-session | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth
index cb4defc0f..c1601b813 100644
--- a/apparmor.d/groups/ssh/sshd-auth
+++ b/apparmor.d/groups/ssh/sshd-auth
@@ -24,6 +24,8 @@ profile sshd-auth @{exec_path} {
   @{exec_path} mr,
   @{sbin}/sshd.hmac r,
+  /etc/gss/mech.d/{,*} r,
+
   include if exists
 }
diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session
index e74696334..5f09af5cc 100644
--- a/apparmor.d/groups/ssh/sshd-session
+++ b/apparmor.d/groups/ssh/sshd-session
@@ -47,6 +47,11 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) {
        member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
        peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+  dbus send bus=system path=/org/freedesktop/home1
+       interface=org.freedesktop.home1.Manager
+       member=GetUserRecordByName
+       peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"),
+
   @{exec_path} mr,
   @{bin}/@{shells} Ux, #aa:exclude RBAC
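Review bot: The new `/etc/gss/mech.d/{,*} r,` rule in the sshd-auth hunk carries no comment saying which code path needs it, so a reader cannot tell whether it serves GSSAPI authentication or something else; a one-line comment above it such as `# GSSAPI mechanism configuration (mech.d/*.conf) read during GSSAPI auth` would record that. libgssapi also consults the legacy `/etc/gss/mech` file next to `mech.d/`, so if that path is not already granted elsewhere in the profile (outside this hunk) a matching `/etc/gss/mech r,` rule would likely be needed on the same code path. Those configuration files name mechanism plugin shared objects that are presumably loaded at runtime, which the `r` here does not cover; any `m` access for them should be added only for the specific libraries observed in logs, not as a broad glob. The hunk ends at the profile's closing brace, and the `include if exists` context line appears to have lost its `<local/sshd-auth>` target in this rendering.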