# vim: ft=apparmor
#------------------------------------------------------------------
#    Copyright (C) 2024 Canonical Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#------------------------------------------------------------------
#
abi <abi/4.0>,

include <tunables/global>

# Confinement profile for ssh-keygen, attached by path to /usr/bin/ssh-keygen.
# Access not granted below or by the included abstractions is refused when
# the profile is in enforce mode.
profile ssh-keygen /usr/bin/ssh-keygen {
  include <abstractions/base>

  # The binary itself: read plus executable memory mapping (m).
  file mr /usr/bin/ssh-keygen,

  # Read-only account and name-service configuration.
  # NOTE(review): presumably needed to look up the invoking user - confirm.
  file r /etc/passwd,
  file r /etc/nsswitch.conf,

  # Terminal for the current process
  file rw /dev/tty,

  # Common SSH file locations
  # System-wide SSH directory: read/write on the directory and everything
  # below it, with no owner restriction.
  file rw @{etc_rw}/ssh/{,**},
  # Per-user SSH directory: read/write only on files owned by the user the
  # confined process runs as (owner qualifier).
  # NOTE(review): the ** glob also makes every other file under ~/.ssh
  # writable, e.g. authorized_keys; confirm that breadth is intended.
  owner @{HOME}/.ssh/{,**} rw,

  # Restrict access to config file
  # A deny rule overrides the rw grant above, so the client config stays
  # readable but cannot be written. Without 'audit' a denial from a deny rule
  # is not logged; with it, blocked writes can be monitored. The rule carries
  # no owner qualifier, so it applies regardless of file ownership.
  audit deny @{HOME}/.ssh/config w,

  # Needed path for snap
  # '*' does not match '/', so this covers any top-level /tmp entry whose
  # name starts with "snapd", and everything below it. /tmp is shared; the
  # owner qualifier limits access to files owned by the confined process's user.
  owner /tmp/snapd*/{,**} rw,

  # Optional site-local additions; skipped when the file does not exist.
  # Rules placed there widen or narrow this profile and should be reviewed
  # together with it.
  include if exists <local/ssh-keygen>
 }
