abi <abi/4.0>,

include <tunables/global>

profile sshd /{usr/,}sbin/sshd flags=(attach_disconnected) {
  include <abstractions/openssh-common>

  capability net_bind_service,
  capability sys_chroot,
  capability kill,

  /{usr/,}sbin/sshd px -> sshd_child,
  /{usr/,}sbin/sshd.hmac r,

  /usr/libexec/ssh/sshd-session px,

  include if exists <local/sshd>
}

profile sshd_child flags=(attach_disconnected) {
  include <abstractions/openssh-common>
  include <abstractions/openssh-auth>
  include <abstractions/openssl>

  /{usr/,}sbin/sshd px -> sshd_child,
  /usr/libexec/ssh/sshd-session px -> sshd-session,

  include if exists <local/sshd_child>
}

profile sshd-session /usr/libexec/ssh/sshd-session {
  include <abstractions/openssh-common>
  include <abstractions/openssh-auth>

  /usr/libexec/ssh/sshd-session rm,

  include if exists <local/sshd_child>
}