abi <abi/4.0>,

include <tunables/global>

profile sshd /{usr/,}sbin/sshd flags=(attach_disconnected) {
  include <abstractions/openssh-common>

  capability net_bind_service,
  capability sys_chroot,
  capability kill,

  /{usr/,}sbin/sshd px -> sshd_child,

  /usr/libexec/ssh/sshd-session px,

  include if exists <local/sshd>
}

profile sshd_child flags=(attach_disconnected) {
  include <abstractions/openssh-common>
  include <abstractions/openssh-auth>
  include <abstractions/openssl>

  /{usr/,}sbin/sshd px -> sshd_child,
  /usr/libexec/ssh/sshd-session px -> sshd-session,

  include if exists <local/sshd_child>
}

profile sshd-session /usr/libexec/ssh/sshd-session {
  include <abstractions/openssh-common>
  include <abstractions/openssh-auth>

  /usr/libexec/ssh/sshd-session rm,
  /usr/libexec/ssh/sshd-auth px,

  include if exists <local/sshd_child>
}

profile sshd-auth /usr/libexec/ssh/sshd-auth {
  include <abstractions/openssh-common>
  include <abstractions/openssh-auth>

  /usr/libexec/ssh/sshd-auth rm,

  include if exists <local/sshd_child>
}