From 260ef98a959a46c9a090fdcb334a96df79eb44b3 Mon Sep 17 00:00:00 2001
From: Evan Caville
Date: Thu, 27 Mar 2025 16:19:54 +1000
Subject: [PATCH] profiles/apparmor.d: add ssh-keyscan profile
Signed-off-by: Evan Caville
---
profiles/apparmor.d/ssh-keyscan | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 profiles/apparmor.d/ssh-keyscan
diff --git a/profiles/apparmor.d/ssh-keyscan b/profiles/apparmor.d/ssh-keyscan
new file mode 100644
index 000000000..a71012c05
--- /dev/null
+++ b/profiles/apparmor.d/ssh-keyscan
@@ -0,0 +1,33 @@
+#------------------------------------------------------------------
+# Copyright (C) 2025 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+#
+abi ,
+
+include
+
+profile ssh-keyscan /usr/bin/ssh-keyscan {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ # By default, limit file options to the following dirs
+ file r @{HOME}/.ssh/{,**},
+
+ # Allow executable mapping and read for the binary
+ file mr /usr/bin/ssh-keyscan,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
+
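Review bot: The rule `file r @{HOME}/.ssh/{,**},` gives the confined process read access to everything under ~/.ssh, which normally includes the user's private keys, while the same profile allows inet/inet6 stream and dgram sockets. ssh-keyscan only gathers public host keys, so it has no apparent need for private key material. I would narrow the rule to the host-list files it is expected to read, add the `owner` qualifier, and refuse the keys explicitly with something like `audit deny file r @{HOME}/.ssh/id_*,`. A deny rule takes precedence over the broader allow, but keys stored under other names would still be readable, so narrowing the allow is the stronger fix. The targets of the `abi` and `include` lines are not visible on this page, so I cannot tell whether an included abstraction widens or restricts file access further.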