From 437043c9ddb812d6c4c31b9d373443ec003f7dc4 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 10 Nov 2021 10:24:15 +0000
Subject: [PATCH 1/5] fixes for ssh

After seeing https://github.com/netblue30/firejail/commit/9a81078ddbbb4215d06f7d1861481ece05ebda99 it dawned on me that Arch Linux doesn't have /usr/lib/openssh, but uses /usr/lib/ssh instead. That's a different path than what's referenced in our current {allow-ssh,disable-common}.inc files. Some very superficial checks revealed that OpenSSH seems to be packaged quite differently, at least on Debian/Ubuntu and Arch Linux. And then there's version differences on non-rolling distro's to consider. All in all IMO it makes more sense to (no)blacklist /usr/lib/openssh and /usr/lib/ssh instead of referencing all the possible individual files that live under those paths.
---
 etc/inc/allow-ssh.inc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index a78798a181b..8995e5a7403 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -5,6 +5,9 @@ include allow-ssh.local
 noblacklist ${HOME}/.ssh
 noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
-noblacklist /tmp/ssh-*
 noblacklist ${PATH}/ssh
-noblacklist /usr/lib/openssh/ssh-keysign
+noblacklist /tmp/ssh-*
+# Debian/Ubuntu and derivatives
+noblacklist /usr/lib/openssh
+# Arch Linux and derivatives
+noblacklist /usr/lib/ssh

From a3836acad5d1531867ac558a4ce15399ad43e8ba Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 10 Nov 2021 10:27:23 +0000
Subject: [PATCH 2/5] fixes for ssh

Counterpart fix for changes in allow-ssh.inc.
---
 etc/inc/disable-common.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 1a4de9b26a2..6a8ad68944c 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
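Review bot: The added `noblacklist /usr/lib/openssh` and `noblacklist /usr/lib/ssh` un-hide every helper under those directories, whereas the removed line exposed only ssh-keysign, the privileged helper that is the reason the path is blacklisted at all; that wider exemption is explained in the commit message but nowhere in the file. A one-line comment above the Debian entry would capture it for the next maintainer: `# whole directory rather than ssh-keysign alone: OpenSSH helper layout differs per distro`. The same remark applies to the `/usr/libexec/openssh` entry added in patch 3. Since these entries pair with the `blacklist` lines in disable-common.inc (patches 2 and 5), the two lists should be kept in lock-step whenever a distro path is added or removed.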
@@ -495,7 +495,8 @@ blacklist ${PATH}/xev
 blacklist ${PATH}/xinput
 # from 0.9.67
 blacklist ${PATH}/ssh
-blacklist /usr/lib/openssh/ssh-keysign
+blacklist /usr/lib/openssh
+blacklist /usr/lib/ssh
 blacklist ${PATH}/passwd
 blacklist /usr/lib/xorg/Xorg.wrap
 blacklist /usr/lib/policykit-1/polkit-agent-helper-1

From 4240274169b2810ed3dcb1b8e768fb2aceea4c7a Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 10 Nov 2021 11:19:48 +0000
Subject: [PATCH 3/5] add Fedora fixes

Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767.
---
 etc/inc/allow-ssh.inc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/etc/inc/allow-ssh.inc b/etc/inc/allow-ssh.inc
index 8995e5a7403..5d41e66077e 100644
--- a/etc/inc/allow-ssh.inc
+++ b/etc/inc/allow-ssh.inc
@@ -7,7 +7,9 @@ noblacklist /etc/ssh
 noblacklist /etc/ssh/ssh_config
 noblacklist ${PATH}/ssh
 noblacklist /tmp/ssh-*
-# Debian/Ubuntu and derivatives
-noblacklist /usr/lib/openssh
 # Arch Linux and derivatives
 noblacklist /usr/lib/ssh
+# Debian/Ubuntu and derivatives
+noblacklist /usr/lib/openssh
+# Fedora and derivatives
+noblacklist /usr/libexec/openssh

From 6ec4028c11e772adaf9fc2c68e1f0df18f65bb97 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 10 Nov 2021 11:26:31 +0000
Subject: [PATCH 4/5] add Fedora fix

Added Fedora path as per https://github.com/netblue30/firejail/pull/4675#pullrequestreview-802438767. NOTE: there are several other profiles touching /usr/libexec, so untill someone on Fedora can shed some light on what files are installed under /usr/libexec, I only blacklisted ssh-keysign. I'll pick this up tomorrow, a bit pressed for time in the non-digital worlds...
---
 etc/inc/disable-common.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 6a8ad68944c..9fc4ae0dc85 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
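Review bot: The added `blacklist /usr/lib/openssh` and `blacklist /usr/lib/ssh` sit directly under the `# from 0.9.67` marker, which presumably records the release in which the following entries appeared, so a reader will date the new directory entries to that release too; a distro comment above each entry, mirroring allow-ssh.inc (`# Debian/Ubuntu and derivatives` / `# Arch Linux and derivatives`), keeps the two files readable side by side and breaks that false association. Hiding the whole directory instead of ssh-keysign alone also hides the unprivileged OpenSSH helpers installed there, which is the safer default for profiles that do not include allow-ssh.inc; that trade-off is worth stating in the same comment so it is not "fixed" back to a single file later.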
@@ -497,6 +497,7 @@ blacklist ${PATH}/xinput
 blacklist ${PATH}/ssh
 blacklist /usr/lib/openssh
 blacklist /usr/lib/ssh
+blacklist /usr/libexec/openssh/ssh-keysign
 blacklist ${PATH}/passwd
 blacklist /usr/lib/xorg/Xorg.wrap
 blacklist /usr/lib/policykit-1/polkit-agent-helper-1

From 4e3145fb574f4b58b9654394f12f80e465677582 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 10 Nov 2021 11:55:49 +0000
Subject: [PATCH 5/5] change Fedora ssh fix

Suggested in https://github.com/netblue30/firejail/pull/4675#discussion_r746510840. Makes sense!
---
 etc/inc/disable-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 9fc4ae0dc85..bdc5ff6b288 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -497,7 +497,7 @@ blacklist ${PATH}/xinput
 blacklist ${PATH}/ssh
 blacklist /usr/lib/openssh
 blacklist /usr/lib/ssh
-blacklist /usr/libexec/openssh/ssh-keysign
+blacklist /usr/libexec/openssh
 blacklist ${PATH}/passwd
 blacklist /usr/lib/xorg/Xorg.wrap
 blacklist /usr/lib/policykit-1/polkit-agent-helper-1
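Review bot: The final `blacklist /usr/libexec/openssh` line, like the two directory entries above it, gives no hint of which distro layout it serves, while allow-ssh.inc labels each matching `noblacklist` entry per distro; a single comment over the three lines, e.g. `# OpenSSH helper directories (Debian/Ubuntu, Arch, Fedora); the privileged ssh-keysign lives here`, keeps the two files in step. Patch 4's message says that other profiles touch /usr/libexec and that the Fedora contents of that directory were not checked, so whether any existing profile depends on an unprivileged helper under `/usr/libexec/openssh` without including allow-ssh.inc remains unverified by this series; a short TODO to that effect next to the entry would make the open question visible.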