Change from exactwhitelist to matchwhitelist. Discussion revealed that
there's a good reason to leave setgid in here, which is essentially
defense-in-depth (sometimes users may want to revert Kicksecure's
default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and
Kicksecure should not be less secure than vanilla Debian in that
situation).
Replace the commented-out matchwhitelist entry for ssh-agent with an
explicit permission entry (755) for /usr/bin/ssh-agent.
When ssh-agent's matchwhitelist entry was commented out in commit
7a5f8b87af, permission-hardener began resetting it to restrictive
defaults (744), preventing non-root users from executing ssh-agent. This
broke split SSH functionality in Qubes OS for me because I was using
Kicksecure in the vault qube, and ssh-agent runs under a non-root user in
that configuration (see https://forum.qubes-os.org/t/split-ssh/19060).
As noted in the comment, Debian installs with 2755 permissions as a way
to mitigate ptrace attacks, but this rationale doesn't apply due to
kernel.yama.ptrace_scope=2 being set in Kicksecure.
