From 043dc3fc0589d3c361dd9e4a1cdf543fab8284df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 15:23:24 +0200 Subject: [PATCH] feat(profile): add paperspecs to cups backend. --- apparmor.d/groups/cups/cups-backend-beh | 1 + apparmor.d/groups/cups/cups-backend-bluetooth | 1 + apparmor.d/groups/cups/cups-backend-brf | 1 + apparmor.d/groups/cups/cups-backend-dnssd | 1 + apparmor.d/groups/cups/cups-backend-hp | 1 + apparmor.d/groups/cups/cups-backend-implicitclass | 1 + apparmor.d/groups/cups/cups-backend-ipp | 1 + apparmor.d/groups/cups/cups-backend-lpd | 1 + apparmor.d/groups/cups/cups-backend-mdns | 1 + apparmor.d/groups/cups/cups-backend-parallel | 1 + apparmor.d/groups/cups/cups-backend-pdf | 6 ++++-- apparmor.d/groups/cups/cups-backend-serial | 1 + apparmor.d/groups/cups/cups-backend-snmp | 1 + apparmor.d/groups/cups/cups-backend-socket | 1 + apparmor.d/groups/cups/cups-backend-usb | 1 + 15 files changed, 18 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh index e2dbc1b51..1e9fe5b78 100644 --- a/apparmor.d/groups/cups/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth index ada4926ce..78ffbac77 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf index 27e98efc3..6d50b284f 100644 --- a/apparmor.d/groups/cups/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf 
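Review bot: The pair `/etc/papersize r,` and `/etc/paperspecs r,` is now repeated verbatim in every cups-backend-* profile this patch touches, starting with cups-backend-beh and continuing through bluetooth, brf, dnssd, hp, implicitclass, ipp, lpd, mdns, parallel, pdf, serial, snmp, socket and usb. The next file the paper-size library reads will need fifteen identical edits, and a missed one shows up as a denial in that backend only. If the tree has, or can take, a shared abstraction for the cups backends, moving both rules there would keep the policy in one place. Otherwise a short comment above the pair, such as `# paper size configuration (presumably read via libpaper)`, would tell a reader why every backend needs these files. Each profile body starts outside its hunk, so any existing shared include is not visible here.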
@@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index f45b99216..1009a0ef2 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -14,6 +14,7 @@ profile cups-backend-dnssd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp index 636121553..cd9af3d7f 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index ba85c62fa..c71295f83 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index b473ecaa3..8d61f4072 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd index af2901be0..89b62b569 100644 --- a/apparmor.d/groups/cups/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/groups/cups/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns index 0b9cce0da..9e5dfbe0f 100644 --- a/apparmor.d/groups/cups/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns @@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel index a985e5042..b4340b2ed 100644 --- a/apparmor.d/groups/cups/cups-backend-parallel +++ b/apparmor.d/groups/cups/cups-backend-parallel @@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 7782ecb11..6f658b064 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -14,9 +14,10 @@ profile cups-backend-pdf @{exec_path} { include capability chown, + capability dac_override, + capability dac_read_search, capability setgid, capability setuid, - capability dac_override, unix peer=(label=cupsd), @@ -30,10 +31,11 @@ profile cups-backend-pdf @{exec_path} { /usr/share/ghostscript/{,**} r, - /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, + /etc/papersize r, + /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/groups/cups/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial index 3959a091d..26811ab59 100644 --- a/apparmor.d/groups/cups/cups-backend-serial +++ b/apparmor.d/groups/cups/cups-backend-serial @@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/groups/cups/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp index 5badd529a..816f6c25b 100644 
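Review bot: The first cups-backend-pdf hunk adds `capability dac_read_search,` and keeps `capability dac_override,` (only moved up), but the commit subject mentions only paperspecs, so a privilege change rides along undocumented. dac_read_search is the narrower of the two; if the denials that motivated it were read or directory-search accesses, it is worth checking whether dac_override is still needed, since holding both also lets the backend bypass write permission checks. I would add a comment above the pair, for example `# dac_read_search: <path that triggered the denial>; dac_override: <why write bypass is still required>`, and name the capability in the commit message. The profile body starts and ends outside both hunks, so the file rules that bound these capabilities are only partly visible here.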
--- a/apparmor.d/groups/cups/cups-backend-snmp +++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -19,6 +19,7 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket index 3efcf183b..f8f36a056 100644 --- a/apparmor.d/groups/cups/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket @@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb index fa21e0204..7d9dbd237 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists }