From 79f0848b77dc5b33f381564b987fc88896f15d56 Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Tue, 9 Sep 2025 22:15:25 +0200
Subject: [PATCH 1/5] add poppler tools

---
 apparmor.d/profiles-m-r/pdfattach   | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdfdetach   | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdffonts    | 21 +++++++++++++++++++++
 apparmor.d/profiles-m-r/pdfimages   | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdfinfo     | 21 +++++++++++++++++++++
 apparmor.d/profiles-m-r/pdfseparate | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdfsig      | 23 +++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdftocairo  | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdftohtml   | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdftoppm    | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdftops     | 22 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/pdftotext   |  2 +-
 apparmor.d/profiles-m-r/pdfunite    | 22 ++++++++++++++++++++++
 13 files changed, 264 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/profiles-m-r/pdfattach
 create mode 100644 apparmor.d/profiles-m-r/pdfdetach
 create mode 100644 apparmor.d/profiles-m-r/pdffonts
 create mode 100644 apparmor.d/profiles-m-r/pdfimages
 create mode 100644 apparmor.d/profiles-m-r/pdfinfo
 create mode 100644 apparmor.d/profiles-m-r/pdfseparate
 create mode 100644 apparmor.d/profiles-m-r/pdfsig
 create mode 100644 apparmor.d/profiles-m-r/pdftocairo
 create mode 100644 apparmor.d/profiles-m-r/pdftohtml
 create mode 100644 apparmor.d/profiles-m-r/pdftoppm
 create mode 100644 apparmor.d/profiles-m-r/pdftops
 create mode 100644 apparmor.d/profiles-m-r/pdfunite

diff --git a/apparmor.d/profiles-m-r/pdfattach b/apparmor.d/profiles-m-r/pdfattach
new file mode 100644
index 000000000..5a063422e
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdfattach
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdfattach
+profile pdfattach @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdfattach>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdfdetach b/apparmor.d/profiles-m-r/pdfdetach
new file mode 100644
index 000000000..bf6e589cc
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdfdetach
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdfdetach
+profile pdfdetach @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdfdetach>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdffonts b/apparmor.d/profiles-m-r/pdffonts
new file mode 100644
index 000000000..8cc71b246
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdffonts
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdffonts
+profile pdffonts @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdffonts>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdfimages b/apparmor.d/profiles-m-r/pdfimages
new file mode 100644
index 000000000..0f3a6681b
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdfimages
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdfimages
+profile pdfimages @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdfimages>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdfinfo b/apparmor.d/profiles-m-r/pdfinfo
new file mode 100644
index 000000000..a481ad323
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdfinfo
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdfinfo
+profile pdfinfo @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdfinfo>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdfseparate b/apparmor.d/profiles-m-r/pdfseparate
new file mode 100644
index 000000000..1026719f8
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdfseparate
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdfseparate
+profile pdfseparate @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdfseparate>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdfsig b/apparmor.d/profiles-m-r/pdfsig
new file mode 100644
index 000000000..5f4cb3ce7
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdfsig
@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdfsig
+profile pdfsig @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/ssl_certs>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdfsig>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdftocairo b/apparmor.d/profiles-m-r/pdftocairo
new file mode 100644
index 000000000..65a880057
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdftocairo
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdftocairo
+profile pdftocairo @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdftocairo>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdftohtml b/apparmor.d/profiles-m-r/pdftohtml
new file mode 100644
index 000000000..3c44be2f5
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdftohtml
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdftohtml
+profile pdftohtml @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdftohtml>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm
new file mode 100644
index 000000000..4924a91d8
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdftoppm
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdftoppm
+profile pdftoppm @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdftoppm>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdftops b/apparmor.d/profiles-m-r/pdftops
new file mode 100644
index 000000000..1a390c576
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdftops
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdftops
+profile pdftops @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdftops>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext
index 0394687f7..7fb2bed7b 100644
--- a/apparmor.d/profiles-m-r/pdftotext
+++ b/apparmor.d/profiles-m-r/pdftotext
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 valoq <valoq@mailbox.org>
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/4.0>,
diff --git a/apparmor.d/profiles-m-r/pdfunite b/apparmor.d/profiles-m-r/pdfunite
new file mode 100644
index 000000000..ea2b776ae
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pdfunite
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pdfunite
+profile pdfunite @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+  
+  @{exec_path} mr,
+
+  /usr/share/poppler/{,**} r,
+
+  include if exists <local/pdfunite>
+}
+
+# vim:syntax=apparmor

From 7c20ab258868803904a76020a3607f0b71e578f4 Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Tue, 9 Sep 2025 22:59:35 +0200
Subject: [PATCH 2/5] remove whitespace

---
 apparmor.d/profiles-m-r/pdfunite | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apparmor.d/profiles-m-r/pdfunite b/apparmor.d/profiles-m-r/pdfunite
index ea2b776ae..7b2019af5 100644
--- a/apparmor.d/profiles-m-r/pdfunite
+++ b/apparmor.d/profiles-m-r/pdfunite
@@ -11,7 +11,7 @@ profile pdfunite @{exec_path} {
   include <abstractions/base>
   include <abstractions/user-read-strict>
   include <abstractions/user-write-strict>
-  
+
   @{exec_path} mr,
 
   /usr/share/poppler/{,**} r,

From 3faffd5d23ea76cf32194366987561f226266414 Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Wed, 10 Sep 2025 11:42:13 +0200
Subject: [PATCH 3/5] fix pdftoppm

---
 apparmor.d/profiles-m-r/pdftoppm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm
index 4924a91d8..86953b8b9 100644
--- a/apparmor.d/profiles-m-r/pdftoppm
+++ b/apparmor.d/profiles-m-r/pdftoppm
@@ -9,8 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/pdftoppm
 profile pdftoppm @{exec_path} {
   include <abstractions/base>
+  include <abstractions/fonts>
   include <abstractions/user-read-strict>
   include <abstractions/user-write-strict>
+  include <abstractions/user-tmp>
 
   @{exec_path} mr,
 

From f07609bb371f34ff18fe7ce5731f608c715a3c0e Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Wed, 10 Sep 2025 11:50:56 +0200
Subject: [PATCH 4/5] fix pdftoppm

---
 apparmor.d/profiles-m-r/pdftoppm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm
index 86953b8b9..3ae603bf1 100644
--- a/apparmor.d/profiles-m-r/pdftoppm
+++ b/apparmor.d/profiles-m-r/pdftoppm
@@ -12,12 +12,13 @@ profile pdftoppm @{exec_path} {
   include <abstractions/fonts>
   include <abstractions/user-read-strict>
   include <abstractions/user-write-strict>
-  include <abstractions/user-tmp>
 
   @{exec_path} mr,
 
   /usr/share/poppler/{,**} r,
 
+  owner /tmp/{,**} rw,
+
   include if exists <local/pdftoppm>
 }
 

From b816d33b931b719cd6945bca14696fd2a39be71c Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Wed, 10 Sep 2025 14:47:49 +0200
Subject: [PATCH 5/5] restrict tmp writes

---
 apparmor.d/profiles-m-r/pdftoppm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm
index 3ae603bf1..4be131bd3 100644
--- a/apparmor.d/profiles-m-r/pdftoppm
+++ b/apparmor.d/profiles-m-r/pdftoppm
@@ -17,7 +17,11 @@ profile pdftoppm @{exec_path} {
 
   /usr/share/poppler/{,**} r,
 
-  owner /tmp/{,**} rw,
+  owner /tmp/{,**}.ppm w,
+  owner /tmp/{,**}.png w,
+  owner /tmp/{,**}.jpg w,
+  owner /tmp/{,**}.jpeg w,
+  owner /tmp/{,**}.tiff w,
 
   include if exists <local/pdftoppm>
 }