From b816d33b931b719cd6945bca14696fd2a39be71c Mon Sep 17 00:00:00 2001
From: valoq
Date: Wed, 10 Sep 2025 14:47:49 +0200
Subject: [PATCH] restrict tmp writes
---
 apparmor.d/profiles-m-r/pdftoppm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm
index 3ae603bf1..4be131bd3 100644
--- a/apparmor.d/profiles-m-r/pdftoppm
+++ b/apparmor.d/profiles-m-r/pdftoppm
@@ -17,7 +17,11 @@ profile pdftoppm @{exec_path} {
 /usr/share/poppler/{,**} r,
- owner /tmp/{,**} rw,
+ owner /tmp/{,**}.ppm w,
+ owner /tmp/{,**}.png w,
+ owner /tmp/{,**}.jpg w,
+ owner /tmp/{,**}.jpeg w,
+ owner /tmp/{,**}.tiff w,
 include if exists
 }
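Review bot: The suffix list in the added `owner /tmp/{,**}.… w,` rules does not appear to match the file names pdftoppm itself generates. As far as I know, poppler names its outputs `.pbm` for -mono, `.pgm` for -gray and `.tif` for -tiff, none of which these rules cover, so those modes would be denied when the output root is under /tmp. Folding the five rules into one alternation would keep the allowed set easy to audit, for example `owner /tmp/{,**}.{ppm,pgm,pbm,png,jpg,jpeg,tif,tiff} w,`. The change also drops `r` on /tmp. Whether an input PDF stored under /tmp stays readable depends on rules in the part of the profile that lies outside this hunk, so that is worth confirming before merging.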