restrict tmp writes

2025-09-10 14:47:49 +02:00 · 2025-09-10 14:47:49 +02:00 · b816d33b93
commit b816d33b93
parent f07609bb37
1 changed files with 5 additions and 1 deletions
--- a/apparmor.d/profiles-m-r/pdftoppm
+++ b/apparmor.d/profiles-m-r/pdftoppm
@ -17,7 +17,11 @@ profile pdftoppm @{exec_path} {

  /usr/share/poppler/{,**} r,

-  owner /tmp/{,**} rw,
+  owner /tmp/{,**}.ppm w,
+  owner /tmp/{,**}.png w,
+  owner /tmp/{,**}.jpg w,
+  owner /tmp/{,**}.jpeg w,
+  owner /tmp/{,**}.tiff w,

  include if exists <local/pdftoppm>
 }