From d7ffb13e4e2b736d46e159bd02625bb8e4bd63a4 Mon Sep 17 00:00:00 2001
From: Allen Huang <allen.huang@canonical.com>
Date: Thu, 1 May 2025 09:49:49 +0100
Subject: [PATCH 1/3] Add profile for qpdf

Signed-off-by: Allen Huang <allen.huang@canonical.com>
---
 profiles/apparmor.d/qpdf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 profiles/apparmor.d/qpdf

diff --git a/profiles/apparmor.d/qpdf b/profiles/apparmor.d/qpdf
new file mode 100644
index 000000000..cdd297e13
--- /dev/null
+++ b/profiles/apparmor.d/qpdf
@@ -0,0 +1,13 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile qpdf /usr/bin/qpdf {
+  include <abstractions/base>
+
+  /usr/bin/qpdf mr,
+  owner @{HOME}/** rw,
+
+  include if exists <local/qpdf>
+}
+

From ca8619313abc316f5e0a5bc32d2d506ab61d816b Mon Sep 17 00:00:00 2001
From: Allen Huang <allen.huang@canonical.com>
Date: Fri, 2 May 2025 10:53:20 +0100
Subject: [PATCH 2/3] Limit access to common formats, allow more paths

- common file formats that qpdf works with: .pdf, .json and .qdf
- .in and .out are also allowed in user's home directories as they
  are sometimes used
- other paths are added, including mounts and system locations

Signed-off-by: Allen Huang <allen.huang@canonical.com>
---
 profiles/apparmor.d/qpdf | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/qpdf b/profiles/apparmor.d/qpdf
index cdd297e13..bdbe0ea21 100644
--- a/profiles/apparmor.d/qpdf
+++ b/profiles/apparmor.d/qpdf
@@ -6,7 +6,36 @@ profile qpdf /usr/bin/qpdf {
   include <abstractions/base>
 
   /usr/bin/qpdf mr,
-  owner @{HOME}/** rw,
+
+  # common file formats for qpdf are included: .pdf, .json and .qdf
+  # user's home directories
+  owner @{HOME}/**.[qQpP][dD][fF] rw,
+  owner @{HOME}/**.[jJ][sS][oO][nN] rw,
+  # allow less common .in and .out files within user's directories
+  owner @{HOME}/**.[iI][nN] rw,
+  owner @{HOME}/**.[oO][uU][tT] rw,
+
+  # tmp directories
+  owner /tmp/**.[qQpP][dD][fF] rw,
+  owner /tmp/**.[jJ][sS][oO][nN] rw,
+  owner /var/tmp/**.[qQpP][dD][fF] rw,
+  owner /var/tmp/**.[jJ][sS][oO][nN] rw,
+
+  # mounts
+  owner /mnt/**.[qQpP][dD][fF] rw,
+  owner /mnt/**.[jJ][sS][oO][nN] rw,
+  owner /media/**.[qQpP][dD][fF] rw,
+  owner /media/**.[jJ][sS][oO][nN] rw,
+  /mnt/**.[qQpP][dD][fF] r,
+  /mnt/**.[jJ][sS][oO][nN] r,
+  /media/**.[qQpP][dD][fF] r,
+  /media/**.[jJ][sS][oO][nN] r,
+
+  # system locations
+  /usr/**.[qQpP][dD][fF] r,
+  /usr/**.[jJ][sS][oO][nN] r,
+  /opt/**.[qQpP][dD][fF] r,
+  /opt/**.[jJ][sS][oO][nN] r,
 
   include if exists <local/qpdf>
 }

From 0e28172ca68be6f4f0313a3a58bac82c066309aa Mon Sep 17 00:00:00 2001
From: Allen Huang <allen.huang@canonical.com>
Date: Fri, 2 May 2025 14:16:53 +0100
Subject: [PATCH 3/3] Exclude hidden locations in home directories

Signed-off-by: Allen Huang <allen.huang@canonical.com>
---
 profiles/apparmor.d/qpdf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/profiles/apparmor.d/qpdf b/profiles/apparmor.d/qpdf
index bdbe0ea21..db9f97540 100644
--- a/profiles/apparmor.d/qpdf
+++ b/profiles/apparmor.d/qpdf
@@ -9,11 +9,11 @@ profile qpdf /usr/bin/qpdf {
 
   # common file formats for qpdf are included: .pdf, .json and .qdf
   # user's home directories
-  owner @{HOME}/**.[qQpP][dD][fF] rw,
-  owner @{HOME}/**.[jJ][sS][oO][nN] rw,
+  owner @{HOME}/[^.]**.[qQpP][dD][fF] rw,
+  owner @{HOME}/[^.]**.[jJ][sS][oO][nN] rw,
   # allow less common .in and .out files within user's directories
-  owner @{HOME}/**.[iI][nN] rw,
-  owner @{HOME}/**.[oO][uU][tT] rw,
+  owner @{HOME}/[^.]**.[iI][nN] rw,
+  owner @{HOME}/[^.]**.[oO][uU][tT] rw,
 
   # tmp directories
   owner /tmp/**.[qQpP][dD][fF] rw,