From acc0811c37e53d5fc9013449ef2c5429c451bd3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20B=C3=A9lair?= <maxime.belair@canonical.com>
Date: Mon, 12 May 2025 16:11:13 +0200
Subject: [PATCH] profiles: small fix for gs profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allow gs to run from confined environment by explicitly allowing access
to @{exec_path}.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
---
 profiles/apparmor.d/gs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/profiles/apparmor.d/gs b/profiles/apparmor.d/gs
index 43d7057aa..bac614965 100644
--- a/profiles/apparmor.d/gs
+++ b/profiles/apparmor.d/gs
@@ -36,5 +36,7 @@ profile gs /usr/bin/gs {
   # allow access to local printer devices
   file rw @{print_devices},
 
+  file mr @{exec_path},
+
   include if exists <local/gs>
 }