apparmor.d: add gs profile

profiles/apparmor.d/gs

@@ -0,0 +1,40 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    Author: Giampaolo Fresi Roglia (gianz)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+abi <abi/4.0>,
+
+include <tunables/global>
+include <tunables/gs>
+include <tunables/print-devices>
+
+profile gs /usr/bin/gs {
+  include <abstractions/base>
+  include <abstractions/private-files-strict>
+  include <abstractions/user-tmp>
+  include <abstractions/fonts>
+
+  # allow read access to anything in /usr/share, for plugins and input
+  # methods
+  file r /usr/local/share/**,
+  file r /usr/share/**,
+  file r /var/lib/ghostscript/**,
+
+  # allow read access to paperspec
+  file r /etc/paperspecs,
+
+  # allow access to files with selected extensions under HOME
+  owner file rw @{HOME}/**.@{gs_file_ext},
+
+  # allow access to local printer devices
+  file rw @{print_devices},
+
+  include if exists <local/gs>
+}

profiles/apparmor.d/tunables/gs

@@ -0,0 +1,14 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    Author: Giampaolo Fresi Roglia (gianz)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+@{gs_file_ext}=[pP][dD][fF] [pP][sS] [eE][pP][sS] [eE][pP][sS][iI] [pP][nN][gG] [jJ][pP][gG] [jJ][pP][eE][gG] [pP][nN][mM] [tT][iI][fF] [tT][iI][fF][fF] [bB][mM][pP] [pP][cC][xX] [pP][sS][dD] [tT][xX][tT] [pP][xX][lL] [dD][oO][cC][xX] [xX][pP][sS]
+
+include if exists <tunables/gs.d>

profiles/apparmor.d/tunables/print-devices

@@ -0,0 +1,17 @@
+#------------------------------------------------------------------
+#    Copyright (C) 2025 Canonical Ltd.
+#
+#    Author: Giampaolo Fresi Roglia (gianz)
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#------------------------------------------------------------------
+# vim: ft=apparmor
+
+# @{print_devices} is a space-separated list of all devices
+# representing locally connected printers
+
+@{print_devices}=/dev/lp* /dev/ttyS* /dev/ttyUSB* /dev/usb/lp* /dev/parport*
+
+include if exists <tunables/print-devices.d>