Comment # 20 on bug 1134327 from 
Offhandedly I see the issues:

(A)
I know basically nothing about Ghostscript internals
but I think in general a library can be considered
as a program with many "entry points" where each function
that is provided by the library is such an "entry point".

Accordingly to limit what inside a library can be done
the limitation must happen at all its "entry points"
i.e. for all its functions that can be called "from outside".

(B)
I know absolutely nothing about programming with libapparmor.
I wonder how to switch back to the AppArmor profile before
i.e. I think things should happen basically like this:

1. save current AppArmor profile
2. add Ghostscript restrictions to the current AppArmor profile
3. do the actual Ghostscript functionality
4. restore the saved AppArmor profile

(C)
When the Ghostscript library calls functions in libapparmor
there would be a hard requirement of AppArmor by Ghostscript
but some users do not like to have any AppArmor stuff,
see bug #1134289

You are receiving this mail because: