Offhandedly I see the issues: (A) I know basically nothing about Ghostscript internals but I think in general a library can be considered as a program with many "entry points" where each function that is provided by the library is such an "entry point". Accordingly to limit what inside a library can be done the limitation must happen at all its "entry points" i.e. for all its functions that can be called "from outside". (B) I know absolutely nothing about programming with libapparmor. I wonder how to switch back to the AppArmor profile before i.e. I think things should happen basically like this: 1. save current AppArmor profile 2. add Ghostscript restrictions to the current AppArmor profile 3. do the actual Ghostscript functionality 4. restore the saved AppArmor profile (C) When the Ghostscript library calls functions in libapparmor there would be a hard requirement of AppArmor by Ghostscript but some users do not like to have any AppArmor stuff, see bug #1134289