#include <tunables/global>

# this profile is mainly intended to prevent easy exploitation of
# issues in ghostscript. This is mainly intended as a hardening
# measure and doesn't alleviate the need for regular updates
profile /usr/bin/{dvipdf,eps2eps,gs,gsbj,gsdj,gsdj500,gslj,gslp,gsnd,ps2ascii,ps2epsi,ps2pdf,ps2pdf12,ps2pdf13,ps2pdf14,ps2pdfwr,ps2ps,ps2ps2} {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  #include <abstractions/X>

  # needed to read gc/write pdfs/eps/.. everywhere
  /** wr,

  /usr/lib64/ghostscript/** m,
  /usr/lib64/libgs.so.* m,
  /usr/lib64/libijs-* m,
}