Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Printing
gswrap
gswrap
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gswrap of Package gswrap
#!/bin/bash # # Copyright (c) 2019 SUSE GmbH Nuernberg, Germany. # Copyright (c) 2021 SUSE Software Solutions Germany GmbH. # Copyright (c) 2023 SUSE Software Solutions Germany GmbH. # Copyright (c) 2019,2021,2023 Werner Fink # # Wrapper script for ghostscript based on bwrap, the container setup # utility, which does use e.g. unshare(2) system call to create a # safe container environment. # # Please report bugfixes or comments at https://www.suse.com/feedback/ # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # ghostscript=@@GS@@ for prog in fuser realpath do type $prog >& /dev/null && continue echo "GS: No $prog found in path" 1>&2 exit 1 done user=nobody home="/home/$user" uid=$(id -u "$user") gid=$(id -g "$user") lock=$(mktemp "${TMPDIR:-/tmp}/.gswrap-XXXXXXXXXX") || exit 1 unlock () { test -e "$lock" || return fuser -TERM "$lock" rm -f "$lock" } finish () { # Used with trap to copy output files back to original cwd or directory # to be able to hide the original cwd or directory from ghostscript process local dir="$1" local tmp="$2" if test -d "$tmp" then for ps in "$tmp/"* do test -e "$ps" || continue test -p "$ps" && continue test -d "$dir" || continue mv -f "$ps" "$dir" done rm -rf "$tmp" fi unlock } trap 'unlock' EXIT SIGINT SIGHUP typeset -i safer=0 typeset pipecmd="" typeset -i pipepos typeset -a opts=() typeset -i o=0 for lib in $(ldd $ghostscript | sed -rn 's|.*=>[[:blank:]]+||;s|[[:blank:]]*(/[^[:blank:]]+)[[:blank:]]+.*|\1|p') do opts[o++]=--ro-bind opts[o++]="$lib" opts[o++]="$lib" done arch=$(uname -i) for dir in /lib/tls /lib64/tls /lib64/${arch} /usr/lib/ghostscript /usr/lib64/ghostscript /etc/ghostscript /lib64/glibc-hwcaps/${arch/_/[_-]}-v* do test -d "$dir" || continue opts[o++]=--ro-bind opts[o++]="$dir" opts[o++]="$dir" done typeset -a argv=("$@") typeset -i c=0 argc=${#argv[@]} for ((c=0; c < argc; c++)) do arg="${argv[c]}" case "$arg" in -dSAFER) let safer++ ;; -o) if ((c+1 >= argc)) then echo "GS: found -o without argument" 1>&2 exit 1 else unset argv[c] argv[c+1]=-sOutputFile="${argv[c+1]}" fi ;; -sOutputFile=*) case "${arg#-sOutputFile=}" in %stdout%|%stderr%|%stdout|%stderr|-|"") continue ;; %pipe%*) pipecmd="${arg#-sOutputFile=%pipe%}" let pipepos=c ;; esac file="${arg#-sOutputFile=}" dir="${file%/*}" file="${file##*/}" if test -n "$file" then if test -n "$dir" -a "$dir" = "/dev" then # Only /dev/null or /dev/zero allowed if test "$file" != null -a "$file" != zero then echo "GS: only /dev/null or /dev/zero allowed" 1>&2 exit 1 fi opts[o++]=--dir opts[o++]="$home/out" elif test -n "$dir" -a -d "$dir" then tmp=$(mktemp -d "$dir/.gswrap-XXXXXXXXXX") || exit 1 trap "finish '$dir' '$tmp'" EXIT SIGINT SIGHUP opts[o++]=--bind opts[o++]="${tmp+"$tmp"}" opts[o++]="$home/out" else tmp=$(mktemp -d "$PWD/.gswrap-XXXXXXXXXX") || exit 1 trap "finish '$PWD' '$tmp'" EXIT SIGINT SIGHUP opts[o++]=--bind opts[o++]="${tmp+"$tmp"}" opts[o++]="$home/out" fi fi argv[c]="-sOutputFile=$home/out/${file}" continue ;; -sDEVICE=*) case "${arg#-sDEVICE=}" in x11*) ;; *) unset DISPLAY ;; esac continue ;; @*) opts[o++]=--ro-bind opts[o++]="${arg#@}" opts[o++]="$home/${arg#@}" continue ;; -*) continue ;; esac test -e "$arg" || continue if test "${arg##*/}" = "$arg" then opts[o++]=--ro-bind opts[o++]="$arg" opts[o++]="$home/$arg" else arg="$(realpath "$arg")" || exit 1 argv[c]="$arg" test "$arg" != / || continue test "$arg" != /home || continue test "$arg" != $home || continue opts[o++]=--ro-bind opts[o++]="$arg" opts[o++]="$arg" fi done # If no -dSAFER then execute the orignal ghostscript program now if ((safer == 0)) then exec -a ${0} $ghostscript ${1+"$@"} fi if test -n "$pipecmd" then mkfifo -m 666 "${tmp}/fd" fd="${tmp}/fd" exec "$pipecmd" < $fd & argv[pipepos]="-sOutputFile=$home/fifo" opts[o++]=--bind opts[o++]="$fd" opts[o++]="$home/fifo" fi # User might have some own font configurations as well if test -d /var/cache/fontconfig then opts[o++]=--ro-bind opts[o++]="/var/cache/fontconfig" opts[o++]="/var/cache/fontconfig" fi if test -s "$HOME/.fonts.conf" then opts[o++]=--ro-bind opts[o++]="${HOME+"$HOME"}/.fonts.conf" opts[o++]="$home/.fonts.conf" fi for dir in "$HOME/.fontconfig" "$HOME/.config/fontconfig" "$HOME/.cache/fontconfig" do test -d "$dir" || continue opts[o++]=--ro-bind opts[o++]="$dir" opts[o++]="${home}${dir#$HOME}" done # Display if test -n "$DISPLAY" then : ${XAUTHORITY:="$HOME/.Xauthority"} for dir in /usr/lib/ghostscript /usr/lib64/ghostscript do test -d "$dir" || continue for x11 in $dir/*/X11.so do test -e "$x11" || continue for lib in $(ldd "$x11" | sed -rn 's|.*=>[[:blank:]]+||;s|[[:blank:]]*(/[^[:blank:]]+)[[:blank:]]+.*|\1|p') do case "${opts[@]}" in *[:blank:]${lib}[:blank:]*) continue ;; esac opts[o++]=--ro-bind opts[o++]="$lib" opts[o++]="$lib" done done done # for x11 in /tmp/.X11-unix /tmp/.XIM-unix /tmp/.ICE-unix /tmp/.font-unix /tmp/.X${DISPLAY##*:}-lock for x11 in /tmp/.X11-unix do test -e "${x11}" || continue opts[o++]=--ro-bind opts[o++]="${x11}" opts[o++]="${x11}" done opts[o++]=--ro-bind opts[o++]="${XAUTHORITY+"$XAUTHORITY"}" opts[o++]="$home/.Xauthority" opts[o++]=--setenv opts[o++]=XAUTHORITY opts[o++]="$home/.Xauthority" opts[o++]=--setenv opts[o++]=DISPLAY opts[o++]="${DISPLAY+"$DISPLAY"}" if test -n "${DISPLAY%:*}" then # For display over e.g. local network as with slogin -X skip --unshare-net # and allow hostname resolution via running nscd (that is nscd should be up) opts[o++]=--ro-bind opts[o++]="/var/run/nscd/socket" opts[o++]="/var/run/nscd/socket" opts[o++]=--unshare-user-try opts[o++]=--unshare-ipc opts[o++]=--unshare-pid opts[o++]=--unshare-uts opts[o++]=--unshare-cgroup-try else opts[o++]=--unshare-all fi for so in /tmp/.X11-unix/* do test -s $so && continue # Abstract sockets only opts[o++]=--share-net done if test -n "${WAYLAND_DISPLAY}" then opts[o++]=--ro-bind opts[o++]="$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" opts[o++]="/run/user/$uid/$WAYLAND_DISPLAY" fi if test -n "${GHOSTVIEW}" then opts[o++]=--setenv opts[o++]=GHOSTVIEW opts[o++]="{GHOSTVIEW+"$GHOSTVIEW"}" fi if test -n "${GHOSTVIEW_COLORS}" then opts[o++]=--setenv opts[o++]=GHOSTVIEW_COLORS opts[o++]="${GHOSTVIEW+"$GHOSTVIEW_COLORS"}" fi else opts[o++]=--unshare-all fi if test -e /proc/$$/uid_map then opts[o++]=--uid opts[o++]="$uid" fi if test -e /proc/$$/gid_map then opts[o++]=--gid opts[o++]="$gid" fi # This is for debugging only # add you binary like /bin/ls or /usr/bin/strace for further usage # as replacement or prefix of ghostscript in the last line. # Clearly the `false´ should then changed to `true´ if false then for bin in /usr/bin/strace /bin/ls do opts[o++]=--ro-bind opts[o++]="$bin" opts[o++]="$bin" for lib in $(ldd "$bin" | sed -rn 's|.*=>[[:blank:]]+||;s|[[:blank:]]*(/[^[:blank:]]+)[[:blank:]]+.*|\1|p') do case "${opts[@]}" in *[:blank:]${lib}[:blank:]*) continue ;; esac opts[o++]=--ro-bind opts[o++]="$lib" opts[o++]="$lib" done done fi unset o c argc arg set -- "${argv[@]}" set -euo pipefail (exec -c -a gs /usr/bin/bwrap \ --dev /dev \ --proc /proc \ --tmpfs /run \ --tmpfs /tmp \ --dir /var \ --ro-bind /bin/false /bin/false \ --ro-bind $ghostscript /usr/bin/gs \ --ro-bind /usr/share/ghostscript /usr/share/ghostscript \ --ro-bind /usr/share/xml/fontconfig /usr/share/xml/fontconfig \ --ro-bind /usr/share/fontconfig /usr/share/fontconfig \ --ro-bind /usr/share/fonts /usr/share/fonts \ --ro-bind /var/cache/fontconfig /var/cache/fontconfig \ --ro-bind /etc/fonts /etc/fonts \ --ro-bind "$lock" /tmp/.lock \ --lock-file /tmp/.lock \ --dir "/run/user/$uid" \ --symlink ../run var/run \ --symlink ../tmp var/tmp \ --dir "$home" \ --chdir "$home" \ "${opts[@]}" \ --new-session \ --sync-fd 2 \ --setenv XDG_RUNTIME_DIR "/run/user/$uid" \ --setenv USER "$user" \ --setenv LOGNAME "$user" \ --setenv SHELL /bin/false \ --setenv HOME "$home" \ --setenv PATH /bin:/usr/bin \ --setenv MAIL /dev/null \ --die-with-parent \ /usr/bin/gs ${1+"$@"}) rm -f "$lock"
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor