Let bwrap terminate all namespace processes

OBS-URL: https://build.opensuse.org/package/show/Printing/gswrap?expand=0&rev=15

gswrap

@@ -1,7 +1,8 @@
 #!/bin/bash
 #
 # Copyright (c) 2019 SuSE GmbH Nuernberg, Germany.
-# Copyright (c) 2019 Werner Fink
+# Copyright (c) 2021 SuSE SUSE Software Solutions Germany GmbH.
+# Copyright (c) 2019,2021 Werner Fink
 #
 # Wrapper script for ghostscript based on bwrap, the container setup
 # utility, which does use e.g. unshare(2) system call to create a
@@ -30,6 +31,14 @@ user=nobody
 home=/home/$user
 uid=$(id -u $user)
 gid=$(id -g $user)
+lock=$(mktemp "${TMPDIR:-/tmp}/.gswrap-XXXXXXXXXX") || exit 1
+
+unlock ()
+{
+    test -e $lock || return
+    fuser -TERM $lock
+    rm -f $lock
+}
 
 finish ()
 {
@@ -37,17 +46,22 @@ finish ()
     # to be able to hide the original cwd or directory from ghostscript process
     local dir="$1"
     local tmp="$2"
-    test -d "$dir" || return
+    if test -d "$tmp"
-    test -d "$tmp" || return
+    then
-    for ps in "$tmp/"*
+	for ps in "$tmp/"*
-    do
+	do
-	test -e "$ps" || continue
+	    test -e "$ps"  || continue
-	test -p "$ps" && continue
+	    test -p "$ps"  && continue
-	mv -f "$ps" "$dir"
+	    test -d "$dir" || continue
-    done
+	    mv -f "$ps" "$dir"
-    rm -rf "$tmp"
+	done
+	rm -rf "$tmp"
+    fi
+    unlock
 }
 
+trap 'unlock' EXIT SIGINT SIGHUP
+
 typeset -i safer=0
 typeset    pipecmd=""
 typeset -i pipepos
@@ -255,16 +269,17 @@ unset o argc arg
 set -- "${argv[@]}"
 set -euo pipefail
 (exec -c -a gs /usr/bin/bwrap \
-      --as-pid-1 \
+      --dev /dev \
+      --proc /proc \
+      --tmpfs /run \
+      --tmpfs /tmp \
       --ro-bind /bin/false /bin/false \
       --ro-bind $ghostscript /usr/bin/gs \
       --ro-bind /usr/share/ghostscript /usr/share/ghostscript \
       --ro-bind /usr/share/fonts /usr/share/fonts \
       --ro-bind /etc/fonts /etc/fonts \
-      --dev /dev \
+      --ro-bind $lock /tmp/.lock \
-      --proc /proc \
+      --lock-file /tmp/.lock \
-      --tmpfs /run \
-      --tmpfs /tmp \
       --dir /run/user/$uid \
       --dir /var \
       --symlink ../run var/run \
@@ -276,7 +291,6 @@ set -euo pipefail
       --sync-fd 0 \
       --sync-fd 1 \
       --sync-fd 2 \
-      --die-with-parent \
       --setenv XDG_RUNTIME_DIR "/run/user/$uid" \
       --setenv USER $user \
       --setenv LOGNAME $user \
@@ -284,4 +298,6 @@ set -euo pipefail
       --setenv HOME $home \
       --setenv PATH /bin:/usr/bin \
       --setenv MAIL /dev/null \
+      --die-with-parent \
       /usr/bin/gs ${1+"$@"})
+rm -f $lock

gswrap.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 12 13:26:59 UTC 2021 - Dr. Werner Fink <werner@suse.de>
+
+- Use TERM instead of KILL to let bwrap do its work
+- Enable bwrap to execute its option --die-with-parent
+
 -------------------------------------------------------------------
 Mon Sep 20 07:40:46 UTC 2021 - Dr. Werner Fink <werner@suse.de>