fix(docker): Avoid tripping on new Ghostscript safety restrictions

Dockerfile

@@ -73,6 +73,14 @@ ENV LANG=en_US.UTF-8
 # root permissions anyway so we're not really adding insecure surface area here.
 RUN git config --system --add safe.directory '*'
 
+# ImageMagick has started aggressively adding -dSAFER (also the default since
+# Ghostscript 9.5) to callouts to `gs`. This works if the processes inside
+# Docker are running as root, but we're often using setpriv to match file
+# ownerships. Postscript files can read and write arbitrary files in this
+# configuration so this would be unsafe to use on unknown content, but in our
+# case the only content on the entire system (in the container) is our project.
+RUN sed -i -e 's/dSAFER/dNOSAFER/g' /etc/ImageMagick-7/delegates.xml
+
 LABEL org.opencontainers.image.title="CaSILE"
 LABEL org.opencontainers.image.description="A containerized version of the CaSILE toolkit, a book publishing workflow employing SILE and other wizardry"
 LABEL org.opencontainers.image.authors="Caleb Maclennan <caleb@alerque.com>"

rules/rules.mk

@@ -152,6 +152,10 @@ FCCONFIG := $(BUILDDIR)/fontconfig.conf
 # BUILDDIR would otherwise get created by other rules anyway, but we're dodging race conditions
 export FONTCONFIG_FILE := $(shell test -d "$(BUILDDIR)" || $(MKDIR_P) "$(BUILDDIR)" && cd "$(BUILDDIR)" && pwd)/fontconfig.conf
 
+# ImageMagick security policy steps on Ghostscript's toes when running under
+# setpriv (which we do in Docker), so just keep it all local.
+export MAGICK_TEMPORARY_PATH := $(shell test -d "$(BUILDDIR)" || $(MKDIR_P) "$(BUILDDIR)" && cd "$(BUILDDIR)" && pwd)
+
 # Extensible list of files for git to ignore
 IGNORES += $(PROJECTCONFIGS)
 IGNORES += $(BUILDDIR)