author | netblue30 <netblue30@protonmail.com> | 2022-02-08 10:30:22 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-02-08 10:30:22 -0500 |
commit | 86a57917aa2ef664cc27865a235860412a0a381d (patch) | |
tree | 1187f5385d2cf2f4b2bee9af2bc30f906f519b20 | |
parent | Merge pull request #4912 from netblue30/ci_centos (diff) | |
fix --private-cwd, issue #4910
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 14 | ||||
-rwxr-xr-x | test/fs/private-cwd.exp | 48 | ||||
-rw-r--r-- | test/fs/private-cwd.profile | 1 |
4 files changed, 39 insertions, 25 deletions
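--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.69) baseline; urgency=low
 * work in progress
+* bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
 -- netblue30 <netblue30@yahoo.com> Mon, 7 Feb 2022 09:00:00 -0500
 
 firejail (0.9.68) baseline; urgency=low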
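--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -453,17 +453,27 @@ void fs_check_private_dir(void) {
 }
 
 // check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+// $ firejail --private --private-cwd=. --noprofile ls
+// issue #4780: exposes full home directory, not the --private one
+// $ firejail --private-cwd=.. --noprofile ls -> error: full dir path required
+// $ firejail --private-cwd=/etc --noprofile ls -> OK
+// $ firejail --private-cwd=FULL-SYMLINK-PATH --noprofile ls -> error: no symlinks
+// $ firejail --private --private-cwd="${HOME}" --noprofile ls -al --> OK
+// $ firejail --private --private-cwd='${HOME}' --noprofile ls -al --> OK
+// $ firejail --private-cwd --> OK: should go in top of the home dir
+// profile with "private-cwd ${HOME}
 void fs_check_private_cwd(const char *dir) {
 EUID_ASSERT();
 invalid_filename(dir, 0); // no globbing
-if (strcmp(dir, ".") == 0 || *dir != '/')
+if (strcmp(dir, ".") == 0)
 goto errout;
 
 // Expand the working directory
 cfg.cwd = expand_macros(dir);
 
 // realpath/is_dir not used because path may not exist outside of jail
-if (strstr(cfg.cwd, ".."))
+if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
 goto errout;
 
 return;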
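Review bot: The test list added above fs_check_private_cwd() promises `-> error: no symlinks`, but the body visible here applies only a `..` substring test and a leading-`/` test to the expanded string, and the existing comment says realpath is deliberately not used. Unless invalid_filename() or code outside this hunk rejects symlinks, the comment overstates what this function guarantees; I would add `// symlinks are not resolved or rejected in this function` next to the realpath remark, or name the place that does enforce it. The moved `*cfg.cwd != '/'` test now also rejects `.`, so the earlier `strcmp(dir, ".") == 0` branch looks redundant unless the errout path, which lies outside the hunk, depends on cfg.cwd being unset. The last comment line, `// profile with "private-cwd ${HOME}`, is missing its closing quote.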
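--- a/test/fs/private-cwd.exp
+++ b/test/fs/private-cwd.exp
@@ -7,46 +7,48 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "cd /tmp\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd\r"
+send -- "firejail --private-cwd pwd\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
+timeout {puts "TESTING ERROR 1\n";exit}
+"$env(HOME)"
 }
 sleep 1
 
-send -- "pwd\r"
+send -- "firejail --private-cwd=/etc pwd\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"$env(HOME)"
+timeout {puts "TESTING ERROR 2\n";exit}
+"/etc"
 }
-after 100
-
-send -- "exit\r"
 sleep 1
 
-send -- "cd /\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd=/tmp\r"
+send -- "firejail --private --private-cwd=. pwd\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"Child process initialized"
+"invalid private working directory"
 }
 sleep 1
 
-send -- "pwd\r"
+after 100
+send -- "firejail --private-cwd='\${HOME}' pwd\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
-"/tmp"
+"$env(HOME)"
 }
-after 100
+sleep 1
 
-send -- "exit\r"
+after 100
+send -- "firejail --private-cwd=\"\${HOME}\" pwd\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"$env(HOME)"
+}
 sleep 1
 
+send -- "firejail --profile=private-cwd.profile pwd\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"$env(HOME)"
+}
+after 100
+
 puts "all done\n"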
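Review bot: The `"/etc"` pattern in the second case does not prove that pwd ran in /etc: the spawned shell echoes the sent command, which already contains `--private-cwd=/etc`, so the expect can match even when firejail fails. Matching the whole output line, for example `"\r\n/etc\r\n"`, would tie the check to what pwd printed (exact line endings to be confirmed on the test terminal). The list of cases in the fs_home.c comment also names `--private-cwd=..` and a symlink path as expected errors, and neither rejection is exercised here; those are the cases where a regression would weaken the sandbox.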
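--- /dev/null
+++ b/test/fs/private-cwd.profile
@@ -0,0 +1 @@
+private-cwd ${HOME}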