fix --private-cwd, issue #4910

4 files changed, 39 insertions, 25 deletions

diff --git a/RELNOTES b/RELNOTES
index 136bd46e6..f023c0290 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,5 +1,6 @@
 firejail (0.9.69) baseline; urgency=low
   * work in progress
+  * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
  -- netblue30 <netblue30@yahoo.com>  Mon, 7 Feb 2022 09:00:00 -0500
 
 firejail (0.9.68) baseline; urgency=low
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index b1cb9d927..6a554dc89 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -453,17 +453,27 @@ void fs_check_private_dir(void) {
 }
 
 // check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+//    $ firejail --private --private-cwd=. --noprofile ls
+//      issue #4780: exposes full home directory, not the --private one
+//   $ firejail --private-cwd=.. --noprofile ls  -> error: full dir path required
+//   $ firejail --private-cwd=/etc --noprofile ls  -> OK
+//   $ firejail --private-cwd=FULL-SYMLINK-PATH  --noprofile ls  -> error: no symlinks
+//   $ firejail --private --private-cwd="${HOME}" --noprofile ls -al  --> OK
+//   $ firejail --private --private-cwd='${HOME}' --noprofile ls -al  --> OK
+//   $ firejail --private-cwd  --> OK: should go in top of the home dir
+//   profile with "private-cwd ${HOME}
 void fs_check_private_cwd(const char *dir) {
         EUID_ASSERT();
         invalid_filename(dir, 0); // no globbing
-        if (strcmp(dir, ".") == 0 || *dir != '/')
+        if (strcmp(dir, ".") == 0)
                 goto errout;
 
         // Expand the working directory
         cfg.cwd = expand_macros(dir);
 
         // realpath/is_dir not used because path may not exist outside of jail
-        if (strstr(cfg.cwd, ".."))
+        if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
                 goto errout;
 
         return;
diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp
index e9c4bdacd..77374e086 100755
--- a/test/fs/private-cwd.exp
+++ b/test/fs/private-cwd.exp
@@ -7,46 +7,48 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "cd /tmp\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd\r"
+send -- "firejail --private-cwd pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
-        "Child process initialized"
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "$env(HOME)"
 }
 sleep 1
 
-send -- "pwd\r"
+send -- "firejail --private-cwd=/etc pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
-        "$env(HOME)"
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "/etc"
 }
-after 100
-
-send -- "exit\r"
 sleep 1
 
-send -- "cd /\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd=/tmp\r"
+send -- "firejail --private --private-cwd=. pwd\r"
 expect {
         timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "invalid private working directory"
 }
 sleep 1
 
-send -- "pwd\r"
+after 100
+send -- "firejail  --private-cwd='\${HOME}' pwd\r"
 expect {
         timeout {puts "TESTING ERROR 4\n";exit}
-        "/tmp"
+        "$env(HOME)"
 }
-after 100
+sleep 1
 
-send -- "exit\r"
+after 100
+send -- "firejail  --private-cwd=\"\${HOME}\" pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "$env(HOME)"
+}
 sleep 1
 
+send -- "firejail  --profile=private-cwd.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "$env(HOME)"
+}
+after 100
+
 puts "all done\n"
diff --git a/test/fs/private-cwd.profile b/test/fs/private-cwd.profile
new file mode 100644
index 000000000..9dd97a8ac
--- /dev/null
+++ b/test/fs/private-cwd.profile
@@ -0,0 +1 @@
+private-cwd ${HOME}