diff options
| author |  netblue30 <netblue30@protonmail.com> | 2021-12-19 14:49:35 -0500 |
|---|---|---|
| committer | netblue30 <netblue30@protonmail.com> | 2021-12-19 14:49:35 -0500 |
| commit | d2e10f8b728eb83f05c1c57cf06a28a6cd48f58f (patch) | |
| tree | 5296957c4fa8ee5036e862bb36e46d8c01fc4b0d | |
| parent | Merge branch 'master' of ssh://github.com/netblue30/firejail (diff) | |
| download | firejail-d2e10f8b7.tar.gz firejail-d2e10f8b7.tar.zst firejail-d2e10f8b7.zip | |
fix --private-cwd problem
| -rw-r--r-- | src/firejail/fs_home.c | 13 | ||||
| -rw-r--r-- | src/firejail/sandbox.c | 5 |
2 files changed, 14 insertions, 4 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 4558934da..b410ba68e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
| @@ -456,15 +456,20 @@ void fs_check_private_dir(void) { | |||
| 456 | void fs_check_private_cwd(const char *dir) { | 456 | void fs_check_private_cwd(const char *dir) { |
| 457 | EUID_ASSERT(); | 457 | EUID_ASSERT(); |
| 458 | invalid_filename(dir, 0); // no globbing | 458 | invalid_filename(dir, 0); // no globbing |
| 459 | if (strcmp(dir, ".") == 0 || *dir != '/') | ||
| 460 | goto errout; | ||
| 459 | 461 | ||
| 460 | // Expand the working directory | 462 | // Expand the working directory |
| 461 | cfg.cwd = expand_macros(dir); | 463 | cfg.cwd = expand_macros(dir); |
| 462 | 464 | ||
| 463 | // realpath/is_dir not used because path may not exist outside of jail | 465 | // realpath/is_dir not used because path may not exist outside of jail |
| 464 | if (strstr(cfg.cwd, "..")) { | 466 | if (strstr(cfg.cwd, "..")) |
| 465 | fprintf(stderr, "Error: invalid private working directory\n"); | 467 | goto errout; |
| 466 | exit(1); | 468 | |
| 467 | } | 469 | return; |
| 470 | errout: | ||
| 471 | fprintf(stderr, "Error: invalid private working directory\n"); | ||
| 472 | exit(1); | ||
| 468 | } | 473 | } |
| 469 | 474 | ||
| 470 | //*********************************************************************************** | 475 | //*********************************************************************************** |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 96fa4c81a..53b1e6914 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
| @@ -1058,6 +1058,11 @@ int sandbox(void* sandbox_arg) { | |||
| 1058 | EUID_USER(); | 1058 | EUID_USER(); |
| 1059 | int cwd = 0; | 1059 | int cwd = 0; |
| 1060 | if (cfg.cwd) { | 1060 | if (cfg.cwd) { |
| 1061 | if (is_link(cfg.cwd)) { | ||
| 1062 | fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd); | ||
| 1063 | exit(1); | ||
| 1064 | } | ||
| 1065 | |||
| 1061 | if (chdir(cfg.cwd) == 0) | 1066 | if (chdir(cfg.cwd) == 0) |
| 1062 | cwd = 1; | 1067 | cwd = 1; |
| 1063 | else if (arg_private_cwd) { | 1068 | else if (arg_private_cwd) { |