11 files changed, 76 insertions, 188 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 27f6aed77..d6fc903f3 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@8b37404d562d866ad6a65d0ecb4fa5131e047ca4
+      uses: github/codeql-action/init@1a927e9307bc11970b2c679922ebc4d03a5bd980
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@8b37404d562d866ad6a65d0ecb4fa5131e047ca4
+      uses: github/codeql-action/autobuild@1a927e9307bc11970b2c679922ebc4d03a5bd980
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8b37404d562d866ad6a65d0ecb4fa5131e047ca4
+      uses: github/codeql-action/analyze@1a927e9307bc11970b2c679922ebc4d03a5bd980
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d9fe768ff..e79028c4f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -21,7 +21,7 @@ build_debian_package:
        - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 build_redhat_package:
-    image: centos:latest
+    image: almalinux:latest
    script:
        - dnf update -y
        - dnf install -y rpm-build gcc make
@@ -67,8 +67,6 @@ debian_ci:
        - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
        - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
        - rm -rf debian/patches/
-        # /etc/firejail/hostnames is no longer installed
-        - sed '/etc\/firejail\/hostnames/d' -i debian/firejail.install
        - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
        - git add debian && git commit -m "add debian/"
        - export CI_COMMIT_SHA=$(git rev-parse HEAD)
diff --git a/Makefile.in b/Makefile.in
index 29bd53d21..f38191880 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -120,6 +120,7 @@ endif
        install -m 0755 -d $(DESTDIR)$(libdir)/firejail
        install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
        install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+        install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
        # plugins w/o read permission (non-dumpable)
        install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
        install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh
diff --git a/README.md b/README.md
index e3e578523..a9c41cfc4 100644
--- a/README.md
+++ b/README.md
@@ -207,133 +207,11 @@ You can also use this tool to get a list of syscalls needed by a program: [contr
 We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory.
-## Latest released version: 0.9.66
+## Latest released version: 0.9.68
-## Current development version: 0.9.67
+## Current development version: 0.9.69
 Milestone page: https://github.com/netblue30/firejail/milestone/1
-Release discussion: https://github.com/netblue30/firejail/issues/3696
-Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change!
-The old whitelist/blacklist will remain as aliasses for the next one or two releases
-in order to give users a chance to switch their local profiles.
-The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379
-### Intrusion Detection System ###
-`````
-      --ids-check
-              Check  file  hashes previously generated by --ids-check. See IN‐
-              TRUSION DETECTION SYSTEM section for more details.
-              Example:
-              $ firejail --ids-check
-       --ids-init
-              Initialize file hashes. See INTRUSION DETECTION  SYSTEM  section
-              for more details.
-              Example:
-              $ firejail --ids-init
-INTRUSION DETECTION SYSTEM (IDS)
-       The  host-based  intrusion detection system tracks down and audits user
-       and  system  file  modifications.   The  feature  is  configured  using
-       /etc/firejail/ids.config    file,   the   checksums   are   stored   in
-       /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the  cur‐
-       rent user. We use BLAKE2 cryptographic function for hashing.
-       As a regular user, initialize the database:
-       $ firejail --ids-init
-       Opening config file /etc/firejail/ids.config
-       Loading config file /etc/firejail/ids.config
-       Opening config file /etc/firejail/ids.config.local
-       500 1000 1500 2000
-       2466 files scanned
-       IDS database initialized
-       The  default configuration targets several system executables in direc‐
-       tories such as /bin, /sbin, /usr/bin, /usr/sbin, and  several  critical
-       config  files in user home directory such as ~/.bashrc, ~/.xinitrc, and
-       ~/.config/autostart. Several system config files in /etc directory  are
-       also hashed.
-       Run --ids-check to audit the system:
-       $ firejail --ids-check
-       Opening config file /etc/firejail/ids.config
-       Loading config file /etc/firejail/ids.config
-       Opening config file /etc/firejail/ids.config.local
-       500 1000 1500
-       Warning: modified /home/netblue/.bashrc
-       2000
-       2466 files scanned: modified 1, permissions 0, new 0, removed 0
-       The  program  will  print  the  files that have been modified since the
-       database was created, or the files with different  access  permissions.
-       New files and deleted files are also flagged.
-       Currently  while  scanning  the file system symbolic links are not fol‐
-       lowed, and files the user doesn't have  read  access  to  are  silently
-       dropped.   The  program  can  also be run as root (sudo firejail --ids-
-       init/--ids-check).
-`````
-### File descriptors
-`````
-       --keep-fd=all
-              Inherit all open file descriptors to  the  sandbox.  By  default
-              only  file  descriptors 0, 1 and 2 are inherited to the sandbox,
-              and all other file descriptors are closed.
-              Example:
-              $ firejail --keep-fd=all
-       --keep-fd=file_descriptor
-              Don't close specified open file  descriptors.  By  default  only
-              file  descriptors  0,  1 and 2 are inherited to the sandbox, and
-              all other file descriptors are closed.
-              Example:
-              $ firejail --keep-fd=3,4,5
-`````
-### Deteministic Shutdown
-`````
-      --deterministic-exit-code
-              Always exit firejail with the first child's exit status. The de‐
-              fault  behavior  is to use the exit status of the final child to
-              exit, which can be nondeterministic.
-       --deterministic-shutdown
-              Always shut down the sandbox after the first  child  has  termi‐
-              nated. The default behavior is to keep the sandbox alive as long
-              as it contains running processes.
-`````
-### Network Monitor
-`````
-       --nettrace=name|pid
-              Monitor TCP and UDP traffic coming into the sandbox specified by
-              name or pid. Only networked sandboxes  created  with  --net  are
-              supported.
-              $ firejail --nettrace=browser
-                 86 KB/s *********           64.222.84.207:443 United States
-                 76 KB/s ********            192.229.210.163:443 MCI
-                111 B/s                      9.9.9.9:53 Quad9 DNS
-                 32 KB/s ***                 142.250.179.182:443 Google
-              If  /usr/bin/geoiplookup  is  installed (geoip-bin packet in De‐
-              bian), the country the IP address originates from  is  added  to
-              the trace.  We also use the static IP map in /etc/firejail/host‐
-              names to print the domain names for some of the more common web‐
-              sites  and  cloud platforms.  No external services are contacted
-              for reverse IP lookup.
-`````
 ### Profile Statistics
@@ -345,34 +223,31 @@ No include .local found in /etc/firejail/noprofile.profile
 Warning: multiple caps in /etc/firejail/transmission-daemon.profile
 Stats:
-    profiles                    1176
+    profiles                    1184
-    include local profile       1175   (include profile-name.local)
+    include local profile       1183   (include profile-name.local)
-    include globals             1144   (include globals.local)
+    include globals             1152   (include globals.local)
-    blacklist ~/.ssh            1050   (include disable-common.inc)
+    blacklist ~/.ssh            1057   (include disable-common.inc)
-    seccomp                     1070
+    seccomp                     1076
-    capabilities                1171
+    capabilities                1178
-    noexec                      1057   (include disable-exec.inc)
+    noexec                      1064   (include disable-exec.inc)
-    noroot                      979
+    noroot                      985
-    memory-deny-write-execute   258
+    memory-deny-write-execute   259
-    apparmor                    700
+    apparmor                    707
-    private-bin                 681
+    private-bin                 686
-    private-dev                 1033
+    private-dev                 1040
-    private-etc                 533
+    private-etc                 537
-    private-tmp                 905
+    private-tmp                 911
-    whitelist home directory    562
+    whitelist home directory    567
-    whitelist var               842   (include whitelist-var-common.inc)
+    whitelist var               849   (include whitelist-var-common.inc)
-    whitelist run/user          1145   (include whitelist-runuser-common.inc
+    whitelist run/user          1153   (include whitelist-runuser-common.inc
                                        or blacklist ${RUNUSER})
-    whitelist usr/share         614   (include whitelist-usr-share-common.inc
+    whitelist usr/share         621   (include whitelist-usr-share-common.inc
-    net none                    399
+    net none                    403
-    dbus-user none              662
+    dbus-user none              670
-    dbus-user filter            113
+    dbus-user filter            114
-    dbus-system none            816
+    dbus-system none            824
    dbus-system filter          10
 ```
 ### New profiles:
-clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle,
-cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser, notable, RPCS3, wget2, raincat,
-cointop, 1password, Seafile, neowim
diff --git a/RELNOTES b/RELNOTES
index df7086313..f023c0290 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -1,6 +1,7 @@
 firejail (0.9.69) baseline; urgency=low
  * work in progress
- -- netblue30 <netblue30@yahoo.com>  Sun, 6 Feb 2022 09:00:00 -0500
+  * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
+ -- netblue30 <netblue30@yahoo.com>  Mon, 7 Feb 2022 09:00:00 -0500
 firejail (0.9.68) baseline; urgency=low
  * security: on Ubuntu, the PPA is now recommended over the distro package
diff --git a/configure b/configure
index 1f22ecbec..716418785 100755
--- a/configure
+++ b/configure
@@ -1380,7 +1380,7 @@ Optional Features:
  --disable-firetunnel    disable firetunnel
  --disable-private-home  disable private home feature
  --disable-chroot        disable chroot
-  --disable-globalcfg     if the global config file firejail.cfg is not
+  --disable-globalcfg     if the global config file firejail.config is not
                          present, continue the program using defaults
  --disable-network       disable network
  --disable-userns        disable user namespace
@@ -3659,7 +3659,7 @@ if test "x$enable_firetunnel" != "xno"; then :
 fi
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
 # Check whether --enable-private-home was given.
 if test "${enable_private_home+set}" = set; then :
@@ -3846,7 +3846,7 @@ if test "x$enable_lts" = "xyes"; then :
        HAVE_USERTMPFS=""
        HAVE_MAN="-DHAVE_MAN"
        HAVE_FIRETUNNEL=""
-        HAVE_PRIVATEHOME=""
+        HAVE_PRIVATE_HOME=""
        HAVE_CHROOT=""
        HAVE_GLOBALCFG=""
        HAVE_USERNS=""
diff --git a/configure.ac b/configure.ac
index 3fd300970..0ae9362cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -130,7 +130,7 @@ AS_IF([test "x$enable_firetunnel" != "xno"], [
        HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
 ])
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
 AC_SUBST([HAVE_PRIVATE_HOME])
 AC_ARG_ENABLE([private-home],
    [AS_HELP_STRING([--disable-private-home], [disable private home feature])])
@@ -150,7 +150,7 @@ HAVE_GLOBALCFG=""
 AC_SUBST([HAVE_GLOBALCFG])
 AC_ARG_ENABLE([globalcfg],
    [AS_HELP_STRING([--disable-globalcfg],
-        [if the global config file firejail.cfg is not present, continue the program using defaults])])
+        [if the global config file firejail.config is not present, continue the program using defaults])])
 AS_IF([test "x$enable_globalcfg" != "xno"], [
        HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
 ])
@@ -249,7 +249,7 @@ AS_IF([test "x$enable_lts" = "xyes"], [
        HAVE_USERTMPFS=""
        HAVE_MAN="-DHAVE_MAN"
        HAVE_FIRETUNNEL=""
-        HAVE_PRIVATEHOME=""
+        HAVE_PRIVATE_HOME=""
        HAVE_CHROOT=""
        HAVE_GLOBALCFG=""
        HAVE_USERNS=""
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile
index 74e0faa7f..498853b5d 100644
--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin hyperrogue
 private-cache
-private-cwd ${HOME}
+private-cwd
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c
index b1cb9d927..6a554dc89 100644
--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -453,17 +453,27 @@ void fs_check_private_dir(void) {
 }
 // check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+//    $ firejail --private --private-cwd=. --noprofile ls
+//      issue #4780: exposes full home directory, not the --private one
+//   $ firejail --private-cwd=.. --noprofile ls  -> error: full dir path required
+//   $ firejail --private-cwd=/etc --noprofile ls  -> OK
+//   $ firejail --private-cwd=FULL-SYMLINK-PATH  --noprofile ls  -> error: no symlinks
+//   $ firejail --private --private-cwd="${HOME}" --noprofile ls -al  --> OK
+//   $ firejail --private --private-cwd='${HOME}' --noprofile ls -al  --> OK
+//   $ firejail --private-cwd  --> OK: should go in top of the home dir
+//   profile with "private-cwd ${HOME}
 void fs_check_private_cwd(const char *dir) {
        EUID_ASSERT();
        invalid_filename(dir, 0); // no globbing
-        if (strcmp(dir, ".") == 0 || *dir != '/')
+        if (strcmp(dir, ".") == 0)
                goto errout;
        // Expand the working directory
        cfg.cwd = expand_macros(dir);
        // realpath/is_dir not used because path may not exist outside of jail
-        if (strstr(cfg.cwd, ".."))
+        if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
                goto errout;
        return;
diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp
index e9c4bdacd..77374e086 100755
--- a/test/fs/private-cwd.exp
+++ b/test/fs/private-cwd.exp
@@ -7,46 +7,48 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
-send -- "cd /tmp\r"
+send -- "firejail --private-cwd pwd\r"
-after 100
-# testing profile and private
-send -- "firejail --private-cwd\r"
 expect {
-        timeout {puts "TESTING ERROR 0\n";exit}
+        timeout {puts "TESTING ERROR 1\n";exit}
-        "Child process initialized"
+        "$env(HOME)"
 }
 sleep 1
-send -- "pwd\r"
+send -- "firejail --private-cwd=/etc pwd\r"
 expect {
-        timeout {puts "TESTING ERROR 1\n";exit}
+        timeout {puts "TESTING ERROR 2\n";exit}
-        "$env(HOME)"
+        "/etc"
 }
-after 100
-send -- "exit\r"
 sleep 1
-send -- "cd /\r"
+send -- "firejail --private --private-cwd=. pwd\r"
-after 100
-# testing profile and private
-send -- "firejail --private-cwd=/tmp\r"
 expect {
        timeout {puts "TESTING ERROR 3\n";exit}
-        "Child process initialized"
+        "invalid private working directory"
 }
 sleep 1
-send -- "pwd\r"
+after 100
+send -- "firejail  --private-cwd='\${HOME}' pwd\r"
 expect {
        timeout {puts "TESTING ERROR 4\n";exit}
-        "/tmp"
+        "$env(HOME)"
 }
-after 100
+sleep 1
-send -- "exit\r"
+after 100
+send -- "firejail  --private-cwd=\"\${HOME}\" pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "$env(HOME)"
+}
 sleep 1
+send -- "firejail  --profile=private-cwd.profile pwd\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "$env(HOME)"
+}
+after 100
 puts "all done\n"
diff --git a/test/fs/private-cwd.profile b/test/fs/private-cwd.profile
new file mode 100644
index 000000000..9dd97a8ac
--- /dev/null
+++ b/test/fs/private-cwd.profile
@@ -0,0 +1 @@
+private-cwd ${HOME}