diff options
-rw-r--r-- | src/firejail/fs_home.c | 13 | ||||
-rw-r--r-- | src/firejail/sandbox.c | 5 |
2 files changed, 14 insertions, 4 deletions
diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index 4558934da..b410ba68e 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c | |||
@@ -456,15 +456,20 @@ void fs_check_private_dir(void) { | |||
456 | void fs_check_private_cwd(const char *dir) { | 456 | void fs_check_private_cwd(const char *dir) { |
457 | EUID_ASSERT(); | 457 | EUID_ASSERT(); |
458 | invalid_filename(dir, 0); // no globbing | 458 | invalid_filename(dir, 0); // no globbing |
459 | if (strcmp(dir, ".") == 0 || *dir != '/') | ||
460 | goto errout; | ||
459 | 461 | ||
460 | // Expand the working directory | 462 | // Expand the working directory |
461 | cfg.cwd = expand_macros(dir); | 463 | cfg.cwd = expand_macros(dir); |
462 | 464 | ||
463 | // realpath/is_dir not used because path may not exist outside of jail | 465 | // realpath/is_dir not used because path may not exist outside of jail |
464 | if (strstr(cfg.cwd, "..")) { | 466 | if (strstr(cfg.cwd, "..")) |
465 | fprintf(stderr, "Error: invalid private working directory\n"); | 467 | goto errout; |
466 | exit(1); | 468 | |
467 | } | 469 | return; |
470 | errout: | ||
471 | fprintf(stderr, "Error: invalid private working directory\n"); | ||
472 | exit(1); | ||
468 | } | 473 | } |
469 | 474 | ||
470 | //*********************************************************************************** | 475 | //*********************************************************************************** |
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 96fa4c81a..53b1e6914 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c | |||
@@ -1058,6 +1058,11 @@ int sandbox(void* sandbox_arg) { | |||
1058 | EUID_USER(); | 1058 | EUID_USER(); |
1059 | int cwd = 0; | 1059 | int cwd = 0; |
1060 | if (cfg.cwd) { | 1060 | if (cfg.cwd) { |
1061 | if (is_link(cfg.cwd)) { | ||
1062 | fprintf(stderr, "Error: unable to enter private working directory: %s\n", cfg.cwd); | ||
1063 | exit(1); | ||
1064 | } | ||
1065 | |||
1061 | if (chdir(cfg.cwd) == 0) | 1066 | if (chdir(cfg.cwd) == 0) |
1062 | cwd = 1; | 1067 | cwd = 1; |
1063 | else if (arg_private_cwd) { | 1068 | else if (arg_private_cwd) { |