-rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 | ||||
-rw-r--r-- | .gitlab-ci.yml | 4 | ||||
-rw-r--r-- | Makefile.in | 1 | ||||
-rw-r--r-- | README.md | 173 | ||||
-rw-r--r-- | RELNOTES | 3 | ||||
-rwxr-xr-x | configure | 6 | ||||
-rw-r--r-- | configure.ac | 6 | ||||
-rw-r--r-- | etc/profile-a-l/hyperrogue.profile | 2 | ||||
-rw-r--r-- | src/firejail/fs_home.c | 14 | ||||
-rwxr-xr-x | test/fs/private-cwd.exp | 48 | ||||
-rw-r--r-- | test/fs/private-cwd.profile | 1 |
11 files changed, 76 insertions, 188 deletions
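--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@8b37404d562d866ad6a65d0ecb4fa5131e047ca4
+uses: github/codeql-action/init@1a927e9307bc11970b2c679922ebc4d03a5bd980
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@8b37404d562d866ad6a65d0ecb4fa5131e047ca4
+uses: github/codeql-action/autobuild@1a927e9307bc11970b2c679922ebc4d03a5bd980
 
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@8b37404d562d866ad6a65d0ecb4fa5131e047ca4
+uses: github/codeql-action/analyze@1a927e9307bc11970b2c679922ebc4d03a5bd980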
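--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -21,7 +21,7 @@ build_debian_package:
 - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
 
 build_redhat_package:
-image: centos:latest
+image: almalinux:latest
 script:
 - dnf update -y
 - dnf install -y rpm-build gcc make
@@ -67,8 +67,6 @@ debian_ci:
 - cd $CI_PROJECT_DIR/.. && (apt-get source --download-only -t experimental firejail || apt-get source --download-only firejail)
 - cd $CI_PROJECT_DIR && tar xf ../firejail_*.debian.tar.*
 - rm -rf debian/patches/
-# /etc/firejail/hostnames is no longer installed
-- sed '/etc\/firejail\/hostnames/d' -i debian/firejail.install
 - VERSION=$(grep ^PACKAGE_VERSION= configure | cut -d"'" -f2) && dch -v ${VERSION}-0.1~ci "Non-maintainer upload." && git archive -o ../firejail_${VERSION}.orig.tar.gz HEAD && pristine-tar commit ../firejail_${VERSION}.orig.tar.gz ci_build && git branch -m pristine-tar origin/pristine-tar
 - git add debian && git commit -m "add debian/"
 - export CI_COMMIT_SHA=$(git rev-parse HEAD)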
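Review bot: `image: almalinux:latest` on line 24 keeps the RPM job on a floating tag, and the following `dnf update -y` moves the base further on every run, so the build is not reproducible and an upstream image change silently changes what the job tests. Pinning to a major-version tag (e.g. `image: almalinux:8`) or a digest, and bumping it deliberately, would make the environment explicit; the same applies to the CodeQL action SHAs in this commit, which are at least pinned. The removal of the `sed` on `debian/firejail.install` in the second hunk appears consistent with the README text dropped in this commit, which no longer documents /etc/firejail/hostnames.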
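--- a/Makefile.in
+++ b/Makefile.in
@@ -120,6 +120,7 @@ endif
 install -m 0755 -d $(DESTDIR)$(libdir)/firejail
 install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
 install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
 # plugins w/o read permission (non-dumpable)
 install -m 0711 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS_NON_DUMPABLE)
 install -m 0711 -t $(DESTDIR)$(libdir)/firejail src/fshaper/fshaper.sh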
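Review bot: The new line 123 hard-codes `src/profstats/profstats` while the neighbouring lines install from `$(SBOX_APPS)` and `$(SBOX_APPS_NON_DUMPABLE)`, so any uninstall or listing rule driven by those variables (outside this hunk) will not know about profstats; adding it to `$(SBOX_APPS)`, or to a dedicated variable, keeps the install and uninstall sides in step. The install rule's header and prerequisites are outside the hunk, so I could not confirm that profstats is built before this recipe runs — if it is not a prerequisite, a fresh `make install` fails on a missing file. A short comment such as `# profile statistics tool (readable, unlike the non-dumpable helpers below)` would document why it gets 0755 rather than the 0711 used two lines down.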
@@ -207,133 +207,11 @@ You can also use this tool to get a list of syscalls needed by a program: [contr | |||
207 | 207 | ||
208 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. | 208 | We also keep a list of profile fixes for previous released versions in [etc-fixes](https://github.com/netblue30/firejail/tree/master/etc-fixes) directory. |
209 | 209 | ||
210 | ## Latest released version: 0.9.66 | 210 | ## Latest released version: 0.9.68 |
211 | 211 | ||
212 | ## Current development version: 0.9.67 | 212 | ## Current development version: 0.9.69 |
213 | 213 | ||
214 | Milestone page: https://github.com/netblue30/firejail/milestone/1 | 214 | Milestone page: https://github.com/netblue30/firejail/milestone/1 |
215 | Release discussion: https://github.com/netblue30/firejail/issues/3696 | ||
216 | |||
217 | Moving from whitelist/blacklist to allow/deny is under way! We are still open to other options, so it might change! | ||
218 | |||
219 | The old whitelist/blacklist will remain as aliasses for the next one or two releases | ||
220 | in order to give users a chance to switch their local profiles. | ||
221 | The latest discussion on this issue is here: https://github.com/netblue30/firejail/issues/4379 | ||
222 | |||
223 | ### Intrusion Detection System ### | ||
224 | ````` | ||
225 | --ids-check | ||
226 | Check file hashes previously generated by --ids-check. See IN‐ | ||
227 | TRUSION DETECTION SYSTEM section for more details. | ||
228 | |||
229 | Example: | ||
230 | $ firejail --ids-check | ||
231 | |||
232 | --ids-init | ||
233 | Initialize file hashes. See INTRUSION DETECTION SYSTEM section | ||
234 | for more details. | ||
235 | |||
236 | Example: | ||
237 | $ firejail --ids-init | ||
238 | |||
239 | INTRUSION DETECTION SYSTEM (IDS) | ||
240 | The host-based intrusion detection system tracks down and audits user | ||
241 | and system file modifications. The feature is configured using | ||
242 | /etc/firejail/ids.config file, the checksums are stored in | ||
243 | /var/lib/firejail/USERNAME.ids, where USERNAME is the name of the cur‐ | ||
244 | rent user. We use BLAKE2 cryptographic function for hashing. | ||
245 | |||
246 | As a regular user, initialize the database: | ||
247 | |||
248 | $ firejail --ids-init | ||
249 | Opening config file /etc/firejail/ids.config | ||
250 | Loading config file /etc/firejail/ids.config | ||
251 | Opening config file /etc/firejail/ids.config.local | ||
252 | 500 1000 1500 2000 | ||
253 | 2466 files scanned | ||
254 | IDS database initialized | ||
255 | |||
256 | The default configuration targets several system executables in direc‐ | ||
257 | tories such as /bin, /sbin, /usr/bin, /usr/sbin, and several critical | ||
258 | config files in user home directory such as ~/.bashrc, ~/.xinitrc, and | ||
259 | ~/.config/autostart. Several system config files in /etc directory are | ||
260 | also hashed. | ||
261 | |||
262 | Run --ids-check to audit the system: | ||
263 | |||
264 | $ firejail --ids-check | ||
265 | Opening config file /etc/firejail/ids.config | ||
266 | Loading config file /etc/firejail/ids.config | ||
267 | Opening config file /etc/firejail/ids.config.local | ||
268 | 500 1000 1500 | ||
269 | Warning: modified /home/netblue/.bashrc | ||
270 | 2000 | ||
271 | 2466 files scanned: modified 1, permissions 0, new 0, removed 0 | ||
272 | |||
273 | The program will print the files that have been modified since the | ||
274 | database was created, or the files with different access permissions. | ||
275 | New files and deleted files are also flagged. | ||
276 | |||
277 | Currently while scanning the file system symbolic links are not fol‐ | ||
278 | lowed, and files the user doesn't have read access to are silently | ||
279 | dropped. The program can also be run as root (sudo firejail --ids- | ||
280 | init/--ids-check). | ||
281 | |||
282 | ````` | ||
283 | |||
284 | ### File descriptors | ||
285 | ````` | ||
286 | --keep-fd=all | ||
287 | Inherit all open file descriptors to the sandbox. By default | ||
288 | only file descriptors 0, 1 and 2 are inherited to the sandbox, | ||
289 | and all other file descriptors are closed. | ||
290 | |||
291 | Example: | ||
292 | $ firejail --keep-fd=all | ||
293 | |||
294 | --keep-fd=file_descriptor | ||
295 | Don't close specified open file descriptors. By default only | ||
296 | file descriptors 0, 1 and 2 are inherited to the sandbox, and | ||
297 | all other file descriptors are closed. | ||
298 | |||
299 | Example: | ||
300 | $ firejail --keep-fd=3,4,5 | ||
301 | ````` | ||
302 | |||
303 | ### Deteministic Shutdown | ||
304 | ````` | ||
305 | --deterministic-exit-code | ||
306 | Always exit firejail with the first child's exit status. The de‐ | ||
307 | fault behavior is to use the exit status of the final child to | ||
308 | exit, which can be nondeterministic. | ||
309 | |||
310 | --deterministic-shutdown | ||
311 | Always shut down the sandbox after the first child has termi‐ | ||
312 | nated. The default behavior is to keep the sandbox alive as long | ||
313 | as it contains running processes. | ||
314 | ````` | ||
315 | |||
316 | ### Network Monitor | ||
317 | ````` | ||
318 | --nettrace=name|pid | ||
319 | Monitor TCP and UDP traffic coming into the sandbox specified by | ||
320 | name or pid. Only networked sandboxes created with --net are | ||
321 | supported. | ||
322 | |||
323 | $ firejail --nettrace=browser | ||
324 | 86 KB/s ********* 64.222.84.207:443 United States | ||
325 | 76 KB/s ******** 192.229.210.163:443 MCI | ||
326 | 111 B/s 9.9.9.9:53 Quad9 DNS | ||
327 | 32 KB/s *** 142.250.179.182:443 Google | ||
328 | |||
329 | If /usr/bin/geoiplookup is installed (geoip-bin packet in De‐ | ||
330 | bian), the country the IP address originates from is added to | ||
331 | the trace. We also use the static IP map in /etc/firejail/host‐ | ||
332 | names to print the domain names for some of the more common web‐ | ||
333 | sites and cloud platforms. No external services are contacted | ||
334 | for reverse IP lookup. | ||
335 | |||
336 | ````` | ||
337 | 215 | ||
338 | ### Profile Statistics | 216 | ### Profile Statistics |
339 | 217 | ||
@@ -345,34 +223,31 @@ No include .local found in /etc/firejail/noprofile.profile | |||
345 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile | 223 | Warning: multiple caps in /etc/firejail/transmission-daemon.profile |
346 | 224 | ||
347 | Stats: | 225 | Stats: |
348 | profiles 1176 | 226 | profiles 1184 |
349 | include local profile 1175 (include profile-name.local) | 227 | include local profile 1183 (include profile-name.local) |
350 | include globals 1144 (include globals.local) | 228 | include globals 1152 (include globals.local) |
351 | blacklist ~/.ssh 1050 (include disable-common.inc) | 229 | blacklist ~/.ssh 1057 (include disable-common.inc) |
352 | seccomp 1070 | 230 | seccomp 1076 |
353 | capabilities 1171 | 231 | capabilities 1178 |
354 | noexec 1057 (include disable-exec.inc) | 232 | noexec 1064 (include disable-exec.inc) |
355 | noroot 979 | 233 | noroot 985 |
356 | memory-deny-write-execute 258 | 234 | memory-deny-write-execute 259 |
357 | apparmor 700 | 235 | apparmor 707 |
358 | private-bin 681 | 236 | private-bin 686 |
359 | private-dev 1033 | 237 | private-dev 1040 |
360 | private-etc 533 | 238 | private-etc 537 |
361 | private-tmp 905 | 239 | private-tmp 911 |
362 | whitelist home directory 562 | 240 | whitelist home directory 567 |
363 | whitelist var 842 (include whitelist-var-common.inc) | 241 | whitelist var 849 (include whitelist-var-common.inc) |
364 | whitelist run/user 1145 (include whitelist-runuser-common.inc | 242 | whitelist run/user 1153 (include whitelist-runuser-common.inc |
365 | or blacklist ${RUNUSER}) | 243 | or blacklist ${RUNUSER}) |
366 | whitelist usr/share 614 (include whitelist-usr-share-common.inc | 244 | whitelist usr/share 621 (include whitelist-usr-share-common.inc |
367 | net none 399 | 245 | net none 403 |
368 | dbus-user none 662 | 246 | dbus-user none 670 |
369 | dbus-user filter 113 | 247 | dbus-user filter 114 |
370 | dbus-system none 816 | 248 | dbus-system none 824 |
371 | dbus-system filter 10 | 249 | dbus-system filter 10 |
372 | ``` | 250 | ``` |
373 | 251 | ||
374 | ### New profiles: | 252 | ### New profiles: |
375 | 253 | ||
376 | clion-eap, lifeograph, io.github.lainsce.Notejot, rednotebook, zim, microsoft-edge-beta, ncdu2, gallery-dl, yt-dlp, goldendict, bundle, | ||
377 | cmake, make, meson, pip, codium, telnet, ftp, OpenStego, imv, retroarch, torbrowser, CachyBrowser, notable, RPCS3, wget2, raincat, | ||
378 | cointop, 1password, Seafile, neowim | ||
@@ -1,6 +1,7 @@ | |||
1 | firejail (0.9.69) baseline; urgency=low | 1 | firejail (0.9.69) baseline; urgency=low |
2 | * work in progress | 2 | * work in progress |
3 | -- netblue30 <netblue30@yahoo.com> Sun, 6 Feb 2022 09:00:00 -0500 | 3 | * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) |
4 | -- netblue30 <netblue30@yahoo.com> Mon, 7 Feb 2022 09:00:00 -0500 | ||
4 | 5 | ||
5 | firejail (0.9.68) baseline; urgency=low | 6 | firejail (0.9.68) baseline; urgency=low |
6 | * security: on Ubuntu, the PPA is now recommended over the distro package | 7 | * security: on Ubuntu, the PPA is now recommended over the distro package |
@@ -1380,7 +1380,7 @@ Optional Features: | |||
1380 | --disable-firetunnel disable firetunnel | 1380 | --disable-firetunnel disable firetunnel |
1381 | --disable-private-home disable private home feature | 1381 | --disable-private-home disable private home feature |
1382 | --disable-chroot disable chroot | 1382 | --disable-chroot disable chroot |
1383 | --disable-globalcfg if the global config file firejail.cfg is not | 1383 | --disable-globalcfg if the global config file firejail.config is not |
1384 | present, continue the program using defaults | 1384 | present, continue the program using defaults |
1385 | --disable-network disable network | 1385 | --disable-network disable network |
1386 | --disable-userns disable user namespace | 1386 | --disable-userns disable user namespace |
@@ -3659,7 +3659,7 @@ if test "x$enable_firetunnel" != "xno"; then : | |||
3659 | 3659 | ||
3660 | fi | 3660 | fi |
3661 | 3661 | ||
3662 | HAVE_PRIVATEHOME="" | 3662 | HAVE_PRIVATE_HOME="" |
3663 | 3663 | ||
3664 | # Check whether --enable-private-home was given. | 3664 | # Check whether --enable-private-home was given. |
3665 | if test "${enable_private_home+set}" = set; then : | 3665 | if test "${enable_private_home+set}" = set; then : |
@@ -3846,7 +3846,7 @@ if test "x$enable_lts" = "xyes"; then : | |||
3846 | HAVE_USERTMPFS="" | 3846 | HAVE_USERTMPFS="" |
3847 | HAVE_MAN="-DHAVE_MAN" | 3847 | HAVE_MAN="-DHAVE_MAN" |
3848 | HAVE_FIRETUNNEL="" | 3848 | HAVE_FIRETUNNEL="" |
3849 | HAVE_PRIVATEHOME="" | 3849 | HAVE_PRIVATE_HOME="" |
3850 | HAVE_CHROOT="" | 3850 | HAVE_CHROOT="" |
3851 | HAVE_GLOBALCFG="" | 3851 | HAVE_GLOBALCFG="" |
3852 | HAVE_USERNS="" | 3852 | HAVE_USERNS="" |
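--- a/configure.ac
+++ b/configure.ac
@@ -130,7 +130,7 @@ AS_IF([test "x$enable_firetunnel" != "xno"], [
 HAVE_FIRETUNNEL="-DHAVE_FIRETUNNEL"
 ])
 
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
 AC_SUBST([HAVE_PRIVATE_HOME])
 AC_ARG_ENABLE([private-home],
 [AS_HELP_STRING([--disable-private-home], [disable private home feature])])
@@ -150,7 +150,7 @@ HAVE_GLOBALCFG=""
 AC_SUBST([HAVE_GLOBALCFG])
 AC_ARG_ENABLE([globalcfg],
 [AS_HELP_STRING([--disable-globalcfg],
-[if the global config file firejail.cfg is not present, continue the program using defaults])])
+[if the global config file firejail.config is not present, continue the program using defaults])])
 AS_IF([test "x$enable_globalcfg" != "xno"], [
 HAVE_GLOBALCFG="-DHAVE_GLOBALCFG"
 ])
@@ -249,7 +249,7 @@ AS_IF([test "x$enable_lts" = "xyes"], [
 HAVE_USERTMPFS=""
 HAVE_MAN="-DHAVE_MAN"
 HAVE_FIRETUNNEL=""
-HAVE_PRIVATEHOME=""
+HAVE_PRIVATE_HOME=""
 HAVE_CHROOT=""
 HAVE_GLOBALCFG=""
 HAVE_USERNS=""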
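Review bot: The rename at lines 133 and 252 makes the shell variable match `AC_SUBST([HAVE_PRIVATE_HOME])` on line 134, so this is a behaviour fix rather than cosmetics: with the old spelling, the `--enable-lts` block at line 252 cleared a variable nothing substituted, and LTS builds presumably kept private-home compiled in. The AS_IF block that assigns the enabled value (after line 136) is outside this hunk; please confirm it already uses `HAVE_PRIVATE_HOME`, otherwise the enabled case is still disconnected from the substitution. A one-line note next to line 133, `# must match the AC_SUBST name below`, would stop the two from drifting again.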
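--- a/etc/profile-a-l/hyperrogue.profile
+++ b/etc/profile-a-l/hyperrogue.profile
@@ -42,7 +42,7 @@ tracelog
 disable-mnt
 private-bin hyperrogue
 private-cache
-private-cwd ${HOME}
+private-cwd
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
 private-tmp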
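--- a/src/firejail/fs_home.c
+++ b/src/firejail/fs_home.c
@@ -453,17 +453,27 @@ void fs_check_private_dir(void) {
 }
 
 // check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+// $ firejail --private --private-cwd=. --noprofile ls
+// issue #4780: exposes full home directory, not the --private one
+// $ firejail --private-cwd=.. --noprofile ls -> error: full dir path required
+// $ firejail --private-cwd=/etc --noprofile ls -> OK
+// $ firejail --private-cwd=FULL-SYMLINK-PATH --noprofile ls -> error: no symlinks
+// $ firejail --private --private-cwd="${HOME}" --noprofile ls -al --> OK
+// $ firejail --private --private-cwd='${HOME}' --noprofile ls -al --> OK
+// $ firejail --private-cwd --> OK: should go in top of the home dir
+// profile with "private-cwd ${HOME}
 void fs_check_private_cwd(const char *dir) {
 EUID_ASSERT();
 invalid_filename(dir, 0); // no globbing
-if (strcmp(dir, ".") == 0 || *dir != '/')
+if (strcmp(dir, ".") == 0)
 goto errout;
 
 // Expand the working directory
 cfg.cwd = expand_macros(dir);
 
 // realpath/is_dir not used because path may not exist outside of jail
-if (strstr(cfg.cwd, ".."))
+if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
 goto errout;
 
 return;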
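Review bot: Moving the leading-slash test to after `expand_macros()` on line 476 is what lets `private-cwd ${HOME}` work, but `strstr(cfg.cwd, "..")` on the same line rejects any expanded path that merely contains two dots (a directory named `a..b`, for instance), and it is now the only traversal guard, since `invalid_filename()` on line 468 sees only the unexpanded `dir`. If the intent is to block traversal out of the private home, matching `..` as a path component (`/../` in the middle or `/..` at the end) is more precise, and running the expanded `cfg.cwd` through the same filename validation would close the gap between what is checked and what is used. The added comment on line 465, `// profile with "private-cwd ${HOME}`, has an unbalanced quote; suggest `// profile line "private-cwd ${HOME}" (see test/fs/private-cwd.profile)`. The `errout` label and the rest of the function are outside the hunk.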
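--- a/test/fs/private-cwd.exp
+++ b/test/fs/private-cwd.exp
@@ -7,46 +7,48 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "cd /tmp\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd\r"
+send -- "firejail --private-cwd pwd\r"
 expect {
-timeout {puts "TESTING ERROR 0\n";exit}
-"Child process initialized"
+timeout {puts "TESTING ERROR 1\n";exit}
+"$env(HOME)"
 }
 sleep 1
 
-send -- "pwd\r"
+send -- "firejail --private-cwd=/etc pwd\r"
 expect {
-timeout {puts "TESTING ERROR 1\n";exit}
-"$env(HOME)"
+timeout {puts "TESTING ERROR 2\n";exit}
+"/etc"
 }
-after 100
-
-send -- "exit\r"
 sleep 1
 
-send -- "cd /\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd=/tmp\r"
+send -- "firejail --private --private-cwd=. pwd\r"
 expect {
 timeout {puts "TESTING ERROR 3\n";exit}
-"Child process initialized"
+"invalid private working directory"
 }
 sleep 1
 
-send -- "pwd\r"
+after 100
+send -- "firejail --private-cwd='\${HOME}' pwd\r"
 expect {
 timeout {puts "TESTING ERROR 4\n";exit}
-"/tmp"
+"$env(HOME)"
 }
-after 100
+sleep 1
 
-send -- "exit\r"
+after 100
+send -- "firejail --private-cwd=\"\${HOME}\" pwd\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"$env(HOME)"
+}
 sleep 1
 
+send -- "firejail --profile=private-cwd.profile pwd\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"$env(HOME)"
+}
+after 100
+
 puts "all done\n"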
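Review bot: The expectation `"/etc"` on line 20 is already satisfied by the spawned shell echoing the command sent on line 17 (`firejail --private-cwd=/etc pwd`) before firejail prints anything, so, assuming the shell echoes its input as the other cases rely on, this case cannot fail even if the sandbox ends up somewhere else. Sending `firejail --private-cwd=/etc sh -c 'echo cwd=\$PWD'\r` and expecting `"cwd=/etc"` (or anchoring the pattern on a line start) ties the match to the working directory actually reported from inside the sandbox. The other cases are not affected, since `$env(HOME)` and the error string do not occur in the sent text, though a prompt that prints the full home path would weaken the `$env(HOME)` checks on lines 13, 35, 43 and 50 in the same way.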
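--- /dev/null
+++ b/test/fs/private-cwd.profile
@@ -0,0 +1 @@
+private-cwd ${HOME}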