From 86a57917aa2ef664cc27865a235860412a0a381d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 8 Feb 2022 10:30:22 -0500 Subject: fix --private-cwd, issue #4910 --- RELNOTES | 1 + src/firejail/fs_home.c | 14 +++++++++++-- test/fs/private-cwd.exp | 48 +++++++++++++++++++++++---------------------- test/fs/private-cwd.profile | 1 + 4 files changed, 39 insertions(+), 25 deletions(-) create mode 100644 test/fs/private-cwd.profile diff --git a/RELNOTES b/RELNOTES index 136bd46e6..f023c0290 100644 --- a/RELNOTES +++ b/RELNOTES @@ -1,5 +1,6 @@ firejail (0.9.69) baseline; urgency=low * work in progress + * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910) -- netblue30 Mon, 7 Feb 2022 09:00:00 -0500 firejail (0.9.68) baseline; urgency=low diff --git a/src/firejail/fs_home.c b/src/firejail/fs_home.c index b1cb9d927..6a554dc89 100644 --- a/src/firejail/fs_home.c +++ b/src/firejail/fs_home.c 
@@ -453,17 +453,27 @@ void fs_check_private_dir(void) { } // check new private working directory (--private-cwd= option) - exit if it fails +// for testing: +// $ firejail --private --private-cwd=. --noprofile ls +// issue #4780: exposes full home directory, not the --private one +// $ firejail --private-cwd=.. --noprofile ls -> error: full dir path required +// $ firejail --private-cwd=/etc --noprofile ls -> OK +// $ firejail --private-cwd=FULL-SYMLINK-PATH --noprofile ls -> error: no symlinks +// $ firejail --private --private-cwd="${HOME}" --noprofile ls -al --> OK +// $ firejail --private --private-cwd='${HOME}' --noprofile ls -al --> OK +// $ firejail --private-cwd --> OK: should go in top of the home dir +// profile with "private-cwd ${HOME} void fs_check_private_cwd(const char *dir) { EUID_ASSERT(); invalid_filename(dir, 0); // no globbing - if (strcmp(dir, ".") == 0 || *dir != '/') + if (strcmp(dir, ".") == 0) goto errout; // Expand the working directory cfg.cwd = expand_macros(dir); // realpath/is_dir not used because path may not exist outside of jail - if (strstr(cfg.cwd, "..")) + if (strstr(cfg.cwd, "..") || *cfg.cwd != '/') goto errout; return; diff --git a/test/fs/private-cwd.exp b/test/fs/private-cwd.exp index e9c4bdacd..77374e086 100755 --- a/test/fs/private-cwd.exp +++ b/test/fs/private-cwd.exp 
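Review bot: In fs_check_private_cwd the absolute-path test now runs on `cfg.cwd` after `expand_macros(dir)`, but nothing in the function records why, so a later cleanup could move it back onto the raw argument and either break `${HOME}` again or validate a string other than the one stored. I would add above the final check `// validate the expanded value: a macro such as ${HOME} only becomes an absolute path after expansion`. In the new testing notes, the `issue #4780` line does not state the expected result (the expect script in this commit looks for "invalid private working directory"), and the last line `// profile with "private-cwd ${HOME}` is missing its closing quote. The notes also list a symlink path as rejected, which no line visible here enforces; presumably that happens elsewhere, and the note should say where. The `errout` label and the end of the function are outside the hunk.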
@@ -7,46 +7,48 @@ set timeout 10 spawn $env(SHELL) match_max 100000 -send -- "cd /tmp\r" -after 100 - -# testing profile and private -send -- "firejail --private-cwd\r" +send -- "firejail --private-cwd pwd\r" expect { - timeout {puts "TESTING ERROR 0\n";exit} - "Child process initialized" + timeout {puts "TESTING ERROR 1\n";exit} + "$env(HOME)" } sleep 1 -send -- "pwd\r" +send -- "firejail --private-cwd=/etc pwd\r" expect { - timeout {puts "TESTING ERROR 1\n";exit} - "$env(HOME)" + timeout {puts "TESTING ERROR 2\n";exit} + "/etc" } -after 100 - -send -- "exit\r" sleep 1 -send -- "cd /\r" -after 100 - -# testing profile and private -send -- "firejail --private-cwd=/tmp\r" +send -- "firejail --private --private-cwd=. pwd\r" expect { timeout {puts "TESTING ERROR 3\n";exit} - "Child process initialized" + "invalid private working directory" } sleep 1 -send -- "pwd\r" +after 100 +send -- "firejail --private-cwd='\${HOME}' pwd\r" expect { timeout {puts "TESTING ERROR 4\n";exit} - "/tmp" + "$env(HOME)" } -after 100 +sleep 1 -send -- "exit\r" +after 100 +send -- "firejail --private-cwd=\"\${HOME}\" pwd\r" +expect { + timeout {puts "TESTING ERROR 5\n";exit} + "$env(HOME)" +} sleep 1 +send -- "firejail --profile=private-cwd.profile pwd\r" +expect { + timeout {puts "TESTING ERROR 6\n";exit} + "$env(HOME)" +} +after 100 + puts "all done\n" diff --git a/test/fs/private-cwd.profile b/test/fs/private-cwd.profile new file mode 100644 index 000000000..9dd97a8ac --- /dev/null +++ b/test/fs/private-cwd.profile @@ -0,0 +1 @@ +private-cwd ${HOME} -- cgit v1.2.3-54-g00ecf
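Review bot: The `"/etc"` expectation after `send -- "firejail --private-cwd=/etc pwd\r"` can be satisfied by the shell echoing the command line, which already contains `/etc`, so this case would likely pass even if firejail refused the directory or never started. The removed version waited for `"Child process initialized"` before reading the `pwd` output; keeping that first expectation, or matching the path on a line of its own, would tie the result to the sandbox actually running. The `"$env(HOME)"` cases have the same exposure if the shell prompt prints the home path. The script covers `--private-cwd=.` but not `--private-cwd=..` or a relative name, which are the inputs rejected by the check this commit moved in fs_home.c; each could expect the same rejection text as the `.` case, assuming the error path prints one message for all of them.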