fix --private-cwd, issue #4910

RELNOTES

@@ -1,5 +1,6 @@
 firejail (0.9.69) baseline; urgency=low
   * work in progress
+  * bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
  -- netblue30 <netblue30@yahoo.com>  Mon, 7 Feb 2022 09:00:00 -0500
 
 firejail (0.9.68) baseline; urgency=low

src/firejail/fs_home.c

@@ -453,17 +453,27 @@ void fs_check_private_dir(void) {
 }
 
 // check new private working directory (--private-cwd= option) - exit if it fails
+// for testing:
+//    $ firejail --private --private-cwd=. --noprofile ls
+//	issue #4780: exposes full home directory, not the --private one
+//   $ firejail --private-cwd=.. --noprofile ls  -> error: full dir path required
+//   $ firejail --private-cwd=/etc --noprofile ls  -> OK
+//   $ firejail --private-cwd=FULL-SYMLINK-PATH  --noprofile ls  -> error: no symlinks
+//   $ firejail --private --private-cwd="${HOME}" --noprofile ls -al  --> OK
+//   $ firejail --private --private-cwd='${HOME}' --noprofile ls -al  --> OK
+//   $ firejail --private-cwd  --> OK: should go in top of the home dir
+//   profile with "private-cwd ${HOME}
 void fs_check_private_cwd(const char *dir) {
 	EUID_ASSERT();
 	invalid_filename(dir, 0); // no globbing
-	if (strcmp(dir, ".") == 0 || *dir != '/')
+	if (strcmp(dir, ".") == 0)
 		goto errout;
 
 	// Expand the working directory
 	cfg.cwd = expand_macros(dir);
 
 	// realpath/is_dir not used because path may not exist outside of jail
-	if (strstr(cfg.cwd, ".."))
+	if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
 		goto errout;
 
 	return;

test/fs/private-cwd.exp

@@ -7,46 +7,48 @@ set timeout 10
 spawn $env(SHELL)
 match_max 100000
 
-send -- "cd /tmp\r"
-after 100
-
-# testing profile and private
-send -- "firejail --private-cwd\r"
-expect {
-	timeout {puts "TESTING ERROR 0\n";exit}
-	"Child process initialized"
-}
-sleep 1
-
-send -- "pwd\r"
+send -- "firejail --private-cwd pwd\r"
 expect {
 	timeout {puts "TESTING ERROR 1\n";exit}
 	"$env(HOME)"
 }
-after 100
-
-send -- "exit\r"
 sleep 1
 
-send -- "cd /\r"
-after 100
+send -- "firejail --private-cwd=/etc pwd\r"
+expect {
+	timeout {puts "TESTING ERROR 2\n";exit}
+	"/etc"
+}
+sleep 1
 
-# testing profile and private
-send -- "firejail --private-cwd=/tmp\r"
+send -- "firejail --private --private-cwd=. pwd\r"
 expect {
 	timeout {puts "TESTING ERROR 3\n";exit}
-	"Child process initialized"
+	"invalid private working directory"
 }
 sleep 1
 
-send -- "pwd\r"
+after 100
+send -- "firejail  --private-cwd='\${HOME}' pwd\r"
 expect {
 	timeout {puts "TESTING ERROR 4\n";exit}
-	"/tmp"
+	"$env(HOME)"
+}
+sleep 1
+
+after 100
+send -- "firejail  --private-cwd=\"\${HOME}\" pwd\r"
+expect {
+	timeout {puts "TESTING ERROR 5\n";exit}
+	"$env(HOME)"
+}
+sleep 1
+
+send -- "firejail  --profile=private-cwd.profile pwd\r"
+expect {
+	timeout {puts "TESTING ERROR 6\n";exit}
+	"$env(HOME)"
 }
 after 100
 
-send -- "exit\r"
-sleep 1
-
 puts "all done\n"

test/fs/private-cwd.profile

@@ -0,0 +1 @@
+private-cwd ${HOME}