github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

fix --private-cwd, issue #4910

Browse source
This commit is contained in:
netblue30 2022-02-08 10:30:22 -05:00
parent 918fa1ea9e
commit 86a57917aa
4 changed files with 41 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

1
RELNOTES
View file

@ -1,5 +1,6 @@
firejail (0.9.69) baseline; urgency=low firejail (0.9.69) baseline; urgency=low
* work in progress * work in progress
* bugfix: --private-cwd not expanding macros, broken hyperrogue (#4910)
-- netblue30 <netblue30@yahoo.com> Mon, 7 Feb 2022 09:00:00 -0500 -- netblue30 <netblue30@yahoo.com> Mon, 7 Feb 2022 09:00:00 -0500
firejail (0.9.68) baseline; urgency=low firejail (0.9.68) baseline; urgency=low

14
src/firejail/fs_home.c
View file

@ -453,17 +453,27 @@ void fs_check_private_dir(void) {
} }
// check new private working directory (--private-cwd= option) - exit if it fails // check new private working directory (--private-cwd= option) - exit if it fails
// for testing:
// $ firejail --private --private-cwd=. --noprofile ls
// issue #4780: exposes full home directory, not the --private one
// $ firejail --private-cwd=.. --noprofile ls -> error: full dir path required
// $ firejail --private-cwd=/etc --noprofile ls -> OK
// $ firejail --private-cwd=FULL-SYMLINK-PATH --noprofile ls -> error: no symlinks
// $ firejail --private --private-cwd="${HOME}" --noprofile ls -al --> OK
// $ firejail --private --private-cwd='${HOME}' --noprofile ls -al --> OK
// $ firejail --private-cwd --> OK: should go in top of the home dir
// profile with "private-cwd ${HOME}
void fs_check_private_cwd(const char *dir) { void fs_check_private_cwd(const char *dir) {
EUID_ASSERT(); EUID_ASSERT();
invalid_filename(dir, 0); // no globbing invalid_filename(dir, 0); // no globbing
if (strcmp(dir, ".") == 0 || *dir != '/') if (strcmp(dir, ".") == 0)
goto errout; goto errout;
// Expand the working directory // Expand the working directory
cfg.cwd = expand_macros(dir); cfg.cwd = expand_macros(dir);
// realpath/is_dir not used because path may not exist outside of jail // realpath/is_dir not used because path may not exist outside of jail
if (strstr(cfg.cwd, "..")) if (strstr(cfg.cwd, "..") || *cfg.cwd != '/')
goto errout; goto errout;
return; return;

52
test/fs/private-cwd.exp
View file

@ -7,46 +7,48 @@ set timeout 10
spawn $env(SHELL) spawn $env(SHELL)
match_max 100000 match_max 100000
send -- "cd /tmp\r" send -- "firejail --private-cwd pwd\r"
after 100
# testing profile and private
send -- "firejail --private-cwd\r"
expect {
timeout {puts "TESTING ERROR 0\n";exit}
"Child process initialized"
}
sleep 1
send -- "pwd\r"
expect { expect {
timeout {puts "TESTING ERROR 1\n";exit} timeout {puts "TESTING ERROR 1\n";exit}
"$env(HOME)" "$env(HOME)"
} }
after 100
send -- "exit\r"
sleep 1 sleep 1
send -- "cd /\r" send -- "firejail --private-cwd=/etc pwd\r"
after 100 expect {
timeout {puts "TESTING ERROR 2\n";exit}
"/etc"
}
sleep 1
# testing profile and private send -- "firejail --private --private-cwd=. pwd\r"
send -- "firejail --private-cwd=/tmp\r"
expect { expect {
timeout {puts "TESTING ERROR 3\n";exit} timeout {puts "TESTING ERROR 3\n";exit}
"Child process initialized" "invalid private working directory"
} }
sleep 1 sleep 1
send -- "pwd\r" after 100
send -- "firejail --private-cwd='\${HOME}' pwd\r"
expect { expect {
timeout {puts "TESTING ERROR 4\n";exit} timeout {puts "TESTING ERROR 4\n";exit}
"/tmp" "$env(HOME)"
}
sleep 1
after 100
send -- "firejail --private-cwd=\"\${HOME}\" pwd\r"
expect {
timeout {puts "TESTING ERROR 5\n";exit}
"$env(HOME)"
}
sleep 1
send -- "firejail --profile=private-cwd.profile pwd\r"
expect {
timeout {puts "TESTING ERROR 6\n";exit}
"$env(HOME)"
} }
after 100 after 100
send -- "exit\r"
sleep 1
puts "all done\n" puts "all done\n"

1
test/fs/private-cwd.profile Normal file
View file

@ -0,0 +1 @@
private-cwd ${HOME}