Allow chrooting the application

2026-04-14 10:07:39 +08:00 · 2015-12-22 09:48:11 +01:00 · 2015-12-22 09:48:11 +01:00 · 23e9693641
commit 23e9693641
parent e1597c2aa9
2 changed files with 46 additions and 4 deletions
--- a/Tools/sitl_run.sh
+++ b/Tools/sitl_run.sh
@ -14,6 +14,15 @@ echo program: $program
 echo model: $model
 echo build_path: $build_path

+if [ "$chroot" == "1" ]
+then
+	chroot_enabled=-c
+	sudo_enabled=sudo
+else
+	chroot_enabled=""
+	sudo_enabled=""
+fi
+
 if [ "$model" == "" ] || [ "$model" == "none" ]
 then
 	echo "empty model, setting iris as default"
@ -48,7 +57,7 @@ if [ "$program" == "jmavsim" ] && [ "$no_sim" == "" ]
 then
 	cd Tools/jMAVSim
 	ant
-	nice -n -10 java -Djava.ext.dirs= -cp lib/*:out/production/jmavsim.jar me.drton.jmavsim.Simulator -udp 127.0.0.1:14560 &
+	java -Djava.ext.dirs= -cp lib/*:out/production/jmavsim.jar me.drton.jmavsim.Simulator -udp 127.0.0.1:14560 &
 	SIM_PID=`echo $!`
 elif [ "$program" == "gazebo" ] && [ "$no_sim" == "" ]
 then
@ -65,7 +74,7 @@ then
 		cd Tools/sitl_gazebo/Build
 		cmake -Wno-dev ..
 		make -j4
-		nice -n -10 gzserver --verbose ../worlds/${model}.world &
+		gzserver --verbose ../worlds/${model}.world &
 		SIM_PID=`echo $!`
 		gzclient --verbose &
 		GUI_PID=`echo $!`
@ -96,7 +105,7 @@ elif [ "$debugger" == "valgrind" ]
 then
 	valgrind ./mainapp ../../../../${rc_script}_${program}_${model}
 else
-	nice -n -10 ./mainapp ../../../../${rc_script}_${program}_${model}
+	$sudo_enabled ./mainapp $chroot_enabled ../../../../${rc_script}_${program}_${model}
 fi

 if [ "$program" == "jmavsim" ]
--- a/src/platforms/posix/main.cpp
+++ b/src/platforms/posix/main.cpp
@ -44,6 +44,7 @@
 #include <sstream>
 #include <vector>
 #include <signal.h>
+#include <unistd.h>
 #include "apps.h"
 #include "px4_middleware.h"
 #include "DriverFramework.hpp"
@ -157,6 +158,7 @@ static void process_line(string &line, bool exit_on_fail)
 int main(int argc, char **argv)
 {
 	bool daemon_mode = false;
+	bool chroot_on = false;
 	signal(SIGINT, _SigIntHandler);
 	signal(SIGFPE, _SigFpeHandler);

@ -174,6 +176,9 @@ int main(int argc, char **argv)
 				usage();
 				return 0;

+			} else if (strcmp(argv[index], "-c") == 0) {
+				chroot_on = true;
+
 			} else {
 				PX4_WARN("Unknown/unhandled parameter: %s", argv[index]);
 				return 1;
@ -203,7 +208,7 @@ int main(int argc, char **argv)

 		px4::init(argc, argv, "mainapp");

-		//if commandfile is present, process the commands from the file
+		// if commandfile is present, process the commands from the file
 		if (commands_file != nullptr) {
 			ifstream infile(commands_file);

@ -217,6 +222,34 @@ int main(int argc, char **argv)
 			}
 		}

+		if (chroot_on) {
+			// Lock this application in the current working dir
+			// this is not an attempt to secure the environment,
+			// rather, to replicate a deployed file system.
+			char pwd_path[PATH_MAX];
+			const char *folderpath = "/rootfs/";
+
+			if (nullptr == getcwd(pwd_path, sizeof(pwd_path))) {
+				PX4_ERR("Failed aquiring working dir, abort.");
+				exit(1);
+			}
+
+			if (nullptr == strcat(pwd_path, folderpath)) {
+				PX4_ERR("Failed completing path, abort.");
+				exit(1);
+			}
+
+			if (chroot(pwd_path)) {
+				PX4_ERR("Failed chrooting application, path: %s, error: %s.", pwd_path, strerror(errno));
+				exit(1);
+			}
+
+			if (chdir("/")) {
+				PX4_ERR("Failed changing to root dir, path: %s, error: %s.", pwd_path, strerror(errno));
+				exit(1);
+			}
+		}
+
 		if (!daemon_mode) {
 			string mystr = "";
 			string string_buffer[CMD_BUFF_SIZE];