Android 11编译第三弹 ADB开启ROOT权限
问题:Relese版本,默认adb访问会降级到shell权限,一些敏感操作不能进行,远程调试比较麻烦。-DALLOW_PERMISSIVE_SELINUX=0修改为 -DALLOW_PERMISSIVE_SELINUX=1。ro.secure表示root权限,要开启Root权限,系统配置ro.secure=0 开启ROOT权限。user版本就是Releae版本,userdebug版本就是debug
一、为什么需要adb root权限
问题:Relese版本,默认adb访问会降级到shell权限,一些敏感操作不能进行,远程调试比较麻烦。且Release版本没有su模块,不能切换Root用户。
开启adb调试以后,默认进入adb是system权限,不能切换到root(因为Release没有集成su).
有两种方式切换Root:
1) Release也集成su模块
2)默认Release版本adb 开启Root权限
二、开启adb ROOT权限
开启Root权限
ro.secure表示root权限,要开启Root权限,系统配置ro.secure=0 开启ROOT权限
2.1 编译时默认开启ROOT权限
build/make/core/main.mk
ifneq (,$(user_variant))
# ==== modify begin ====
# fix: zhouronghua default as root
# Target is secure in user builds.
ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
# ==== modify end ====
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
ifeq ($(user_variant),user)
# ==== modify begin ==== fix: default as root
ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
# ==== modify end ====
endif
user版本就是Releae版本,userdebug版本就是debug版本。
2.2 Zygote关闭权限降级
frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
// ==== modify begin ==== zhouronghua
#if 0
for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
if (errno == EINVAL) {
ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
"your kernel is compiled with file capabilities support");
} else {
fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)));
}
}
}
#endif
// ==== modify end ====
}2.3 Android.bp允许暴力修改selinux权限
system/core/init/Android.bp
-DALLOW_PERMISSIVE_SELINUX=0 修改为 -DALLOW_PERMISSIVE_SELINUX=1
cc_defaults {
name: "init_defaults",
cpp_std: "experimental",
sanitize: {
misc_undefined: ["signed-integer-overflow"],
},
cflags: [
"-DLOG_UEVENTS=0",
"-Wall",
"-Wextra",
"-Wno-unused-parameter",
"-Werror",
"-Wthread-safety",
"-DALLOW_FIRST_STAGE_CONSOLE=0",
"-DALLOW_LOCAL_PROP_OVERRIDE=0",
"-DALLOW_PERMISSIVE_SELINUX=1",
"-DREBOOT_BOOTLOADER_ON_PANIC=0",
"-DWORLD_WRITABLE_KMSG=0",
"-DDUMP_ON_UMOUNT_FAILURE=0",
2.4 init程序允许暴力修改selinux权限
system/core/init/Android.mk
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
init_options += \
-DALLOW_FIRST_STAGE_CONSOLE=1 \
-DALLOW_LOCAL_PROP_OVERRIDE=1 \
-DALLOW_PERMISSIVE_SELINUX=1 \
-DREBOOT_BOOTLOADER_ON_PANIC=1 \
-DWORLD_WRITABLE_KMSG=1 \
-DDUMP_ON_UMOUNT_FAILURE=1
else
# ==== modify begin ==== zhouronghua allow permissive
init_options += \
-DALLOW_FIRST_STAGE_CONSOLE=0 \
-DALLOW_LOCAL_PROP_OVERRIDE=0 \
-DALLOW_PERMISSIVE_SELINUX=1 \
-DREBOOT_BOOTLOADER_ON_PANIC=0 \
-DWORLD_WRITABLE_KMSG=0 \
-DDUMP_ON_UMOUNT_FAILURE=0
# ==== modify end ====
endif
2.5 su程序权限提级
system/core/libcutils/fs_config.cpp
// the following two files are INTENTIONALLY set-uid, but they
// are NOT included on user builds.
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
// ==== modify begin ==== zhouronghua su right improve
{ 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
2.6 修改su程序权限
system/core/rootdir/init.rc
chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
# ==== modify begin ==== zhouronghua su right
chmod 6755 /system/xbin/su
# ==== modify end ====
2.7 su程序构建
system/extras/su/Android.mk
LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
# ==== modify begin ==== zhouronghua su as common module
LOCAL_MODULE_TAGS := optional
# ==== modify end ====
2.8 su程序去掉Root用户检测
system/extras/su/su.cpp
int main(int argc, char** argv) {
// ==== modify begin ==== zhouronghua delete root shell check
#if 0
uid_t current_uid = getuid();
if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
#endif
// ==== modify end ====
2.9 关闭selinux.cpp强制安全检测
system/core/init/selinux.cpp
bool IsEnforcing() {
// ==== modify start ==== zhouronghua 不需要强制安全检测
return false;
// ==== modify end
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
return true;
}2.10 adb不降级采用ROOT访问
adbd启动时检查属性,决定是否进行权限降级到AID_SHELL
system/core/adb/daemon/main.cpp
static bool should_drop_privileges() {
// ==== modify begin ====
// fix: zhouronghua "adb root" not allowed, always drop privileges.
if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return false;
// ==== modifu end ====adb Root权限访问不需要降级。
2.11 安卓内核默认开启selLinux
kernel/configs/o-mr1/android-3.18/android-base.config
kernel/configs/o-mr1/android-4.4/android-base.config
kernel/configs/o-mr1/android-4.9/android-base.config
kernel/configs/o/android-3.18/android-base.config
kernel/configs/o/android-3.18/android-base.config
kernel/configs/o/android-4.4/android-base.config
kernel/configs/o/android-4.9/android-base.config
kernel/configs/p/android-4.14/android-base.config
kernel/configs/p/android-4.4/android-base.config
kernel/configs/p/android-4.9/android-base.config
kernel/configs/q/android-4.14/android-base.config
kernel/configs/q/android-4.19/android-base.config
kernel/configs/q/android-4.9/android-base.config
kernel/configs/r/android-4.14/android-base.config
kernel/configs/r/android-4.19/android-base.config
kernel/configs/r/android-5.4/android-base.config
CONFIG_XFRM_USER=y
# ==== modify begin ==== zhouronghua selinux
CONFIG_SECURITY_SELINUX_DEVELOP=y
# # ==== modify end ====
开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!
更多推荐
2
0- 0
已为社区贡献2条内容
所有评论(0)