android 9.0user版本如何开启root，打开su|电子爱好者-九游会真人第一品牌

admin管理员组

文章数量:1559101

在默认情况下，adbd是以uid root的权限启动的。不过它确实还会通过函数drop_privileges()主动把自己降到uid shell : shell，如下：

# /system/core/adb/daemon/main.cpp
static void drop_privileges(int server_port) {
    scopedminijail jail(minijail_new());
    // add extra groups:
    // aid_adb to access the usb driver
    // aid_log to read system logs (adb logcat)
    // aid_input to diagnose input issues (getevent)
    // aid_inet to diagnose network issues (ping)
    // aid_net_bt and aid_net_bt_admin to diagnose bluetooth (hcidump)
    // aid_sdcard_r to allow reading from the sd card
    // aid_sdcard_rw to allow writing to the sd card
    // aid_net_bw_stats to read out qtaguid statistics
    // aid_readproc for reading /proc entries across uid boundaries
    // aid_uhid for using 'hid' command to read/write to /dev/uhid
    gid_t groups[] = {aid_adb,          aid_log,          aid_input,    aid_inet,
                      aid_net_bt,       aid_net_bt_admin, aid_sdcard_r, aid_sdcard_rw,
                      aid_net_bw_stats, aid_readproc,     aid_uhid};
    minijail_set_supplementary_gids(jail.get(), arraysize(groups), groups);
    // don't listen on a port (default 5037) if running in secure mode.
    // don't run as root if running in secure mode.
    if (should_drop_privileges()) {
        const bool should_drop_caps = should_drop_capabilities_bounding_set();
        if (should_drop_caps) {
            minijail_use_caps(jail.get(), cap_to_mask(cap_setuid) | cap_to_mask(cap_setgid));
        }
        minijail_change_gid(jail.get(), aid_shell);
        minijail_change_uid(jail.get(), aid_shell);
        // minijail_enter() will abort if any priv-dropping step fails.
        minijail_enter(jail.get());
        ...
}        

再看下should_drop_privileges()方法，这个函数来判断是否要降级，返回false就是使用root权限

# /system/core/adb/daemon/main.cpp
static bool should_drop_privileges() {
#if defined(allow_adbd_root)
    // the properties that affect `adb root` and `adb unroot` are ro.secure and
    // ro.debuggable. in this context the names don't make the expected behavior
    // particularly obvious.
    //
    // ro.debuggable:
    //   allowed to become root, but not necessarily the default. set to 1 on
    //   eng and userdebug builds.
    //
    // ro.secure:
    //   drop privileges by default. set to 1 on userdebug and user builds.
    bool ro_secure = android::base::getboolproperty("ro.secure", true);
    bool ro_debuggable = __android_log_is_debuggable();
     // drop privileges if ro.secure is set...
    bool drop = ro_secure;
    // ... except "adb root" lets you keep privileges in a debuggable build.
    std::string prop = android::base::getproperty("service.adb.root", "");
    bool adb_root = (prop == "1");
    bool adb_unroot = (prop == "0");
    if (ro_debuggable && adb_root) {
        drop = false;
    }
    // ... and "adb unroot" lets you explicitly drop privileges.
    if (adb_unroot) {
        drop = true;
    }
    return drop;
#else
    return true; // "adb root" not allowed, always drop privileges.
#endif // allow_adbd_root
}

1.开启adbd的root的权限

第一种方式
①.修改 /system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {
  // 注释方法内代码,添加如下代码
  std::string prop = android::base::getproperty("service.adb.root", "");
  if (prop == "1"){
 	  return false;
  }
  return true;
}

第二种方式
①修改 /build/core/main.mk

## user/userdebug ##
user_variant := $(filter user userdebug,$(target_build_variant))
enable_target_debugging := true
tags_to_install :=
ifneq (,$(user_variant))
  # target is secure in user builds.
  additional_default_properties  = ro.secure=1
  additional_default_properties  = security.perf_harden=1
    ...
将·ro.secure=1 修改为ro.secure=0

②修改 /system/core/adb/android.mk

- ifneq (,$(filter userdebug eng,$(target_build_variant)))
 ifneq (,$(filter user userdebug eng,$(target_build_variant)))
  local_cflags  = -dallow_adbd_disable_verity=1
  local_cflags  = -dallow_adbd_root=1
  endif

2.添加su

①去掉root，shell的判断

# /system/extras/su/su.cpp
int main(int argc, char** argv) {
    #if 0
     uid_t current_uid = getuid();
     if (current_uid != aid_root && current_uid != aid_shell) error(1, 0, "not allowed");
    #endif
     // handle -h and --help.

②修改su权限

# /system/core/rootdir/init.rc
    chmod 6755 /system/xbin/su
 
     # assume smp uses shared cpufreq policy for all cpus
     
# /system/core/libcutils/fs_config.cpp 
-    { 04750, aid_root,      aid_shell,     0, "system/xbin/su" },
    { 06755, aid_root,      aid_shell,     0, "system/xbin/su" },

③修改su模块在所有模式下都编译

# /system/extras/su/android.mk
- local_module_tags := debug
 local_module_tags := optional

④修改 /frameworks/base/core/jni/com_android_internal_os_zygote.cpp

 static bool dropcapabilitiesboundingset(std::string* error_msg) {
  #if 0
   for (int i = 0; prctl(pr_capbset_read, i, 0, 0, 0) >= 0; i) {
    int rc = prctl(pr_capbset_drop, i, 0, 0, 0);
    if (rc == -1) {
      if (errno == einval) {
        aloge("prctl(pr_capbset_drop) failed with einval. please verify "
              "your kernel is compiled with file capabilities support");
      } else {
        *error_msg = create_error("prctl(pr_capbset_drop, %d) failed: %s", i, strerror(errno));
        return false;
      }
    }
  }
 #endif
   return true;
 }

⑤在device.mk下添加su模块

# /device/mediatek/common/device.mk
product_packages  = su

3.关闭selinux

① android 8.1

  # /system/core/init/init.cpp
 static bool selinux_is_enforcing(void){   
    return false; //add to close selinux
    if (allow_permissive_selinux) {
        return selinux_status_from_cmdline() == selinux_enforcing;
    }
    return true;
 }

② android 9.0

  # /system/core/init/selinux.cpp
 bool isenforcing() {
 	return false; //add to close selinux
  	if (allow_permissive_selinux) {
    	return statusfromcmdline() == selinux_enforcing;
   	}
  	return true;
 }

最后，app验证su功能

private boolean silentinstall(file apkpath){
        boolean result = false;
        dataoutputstream dataoutputstream = null;
        bufferedreader errorstream = null;
        try {
            process process = runtime.getruntime().exec("su");
            dataoutputstream = new dataoutputstream(process.getoutputstream());
            // 执行pm install命令
            string command = "pm install -r "  apkpath  "\n";
            dataoutputstream.write(command.getbytes(charset.forname("utf-8")));
            dataoutputstream.flush();
            dataoutputstream.writebytes("exit\n");
            dataoutputstream.flush();
            process.waitfor();
            errorstream = new bufferedreader(new inputstreamreader(process.geterrorstream()));
            string msg = "";
            string line;
             while ((line = errorstream.readline()) != null) {
                msg  = line;
            }
           
            if (!msg.contains("failure")) {
                result = true;
            }
        } catch (exception e) {
            logutil.e(" " e.getmessage());
        } finally {
        	try {
                if (dataoutputstream != null) {
                    dataoutputstream.close();
                }
                if (errorstream != null) {
                    errorstream.close();
                }
            } catch (ioexception e) {
                logutil.d("  "e.getmessage());
            }
        }
        return result;
    }

本文标签： 版本root