在 Android 7 和 Android 8 的 user 版本中让应用获得 root 权限

基于 8953 android7.1 记录

1):device

路径:-》android/device/qcom/msm8953_64/msm8953_64.mk

在 device 下新建 mysu 目录,并把下面的插件内容放到 sc826/device/qcom/msm8953_64 下

1.1):路径:-》 android/device/qcom/msm8953_64/msm8953_64.mk

1.2):修改的内容 -》

 

--- a/msm8953_64.mk

+++ b/msm8953_64.mk

@@ -68,6 +68,15 @@ endif

 

device/qcom/msm8953_64/lib/hw/gps.default.so:system/lib/hw/gps.default.so \

device/qcom/msm8953_64/lib64/hw/gps.default.so:system/lib64/hw/gps.default.so

 

#Copy user root files to system

+PRODUCT_COPY_FILES += \

+ device/qcom/msm8953_64/mysu/su:system/xbin/su \

+ device/qcom/msm8953_64/mysu/su:system/bin/su \

+ device/qcom/msm8953_64/mysu/sud:system/bin/sud \

+ device/qcom/msm8953_64/mysu/r:system/bin/r \

+ device/qcom/msm8953_64/mysu/daemonsu:system/xbin/daemonsu \

+ device/qcom/msm8953_64/mysu/chattr:system/xbin/chattr \

+ device/qcom/msm8953_64/mysu/chattr.pie:system/xbin/chattr.pie \

+ device/qcom/msm8953_64/mysu/libsupol.so:system/lib/libsupol.so \

+ device/qcom/msm8953_64/mysu/supolicy:system/bin/supolicy \

+ device/qcom/msm8953_64/mysu/rootsudaemon.sh:system/bin/rootsudaemon.sh

 

#Copy N4 camera dynlib files to system

PRODUCT_COPY_FILES += \
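Review bot: The `mysu/` entries added to `PRODUCT_COPY_FILES` install prebuilt binaries (`su`, `daemonsu`, `supolicy`, `libsupol.so`, …) for which the tree records no source, version or checksum, so the most privileged code in the image cannot be audited or reproduced. Record provenance next to the list, for example `# mysu/su: origin=<ORIGIN_PLACEHOLDER> sha256=<SHA256_PLACEHOLDER>`, and have the build verify the hashes before copying. The block is also unconditional; wrapping it in an opt-in such as `ifeq ($(PRODUCT_ALLOW_USER_ROOT),true)` (variable name constructed for this note) keeps it out of images that are meant to ship. Note that `su` is copied to both `system/xbin/su` and `system/bin/su`, while the fs_config change on this page covers only the `xbin` path.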

 

su传送门

链接:https://pan.baidu.com/s/1dILtU3mVvSsPqDDF4LadPg 
提取码:6wte 

 

----------------------------------------------------------------------------------------------------------------------------

 

2):system

2.1):路径:-》/android/system/core/libcutils/fs_config.c

 

diff --git a/libcutils/fs_config.c b/libcutils/fs_config.c

index 9acfa58..32fa83f 100644

--- a/libcutils/fs_config.c

+++ b/libcutils/fs_config.c

@@ -136,7 +136,7 @@ static const struct fs_path_config android_files[] = {

 

/* the following two files are INTENTIONALLY set-uid, but they

* are NOT included on user builds. */

- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },

+ { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" },

{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },

 

/* the following files have enhanced capabilities and ARE included in user builds. */
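Review bot: The new entry `{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" }` makes the binary set-uid and set-gid root and executable by every uid, where the old `04750` root:shell entry limited execution to root and members of the shell group. The comment directly above still says these files are NOT included on user builds, which no longer describes this tree and should be reworded. If only one component needs to elevate, keep `04750` and change only the group to the gid that component runs with, e.g. `{ 04750, AID_ROOT, <ALLOWED_GID_PLACEHOLDER>, 0, "system/xbin/su" },`.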

 

----------------------------------------------------------------------------------------------------------------------------

 

2.2):路径:-》 android/system/core/adb/daemon/main.cpp

--- a/adb/daemon/main.cpp

+++ b/adb/daemon/main.cpp

@@ -41,6 +41,8 @@

#include "adb_utils.h"

#include "transport.h"

 

+#define CJY_ALLOW_ADB_ROOT

 

static const char* root_seclabel = nullptr;

 

static void drop_capabilities_bounding_set_if_needed() {
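Review bot: `#define CJY_ALLOW_ADB_ROOT` is placed in the source file itself, so every variant built from this tree gets it and nothing in the build system shows that adbd's privilege drop is disabled. In the next hunk the `return false;` it enables sits above `#if defined(ALLOW_ADBD_ROOT)`, so the existing checks in `should_drop_privileges()` are never reached. Pass the macro from `adb/Android.mk` under an explicit product opt-in instead, e.g. `LOCAL_CFLAGS += -DCJY_ALLOW_ADB_ROOT` inside `ifeq ($(PRODUCT_ALLOW_USER_ROOT),true)` (variable name constructed for this note). Add a comment at the `return false;` stating that adbd then keeps uid 0 for every connection.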

@@ -64,6 +66,9 @@ static void drop_capabilities_bounding_set_if_needed() {

}

 

static bool should_drop_privileges() {

+#ifdef CJY_ALLOW_ADB_ROOT

+ return false;

+#endif

#if defined(ALLOW_ADBD_ROOT)

char value[PROPERTY_VALUE_MAX];

 

@@ -142,12 +147,15 @@ static void drop_privileges(int server_port) {

} else {

// minijail_enter() will abort if any priv-dropping step fails.

minijail_enter(jail.get());

-

- if (root_seclabel != nullptr) {

- if (selinux_android_setcon(root_seclabel) < 0) {

- LOG(FATAL) << "Could not set SELinux context";

- }

- }

+#ifdef CJY_ALLOW_ADB_ROOT

+ D("CJY_ALLOW_ADB_ROOT enabled\n");

+#else

+ if (root_seclabel != nullptr) {

+ if (selinux_android_setcon(root_seclabel) < 0) {

+ LOG(FATAL) << "Could not set SELinux context";

+ }

+ }

+#endif
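Review bot: With the macro defined, the root branch skips `selinux_android_setcon(root_seclabel)` and reports this only through `D(...)`, which produces output only when adb tracing is enabled, so a device running a root adbd leaves no trace of it in normal logs. Use an unconditional log line instead, `LOG(WARNING) << "adbd keeps root, SELinux context unchanged (CJY_ALLOW_ADB_ROOT)";`, so log collection can identify such builds. A comment above the `#ifdef` should state which domain adbd is expected to remain in when the context switch is skipped. `drop_privileges()` starts and ends outside this hunk.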

 

----------------------------------------------------------------------------------------------------------------------------

2.3):路径:-》/android/system/extras/su/su.c

 

--- a/su/su.c

+++ b/su/su.c

@@ -81,8 +81,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i

}

 

int main(int argc, char** argv) {

- uid_t current_uid = getuid();

- if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");

+ // uid_t current_uid = getuid();

+ // if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");

 

// Handle -h and --help.

++argv;
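Review bot: Commenting out the `getuid()` check removes the only caller restriction visible in `main`, and together with the world-executable set-uid mode set in fs_config on this page, any uid on the device can run `su`. If a specific caller must be allowed, keep the check and extend it rather than disable it, e.g. `if (current_uid != AID_ROOT && current_uid != AID_SHELL && current_uid != <ALLOWED_UID_PLACEHOLDER>) error(1, 0, "not allowed");`. The two `//` lines should be deleted or replaced by a comment that explains the decision, since disabled code gives no reason. `main` continues outside this hunk.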

 

----------------------------------------------------------------------------------------------------------------------------

2.4):路径:-》android/system/core/rootdir/init.rc

 

--- a/rootdir/init.rc

+++ b/rootdir/init.rc

@@ -27,6 +27,7 @@ on early-init

restorecon /postinstall

 

start ueventd

+ start rootservice

 

on init

sysclktz 0
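Review bot: `start rootservice` is issued in `on early-init`, which runs before the triggers that normally mount /system, so unless this device uses system-as-root the script `/system/bin/rootsudaemon.sh` is probably not present yet and the start is likely to fail. Move the start to a trigger that runs after the filesystem mounts. Add a comment above it naming what the script launches, because it runs as root on every boot.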

@@ -331,6 +332,8 @@ on post-fs

 

chown root log /proc/slabinfo

chmod 0440 /proc/slabinfo

 

+ chmod 0755 /system/bin/rootsudaemon.sh

 

#change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks

chown root system /proc/kmsg
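Review bot: The added `chmod 0755 /system/bin/rootsudaemon.sh` runs at `post-fs`, when /system is normally mounted read-only, so it is likely to fail; file modes on the system image are fixed at build time. Drop the line and, if the default mode for files under `system/bin` is not what is wanted, add an entry for the script to `android_files[]` in `libcutils/fs_config.c`, the table this page already edits for `su`.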

@@ -643,6 +646,13 @@ on property:security.perf_harden=0

on property:security.perf_harden=1

write /proc/sys/kernel/perf_event_paranoid 3

 

+service rootservice /system/bin/rootsudaemon.sh

+ user root

+ group root

+ disabled

+ oneshot

+ seclabel u:r:init:s0

+

## Daemon processes to be run by init.

##

service ueventd /sbin/ueventd
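Review bot: `seclabel u:r:init:s0` runs `rootsudaemon.sh` as root in init's own SELinux domain, one of the most privileged contexts on the device, and the script comes from the prebuilt `mysu/` bundle. Give the service a dedicated domain with only the permissions it needs, e.g. `seclabel u:r:rootservice:s0` (type name constructed for this note) backed by a matching `.te` file, so the policy documents and bounds what the daemon may do. A short comment above the `service` line should say which trigger starts it, since it is declared `disabled` and `oneshot`.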

 

----------------------------------------------------------------------------------------------------------------------------

 

3):frameworks

3.1):路径:-》 android/frameworks/base/cmds/app_process

 

--- a/cmds/app_process/app_main.cpp

+++ b/cmds/app_process/app_main.cpp

@@ -185,6 +185,7 @@ static const char ZYGOTE_NICE_NAME[] = "zygote";

 

int main(int argc, char* const argv[])

{

+/*

if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {

// Older kernels don't understand PR_SET_NO_NEW_PRIVS and return

// EINVAL. Don't die on such kernels.
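Review bot: Wrapping the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` block in `/* … */` (closed by the `*/` in the next hunk) removes no_new_privs from zygote and, by inheritance, from every app process it forks, so set-uid binaries regain their effect for all apps rather than for one chosen caller. A block comment is also fragile here, because any `/* */` comment inside the region would end it early. Use a named compile-time switch instead, `#ifndef PRODUCT_ALLOW_USER_ROOT` … `#endif` (macro name constructed for this note), with a comment stating why the call is skipped, so the default build keeps the protection. `main` continues outside both hunks.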

@@ -193,7 +194,7 @@ int main(int argc, char* const argv[])

return 12;

}

}

-

+*/

AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));

// Process command line arguments

// ignore argv[0]

chenjy@ubuntu026:~/1_8909/2_sc806-7-mode_7/LINUX/android/frameworks/base/cmds/app_process$

 

3.2):路径:-》android/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

 

--- a/core/jni/com_android_internal_os_Zygote.cpp

+++ b/core/jni/com_android_internal_os_Zygote.cpp

@@ -225,7 +225,7 @@ static void EnableKeepCapabilities(JNIEnv* env) {

}

 

static void DropCapabilitiesBoundingSet(JNIEnv* env) {

- for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {

+ /* for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {

int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);

if (rc == -1) {

if (errno == EINVAL) {
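Review bot: Commenting out the loop (the closing `}*/` is in the next hunk) leaves `DropCapabilitiesBoundingSet()` as an empty function, so the code still reads as if the bounding set were dropped while every forked app keeps the full set. Keep the function honest with a comment such as `// Intentionally a no-op on this product: the bounding set is NOT dropped`, or guard the loop with a named macro so the stock behaviour stays the default. The kernel change to `cap_prctl_drop` on this page targets the same call for zygote, so only one of the two mechanisms is needed.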

@@ -235,7 +235,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {

RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed");

}

}

- }

+ }*/

}

 

static void SetCapabilities(JNIEnv* env, int64_t permitted, int64_t effective) {

 

----------------------------------------------------------------------------------------------------------------------------

 

4):kernel

4.1):路径:-》android/kernel/security/commoncap.c

 

--- a/security/commoncap.c

+++ b/security/commoncap.c

@@ -835,6 +835,14 @@ int cap_task_setnice(struct task_struct *p, int nice)

*/

static long cap_prctl_drop(struct cred *new, unsigned long cap)

{

+ if(!strncmp(current->comm,"zygote",16))

+ {

+ return -EINVAL;

+ }

+ if(!strncmp(current->comm,"adbd",16))

+ {

+ return -EINVAL;

+ }

if (!capable(CAP_SETPCAP))

return -EPERM;

if (!cap_valid(cap))
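Review bot: The two `strncmp(current->comm, …, 16)` tests identify tasks by name, but a task can change its own `comm`, so this is not an identity check and it also disables `PR_CAPBSET_DROP` for any unrelated process that carries either name. With a length of 16 the comparison is exact, so a task named `zygote64` (which I believe is the usual name of the 64-bit zygote) does not match on this `msm8953_64` target. Returning `-EINVAL` also makes callers that tolerate EINVAL as "not supported by the kernel" continue as if nothing failed. Since the userspace callers are already patched on this page, the hunk can be dropped; if kept, use `TASK_COMM_LEN` instead of the literal `16` and kernel brace style. `cap_prctl_drop` continues outside the hunk.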

(END)

 

 

---------------------------------------------------------------------------------------------------------------

5):adb root

5.1): 路径:-》android/build/core/main.mk

 

index a612f83..95dbe62 100644

--- a/core/main.mk

+++ b/core/main.mk

@@ -394,7 +394,7 @@ ifneq (,$(user_variant))selinux_is_enforcing

ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1

 

ifeq ($(user_variant),user)

- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1

+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0

endif

 

ifeq ($(user_variant),userdebug)
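Review bot: Setting `ro.adb.secure=0` in the `user` branch turns off adb host-key authentication, which is independent of whether adbd runs as root; a root adbd works with authentication still on. Keep `ro.adb.secure=1` here so that only hosts approved on the device can open a session, because with the adbd changes on this page an unauthenticated session is a root shell. If the value has to change, add a comment above the line saying so, since the `ifeq ($(user_variant),user)` block otherwise looks like stock hardening.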

@@ -426,7 +426,7 @@ ifeq (true,$(strip $(enable_target_debugging)))

INCLUDE_TEST_OTA_KEYS := true

else # !enable_target_debugging

# Target is less debuggable and adbd is off by default

- ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0

+ ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1

endif # !enable_target_debugging

 

## eng ##
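Review bot: The comment `# Target is less debuggable and adbd is off by default` now sits directly above `ro.debuggable=1`, so it states the opposite of what the branch does. As far as I know `ro.debuggable=1` also lets a debugger attach to every app regardless of its manifest, which is much broader than granting root to adbd. Update the comment, or better, leave this line at `ro.debuggable=0` and rely on the narrower adbd switch introduced elsewhere on this page.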

 

 

5.2): 路径:-》android/system/core/adb/Android.mk

 

--- a/adb/Android.mk

+++ b/adb/Android.mk

@@ -327,7 +327,7 @@ LOCAL_CFLAGS := \

-D_GNU_SOURCE \

-Wno-deprecated-declarations \

 

-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)

+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter user userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)

 

ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
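Review bot: After adding `user`, the filter `user userdebug eng` matches every standard `TARGET_BUILD_VARIANT`, so `$(if …,1,0)` always yields 1 and the conditional is dead. If no-auth really is wanted everywhere, write `LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=1` with a comment saying so; otherwise restore the original filter, since authentication does not need to be off for adbd to run as root. The unchanged `ifneq (,$(filter userdebug eng,…))` two lines below now uses a different variant list, which is easy to misread.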

 

 

 

5.3) 路径:-》android/system/core/init/Android.mk

 

--- a/init/Android.mk

+++ b/init/Android.mk

@@ -4,7 +4,7 @@ LOCAL_PATH:= $(call my-dir)

 

# --

 

-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_PERMISSIVE_SELINUX=1

else

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=0
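Review bot: With `user` in the filter the `else` branch can no longer be taken for any standard variant, so user images are built with both `-DALLOW_LOCAL_PROP_OVERRIDE=1` and `-DALLOW_PERMISSIVE_SELINUX=1`. These are two separate relaxations; split the `init_options` line so that only the one actually required is set to 1 for `user`, and leave the other at 0. A comment above the `ifneq` should say that user builds are included deliberately.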

 

 

 

 

 

 
