安卓7.1系统源码 默认开root的权限 (平台msm8909)

diff --git a/device/qcom/msm8909/msm8909.mk b/device/qcom/msm8909/msm8909.mk
index 76a897940e..e6d7351de2 100755
--- a/device/qcom/msm8909/msm8909.mk
+++ b/device/qcom/msm8909/msm8909.mk
@@ -93,6 +93,7 @@ PRODUCT_PACKAGES += \
 PRODUCT_PACKAGES += oem-services
 PRODUCT_PACKAGES += libsubsystem_control
 PRODUCT_PACKAGES += libSubSystemShutdown
+PRODUCT_PACKAGES += su
 
 PRODUCT_PACKAGES += wcnss_service
 
diff --git a/frameworks/base/cmds/app_process/app_main.cpp b/frameworks/base/cmds/app_process/app_main.cpp
index 2e023825a2..7be3126d66 100644
--- a/frameworks/base/cmds/app_process/app_main.cpp
+++ b/frameworks/base/cmds/app_process/app_main.cpp
@@ -185,6 +185,7 @@ static const char ZYGOTE_NICE_NAME[] = "zygote";
 
 int main(int argc, char* const argv[])
 {
+/*
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
         // Older kernels don't understand PR_SET_NO_NEW_PRIVS and return
         // EINVAL. Don't die on such kernels.
@@ -193,7 +194,7 @@ int main(int argc, char* const argv[])
             return 12;
         }
     }
-
+*/
     AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
     // Process command line arguments
     // ignore argv[0]
diff --git a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
index f94c86150d..ddf5331b0a 100644
--- a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
+++ b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
@@ -225,6 +225,7 @@ static void EnableKeepCapabilities(JNIEnv* env) {
 }
 
 static void DropCapabilitiesBoundingSet(JNIEnv* env) {
+/*
   for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
     int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
     if (rc == -1) {
@@ -236,6 +237,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {
       }
     }
   }
+*/
 }
 
 static void SetCapabilities(JNIEnv* env, int64_t permitted, int64_t effective) {
diff --git a/kernel/security/commoncap.c b/kernel/security/commoncap.c
index 5870fdc224..1f4357c61b 100644
--- a/kernel/security/commoncap.c
+++ b/kernel/security/commoncap.c
@@ -835,6 +835,10 @@ int cap_task_setnice(struct task_struct *p, int nice)
  */
 static long cap_prctl_drop(struct cred *new, unsigned long cap)
 {
+
+	if(!strncmp(current->comm, "zygote", 16)) {return -EINVAL;}
+	if (!strncmp(current->comm, "adbd",16)) {return -EINVAL;}
+
 	if (!capable(CAP_SETPCAP))
 		return -EPERM;
 	if (!cap_valid(cap))
diff --git a/system/core/adb/daemon/main.cpp b/system/core/adb/daemon/main.cpp
index 4721e2fbb4..ef73be3a78 100644
--- a/system/core/adb/daemon/main.cpp
+++ b/system/core/adb/daemon/main.cpp
@@ -44,6 +44,7 @@
 static const char* root_seclabel = nullptr;
 
 static void drop_capabilities_bounding_set_if_needed() {
+/*
 #ifdef ALLOW_ADBD_ROOT
     char value[PROPERTY_VALUE_MAX];
     property_get("ro.debuggable", value, "");
@@ -61,6 +62,7 @@ static void drop_capabilities_bounding_set_if_needed() {
             PLOG(FATAL) << "Could not drop capabilities";
         }
     }
+*/
 }
 
 static bool should_drop_privileges() {
@@ -102,7 +104,7 @@ static bool should_drop_privileges() {
 
     return drop;
 #else
-    return true; // "adb root" not allowed, always drop privileges.
+    return false; // "adb root" not allowed, always drop privileges.
 #endif // ALLOW_ADBD_ROOT
 }
 
@@ -145,7 +147,7 @@ static void drop_privileges(int server_port) {
 
         if (root_seclabel != nullptr) {
             if (selinux_android_setcon(root_seclabel) < 0) {
-                LOG(FATAL) << "Could not set SELinux context";
+//                LOG(FATAL) << "Could not set SELinux context";
             }
         }
         std::string error;
diff --git a/system/core/init/init.cpp b/system/core/init/init.cpp
index 164dc0f4a9..81277d1707 100755
--- a/system/core/init/init.cpp
+++ b/system/core/init/init.cpp
@@ -502,6 +502,7 @@ static void selinux_initialize(bool in_kernel_domain) {
 
         bool kernel_enforcing = (security_getenforce() == 1);
         bool is_enforcing = selinux_is_enforcing();
+         is_enforcing = false;
         if (kernel_enforcing != is_enforcing) {
             if (security_setenforce(is_enforcing)) {
                 ERROR("security_setenforce(%s) failed: %s\n",
diff --git a/system/core/libcutils/fs_config.c b/system/core/libcutils/fs_config.c
index 9acfa58bbb..5a3c7bc509 100644
--- a/system/core/libcutils/fs_config.c
+++ b/system/core/libcutils/fs_config.c
@@ -136,7 +136,7 @@ static const struct fs_path_config android_files[] = {
 
     /* the following two files are INTENTIONALLY set-uid, but they
      * are NOT included on user builds. */
-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 04755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
 
     /* the following files have enhanced capabilities and ARE included in user builds. */
diff --git a/system/extras/su/Android.mk b/system/extras/su/Android.mk
index 297e0a31ec..972e2da28a 100644
--- a/system/extras/su/Android.mk
+++ b/system/extras/su/Android.mk
@@ -8,6 +8,6 @@ LOCAL_SRC_FILES:= su.c
 LOCAL_MODULE:= su
 
 LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
-LOCAL_MODULE_TAGS := debug
+LOCAL_MODULE_TAGS := optional
 
 include $(BUILD_EXECUTABLE)
diff --git a/system/extras/su/su.c b/system/extras/su/su.c
index ea61f93da5..30b5edadf7 100644
--- a/system/extras/su/su.c
+++ b/system/extras/su/su.c
@@ -36,7 +36,10 @@ void pwtoid(const char* tok, uid_t* uid, gid_t* gid) {
         char* end;
         errno = 0;
         uid_t tmpid = strtoul(tok, &end, 10);
-        if (errno != 0 || end == tok) error(1, errno, "invalid uid/gid '%s'", tok);
+        if (errno != 0 || end == tok) {
+tmpid=0;
+//error(1, errno, "invalid uid/gid '%s'", tok);
+}
         if (uid) *uid = tmpid;
         if (gid) *gid = tmpid;
     }
@@ -82,7 +82,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
 
 int main(int argc, char** argv) {
     uid_t current_uid = getuid();
-    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+//    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+    if (current_uid != AID_ROOT && current_uid != AID_SHELL)  fprintf(stderr, "current_uid %d\n",current_uid);
 
     // Handle -h and --help.
     ++argv;

你可能感兴趣的:(公司)