[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限

由于有些APP需要获取root权限。

源码修改

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第1张图片

diff --git a/build/core/main.mk b/build/core/main.mk
index e3fb6fb..0bb9ef2 100644
--- a/build/core/main.mk
+++ b/build/core/main.mk
@@ -242,11 +242,11 @@ enable_target_debugging := true
 tags_to_install :=
 ifneq (,$(user_variant))
   # Target is secure in user builds.
-  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
   ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
 
   ifeq ($(user_variant),user)
-    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
   endif
 
   ifeq ($(user_variant),userdebug)
@@ -254,7 +254,7 @@ ifneq (,$(user_variant))
     tags_to_install += debug
   else
     # Disable debugging in plain user builds.
-    enable_target_debugging :=
+    # enable_target_debugging :=
   endif
 
   # Disallow mock locations by default for user builds

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第2张图片

diff --git a/build/target/product/core.mk b/build/target/product/core.mk
index a2b0f1c..17a5766 100644
--- a/build/target/product/core.mk
+++ b/build/target/product/core.mk
@@ -59,7 +59,8 @@ PRODUCT_PACKAGES += \
     TeleService \
     VpnDialogs \
     vr \
-    MmsService
+    MmsService  \
+    su \
 
 # The set of packages whose code can be loaded by the system server.
 PRODUCT_SYSTEM_SERVER_APPS += \

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第3张图片

diff --git a/device/rockchip/common/system.prop b/device/rockchip/common/system.prop
index 519f233..5d0cb46 100755
--- a/device/rockchip/common/system.prop
+++ b/device/rockchip/common/system.prop
@@ -45,7 +45,7 @@ ro.factory.tool=0
 ro.kernel.android.checkjni=0
 #set default lcd density to Rockchip tablet
 ro.sf.lcd_density=160
-ro.adb.secure =0
+ro.adb.secure =1
 #force camera API 1
 camera2.portability.force_api=1
 #set wifi contry code

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第4张图片

diff --git a/frameworks/base/cmds/webview_zygote/webview_zygote.cpp b/frameworks/base/cmds/webview_zygote/webview_zygote.cpp
index 88fee64..1d9830d 100644
--- a/frameworks/base/cmds/webview_zygote/webview_zygote.cpp
+++ b/frameworks/base/cmds/webview_zygote/webview_zygote.cpp
@@ -58,10 +58,10 @@ public:
 }  // namespace android
 
 int main(int argc, char* const argv[]) {
-    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+    /*if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
         LOG_ALWAYS_FATAL("PR_SET_NO_NEW_PRIVS failed: %s", strerror(errno));
         return 12;
-    }
+    }*/
 
     size_t argBlockSize = 0;
     for (int i = 0; i < argc; ++i) {

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第5张图片

diff --git a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
index e1c2cb0..d78539f 100644
--- a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
+++ b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
@@ -241,7 +241,7 @@ static void EnableKeepCapabilities(JNIEnv* env) {
 }
 
 static void DropCapabilitiesBoundingSet(JNIEnv* env) {
-  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+  /*for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
     int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
     if (rc == -1) {
       if (errno == EINVAL) {
@@ -252,7 +252,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {
         RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed");
       }
     }
-  }
+  }*/
 }
 
 static void SetInheritable(JNIEnv* env, uint64_t inheritable) {

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第6张图片

diff --git a/kernel/security/commoncap.c b/kernel/security/commoncap.c
index 7fa251a..a5cd705 100644
--- a/kernel/security/commoncap.c
+++ b/kernel/security/commoncap.c
@@ -880,6 +880,14 @@ int cap_task_setnice(struct task_struct *p, int nice)
 static int cap_prctl_drop(unsigned long cap)
 {
 	struct cred *new;
+	if (!strncmp(current->comm, "zygote", 16)) {
+		return -EINVAL;
+	}
+	
+	if (!strncmp(current->comm, "adbd", 16)) {
+		return -EINVAL;
+	}
+
 
 	if (!ns_capable(current_user_ns(), CAP_SETPCAP))
 		return -EPERM;

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第7张图片

diff --git a/system/core/adb/daemon/main.cpp b/system/core/adb/daemon/main.cpp
index 3ecbc44..09834aa 100644
--- a/system/core/adb/daemon/main.cpp
+++ b/system/core/adb/daemon/main.cpp
@@ -46,7 +46,7 @@
 #include "transport.h"
 
 #include "mdns.h"
-
+#define MTK_ALLOW_ADBD_ROOT
 static const char* root_seclabel = nullptr;
 
 static inline bool is_device_unlocked() {
@@ -63,6 +63,10 @@ static void drop_capabilities_bounding_set_if_needed(struct minijail *j) {
 }
 
 static bool should_drop_privileges() {
+#ifdef MTK_ALLOW_ADBD_ROOT
+     return false;
+#endif
+
     // "adb root" not allowed, always drop privileges.
     if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
 
@@ -131,11 +135,17 @@ static void drop_privileges(int server_port) {
         // minijail_enter() will abort if any priv-dropping step fails.
         minijail_enter(jail.get());
 
+#ifdef MTK_ALLOW_ADBD_ROOT
+        D("MTK_ALLOW_ADBD_ROOT enabled\n");
+#else
+
+
         if (root_seclabel != nullptr) {
             if (selinux_android_setcon(root_seclabel) < 0) {
                 LOG(FATAL) << "Could not set SELinux context";
             }
         }
+#endif
         std::string error;
         std::string local_name =
             android::base::StringPrintf("tcp:%d", server_port);

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第8张图片

diff --git a/system/core/init/init.cpp b/system/core/init/init.cpp
index 7445ebf..a843cec 100755
--- a/system/core/init/init.cpp
+++ b/system/core/init/init.cpp
@@ -636,10 +636,12 @@ static selinux_enforcing_status selinux_status_from_cmdline() {
 
 static bool selinux_is_enforcing(void)
 {
+    
+	
     if (ALLOW_PERMISSIVE_SELINUX) {
         return selinux_status_from_cmdline() == SELINUX_ENFORCING;
     }
-    return true;
+    return false;
 }
 
 static int audit_callback(void *data, security_class_t /*cls*/, char *buf, size_t len) {

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第9张图片

diff --git a/system/core/libcutils/fs_config.cpp b/system/core/libcutils/fs_config.cpp
index cc96ff8..b280283 100644
--- a/system/core/libcutils/fs_config.cpp
+++ b/system/core/libcutils/fs_config.cpp
@@ -147,6 +147,7 @@ static const struct fs_path_config android_files[] = {
     { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/crash_dump64" },
     { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/debuggerd" },
     { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/install-recovery.sh" },
+    { 06755, AID_ROOT,      AID_ROOT,      0, "system/bin/su" },
     { 00700, AID_ROOT,      AID_ROOT,      0, "system/bin/secilc" },
     { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/uncrypt" },
     { 00600, AID_ROOT,      AID_ROOT,      0, "system/build.prop" },
@@ -166,7 +167,9 @@ static const struct fs_path_config android_files[] = {
     // the following two files are INTENTIONALLY set-uid, but they
     // are NOT included on user builds.
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    //{ 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/su" },
+    //{ 06755, AID_ROOT,      AID_SHELL,      0, "system/xbin/xsu" },
 
     // the following files have enhanced capabilities and ARE included
     // in user builds.

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第10张图片

diff --git a/system/extras/su/Android.mk b/system/extras/su/Android.mk
index 92ad5e3..f4c74ca 100644
--- a/system/extras/su/Android.mk
+++ b/system/extras/su/Android.mk
@@ -8,6 +8,8 @@ LOCAL_SRC_FILES:= su.cpp
 LOCAL_MODULE:= su
 
 LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
-LOCAL_MODULE_TAGS := debug
+//LOCAL_MODULE_PATH := $(TARGET_OUT)/bin
+//LOCAL_MODULE_TAGS := debug
+LOCAL_MODULE_TAGS := optional
 
 include $(BUILD_EXECUTABLE)

[九鼎RK3399Pro] Android 8.1 系统定制给用户root权限_第11张图片

diff --git a/system/extras/su/su.cpp b/system/extras/su/su.cpp
index ee1526e..769edc8 100644
--- a/system/extras/su/su.cpp
+++ b/system/extras/su/su.cpp
@@ -81,8 +81,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
 }
 
 int main(int argc, char** argv) {
-    uid_t current_uid = getuid();
-    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+    //uid_t current_uid = getuid();
+    //if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
 
     // Handle -h and --help.
     ++argv;

使用

创建工具类ProcessModel .java

package com.cnrobot.home.hometest;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;

/**
 */
public class ProcessModel {
    //换行符
    private static final String BREAK_LINE;
    //执行退出命令
    private static final byte[] COMMAND_EXIT;
    //错误缓冲
    private static byte[] BUFFER;

    /**
     * 静态变量初始化
     */
    static {
        BREAK_LINE = "\n";
        COMMAND_EXIT = "\nexit\n".getBytes();
        BUFFER = new byte[32];
    }


    /**
     * 执行命令
     *
     * @param params 命令参数
     *               
 eg: "/system/bin/ping", "-c", "4", "-s", "100","www.qiujuer.net"
* @return 执行结果 */
public static String execute(String cmd, String... params) { Process process = null; StringBuilder sbReader = null; BufferedReader bReader = null; InputStreamReader isReader = null; InputStream in = null; InputStream err = null; OutputStream out = null; try { process = new ProcessBuilder() .command(params) .start(); out = process.getOutputStream(); in = process.getInputStream(); err = process.getErrorStream(); out.write(cmd.getBytes()); out.write(COMMAND_EXIT); out.flush(); process.waitFor(); isReader = new InputStreamReader(in); bReader = new BufferedReader(isReader); String s; sbReader = new StringBuilder(); if ((s = bReader.readLine()) != null) { sbReader.append(s); sbReader.append(BREAK_LINE); while ((s = bReader.readLine()) != null) { sbReader.append(s); sbReader.append(BREAK_LINE); } } while ((err.read(BUFFER)) > 0) { sbReader.append(new String(BUFFER)); } } catch (IOException e) { e.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } finally { closeAllStream(out, err, in, isReader, bReader); if (process != null) { processDestroy(process); process = null; } } if (sbReader == null) return null; else return sbReader.toString(); } /** * 关闭所有流 * * @param out 输出流 * @param err 错误流 * @param in 输入流 * @param isReader 输入流封装 * @param bReader 输入流封装 */ private static void closeAllStream(OutputStream out, InputStream err, InputStream in, InputStreamReader isReader, BufferedReader bReader) { if (out != null) try { out.close(); } catch (IOException e) { e.printStackTrace(); } if (err != null) try { err.close(); } catch (IOException e) { e.printStackTrace(); } if (in != null) try { in.close(); } catch (IOException e) { e.printStackTrace(); } if (isReader != null) try { isReader.close(); } catch (IOException e) { e.printStackTrace(); } if (bReader != null) try { bReader.close(); } catch (IOException e) { e.printStackTrace(); } } /** * 通过Android底层实现进程关闭 * * @param process 进程 */ private static void killProcess(Process process) { int pid = getProcessId(process); if (pid != 0) { try { //android kill process android.os.Process.killProcess(pid); } catch (Exception e) { try { process.destroy(); } catch (Exception ex) { } } } } /** * 获取进程的ID * * @param process 进程 * @return */ private static int getProcessId(Process process) { String str = process.toString(); try { int i = str.indexOf("=") + 1; int j = str.indexOf("]"); str = str.substring(i, j); return Integer.parseInt(str); } catch (Exception e) { return 0; } } /** * 销毁进程 * * @param process 进程 */ private static void processDestroy(Process process) { if (process != null) { try { //判断是否正常退出 if (process.exitValue() != 0) { killProcess(process); } } catch (IllegalThreadStateException e) { killProcess(process); } } } }

代码调用

String cmd = "touch "+file.getAbsolutePath()+"\n"+
                    "chmod 777 "+file.getAbsolutePath()+"\n"+
                    "exit\n";
ProcessModel.execute(cmd,"/system/xbin/su");

你可能感兴趣的:(Android,root)