由于有些APP需要获取root权限,需要对系统源码做如下修改:
diff --git a/build/core/main.mk b/build/core/main.mk
index e3fb6fb..0bb9ef2 100644
--- a/build/core/main.mk
+++ b/build/core/main.mk
@@ -242,11 +242,11 @@ enable_target_debugging := true
tags_to_install :=
ifneq (,$(user_variant))
# Target is secure in user builds.
- ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
ifeq ($(user_variant),user)
- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
endif
ifeq ($(user_variant),userdebug)
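Review bot: The two flipped properties sit under `ifneq (,$(user_variant))`, so every user-variant image now ships with `ro.secure=0` and plain user builds also get `ro.adb.secure=0`, which makes the comment `# Target is secure in user builds.` false. The same applies to the next hunk, where commenting out `enable_target_debugging :=` leaves `# Disable debugging in plain user builds.` describing something the build no longer does. I would put both changes behind one explicit opt-in make variable that only the product needing root sets, and reword the comments to say the image is intentionally rooted and not meant for release. The enclosing conditional starts and ends outside both hunks.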
@@ -254,7 +254,7 @@ ifneq (,$(user_variant))
tags_to_install += debug
else
# Disable debugging in plain user builds.
- enable_target_debugging :=
+ # enable_target_debugging :=
endif
# Disallow mock locations by default for user builds
diff --git a/build/target/product/core.mk b/build/target/product/core.mk
index a2b0f1c..17a5766 100644
--- a/build/target/product/core.mk
+++ b/build/target/product/core.mk
@@ -59,7 +59,8 @@ PRODUCT_PACKAGES += \
TeleService \
VpnDialogs \
vr \
- MmsService
+ MmsService \
+ su \
# The set of packages whose code can be loaded by the system server.
PRODUCT_SYSTEM_SERVER_APPS += \
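Review bot: The added `su \` ends the package list with a line continuation, so the list now runs into whatever line follows it; write the last entry as plain `su` so a later edit cannot silently join another line into PRODUCT_PACKAGES. This file also looks like a shared product definition, so the change installs su on every product that inherits it rather than only on the device that needs it; a device-level product makefile would be the narrower place. The list itself starts outside the hunk.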
diff --git a/device/rockchip/common/system.prop b/device/rockchip/common/system.prop
index 519f233..5d0cb46 100755
--- a/device/rockchip/common/system.prop
+++ b/device/rockchip/common/system.prop
@@ -45,7 +45,7 @@ ro.factory.tool=0
ro.kernel.android.checkjni=0
#set default lcd density to Rockchip tablet
ro.sf.lcd_density=160
-ro.adb.secure =0
+ro.adb.secure =1
#force camera API 1
camera2.portability.force_api=1
#set wifi contry code
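Review bot: This hunk sets `ro.adb.secure =1` while the build/core/main.mk hunk in the same patch sets `ro.adb.secure=0` for user builds, so the patch asks for both values and the effective one depends on which property file is loaded first. Decide which is intended and set it in one place; if ADB authentication is meant to stay on, which is the safer choice for an image that also keeps adbd as root, revert the main.mk line instead. The space before `=` is inherited from the old line and is worth removing (`ro.adb.secure=1`) while the line is being touched.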
diff --git a/frameworks/base/cmds/webview_zygote/webview_zygote.cpp b/frameworks/base/cmds/webview_zygote/webview_zygote.cpp
index 88fee64..1d9830d 100644
--- a/frameworks/base/cmds/webview_zygote/webview_zygote.cpp
+++ b/frameworks/base/cmds/webview_zygote/webview_zygote.cpp
@@ -58,10 +58,10 @@ public:
} // namespace android
int main(int argc, char* const argv[]) {
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+ /*if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
LOG_ALWAYS_FATAL("PR_SET_NO_NEW_PRIVS failed: %s", strerror(errno));
return 12;
- }
+ }*/
size_t argBlockSize = 0;
for (int i = 0; i < argc; ++i) {
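Review bot: Commenting out the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` call removes the no-new-privileges guarantee from the WebView zygote and, presumably, from the renderer processes forked from it, which handle web content. Together with the set-uid su added elsewhere in this patch, code in those processes is no longer prevented from gaining privileges through exec. Nothing visible in the patch shows that an app asking for root needs this process changed, so I would restore the check. If it has to go, delete it and leave a comment giving the reason rather than keeping it inside `/* */`. main() continues outside the hunk.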
diff --git a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
index e1c2cb0..d78539f 100644
--- a/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
+++ b/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
@@ -241,7 +241,7 @@ static void EnableKeepCapabilities(JNIEnv* env) {
}
static void DropCapabilitiesBoundingSet(JNIEnv* env) {
- for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
+ /*for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
if (rc == -1) {
if (errno == EINVAL) {
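Review bot: Wrapping the whole loop in `/* ... */` (closed in the next hunk) turns DropCapabilitiesBoundingSet into an empty function, so every process forked through this path keeps the full capability bounding set, not only the app that needs root. That widens what any set-uid or file-capability binary can hand to an ordinary app process. If the goal is only to let su work, keep the loop and skip it under a build-time switch that release builds leave off. At minimum, replace the commented-out body with a short comment such as `// Bounding set intentionally kept: rooted engineering build.` so the empty function is not mistaken for an accident.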
@@ -252,7 +252,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {
RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed");
}
}
- }
+ }*/
}
static void SetInheritable(JNIEnv* env, uint64_t inheritable) {
diff --git a/kernel/security/commoncap.c b/kernel/security/commoncap.c
index 7fa251a..a5cd705 100644
--- a/kernel/security/commoncap.c
+++ b/kernel/security/commoncap.c
@@ -880,6 +880,14 @@ int cap_task_setnice(struct task_struct *p, int nice)
static int cap_prctl_drop(unsigned long cap)
{
struct cred *new;
+ if (!strncmp(current->comm, "zygote", 16)) {
+ return -EINVAL;
+ }
+
+ if (!strncmp(current->comm, "adbd", 16)) {
+ return -EINVAL;
+ }
+
if (!ns_capable(current_user_ns(), CAP_SETPCAP))
return -EPERM;
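Review bot: The new checks identify the caller by `current->comm`, which is a name the process chooses rather than an identity, so any task named "zygote" or "adbd" gets `-EINVAL` from cap_prctl_drop, and they run before the `ns_capable(current_user_ns(), CAP_SETPCAP)` permission check. The comparison is also an exact match, so a task whose name only starts with `zygote` is not covered, which suggests the check does not do what was intended. The Zygote.cpp hunks in this patch already stop zygote from dropping the bounding set, so the kernel change looks redundant and I would drop it. If it stays, move it below the permission check, use `TASK_COMM_LEN` instead of the literal `16`, and put it behind a kernel config option that release builds leave off. The function continues outside the hunk.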
diff --git a/system/core/adb/daemon/main.cpp b/system/core/adb/daemon/main.cpp
index 3ecbc44..09834aa 100644
--- a/system/core/adb/daemon/main.cpp
+++ b/system/core/adb/daemon/main.cpp
@@ -46,7 +46,7 @@
#include "transport.h"
#include "mdns.h"
-
+#define MTK_ALLOW_ADBD_ROOT
static const char* root_seclabel = nullptr;
static inline bool is_device_unlocked() {
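Review bot: `#define MTK_ALLOW_ADBD_ROOT` is hard-coded in the source file, so the `return false;` it enables in should_drop_privileges() (next hunk) makes adbd keep root on every build of this tree. It also leaves the rest of that function unreachable, including the `ALLOW_ADBD_ROOT` and `is_device_unlocked()` checks. Pass the macro from the build system for the one product that needs it and remove the in-file define, so a release build still drops privileges. A one-line comment where the macro is tested, saying what it disables, would also help.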
@@ -63,6 +63,10 @@ static void drop_capabilities_bounding_set_if_needed(struct minijail *j) {
}
static bool should_drop_privileges() {
+#ifdef MTK_ALLOW_ADBD_ROOT
+ return false;
+#endif
+
// "adb root" not allowed, always drop privileges.
if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
@@ -131,11 +135,17 @@ static void drop_privileges(int server_port) {
// minijail_enter() will abort if any priv-dropping step fails.
minijail_enter(jail.get());
+#ifdef MTK_ALLOW_ADBD_ROOT
+ D("MTK_ALLOW_ADBD_ROOT enabled\n");
+#else
+
+
if (root_seclabel != nullptr) {
if (selinux_android_setcon(root_seclabel) < 0) {
LOG(FATAL) << "Could not set SELinux context";
}
}
+#endif
std::string error;
std::string local_name =
android::base::StringPrintf("tcp:%d", server_port);
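Review bot: With the macro defined, the `selinux_android_setcon(root_seclabel)` transition is compiled out and replaced by a debug log, so adbd presumably stays in the SELinux context it started in; that only goes unnoticed because the init.cpp hunk also turns enforcement off. If enforcement is ever restored this path needs the transition back, so I would leave the `setcon` block unconditional and drop the `#ifdef` here. The two blank lines added after `#else` can go. drop_privileges() starts and ends outside the hunk.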
diff --git a/system/core/init/init.cpp b/system/core/init/init.cpp
index 7445ebf..a843cec 100755
--- a/system/core/init/init.cpp
+++ b/system/core/init/init.cpp
@@ -636,10 +636,12 @@ static selinux_enforcing_status selinux_status_from_cmdline() {
static bool selinux_is_enforcing(void)
{
+
+
if (ALLOW_PERMISSIVE_SELINUX) {
return selinux_status_from_cmdline() == SELINUX_ENFORCING;
}
- return true;
+ return false;
}
static int audit_callback(void *data, security_class_t /*cls*/, char *buf, size_t len) {
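Review bot: Changing the fallback to `return false;` makes selinux_is_enforcing() report permissive whenever `ALLOW_PERMISSIVE_SELINUX` is off, which by its name is the configuration meant to always enforce, so the whole device loses mandatory access control for the sake of one binary. A narrower route is to keep `return true;` and grant the su domain what it needs in policy, or to use the existing `selinux_status_from_cmdline()` branch on development units only. The two blank lines added at the top of the function are noise. If the change stays, it needs a comment such as `// Rooted engineering image: SELinux forced permissive, not for release.`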
diff --git a/system/core/libcutils/fs_config.cpp b/system/core/libcutils/fs_config.cpp
index cc96ff8..b280283 100644
--- a/system/core/libcutils/fs_config.cpp
+++ b/system/core/libcutils/fs_config.cpp
@@ -147,6 +147,7 @@ static const struct fs_path_config android_files[] = {
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin/crash_dump64" },
{ 00755, AID_ROOT, AID_SHELL, 0, "system/bin/debuggerd" },
{ 00750, AID_ROOT, AID_ROOT, 0, "system/bin/install-recovery.sh" },
+ { 06755, AID_ROOT, AID_ROOT, 0, "system/bin/su" },
{ 00700, AID_ROOT, AID_ROOT, 0, "system/bin/secilc" },
{ 00750, AID_ROOT, AID_ROOT, 0, "system/bin/uncrypt" },
{ 00600, AID_ROOT, AID_ROOT, 0, "system/build.prop" },
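Review bot: The new `system/bin/su` entry, and the rewritten `system/xbin/su` entry in the next hunk, use mode `06755` root:root, i.e. set-uid and set-gid root and executable by every uid, where the old entry was `04750` root:shell. With the uid check in su.cpp also removed by this patch, nothing visible limits who can run the binary. Keeping `04750` with a dedicated group for the apps that need root would preserve a gate. The comment `are NOT included on user builds` in the next hunk is no longer accurate, and the commented-out `//{ ... }` entries should be deleted rather than left in the table.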
@@ -166,7 +167,9 @@ static const struct fs_path_config android_files[] = {
// the following two files are INTENTIONALLY set-uid, but they
// are NOT included on user builds.
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ //{ 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" },
+ //{ 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/xsu" },
// the following files have enhanced capabilities and ARE included
// in user builds.
diff --git a/system/extras/su/Android.mk b/system/extras/su/Android.mk
index 92ad5e3..f4c74ca 100644
--- a/system/extras/su/Android.mk
+++ b/system/extras/su/Android.mk
@@ -8,6 +8,8 @@ LOCAL_SRC_FILES:= su.cpp
LOCAL_MODULE:= su
LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
-LOCAL_MODULE_TAGS := debug
+//LOCAL_MODULE_PATH := $(TARGET_OUT)/bin
+//LOCAL_MODULE_TAGS := debug
+LOCAL_MODULE_TAGS := optional
include $(BUILD_EXECUTABLE)
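Review bot: `//` does not start a comment in a makefile, so `//LOCAL_MODULE_PATH := $(TARGET_OUT)/bin` and `//LOCAL_MODULE_TAGS := debug` are parsed as assignments to oddly named variables rather than being ignored. Use `#` (for example `# LOCAL_MODULE_TAGS := debug`) or simply delete the two lines. Changing the tag from `debug` to `optional` is what allows the module to be pulled into non-debug builds through PRODUCT_PACKAGES, and that deserves a one-line comment here.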
diff --git a/system/extras/su/su.cpp b/system/extras/su/su.cpp
index ee1526e..769edc8 100644
--- a/system/extras/su/su.cpp
+++ b/system/extras/su/su.cpp
@@ -81,8 +81,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
}
int main(int argc, char** argv) {
- uid_t current_uid = getuid();
- if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+ //uid_t current_uid = getuid();
+ //if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
// Handle -h and --help.
++argv;
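Review bot: Commenting out the `getuid()` check removes the only caller restriction visible in main(), so together with the world-executable set-uid mode from fs_config.cpp any uid on the device can obtain root. Rather than deleting the gate, extend it to the specific uids that need root, along the lines of `if (current_uid != AID_ROOT && current_uid != AID_SHELL && !is_allowed_uid(current_uid)) error(1, 0, "not allowed");`, where `is_allowed_uid` is a placeholder for a small allowlist helper. The commented-out lines should be removed rather than kept. main() continues outside the hunk.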
package com.cnrobot.home.hometest;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
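/**
 * Starts an external program, writes a command script to its standard input and
 * returns everything the program printed.
 *
 * <p>Security note: the text passed as {@code cmd} is interpreted by the program that
 * is started (a root shell in the usage shown on this page). Never build it from
 * untrusted input, and quote every path or argument that is spliced into it.
 */
public class ProcessModel {
    // Line separator appended after every captured line of standard output.
    private static final String BREAK_LINE = "\n";
    // Written after the caller's script so that an interactive shell terminates.
    private static final byte[] COMMAND_EXIT = "\nexit\n".getBytes();

    /**
     * Runs a program and feeds it a script on standard input.
     *
     * @param cmd    text written to the program's standard input, followed by "\nexit\n"
     * @param params the program to start and its arguments,
     *               eg: "/system/bin/ping", "-c", "4", "-s", "100","www.qiujuer.net"
     * @return standard output (one "\n" after each line) followed by standard error,
     *         or {@code null} if the program could not be started or written to
     */
    public static String execute(String cmd, String... params) {
        Process process = null;
        StringBuilder sbReader = null;
        BufferedReader bReader = null;
        InputStreamReader isReader = null;
        InputStream in = null;
        InputStream err = null;
        OutputStream out = null;
        try {
            process = new ProcessBuilder()
                    .command(params)
                    .start();
            out = process.getOutputStream();
            in = process.getInputStream();
            err = process.getErrorStream();

            // Drain stderr concurrently: a child that fills the stderr pipe while we
            // are still reading stdout would otherwise block forever.
            final StringBuilder errText = new StringBuilder();
            Thread errDrainer = drainAsync(err, errText);

            out.write(cmd.getBytes());
            out.write(COMMAND_EXIT);
            out.flush();

            // Read stdout BEFORE waiting for exit. Waiting first deadlocks as soon as
            // the child prints more than the pipe buffer can hold.
            isReader = new InputStreamReader(in);
            bReader = new BufferedReader(isReader);
            sbReader = new StringBuilder();
            String s;
            while ((s = bReader.readLine()) != null) {
                sbReader.append(s);
                sbReader.append(BREAK_LINE);
            }

            process.waitFor();
            // join() makes the drainer's writes to errText visible to this thread.
            errDrainer.join();
            sbReader.append(errText);
        } catch (InterruptedException e) {
            // Keep the interrupt visible to the caller instead of swallowing it.
            Thread.currentThread().interrupt();
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            closeAllStream(out, err, in, isReader, bReader);
            if (process != null) {
                processDestroy(process);
            }
        }
        if (sbReader == null)
            return null;
        else
            return sbReader.toString();
    }

    /**
     * Copies everything readable from {@code stream} into {@code sink} on a daemon thread.
     *
     * @param stream stream to drain; closing it elsewhere ends the thread
     * @param sink   receives the decoded text; read it only after joining the thread
     * @return the started thread
     */
    private static Thread drainAsync(final InputStream stream, final StringBuilder sink) {
        Thread drainer = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    InputStreamReader reader = new InputStreamReader(stream);
                    char[] chunk = new char[256];
                    int n;
                    // Append only the characters actually read; appending the whole
                    // buffer would add stale data from earlier reads.
                    while ((n = reader.read(chunk)) > 0) {
                        sink.append(chunk, 0, n);
                    }
                } catch (IOException e) {
                    // The stream was closed during cleanup; nothing more to read.
                }
            }
        });
        drainer.setDaemon(true);
        drainer.start();
        return drainer;
    }

    /**
     * Closes all streams, ignoring those that are {@code null}.
     *
     * @param out      stream connected to the child's standard input
     * @param err      the child's standard error
     * @param in       the child's standard output
     * @param isReader reader wrapping {@code in}
     * @param bReader  buffered reader wrapping {@code isReader}
     */
    private static void closeAllStream(OutputStream out, InputStream err, InputStream in, InputStreamReader isReader, BufferedReader bReader) {
        closeQuietly(out);
        closeQuietly(err);
        closeQuietly(in);
        closeQuietly(isReader);
        closeQuietly(bReader);
    }

    /** Closes one resource, printing (not propagating) any I/O error. */
    private static void closeQuietly(java.io.Closeable resource) {
        if (resource == null) {
            return;
        }
        try {
            resource.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * Terminates the child process.
     *
     * <p>The Android kill-by-pid call is tried first when a pid could be parsed.
     * {@link Process#destroy()} is then always called as well, so the child is
     * still cleaned up when the pid is unknown or the kill had no effect.
     *
     * @param process the child process
     */
    private static void killProcess(Process process) {
        int pid = getProcessId(process);
        if (pid != 0) {
            try {
                //android kill process
                android.os.Process.killProcess(pid);
            } catch (Exception e) {
                // Fall through to destroy() below.
            }
        }
        try {
            process.destroy();
        } catch (Exception ex) {
            // Best effort: there is nothing further to do if destroy() fails.
        }
    }

    /**
     * Extracts the process id from {@code process.toString()}.
     *
     * <p>Parses the text between the first "=" and the first "]" as an integer, so it
     * depends on the runtime's toString() format.
     *
     * @param process the child process
     * @return the parsed pid, or 0 when the text cannot be parsed
     */
    private static int getProcessId(Process process) {
        String str = process.toString();
        try {
            int i = str.indexOf("=") + 1;
            int j = str.indexOf("]");
            str = str.substring(i, j);
            return Integer.parseInt(str);
        } catch (Exception e) {
            return 0;
        }
    }

    /**
     * Destroys the child unless it has already exited with status 0.
     *
     * @param process the child process
     */
    private static void processDestroy(Process process) {
        if (process != null) {
            try {
                // A non-zero exit status is treated as abnormal termination.
                if (process.exitValue() != 0) {
                    killProcess(process);
                }
            } catch (IllegalThreadStateException e) {
                // exitValue() throws while the child is still running.
                killProcess(process);
            }
        }
    }
}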
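// The script below is interpreted by a root shell, so the path is wrapped in single
// quotes (embedded quotes escaped as '\'') to keep spaces or shell metacharacters in
// the file name from being read as extra commands.
String quotedPath = "'" + file.getAbsolutePath().replace("'", "'\\''") + "'";
// NOTE(review): mode 777 makes a root-created file readable and writable by every app
// on the device; prefer the narrowest mode that still lets the intended app use it.
String cmd = "touch " + quotedPath + "\n" +
        "chmod 777 " + quotedPath + "\n" +
        "exit\n";
// execute() writes the script to the stdin of the program named by the second argument.
ProcessModel.execute(cmd, "/system/xbin/su");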