modified:device/qcom/qssi/BoardConfig.mk
modified:device/qcom/trinket/BoardConfig.mk
modified:system/core/init/Android.bp
modified:system/core/init/Android.mk
modified:system/core/init/selinux.cpp
modified:system/core/fs_mgr/Android.bp
modified:system/core/adb/Android.bp
modified:system/core/adb/daemon/main.cpp
modified:system/sepolicy/Android.mk
modified:build/core/main.mk
modified:system/sepolicy/definitions.mk
modified:device/qcom/sepolicy/Android.mk
由于 sm6125 对应的是 qssi 和 trinket,所以需要修改 qssi 和 trinket 下面的 BoardConfig.mk 中的 BOARD_KERNEL_CMDLINE
1、BOARD_KERNEL_CMDLINE默认添加androidboot.selinux=permissive
device/qcom/qssi/BoardConfig.mk
diff --git a/BoardConfig.mk b/BoardConfig.mk
index 3fbc788..03a8e16 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -98,7 +98,7 @@ endif
TARGET_USES_ION := true
TARGET_USES_NEW_ION_API :=true
TARGET_USES_QCOM_BSP := false
-BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xa90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 androidboot.usbcontroller=a600000.dwc3
+BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xa90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 androidboot.usbcontroller=a600000.dwc3 androidboot.selinux=permissive
BOARD_EGL_CFG := device/qcom/$(TARGET_BOARD_PLATFORM)/egl.cfg
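Review bot: The `androidboot.selinux=permissive` token added to the `BOARD_KERNEL_CMDLINE :=` line is unconditional, so every image built from this board config, `user` builds included, boots with SELinux permissive by default. If this is meant for a debug or bring-up image, leave the base line as it was and append under a guard: `ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))`, then `BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive`, then `endif`. The trinket BoardConfig.mk hunk has the same problem and appends the token to both the `user` and the non-`user` copy of the command line. That hunk's header shows it sits inside an `ifeq (FACTORY, $(LCT_BUILD_TYPE))` block, which looks like the natural place for the override.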
2、BOARD_KERNEL_CMDLINE默认添加androidboot.selinux=permissive
device/qcom/trinket/BoardConfig.mk
diff --git a/BoardConfig.mk b/BoardConfig.mk
index e041c85..76b76a4 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -223,9 +223,9 @@ ifeq (FACTORY, $(LCT_BUILD_TYPE))
else
ifeq (user, $(TARGET_BUILD_VARIANT))
- BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket
+ BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket androidboot.selinux=permissive
else
- BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,printk.devkmsg=on,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket
+ BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,printk.devkmsg=on,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket androidboot.selinux=permissive
endif
endif
3、修改 SELinux权限为 Permissive
SELinux 常用状态有两个 Permissive 和 Enforcing,通过 adb shell getenforce 可查看当前所处模式
Android 10.0 中相关逻辑改到了 selinux.cpp 中
3.1 system/core/init/Android.bp
diff --git a/init/Android.bp b/init/Android.bp
index 6be7290..189ddd6 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -26,11 +26,11 @@ cc_defaults {
"-Wextra",
"-Wno-unused-parameter",
"-Werror",
- "-DALLOW_LOCAL_PROP_OVERRIDE=0",
- "-DALLOW_PERMISSIVE_SELINUX=0",
- "-DREBOOT_BOOTLOADER_ON_PANIC=0",
- "-DWORLD_WRITABLE_KMSG=0",
- "-DDUMP_ON_UMOUNT_FAILURE=0",
+ "-DALLOW_LOCAL_PROP_OVERRIDE=1",
+ "-DALLOW_PERMISSIVE_SELINUX=1",
+ "-DREBOOT_BOOTLOADER_ON_PANIC=1",
+ "-DWORLD_WRITABLE_KMSG=1",
+ "-DDUMP_ON_UMOUNT_FAILURE=1",
"-DSHUTDOWN_ZERO_TIMEOUT=0",
],
product_variables: {
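Review bot: The `cc_defaults` cflags flip five switches, not only `ALLOW_PERMISSIVE_SELINUX`: `ALLOW_LOCAL_PROP_OVERRIDE`, `REBOOT_BOOTLOADER_ON_PANIC`, `WORLD_WRITABLE_KMSG` and `DUMP_ON_UMOUNT_FAILURE` are also set to 1 for every variant, and the step description gives no reason for them. Changing the base defaults erases the distinction that the `product_variables:` block after the list presumably makes for debuggable builds (its body is outside the hunk). Keep the four unrelated defines at `=0` and change only the one this step needs, with a comment such as `// permissive allowed on all variants for bring-up only`.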
3.2 system/core/init/Android.mk
diff --git a/init/Android.mk b/init/Android.mk
index cca57a9..494c654 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -6,7 +6,7 @@ LOCAL_PATH:= $(call my-dir)
# --
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
init_options += \
-DALLOW_LOCAL_PROP_OVERRIDE=1 \
-DALLOW_PERMISSIVE_SELINUX=1 \
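Review bot: `$(filter user userdebug eng,$(TARGET_BUILD_VARIANT))` names every build variant, so the `ifneq` is always true and only hides the fact that `init_options` is now unconditional. Either remove the conditional and say so in a comment, or keep the original `userdebug eng` filter and enable the debug behaviour through a dedicated opt-in variable (placeholder name: `ifeq ($(BOARD_ALLOW_DEBUG_ON_USER),true)`), so that a release `user` build cannot pick it up by accident. The same always-true filter is introduced in the system/sepolicy/Android.mk hunk for `file_contexts_overlayfs` and in both device/qcom/sepolicy/Android.mk hunks, where it adds the `vendor/test` policy directories to `user` builds. The `init_options` list continues past the end of this hunk.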
3.3 system/core/init/selinux.cpp
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 86238b4..9cd3f1e 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -97,10 +97,12 @@ EnforcingStatus StatusFromCmdline() {
}
bool IsEnforcing() {
+ return false;
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
return true;
+
}
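Review bot: The `return false;` added as the first statement of `IsEnforcing()` makes the rest of the body unreachable, so neither `ALLOW_PERMISSIVE_SELINUX` nor the `androidboot.selinux=` command-line value is consulted and the image can no longer be booted enforcing. With `ALLOW_PERMISSIVE_SELINUX=1` and `androidboot.selinux=permissive` already set by the earlier steps, the original body should return false for the intended image anyway (`StatusFromCmdline()` is outside the hunk, so this is inferred). The line is therefore redundant and only removes the ability to switch back from the command line. I would drop the `return false;` and the stray blank line added before the closing brace.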
4、解锁 fastboot,并关闭 verity(按需操作)
4.1 system/core/adb/Android.bp
diff --git a/adb/Android.bp b/adb/Android.bp
index 01e00dd..b6b117c 100644
--- a/adb/Android.bp
+++ b/adb/Android.bp
@@ -24,7 +24,7 @@ cc_defaults {
"-Wno-missing-field-initializers",
"-Wthread-safety",
"-Wvla",
"-DADB_HOST=1", // overridden by adbd_defaults
- "-DALLOW_ADBD_ROOT=0", // overridden by adbd_defaults
+ "-DALLOW_ADBD_ROOT=1", // overridden by adbd_defaults
],
cpp_std: "experimental",
@@ -76,7 +76,14 @@ cc_defaults {
name: "adbd_defaults",
defaults: ["adb_defaults"],
- cflags: ["-UADB_HOST", "-DADB_HOST=0"],
+ cflags: [
+ "-UADB_HOST",
+ "-DADB_HOST=0"
+ "-UALLOW_ADBD_ROOT",
+ "-DALLOW_ADBD_ROOT=1",
+ "-DALLOW_ADBD_DISABLE_VERITY",
+ "-DALLOW_ADBD_NO_AUTH",
+ ],
product_variables: {
debuggable: {
cflags: [
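Review bot: In the new `cflags` list the entry `"-DADB_HOST=0"` has no trailing comma before `"-UALLOW_ADBD_ROOT",`, so the list as written is not valid Blueprint and the file will fail to parse; it should read `"-DADB_HOST=0",` (the consolidated patch further down the page has the comma). `-DALLOW_ADBD_DISABLE_VERITY` and `-DALLOW_ADBD_NO_AUTH` are added without a value while the fs_mgr hunks write `=1`; spelling out `=1` keeps the defines consistent. Because this list already undefines and redefines `ALLOW_ADBD_ROOT`, the change to `-DALLOW_ADBD_ROOT=1` in the previous hunk looks unnecessary for adbd.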
@@ -403,6 +410,8 @@ cc_library {
"libcutils",
"liblog",
],
+
+ required: [ "remount",],
product_variables: {
debuggable: {
4.2 system/core/adb/daemon/main.cpp
diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp
index e5a4917..5f8de1b 100644
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@@ -63,6 +63,7 @@ static inline bool is_device_unlocked() {
}
static bool should_drop_capabilities_bounding_set() {
+ return false;
if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
if (__android_log_is_debuggable()) {
return false;
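Review bot: `return false;` at the top of `should_drop_capabilities_bounding_set()` bypasses the `ALLOW_ADBD_ROOT`, `is_device_unlocked()` and `__android_log_is_debuggable()` checks, so adbd keeps its full capability bounding set on every build regardless of lock state. The next hunk does the same in `should_drop_privileges()`, directly under the comment `// "adb root" not allowed, always drop privileges.`, which now describes the opposite of what the code does. This patch set already forces `ALLOW_ADBD_ROOT=1`, `ro.secure=0` and `ro.debuggable=1`, so the existing logic should reach the same result for the intended image. Prefer removing both early returns so the property checks still decide. Both function bodies continue outside their hunks.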
@@ -73,6 +74,7 @@ static bool should_drop_capabilities_bounding_set() {
static bool should_drop_privileges() {
// "adb root" not allowed, always drop privileges.
+ return false;
if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
// The properties that affect `adb root` and `adb unroot` are ro.secure and
5、修改 adb root 权限。user 和 userdebug 的区别在于 remount 时走的代码路径不一样,userdebug remount 时打印的日志来自 system/core/fs_mgr/fs_mgr_remount.cpp
diff --git a/fs_mgr/Android.bp b/fs_mgr/Android.bp
index 4ee9624..ebaa390 100644
--- a/fs_mgr/Android.bp
+++ b/fs_mgr/Android.bp
@@ -75,7 +75,8 @@ cc_library {
"libfstab",
],
cppflags: [
- "-DALLOW_ADBD_DISABLE_VERITY=0",
+ "-UALLOW_ADBD_DISABLE_VERITY",
+ "-DALLOW_ADBD_DISABLE_VERITY=1",
],
product_variables: {
debuggable: {
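Review bot: `-DALLOW_ADBD_DISABLE_VERITY=1` in the base `cppflags` of this `cc_library`, and of the `cc_binary` in the next hunk, enables the verity-disable path for all variants, so on a `user` image dm-verity can be switched off over adb. It also makes whatever the `debuggable:` block below sets for this define redundant (that block is cut off by the hunk). The `-UALLOW_ADBD_DISABLE_VERITY` in front of it has nothing to undefine in this list, since the only earlier definition was the line being removed. For a bring-up image, leave the base value at `=0` and rely on the `debuggable` block; otherwise add a comment stating that the base default is intentionally 1.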
@@ -132,7 +133,8 @@ cc_binary {
"fs_mgr_remount.cpp",
],
cppflags: [
- "-DALLOW_ADBD_DISABLE_VERITY=0",
+ "-UALLOW_ADBD_DISABLE_VERITY",
+ "-DALLOW_ADBD_DISABLE_VERITY=1",
],
product_variables: {
debuggable: {
6、user 版本启用 overlayfs 来装载 remount 对应分区;user 版本不允许 permissive domains
system/sepolicy/Android.mk
diff --git a/Android.mk b/Android.mk
index dadd7b0..24278d5 100644
--- a/Android.mk
+++ b/Android.mk
@@ -309,7 +309,7 @@ LOCAL_REQUIRED_MODULES += \
endif
-ifneq ($(TARGET_BUILD_VARIANT), user)
+ifneq ($(TARGET_BUILD_VARIANT), eng)
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
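Review bot: Replacing `user` with `eng` in `ifneq ($(TARGET_BUILD_VARIANT), eng)` does more than extend the block to `user` builds: it also removes `selinux_denial_metadata` from `eng` builds, which previously had it. The hunk at line 1166 makes the matching change around the module definition, so `eng` loses the module entirely. If the goal is to have it on every variant, delete the `ifneq`/`endif` pair in both places instead of inverting the comparison. The `LOCAL_REQUIRED_MODULES` list continues past the hunk.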
@@ -978,7 +978,7 @@ $(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o [email protected] -f /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze [email protected] permissive > [email protected]
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s [email protected] ]; then \
+ $(hide) if [ "eng" = "user" -a -s [email protected] ]; then \
echo "==========" 1>&2; \
echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
echo "List of invalid domains:" 1>&2; \
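Review bot: The test `[ "eng" = "user" -a -s ... ]` compares two string literals and can never be true, so the "permissive domains not allowed in user builds" check becomes dead shell code that still reads like a guard. The same edit is repeated in the recovery policy rule in the hunk at line 1032. Keep `$(TARGET_BUILD_VARIANT)` in the test and make the bypass explicit and opt-in, for example by wrapping the check in a make conditional on a clearly named variable (placeholder: `ALLOW_PERMISSIVE_DOMAINS_IN_USER`), with a comment explaining why this build accepts permissive domains. The `if` body continues outside the hunk.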
@@ -1032,7 +1032,7 @@ $(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpo
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
$(POLICYVERS) -o [email protected] $<
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze [email protected] permissive > [email protected]
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s [email protected] ]; then \
+ $(hide) if [ "eng" = "user" -a -s [email protected] ]; then \
echo "==========" 1>&2; \
echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
echo "List of invalid domains:" 1>&2; \
@@ -1104,7 +1104,7 @@ endif
ifneq ($(filter address,$(SANITIZE_TARGET)),)
local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
ifeq ($(TARGET_FLATTEN_APEX),true)
@@ -1166,7 +1166,7 @@ file_contexts.device.tmp :=
file_contexts.local.tmp :=
##################################
-ifneq ($(TARGET_BUILD_VARIANT), user)
+ifneq ($(TARGET_BUILD_VARIANT), eng)
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
system/sepolicy/definitions.mk
diff --git a/definitions.mk b/definitions.mk
index 16c8bd6..d64ea4c 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -4,7 +4,7 @@ define transform-policy-to-conf
@mkdir -p $(dir $@)
$(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
+ -D target_build_variant=eng \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
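Review bot: Hard-coding `-D target_build_variant=eng` in `transform-policy-to-conf` ignores `PRIVATE_TARGET_BUILD_VARIANT` for every policy file that goes through this macro, so all policy conditioned on that m4 variable is compiled as for an `eng` build, on `user` images as well. That is much broader than the overlayfs/remount rules this step is about, and the now-unused `PRIVATE_TARGET_BUILD_VARIANT` becomes misleading at the call sites. Prefer keeping `-D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \` and adding only the specific rules that are needed. If the edit stays, put a comment above the line recording that the variant is forced and why. The macro body continues past the hunk.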
7、打开 USB 调试时默认授权,不再弹授权框,并打开 debug
build/core/main.mk
diff --git a/core/main.mk b/core/main.mk
index c2206db..bc2996d 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -293,7 +293,7 @@ ifneq (,$(user_variant))
ifeq (FACTORY, $(LCT_BUILD_TYPE))
ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
else
- ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
endif
#add NHK-M528-A01-137 -factory open root default modify by mafei 20191021-end
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
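Review bot: After this change both branches of `ifeq (FACTORY, $(LCT_BUILD_TYPE))` append `ro.secure=0`, so the conditional no longer distinguishes factory builds from regular `user` builds; the hunks at lines 304 and 341 do the same for `ro.adb.secure=0` and `ro.debuggable=1`. A non-factory `user` image then ships debuggable and with adb authorization off, which the factory guard appears to have been added to prevent. For an internal image, building with `LCT_BUILD_TYPE` set to `FACTORY` already yields exactly these three values without editing the `else` branches. If the edit stays, collapse each `ifeq`/`else`/`endif` to the single assignment and update the `NHK-M528-A01-137` comment to match.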
@@ -304,7 +304,7 @@ ifneq (,$(user_variant))
ifeq (FACTORY, $(LCT_BUILD_TYPE))
ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
else
- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
endif
#add NHK-M528-A01-137 -factory open root default modify by mafei 20191021-end
endif
@@ -341,7 +341,7 @@ else # !enable_target_debugging
ifeq (FACTORY, $(LCT_BUILD_TYPE))
ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1
else
- ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1
endif
#add NHK-M528-A01-137 -factory open root default modify by mafei 20191021-end
endif # !enable_target_debugging
8、修复上述修改导致的 selinux 报错问题
device/qcom/sepolicy/Android.mk
diff --git a/Android.mk b/Android.mk
index c490fba..873b15b 100644
--- a/Android.mk
+++ b/Android.mk
@@ -45,7 +45,7 @@ ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
endif
- ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ ifneq (,$(filter user userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/generic/vendor/test
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/qva/vendor/test
endif
@@ -65,7 +65,7 @@ ifneq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
else
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/legacy/vendor/$(TARGET_SEPOLICY_DIR)
endif
- ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ ifneq (,$(filter user userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/legacy/vendor/test
endif
endif
patch汇总
一、device/qcom/trinket/
diff --git a/device/qcom/trinket/BoardConfig.mk b/device/qcom/trinket/BoardConfig.mk
index e041c85..76b76a4 100644
--- a/device/qcom/trinket/BoardConfig.mk
+++ b/device/qcom/trinket/BoardConfig.mk
@@ -223,9 +223,9 @@
else
ifeq (user, $(TARGET_BUILD_VARIANT))
- BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket
+ BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket androidboot.selinux=permissive
else
- BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,printk.devkmsg=on,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket
+ BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,printk.devkmsg=on,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=1 earlycon=msm_geni_serial,0x4a90000 loop.max_part=7 cgroup.memory=nokmem,nosocket androidboot.selinux=permissive
endif
endif
二、device/qcom/qssi/
diff --git a/device/qcom/qssi/BoardConfig.mk b/device/qcom/qssi/BoardConfig.mk
index 3fbc788..03a8e16 100644
--- a/device/qcom/qssi/BoardConfig.mk
+++ b/device/qcom/qssi/BoardConfig.mk
@@ -98,7 +98,7 @@
TARGET_USES_ION := true
TARGET_USES_NEW_ION_API :=true
TARGET_USES_QCOM_BSP := false
-BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xa90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 androidboot.usbcontroller=a600000.dwc3
+BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xa90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 service_locator.enable=1 swiotlb=2048 loop.max_part=7 androidboot.usbcontroller=a600000.dwc3 androidboot.selinux=permissive
BOARD_EGL_CFG := device/qcom/$(TARGET_BOARD_PLATFORM)/egl.cfg
三、system/core/
diff --git a/system/core/init/Android.bp b/system/core/init/Android.bp
index 6be7290..189ddd6 100644
--- a/system/core/init/Android.bp
+++ b/system/core/init/Android.bp
@@ -26,11 +26,11 @@
"-Wextra",
"-Wno-unused-parameter",
"-Werror",
- "-DALLOW_LOCAL_PROP_OVERRIDE=0",
- "-DALLOW_PERMISSIVE_SELINUX=0",
- "-DREBOOT_BOOTLOADER_ON_PANIC=0",
- "-DWORLD_WRITABLE_KMSG=0",
- "-DDUMP_ON_UMOUNT_FAILURE=0",
+ "-DALLOW_LOCAL_PROP_OVERRIDE=1",
+ "-DALLOW_PERMISSIVE_SELINUX=1",
+ "-DREBOOT_BOOTLOADER_ON_PANIC=1",
+ "-DWORLD_WRITABLE_KMSG=1",
+ "-DDUMP_ON_UMOUNT_FAILURE=1",
"-DSHUTDOWN_ZERO_TIMEOUT=0",
],
product_variables: {
diff --git a/system/core/init/Android.mk b/system/core/init/Android.mk
index cca57a9..494c654 100644
--- a/system/core/init/Android.mk
+++ b/system/core/init/Android.mk
@@ -6,7 +6,7 @@
# --
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
init_options += \
-DALLOW_LOCAL_PROP_OVERRIDE=1 \
-DALLOW_PERMISSIVE_SELINUX=1 \
diff --git a/system/core/init/selinux.cpp b/system/core/init/selinux.cpp
index 86238b4..9cd3f1e 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -97,10 +97,12 @@
}
bool IsEnforcing() {
+ return false;
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
return true;
+
}
// Forks, executes the provided program in the child, and waits for the completion in the parent.
diff --git a/system/core/adb/Android.bp b/system/core/adb/Android.bp
index 01e00dd..0854dd1 100644
--- a/system/core/adb/Android.bp
+++ b/system/core/adb/Android.bp
@@ -25,7 +25,7 @@
"-Wthread-safety",
"-Wvla",
"-DADB_HOST=1", // overridden by adbd_defaults
- "-DALLOW_ADBD_ROOT=0", // overridden by adbd_defaults
+ "-DALLOW_ADBD_ROOT=1", // overridden by adbd_defaults
],
cpp_std: "experimental",
@@ -76,7 +76,14 @@
name: "adbd_defaults",
defaults: ["adb_defaults"],
- cflags: ["-UADB_HOST", "-DADB_HOST=0"],
+ cflags: [
+ "-UADB_HOST",
+ "-DADB_HOST=0",
+ "-UALLOW_ADBD_ROOT",
+ "-DALLOW_ADBD_ROOT=1",
+ "-DALLOW_ADBD_DISABLE_VERITY",
+ "-DALLOW_ADBD_NO_AUTH",
+ ],
product_variables: {
debuggable: {
cflags: [
@@ -404,6 +411,8 @@
"liblog",
],
+ required: [ "remount",],
+
product_variables: {
debuggable: {
required: [
diff --git a/system/core/adb/daemon/main.cpp b/system/core/adb/daemon/main.cpp
index e5a4917..5f8de1b 100644
--- a/system/core/adb/daemon/main.cpp
+++ b/system/core/adb/daemon/main.cpp
@@ -63,6 +63,7 @@
}
static bool should_drop_capabilities_bounding_set() {
+ return false;
if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
if (__android_log_is_debuggable()) {
return false;
@@ -73,6 +74,7 @@
static bool should_drop_privileges() {
// "adb root" not allowed, always drop privileges.
+ return false;
if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
// The properties that affect `adb root` and `adb unroot` are ro.secure and
diff --git a/system/core/fs_mgr/Android.bp b/system/core/fs_mgr/Android.bp
index 4ee9624..ebaa390 100644
--- a/system/core/fs_mgr/Android.bp
+++ b/system/core/fs_mgr/Android.bp
@@ -75,7 +75,8 @@
"libfstab",
],
cppflags: [
- "-DALLOW_ADBD_DISABLE_VERITY=0",
+ "-UALLOW_ADBD_DISABLE_VERITY",
+ "-DALLOW_ADBD_DISABLE_VERITY=1",
],
product_variables: {
debuggable: {
@@ -132,7 +133,8 @@
"fs_mgr_remount.cpp",
],
cppflags: [
- "-DALLOW_ADBD_DISABLE_VERITY=0",
+ "-UALLOW_ADBD_DISABLE_VERITY",
+ "-DALLOW_ADBD_DISABLE_VERITY=1",
],
product_variables: {
debuggable: {
四、system/sepolicy
diff --git a/system/sepolicy/Android.mk b/system/sepolicy/Android.mk
index dadd7b0..24278d5 100644
--- a/system/sepolicy/Android.mk
+++ b/system/sepolicy/Android.mk
@@ -309,7 +309,7 @@
endif
-ifneq ($(TARGET_BUILD_VARIANT), user)
+ifneq ($(TARGET_BUILD_VARIANT), eng)
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
@@ -978,7 +978,7 @@
@mkdir -p $(dir $@)
$(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o [email protected] -f /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze [email protected] permissive > [email protected]
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s [email protected] ]; then \
+ $(hide) if [ "eng" = "user" -a -s [email protected] ]; then \
echo "==========" 1>&2; \
echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
echo "List of invalid domains:" 1>&2; \
@@ -1032,7 +1032,7 @@
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
$(POLICYVERS) -o [email protected] $<
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze [email protected] permissive > [email protected]
- $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s [email protected] ]; then \
+ $(hide) if [ "eng" = "user" -a -s [email protected] ]; then \
echo "==========" 1>&2; \
echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
echo "List of invalid domains:" 1>&2; \
@@ -1104,7 +1104,7 @@
ifneq ($(filter address,$(SANITIZE_TARGET)),)
local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY)))
endif
-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
ifeq ($(TARGET_FLATTEN_APEX),true)
@@ -1166,7 +1166,7 @@
file_contexts.local.tmp :=
##################################
-ifneq ($(TARGET_BUILD_VARIANT), user)
+ifneq ($(TARGET_BUILD_VARIANT), eng)
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
diff --git a/system/sepolicy/definitions.mk b/system/sepolicy/definitions.mk
index 16c8bd6..d64ea4c 100644
--- a/system/sepolicy/definitions.mk
+++ b/system/sepolicy/definitions.mk
@@ -4,7 +4,7 @@
@mkdir -p $(dir $@)
$(hide) m4 --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
+ -D target_build_variant=eng \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
五、/build
diff --git a/build/core/main.mk b/build/core/main.mk
index c2206db..bc2996d 100644
--- a/build/core/main.mk
+++ b/build/core/main.mk
@@ -293,7 +293,7 @@
ifeq (FACTORY, $(LCT_BUILD_TYPE))
ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
else
- ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
endif
#add NHK-M528-A01-137 -factory open root default modify by mafei 20191021-end
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
@@ -304,7 +304,7 @@
ifeq (FACTORY, $(LCT_BUILD_TYPE))
ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
else
- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
endif
#add NHK-M528-A01-137 -factory open root default modify by mafei 20191021-end
endif
@@ -341,7 +341,7 @@
ifeq (FACTORY, $(LCT_BUILD_TYPE))
ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1
else
- ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0
+ ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1
endif
#add NHK-M528-A01-137 -factory open root default modify by mafei 20191021-end
endif # !enable_target_debugging
六、/device/qcom/sepolicy
diff --git a/device/qcom/sepolicy/Android.mk b/device/qcom/sepolicy/Android.mk
index c490fba..873b15b 100644
--- a/device/qcom/sepolicy/Android.mk
+++ b/device/qcom/sepolicy/Android.mk
@@ -45,7 +45,7 @@
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
endif
- ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ ifneq (,$(filter user userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/generic/vendor/test
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/qva/vendor/test
endif
@@ -65,7 +65,7 @@
else
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/legacy/vendor/$(TARGET_SEPOLICY_DIR)
endif
- ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ ifneq (,$(filter user userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(LOCAL_PATH)/legacy/vendor/test
endif
endif