Android 11编译第三弹 ADB开启ROOT权限-Toy模板网

这篇具有很好参考价值的文章主要介绍了Android 11编译第三弹 ADB开启ROOT权限。希望对大家有所帮助。如果存在错误或未考虑完全的地方，请大家不吝赐教，您也可以点击"举报违法"按钮提交疑问。

一、为什么需要adb root权限

问题：Relese版本，默认adb访问会降级到shell权限，一些敏感操作不能进行，远程调试比较麻烦。且Release版本没有su模块，不能切换Root用户。

开启adb调试以后，默认进入adb是system权限，不能切换到root（因为Release没有集成su）.

有两种方式切换Root:

1) Release也集成su模块

2）默认Release版本adb 开启Root权限

二、开启adb ROOT权限

开启Root权限

ro.secure表示root权限，要开启Root权限，系统配置ro.secure=0 开启ROOT权限

2.1 编译时默认开启ROOT权限

build/make/core/main.mk

ifneq (,$(user_variant))
  # ==== modify begin ====
  # fix: zhouronghua default as root
  # Target is secure in user builds.
  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
  # ==== modify end ====
  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1

  ifeq ($(user_variant),user)
    # ==== modify begin ==== fix: default as root
    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
    # ==== modify end ====
  endif

user版本就是Releae版本，userdebug版本就是debug版本。

2.2 Zygote关闭权限降级

frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {

  // ==== modify begin ==== zhouronghua 
  #if 0
  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
      if (errno == EINVAL) {
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
              "your kernel is compiled with file capabilities support");
      } else {
        fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)));
      }
    }
  }
  #endif
  // ==== modify end ====

}

2.3 Android.bp允许暴力修改selinux权限

system/core/init/Android.bp

-DALLOW_PERMISSIVE_SELINUX=0 修改为 -DALLOW_PERMISSIVE_SELINUX=1

cc_defaults {
    name: "init_defaults",
    cpp_std: "experimental",
    sanitize: {
        misc_undefined: ["signed-integer-overflow"],
    },
    cflags: [
        "-DLOG_UEVENTS=0",
        "-Wall",
        "-Wextra",
        "-Wno-unused-parameter",
        "-Werror",
        "-Wthread-safety",
        "-DALLOW_FIRST_STAGE_CONSOLE=0",
        "-DALLOW_LOCAL_PROP_OVERRIDE=0",
        "-DALLOW_PERMISSIVE_SELINUX=1",
        "-DREBOOT_BOOTLOADER_ON_PANIC=0",
        "-DWORLD_WRITABLE_KMSG=0",
        "-DDUMP_ON_UMOUNT_FAILURE=0",

2.4 init程序允许暴力修改selinux权限

system/core/init/Android.mk

ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
init_options += \
    -DALLOW_FIRST_STAGE_CONSOLE=1 \
    -DALLOW_LOCAL_PROP_OVERRIDE=1 \
    -DALLOW_PERMISSIVE_SELINUX=1 \
    -DREBOOT_BOOTLOADER_ON_PANIC=1 \
    -DWORLD_WRITABLE_KMSG=1 \
    -DDUMP_ON_UMOUNT_FAILURE=1
else
# ==== modify begin ==== zhouronghua allow permissive
init_options += \
    -DALLOW_FIRST_STAGE_CONSOLE=0 \
    -DALLOW_LOCAL_PROP_OVERRIDE=0 \
    -DALLOW_PERMISSIVE_SELINUX=1 \
    -DREBOOT_BOOTLOADER_ON_PANIC=0 \
    -DWORLD_WRITABLE_KMSG=0 \
    -DDUMP_ON_UMOUNT_FAILURE=0
# ==== modify end ====
endif

2.5 su程序权限提级

system/core/libcutils/fs_config.cpp

    // the following two files are INTENTIONALLY set-uid, but they
    // are NOT included on user builds.
    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
    // ==== modify begin ==== zhouronghua su right improve
    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },

2.6 修改su程序权限

system/core/rootdir/init.rc

    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # ==== modify begin ==== zhouronghua su right
    chmod 6755 /system/xbin/su
    # ==== modify end ====

2.7 su程序构建

system/extras/su/Android.mk

LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)

# ==== modify begin ==== zhouronghua su as common module
LOCAL_MODULE_TAGS := optional
# ==== modify end ====

2.8 su程序去掉Root用户检测

system/extras/su/su.cpp

int main(int argc, char** argv) {
    // ==== modify begin ==== zhouronghua delete root shell check
    #if 0
    uid_t current_uid = getuid();
    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
    #endif
    // ==== modify end ====

2.9 关闭selinux.cpp强制安全检测

system/core/init/selinux.cpp

bool IsEnforcing() {
    // ==== modify start ==== zhouronghua 不需要强制安全检测
	return false;
    // ==== modify end
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;
    }
    return true;
}

2.10 adb不降级采用ROOT访问

adbd启动时检查属性，决定是否进行权限降级到AID_SHELL

system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {
    // ==== modify begin ====
    // fix: zhouronghua "adb root" not allowed, always drop privileges.
    if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return false;
    // ==== modifu end ====

adb Root权限访问不需要降级。

2.11 安卓内核默认开启selLinux

kernel/configs/o-mr1/android-3.18/android-base.config

kernel/configs/o-mr1/android-4.4/android-base.config

kernel/configs/o-mr1/android-4.9/android-base.config

kernel/configs/o/android-3.18/android-base.config

kernel/configs/o/android-4.4/android-base.config

kernel/configs/o/android-4.9/android-base.config

kernel/configs/p/android-4.14/android-base.config

kernel/configs/p/android-4.4/android-base.config

kernel/configs/p/android-4.9/android-base.config

kernel/configs/q/android-4.14/android-base.config

kernel/configs/q/android-4.19/android-base.config

kernel/configs/q/android-4.9/android-base.config

kernel/configs/r/android-4.14/android-base.config

kernel/configs/r/android-4.19/android-base.config

kernel/configs/r/android-5.4/android-base.config文章来源地址https://www.toymoban.com/news/detail-706457.html

CONFIG_XFRM_USER=y
# ==== modify begin ==== zhouronghua selinux
CONFIG_SECURITY_SELINUX_DEVELOP=y
# # ==== modify end ====

到了这里，关于Android 11编译第三弹 ADB开启ROOT权限的文章就介绍完了。如果您还想了解更多内容，请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章，希望大家以后多多支持TOY模板网！

Android 11编译第三弹 ADB开启ROOT权限

一、为什么需要adb root权限

二、开启adb ROOT权限

2.1 编译时默认开启ROOT权限

2.2 Zygote关闭权限降级

2.3 Android.bp允许暴力修改selinux权限

2.4 init程序允许暴力修改selinux权限

2.5 su程序权限提级

2.6 修改su程序权限

2.7 su程序构建

2.8 su程序去掉Root用户检测

2.9 关闭selinux.cpp强制安全检测

2.10 adb不降级采用ROOT访问

2.11 安卓内核默认开启selLinux

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏

支付宝扫一扫领取红包，优惠每天领

二维码1

二维码2