
Android 11编译第三弹 ADB开启ROOT权限

androidadb 2023-10-05 13:10:55 436人浏览 泡泡鱼

一、为什么需要adb root权限

问题:Release版本,默认adb访问会降级到shell权限,一些敏感操作不能进行,远程调试比较麻烦。且Release版本没有su模块,不能切换Root用户。

开启adb调试以后,默认进入adb是shell权限,不能切换到root(因为Release没有集成su)。

有两种方式切换Root:

1) Release也集成su模块

2)默认Release版本adb 开启Root权限

二、开启adb ROOT权限

开启Root权限

ro.secure 决定 adbd 是否降权运行:系统属性配置为 ro.secure=0 时,adbd 不再降级到 shell 用户,即开启ROOT权限。

2.1 编译时默认开启ROOT权限

build/make/core/main.mk

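# Excerpt of build/make/core/main.mk: default properties for user-variant builds.
ifneq (,$(user_variant))
  # ==== modify begin ====
  # fix: zhouronghua default as root
  # The upstream comment on this line reads "Target is secure in user builds.";
  # with ro.secure=0 adbd no longer drops from root to the shell user.
  # (The variable name must be spelled ADDITIONAL_DEFAULT_PROPERTIES exactly;
  # a misspelled name is a different make variable and the property is lost.)
  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
  # ==== modify end ====
  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1

  ifeq ($(user_variant),user)
    # ==== modify begin ==== fix: default as root
    # ro.adb.secure=0: adbd does not require host key authorization, so any
    # host that can reach adbd gets a session without an on-device prompt.
    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
    # ==== modify end ====
  endif
  # ... remainder of the ifneq block in main.mk is not shown in this excerpt ...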

user版本就是Release版本,userdebug版本就是debug版本。

2.2 Zygote关闭权限降级

frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

// Upstream, this function walks the capability bounding set with
// PR_CAPBSET_READ and removes each entry with PR_CAPBSET_DROP. In this
// modified build the whole body sits inside `#if 0`, so the function returns
// immediately: no capability is removed from the bounding set and `fail_fn`
// is never invoked.
static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
  // ==== modify begin ==== zhouronghua
#if 0
  // Disabled upstream logic, kept for reference.
  for (int cap = 0; prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0; cap++) {
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != -1) {
      continue;
    }
    if (errno == EINVAL) {
      ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
            "your kernel is compiled with file capabilities support");
    } else {
      fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", cap, strerror(errno)));
    }
  }
#endif
  // ==== modify end ====
}

2.3 Android.bp允许暴力修改selinux权限

system/core/init/Android.bp

-DALLOW_PERMISSIVE_SELINUX=0  修改为 -DALLOW_PERMISSIVE_SELINUX=1

cc_defaults {    name: "init_defaults",    cpp_std: "experimental",    sanitize: {        misc_undefined: ["signed-integer-overflow"],    },    cflags: [        "-DLOG_UEVENTS=0",        "-Wall",        "-Wextra",        "-Wno-unused-parameter",        "-Werror",        "-Wthread-safety",        "-DALLOW_FIRST_STAGE_CONSOLE=0",        "-DALLOW_LOCAL_PROP_OVERRIDE=0",        "-DALLOW_PERMISSIVE_SELINUX=1",        "-DREBOOT_BOOTLOADER_ON_PANIC=0",        "-DWORLD_WRITABLE_KMSG=0",        "-DDUMP_ON_UMOUNT_FAILURE=0",

2.4 init程序允许暴力修改selinux权限

system/core/init/Android.mk

# Compile-time switches passed to init, selected by TARGET_BUILD_VARIANT.
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
# userdebug / eng builds: every switch below is set to 1.
init_options += \
    -DALLOW_FIRST_STAGE_CONSOLE=1 \
    -DALLOW_LOCAL_PROP_OVERRIDE=1 \
    -DALLOW_PERMISSIVE_SELINUX=1 \
    -DREBOOT_BOOTLOADER_ON_PANIC=1 \
    -DWORLD_WRITABLE_KMSG=1 \
    -DDUMP_ON_UMOUNT_FAILURE=1
else
# ==== modify begin ==== zhouronghua allow permissive
# All other builds (user): only ALLOW_PERMISSIVE_SELINUX is set to 1 here;
# the remaining switches stay 0. After this change both branches allow
# permissive SELinux.
init_options += \
    -DALLOW_FIRST_STAGE_CONSOLE=0 \
    -DALLOW_LOCAL_PROP_OVERRIDE=0 \
    -DALLOW_PERMISSIVE_SELINUX=1 \
    -DREBOOT_BOOTLOADER_ON_PANIC=0 \
    -DWORLD_WRITABLE_KMSG=0 \
    -DDUMP_ON_UMOUNT_FAILURE=0
# ==== modify end ====
endif

2.5 su程序权限提级

system/core/libcutils/fs_config.cpp

    // the following two files are INTENTIONALLY set-uid, but they    // are NOT included on user builds.    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },    // ==== modify begin ==== zhouronghua su right improve    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },

2.6 修改su程序权限

system/core/rootdir/init.rc

    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    # ==== modify begin ==== zhouronghua su right
    # Sets su to mode 6755 (set-uid + set-gid, rwxr-xr-x).
    chmod 6755 /system/xbin/su
    # ==== modify end ====

2.7 su程序构建

system/extras/su/Android.mk

LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
# ==== modify begin ==== zhouronghua su as common module
# Tags the su module as `optional`.
# NOTE(review): the previous LOCAL_MODULE_TAGS value is not shown in this excerpt.
LOCAL_MODULE_TAGS := optional
# ==== modify end ====

2.8 su程序去掉Root用户检测

system/extras/su/su.cpp

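// Entry point of su (excerpt). The first parameter is `argc`; the page's
// text had the name garbled.
int main(int argc, char** argv) {
    // ==== modify begin ==== zhouronghua delete root shell check
    // The caller-uid check below is compiled out with `#if 0`, so su no longer
    // exits with "not allowed" when the caller's uid is neither AID_ROOT nor
    // AID_SHELL; every caller passes this point.
    #if 0
    uid_t current_uid = getuid();
    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
    #endif
    // ==== modify end ====
    // ... rest of main() is not shown in this excerpt ...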

2.9 关闭selinux.cpp强制安全检测

system/core/init/selinux.cpp

// Reports whether SELinux should run in enforcing mode.
//
// This modified version returns false unconditionally, so the upstream
// decision logic after the early return is never executed.
bool IsEnforcing() {
    // ==== modify start ==== zhouronghua no enforced security check needed
    return false;
    // ==== modify end

    // Unreachable upstream logic, kept for reference: without
    // ALLOW_PERMISSIVE_SELINUX the answer is always "enforcing"; otherwise it
    // follows the status read by StatusFromCmdline().
    if (!ALLOW_PERMISSIVE_SELINUX) {
        return true;
    }
    return StatusFromCmdline() == SELINUX_ENFORCING;
}

2.10 adb不降级采用ROOT访问

adbd启动时检查属性,决定是否进行权限降级到AID_SHELL

system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {
    // ==== modify begin ====
    // fix: zhouronghua
    // NOTE(review): the comment carried over on this line said
    // '"adb root" not allowed, always drop privileges', which no longer
    // matches the code. This branch now returns false, i.e. when the build
    // does not allow adbd root and the device is not unlocked, the function
    // reports that privileges should NOT be dropped.
    if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return false;
    // ==== modify end ====
    // ... rest of should_drop_privileges() is not shown in this excerpt ...

adb Root权限访问不需要降级。 

2.11 安卓内核默认开启SELinux开发模式支持

kernel/configs/o-mr1/android-3.18/android-base.config

kernel/configs/o-mr1/android-4.4/android-base.config

kernel/configs/o-mr1/android-4.9/android-base.config

kernel/configs/o/android-3.18/android-base.config

kernel/configs/o/android-3.18/android-base.config

kernel/configs/o/android-4.4/android-base.config

kernel/configs/o/android-4.9/android-base.config

kernel/configs/p/android-4.14/android-base.config

kernel/configs/p/android-4.4/android-base.config

kernel/configs/p/android-4.9/android-base.config

kernel/configs/q/android-4.14/android-base.config

kernel/configs/q/android-4.19/android-base.config

kernel/configs/q/android-4.9/android-base.config

kernel/configs/r/android-4.14/android-base.config

kernel/configs/r/android-4.19/android-base.config

kernel/configs/r/android-5.4/android-base.config

CONFIG_XFRM_USER=y
# ==== modify begin ==== zhouronghua selinux
# Enables the kernel's SELinux development support, which lets SELinux be
# run in permissive mode instead of enforcing.
CONFIG_SECURITY_SELINUX_DEVELOP=y
# ==== modify end ====

来源地址:https://blog.csdn.net/joedan0104/article/details/132650597
