[SM6225][Android13]user版本默认允许root和remount

开发平台基本信息

芯片: 高通SM6225
版本: Android 13
kernel: msm-5.15

问题描述

       刚刚从Framework踏入性能的小殿堂，User版本默认是不会开启root权限的，而且一般调试需要设置一下CPU GPU DDR perfORMance模式或者修改一些schedule util等调核调频节点去对比复测，userdebug版本的话本身整机性能就比user卡很多，有时候使用userdebug去复测会对测试结果有较大影响，与user测试结果存在很大差距。

      基于以上，user+root闪亮登场，性能与user一致，而且还有root和remount权限，可以自主执行修改节点或者push等操作。话不多说，让我们进入整体，看看如何实现user+root+remount.

基线代码判断逻辑：

1.adb代码会检测相关属性

ro.secure
ro.debuggable (通过调用__Android_log_is_debuggable()获取返回值)

2.代码path

1 adbd启动时检查属性，决定是否进行权限降级到aiD_shell
path：system/adb/core/daemon/main.cpp line:121
if (should_drop_privileges()){
… …

2 system/adb/core/下搜索__android_log_is_debuggable()

3.修改思路

1 should_drop_privileges() 修改强制返回false，保持adb root用户级别
3.2 __android_log_is_debuggable() 返回true
 

packages/modules/adb/daemon/main.cppstatic bool should_drop_privileges() {    // The properties that affect `adb root` and `adb unroot` are ro.secure and    // ro.debuggable. In this context the names don't make the expected behavior    // particularly obvious.    //    // ro.debuggable:    //   Allowed to become root, but not necessarily the default. Set to 1 on    //   eng and userdebug builds.    //    // ro.secure:    //   Drop privileges by default. Set to 1 on userdebug and user builds.    bool ro_secure = android::base::GetBoolProperty("ro.secure", true);    bool ro_debuggable = __android_log_is_debuggable();     // Drop privileges if ro.secure is set...    bool drop = ro_secure;     std::string build_prop = android::base::GetProperty("ro.build.type", "");    bool adb_build_root = (build_prop == "userdebug");    if (adb_build_root) {    return false;    }     // ... except "adb root" lets you keep privileges in a debuggable build.    std::string prop = android::base::GetProperty("service.adb.root", "");    bool adb_root = (prop == "1");    bool adb_unroot = (prop == "0");    if (ro_debuggable && adb_root) {        drop = false;    }    // ... and "adb unroot" lets you explicitly drop privileges.    if (adb_unroot) {        drop = true;    }     return drop;}

解决方案：

1.注释掉DropCapabilitiesBoundingSet

说明：这个文件负责创建应用程序进程，并设置它们的权限和能力。需要注释掉DropCapabilitiesBoundingSet函数中的代码，以防止它删除adbd进程的任何能力。

文件路径：qssi/frameworks/base/core/jni/com_android_internal_os_ZyGote.cpp
详细修改：

--- a/core/jni/com_android_internal_os_Zygote.cpp+++ b/core/jni/com_android_internal_os_Zygote.cpp@@ -681,7 +681,7 @@ }  static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {-  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;+   }  static void SetInheritable(uint64_t inheritable, fail_fn_t fail_fn) {

2.启用abdb root模式添加remount，保持adb root用户级别

2.1 启用adbd进程的root模式，并添加remount到required中

说明：这个文件定义了adbd模块的编译选项和依赖项。需要添加-DALLOW_ADBD_ROOT=1到cflags中，以启用adbd进程的root模式，并添加remount到required中，以允许adbd进程重新挂载系统分区。

文件路径：qssi/packages/modules/adb/Android.bp
详细修改：

--- a/Android.bp+++ b/Android.bp@@ -50,6 +50,7 @@         "-Wvla",         "-DADB_HOST=1",         // overridden by adbd_defaults         "-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1",+        "-DALLOW_ADBD_ROOT=1",     ],     cpp_std: "experimental", @@ -112,7 +113,14 @@     name: "adbd_defaults",     defaults: ["adb_defaults"], -    cflags: ["-UADB_HOST", "-DADB_HOST=0"],+    cflags: [+        "-UADB_HOST",+        "-DADB_HOST=0",+        "-UALLOW_ADBD_ROOT",+        "-DALLOW_ADBD_ROOT=1",+        "-DALLOW_ADBD_DISABLE_VERITY",+        "-DALLOW_ADBD_NO_AUTH",+    ], }cc_defaults {    name: "host_adbd_supported",    host_supported: true,    target: {        linux: {            enabled: true,            host_ldlibs: [ @@ -606,6 +614,8 @@        "libcrypto_utils",        "libcutils_Sockets",        // APEX dependencies.        "libadbd_auth",        "libadbd_fs",        "libcrypto",        "liblog",    ], +    required: ["remount",],    target: {        android: {            srcs: [                "daemon/abb_service.cpp",                "daemon/framebuffer_service.cpp",                "daemon/mdns.cpp",                "daemon/restart_service.cpp",            ],            shared_libs: [                "libmdnssd",

2.2 保持adb root用户级别

说明：这个文件是adbd进程的主要入口点。我们需要修改should_drop_privileges函数，让它总是返回false，以防止它降低adbd进程的权限。should_drop_privileges() 修改强制返回false，保持adb root用户级别

文件路径：qssi/packages/modules/adb/daemon/main.cpp
详细修改：

--- a/daemon/main.cpp+++ b/daemon/main.cpp@@ -74,6 +74,7 @@     //     // ro.secure:     //   Drop privileges by default. Set to 1 on userdebug and user builds.+    return false;     bool ro_secure = android::base::GetBoolProperty("ro.secure", true);     bool ro_debuggable = __android_log_is_debuggable();

3.允许adbd进程关闭Verity检查,关闭selinux

3.1 允许adbd进程关闭Verity检查

说明：这个文件定义了fs_mgr模块的编译选项和依赖项。fs_mgr模块负责管理设备上的文件系统。我们需要修改-DALLOW_ADBD_DISABLE_VERITY=0为-DALLOW_ADBD_DISABLE_VERITY=1，以允许adbd进程关闭Verity检查。

文件路径：qssi/system/core/fs_mgr/Android.bp
详细修改：

--- a/fs_mgr/Android.bp+++ b/fs_mgr/Android.bp@@ -109,7 +109,8 @@         "libfstab",     ],     cppflags: [-        "-DALLOW_ADBD_DISABLE_VERITY=0",+        "-UALLOW_ADBD_DISABLE_VERITY",+        "-DALLOW_ADBD_DISABLE_VERITY=1",     ],     product_variables: {         debuggable: {@@ -237,7 +238,8 @@         "fs_mgr_remount.cpp",     ],     cppflags: [-        "-DALLOW_ADBD_DISABLE_VERITY=0",+        "-UALLOW_ADBD_DISABLE_VERITY",+        "-DALLOW_ADBD_DISABLE_VERITY=1",     ],     product_variables: {         debuggable: {

3.2 允许init进程编译方式

说明：这个文件定义了init模块的编译选项和依赖项。init模块是设备启动时运行的第一个进程，负责初始化系统服务和属性。

-DALLOW_FIRST_STAGE_CONSOLE=1：允许init进程在第一阶段打开控制台输出
-DALLOW_LOCAL_PROP_OVERRIDE=1：允许init进程覆盖本地属性
-DALLOW_PERMISSIVE_SELINUX=1：允许init进程设置SELinux为permissive模式
-DREBOOT_BOOTLOADER_ON_PANIC=1：允许init进程在发生内核崩溃时重启到bootloader模式
-DWORLD_WRITABLE_KMSG=1：允许init进程设置kmsg文件为可写
-DDUMP_ON_UMOUNT_FAILURE=1：允许init进程在卸载分区失败时生成内存转储
-DSHUTDOWN_ZERO_TIMEOUT=1：允许init进程在收到关机命令时立即执行

文件路径：qssi/system/core/init/Android.bp

详细修改：

--- a/init/Android.bp+++ b/init/Android.bp@@ -136,13 +136,20 @@         "-Wno-unused-parameter",         "-Werror",         "-Wthread-safety",-        "-DALLOW_FIRST_STAGE_CONSOLE=0",-        "-DALLOW_LOCAL_PROP_OVERRIDE=0",-        "-DALLOW_PERMISSIVE_SELINUX=0",-        "-DREBOOT_BOOTLOADER_ON_PANIC=0",-        "-DWORLD_WRITABLE_KMSG=0",-        "-DDUMP_ON_UMOUNT_FAILURE=0",-        "-DSHUTDOWN_ZERO_TIMEOUT=0",+        "-UALLOW_FIRST_STAGE_CONSOLE",+        "-DALLOW_FIRST_STAGE_CONSOLE=1",+        "-UALLOW_LOCAL_PROP_OVERRIDE",+        "-DALLOW_LOCAL_PROP_OVERRIDE=1",+        "-UALLOW_PERMISSIVE_SELINUX",+        "-DALLOW_PERMISSIVE_SELINUX=1",+        "-UREBOOT_BOOTLOADER_ON_PANIC",+        "-DREBOOT_BOOTLOADER_ON_PANIC=1",+        "-UWORLD_WRITABLE_KMSG",+        "-DWORLD_WRITABLE_KMSG=1",+        "-UDUMP_ON_UMOUNT_FAILURE",+        "-DDUMP_ON_UMOUNT_FAILURE=1",+        "-USHUTDOWN_ZERO_TIMEOUT",+        "-DSHUTDOWN_ZERO_TIMEOUT=1",         "-DINIT_FULL_SOURCES",         "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0",     ],@@ -394,13 +401,20 @@         "-Wextra",         "-Wno-unused-parameter",         "-Werror",-        "-DALLOW_FIRST_STAGE_CONSOLE=0",-        "-DALLOW_LOCAL_PROP_OVERRIDE=0",-        "-DALLOW_PERMISSIVE_SELINUX=0",-        "-DREBOOT_BOOTLOADER_ON_PANIC=0",-        "-DWORLD_WRITABLE_KMSG=0",-        "-DDUMP_ON_UMOUNT_FAILURE=0",-        "-DSHUTDOWN_ZERO_TIMEOUT=0",+        "-UALLOW_FIRST_STAGE_CONSOLE",+        "-DALLOW_FIRST_STAGE_CONSOLE=1",+        "-UALLOW_LOCAL_PROP_OVERRIDE",+        "-DALLOW_LOCAL_PROP_OVERRIDE=1",+        "-UALLOW_PERMISSIVE_SELINUX",+        "-DALLOW_PERMISSIVE_SELINUX=1",+        "-UREBOOT_BOOTLOADER_ON_PANIC",+        "-DREBOOT_BOOTLOADER_ON_PANIC=1",+        "-UWORLD_WRITABLE_KMSG",+        "-DWORLD_WRITABLE_KMSG=1",+        "-UDUMP_ON_UMOUNT_FAILURE",+        "-DDUMP_ON_UMOUNT_FAILURE=1",+        "-USHUTDOWN_ZERO_TIMEOUT",+        "-DSHUTDOWN_ZERO_TIMEOUT=1",         "-DLOG_UEVENTS=0",         "-DSEPOLICY_VERSION=30", // TODO(jiyong): externalize the version number     ],

3.3 关闭selinux 将enforce置为Permissive

说明：这个文件实现了一些与SELinux相关的函数。我们需要修改IsEnforcing函数，让它总是返回false，以防止它检查系统属性或内核参数是否设置了SELinux的强制执行。

文件路径：qssi/system/core/init/selinux.cpp
详细修改：

--- a/init/selinux.cpp+++ b/init/selinux.cpp@@ -123,6 +123,7 @@ }  bool IsEnforcing() {+    return false;     // close selinux for user version with root     #if defined(LCT_BUILD_TYPE_FACTORY)     return false;

4.user 版本不允许 permissive domains

说明：user 版本启用 overlayfs 来装载 remount 对应分区 user 版本不允许 permissive domains

文件路径：system/sepolicy/Android.mk
详细修改：

--- a/Android.mk+++ b/Android.mk@@ -613,7 +613,7 @@ ifneq ($(filter address,$(SANITIZE_TARGET)),)   local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) endif-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))   local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) endif

5.打开 USB 调试时默认授权，默认user版本编译remount。

5.1 默认开启usb调试

说明：默认开启usb调试。

文件路径：build/make//core/main.mk
详细修改：

--- a/core/main.mk+++ b/core/main.mk@@ -365,11 +365,11 @@ tags_to_install := ifneq (,$(user_variant))   # Target is secure in user builds.-  ADDITIONAL_SYSTEM_PROPERTIES += ro.secure=1+  ADDITIONAL_SYSTEM_PROPERTIES += ro.secure=0   ADDITIONAL_SYSTEM_PROPERTIES += security.perf_harden=1    ifeq ($(user_variant),user)-    ADDITIONAL_SYSTEM_PROPERTIES += ro.adb.secure=1+    ADDITIONAL_SYSTEM_PROPERTIES += ro.adb.secure=0   endif    ifeq ($(user_variant),userdebug)@@ -377,7 +377,7 @@     tags_to_install += debug   else     # Disable debugging in plain user builds.-    enable_target_debugging :=+    enable_target_debugging := true   endif    # Disallow mock locations by default for user builds@@ -399,7 +399,7 @@   ADDITIONAL_SYSTEM_PROPERTIES += dalvik.vm.lockprof.threshold=500 else # !enable_target_debugging   # Target is less debuggable and adbd is off by default-  ADDITIONAL_SYSTEM_PROPERTIES += ro.debuggable=0+  ADDITIONAL_SYSTEM_PROPERTIES += ro.debuggable=1 endif # !enable_target_debugging  ## eng ##

5.2 添加remount

说明：user版本默认不会编译remount,即system/bin/remount不存在，需要将remount添加到默认编译列表里面。

文件路径：build/make/target/product/base_system.mk
详细修改：

--- a/target/product/base_system.mk+++ b/target/product/base_system.mk@@ -287,6 +287,7 @@     wificond \     wifi.rc \     wm \+    remount \  ifneq ($(TARGET_HAS_LOW_RAM), true) PRODUCT_PACKAGES += \@@ -388,7 +389,6 @@     procrank \     profcollectd \     profcollectctl \-    remount \     servicedispatcher \     showmap \     sqlite3 \

总结

通过以上的修改，我们可以在Android 13上实现root功能。

希望这篇博客能对你有所帮助，如果你有任何问题或建议，欢迎留言讨论。谢谢！

来源地址：https://blog.csdn.net/mafei852213034/article/details/132765910