开发平台基本信息 芯片: 高通SM6225版本: Android 13kernel: msm-5.15 问题描述 刚刚从Framework踏入性能的小殿堂,User版本默认是不会开启root权限的,而且一般调试需要设置一下CP
芯片: 高通SM6225
版本: Android 13
kernel: msm-5.15
刚刚从Framework踏入性能的小殿堂,User版本默认是不会开启root权限的,而且一般调试需要设置一下CPU GPU DDR perfORMance模式或者修改一些schedule util等调核调频节点去对比复测,userdebug版本的话本身整机性能就比user卡很多,有时候使用userdebug去复测会对测试结果有较大影响,与user测试结果存在很大差距。
基于以上,user+root闪亮登场,性能与user一致,而且还有root和remount权限,可以自主执行修改节点或者push等操作。话不多说,让我们进入整体,看看如何实现user+root+remount.
ro.secure
ro.debuggable (通过调用__Android_log_is_debuggable()获取返回值)
1 adbd启动时检查属性,决定是否进行权限降级到aiD_shell
path:system/adb/core/daemon/main.cpp line:121
if (should_drop_privileges()){
… …
2 system/adb/core/下搜索__android_log_is_debuggable()
1 should_drop_privileges() 修改强制返回false,保持adb root用户级别
3.2 __android_log_is_debuggable() 返回true
packages/modules/adb/daemon/main.cppstatic bool should_drop_privileges() { // The properties that affect `adb root` and `adb unroot` are ro.secure and // ro.debuggable. In this context the names don't make the expected behavior // particularly obvious. // // ro.debuggable: // Allowed to become root, but not necessarily the default. Set to 1 on // eng and userdebug builds. // // ro.secure: // Drop privileges by default. Set to 1 on userdebug and user builds. bool ro_secure = android::base::GetBoolProperty("ro.secure", true); bool ro_debuggable = __android_log_is_debuggable(); // Drop privileges if ro.secure is set... bool drop = ro_secure; std::string build_prop = android::base::GetProperty("ro.build.type", ""); bool adb_build_root = (build_prop == "userdebug"); if (adb_build_root) { return false; } // ... except "adb root" lets you keep privileges in a debuggable build. std::string prop = android::base::GetProperty("service.adb.root", ""); bool adb_root = (prop == "1"); bool adb_unroot = (prop == "0"); if (ro_debuggable && adb_root) { drop = false; } // ... and "adb unroot" lets you explicitly drop privileges. if (adb_unroot) { drop = true; } return drop;}
DropCapabilitiesBoundingSet
说明:这个文件负责创建应用程序进程,并设置它们的权限和能力。需要注释掉DropCapabilitiesBoundingSet
函数中的代码,以防止它删除adbd进程的任何能力。
文件路径:qssi/frameworks/base/core/jni/com_android_internal_os_ZyGote.cpp
详细修改:
--- a/core/jni/com_android_internal_os_Zygote.cpp+++ b/core/jni/com_android_internal_os_Zygote.cpp@@ -681,7 +681,7 @@ } static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {- for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;+ } static void SetInheritable(uint64_t inheritable, fail_fn_t fail_fn) {
remount
到required中说明:这个文件定义了adbd模块的编译选项和依赖项。需要添加-DALLOW_ADBD_ROOT=1
到cflags中,以启用adbd进程的root模式,并添加remount
到required中,以允许adbd进程重新挂载系统分区。
文件路径:qssi/packages/modules/adb/Android.bp
详细修改:
--- a/Android.bp+++ b/Android.bp@@ -50,6 +50,7 @@ "-Wvla", "-DADB_HOST=1", // overridden by adbd_defaults "-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1",+ "-DALLOW_ADBD_ROOT=1", ], cpp_std: "experimental", @@ -112,7 +113,14 @@ name: "adbd_defaults", defaults: ["adb_defaults"], - cflags: ["-UADB_HOST", "-DADB_HOST=0"],+ cflags: [+ "-UADB_HOST",+ "-DADB_HOST=0",+ "-UALLOW_ADBD_ROOT",+ "-DALLOW_ADBD_ROOT=1",+ "-DALLOW_ADBD_DISABLE_VERITY",+ "-DALLOW_ADBD_NO_AUTH",+ ], }cc_defaults { name: "host_adbd_supported", host_supported: true, target: { linux: { enabled: true, host_ldlibs: [ @@ -606,6 +614,8 @@ "libcrypto_utils", "libcutils_Sockets", // APEX dependencies. "libadbd_auth", "libadbd_fs", "libcrypto", "liblog", ], + required: ["remount",], target: { android: { srcs: [ "daemon/abb_service.cpp", "daemon/framebuffer_service.cpp", "daemon/mdns.cpp", "daemon/restart_service.cpp", ], shared_libs: [ "libmdnssd",
说明:这个文件是adbd进程的主要入口点。我们需要修改should_drop_privileges
函数,让它总是返回false,以防止它降低adbd进程的权限。should_drop_privileges() 修改强制返回false,保持adb root用户级别
文件路径:qssi/packages/modules/adb/daemon/main.cpp
详细修改:
--- a/daemon/main.cpp+++ b/daemon/main.cpp@@ -74,6 +74,7 @@ // // ro.secure: // Drop privileges by default. Set to 1 on userdebug and user builds.+ return false; bool ro_secure = android::base::GetBoolProperty("ro.secure", true); bool ro_debuggable = __android_log_is_debuggable();
说明:这个文件定义了fs_mgr模块的编译选项和依赖项。fs_mgr模块负责管理设备上的文件系统。我们需要修改-DALLOW_ADBD_DISABLE_VERITY=0
为-DALLOW_ADBD_DISABLE_VERITY=1
,以允许adbd进程关闭Verity检查。
文件路径:qssi/system/core/fs_mgr/Android.bp
详细修改:
--- a/fs_mgr/Android.bp+++ b/fs_mgr/Android.bp@@ -109,7 +109,8 @@ "libfstab", ], cppflags: [- "-DALLOW_ADBD_DISABLE_VERITY=0",+ "-UALLOW_ADBD_DISABLE_VERITY",+ "-DALLOW_ADBD_DISABLE_VERITY=1", ], product_variables: { debuggable: {@@ -237,7 +238,8 @@ "fs_mgr_remount.cpp", ], cppflags: [- "-DALLOW_ADBD_DISABLE_VERITY=0",+ "-UALLOW_ADBD_DISABLE_VERITY",+ "-DALLOW_ADBD_DISABLE_VERITY=1", ], product_variables: { debuggable: {
说明:这个文件定义了init模块的编译选项和依赖项。init模块是设备启动时运行的第一个进程,负责初始化系统服务和属性。
-DALLOW_FIRST_STAGE_CONSOLE=1:允许init进程在第一阶段打开控制台输出
-DALLOW_LOCAL_PROP_OVERRIDE=1:允许init进程覆盖本地属性
-DALLOW_PERMISSIVE_SELINUX=1:允许init进程设置SELinux为permissive模式
-DREBOOT_BOOTLOADER_ON_PANIC=1:允许init进程在发生内核崩溃时重启到bootloader模式
-DWORLD_WRITABLE_KMSG=1:允许init进程设置kmsg文件为可写
-DDUMP_ON_UMOUNT_FAILURE=1:允许init进程在卸载分区失败时生成内存转储
-DSHUTDOWN_ZERO_TIMEOUT=1:允许init进程在收到关机命令时立即执行
文件路径:qssi/system/core/init/Android.bp
详细修改:
--- a/init/Android.bp+++ b/init/Android.bp@@ -136,13 +136,20 @@ "-Wno-unused-parameter", "-Werror", "-Wthread-safety",- "-DALLOW_FIRST_STAGE_CONSOLE=0",- "-DALLOW_LOCAL_PROP_OVERRIDE=0",- "-DALLOW_PERMISSIVE_SELINUX=0",- "-DREBOOT_BOOTLOADER_ON_PANIC=0",- "-DWORLD_WRITABLE_KMSG=0",- "-DDUMP_ON_UMOUNT_FAILURE=0",- "-DSHUTDOWN_ZERO_TIMEOUT=0",+ "-UALLOW_FIRST_STAGE_CONSOLE",+ "-DALLOW_FIRST_STAGE_CONSOLE=1",+ "-UALLOW_LOCAL_PROP_OVERRIDE",+ "-DALLOW_LOCAL_PROP_OVERRIDE=1",+ "-UALLOW_PERMISSIVE_SELINUX",+ "-DALLOW_PERMISSIVE_SELINUX=1",+ "-UREBOOT_BOOTLOADER_ON_PANIC",+ "-DREBOOT_BOOTLOADER_ON_PANIC=1",+ "-UWORLD_WRITABLE_KMSG",+ "-DWORLD_WRITABLE_KMSG=1",+ "-UDUMP_ON_UMOUNT_FAILURE",+ "-DDUMP_ON_UMOUNT_FAILURE=1",+ "-USHUTDOWN_ZERO_TIMEOUT",+ "-DSHUTDOWN_ZERO_TIMEOUT=1", "-DINIT_FULL_SOURCES", "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0", ],@@ -394,13 +401,20 @@ "-Wextra", "-Wno-unused-parameter", "-Werror",- "-DALLOW_FIRST_STAGE_CONSOLE=0",- "-DALLOW_LOCAL_PROP_OVERRIDE=0",- "-DALLOW_PERMISSIVE_SELINUX=0",- "-DREBOOT_BOOTLOADER_ON_PANIC=0",- "-DWORLD_WRITABLE_KMSG=0",- "-DDUMP_ON_UMOUNT_FAILURE=0",- "-DSHUTDOWN_ZERO_TIMEOUT=0",+ "-UALLOW_FIRST_STAGE_CONSOLE",+ "-DALLOW_FIRST_STAGE_CONSOLE=1",+ "-UALLOW_LOCAL_PROP_OVERRIDE",+ "-DALLOW_LOCAL_PROP_OVERRIDE=1",+ "-UALLOW_PERMISSIVE_SELINUX",+ "-DALLOW_PERMISSIVE_SELINUX=1",+ "-UREBOOT_BOOTLOADER_ON_PANIC",+ "-DREBOOT_BOOTLOADER_ON_PANIC=1",+ "-UWORLD_WRITABLE_KMSG",+ "-DWORLD_WRITABLE_KMSG=1",+ "-UDUMP_ON_UMOUNT_FAILURE",+ "-DDUMP_ON_UMOUNT_FAILURE=1",+ "-USHUTDOWN_ZERO_TIMEOUT",+ "-DSHUTDOWN_ZERO_TIMEOUT=1", "-DLOG_UEVENTS=0", "-DSEPOLICY_VERSION=30", // TODO(jiyong): externalize the version number ],
说明:这个文件实现了一些与SELinux相关的函数。我们需要修改IsEnforcing
函数,让它总是返回false,以防止它检查系统属性或内核参数是否设置了SELinux的强制执行。
文件路径:qssi/system/core/init/selinux.cpp
详细修改:
--- a/init/selinux.cpp+++ b/init/selinux.cpp@@ -123,6 +123,7 @@ } bool IsEnforcing() {+ return false; // close selinux for user version with root #if defined(LCT_BUILD_TYPE_FACTORY) return false;
说明:user 版本启用 overlayfs 来装载 remount 对应分区 user 版本不允许 permissive domains
文件路径:system/sepolicy/Android.mk
详细修改:
--- a/Android.mk+++ b/Android.mk@@ -613,7 +613,7 @@ ifneq ($(filter address,$(SANITIZE_TARGET)),) local_fc_files += $(wildcard $(addsuffix /file_contexts_asan, $(PLAT_PRIVATE_POLICY))) endif-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT))) local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY))) endif
说明:默认开启usb调试。
文件路径:build/make//core/main.mk
详细修改:
--- a/core/main.mk+++ b/core/main.mk@@ -365,11 +365,11 @@ tags_to_install := ifneq (,$(user_variant)) # Target is secure in user builds.- ADDITIONAL_SYSTEM_PROPERTIES += ro.secure=1+ ADDITIONAL_SYSTEM_PROPERTIES += ro.secure=0 ADDITIONAL_SYSTEM_PROPERTIES += security.perf_harden=1 ifeq ($(user_variant),user)- ADDITIONAL_SYSTEM_PROPERTIES += ro.adb.secure=1+ ADDITIONAL_SYSTEM_PROPERTIES += ro.adb.secure=0 endif ifeq ($(user_variant),userdebug)@@ -377,7 +377,7 @@ tags_to_install += debug else # Disable debugging in plain user builds.- enable_target_debugging :=+ enable_target_debugging := true endif # Disallow mock locations by default for user builds@@ -399,7 +399,7 @@ ADDITIONAL_SYSTEM_PROPERTIES += dalvik.vm.lockprof.threshold=500 else # !enable_target_debugging # Target is less debuggable and adbd is off by default- ADDITIONAL_SYSTEM_PROPERTIES += ro.debuggable=0+ ADDITIONAL_SYSTEM_PROPERTIES += ro.debuggable=1 endif # !enable_target_debugging ## eng ##
说明:user版本默认不会编译remount,即system/bin/remount不存在,需要将remount添加到默认编译列表里面。
文件路径:build/make/target/product/base_system.mk
详细修改:
--- a/target/product/base_system.mk+++ b/target/product/base_system.mk@@ -287,6 +287,7 @@ wificond \ wifi.rc \ wm \+ remount \ ifneq ($(TARGET_HAS_LOW_RAM), true) PRODUCT_PACKAGES += \@@ -388,7 +389,6 @@ procrank \ profcollectd \ profcollectctl \- remount \ servicedispatcher \ showmap \ sqlite3 \
通过以上的修改,我们可以在Android 13上实现root功能。
希望这篇博客能对你有所帮助,如果你有任何问题或建议,欢迎留言讨论。谢谢!
来源地址:https://blog.csdn.net/mafei852213034/article/details/132765910
--结束END--
本文标题: [SM6225][Android13]user版本默认允许root和remount
本文链接: https://www.lsjlt.com/news/468984.html(转载时请注明来源链接)
有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
下载Word文档到电脑,方便收藏和打印~
2024-01-21
2023-10-28
2023-10-28
2023-10-27
2023-10-27
2023-10-27
2023-10-27
回答
回答
回答
回答
回答
回答
回答
回答
回答
回答
0