基于 8953 android7.1 记录

1):device

路径:-》android/device/qcom/msm8953_64/msm8953_64.mk

在 device 下新建 mysu 目录,并把下面的插件内容放到 sc826/device/qcom/msm8953_64 下

1.1):路径:-》 android/device/qcom/msm8953_64/msm8953_64.mk

1.2):修改的内容 -》

 

--- a/msm8953_64.mk

+++ b/msm8953_64.mk

@@ -68,6 +68,15 @@ endif

 

device/qcom/msm8953_64/lib/hw/gps.default.so:system/lib/hw/gps.default.so \

device/qcom/msm8953_64/lib64/hw/gps.default.so:system/lib64/hw/gps.default.so

 

#Copy user root files to system

+PRODUCT_COPY_FILES += \

+ device/qcom/msm8953_64/mysu/su:system/xbin/su \

+ device/qcom/msm8953_64/mysu/su:system/bin/su \

+ device/qcom/msm8953_64/mysu/sud:system/bin/sud \

+ device/qcom/msm8953_64/mysu/r:system/bin/r \

+ device/qcom/msm8953_64/mysu/daemonsu:system/xbin/daemonsu \

+ device/qcom/msm8953_64/mysu/chattr:system/xbin/chattr \

+ device/qcom/msm8953_64/mysu/chattr.pie:system/xbin/chattr.pie \

+ device/qcom/msm8953_64/mysu/libsupol.so:system/lib/libsupol.so \

+ device/qcom/msm8953_64/mysu/supolicy:system/bin/supolicy \

+ device/qcom/msm8953_64/mysu/rootsudaemon.sh:system/bin/rootsudaemon.sh

 

#Copy N4 camera dynlib files to system

PRODUCT_COPY_FILES += \
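Review bot: The added `PRODUCT_COPY_FILES` block installs the prebuilt `mysu/` binaries on every build variant, because nothing around it tests `TARGET_BUILD_VARIANT`; wrapping it in `ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))` … `endif` would keep them out of `user` images. The files come from the file-share link given below on this page, with no checksum or source, so the tree should record a hash for each of them (or build them from source) before they ship as root-owned system binaries. `mysu/su` is also copied to both `system/xbin/su` and `system/bin/su`, while the fs_config entry shown on this page names only `system/xbin/su`.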

 

su传送门

链接:https://pan.baidu.com/s/1dILtU3mVvSsPqDDF4LadPg 
提取码:6wte 

 

----------------------------------------------------------------------------------------------------------------------------

 

2):system

2.1):路径:-》/android/system/core/libcutils/fs_config.c

 

diff --git a/libcutils/fs_config.c b/libcutils/fs_config.c

index 9acfa58..32fa83f 100644

--- a/libcutils/fs_config.c

+++ b/libcutils/fs_config.c

@@ -136,7 +136,7 @@ static const struct fs_path_config android_files[] = {

 

/* the following two files are INTENTIONALLY set-uid, but they

* are NOT included on user builds. */

- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },

+ { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" },

{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },

 

/* the following files have enhanced capabilities and ARE included in user builds. */
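Review bot: Mode `06755` with group `AID_ROOT` makes `system/xbin/su` set-uid and set-gid root and executable by every uid, where the removed `04750`/`AID_SHELL` entry limited execution to root and the shell group. The comment above the entry still says these files are "NOT included on user builds", which the device makefile change on this page no longer guarantees. Either keep `{ 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },` or update the comment to state which variants ship the file and why the wider mode is needed. The `android_files[]` array continues outside the hunk.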

 

----------------------------------------------------------------------------------------------------------------------------

 

2.2):路径:-》 android/system/core/adb/daemon/main.cpp

--- a/adb/daemon/main.cpp

+++ b/adb/daemon/main.cpp

@@ -41,6 +41,8 @@

#include "adb_utils.h"

#include "transport.h"

 

+#define CJY_ALLOW_ADB_ROOT

 

static const char* root_seclabel = nullptr;

 

static void drop_capabilities_bounding_set_if_needed() {
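Review bot: `#define CJY_ALLOW_ADB_ROOT` is hard-coded in the source file, so the `return false;` added to `should_drop_privileges()` in the next hunk and the skipped `selinux_android_setcon()` call in the third hunk apply to every build variant, and the existing `ALLOW_ADBD_ROOT` logic after the `#endif` becomes unreachable. The macro would be better supplied from adb/Android.mk for `userdebug`/`eng` only, next to the `ALLOW_ADBD_NO_AUTH` define shown on this page, so that a `user` image keeps the privilege drop. If the define stays in the source, a comment on it should state that adbd then keeps root and does not switch to `root_seclabel`.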

@@ -64,6 +66,9 @@ static void drop_capabilities_bounding_set_if_needed() {

}

 

static bool should_drop_privileges() {

+#ifdef CJY_ALLOW_ADB_ROOT

+ return false;

+#endif

#if defined(ALLOW_ADBD_ROOT)

char value[PROPERTY_VALUE_MAX];

 

@@ -142,12 +147,15 @@ static void drop_privileges(int server_port) {

} else {

// minijail_enter() will abort if any priv-dropping step fails.

minijail_enter(jail.get());

-

- if (root_seclabel != nullptr) {

- if (selinux_android_setcon(root_seclabel) < 0) {

- LOG(FATAL) << "Could not set SELinux context";

- }

- }

+#ifdef CJY_ALLOW_ADB_ROOT

+ D("CJY_ALLOW_ADB_ROOT enabled\n");

+#else

+ if (root_seclabel != nullptr) {

+ if (selinux_android_setcon(root_seclabel) < 0) {

+ LOG(FATAL) << "Could not set SELinux context";

+ }

+ }

+#endif

 

----------------------------------------------------------------------------------------------------------------------------

2.3):路径:-》/android/system/extras/su/su.c

 

--- a/su/su.c

+++ b/su/su.c

@@ -81,8 +81,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i

}

 

int main(int argc, char** argv) {

- uid_t current_uid = getuid();

- if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");

+ // uid_t current_uid = getuid();

+ // if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");

 

// Handle -h and --help.

++argv;
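Review bot: Commenting out the `getuid()` check at the top of `main()` removes the only caller restriction visible in this hunk, and together with the `06755` fs_config entry on this page any uid can then run `su`. If wider access is wanted on development images, the check should stay in the code behind a build-time condition limited to `eng`/`userdebug` instead of being left as dead commented-out lines; `user` builds should keep `if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");`. `main()` continues outside the hunk.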

 

----------------------------------------------------------------------------------------------------------------------------

2.4):路径:-》android/system/core/rootdir/init.rc

 

--- a/rootdir/init.rc

+++ b/rootdir/init.rc

@@ -27,6 +27,7 @@ on early-init

restorecon /postinstall

 

start ueventd

+ start rootservice

 

on init

sysclktz 0

@@ -331,6 +332,8 @@ on post-fs

 

chown root log /proc/slabinfo

chmod 0440 /proc/slabinfo

 

+ chmod 0755 /system/bin/rootsudaemon.sh

 

#change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks

chown root system /proc/kmsg

@@ -643,6 +646,13 @@ on property:security.perf_harden=0

on property:security.perf_harden=1

write /proc/sys/kernel/perf_event_paranoid 3

 

+service rootservice /system/bin/rootsudaemon.sh

+ user root

+ group root

+ disabled

+ oneshot

+ seclabel u:r:init:s0

+

## Daemon processes to be run by init.

##

service ueventd /sbin/ueventd
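Review bot: `seclabel u:r:init:s0` runs `/system/bin/rootsudaemon.sh` as root in init's own SELinux domain, so the script is not confined by any policy of its own; its contents are not shown on this page and should be reviewed with the same care as init itself. A dedicated domain declared in sepolicy, with only the permissions the script needs, is the usual form, and the service should be limited to non-`user` builds. The `start rootservice` in the `early-init` hunk and the `chmod 0755` in the `post-fs` hunk belong to the same change; the file mode would normally come from fs_config rather than from a runtime `chmod` on `/system`.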

 

----------------------------------------------------------------------------------------------------------------------------

 

3):frameworks

3.1):路径:-》 android/frameworks/base/cmds/app_process

 

--- a/cmds/app_process/app_main.cpp

+++ b/cmds/app_process/app_main.cpp

@@ -185,6 +185,7 @@ static const char ZYGOTE_NICE_NAME[] = "zygote";

 

int main(int argc, char* const argv[])

{

+/*

if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {

// Older kernels don't understand PR_SET_NO_NEW_PRIVS and return

// EINVAL. Don't die on such kernels.
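Review bot: The `/*` opened here and closed by the `*/` in the next hunk removes the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` call from `main()` on all build variants, so processes started through app_process are no longer prevented from gaining privileges via set-uid binaries. A block comment that spans two hunks also hides the scope of the change from anyone reading one hunk alone. If this is only needed on development images, an `#if` on a macro supplied by the build for `eng`/`userdebug` keeps the call in `user` builds; a short comment should say why it is disabled. `main()` starts and ends outside the hunk.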

@@ -193,7 +194,7 @@ int main(int argc, char* const argv[])

return 12;

}

}

-

+*/

AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));

// Process command line arguments

// ignore argv[0]

chenjy@ubuntu026:~/1_8909/2_sc806-7-mode_7/LINUX/android/frameworks/base/cmds/app_process$

 

3.2):路径:-》android/frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

 

--- a/core/jni/com_android_internal_os_Zygote.cpp

+++ b/core/jni/com_android_internal_os_Zygote.cpp

@@ -225,7 +225,7 @@ static void EnableKeepCapabilities(JNIEnv* env) {

}

 

static void DropCapabilitiesBoundingSet(JNIEnv* env) {

- for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {

+ /* for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {

int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);

if (rc == -1) {

if (errno == EINVAL) {
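Review bot: With the loop wrapped in `/* … */` (the closing `}*/` is in the next hunk), `DropCapabilitiesBoundingSet()` has an empty body, so every process forked from zygote keeps the full capability bounding set on all build variants while the function name still says otherwise. The visible `if (errno == EINVAL)` branch suggests the loop already tolerates that error, so this edit and the `cap_prctl_drop()` kernel change on this page appear to overlap. Either keep the loop and compile it out only for `eng`/`userdebug`, or add a comment at the top of the function stating that the drop is intentionally disabled and on which builds.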

@@ -235,7 +235,7 @@ static void DropCapabilitiesBoundingSet(JNIEnv* env) {

RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed");

}

}

- }

+ }*/

}

 

static void SetCapabilities(JNIEnv* env, int64_t permitted, int64_t effective) {

 

----------------------------------------------------------------------------------------------------------------------------

 

4):kernel

4.1):路径:-》android/kernel/security/commoncap.c

 

--- a/security/commoncap.c

+++ b/security/commoncap.c

@@ -835,6 +835,14 @@ int cap_task_setnice(struct task_struct *p, int nice)

*/

static long cap_prctl_drop(struct cred *new, unsigned long cap)

{

+ if(!strncmp(current->comm,"zygote",16))

+ {

+ return -EINVAL;

+ }

+ if(!strncmp(current->comm,"adbd",16))

+ {

+ return -EINVAL;

+ }

if (!capable(CAP_SETPCAP))

return -EPERM;

if (!cap_valid(cap))
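Review bot: The two added checks in `cap_prctl_drop()` key a kernel capability decision on `current->comm`, which is a task name and not an identity, so any task carrying the name `zygote` or `adbd`, including unrelated ones, loses the ability to shrink its bounding set. They also run before the `capable(CAP_SETPCAP)` check and hard-code `16` where the kernel constant `TASK_COMM_LEN` is meant. Returning `-EINVAL` here makes callers believe the kernel does not support the operation; if a development image needs this behaviour it is better expressed in userspace build flags than in shared capability code. The function continues outside the hunk.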

(END)

 

 

---------------------------------------------------------------------------------------------------------------

5):adb root

5.1): 路径:-》android/build/core/main.mk

 

index a612f83..95dbe62 100644

--- a/core/main.mk

+++ b/core/main.mk

@@ -394,7 +394,7 @@ ifneq (,$(user_variant))selinux_is_enforcing

ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1

 

ifeq ($(user_variant),user)

- ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=1

+ ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0

endif

 

ifeq ($(user_variant),userdebug)
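Review bot: `ro.adb.secure=0` inside `ifeq ($(user_variant),user)` turns off adb host-key authentication on exactly the variant meant for release, and the second hunk sets `ro.debuggable=1` in the `!enable_target_debugging` branch, whose comment still reads "Target is less debuggable and adbd is off by default". These are global defaults in build/core and affect every product built from this tree. From the visible conditionals a `userdebug` build appears to get both values without editing this file, which would leave `user` images unchanged. At minimum the stale comment in the second hunk should be updated to match the new value.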

@@ -426,7 +426,7 @@ ifeq (true,$(strip $(enable_target_debugging)))

INCLUDE_TEST_OTA_KEYS := true

else # !enable_target_debugging

# Target is less debuggable and adbd is off by default

- ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=0

+ ADDITIONAL_DEFAULT_PROPERTIES += ro.debuggable=1

endif # !enable_target_debugging

 

## eng ##

 

 

5.2): 路径:-》android/system/core/adb/Android.mk

 

--- a/adb/Android.mk

+++ b/adb/Android.mk

@@ -327,7 +327,7 @@ LOCAL_CFLAGS := \

-D_GNU_SOURCE \

-Wno-deprecated-declarations \

 

-LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)

+LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter user userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)

 

ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1
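Review bot: Adding `user` to the filter makes `$(if $(filter user userdebug eng,$(TARGET_BUILD_VARIANT)),1,0)` evaluate to `1` for all three standard variants, so the conditional is dead and adbd is compiled with `ALLOW_ADBD_NO_AUTH=1` on release images. The same edit in the init/Android.mk hunk further down turns on `ALLOW_LOCAL_PROP_OVERRIDE` and `ALLOW_PERMISSIVE_SELINUX` for `user` and leaves its `else` branch unreachable for those variants. Keeping `$(filter userdebug eng,$(TARGET_BUILD_VARIANT))` in both files and building `userdebug` where these switches are needed preserves the distinction the conditionals exist for.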

 

 

 

5.3) 路径:-》android/system/core/init/Android.mk

 

--- a/init/Android.mk

+++ b/init/Android.mk

@@ -4,7 +4,7 @@ LOCAL_PATH:= $(call my-dir)

 

# --

 

-ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

+ifneq (,$(filter user userdebug eng,$(TARGET_BUILD_VARIANT)))

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_PERMISSIVE_SELINUX=1

else

init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=0

 

 

 

 

 

 
