Android7.1 ROOT权限的获取

修改文件：

system/extras/su/su.c

system/core/include/private/android_filesystem_config.h

system/core/libcutils/fs_config.c

frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

frameworks/base/cmds/app_process/app_main.cpp

device/qcom/msm8909/BoardConfig.mk

目的:为了在应用层App中可以通过调用su来获取root权限，进而执行一些命令。

system/extras/su/su.c

在“main”函数中，注释掉uid的验证条件：

 
    //uid_t current_uid = getuid();
    //if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");

system/core/libcutils/fs_config.c

修改su程序的权限配置相关的内容：

    /* the following two files are INTENTIONALLY set-uid, but they
     * are NOT included on user builds. */
    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },

/system/core/init/init.cpp

直接return false

static bool selinux_is_enforcing(void)
{
    return false;
    if (ALLOW_PERMISSIVE_SELINUX) {
        return selinux_status_from_cmdline() == SELINUX_ENFORCING;
    }
    return true;
}

/system/core/adb/daemon/main.cpp

should_drop_privileges直接return false

static bool should_drop_privileges() {
    return false;
    // "adb root" not allowed, always drop privileges.
    if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
 
    // The properties that affect `adb root` and `adb unroot` are ro.secure and
    // ro.debuggable. In this context the names don't make the expected behavior
    // particularly obvious.
    //
    // ro.debuggable:
    //   Allowed to become root, but not necessarily the default. Set to 1 on
    //   eng and userdebug builds.
    //
    // ro.secure:
    //   Drop privileges by default. Set to 1 on userdebug and user builds.
    bool ro_secure = android::base::GetBoolProperty("ro.secure", true);
    bool ro_debuggable = __android_log_is_debuggable();
 
    // Drop privileges if ro.secure is set...
    bool drop = ro_secure;
 
    // ... except "adb root" lets you keep privileges in a debuggable build.
    std::string prop = android::base::GetProperty("service.adb.root", "");
    bool adb_root = (prop == "1");
    bool adb_unroot = (prop == "0");
    if (ro_debuggable && adb_root) {
        drop = false;
    }
    // ... and "adb unroot" lets you explicitly drop privileges.
    if (adb_unroot) {
        drop = true;
    }
 
    return drop;
}

frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

注释掉如下内容：

static void DropCapabilitiesBoundingSet(JNIEnv* env) {
/*
  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
    int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
    if (rc == -1) {
      if (errno == EINVAL) {
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
              "your kernel is compiled with file capabilities support");
      } else {
        RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed");
      }
    }
  }
*/
}

frameworks/base/cmds/app_process/app_main.cpp

注释“main”函数中的如下内容：

/*  
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        // Older kernels don't understand PR_SET_NO_NEW_PRIVS and return
        // EINVAL. Don't die on such kernels.
        if (errno != EINVAL) {
            LOG_ALWAYS_FATAL("PR_SET_NO_NEW_PRIVS failed: %s", strerror(errno));
            return 12;
        }
    }
*/

device/qcom/msm8909/BoardConfig.mk

在启动参数“BOARD_KERNEL_CMDLINE”中加入对SELinux的设置“androidboot.selinux=permissive”，放宽权限：

BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.selinux=permissive androidboot.console=ttyHSL0 androidboot.hardware=qcom msm_rtb.filter=0x237 ehci-hcd.park=3 androidboot.bootdevice=7824900.sdhci lpm_levels.sleep_disabled=1 earlyprintk

或者

BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive

添加px30-android.dts

androidboot.selinux=permissive

	chosen: chosen {
		bootargs = "earlycon=uart8250,mmio32,0xff160000 swiotlb=1 console=ttyFIQ0 androidboot.baseband=N/A androidboot.selinux=permissive androidboot.veritymode=enforcing androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init kpti=0";
	};