Android 11编译第三弹 ADB开启ROOT权限

一、为什么需要adb root权限

问题：Relese版本，默认adb访问会降级到shell权限，一些敏感操作不能进行，远程调试比较麻烦。且Release版本没有su模块，不能切换Root用户。

开启adb调试以后，默认进入adb是system权限，不能切换到root（因为Release没有集成su）.

有两种方式切换Root:

1) Release也集成su模块

2）默认Release版本adb 开启Root权限

二、开启adb ROOT权限

开启Root权限

ro.secure表示root权限，要开启Root权限，系统配置ro.secure=0 开启ROOT权限

2.1 编译时默认开启ROOT权限

build/make/core/main.mk

ifneq (,$(user_variant))
  # ==== modify begin ====
  # fix: zhouronghua default as root
  # Target is secure in user builds.
  ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
  # ==== modify end ====
  ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
 
  ifeq ($(user_variant),user)
    # ==== modify begin ==== fix: default as root
    ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
    # ==== modify end ====
  endif

user版本就是Releae版本，userdebug版本就是debug版本。

2.2 Zygote关闭权限降级

frameworks/base/core/jni/com_android_internal_os_Zygote.cpp

static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
 
  // ==== modify begin ==== zhouronghua 
  #if 0
  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
    if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
      if (errno == EINVAL) {
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
              "your kernel is compiled with file capabilities support");
      } else {
        fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)));
      }
    }
  }
  #endif
  // ==== modify end ====
 
}

2.3 Android.bp允许暴力修改selinux权限

system/core/init/Android.bp

-DALLOW_PERMISSIVE_SELINUX=0  修改为 -DALLOW_PERMISSIVE_SELINUX=1

cc_defaults {
    name: "init_defaults",
    cpp_std: "experimental",
    sanitize: {
        misc_undefined: ["signed-integer-overflow"],
    },
    cflags: [
        "-DLOG_UEVENTS=0",
        "-Wall",
        "-Wextra",
        "-Wno-unused-parameter",
        "-Werror",
        "-Wthread-safety",
        "-DALLOW_FIRST_STAGE_CONSOLE=0",
        "-DALLOW_LOCAL_PROP_OVERRIDE=0",
        "-DALLOW_PERMISSIVE_SELINUX=1",
        "-DREBOOT_BOOTLOADER_ON_PANIC=0",
        "-DWORLD_WRITABLE_KMSG=0",
        "-DDUMP_ON_UMOUNT_FAILURE=0",

2.4 init程序允许暴力修改selinux权限

system/core/init/Android.mk

ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
init_options += \
    -DALLOW_FIRST_STAGE_CONSOLE=1 \
    -DALLOW_LOCAL_PROP_OVERRIDE=1 \
    -DALLOW_PERMISSIVE_SELINUX=1 \
    -DREBOOT_BOOTLOADER_ON_PANIC=1 \
    -DWORLD_WRITABLE_KMSG=1 \
    -DDUMP_ON_UMOUNT_FAILURE=1
else
# ==== modify begin ==== zhouronghua allow permissive
init_options += \
    -DALLOW_FIRST_STAGE_CONSOLE=0 \
    -DALLOW_LOCAL_PROP_OVERRIDE=0 \
    -DALLOW_PERMISSIVE_SELINUX=1 \
    -DREBOOT_BOOTLOADER_ON_PANIC=0 \
    -DWORLD_WRITABLE_KMSG=0 \
    -DDUMP_ON_UMOUNT_FAILURE=0
# ==== modify end ====
endif

2.5 su程序权限提级

system/core/libcutils/fs_config.cpp

    // the following two files are INTENTIONALLY set-uid, but they
    // are NOT included on user builds.
    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
    // ==== modify begin ==== zhouronghua su right improve
    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },

2.6 修改su程序权限

system/core/rootdir/init.rc

    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
 
    # ==== modify begin ==== zhouronghua su right
    chmod 6755 /system/xbin/su
    # ==== modify end ====
 

2.7 su程序构建

system/extras/su/Android.mk

LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
 
# ==== modify begin ==== zhouronghua su as common module
LOCAL_MODULE_TAGS := optional
# ==== modify end ====

2.8 su程序去掉Root用户检测

system/extras/su/su.cpp

int main(int argc, char** argv) {
    // ==== modify begin ==== zhouronghua delete root shell check
    #if 0
    uid_t current_uid = getuid();
    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
    #endif
    // ==== modify end ====

2.9 关闭selinux.cpp强制安全检测

system/core/init/selinux.cpp

bool IsEnforcing() {
    // ==== modify start ==== zhouronghua 不需要强制安全检测
	return false;
    // ==== modify end
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;
    }
    return true;
}

2.10 adb不降级采用ROOT访问

adbd启动时检查属性，决定是否进行权限降级到AID_SHELL

system/core/adb/daemon/main.cpp

static bool should_drop_privileges() {
    // ==== modify begin ====
    // fix: zhouronghua "adb root" not allowed, always drop privileges.
    if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return false;
    // ==== modifu end ====

adb Root权限访问不需要降级。 

2.11 安卓内核默认开启selLinux

kernel/configs/o-mr1/android-3.18/android-base.config

kernel/configs/o-mr1/android-4.4/android-base.config

kernel/configs/o-mr1/android-4.9/android-base.config

kernel/configs/o/android-3.18/android-base.config

kernel/configs/o/android-3.18/android-base.config

kernel/configs/o/android-4.4/android-base.config

kernel/configs/o/android-4.9/android-base.config

kernel/configs/p/android-4.14/android-base.config

kernel/configs/p/android-4.4/android-base.config

kernel/configs/p/android-4.9/android-base.config

kernel/configs/q/android-4.14/android-base.config

kernel/configs/q/android-4.19/android-base.config

kernel/configs/q/android-4.9/android-base.config

kernel/configs/r/android-4.14/android-base.config

kernel/configs/r/android-4.19/android-base.config

kernel/configs/r/android-5.4/android-base.config

CONFIG_XFRM_USER=y
# ==== modify begin ==== zhouronghua selinux
CONFIG_SECURITY_SELINUX_DEVELOP=y
# # ==== modify end ====