1. Why do you need adb root permissions?
Problem: In the Release version, adbd is downgraded to shell permissions by default, so some sensitive operations cannot be performed, which makes remote debugging troublesome. The Release version also does not include the su module, so you cannot switch to the root user.
After turning on adb debugging, adb runs with shell permissions by default, and you cannot switch to root (because Release does not integrate su).
There are two ways to switch Root:
1) Release also integrates the su module
2) The default Release version adb turns on Root permissions
2. Enable adb ROOT permissions
Turn on Root permissions
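The ro.secure property controls whether adbd gives up root. With ro.secure=1, adbd drops to the shell user at startup; with ro.secure=0 it keeps running as root, so every adb connection gets a root shell. To enable root, build the system with ro.secure=0.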
2.1 ROOT permission is enabled by default when compiling
build/make/core/main.mk
ifneq (,$(user_variant))
# ==== modify begin ====
# fix: zhouronghua default as root
# Target is secure in user builds.
ADDITIONAL_DEFAULT_PROPERTIES += ro.secure=0
# ==== modify end ====
ADDITIONAL_DEFAULT_PROPERTIES += security.perf_harden=1
ifeq ($(user_variant),user)
# ==== modify begin ==== fix: default as root
ADDITIONAL_DEFAULT_PROPERTIES += ro.adb.secure=0
# ==== modify end ====
endif
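The user version is the Release version, and the userdebug version is the Debug version. Note that ro.adb.secure=0 in the snippet above is a separate setting from ro.secure: it turns off adb's host RSA key authorization, so the device accepts adb connections from any host without the on-device confirmation prompt.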
2.2 Zygote closes permission downgrade
frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
// Originally walks the capability bounding set with prctl(PR_CAPBSET_READ) and
// removes each entry with prctl(PR_CAPBSET_DROP), reporting failures via fail_fn.
// As modified here, the whole loop is compiled out by `#if 0`, so the function
// is a no-op: no capability is dropped and fail_fn is never called.
// NOTE(review): callers are not shown; going by the file name this presumably
// runs in processes forked by Zygote, which would then keep whatever bounding
// set they inherit. Confirm before shipping this on a non-debug image.
static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
// ==== modify begin ==== zhouronghua
#if 0
// Disabled: iterate until PR_CAPBSET_READ rejects the capability index.
for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
if (errno == EINVAL) {
// EINVAL is only logged; every other errno goes to fail_fn.
ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
"your kernel is compiled with file capabilities support");
} else {
fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)));
}
}
}
#endif
// ==== modify end ====
}
2.3 Android.bp allows SELinux to be forced into permissive mode
system/core/init/Android.bp
-DALLOW_PERMISSIVE_SELINUX=0 changed to -DALLOW_PERMISSIVE_SELINUX=1
cc_defaults {
name: "init_defaults",
cpp_std: "experimental",
sanitize: {
misc_undefined: ["signed-integer-overflow"],
},
cflags: [
"-DLOG_UEVENTS=0",
"-Wall",
"-Wextra",
"-Wno-unused-parameter",
"-Werror",
"-Wthread-safety",
"-DALLOW_FIRST_STAGE_CONSOLE=0",
"-DALLOW_LOCAL_PROP_OVERRIDE=0",
"-DALLOW_PERMISSIVE_SELINUX=1",
"-DREBOOT_BOOTLOADER_ON_PANIC=0",
"-DWORLD_WRITABLE_KMSG=0",
"-DDUMP_ON_UMOUNT_FAILURE=0",
2.4 The init program allows SELinux to be forced into permissive mode
system/core/init/Android.mk
# Choose init's compile-time -D options according to TARGET_BUILD_VARIANT.
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
# userdebug and eng builds: every option in this list is set to 1.
init_options += \
-DALLOW_FIRST_STAGE_CONSOLE=1 \
-DALLOW_LOCAL_PROP_OVERRIDE=1 \
-DALLOW_PERMISSIVE_SELINUX=1 \
-DREBOOT_BOOTLOADER_ON_PANIC=1 \
-DWORLD_WRITABLE_KMSG=1 \
-DDUMP_ON_UMOUNT_FAILURE=1
else
# ==== modify begin ==== zhouronghua allow permissive
# Any other variant (the user/Release build): ALLOW_PERMISSIVE_SELINUX is the
# only option set to 1 here, the rest stay 0. With this flag set, init is built
# so that SELinux may run permissive on a Release image as well.
init_options += \
-DALLOW_FIRST_STAGE_CONSOLE=0 \
-DALLOW_LOCAL_PROP_OVERRIDE=0 \
-DALLOW_PERMISSIVE_SELINUX=1 \
-DREBOOT_BOOTLOADER_ON_PANIC=0 \
-DWORLD_WRITABLE_KMSG=0 \
-DDUMP_ON_UMOUNT_FAILURE=0
# ==== modify end ====
endif
2.5 Su program permission upgrade
system/core/libcutils/fs_config.cpp
// the following two files are INTENTIONALLY set-uid, but they
// are NOT included on user builds.
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
// ==== modify begin ==== zhouronghua su right improve
{ 06755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
2.6 Modify su program permissions
system/core/rootdir/init.rc
chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
# ==== modify begin ==== zhouronghua su right
chmod 6755 /system/xbin/su
# ==== modify end ====
2.7 su program construction
system/extras/su/Android.mk
LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
# ==== modify begin ==== zhouronghua su as common module
LOCAL_MODULE_TAGS := optional
# ==== modify end ====
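2.8 The su program removes the caller UID check (previously only root and shell callers were allowed, so with the check compiled out su no longer rejects any calling UID)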
system/extras/su/su.cpp
int main(int argc, char** argv) {
// ==== modify begin ==== zhouronghua delete root shell check
#if 0
uid_t current_uid = getuid();
if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
#endif
// ==== modify end ====
2.9 selinux.cpp: turn off SELinux enforcing mode
system/core/init/selinux.cpp
// As modified, always returns false. The original decision logic below the
// early return is left in place but can never execute, so neither
// ALLOW_PERMISSIVE_SELINUX nor the kernel command line is consulted here.
// NOTE(review): callers are not shown; presumably init uses this result to
// choose between enforcing and permissive SELinux, in which case this build
// never enforces policy. Confirm against the caller.
bool IsEnforcing() {
// ==== modify start ==== zhouronghua: enforced security checking is not needed
return false;
// ==== modify end
// Unreachable (original logic): when permissive mode is allowed at build time,
// follow the command-line status; otherwise always enforce.
if (ALLOW_PERMISSIVE_SELINUX) {
return StatusFromCmdline() == SELINUX_ENFORCING;
}
return true;
}
2.10 adb does not downgrade and uses ROOT access
Check the attributes when adbd starts to decide whether to downgrade the permissions to AID_SHELL
system/core/adb/daemon/main.cpp
static bool should_drop_privileges() {
// ==== modify begin ====
// fix: zhouronghua "adb root" not allowed, always drop privileges.
if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return false;
// ==== modifu end ====
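With this change adbd keeps root access and does not downgrade to AID_SHELL. The comment kept in the snippet still says "always drop privileges", but the modified line returns false, which means privileges are not dropped when ALLOW_ADBD_ROOT is off and the device is locked.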
2.11 Android kernel enables SELinux development support (CONFIG_SECURITY_SELINUX_DEVELOP) by default
kernel/configs/o-mr1/android-3.18/android-base.config
kernel/configs/o-mr1/android-4.4/android-base.config
kernel/configs/o-mr1/android-4.9/android-base.config
kernel/configs/o/android-3.18/android-base.config
kernel/configs/o/android-3.18/android-base.config
kernel/configs/o/android-4.4/android-base.config
kernel/configs/o/android-4.9/android-base.config
kernel/configs/p/android-4.14/android-base.config
kernel/configs/p/android-4.4/android-base.config
kernel/configs/p/android-4.9/android-base.config
kernel/configs/q/android-4.14/android-base.config
kernel/configs/q/android-4.19/android-base.config
kernel/configs/q/android-4.9/android-base.config
kernel/configs/r/android-4.14/android-base.config
kernel/configs/r/android-4.19/android-base.config
kernel/configs/r/android-5.4/android-base.config
CONFIG_XFRM_USER=y
# ==== modify begin ==== zhouronghua selinux
CONFIG_SECURITY_SELINUX_DEVELOP=y
# # ==== modify end ====