Android 9.x/8.x/7.x 源码修改 su,获取 root 权限

1、位置:

system\extras\su\su.cpp
android 7.1 对应的文件为:
system\extras\su\su.c
int main(int argc, char** argv) {
    -//uid_t current_uid = getuid();
    -//if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
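Review bot: Deleting the caller check at the top of `main` removes the only gate su applies, so with these two lines gone any uid on the device, including every installed app, can invoke it. The fs_config comment quoted later on this page says su is not included on user builds, and this change should stay confined to a private debug image for the same reason. If one extra caller is needed for testing, keep `if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");` and add only that uid to the comparison instead of dropping it. The body of `main` continues outside this excerpt.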

3、这一步不改不知道行不行,还没时间测试

android9\system\core\libcutils\fs_config.cpp
// the following two files are INTENTIONALLY set-uid, but they
    // are NOT included on user builds.
    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
   - //{ 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
   + { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
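Review bot: The replacement entry changes su from `04750` to `06755`, which adds the set-gid bit and makes the binary readable and executable by every uid instead of only root and the shell group. Combined with the removed uid check in su's `main`, nothing is left to restrict who can run a set-uid root binary. The page itself is unsure whether this step is needed; the original `{ 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },` already gives shell-group access on a debug build. The comment above the entry states these files are not included on user builds, and that should remain true after the change.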

4、可能需要修改,frameworks\base\core\jni\com_android_internal_os_Zygote.cpp

 

static void DropCapabilitiesBoundingSet(JNIEnv* env) {
+/*	
  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
    int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
    if (rc == -1) {
      if (errno == EINVAL) {
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
              "your kernel is compiled with file capabilities support");
      } else {
        ALOGE("prctl(PR_CAPBSET_DROP) failed");
        RuntimeAbort(env);
      }
    }
  }
+*/  
}
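Review bot: Commenting out the whole body leaves `DropCapabilitiesBoundingSet` a no-op, so the processes that go through this zygote path keep their full capability bounding set. That weakens every app process on the image, not just callers of su. The page marks this step as only possibly required, so confirm it is needed before applying it. If it has to be relaxed on a debug image, compile the relaxation in only for that build type rather than deleting the loop, so a user build still drops the set.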

5、system\core\init\selinux.cpp

bool IsEnforcing() {
    + return false;
    if (ALLOW_PERMISSIVE_SELINUX) {
        return StatusFromCmdline() == SELINUX_ENFORCING;
    }
    return true;
}
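Review bot: The unconditional `return false;` at the top of `IsEnforcing()` makes the `ALLOW_PERMISSIVE_SELINUX` branch below it unreachable and reports SELinux as non-enforcing on every boot, whatever the build type or kernel command line. The same edit is repeated in `selinux_is_enforcing()` in init.cpp for Android 8.0/7.1. The existing code already lets builds with `ALLOW_PERMISSIVE_SELINUX` choose the mode from the command line via `StatusFromCmdline()`, so a debug image does not need a source change here. For defenders, a production image reporting permissive mode is a strong sign that init was modified.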

android 8.0 / 7.1

 

system\core\init\init.cpp
static bool selinux_is_enforcing(void)
{
		return false;
    if (ALLOW_PERMISSIVE_SELINUX) {
        return selinux_status_from_cmdline() == SELINUX_ENFORCING;
    }
    return true;
}

android 7.1 (有的系统需要改)

frameworks\base\cmds\app_process\app_main.cpp 

int main(int argc, char* const argv[])
{
    +/*
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        // Older kernels don't understand PR_SET_NO_NEW_PRIVS and return
        // EINVAL. Don't die on such kernels.
        if (errno != EINVAL) {
            LOG_ALWAYS_FATAL("PR_SET_NO_NEW_PRIVS failed: %s", strerror(errno));
            return 12;
        }
    }
   +*/ 
 
    AppRuntime runtime(argv[0], computeArgBlockSize(argc, argv));
    // Process command line arguments
    // ignore argv[0]
    argc--;
    argv++;
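Review bot: Commenting out the `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` call in `main` means app_process no longer sets the flag, so it and the processes descended from it can again gain privileges through set-uid or file-capability binaries on exec. This is a platform-wide hardening control, and the page notes it is only needed on some systems, so it should not be removed by default. If a debug image needs it relaxed, keep the block and compile it out only for that build type. The body of `main` continues outside this excerpt.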

2、路径  (这个好像不用改,如果改下面文件的话)

android9\out\target\product\evk_8mm\obj\KERNEL_OBJ\source\security\commoncap.c
	for (;;) {
		/* Do we have the necessary capabilities? */
		if (ns == cred->user_ns)
			-//return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;
			+return 0;
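Review bot: Replacing the `cap_raised()` test with `return 0;` makes this capability check succeed for every capability and every task in the matching user namespace. That effectively switches off capability-based privilege separation in the kernel, which goes far beyond enabling su. The page itself says this step is probably unnecessary once the other files are changed, so keep `return cap_raised(cred->cap_effective, cap) ? 0 : -EPERM;`. The path shown is also under a build-output directory (`out\...\KERNEL_OBJ\source`), so check which kernel source tree it actually maps to before trusting any edit made there. The `for (;;)` loop continues outside this excerpt.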

参考:

https://blog.csdn.net/liuhongbin2011net/article/details/83536367
