RK3399 Android10 ROOT方法（已验证）

1. 本文采用方法是rk给的文档修改后实测验证。

2. 只测试了userdebug版本，未测试user版本。

3. 关闭selinux

目录：
~/rk3399_android10/system/core$
修改：
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 86238b430..8532dfa3c 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -97,6 +97,7 @@ EnforcingStatus StatusFromCmdline() {
 }
 
 bool IsEnforcing() {
+    return false;
     if (ALLOW_PERMISSIVE_SELINUX) {
         return StatusFromCmdline() == SELINUX_ENFORCING;
     }

4. 修改su.cpp，注释用户组权限检测

目录：
~/rk3399_android10/system/extras/su$
修改：
diff --git a/su/su.cpp b/su/su.cpp
index 1a1ab6bf..c2a30c84 100644
--- a/su/su.cpp
+++ b/su/su.cpp
@@ -80,8 +80,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
 }
 
 int main(int argc, char** argv) {
-    uid_t current_uid = getuid();
-    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+//    uid_t current_uid = getuid();
+//    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
 
     // Handle -h and --help.
     ++argv;

5. 修改su文件默认权限

目录：
~/rk3399_android10/system/core$ 
修改：
diff --git a/libcutils/fs_config.cpp b/libcutils/fs_config.cpp
index a5f4f0e55..a44845ff7 100644
--- a/libcutils/fs_config.cpp
+++ b/libcutils/fs_config.cpp
@@ -197,7 +197,7 @@ static const struct fs_path_config android_files[] = {
     // the following two files are INTENTIONALLY set-uid, but they
     // are NOT included on user builds.
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
 
     // the following files have enhanced capabilities and ARE included
     // in user builds.

目录：
~/rk3399_android10/frameworks/base/core/jni$ 
修改：
diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp
index 82c27f02ba8..8dadfada5f8 100644
--- a/core/jni/com_android_internal_os_Zygote.cpp
+++ b/core/jni/com_android_internal_os_Zygote.cpp
@@ -540,6 +540,7 @@ static void EnableKeepCapabilities(fail_fn_t fail_fn) {
 }
 
 static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
+/*     
   for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
     if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
       if (errno == EINVAL) {
@@ -550,6 +551,7 @@ static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
       }
     }
   }
+  */
 }

目录：
~/rk3399_android10/kernel$
修改：
diff --git a/security/commoncap.c b/security/commoncap.c
index 3023b4ad38a7..66acff91756d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1146,12 +1146,12 @@ int cap_task_setnice(struct task_struct *p, int nice)
 static int cap_prctl_drop(unsigned long cap)
 {
        struct cred *new;
-
+/*
        if (!ns_capable(current_user_ns(), CAP_SETPCAP))
                return -EPERM;
        if (!cap_valid(cap))
                return -EINVAL;
-
+*/
        new = prepare_creds();
        if (!new)
                return -ENOMEM;

6. user编译su到系统(userdebug默认编译，所以未验证)

build/make/target/product/base_system.mk
diff --git a/target/product/base_system.mk b/target/product/base_system.mk
index 4569bceff9..5c8eaaa87c 100644
--- a/target/product/base_system.mk
+++ b/target/product/base_system.mk
@@ -273,6 +273,7 @@ PRODUCT_PACKAGES += \
wificond \
wifi.rc \
wm \
+ su \
# VINTF data for system image
PRODUCT_PACKAGES += \
@@ -378,7 +379,6 @@ PRODUCT_PACKAGES_DEBUG := \
ss \
start_with_lockagent \
strace \
- su \
sanitizer-status \
tracepath \
tracepath6 \