平台:RK3568
系统:Android 13
源代码:rk3568_android13.0_r01
禁止su命令获取root权限
安卓主板通常可以通过数据线连接电脑,使用 ADB 访问操作系统。系统默认允许通过 su 命令获取 root 权限;当前需求是禁止通过 su 命令获取 root 权限,避免用户的误操作导致系统问题。
su 命令是否可用由系统源码中的 main.mk 控制,决定 adb 权限的几个变量为:
ro.secure=1 // 1:安全模式下,设备无root权限;0:设备有root权限。
ro.debuggable=1 // 1:允许通过 su 获取 root 权限;0:禁止通过 su 获取 root 权限
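从代码中可以看到,ro.debuggable 是否被置为 1 取决于 enable_target_debugging 的值是否为 true。同一段代码也显示,user 版本会清空该变量,因此 user 版本本身就是 ro.debuggable=0;下面的修改影响的是 userdebug 和非 user 版本。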
只需要把下面代码中的默认值 enable_target_debugging := true 修改为:
enable_target_debugging := false
源代码路径:/build/make/core/main.mk
## user/userdebug ##
# Derives the build-variant security properties appended to
# ADDITIONAL_SYSTEM_PROPERTIES. user_variant is "user" or "userdebug" when
# TARGET_BUILD_VARIANT is one of those two values, and empty otherwise.
user_variant := $(filter user userdebug,$(TARGET_BUILD_VARIANT))
# Default: target debugging enabled. Only the exact value "true" (after strip)
# makes the final conditional emit ro.debuggable=1; any other value, including
# empty or "false", yields ro.debuggable=0. Nothing in this block sets it back
# to "true", so changing this default affects userdebug and non-user variants
# alike (plain user builds clear it below regardless).
enable_target_debugging := true
tags_to_install :=
ifneq (,$(user_variant))
# Target is secure in user builds.
# This branch is taken for both user and userdebug.
ADDITIONAL_SYSTEM_PROPERTIES += ro.secure=1
ADDITIONAL_SYSTEM_PROPERTIES += security.perf_harden=1
# ro.adb.secure=1 is appended only for plain user builds; a userdebug build
# does not receive it from this fragment, whatever ro.debuggable ends up as.
ifeq ($(user_variant),user)
ADDITIONAL_SYSTEM_PROPERTIES += ro.adb.secure=1
endif
ifeq ($(user_variant),userdebug)
# Pick up some extra useful tools
# NOTE(review): the "debug" tag is still added when enable_target_debugging is
# turned off. Presumably debug-tagged modules such as su are packaged through
# this tag; confirm on the built image that they are absent or refuse to run.
tags_to_install += debug
else
# Disable debugging in plain user builds.
# An empty value fails the "true" comparison below, so user builds always get
# ro.debuggable=0.
enable_target_debugging :=
endif
# Disallow mock locations by default for user builds
ADDITIONAL_SYSTEM_PROPERTIES += ro.allow.mock.location=0
else # !user_variant
# Turn on checkjni for non-user builds.
ADDITIONAL_SYSTEM_PROPERTIES += ro.kernel.android.checkjni=1
# Set device insecure for non-user builds.
# ro.secure=0 is appended here independently of enable_target_debugging, so a
# non-user build stays ro.secure=0 even when ro.debuggable is forced to 0.
ADDITIONAL_SYSTEM_PROPERTIES += ro.secure=0
# Allow mock locations by default for non user builds
ADDITIONAL_SYSTEM_PROPERTIES += ro.allow.mock.location=1
endif # !user_variant
# Exactly one of ro.debuggable=1 / ro.debuggable=0 is appended, chosen by
# whether enable_target_debugging is exactly "true" once whitespace is stripped.
ifeq (true,$(strip $(enable_target_debugging)))
# Target is more debuggable and adbd is on by default
ADDITIONAL_SYSTEM_PROPERTIES += ro.debuggable=1
# Enable Dalvik lock contention logging.
ADDITIONAL_SYSTEM_PROPERTIES += dalvik.vm.lockprof.threshold=500
else # !enable_target_debugging
# Target is less debuggable and adbd is off by default
ADDITIONAL_SYSTEM_PROPERTIES += ro.debuggable=0
endif # !enable_target_debugging