First, a disclaimer: I am a beginner. This is just a record of some problems I ran into; corrections are welcome.

Whether adbd gets root privileges is decided by the should_drop_privileges function in system/core/adb/daemon/main.cpp (source pasted below). When should_drop_privileges returns false, adbd runs as root; when it returns true, it runs without root. The decision is driven mainly by two properties, ro.debuggable and service.adb.root. The ro.secure property doesn't feel important to me and I don't know what it is for; anyone who knows, please teach me. The __android_log_is_debuggable function (source below) is the one tied to the ro.debuggable property. When ro.debuggable is 1 and service.adb.root is "1", drop becomes false, should_drop_privileges returns false, and adbd ends up with root privileges.

The should_drop_privileges function
    static bool should_drop_privileges() {
        bool ro_secure = android::base::GetBoolProperty("ro.secure", true);
        bool ro_debuggable = __android_log_is_debuggable();

        // Drop privileges if ro.secure is set...
        bool drop = ro_secure;

        // ... except "adb root" lets you keep privileges in a debuggable build.
        std::string prop = android::base::GetProperty("service.adb.root", "");
        bool adb_root = (prop == "1");
        bool adb_unroot = (prop == "0");
        if (ro_debuggable && adb_root) {
            drop = false;
        }

        // ... and "adb unroot" lets you explicitly drop privileges.
        if (adb_unroot) {
            drop = true;
        }

        return drop;
    }
The __android_log_is_debuggable function
    int __android_log_is_debuggable() {
        static uint32_t serial;
        static struct cache_char tag_cache;
        static const char key[] = "ro.debuggable";
        int ret;

        if (tag_cache.c) { /* ro property does not change after set */
            ret = tag_cache.c == '1';
        } else if (lock()) {
            struct cache_char temp_cache = {{NULL, 0xFFFFFFFF}, '\0'};
            refresh_cache(&temp_cache, key);
            ret = temp_cache.c == '1';
        } else {
            int change_detected = check_cache(&tag_cache.cache);
            uint32_t current_serial = __system_property_area_serial();
            if (current_serial != serial) {
                change_detected = 1;
            }
            if (change_detected) {
                refresh_cache(&tag_cache, key);
                serial = current_serial;
            }
            ret = tag_cache.c == '1';
            unlock();
        }

        return ret;
    }
Next, where does service.adb.root get set? When we run adb root, the restart_root_service function in system/core/adb/daemon/restart_service.cpp is called (source below). It first checks whether adbd is already running as root and returns immediately if so. It then checks the ro.debuggable property; if that is 0 it also returns. Otherwise it sets service.adb.root to "1", which is exactly the value the check in should_drop_privileges above looks for.

The restart_root_service function
    void restart_root_service(unique_fd fd) {
        if (getuid() == 0) {
            WriteFdExactly(fd.get(), "adbd is already running as root\n");
            return;
        }
        if (!__android_log_is_debuggable()) {
            WriteFdExactly(fd.get(), "adbd cannot run as root in production builds\n");
            return;
        }
        LOG(INFO) << "adbd restarting as root";
        android::base::SetProperty("service.adb.root", "1");
        WriteFdExactly(fd.get(), "restarting adbd as root\n");
    }
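To make the interaction between the two functions above concrete, here is an added, self-contained model of the decision (example code written for this post, not the AOSP sources). It replaces the property service with an in-memory map, models android::base::GetBoolProperty and __android_log_is_debuggable over that map, and reproduces the logic of both should_drop_privileges and restart_root_service so the same combinations of ro.secure, ro.debuggable and service.adb.root can be tried on a desktop. The property values in the table are constructed; the `already_root` flag stands in for the `getuid() == 0` check.

```cpp
// Added example: a host-side model of adbd's privilege decision, not the AOSP
// code itself. Property values come from an in-memory map (constructed here)
// instead of the Android property service.
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Simulated property store; on a device these come from the property service.
using PropStore = std::map<std::string, std::string>;

static std::string get_prop(const PropStore& props, const std::string& key,
                            const std::string& def) {
    auto it = props.find(key);
    return it == props.end() ? def : it->second;
}

// Models android::base::GetBoolProperty: "1"/"true"/"y"/"yes"/"on" are true,
// "0"/"false"/"n"/"no"/"off" are false, anything else yields the default.
static bool get_bool_prop(const PropStore& props, const std::string& key, bool def) {
    std::string v = get_prop(props, key, "");
    if (v == "1" || v == "true" || v == "y" || v == "yes" || v == "on") return true;
    if (v == "0" || v == "false" || v == "n" || v == "no" || v == "off") return false;
    return def;
}

// Mirrors __android_log_is_debuggable(): true only when ro.debuggable is "1".
bool is_debuggable(const PropStore& props) {
    return get_prop(props, "ro.debuggable", "") == "1";
}

// Same decision as should_drop_privileges() in adbd's main.cpp:
// start from ro.secure, let "adb root" override it on a debuggable build,
// and let "adb unroot" (service.adb.root == "0") force dropping.
bool should_drop_privileges(const PropStore& props) {
    bool ro_secure = get_bool_prop(props, "ro.secure", true);
    bool ro_debuggable = is_debuggable(props);
    bool drop = ro_secure;
    std::string prop = get_prop(props, "service.adb.root", "");
    bool adb_root = (prop == "1");
    bool adb_unroot = (prop == "0");
    if (ro_debuggable && adb_root) drop = false;
    if (adb_unroot) drop = true;
    return drop;
}

// Models restart_root_service(): returns the message adbd would write back to
// the client and sets service.adb.root only on a debuggable build.
std::string adb_root_request(PropStore& props, bool already_root) {
    if (already_root) return "adbd is already running as root\n";
    if (!is_debuggable(props)) return "adbd cannot run as root in production builds\n";
    props["service.adb.root"] = "1";
    return "restarting adbd as root\n";
}

int main() {
    struct Case { const char* name; PropStore props; };
    // Constructed property sets for the build types discussed above.
    std::vector<Case> cases = {
        {"user build (secure, not debuggable)", {{"ro.secure", "1"}, {"ro.debuggable", "0"}}},
        {"userdebug before adb root",            {{"ro.secure", "1"}, {"ro.debuggable", "1"}}},
        {"userdebug after adb root",             {{"ro.secure", "1"}, {"ro.debuggable", "1"}, {"service.adb.root", "1"}}},
        {"userdebug after adb unroot",           {{"ro.secure", "1"}, {"ro.debuggable", "1"}, {"service.adb.root", "0"}}},
        {"ro.secure=0, debuggable",              {{"ro.secure", "0"}, {"ro.debuggable", "1"}}},
        {"service.adb.root=1 on user build",     {{"ro.secure", "1"}, {"ro.debuggable", "0"}, {"service.adb.root", "1"}}},
    };
    for (const Case& c : cases) {
        std::printf("%-38s -> adbd runs as %s\n", c.name,
                    should_drop_privileges(c.props) ? "shell" : "root");
    }
    // Walk through an "adb root" request on a production build: the property
    // is never written, so should_drop_privileges keeps returning true.
    PropStore user = {{"ro.secure", "1"}, {"ro.debuggable", "0"}};
    std::printf("adb root on user build: %s", adb_root_request(user, false).c_str());
    return 0;
}
```

Two points the table makes visible: setting service.adb.root to "1" by hand does nothing on a build where ro.debuggable is 0, because the `ro_debuggable && adb_root` condition never holds; and when ro.secure is 0 the initial value of `drop` is already false, so adbd keeps root without service.adb.root ever being set, which is the role ro.secure plays in this function.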