RK android14 第三方app获取su权限

需要修改的地方如下
 

frameworks/base/core/jni/com_android_internal_os_Zygote.cpp
kernel-6.1/security/commoncap.c
system/core/init/selinux.cpp
system/core/libcutils/fs_config.cpp
system/extras/su/su.cpp
device/rockchip/common/BoardConfig.mk
device/rockchip/common/sepolicy/vendor/untrusted_app.te
system/sepolicy/prebuilts/api/34.0/public/app.te
system/sepolicy/prebuilts/api/34.0/public/domain.te
system/sepolicy/public/app.te
system/sepolicy/public/domain.te

frameworks/base

diff --git a/core/jni/com_android_internal_os_Zygote.cpp b/core/jni/com_android_internal_os_Zygote.cpp
index 56066b2d813c..0c587a2c0580 100644
--- a/core/jni/com_android_internal_os_Zygote.cpp
+++ b/core/jni/com_android_internal_os_Zygote.cpp
@@ -666,7 +666,7 @@ static void EnableKeepCapabilities(fail_fn_t fail_fn) {
 }
 
 static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
-  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
+ /* for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {;
     if (prctl(PR_CAPBSET_DROP, i, 0, 0, 0) == -1) {
       if (errno == EINVAL) {
         ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
@@ -675,7 +675,7 @@ static void DropCapabilitiesBoundingSet(fail_fn_t fail_fn) {
         fail_fn(CREATE_ERROR("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)));
       }
     }
-  }
+  }*/
 }
 
 static void SetInheritable(uint64_t inheritable, fail_fn_t fail_fn) {
 

 
kernel-6.1  

 diff --git a/security/commoncap.c b/security/commoncap.c
index bc751fa5adad..bad53a9b8ac0 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1243,11 +1243,11 @@ static int cap_prctl_drop(unsigned long cap)
 {
        struct cred *new;
 
-       if (!ns_capable(current_user_ns(), CAP_SETPCAP))
+       /*if (!ns_capable(current_user_ns(), CAP_SETPCAP))
                return -EPERM;
        if (!cap_valid(cap))
                return -EINVAL;
-
+*/
        new = prepare_creds();
        if (!new)
                return -ENOMEM;
                

system/core
                
 

diff --git a/libcutils/fs_config.cpp b/libcutils/fs_config.cpp
index f90a1bc3c..6fb44ec63 100644
--- a/libcutils/fs_config.cpp
+++ b/libcutils/fs_config.cpp
@@ -87,7 +87,7 @@ static const struct fs_path_config android_dirs[] = {
     { 00751, AID_ROOT,         AID_SHELL,        0, "system/bin" },
     { 00755, AID_ROOT,         AID_ROOT,         0, "system/etc/ppp" },
     { 00755, AID_ROOT,         AID_SHELL,        0, "system/vendor" },
-    { 00750, AID_ROOT,         AID_SHELL,        0, "system/xbin" },
+    { 00751, AID_ROOT,         AID_SHELL,        0, "system/xbin" },
     { 00751, AID_ROOT,         AID_SHELL,        0, "system/apex/*/bin" },
     { 00750, AID_ROOT,         AID_SYSTEM,       0, "system_ext/apex/com.android.tethering/bin/for-system" },
     { 00751, AID_ROOT,         AID_SHELL,        0, "system_ext/bin" },
@@ -192,7 +192,7 @@ static const struct fs_path_config android_files[] = {
     // the following two files are INTENTIONALLY set-uid, but they
     // are NOT included on user builds.
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
-    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
+    { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
 
     // the following files have enhanced capabilities and ARE included
     // in user builds.

 diff --git a/init/selinux.cpp b/init/selinux.cpp
index 907eb80e3..1d4fe492b 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -102,7 +102,7 @@ namespace {
 
 enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
 
-EnforcingStatus StatusFromProperty() {
+/*EnforcingStatus StatusFromProperty() {
     EnforcingStatus status = SELINUX_ENFORCING;
 
     ImportKernelCmdline([&](const std::string& key, const std::string& value) {
@@ -120,13 +120,14 @@ EnforcingStatus StatusFromProperty() {
     }
 
     return status;
-}
+}*/
 
 bool IsEnforcing() {
-    if (ALLOW_PERMISSIVE_SELINUX) {
+return false ;
+    /*if (ALLOW_PERMISSIVE_SELINUX) {
         return StatusFromProperty() == SELINUX_ENFORCING;
     }
-    return true;
+    return true;*/
 }
 
 // Forks, executes the provided program in the child, and waits for the completion in the parent.

     
     
     
system/extras

diff --git a/su/su.cpp b/su/su.cpp
index 1a1ab6bf..fb067ec8 100644
--- a/su/su.cpp
+++ b/su/su.cpp
@@ -80,8 +80,8 @@ void extract_uidgids(const char* uidgids, uid_t* uid, gid_t* gid, gid_t* gids, i
 }
 
 int main(int argc, char** argv) {
-    uid_t current_uid = getuid();
-    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
+   // uid_t current_uid = getuid();
+    //if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
 
     // Handle -h and --help.
     ++argv;

device/rockchip/common

diff --git a/BoardConfig.mk b/BoardConfig.mk
index 52e518a..35b9f11 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -52,7 +52,7 @@ BOARD_BOOT_HEADER_VERSION ?= 2
 BOARD_MKBOOTIMG_ARGS :=
 BOARD_PREBUILT_DTBOIMAGE ?= $(TARGET_DEVICE_DIR)/dtbo.img
 BOARD_ROCKCHIP_VIRTUAL_AB_ENABLE ?= false
-BOARD_SELINUX_ENFORCING ?= true
+BOARD_SELINUX_ENFORCING ?= false
 PRODUCT_KERNEL_ARCH ?= arm
 BOARD_ROCKCHIP_PKVM ?= false

根据运行时log   avc日志加相应的权限
 

diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
index 3868f47..bb77f57 100644
--- a/sepolicy/vendor/untrusted_app.te
+++ b/sepolicy/vendor/untrusted_app.te
@@ -3,6 +3,8 @@ allow untrusted_app  ota_data_file:dir rw_dir_perms;
 allow untrusted_app  ota_data_file:file rw_file_perms;
 allow untrusted_app  userdata_block_device:blk_file { getattr };
 allow untrusted_app  oemfs:file {execmod};
+allow untrusted_app  su_exec:file {execute read open execute_no_trans map getattr};
+allow untrusted_app  untrusted_app:capability {setuid setgid };
 
 dontaudit untrusted_app mnt_vendor_file:dir { search };

system/sepolicy

diff --git a/prebuilts/api/34.0/public/app.te b/prebuilts/api/34.0/public/app.te
index da59f3214..6cdc81c15 100644
--- a/prebuilts/api/34.0/public/app.te
+++ b/prebuilts/api/34.0/public/app.te
@@ -16,7 +16,7 @@ type appdomain_tmpfs, file_type;
 
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+#neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };

diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index 1da3f51a9..bed442f0d 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -1029,7 +1029,7 @@ neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mou
 # Nobody should be able to execute su on user builds.
 # On userdebug/eng builds, only dumpstate, shell, and
 # su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+#neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.

diff --git a/public/app.te b/public/app.te
index da59f3214..6cdc81c15 100644
--- a/public/app.te
+++ b/public/app.te
@@ -16,7 +16,7 @@ type appdomain_tmpfs, file_type;
 
 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
+#neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };

diff --git a/public/domain.te b/public/domain.te
index 1da3f51a9..bed442f0d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1029,7 +1029,7 @@ neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mou
 # Nobody should be able to execute su on user builds.
 # On userdebug/eng builds, only dumpstate, shell, and
 # su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+#neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
 
 # Do not allow the introduction of new execmod rules. Text relocations
 # and modification of executable pages are unsafe.

 
 
 测试代码如下

  /**
    * 判断机器Android是否已经root，即是否获取root权限
     */
    private  boolean haveRoot() {
        // 通过执行测试命令来检测
        int ret = execRootCmdSilent("echo test");
        if (ret != -1) {
            Log.i("test", "have root!");
            return true;
        } else {
            Log.i("test", "not root!");
            return false;
        }
    }
    // cmd="chmod 777 /dev/ttyACM"
    public  int execRootCmdSilent(String cmd) {
        int result = -1;
        DataOutputStream dos = null;

        try {
            Process p = Runtime.getRuntime().exec("su");
            dos = new DataOutputStream(p.getOutputStream());
            Log.i("test", cmd);
            dos.writeBytes(cmd + "\n");
            dos.flush();
            dos.writeBytes("exit\n");
            dos.flush();
            p.waitFor();
            result = p.exitValue();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (dos != null) {
                try {
                    dos.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
        return result;
    }

原文地址：https://blog.csdn.net/m0_71008721/article/details/143693818

免责声明：本站文章内容转载自网络资源，如本站内容侵犯了原著者的合法权益，可联系本站删除。更多内容请关注自学内容网（zxcms.com）！