开启adb root 选项后,执行如下代码:
packages/apps/Settings/src/com/android/settings/development/AdbRootPreferenceController.java
// Wrapper object through which this controller reaches the adbroot service;
// onPreferenceChange() below calls its setEnabled().
mADBRootService = new ADBRootService();
/**
 * Runs when the "adb root" developer option is switched.
 *
 * Forwards the new state to the ADBRootService wrapper. No permission check
 * is made in this method. NOTE(review): the native adbroot service shown on
 * this page rejects callers whose UID is not AID_SYSTEM, so enforcement
 * presumably rests there - confirm.
 *
 * @param preference the preference whose value changed (not used here)
 * @param newValue   the new switch state; cast to Boolean
 * @return always true
 */
@Override
public boolean onPreferenceChange(Preference preference, Object newValue) {
    // The cast and auto-unboxing are unchanged: a null or non-Boolean value still throws.
    mADBRootService.setEnabled((Boolean) newValue);
    return true;
}
ADBRootService类位于 frameworks/base/core/java/android/adb/ADBRootService.java
/**
 * Asks the remote IADBRootService to enable or disable adb root.
 *
 * If getService() returns null the request is dropped without any signal to
 * the caller. NOTE(review): a caller therefore cannot tell whether the state
 * was actually changed.
 *
 * @param enable true to allow adb root, false to disallow it
 * @throws RuntimeException whatever rethrowFromSystemServer() produces when
 *         the binder call raises RemoteException
 */
public void setEnabled(boolean enable) {
    try {
        final IADBRootService remote = getService();
        if (remote == null) {
            // Service not available: nothing is sent and nothing is reported.
            return;
        }
        remote.setEnabled(enable);
    } catch (RemoteException ex) {
        throw ex.rethrowFromSystemServer();
    }
}
实际调用 IADBRootService 服务的 setEnabled
adb_root服务的入口函数位于 system/core/adb/root/main.cpp
// Creates the ADBRootService instance and publishes its binder with the
// service manager under the name returned by getServiceName().
// A registration failure is logged at FATAL severity.
void ADBRootService::Register() {
    auto instance = ndk::SharedRefBase::make<ADBRootService>();
    const binder_status_t rc =
            AServiceManager_addService(instance->asBinder().get(), getServiceName());
    if (rc == STATUS_OK) {
        return;
    }
    LOG(FATAL) << "Could not register adbroot service: " << rc;
}
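// Binder entry point that switches the "adb root allowed" flag on or off.
//
// Only a caller whose binder UID is AID_SYSTEM may change the flag; any other
// caller gets a SecurityException status. When the value actually changes it
// is stored in enabled_ and written to kStoragePath + kEnabled. Turning the
// flag off also sets service.adb.root to "0" and asks init to restart adbd.
//
// @param enabled requested state
// @return SecurityException status for non-system callers, ok() otherwise
//         (including when persisting or a property write fails; those
//         failures are logged so they are not silent).
ndk::ScopedAStatus ADBRootService::setEnabled(bool enabled) {
    // Authorize on the UID binder reports for the caller, before touching state.
    const uid_t uid = AIBinder_getCallingUid();
    if (uid != AID_SYSTEM) {
        return SecurityException("Caller must be system");
    }

    AutoMutex _l(lock_);

    if (enabled_ != enabled) {
        enabled_ = enabled;

        // std::to_string(bool) promotes to int, so the file holds "0" or "1".
        // A failed write leaves the stored flag out of step with enabled_,
        // so record it instead of discarding the result.
        if (!WriteStringToFile(std::to_string(enabled), kStoragePath + kEnabled)) {
            LOG(ERROR) << "Could not persist adbroot enabled state";
        }

        // Turning off adb root, restart adbd.
        if (!enabled) {
            // If either property write fails, adbd may keep running with its
            // current privileges; make that visible in the log.
            if (!SetProperty("service.adb.root", "0")) {
                LOG(ERROR) << "Could not set service.adb.root to 0";
            }
            if (!SetProperty("ctl.restart", "adbd")) {
                LOG(ERROR) << "Could not request adbd restart";
            }
        }
    }

    return ndk::ScopedAStatus::ok();
}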
main函数执行时,调用 Register 将native层的 ADBRootService 注册为名为 adbroot_service 的系统服务
执行 adb root命令时, 调用 restart_root_service
// Handles an `adb root` request: decides whether adbd may switch to root and,
// if so, sets service.adb.root to "1". Every outcome except a failed service
// lookup is reported as a text line written to `fd`.
//
// No restart call is visible in this function; it only writes the property.
void restart_root_service(unique_fd fd) {
    // Already root: nothing to change.
    if (getuid() == 0) {
        WriteFdExactly(fd.get(), "adbd is already running as root\n");
        return;
    }

#if defined(__ANDROID__) && !defined(__ANDROID_RECOVERY__)
    // Normal Android build: fetch the adbroot_service binder that holds the
    // user-controlled "adb root allowed" flag.
    ndk::SpAIBinder binder = ndk::SpAIBinder(AServiceManager_getService("adbroot_service"));
    std::shared_ptr<aidl::android::adbroot::IADBRootService> service =
            aidl::android::adbroot::IADBRootService::fromBinder(binder);
    if (!service) {
        // Fails closed: root is refused. The failure is only logged; nothing
        // is written to fd on this path.
        LOG(ERROR) << "Failed to get adbroot_service interface";
        return;
    }
#endif

#if defined(__ANDROID__) && !defined(__ANDROID_RECOVERY__)
    bool enabled = false;
    // The brace opened here is closed inside the next #if region, so in this
    // configuration the debuggable check below runs only when getEnabled()
    // fails. When getEnabled() succeeds, `enabled` alone decides the outcome.
    if (auto status = service->getEnabled(&enabled); !status.isOk()) {
#endif
    // In recovery / non-Android builds this check is unconditional.
    if (!__android_log_is_debuggable()) {
        WriteFdExactly(fd.get(), "adbd cannot run as root in production builds\n");
        return;
    }
#if defined(__ANDROID__) && !defined(__ANDROID_RECOVERY__)
    }
    // `enabled` is still false here if getEnabled() failed without setting it,
    // so that path is refused as well.
    if (!enabled) {
        // Passes the unique_fd itself rather than fd.get() as the other calls do.
        WriteFdExactly(fd, "ADB Root access is disabled by system setting - "
                "enable in Settings -> System -> Developer options\n");
        return;
    }
#endif

    LOG(INFO) << "adbd restarting as root";
    // adbd's should_drop_privileges() reads this property to decide whether
    // to keep root.
    android::base::SetProperty("service.adb.root", "1");
    WriteFdExactly(fd.get(), "restarting adbd as root\n");
}
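主要作用:设置属性 service.adb.root = 1。需要注意,在普通 Android 构建(非 recovery)中,只有 getEnabled 调用失败时才会检查 __android_log_is_debuggable();getEnabled 成功时,是否允许切换到 root 只取决于 adbroot_service 返回的开关状态。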
ADB ROOT必要条件分析
开发者选项: development_settings_enabled
adb调试:adb_enabled
上述字段通过 getString 获取
1、开发者选项中adb root是否显示取决于 ro.debuggable属性:
当 ro.debuggable = 0 时, 开发者选项界面不显示开启adb root 选项
2、adb始终以root权限运行
adb 服务被 init进程拉起时,是以root权限运行,拉起后会进行降权操作。
system/core/adb/daemon/main.cpp
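// Decides whether adbd should give up root after start-up.
//
// @return true when privileges must be dropped, false when adbd may keep
//         running as root.
static bool should_drop_privileges() {
    // The properties that affect `adb root` and `adb unroot` are ro.secure and
    // ro.debuggable. In this context the names don't make the expected behavior
    // particularly obvious.
    //
    // ro.debuggable:
    //   Allowed to become root, but not necessarily the default. Set to 1 on
    //   eng and userdebug builds.
    //
    // ro.secure:
    //   Drop privileges by default. Set to 1 on userdebug and user builds.
    const bool ro_secure = android::base::GetBoolProperty("ro.secure", true);
    const bool ro_debuggable = __android_log_is_debuggable();

    // Drop privileges if ro.secure is set...
    bool drop = ro_secure;

    // ... except "adb root" lets you keep privileges in a debuggable build.
    const std::string prop = android::base::GetProperty("service.adb.root", "");
    const bool adb_root = (prop == "1");
    const bool adb_unroot = (prop == "0");
    if (ro_debuggable && adb_root) {
        drop = false;
    }

    // ... and "adb unroot" lets you explicitly drop privileges.
    if (adb_unroot) {
        drop = true;
    }

    // Return the decision computed above. A hard-coded `return false` here
    // discards every check in this function: adbd would then stay root on all
    // builds, even with ro.secure=1, ro.debuggable=0 or service.adb.root=0.
    return drop;
}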
当 service.adb.root 属性为 1 且 ro.debuggable = 1 时,会继续保持root权限运行