我们知道,在system/bin下面有很多可执行文件,包括但不限于iptables等需要root权限才可以操作,我们不可能为了部分需求将整机root处理,这时就需要单独为我们特定的APP建立一个获取root权限的通道。
那么在一台普通user版本的手机上谁有root权限呢?答案是init.rc里的service!所以我们优先考虑从这里打开突破口。同时想一想为什么install这种就不需要root权限呢?从源码中我们发现了两个很重要的文件Installd.cpp与InstallerConnection.java,第一感觉是系统使用了LocalSocket实现了跨进程?没错,APP所在的进程肯定是没有root权限的,它必然需要将自己的需求告知一个已经拥有root权限的进程,所以跨进程是必须的。再看init.rc,这里也有install的想关配置,我们看到它在这里配置了socket,那么流程也就明白了,init.rc启动了一个service同时配置了一个socket,然后在installd.cpp中进行socket的监听,当客户端向该socket发送信息后,这个拥有root权限的服务端将得到客户端的请求。
根据如上分析,我们参照源码实现让app可以执行iptables -L这条简单的但却需要root权限的命令
frameworks\native\cmds\mysocketservice添加我们的模块
mysocket_service.cpp
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <string>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/un.h>
#include <cutils/sockets.h>
#include <utils/Log.h>
#include <android/log.h>
#include <fcntl.h>
#define LOG_TAG "SOCKET_SERVER"
#define SOCKET_PATH "mysocket"
#define BUFFER_MAX 1024
using namespace std;
static int readx(int s, void *_buf, int count)
{
char *buf = (char *)_buf;
int n = 0, r;
if (count < 0) return -1;
while (n < count) {
r = read(s, buf + n, count - n);
if (r < 0) {
if (errno == EINTR) continue;
ALOGE("read error: %s\n", strerror(errno));
return -1;
}
if (r == 0) {
ALOGE("eof\n");
return -1; /* EOF */
}
n += r;
}
return 0;
}
static int writex(int s, const void *_buf, int count)
{
const char *buf = (const char *) _buf;
int n = 0, r;
if (count < 0) return -1;
while (n < count) {
r = write(s, buf + n, count - n);
if (r < 0) {
if (errno == EINTR) continue;
ALOGE("write error: %s\n", strerror(errno));
return -1;
}
n += r;
}
return 0;
}
static string execCMD(char* command)
{
string result="";
FILE *fpRead;
strcat(command," 2>&1");
fpRead = popen(command, "r");
ALOGI("command = %s\n", command);
char buf[1024];
while(fgets(buf,sizeof(buf),fpRead)!=NULL)
{
result+=buf;
ALOGI("buf = %s\n", buf);
}
if(fpRead!=NULL)
pclose(fpRead);
return result;
}
int main(const int argc, const char *argv[]) {
char buf[BUFFER_MAX];
struct sockaddr addr;
socklen_t alen;
int lsocket, s;
ALOGI("socketserver firing up\n");
lsocket = android_get_control_socket(SOCKET_PATH);
if (lsocket < 0) {
ALOGE("Failed to get socket from environment: %s\n", strerror(errno));
exit(1);
}
if (listen(lsocket, 5)) {
ALOGE("Listen on socket failed: %s\n", strerror(errno));
exit(1);
}
fcntl(lsocket, F_SETFD, FD_CLOEXEC);
for (;;) {
alen = sizeof(addr);
s = accept(lsocket, &addr, &alen);
if (s < 0) {
ALOGE("Accept failed: %s\n", strerror(errno));
continue;
}
fcntl(s, F_SETFD, FD_CLOEXEC);
ALOGI("new connection\n");
for (;;) {
unsigned short count;
if (readx(s, &count, sizeof(count))) {
ALOGE("failed to read size\n");
break;
}
if ((count < 1) || (count >= BUFFER_MAX)) {
ALOGE("invalid size %d\n", count);
break;
}
if (readx(s, buf, count)) {
ALOGE("failed to read command\n");
break;
}
buf[count] = 0;
ALOGI("buf = %s count = %d\n", buf, count);
string result=execCMD(buf);
count=result.length();
if (writex(s, &count, sizeof(count))) return -1;
if (writex(s, result.c_str(), count)) return -1;
}
ALOGI("closing connection\n");
close(s);
}
return 0;
}
当socket配置好后,开机后将在/dev/socket此目录下生成相应的socket节点,我们看到这里使用了read和write函数对此节点进行读写,因为这个socket实现跨进程的本质就是上层客户端发指令写这个节点,而服务端先读取节点即可知道客户端发来的消息具体是什么。读取出消息指令后,我们这里使用popen函数执行这个shell命令。需要注意的是读取到客户端消息后,我们在其后追回一个字符串:" 2>&1",目的是将标准错误同时重定向到文件,否则popen只能得到一个标准输出。
配置Android.mk
LOCAL_PATH:= $(call my-dir)
svc_c_flags = \
-Wall -Wextra \
include $(CLEAR_VARS)
LOCAL_SHARED_LIBRARIES := liblog libselinux
LOCAL_SRC_FILES := mysocket_service.cpp
LOCAL_CFLAGS += $(svc_c_flags)
LOCAL_MODULE := mysocket
LOCAL_MODULE_TAGS := optional
LOCAL_CLANG := true
include $(BUILD_EXECUTABLE)
build\target\product\base.mk加入项目编译
PRODUCT_PACKAGES += mysocket
system\core\rootdir\init.rc配置socket
service mysocket /system/bin/mysocket
class main
socket mysocket stream 0666 root system
oneshot
external\sepolicy配置SELinux权限
file_contexts
/dev/socket/mysocket u:object_r:mysocket_st:s0
mysocket.te
allow mysocket_st mysocket_st:sock_file create_file_perms;
type_transition mysocket_st socket_device:sock_file mysocket_st;
system_server.te
allow system_server mysocket_st:sock_file rw_file_perms;
init.te
neverallow init {fs_type }:file execute_no_trans;
allow init system_file:file execute_no_trans;
allow init shell_exec:file execute_no_trans;
allow init init:rawip_socket {create getopt};
system_app.te
allow system_app mysocket_st:sock_file rw_file_perms;
file.te
type mysocket_st, file_type;
需要注意的是:不同的指令所需要的SELinux权限不同,我这里仅仅针对iptables的相关命令配置了权限,当执行ip等其它指令时依然可能显示permission denied,所以具体问题还需要具体分析。另外在配置权限时要注意系统添加的neverallow语句,避免权限冲突。
客户端的调用
import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import android.os.SystemClock;
import android.util.Slog;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
/**
* Represents a connection to {@code installd}. Allows multiple connect and
* disconnect cycles.
*
* @hide for internal use only
*/
public class SocketClient {
private static final String TAG = "MySocketClient";
private static final boolean LOCAL_DEBUG = true;
private InputStream mIn;
private OutputStream mOut;
private LocalSocket mSocket;
private byte buf[] = new byte[1024];//初始大小,如果返回的结果超出大小则重新初始化
public SocketClient() {
}
public synchronized String transact(String cmd) {
String result=null;
if (LOCAL_DEBUG) {
Slog.i(TAG, "send: '" + cmd + "'");
}
if (connect()&&writeCommand(cmd)) {
final int replyLength = readReply();
if (replyLength > 0) {
result = new String(buf, 0, replyLength);
if (LOCAL_DEBUG) {
Slog.i(TAG, "recv: '" + result + "'");
}
} else {
if (LOCAL_DEBUG) {
Slog.i(TAG, "fail");
}
}
}else{
if (LOCAL_DEBUG) {
Slog.i(TAG, "connect or write command failed!");
}
}
return result;
}
public String execute(String cmd) {
return transact(cmd);
}
private boolean connect() {
if (mSocket != null) {
return true;
}
Slog.i(TAG, "connecting...");
try {
mSocket = new LocalSocket();
LocalSocketAddress address = new LocalSocketAddress("mysocket",
LocalSocketAddress.Namespace.RESERVED);
mSocket.connect(address);
mIn = mSocket.getInputStream();
mOut = mSocket.getOutputStream();
} catch (IOException ex) {
disconnect();
return false;
}
return true;
}
public void disconnect() {
Slog.i(TAG, "disconnecting...");
try {
if (mSocket != null)
mSocket.close();
} catch (IOException ex) {
}
try {
if (mIn != null)
mIn.close();
} catch (IOException ex) {
}
try {
if (mOut != null)
mOut.close();
} catch (IOException ex) {
}
mSocket = null;
mIn = null;
mOut = null;
}
private boolean readFully(byte[] buffer, int len) {
int off = 0, count;
if (len < 0)
return false;
while (off != len) {
try {
count = mIn.read(buffer, off, len - off);
if (count <= 0) {
Slog.i(TAG, "read error " + count);
break;
}
off += count;
} catch (IOException ex) {
Slog.i(TAG, "read exception");
break;
}
}
Slog.i(TAG, "read " + len + " bytes");
if (off == len)
return true;
disconnect();
return false;
}
private int readReply() {
if (!readFully(buf, 2)) {
return -1;
}
final int len = (((int) buf[0]) & 0xff) | ((((int) buf[1]) & 0xff) << 8);
if ((len < 1)) {
Slog.i(TAG, "invalid reply length (" + len + ")");
disconnect();
return -1;
}
if(len > buf.length){
buf = new byte[len]; //重新扩容
}
if (!readFully(buf, len)) {
return -1;
}
return len;
}
private boolean writeCommand(String cmdString) {
final byte[] cmd = cmdString.getBytes();
final int len = cmd.length;
if ((len < 1) || (len > buf.length)) {
return false;
}
buf[0] = (byte) (len & 0xff);
buf[1] = (byte) ((len >> 8) & 0xff);
try {
mOut.write(buf, 0, 2);
mOut.write(cmd, 0, len);
} catch (IOException ex) {
Slog.i(TAG, "write error");
disconnect();
return false;
}
return true;
}
}
import android.app.Activity;
import android.os.Bundle;
import android.text.method.ScrollingMovementMethod;
import android.util.Log;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
public class MainActivity extends Activity {
private TextView tv_result;
private EditText et_cmd;
private Button bt_exec;
private String cmd=null;
private SocketClient client;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
tv_result=(TextView) findViewById(R.id.textview);
et_cmd= (EditText)findViewById(R.id.editText);
bt_exec=(Button)findViewById(R.id.button);
tv_result.setMovementMethod(ScrollingMovementMethod.getInstance());
client=new SocketClient();
bt_exec.setOnClickListener(new OnClickListener() {
@Override
public void onClick(View v) {
// TODO Auto-generated method stub
cmd=et_cmd.getText().toString();
final String result=client.execute(cmd);
if(result!=null)
tv_result.setText(result);
else
tv_result.setText("null");
}
});
}
@Override
protected void onDestroy() {
// TODO Auto-generated method stub
super.onDestroy();
if(client!=null)
client.disconnect();
}
}
运行结果如下图所求: