Permission escalation for devices in/dev for Android applications (1)

Permission escalation for devices in/dev for Android applications (1)
If the application needs to perform read/write operations on/dev/XXX, it needs to improve its permissions. The permission escalation method is not unique and needs to be selected based on specific requirements. In the final analysis, chmod 777/dev/XXX is applied. The difference is that the CHMOD operation is executed at the time and place, so here is an analysis summary.
After the kernel is started, it will execute/system/init, the legendary system process 1. The initial task of the INIT program is initialization, including various mkdir to build the file system and obtain hardware information to build the device node, install the sigchld signal to recycle resources of botnets and parse init. RC start scripts and so on, and then the INIT program becomes property_service to manage system permissions. There are two points to start: device_init and init. RC.

Invalid init. RC

This solution is widely used. It is easy to add chmod operations in it.

Invalid device. c

This solution is rarely used. Learn about device. C first.
In/system/CORE/init/device. C, device_init is analyzed as follows:

// Traverse/sys/class/sys/block/sys/devicesdevice_init () {coldboot (FD, "/sys/class"); coldboot (FD, "/sys/block"); coldboot (FD, "/sys/devices");} // a device generated by the kernel under recursive/sys, this is equivalent to the role of udev do_coldboot () {If (FD> = 0) {write (FD, "add \ n", 4); close (FD ); handle_device_fd (event_fd) ;}// read the add statement from the socket to process handle_device_fd () {If (! Strcmp (uevent-> action, "add") {make_device (devpath, block, uevent-> major, uevent-> minor); return ;}} // obtain information about the device. Create the device node make_device () {mode = get_device_perm (path, & uid, & gid) | (Block? S_ifblk: s_ifchr); Dev = (Major <8) | minor; mknod (path, mode, Dev); chown (path, uid, GID);} get_device_perm () {If (get_device_perm_inner (qemu_perms, path, uid, GID, & perm) = 0) {returnperm;} elseif (get_device_perm_inner (devperms, path, uid, GID) = 0) {returnperm;} else {.......} // Obtain the devperms struct information get_device_perm_inner {for (I = 0; perms [I]. name; I ++) {If (perms [I]. prefix) {If (strncmp (path, perms [I]. name, strlen (perms [I]. name) continue;} else {If (strcmp (path, perms [I]. name) continue;} * uid = perms [I]. UID; * gid = perms [I]. GID; * perm = perms [I]. perm; // permission bit return0 ;}} this is the specific content of devperms structperms _ {char * Name; mode_tperm; unsignedintuid; unsignedintgid; unsigned#prefix ;}; staticstructperms _ devperms [] = {"/dev/null", 0666, aid_root, aid_root, 0}, {"/dev/Zero", 0666, aid_root, aid_root, 0 },{ "/dev/full", 0666, aid_root, aid_root, 0 },{ "/dev/ptmx", 0666, aid_root, aid_root, 0 }, {"/dev/tty", 0666, aid_root, aid_root, 0 },{ "/dev/random", 0666, aid_root, aid_root, 0 }, {"/dev/urandom", 0666, aid_root, aid_root, 0 },{ "/dev/ashmem", 0666, aid_root, aid_root, 0 }, {& quot;/dev/binder & quot;, 0666, aid_root, aid_root, 0},/* logger shoshould be world writable (for logging) but not readable */{"/dev/log/", 0662, aid_root, aid_log, 1 }, /* These shoshould not be world writable */{"/dev/android_adb", 0660, aid_adb, aid_adb, 0 },{ "/dev/android_adb_enable", 0660, aid_adb, aid_adb, 0 },{ "/dev/ttymsm0", 0660, aid_bluetooth, aid_bluetooth, 0 },{ "/dev/alarm", 0664, aid_system, aid_radio, 0 }, {"/dev/tty0", 0666, aid_root, aid_system, 0 },{ "/dev/graphics/", 0660, aid_root, aid_graphics, 1 }, {"/dev/hw3d", 0660, aid_system, aid_graphics, 0 },{ "/dev/input/", 0660, aid_root, aid_input, 1 }, {"/dev/EAC", 0660, aid_root, aid_audio, 0 },{ "/dev/CAM", 0660, aid_root, aid_camera, 0 }, {"/dev/pmem", 0660, aid_system, aid_graphics, 0 },{ "/dev/pmem_gpu", 0660, aid_system, aid_graphics, 1 }, {"/dev/pmem_adsp", 0660, aid_system, aid_audio, 1 },{ "/dev/pmem_camera", 0660, aid_system, aid_camera, 1 }, {"/dev/oncrpc/", 0660, aid_root, aid_system, 1 },{ "/dev/adsp/", 0660, aid_system, aid_audio, 1 }, {"/dev/mt9t013", 0660, aid_system, aid_system, 0 },{ "/dev/akm8976_daemon", 0640, aid_compass, aid_system, 0 }, {"/dev/akm8976_aot", 0640, aid_compass, aid_system, 0 },{ "/dev/akm8976_pffd", 0640, aid_compass, aid_system, 0 }, {"/dev/msm_pcm_out", 0660, aid_system, aid_audio, 1 },{ "/dev/msm_pcm_in", 0660, aid_system, aid_audio, 1 }, {"/dev/msm_pcm_ctl", 0660, aid_system, aid_audio, 1 },{ "/dev/msm_mp3", 0660, aid_system, aid_audio, 1 }, {"/dev/smd0", 0640, aid_radio, aid_radio, 0 },{ "/dev/qmi", 0640, aid_radio, aid_radio, 0 }, {"/dev/qmi0", 0640, aid_radio, aid_radio, 0 },{ "/dev/qmi1", 0640, aid_radio, aid_radio, 0 }, {"/dev/qmi2", 0640, aid_radio, aid_radio, 0 },{ "/dev/HTC-acoustic", 0640, aid_radio, aid_radio, 0 },{ null, 0, 0, 0, 0 },};

✿ Init. c

Init. RC Script and init. goldfish. the RC Script has long been parsed by the parse_config_file () function to divide the script content into several sections: Early-init, init, early-boot, boot, and various services. Then execute commands of different segments or enable various services at different time points.

An excerpt from init. C:

Int main (intargc, char ** argv ){...... Mkdir ("/dev", 0755); mkdir ("/proc", 0755); mkdir ("/sys", 0755); mount ("tmpfs ", "/dev", "tmpfs", 0, "mode = 0755"); mkdir ("/dev/PTS", 0755); mkdir ("/dev/socket ", 0755); mount ("devpts", "/dev/PTS", "devpts", 0, null); mount ("proc", "/proc", "proc ", 0, null); mount ("sysfs", "/sys", "sysfs", 0, null );...... Info ("readingconfig file \ n"); parse_config_file ("/init. RC "); // call parse_config to parse init. RC Script // parsed, init. the RC content is divided into several segments, which are listed in the action_list linked list. // On starts with an action-type segment, such as the init segment. The init segment is represented by a struct action, where name is INIT, // All commands in this segment, are all strings in the commands linked list. Action_for_each_trigger ("early-init", action_add_queue_tail); // traverse the action_list linked list to find the action whose name is early-init and put the node at the end of action_queue. Drain_action_queue (); // traverses the node at the end of action_queue and deletes it. // It is equivalent to traversing the commands linked list in the Action node whose name is early-init. // All the commands in the onearly-init section in the init. RC Script are executed ....... Info ("deviceinit \ n"); device_fd = device_init (); // you can call property_init () to call proper_service action_for_each_trigger ("init ", action_add_queue_tail); // Add the init segment to action_queue drain_action_queue (); // execute the init segment command... ...}

Summary

Device_init is a simple replacement of udev in Linux. Install all the devices provided by the kernel in/sys/to create a device node in/dev. If you want to change the permissions of/dev/devices, you can write chmod 777 in init. RC, but pay attention to the write location. It cannot be executed too early or written in the early-init segment because the device nodes under/dev/are not created yet.
The method modified in devices. C is not easy to hide. However, if it is modified again in init. RC, the previous modification may be overwritten.