Android applications get root permissions

Source: Internet
Author: User

In my blog post "Android program security system", I mentioned two ways to grant root permission. I recently found that many people on the Internet have reposted the article, but it was not clear how to implement the first method it mentions. This document uses an example to demonstrate how to grant root permission to an Android application.

Problem

The problem I encountered was that I wanted to dynamically mount an NFS file system from a Java application, but executing the mount command requires root permission, and in general the Java layer of Android cannot obtain root permission.

Ideas

I mentioned two ideas in my blog post "Android program security system":

1. Implement an init.rc service that helps Android applications execute commands with root permission.
2. Implement a virtual device that helps Android applications execute commands with root permission.

This article uses the first option to solve the problem of mounting an NFS file system for an Android application.

init.rc Service

Many services are defined in the Android system's init.rc. For the exact definition format, refer to "Android Init Language" in the Android platform developer's guide. A service defined in init.rc is created by the init process and therefore runs with root permission.


Now the question is: how does the Android application tell the init process which service we want to run? The answer is to set the system property "ctl.start" to the name of the service you want to run. Assuming it is "xxx", the Android system will run service xxx for you. The init process writes the running state of the service to the property "init.svc." + service name, that is, "init.svc.xxx", and the application can read this value to determine the service's execution status. For more information about the Android property system, see the blog post "(translation) Android Property System".

Android property permission


Can any process set Android's "ctl.start" property? If it could, the system would be in chaos: anyone could run any service defined in init.rc. Look at property_service.c, where the function that sets Android system properties is handle_property_set_fd:

    void handle_property_set_fd(int fd)
    {
        ......
        switch(msg.cmd) {
        case PROP_MSG_SETPROP:
            msg.name[PROP_NAME_MAX-1] = 0;
            msg.value[PROP_VALUE_MAX-1] = 0;

            /* "ctl." properties are control messages, not stored properties */
            if(memcmp(msg.name,"ctl.",4) == 0) {
                if (check_control_perms(msg.value, cr.uid, cr.gid)) {
                    handle_control_message((char*) msg.name + 4, (char*) msg.value);
                } else {
                    ERROR("sys_prop: Unable to %s service ctl [%s] uid: %d pid:%d\n",
                            msg.name + 4, msg.value, cr.uid, cr.pid);
                }
            }
            ......
        }
    }

From the source code we see that when a system property starting with "ctl." is set, the check_control_perms function is called to check the caller's permission. Its definition is as follows:

    static int check_control_perms(const char *name, int uid, int gid) {
        int i;
        /* root and system may control any service */
        if (uid == AID_SYSTEM || uid == AID_ROOT)
            return 1;

        /* Search the ACL: the service name must match and the caller's uid or gid must be listed */
        for (i = 0; control_perms[i].service; i++) {
            if (strcmp(control_perms[i].service, name) == 0) {
                if ((uid && control_perms[i].uid == uid) ||
                    (gid && control_perms[i].gid == gid)) {
                    return 1;
                }
            }
        }
        return 0;
    }

From this we see that callers running as root or system are authorized to set system properties starting with "ctl." directly. Any other caller is checked against the ACL in the control_perms global variable, which lists, per service, the uid and gid that are allowed to control it.

For more information about permission control in the Android init process and the Android property system, see "Android permission".

Instance

With the background above, the approach is clear. The following example shows how to mount an NFS file system:

1. First define a script that executes mount. I place it at /system/etc/mount_nfs.sh, defined as follows:

    #!/system/bin/sh

    /system/bin/busybox mount -o rw,nolock -t nfs 192.168.1.6:/nfs_srv /data/mnt

Do not forget to make it executable.

2. Add a service definition to init.rc. The definition is as follows:

    service mount_nfs /system/etc/mount_nfs.sh
        oneshot
        disabled

3. Grant system permissions to your application. For details about how to obtain system permissions, see "Android program security system".

4. In your application, set the system property "ctl.start" to "mount_nfs", so that the Android system runs the mount_nfs service. It should be emphasized that java.lang.System's getProperty/setProperty cannot be used here: those methods only access properties inside the JVM and cannot modify Android system properties. Use android.os.SystemProperties instead (Android 2.1, Eclair, can call this API). If your Android version cannot call this class, you can only call the C/C++ layer property_get and property_set functions through JNI. For more information, see "Android property system". The code is as follows:

    SystemProperties.set("ctl.start", "mount_nfs");

5. Finally, read the Android system property "init.svc.mount_nfs" in your application and check the execution result. The code is as follows:

    import android.os.SystemProperties;
    import android.util.Log;

    private static final String TAG = "MountNfs";

    /* Poll until init reports that the oneshot service has exited. */
    private boolean waitForMountNfs() {
        String mount_rt;
        while (true) {
            mount_rt = SystemProperties.get("init.svc.mount_nfs", "");
            if (mount_rt != null && mount_rt.equals("stopped")) {
                return true;
            }

            try {
                Thread.sleep(1000);
            } catch (Exception ex) {
                Log.e(TAG, "Exception: " + ex.getMessage());
            }
        }
    }

The init process maintains a service queue and handles "ctl.start" asynchronously, so we need to poll to learn the service's execution result.
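As an added example (not code from the original post), here is the complete app-side flow of steps 4 and 5: start the oneshot service through "ctl.start" and poll "init.svc.<name>" with a deadline instead of looping forever. It assumes the app runs with the system uid as step 3 requires, and reaches the hidden android.os.SystemProperties class through reflection so that it compiles against the public SDK; the class name InitServiceRunner and its method names are my own.

```java
import android.util.Log;
import java.lang.reflect.Method;

/** Starts an init.rc service via ctl.start and waits for init to report it stopped. */
public final class InitServiceRunner {
    private static final String TAG = "InitServiceRunner";
    private static final long POLL_MS = 500;

    // android.os.SystemProperties is hidden from the SDK, so reach it by reflection.
    private static final Class<?> SYS_PROPS = loadSysProps();

    private static Class<?> loadSysProps() {
        try {
            return Class.forName("android.os.SystemProperties");
        } catch (ClassNotFoundException e) {
            throw new RuntimeException("SystemProperties not available on this platform", e);
        }
    }

    private static void setProp(String key, String value) throws Exception {
        Method set = SYS_PROPS.getMethod("set", String.class, String.class);
        set.invoke(null, key, value); // property_service denies this unless uid is system/root or in control_perms
    }

    private static String getProp(String key) throws Exception {
        Method get = SYS_PROPS.getMethod("get", String.class, String.class);
        return (String) get.invoke(null, key, "");
    }

    /**
     * Runs a oneshot init.rc service and returns true once init reports it "stopped".
     * init publishes the state as "running", "stopped" or "restarting" in init.svc.<service>.
     */
    public static boolean runOneshot(String service, long timeoutMs) throws Exception {
        setProp("ctl.start", service);
        String statusKey = "init.svc." + service;
        long deadline = System.currentTimeMillis() + timeoutMs;
        while (System.currentTimeMillis() < deadline) {
            String state = getProp(statusKey);
            Log.d(TAG, statusKey + " = " + state);
            if ("stopped".equals(state)) return true;
            if ("restarting".equals(state)) return false; // init could not keep the service up
            Thread.sleep(POLL_MS);
        }
        Log.e(TAG, "Timed out waiting for " + service);
        return false;
    }
}
```

"stopped" only tells you the script exited, not that the mount succeeded, and init.svc.<name> keeps its value from the previous run; verify the mount itself (for example by reading /proc/mounts) after the call returns.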

Through the above steps, the Android application can invoke a service defined in init.rc, and in this way your Android application obtains root permission for that task.

Summary

We can see from the above that obtaining root permission in Android requires, for example:

1. You must be an Android system developer; otherwise you cannot modify files such as init.rc.
2. Your application must have system permissions.

In this way, root permission is prevented from being used by applications without restriction, which would ultimately compromise the security of the Android system.

I hope this article is helpful to you; please correct me if there are any errors.
