Android bypasses permission authentication and fork Process privilege elevation

When you write patches when shelling native code does not have too high permissions, such as file io, network IO and other basic C functions can not be used, prompting insufficient permissions. The following are some attempts to search for data on the Internet:

1, the APK will be installed in the/data/system/packages.xml record the current app needs to apply for permissions, as follows:

 <package name= "Com.example.unpacker"  codepath= "/data/app/com.example.unpacker-1.apk"   Nativelibrarypath= "/data/app-lib/com.example.unpacker-1"  flags= "572998"  ft= "1504bc58f90"  it= " 1504bad7c65 " ut=" 1504bc5913e " version=" 1 " userid=" 10078 ">         <sigs count= "1" >             <cert index= "9"  key= "XXX"  />         </sigs>        <perms>             <item name= "Android.permission.ACCESS_WIFI_STATE"  />             <item name= " Android.permission.CHANGE_NETWORK_STATE " />             <item name= "Android.permissIon. Access_network_state " />            < Item name= "Android.permission.INTERNET"  />             <item name= "Android.permission.CHANGE_WIFI_STATE"  />         </perms>        <signing-keyset  Identifier= "1"  />    </package>

Attempts to add all permissions to this packages.xml have no effect, the test failed, the specific reason to see later

2, directly bypass permission verification to modify the framework code, the relevant reference http://www.cnblogs.com/GnagWang/archive/2011/03/21/1990507.html

Activitymanagerservice.java (FRAMEWORKS\BASE\SERVICES\JAVA\COM\ANDROID\SERVER\AM) will checkpermission, Checkcallingpermission, Enforcecallingpermission function return value modified to permission_granted, modified after compiling Framework.jar, Framework2.jar, Services.jar then brush into the machine test found that this modification is easy to cause the system does not come, unstable, specific reasons to see later;

3, modify the zygote fork of the process after the permissions, zygote fork process will eventually call Forkandspecializecommon function, The Forkandspecializecommon will determine whether to start the systemserver process or other app processes, Other process words permittedcapabilities and effectivecapabilities will be set to 0

if  (Issystemserver)  {        /*          * don ' t use get_arg_long here for now.   gcc is generating code         * that  Uses register d8 as a temporary, and that ' s coming out          * scrambled in the child process.   b/3138621         */         //permittedcapabilities = get_arg_long (args, 5);         //effectivecapabilities = get_arg_long (args, 7);         permittedCapabilities = args[5] |  (int64_t)  args[6]  << 32;        effectivecapabilities = args[7] |  (int64_t)  args[8]  << 32;}  else {        mountMode = args[5];         permittedCapabilities = effectiveCapabilities = 0;    //other app processes allow permission and have permission to clear o        //change the previous line to   permittedcapabilities = effectivecapabilities = 125910048;         StringObject* seInfoObj =  (stringobject*) args[6];         if  (seinfoobj)  {             seinfo = dvmcreatecstrfromstring (seinfoobj);             if  (!seinfo)  {                  aloge ("seinfo dvmcreatecstrfromstring failed");                 dvmabort ();             }        }         StringObject* niceNameObj =  (stringobject*) args[7];         if  (nicenameobj)  {             nicename = dvmcreatecstrfromstring (NICENAMEOBJ);             if  (!nicename)  {                 aloge ("niceName  Dvmcreatecstrfromstring failed ");                 dvmabort ();             }         }    }

As a result, permission bypass can be implemented by directly forcing the Allow and effective permissions of the app to be set to fixed when the process is started:

Compile libdvm.so Copy to phone discovery now that the process permission is the same as the System_server permission.

Android bypasses permission authentication and fork Process privilege elevation