Android App調用su

最近在做一個項目，客戶需要在應用成獲取臨時root權限，剛開始覺得很簡單，Android就自帶有su命令，只是沒編譯進去，想著直接編譯進去就行，就一口答應客戶１天搞好，各種加班悲劇就是這樣開始的。
　　先在Android源碼下找了一下，２分鐘找到su源代碼system/extras/su。修改了一下Ａndroid.mk，ｍｍm編譯後push到系統，（我們做系統，所以很多東西可以直接改源碼），然後adb shell進入系統執行ｓｕ，提示沒有權限，沒權限咱們就給權限被，於是adb root,adb remount 後再adb shell進入系統，chmod 777 /system/xbin/su,在執行su，還是提示permission denied，查看了一下su權限的確是-rwxrwxrwx沒錯，查看su源碼，其實核心就是setuid(0),了解了，su就是切換ｕｉｄ，所以ｓｕ還得加上s位，chmod 6777 su。在執行，成功了，以為大工告成。ｓｕ源碼如下：

/*
**
** Copyright 2008, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License"); 
** you may not use this file except in compliance with the License. 
** You may obtain a copy of the License at 
**
**     http://www.apache.org/licenses/LICENSE-2.0 
**
** Unless required by applicable law or agreed to in writing, software 
** distributed under the License is distributed on an "AS IS" BASIS, 
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
** See the License for the specific language governing permissions and 
** limitations under the License.
*/

#define LOG_TAG "su"

#include 
#include 
#include 
#include 
#include 
#include 

#include 
#include 

#include 

#include 


void pwtoid(const char *tok, uid_t *uid, gid_t *gid)
{
    struct passwd *pw;
    pw = getpwnam(tok);
    if (pw) {
        if (uid) *uid = pw->pw_uid;
        if (gid) *gid = pw->pw_gid;
    } else {
        uid_t tmpid = atoi(tok);
        if (uid) *uid = tmpid;
        if (gid) *gid = tmpid;
    }
}

void extract_uidgids(const char *uidgids, uid_t *uid, gid_t *gid, gid_t *gids,
                     int *gids_count)
{
    char *clobberablegids;
    char *nexttok;
    char *tok;
    int gids_found;

    if (!uidgids || !*uidgids) {
        *gid = *uid = 0;
        *gids_count = 0;
        return;
    }
    clobberablegids = strdup(uidgids);
    strcpy(clobberablegids, uidgids);
    nexttok = clobberablegids;
    tok = strsep(&nexttok, ",");
    pwtoid(tok, uid, gid);
    tok = strsep(&nexttok, ",");
    if (!tok) {
        /* gid is already set above */
        *gids_count = 0;
        free(clobberablegids);
        return;
    }
    pwtoid(tok, NULL, gid);
    gids_found = 0;
    while ((gids_found < *gids_count) && (tok = strsep(&nexttok, ","))) {
        pwtoid(tok, NULL, gids);
        gids_found++;
        gids++;
    }
    if (nexttok && gids_found == *gids_count) {
        fprintf(stderr, "too many group ids\n");
    }
    *gids_count = gids_found;
    free(clobberablegids);
}

/*
 * SU can be given a specific command to exec. UID _must_ be
 * specified for this (ie argc => 3).
 *
 * Usage:
 *   su 1000
 *   su 1000 ls -l
 *  or
 *   su [uid[,gid[,group1]...] [cmd]]
 *  E.g.
 *  su 1000,shell,net_bw_acct,net_bw_stats id
 * will return
 *  uid=1000(system) gid=2000(shell) groups=3006(net_bw_stats),3007(net_bw_acct)
 */
int main(int argc, char **argv)
{
    struct passwd *pw;
    uid_t uid, myuid;
    gid_t gid, gids[10];

    /* Until we have something better, only root and the shell can use su. */
    myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }

    if(argc < 2) {
        uid = gid = 0;
    } else {
        int gids_count = sizeof(gids)/sizeof(gids[0]);
        extract_uidgids(argv[1], &uid, &gid, gids, &gids_count);
        if(gids_count) {
            if(setgroups(gids_count, gids)) {
                fprintf(stderr, "su: failed to set groups\n");
                return 1;
            }
        }
    }

    if(setgid(gid) || setuid(uid)) {
        fprintf(stderr,"su: permission denied\n");
        return 1;
    }

    /* User specified command for exec. */
    if (argc == 3 ) {
        if (execlp(argv[2], argv[2], NULL) < 0) {
            int saved_errno = errno;
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -saved_errno;
        }
    } else if (argc > 3) {
        /* Copy the rest of the args from main. */
        char *exec_args[argc - 1];
        memset(exec_args, 0, sizeof(exec_args));
        memcpy(exec_args, &argv[2], sizeof(exec_args));
        if (execvp(argv[2], exec_args) < 0) {
            int saved_errno = errno;
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
                    strerror(errno));
            return -saved_errno;
        }
    }

    /* Default exec shell. */
    execlp("/system/bin/sh", "sh", NULL);

    fprintf(stderr, "su: exec failed\n");
    return 1;
}

　　　嘗試在ａｐｐ中調用
Runtime.getRuntime().exec(“su”);,居然返回錯誤su:uid5542 not allowed to su，查看ｓｕ源碼

    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
    }
原來是不是ＲＯＯＴ和ＳＨＥＥＬ用戶不讓調用ｓｕ，把這段話注釋掉，然後還是出錯，su:permission denied.這就奇怪了，明明adb shell是可以執行的，ａｐｐ提示還是沒有權限，查找了一些博客，說selnux權限設置問題，花了好長時間修改了還是不行，直接把ｓｅｌｉｎｕｘ關掉還不行，郁悶呀，後來在發現SANSUNG還做了band，郁悶呀，z最後放棄了這種方法。

　　　因為ｉｎｉｔ進程肯定是有權限的，所以就想著寫一個ｓｅｒｖｉｃｅｓ通過init啟動，這樣就有權限，ａｐｐ通過ｓｏｃｋｅｔ通信創建鏈接，花了兩天，編譯到系統，初見成效，決定分享下，將serivce在init.rc中啟動

services suserver /system/xbin/suserver

classs main

ＡＰＰ　調用方式　Runtime.getRuntime().exec(“suclient”)代碼如下：

目前還有個問題，執行ls等輸出比較多的命令時，如果頻繁執行的話，會造層service 掛掉，init要很久才能重啟這個service,原因是輸出比較多時outpuustream卡死，所以ｓｅｒｖｉｃｅ掛了如果不執行這種命令的話目前還沒發現其他問題，因為目前也不會一直執行這種命令，所以想著以後有機會再改！

 


Client:

#include 
#include 
#include 
#include 
#include 
#include 
#include 

int main(int argc, char *argv[]) {
int client_sockfd;
int len;
int i;
char sendline[17824];
struct sockaddr_in remote_addr; //服務器端網絡地址結構體
char buf[17824] = { '\0' }; //數據傳送的緩沖區

for (i = 1; i < argc; i++) {
strcat(buf, argv[i]);
printf("%s\n", buf);
strcat(buf, " ");
}
strcat(buf, " 2>&1\0");
//printf("%s\n", buf);

memset(&remote_addr, 0, sizeof(remote_addr)); //數據初始化--清零
remote_addr.sin_family = AF_INET; //設置為IP通信
remote_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); //服務器IP地址
remote_addr.sin_port = htons(40000); //服務器端口號

if((argc < 2 )||(strncmp(buf,"cct",3)==0)||(strncmp(buf,"su",2)==0)){
while(1){
fgets(sendline, 17824, stdin);
if(sendline[0]==10)
continue;
for(i=0;i<17824;i++){
if(sendline[i]==10){
sendline[i]=32;
break;
}
}
strcat(sendline," 2>&1\0");
//printf("sendline :%s\n", sendline);
if(strncmp(sendline,"exit",4)==0){
return 0;
}
if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}
/*將套接字綁定到服務器的網絡地址上*/
if (connect(client_sockfd, (struct sockaddr *) &remote_addr,
sizeof(struct sockaddr)) < 0) {
perror("connect");
return 1;
}

len = send(client_sockfd, sendline, strlen(sendline), 0);
len = recv(client_sockfd, buf, 17824, 0);
buf[len] = '\0';
if(strstr(buf,"not found")!=NULL){
write(2,buf,len);
}
else
printf("received:\n%s\n", buf);
close(client_sockfd);
}
return 0;
}
/*創建客戶端套接字--IPv4協議，面向連接通信，TCP協議*/
if ((client_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}
/*將套接字綁定到服務器的網絡地址上*/
if (connect(client_sockfd, (struct sockaddr *) &remote_addr,
sizeof(struct sockaddr)) < 0) {
perror("connect");
return 1;
}
len = send(client_sockfd, buf, strlen(buf), 0);
len = recv(client_sockfd, buf, 17824, 0);
buf[len] = '\0';
printf("received:\n%s\n", buf);
close(client_sockfd); //關閉套接字


return 0;
}



Service :


#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#define MAXFILE 65535 // 最大的文件描述符
char* result;
long lenght = 8192;

void executeCMD(const char *cmd) {

char buf_ps[8192];
char ps[8192] = { 0 };
int i = 1;
char *result2 = NULL;
FILE *ptr = NULL;
strcpy(ps, cmd);
if ((ptr = popen(ps, "r")) != NULL) {
result = (char *) malloc(lenght * sizeof(char));
char *result2 = (char *) malloc(lenght * sizeof(char));

while (fgets(buf_ps, 8192, ptr) != NULL) {
result = (char *) malloc(lenght * i * sizeof(char));
if (result2 != NULL)
strcpy(result, result2);
strcat(result, buf_ps);
i++;
result2 = (char *) malloc(lenght * (i - 1) * sizeof(char));
strcpy(result2, result);
}
pclose(ptr);
ptr = NULL;
} else {
printf("popen %s error\n", ps);
}

}

int main() {
pid_t pc;
int i, fd;
/*
pc = fork();

if (pc < 0) {
printf("error fork/n");
exit(1);
} else if (pc > 0)
exit(0); // 父進程退出 , 這個子進程變成孤兒進程 , 由 init 進程接管 ,
*/
setsid(); // 變為後台程序
chdir("/");
umask(0); // 對所有的權限開放
for (i = 0; i < MAXFILE; i++)
close(i); // 關閉所有的不需要的文件描述符

int server_sockfd; //服務器端套接字
int client_sockfd; //客戶端套接字
int len;
struct sockaddr_in my_addr; //服務器網絡地址結構體
struct sockaddr_in remote_addr; //客戶端網絡地址結構體
int sin_size;
char buf[8192]; //數據傳送的緩沖區
memset(&my_addr, 0, sizeof(my_addr)); //數據初始化--清零
my_addr.sin_family = AF_INET; //設置為IP通信
my_addr.sin_addr.s_addr = INADDR_ANY; //服務器IP地址--允許連接到所有本地地址上
my_addr.sin_port = htons(40000); //服務器端口號

/*創建服務器端套接字--IPv4協議，面向連接通信，TCP協議*/
if ((server_sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0) {
perror("socket");
return 1;
}

/*將套接字綁定到服務器的網絡地址上*/
if (bind(server_sockfd, (struct sockaddr *) &my_addr,
sizeof(struct sockaddr)) < 0) {
perror("bind");
return 1;
}

/*監聽連接請求--監聽隊列長度為5*/
listen(server_sockfd, 5);

sin_size = sizeof(struct sockaddr_in);

while (1) // 守護進程實現的服務
{

//printf("等待連接...\n");

if ((client_sockfd = accept(server_sockfd,
(struct sockaddr *) &remote_addr, &sin_size)) < 0) {
perror("accept");
//return 1;
}
//printf("接受到一個連接：%s \r\n", inet_ntoa(remote_addr.sin_addr));

if ((len = recv(client_sockfd, buf, 8192, 0)) > 0) {
buf[len] = '\0';
//printf("%s\n", buf);
executeCMD(buf);
if (strlen(result) == 0) {
strcpy(result, "Returing is null!");
}
if (send(client_sockfd, result, strlen(result), 0) < 0) {
perror("write");
//return 1;
}
}
close(client_sockfd);
}

close(server_sockfd);
return 0;
}