adb root/adb reboot/adb remount实现简易剖析

元始天尊

/system/core/adb/commandline.c

1. 
   
2. int adb_commandline(int argc, char **argv){
   
3. ...............//总分支
   
4.     if(!strcmp(argv[0], "remount") || !strcmp(argv[0], "reboot")
   
5.             || !strcmp(argv[0], "reboot-bootloader")
   
6.             || !strcmp(argv[0], "tcpip") || !strcmp(argv[0], "usb")
   
7.             || !strcmp(argv[0], "root")) {
   
8.         char command[100];
   
9.         if (!strcmp(argv[0], "reboot-bootloader"))
   
10.             snprintf(command, sizeof(command), "reboot:bootloader");
    
11.         else if (argc > 1)
    
12.             snprintf(command, sizeof(command), "%s:%s", argv[0], argv[1]);
    
13.         else
    
14.             snprintf(command, sizeof(command), "%s:", argv[0]);
    
15.         int fd = adb_connect(command);
    
16.         if(fd >= 0) {
    
17.             read_and_dump(fd);
    
18.             adb_close(fd);
    
19.             return 0;
    
20.         }
    
21.         fprintf(stderr,"error: %s\n", adb_error());
    
22.         return 1;
    
23.     }
    
24. }
    
25. 
    
26. //service.c
    
27. int service_to_fd(const char *name)
    
28. else if(!strncmp(name, "remount:", 8)) {
    
29.         ret = create_service_thread(remount_service, NULL);
    
30.     } else if(!strncmp(name, "reboot:", 7)) {
    
31.         void* arg = strdup(name + 7);
    
32.         if(arg == 0) return -1;
    
33.         ret = create_service_thread(reboot_service, arg);
    
34.     } else if(!strncmp(name, "root:", 5)) {
    
35.         ret = create_service_thread(restart_root_service, NULL);
    
36.     }
    
37. 
    

复制代码

/remount_service.c

1. 
   
2. static int remount_system()
   
3. {
   
4.     char *dev;
   
5. 
   
6.     if (system_ro == 0) {
   
7.         return 0;
   
8.     }
   
9. 
   
10.     dev = find_mount("/system");
    
11. 
    
12.     if (!dev)
    
13.         return -1;
    
14. 
    
15.     system_ro = mount(dev, "/system", "none", MS_REMOUNT, NULL);
    
16. 
    
17.     free(dev);
    
18. 
    
19.     return system_ro;
    
20. }
    

复制代码

/reboot_service

1. 
   
2. void reboot_service(int fd, void *arg)
   
3. {
   
4.     char buf[100];
   
5.     int pid, ret;
   
6. 
   
7.     sync();
   
8. 
   
9.     /* Attempt to unmount the SD card first.
   
10.      * No need to bother checking for errors.
    
11.      */
    
12.     pid = fork();
    
13.     if (pid == 0) {
    
14.         /* ask vdc to unmount it */
    
15.         execl("/system/bin/vdc", "/system/bin/vdc", "volume", "unmount",
    
16.                 getenv("EXTERNAL_STORAGE"), "force", NULL);
    
17.     } else if (pid > 0) {
    
18.         /* wait until vdc succeeds or fails */
    
19.         waitpid(pid, &ret, 0);
    
20.     }
    
21. 
    
22.     ret = android_reboot(ANDROID_RB_RESTART2, 0, (char *) arg);
    
23.     if (ret < 0) {
    
24.         snprintf(buf, sizeof(buf), "reboot failed: %s\n", strerror(errno));
    
25.         writex(fd, buf, strlen(buf));
    
26.     }
    
27.     free(arg);
    
28.     adb_close(fd);
    
29. }
    
30. 
    
31. //system/core/libcutils/android_reboot.c
    
32. int android_reboot(int cmd, int flags, char *arg)
    
33. {
    
34.     int ret;
    
35. 
    
36.     if (!(flags & ANDROID_RB_FLAG_NO_SYNC))
    
37.         sync();
    
38. 
    
39.     if (!(flags & ANDROID_RB_FLAG_NO_REMOUNT_RO))
    
40.         remount_ro();
    
41. 
    
42.     switch (cmd) {
    
43.         case ANDROID_RB_RESTART:
    
44.             ret = reboot(RB_AUTOBOOT);
    
45.             break;
    
46. 
    
47.         case ANDROID_RB_POWEROFF:
    
48.             ret = reboot(RB_POWER_OFF);
    
49.             break;
    
50. 
    
51.         case ANDROID_RB_RESTART2:
    
52.             ret = __reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
    
53.                            LINUX_REBOOT_CMD_RESTART2, arg);
    
54.             break;
    
55. 
    
56.         default:
    
57.             ret = -1;
    
58.     }
    
59. 
    
60.     return ret;
    
61. }
    
62. //bionic/libc/arch-arm/syscalls/__reboot.S
    
63. ENTRY(__reboot)
    
64.     mov     ip, r7
    
65.     ldr     r7, =__NR_reboot
    
66.     swi     #0
    
67.     mov     r7, ip
    
68.     cmn     r0, #(MAX_ERRNO + 1)
    
69.     bxls    lr
    
70.     neg     r0, r0
    
71.     b       __set_errno_internal
    
72. END(__reboot)
    
73. 
    

复制代码

/root

1. 
   
2. void restart_root_service(int fd, void *cookie)
   
3. {
   
4.     char buf[100];
   
5.     char value[PROPERTY_VALUE_MAX];
   
6. 
   
7.     if (getuid() == 0) {
   
8.         snprintf(buf, sizeof(buf), "adbd is already running as root\n");
   
9.         writex(fd, buf, strlen(buf));
   
10.         adb_close(fd);
    
11.     } else {
    
12.         property_get("ro.debuggable", value, "");
    
13.         if (strcmp(value, "1") != 0) {
    
14.             snprintf(buf, sizeof(buf), "adbd cannot run as root in production builds\n");
    
15.             writex(fd, buf, strlen(buf));
    
16.             adb_close(fd);
    
17.             return;
    
18.         }
    
19. 
    
20.         property_set("service.adb.root", "1");
    
21.         snprintf(buf, sizeof(buf), "restarting adbd as root\n");
    
22.         writex(fd, buf, strlen(buf));
    
23.         adb_close(fd);
    
24.     }
    
25. }
    
26. static int should_drop_privileges() {
    
27. #ifndef ALLOW_ADBD_ROOT
    
28.     return 1;
    
29. #else /* ALLOW_ADBD_ROOT */
    
30.     int secure = 0;
    
31.     char value[PROPERTY_VALUE_MAX];
    
32. 
    
33.    /* run adbd in secure mode if ro.secure is set and
    
34.     ** we are not in the emulator
    
35.     */
    
36.     property_get("ro.kernel.qemu", value, "");
    
37.     if (strcmp(value, "1") != 0) {
    
38.         property_get("ro.secure", value, "1");
    
39.         if (strcmp(value, "1") == 0) {
    
40.             // don't run as root if ro.secure is set...
    
41.             secure = 1;
    
42. 
    
43.             // ... except we allow running as root in userdebug builds if the
    
44.             // service.adb.root property has been set by the "adb root" command
    
45.             property_get("ro.debuggable", value, "");
    
46.             if (strcmp(value, "1") == 0) {
    
47.                 property_get("service.adb.root", value, "");
    
48.                 if (strcmp(value, "1") == 0) {
    
49.                     secure = 0;
    
50.                 }
    
51.             }
    
52.         }
    
53.     }
    
54.     return secure;
    
55. #endif /* ALLOW_ADBD_ROOT */
    
56. }
    
57. int adb_main(int is_daemon, int server_port){
    
58. .....................
    
59.     if (should_drop_privileges()) {
    
60.         struct __user_cap_header_struct header;
    
61.         struct __user_cap_data_struct cap;
    
62. 
    
63.         if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) {
    
64.             exit(1);
    
65.         }
    
66. 
    
67.         /* add extra groups:
    
68.         ** AID_ADB to access the USB driver
    
69.         ** AID_LOG to read system logs (adb logcat)
    
70.         ** AID_INPUT to diagnose input issues (getevent)
    
71.         ** AID_INET to diagnose network issues (netcfg, ping)
    
72.         ** AID_GRAPHICS to access the frame buffer
    
73.         ** AID_NET_BT and AID_NET_BT_ADMIN to diagnose bluetooth (hcidump)
    
74.         ** AID_SDCARD_R to allow reading from the SD card
    
75.         ** AID_SDCARD_RW to allow writing to the SD card
    
76.         ** AID_MOUNT to allow unmounting the SD card before rebooting
    
77.         ** AID_NET_BW_STATS to read out qtaguid statistics
    
78.         */
    
79.         gid_t groups[] = { AID_ADB, AID_LOG, AID_INPUT, AID_INET, AID_GRAPHICS,
    
80.                            AID_NET_BT, AID_NET_BT_ADMIN, AID_SDCARD_R, AID_SDCARD_RW,
    
81.                            AID_MOUNT, AID_NET_BW_STATS };
    
82.         if (setgroups(sizeof(groups)/sizeof(groups[0]), groups) != 0) {
    
83.             exit(1);
    
84.         }
    
85. 
    
86.         /* then switch user and group to "shell" */
    
87.         if (setgid(AID_SHELL) != 0) {
    
88.             exit(1);
    
89.         }
    
90.         if (setuid(AID_SHELL) != 0) {
    
91.             exit(1);
    
92.         }
    
93. 
    
94.         /* set CAP_SYS_BOOT capability, so "adb reboot" will succeed */
    
95.         header.version = _LINUX_CAPABILITY_VERSION;
    
96.         header.pid = 0;
    
97.         cap.effective = cap.permitted = (1 << CAP_SYS_BOOT);
    
98.         cap.inheritable = 0;
    
99.         capset(&header, &cap);
    
100. 
     
101.         D("Local port disabled\n");
     
102.     } else {
     
103.         char local_name[30];
     
104.         build_local_name(local_name, sizeof(local_name), server_port);
     
105.         if(install_listener(local_name, "*smartsocket*", NULL)) {
     
106.             exit(1);
     
107.         }
     
108.     }
     
109. 
     
110. }
     
111. 
     
112. 
     

复制代码