This post records some notes related to Android root.

The standard Linux security policy is called DAC (Discretionary Access Control). Its main mechanism is setting a file's read, write and execute permissions according to UID and GID, e.g. -rwxr-xr-x

The setuid bit (s)

e.g. -rwsr-xr-x

If a file is marked with s, anyone who executes it runs it with the identity of the file's owner.

Core approach

Android root, put simply, is copying the su binary into /system/bin or /system/xbin so that users can execute it.

cp /data/tmp/su /system/bin/      # copy su into the /system/ partition
chown root:root /system/bin/su    # set the owner of su to root (full path, since the cwd is not /system/bin)
chmod 4775 /system/bin/su         # set the setuid bit; 4775 yields -rwsrwxr-x, 4755 would be the -rwsr-xr-x shown above

All three steps require root, so the most important thing next is finding a vulnerability in a system process to get a shell and run the three steps above.

Bypassing SELinux

On Android 4.3 and below SELinux defaults to permissive; on some 4.4 builds and on 5.0 it is fully enforcing. In that case, invoking su will not necessarily be permitted.

There are two strategies to bypass it:

  • Inject into SELinux's security policy: the policy is fixed at boot time and cannot be modified directly
  • Disable SELinux

The ultimate goal of the first is to add permissive su to the security policy.

The second:

  • Open the /proc/filesystems file, search for the string “selinuxfs”, if the string exists, SELinux is running on this device.
  • If SELinux is running, open the /proc/mounts file, read the line that contains “selinuxfs”. In this line, we can extract the absolute path of SELinux directory.
  • Find a file named “enforce” in the SELinux directory, overwrite this file with a single “0”.
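The two checks above (does the mode string carry the s bit, and where is selinuxfs mounted) are the same checks a defender runs when auditing a device for a rooted state. The following shell script is an added example, not code from the original post: it parses constructed samples of `/proc/mounts` and of `ls -l /system/bin` output (the file names, sizes and mount paths in the samples are made up), reports the SELinux mode from the `enforce` file when one is present, and lists setuid binaries owned by root. It only reads; it never writes to `enforce`.

```sh
#!/bin/sh
# Added defender-side audit example; not code from the original post.
# The parsing functions take text as arguments so they can be exercised on
# the constructed samples below; on a device you would feed them the real
# /proc/mounts, the "enforce" file and `ls -l /system/bin` output.

# Constructed sample of /proc/mounts from a device with selinuxfs mounted.
SAMPLE_MOUNTS='rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime 0 0'

# Constructed sample of `ls -l /system/bin` output (toolbox column layout:
# mode owner group size date time name).
SAMPLE_LS='-rwxr-xr-x root shell  96424 2015-01-01 00:00 toolbox
-rwsr-xr-x root root   78036 2015-01-01 00:00 su
-rwxr-xr-x root shell  12344 2015-01-01 00:00 ping
-rwSr--r-- root root   78036 2015-01-01 00:00 oddsuid
-rwsrwxr-x shell shell 10000 2015-01-01 00:00 notroot'

# Print the mount point of selinuxfs found in /proc/mounts text (empty if
# none). Field 3 is the filesystem type, field 2 the mount point.
selinux_dir_from_mounts() {
    printf '%s\n' "$1" | awk '$3 == "selinuxfs" { print $2; exit }'
}

# Translate the content of the "enforce" file into a readable mode name.
selinux_mode_from_enforce() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Print the names of regular files whose mode string has the setuid bit set
# (4th character 's', or 'S' when the owner execute bit is clear) and whose
# owner (field 2) is root. These are the -rwsr-xr-x files the text
# describes: anyone running them runs as root.
setuid_root_from_ls() {
    printf '%s\n' "$1" | awk '
        substr($1, 1, 1) == "-" &&
        (substr($1, 4, 1) == "s" || substr($1, 4, 1) == "S") &&
        $2 == "root" { print $NF }'
}

# Report the live SELinux state when run on a device; falls back to the
# sample mounts table when /proc/mounts is not readable.
live_selinux_report() {
    mounts=$(cat /proc/mounts 2>/dev/null || printf '%s' "$SAMPLE_MOUNTS")
    dir=$(selinux_dir_from_mounts "$mounts")
    if [ -z "$dir" ]; then
        echo "selinuxfs not mounted: SELinux is not active"
        return 0
    fi
    state=$(cat "$dir/enforce" 2>/dev/null || true)
    echo "selinuxfs at $dir, mode: $(selinux_mode_from_enforce "$state")"
}

live_selinux_report
echo "setuid-root binaries in sample listing:"
setuid_root_from_ls "$SAMPLE_LS"
```

On a device the listing check is `setuid_root_from_ls "$(ls -l /system/bin /system/xbin)"`; a setuid-root `su` appearing there, or `enforce` reading 0 on a build that ships enforcing, is the observable footprint of the procedure this post describes.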

Some other background:

Since the SELinux Policy restricts full access to the device, in order to achieve root some of those restrictions need to be bypassed. How this is performed varies, but the end goal is the same: inject new permissions into the SELinux Policy to allow the root implementation full access to the device. If the root implementation is ethical then it should only inject permissions related to providing root access. Since root apps will likely require permissions not included in a device's stock SELinux Policy, most root implementations provide tools for injecting permissions into the SELinux Policy at runtime (selinux-inject, supolicy & magiskpolicy). Most root implementations also provide locations for startup scripts which are executed in a root context. These tools and scripts are used legitimately by the root implementation to maintain root access and by root apps to maintain stable functionality.
