adb/Android.mk +1 −1 @@ -345,11 +345,11 @@ LOCAL_CFLAGS := \ -D_GNU_SOURCE \ -D_GNU_SOURCE \ -Wno-deprecated-declarations \ -Wno-deprecated-declarations \ LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0) LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0) LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0) ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1 LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1 LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1 endif endif LOCAL_MODULE := adbd LOCAL_MODULE := adbd adb/daemon/main.cpp +9 −15
@@ -49,23 +49,17 @@ static const char* root_seclabel = nullptr; static const char* root_seclabel = nullptr; static inline bool is_device_unlocked() { return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", ""); } static void drop_capabilities_bounding_set_if_needed(struct minijail *j) { static void drop_capabilities_bounding_set_if_needed(struct minijail *j) { if (ALLOW_ADBD_ROOT || is_device_unlocked()) { #if defined(ALLOW_ADBD_ROOT) if (__android_log_is_debuggable()) { if (__android_log_is_debuggable()) { return; return; } } } #endif minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); } } static bool should_drop_privileges() { static bool should_drop_privileges() { // "adb root" not allowed, always drop privileges. #if defined(ALLOW_ADBD_ROOT) if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true; // The properties that affect `adb root` and `adb unroot` are ro.secure and // The properties that affect `adb root` and `adb unroot` are ro.secure and // ro.debuggable. In this context the names don't make the expected behavior // ro.debuggable. In this context the names don't make the expected behavior // particularly obvious. // particularly obvious. @@ -95,6 +89,9 @@ static bool should_drop_privileges() { } } return drop; return drop; #else return true; // "adb root" not allowed, always drop privileges. #endif // ALLOW_ADBD_ROOT } } static void drop_privileges(int server_port) { static void drop_privileges(int server_port) {
@@ -161,10 +158,7 @@ int adbd_main(int server_port) { // descriptor will always be open. // descriptor will always be open. adbd_cloexec_auth_socket(); adbd_cloexec_auth_socket(); // Respect ro.adb.secure in userdebug/eng builds (ALLOW_ADBD_NO_AUTH), or when the if (ALLOW_ADBD_NO_AUTH && !android::base::GetBoolProperty("ro.adb.secure", false)) { // device is unlocked. if ((ALLOW_ADBD_NO_AUTH || is_device_unlocked()) && !android::base::GetBoolProperty("ro.adb.secure", false)) { auth_required = false; auth_required = false; } }
adb/Android.mk +1 −1 @@ -345,11 +345,11 @@ LOCAL_CFLAGS := \ -D_GNU_SOURCE \ -D_GNU_SOURCE \ -Wno-deprecated-declarations \ -Wno-deprecated-declarations \ LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0) LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0) LOCAL_CFLAGS += -DALLOW_ADBD_NO_AUTH=$(if $(filter userdebug eng,$(TARGET_BUILD_VARIANT)),1,0) ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1 LOCAL_CFLAGS += -DALLOW_ADBD_DISABLE_VERITY=1 LOCAL_CFLAGS += -DALLOW_ADBD_ROOT=1 endif endif LOCAL_MODULE := adbd LOCAL_MODULE := adbd
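Review bot: `ALLOW_ADBD_ROOT` and the neighbouring `ALLOW_ADBD_NO_AUTH` now follow different conventions in this hunk, and nothing records it: one is defined as `=1` only inside the userdebug/eng `ifneq` block, the other is always defined through `$(if ...,1,0)`. The matching guards in adb/daemon/main.cpp (`drop_capabilities_bounding_set_if_needed` and `should_drop_privileges`) use `#if defined(ALLOW_ADBD_ROOT)`, which tests existence rather than value. A product makefile that passes `-DALLOW_ADBD_ROOT=0`, the form the `$(if ...,1,0)` variant of this line yields for user builds, would therefore still compile the `adb root` path in. I would make the guards value-aware, `#if defined(ALLOW_ADBD_ROOT) && ALLOW_ADBD_ROOT`, or at least add `# ALLOW_ADBD_ROOT is tested with #if defined(); never define it to 0.` above the `ifneq`.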
adb/daemon/main.cpp +9 −15 @@ -49,23 +49,17 @@ static const char* root_seclabel = nullptr; static const char* root_seclabel = nullptr; static inline bool is_device_unlocked() { return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", ""); } static void drop_capabilities_bounding_set_if_needed(struct minijail *j) { static void drop_capabilities_bounding_set_if_needed(struct minijail *j) { if (ALLOW_ADBD_ROOT || is_device_unlocked()) { #if defined(ALLOW_ADBD_ROOT) if (__android_log_is_debuggable()) { if (__android_log_is_debuggable()) { return; return; } } } #endif minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); minijail_capbset_drop(j, CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID)); } } static bool should_drop_privileges() { static bool should_drop_privileges() { // "adb root" not allowed, always drop privileges. #if defined(ALLOW_ADBD_ROOT) if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true; // The properties that affect `adb root` and `adb unroot` are ro.secure and // The properties that affect `adb root` and `adb unroot` are ro.secure and // ro.debuggable. In this context the names don't make the expected behavior // ro.debuggable. In this context the names don't make the expected behavior // particularly obvious. // particularly obvious. @@ -95,6 +89,9 @@ static bool should_drop_privileges() { } } return drop; return drop; #else return true; // "adb root" not allowed, always drop privileges. #endif // ALLOW_ADBD_ROOT } } static void drop_privileges(int server_port) { static void drop_privileges(int server_port) {
@@ -161,10 +158,7 @@ int adbd_main(int server_port) { // descriptor will always be open. // descriptor will always be open. adbd_cloexec_auth_socket(); adbd_cloexec_auth_socket(); // Respect ro.adb.secure in userdebug/eng builds (ALLOW_ADBD_NO_AUTH), or when the if (ALLOW_ADBD_NO_AUTH && !android::base::GetBoolProperty("ro.adb.secure", false)) { // device is unlocked. if ((ALLOW_ADBD_NO_AUTH || is_device_unlocked()) && !android::base::GetBoolProperty("ro.adb.secure", false)) { auth_required = false; auth_required = false; } }
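Review bot: The `ro.adb.secure` check in `adbd_main` loses its explanatory comment entirely, although only the "or when the device is unlocked" half became stale, so the one line that turns ADB authentication off is now undocumented. I would keep `// Respect ro.adb.secure in userdebug/eng builds (ALLOW_ADBD_NO_AUTH).` above the `if`. The comment should also state that `GetBoolProperty("ro.adb.secure", false)` treats a missing property as not secure, so with `ALLOW_ADBD_NO_AUTH` set an unset property makes the branch assign `auth_required = false`; if that default is intentional, say so there. `adbd_main` starts and continues outside this hunk.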