

    su命令的源码在android中的\system\extras\su目录下面,研究代码我们发现,su命令最后其实调用的就是execvp函数,只不过他自己的权限要求是6755,有s位,所以在调用的时候会变成root,顺带着execvp函数执行的命令也变成root了,原理简单,那么接下来我们就要思考如何才能使客户的apk获得root权限,其他未经授权的不允许呢,答案也简单,那就是通过包名,每个apk的包名是不一样的。我们允许客户的apk能够执行su命令,而其他的则不行。 那么我们怎么才能在C代码中获取包名呢,我们研究Linux发现,在su命令中,可以通过getppid函数获取父进程的pid,也就是apk的进程pid,如果你用adb进入android系统,在proc目录下,你会发现这么一堆东西,

** Copyright 2008, The Android Open Source Project
** Licensed under the Apache License, Version 2.0 (the "License"); 
** you may not use this file except in compliance with the License. 
** You may obtain a copy of the License at 
** Unless required by applicable law or agreed to in writing, software 
** distributed under the License is distributed on an "AS IS" BASIS, 
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
** See the License for the specific language governing permissions and 
** limitations under the License.

#define LOG_TAG "su"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>

#include <unistd.h>
#include <time.h>

#include <pwd.h>

// cxj add
#include <fcntl.h>

#include <private/android_filesystem_config.h>

 * SU can be given a specific command to exec. UID _must_ be
 * specified for this (ie argc => 3).
 * Usage:
 * su 1000
 * su 1000 ls -l
int main(int argc, char **argv)
    struct passwd *pw;
    int uid, gid, myuid;

	// cxj modify
	#if 0
	/* Until we have something better, only root and the shell can use su. */
    myuid = getuid();
    if (myuid != AID_ROOT && myuid != AID_SHELL) {
        fprintf(stderr,"su: uid %d not allowed to su\n", myuid);
        return 1;
	char *delim = " ";
	char *p = NULL;
	char cmdline[512];
	int myfd;
    sprintf(cmdline, "/proc/%d/cmdline", getppid());
	myfd = open(cmdline, O_RDONLY);
    if (myfd >= 0)
		memset(cmdline, 0x00, 512);
		read(myfd, cmdline, 512);
		p = strtok(cmdline, delim);
		if (p != NULL)
			if (0 == strcmp(p, "com.redphx.markethelper"))
				// su allow, now to exe ...
				return 1;

    if(argc < 2) {
        uid = gid = 0;
    } else {
        pw = getpwnam(argv[1]);

        if(pw == 0) {
            uid = gid = atoi(argv[1]);
        } else {
            uid = pw->pw_uid;
            gid = pw->pw_gid;

    if(setgid(gid) || setuid(uid)) {
        fprintf(stderr,"su: permission denied\n");
        return 1;

    /* User specified command for exec. */
    if (argc == 3 ) {
        if (execlp(argv[2], argv[2], NULL) < 0) {
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
            return -errno;
    } else if (argc > 3) {
        /* Copy the rest of the args from main. */
        char *exec_args[argc - 1];
        memset(exec_args, 0, sizeof(exec_args));
        memcpy(exec_args, &argv[2], sizeof(exec_args));
        if (execvp(argv[2], exec_args) < 0) {
            fprintf(stderr, "su: exec failed for %s Error:%s\n", argv[2],
            return -errno;

    /* Default exec shell. */
    execlp("/system/bin/sh", "sh", NULL);

    fprintf(stderr, "su: exec failed\n");
    return 1;



su命令中启动android activity的方法为调用shell命令:

am start -a android.intent.action.MAIN -n com.koushikdutta.superuser/com.koushikdutta.superuser.SuperuserRequestActivity


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
#include <errno.h>
#include <sys/stat.h>

#include <unistd.h>
#include <time.h>

#include <pwd.h>

#include <sqlite3.h>

#define DBPATH "/data/data/com.koushikdutta.superuser/databases/superuser.sqlite"

static int g_puid;

static void printRow(int argc, char** argv, char** azColName)
	int i;
	for (i = 0; i < argc; i++)
		printf("%s: %s\n", azColName[i], argv[i]);

typedef struct whitelistCallInfo whitelistCallInfo;
struct whitelistCallInfo
	sqlite3* db;
	int count;

static int whitelistCallback(void *data, int argc, char **argv, char **azColName)
	whitelistCallInfo* callInfo = (whitelistCallInfo*)data;
	// note the count
	int count = atoi(argv[2]);
	callInfo->count = count;
	// remove whitelist entries that are expired
	if (count - 1 <= 0)
		char remove[1024];
		sprintf(remove, "delete from whitelist where _id='%s';", argv[0]);
		sqlite3_exec(callInfo->db, remove, NULL, NULL, NULL);
		return 0;

	char update[1024];
	sprintf(update, "update whitelist set count=%d where _id='%s';", count, argv[0]);
	sqlite3_exec(callInfo->db, update, NULL, NULL, NULL);
	return 0;

static int checkWhitelist()
	sqlite3 *db;
	int rc = sqlite3_open_v2(DBPATH, &db, SQLITE_OPEN_READWRITE, NULL);
	if (!rc)
		char *errorMessage;
		char query[1024];
		sprintf(query, "select * from whitelist where _id=%d limit 1;", g_puid);
		struct whitelistCallInfo callInfo;
		callInfo.count = 0;
		callInfo.db = db;
		rc = sqlite3_exec(db, query, whitelistCallback, &callInfo, &errorMessage);
		if (rc != SQLITE_OK)
			return 0;
		return callInfo.count;
	return 0;

static int executionFailure(char *context)
	fprintf(stderr, "su: %s. Error:%s\n", context, strerror(errno));
	return -errno;

static int permissionDenied()
	// the superuser activity couldn't be started
	printf("su: permission denied\n");
	return 1;

int main(int argc, char **argv)
	struct stat stats;
	struct passwd *pw;
	int uid = 0;
	int gid = 0;

	int ppid = getppid();
	char szppid[256];
	sprintf(szppid, "/proc/%d", ppid);
	stat(szppid, &stats);
	g_puid = stats.st_uid;

	// lets make sure the caller is allowed to execute this
	if (!checkWhitelist())
		char sysCmd[1024];
		sprintf(sysCmd, "am start -a android.intent.action.MAIN -n com.koushikdutta.superuser/com.koushikdutta.superuser.SuperuserRequestActivity --ei uid %d --ei pid %d > /dev/null", g_puid, ppid);
		if (system(sysCmd))
			return executionFailure("am.");

		int found = 0;
		int i;
		for (i = 0; i < 10; i++)
			// 0 means waiting for user input
			// > 0 means yes/always
			// < 0 means no
			int checkResult = checkWhitelist();
			if (checkResult > 0)
				found = 1;
			else if (checkResult < 0)
				// user hit no
				return permissionDenied();

		if (!found)
			return permissionDenied();

	if(setgid(gid) || setuid(uid)) 
		return permissionDenied();

	char *exec_args[argc + 1];
	exec_args[argc] = NULL;
	exec_args[0] = "sh";
	int i;
	for (i = 1; i < argc; i++)
		exec_args[i] = argv[i];
	execv("/system/bin/sh", exec_args);
	return executionFailure("sh");