| # Copyright (C) 2012 The Android Open Source Project |
| # |
| # IMPORTANT: Do not create world writable files or directories. |
| # This is a common source of Android security bugs. |
| # |
| |
| import /init.environ.rc |
| import /system/etc/init/hw/init.usb.rc |
| import /init.${ro.hardware}.rc |
| import /vendor/etc/init/hw/init.${ro.hardware}.rc |
| import /system/etc/init/hw/init.usb.configfs.rc |
| import /system/etc/init/hw/init.${ro.zygote}.rc |
| |
| # Cgroups are mounted right before early-init using list from /etc/cgroups.json |
| on early-init |
| # Disable sysrq from keyboard |
| write /proc/sys/kernel/sysrq 0 |
| |
| # Android doesn't need kernel module autoloading, and it causes SELinux |
| # denials. So disable it by setting modprobe to the empty string. Note: to |
| # explicitly set a sysctl to an empty string, a trailing newline is needed. |
| write /proc/sys/kernel/modprobe \n |
| |
| # Set the security context of /adb_keys if present. |
| restorecon /adb_keys |
| |
| # Set the security context of /postinstall if present. |
| restorecon /postinstall |
| |
| mkdir /acct/uid |
| |
| # memory.pressure_level used by lmkd |
| chown root system /dev/memcg/memory.pressure_level |
| chmod 0040 /dev/memcg/memory.pressure_level |
| # app mem cgroups, used by activity manager, lmkd and zygote |
| mkdir /dev/memcg/apps/ 0755 system system |
| # cgroup for system_server and surfaceflinger |
| mkdir /dev/memcg/system 0550 system system |
| |
| # symlink the Android specific /dev/tun to Linux expected /dev/net/tun |
| mkdir /dev/net 0755 root root |
| symlink ../tun /dev/net/tun |
| |
| # set RLIMIT_NICE to allow priorities from 19 to -20 |
| setrlimit nice 40 40 |
| |
| # Allow up to 32K FDs per process |
| setrlimit nofile 32768 32768 |
| |
| # set RLIMIT_MEMLOCK to 64KB |
| setrlimit memlock 65536 65536 |
| |
| # Set up linker config subdirectories based on mount namespaces |
| mkdir /linkerconfig/bootstrap 0755 |
| mkdir /linkerconfig/default 0755 |
| |
| # Disable dm-verity hash prefetching, since it doesn't help performance |
| # Read more in b/136247322 |
| write /sys/module/dm_verity/parameters/prefetch_cluster 0 |
| |
| # Generate empty ld.config.txt for early executed processes which rely on |
| # /system/lib libraries. |
| write /linkerconfig/bootstrap/ld.config.txt \# |
| write /linkerconfig/default/ld.config.txt \# |
| chmod 644 /linkerconfig/bootstrap/ld.config.txt |
| chmod 644 /linkerconfig/default/ld.config.txt |
| |
| # Mount bootstrap linker configuration as current |
| mount none /linkerconfig/bootstrap /linkerconfig bind rec |
| |
| start ueventd |
| |
| # Run apexd-bootstrap so that APEXes that provide critical libraries |
| # become available. Note that this is executed as exec_start to ensure that |
| # the libraries are available to the processes started after this statement. |
| exec_start apexd-bootstrap |
| |
| # Generate linker config based on apex mounted in bootstrap namespace |
| update_linker_config |
| |
| # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run. |
| mkdir /dev/boringssl 0755 root root |
| mkdir /dev/boringssl/selftest 0755 root root |
| |
| # Mount tracefs (with GID=AID_READTRACEFS) |
| mount tracefs tracefs /sys/kernel/tracing gid=3012 |
| |
| # create sys dirctory |
| mkdir /dev/sys 0755 system system |
| mkdir /dev/sys/fs 0755 system system |
| mkdir /dev/sys/block 0755 system system |
| |
| # Create location for fs_mgr to store abbreviated output from filesystem |
| # checker programs. |
| mkdir /dev/fscklogs 0770 root system |
| |
| on init |
| sysclktz 0 |
| |
| # Mix device-specific information into the entropy pool |
| copy /proc/cmdline /dev/urandom |
| copy /system/etc/prop.default /dev/urandom |
| |
| symlink /proc/self/fd/0 /dev/stdin |
| symlink /proc/self/fd/1 /dev/stdout |
| symlink /proc/self/fd/2 /dev/stderr |
| |
| # Create energy-aware scheduler tuning nodes |
| mkdir /dev/stune/foreground |
| mkdir /dev/stune/background |
| mkdir /dev/stune/top-app |
| mkdir /dev/stune/rt |
| chown system system /dev/stune |
| chown system system /dev/stune/foreground |
| chown system system /dev/stune/background |
| chown system system /dev/stune/top-app |
| chown system system /dev/stune/rt |
| chown system system /dev/stune/tasks |
| chown system system /dev/stune/foreground/tasks |
| chown system system /dev/stune/background/tasks |
| chown system system /dev/stune/top-app/tasks |
| chown system system /dev/stune/rt/tasks |
| chown system system /dev/stune/cgroup.procs |
| chown system system /dev/stune/foreground/cgroup.procs |
| chown system system /dev/stune/background/cgroup.procs |
| chown system system /dev/stune/top-app/cgroup.procs |
| chown system system /dev/stune/rt/cgroup.procs |
| chmod 0664 /dev/stune/tasks |
| chmod 0664 /dev/stune/foreground/tasks |
| chmod 0664 /dev/stune/background/tasks |
| chmod 0664 /dev/stune/top-app/tasks |
| chmod 0664 /dev/stune/rt/tasks |
| chmod 0664 /dev/stune/cgroup.procs |
| chmod 0664 /dev/stune/foreground/cgroup.procs |
| chmod 0664 /dev/stune/background/cgroup.procs |
| chmod 0664 /dev/stune/top-app/cgroup.procs |
| chmod 0664 /dev/stune/rt/cgroup.procs |
| |
| # cpuctl hierarchy for devices using utilclamp |
| mkdir /dev/cpuctl/foreground |
| mkdir /dev/cpuctl/background |
| mkdir /dev/cpuctl/top-app |
| mkdir /dev/cpuctl/rt |
| mkdir /dev/cpuctl/system |
| mkdir /dev/cpuctl/system-background |
| mkdir /dev/cpuctl/dex2oat |
| chown system system /dev/cpuctl |
| chown system system /dev/cpuctl/foreground |
| chown system system /dev/cpuctl/background |
| chown system system /dev/cpuctl/top-app |
| chown system system /dev/cpuctl/rt |
| chown system system /dev/cpuctl/system |
| chown system system /dev/cpuctl/system-background |
| chown system system /dev/cpuctl/dex2oat |
| chown system system /dev/cpuctl/tasks |
| chown system system /dev/cpuctl/foreground/tasks |
| chown system system /dev/cpuctl/background/tasks |
| chown system system /dev/cpuctl/top-app/tasks |
| chown system system /dev/cpuctl/rt/tasks |
| chown system system /dev/cpuctl/system/tasks |
| chown system system /dev/cpuctl/system-background/tasks |
| chown system system /dev/cpuctl/dex2oat/tasks |
| chown system system /dev/cpuctl/cgroup.procs |
| chown system system /dev/cpuctl/foreground/cgroup.procs |
| chown system system /dev/cpuctl/background/cgroup.procs |
| chown system system /dev/cpuctl/top-app/cgroup.procs |
| chown system system /dev/cpuctl/rt/cgroup.procs |
| chown system system /dev/cpuctl/system/cgroup.procs |
| chown system system /dev/cpuctl/system-background/cgroup.procs |
| chown system system /dev/cpuctl/dex2oat/cgroup.procs |
| chmod 0664 /dev/cpuctl/tasks |
| chmod 0664 /dev/cpuctl/foreground/tasks |
| chmod 0664 /dev/cpuctl/background/tasks |
| chmod 0664 /dev/cpuctl/top-app/tasks |
| chmod 0664 /dev/cpuctl/rt/tasks |
| chmod 0664 /dev/cpuctl/system/tasks |
| chmod 0664 /dev/cpuctl/system-background/tasks |
| chmod 0664 /dev/cpuctl/dex2oat/tasks |
| chmod 0664 /dev/cpuctl/cgroup.procs |
| chmod 0664 /dev/cpuctl/foreground/cgroup.procs |
| chmod 0664 /dev/cpuctl/background/cgroup.procs |
| chmod 0664 /dev/cpuctl/top-app/cgroup.procs |
| chmod 0664 /dev/cpuctl/rt/cgroup.procs |
| chmod 0664 /dev/cpuctl/system/cgroup.procs |
| chmod 0664 /dev/cpuctl/system-background/cgroup.procs |
| chmod 0664 /dev/cpuctl/dex2oat/cgroup.procs |
| |
| # Create a cpu group for NNAPI HAL processes |
| mkdir /dev/cpuctl/nnapi-hal |
| chown system system /dev/cpuctl/nnapi-hal |
| chown system system /dev/cpuctl/nnapi-hal/tasks |
| chown system system /dev/cpuctl/nnapi-hal/cgroup.procs |
| chmod 0664 /dev/cpuctl/nnapi-hal/tasks |
| chmod 0664 /dev/cpuctl/nnapi-hal/cgroup.procs |
| write /dev/cpuctl/nnapi-hal/cpu.uclamp.min 1 |
| write /dev/cpuctl/nnapi-hal/cpu.uclamp.latency_sensitive 1 |
| |
| # Create a cpu group for camera daemon processes |
| mkdir /dev/cpuctl/camera-daemon |
| chown system system /dev/cpuctl/camera-daemon |
| chown system system /dev/cpuctl/camera-daemon/tasks |
| chown system system /dev/cpuctl/camera-daemon/cgroup.procs |
| chmod 0664 /dev/cpuctl/camera-daemon/tasks |
| chmod 0664 /dev/cpuctl/camera-daemon/cgroup.procs |
| |
| # Create an stune group for camera-specific processes |
| mkdir /dev/stune/camera-daemon |
| chown system system /dev/stune/camera-daemon |
| chown system system /dev/stune/camera-daemon/tasks |
| chown system system /dev/stune/camera-daemon/cgroup.procs |
| chmod 0664 /dev/stune/camera-daemon/tasks |
| chmod 0664 /dev/stune/camera-daemon/cgroup.procs |
| |
| # Create an stune group for NNAPI HAL processes |
| mkdir /dev/stune/nnapi-hal |
| chown system system /dev/stune/nnapi-hal |
| chown system system /dev/stune/nnapi-hal/tasks |
| chown system system /dev/stune/nnapi-hal/cgroup.procs |
| chmod 0664 /dev/stune/nnapi-hal/tasks |
| chmod 0664 /dev/stune/nnapi-hal/cgroup.procs |
| write /dev/stune/nnapi-hal/schedtune.boost 1 |
| write /dev/stune/nnapi-hal/schedtune.prefer_idle 1 |
| |
| # Create blkio group and apply initial settings. |
| # This feature needs kernel to support it, and the |
| # device's init.rc must actually set the correct values. |
| mkdir /dev/blkio/background |
| chown system system /dev/blkio |
| chown system system /dev/blkio/background |
| chown system system /dev/blkio/tasks |
| chown system system /dev/blkio/background/tasks |
| chown system system /dev/blkio/cgroup.procs |
| chown system system /dev/blkio/background/cgroup.procs |
| chmod 0664 /dev/blkio/tasks |
| chmod 0664 /dev/blkio/background/tasks |
| chmod 0664 /dev/blkio/cgroup.procs |
| chmod 0664 /dev/blkio/background/cgroup.procs |
| write /dev/blkio/blkio.weight 1000 |
| write /dev/blkio/background/blkio.weight 200 |
| write /dev/blkio/background/blkio.bfq.weight 10 |
| write /dev/blkio/blkio.group_idle 0 |
| write /dev/blkio/background/blkio.group_idle 0 |
| |
| restorecon_recursive /mnt |
| |
| mount configfs none /config nodev noexec nosuid |
| chmod 0770 /config/sdcardfs |
| chown system package_info /config/sdcardfs |
| |
| # Mount binderfs |
| mkdir /dev/binderfs |
| mount binder binder /dev/binderfs stats=global |
| chmod 0755 /dev/binderfs |
| |
| # Mount fusectl |
| mount fusectl none /sys/fs/fuse/connections |
| |
| symlink /dev/binderfs/binder /dev/binder |
| symlink /dev/binderfs/hwbinder /dev/hwbinder |
| symlink /dev/binderfs/vndbinder /dev/vndbinder |
| |
| chmod 0666 /dev/binderfs/hwbinder |
| chmod 0666 /dev/binderfs/binder |
| chmod 0666 /dev/binderfs/vndbinder |
| |
| mkdir /mnt/secure 0700 root root |
| mkdir /mnt/secure/asec 0700 root root |
| mkdir /mnt/asec 0755 root system |
| mkdir /mnt/obb 0755 root system |
| mkdir /mnt/media_rw 0750 root external_storage |
| mkdir /mnt/user 0755 root root |
| mkdir /mnt/user/0 0755 root root |
| mkdir /mnt/user/0/self 0755 root root |
| mkdir /mnt/user/0/emulated 0755 root root |
| mkdir /mnt/user/0/emulated/0 0755 root root |
| |
| # Prepare directories for pass through processes |
| mkdir /mnt/pass_through 0700 root root |
| mkdir /mnt/pass_through/0 0710 root media_rw |
| mkdir /mnt/pass_through/0/self 0710 root media_rw |
| mkdir /mnt/pass_through/0/emulated 0710 root media_rw |
| mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw |
| |
| mkdir /mnt/expand 0771 system system |
| mkdir /mnt/appfuse 0711 root root |
| |
| # Storage views to support runtime permissions |
| mkdir /mnt/runtime 0700 root root |
| mkdir /mnt/runtime/default 0755 root root |
| mkdir /mnt/runtime/default/self 0755 root root |
| mkdir /mnt/runtime/read 0755 root root |
| mkdir /mnt/runtime/read/self 0755 root root |
| mkdir /mnt/runtime/write 0755 root root |
| mkdir /mnt/runtime/write/self 0755 root root |
| mkdir /mnt/runtime/full 0755 root root |
| mkdir /mnt/runtime/full/self 0755 root root |
| |
| # Symlink to keep legacy apps working in multi-user world |
| symlink /storage/self/primary /mnt/sdcard |
| symlink /mnt/user/0/primary /mnt/runtime/default/self/primary |
| |
| write /proc/sys/kernel/panic_on_oops 1 |
| write /proc/sys/kernel/hung_task_timeout_secs 0 |
| write /proc/cpu/alignment 4 |
| |
| # scheduler tunables |
| # Disable auto-scaling of scheduler tunables with hotplug. The tunables |
| # will vary across devices in unpredictable ways if allowed to scale with |
| # cpu cores. |
| write /proc/sys/kernel/sched_tunable_scaling 0 |
| write /proc/sys/kernel/sched_latency_ns 10000000 |
| write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 |
| write /proc/sys/kernel/sched_child_runs_first 0 |
| |
| write /proc/sys/kernel/randomize_va_space 2 |
| write /proc/sys/vm/mmap_min_addr 32768 |
| write /proc/sys/net/ipv4/ping_group_range "0 2147483647" |
| write /proc/sys/net/unix/max_dgram_qlen 2400 |
| |
| # Assign reasonable ceiling values for socket rcv/snd buffers. |
| # These should almost always be overridden by the target per the |
| # the corresponding technology maximums. |
| write /proc/sys/net/core/rmem_max 262144 |
| write /proc/sys/net/core/wmem_max 262144 |
| |
| # reflect fwmark from incoming packets onto generated replies |
| write /proc/sys/net/ipv4/fwmark_reflect 1 |
| write /proc/sys/net/ipv6/fwmark_reflect 1 |
| |
| # set fwmark on accepted sockets |
| write /proc/sys/net/ipv4/tcp_fwmark_accept 1 |
| |
| # disable icmp redirects |
| write /proc/sys/net/ipv4/conf/all/accept_redirects 0 |
| write /proc/sys/net/ipv6/conf/all/accept_redirects 0 |
| |
| # /proc/net/fib_trie leaks interface IP addresses |
| chmod 0400 /proc/net/fib_trie |
| |
| # sets up initial cpusets for ActivityManager |
| # this ensures that the cpusets are present and usable, but the device's |
| # init.rc must actually set the correct cpus |
| mkdir /dev/cpuset/foreground |
| copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus |
| copy /dev/cpuset/mems /dev/cpuset/foreground/mems |
| mkdir /dev/cpuset/background |
| copy /dev/cpuset/cpus /dev/cpuset/background/cpus |
| copy /dev/cpuset/mems /dev/cpuset/background/mems |
| |
| # system-background is for system tasks that should only run on |
| # little cores, not on bigs |
| mkdir /dev/cpuset/system-background |
| copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus |
| copy /dev/cpuset/mems /dev/cpuset/system-background/mems |
| |
| # restricted is for system tasks that are being throttled |
| # due to screen off. |
| mkdir /dev/cpuset/restricted |
| copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus |
| copy /dev/cpuset/mems /dev/cpuset/restricted/mems |
| |
| mkdir /dev/cpuset/top-app |
| copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus |
| copy /dev/cpuset/mems /dev/cpuset/top-app/mems |
| |
| # create a cpuset for camera daemon processes |
| mkdir /dev/cpuset/camera-daemon |
| copy /dev/cpuset/cpus /dev/cpuset/camera-daemon/cpus |
| copy /dev/cpuset/mems /dev/cpuset/camera-daemon/mems |
| |
| # change permissions for all cpusets we'll touch at runtime |
| chown system system /dev/cpuset |
| chown system system /dev/cpuset/foreground |
| chown system system /dev/cpuset/background |
| chown system system /dev/cpuset/system-background |
| chown system system /dev/cpuset/top-app |
| chown system system /dev/cpuset/restricted |
| chown system system /dev/cpuset/camera-daemon |
| chown system system /dev/cpuset/tasks |
| chown system system /dev/cpuset/foreground/tasks |
| chown system system /dev/cpuset/background/tasks |
| chown system system /dev/cpuset/system-background/tasks |
| chown system system /dev/cpuset/top-app/tasks |
| chown system system /dev/cpuset/restricted/tasks |
| chown system system /dev/cpuset/camera-daemon/tasks |
| chown system system /dev/cpuset/cgroup.procs |
| chown system system /dev/cpuset/foreground/cgroup.procs |
| chown system system /dev/cpuset/background/cgroup.procs |
| chown system system /dev/cpuset/system-background/cgroup.procs |
| chown system system /dev/cpuset/top-app/cgroup.procs |
| chown system system /dev/cpuset/restricted/cgroup.procs |
| chown system system /dev/cpuset/camera-daemon/cgroup.procs |
| |
| # set system-background to 0775 so SurfaceFlinger can touch it |
| chmod 0775 /dev/cpuset/system-background |
| |
| chmod 0664 /dev/cpuset/foreground/tasks |
| chmod 0664 /dev/cpuset/background/tasks |
| chmod 0664 /dev/cpuset/system-background/tasks |
| chmod 0664 /dev/cpuset/top-app/tasks |
| chmod 0664 /dev/cpuset/restricted/tasks |
| chmod 0664 /dev/cpuset/tasks |
| chmod 0664 /dev/cpuset/camera-daemon/tasks |
| chmod 0664 /dev/cpuset/foreground/cgroup.procs |
| chmod 0664 /dev/cpuset/background/cgroup.procs |
| chmod 0664 /dev/cpuset/system-background/cgroup.procs |
| chmod 0664 /dev/cpuset/top-app/cgroup.procs |
| chmod 0664 /dev/cpuset/restricted/cgroup.procs |
| chmod 0664 /dev/cpuset/cgroup.procs |
| chmod 0664 /dev/cpuset/camera-daemon/cgroup.procs |
| |
| # make the PSI monitor accessible to others |
| chown system system /proc/pressure/memory |
| chmod 0664 /proc/pressure/memory |
| |
| # qtaguid will limit access to specific data based on group memberships. |
| # net_bw_acct grants impersonation of socket owners. |
| # net_bw_stats grants access to other apps' detailed tagged-socket stats. |
| chown root net_bw_acct /proc/net/xt_qtaguid/ctrl |
| chown root net_bw_stats /proc/net/xt_qtaguid/stats |
| |
| # Allow everybody to read the xt_qtaguid resource tracking misc dev. |
| # This is needed by any process that uses socket tagging. |
| chmod 0644 /dev/xt_qtaguid |
| |
| mount bpf bpf /sys/fs/bpf nodev noexec nosuid |
| |
| # pstore/ramoops previous console log |
| mount pstore pstore /sys/fs/pstore nodev noexec nosuid |
| chown system log /sys/fs/pstore |
| chmod 0550 /sys/fs/pstore |
| chown system log /sys/fs/pstore/console-ramoops |
| chmod 0440 /sys/fs/pstore/console-ramoops |
| chown system log /sys/fs/pstore/console-ramoops-0 |
| chmod 0440 /sys/fs/pstore/console-ramoops-0 |
| chown system log /sys/fs/pstore/pmsg-ramoops-0 |
| chmod 0440 /sys/fs/pstore/pmsg-ramoops-0 |
| |
| # enable armv8_deprecated instruction hooks |
| write /proc/sys/abi/swp 1 |
| |
| # Linux's execveat() syscall may construct paths containing /dev/fd |
| # expecting it to point to /proc/self/fd |
| symlink /proc/self/fd /dev/fd |
| |
| export DOWNLOAD_CACHE /data/cache |
| |
| # This allows the ledtrig-transient properties to be created here so |
| # that they can be chown'd to system:system later on boot |
| write /sys/class/leds/vibrator/trigger "transient" |
| |
| # This is used by Bionic to select optimized routines. |
| write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant} |
| chmod 0444 /dev/cpu_variant:${ro.bionic.arch} |
| write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant} |
| chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch} |
| |
| # Allow system processes to read / write power state. |
| chown system system /sys/power/state |
| chown system system /sys/power/wakeup_count |
| chmod 0660 /sys/power/state |
| |
| chown radio wakelock /sys/power/wake_lock |
| chown radio wakelock /sys/power/wake_unlock |
| chmod 0660 /sys/power/wake_lock |
| chmod 0660 /sys/power/wake_unlock |
| |
| # Start logd before any other services run to ensure we capture all of their logs. |
| start logd |
| # Start lmkd before any other services run so that it can register them |
| write /proc/sys/vm/watermark_boost_factor 0 |
| chown root system /sys/module/lowmemorykiller/parameters/adj |
| chmod 0664 /sys/module/lowmemorykiller/parameters/adj |
| chown root system /sys/module/lowmemorykiller/parameters/minfree |
| chmod 0664 /sys/module/lowmemorykiller/parameters/minfree |
| start lmkd |
| |
| # Start essential services. |
| start servicemanager |
| start hwservicemanager |
| start vndservicemanager |
| |
| # Run boringssl self test for each ABI. Any failures trigger reboot to firmware. |
| on init && property:ro.product.cpu.abilist32=* |
| exec_start boringssl_self_test32 |
| on init && property:ro.product.cpu.abilist64=* |
| exec_start boringssl_self_test64 |
| on property:apexd.status=ready && property:ro.product.cpu.abilist32=* |
| exec_start boringssl_self_test_apex32 |
| on property:apexd.status=ready && property:ro.product.cpu.abilist64=* |
| exec_start boringssl_self_test_apex64 |
| |
| service boringssl_self_test32 /system/bin/boringssl_self_test32 |
| reboot_on_failure reboot,boringssl-self-check-failed |
| stdio_to_kmsg |
| # Explicitly specify that boringssl_self_test32 doesn't require any capabilities |
| capabilities |
| user nobody |
| |
| service boringssl_self_test64 /system/bin/boringssl_self_test64 |
| reboot_on_failure reboot,boringssl-self-check-failed |
| stdio_to_kmsg |
| # Explicitly specify that boringssl_self_test64 doesn't require any capabilities |
| capabilities |
| user nobody |
| |
| service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32 |
| reboot_on_failure reboot,boringssl-self-check-failed |
| stdio_to_kmsg |
| # Explicitly specify that boringssl_self_test_apex32 doesn't require any capabilities |
| capabilities |
| user nobody |
| |
| service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64 |
| reboot_on_failure reboot,boringssl-self-check-failed |
| stdio_to_kmsg |
| # Explicitly specify that boringssl_self_test_apex64 doesn't require any capabilities |
| capabilities |
| user nobody |
| |
| # Healthd can trigger a full boot from charger mode by signaling this |
| # property when the power button is held. |
| on property:sys.boot_from_charger_mode=1 |
| class_stop charger |
| trigger late-init |
| |
| # Indicate to fw loaders that the relevant mounts are up. |
| on firmware_mounts_complete |
| rm /dev/.booting |
| |
| # Mount filesystems and start core system services. |
| on late-init |
| trigger early-fs |
| |
| # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter |
| # '--early' can be specified to skip entries with 'latemount'. |
| # /system and /vendor must be mounted by the end of the fs stage, |
| # while /data is optional. |
| trigger fs |
| trigger post-fs |
| |
| # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter |
| # to only mount entries with 'latemount'. This is needed if '--early' is |
| # specified in the previous mount_all command on the fs stage. |
| # With /system mounted and properties form /system + /factory available, |
| # some services can be started. |
| trigger late-fs |
| |
| # Now we can mount /data. File encryption requires keymaster to decrypt |
| # /data, which in turn can only be loaded when system properties are present. |
| trigger post-fs-data |
| |
| # Should be before netd, but after apex, properties and logging is available. |
| trigger load_bpf_programs |
| |
| # Now we can start zygote for devices with file based encryption |
| trigger zygote-start |
| |
| # Remove a file to wake up anything waiting for firmware. |
| trigger firmware_mounts_complete |
| |
| trigger early-boot |
| trigger boot |
| |
| on early-fs |
| # Once metadata has been mounted, we'll need vold to deal with userdata checkpointing |
| start vold |
| |
| on post-fs |
| exec - system system -- /system/bin/vdc checkpoint markBootAttempt |
| |
| # Once everything is setup, no need to modify /. |
| # The bind+remount combination allows this to work in containers. |
| mount rootfs rootfs / remount bind ro nodev |
| |
| # Mount default storage into root namespace |
| mount none /mnt/user/0 /storage bind rec |
| mount none none /storage slave rec |
| |
| # Make sure /sys/kernel/debug (if present) is labeled properly |
| # Note that tracefs may be mounted under debug, so we need to cross filesystems |
| restorecon --recursive --cross-filesystems /sys/kernel/debug |
| |
| # We chown/chmod /cache again so because mount is run as root + defaults |
| chown system cache /cache |
| chmod 0770 /cache |
| # We restorecon /cache in case the cache partition has been reset. |
| restorecon_recursive /cache |
| |
| # Create /cache/recovery in case it's not there. It'll also fix the odd |
| # permissions if created by the recovery system. |
| mkdir /cache/recovery 0770 system cache |
| |
| # Backup/restore mechanism uses the cache partition |
| mkdir /cache/backup_stage 0700 system system |
| mkdir /cache/backup 0700 system system |
| |
| #change permissions on vmallocinfo so we can grab it from bugreports |
| chown root log /proc/vmallocinfo |
| chmod 0440 /proc/vmallocinfo |
| |
| chown root log /proc/slabinfo |
| chmod 0440 /proc/slabinfo |
| |
| chown root log /proc/pagetypeinfo |
| chmod 0440 /proc/pagetypeinfo |
| |
| #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks |
| chown root system /proc/kmsg |
| chmod 0440 /proc/kmsg |
| chown root system /proc/sysrq-trigger |
| chmod 0220 /proc/sysrq-trigger |
| chown system log /proc/last_kmsg |
| chmod 0440 /proc/last_kmsg |
| |
| # make the selinux kernel policy world-readable |
| chmod 0444 /sys/fs/selinux/policy |
| |
| # create the lost+found directories, so as to enforce our permissions |
| mkdir /cache/lost+found 0770 root root |
| |
| restorecon_recursive /metadata |
| mkdir /metadata/vold |
| chmod 0700 /metadata/vold |
| mkdir /metadata/password_slots 0771 root system |
| mkdir /metadata/bootstat 0750 system log |
| mkdir /metadata/ota 0700 root system |
| mkdir /metadata/ota/snapshots 0700 root system |
| mkdir /metadata/userspacereboot 0770 root system |
| mkdir /metadata/watchdog 0770 root system |
| |
| mkdir /metadata/apex 0700 root system |
| mkdir /metadata/apex/sessions 0700 root system |
| # On some devices we see a weird behaviour in which /metadata/apex doesn't |
| # have a correct label. To workaround this bug, explicitly call restorecon |
| # on /metadata/apex. For most of the boot sequences /metadata/apex will |
| # already have a correct selinux label, meaning that this call will be a |
| # no-op. |
| restorecon_recursive /metadata/apex |
| |
| mkdir /metadata/staged-install 0770 root system |
| mkdir /metadata/sepolicy 0700 root root |
| on late-fs |
| # Ensure that tracefs has the correct permissions. |
| # This does not work correctly if it is called in post-fs. |
| chmod 0755 /sys/kernel/tracing |
| chmod 0755 /sys/kernel/debug/tracing |
| |
| # HALs required before storage encryption can get unlocked (FBE) |
| class_start early_hal |
| |
| # Load trusted keys from dm-verity protected partitions |
| exec -- /system/bin/fsverity_init --load-verified-keys |
| |
| # Only enable the bootreceiver tracing instance for kernels 5.10 and above. |
| on late-fs && property:ro.kernel.version=4.9 |
| setprop bootreceiver.enable 0 |
| on late-fs && property:ro.kernel.version=4.14 |
| setprop bootreceiver.enable 0 |
| on late-fs && property:ro.kernel.version=4.19 |
| setprop bootreceiver.enable 0 |
| on late-fs && property:ro.kernel.version=5.4 |
| setprop bootreceiver.enable 0 |
| on late-fs |
| # Bootreceiver tracing instance is enabled by default. |
| setprop bootreceiver.enable ${bootreceiver.enable:-1} |
| |
| on property:ro.product.cpu.abilist64=* && property:bootreceiver.enable=1 |
| # Set up a tracing instance for system_server to monitor error_report_end events. |
| # These are sent by kernel tools like KASAN and KFENCE when a memory corruption |
| # is detected. This is only needed for 64-bit systems. |
| mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system |
| restorecon_recursive /sys/kernel/tracing/instances/bootreceiver |
| write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1 |
| write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free |
| write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1 |
| |
| on post-fs-data |
| |
| mark_post_data |
| |
| # Start checkpoint before we touch data |
| exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint |
| |
| # We chown/chmod /data again so because mount is run as root + defaults |
| chown system system /data |
| chmod 0771 /data |
| # We restorecon /data in case the userdata partition has been reset. |
| restorecon /data |
| |
| # Make sure we have the device encryption key. |
| installkey /data |
| |
| # Start bootcharting as soon as possible after the data partition is |
| # mounted to collect more data. |
| mkdir /data/bootchart 0755 shell shell encryption=Require |
| bootchart start |
| |
| # Avoid predictable entropy pool. Carry over entropy from previous boot. |
| copy /data/system/entropy.dat /dev/urandom |
| |
| mkdir /data/vendor 0771 root root encryption=Require |
| mkdir /data/vendor/hardware 0771 root root |
| |
| # Start tombstoned early to be able to store tombstones. |
| mkdir /data/anr 0775 system system encryption=Require |
| mkdir /data/tombstones 0771 system system encryption=Require |
| mkdir /data/vendor/tombstones 0771 root root |
| mkdir /data/vendor/tombstones/wifi 0771 wifi wifi |
| start tombstoned |
| |
| # Make sure that apexd is started in the default namespace |
| enter_default_mount_ns |
| |
| # set up keystore directory structure first so that we can end early boot |
| # and start apexd |
| mkdir /data/misc 01771 system misc encryption=Require |
| mkdir /data/misc/keystore 0700 keystore keystore |
| # work around b/183668221 |
| restorecon /data/misc /data/misc/keystore |
| |
| # Boot level 30 |
| # odsign signing keys have MAX_BOOT_LEVEL=30 |
| # This is currently the earliest boot level, but we start at 30 |
| # to leave room for earlier levels. |
| setprop keystore.boot_level 30 |
| |
| # Now that /data is mounted and we have created /data/misc/keystore, |
| # we can tell keystore to stop allowing use of early-boot keys, |
| # and access its database for the first time to support creation and |
| # use of MAX_BOOT_LEVEL keys. |
| exec - system system -- /system/bin/vdc keymaster earlyBootEnded |
| |
| # Multi-installed APEXes are selected using persist props. |
| # Load persist properties and override properties (if enabled) from /data, |
| # before starting apexd. |
| # /data/property should be created before `load_persist_props` |
| mkdir /data/property 0700 root root encryption=Require |
| load_persist_props |
| |
| start logd |
| start logd-reinit |
| |
| # Some existing vendor rc files use 'on load_persist_props_action' to know |
| # when persist props are ready. These are difficult to change due to GRF, |
| # so continue triggering this action here even though props are already loaded |
| # by the 'load_persist_props' call above. |
| trigger load_persist_props_action |
| |
| # /data/apex is now available. Start apexd to scan and activate APEXes. |
| # |
| # To handle userspace reboots, make sure that apexd is started cleanly here |
| # (set apexd.status="") and that it is restarted if it's already running. |
| # |
| # /data/apex uses encryption=None because direct I/O support is needed on |
| # APEX files, but some devices don't support direct I/O on encrypted files. |
| # Also, APEXes are public information, similar to the system image. |
| # /data/apex/decompressed and /data/apex/ota_reserved override this setting; |
| # they are encrypted so that files in them can be hard-linked into |
| # /data/rollback which is encrypted. |
| mkdir /data/apex 0755 root system encryption=None |
| mkdir /data/apex/active 0755 root system |
| mkdir /data/apex/backup 0700 root system |
| mkdir /data/apex/decompressed 0755 root system encryption=Require |
| mkdir /data/apex/hashtree 0700 root system |
| mkdir /data/apex/sessions 0700 root system |
| mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary |
| mkdir /data/apex/ota_reserved 0700 root system encryption=Require |
| setprop apexd.status "" |
| restart apexd |
| |
| # create rest of basic filesystem structure |
| mkdir /data/misc/recovery 0770 system log |
| copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1 |
| chmod 0440 /data/misc/recovery/ro.build.fingerprint.1 |
| chown system log /data/misc/recovery/ro.build.fingerprint.1 |
| write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint} |
| chmod 0440 /data/misc/recovery/ro.build.fingerprint |
| chown system log /data/misc/recovery/ro.build.fingerprint |
| mkdir /data/misc/recovery/proc 0770 system log |
| copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1 |
| chmod 0440 /data/misc/recovery/proc/version.1 |
| chown system log /data/misc/recovery/proc/version.1 |
| copy /proc/version /data/misc/recovery/proc/version |
| chmod 0440 /data/misc/recovery/proc/version |
| chown system log /data/misc/recovery/proc/version |
| mkdir /data/misc/bluedroid 02770 bluetooth bluetooth |
| # Fix the access permissions and group ownership for 'bt_config.conf' |
| chmod 0660 /data/misc/bluedroid/bt_config.conf |
| chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf |
| mkdir /data/misc/bluetooth 0770 bluetooth bluetooth |
| mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth |
| mkdir /data/misc/nfc 0770 nfc nfc |
| mkdir /data/misc/nfc/logs 0770 nfc nfc |
| mkdir /data/misc/credstore 0700 credstore credstore |
| mkdir /data/misc/gatekeeper 0700 system system |
| mkdir /data/misc/keychain 0771 system system |
| mkdir /data/misc/net 0750 root shell |
| mkdir /data/misc/radio 0770 system radio |
| mkdir /data/misc/sms 0770 system radio |
| mkdir /data/misc/carrierid 0770 system radio |
| mkdir /data/misc/apns 0770 system radio |
| mkdir /data/misc/emergencynumberdb 0770 system radio |
| mkdir /data/misc/network_watchlist 0774 system system |
| mkdir /data/misc/textclassifier 0771 system system |
| mkdir /data/misc/vpn 0770 system vpn |
| mkdir /data/misc/shared_relro 0771 shared_relro shared_relro |
| mkdir /data/misc/systemkeys 0700 system system |
| mkdir /data/misc/threadnetwork 0770 thread_network thread_network |
| mkdir /data/misc/wifi 0770 wifi wifi |
| mkdir /data/misc/wifi/sockets 0770 wifi wifi |
| mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi |
| mkdir /data/misc/ethernet 0770 system system |
| mkdir /data/misc/dhcp 0770 dhcp dhcp |
| mkdir /data/misc/user 0771 root root |
| # give system access to wpa_supplicant.conf for backup and restore |
| chmod 0660 /data/misc/wifi/wpa_supplicant.conf |
| mkdir /data/local 0751 root root encryption=Require |
| mkdir /data/misc/media 0700 media media |
| mkdir /data/misc/audioserver 0700 audioserver audioserver |
| mkdir /data/misc/cameraserver 0700 cameraserver cameraserver |
| mkdir /data/misc/vold 0700 root root |
| mkdir /data/misc/boottrace 0771 system shell |
| mkdir /data/misc/update_engine 0700 root root |
| mkdir /data/misc/update_engine_log 02750 root log |
| mkdir /data/misc/trace 0700 root root |
| # create location to store surface and window trace files |
| mkdir /data/misc/wmtrace 0700 system system |
| # create location to store accessibility trace files |
| mkdir /data/misc/a11ytrace 0700 system system |
| # profile file layout |
| mkdir /data/misc/profiles 0771 system system |
| mkdir /data/misc/profiles/cur 0771 system system |
| mkdir /data/misc/profiles/ref 0771 system system |
| mkdir /data/misc/profman 0770 system shell |
| mkdir /data/misc/gcov 0770 root root |
| mkdir /data/misc/installd 0700 root root |
| mkdir /data/misc/apexdata 0711 root root |
| mkdir /data/misc/apexrollback 0700 root root |
| mkdir /data/misc/appcompat/ 0700 system system |
| mkdir /data/misc/snapshotctl_log 0755 root root |
| # create location to store pre-reboot information |
| mkdir /data/misc/prereboot 0700 system system |
| # directory used for on-device refresh metrics file. |
| mkdir /data/misc/odrefresh 0777 system system |
| # directory used for on-device signing key blob |
| mkdir /data/misc/odsign 0710 root system |
| # directory used for odsign metrics |
| mkdir /data/misc/odsign/metrics 0770 root system |
| |
| # Directory for VirtualizationService temporary image files. |
| # Delete any stale files owned by the old virtualizationservice uid (b/230056726). |
| chmod 0770 /data/misc/virtualizationservice |
| exec - virtualizationservice system -- /bin/rm -rf /data/misc/virtualizationservice |
| mkdir /data/misc/virtualizationservice 0771 system system |
| |
| # /data/preloads uses encryption=None because it only contains preloaded |
| # files that are public information, similar to the system image. |
| mkdir /data/preloads 0775 system system encryption=None |
| |
| # For security reasons, /data/local/tmp should always be empty. |
| # Do not place files or directories in /data/local/tmp |
| mkdir /data/local/tmp 0771 shell shell |
| mkdir /data/local/traces 0777 shell shell |
| mkdir /data/app-private 0771 system system encryption=Require |
| mkdir /data/app-ephemeral 0771 system system encryption=Require |
| mkdir /data/app-asec 0700 root root encryption=Require |
| mkdir /data/app-lib 0771 system system encryption=Require |
| mkdir /data/app 0771 system system encryption=Require |
| |
| # create directory for updated font files. |
| mkdir /data/fonts/ 0771 root root encryption=Require |
| mkdir /data/fonts/files 0771 system system |
| mkdir /data/fonts/config 0770 system system |
| |
| # Create directories to push tests to for each linker namespace. |
| # Create the subdirectories in case the first test is run as root |
| # so it doesn't end up owned by root. |
| # Set directories to be executable by any process so that debuggerd, |
| # aka crash_dump, can read any executables/shared libraries. |
| mkdir /data/local/tests 0701 shell shell |
| mkdir /data/local/tests/product 0701 shell shell |
| mkdir /data/local/tests/system 0701 shell shell |
| mkdir /data/local/tests/unrestricted 0701 shell shell |
| mkdir /data/local/tests/vendor 0701 shell shell |
| |
| # create dalvik-cache, so as to enforce our permissions |
| mkdir /data/dalvik-cache 0771 root root encryption=Require |
| # create the A/B OTA directory, so as to enforce our permissions |
| mkdir /data/ota 0771 root root encryption=Require |
| |
| # create the OTA package directory. It will be accessed by GmsCore (cache |
| # group), update_engine and update_verifier. |
| mkdir /data/ota_package 0770 system cache encryption=Require |
| |
| # create resource-cache and double-check the perms |
| mkdir /data/resource-cache 0771 system system encryption=Require |
| chown system system /data/resource-cache |
| chmod 0771 /data/resource-cache |
| |
| # Ensure that lost+found exists and has the correct permissions. Linux |
| # filesystems expect this directory to exist; it's where the fsck tool puts |
| # any recovered files that weren't present in any directory. It must be |
| # unencrypted, as fsck must be able to write to it. |
| mkdir /data/lost+found 0770 root root encryption=None |
| |
| # create directory for DRM plug-ins - give drm the read/write access to |
| # the following directory. |
| mkdir /data/drm 0770 drm drm encryption=Require |
| |
| # create directory for MediaDrm plug-ins - give drm the read/write access to |
| # the following directory. |
| mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require |
| |
| # NFC: create data/nfc for nv storage |
| mkdir /data/nfc 0770 nfc nfc encryption=Require |
| mkdir /data/nfc/param 0770 nfc nfc |
| |
| # Create all remaining /data root dirs so that they are made through init |
| # and get proper encryption policy installed |
| mkdir /data/backup 0700 system system encryption=Require |
| mkdir /data/ss 0700 system system encryption=Require |
| |
| mkdir /data/system 0775 system system encryption=Require |
| mkdir /data/system/environ 0700 system system |
| # b/183861600 attempt to fix selinux label before running derive_classpath service |
| restorecon /data/system/environ |
| mkdir /data/system/dropbox 0700 system system |
| mkdir /data/system/heapdump 0700 system system |
| mkdir /data/system/users 0775 system system |
| # Mkdir and set SELinux security contexts for shutdown-checkpoints. |
| # TODO(b/270286197): remove these after couple releases. |
| mkdir /data/system/shutdown-checkpoints 0700 system system |
| restorecon_recursive /data/system/shutdown-checkpoints |
| |
| # Create the parent directories of the user CE and DE storage directories. |
| # These parent directories must use encryption=None, since each of their |
| # subdirectories uses a different encryption policy (a per-user one), and |
| # encryption policies apply recursively. These directories should never |
| # contain any subdirectories other than the per-user ones. /data/media/obb |
| # is an exception that exists for legacy reasons. |
| mkdir /data/media 0770 media_rw media_rw encryption=None |
| mkdir /data/misc_ce 01771 system misc encryption=None |
| mkdir /data/misc_de 01771 system misc encryption=None |
| mkdir /data/system_ce 0770 system system encryption=None |
| mkdir /data/system_de 0770 system system encryption=None |
| mkdir /data/user 0711 system system encryption=None |
| mkdir /data/user_de 0711 system system encryption=None |
| mkdir /data/vendor_ce 0771 root root encryption=None |
| mkdir /data/vendor_de 0771 root root encryption=None |
| |
| # Set the casefold flag on /data/media. For upgrades, a restorecon can be |
| # needed first to relabel the directory from media_rw_data_file. |
| restorecon /data/media |
| exec - media_rw media_rw -- /system/bin/chattr +F /data/media |
| |
| # A tmpfs directory, which will contain all apps and sdk sandbox CE and DE |
| # data directory that bind mount from the original source. |
| mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000 |
| restorecon /data_mirror |
| mkdir /data_mirror/data_ce 0700 root root |
| mkdir /data_mirror/data_de 0700 root root |
| mkdir /data_mirror/misc_ce 0700 root root |
| mkdir /data_mirror/misc_de 0700 root root |
| |
| # Create CE and DE data directory for default volume |
| mkdir /data_mirror/data_ce/null 0700 root root |
| mkdir /data_mirror/data_de/null 0700 root root |
| mkdir /data_mirror/misc_ce/null 0700 root root |
| mkdir /data_mirror/misc_de/null 0700 root root |
| |
| # Bind mount CE and DE data directory to mirror's default volume directory. |
| # Note that because the /data mount has the "shared" propagation type, the |
| # later bind mount of /data/data onto /data/user/0 will automatically |
| # propagate to /data_mirror/data_ce/null/0 as well. |
| mount none /data/user /data_mirror/data_ce/null bind rec |
| mount none /data/user_de /data_mirror/data_de/null bind rec |
| mount none /data/misc_ce /data_mirror/misc_ce/null bind rec |
| mount none /data/misc_de /data_mirror/misc_de/null bind rec |
| |
| # Create mirror directory for jit profiles |
| mkdir /data_mirror/cur_profiles 0700 root root |
| mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec |
| mkdir /data_mirror/ref_profiles 0700 root root |
| mount none /data/misc/profiles/ref /data_mirror/ref_profiles bind rec |
| |
| mkdir /data/cache 0770 system cache encryption=Require |
| mkdir /data/cache/recovery 0770 system cache |
| mkdir /data/cache/backup_stage 0700 system system |
| mkdir /data/cache/backup 0700 system system |
| |
| # Delete these if need be, per b/139193659 |
| mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary |
| mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary |
| mkdir /data/rollback-history 0700 system system encryption=DeleteIfNecessary |
| |
| # Create root dir for Incremental Service |
| mkdir /data/incremental 0771 system system encryption=Require |
| |
| # Create directories for statsd |
| mkdir /data/misc/stats-active-metric/ 0770 statsd system |
| mkdir /data/misc/stats-data/ 0770 statsd system |
| mkdir /data/misc/stats-data/restricted-data 0770 statsd system |
| mkdir /data/misc/stats-metadata/ 0770 statsd system |
| mkdir /data/misc/stats-service/ 0770 statsd system |
| mkdir /data/misc/train-info/ 0770 statsd system |
| |
| # Wait for apexd to finish activating APEXes before starting more processes. |
| wait_for_prop apexd.status activated |
| perform_apex_config |
| |
| # Create directories for boot animation. |
| mkdir /data/bootanim 0755 system system encryption=DeleteIfNecessary |
| |
| exec_start derive_sdk |
| |
| init_user0 |
| |
| # Set SELinux security contexts on upgrade or policy update. |
| restorecon --recursive --skip-ce /data |
| |
| # Define and export *CLASSPATH variables |
| # Must start before 'odsign', as odsign depends on *CLASSPATH variables |
| exec_start derive_classpath |
| load_exports /data/system/environ/classpath |
| |
| # Start ART's oneshot boot service to propagate boot experiment flags to |
| # dalvik.vm.*. This needs to be done before odsign since odrefresh uses and |
| # validates those properties against the signed cache-info.xml. |
| exec_start art_boot |
| |
| # Start the on-device signing daemon, and wait for it to finish, to ensure |
| # ART artifacts are generated if needed. |
| # Must start after 'derive_classpath' to have *CLASSPATH variables set. |
| start odsign |
| |
| # Before we can lock keys and proceed to the next boot stage, wait for |
| # odsign to be done with the key |
| wait_for_prop odsign.key.done 1 |
| |
| # Lock the fs-verity keyring, so no more keys can be added |
| exec -- /system/bin/fsverity_init --lock |
| |
| # Bump the boot level to 1000000000; this prevents further on-device signing. |
| # This is a special value that shuts down the thread which listens for |
| # further updates. |
| setprop keystore.boot_level 1000000000 |
| |
| # Allow apexd to snapshot and restore device encrypted apex data in the case |
| # of a rollback. This should be done immediately after DE_user data keys |
| # are loaded. APEXes should not access this data until this has been |
| # completed and apexd.status becomes "ready". |
| exec_start apexd-snapshotde |
| |
| # sys.memfd_use set to false by default, which keeps it disabled |
| # until it is confirmed that apps and vendor processes don't make |
| # IOCTLs on ashmem fds any more. |
| setprop sys.use_memfd false |
| |
| # Set fscklog permission |
| chown root system /dev/fscklogs/log |
| chmod 0770 /dev/fscklogs/log |
| |
| # Enable FUSE by default |
| setprop persist.sys.fuse true |
| |
| # Update dm-verity state and set partition.*.verified properties. |
| verity_update_state |
| |
| # It is recommended to put unnecessary data/ initialization from post-fs-data |
| # to start-zygote in device's init.rc to unblock zygote start. |
| on zygote-start && property:ro.crypto.state=unencrypted |
| wait_for_prop odsign.verification.done 1 |
| # A/B update verifier that marks a successful boot. |
| exec_start update_verifier_nonencrypted |
| start statsd |
| start netd |
| start zygote |
| start zygote_secondary |
| |
| on zygote-start && property:ro.crypto.state=unsupported |
| wait_for_prop odsign.verification.done 1 |
| # A/B update verifier that marks a successful boot. |
| exec_start update_verifier_nonencrypted |
| start statsd |
| start netd |
| start zygote |
| start zygote_secondary |
| |
| on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file |
| wait_for_prop odsign.verification.done 1 |
| # A/B update verifier that marks a successful boot. |
| exec_start update_verifier_nonencrypted |
| start statsd |
| start netd |
| start zygote |
| start zygote_secondary |
| |
| on boot && property:ro.config.low_ram=true |
| # Tweak background writeout |
| write /proc/sys/vm/dirty_expire_centisecs 200 |
| write /proc/sys/vm/dirty_background_ratio 5 |
| |
| on boot |
| # basic network init |
| ifup lo |
| hostname localhost |
| domainname localdomain |
| |
| # IPsec SA default expiration length |
| write /proc/sys/net/core/xfrm_acq_expires 3600 |
| |
| # Memory management. Basic kernel parameters, and allow the high |
| # level system server to be able to adjust the kernel OOM driver |
| # parameters to match how it is managing things. |
| write /proc/sys/vm/overcommit_memory 1 |
| write /proc/sys/vm/min_free_order_shift 4 |
| |
| # System server manages zram writeback |
| chown root system /sys/block/zram0/idle |
| chmod 0664 /sys/block/zram0/idle |
| chown root system /sys/block/zram0/writeback |
| chmod 0664 /sys/block/zram0/writeback |
| |
| # to access F2FS sysfs on dm-<num> directly |
| mkdir /dev/sys/fs/by-name 0755 system system |
| symlink /sys/fs/f2fs/${dev.mnt.dev.data} /dev/sys/fs/by-name/userdata |
| |
| # dev.mnt.dev.data=dm-N, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0, or |
| # dev.mnt.dev.data=sdaN/mmcblk0pN, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0 |
| mkdir /dev/sys/block/by-name 0755 system system |
| symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata |
| symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk |
| |
| # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs, |
| # to avoid power consumption when system becomes mostly idle. Be careful |
| # to make it too large, since it may bring userdata loss, if they |
| # are not aware of using fsync()/sync() to prepare sudden power-cut. |
| write /dev/sys/fs/by-name/userdata/cp_interval 200 |
| write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50 |
| write /dev/sys/fs/by-name/userdata/iostat_period_ms 1000 |
| write /dev/sys/fs/by-name/userdata/iostat_enable 1 |
| |
| # set readahead multiplier for POSIX_FADV_SEQUENTIAL files |
| write /dev/sys/fs/by-name/userdata/seq_file_ra_mul 16 |
| |
| # limit discard size to 128MB in order to avoid long IO latency |
| # for filesystem tuning first (dm or sda) |
| # this requires enabling selinux entry for sda/mmcblk0 in vendor side |
| write /dev/sys/block/by-name/userdata/queue/discard_max_bytes 134217728 |
| write /dev/sys/block/by-name/rootdisk/queue/discard_max_bytes 134217728 |
| |
| # Permissions for System Server and daemons. |
| chown system system /sys/power/autosleep |
| |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boost |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration |
| chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy |
| chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy |
| |
| chown system system /sys/class/leds/vibrator/trigger |
| chown system system /sys/class/leds/vibrator/activate |
| chown system system /sys/class/leds/vibrator/brightness |
| chown system system /sys/class/leds/vibrator/duration |
| chown system system /sys/class/leds/vibrator/state |
| chown system system /sys/class/timed_output/vibrator/enable |
| chown system system /sys/class/leds/keyboard-backlight/brightness |
| chown system system /sys/class/leds/lcd-backlight/brightness |
| chown system system /sys/class/leds/button-backlight/brightness |
| chown system system /sys/class/leds/jogball-backlight/brightness |
| chown system system /sys/class/leds/red/brightness |
| chown system system /sys/class/leds/green/brightness |
| chown system system /sys/class/leds/blue/brightness |
| chown system system /sys/class/leds/red/device/grpfreq |
| chown system system /sys/class/leds/red/device/grppwm |
| chown system system /sys/class/leds/red/device/blink |
| chown system system /sys/module/sco/parameters/disable_esco |
| chown system system /sys/kernel/ipv4/tcp_wmem_min |
| chown system system /sys/kernel/ipv4/tcp_wmem_def |
| chown system system /sys/kernel/ipv4/tcp_wmem_max |
| chown system system /sys/kernel/ipv4/tcp_rmem_min |
| chown system system /sys/kernel/ipv4/tcp_rmem_def |
| chown system system /sys/kernel/ipv4/tcp_rmem_max |
| chown root radio /proc/cmdline |
| chown root system /proc/bootconfig |
| |
| # Define default initial receive window size in segments. |
| setprop net.tcp_def_init_rwnd 60 |
| |
| # Start standard binderized HAL daemons |
| class_start hal |
| |
| class_start core |
| |
| on nonencrypted |
| class_start main |
| class_start late_start |
| |
| on property:sys.init_log_level=* |
| loglevel ${sys.init_log_level} |
| |
| on charger |
| class_start charger |
| |
| on property:sys.boot_completed=1 |
| bootchart stop |
| # Setup per_boot directory so other .rc could start to use it on boot_completed |
| exec - system system -- /bin/rm -rf /data/per_boot |
| mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref |
| |
| # system server cannot write to /proc/sys files, |
| # and chown/chmod does not work for /proc/sys/ entries. |
| # So proxy writes through init. |
| on property:sys.sysctl.extra_free_kbytes=* |
| exec -- /system/bin/extra_free_kbytes.sh ${sys.sysctl.extra_free_kbytes} |
| |
| # Allow users to drop caches |
| on property:perf.drop_caches=3 |
| write /proc/sys/vm/drop_caches 3 |
| setprop perf.drop_caches 0 |
| |
| # "tcp_default_init_rwnd" Is too long! |
| on property:net.tcp_def_init_rwnd=* |
| write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd} |
| |
| # perf_event_open syscall security: |
| # Newer kernels have the ability to control the use of the syscall via SELinux |
| # hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the |
| # kernel has the hooks. In this case, the system-wide perf_event_paranoid |
| # sysctl is set to -1 (unrestricted use), and the SELinux policy is used for |
| # controlling access. On older kernels, the paranoid value is the only means of |
| # controlling access. It is normally 3 (allow only root), but the shell user |
| # can lower it to 1 (allowing thread-scoped pofiling) via security.perf_harden. |
| on load_bpf_programs && property:sys.init.perf_lsm_hooks=1 |
| write /proc/sys/kernel/perf_event_paranoid -1 |
| on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks="" |
| write /proc/sys/kernel/perf_event_paranoid 1 |
| on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks="" |
| write /proc/sys/kernel/perf_event_paranoid 3 |
| |
| # Additionally, simpleperf profiler uses debug.* and security.perf_harden |
| # sysprops to be able to indirectly set these sysctls. |
| on property:security.perf_harden=0 |
| write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000} |
| write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25} |
| write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516} |
| # Default values. |
| on property:security.perf_harden=1 |
| write /proc/sys/kernel/perf_event_max_sample_rate 100000 |
| write /proc/sys/kernel/perf_cpu_time_max_percent 25 |
| write /proc/sys/kernel/perf_event_mlock_kb 516 |
| |
| # This property can be set only on userdebug/eng. See neverallow rule in |
| # /system/sepolicy/private/property.te . |
| on property:security.lower_kptr_restrict=1 |
| write /proc/sys/kernel/kptr_restrict 0 |
| |
| on property:security.lower_kptr_restrict=0 |
| write /proc/sys/kernel/kptr_restrict 2 |
| |
| |
| # on shutdown |
| # In device's init.rc, this trigger can be used to do device-specific actions |
| # before shutdown. e.g disable watchdog and mask error handling |
| |
| ## Daemon processes to be run by init. |
| ## |
| service ueventd /system/bin/ueventd |
| class core |
| critical |
| seclabel u:r:ueventd:s0 |
| user root |
| shutdown critical |
| |
| service console /system/bin/sh |
| class core |
| console |
| disabled |
| user shell |
| group shell log readproc |
| seclabel u:r:shell:s0 |
| setenv HOSTNAME console |
| shutdown critical |
| |
| on property:ro.debuggable=1 |
| # Give writes to the same group for the trace folder on debug builds, |
| # it's further protected by selinux policy. |
| # The folder is used to store method traces. |
| chmod 0773 /data/misc/trace |
| # Give writes and reads to anyone for the window trace folder on debug builds, |
| # it's further protected by selinux policy. |
| chmod 0777 /data/misc/wmtrace |
| # Give reads to anyone for the accessibility trace folder on debug builds. |
| chmod 0775 /data/misc/a11ytrace |
| |
| on init && property:ro.debuggable=1 |
| start console |
| |
| on userspace-reboot-requested |
| # TODO(b/135984674): reset all necessary properties here. |
| setprop sys.boot_completed "" |
| setprop dev.bootcomplete "" |
| setprop sys.init.updatable_crashing "" |
| setprop sys.init.updatable_crashing_process_name "" |
| setprop sys.user.0.ce_available "" |
| setprop sys.shutdown.requested "" |
| setprop service.bootanim.exit "" |
| setprop service.bootanim.progress "" |
| |
| on userspace-reboot-fs-remount |
| # Make sure that vold is running. |
| # This is mostly a precaution measure in case vold for some reason wasn't running when |
| # userspace reboot was initiated. |
| start vold |
| exec - system system -- /system/bin/vdc checkpoint resetCheckpoint |
| exec - system system -- /system/bin/vdc checkpoint markBootAttempt |
| # Unmount /data_mirror mounts in the reverse order of corresponding mounts. |
| umount /data_mirror/data_ce/null/0 |
| umount /data_mirror/data_ce/null |
| umount /data_mirror/data_de/null |
| umount /data_mirror/cur_profiles |
| umount /data_mirror/ref_profiles |
| umount /data_mirror |
| remount_userdata |
| start bootanim |
| |
| on userspace-reboot-resume |
| trigger userspace-reboot-fs-remount |
| trigger post-fs-data |
| trigger zygote-start |
| trigger early-boot |
| trigger boot |
| |
| on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1 |
| setprop sys.init.userspace_reboot.in_progress "" |
| |
| # Multi-Gen LRU Experiment |
| on property:persist.device_config.mglru_native.lru_gen_config=none |
| write /sys/kernel/mm/lru_gen/enabled 0 |
| on property:persist.device_config.mglru_native.lru_gen_config=core |
| write /sys/kernel/mm/lru_gen/enabled 1 |
| on property:persist.device_config.mglru_native.lru_gen_config=core_and_mm_walk |
| write /sys/kernel/mm/lru_gen/enabled 3 |
| on property:persist.device_config.mglru_native.lru_gen_config=core_and_nonleaf_young |
| write /sys/kernel/mm/lru_gen/enabled 5 |
| on property:persist.device_config.mglru_native.lru_gen_config=all |
| write /sys/kernel/mm/lru_gen/enabled 7 |