akhilkalwakurthy

init.rc

Jan 14th, 2017
  1. # Copyright (C) 2012 The Android Open Source Project
  2. #
  3. # IMPORTANT: Do not create world writable files or directories.
  4. # This is a common source of Android security bugs.
  5. #
  6.  
  7. import /init.environ.rc
  8. # Mer handles usb stuff
  9. #import /init.usb.rc
  10. import /init.${ro.hardware}.rc
  11. import /init.usb.configfs.rc
  12. import /init.${ro.zygote}.rc
  13. import /init.trace.rc
  14. # Include CM's extra init file
  15. import /init.cm.rc
  16.  
  17.  
  18. on early-init
          # SELinux setup for init itself; the two commands run in the order written.
  19.  
  20.     # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
          # (0 = check the protection the kernel will actually apply, not only the one requested.)
  21.     write /sys/fs/selinux/checkreqprot 0
  22.  
  23.     # Set the security context for the init process.
  24.     # This should occur before anything else (e.g. ueventd) is started.
  25.     setcon u:r:init:s0
  26.  
  27. # This is a common source of Android security bugs.
  28. #
      # NOTE(review): listing lines 27-38 repeat the tail of the header comment and the
      # whole import list from listing lines 3-15. This looks like a paste artifact;
      # confirm against the original file and keep each import only once.
  29.  
  30. import /init.environ.rc
  31. # Mer handles usb stuff
  32. #import /init.usb.rc
  33. import /init.${ro.hardware}.rc
  34. import /init.usb.configfs.rc
  35. import /init.${ro.zygote}.rc
  36. import /init.trace.rc
  37. # Include CM's extra init file
  38. import /init.cm.rc
  39.  
  40.  
  41.  
  42. # Healthd can trigger a full boot from charger mode by signaling this
  43. # property when the power button is held.
  44. on property:sys.boot_from_charger_mode=1
          # Stop every service in class `charger`, then queue the normal late-init sequence.
  45.     class_stop charger
  46.     trigger late-init
  47.  
  48. # Load properties from /system/ + /factory after fs mount.
  49. on load_system_props_action
  50.     load_system_props
  51.  
  52. on load_persist_props_action
          # Load persistent properties, then start logd and the oneshot logd-reinit service
          # (`logd --reinit`, defined further down in this file).
  53.     load_persist_props
  54.     start logd
  55.     start logd-reinit
  56.  
  57. # Indicate to fw loaders that the relevant mounts are up.
  58. on firmware_mounts_complete
          # Removing the marker file is the signal; late-init queues this trigger.
  59.     rm /dev/.booting
  60.  
  61. # Mount filesystems and start core system services.
  62. on late-init
          # Each `trigger` queues the named action; the order below is the boot order.
          # NOTE(review): this listing defines post-fs and post-fs-data but no early-fs, fs,
          # early-boot or boot actions; presumably they live in the imported rc files - confirm.
  63.     trigger early-fs
  64.     trigger fs
  65.     trigger post-fs
  66.  
  67.     # Load properties from /system/ + /factory after fs mount. Place
  68.     # this in another action so that the load will be scheduled after the prior
  69.     # issued fs triggers have completed.
  70.     trigger load_system_props_action
  71.  
  72.     # Now we can mount /data. File encryption requires keymaster to decrypt
  73.     # /data, which in turn can only be loaded when system properties are present
  74.     trigger post-fs-data
  75.     trigger load_persist_props_action
  76.  
  77.     # Remove a file to wake up anything waiting for firmware.
  78.     trigger firmware_mounts_complete
  79.  
  80.     trigger early-boot
  81.     trigger boot
  82.  
  83.  
  84. on post-fs
          # Queued by late-init after the fs triggers: fixes ownership, modes and SELinux
          # labels on /cache and opens selected /proc nodes to the log/system groups.
  85.     start logd
  86.     # once everything is setup, no need to modify /
  87.  
  88.     # mount rootfs rootfs / ro remount
  89.     # mount shared so changes propagate into child namespaces
  90.     # mount rootfs rootfs / shared rec
          # NOTE(review): both rootfs mount commands above are commented out, so this action
          # does not remount / read-only. If a read-only root is expected, confirm that it
          # is enforced somewhere else.
  91.  
  92.     # We chown/chmod /cache again because mount is run as root + defaults
  93.     chown system cache /cache
  94.     chmod 0770 /cache
  95.     # We restorecon /cache in case the cache partition has been reset.
  96.     restorecon_recursive /cache
  97.  
  98.     # Create /cache/recovery in case it's not there. It'll also fix the odd
  99.     # permissions if created by the recovery system.
  100.     mkdir /cache/recovery 0770 system cache
  101.  
  102.     # Change permissions on vmallocinfo so we can grab it from bugreports
           # (0440 root:log = read-only for root and group log, nothing for others).
  103.     chown root log /proc/vmallocinfo
  104.     chmod 0440 /proc/vmallocinfo
  105.  
  106.     chown root log /proc/slabinfo
  107.     chmod 0440 /proc/slabinfo
  108.  
  109.     # Change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks.
           # kmsg and last_kmsg become group-readable; sysrq-trigger is 0220, i.e. write-only
           # for root and group system, no access for others.
           # NOTE(review): write access to sysrq-trigger lets group system request kernel SysRq
           # actions; keep that group as narrow as bugreport collection allows.
  110.     chown root system /proc/kmsg
  111.     chmod 0440 /proc/kmsg
  112.     chown root system /proc/sysrq-trigger
  113.     chmod 0220 /proc/sysrq-trigger
  114.     chown system log /proc/last_kmsg
  115.     chmod 0440 /proc/last_kmsg
  116.  
  117.     # make the selinux kernel policy world-readable
  118.     chmod 0444 /sys/fs/selinux/policy
  119.  
  120.     # create the lost+found directories, so as to enforce our permissions
  121.     mkdir /cache/lost+found 0770 root root
  122.  
  123. on post-fs-data
           # Queued by late-init once /data is available: resets ownership, mode and label of
           # /data and creates the per-daemon directories under /data/misc.
  124.     # We chown/chmod /data again because mount is run as root + defaults
  125.     chown system system /data
  126.     chmod 0771 /data
  127.     # We restorecon /data in case the userdata partition has been reset.
  128.     restorecon /data
  129.  
  130.     # Emulated internal storage area
  131.     mkdir /data/media 0770 media_rw media_rw
  132.  
  133.     # Make sure we have the device encryption key
  134.     start logd
  135.     #start vold
  136.     installkey /data
           # NOTE(review): `start vold` is commented out above and the vold service is
           # `disabled` further down. Whether installkey can do its work without vold is not
           # visible in this file - confirm.
  137.  
  138.     # Start bootcharting as soon as possible after the data partition is
  139.     # mounted to collect more data.
  140.     mkdir /data/bootchart 0755 shell shell
  141.     bootchart_init
  142.  
  143.     # Avoid predictable entropy pool. Carry over entropy from previous boot.
           # The saved file is written into /dev/urandom, which mixes it into the kernel pool.
           # NOTE(review): nothing in this listing writes /data/system/entropy.dat; presumably
           # another component saves it before shutdown - verify.
  144.     copy /data/system/entropy.dat /dev/urandom
  145.  
  146.     # create basic filesystem structure
           # Modes: 01771 = sticky bit + rwxrwx--x, 02750/02770 = setgid directories,
           # 0700 = owner only (used for the keystore and gatekeeper directories that are
           # passed to the keystore and gatekeeperd services below).
  147.     mkdir /data/misc 01771 system misc
  148.     mkdir /data/misc/adb 02750 system shell
  149.     mkdir /data/misc/bluedroid 02770 bluetooth net_bt_stack
  150.     # Fix the access permissions and group ownership for 'bt_config.conf'
  151.     chmod 0660 /data/misc/bluedroid/bt_config.conf
  152.     chown bluetooth net_bt_stack /data/misc/bluedroid/bt_config.conf
  153.     mkdir /data/misc/bluetooth 0770 system system
  154.     mkdir /data/misc/keystore 0700 keystore keystore
  155.     mkdir /data/misc/gatekeeper 0700 system system
           # NOTE(review): in this listing powerctl sits inside post-fs-data and has no
           # `on property:sys.powerctl=*` trigger of its own. Lines may be missing from the
           # paste - confirm against the original file before relying on this action.
  156.     powerctl ${sys.powerctl}
  157.  
  158. # system server cannot write to /proc/sys files,
  159. # and chown/chmod does not work for /proc/sys/ entries.
  160. # So proxy writes through init.
       # init writes the property value as-is, so whoever is allowed to set these
       # sys.sysctl.* properties effectively controls the sysctl.
       # NOTE(review): confirm that property permissions restrict the setters.
  161. on property:sys.sysctl.extra_free_kbytes=*
  162.     write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
  163.  
  164. # "tcp_default_init_rwnd" is too long for the property name, hence tcp_def_init_rwnd.
  165. on property:sys.sysctl.tcp_def_init_rwnd=*
  166.     write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
  167.  
  168. on property:security.perf_harden=0
           # security.perf_harden selects the perf_event_paranoid level: 0 -> 1, 1 -> 3.
  169.     write /proc/sys/kernel/perf_event_paranoid 1
  170.  
  171. on property:security.perf_harden=1
           # NOTE(review): level 3 is not a value mainline kernels document; presumably the
           # device kernel carries the patch that defines it - verify.
  172.     write /proc/sys/kernel/perf_event_paranoid 3
  173.  
  174. ## Daemon processes to be run by init.
  175. ##
  176. service ueventd /sbin/ueventd
           # Declared in class core with its own SELinux label, but `disabled`: init does not
           # start it with the class, it would have to be started explicitly by name.
  177.     class core
  178.     critical
  179.     seclabel u:r:ueventd:s0
  180. # Not used by Mer
  181.     disabled
  182.  
  183. service logd /system/bin/logd
           # Log daemon. No `user` option, so init starts it as root; groups are root and system.
           # Socket modes: logd and logdr are 0666 (any uid may connect), logdw is 0222
           # (any uid may write, nobody may read); all three are owned by logd:logd.
           # NOTE(review): these are the only world-writable nodes created in this listing;
           # access control presumably happens inside logd and in SELinux policy - confirm.
  184.     class core
  185.     socket logd stream 0666 logd logd
  186.     socket logdr seqpacket 0666 logd logd
  187.     socket logdw dgram 0222 logd logd
  188.     group root system
  189.      writepid /dev/cpuset/system-background/tasks
  190.  
  191. service logd-reinit /system/bin/logd --reinit
           # One-shot `logd --reinit`; disabled, started by load_persist_props_action above.
  192.     oneshot
  193.     writepid /dev/cpuset/system-background/tasks
  194.     disabled
  195.  
  196. service healthd /sbin/healthd
           # Declared with its own SELinux label and groups root/system, but `disabled` here.
           # servicemanager still lists it under `onrestart restart healthd`.
  197.     class core
  198.     critical
  199.     seclabel u:r:healthd:s0
  200.     group root system
  201. # Not used by Mer - spams logs and small battery drain
  202.     disabled
  203.  
  204. service console /system/bin/sh
           # Shell on the console device, running as user shell (groups shell, log) in the
           # u:r:shell:s0 domain. `disabled`: only the ro.debuggable=1 trigger below starts it.
  205.     class core
  206.     console
  207.     disabled
  208.     user shell
  209.     group shell log
  210.     seclabel u:r:shell:s0
  211.  
  212. on property:ro.debuggable=1
           # Debuggable builds get the console shell; other builds never start it from this file.
  213.     start console
  214.  
  215. # adbd is controlled via property triggers in init.<platform>.usb.rc
  216. service adbd /sbin/adbd --root_seclabel=u:r:su:s0
           # No `user` option, so init starts adbd as root, in the u:r:adbd:s0 domain.
           # --root_seclabel passes u:r:su:s0 to adbd as the context for root sessions
           # (NOTE(review): presumably only honoured on debuggable builds - confirm).
           # The control socket is 660 system:system; the service is `disabled` by default.
  217.     class core
  218.     socket adbd stream 660 system system
  219.     disabled
  220.     seclabel u:r:adbd:s0
  221.  
  222. # adbd on at boot in emulator
  223. on property:ro.kernel.qemu=1
           # NOTE(review): this starts adbd at boot without any USB/property gating; confirm
           # that ro.kernel.qemu is never set on production devices.
  224.     start adbd
  225.  
  226. service lmkd /system/bin/lmkd
           # Low-memory killer daemon with a 0660 system:system control socket; `disabled`
           # in this file, so it is not started with class core.
  227.     class core
  228.     socket lmkd seqpacket 0660 system system
  229.     writepid /dev/cpuset/system-background/tasks
  230.     disabled
  231.  
  232.  
  233. service servicemanager /system/bin/servicemanager
           # Runs as system:system and is marked critical. When it restarts, init also
           # restarts healthd and the three mini* services defined below; the stock Android
           # restart targets (zygote, media, surfaceflinger, drm) are commented out.
  234.     class core
  235.     user system
  236.     group system
  237.     critical
  238.     onrestart restart healthd
  239.     onrestart restart minimedia
  240.     onrestart restart minisf
  241.     onrestart restart miniaf
  242. #    onrestart restart zygote
  243. #    onrestart restart media
  244. #    onrestart restart surfaceflinger
  245. #    onrestart restart drm
  246.  
  247. service minimedia /usr/libexec/droid-hybris/system/bin/minimediaservice
           # The three mini* services run binaries from /usr/libexec/droid-hybris rather than
           # /system/bin (presumably shipped by the host side - confirm). None runs as root:
           # each has an explicit user and only the groups listed.
  248.     class main
  249.     user media
  250.     group audio camera
  251.     ioprio rt 4
  252.  
  253. service minisf /usr/libexec/droid-hybris/system/bin/minisfservice
  254.     class main
  255.     user system
  256.     group graphics
  257.  
  258. service miniaf /usr/libexec/droid-hybris/system/bin/miniafservice
  259.     class main
  260.     user system
  261.     group audio
  262.  
  263. service vold /system/bin/vold \
  264.         --blkid_context=u:r:blkid:s0 --blkid_untrusted_context=u:r:blkid_untrusted:s0 \
  265.         --fsck_context=u:r:fsck:s0 --fsck_untrusted_context=u:r:fsck_untrusted:s0
           # The command line hands vold separate SELinux contexts for blkid/fsck on trusted
           # and untrusted media. Both sockets are 0660 root:mount. No `user` option (root).
           # `disabled` here; the defaultcrypto/encrypt services below talk to vold via vdc.
  266.     class core
  267.     socket vold stream 0660 root mount
  268.     socket cryptd stream 0660 root mount
  269.     ioprio be 2
  270.     # Not used in Mer
  271.     disabled
  272.  
  273. # Disabled in Mer: conflicts with connman beyond usability
  274. # This will no longer work for mako: `ndc softap fwreload wlan0 AP` to reload mako firmware
  275. # mako (and similar fwreload) porters need to seek for alternative solution, see NEMO#793
  276. service netd /system/bin/netd
           # No `user` option (root). Four 0660 sockets, group system or inet. `disabled`.
  277.     class main
  278.     socket netd stream 0660 root system
  279.     socket dnsproxyd stream 0660 root inet
  280.     socket mdns stream 0660 root system
  281.     socket fwmarkd stream 0660 root inet
  282.     disabled
  283.  
  284. service debuggerd /system/bin/debuggerd
           # Neither debuggerd service sets user, group or seclabel, so init starts both as
           # root; they are enabled and start with class main.
  285.     class main
  286.     writepid /dev/cpuset/system-background/tasks
  287.  
  288. service debuggerd64 /system/bin/debuggerd64
  289.     class main
  290.     writepid /dev/cpuset/system-background/tasks
  291.  
  292. service ril-daemon /system/bin/rild
           # Enabled, explicitly `user root`, with seven supplementary groups and three
           # sockets (rild, sap_uim_socket1, rild-debug), all mode 660.
           # NOTE(review): this is the widest privilege set of any enabled service in this
           # listing; check whether the vendor rild drops privileges after start.
  293.     class main
  294.     socket rild stream 660 root radio
  295.     socket sap_uim_socket1 stream 660 bluetooth bluetooth
  296.     socket rild-debug stream 660 radio system
  297.     user root
  298.     group radio cache inet misc audio log qcom_diag
  299.  
  300. # Disabled in Mer - used only during porting atm
  301. service surfaceflinger /system/bin/surfaceflinger
           # Runs as system with groups graphics/drmrpc when started by hand; `disabled`.
  302.     class core
  303.     user system
  304.     group graphics drmrpc
  305.     onrestart restart zygote
  306.     disabled
  307.  
  308. service drm /system/bin/drmserver
           # Runs as user drm. Unlike media and keystore below it has no `disabled` option,
           # so it starts with class main.
  309.     class main
  310.     user drm
  311.     group drm system inet drmrpc
  312.  
  313. # Disabled in Mer
  314. service media /system/bin/mediaserver
           # Would run as user media with nine supplementary groups; `disabled` here
           # (minimedia above is the enabled media service in this file).
  315.     class main
  316.     user media
  317.     group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm qcom_diag
  318.     ioprio rt 4
  319.     disabled
  320.  
  321. # One shot invocation to deal with encrypted volume.
  322. service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
           # Both crypto one-shots call vdc, the command-line client for vold's socket.
           # NOTE(review): vold is `disabled` in this file, so these presumably cannot
           # complete if they are ever started - confirm.
  323.     disabled
  324.     oneshot
  325.     # vold will set vold.decrypt to trigger_restart_framework (default
  326.     # encryption) or trigger_restart_min_framework (other encryption)
  327.  
  328. # One shot invocation to encrypt unencrypted volumes
  329. service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default noui
  330.     disabled
  331.     oneshot
  332.     # vold will set vold.decrypt to trigger_restart_framework (default
  333.     # encryption)
  334.  
  335. service bootanim /system/bin/bootanimation
           # Boot animation, user graphics with groups graphics/audio; disabled one-shot.
  336.     class core
  337.     user graphics
  338.     group graphics audio
  339.     disabled
  340.     oneshot
  341.     writepid /dev/cpuset/system-background/tasks
  342.  
  343. service gatekeeperd /system/bin/gatekeeperd /data/misc/gatekeeper
           # Takes the 0700 system:system directory created in post-fs-data as its argument
           # and runs as user system; `disabled` in this file.
  344.     class late_start
  345.     user system
  346.     disabled
  347.  
  348. service installd /system/bin/installd
           # Enabled, no `user` option (root). Its socket is 600 system:system, so only uid
           # system can connect.
  349.     class main
  350.     socket installd stream 600 system system
  351.  
  352. service flash_recovery /system/bin/install-recovery.sh
           # Disabled one-shot that runs a shell script from /system; no `user` option, so
           # it runs as root. Only the persist.sys.recovery_update trigger below starts it.
  353.     class main
  354.     oneshot
  355.     disabled
  356.  
  357. # update recovery if enabled
  358. on property:persist.sys.recovery_update=true
           # NOTE(review): a persistent property gates a root script that presumably
           # rewrites the recovery image (going by the service name); confirm who may set
           # the property and that the script sits on a read-only /system.
  359.     start flash_recovery
  360.  
  361. service racoon /system/bin/racoon
           # VPN (IKE) daemon; disabled one-shot. No `user` option: it starts as root and,
           # per the comment below, changes to uid vpn itself after binding its port.
  362.     class main
  363.     socket racoon stream 600 system system
  364.     # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
  365.     group vpn net_admin inet
  366.     disabled
  367.     oneshot
  368.  
  369. service mtpd /system/bin/mtpd
           # Disabled one-shot started as user vpn (not root) with the network groups listed;
           # its control socket is 600 system:system.
  370.     class main
  371.     socket mtpd stream 600 system system
  372.     user vpn
  373.     group vpn net_admin inet net_raw
  374.     disabled
  375.     oneshot
  376.  
  377. # disabled in Mer
  378. service keystore /system/bin/keystore /data/misc/keystore
           # Would run as user keystore on the 0700 directory created in post-fs-data;
           # `disabled`, so no keystore daemon is started from this file.
  379.     class main
  380.     user keystore
  381.     group keystore drmrpc
  382.     # Not used in Mer
  383.     disabled
  384.  
  385. service dumpstate /system/bin/dumpstate -s
           # Disabled one-shot; no `user` option (root). Its socket is 0660 shell:log, so
           # uid shell and group log can connect to it.
  386.     class main
  387.     socket dumpstate stream 0660 shell log
  388.     disabled
  389.     oneshot
  390.  
  391. service uncrypt /system/bin/uncrypt
           # Disabled; no `user` option, so it runs as root when started by name.
  392.     class main
  393.     disabled
  394.  
  395. # This trigger is run by our modified init after boot has finished
  396. on ready
           # Starts every service in class `mer` (in this file: droid_init_done).
  397.     class_start mer
  398.  
  399. # Notify Mer's systemd that we're done
  400. # This is started at the end of boot after both core and main classes
  401. service droid_init_done /bin/sh /usr/bin/droid/droid-init-done.sh
           # Runs a script from /usr/bin/droid with /bin/sh, not /system/bin/sh. No `user`
           # option, so the script runs as root.
  402.     class mer
  403.     oneshot
  404.  
  405. service pre-recovery /system/bin/uncrypt --reboot
           # Same binary as the uncrypt service, with --reboot; disabled one-shot, root.
  406.     class main
  407.     disabled
  408.     oneshot
  409.  
  410. service perfprofd /system/xbin/perfprofd
           # Explicitly `user root`, not disabled, in class late_start.
           # NOTE(review): nothing in this listing issues `class_start late_start`, so
           # whether it runs depends on the imported rc files - confirm. If it does run, a
           # root profiler on every boot is worth restricting to debuggable builds.
  411.     class late_start
  412.     user root
  413.     oneshot
  414.     writepid /dev/cpuset/system-background/tasks
  415.  
  416. on property:persist.logd.logpersistd=logcatd
           # Persistent logging: create the log directory, run logcat once with -L, then
           # start the logcatd service. In `exec - logd log -- ...` the `-` keeps the default
           # SELinux context and the command runs as uid logd, gid log.
  417.     # all exec/services are called with umask(077), so no gain beyond 0700
  418.     mkdir /data/misc/logd 0700 logd log
  419.     # logd for write to /data/misc/logd, log group for read from pstore (-L)
  420.     exec - logd log -- /system/bin/logcat -L -b all -v threadtime -v usec -v printable -D -f /data/misc/logd/logcat -r 1024 -n 256
  421.     start logcatd
  422.  
  423. service logcatd /system/bin/logcat -b all -v threadtime -v usec -v printable -D -f /data/misc/logd/logcat -r 1024 -n 256
           # Writes all log buffers (-b all) to /data/misc/logd/logcat with rotation
           # (-r 1024 -n 256). Runs as user logd, group log; the 0700 logd-owned directory
           # keeps the stored logs away from other uids.
  424.     class late_start
  425.     disabled
  426.     # logd for write to /data/misc/logd, log group for read from log daemon
  427.     user logd
  428.     group log
  429.     writepid /dev/cpuset/system-background/tasks