Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Copyright (C) 2012 The Android Open Source Project
- #
- # IMPORTANT: Do not create world writable files or directories.
- # This is a common source of Android security bugs.
- #
- # this file is only necessary if your device is 32 bit and it is
- # using the android kernel logger if your device is 64 bit defining
- # LD_LIBRARY_PATH will break some binaries, since you cannot have both
- # 32 bit libraries and 64 bit libraries in your LD_LIBRARY_PATH.
- import /init.extraenv.${ro.product.cpu.abi}.rc
- import /init.environ.rc
- # Mer handles usb stuff
- #import /system/etc/init/hw/init.usb.rc
- import /init.${ro.hardware}.rc
- import /vendor/etc/init/hw/init.${ro.hardware}.rc
- #import /system/etc/init/hw/init.usb.configfs.rc
- import /usr/libexec/droid-hybris/system/etc/init/hw/init.${ro.zygote}.rc
- # Cgroups are mounted right before early-init using list from /etc/cgroups.json
- on early-init
- # Disable sysrq from keyboard
- write /proc/sys/kernel/sysrq 0
- # Android doesn't need kernel module autoloading, and it causes SELinux
- # denials. So disable it by setting modprobe to the empty string. Note: to
- # explicitly set a sysctl to an empty string, a trailing newline is needed.
- write /proc/sys/kernel/modprobe \n
- # Set the security context of /adb_keys if present.
- restorecon /adb_keys
- # Set the security context of /postinstall if present.
- restorecon /postinstall
- mkdir /acct/uid
- # symlink the Android specific /dev/tun to Linux expected /dev/net/tun
- mkdir /dev/net 0755 root root
- symlink ../tun /dev/net/tun
- # set RLIMIT_NICE to allow priorities from 19 to -20
- setrlimit nice 40 40
- # Allow up to 32K FDs per process
- setrlimit nofile 32768 32768
- # Set up linker config subdirectories based on mount namespaces
- mkdir /linkerconfig/bootstrap 0755
- mkdir /linkerconfig/default 0755
- # Disable dm-verity hash prefetching, since it doesn't help performance
- # Read more in b/136247322
- write /sys/module/dm_verity/parameters/prefetch_cluster 0
- # Generate ld.config.txt for early executed processes
- exec -- /system/bin/linkerconfig --target /linkerconfig/bootstrap
- chmod 644 /linkerconfig/bootstrap/ld.config.txt
- copy /linkerconfig/bootstrap/ld.config.txt /linkerconfig/default/ld.config.txt
- chmod 644 /linkerconfig/default/ld.config.txt
- # Mount bootstrap linker configuration as current
- # Removed during droid-hal-device build : mount none /linkerconfig/bootstrap /linkerconfig bind rec
- #start ueventd
- # Run apexd-bootstrap so that APEXes that provide critical libraries
- # become available. Note that this is executed as exec_start to ensure that
- # the libraries are available to the processes started after this statement.
- exec_start apexd-bootstrap
- # Generate linker config based on apex mounted in bootstrap namespace
- update_linker_config
- # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
- mkdir /dev/boringssl 0755 root root
- mkdir /dev/boringssl/selftest 0755 root root
- # Mount tracefs
- # Removed during droid-hal-device build : mount tracefs tracefs /sys/kernel/tracing
- setprop ro.cold_boot_done true
- # Run boringssl self test for each ABI so that later processes can skip it. http://b/139348610
- on early-init && property:ro.product.cpu.abilist32=*
- exec_start boringssl_self_test32
- on early-init && property:ro.product.cpu.abilist64=*
- exec_start boringssl_self_test64
- on property:apexd.status=ready && property:ro.product.cpu.abilist32=*
- exec_start boringssl_self_test_apex32
- on property:apexd.status=ready && property:ro.product.cpu.abilist64=*
- exec_start boringssl_self_test_apex64
- service boringssl_self_test32 /system/bin/boringssl_self_test32
- setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
- reboot_on_failure reboot,boringssl-self-check-failed
- stdio_to_kmsg
- service boringssl_self_test64 /system/bin/boringssl_self_test64
- setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
- reboot_on_failure reboot,boringssl-self-check-failed
- stdio_to_kmsg
- service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32
- setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
- reboot_on_failure reboot,boringssl-self-check-failed
- stdio_to_kmsg
- service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64
- setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
- reboot_on_failure reboot,boringssl-self-check-failed
- stdio_to_kmsg
- on init
- sysclktz 0
- # Mix device-specific information into the entropy pool
- copy /proc/cmdline /dev/urandom
- copy /system/etc/prop.default /dev/urandom
- symlink /proc/self/fd/0 /dev/stdin
- symlink /proc/self/fd/1 /dev/stdout
- symlink /proc/self/fd/2 /dev/stderr
- # Create energy-aware scheduler tuning nodes
- mkdir /dev/stune/foreground
- mkdir /dev/stune/background
- mkdir /dev/stune/top-app
- mkdir /dev/stune/rt
- chown system system /dev/stune
- chown system system /dev/stune/foreground
- chown system system /dev/stune/background
- chown system system /dev/stune/top-app
- chown system system /dev/stune/rt
- chown system system /dev/stune/tasks
- chown system system /dev/stune/foreground/tasks
- chown system system /dev/stune/background/tasks
- chown system system /dev/stune/top-app/tasks
- chown system system /dev/stune/rt/tasks
- chmod 0664 /dev/stune/tasks
- chmod 0664 /dev/stune/foreground/tasks
- chmod 0664 /dev/stune/background/tasks
- chmod 0664 /dev/stune/top-app/tasks
- chmod 0664 /dev/stune/rt/tasks
- # Create an stune group for NNAPI HAL processes
- mkdir /dev/stune/nnapi-hal
- chown system system /dev/stune/nnapi-hal
- chown system system /dev/stune/nnapi-hal/tasks
- chmod 0664 /dev/stune/nnapi-hal/tasks
- write /dev/stune/nnapi-hal/schedtune.boost 1
- write /dev/stune/nnapi-hal/schedtune.prefer_idle 1
- # Create blkio group and apply initial settings.
- # This feature needs kernel to support it, and the
- # device's init.rc must actually set the correct values.
- mkdir /dev/blkio/background
- chown system system /dev/blkio
- chown system system /dev/blkio/background
- chown system system /dev/blkio/tasks
- chown system system /dev/blkio/background/tasks
- chmod 0664 /dev/blkio/tasks
- chmod 0664 /dev/blkio/background/tasks
- write /dev/blkio/blkio.weight 1000
- write /dev/blkio/background/blkio.weight 200
- write /dev/blkio/blkio.group_idle 0
- write /dev/blkio/background/blkio.group_idle 0
- restorecon_recursive /mnt
- # Removed during droid-hal-device build : mount configfs none /config nodev noexec nosuid
- chmod 0770 /config/sdcardfs
- chown system package_info /config/sdcardfs
- # Mount binderfs
- mkdir /dev/binderfs
- # Removed during droid-hal-device build : mount binder binder /dev/binderfs stats=global
- chmod 0755 /dev/binderfs
- # Mount fusectl
- # Removed during droid-hal-device build : mount fusectl none /sys/fs/fuse/connections
- symlink /dev/binderfs/binder /dev/binder
- symlink /dev/binderfs/hwbinder /dev/hwbinder
- symlink /dev/binderfs/vndbinder /dev/vndbinder
- chmod 0666 /dev/binderfs/hwbinder
- chmod 0666 /dev/binderfs/binder
- chmod 0666 /dev/binderfs/vndbinder
- mkdir /mnt/secure 0700 root root
- mkdir /mnt/secure/asec 0700 root root
- mkdir /mnt/asec 0755 root system
- mkdir /mnt/obb 0755 root system
- mkdir /mnt/media_rw 0750 root external_storage
- mkdir /mnt/user 0755 root root
- mkdir /mnt/user/0 0755 root root
- mkdir /mnt/user/0/self 0755 root root
- mkdir /mnt/user/0/emulated 0755 root root
- mkdir /mnt/user/0/emulated/0 0755 root root
- # Prepare directories for pass through processes
- mkdir /mnt/pass_through 0700 root root
- mkdir /mnt/pass_through/0 0710 root media_rw
- mkdir /mnt/pass_through/0/self 0710 root media_rw
- mkdir /mnt/pass_through/0/emulated 0710 root media_rw
- mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw
- mkdir /mnt/expand 0771 system system
- mkdir /mnt/appfuse 0711 root root
- # Storage views to support runtime permissions
- mkdir /mnt/runtime 0700 root root
- mkdir /mnt/runtime/default 0755 root root
- mkdir /mnt/runtime/default/self 0755 root root
- mkdir /mnt/runtime/read 0755 root root
- mkdir /mnt/runtime/read/self 0755 root root
- mkdir /mnt/runtime/write 0755 root root
- mkdir /mnt/runtime/write/self 0755 root root
- mkdir /mnt/runtime/full 0755 root root
- mkdir /mnt/runtime/full/self 0755 root root
- # Symlink to keep legacy apps working in multi-user world
- symlink /storage/self/primary /mnt/sdcard
- symlink /mnt/user/0/primary /mnt/runtime/default/self/primary
- write /proc/sys/kernel/panic_on_oops 1
- write /proc/sys/kernel/hung_task_timeout_secs 0
- #write /proc/cpu/alignment 4
- # scheduler tunables
- # Disable auto-scaling of scheduler tunables with hotplug. The tunables
- # will vary across devices in unpredictable ways if allowed to scale with
- # cpu cores.
- write /proc/sys/kernel/sched_tunable_scaling 0
- write /proc/sys/kernel/sched_latency_ns 10000000
- write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
- write /proc/sys/kernel/sched_child_runs_first 0
- write /proc/sys/kernel/randomize_va_space 2
- write /proc/sys/vm/mmap_min_addr 32768
- write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
- write /proc/sys/net/unix/max_dgram_qlen 600
- write /proc/sys/kernel/sched_rt_runtime_us 950000
- write /proc/sys/kernel/sched_rt_period_us 1000000
- # Assign reasonable ceiling values for socket rcv/snd buffers.
- # These should almost always be overridden by the target per the
- # the corresponding technology maximums.
- write /proc/sys/net/core/rmem_max 262144
- write /proc/sys/net/core/wmem_max 262144
- # reflect fwmark from incoming packets onto generated replies
- write /proc/sys/net/ipv4/fwmark_reflect 1
- write /proc/sys/net/ipv6/fwmark_reflect 1
- # set fwmark on accepted sockets
- write /proc/sys/net/ipv4/tcp_fwmark_accept 1
- # disable icmp redirects
- write /proc/sys/net/ipv4/conf/all/accept_redirects 0
- write /proc/sys/net/ipv6/conf/all/accept_redirects 0
- # /proc/net/fib_trie leaks interface IP addresses
- chmod 0400 /proc/net/fib_trie
- # Create cgroup mount points for process groups
- chown system system /dev/cpuctl
- chown system system /dev/cpuctl/tasks
- chmod 0666 /dev/cpuctl/tasks
- write /dev/cpuctl/cpu.rt_period_us 1000000
- write /dev/cpuctl/cpu.rt_runtime_us 950000
- # sets up initial cpusets for ActivityManager
- # this ensures that the cpusets are present and usable, but the device's
- # init.rc must actually set the correct cpus
- mkdir /dev/cpuset/foreground
- copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus
- copy /dev/cpuset/mems /dev/cpuset/foreground/mems
- mkdir /dev/cpuset/background
- copy /dev/cpuset/cpus /dev/cpuset/background/cpus
- copy /dev/cpuset/mems /dev/cpuset/background/mems
- # system-background is for system tasks that should only run on
- # little cores, not on bigs
- # to be used only by init, so don't change system-bg permissions
- mkdir /dev/cpuset/system-background
- copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus
- copy /dev/cpuset/mems /dev/cpuset/system-background/mems
- # restricted is for system tasks that are being throttled
- # due to screen off.
- mkdir /dev/cpuset/restricted
- copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus
- copy /dev/cpuset/mems /dev/cpuset/restricted/mems
- mkdir /dev/cpuset/top-app
- copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus
- copy /dev/cpuset/mems /dev/cpuset/top-app/mems
- # change permissions for all cpusets we'll touch at runtime
- chown system system /dev/cpuset
- chown system system /dev/cpuset/foreground
- chown system system /dev/cpuset/background
- chown system system /dev/cpuset/system-background
- chown system system /dev/cpuset/top-app
- chown system system /dev/cpuset/restricted
- chown system system /dev/cpuset/tasks
- chown system system /dev/cpuset/foreground/tasks
- chown system system /dev/cpuset/background/tasks
- chown system system /dev/cpuset/system-background/tasks
- chown system system /dev/cpuset/top-app/tasks
- chown system system /dev/cpuset/restricted/tasks
- # set system-background to 0775 so SurfaceFlinger can touch it
- chmod 0775 /dev/cpuset/system-background
- chmod 0664 /dev/cpuset/foreground/tasks
- chmod 0664 /dev/cpuset/background/tasks
- chmod 0664 /dev/cpuset/system-background/tasks
- chmod 0664 /dev/cpuset/top-app/tasks
- chmod 0664 /dev/cpuset/restricted/tasks
- chmod 0664 /dev/cpuset/tasks
- # make the PSI monitor accessible to others
- chown system system /proc/pressure/memory
- chmod 0664 /proc/pressure/memory
- # qtaguid will limit access to specific data based on group memberships.
- # net_bw_acct grants impersonation of socket owners.
- # net_bw_stats grants access to other apps' detailed tagged-socket stats.
- chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
- chown root net_bw_stats /proc/net/xt_qtaguid/stats
- # Allow everybody to read the xt_qtaguid resource tracking misc dev.
- # This is needed by any process that uses socket tagging.
- chmod 0644 /dev/xt_qtaguid
- # Removed during droid-hal-device build : mount bpf bpf /sys/fs/bpf nodev noexec nosuid
- # Create location for fs_mgr to store abbreviated output from filesystem
- # checker programs.
- mkdir /dev/fscklogs 0770 root system
- # pstore/ramoops previous console log
- # Removed during droid-hal-device build : mount pstore pstore /sys/fs/pstore nodev noexec nosuid
- chown system log /sys/fs/pstore
- chmod 0550 /sys/fs/pstore
- chown system log /sys/fs/pstore/console-ramoops
- chmod 0440 /sys/fs/pstore/console-ramoops
- chown system log /sys/fs/pstore/console-ramoops-0
- chmod 0440 /sys/fs/pstore/console-ramoops-0
- chown system log /sys/fs/pstore/pmsg-ramoops-0
- chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
- # enable armv8_deprecated instruction hooks
- write /proc/sys/abi/swp 1
- # Linux's execveat() syscall may construct paths containing /dev/fd
- # expecting it to point to /proc/self/fd
- symlink /proc/self/fd /dev/fd
- export DOWNLOAD_CACHE /data/cache
- # This allows the ledtrig-transient properties to be created here so
- # that they can be chown'd to system:system later on boot
- write /sys/class/leds/vibrator/trigger "transient"
- # This is used by Bionic to select optimized routines.
- write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant}
- chmod 0444 /dev/cpu_variant:${ro.bionic.arch}
- write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}
- chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}
- # Allow system processes to read / write power state.
- chown system system /sys/power/state
- chown system system /sys/power/wakeup_count
- chmod 0660 /sys/power/state
- chown radio wakelock /sys/power/wake_lock
- chown radio wakelock /sys/power/wake_unlock
- chmod 0660 /sys/power/wake_lock
- chmod 0660 /sys/power/wake_unlock
- # Start logd before any other services run to ensure we capture all of their logs.
- start logd
- # Start lmkd before any other services run so that it can register them
- chown root system /sys/module/lowmemorykiller/parameters/adj
- chmod 0664 /sys/module/lowmemorykiller/parameters/adj
- chown root system /sys/module/lowmemorykiller/parameters/minfree
- chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
- start lmkd
- # Start essential services.
- start servicemanager
- start hwservicemanager
- start vndservicemanager
- # Healthd can trigger a full boot from charger mode by signaling this
- # property when the power button is held.
- on property:sys.boot_from_charger_mode=1
- class_stop charger
- trigger late-init
- on load_persist_props_action
- load_persist_props
- start logd
- start logd-reinit
- # Indicate to fw loaders that the relevant mounts are up.
- on firmware_mounts_complete
- rm /dev/.booting
- # Mount filesystems and start core system services.
- on late-init
- trigger early-fs
- # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
- # '--early' can be specified to skip entries with 'latemount'.
- # /system and /vendor must be mounted by the end of the fs stage,
- # while /data is optional.
- trigger fs
- trigger post-fs
- # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
- # to only mount entries with 'latemount'. This is needed if '--early' is
- # specified in the previous mount_all command on the fs stage.
- # With /system mounted and properties form /system + /factory available,
- # some services can be started.
- trigger late-fs
- # Now we can mount /data. File encryption requires keymaster to decrypt
- # /data, which in turn can only be loaded when system properties are present.
- trigger post-fs-data
- # Load persist properties and override properties (if enabled) from /data.
- trigger load_persist_props_action
- # Should be before netd, but after apex, properties and logging is available.
- trigger load_bpf_programs
- # Now we can start zygote for devices with file based encryption
- trigger zygote-start
- # Remove a file to wake up anything waiting for firmware.
- trigger firmware_mounts_complete
- trigger early-boot
- trigger boot
- on early-fs
- # Once metadata has been mounted, we'll need vold to deal with userdata checkpointing
- #start vold
- on post-fs
- # exec - system system -- /system/bin/vdc checkpoint markBootAttempt
- # Once everything is setup, no need to modify /.
- # The bind+remount combination allows this to work in containers.
- # mount rootfs rootfs / remount bind ro nodev
- # Make sure /sys/kernel/debug (if present) is labeled properly
- # Note that tracefs may be mounted under debug, so we need to cross filesystems
- restorecon --recursive --cross-filesystems /sys/kernel/debug
- # We chown/chmod /cache again so because mount is run as root + defaults
- chown system cache /cache
- chmod 0770 /cache
- # We restorecon /cache in case the cache partition has been reset.
- restorecon_recursive /cache
- # Create /cache/recovery in case it's not there. It'll also fix the odd
- # permissions if created by the recovery system.
- mkdir /cache/recovery 0770 system cache
- # Backup/restore mechanism uses the cache partition
- mkdir /cache/backup_stage 0700 system system
- mkdir /cache/backup 0700 system system
- #change permissions on vmallocinfo so we can grab it from bugreports
- chown root log /proc/vmallocinfo
- chmod 0440 /proc/vmallocinfo
- chown root log /proc/slabinfo
- chmod 0440 /proc/slabinfo
- #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
- chown root system /proc/kmsg
- chmod 0440 /proc/kmsg
- chown root system /proc/sysrq-trigger
- chmod 0220 /proc/sysrq-trigger
- chown system log /proc/last_kmsg
- chmod 0440 /proc/last_kmsg
- # make the selinux kernel policy world-readable
- chmod 0444 /sys/fs/selinux/policy
- # create the lost+found directories, so as to enforce our permissions
- mkdir /cache/lost+found 0770 root root
- restorecon_recursive /metadata
- mkdir /metadata/vold
- chmod 0700 /metadata/vold
- mkdir /metadata/password_slots 0771 root system
- mkdir /metadata/bootstat 0750 system log
- mkdir /metadata/ota 0700 root system
- mkdir /metadata/ota/snapshots 0700 root system
- mkdir /metadata/apex 0700 root system
- mkdir /metadata/apex/sessions 0700 root system
- # On some devices we see a weird behaviour in which /metadata/apex doesn't
- # have a correct label. To workaround this bug, explicitly call restorecon
- # on /metadata/apex. For most of the boot sequences /metadata/apex will
- # already have a correct selinux label, meaning that this call will be a
- # no-op.
- restorecon_recursive /metadata/apex
- mkdir /metadata/staged-install 0770 root system
- on late-fs
- # Ensure that tracefs has the correct permissions.
- # This does not work correctly if it is called in post-fs.
- chmod 0755 /sys/kernel/tracing
- chmod 0755 /sys/kernel/debug/tracing
- # HALs required before storage encryption can get unlocked (FBE/FDE)
- class_start early_hal
- on post-fs-data
- mark_post_data
- # Start checkpoint before we touch data
- #exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint
- # We chown/chmod /data again so because mount is run as root + defaults
- chown system system /data
- chmod 0771 /data
- # We restorecon /data in case the userdata partition has been reset.
- restorecon /data
- # Make sure we have the device encryption key.
- # hybris continue bootup properly
- setprop vold.decrypt trigger_restart_min_framework
- installkey /data
- # Start bootcharting as soon as possible after the data partition is
- # mounted to collect more data.
- mkdir /data/bootchart 0755 shell shell encryption=Require
- bootchart start
- # Make sure that apexd is started in the default namespace
- enter_default_mount_ns
- # /data/apex is now available. Start apexd to scan and activate APEXes.
- mkdir /data/apex 0755 root system encryption=None
- mkdir /data/apex/active 0755 root system
- mkdir /data/apex/backup 0700 root system
- mkdir /data/apex/hashtree 0700 root system
- mkdir /data/apex/sessions 0700 root system
- mkdir /data/app-staging 0750 system system encryption=None
- start apexd
- # Avoid predictable entropy pool. Carry over entropy from previous boot.
- copy /data/system/entropy.dat /dev/urandom
- # create basic filesystem structure
- mkdir /data/misc 01771 system misc encryption=Require
- mkdir /data/misc/recovery 0770 system log
- copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
- chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
- chown system log /data/misc/recovery/ro.build.fingerprint.1
- write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint}
- chmod 0440 /data/misc/recovery/ro.build.fingerprint
- chown system log /data/misc/recovery/ro.build.fingerprint
- mkdir /data/misc/recovery/proc 0770 system log
- copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1
- chmod 0440 /data/misc/recovery/proc/version.1
- chown system log /data/misc/recovery/proc/version.1
- copy /proc/version /data/misc/recovery/proc/version
- chmod 0440 /data/misc/recovery/proc/version
- chown system log /data/misc/recovery/proc/version
- mkdir /data/misc/bluedroid 02770 bluetooth bluetooth
- # Fix the access permissions and group ownership for 'bt_config.conf'
- chmod 0660 /data/misc/bluedroid/bt_config.conf
- chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf
- mkdir /data/misc/bluetooth 0770 bluetooth bluetooth
- mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth
- mkdir /data/misc/credstore 0700 credstore credstore
- mkdir /data/misc/keystore 0700 keystore keystore
- mkdir /data/misc/gatekeeper 0700 system system
- mkdir /data/misc/keychain 0771 system system
- mkdir /data/misc/net 0750 root shell
- mkdir /data/misc/radio 0770 system radio
- mkdir /data/misc/sms 0770 system radio
- mkdir /data/misc/carrierid 0770 system radio
- mkdir /data/misc/apns 0770 system radio
- mkdir /data/misc/emergencynumberdb 0770 system radio
- mkdir /data/misc/zoneinfo 0775 system system
- mkdir /data/misc/network_watchlist 0774 system system
- mkdir /data/misc/textclassifier 0771 system system
- mkdir /data/misc/vpn 0770 system vpn
- mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
- mkdir /data/misc/systemkeys 0700 system system
- mkdir /data/misc/wifi 0770 wifi wifi
- mkdir /data/misc/wifi/sockets 0770 wifi wifi
- mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
- mkdir /data/misc/ethernet 0770 system system
- mkdir /data/misc/dhcp 0770 dhcp dhcp
- mkdir /data/misc/user 0771 root root
- # give system access to wpa_supplicant.conf for backup and restore
- chmod 0660 /data/misc/wifi/wpa_supplicant.conf
- mkdir /data/local 0751 root root encryption=Require
- mkdir /data/misc/media 0700 media media
- mkdir /data/misc/audioserver 0700 audioserver audioserver
- mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
- mkdir /data/misc/vold 0700 root root
- mkdir /data/misc/boottrace 0771 system shell
- mkdir /data/misc/update_engine 0700 root root
- mkdir /data/misc/update_engine_log 02750 root log
- mkdir /data/misc/trace 0700 root root
- # create location to store surface and window trace files
- mkdir /data/misc/wmtrace 0700 system system
- # profile file layout
- mkdir /data/misc/profiles 0771 system system
- mkdir /data/misc/profiles/cur 0771 system system
- mkdir /data/misc/profiles/ref 0770 system system
- mkdir /data/misc/profman 0770 system shell
- mkdir /data/misc/gcov 0770 root root
- mkdir /data/misc/installd 0700 root root
- mkdir /data/misc/apexdata 0711 root root
- mkdir /data/misc/apexrollback 0700 root root
- mkdir /data/misc/snapshotctl_log 0755 root root
- # create location to store pre-reboot information
- mkdir /data/misc/prereboot 0700 system system
- mkdir /data/preloads 0775 system system encryption=None
- mkdir /data/vendor 0771 root root encryption=Require
- mkdir /data/vendor_ce 0771 root root encryption=None
- mkdir /data/vendor_de 0771 root root encryption=None
- mkdir /data/vendor/hardware 0771 root root
- # For security reasons, /data/local/tmp should always be empty.
- # Do not place files or directories in /data/local/tmp
- mkdir /data/local/tmp 0771 shell shell
- mkdir /data/local/traces 0777 shell shell
- mkdir /data/data 0771 system system encryption=None
- mkdir /data/app-private 0771 system system encryption=Require
- mkdir /data/app-ephemeral 0771 system system encryption=Require
- mkdir /data/app-asec 0700 root root encryption=Require
- mkdir /data/app-lib 0771 system system encryption=Require
- mkdir /data/app 0771 system system encryption=Require
- mkdir /data/property 0700 root root encryption=Require
- mkdir /data/tombstones 0771 system system encryption=Require
- mkdir /data/vendor/tombstones 0771 root root
- mkdir /data/vendor/tombstones/wifi 0771 wifi wifi
- # create dalvik-cache, so as to enforce our permissions
- mkdir /data/dalvik-cache 0771 root root encryption=Require
- # create the A/B OTA directory, so as to enforce our permissions
- mkdir /data/ota 0771 root root encryption=Require
- # create the OTA package directory. It will be accessed by GmsCore (cache
- # group), update_engine and update_verifier.
- mkdir /data/ota_package 0770 system cache encryption=Require
- # create resource-cache and double-check the perms
- mkdir /data/resource-cache 0771 system system encryption=Require
- chown system system /data/resource-cache
- chmod 0771 /data/resource-cache
- # create the lost+found directories, so as to enforce our permissions
- mkdir /data/lost+found 0770 root root encryption=None
- # create directory for DRM plug-ins - give drm the read/write access to
- # the following directory.
- mkdir /data/drm 0770 drm drm encryption=Require
- # create directory for MediaDrm plug-ins - give drm the read/write access to
- # the following directory.
- mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require
- mkdir /data/anr 0775 system system encryption=Require
- # NFC: create data/nfc for nv storage
- mkdir /data/nfc 0770 nfc nfc encryption=Require
- mkdir /data/nfc/param 0770 nfc nfc
- # Create all remaining /data root dirs so that they are made through init
- # and get proper encryption policy installed
- mkdir /data/backup 0700 system system encryption=Require
- mkdir /data/ss 0700 system system encryption=Require
- mkdir /data/system 0775 system system encryption=Require
- mkdir /data/system/dropbox 0700 system system
- mkdir /data/system/heapdump 0700 system system
- mkdir /data/system/users 0775 system system
- mkdir /data/system_de 0770 system system encryption=None
- mkdir /data/system_ce 0770 system system encryption=None
- mkdir /data/misc_de 01771 system misc encryption=None
- mkdir /data/misc_ce 01771 system misc encryption=None
- mkdir /data/user 0711 system system encryption=None
- mkdir /data/user_de 0711 system system encryption=None
- # Unlink /data/user/0 if we previously symlink it to /data/data
- rm /data/user/0
- # Bind mount /data/user/0 to /data/data
- mkdir /data/user/0 0700 system system encryption=None
- # Removed during droid-hal-device build : mount none /data/data /data/user/0 bind rec
- # A tmpfs directory, which will contain all apps CE DE data directory that
- # bind mount from the original source.
- # Removed during droid-hal-device build : mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
- restorecon /data_mirror
- mkdir /data_mirror/data_ce 0700 root root
- mkdir /data_mirror/data_de 0700 root root
- # Create CE and DE data directory for default volume
- mkdir /data_mirror/data_ce/null 0700 root root
- mkdir /data_mirror/data_de/null 0700 root root
- # Bind mount CE and DE data directory to mirror's default volume directory
- # Removed during droid-hal-device build : mount none /data/user /data_mirror/data_ce/null bind rec
- # Removed during droid-hal-device build : mount none /data/user_de /data_mirror/data_de/null bind rec
- # Create mirror directory for jit profiles
- mkdir /data_mirror/cur_profiles 0700 root root
- # Removed during droid-hal-device build : mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec
- mkdir /data/cache 0770 system cache encryption=Require
- mkdir /data/cache/recovery 0770 system cache
- mkdir /data/cache/backup_stage 0700 system system
- mkdir /data/cache/backup 0700 system system
- # Delete these if need be, per b/139193659
- mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary
- mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary
- # Create root dir for Incremental Service
- mkdir /data/incremental 0771 system system encryption=Require
- # Create directories for statsd
- mkdir /data/misc/stats-active-metric/ 0770 statsd system
- mkdir /data/misc/stats-data/ 0770 statsd system
- mkdir /data/misc/stats-metadata/ 0770 statsd system
- mkdir /data/misc/stats-service/ 0770 statsd system
- mkdir /data/misc/train-info/ 0770 statsd system
- # Wait for apexd to finish activating APEXes before starting more processes.
- wait_for_prop apexd.status activated
- perform_apex_config
- # Special-case /data/media/obb per b/64566063
- mkdir /data/media 0770 media_rw media_rw encryption=None
- exec - media_rw media_rw -- /system/bin/chattr +F /data/media
- mkdir /data/media/obb 0770 media_rw media_rw encryption=Attempt
- exec_start derive_sdk
- #init_user0
- # Allow apexd to snapshot and restore device encrypted apex data in the case
- # of a rollback. This should be done immediately after DE_user data keys
- # are loaded. APEXes should not access this data until this has been
- # completed and apexd.status becomes "ready".
- exec_start apexd-snapshotde
- # Set SELinux security contexts on upgrade or policy update.
- restorecon --recursive --skip-ce /data
- # Check any timezone data in /data is newer than the copy in the time zone data
- # module, delete if not.
- exec - system system -- /system/bin/tzdatacheck /apex/com.android.tzdata/etc/tz /data/misc/zoneinfo
- # If there is no post-fs-data action in the init.<device>.rc file, you
- # must uncomment this line, otherwise encrypted filesystems
- # won't work.
- # Set indication (checked by vold) that we have finished this action
- #setprop vold.post_fs_data_done 1
- # sys.memfd_use set to false by default, which keeps it disabled
- # until it is confirmed that apps and vendor processes don't make
- # IOCTLs on ashmem fds any more.
- setprop sys.use_memfd false
- # Set fscklog permission
- chown root system /dev/fscklogs/log
- chmod 0770 /dev/fscklogs/log
- # Enable FUSE by default
- setprop persist.sys.fuse true
- # Switch between sdcardfs and FUSE depending on persist property
- # TODO: Move this to ro property before launch because FDE devices
- # interact with persistent properties differently during boot
- on zygote-start && property:persist.sys.fuse=true
- # Mount default storage into root namespace
- # Removed during droid-hal-device build : mount none /mnt/user/0 /storage bind rec
- # Removed during droid-hal-device build : mount none none /storage slave rec
- on zygote-start && property:persist.sys.fuse=false
- # Mount default storage into root namespace
- # Removed during droid-hal-device build : mount none /mnt/runtime/default /storage bind rec
- # Removed during droid-hal-device build : mount none none /storage slave rec
- on zygote-start && property:persist.sys.fuse=""
- # Mount default storage into root namespace
- # Removed during droid-hal-device build : mount none /mnt/runtime/default /storage bind rec
- # Removed during droid-hal-device build : mount none none /storage slave rec
- # It is recommended to put unnecessary data/ initialization from post-fs-data
- # to start-zygote in device's init.rc to unblock zygote start.
- on zygote-start && property:ro.crypto.state=unencrypted
- # A/B update verifier that marks a successful boot.
- exec_start update_verifier_nonencrypted
- start statsd
- start netd
- start zygote
- start zygote_secondary
- on zygote-start && property:ro.crypto.state=unsupported
- # A/B update verifier that marks a successful boot.
- exec_start update_verifier_nonencrypted
- start statsd
- start netd
- start zygote
- start zygote_secondary
- on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file
- # A/B update verifier that marks a successful boot.
- exec_start update_verifier_nonencrypted
- start statsd
- start netd
- start zygote
- start zygote_secondary
- on boot
- # basic network init
- ifup lo
- # Conflicts with Mer
- #hostname localhost
- #domainname localdomain
- # IPsec SA default expiration length
- write /proc/sys/net/core/xfrm_acq_expires 3600
- # Memory management. Basic kernel parameters, and allow the high
- # level system server to be able to adjust the kernel OOM driver
- # parameters to match how it is managing things.
- write /proc/sys/vm/overcommit_memory 1
- write /proc/sys/vm/min_free_order_shift 4
- # System server manages zram writeback
- chown root system /sys/block/zram0/idle
- chmod 0664 /sys/block/zram0/idle
- chown root system /sys/block/zram0/writeback
- chmod 0664 /sys/block/zram0/writeback
- # Tweak background writeout
- write /proc/sys/vm/dirty_expire_centisecs 200
- write /proc/sys/vm/dirty_background_ratio 5
- # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs
- # to avoid power consumption when system becomes mostly idle. Be careful
- # to make it too large, since it may bring userdata loss, if they
- # are not aware of using fsync()/sync() to prepare sudden power-cut.
- write /sys/fs/f2fs/${dev.mnt.blk.data}/cp_interval 200
- write /sys/fs/f2fs/${dev.mnt.blk.data}/gc_urgent_sleep_time 50
- write /sys/fs/f2fs/${dev.mnt.blk.data}/iostat_enable 1
- # limit discard size to 128MB in order to avoid long IO latency
- # for filesystem tuning first (dm or sda)
- # Note that, if dm-<num> is used, sda/mmcblk0 should be tuned in vendor/init.rc
- write /sys/devices/virtual/block/${dev.mnt.blk.data}/queue/discard_max_bytes 134217728
- # Permissions for System Server and daemons.
- chown system system /sys/power/autosleep
- chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
- chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
- chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
- chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
- chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
- chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
- chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
- chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
- chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
- chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
- chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
- chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
- chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
- # Assume SMP uses shared cpufreq policy for all CPUs
- chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
- chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
- # SailfishOS: allow input group to use vibrator
- chown system input /sys/class/leds/vibrator/activate
- chown system input /sys/class/leds/vibrator/duration
- chown system system /sys/class/leds/vibrator/trigger
- chown system system /sys/class/leds/vibrator/brightness
- chown system system /sys/class/leds/vibrator/state
- # SailfishOS: allow input group to use vibrator
- chown system input /sys/class/timed_output/vibrator/enable
- chown system system /sys/class/leds/keyboard-backlight/brightness
- chown system system /sys/class/leds/lcd-backlight/brightness
- chown system system /sys/class/leds/button-backlight/brightness
- chown system system /sys/class/leds/jogball-backlight/brightness
- chown system system /sys/class/leds/red/brightness
- chown system system /sys/class/leds/green/brightness
- chown system system /sys/class/leds/blue/brightness
- chown system system /sys/class/leds/red/device/grpfreq
- chown system system /sys/class/leds/red/device/grppwm
- chown system system /sys/class/leds/red/device/blink
- chown system system /sys/module/sco/parameters/disable_esco
- chown system system /sys/kernel/ipv4/tcp_wmem_min
- chown system system /sys/kernel/ipv4/tcp_wmem_def
- chown system system /sys/kernel/ipv4/tcp_wmem_max
- chown system system /sys/kernel/ipv4/tcp_rmem_min
- chown system system /sys/kernel/ipv4/tcp_rmem_def
- chown system system /sys/kernel/ipv4/tcp_rmem_max
- chown root radio /proc/cmdline
- # Define default initial receive window size in segments.
- setprop net.tcp.default_init_rwnd 60
- # Allow system group to trigger vibrator
- chmod 0664 /sys/class/timed_output/vibrator/enable
- # Start standard binderized HAL daemons
- class_start hal
- class_start core
- # Requires keystore (currently a core service) to be ready first.
- exec -- /system/bin/fsverity_init
- # Never gets called, since Mer does its own 'mount_all'
- on nonencrypted
- class_start main
- class_start late_start
- on property:sys.init_log_level=*
- loglevel ${sys.init_log_level}
- # Mer needs to set this property when fs units are mounted
- on property:droid.late_start=trigger_late_start
- class_start late_start
- on charger
- trigger late-init
- on property:vold.decrypt=trigger_load_persist_props
- load_persist_props
- start logd
- start logd-reinit
- on property:vold.decrypt=trigger_post_fs_data
- trigger post-fs-data
- trigger zygote-start
- on property:vold.decrypt=trigger_restart_min_framework
- # A/B update verifier that marks a successful boot.
- exec_start update_verifier
- class_start main
- on property:vold.decrypt=trigger_restart_framework
- # A/B update verifier that marks a successful boot.
- exec_start update_verifier
- class_start_post_data hal
- class_start_post_data core
- class_start main
- class_start late_start
- setprop service.bootanim.exit 0
- start bootanim
- on property:vold.decrypt=trigger_shutdown_framework
- class_reset late_start
- class_reset main
- class_reset_post_data core
- class_reset_post_data hal
- on property:sys.boot_completed=1
- bootchart stop
- # Setup per_boot directory so other .rc could start to use it on boot_completed
- exec - system system -- /bin/rm -rf /data/per_boot
- mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref
- # system server cannot write to /proc/sys files,
- # and chown/chmod does not work for /proc/sys/ entries.
- # So proxy writes through init.
- on property:sys.sysctl.extra_free_kbytes=*
- write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
- # "tcp_default_init_rwnd" Is too long!
- on property:sys.sysctl.tcp_def_init_rwnd=*
- write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
- # perf_event_open syscall security:
- # Newer kernels have the ability to control the use of the syscall via SELinux
- # hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
- # kernel has the hooks. In this case, the system-wide perf_event_paranoid
- # sysctl is set to -1 (unrestricted use), and the SELinux policy is used for
- # controlling access. On older kernels, the paranoid value is the only means of
- # controlling access. It is normally 3 (allow only root), but the shell user
- # can lower it to 1 (allowing thread-scoped pofiling) via security.perf_harden.
- on property:sys.init.perf_lsm_hooks=1
- write /proc/sys/kernel/perf_event_paranoid -1
- on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks=""
- write /proc/sys/kernel/perf_event_paranoid 1
- on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks=""
- write /proc/sys/kernel/perf_event_paranoid 3
- # Additionally, simpleperf profiler uses debug.* and security.perf_harden
- # sysprops to be able to indirectly set these sysctls.
- on property:security.perf_harden=0
- write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}
- write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25}
- write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516}
- # Default values.
- on property:security.perf_harden=1
- write /proc/sys/kernel/perf_event_max_sample_rate 100000
- write /proc/sys/kernel/perf_cpu_time_max_percent 25
- write /proc/sys/kernel/perf_event_mlock_kb 516
- # on shutdown
- # In device's init.rc, this trigger can be used to do device-specific actions
- # before shutdown. e.g disable watchdog and mask error handling
- ## Daemon processes to be run by init.
- ##
- service ueventd /system/bin/ueventd
- class core
- critical
- seclabel u:r:ueventd:s0
- shutdown critical
- #Not used by Mer
- disabled
- service console /system/bin/sh
- class core
- console
- disabled
- user shell
- group shell log readproc
- seclabel u:r:shell:s0
- setenv HOSTNAME console
- on property:ro.debuggable=1
- # Give writes to anyone for the trace folder on debug builds.
- # The folder is used to store method traces.
- chmod 0773 /data/misc/trace
- # Give reads to anyone for the window trace folder on debug builds.
- chmod 0775 /data/misc/wmtrace
- on init && property:ro.debuggable=1
- start console
- on userspace-reboot-requested
- # TODO(b/135984674): reset all necessary properties here.
- setprop sys.boot_completed ""
- setprop dev.bootcomplete ""
- setprop sys.init.updatable_crashing ""
- setprop sys.init.updatable_crashing_process_name ""
- setprop apexd.status ""
- setprop sys.user.0.ce_available ""
- setprop sys.shutdown.requested ""
- setprop service.bootanim.exit ""
- on userspace-reboot-fs-remount
- # Make sure that vold is running.
- # This is mostly a precaution measure in case vold for some reason wasn't running when
- # userspace reboot was initiated.
- #start vold
- #exec - system system -- /system/bin/vdc checkpoint resetCheckpoint
- #exec - system system -- /system/bin/vdc checkpoint markBootAttempt
- # Unmount /data_mirror mounts in the reverse order of corresponding mounts.
- umount /data_mirror/data_ce/null/0
- umount /data_mirror/data_ce/null
- umount /data_mirror/data_de/null
- umount /data_mirror/cur_profiles
- umount /data_mirror
- remount_userdata
- start bootanim
- on userspace-reboot-resume
- trigger userspace-reboot-fs-remount
- trigger post-fs-data
- trigger zygote-start
- trigger early-boot
- trigger boot
- on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1
- setprop sys.init.userspace_reboot.in_progress ""
- # This trigger is run by our modified init after boot has finished
- on ready
- class_start mer
- # Notify Mer's systemd that we're done
- # This is started at the end of boot after both core and main classes
- service droid_init_done /bin/sh /usr/bin/droid/droid-init-done.sh
- class mer
- oneshot
- # Properly handle shutdown from Mer
- on property:hybris.shutdown=*
- class_stop late_start
- class_stop main
- class_stop charger
- class_stop hal
- class_stop early_hal
- class_stop core
- # update recovery if enabled
- on property:persist.sys.recovery_update=true
- start flash_recovery
- / #
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement