jennnnnn

init.rc

Jul 19th, 2022
  1. # Copyright (C) 2018 The Android Open Source Project
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. service heapprofd /system/bin/heapprofd
      # Heap profiling daemon. It is marked `disabled`, so init starts it only on
      # an explicit `start heapprofd`, not when its class is started.
  15. class late_start
  16. disabled
      # init creates this Unix stream socket with DAC mode 0666 (root:root), so
      # file permissions alone let any UID connect.
      # NOTE(review): any limit on who may connect must come from SELinux policy
      # or from checks inside heapprofd; neither is visible in this file - confirm.
  17. socket heapprofd stream 0666 root root
      # The daemon itself runs as the unprivileged user nobody, with readproc as
      # a supplementary group.
  18. user nobody
  19. group nobody readproc
  20. # By default, this daemon is idle. When profiling an app, we should unwind
  21. # as fast as possible in the interest of the app being profiled.
  22. writepid /dev/cpuset/foreground/tasks
      # When the service restarts, run a one-off cleanup as user nobody / group
      # shell ('-' keeps the default SELinux label) without blocking init.
  23. onrestart exec_background - nobody shell -- /system/bin/heapprofd --cleanup-after-crash
      # Capabilities granted to the otherwise unprivileged process.
  24. # DAC_READ_SEARCH is denied by SELinux on user builds because the SELinux
  25. # permission is userdebug_or_eng only.
  26. capabilities KILL DAC_READ_SEARCH
  27.  
  28. on property:persist.heapprofd.enable=1
      # persist.* values survive reboots, so once this is set to 1 the daemon
      # (and its 0666 socket) is started again on every boot until it is cleared.
  29. start heapprofd
  30.  
  31. on property:traced.lazy.heapprofd=1
      # On-demand start through a non-persistent property.
      # NOTE(review): presumably set by traced when a profiling session needs
      # the daemon - confirm which domains may set this property.
  32. start heapprofd
  33.  
  34. on property:persist.heapprofd.enable="" && property:traced.lazy.heapprofd=""
      # Stop only when both start requests are empty, so clearing one property
      # does not stop a daemon that the other property still asks for.
  35. stop heapprofd
  36.  
  37. on property:persist.heapprofd.enable=0
      # Normalise 0 to the empty string, which is the value the stop trigger
      # matches on.
  38. setprop persist.heapprofd.enable ""
  39. RNN_sprout:/etc/init $ cat hw
  40. cat: hw: Is a directory
  41. 1|RNN_sprout:/etc/init $ cd hw
  42. RNN_sprout:/etc/init/hw $ ls
  43. init.rc init.stnfc.rc init.usb.configfs.rc init.usb.rc init.zygote32.rc init.zygote64_32.rc
  44. RNN_sprout:/etc/init/hw $ cat init.rc
  45. # Copyright (C) 2012 The Android Open Source Project
  46. #
  47. # IMPORTANT: Do not create world writable files or directories.
  48. # This is a common source of Android security bugs.
  49. #
  50.  
  51. import /init.environ.rc
  52. import /system/etc/init/hw/init.usb.rc
  53. import /init.${ro.hardware}.rc
  54. import /vendor/etc/init/hw/init.${ro.hardware}.rc
  55. import /system/etc/init/hw/init.usb.configfs.rc
  56. import /system/etc/init/hw/init.${ro.zygote}.rc
  57.  
  58. # Cgroups are mounted right before early-init using list from /etc/cgroups.json
  59. on early-init
      # Earliest action in this file: kernel sysctls, cgroup and /dev directories,
      # resource limits, bootstrap linker config, ueventd and the bootstrap APEX
      # step. Commands run top to bottom, so later lines rely on earlier ones.
  60. # Disable sysrq from keyboard
  61. write /proc/sys/kernel/sysrq 0
      # This sysctl covers the keyboard path; writes to /proc/sysrq-trigger are
      # controlled separately by that file's permissions.
  62.  
  63. # Android doesn't need kernel module autoloading, and it causes SELinux
  64. # denials. So disable it by setting modprobe to the empty string. Note: to
  65. # explicitly set a sysctl to an empty string, a trailing newline is needed.
  66. write /proc/sys/kernel/modprobe \n
  67.  
  68. # Set the security context of /adb_keys if present.
  69. restorecon /adb_keys
  70.  
  71. # Set the security context of /postinstall if present.
  72. restorecon /postinstall
  73.  
  74. mkdir /acct/uid
  75.  
  76. # memory.pressure_level used by lmkd
      # 0040 with root:system = readable by the system group only; no DAC access
      # for owner or others.
  77. chown root system /dev/memcg/memory.pressure_level
  78. chmod 0040 /dev/memcg/memory.pressure_level
  79. # app mem cgroups, used by activity manager, lmkd and zygote
  80. mkdir /dev/memcg/apps/ 0755 system system
  81. # cgroup for system_server and surfaceflinger
  82. mkdir /dev/memcg/system 0550 system system
  83.  
  84. # symlink the Android specific /dev/tun to Linux expected /dev/net/tun
  85. mkdir /dev/net 0755 root root
  86. symlink ../tun /dev/net/tun
  87.  
  88. # set RLIMIT_NICE to allow priorities from 19 to -20
  89. setrlimit nice 40 40
  90.  
  91. # Allow up to 32K FDs per process
  92. setrlimit nofile 32768 32768
  93.  
  94. # Set up linker config subdirectories based on mount namespaces
  95. mkdir /linkerconfig/bootstrap 0755
  96. mkdir /linkerconfig/default 0755
  97.  
  98. # Disable dm-verity hash prefetching, since it doesn't help performance
  99. # Read more in b/136247322
  100. write /sys/module/dm_verity/parameters/prefetch_cluster 0
  101.  
  102. # Generate ld.config.txt for early executed processes
       # Both copies end up 0644: readable by every process, writable by the owner
       # only.
  103. exec -- /system/bin/linkerconfig --target /linkerconfig/bootstrap
  104. chmod 644 /linkerconfig/bootstrap/ld.config.txt
  105. copy /linkerconfig/bootstrap/ld.config.txt /linkerconfig/default/ld.config.txt
  106. chmod 644 /linkerconfig/default/ld.config.txt
  107.  
  108. # Mount bootstrap linker configuration as current
  109. mount none /linkerconfig/bootstrap /linkerconfig bind rec
  110.  
  111. start ueventd
  112.  
  113. # Run apexd-bootstrap so that APEXes that provide critical libraries
  114. # become available. Note that this is executed as exec_start to ensure that
  115. # the libraries are available to the processes started after this statement.
  116. exec_start apexd-bootstrap
  117.  
  118. # Generate linker config based on apex mounted in bootstrap namespace
  119. update_linker_config
  120.  
  121. # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
  122. mkdir /dev/boringssl 0755 root root
  123. mkdir /dev/boringssl/selftest 0755 root root
  124.  
  125. # Mount tracefs
  126. mount tracefs tracefs /sys/kernel/tracing
  127.  
  128. # Run boringssl self test for each ABI so that later processes can skip it. http://b/139348610
       # The `=*` match fires for any value of the ABI list property, so a test is
       # run only for an ABI list the build actually defines. The /system copies
       # run at early-init; the Conscrypt APEX copies run once apexd.status=ready.
       # exec_start holds back further init commands until the test has returned.
  129. on early-init && property:ro.product.cpu.abilist32=*
  130. exec_start boringssl_self_test32
  131. on early-init && property:ro.product.cpu.abilist64=*
  132. exec_start boringssl_self_test64
  133. on property:apexd.status=ready && property:ro.product.cpu.abilist32=*
  134. exec_start boringssl_self_test_apex32
  135. on property:apexd.status=ready && property:ro.product.cpu.abilist64=*
  136. exec_start boringssl_self_test_apex64
  137.  
  138. service boringssl_self_test32 /system/bin/boringssl_self_test32
       # 32-bit self test from /system. If the binary cannot be started or exits
       # with a failure, init reboots with reason boringssl-self-check-failed
       # instead of continuing the boot; its stdout/stderr go to the kernel log.
  139. setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
  140. reboot_on_failure reboot,boringssl-self-check-failed
  141. stdio_to_kmsg
  142.  
  143. service boringssl_self_test64 /system/bin/boringssl_self_test64
       # 64-bit self test from /system. A start failure or failing exit reboots
       # the device (reason boringssl-self-check-failed); output goes to the
       # kernel log.
  144. setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
  145. reboot_on_failure reboot,boringssl-self-check-failed
  146. stdio_to_kmsg
  147.  
  148. service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32
       # 32-bit self test shipped inside the Conscrypt APEX, so it can only run
       # after that APEX is mounted. Same failure policy: reboot with reason
       # boringssl-self-check-failed, output to the kernel log.
  149. setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
  150. reboot_on_failure reboot,boringssl-self-check-failed
  151. stdio_to_kmsg
  152.  
  153. service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64
       # 64-bit self test shipped inside the Conscrypt APEX. Same failure policy
       # as the other self-test services: reboot with reason
       # boringssl-self-check-failed, output to the kernel log.
  154. setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
  155. reboot_on_failure reboot,boringssl-self-check-failed
  156. stdio_to_kmsg
  157.  
  158. on init
       # Main pre-filesystem setup: scheduler/blkio/cpuset/freezer cgroup nodes,
       # binderfs, the /mnt skeleton, kernel and network sysctls, procfs/sysfs
       # ownership, and finally the first core daemons (logd, lmkd and the three
       # service managers).
  159. sysclktz 0
  160.  
  161. # Mix device-specific information into the entropy pool
       # Data written to /dev/urandom is mixed into the pool without being
       # credited as entropy, so these copies cannot overstate how well the pool
       # is seeded.
  162. copy /proc/cmdline /dev/urandom
  163. copy /system/etc/prop.default /dev/urandom
  164.  
  165. symlink /proc/self/fd/0 /dev/stdin
  166. symlink /proc/self/fd/1 /dev/stdout
  167. symlink /proc/self/fd/2 /dev/stderr
  168.  
  169. # Create energy-aware scheduler tuning nodes
       # Every stune tasks file ends up system:system 0664: writable by owner and
       # group, read-only for everyone else.
  170. mkdir /dev/stune/foreground
  171. mkdir /dev/stune/background
  172. mkdir /dev/stune/top-app
  173. mkdir /dev/stune/rt
  174. chown system system /dev/stune
  175. chown system system /dev/stune/foreground
  176. chown system system /dev/stune/background
  177. chown system system /dev/stune/top-app
  178. chown system system /dev/stune/rt
  179. chown system system /dev/stune/tasks
  180. chown system system /dev/stune/foreground/tasks
  181. chown system system /dev/stune/background/tasks
  182. chown system system /dev/stune/top-app/tasks
  183. chown system system /dev/stune/rt/tasks
  184. chmod 0664 /dev/stune/tasks
  185. chmod 0664 /dev/stune/foreground/tasks
  186. chmod 0664 /dev/stune/background/tasks
  187. chmod 0664 /dev/stune/top-app/tasks
  188. chmod 0664 /dev/stune/rt/tasks
  189.  
  190. # Create an stune group for NNAPI HAL processes
  191. mkdir /dev/stune/nnapi-hal
  192. chown system system /dev/stune/nnapi-hal
  193. chown system system /dev/stune/nnapi-hal/tasks
  194. chmod 0664 /dev/stune/nnapi-hal/tasks
  195. write /dev/stune/nnapi-hal/schedtune.boost 1
  196. write /dev/stune/nnapi-hal/schedtune.prefer_idle 1
  197.  
  198. # Create blkio group and apply initial settings.
  199. # This feature needs kernel to support it, and the
  200. # device's init.rc must actually set the correct values.
  201. mkdir /dev/blkio/background
  202. chown system system /dev/blkio
  203. chown system system /dev/blkio/background
  204. chown system system /dev/blkio/tasks
  205. chown system system /dev/blkio/background/tasks
  206. chmod 0664 /dev/blkio/tasks
  207. chmod 0664 /dev/blkio/background/tasks
  208. write /dev/blkio/blkio.weight 1000
  209. write /dev/blkio/background/blkio.weight 200
  210. write /dev/blkio/blkio.group_idle 0
  211. write /dev/blkio/background/blkio.group_idle 0
  212.  
  213. restorecon_recursive /mnt
  214.  
       # configfs is mounted nodev/noexec/nosuid: no device nodes, no execution
       # and no setuid effect from anything that appears under /config.
  215. mount configfs none /config nodev noexec nosuid
  216. chmod 0770 /config/sdcardfs
  217. chown system package_info /config/sdcardfs
  218.  
  219. # Mount binderfs
  220. mkdir /dev/binderfs
  221. mount binder binder /dev/binderfs stats=global
  222. chmod 0755 /dev/binderfs
  223.  
  224. # Mount fusectl
  225. mount fusectl none /sys/fs/fuse/connections
  226.  
  227. symlink /dev/binderfs/binder /dev/binder
  228. symlink /dev/binderfs/hwbinder /dev/hwbinder
  229. symlink /dev/binderfs/vndbinder /dev/vndbinder
  230.  
       # All three binder nodes are world read/write by DAC.
       # NOTE(review): restrictions on which domains may open hwbinder or
       # vndbinder are expected to come from SELinux policy rather than from
       # these modes - confirm against the device policy.
  231. chmod 0666 /dev/binderfs/hwbinder
  232. chmod 0666 /dev/binderfs/binder
  233. chmod 0666 /dev/binderfs/vndbinder
  234.  
       # /mnt/secure and its asec child are root-only (0700); the other /mnt
       # entries below are world-traversable except media_rw (0750).
  235. mkdir /mnt/secure 0700 root root
  236. mkdir /mnt/secure/asec 0700 root root
  237. mkdir /mnt/asec 0755 root system
  238. mkdir /mnt/obb 0755 root system
  239. mkdir /mnt/media_rw 0750 root external_storage
  240. mkdir /mnt/user 0755 root root
  241. mkdir /mnt/user/0 0755 root root
  242. mkdir /mnt/user/0/self 0755 root root
  243. mkdir /mnt/user/0/emulated 0755 root root
  244. mkdir /mnt/user/0/emulated/0 0755 root root
  245.  
  246. # Prepare directories for pass through processes
       # The top directory is root-only; below it, 0710 root:media_rw lets the
       # media_rw group traverse but not list the directories.
  247. mkdir /mnt/pass_through 0700 root root
  248. mkdir /mnt/pass_through/0 0710 root media_rw
  249. mkdir /mnt/pass_through/0/self 0710 root media_rw
  250. mkdir /mnt/pass_through/0/emulated 0710 root media_rw
  251. mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw
  252.  
  253. mkdir /mnt/expand 0771 system system
  254. mkdir /mnt/appfuse 0711 root root
  255.  
  256. # Storage views to support runtime permissions
  257. mkdir /mnt/runtime 0700 root root
  258. mkdir /mnt/runtime/default 0755 root root
  259. mkdir /mnt/runtime/default/self 0755 root root
  260. mkdir /mnt/runtime/read 0755 root root
  261. mkdir /mnt/runtime/read/self 0755 root root
  262. mkdir /mnt/runtime/write 0755 root root
  263. mkdir /mnt/runtime/write/self 0755 root root
  264. mkdir /mnt/runtime/full 0755 root root
  265. mkdir /mnt/runtime/full/self 0755 root root
  266.  
  267. # Symlink to keep legacy apps working in multi-user world
  268. symlink /storage/self/primary /mnt/sdcard
  269. symlink /mnt/user/0/primary /mnt/runtime/default/self/primary
  270.  
       # An oops becomes a panic instead of letting the kernel keep running in an
       # unknown state; a hung-task timeout of 0 turns hung-task detection off.
  271. write /proc/sys/kernel/panic_on_oops 1
  272. write /proc/sys/kernel/hung_task_timeout_secs 0
  273. write /proc/cpu/alignment 4
  274.  
  275. # scheduler tunables
  276. # Disable auto-scaling of scheduler tunables with hotplug. The tunables
  277. # will vary across devices in unpredictable ways if allowed to scale with
  278. # cpu cores.
  279. write /proc/sys/kernel/sched_tunable_scaling 0
  280. write /proc/sys/kernel/sched_latency_ns 10000000
  281. write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
  282. write /proc/sys/kernel/sched_child_runs_first 0
  283.  
       # randomize_va_space 2: randomise stack, mmap base, VDSO and heap (brk).
       # mmap_min_addr 32768: refuse user mappings below 32 KiB, so a kernel
       # NULL-pointer dereference cannot land on user-mapped memory.
       # ping_group_range 0..2147483647: every GID may open unprivileged ICMP
       # (ping) sockets, so ping needs no raw-socket privilege.
  284. write /proc/sys/kernel/randomize_va_space 2
  285. write /proc/sys/vm/mmap_min_addr 32768
  286. write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
  287. write /proc/sys/net/unix/max_dgram_qlen 600
  288. write /proc/sys/kernel/sched_rt_runtime_us 950000
  289. write /proc/sys/kernel/sched_rt_period_us 1000000
  290.  
  291. # Assign reasonable ceiling values for socket rcv/snd buffers.
  292. # These should almost always be overridden by the target per the
  293. # the corresponding technology maximums.
  294. write /proc/sys/net/core/rmem_max 262144
  295. write /proc/sys/net/core/wmem_max 262144
  296.  
  297. # reflect fwmark from incoming packets onto generated replies
  298. write /proc/sys/net/ipv4/fwmark_reflect 1
  299. write /proc/sys/net/ipv6/fwmark_reflect 1
  300.  
  301. # set fwmark on accepted sockets
  302. write /proc/sys/net/ipv4/tcp_fwmark_accept 1
  303.  
  304. # disable icmp redirects
  305. write /proc/sys/net/ipv4/conf/all/accept_redirects 0
  306. write /proc/sys/net/ipv6/conf/all/accept_redirects 0
  307.  
  308. # /proc/net/fib_trie leaks interface IP addresses
  309. chmod 0400 /proc/net/fib_trie
  310.  
  311. # Create cgroup mount points for process groups
       # NOTE(review): 0666 makes /dev/cpuctl/tasks world-writable by DAC, unlike
       # the 0664 used for the stune, blkio and cpuset tasks files in this action
       # and at odds with the header's rule against world-writable files. Whether
       # SELinux narrows write access is not visible here - confirm.
  312. chown system system /dev/cpuctl
  313. chown system system /dev/cpuctl/tasks
  314. chmod 0666 /dev/cpuctl/tasks
  315. write /dev/cpuctl/cpu.rt_period_us 1000000
  316. write /dev/cpuctl/cpu.rt_runtime_us 950000
  317.  
  318. # sets up initial cpusets for ActivityManager
  319. # this ensures that the cpusets are present and usable, but the device's
  320. # init.rc must actually set the correct cpus
  321. mkdir /dev/cpuset/foreground
  322. copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus
  323. copy /dev/cpuset/mems /dev/cpuset/foreground/mems
  324. mkdir /dev/cpuset/background
  325. copy /dev/cpuset/cpus /dev/cpuset/background/cpus
  326. copy /dev/cpuset/mems /dev/cpuset/background/mems
  327.  
  328. # system-background is for system tasks that should only run on
  329. # little cores, not on bigs
  330. # to be used only by init, so don't change system-bg permissions
  331. mkdir /dev/cpuset/system-background
  332. copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus
  333. copy /dev/cpuset/mems /dev/cpuset/system-background/mems
  334.  
  335. # restricted is for system tasks that are being throttled
  336. # due to screen off.
  337. mkdir /dev/cpuset/restricted
  338. copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus
  339. copy /dev/cpuset/mems /dev/cpuset/restricted/mems
  340.  
  341. mkdir /dev/cpuset/top-app
  342. copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus
  343. copy /dev/cpuset/mems /dev/cpuset/top-app/mems
  344.  
  345. # change permissions for all cpusets we'll touch at runtime
  346. chown system system /dev/cpuset
  347. chown system system /dev/cpuset/foreground
  348. chown system system /dev/cpuset/background
  349. chown system system /dev/cpuset/system-background
  350. chown system system /dev/cpuset/top-app
  351. chown system system /dev/cpuset/restricted
  352. chown system system /dev/cpuset/tasks
  353. chown system system /dev/cpuset/foreground/tasks
  354. chown system system /dev/cpuset/background/tasks
  355. chown system system /dev/cpuset/system-background/tasks
  356. chown system system /dev/cpuset/top-app/tasks
  357. chown system system /dev/cpuset/restricted/tasks
  358.  
  359. # set system-background to 0775 so SurfaceFlinger can touch it
  360. chmod 0775 /dev/cpuset/system-background
  361.  
  362. chmod 0664 /dev/cpuset/foreground/tasks
  363. chmod 0664 /dev/cpuset/background/tasks
  364. chmod 0664 /dev/cpuset/system-background/tasks
  365. chmod 0664 /dev/cpuset/top-app/tasks
  366. chmod 0664 /dev/cpuset/restricted/tasks
  367. chmod 0664 /dev/cpuset/tasks
  368.  
  369. # freezer cgroup entries
  370. mkdir /dev/freezer/frozen
  371. write /dev/freezer/frozen/freezer.state FROZEN
  372. chown system system /dev/freezer/cgroup.procs
  373. chown system system /dev/freezer/frozen
  374. chown system system /dev/freezer/frozen/freezer.state
  375. chown system system /dev/freezer/frozen/cgroup.procs
  376.  
  377. chmod 0664 /dev/freezer/frozen/freezer.state
  378.  
  379. # make the PSI monitor accessible to others
  380. chown system system /proc/pressure/memory
  381. chmod 0664 /proc/pressure/memory
  382.  
  383. # qtaguid will limit access to specific data based on group memberships.
  384. # net_bw_acct grants impersonation of socket owners.
  385. # net_bw_stats grants access to other apps' detailed tagged-socket stats.
  386. chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
  387. chown root net_bw_stats /proc/net/xt_qtaguid/stats
  388.  
  389. # Allow everybody to read the xt_qtaguid resource tracking misc dev.
  390. # This is needed by any process that uses socket tagging.
  391. chmod 0644 /dev/xt_qtaguid
  392.  
       # /dev/cg2_bpf is root-only (0600); bpffs is mounted nodev/noexec/nosuid.
  393. chown root root /dev/cg2_bpf
  394. chmod 0600 /dev/cg2_bpf
  395. mount bpf bpf /sys/fs/bpf nodev noexec nosuid
  396.  
  397. # Create location for fs_mgr to store abbreviated output from filesystem
  398. # checker programs.
  399. mkdir /dev/fscklogs 0770 root system
  400.  
  401. # pstore/ramoops previous console log
       # Read access to the previous boot's console/pmsg records is limited to
       # user system and group log (directory 0550, files 0440).
  402. mount pstore pstore /sys/fs/pstore nodev noexec nosuid
  403. chown system log /sys/fs/pstore
  404. chmod 0550 /sys/fs/pstore
  405. chown system log /sys/fs/pstore/console-ramoops
  406. chmod 0440 /sys/fs/pstore/console-ramoops
  407. chown system log /sys/fs/pstore/console-ramoops-0
  408. chmod 0440 /sys/fs/pstore/console-ramoops-0
  409. chown system log /sys/fs/pstore/pmsg-ramoops-0
  410. chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
  411.  
  412. # enable armv8_deprecated instruction hooks
  413. write /proc/sys/abi/swp 1
  414.  
  415. # Linux's execveat() syscall may construct paths containing /dev/fd
  416. # expecting it to point to /proc/self/fd
  417. symlink /proc/self/fd /dev/fd
  418.  
  419. export DOWNLOAD_CACHE /data/cache
  420.  
  421. # This allows the ledtrig-transient properties to be created here so
  422. # that they can be chown'd to system:system later on boot
  423. write /sys/class/leds/vibrator/trigger "transient"
  424.  
  425. # This is used by Bionic to select optimized routines.
       # Each file is written once and then made read-only for everyone (0444).
  426. write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant}
  427. chmod 0444 /dev/cpu_variant:${ro.bionic.arch}
  428. write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}
  429. chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}
  430.  
  431. # Allow system processes to read / write power state.
       # Only /sys/power/state gets an explicit mode (0660) here; wakeup_count is
       # re-owned but its mode is left as the kernel created it.
  432. chown system system /sys/power/state
  433. chown system system /sys/power/wakeup_count
  434. chmod 0660 /sys/power/state
  435.  
       # Wake-lock control files: owner radio, group wakelock, no access for others.
  436. chown radio wakelock /sys/power/wake_lock
  437. chown radio wakelock /sys/power/wake_unlock
  438. chmod 0660 /sys/power/wake_lock
  439. chmod 0660 /sys/power/wake_unlock
  440.  
  441. # Start logd before any other services run to ensure we capture all of their logs.
  442. start logd
  443. # Start lmkd before any other services run so that it can register them
  444. chown root system /sys/module/lowmemorykiller/parameters/adj
  445. chmod 0664 /sys/module/lowmemorykiller/parameters/adj
  446. chown root system /sys/module/lowmemorykiller/parameters/minfree
  447. chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
  448. start lmkd
  449.  
  450. # Start essential services.
  451. start servicemanager
  452. start hwservicemanager
  453. start vndservicemanager
  454.  
  455. # Healthd can trigger a full boot from charger mode by signaling this
  456. # property when the power button is held.
  457. on property:sys.boot_from_charger_mode=1
       # Leave charger mode: stop the charger class, then queue the normal
       # late-init boot sequence.
  458. class_stop charger
  459. trigger late-init
  460.  
  461. on load_wt_custom_props_action
       # NOTE(review): load_wt_custom_props does not look like a stock AOSP init
       # builtin - presumably a vendor addition. Confirm which file(s) it reads
       # and that they can only come from a verified, read-only partition,
       # because the properties are applied by init itself.
  462. load_wt_custom_props
  463.  
  464. on load_persist_props_action
       # Load the persisted properties, then start logd (already started in
       # `on init`) and logd-reinit.
       # NOTE(review): presumably so logd re-reads settings that persisted
       # properties may have changed - confirm.
  465. load_persist_props
  466. start logd
  467. start logd-reinit
  468.  
  469. # Indicate to fw loaders that the relevant mounts are up.
  470. on firmware_mounts_complete
       # Removing the marker file is the signal: /dev/.booting exists only while
       # the relevant mounts are still pending.
  471. rm /dev/.booting
  472.  
  473. # Mount filesystems and start core system services.
  474. on late-init
       # Fixes the order of the remaining boot stages. Each `trigger` line queues
       # the named action; the actions themselves are defined elsewhere in this
       # file and in the imported .rc files.
  475. trigger early-fs
  476.  
  477. # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
  478. # '--early' can be specified to skip entries with 'latemount'.
  479. # /system and /vendor must be mounted by the end of the fs stage,
  480. # while /data is optional.
  481. trigger fs
  482. trigger post-fs
  483.  
  484. # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
  485. # to only mount entries with 'latemount'. This is needed if '--early' is
  486. # specified in the previous mount_all command on the fs stage.
  487. # With /system mounted and properties form /system + /factory available,
  488. # some services can be started.
  489. trigger late-fs
  490.  
  491. # Now we can mount /data. File encryption requires keymaster to decrypt
  492. # /data, which in turn can only be loaded when system properties are present.
  493. trigger post-fs-data
  494.  
  495. #we only do it after post-fs-data
       # NOTE(review): this step is queued after /data is set up and before the
       # persisted properties are loaded. It looks vendor-specific; check whether
       # it can read property files from the writable /data partition.
  496. trigger load_wt_custom_props_action
  497.  
  498. # Load persist properties and override properties (if enabled) from /data.
  499. trigger load_persist_props_action
  500.  
  501. # Should be before netd, but after apex, properties and logging is available.
  502. trigger load_bpf_programs
  503.  
  504. # Now we can start zygote for devices with file based encryption
  505. trigger zygote-start
  506.  
  507. # Remove a file to wake up anything waiting for firmware.
  508. trigger firmware_mounts_complete
  509.  
  510. trigger early-boot
  511. trigger boot
  512.  
  513. on early-fs
       # First stage queued by late-init; its only job here is to bring up vold.
  514. # Once metadata has been mounted, we'll need vold to deal with userdata checkpointing
  515. start vold
  516.  
  517. on post-fs
       # Runs after the fs stage: records the boot attempt for checkpointing, locks
       # down the root mount, then fixes labels and permissions on /cache, a few
       # procfs files and /metadata.
       # The vdc call runs as user system / group system with the default SELinux
       # label ('-').
  518. exec - system system -- /system/bin/vdc checkpoint markBootAttempt
  519.  
  520. # Once everything is setup, no need to modify /.
  521. # The bind+remount combination allows this to work in containers.
  522. mount rootfs rootfs / remount bind ro nodev
  523.  
  524. # Make sure /sys/kernel/debug (if present) is labeled properly
  525. # Note that tracefs may be mounted under debug, so we need to cross filesystems
  526. restorecon --recursive --cross-filesystems /sys/kernel/debug
  527.  
  528. # We chown/chmod /cache again so because mount is run as root + defaults
  529. chown system cache /cache
  530. chmod 0770 /cache
  531. # We restorecon /cache in case the cache partition has been reset.
  532. restorecon_recursive /cache
  533.  
  534. # Create /cache/recovery in case it's not there. It'll also fix the odd
  535. # permissions if created by the recovery system.
  536. mkdir /cache/recovery 0770 system cache
  537.  
  538. # Backup/restore mechanism uses the cache partition
  539. mkdir /cache/backup_stage 0700 system system
  540. mkdir /cache/backup 0700 system system
  541.  
  542. #change permissions on vmallocinfo so we can grab it from bugreports
       # Both files expose kernel memory-layout details, so they are readable by
       # root and the log group only (0440).
  543. chown root log /proc/vmallocinfo
  544. chmod 0440 /proc/vmallocinfo
  545.  
  546. chown root log /proc/slabinfo
  547. chmod 0440 /proc/slabinfo
  548.  
  549. #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
       # /proc/sysrq-trigger is write-only for root and the system group (0220).
       # It is not covered by the kernel.sysrq=0 written in early-init, which only
       # disables the keyboard path, so these permissions are what limits it.
  550. chown root system /proc/kmsg
  551. chmod 0440 /proc/kmsg
  552. chown root system /proc/sysrq-trigger
  553. chmod 0220 /proc/sysrq-trigger
  554. chown system log /proc/last_kmsg
  555. chmod 0440 /proc/last_kmsg
  556.  
  557. # make the selinux kernel policy world-readable
  558. chmod 0444 /sys/fs/selinux/policy
  559.  
  560. # create the lost+found directories, so as to enforce our permissions
  561. mkdir /cache/lost+found 0770 root root
  562.  
       # /metadata layout. vold, ota and apex state are root-owned 0700;
       # password_slots (0771) and staged-install (0770) are the wider exceptions.
  563. restorecon_recursive /metadata
  564. mkdir /metadata/vold
  565. chmod 0700 /metadata/vold
  566. mkdir /metadata/password_slots 0771 root system
  567. mkdir /metadata/bootstat 0750 system log
  568. mkdir /metadata/ota 0700 root system
  569. mkdir /metadata/ota/snapshots 0700 root system
  570.  
  571. mkdir /metadata/apex 0700 root system
  572. mkdir /metadata/apex/sessions 0700 root system
  573. # On some devices we see a weird behaviour in which /metadata/apex doesn't
  574. # have a correct label. To workaround this bug, explicitly call restorecon
  575. # on /metadata/apex. For most of the boot sequences /metadata/apex will
  576. # already have a correct selinux label, meaning that this call will be a
  577. # no-op.
  578. restorecon_recursive /metadata/apex
  579.  
  580. mkdir /metadata/staged-install 0770 root system
  581. on late-fs
       # Queued by late-init after fs and post-fs.
  582. # Ensure that tracefs has the correct permissions.
  583. # This does not work correctly if it is called in post-fs.
       # 0755 makes both tracing directories listable and traversable by every UID.
       # NOTE(review): access to the individual trace files is not set here -
       # confirm where it is restricted.
  584. chmod 0755 /sys/kernel/tracing
  585. chmod 0755 /sys/kernel/debug/tracing
  586.  
  587. # HALs required before storage encryption can get unlocked (FBE/FDE)
  588. class_start early_hal
  589.  
  590. on post-fs-data
  591. mark_post_data
  592.  
  593. # Start checkpoint before we touch data
  594. exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint
  595.  
  596. # We chown/chmod /data again so because mount is run as root + defaults
  597. chown system system /data
  598. chmod 0771 /data
  599. # We restorecon /data in case the userdata partition has been reset.
  600. restorecon /data
  601.  
  602. # Make sure we have the device encryption key.
  603. installkey /data
  604.  
  605. # Start bootcharting as soon as possible after the data partition is
  606. # mounted to collect more data.
  607. mkdir /data/bootchart 0755 shell shell encryption=Require
  608. bootchart start
  609.  
  610. # Make sure that apexd is started in the default namespace
  611. enter_default_mount_ns
  612.  
  613. # /data/apex is now available. Start apexd to scan and activate APEXes.
  614. mkdir /data/apex 0755 root system encryption=None
  615. mkdir /data/apex/active 0755 root system
  616. mkdir /data/apex/backup 0700 root system
  617. mkdir /data/apex/hashtree 0700 root system
  618. mkdir /data/apex/sessions 0700 root system
  619. mkdir /data/app-staging 0750 system system encryption=None
  620. start apexd
  621.  
  622. # Avoid predictable entropy pool. Carry over entropy from previous boot.
  623. copy /data/system/entropy.dat /dev/urandom
  624.  
  625. # create basic filesystem structure
  626. mkdir /data/misc 01771 system misc encryption=Require
  627. mkdir /data/misc/recovery 0770 system log
  628. copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
  629. chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
  630. chown system log /data/misc/recovery/ro.build.fingerprint.1
  631. write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint}
  632. chmod 0440 /data/misc/recovery/ro.build.fingerprint
  633. chown system log /data/misc/recovery/ro.build.fingerprint
  634. mkdir /data/misc/recovery/proc 0770 system log
  635. copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1
  636. chmod 0440 /data/misc/recovery/proc/version.1
  637. chown system log /data/misc/recovery/proc/version.1
  638. copy /proc/version /data/misc/recovery/proc/version
  639. chmod 0440 /data/misc/recovery/proc/version
  640. chown system log /data/misc/recovery/proc/version
  641. mkdir /data/misc/bluedroid 02770 bluetooth bluetooth
  642. # Fix the access permissions and group ownership for 'bt_config.conf'
  643. chmod 0660 /data/misc/bluedroid/bt_config.conf
  644. chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf
  645. mkdir /data/misc/bluetooth 0770 bluetooth bluetooth
  646. mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth
  647. mkdir /data/misc/credstore 0700 credstore credstore
  648. mkdir /data/misc/keystore 0700 keystore keystore
  649. mkdir /data/misc/gatekeeper 0700 system system
  650. mkdir /data/misc/keychain 0771 system system
  651. mkdir /data/misc/net 0750 root shell
  652. mkdir /data/misc/radio 0770 system radio
  653. mkdir /data/misc/sms 0770 system radio
  654. mkdir /data/misc/carrierid 0770 system radio
  655. mkdir /data/misc/apns 0770 system radio
  656. mkdir /data/misc/emergencynumberdb 0770 system radio
  657. mkdir /data/misc/zoneinfo 0775 system system
  658. mkdir /data/misc/network_watchlist 0774 system system
  659. mkdir /data/misc/textclassifier 0771 system system
  660. mkdir /data/misc/vpn 0770 system vpn
  661. mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
  662. mkdir /data/misc/systemkeys 0700 system system
  663. mkdir /data/misc/wifi 0770 wifi wifi
  664. mkdir /data/misc/wifi/sockets 0770 wifi wifi
  665. mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
  666. mkdir /data/misc/ethernet 0770 system system
  667. mkdir /data/misc/dhcp 0770 dhcp dhcp
  668. mkdir /data/misc/user 0771 root root
  669. # give system access to wpa_supplicant.conf for backup and restore
  670. chmod 0660 /data/misc/wifi/wpa_supplicant.conf
  671. mkdir /data/local 0751 root root encryption=Require
  672. mkdir /data/misc/media 0700 media media
  673. mkdir /data/misc/audioserver 0700 audioserver audioserver
  674. mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
  675. mkdir /data/misc/vold 0700 root root
  676. mkdir /data/misc/boottrace 0771 system shell
  677. mkdir /data/misc/update_engine 0700 root root
  678. mkdir /data/misc/update_engine_log 02750 root log
  679. mkdir /data/misc/trace 0700 root root
  680. # create location to store surface and window trace files
  681. mkdir /data/misc/wmtrace 0700 system system
  682. # profile file layout
  683. mkdir /data/misc/profiles 0771 system system
  684. mkdir /data/misc/profiles/cur 0771 system system
  685. mkdir /data/misc/profiles/ref 0770 system system
  686. mkdir /data/misc/profman 0770 system shell
  687. mkdir /data/misc/gcov 0770 root root
  688. mkdir /data/misc/installd 0700 root root
  689. mkdir /data/misc/apexdata 0711 root root
  690. mkdir /data/misc/apexrollback 0700 root root
  691. mkdir /data/misc/snapshotctl_log 0755 root root
  692. # create location to store pre-reboot information
  693. mkdir /data/misc/prereboot 0700 system system
  694.  
  695. mkdir /data/preloads 0775 system system encryption=None
  696.  
  697. mkdir /data/vendor 0771 root root encryption=Require
  698. mkdir /data/vendor_ce 0771 root root encryption=None
  699. mkdir /data/vendor_de 0771 root root encryption=None
  700. mkdir /data/vendor/hardware 0771 root root
  701.  
  702. # For security reasons, /data/local/tmp should always be empty.
  703. # Do not place files or directories in /data/local/tmp
  704. mkdir /data/local/tmp 0771 shell shell
  705. mkdir /data/local/traces 0777 shell shell
  706. mkdir /data/data 0771 system system encryption=None
  707. mkdir /data/app-private 0771 system system encryption=Require
  708. mkdir /data/app-ephemeral 0771 system system encryption=Require
  709. mkdir /data/app-asec 0700 root root encryption=Require
  710. mkdir /data/app-lib 0771 system system encryption=Require
  711. mkdir /data/app 0771 system system encryption=Require
  712. mkdir /data/property 0700 root root encryption=Require
  713. mkdir /data/tombstones 0771 system system encryption=Require
  714. mkdir /data/vendor/tombstones 0771 root root
  715. mkdir /data/vendor/tombstones/wifi 0771 wifi wifi
  716.  
  717. # create dalvik-cache, so as to enforce our permissions
  718. mkdir /data/dalvik-cache 0771 root root encryption=Require
  719. # create the A/B OTA directory, so as to enforce our permissions
  720. mkdir /data/ota 0771 root root encryption=Require
  721.  
  722. # create the OTA package directory. It will be accessed by GmsCore (cache
  723. # group), update_engine and update_verifier.
  724. mkdir /data/ota_package 0770 system cache encryption=Require
  725.  
  726. # create resource-cache and double-check the perms
  727. mkdir /data/resource-cache 0771 system system encryption=Require
  728. chown system system /data/resource-cache
  729. chmod 0771 /data/resource-cache
  730.  
  731. # create the lost+found directories, so as to enforce our permissions
  732. mkdir /data/lost+found 0770 root root encryption=None
  733.  
  734. # create directory for DRM plug-ins - give drm the read/write access to
  735. # the following directory.
  736. mkdir /data/drm 0770 drm drm encryption=Require
  737.  
  738. # create directory for MediaDrm plug-ins - give drm the read/write access to
  739. # the following directory.
  740. mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require
  741.  
  742. mkdir /data/anr 0775 system system encryption=Require
  743.  
  744. # NFC: create data/nfc for nv storage
  745. mkdir /data/nfc 0770 nfc nfc encryption=Require
  746. mkdir /data/nfc/param 0770 nfc nfc
  747.  
  748. # Create all remaining /data root dirs so that they are made through init
  749. # and get proper encryption policy installed
  750. mkdir /data/backup 0700 system system encryption=Require
  751. mkdir /data/ss 0700 system system encryption=Require
  752.  
  753. mkdir /data/system 0775 system system encryption=Require
  754. mkdir /data/system/dropbox 0700 system system
  755. mkdir /data/system/heapdump 0700 system system
  756. mkdir /data/system/users 0775 system system
  757.  
  758. mkdir /data/system_de 0770 system system encryption=None
  759. mkdir /data/system_ce 0770 system system encryption=None
  760.  
  761. mkdir /data/misc_de 01771 system misc encryption=None
  762. mkdir /data/misc_ce 01771 system misc encryption=None
  763.  
  764. mkdir /data/user 0711 system system encryption=None
  765. mkdir /data/user_de 0711 system system encryption=None
  766.  
  767. # Unlink /data/user/0 if we previously symlinked it to /data/data
  768. rm /data/user/0
  769.  
  770. # Bind mount /data/user/0 to /data/data
  771. mkdir /data/user/0 0700 system system encryption=None
  772. mount none /data/data /data/user/0 bind rec
  773.  
  774. # A tmpfs directory that will contain the CE and DE data directories of all
  775. # apps, bind-mounted from their original locations.
  776. mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
  777. restorecon /data_mirror
  778. mkdir /data_mirror/data_ce 0700 root root
  779. mkdir /data_mirror/data_de 0700 root root
  780.  
  781. # Create CE and DE data directory for default volume
  782. mkdir /data_mirror/data_ce/null 0700 root root
  783. mkdir /data_mirror/data_de/null 0700 root root
  784.  
  785. # Bind mount CE and DE data directory to mirror's default volume directory
  786. mount none /data/user /data_mirror/data_ce/null bind rec
  787. mount none /data/user_de /data_mirror/data_de/null bind rec
  788.  
  789. # Create mirror directory for jit profiles
  790. mkdir /data_mirror/cur_profiles 0700 root root
  791. mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec
  792.  
  793. mkdir /data/cache 0770 system cache encryption=Require
  794. mkdir /data/cache/recovery 0770 system cache
  795. mkdir /data/cache/backup_stage 0700 system system
  796. mkdir /data/cache/backup 0700 system system
  797.  
  798. # Delete these if need be, per b/139193659
  799. mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary
  800. mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary
  801.  
  802. # Create root dir for Incremental Service
  803. mkdir /data/incremental 0771 system system encryption=Require
  804.  
  805. # Create directories for statsd
  806. mkdir /data/misc/stats-active-metric/ 0770 statsd system
  807. mkdir /data/misc/stats-data/ 0770 statsd system
  808. mkdir /data/misc/stats-metadata/ 0770 statsd system
  809. mkdir /data/misc/stats-service/ 0770 statsd system
  810. mkdir /data/misc/train-info/ 0770 statsd system
  811.  
  812. # +TypeReq add by xuxiaojiang,add,2020/11/6,Add for arcsoft dualcam algo.
  813. mkdir /mnt/vendor/persist 0775 system system
  814. mkdir /mnt/vendor/persist/camera 0775 system system
  815. # -TypeReq add by xuxiaojiang,add,2020/11/6,Add for arcsoft dualcam algo.
  816.  
  817. # Wait for apexd to finish activating APEXes before starting more processes.
  818. wait_for_prop apexd.status activated
  819. perform_apex_config
  820.  
  821. # Special-case /data/media/obb per b/64566063
  822. mkdir /data/media 0770 media_rw media_rw encryption=None
  823. exec - media_rw media_rw -- /system/bin/chattr +F /data/media
  824. mkdir /data/media/obb 0770 media_rw media_rw encryption=Attempt
  825.  
  826. exec_start derive_sdk
  827.  
  828. init_user0
  829.  
  830. # Allow apexd to snapshot and restore device encrypted apex data in the case
  831. # of a rollback. This should be done immediately after DE_user data keys
  832. # are loaded. APEXes should not access this data until this has been
  833. # completed and apexd.status becomes "ready".
  834. exec_start apexd-snapshotde
  835.  
  836. # Set SELinux security contexts on upgrade or policy update.
  837. restorecon --recursive --skip-ce /data
  838.  
  839. # Check any timezone data in /data is newer than the copy in the time zone data
  840. # module, delete if not.
  841. exec - system system -- /system/bin/tzdatacheck /apex/com.android.tzdata/etc/tz /data/misc/zoneinfo
  842.  
  843. # If there is no post-fs-data action in the init.<device>.rc file, you
  844. # must uncomment this line, otherwise encrypted filesystems
  845. # won't work.
  846. # Set indication (checked by vold) that we have finished this action
  847. #setprop vold.post_fs_data_done 1
  848.  
  849. # sys.use_memfd is set to false by default, which keeps it disabled
  850. # until it is confirmed that apps and vendor processes don't make
  851. # IOCTLs on ashmem fds any more.
  852. setprop sys.use_memfd false
  853.  
  854. # Set fscklog permission
  855. chown root system /dev/fscklogs/log
  856. chmod 0770 /dev/fscklogs/log
  857.  
  858. # Enable FUSE by default
  859. setprop persist.sys.fuse true
  860.  
  861. # Switch between sdcardfs and FUSE depending on persist property
  862. # TODO: Move this to ro property before launch because FDE devices
  863. # interact with persistent properties differently during boot
  # FUSE variant, selected when persist.sys.fuse is "true" at zygote-start:
  # /mnt/user/0 is recursively bind-mounted onto /storage, then /storage is
  # made a recursive slave mount, so mount events propagate into it from its
  # master but not back out of it.
  864. on zygote-start && property:persist.sys.fuse=true
  865. # Mount default storage into root namespace
  866. mount none /mnt/user/0 /storage bind rec
  867. mount none none /storage slave rec
  # Non-FUSE variant (persist.sys.fuse is "false"): /storage is bound to
  # /mnt/runtime/default instead of /mnt/user/0; the slave remount is the same
  # as in the FUSE variant.
  868. on zygote-start && property:persist.sys.fuse=false
  869. # Mount default storage into root namespace
  870. mount none /mnt/runtime/default /storage bind rec
  871. mount none none /storage slave rec
  # Fallback for an empty persist.sys.fuse value; same mounts as the "false"
  # variant.
  # NOTE(review): post-fs-data sets persist.sys.fuse to true earlier in this
  # file, so this branch is presumably reached only if that value is cleared
  # afterwards. Confirm.
  872. on zygote-start && property:persist.sys.fuse=""
  873. # Mount default storage into root namespace
  874. mount none /mnt/runtime/default /storage bind rec
  875. mount none none /storage slave rec
  876.  
  877. # It is recommended to put unnecessary data/ initialization from post-fs-data
  878. # to start-zygote in device's init.rc to unblock zygote start.
  # Unencrypted /data (ro.crypto.state=unencrypted): run the A/B update
  # verifier, then start statsd, netd and both zygotes. The same command list
  # is repeated in the "unsupported" and file-encrypted variants below; keep
  # the three in sync when editing.
  879. on zygote-start && property:ro.crypto.state=unencrypted
  880. # A/B update verifier that marks a successful boot.
  881. exec_start update_verifier_nonencrypted
  882. start statsd
  883. start netd
  884. start zygote
  885. start zygote_secondary
  886.  
  # NOTE(review): /data/preloads is also created in post-fs-data with
  # encryption=None; this mkdir repeats it without an encryption option.
  # Modes 0775/0755 leave these directories readable and traversable by all
  # users; only the system user (and, for 0775, the system group) may write.
  887. # apkcaching
  888. mkdir /data/preloads 0775 system system
  889. mkdir /data/preloads/media 0775 system system
  890. mkdir /data/preloads/demo 0755 system system
  891.  
  # Encryption not supported (ro.crypto.state=unsupported): same command list
  # as the "unencrypted" variant: update verifier, then statsd, netd and both
  # zygotes, then the preloads directories.
  892. on zygote-start && property:ro.crypto.state=unsupported
  893. # A/B update verifier that marks a successful boot.
  894. exec_start update_verifier_nonencrypted
  895. start statsd
  896. start netd
  897. start zygote
  898. start zygote_secondary
  899.  
  # Modes 0775/0755 leave these directories readable and traversable by all
  # users; only the system user (and, for 0775, the system group) may write.
  900. # apkcaching
  901. mkdir /data/preloads 0775 system system
  902. mkdir /data/preloads/media 0775 system system
  903. mkdir /data/preloads/demo 0755 system system
  904.  
  # File-based encryption (ro.crypto.state=encrypted and ro.crypto.type=file).
  # Despite its name, update_verifier_nonencrypted is also the service started
  # on this path; the rest of the command list matches the "unencrypted" and
  # "unsupported" variants.
  905. on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file
  906. # A/B update verifier that marks a successful boot.
  907. exec_start update_verifier_nonencrypted
  908. start statsd
  909. start netd
  910. start zygote
  911. start zygote_secondary
  912.  
  # Modes 0775/0755 leave these directories readable and traversable by all
  # users; only the system user (and, for 0775, the system group) may write.
  913. # apkcaching
  914. mkdir /data/preloads 0775 system system
  915. mkdir /data/preloads/media 0775 system system
  916. mkdir /data/preloads/demo 0755 system system
  917.  
  # Boot-time kernel and sysfs setup: loopback networking, VM and F2FS
  # tunables, ownership of the sysfs nodes that the system user adjusts at
  # runtime, then start of the hal and core service classes.
  918. on boot
  919. # basic network init
  920. ifup lo
  921. hostname localhost
  922. domainname localdomain
  923.  
  924. # IPsec SA default expiration length
  925. write /proc/sys/net/core/xfrm_acq_expires 3600
  926.  
  927. # Memory management. Basic kernel parameters, and allow the high
  928. # level system server to be able to adjust the kernel OOM driver
  929. # parameters to match how it is managing things.
  # overcommit_memory=1 tells the kernel to always allow overcommit.
  930. write /proc/sys/vm/overcommit_memory 1
  931. write /proc/sys/vm/min_free_order_shift 4
  932.  
  # root:system with 0664 lets the system group write these nodes; everyone
  # else gets read-only access.
  933. # System server manages zram writeback
  934. chown root system /sys/block/zram0/idle
  935. chmod 0664 /sys/block/zram0/idle
  936. chown root system /sys/block/zram0/writeback
  937. chmod 0664 /sys/block/zram0/writeback
  938.  
  939. # Tweak background writeout
  940. write /proc/sys/vm/dirty_expire_centisecs 200
  941. write /proc/sys/vm/dirty_background_ratio 5
  942.  
  # In other words: do not make cp_interval too large, because data that has
  # not been checkpointed can be lost on a sudden power cut unless the writer
  # called fsync()/sync().
  943. # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs
  944. # to avoid power consumption when system becomes mostly idle. Be careful
  945. # to make it too large, since it may bring userdata loss, if they
  946. # are not aware of using fsync()/sync() to prepare sudden power-cut.
  947. write /sys/fs/f2fs/${dev.mnt.blk.data}/cp_interval 200
  948. write /sys/fs/f2fs/${dev.mnt.blk.data}/gc_urgent_sleep_time 50
  949. write /sys/fs/f2fs/${dev.mnt.blk.data}/iostat_enable 1
  950.  
  # 134217728 bytes = 128 MiB.
  951. # limit discard size to 128MB in order to avoid long IO latency
  952. # for filesystem tuning first (dm or sda)
  953. # Note that, if dm-<num> is used, sda/mmcblk0 should be tuned in vendor/init.rc
  954. write /sys/devices/virtual/block/${dev.mnt.blk.data}/queue/discard_max_bytes 134217728
  955.  
  956. # Permissions for System Server and daemons.
  957. chown system system /sys/power/autosleep
  958.  
  # cpufreq "interactive" governor tunables: owned by system:system and set
  # to 0660, so only the system user and group can read or write them.
  # boostpulse is the one node that gets a chown but no chmod; its mode stays
  # whatever the kernel created it with.
  959. chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
  960. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
  961. chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
  962. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
  963. chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
  964. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
  965. chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
  966. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
  967. chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
  968. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
  969. chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
  970. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
  971. chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
  972. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
  973. chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
  974. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
  975. chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
  976. chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
  977. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
  978. chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
  979. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
  980. chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
  981. chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
  982.  
  983. # Assume SMP uses shared cpufreq policy for all CPUs
  984. chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
  985. chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
  986.  
  # Vibrator, LED, SCO and TCP buffer nodes: ownership moves to system:system
  # but no chmod is issued, so the existing mode bits decide what other users
  # can do with them.
  987. chown system system /sys/class/leds/vibrator/trigger
  988. chown system system /sys/class/leds/vibrator/activate
  989. chown system system /sys/class/leds/vibrator/brightness
  990. chown system system /sys/class/leds/vibrator/duration
  991. chown system system /sys/class/leds/vibrator/state
  992. chown system system /sys/class/timed_output/vibrator/enable
  993. chown system system /sys/class/leds/keyboard-backlight/brightness
  994. chown system system /sys/class/leds/lcd-backlight/brightness
  995. chown system system /sys/class/leds/button-backlight/brightness
  996. chown system system /sys/class/leds/jogball-backlight/brightness
  997. chown system system /sys/class/leds/red/brightness
  998. chown system system /sys/class/leds/green/brightness
  999. chown system system /sys/class/leds/blue/brightness
  1000. chown system system /sys/class/leds/red/device/grpfreq
  1001. chown system system /sys/class/leds/red/device/grppwm
  1002. chown system system /sys/class/leds/red/device/blink
  1003. chown system system /sys/module/sco/parameters/disable_esco
  1004. chown system system /sys/kernel/ipv4/tcp_wmem_min
  1005. chown system system /sys/kernel/ipv4/tcp_wmem_def
  1006. chown system system /sys/kernel/ipv4/tcp_wmem_max
  1007. chown system system /sys/kernel/ipv4/tcp_rmem_min
  1008. chown system system /sys/kernel/ipv4/tcp_rmem_def
  1009. chown system system /sys/kernel/ipv4/tcp_rmem_max
  # Only the group of /proc/cmdline changes here (to radio); no chmod follows.
  # NOTE(review): the kernel command line may carry device identifiers, so
  # confirm that its mode bits are restricted elsewhere.
  1010. chown root radio /proc/cmdline
  1011.  
  1012. # Define default initial receive window size in segments.
  1013. setprop net.tcp.default_init_rwnd 60
  1014.  
  1015. # Start standard binderized HAL daemons
  1016. class_start hal
  1017.  
  1018. class_start core
  1019.  
  # No seclabel, user or group is given before "--", so fsverity_init runs
  # with init's defaults for exec. It is placed after class_start core
  # because of the keystore dependency stated below.
  1020. # Requires keystore (currently a core service) to be ready first.
  1021. exec -- /system/bin/fsverity_init
  1022.  
  # On the nonencrypted trigger, start the remaining service classes (main,
  # then late_start).
  1023. on nonencrypted
  1024. class_start main
  1025. class_start late_start
  1026.  
  # Whenever sys.init_log_level is set to any value, apply it as init's log
  # level. Who may set the property is decided by the property access policy,
  # which is not part of this file.
  1027. on property:sys.init_log_level=*
  1028. loglevel ${sys.init_log_level}
  1029.  
  # Charger mode: start only the services in class "charger".
  1030. on charger
  1031. class_start charger
  1032.  
  # When vold.decrypt becomes trigger_load_persist_props: load the persistent
  # properties, then start logd and logd-reinit.
  # NOTE(review): vold.decrypt is presumably driven by vold during the
  # full-disk-encryption unlock flow. Confirm.
  1033. on property:vold.decrypt=trigger_load_persist_props
  1034. load_persist_props
  1035. start logd
  1036. start logd-reinit
  1037.  
  # When vold.decrypt becomes trigger_post_fs_data: fire the post-fs-data
  # actions, then the zygote-start actions.
  1038. on property:vold.decrypt=trigger_post_fs_data
  1039. trigger post-fs-data
  1040. trigger zygote-start
  1041.  
  # Minimal framework start: run update_verifier, then start class main only
  # (late_start is not started here, unlike trigger_restart_framework).
  1042. on property:vold.decrypt=trigger_restart_min_framework
  1043. # A/B update verifier that marks a successful boot.
  1044. exec_start update_verifier
  1045. class_start main
  1046.  
  # Full framework start: run update_verifier, start the post-data parts of
  # hal and core, then main and late_start, and finally restart the boot
  # animation with its exit flag reset to 0.
  1047. on property:vold.decrypt=trigger_restart_framework
  1048. # A/B update verifier that marks a successful boot.
  1049. exec_start update_verifier
  1050. class_start_post_data hal
  1051. class_start_post_data core
  1052. class_start main
  1053. class_start late_start
  1054. setprop service.bootanim.exit 0
  1055. start bootanim
  1056.  
  # Framework shutdown: reset the service classes in the reverse of the order
  # in which trigger_restart_framework starts them.
  1057. on property:vold.decrypt=trigger_shutdown_framework
  1058. class_reset late_start
  1059. class_reset main
  1060. class_reset_post_data core
  1061. class_reset_post_data hal
  1062.  
  # Runs when boot completes: stop bootchart, then recreate /data/per_boot
  # from scratch. The rm runs as system:system on a fixed path; the directory
  # is recreated 0700 system:system with encryption required under the
  # per_boot_ref key.
  1063. on property:sys.boot_completed=1
  1064. bootchart stop
  1065. # Setup per_boot directory so other .rc could start to use it on boot_completed
  1066. exec - system system -- /bin/rm -rf /data/per_boot
  1067. mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref
  1068.  
  1069. # system server cannot write to /proc/sys files,
  1070. # and chown/chmod does not work for /proc/sys/ entries.
  1071. # So proxy writes through init.
  # Proxy write: whatever value sys.sysctl.extra_free_kbytes is set to is
  # written by init to the sysctl. The value is passed through as-is, so the
  # only gate is who is allowed to set the property (property access policy,
  # not shown in this file).
  1072. on property:sys.sysctl.extra_free_kbytes=*
  1073. write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
  1074.  
  1075. # "tcp_default_init_rwnd" is too long, so the property name uses "tcp_def_init_rwnd".
  # Proxy write: the value of sys.sysctl.tcp_def_init_rwnd is written by init
  # to the tcp_default_init_rwnd sysctl as-is. Access control rests on who may
  # set the property (property access policy, not shown in this file).
  1076. on property:sys.sysctl.tcp_def_init_rwnd=*
  1077. write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
  1078.  
  1079. # perf_event_open syscall security:
  1080. # Newer kernels have the ability to control the use of the syscall via SELinux
  1081. # hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
  1082. # kernel has the hooks. In this case, the system-wide perf_event_paranoid
  1083. # sysctl is set to -1 (unrestricted use), and the SELinux policy is used for
  1084. # controlling access. On older kernels, the paranoid value is the only means of
  1085. # controlling access. It is normally 3 (allow only root), but the shell user
  1086. # can lower it to 1 (allowing thread-scoped profiling) via security.perf_harden.
  # Kernel has the SELinux perf hooks: open the sysctl fully (-1) and leave
  # access control to SELinux policy. With this setting the policy is the
  # only restriction on perf_event_open, so review it alongside this rule.
  1087. on property:sys.init.perf_lsm_hooks=1
  1088. write /proc/sys/kernel/perf_event_paranoid -1
  # No LSM hooks and hardening switched off: lower perf_event_paranoid to 1.
  1089. on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks=""
  1090. write /proc/sys/kernel/perf_event_paranoid 1
  # No LSM hooks and hardening on: restore perf_event_paranoid to 3, the
  # root-only setting described in the comment block above.
  1091. on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks=""
  1092. write /proc/sys/kernel/perf_event_paranoid 3
  1093.  
  1094. # Additionally, simpleperf profiler uses debug.* and security.perf_harden
  1095. # sysprops to be able to indirectly set these sysctls.
  # Hardening off: take the three perf limits from debug.* properties, using
  # the value after ":-" when the property is unset. These values reach the
  # kernel through init, so whoever may set the debug.* properties chooses the
  # limits while perf_harden is 0.
  1096. on property:security.perf_harden=0
  1097. write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}
  1098. write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25}
  1099. write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516}
  1100. # Default values.
  # Hardening on: write fixed limits, ignoring the debug.* properties. The
  # numbers match the fallback values used in the perf_harden=0 action.
  1101. on property:security.perf_harden=1
  1102. write /proc/sys/kernel/perf_event_max_sample_rate 100000
  1103. write /proc/sys/kernel/perf_cpu_time_max_percent 25
  1104. write /proc/sys/kernel/perf_event_mlock_kb 516
  1105.  
  1106.  
  1107. # on shutdown
  1108. # In device's init.rc, this trigger can be used to do device-specific actions
  1109. # before shutdown. e.g disable watchdog and mask error handling
  1110.  
  1111. ## Daemon processes to be run by init.
  1112. ##
  # ueventd: core-class daemon, marked critical, pinned to the
  # u:r:ueventd:s0 SELinux domain. No user or group option is given, so it
  # keeps init's default identity. "shutdown critical" keeps it from being
  # killed early in the shutdown sequence.
  1113. service ueventd /system/bin/ueventd
  1114. class core
  1115. critical
  1116. seclabel u:r:ueventd:s0
  1117. shutdown critical
  1118.  
  # Interactive shell on the console device, run as user shell in the
  # u:r:shell:s0 domain with groups shell, log and readproc. It is disabled by
  # default; in the visible part of this file it is started only by the
  # "on init && property:ro.debuggable=1" action. The shell has no login step,
  # so on production images check that ro.debuggable is not 1 and that nothing
  # else starts this service.
  1119. service console /system/bin/sh
  1120. class core
  1121. console
  1122. disabled
  1123. user shell
  1124. group shell log readproc
  1125. seclabel u:r:shell:s0
  1126. setenv HOSTNAME console
  1127.  
  # Debuggable builds only: loosen two trace directories.
  # 0773 gives "other" write and search but not read: any user can create
  # files in /data/misc/trace but cannot list it. No sticky bit is set, so any
  # user can also remove or rename entries there.
  # 0775 gives "other" read and search on /data/misc/wmtrace, without write.
  1128. on property:ro.debuggable=1
  1129. # Give writes to anyone for the trace folder on debug builds.
  1130. # The folder is used to store method traces.
  1131. chmod 0773 /data/misc/trace
  1132. # Give reads to anyone for the window trace folder on debug builds.
  1133. chmod 0775 /data/misc/wmtrace
  1134.  
  # Debuggable builds only: start the otherwise disabled console service
  # (a shell on the console device) during init.
  1135. on init && property:ro.debuggable=1
  1136. start console
  1137.  
  # Userspace reboot requested: clear the boot-state properties listed below
  # by setting each to the empty string, so actions keyed on them can fire
  # again during the restarted boot sequence.
  1138. on userspace-reboot-requested
  1139. # TODO(b/135984674): reset all necessary properties here.
  1140. setprop sys.boot_completed ""
  1141. setprop dev.bootcomplete ""
  1142. setprop sys.init.updatable_crashing ""
  1143. setprop sys.init.updatable_crashing_process_name ""
  1144. setprop apexd.status ""
  1145. setprop sys.user.0.ce_available ""
  1146. setprop sys.shutdown.requested ""
  1147. setprop service.bootanim.exit ""
  1148.  
  # Filesystem step of a userspace reboot: make sure vold runs, reset and
  # re-arm the checkpoint state through vdc (run as system:system), tear down
  # the /data_mirror mounts, remount userdata and restart the boot animation.
  1149. on userspace-reboot-fs-remount
  1150. # Make sure that vold is running.
  1151. # This is mostly a precaution measure in case vold for some reason wasn't running when
  1152. # userspace reboot was initiated.
  1153. start vold
  1154. exec - system system -- /system/bin/vdc checkpoint resetCheckpoint
  1155. exec - system system -- /system/bin/vdc checkpoint markBootAttempt
  # NOTE(review): /data_mirror/data_ce/null/0 is not mounted by name in
  # post-fs-data; it is presumably the recursive copy of the /data/user/0 bind
  # mount. Confirm.
  1156. # Unmount /data_mirror mounts in the reverse order of corresponding mounts.
  1157. umount /data_mirror/data_ce/null/0
  1158. umount /data_mirror/data_ce/null
  1159. umount /data_mirror/data_de/null
  1160. umount /data_mirror/cur_profiles
  1161. umount /data_mirror
  1162. remount_userdata
  1163. start bootanim
  1164.  
  # Resume after a userspace reboot: queue the filesystem remount step, then
  # replay the later boot triggers in order (post-fs-data, zygote-start,
  # early-boot, boot).
  1165. on userspace-reboot-resume
  1166. trigger userspace-reboot-fs-remount
  1167. trigger post-fs-data
  1168. trigger zygote-start
  1169. trigger early-boot
  1170. trigger boot
  1171.  
  1172. #+ExtR RNN-5679 baiyun1.wt add, 2021/08/27, add by Netflix required.
  # Vendor addition: copy gsm.netflix.channel into ro.netflix.channel whenever
  # the gsm.* property is set to any value. ro.* properties are write-once, so
  # the first value seen is the one that sticks and later changes to
  # gsm.netflix.channel do not reach ro.netflix.channel.
  # NOTE(review): a read-only property is being filled from a runtime-settable
  # one; check which domains may set gsm.netflix.channel.
  1173. on property:gsm.netflix.channel=*
  1174. setprop ro.netflix.channel ${gsm.netflix.channel}
  1175. #-ExtR RNN-5679 baiyun1.wt add, 2021/08/27, add by Netflix required.
  1176.  
  # End of a userspace reboot: once boot completes while the in_progress flag
  # is 1, clear the flag.
  1177. on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1
  1178. setprop sys.init.userspace_reboot.in_progress ""