1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /system/etc/init/hw/init.usb.rc
9import /init.${ro.hardware}.rc
10import /vendor/etc/init/hw/init.${ro.hardware}.rc
11import /system/etc/init/hw/init.usb.configfs.rc
12import /system/etc/init/hw/init.${ro.zygote}.rc
13
14# Cgroups are mounted right before early-init using list from /etc/cgroups.json
15on early-init
    # First action in this file: kernel knobs, rlimits, early /dev directories,
    # the bootstrap linker config, ueventd and apexd-bootstrap.
16    # Disable sysrq from keyboard
    # NOTE(review): kernel.sysrq only gates keyboard-invoked sysrq; writes to
    # /proc/sysrq-trigger are not affected by this value. That node is
    # restricted separately by the chown/chmod in the post-fs action.
17    write /proc/sys/kernel/sysrq 0
18
19    # Android doesn't need kernel module autoloading, and it causes SELinux
20    # denials.  So disable it by setting modprobe to the empty string.  Note: to
21    # explicitly set a sysctl to an empty string, a trailing newline is needed.
22    write /proc/sys/kernel/modprobe \n
23
24    # Set the security context of /adb_keys if present.
25    restorecon /adb_keys
26
27    # Set the security context of /postinstall if present.
28    restorecon /postinstall
29
    # NOTE(review): no mode or owner is given, so init's mkdir defaults apply
    # here — confirm they are what /acct/uid needs.
30    mkdir /acct/uid
31
32    # memory.pressure_level used by lmkd
    # 0040: readable by group "system" only; no owner or world permission bits.
33    chown root system /dev/memcg/memory.pressure_level
34    chmod 0040 /dev/memcg/memory.pressure_level
35    # app mem cgroups, used by activity manager, lmkd and zygote
36    mkdir /dev/memcg/apps/ 0755 system system
37    # cgroup for system_server and surfaceflinger
38    mkdir /dev/memcg/system 0550 system system
39
40    # symlink the Android specific /dev/tun to Linux expected /dev/net/tun
41    mkdir /dev/net 0755 root root
42    symlink ../tun /dev/net/tun
43
44    # set RLIMIT_NICE to allow priorities from 19 to -20
45    setrlimit nice 40 40
46
47    # Allow up to 32K FDs per process
48    setrlimit nofile 32768 32768
49
50    # set RLIMIT_MEMLOCK to 64KB
51    setrlimit memlock 65536 65536
52
53    # Set up linker config subdirectories based on mount namespaces
54    mkdir /linkerconfig/bootstrap 0755
55    mkdir /linkerconfig/default 0755
56
57    # Disable dm-verity hash prefetching, since it doesn't help performance
58    # Read more in b/136247322
59    write /sys/module/dm_verity/parameters/prefetch_cluster 0
60
61    # Generate empty ld.config.txt for early executed processes which rely on
62    # /system/lib libraries.
    # The files are left world-readable (644) and writable by their owner only.
63    write /linkerconfig/bootstrap/ld.config.txt \#
64    write /linkerconfig/default/ld.config.txt \#
65    chmod 644 /linkerconfig/bootstrap/ld.config.txt
66    chmod 644 /linkerconfig/default/ld.config.txt
67
68    # Mount bootstrap linker configuration as current
69    mount none /linkerconfig/bootstrap /linkerconfig bind rec
70
71    start ueventd
72
73    # Run apexd-bootstrap so that APEXes that provide critical libraries
74    # become available. Note that this is executed as exec_start to ensure that
75    # the libraries are available to the processes started after this statement.
76    exec_start apexd-bootstrap
77
78    # Generate linker config based on apex mounted in bootstrap namespace
79    update_linker_config
80
81    # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
82    mkdir /dev/boringssl 0755 root root
83    mkdir /dev/boringssl/selftest 0755 root root
84
85    # Mount tracefs (with GID=AID_READTRACEFS)
86    mount tracefs tracefs /sys/kernel/tracing gid=3012
87
88    # create sys directory
89    mkdir /dev/sys 0755 system system
90    mkdir /dev/sys/fs 0755 system system
91    mkdir /dev/sys/block 0755 system system
92
93    # Create location for fs_mgr to store abbreviated output from filesystem
94    # checker programs.
    # 0770 root:system, so the logs are not accessible to other users.
95    mkdir /dev/fscklogs 0770 root system
96
97on init
    # Core setup: /dev symlinks, cgroup hierarchies and their ownership,
    # binderfs, the /mnt layout, kernel sysctls, then logd, lmkd and the
    # service managers.
98    sysclktz 0
99
100    # Mix device-specific information into the entropy pool
    # NOTE(review): neither input is secret. Data written to /dev/urandom is
    # mixed into the pool but presumably not credited as entropy, so this only
    # adds per-device variation — confirm against the target kernel.
101    copy /proc/cmdline /dev/urandom
102    copy /system/etc/prop.default /dev/urandom
103
104    symlink /proc/self/fd/0 /dev/stdin
105    symlink /proc/self/fd/1 /dev/stdout
106    symlink /proc/self/fd/2 /dev/stderr
107
108    # Create energy-aware scheduler tuning nodes
    # Throughout the cgroup stanzas below, tasks and cgroup.procs end up
    # system:system 0664: writable by owner and group, read-only for others.
109    mkdir /dev/stune/foreground
110    mkdir /dev/stune/background
111    mkdir /dev/stune/top-app
112    mkdir /dev/stune/rt
113    chown system system /dev/stune
114    chown system system /dev/stune/foreground
115    chown system system /dev/stune/background
116    chown system system /dev/stune/top-app
117    chown system system /dev/stune/rt
118    chown system system /dev/stune/tasks
119    chown system system /dev/stune/foreground/tasks
120    chown system system /dev/stune/background/tasks
121    chown system system /dev/stune/top-app/tasks
122    chown system system /dev/stune/rt/tasks
123    chown system system /dev/stune/cgroup.procs
124    chown system system /dev/stune/foreground/cgroup.procs
125    chown system system /dev/stune/background/cgroup.procs
126    chown system system /dev/stune/top-app/cgroup.procs
127    chown system system /dev/stune/rt/cgroup.procs
128    chmod 0664 /dev/stune/tasks
129    chmod 0664 /dev/stune/foreground/tasks
130    chmod 0664 /dev/stune/background/tasks
131    chmod 0664 /dev/stune/top-app/tasks
132    chmod 0664 /dev/stune/rt/tasks
133    chmod 0664 /dev/stune/cgroup.procs
134    chmod 0664 /dev/stune/foreground/cgroup.procs
135    chmod 0664 /dev/stune/background/cgroup.procs
136    chmod 0664 /dev/stune/top-app/cgroup.procs
137    chmod 0664 /dev/stune/rt/cgroup.procs
138
139    # cpuctl hierarchy for devices using utilclamp
140    mkdir /dev/cpuctl/foreground
141    mkdir /dev/cpuctl/background
142    mkdir /dev/cpuctl/top-app
143    mkdir /dev/cpuctl/rt
144    mkdir /dev/cpuctl/system
145    mkdir /dev/cpuctl/system-background
146    mkdir /dev/cpuctl/dex2oat
147    chown system system /dev/cpuctl
148    chown system system /dev/cpuctl/foreground
149    chown system system /dev/cpuctl/background
150    chown system system /dev/cpuctl/top-app
151    chown system system /dev/cpuctl/rt
152    chown system system /dev/cpuctl/system
153    chown system system /dev/cpuctl/system-background
154    chown system system /dev/cpuctl/dex2oat
155    chown system system /dev/cpuctl/tasks
156    chown system system /dev/cpuctl/foreground/tasks
157    chown system system /dev/cpuctl/background/tasks
158    chown system system /dev/cpuctl/top-app/tasks
159    chown system system /dev/cpuctl/rt/tasks
160    chown system system /dev/cpuctl/system/tasks
161    chown system system /dev/cpuctl/system-background/tasks
162    chown system system /dev/cpuctl/dex2oat/tasks
163    chown system system /dev/cpuctl/cgroup.procs
164    chown system system /dev/cpuctl/foreground/cgroup.procs
165    chown system system /dev/cpuctl/background/cgroup.procs
166    chown system system /dev/cpuctl/top-app/cgroup.procs
167    chown system system /dev/cpuctl/rt/cgroup.procs
168    chown system system /dev/cpuctl/system/cgroup.procs
169    chown system system /dev/cpuctl/system-background/cgroup.procs
170    chown system system /dev/cpuctl/dex2oat/cgroup.procs
171    chmod 0664 /dev/cpuctl/tasks
172    chmod 0664 /dev/cpuctl/foreground/tasks
173    chmod 0664 /dev/cpuctl/background/tasks
174    chmod 0664 /dev/cpuctl/top-app/tasks
175    chmod 0664 /dev/cpuctl/rt/tasks
176    chmod 0664 /dev/cpuctl/system/tasks
177    chmod 0664 /dev/cpuctl/system-background/tasks
178    chmod 0664 /dev/cpuctl/dex2oat/tasks
179    chmod 0664 /dev/cpuctl/cgroup.procs
180    chmod 0664 /dev/cpuctl/foreground/cgroup.procs
181    chmod 0664 /dev/cpuctl/background/cgroup.procs
182    chmod 0664 /dev/cpuctl/top-app/cgroup.procs
183    chmod 0664 /dev/cpuctl/rt/cgroup.procs
184    chmod 0664 /dev/cpuctl/system/cgroup.procs
185    chmod 0664 /dev/cpuctl/system-background/cgroup.procs
186    chmod 0664 /dev/cpuctl/dex2oat/cgroup.procs
187
188    # Create a cpu group for NNAPI HAL processes
189    mkdir /dev/cpuctl/nnapi-hal
190    chown system system /dev/cpuctl/nnapi-hal
191    chown system system /dev/cpuctl/nnapi-hal/tasks
192    chown system system /dev/cpuctl/nnapi-hal/cgroup.procs
193    chmod 0664 /dev/cpuctl/nnapi-hal/tasks
194    chmod 0664 /dev/cpuctl/nnapi-hal/cgroup.procs
195    write /dev/cpuctl/nnapi-hal/cpu.uclamp.min 1
196    write /dev/cpuctl/nnapi-hal/cpu.uclamp.latency_sensitive 1
197
198    # Create a cpu group for camera daemon processes
199    mkdir /dev/cpuctl/camera-daemon
200    chown system system /dev/cpuctl/camera-daemon
201    chown system system /dev/cpuctl/camera-daemon/tasks
202    chown system system /dev/cpuctl/camera-daemon/cgroup.procs
203    chmod 0664 /dev/cpuctl/camera-daemon/tasks
204    chmod 0664 /dev/cpuctl/camera-daemon/cgroup.procs
205
206    # Create an stune group for camera-specific processes
207    mkdir /dev/stune/camera-daemon
208    chown system system /dev/stune/camera-daemon
209    chown system system /dev/stune/camera-daemon/tasks
210    chown system system /dev/stune/camera-daemon/cgroup.procs
211    chmod 0664 /dev/stune/camera-daemon/tasks
212    chmod 0664 /dev/stune/camera-daemon/cgroup.procs
213
214    # Create an stune group for NNAPI HAL processes
215    mkdir /dev/stune/nnapi-hal
216    chown system system /dev/stune/nnapi-hal
217    chown system system /dev/stune/nnapi-hal/tasks
218    chown system system /dev/stune/nnapi-hal/cgroup.procs
219    chmod 0664 /dev/stune/nnapi-hal/tasks
220    chmod 0664 /dev/stune/nnapi-hal/cgroup.procs
221    write /dev/stune/nnapi-hal/schedtune.boost 1
222    write /dev/stune/nnapi-hal/schedtune.prefer_idle 1
223
224    # Create blkio group and apply initial settings.
225    # This feature needs kernel to support it, and the
226    # device's init.rc must actually set the correct values.
227    mkdir /dev/blkio/background
228    chown system system /dev/blkio
229    chown system system /dev/blkio/background
230    chown system system /dev/blkio/tasks
231    chown system system /dev/blkio/background/tasks
232    chown system system /dev/blkio/cgroup.procs
233    chown system system /dev/blkio/background/cgroup.procs
234    chmod 0664 /dev/blkio/tasks
235    chmod 0664 /dev/blkio/background/tasks
236    chmod 0664 /dev/blkio/cgroup.procs
237    chmod 0664 /dev/blkio/background/cgroup.procs
238    write /dev/blkio/blkio.weight 1000
239    write /dev/blkio/background/blkio.weight 200
240    write /dev/blkio/background/blkio.bfq.weight 10
241    write /dev/blkio/blkio.group_idle 0
242    write /dev/blkio/background/blkio.group_idle 0
243
244    restorecon_recursive /mnt
245
    # configfs is mounted nodev, noexec and nosuid; /config/sdcardfs is then
    # limited to system:package_info (0770).
246    mount configfs none /config nodev noexec nosuid
247    chmod 0770 /config/sdcardfs
248    chown system package_info /config/sdcardfs
249
250    # Mount binderfs
251    mkdir /dev/binderfs
252    mount binder binder /dev/binderfs stats=global
253    chmod 0755 /dev/binderfs
254
255    # Mount fusectl
256    mount fusectl none /sys/fs/fuse/connections
257
258    symlink /dev/binderfs/binder /dev/binder
259    symlink /dev/binderfs/hwbinder /dev/hwbinder
260    symlink /dev/binderfs/vndbinder /dev/vndbinder
261
    # NOTE(review): these three nodes are the only world-writable (0666) modes
    # set in this part of the file, despite the warning in the file header.
    # Every process needs to open a binder device, so file mode cannot be the
    # access control here; presumably SELinux policy and the service managers
    # decide who may talk to whom — confirm the policy covers all three nodes.
262    chmod 0666 /dev/binderfs/hwbinder
263    chmod 0666 /dev/binderfs/binder
264    chmod 0666 /dev/binderfs/vndbinder
265
    # /mnt/secure and /mnt/secure/asec are root-only (0700).
266    mkdir /mnt/secure 0700 root root
267    mkdir /mnt/secure/asec 0700 root root
268    mkdir /mnt/asec 0755 root system
269    mkdir /mnt/obb 0755 root system
270    mkdir /mnt/media_rw 0750 root external_storage
271    mkdir /mnt/user 0755 root root
272    mkdir /mnt/user/0 0755 root root
273    mkdir /mnt/user/0/self 0755 root root
274    mkdir /mnt/user/0/emulated 0755 root root
275    mkdir /mnt/user/0/emulated/0 0755 root root
276
277    # Prepare directories for pass through processes
    # The top level is root-only (0700); below it, 0710 lets group media_rw
    # traverse the directories without being able to list them.
278    mkdir /mnt/pass_through 0700 root root
279    mkdir /mnt/pass_through/0 0710 root media_rw
280    mkdir /mnt/pass_through/0/self 0710 root media_rw
281    mkdir /mnt/pass_through/0/emulated 0710 root media_rw
282    mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw
283
284    mkdir /mnt/expand 0771 system system
285    mkdir /mnt/appfuse 0711 root root
286
287    # Storage views to support runtime permissions
288    mkdir /mnt/runtime 0700 root root
289    mkdir /mnt/runtime/default 0755 root root
290    mkdir /mnt/runtime/default/self 0755 root root
291    mkdir /mnt/runtime/read 0755 root root
292    mkdir /mnt/runtime/read/self 0755 root root
293    mkdir /mnt/runtime/write 0755 root root
294    mkdir /mnt/runtime/write/self 0755 root root
295    mkdir /mnt/runtime/full 0755 root root
296    mkdir /mnt/runtime/full/self 0755 root root
297
298    # Symlink to keep legacy apps working in multi-user world
299    symlink /storage/self/primary /mnt/sdcard
300    symlink /mnt/user/0/primary /mnt/runtime/default/self/primary
301
    # panic_on_oops=1 turns a kernel oops into a panic instead of continuing
    # in a possibly corrupted state; hung_task_timeout_secs=0 turns the
    # hung-task check off.
    # NOTE(review): /proc/cpu/alignment looks ARM-specific; the meaning of the
    # value 4 is not shown here — confirm.
302    write /proc/sys/kernel/panic_on_oops 1
303    write /proc/sys/kernel/hung_task_timeout_secs 0
304    write /proc/cpu/alignment 4
305
306    # scheduler tunables
307    # Disable auto-scaling of scheduler tunables with hotplug. The tunables
308    # will vary across devices in unpredictable ways if allowed to scale with
309    # cpu cores.
310    write /proc/sys/kernel/sched_tunable_scaling 0
311    write /proc/sys/kernel/sched_latency_ns 10000000
312    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
313    write /proc/sys/kernel/sched_child_runs_first 0
314
    # Memory and network hardening knobs:
    #   randomize_va_space=2  full address-space layout randomization
    #   mmap_min_addr=32768   processes may not map the lowest 32 KiB, which
    #                         limits the impact of NULL-pointer dereferences
    #   ping_group_range      the range covers every gid, so any process may
    #                         open an unprivileged ICMP echo ("ping") socket
315    write /proc/sys/kernel/randomize_va_space 2
316    write /proc/sys/vm/mmap_min_addr 32768
317    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
318    write /proc/sys/net/unix/max_dgram_qlen 2400
319
320    # Assign reasonable ceiling values for socket rcv/snd buffers.
321    # These should almost always be overridden by the target per the
322    # corresponding technology maximums.
323    write /proc/sys/net/core/rmem_max  262144
324    write /proc/sys/net/core/wmem_max  262144
325
326    # reflect fwmark from incoming packets onto generated replies
327    write /proc/sys/net/ipv4/fwmark_reflect 1
328    write /proc/sys/net/ipv6/fwmark_reflect 1
329
330    # set fwmark on accepted sockets
331    write /proc/sys/net/ipv4/tcp_fwmark_accept 1
332
333    # disable icmp redirects
334    write /proc/sys/net/ipv4/conf/all/accept_redirects 0
335    write /proc/sys/net/ipv6/conf/all/accept_redirects 0
336
337    # /proc/net/fib_trie leaks interface IP addresses
    # so it is made readable by its owner only (0400).
338    chmod 0400 /proc/net/fib_trie
339
340    # sets up initial cpusets for ActivityManager
341    # this ensures that the cpusets are present and usable, but the device's
342    # init.rc must actually set the correct cpus
343    mkdir /dev/cpuset/foreground
344    copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus
345    copy /dev/cpuset/mems /dev/cpuset/foreground/mems
346    mkdir /dev/cpuset/background
347    copy /dev/cpuset/cpus /dev/cpuset/background/cpus
348    copy /dev/cpuset/mems /dev/cpuset/background/mems
349
350    # system-background is for system tasks that should only run on
351    # little cores, not on bigs
352    mkdir /dev/cpuset/system-background
353    copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus
354    copy /dev/cpuset/mems /dev/cpuset/system-background/mems
355
356    # restricted is for system tasks that are being throttled
357    # due to screen off.
358    mkdir /dev/cpuset/restricted
359    copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus
360    copy /dev/cpuset/mems /dev/cpuset/restricted/mems
361
362    mkdir /dev/cpuset/top-app
363    copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus
364    copy /dev/cpuset/mems /dev/cpuset/top-app/mems
365
366    # create a cpuset for camera daemon processes
367    mkdir /dev/cpuset/camera-daemon
368    copy /dev/cpuset/cpus /dev/cpuset/camera-daemon/cpus
369    copy /dev/cpuset/mems /dev/cpuset/camera-daemon/mems
370
371    # change permissions for all cpusets we'll touch at runtime
372    chown system system /dev/cpuset
373    chown system system /dev/cpuset/foreground
374    chown system system /dev/cpuset/background
375    chown system system /dev/cpuset/system-background
376    chown system system /dev/cpuset/top-app
377    chown system system /dev/cpuset/restricted
378    chown system system /dev/cpuset/camera-daemon
379    chown system system /dev/cpuset/tasks
380    chown system system /dev/cpuset/foreground/tasks
381    chown system system /dev/cpuset/background/tasks
382    chown system system /dev/cpuset/system-background/tasks
383    chown system system /dev/cpuset/top-app/tasks
384    chown system system /dev/cpuset/restricted/tasks
385    chown system system /dev/cpuset/camera-daemon/tasks
386    chown system system /dev/cpuset/cgroup.procs
387    chown system system /dev/cpuset/foreground/cgroup.procs
388    chown system system /dev/cpuset/background/cgroup.procs
389    chown system system /dev/cpuset/system-background/cgroup.procs
390    chown system system /dev/cpuset/top-app/cgroup.procs
391    chown system system /dev/cpuset/restricted/cgroup.procs
392    chown system system /dev/cpuset/camera-daemon/cgroup.procs
393
394    # set system-background to 0775 so SurfaceFlinger can touch it
395    chmod 0775 /dev/cpuset/system-background
396
397    chmod 0664 /dev/cpuset/foreground/tasks
398    chmod 0664 /dev/cpuset/background/tasks
399    chmod 0664 /dev/cpuset/system-background/tasks
400    chmod 0664 /dev/cpuset/top-app/tasks
401    chmod 0664 /dev/cpuset/restricted/tasks
402    chmod 0664 /dev/cpuset/tasks
403    chmod 0664 /dev/cpuset/camera-daemon/tasks
404    chmod 0664 /dev/cpuset/foreground/cgroup.procs
405    chmod 0664 /dev/cpuset/background/cgroup.procs
406    chmod 0664 /dev/cpuset/system-background/cgroup.procs
407    chmod 0664 /dev/cpuset/top-app/cgroup.procs
408    chmod 0664 /dev/cpuset/restricted/cgroup.procs
409    chmod 0664 /dev/cpuset/cgroup.procs
410    chmod 0664 /dev/cpuset/camera-daemon/cgroup.procs
411
412    # make the PSI monitor accessible to others
    # (system:system 0664: world-readable, writable by owner and group only)
413    chown system system /proc/pressure/memory
414    chmod 0664 /proc/pressure/memory
415
416    # qtaguid will limit access to specific data based on group memberships.
417    #   net_bw_acct grants impersonation of socket owners.
418    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
419    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
420    chown root net_bw_stats /proc/net/xt_qtaguid/stats
421
422    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
423    # This is needed by any process that uses socket tagging.
424    chmod 0644 /dev/xt_qtaguid
425
    # bpf and pstore are both mounted nodev, noexec and nosuid.
426    mount bpf bpf /sys/fs/bpf nodev noexec nosuid
427
428    # pstore/ramoops previous console log
    # Previous-boot logs are limited to system:log and are read-only
    # (0550 on the directory, 0440 on the files).
429    mount pstore pstore /sys/fs/pstore nodev noexec nosuid
430    chown system log /sys/fs/pstore
431    chmod 0550 /sys/fs/pstore
432    chown system log /sys/fs/pstore/console-ramoops
433    chmod 0440 /sys/fs/pstore/console-ramoops
434    chown system log /sys/fs/pstore/console-ramoops-0
435    chmod 0440 /sys/fs/pstore/console-ramoops-0
436    chown system log /sys/fs/pstore/pmsg-ramoops-0
437    chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
438
439    # enable armv8_deprecated instruction hooks
440    write /proc/sys/abi/swp 1
441
442    # Linux's execveat() syscall may construct paths containing /dev/fd
443    # expecting it to point to /proc/self/fd
444    symlink /proc/self/fd /dev/fd
445
446    export DOWNLOAD_CACHE /data/cache
447
448    # This allows the ledtrig-transient properties to be created here so
449    # that they can be chown'd to system:system later on boot
450    write /sys/class/leds/vibrator/trigger "transient"
451
452    # This is used by Bionic to select optimized routines.
    # The files are made read-only for everyone (0444) once written.
453    write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant}
454    chmod 0444 /dev/cpu_variant:${ro.bionic.arch}
455    write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}
456    chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}
457
458    # Allow system processes to read / write power state.
    # NOTE(review): wakeup_count is chown'd but gets no chmod here, so it
    # keeps whatever mode the kernel gave it.
459    chown system system /sys/power/state
460    chown system system /sys/power/wakeup_count
461    chmod 0660 /sys/power/state
462
463    chown radio wakelock /sys/power/wake_lock
464    chown radio wakelock /sys/power/wake_unlock
465    chmod 0660 /sys/power/wake_lock
466    chmod 0660 /sys/power/wake_unlock
467
468    # Start logd before any other services run to ensure we capture all of their logs.
469    start logd
470    # Start lmkd before any other services run so that it can register them
471    write /proc/sys/vm/watermark_boost_factor 0
472    chown root system /sys/module/lowmemorykiller/parameters/adj
473    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
474    chown root system /sys/module/lowmemorykiller/parameters/minfree
475    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
476    start lmkd
477
478    # Start essential services.
479    start servicemanager
480    start hwservicemanager
481    start vndservicemanager
482
483# Run boringssl self test for each ABI.  Any failures trigger reboot to firmware.
484on init && property:ro.product.cpu.abilist32=*
    # "=*" matches any value, so this fires whenever the 32-bit ABI list
    # property is set. exec_start holds up further init commands until the
    # self test has finished.
485    exec_start boringssl_self_test32
486on init && property:ro.product.cpu.abilist64=*
    # Same as above for the 64-bit ABI list.
487    exec_start boringssl_self_test64
488on property:apexd.status=ready && property:ro.product.cpu.abilist32=*
    # Self test shipped under /apex/com.android.conscrypt; it can only run
    # once apexd reports that APEXes are ready.
489    exec_start boringssl_self_test_apex32
490on property:apexd.status=ready && property:ro.product.cpu.abilist64=*
    # 64-bit counterpart of the APEX self test.
491    exec_start boringssl_self_test_apex64
492
# 32-bit BoringSSL self test from /system/bin. It runs with the least
# privilege available: user nobody and an empty capability set.
493service boringssl_self_test32 /system/bin/boringssl_self_test32
    # A failing run makes init reboot the device with the target string
    # "boringssl-self-check-failed".
494    reboot_on_failure reboot,boringssl-self-check-failed
    # stdout/stderr go to the kernel log so a failure is visible this early in boot.
495    stdio_to_kmsg
496    # Explicitly specify that boringssl_self_test32 doesn't require any capabilities
497    capabilities
498    user nobody
499
# 64-bit BoringSSL self test from /system/bin. It runs with the least
# privilege available: user nobody and an empty capability set.
500service boringssl_self_test64 /system/bin/boringssl_self_test64
    # A failing run makes init reboot the device with the target string
    # "boringssl-self-check-failed".
501    reboot_on_failure reboot,boringssl-self-check-failed
    # stdout/stderr go to the kernel log so a failure is visible this early in boot.
502    stdio_to_kmsg
503    # Explicitly specify that boringssl_self_test64 doesn't require any capabilities
504    capabilities
505    user nobody
506
# 32-bit BoringSSL self test shipped in the com.android.conscrypt APEX. It
# runs with the least privilege available: user nobody, empty capability set.
507service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32
    # A failing run makes init reboot the device with the target string
    # "boringssl-self-check-failed".
508    reboot_on_failure reboot,boringssl-self-check-failed
    # stdout/stderr go to the kernel log.
509    stdio_to_kmsg
510    # Explicitly specify that boringssl_self_test_apex32 doesn't require any capabilities
511    capabilities
512    user nobody
513
# 64-bit BoringSSL self test shipped in the com.android.conscrypt APEX. It
# runs with the least privilege available: user nobody, empty capability set.
514service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64
    # A failing run makes init reboot the device with the target string
    # "boringssl-self-check-failed".
515    reboot_on_failure reboot,boringssl-self-check-failed
    # stdout/stderr go to the kernel log.
516    stdio_to_kmsg
517    # Explicitly specify that boringssl_self_test_apex64 doesn't require any capabilities
518    capabilities
519    user nobody
520
521# Healthd can trigger a full boot from charger mode by signaling this
522# property when the power button is held.
523on property:sys.boot_from_charger_mode=1
    # Stop the services in class "charger", then run the normal late-init
    # boot sequence.
524    class_stop charger
525    trigger late-init
526
527# Indicate to fw loaders that the relevant mounts are up.
528on firmware_mounts_complete
    # Removing this marker file is the signal; late-init triggers this action
    # after zygote-start.
529    rm /dev/.booting
530
531# Mount filesystems and start core system services.
532on late-init
    # This action only queues other triggers; their order below is the boot
    # order of the filesystem, data, BPF, zygote and boot stages.
533    trigger early-fs
534
535    # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
536    # '--early' can be specified to skip entries with 'latemount'.
537    # /system and /vendor must be mounted by the end of the fs stage,
538    # while /data is optional.
539    trigger fs
540    trigger post-fs
541
542    # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
543    # to only mount entries with 'latemount'. This is needed if '--early' is
544    # specified in the previous mount_all command on the fs stage.
545    # With /system mounted and properties from /system + /factory available,
546    # some services can be started.
547    trigger late-fs
548
549    # Now we can mount /data. File encryption requires keymaster to decrypt
550    # /data, which in turn can only be loaded when system properties are present.
551    trigger post-fs-data
552
553    # Should be before netd, but after apex, properties and logging are available.
554    trigger load_bpf_programs
555
556    # Now we can start zygote for devices with file based encryption
557    trigger zygote-start
558
559    # Remove a file to wake up anything waiting for firmware.
560    trigger firmware_mounts_complete
561
562    trigger early-boot
563    trigger boot
564
565on early-fs
    # First stage queued by late-init.
566    # Once metadata has been mounted, we'll need vold to deal with userdata checkpointing
567    start vold
568
569on post-fs
    # Runs after the fs stage: locks down /, fixes ownership and labels on
    # /cache and /metadata, and restricts several /proc diagnostics files.
    # exec arguments before "--" are <seclabel> <user> <group>: "-" keeps the
    # default SELinux label and vdc runs as system:system.
570    exec - system system -- /system/bin/vdc checkpoint markBootAttempt
571
572    # Once everything is set up, no need to modify /.
573    # The bind+remount combination allows this to work in containers.
    # From here on / is read-only and nodev.
574    mount rootfs rootfs / remount bind ro nodev
575
576    # Mount default storage into root namespace
577    mount none /mnt/user/0 /storage bind rec
578    mount none none /storage slave rec
579
580    # Make sure /sys/kernel/debug (if present) is labeled properly
581    # Note that tracefs may be mounted under debug, so we need to cross filesystems
582    restorecon --recursive --cross-filesystems /sys/kernel/debug
583
584    # We chown/chmod /cache again because mount is run as root + defaults
585    chown system cache /cache
586    chmod 0770 /cache
587    # We restorecon /cache in case the cache partition has been reset.
588    restorecon_recursive /cache
589
590    # Create /cache/recovery in case it's not there. It'll also fix the odd
591    # permissions if created by the recovery system.
592    mkdir /cache/recovery 0770 system cache
593
594    # Backup/restore mechanism uses the cache partition
595    mkdir /cache/backup_stage 0700 system system
596    mkdir /cache/backup 0700 system system
597
598    # Change permissions on vmallocinfo so we can grab it from bugreports
    # These three files expose kernel memory layout details; they are readable
    # by root and group "log" only (0440).
599    chown root log /proc/vmallocinfo
600    chmod 0440 /proc/vmallocinfo
601
602    chown root log /proc/slabinfo
603    chmod 0440 /proc/slabinfo
604
605    chown root log /proc/pagetypeinfo
606    chmod 0440 /proc/pagetypeinfo
607
608    # Change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # sysrq-trigger is write-only (0220) for root and group "system". This
    # file mode is what limits sysrq here: the kernel.sysrq=0 written in
    # early-init only covers keyboard-invoked sysrq.
609    chown root system /proc/kmsg
610    chmod 0440 /proc/kmsg
611    chown root system /proc/sysrq-trigger
612    chmod 0220 /proc/sysrq-trigger
613    chown system log /proc/last_kmsg
614    chmod 0440 /proc/last_kmsg
615
616    # make the selinux kernel policy world-readable
617    chmod 0444 /sys/fs/selinux/policy
618
619    # create the lost+found directories, so as to enforce our permissions
620    mkdir /cache/lost+found 0770 root root
621
622    restorecon_recursive /metadata
    # NOTE(review): unlike its siblings, /metadata/vold is created without a
    # mode or owner and only tightened to 0700 by the following chmod;
    # passing the mode to mkdir would avoid the intermediate state — confirm
    # whether the two-step form is intentional.
623    mkdir /metadata/vold
624    chmod 0700 /metadata/vold
625    mkdir /metadata/password_slots 0771 root system
626    mkdir /metadata/bootstat 0750 system log
627    mkdir /metadata/ota 0700 root system
628    mkdir /metadata/ota/snapshots 0700 root system
629    mkdir /metadata/userspacereboot 0770 root system
630    mkdir /metadata/watchdog 0770 root system
631
632    mkdir /metadata/apex 0700 root system
633    mkdir /metadata/apex/sessions 0700 root system
634    # On some devices we see a weird behaviour in which /metadata/apex doesn't
635    # have a correct label. To work around this bug, explicitly call restorecon
636    # on /metadata/apex. For most of the boot sequences /metadata/apex will
637    # already have a correct selinux label, meaning that this call will be a
638    # no-op.
639    restorecon_recursive /metadata/apex
640
641    mkdir /metadata/staged-install 0770 root system
642    mkdir /metadata/sepolicy 0700 root root
643on late-fs
644    # Ensure that tracefs has the correct permissions.
645    # This does not work correctly if it is called in post-fs.
646    chmod 0755 /sys/kernel/tracing
647    chmod 0755 /sys/kernel/debug/tracing
648
649    # HALs required before storage encryption can get unlocked (FBE)
650    class_start early_hal
651
652    # Load trusted keys from dm-verity protected partitions
    # NOTE(review): no seclabel, user or group is given before "--", so the
    # helper presumably runs with init's own credentials — confirm that is
    # required for key loading.
653    exec -- /system/bin/fsverity_init --load-verified-keys
654
655# Only enable the bootreceiver tracing instance for kernels 5.10 and above.
656on late-fs && property:ro.kernel.version=4.9
    # Each version-specific action forces the property to 0 for that kernel.
657    setprop bootreceiver.enable 0
658on late-fs && property:ro.kernel.version=4.14
659    setprop bootreceiver.enable 0
660on late-fs && property:ro.kernel.version=4.19
661    setprop bootreceiver.enable 0
662on late-fs && property:ro.kernel.version=5.4
663    setprop bootreceiver.enable 0
664on late-fs
665    # Bootreceiver tracing instance is enabled by default.
    # "${name:-1}" expands to the current value, or to 1 when the property is
    # unset, so a 0 written by one of the actions above is kept. This relies
    # on these late-fs actions running in file order — confirm.
666    setprop bootreceiver.enable ${bootreceiver.enable:-1}
667
668on property:ro.product.cpu.abilist64=* && property:bootreceiver.enable=1
669    # Set up a tracing instance for system_server to monitor error_report_end events.
670    # These are sent by kernel tools like KASAN and KFENCE when a memory corruption
671    # is detected. This is only needed for 64-bit systems.
    # The instance directory is private to system:system (0700) and is
    # relabelled right after creation.
672    mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system
673    restorecon_recursive /sys/kernel/tracing/instances/bootreceiver
    # Keep the buffer small (1 KB) and enable only the error_report_end event.
674    write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1
675    write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free
676    write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1
677
678on post-fs-data
679
680    mark_post_data
681
682    # Start checkpoint before we touch data
683    exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint
684
685    # We chown/chmod /data again because mount is run as root + defaults
686    chown system system /data
687    chmod 0771 /data
688    # We restorecon /data in case the userdata partition has been reset.
689    restorecon /data
690
691    # Make sure we have the device encryption key.
692    installkey /data
693
694    # Start bootcharting as soon as possible after the data partition is
695    # mounted to collect more data.
696    mkdir /data/bootchart 0755 shell shell encryption=Require
697    bootchart start
698
699    # Avoid predictable entropy pool. Carry over entropy from previous boot.
700    copy /data/system/entropy.dat /dev/urandom
701
702    mkdir /data/vendor 0771 root root encryption=Require
703    mkdir /data/vendor/hardware 0771 root root
704
705    # Start tombstoned early to be able to store tombstones.
706    mkdir /data/anr 0775 system system encryption=Require
707    mkdir /data/tombstones 0771 system system encryption=Require
708    mkdir /data/vendor/tombstones 0771 root root
709    mkdir /data/vendor/tombstones/wifi 0771 wifi wifi
710    start tombstoned
711
712    # Make sure that apexd is started in the default namespace
713    enter_default_mount_ns
714
715    # set up keystore directory structure first so that we can end early boot
716    # and start apexd
717    mkdir /data/misc 01771 system misc encryption=Require
718    mkdir /data/misc/keystore 0700 keystore keystore
719    # work around b/183668221
720    restorecon /data/misc /data/misc/keystore
721
722    # Boot level 30
723    # odsign signing keys have MAX_BOOT_LEVEL=30
724    # This is currently the earliest boot level, but we start at 30
725    # to leave room for earlier levels.
726    setprop keystore.boot_level 30
727
728    # Now that /data is mounted and we have created /data/misc/keystore,
729    # we can tell keystore to stop allowing use of early-boot keys,
730    # and access its database for the first time to support creation and
731    # use of MAX_BOOT_LEVEL keys.
732    exec - system system -- /system/bin/vdc keymaster earlyBootEnded
733
734    # Multi-installed APEXes are selected using persist props.
735    # Load persist properties and override properties (if enabled) from /data,
736    # before starting apexd.
737    # /data/property should be created before `load_persist_props`
738    mkdir /data/property 0700 root root encryption=Require
739    load_persist_props
740
741    start logd
742    start logd-reinit
743
744    # Some existing vendor rc files use 'on load_persist_props_action' to know
745    # when persist props are ready. These are difficult to change due to GRF,
746    # so continue triggering this action here even though props are already loaded
747    # by the 'load_persist_props' call above.
748    trigger load_persist_props_action
749
750    # /data/apex is now available. Start apexd to scan and activate APEXes.
751    #
752    # To handle userspace reboots, make sure that apexd is started cleanly here
753    # (set apexd.status="") and that it is restarted if it's already running.
754    #
755    # /data/apex uses encryption=None because direct I/O support is needed on
756    # APEX files, but some devices don't support direct I/O on encrypted files.
757    # Also, APEXes are public information, similar to the system image.
758    # /data/apex/decompressed and /data/apex/ota_reserved override this setting;
759    # they are encrypted so that files in them can be hard-linked into
760    # /data/rollback which is encrypted.
761    mkdir /data/apex 0755 root system encryption=None
762    mkdir /data/apex/active 0755 root system
763    mkdir /data/apex/backup 0700 root system
764    mkdir /data/apex/decompressed 0755 root system encryption=Require
765    mkdir /data/apex/hashtree 0700 root system
766    mkdir /data/apex/sessions 0700 root system
767    mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary
768    mkdir /data/apex/ota_reserved 0700 root system encryption=Require
769    setprop apexd.status ""
770    restart apexd
771
772    # create rest of basic filesystem structure
773    mkdir /data/misc/recovery 0770 system log
774    copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
775    chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
776    chown system log /data/misc/recovery/ro.build.fingerprint.1
777    write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint}
778    chmod 0440 /data/misc/recovery/ro.build.fingerprint
779    chown system log /data/misc/recovery/ro.build.fingerprint
780    mkdir /data/misc/recovery/proc 0770 system log
781    copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1
782    chmod 0440 /data/misc/recovery/proc/version.1
783    chown system log /data/misc/recovery/proc/version.1
784    copy /proc/version /data/misc/recovery/proc/version
785    chmod 0440 /data/misc/recovery/proc/version
786    chown system log /data/misc/recovery/proc/version
787    mkdir /data/misc/bluedroid 02770 bluetooth bluetooth
788    # Fix the access permissions and group ownership for 'bt_config.conf'
789    chmod 0660 /data/misc/bluedroid/bt_config.conf
790    chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf
791    mkdir /data/misc/bluetooth 0770 bluetooth bluetooth
792    mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth
793    mkdir /data/misc/nfc 0770 nfc nfc
794    mkdir /data/misc/nfc/logs 0770 nfc nfc
795    mkdir /data/misc/credstore 0700 credstore credstore
796    mkdir /data/misc/gatekeeper 0700 system system
797    mkdir /data/misc/keychain 0771 system system
798    mkdir /data/misc/net 0750 root shell
799    mkdir /data/misc/radio 0770 system radio
800    mkdir /data/misc/sms 0770 system radio
801    mkdir /data/misc/carrierid 0770 system radio
802    mkdir /data/misc/apns 0770 system radio
803    mkdir /data/misc/emergencynumberdb 0770 system radio
804    mkdir /data/misc/network_watchlist 0774 system system
805    mkdir /data/misc/textclassifier 0771 system system
806    mkdir /data/misc/vpn 0770 system vpn
807    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
808    mkdir /data/misc/systemkeys 0700 system system
809    mkdir /data/misc/threadnetwork 0770 thread_network thread_network
810    mkdir /data/misc/wifi 0770 wifi wifi
811    mkdir /data/misc/wifi/sockets 0770 wifi wifi
812    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
813    mkdir /data/misc/ethernet 0770 system system
814    mkdir /data/misc/dhcp 0770 dhcp dhcp
815    mkdir /data/misc/user 0771 root root
816    # give system access to wpa_supplicant.conf for backup and restore
817    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
818    mkdir /data/local 0751 root root encryption=Require
819    mkdir /data/misc/media 0700 media media
820    mkdir /data/misc/audioserver 0700 audioserver audioserver
821    mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
822    mkdir /data/misc/vold 0700 root root
823    mkdir /data/misc/boottrace 0771 system shell
824    mkdir /data/misc/update_engine 0700 root root
825    mkdir /data/misc/update_engine_log 02750 root log
826    mkdir /data/misc/trace 0700 root root
827    # create location to store surface and window trace files
828    mkdir /data/misc/wmtrace 0700 system system
829    # create location to store accessibility trace files
830    mkdir /data/misc/a11ytrace 0700 system system
831    # profile file layout
832    mkdir /data/misc/profiles 0771 system system
833    mkdir /data/misc/profiles/cur 0771 system system
834    mkdir /data/misc/profiles/ref 0771 system system
835    mkdir /data/misc/profman 0770 system shell
836    mkdir /data/misc/gcov 0770 root root
837    mkdir /data/misc/installd 0700 root root
838    mkdir /data/misc/apexdata 0711 root root
839    mkdir /data/misc/apexrollback 0700 root root
840    mkdir /data/misc/appcompat/ 0700 system system
841    mkdir /data/misc/snapshotctl_log 0755 root root
842    # create location to store pre-reboot information
843    mkdir /data/misc/prereboot 0700 system system
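844    # directory used for on-device refresh metrics file.
    # NOTE(review): mode 0777 makes this directory world-writable, which the header
    # of this file warns against; confirm that SELinux policy is what limits writers here.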
845    mkdir /data/misc/odrefresh 0777 system system
846    # directory used for on-device signing key blob
847    mkdir /data/misc/odsign 0710 root system
848    # directory used for odsign metrics
849    mkdir /data/misc/odsign/metrics 0770 root system
850
851    # Directory for VirtualizationService temporary image files.
852    # Delete any stale files owned by the old virtualizationservice uid (b/230056726).
853    chmod 0770 /data/misc/virtualizationservice
854    exec - virtualizationservice system -- /bin/rm -rf /data/misc/virtualizationservice
855    mkdir /data/misc/virtualizationservice 0771 system system
856
857    # /data/preloads uses encryption=None because it only contains preloaded
858    # files that are public information, similar to the system image.
859    mkdir /data/preloads 0775 system system encryption=None
860
861    # For security reasons, /data/local/tmp should always be empty.
862    # Do not place files or directories in /data/local/tmp
863    mkdir /data/local/tmp 0771 shell shell
864    mkdir /data/local/traces 0777 shell shell
865    mkdir /data/app-private 0771 system system encryption=Require
866    mkdir /data/app-ephemeral 0771 system system encryption=Require
867    mkdir /data/app-asec 0700 root root encryption=Require
868    mkdir /data/app-lib 0771 system system encryption=Require
869    mkdir /data/app 0771 system system encryption=Require
870
871    # create directory for updated font files.
872    mkdir /data/fonts/ 0771 root root encryption=Require
873    mkdir /data/fonts/files 0771 system system
874    mkdir /data/fonts/config 0770 system system
875
876    # Create directories to push tests to for each linker namespace.
877    # Create the subdirectories in case the first test is run as root
878    # so it doesn't end up owned by root.
879    # Set directories to be executable by any process so that debuggerd,
880    # aka crash_dump, can read any executables/shared libraries.
881    mkdir /data/local/tests 0701 shell shell
882    mkdir /data/local/tests/product 0701 shell shell
883    mkdir /data/local/tests/system 0701 shell shell
884    mkdir /data/local/tests/unrestricted 0701 shell shell
885    mkdir /data/local/tests/vendor 0701 shell shell
886
887    # create dalvik-cache, so as to enforce our permissions
888    mkdir /data/dalvik-cache 0771 root root encryption=Require
889    # create the A/B OTA directory, so as to enforce our permissions
890    mkdir /data/ota 0771 root root encryption=Require
891
892    # create the OTA package directory. It will be accessed by GmsCore (cache
893    # group), update_engine and update_verifier.
894    mkdir /data/ota_package 0770 system cache encryption=Require
895
896    # create resource-cache and double-check the perms
897    mkdir /data/resource-cache 0771 system system encryption=Require
898    chown system system /data/resource-cache
899    chmod 0771 /data/resource-cache
900
901    # Ensure that lost+found exists and has the correct permissions.  Linux
902    # filesystems expect this directory to exist; it's where the fsck tool puts
903    # any recovered files that weren't present in any directory.  It must be
904    # unencrypted, as fsck must be able to write to it.
905    mkdir /data/lost+found 0770 root root encryption=None
906
907    # create directory for DRM plug-ins - give drm the read/write access to
908    # the following directory.
909    mkdir /data/drm 0770 drm drm encryption=Require
910
911    # create directory for MediaDrm plug-ins - give drm the read/write access to
912    # the following directory.
913    mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require
914
915    # NFC: create data/nfc for nv storage
916    mkdir /data/nfc 0770 nfc nfc encryption=Require
917    mkdir /data/nfc/param 0770 nfc nfc
918
919    # Create all remaining /data root dirs so that they are made through init
920    # and get proper encryption policy installed
921    mkdir /data/backup 0700 system system encryption=Require
922    mkdir /data/ss 0700 system system encryption=Require
923
924    mkdir /data/system 0775 system system encryption=Require
925    mkdir /data/system/environ 0700 system system
926    # b/183861600 attempt to fix selinux label before running derive_classpath service
927    restorecon /data/system/environ
928    mkdir /data/system/dropbox 0700 system system
929    mkdir /data/system/heapdump 0700 system system
930    mkdir /data/system/users 0775 system system
931    # Mkdir and set SELinux security contexts for shutdown-checkpoints.
932    # TODO(b/270286197): remove these after couple releases.
933    mkdir /data/system/shutdown-checkpoints 0700 system system
934    restorecon_recursive /data/system/shutdown-checkpoints
935
936    # Create the parent directories of the user CE and DE storage directories.
937    # These parent directories must use encryption=None, since each of their
938    # subdirectories uses a different encryption policy (a per-user one), and
939    # encryption policies apply recursively.  These directories should never
940    # contain any subdirectories other than the per-user ones.  /data/media/obb
941    # is an exception that exists for legacy reasons.
942    mkdir /data/media 0770 media_rw media_rw encryption=None
943    mkdir /data/misc_ce 01771 system misc encryption=None
944    mkdir /data/misc_de 01771 system misc encryption=None
945    mkdir /data/system_ce 0770 system system encryption=None
946    mkdir /data/system_de 0770 system system encryption=None
947    mkdir /data/user 0711 system system encryption=None
948    mkdir /data/user_de 0711 system system encryption=None
949    mkdir /data/vendor_ce 0771 root root encryption=None
950    mkdir /data/vendor_de 0771 root root encryption=None
951
952    # Set the casefold flag on /data/media.  For upgrades, a restorecon can be
953    # needed first to relabel the directory from media_rw_data_file.
954    restorecon /data/media
955    exec - media_rw media_rw -- /system/bin/chattr +F /data/media
956
957    # A tmpfs directory, which will contain all apps and sdk sandbox CE and DE
958    # data directory that bind mount from the original source.
959    mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
960    restorecon /data_mirror
961    mkdir /data_mirror/data_ce 0700 root root
962    mkdir /data_mirror/data_de 0700 root root
963    mkdir /data_mirror/misc_ce 0700 root root
964    mkdir /data_mirror/misc_de 0700 root root
965
966    # Create CE and DE data directory for default volume
967    mkdir /data_mirror/data_ce/null 0700 root root
968    mkdir /data_mirror/data_de/null 0700 root root
969    mkdir /data_mirror/misc_ce/null 0700 root root
970    mkdir /data_mirror/misc_de/null 0700 root root
971
972    # Bind mount CE and DE data directory to mirror's default volume directory.
973    # Note that because the /data mount has the "shared" propagation type, the
974    # later bind mount of /data/data onto /data/user/0 will automatically
975    # propagate to /data_mirror/data_ce/null/0 as well.
976    mount none /data/user /data_mirror/data_ce/null bind rec
977    mount none /data/user_de /data_mirror/data_de/null bind rec
978    mount none /data/misc_ce /data_mirror/misc_ce/null bind rec
979    mount none /data/misc_de /data_mirror/misc_de/null bind rec
980
981    # Create mirror directory for jit profiles
982    mkdir /data_mirror/cur_profiles 0700 root root
983    mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec
984    mkdir /data_mirror/ref_profiles 0700 root root
985    mount none /data/misc/profiles/ref /data_mirror/ref_profiles bind rec
986
987    mkdir /data/cache 0770 system cache encryption=Require
988    mkdir /data/cache/recovery 0770 system cache
989    mkdir /data/cache/backup_stage 0700 system system
990    mkdir /data/cache/backup 0700 system system
991
992    # Delete these if need be, per b/139193659
993    mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary
994    mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary
995    mkdir /data/rollback-history 0700 system system encryption=DeleteIfNecessary
996
997    # Create root dir for Incremental Service
998    mkdir /data/incremental 0771 system system encryption=Require
999
1000    # Create directories for statsd
1001    mkdir /data/misc/stats-active-metric/ 0770 statsd system
1002    mkdir /data/misc/stats-data/ 0770 statsd system
1003    mkdir /data/misc/stats-data/restricted-data 0770 statsd system
1004    mkdir /data/misc/stats-metadata/ 0770 statsd system
1005    mkdir /data/misc/stats-service/ 0770 statsd system
1006    mkdir /data/misc/train-info/ 0770 statsd system
1007
1008    # Wait for apexd to finish activating APEXes before starting more processes.
1009    wait_for_prop apexd.status activated
1010    perform_apex_config
1011
1012    # Create directories for boot animation.
1013    mkdir /data/bootanim 0755 system system encryption=DeleteIfNecessary
1014
1015    exec_start derive_sdk
1016
1017    init_user0
1018
1019    # Set SELinux security contexts on upgrade or policy update.
1020    restorecon --recursive --skip-ce /data
1021
1022    # Define and export *CLASSPATH variables
1023    # Must start before 'odsign', as odsign depends on *CLASSPATH variables
1024    exec_start derive_classpath
1025    load_exports /data/system/environ/classpath
1026
1027    # Start ART's oneshot boot service to propagate boot experiment flags to
1028    # dalvik.vm.*. This needs to be done before odsign since odrefresh uses and
1029    # validates those properties against the signed cache-info.xml.
1030    exec_start art_boot
1031
1032    # Start the on-device signing daemon, and wait for it to finish, to ensure
1033    # ART artifacts are generated if needed.
1034    # Must start after 'derive_classpath' to have *CLASSPATH variables set.
1035    start odsign
1036
1037    # Before we can lock keys and proceed to the next boot stage, wait for
1038    # odsign to be done with the key
1039    wait_for_prop odsign.key.done 1
1040
1041    # Lock the fs-verity keyring, so no more keys can be added
1042    exec -- /system/bin/fsverity_init --lock
1043
1044    # Bump the boot level to 1000000000; this prevents further on-device signing.
1045    # This is a special value that shuts down the thread which listens for
1046    # further updates.
1047    setprop keystore.boot_level 1000000000
1048
1049    # Allow apexd to snapshot and restore device encrypted apex data in the case
1050    # of a rollback. This should be done immediately after DE_user data keys
1051    # are loaded. APEXes should not access this data until this has been
1052    # completed and apexd.status becomes "ready".
1053    exec_start apexd-snapshotde
1054
1055    # sys.use_memfd is set to false by default, which keeps it disabled
1056    # until it is confirmed that apps and vendor processes don't make
1057    # IOCTLs on ashmem fds any more.
1058    setprop sys.use_memfd false
1059
1060    # Set fscklog permission
1061    chown root system /dev/fscklogs/log
1062    chmod 0770 /dev/fscklogs/log
1063
1064    # Enable FUSE by default
1065    setprop persist.sys.fuse true
1066
1067    # Update dm-verity state and set partition.*.verified properties.
1068    verity_update_state
1069
1070# It is recommended to move non-essential /data initialization from post-fs-data
1071# to zygote-start in the device's init.rc, so that it does not delay zygote start.
# zygote-start on devices reporting ro.crypto.state=unencrypted. The command list
# is the same as in the 'unsupported' and 'encrypted && type=file' variants below.
1072on zygote-start && property:ro.crypto.state=unencrypted
    # Block here until odsign.verification.done is 1, so zygote is not started
    # before odsign has finished verification.
1073    wait_for_prop odsign.verification.done 1
1074    # A/B update verifier that marks a successful boot.
1075    exec_start update_verifier_nonencrypted
1076    start statsd
1077    start netd
1078    start zygote
1079    start zygote_secondary
1080
# zygote-start on devices reporting ro.crypto.state=unsupported. The command list
# is the same as in the 'unencrypted' and 'encrypted && type=file' variants.
1081on zygote-start && property:ro.crypto.state=unsupported
    # Block here until odsign.verification.done is 1, so zygote is not started
    # before odsign has finished verification.
1082    wait_for_prop odsign.verification.done 1
1083    # A/B update verifier that marks a successful boot.
1084    exec_start update_verifier_nonencrypted
1085    start statsd
1086    start netd
1087    start zygote
1088    start zygote_secondary
1089
# zygote-start on devices reporting ro.crypto.state=encrypted with
# ro.crypto.type=file. The command list is the same as in the 'unencrypted' and
# 'unsupported' variants above.
1090on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file
    # Block here until odsign.verification.done is 1, so zygote is not started
    # before odsign has finished verification.
1091    wait_for_prop odsign.verification.done 1
1092    # A/B update verifier that marks a successful boot.
1093    exec_start update_verifier_nonencrypted
1094    start statsd
1095    start netd
1096    start zygote
1097    start zygote_secondary
1098
# Extra 'boot' action that runs only when ro.config.low_ram=true; it writes two
# vm writeback sysctls.
1099on boot && property:ro.config.low_ram=true
1100    # Tweak background writeout
1101    write /proc/sys/vm/dirty_expire_centisecs 200
1102    write /proc/sys/vm/dirty_background_ratio  5
1103
# Runs on the 'boot' trigger: loopback networking, kernel VM, F2FS and block-queue
# tunables, ownership of sysfs and procfs nodes for system daemons, then the 'hal'
# and 'core' service classes.
1104on boot
1105    # basic network init
1106    ifup lo
1107    hostname localhost
1108    domainname localdomain
1109
1110    # IPsec SA default expiration length
1111    write /proc/sys/net/core/xfrm_acq_expires 3600
1112
1113    # Memory management.  Basic kernel parameters, and allow the high
1114    # level system server to be able to adjust the kernel OOM driver
1115    # parameters to match how it is managing things.
1116    write /proc/sys/vm/overcommit_memory 1
1117    write /proc/sys/vm/min_free_order_shift 4
1118
1119    # System server manages zram writeback
1120    chown root system /sys/block/zram0/idle
1121    chmod 0664 /sys/block/zram0/idle
1122    chown root system /sys/block/zram0/writeback
1123    chmod 0664 /sys/block/zram0/writeback
1124
1125    # to access F2FS sysfs on dm-<num> directly
1126    mkdir /dev/sys/fs/by-name 0755 system system
1127    symlink /sys/fs/f2fs/${dev.mnt.dev.data} /dev/sys/fs/by-name/userdata
1128
1129    # dev.mnt.dev.data=dm-N, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0, or
1130    # dev.mnt.dev.data=sdaN/mmcblk0pN, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0
1131    mkdir /dev/sys/block/by-name 0755 system system
1132    symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata
1133    symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk
1134
1135    # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs,
1136    # to avoid power consumption when system becomes mostly idle. Be careful
1137    # not to make it too large, since user data may be lost on a sudden power
1138    # cut if applications do not call fsync()/sync().
1139    write /dev/sys/fs/by-name/userdata/cp_interval 200
1140    write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50
1141    write /dev/sys/fs/by-name/userdata/iostat_period_ms 1000
1142    write /dev/sys/fs/by-name/userdata/iostat_enable 1
1143
1144    # set readahead multiplier for POSIX_FADV_SEQUENTIAL files
1145    write /dev/sys/fs/by-name/userdata/seq_file_ra_mul 128
1146
1147    # limit discard size to 128MB in order to avoid long IO latency
1148    # for filesystem tuning first (dm or sda)
1149    # this requires enabling selinux entry for sda/mmcblk0 in vendor side
1150    write /dev/sys/block/by-name/userdata/queue/discard_max_bytes 134217728
1151    write /dev/sys/block/by-name/rootdisk/queue/discard_max_bytes 134217728
1152
1153    # Permissions for System Server and daemons.
    # Where a chown below has no matching chmod (/sys/power/autosleep, boostpulse,
    # the leds and timed_output nodes, disable_esco, the tcp_*mem nodes,
    # /proc/cmdline and /proc/bootconfig), only ownership changes; the node keeps
    # whatever mode bits it already has.
1154    chown system system /sys/power/autosleep
1155
1156    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
1157    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
1158    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
1159    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
1160    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
1161    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
1162    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
1163    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
1164    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
1165    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
1166    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
1167    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
1168    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
1169    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
1170    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
1171    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
1172    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
1173    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
1174    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
1175    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
1176    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
1177    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
1178    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
1179
1180    chown system system /sys/class/leds/vibrator/trigger
1181    chown system system /sys/class/leds/vibrator/activate
1182    chown system system /sys/class/leds/vibrator/brightness
1183    chown system system /sys/class/leds/vibrator/duration
1184    chown system system /sys/class/leds/vibrator/state
1185    chown system system /sys/class/timed_output/vibrator/enable
1186    chown system system /sys/class/leds/keyboard-backlight/brightness
1187    chown system system /sys/class/leds/lcd-backlight/brightness
1188    chown system system /sys/class/leds/button-backlight/brightness
1189    chown system system /sys/class/leds/jogball-backlight/brightness
1190    chown system system /sys/class/leds/red/brightness
1191    chown system system /sys/class/leds/green/brightness
1192    chown system system /sys/class/leds/blue/brightness
1193    chown system system /sys/class/leds/red/device/grpfreq
1194    chown system system /sys/class/leds/red/device/grppwm
1195    chown system system /sys/class/leds/red/device/blink
1196    chown system system /sys/module/sco/parameters/disable_esco
1197    chown system system /sys/kernel/ipv4/tcp_wmem_min
1198    chown system system /sys/kernel/ipv4/tcp_wmem_def
1199    chown system system /sys/kernel/ipv4/tcp_wmem_max
1200    chown system system /sys/kernel/ipv4/tcp_rmem_min
1201    chown system system /sys/kernel/ipv4/tcp_rmem_def
1202    chown system system /sys/kernel/ipv4/tcp_rmem_max
1203    chown root radio /proc/cmdline
1204    chown root system /proc/bootconfig
1205
1206    # Define default initial receive window size in segments.
    # The 'on property:net.tcp_def_init_rwnd=*' action in this file copies the value
    # into /proc/sys/net/ipv4/tcp_default_init_rwnd.
1207    setprop net.tcp_def_init_rwnd 60
1208
1209    # Start standard binderized HAL daemons
1210    class_start hal
1211
1212    class_start core
1213
# On the 'nonencrypted' trigger, start the 'main' and then the 'late_start'
# service classes.
1214on nonencrypted
1215    class_start main
1216    class_start late_start
1217
# Whenever sys.init_log_level is set (=* matches any value), pass the new value
# to the loglevel command.
1218on property:sys.init_log_level=*
1219    loglevel ${sys.init_log_level}
1220
# On the 'charger' trigger, start only the 'charger' service class.
1221on charger
1222    class_start charger
1223
# When sys.boot_completed becomes 1: stop bootchart and recreate /data/per_boot.
1224on property:sys.boot_completed=1
1225    bootchart stop
1226    # Setup per_boot directory so other .rc could start to use it on boot_completed
    # The old directory is removed by rm running as user and group 'system' (the
    # leading '-' leaves the SELinux label at its default), then recreated with
    # mode 0700. key=per_boot_ref presumably selects a key that is regenerated on
    # each boot - confirm against init's mkdir documentation.
1227    exec - system system -- /bin/rm -rf /data/per_boot
1228    mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref
1229
1230# system server cannot write to /proc/sys files,
1231# and chown/chmod does not work for /proc/sys/ entries.
1232# So proxy writes through init.
1233on property:sys.sysctl.extra_free_kbytes=*
    # No seclabel, user or group is given before '--', so the script runs with
    # init's defaults for exec. init expands the property and passes it as the
    # script's single argument.
    # NOTE(review): the script is not shown here; confirm that it validates the
    # value before writing the sysctl, since whoever may set this property
    # controls that argument.
1234    exec -- /system/bin/extra_free_kbytes.sh ${sys.sysctl.extra_free_kbytes}
1235
1236# Allow users to drop caches
# Fires only when perf.drop_caches is exactly 3. Which processes may set the
# property is not decided in this file (presumably by SELinux property
# contexts - confirm).
1237on property:perf.drop_caches=3
1238    write /proc/sys/vm/drop_caches 3
    # Reset the property, presumably so that a later write of 3 is a change and
    # triggers this action again.
1239    setprop perf.drop_caches 0
1240
1241# "tcp_default_init_rwnd" Is too long!
# Copy net.tcp_def_init_rwnd into the kernel sysctl whenever the property is set;
# the 'on boot' action in this file sets it to 60.
1242on property:net.tcp_def_init_rwnd=*
1243    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
1244
1245# perf_event_open syscall security:
1246# Newer kernels have the ability to control the use of the syscall via SELinux
1247# hooks. init tests for this, and sets sys.init.perf_lsm_hooks to 1 if the
1248# kernel has the hooks. In this case, the system-wide perf_event_paranoid
1249# sysctl is set to -1 (unrestricted use), and the SELinux policy is used for
1250# controlling access. On older kernels, the paranoid value is the only means of
1251# controlling access. It is normally 3 (allow only root), but the shell user
1252# can lower it to 1 (allowing thread-scoped profiling) via security.perf_harden.
# Kernel has the SELinux perf hooks (sys.init.perf_lsm_hooks=1): set the sysctl to
# -1 on the load_bpf_programs trigger and leave access control to SELinux policy.
1253on load_bpf_programs && property:sys.init.perf_lsm_hooks=1
1254    write /proc/sys/kernel/perf_event_paranoid -1
# No hooks (sys.init.perf_lsm_hooks is empty) and perf_harden=0: lower the sysctl
# to 1.
1255on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks=""
1256    write /proc/sys/kernel/perf_event_paranoid 1
# No hooks and perf_harden=1: restore the restrictive value 3.
1257on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks=""
1258    write /proc/sys/kernel/perf_event_paranoid 3
1259
1260# Additionally, simpleperf profiler uses debug.* and security.perf_harden
1261# sysprops to be able to indirectly set these sysctls.
1262on property:security.perf_harden=0
    # Each ${name:-default} takes the debug.* property value, or the default after
    # ':-' when the property is unset. The defaults equal the values written by the
    # perf_harden=1 action.
    # NOTE(review): with perf_harden=0 these three sysctls take whatever the
    # debug.* properties hold; this file sets no bounds on them.
1263    write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}
1264    write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25}
1265    write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516}
1266# Default values.
1267on property:security.perf_harden=1
    # Write fixed values and ignore the debug.* properties, so returning to
    # perf_harden=1 undoes any override applied while it was 0.
1268    write /proc/sys/kernel/perf_event_max_sample_rate 100000
1269    write /proc/sys/kernel/perf_cpu_time_max_percent 25
1270    write /proc/sys/kernel/perf_event_mlock_kb 516
1271
1272# This property can be set only on userdebug/eng. See neverallow rule in
1273# /system/sepolicy/private/property.te .
# security.lower_kptr_restrict=1 writes 0 to kptr_restrict. Per the kernel's
# sysctl documentation, 0 places no restriction on exposing kernel addresses.
1274on property:security.lower_kptr_restrict=1
1275    write /proc/sys/kernel/kptr_restrict 0
1276
# security.lower_kptr_restrict=0 writes 2, which per the same documentation hides
# kernel pointers printed with %pK from every user.
1277on property:security.lower_kptr_restrict=0
1278    write /proc/sys/kernel/kptr_restrict 2
1279
1280
1281# on shutdown
1282# In device's init.rc, this trigger can be used to do device-specific actions
1283# before shutdown. e.g disable watchdog and mask error handling
1284
1285## Daemon processes to be run by init.
1286##
# ueventd: part of class 'core', runs as root with SELinux label u:r:ueventd:s0.
# Marked 'critical' and 'shutdown critical'; see the init README for the exact
# restart and shutdown semantics of those options.
1287service ueventd /system/bin/ueventd
1288    class core
1289    critical
1290    seclabel u:r:ueventd:s0
1291    user root
1292    shutdown critical
1293
# Interactive /system/bin/sh on the console. It runs as user 'shell' (groups shell,
# log, readproc) with SELinux label u:r:shell:s0, not as root.
# 'disabled' means it is not started with class 'core'; in this file it is started
# by the 'on init && property:ro.debuggable=1' action.
1294service console /system/bin/sh
1295    class core
1296    console
1297    disabled
1298    user shell
1299    group shell log readproc
1300    seclabel u:r:shell:s0
1301    setenv HOSTNAME console
1302    shutdown critical
1303
# Debuggable builds only (ro.debuggable=1): widen the modes of three trace folders
# that post-fs-data creates with mode 0700.
1304on property:ro.debuggable=1
1305    # Widen the trace folder to 0773 on debug builds: owner and group get rwx,
1306    # everyone else gets write and search but not read (no listing); it's further
    # protected by selinux policy.
1307    # The folder is used to store method traces.
1308    chmod 0773 /data/misc/trace
1309    # Give writes and reads to anyone for the window trace folder on debug builds,
1310    # it's further protected by selinux policy.
1311    chmod 0777 /data/misc/wmtrace
1312    # Give reads to anyone for the accessibility trace folder on debug builds.
    # 0775 also gives the group write access; others get read and search only.
1313    chmod 0775 /data/misc/a11ytrace
1314
# Start the otherwise disabled 'console' shell service, on debuggable builds only.
1315on init && property:ro.debuggable=1
1316    start console
1317
# On a userspace reboot request, reset the boot-progress, crash-tracking, shutdown
# and boot-animation properties below to the empty string.
1318on userspace-reboot-requested
1319  # TODO(b/135984674): reset all necessary properties here.
1320  setprop sys.boot_completed ""
1321  setprop dev.bootcomplete ""
1322  setprop sys.init.updatable_crashing ""
1323  setprop sys.init.updatable_crashing_process_name ""
1324  setprop sys.user.0.ce_available ""
1325  setprop sys.shutdown.requested ""
1326  setprop service.bootanim.exit ""
1327  setprop service.bootanim.progress ""
1328
# Filesystem stage of a userspace reboot: make sure vold runs, issue the two vdc
# checkpoint commands as user 'system', unmount the /data_mirror mounts, remount
# userdata and start the boot animation.
1329on userspace-reboot-fs-remount
1330  # Make sure that vold is running.
1331  # This is mostly a precautionary measure in case vold for some reason wasn't running when
1332  # userspace reboot was initiated.
1333  start vold
1334  exec - system system -- /system/bin/vdc checkpoint resetCheckpoint
1335  exec - system system -- /system/bin/vdc checkpoint markBootAttempt
1336  # Unmount /data_mirror mounts in the reverse order of corresponding mounts.
  # NOTE(review): post-fs-data also bind-mounts /data/misc_ce and /data/misc_de onto
  # /data_mirror/misc_ce/null and /data_mirror/misc_de/null, and no umount for them
  # is listed here. Confirm that 'umount /data_mirror' and remount_userdata still
  # succeed with those mounts in place.
1337  umount /data_mirror/data_ce/null/0
1338  umount /data_mirror/data_ce/null
1339  umount /data_mirror/data_de/null
1340  umount /data_mirror/cur_profiles
1341  umount /data_mirror/ref_profiles
1342  umount /data_mirror
1343  remount_userdata
1344  start bootanim
1345
# Resume a userspace reboot by queueing the fs-remount stage and then the boot
# triggers post-fs-data, zygote-start, early-boot and boot, in that order.
1346on userspace-reboot-resume
1347  trigger userspace-reboot-fs-remount
1348  trigger post-fs-data
1349  trigger zygote-start
1350  trigger early-boot
1351  trigger boot
1352
# When boot completes while a userspace reboot is in progress, clear the
# in-progress flag.
1353on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1
1354  setprop sys.init.userspace_reboot.in_progress ""
1355
1356# Multi-Gen LRU Experiment
# Maps persist.device_config.mglru_native.lru_gen_config to the value written to
# /sys/kernel/mm/lru_gen/enabled. The values read as a bitmask that matches the
# config names (1 = core, 2 = mm_walk, 4 = nonleaf_young, 7 = all) - confirm
# against the kernel's lru_gen documentation.
1357on property:persist.device_config.mglru_native.lru_gen_config=none
1358  write /sys/kernel/mm/lru_gen/enabled 0
1359on property:persist.device_config.mglru_native.lru_gen_config=core
1360  write /sys/kernel/mm/lru_gen/enabled 1
1361on property:persist.device_config.mglru_native.lru_gen_config=core_and_mm_walk
1362  write /sys/kernel/mm/lru_gen/enabled 3
1363on property:persist.device_config.mglru_native.lru_gen_config=core_and_nonleaf_young
1364  write /sys/kernel/mm/lru_gen/enabled 5
1365on property:persist.device_config.mglru_native.lru_gen_config=all
1366  write /sys/kernel/mm/lru_gen/enabled 7
1367