1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /system/etc/init/hw/init.usb.rc 9import /init.${ro.hardware}.rc 10import /vendor/etc/init/hw/init.${ro.hardware}.rc 11import /system/etc/init/hw/init.usb.configfs.rc 12import /system/etc/init/hw/init.${ro.zygote}.rc 13 14# Cgroups are mounted right before early-init using list from /etc/cgroups.json 15on early-init 16 # Disable sysrq from keyboard 17 write /proc/sys/kernel/sysrq 0 18 19 # Android doesn't need kernel module autoloading, and it causes SELinux 20 # denials. So disable it by setting modprobe to the empty string. Note: to 21 # explicitly set a sysctl to an empty string, a trailing newline is needed. 22 write /proc/sys/kernel/modprobe \n 23 24 # Set the security context of /adb_keys if present. 25 restorecon /adb_keys 26 27 # Set the security context of /postinstall if present. 28 restorecon /postinstall 29 30 mkdir /acct/uid 31 32 # memory.pressure_level used by lmkd 33 chown root system /dev/memcg/memory.pressure_level 34 chmod 0040 /dev/memcg/memory.pressure_level 35 # app mem cgroups, used by activity manager, lmkd and zygote 36 mkdir /dev/memcg/apps/ 0755 system system 37 # cgroup for system_server and surfaceflinger 38 mkdir /dev/memcg/system 0550 system system 39 40 # symlink the Android specific /dev/tun to Linux expected /dev/net/tun 41 mkdir /dev/net 0755 root root 42 symlink ../tun /dev/net/tun 43 44 # set RLIMIT_NICE to allow priorities from 19 to -20 45 setrlimit nice 40 40 46 47 # Allow up to 32K FDs per process 48 setrlimit nofile 32768 32768 49 50 # Set up linker config subdirectories based on mount namespaces 51 mkdir /linkerconfig/bootstrap 0755 52 mkdir /linkerconfig/default 0755 53 54 # Disable dm-verity hash prefetching, since it doesn't help performance 55 # Read more in b/136247322 56 write /sys/module/dm_verity/parameters/prefetch_cluster 0 57 58 # Generate ld.config.txt for early executed processes 59 exec -- /system/bin/bootstrap/linkerconfig --target /linkerconfig/bootstrap 60 chmod 644 /linkerconfig/bootstrap/ld.config.txt 61 copy /linkerconfig/bootstrap/ld.config.txt /linkerconfig/default/ld.config.txt 62 chmod 644 /linkerconfig/default/ld.config.txt 63 64 # Mount bootstrap linker configuration as current 65 mount none /linkerconfig/bootstrap /linkerconfig bind rec 66 67 start ueventd 68 69 # Run apexd-bootstrap so that APEXes that provide critical libraries 70 # become available. Note that this is executed as exec_start to ensure that 71 # the libraries are available to the processes started after this statement. 72 exec_start apexd-bootstrap 73 74 # Generate linker config based on apex mounted in bootstrap namespace 75 update_linker_config 76 77 # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run. 78 mkdir /dev/boringssl 0755 root root 79 mkdir /dev/boringssl/selftest 0755 root root 80 81 # Mount tracefs (with GID=AID_READTRACEFS) 82 mount tracefs tracefs /sys/kernel/tracing gid=3012 83 84 # create sys dirctory 85 mkdir /dev/sys 0755 system system 86 mkdir /dev/sys/fs 0755 system system 87 mkdir /dev/sys/block 0755 system system 88 89# Run boringssl self test for each ABI so that later processes can skip it. http://b/139348610 90on early-init && property:ro.product.cpu.abilist32=* 91 exec_start boringssl_self_test32 92on early-init && property:ro.product.cpu.abilist64=* 93 exec_start boringssl_self_test64 94on property:apexd.status=ready && property:ro.product.cpu.abilist32=* 95 exec_start boringssl_self_test_apex32 96on property:apexd.status=ready && property:ro.product.cpu.abilist64=* 97 exec_start boringssl_self_test_apex64 98 99service boringssl_self_test32 /system/bin/boringssl_self_test32 100 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 101 reboot_on_failure reboot,boringssl-self-check-failed 102 stdio_to_kmsg 103 104service boringssl_self_test64 /system/bin/boringssl_self_test64 105 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 106 reboot_on_failure reboot,boringssl-self-check-failed 107 stdio_to_kmsg 108 109service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32 110 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 111 reboot_on_failure reboot,boringssl-self-check-failed 112 stdio_to_kmsg 113 114service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64 115 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 116 reboot_on_failure reboot,boringssl-self-check-failed 117 stdio_to_kmsg 118 119on init 120 sysclktz 0 121 122 # Mix device-specific information into the entropy pool 123 copy /proc/cmdline /dev/urandom 124 copy /system/etc/prop.default /dev/urandom 125 126 symlink /proc/self/fd/0 /dev/stdin 127 symlink /proc/self/fd/1 /dev/stdout 128 symlink /proc/self/fd/2 /dev/stderr 129 130 # Create energy-aware scheduler tuning nodes 131 mkdir /dev/stune/foreground 132 mkdir /dev/stune/background 133 mkdir /dev/stune/top-app 134 mkdir /dev/stune/rt 135 chown system system /dev/stune 136 chown system system /dev/stune/foreground 137 chown system system /dev/stune/background 138 chown system system /dev/stune/top-app 139 chown system system /dev/stune/rt 140 chown system system /dev/stune/tasks 141 chown system system /dev/stune/foreground/tasks 142 chown system system /dev/stune/background/tasks 143 chown system system /dev/stune/top-app/tasks 144 chown system system /dev/stune/rt/tasks 145 chmod 0664 /dev/stune/tasks 146 chmod 0664 /dev/stune/foreground/tasks 147 chmod 0664 /dev/stune/background/tasks 148 chmod 0664 /dev/stune/top-app/tasks 149 chmod 0664 /dev/stune/rt/tasks 150 151 # cpuctl hierarchy for devices using utilclamp 152 mkdir /dev/cpuctl/foreground 153 mkdir /dev/cpuctl/background 154 mkdir /dev/cpuctl/top-app 155 mkdir /dev/cpuctl/rt 156 mkdir /dev/cpuctl/system 157 mkdir /dev/cpuctl/system-background 158 mkdir /dev/cpuctl/dex2oat 159 chown system system /dev/cpuctl 160 chown system system /dev/cpuctl/foreground 161 chown system system /dev/cpuctl/background 162 chown system system /dev/cpuctl/top-app 163 chown system system /dev/cpuctl/rt 164 chown system system /dev/cpuctl/system 165 chown system system /dev/cpuctl/system-background 166 chown system system /dev/cpuctl/dex2oat 167 chown system system /dev/cpuctl/tasks 168 chown system system /dev/cpuctl/foreground/tasks 169 chown system system /dev/cpuctl/background/tasks 170 chown system system /dev/cpuctl/top-app/tasks 171 chown system system /dev/cpuctl/rt/tasks 172 chown system system /dev/cpuctl/system/tasks 173 chown system system /dev/cpuctl/system-background/tasks 174 chown system system /dev/cpuctl/dex2oat/tasks 175 chmod 0664 /dev/cpuctl/tasks 176 chmod 0664 /dev/cpuctl/foreground/tasks 177 chmod 0664 /dev/cpuctl/background/tasks 178 chmod 0664 /dev/cpuctl/top-app/tasks 179 chmod 0664 /dev/cpuctl/rt/tasks 180 chmod 0664 /dev/cpuctl/system/tasks 181 chmod 0664 /dev/cpuctl/system-background/tasks 182 chmod 0664 /dev/cpuctl/dex2oat/tasks 183 184 # Create a cpu group for NNAPI HAL processes 185 mkdir /dev/cpuctl/nnapi-hal 186 chown system system /dev/cpuctl/nnapi-hal 187 chown system system /dev/cpuctl/nnapi-hal/tasks 188 chmod 0664 /dev/cpuctl/nnapi-hal/tasks 189 write /dev/cpuctl/nnapi-hal/cpu.uclamp.min 1 190 write /dev/cpuctl/nnapi-hal/cpu.uclamp.latency_sensitive 1 191 192 # Create a cpu group for camera daemon processes 193 mkdir /dev/cpuctl/camera-daemon 194 chown system system /dev/cpuctl/camera-daemon 195 chown system system /dev/cpuctl/camera-daemon/tasks 196 chmod 0664 /dev/cpuctl/camera-daemon/tasks 197 198 # Create an stune group for camera-specific processes 199 mkdir /dev/stune/camera-daemon 200 chown system system /dev/stune/camera-daemon 201 chown system system /dev/stune/camera-daemon/tasks 202 chmod 0664 /dev/stune/camera-daemon/tasks 203 204 # Create an stune group for NNAPI HAL processes 205 mkdir /dev/stune/nnapi-hal 206 chown system system /dev/stune/nnapi-hal 207 chown system system /dev/stune/nnapi-hal/tasks 208 chmod 0664 /dev/stune/nnapi-hal/tasks 209 write /dev/stune/nnapi-hal/schedtune.boost 1 210 write /dev/stune/nnapi-hal/schedtune.prefer_idle 1 211 212 # Create blkio group and apply initial settings. 213 # This feature needs kernel to support it, and the 214 # device's init.rc must actually set the correct values. 215 mkdir /dev/blkio/background 216 chown system system /dev/blkio 217 chown system system /dev/blkio/background 218 chown system system /dev/blkio/tasks 219 chown system system /dev/blkio/background/tasks 220 chmod 0664 /dev/blkio/tasks 221 chmod 0664 /dev/blkio/background/tasks 222 write /dev/blkio/blkio.weight 1000 223 write /dev/blkio/background/blkio.weight 200 224 write /dev/blkio/background/blkio.bfq.weight 10 225 write /dev/blkio/blkio.group_idle 0 226 write /dev/blkio/background/blkio.group_idle 0 227 228 restorecon_recursive /mnt 229 230 mount configfs none /config nodev noexec nosuid 231 chmod 0770 /config/sdcardfs 232 chown system package_info /config/sdcardfs 233 234 # Mount binderfs 235 mkdir /dev/binderfs 236 mount binder binder /dev/binderfs stats=global 237 chmod 0755 /dev/binderfs 238 239 # Mount fusectl 240 mount fusectl none /sys/fs/fuse/connections 241 242 symlink /dev/binderfs/binder /dev/binder 243 symlink /dev/binderfs/hwbinder /dev/hwbinder 244 symlink /dev/binderfs/vndbinder /dev/vndbinder 245 246 chmod 0666 /dev/binderfs/hwbinder 247 chmod 0666 /dev/binderfs/binder 248 chmod 0666 /dev/binderfs/vndbinder 249 250 mkdir /mnt/secure 0700 root root 251 mkdir /mnt/secure/asec 0700 root root 252 mkdir /mnt/asec 0755 root system 253 mkdir /mnt/obb 0755 root system 254 mkdir /mnt/media_rw 0750 root external_storage 255 mkdir /mnt/user 0755 root root 256 mkdir /mnt/user/0 0755 root root 257 mkdir /mnt/user/0/self 0755 root root 258 mkdir /mnt/user/0/emulated 0755 root root 259 mkdir /mnt/user/0/emulated/0 0755 root root 260 261 # Prepare directories for pass through processes 262 mkdir /mnt/pass_through 0700 root root 263 mkdir /mnt/pass_through/0 0710 root media_rw 264 mkdir /mnt/pass_through/0/self 0710 root media_rw 265 mkdir /mnt/pass_through/0/emulated 0710 root media_rw 266 mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw 267 268 mkdir /mnt/expand 0771 system system 269 mkdir /mnt/appfuse 0711 root root 270 271 # Storage views to support runtime permissions 272 mkdir /mnt/runtime 0700 root root 273 mkdir /mnt/runtime/default 0755 root root 274 mkdir /mnt/runtime/default/self 0755 root root 275 mkdir /mnt/runtime/read 0755 root root 276 mkdir /mnt/runtime/read/self 0755 root root 277 mkdir /mnt/runtime/write 0755 root root 278 mkdir /mnt/runtime/write/self 0755 root root 279 mkdir /mnt/runtime/full 0755 root root 280 mkdir /mnt/runtime/full/self 0755 root root 281 282 # Symlink to keep legacy apps working in multi-user world 283 symlink /storage/self/primary /mnt/sdcard 284 symlink /mnt/user/0/primary /mnt/runtime/default/self/primary 285 286 write /proc/sys/kernel/panic_on_oops 1 287 write /proc/sys/kernel/hung_task_timeout_secs 0 288 write /proc/cpu/alignment 4 289 290 # scheduler tunables 291 # Disable auto-scaling of scheduler tunables with hotplug. The tunables 292 # will vary across devices in unpredictable ways if allowed to scale with 293 # cpu cores. 294 write /proc/sys/kernel/sched_tunable_scaling 0 295 write /proc/sys/kernel/sched_latency_ns 10000000 296 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 297 write /proc/sys/kernel/sched_child_runs_first 0 298 299 write /proc/sys/kernel/randomize_va_space 2 300 write /proc/sys/vm/mmap_min_addr 32768 301 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 302 write /proc/sys/net/unix/max_dgram_qlen 600 303 304 # Assign reasonable ceiling values for socket rcv/snd buffers. 305 # These should almost always be overridden by the target per the 306 # the corresponding technology maximums. 307 write /proc/sys/net/core/rmem_max 262144 308 write /proc/sys/net/core/wmem_max 262144 309 310 # reflect fwmark from incoming packets onto generated replies 311 write /proc/sys/net/ipv4/fwmark_reflect 1 312 write /proc/sys/net/ipv6/fwmark_reflect 1 313 314 # set fwmark on accepted sockets 315 write /proc/sys/net/ipv4/tcp_fwmark_accept 1 316 317 # disable icmp redirects 318 write /proc/sys/net/ipv4/conf/all/accept_redirects 0 319 write /proc/sys/net/ipv6/conf/all/accept_redirects 0 320 321 # /proc/net/fib_trie leaks interface IP addresses 322 chmod 0400 /proc/net/fib_trie 323 324 # sets up initial cpusets for ActivityManager 325 # this ensures that the cpusets are present and usable, but the device's 326 # init.rc must actually set the correct cpus 327 mkdir /dev/cpuset/foreground 328 copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus 329 copy /dev/cpuset/mems /dev/cpuset/foreground/mems 330 mkdir /dev/cpuset/background 331 copy /dev/cpuset/cpus /dev/cpuset/background/cpus 332 copy /dev/cpuset/mems /dev/cpuset/background/mems 333 334 # system-background is for system tasks that should only run on 335 # little cores, not on bigs 336 mkdir /dev/cpuset/system-background 337 copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus 338 copy /dev/cpuset/mems /dev/cpuset/system-background/mems 339 340 # restricted is for system tasks that are being throttled 341 # due to screen off. 342 mkdir /dev/cpuset/restricted 343 copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus 344 copy /dev/cpuset/mems /dev/cpuset/restricted/mems 345 346 mkdir /dev/cpuset/top-app 347 copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus 348 copy /dev/cpuset/mems /dev/cpuset/top-app/mems 349 350 # create a cpuset for camera daemon processes 351 mkdir /dev/cpuset/camera-daemon 352 copy /dev/cpuset/cpus /dev/cpuset/camera-daemon/cpus 353 copy /dev/cpuset/mems /dev/cpuset/camera-daemon/mems 354 355 # change permissions for all cpusets we'll touch at runtime 356 chown system system /dev/cpuset 357 chown system system /dev/cpuset/foreground 358 chown system system /dev/cpuset/background 359 chown system system /dev/cpuset/system-background 360 chown system system /dev/cpuset/top-app 361 chown system system /dev/cpuset/restricted 362 chown system system /dev/cpuset/camera-daemon 363 chown system system /dev/cpuset/tasks 364 chown system system /dev/cpuset/foreground/tasks 365 chown system system /dev/cpuset/background/tasks 366 chown system system /dev/cpuset/system-background/tasks 367 chown system system /dev/cpuset/top-app/tasks 368 chown system system /dev/cpuset/restricted/tasks 369 chown system system /dev/cpuset/camera-daemon/tasks 370 371 # set system-background to 0775 so SurfaceFlinger can touch it 372 chmod 0775 /dev/cpuset/system-background 373 374 chmod 0664 /dev/cpuset/foreground/tasks 375 chmod 0664 /dev/cpuset/background/tasks 376 chmod 0664 /dev/cpuset/system-background/tasks 377 chmod 0664 /dev/cpuset/top-app/tasks 378 chmod 0664 /dev/cpuset/restricted/tasks 379 chmod 0664 /dev/cpuset/tasks 380 chmod 0664 /dev/cpuset/camera-daemon/tasks 381 382 # make the PSI monitor accessible to others 383 chown system system /proc/pressure/memory 384 chmod 0664 /proc/pressure/memory 385 386 # qtaguid will limit access to specific data based on group memberships. 387 # net_bw_acct grants impersonation of socket owners. 388 # net_bw_stats grants access to other apps' detailed tagged-socket stats. 389 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 390 chown root net_bw_stats /proc/net/xt_qtaguid/stats 391 392 # Allow everybody to read the xt_qtaguid resource tracking misc dev. 393 # This is needed by any process that uses socket tagging. 394 chmod 0644 /dev/xt_qtaguid 395 396 mount bpf bpf /sys/fs/bpf nodev noexec nosuid 397 398 # Create location for fs_mgr to store abbreviated output from filesystem 399 # checker programs. 400 mkdir /dev/fscklogs 0770 root system 401 402 # pstore/ramoops previous console log 403 mount pstore pstore /sys/fs/pstore nodev noexec nosuid 404 chown system log /sys/fs/pstore 405 chmod 0550 /sys/fs/pstore 406 chown system log /sys/fs/pstore/console-ramoops 407 chmod 0440 /sys/fs/pstore/console-ramoops 408 chown system log /sys/fs/pstore/console-ramoops-0 409 chmod 0440 /sys/fs/pstore/console-ramoops-0 410 chown system log /sys/fs/pstore/pmsg-ramoops-0 411 chmod 0440 /sys/fs/pstore/pmsg-ramoops-0 412 413 # enable armv8_deprecated instruction hooks 414 write /proc/sys/abi/swp 1 415 416 # Linux's execveat() syscall may construct paths containing /dev/fd 417 # expecting it to point to /proc/self/fd 418 symlink /proc/self/fd /dev/fd 419 420 export DOWNLOAD_CACHE /data/cache 421 422 # This allows the ledtrig-transient properties to be created here so 423 # that they can be chown'd to system:system later on boot 424 write /sys/class/leds/vibrator/trigger "transient" 425 426 # This is used by Bionic to select optimized routines. 427 write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant} 428 chmod 0444 /dev/cpu_variant:${ro.bionic.arch} 429 write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant} 430 chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch} 431 432 # Allow system processes to read / write power state. 433 chown system system /sys/power/state 434 chown system system /sys/power/wakeup_count 435 chmod 0660 /sys/power/state 436 437 chown radio wakelock /sys/power/wake_lock 438 chown radio wakelock /sys/power/wake_unlock 439 chmod 0660 /sys/power/wake_lock 440 chmod 0660 /sys/power/wake_unlock 441 442 # Start logd before any other services run to ensure we capture all of their logs. 443 start logd 444 # Start lmkd before any other services run so that it can register them 445 chown root system /sys/module/lowmemorykiller/parameters/adj 446 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 447 chown root system /sys/module/lowmemorykiller/parameters/minfree 448 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 449 start lmkd 450 451 # Start essential services. 452 start servicemanager 453 start hwservicemanager 454 start vndservicemanager 455 456# Healthd can trigger a full boot from charger mode by signaling this 457# property when the power button is held. 458on property:sys.boot_from_charger_mode=1 459 class_stop charger 460 trigger late-init 461 462on load_persist_props_action 463 load_persist_props 464 start logd 465 start logd-reinit 466 467# Indicate to fw loaders that the relevant mounts are up. 468on firmware_mounts_complete 469 rm /dev/.booting 470 471# Mount filesystems and start core system services. 472on late-init 473 trigger early-fs 474 475 # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter 476 # '--early' can be specified to skip entries with 'latemount'. 477 # /system and /vendor must be mounted by the end of the fs stage, 478 # while /data is optional. 479 trigger fs 480 trigger post-fs 481 482 # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter 483 # to only mount entries with 'latemount'. This is needed if '--early' is 484 # specified in the previous mount_all command on the fs stage. 485 # With /system mounted and properties form /system + /factory available, 486 # some services can be started. 487 trigger late-fs 488 489 # Now we can mount /data. File encryption requires keymaster to decrypt 490 # /data, which in turn can only be loaded when system properties are present. 491 trigger post-fs-data 492 493 # Load persist properties and override properties (if enabled) from /data. 494 trigger load_persist_props_action 495 496 # Should be before netd, but after apex, properties and logging is available. 497 trigger load_bpf_programs 498 499 # Now we can start zygote for devices with file based encryption 500 trigger zygote-start 501 502 # Remove a file to wake up anything waiting for firmware. 503 trigger firmware_mounts_complete 504 505 trigger early-boot 506 trigger boot 507 508on early-fs 509 # Once metadata has been mounted, we'll need vold to deal with userdata checkpointing 510 start vold 511 512on post-fs 513 exec - system system -- /system/bin/vdc checkpoint markBootAttempt 514 515 # Once everything is setup, no need to modify /. 516 # The bind+remount combination allows this to work in containers. 517 mount rootfs rootfs / remount bind ro nodev 518 519 # Mount default storage into root namespace 520 mount none /mnt/user/0 /storage bind rec 521 mount none none /storage slave rec 522 523 # Make sure /sys/kernel/debug (if present) is labeled properly 524 # Note that tracefs may be mounted under debug, so we need to cross filesystems 525 restorecon --recursive --cross-filesystems /sys/kernel/debug 526 527 # We chown/chmod /cache again so because mount is run as root + defaults 528 chown system cache /cache 529 chmod 0770 /cache 530 # We restorecon /cache in case the cache partition has been reset. 531 restorecon_recursive /cache 532 533 # Create /cache/recovery in case it's not there. It'll also fix the odd 534 # permissions if created by the recovery system. 535 mkdir /cache/recovery 0770 system cache 536 537 # Backup/restore mechanism uses the cache partition 538 mkdir /cache/backup_stage 0700 system system 539 mkdir /cache/backup 0700 system system 540 541 #change permissions on vmallocinfo so we can grab it from bugreports 542 chown root log /proc/vmallocinfo 543 chmod 0440 /proc/vmallocinfo 544 545 chown root log /proc/slabinfo 546 chmod 0440 /proc/slabinfo 547 548 chown root log /proc/pagetypeinfo 549 chmod 0440 /proc/pagetypeinfo 550 551 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 552 chown root system /proc/kmsg 553 chmod 0440 /proc/kmsg 554 chown root system /proc/sysrq-trigger 555 chmod 0220 /proc/sysrq-trigger 556 chown system log /proc/last_kmsg 557 chmod 0440 /proc/last_kmsg 558 559 # make the selinux kernel policy world-readable 560 chmod 0444 /sys/fs/selinux/policy 561 562 # create the lost+found directories, so as to enforce our permissions 563 mkdir /cache/lost+found 0770 root root 564 565 restorecon_recursive /metadata 566 mkdir /metadata/vold 567 chmod 0700 /metadata/vold 568 mkdir /metadata/password_slots 0771 root system 569 mkdir /metadata/bootstat 0750 system log 570 mkdir /metadata/ota 0700 root system 571 mkdir /metadata/ota/snapshots 0700 root system 572 mkdir /metadata/userspacereboot 0770 root system 573 mkdir /metadata/watchdog 0770 root system 574 575 mkdir /metadata/apex 0700 root system 576 mkdir /metadata/apex/sessions 0700 root system 577 # On some devices we see a weird behaviour in which /metadata/apex doesn't 578 # have a correct label. To workaround this bug, explicitly call restorecon 579 # on /metadata/apex. For most of the boot sequences /metadata/apex will 580 # already have a correct selinux label, meaning that this call will be a 581 # no-op. 582 restorecon_recursive /metadata/apex 583 584 mkdir /metadata/staged-install 0770 root system 585on late-fs 586 # Ensure that tracefs has the correct permissions. 587 # This does not work correctly if it is called in post-fs. 588 chmod 0755 /sys/kernel/tracing 589 chmod 0755 /sys/kernel/debug/tracing 590 591 # HALs required before storage encryption can get unlocked (FBE/FDE) 592 class_start early_hal 593 594 # Load trusted keys from dm-verity protected partitions 595 exec -- /system/bin/fsverity_init --load-verified-keys 596 597# Only enable the bootreceiver tracing instance for kernels 5.10 and above. 598on late-fs && property:ro.kernel.version=4.9 599 setprop bootreceiver.enable 0 600on late-fs && property:ro.kernel.version=4.14 601 setprop bootreceiver.enable 0 602on late-fs && property:ro.kernel.version=4.19 603 setprop bootreceiver.enable 0 604on late-fs && property:ro.kernel.version=5.4 605 setprop bootreceiver.enable 0 606on late-fs 607 # Bootreceiver tracing instance is enabled by default. 608 setprop bootreceiver.enable ${bootreceiver.enable:-1} 609 610on property:ro.product.cpu.abilist64=* && property:bootreceiver.enable=1 611 # Set up a tracing instance for system_server to monitor error_report_end events. 612 # These are sent by kernel tools like KASAN and KFENCE when a memory corruption 613 # is detected. This is only needed for 64-bit systems. 614 mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system 615 restorecon_recursive /sys/kernel/tracing/instances/bootreceiver 616 write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1 617 write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free 618 write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1 619 620on post-fs-data 621 622 mark_post_data 623 624 # Start checkpoint before we touch data 625 exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint 626 627 # We chown/chmod /data again so because mount is run as root + defaults 628 chown system system /data 629 chmod 0771 /data 630 # We restorecon /data in case the userdata partition has been reset. 631 restorecon /data 632 633 # Make sure we have the device encryption key. 634 installkey /data 635 636 # Start bootcharting as soon as possible after the data partition is 637 # mounted to collect more data. 638 mkdir /data/bootchart 0755 shell shell encryption=Require 639 bootchart start 640 641 # Avoid predictable entropy pool. Carry over entropy from previous boot. 642 copy /data/system/entropy.dat /dev/urandom 643 644 mkdir /data/vendor 0771 root root encryption=Require 645 mkdir /data/vendor_ce 0771 root root encryption=None 646 mkdir /data/vendor_de 0771 root root encryption=None 647 mkdir /data/vendor/hardware 0771 root root 648 649 # Start tombstoned early to be able to store tombstones. 650 mkdir /data/anr 0775 system system encryption=Require 651 mkdir /data/tombstones 0771 system system encryption=Require 652 mkdir /data/vendor/tombstones 0771 root root 653 mkdir /data/vendor/tombstones/wifi 0771 wifi wifi 654 start tombstoned 655 656 # Make sure that apexd is started in the default namespace 657 enter_default_mount_ns 658 659 # set up keystore directory structure first so that we can end early boot 660 # and start apexd 661 mkdir /data/misc 01771 system misc encryption=Require 662 mkdir /data/misc/keystore 0700 keystore keystore 663 # work around b/183668221 664 restorecon /data/misc /data/misc/keystore 665 666 # Boot level 30 667 # odsign signing keys have MAX_BOOT_LEVEL=30 668 # This is currently the earliest boot level, but we start at 30 669 # to leave room for earlier levels. 670 setprop keystore.boot_level 30 671 672 # Now that /data is mounted and we have created /data/misc/keystore, 673 # we can tell keystore to stop allowing use of early-boot keys, 674 # and access its database for the first time to support creation and 675 # use of MAX_BOOT_LEVEL keys. 676 exec - system system -- /system/bin/vdc keymaster earlyBootEnded 677 678 # /data/apex is now available. Start apexd to scan and activate APEXes. 679 # 680 # To handle userspace reboots as well as devices that use FDE, make sure 681 # that apexd is started cleanly here (set apexd.status="") and that it is 682 # restarted if it's already running. 683 mkdir /data/apex 0755 root system encryption=None 684 mkdir /data/apex/active 0755 root system 685 mkdir /data/apex/backup 0700 root system 686 mkdir /data/apex/decompressed 0755 root system encryption=Require 687 mkdir /data/apex/hashtree 0700 root system 688 mkdir /data/apex/sessions 0700 root system 689 mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary 690 mkdir /data/apex/ota_reserved 0700 root system encryption=Require 691 setprop apexd.status "" 692 restart apexd 693 694 # create rest of basic filesystem structure 695 mkdir /data/misc/recovery 0770 system log 696 copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1 697 chmod 0440 /data/misc/recovery/ro.build.fingerprint.1 698 chown system log /data/misc/recovery/ro.build.fingerprint.1 699 write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint} 700 chmod 0440 /data/misc/recovery/ro.build.fingerprint 701 chown system log /data/misc/recovery/ro.build.fingerprint 702 mkdir /data/misc/recovery/proc 0770 system log 703 copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1 704 chmod 0440 /data/misc/recovery/proc/version.1 705 chown system log /data/misc/recovery/proc/version.1 706 copy /proc/version /data/misc/recovery/proc/version 707 chmod 0440 /data/misc/recovery/proc/version 708 chown system log /data/misc/recovery/proc/version 709 mkdir /data/misc/bluedroid 02770 bluetooth bluetooth 710 # Fix the access permissions and group ownership for 'bt_config.conf' 711 chmod 0660 /data/misc/bluedroid/bt_config.conf 712 chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf 713 mkdir /data/misc/bluetooth 0770 bluetooth bluetooth 714 mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth 715 mkdir /data/misc/nfc 0770 nfc nfc 716 mkdir /data/misc/nfc/logs 0770 nfc nfc 717 mkdir /data/misc/credstore 0700 credstore credstore 718 mkdir /data/misc/gatekeeper 0700 system system 719 mkdir /data/misc/keychain 0771 system system 720 mkdir /data/misc/net 0750 root shell 721 mkdir /data/misc/radio 0770 system radio 722 mkdir /data/misc/sms 0770 system radio 723 mkdir /data/misc/carrierid 0770 system radio 724 mkdir /data/misc/apns 0770 system radio 725 mkdir /data/misc/emergencynumberdb 0770 system radio 726 mkdir /data/misc/zoneinfo 0775 system system 727 mkdir /data/misc/network_watchlist 0774 system system 728 mkdir /data/misc/textclassifier 0771 system system 729 mkdir /data/misc/vpn 0770 system vpn 730 mkdir /data/misc/shared_relro 0771 shared_relro shared_relro 731 mkdir /data/misc/systemkeys 0700 system system 732 mkdir /data/misc/wifi 0770 wifi wifi 733 mkdir /data/misc/wifi/sockets 0770 wifi wifi 734 mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi 735 mkdir /data/misc/ethernet 0770 system system 736 mkdir /data/misc/dhcp 0770 dhcp dhcp 737 mkdir /data/misc/user 0771 root root 738 # give system access to wpa_supplicant.conf for backup and restore 739 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 740 mkdir /data/local 0751 root root encryption=Require 741 mkdir /data/misc/media 0700 media media 742 mkdir /data/misc/audioserver 0700 audioserver audioserver 743 mkdir /data/misc/cameraserver 0700 cameraserver cameraserver 744 mkdir /data/misc/vold 0700 root root 745 mkdir /data/misc/boottrace 0771 system shell 746 mkdir /data/misc/update_engine 0700 root root 747 mkdir /data/misc/update_engine_log 02750 root log 748 mkdir /data/misc/trace 0700 root root 749 # create location to store surface and window trace files 750 mkdir /data/misc/wmtrace 0700 system system 751 # create location to store accessibility trace files 752 mkdir /data/misc/a11ytrace 0700 system system 753 # profile file layout 754 mkdir /data/misc/profiles 0771 system system 755 mkdir /data/misc/profiles/cur 0771 system system 756 mkdir /data/misc/profiles/ref 0771 system system 757 mkdir /data/misc/profman 0770 system shell 758 mkdir /data/misc/gcov 0770 root root 759 mkdir /data/misc/installd 0700 root root 760 mkdir /data/misc/apexdata 0711 root root 761 mkdir /data/misc/apexrollback 0700 root root 762 mkdir /data/misc/appcompat/ 0700 system system 763 mkdir /data/misc/snapshotctl_log 0755 root root 764 # create location to store pre-reboot information 765 mkdir /data/misc/prereboot 0700 system system 766 # directory used for on-device refresh metrics file. 767 mkdir /data/misc/odrefresh 0777 system system 768 # directory used for on-device signing key blob 769 mkdir /data/misc/odsign 0700 root root 770 771 mkdir /data/preloads 0775 system system encryption=None 772 773 # For security reasons, /data/local/tmp should always be empty. 774 # Do not place files or directories in /data/local/tmp 775 mkdir /data/local/tmp 0771 shell shell 776 mkdir /data/local/traces 0777 shell shell 777 mkdir /data/data 0771 system system encryption=None 778 mkdir /data/app-private 0771 system system encryption=Require 779 mkdir /data/app-ephemeral 0771 system system encryption=Require 780 mkdir /data/app-asec 0700 root root encryption=Require 781 mkdir /data/app-lib 0771 system system encryption=Require 782 mkdir /data/app 0771 system system encryption=Require 783 mkdir /data/property 0700 root root encryption=Require 784 785 # create directory for updated font files. 786 mkdir /data/fonts/ 0771 root root encryption=Require 787 mkdir /data/fonts/files 0771 system system 788 mkdir /data/fonts/config 0770 system system 789 790 # Create directories to push tests to for each linker namespace. 791 # Create the subdirectories in case the first test is run as root 792 # so it doesn't end up owned by root. 793 mkdir /data/local/tests 0700 shell shell 794 mkdir /data/local/tests/product 0700 shell shell 795 mkdir /data/local/tests/system 0700 shell shell 796 mkdir /data/local/tests/unrestricted 0700 shell shell 797 mkdir /data/local/tests/vendor 0700 shell shell 798 799 # create dalvik-cache, so as to enforce our permissions 800 mkdir /data/dalvik-cache 0771 root root encryption=Require 801 # create the A/B OTA directory, so as to enforce our permissions 802 mkdir /data/ota 0771 root root encryption=Require 803 804 # create the OTA package directory. It will be accessed by GmsCore (cache 805 # group), update_engine and update_verifier. 806 mkdir /data/ota_package 0770 system cache encryption=Require 807 808 # create resource-cache and double-check the perms 809 mkdir /data/resource-cache 0771 system system encryption=Require 810 chown system system /data/resource-cache 811 chmod 0771 /data/resource-cache 812 813 # create the lost+found directories, so as to enforce our permissions 814 mkdir /data/lost+found 0770 root root encryption=None 815 816 # create directory for DRM plug-ins - give drm the read/write access to 817 # the following directory. 818 mkdir /data/drm 0770 drm drm encryption=Require 819 820 # create directory for MediaDrm plug-ins - give drm the read/write access to 821 # the following directory. 822 mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require 823 824 # NFC: create data/nfc for nv storage 825 mkdir /data/nfc 0770 nfc nfc encryption=Require 826 mkdir /data/nfc/param 0770 nfc nfc 827 828 # Create all remaining /data root dirs so that they are made through init 829 # and get proper encryption policy installed 830 mkdir /data/backup 0700 system system encryption=Require 831 mkdir /data/ss 0700 system system encryption=Require 832 833 mkdir /data/system 0775 system system encryption=Require 834 mkdir /data/system/environ 0700 system system 835 # b/183861600 attempt to fix selinux label before running derive_classpath service 836 restorecon /data/system/environ 837 mkdir /data/system/dropbox 0700 system system 838 mkdir /data/system/heapdump 0700 system system 839 mkdir /data/system/users 0775 system system 840 841 mkdir /data/system_de 0770 system system encryption=None 842 mkdir /data/system_ce 0770 system system encryption=None 843 844 mkdir /data/misc_de 01771 system misc encryption=None 845 mkdir /data/misc_ce 01771 system misc encryption=None 846 847 mkdir /data/user 0711 system system encryption=None 848 mkdir /data/user_de 0711 system system encryption=None 849 850 # Unlink /data/user/0 if we previously symlink it to /data/data 851 rm /data/user/0 852 853 # Bind mount /data/user/0 to /data/data 854 mkdir /data/user/0 0700 system system encryption=None 855 mount none /data/data /data/user/0 bind rec 856 857 # A tmpfs directory, which will contain all apps CE DE data directory that 858 # bind mount from the original source. 859 mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000 860 restorecon /data_mirror 861 mkdir /data_mirror/data_ce 0700 root root 862 mkdir /data_mirror/data_de 0700 root root 863 864 # Create CE and DE data directory for default volume 865 mkdir /data_mirror/data_ce/null 0700 root root 866 mkdir /data_mirror/data_de/null 0700 root root 867 868 # Bind mount CE and DE data directory to mirror's default volume directory 869 mount none /data/user /data_mirror/data_ce/null bind rec 870 mount none /data/user_de /data_mirror/data_de/null bind rec 871 872 # Create mirror directory for jit profiles 873 mkdir /data_mirror/cur_profiles 0700 root root 874 mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec 875 mkdir /data_mirror/ref_profiles 0700 root root 876 mount none /data/misc/profiles/ref /data_mirror/ref_profiles bind rec 877 878 mkdir /data/cache 0770 system cache encryption=Require 879 mkdir /data/cache/recovery 0770 system cache 880 mkdir /data/cache/backup_stage 0700 system system 881 mkdir /data/cache/backup 0700 system system 882 883 # Delete these if need be, per b/139193659 884 mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary 885 mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary 886 mkdir /data/rollback-history 0700 system system encryption=DeleteIfNecessary 887 888 # Create root dir for Incremental Service 889 mkdir /data/incremental 0771 system system encryption=Require 890 891 # Create directories for statsd 892 mkdir /data/misc/stats-active-metric/ 0770 statsd system 893 mkdir /data/misc/stats-data/ 0770 statsd system 894 mkdir /data/misc/stats-metadata/ 0770 statsd system 895 mkdir /data/misc/stats-service/ 0770 statsd system 896 mkdir /data/misc/train-info/ 0770 statsd system 897 898 # Wait for apexd to finish activating APEXes before starting more processes. 899 wait_for_prop apexd.status activated 900 perform_apex_config 901 902 # Special-case /data/media/obb per b/64566063 903 mkdir /data/media 0770 media_rw media_rw encryption=None 904 exec - media_rw media_rw -- /system/bin/chattr +F /data/media 905 mkdir /data/media/obb 0770 media_rw media_rw encryption=Attempt 906 907 exec_start derive_sdk 908 909 init_user0 910 911 # Set SELinux security contexts on upgrade or policy update. 912 restorecon --recursive --skip-ce /data 913 914 # Define and export *CLASSPATH variables 915 # Must start before 'odsign', as odsign depends on *CLASSPATH variables 916 exec_start derive_classpath 917 load_exports /data/system/environ/classpath 918 919 # Start the on-device signing daemon, and wait for it to finish, to ensure 920 # ART artifacts are generated if needed. 921 # Must start after 'derive_classpath' to have *CLASSPATH variables set. 922 start odsign 923 924 # Before we can lock keys and proceed to the next boot stage, wait for 925 # odsign to be done with the key 926 wait_for_prop odsign.key.done 1 927 928 # Lock the fs-verity keyring, so no more keys can be added 929 exec -- /system/bin/fsverity_init --lock 930 931 # Bump the boot level to 1000000000; this prevents further on-device signing. 932 # This is a special value that shuts down the thread which listens for 933 # further updates. 934 setprop keystore.boot_level 1000000000 935 936 # Allow apexd to snapshot and restore device encrypted apex data in the case 937 # of a rollback. This should be done immediately after DE_user data keys 938 # are loaded. APEXes should not access this data until this has been 939 # completed and apexd.status becomes "ready". 940 exec_start apexd-snapshotde 941 942 # Check any timezone data in /data is newer than the copy in the time zone data 943 # module, delete if not. 944 exec - system system -- /system/bin/tzdatacheck /apex/com.android.tzdata/etc/tz /data/misc/zoneinfo 945 946 # If there is no post-fs-data action in the init.<device>.rc file, you 947 # must uncomment this line, otherwise encrypted filesystems 948 # won't work. 949 # Set indication (checked by vold) that we have finished this action 950 #setprop vold.post_fs_data_done 1 951 952 # sys.memfd_use set to false by default, which keeps it disabled 953 # until it is confirmed that apps and vendor processes don't make 954 # IOCTLs on ashmem fds any more. 955 setprop sys.use_memfd false 956 957 # Set fscklog permission 958 chown root system /dev/fscklogs/log 959 chmod 0770 /dev/fscklogs/log 960 961 # Enable FUSE by default 962 setprop persist.sys.fuse true 963 964# It is recommended to put unnecessary data/ initialization from post-fs-data 965# to start-zygote in device's init.rc to unblock zygote start. 966on zygote-start && property:ro.crypto.state=unencrypted 967 wait_for_prop odsign.verification.done 1 968 # A/B update verifier that marks a successful boot. 969 exec_start update_verifier_nonencrypted 970 start statsd 971 start netd 972 start zygote 973 start zygote_secondary 974 975on zygote-start && property:ro.crypto.state=unsupported 976 wait_for_prop odsign.verification.done 1 977 # A/B update verifier that marks a successful boot. 978 exec_start update_verifier_nonencrypted 979 start statsd 980 start netd 981 start zygote 982 start zygote_secondary 983 984on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file 985 wait_for_prop odsign.verification.done 1 986 # A/B update verifier that marks a successful boot. 987 exec_start update_verifier_nonencrypted 988 start statsd 989 start netd 990 start zygote 991 start zygote_secondary 992 993on boot && property:ro.config.low_ram=true 994 # Tweak background writeout 995 write /proc/sys/vm/dirty_expire_centisecs 200 996 write /proc/sys/vm/dirty_background_ratio 5 997 998on boot 999 # basic network init 1000 ifup lo 1001 hostname localhost 1002 domainname localdomain 1003 1004 # IPsec SA default expiration length 1005 write /proc/sys/net/core/xfrm_acq_expires 3600 1006 1007 # Memory management. Basic kernel parameters, and allow the high 1008 # level system server to be able to adjust the kernel OOM driver 1009 # parameters to match how it is managing things. 1010 write /proc/sys/vm/overcommit_memory 1 1011 write /proc/sys/vm/min_free_order_shift 4 1012 1013 # System server manages zram writeback 1014 chown root system /sys/block/zram0/idle 1015 chmod 0664 /sys/block/zram0/idle 1016 chown root system /sys/block/zram0/writeback 1017 chmod 0664 /sys/block/zram0/writeback 1018 1019 # to access F2FS sysfs on dm-<num> directly 1020 mkdir /dev/sys/fs/by-name 0755 system system 1021 symlink /sys/fs/f2fs/${dev.mnt.blk.data} /dev/sys/fs/by-name/userdata 1022 1023 # to access dm-<num> sysfs 1024 mkdir /dev/sys/block/by-name 0755 system system 1025 symlink /sys/devices/virtual/block/${dev.mnt.blk.data} /dev/sys/block/by-name/userdata 1026 1027 # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs, 1028 # to avoid power consumption when system becomes mostly idle. Be careful 1029 # to make it too large, since it may bring userdata loss, if they 1030 # are not aware of using fsync()/sync() to prepare sudden power-cut. 1031 write /dev/sys/fs/by-name/userdata/cp_interval 200 1032 write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50 1033 write /dev/sys/fs/by-name/userdata/iostat_enable 1 1034 1035 # limit discard size to 128MB in order to avoid long IO latency 1036 # for filesystem tuning first (dm or sda) 1037 # Note that, if dm-<num> is used, sda/mmcblk0 should be tuned in vendor/init.rc 1038 write /dev/sys/block/by-name/userdata/queue/discard_max_bytes 134217728 1039 1040 # Permissions for System Server and daemons. 1041 chown system system /sys/power/autosleep 1042 1043 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 1044 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 1045 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 1046 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 1047 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 1048 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 1049 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 1050 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 1051 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 1052 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 1053 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 1054 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 1055 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 1056 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 1057 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 1058 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 1059 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 1060 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 1061 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 1062 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 1063 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 1064 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 1065 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 1066 1067 # Assume SMP uses shared cpufreq policy for all CPUs 1068 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 1069 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 1070 1071 chown system system /sys/class/leds/vibrator/trigger 1072 chown system system /sys/class/leds/vibrator/activate 1073 chown system system /sys/class/leds/vibrator/brightness 1074 chown system system /sys/class/leds/vibrator/duration 1075 chown system system /sys/class/leds/vibrator/state 1076 chown system system /sys/class/timed_output/vibrator/enable 1077 chown system system /sys/class/leds/keyboard-backlight/brightness 1078 chown system system /sys/class/leds/lcd-backlight/brightness 1079 chown system system /sys/class/leds/button-backlight/brightness 1080 chown system system /sys/class/leds/jogball-backlight/brightness 1081 chown system system /sys/class/leds/red/brightness 1082 chown system system /sys/class/leds/green/brightness 1083 chown system system /sys/class/leds/blue/brightness 1084 chown system system /sys/class/leds/red/device/grpfreq 1085 chown system system /sys/class/leds/red/device/grppwm 1086 chown system system /sys/class/leds/red/device/blink 1087 chown system system /sys/module/sco/parameters/disable_esco 1088 chown system system /sys/kernel/ipv4/tcp_wmem_min 1089 chown system system /sys/kernel/ipv4/tcp_wmem_def 1090 chown system system /sys/kernel/ipv4/tcp_wmem_max 1091 chown system system /sys/kernel/ipv4/tcp_rmem_min 1092 chown system system /sys/kernel/ipv4/tcp_rmem_def 1093 chown system system /sys/kernel/ipv4/tcp_rmem_max 1094 chown root radio /proc/cmdline 1095 1096 # Define default initial receive window size in segments. 1097 setprop net.tcp_def_init_rwnd 60 1098 1099 # Start standard binderized HAL daemons 1100 class_start hal 1101 1102 class_start core 1103 1104on nonencrypted 1105 class_start main 1106 class_start late_start 1107 1108on property:sys.init_log_level=* 1109 loglevel ${sys.init_log_level} 1110 1111on charger 1112 class_start charger 1113 1114on property:vold.decrypt=trigger_load_persist_props 1115 load_persist_props 1116 start logd 1117 start logd-reinit 1118 1119on property:vold.decrypt=trigger_post_fs_data 1120 trigger post-fs-data 1121 trigger zygote-start 1122 1123on property:vold.decrypt=trigger_restart_min_framework 1124 # A/B update verifier that marks a successful boot. 1125 exec_start update_verifier 1126 class_start main 1127 1128on property:vold.decrypt=trigger_restart_framework 1129 # A/B update verifier that marks a successful boot. 1130 exec_start update_verifier 1131 class_start_post_data hal 1132 class_start_post_data core 1133 class_start main 1134 class_start late_start 1135 setprop service.bootanim.exit 0 1136 setprop service.bootanim.progress 0 1137 start bootanim 1138 1139on property:vold.decrypt=trigger_shutdown_framework 1140 class_reset late_start 1141 class_reset main 1142 class_reset_post_data core 1143 class_reset_post_data hal 1144 1145on property:sys.boot_completed=1 1146 bootchart stop 1147 # Setup per_boot directory so other .rc could start to use it on boot_completed 1148 exec - system system -- /bin/rm -rf /data/per_boot 1149 mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref 1150 1151# system server cannot write to /proc/sys files, 1152# and chown/chmod does not work for /proc/sys/ entries. 1153# So proxy writes through init. 1154on property:sys.sysctl.extra_free_kbytes=* 1155 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 1156 1157# Allow users to drop caches 1158on property:perf.drop_caches=3 1159 write /proc/sys/vm/drop_caches 3 1160 setprop perf.drop_caches 0 1161 1162# "tcp_default_init_rwnd" Is too long! 1163on property:net.tcp_def_init_rwnd=* 1164 write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd} 1165 1166# perf_event_open syscall security: 1167# Newer kernels have the ability to control the use of the syscall via SELinux 1168# hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the 1169# kernel has the hooks. In this case, the system-wide perf_event_paranoid 1170# sysctl is set to -1 (unrestricted use), and the SELinux policy is used for 1171# controlling access. On older kernels, the paranoid value is the only means of 1172# controlling access. It is normally 3 (allow only root), but the shell user 1173# can lower it to 1 (allowing thread-scoped pofiling) via security.perf_harden. 1174on property:sys.init.perf_lsm_hooks=1 1175 write /proc/sys/kernel/perf_event_paranoid -1 1176on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks="" 1177 write /proc/sys/kernel/perf_event_paranoid 1 1178on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks="" 1179 write /proc/sys/kernel/perf_event_paranoid 3 1180 1181# Additionally, simpleperf profiler uses debug.* and security.perf_harden 1182# sysprops to be able to indirectly set these sysctls. 1183on property:security.perf_harden=0 1184 write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000} 1185 write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25} 1186 write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516} 1187# Default values. 1188on property:security.perf_harden=1 1189 write /proc/sys/kernel/perf_event_max_sample_rate 100000 1190 write /proc/sys/kernel/perf_cpu_time_max_percent 25 1191 write /proc/sys/kernel/perf_event_mlock_kb 516 1192 1193# This property can be set only on userdebug/eng. See neverallow rule in 1194# /system/sepolicy/private/property.te . 1195on property:security.lower_kptr_restrict=1 1196 write /proc/sys/kernel/kptr_restrict 0 1197 1198on property:security.lower_kptr_restrict=0 1199 write /proc/sys/kernel/kptr_restrict 2 1200 1201 1202# on shutdown 1203# In device's init.rc, this trigger can be used to do device-specific actions 1204# before shutdown. e.g disable watchdog and mask error handling 1205 1206## Daemon processes to be run by init. 1207## 1208service ueventd /system/bin/ueventd 1209 class core 1210 critical 1211 seclabel u:r:ueventd:s0 1212 shutdown critical 1213 1214service console /system/bin/sh 1215 class core 1216 console 1217 disabled 1218 user shell 1219 group shell log readproc 1220 seclabel u:r:shell:s0 1221 setenv HOSTNAME console 1222 1223on property:ro.debuggable=1 1224 # Give writes to anyone for the trace folder on debug builds. 1225 # The folder is used to store method traces. 1226 chmod 0773 /data/misc/trace 1227 # Give reads to anyone for the window trace folder on debug builds. 1228 chmod 0775 /data/misc/wmtrace 1229 # Give reads to anyone for the accessibility trace folder on debug builds. 1230 chmod 0775 /data/misc/a11ytrace 1231 1232on init && property:ro.debuggable=1 1233 start console 1234 1235on userspace-reboot-requested 1236 # TODO(b/135984674): reset all necessary properties here. 1237 setprop sys.boot_completed "" 1238 setprop dev.bootcomplete "" 1239 setprop sys.init.updatable_crashing "" 1240 setprop sys.init.updatable_crashing_process_name "" 1241 setprop sys.user.0.ce_available "" 1242 setprop sys.shutdown.requested "" 1243 setprop service.bootanim.exit "" 1244 setprop service.bootanim.progress "" 1245 1246on userspace-reboot-fs-remount 1247 # Make sure that vold is running. 1248 # This is mostly a precaution measure in case vold for some reason wasn't running when 1249 # userspace reboot was initiated. 1250 start vold 1251 exec - system system -- /system/bin/vdc checkpoint resetCheckpoint 1252 exec - system system -- /system/bin/vdc checkpoint markBootAttempt 1253 # Unmount /data_mirror mounts in the reverse order of corresponding mounts. 1254 umount /data_mirror/data_ce/null/0 1255 umount /data_mirror/data_ce/null 1256 umount /data_mirror/data_de/null 1257 umount /data_mirror/cur_profiles 1258 umount /data_mirror/ref_profiles 1259 umount /data_mirror 1260 remount_userdata 1261 start bootanim 1262 1263on userspace-reboot-resume 1264 trigger userspace-reboot-fs-remount 1265 trigger post-fs-data 1266 trigger zygote-start 1267 trigger early-boot 1268 trigger boot 1269 1270on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1 1271 setprop sys.init.userspace_reboot.in_progress "" 1272