1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.environ.rc 8import /system/etc/init/hw/init.usb.rc 9import /init.${ro.hardware}.rc 10import /vendor/etc/init/hw/init.${ro.hardware}.rc 11import /system/etc/init/hw/init.usb.configfs.rc 12import /system/etc/init/hw/init.${ro.zygote}.rc 13 14# Cgroups are mounted right before early-init using list from /etc/cgroups.json 15on early-init 16 # Disable sysrq from keyboard 17 write /proc/sys/kernel/sysrq 0 18 19 # Android doesn't need kernel module autoloading, and it causes SELinux 20 # denials. So disable it by setting modprobe to the empty string. Note: to 21 # explicitly set a sysctl to an empty string, a trailing newline is needed. 22 write /proc/sys/kernel/modprobe \n 23 24 # Set the security context of /adb_keys if present. 25 restorecon /adb_keys 26 27 # Set the security context of /postinstall if present. 28 restorecon /postinstall 29 30 mkdir /acct/uid 31 32 # memory.pressure_level used by lmkd 33 chown root system /dev/memcg/memory.pressure_level 34 chmod 0040 /dev/memcg/memory.pressure_level 35 # app mem cgroups, used by activity manager, lmkd and zygote 36 mkdir /dev/memcg/apps/ 0755 system system 37 # cgroup for system_server and surfaceflinger 38 mkdir /dev/memcg/system 0550 system system 39 40 # symlink the Android specific /dev/tun to Linux expected /dev/net/tun 41 mkdir /dev/net 0755 root root 42 symlink ../tun /dev/net/tun 43 44 # set RLIMIT_NICE to allow priorities from 19 to -20 45 setrlimit nice 40 40 46 47 # Allow up to 32K FDs per process 48 setrlimit nofile 32768 32768 49 50 # Set up linker config subdirectories based on mount namespaces 51 mkdir /linkerconfig/bootstrap 0755 52 mkdir /linkerconfig/default 0755 53 54 # Disable dm-verity hash prefetching, since it doesn't help performance 55 # Read more in b/136247322 56 write /sys/module/dm_verity/parameters/prefetch_cluster 0 57 58 # Generate ld.config.txt for early executed processes 59 exec -- /system/bin/bootstrap/linkerconfig --target /linkerconfig/bootstrap 60 chmod 644 /linkerconfig/bootstrap/ld.config.txt 61 copy /linkerconfig/bootstrap/ld.config.txt /linkerconfig/default/ld.config.txt 62 chmod 644 /linkerconfig/default/ld.config.txt 63 64 # Mount bootstrap linker configuration as current 65 mount none /linkerconfig/bootstrap /linkerconfig bind rec 66 67 start ueventd 68 69 # Run apexd-bootstrap so that APEXes that provide critical libraries 70 # become available. Note that this is executed as exec_start to ensure that 71 # the libraries are available to the processes started after this statement. 72 exec_start apexd-bootstrap 73 74 # Generate linker config based on apex mounted in bootstrap namespace 75 update_linker_config 76 77 # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run. 78 mkdir /dev/boringssl 0755 root root 79 mkdir /dev/boringssl/selftest 0755 root root 80 81 # Mount tracefs 82 mount tracefs tracefs /sys/kernel/tracing 83 84 # create sys dirctory 85 mkdir /dev/sys 0755 system system 86 mkdir /dev/sys/fs 0755 system system 87 mkdir /dev/sys/block 0755 system system 88 89# Run boringssl self test for each ABI so that later processes can skip it. http://b/139348610 90on early-init && property:ro.product.cpu.abilist32=* 91 exec_start boringssl_self_test32 92on early-init && property:ro.product.cpu.abilist64=* 93 exec_start boringssl_self_test64 94on property:apexd.status=ready && property:ro.product.cpu.abilist32=* 95 exec_start boringssl_self_test_apex32 96on property:apexd.status=ready && property:ro.product.cpu.abilist64=* 97 exec_start boringssl_self_test_apex64 98 99service boringssl_self_test32 /system/bin/boringssl_self_test32 100 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 101 reboot_on_failure reboot,boringssl-self-check-failed 102 stdio_to_kmsg 103 104service boringssl_self_test64 /system/bin/boringssl_self_test64 105 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 106 reboot_on_failure reboot,boringssl-self-check-failed 107 stdio_to_kmsg 108 109service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32 110 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 111 reboot_on_failure reboot,boringssl-self-check-failed 112 stdio_to_kmsg 113 114service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64 115 setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true 116 reboot_on_failure reboot,boringssl-self-check-failed 117 stdio_to_kmsg 118 119on init 120 sysclktz 0 121 122 # Mix device-specific information into the entropy pool 123 copy /proc/cmdline /dev/urandom 124 copy /system/etc/prop.default /dev/urandom 125 126 symlink /proc/self/fd/0 /dev/stdin 127 symlink /proc/self/fd/1 /dev/stdout 128 symlink /proc/self/fd/2 /dev/stderr 129 130 # Create energy-aware scheduler tuning nodes 131 mkdir /dev/stune/foreground 132 mkdir /dev/stune/background 133 mkdir /dev/stune/top-app 134 mkdir /dev/stune/rt 135 chown system system /dev/stune 136 chown system system /dev/stune/foreground 137 chown system system /dev/stune/background 138 chown system system /dev/stune/top-app 139 chown system system /dev/stune/rt 140 chown system system /dev/stune/tasks 141 chown system system /dev/stune/foreground/tasks 142 chown system system /dev/stune/background/tasks 143 chown system system /dev/stune/top-app/tasks 144 chown system system /dev/stune/rt/tasks 145 chmod 0664 /dev/stune/tasks 146 chmod 0664 /dev/stune/foreground/tasks 147 chmod 0664 /dev/stune/background/tasks 148 chmod 0664 /dev/stune/top-app/tasks 149 chmod 0664 /dev/stune/rt/tasks 150 151 # cpuctl hierarchy for devices using utilclamp 152 mkdir /dev/cpuctl/foreground 153 mkdir /dev/cpuctl/background 154 mkdir /dev/cpuctl/top-app 155 mkdir /dev/cpuctl/rt 156 mkdir /dev/cpuctl/system 157 mkdir /dev/cpuctl/system-background 158 chown system system /dev/cpuctl 159 chown system system /dev/cpuctl/foreground 160 chown system system /dev/cpuctl/background 161 chown system system /dev/cpuctl/top-app 162 chown system system /dev/cpuctl/rt 163 chown system system /dev/cpuctl/system 164 chown system system /dev/cpuctl/system-background 165 chown system system /dev/cpuctl/tasks 166 chown system system /dev/cpuctl/foreground/tasks 167 chown system system /dev/cpuctl/background/tasks 168 chown system system /dev/cpuctl/top-app/tasks 169 chown system system /dev/cpuctl/rt/tasks 170 chown system system /dev/cpuctl/system/tasks 171 chown system system /dev/cpuctl/system-background/tasks 172 chmod 0664 /dev/cpuctl/tasks 173 chmod 0664 /dev/cpuctl/foreground/tasks 174 chmod 0664 /dev/cpuctl/background/tasks 175 chmod 0664 /dev/cpuctl/top-app/tasks 176 chmod 0664 /dev/cpuctl/rt/tasks 177 chmod 0664 /dev/cpuctl/system/tasks 178 chmod 0664 /dev/cpuctl/system-background/tasks 179 180 # Create a cpu group for NNAPI HAL processes 181 mkdir /dev/cpuctl/nnapi-hal 182 chown system system /dev/cpuctl/nnapi-hal 183 chown system system /dev/cpuctl/nnapi-hal/tasks 184 chmod 0664 /dev/cpuctl/nnapi-hal/tasks 185 write /dev/cpuctl/nnapi-hal/cpu.uclamp.min 1 186 write /dev/cpuctl/nnapi-hal/cpu.uclamp.latency_sensitive 1 187 188 # Create a cpu group for camera daemon processes 189 mkdir /dev/cpuctl/camera-daemon 190 chown system system /dev/cpuctl/camera-daemon 191 chown system system /dev/cpuctl/camera-daemon/tasks 192 chmod 0664 /dev/cpuctl/camera-daemon/tasks 193 194 # Create an stune group for camera-specific processes 195 mkdir /dev/stune/camera-daemon 196 chown system system /dev/stune/camera-daemon 197 chown system system /dev/stune/camera-daemon/tasks 198 chmod 0664 /dev/stune/camera-daemon/tasks 199 200 # Create an stune group for NNAPI HAL processes 201 mkdir /dev/stune/nnapi-hal 202 chown system system /dev/stune/nnapi-hal 203 chown system system /dev/stune/nnapi-hal/tasks 204 chmod 0664 /dev/stune/nnapi-hal/tasks 205 write /dev/stune/nnapi-hal/schedtune.boost 1 206 write /dev/stune/nnapi-hal/schedtune.prefer_idle 1 207 208 # Create blkio group and apply initial settings. 209 # This feature needs kernel to support it, and the 210 # device's init.rc must actually set the correct values. 211 mkdir /dev/blkio/background 212 chown system system /dev/blkio 213 chown system system /dev/blkio/background 214 chown system system /dev/blkio/tasks 215 chown system system /dev/blkio/background/tasks 216 chmod 0664 /dev/blkio/tasks 217 chmod 0664 /dev/blkio/background/tasks 218 write /dev/blkio/blkio.weight 1000 219 write /dev/blkio/background/blkio.weight 200 220 write /dev/blkio/background/blkio.bfq.weight 10 221 write /dev/blkio/blkio.group_idle 0 222 write /dev/blkio/background/blkio.group_idle 0 223 224 restorecon_recursive /mnt 225 226 mount configfs none /config nodev noexec nosuid 227 chmod 0770 /config/sdcardfs 228 chown system package_info /config/sdcardfs 229 230 # Mount binderfs 231 mkdir /dev/binderfs 232 mount binder binder /dev/binderfs stats=global 233 chmod 0755 /dev/binderfs 234 235 # Mount fusectl 236 mount fusectl none /sys/fs/fuse/connections 237 238 symlink /dev/binderfs/binder /dev/binder 239 symlink /dev/binderfs/hwbinder /dev/hwbinder 240 symlink /dev/binderfs/vndbinder /dev/vndbinder 241 242 chmod 0666 /dev/binderfs/hwbinder 243 chmod 0666 /dev/binderfs/binder 244 chmod 0666 /dev/binderfs/vndbinder 245 246 mkdir /mnt/secure 0700 root root 247 mkdir /mnt/secure/asec 0700 root root 248 mkdir /mnt/asec 0755 root system 249 mkdir /mnt/obb 0755 root system 250 mkdir /mnt/media_rw 0750 root external_storage 251 mkdir /mnt/user 0755 root root 252 mkdir /mnt/user/0 0755 root root 253 mkdir /mnt/user/0/self 0755 root root 254 mkdir /mnt/user/0/emulated 0755 root root 255 mkdir /mnt/user/0/emulated/0 0755 root root 256 257 # Prepare directories for pass through processes 258 mkdir /mnt/pass_through 0700 root root 259 mkdir /mnt/pass_through/0 0710 root media_rw 260 mkdir /mnt/pass_through/0/self 0710 root media_rw 261 mkdir /mnt/pass_through/0/emulated 0710 root media_rw 262 mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw 263 264 mkdir /mnt/expand 0771 system system 265 mkdir /mnt/appfuse 0711 root root 266 267 # Storage views to support runtime permissions 268 mkdir /mnt/runtime 0700 root root 269 mkdir /mnt/runtime/default 0755 root root 270 mkdir /mnt/runtime/default/self 0755 root root 271 mkdir /mnt/runtime/read 0755 root root 272 mkdir /mnt/runtime/read/self 0755 root root 273 mkdir /mnt/runtime/write 0755 root root 274 mkdir /mnt/runtime/write/self 0755 root root 275 mkdir /mnt/runtime/full 0755 root root 276 mkdir /mnt/runtime/full/self 0755 root root 277 278 # Symlink to keep legacy apps working in multi-user world 279 symlink /storage/self/primary /mnt/sdcard 280 symlink /mnt/user/0/primary /mnt/runtime/default/self/primary 281 282 write /proc/sys/kernel/panic_on_oops 1 283 write /proc/sys/kernel/hung_task_timeout_secs 0 284 write /proc/cpu/alignment 4 285 286 # scheduler tunables 287 # Disable auto-scaling of scheduler tunables with hotplug. The tunables 288 # will vary across devices in unpredictable ways if allowed to scale with 289 # cpu cores. 290 write /proc/sys/kernel/sched_tunable_scaling 0 291 write /proc/sys/kernel/sched_latency_ns 10000000 292 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 293 write /proc/sys/kernel/sched_child_runs_first 0 294 295 write /proc/sys/kernel/randomize_va_space 2 296 write /proc/sys/vm/mmap_min_addr 32768 297 write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 298 write /proc/sys/net/unix/max_dgram_qlen 600 299 300 # Assign reasonable ceiling values for socket rcv/snd buffers. 301 # These should almost always be overridden by the target per the 302 # the corresponding technology maximums. 303 write /proc/sys/net/core/rmem_max 262144 304 write /proc/sys/net/core/wmem_max 262144 305 306 # reflect fwmark from incoming packets onto generated replies 307 write /proc/sys/net/ipv4/fwmark_reflect 1 308 write /proc/sys/net/ipv6/fwmark_reflect 1 309 310 # set fwmark on accepted sockets 311 write /proc/sys/net/ipv4/tcp_fwmark_accept 1 312 313 # disable icmp redirects 314 write /proc/sys/net/ipv4/conf/all/accept_redirects 0 315 write /proc/sys/net/ipv6/conf/all/accept_redirects 0 316 317 # /proc/net/fib_trie leaks interface IP addresses 318 chmod 0400 /proc/net/fib_trie 319 320 # sets up initial cpusets for ActivityManager 321 # this ensures that the cpusets are present and usable, but the device's 322 # init.rc must actually set the correct cpus 323 mkdir /dev/cpuset/foreground 324 copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus 325 copy /dev/cpuset/mems /dev/cpuset/foreground/mems 326 mkdir /dev/cpuset/background 327 copy /dev/cpuset/cpus /dev/cpuset/background/cpus 328 copy /dev/cpuset/mems /dev/cpuset/background/mems 329 330 # system-background is for system tasks that should only run on 331 # little cores, not on bigs 332 mkdir /dev/cpuset/system-background 333 copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus 334 copy /dev/cpuset/mems /dev/cpuset/system-background/mems 335 336 # restricted is for system tasks that are being throttled 337 # due to screen off. 338 mkdir /dev/cpuset/restricted 339 copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus 340 copy /dev/cpuset/mems /dev/cpuset/restricted/mems 341 342 mkdir /dev/cpuset/top-app 343 copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus 344 copy /dev/cpuset/mems /dev/cpuset/top-app/mems 345 346 # create a cpuset for camera daemon processes 347 mkdir /dev/cpuset/camera-daemon 348 copy /dev/cpuset/cpus /dev/cpuset/camera-daemon/cpus 349 copy /dev/cpuset/mems /dev/cpuset/camera-daemon/mems 350 351 # change permissions for all cpusets we'll touch at runtime 352 chown system system /dev/cpuset 353 chown system system /dev/cpuset/foreground 354 chown system system /dev/cpuset/background 355 chown system system /dev/cpuset/system-background 356 chown system system /dev/cpuset/top-app 357 chown system system /dev/cpuset/restricted 358 chown system system /dev/cpuset/camera-daemon 359 chown system system /dev/cpuset/tasks 360 chown system system /dev/cpuset/foreground/tasks 361 chown system system /dev/cpuset/background/tasks 362 chown system system /dev/cpuset/system-background/tasks 363 chown system system /dev/cpuset/top-app/tasks 364 chown system system /dev/cpuset/restricted/tasks 365 chown system system /dev/cpuset/camera-daemon/tasks 366 367 # set system-background to 0775 so SurfaceFlinger can touch it 368 chmod 0775 /dev/cpuset/system-background 369 370 chmod 0664 /dev/cpuset/foreground/tasks 371 chmod 0664 /dev/cpuset/background/tasks 372 chmod 0664 /dev/cpuset/system-background/tasks 373 chmod 0664 /dev/cpuset/top-app/tasks 374 chmod 0664 /dev/cpuset/restricted/tasks 375 chmod 0664 /dev/cpuset/tasks 376 chmod 0664 /dev/cpuset/camera-daemon/tasks 377 378 # make the PSI monitor accessible to others 379 chown system system /proc/pressure/memory 380 chmod 0664 /proc/pressure/memory 381 382 # qtaguid will limit access to specific data based on group memberships. 383 # net_bw_acct grants impersonation of socket owners. 384 # net_bw_stats grants access to other apps' detailed tagged-socket stats. 385 chown root net_bw_acct /proc/net/xt_qtaguid/ctrl 386 chown root net_bw_stats /proc/net/xt_qtaguid/stats 387 388 # Allow everybody to read the xt_qtaguid resource tracking misc dev. 389 # This is needed by any process that uses socket tagging. 390 chmod 0644 /dev/xt_qtaguid 391 392 mount bpf bpf /sys/fs/bpf nodev noexec nosuid 393 394 # Create location for fs_mgr to store abbreviated output from filesystem 395 # checker programs. 396 mkdir /dev/fscklogs 0770 root system 397 398 # pstore/ramoops previous console log 399 mount pstore pstore /sys/fs/pstore nodev noexec nosuid 400 chown system log /sys/fs/pstore 401 chmod 0550 /sys/fs/pstore 402 chown system log /sys/fs/pstore/console-ramoops 403 chmod 0440 /sys/fs/pstore/console-ramoops 404 chown system log /sys/fs/pstore/console-ramoops-0 405 chmod 0440 /sys/fs/pstore/console-ramoops-0 406 chown system log /sys/fs/pstore/pmsg-ramoops-0 407 chmod 0440 /sys/fs/pstore/pmsg-ramoops-0 408 409 # enable armv8_deprecated instruction hooks 410 write /proc/sys/abi/swp 1 411 412 # Linux's execveat() syscall may construct paths containing /dev/fd 413 # expecting it to point to /proc/self/fd 414 symlink /proc/self/fd /dev/fd 415 416 export DOWNLOAD_CACHE /data/cache 417 418 # This allows the ledtrig-transient properties to be created here so 419 # that they can be chown'd to system:system later on boot 420 write /sys/class/leds/vibrator/trigger "transient" 421 422 # This is used by Bionic to select optimized routines. 423 write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant} 424 chmod 0444 /dev/cpu_variant:${ro.bionic.arch} 425 write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant} 426 chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch} 427 428 # Allow system processes to read / write power state. 429 chown system system /sys/power/state 430 chown system system /sys/power/wakeup_count 431 chmod 0660 /sys/power/state 432 433 chown radio wakelock /sys/power/wake_lock 434 chown radio wakelock /sys/power/wake_unlock 435 chmod 0660 /sys/power/wake_lock 436 chmod 0660 /sys/power/wake_unlock 437 438 # Start logd before any other services run to ensure we capture all of their logs. 439 start logd 440 # Start lmkd before any other services run so that it can register them 441 chown root system /sys/module/lowmemorykiller/parameters/adj 442 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 443 chown root system /sys/module/lowmemorykiller/parameters/minfree 444 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 445 start lmkd 446 447 # Start essential services. 448 start servicemanager 449 start hwservicemanager 450 start vndservicemanager 451 452# Healthd can trigger a full boot from charger mode by signaling this 453# property when the power button is held. 454on property:sys.boot_from_charger_mode=1 455 class_stop charger 456 trigger late-init 457 458on load_persist_props_action 459 load_persist_props 460 start logd 461 start logd-reinit 462 463# Indicate to fw loaders that the relevant mounts are up. 464on firmware_mounts_complete 465 rm /dev/.booting 466 467# Mount filesystems and start core system services. 468on late-init 469 trigger early-fs 470 471 # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter 472 # '--early' can be specified to skip entries with 'latemount'. 473 # /system and /vendor must be mounted by the end of the fs stage, 474 # while /data is optional. 475 trigger fs 476 trigger post-fs 477 478 # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter 479 # to only mount entries with 'latemount'. This is needed if '--early' is 480 # specified in the previous mount_all command on the fs stage. 481 # With /system mounted and properties form /system + /factory available, 482 # some services can be started. 483 trigger late-fs 484 485 # Now we can mount /data. File encryption requires keymaster to decrypt 486 # /data, which in turn can only be loaded when system properties are present. 487 trigger post-fs-data 488 489 # Load persist properties and override properties (if enabled) from /data. 490 trigger load_persist_props_action 491 492 # Should be before netd, but after apex, properties and logging is available. 493 trigger load_bpf_programs 494 495 # Now we can start zygote for devices with file based encryption 496 trigger zygote-start 497 498 # Remove a file to wake up anything waiting for firmware. 499 trigger firmware_mounts_complete 500 501 trigger early-boot 502 trigger boot 503 504on early-fs 505 # Once metadata has been mounted, we'll need vold to deal with userdata checkpointing 506 start vold 507 508on post-fs 509 exec - system system -- /system/bin/vdc checkpoint markBootAttempt 510 511 # Once everything is setup, no need to modify /. 512 # The bind+remount combination allows this to work in containers. 513 mount rootfs rootfs / remount bind ro nodev 514 515 # Mount default storage into root namespace 516 mount none /mnt/user/0 /storage bind rec 517 mount none none /storage slave rec 518 519 # Make sure /sys/kernel/debug (if present) is labeled properly 520 # Note that tracefs may be mounted under debug, so we need to cross filesystems 521 restorecon --recursive --cross-filesystems /sys/kernel/debug 522 523 # We chown/chmod /cache again so because mount is run as root + defaults 524 chown system cache /cache 525 chmod 0770 /cache 526 # We restorecon /cache in case the cache partition has been reset. 527 restorecon_recursive /cache 528 529 # Create /cache/recovery in case it's not there. It'll also fix the odd 530 # permissions if created by the recovery system. 531 mkdir /cache/recovery 0770 system cache 532 533 # Backup/restore mechanism uses the cache partition 534 mkdir /cache/backup_stage 0700 system system 535 mkdir /cache/backup 0700 system system 536 537 #change permissions on vmallocinfo so we can grab it from bugreports 538 chown root log /proc/vmallocinfo 539 chmod 0440 /proc/vmallocinfo 540 541 chown root log /proc/slabinfo 542 chmod 0440 /proc/slabinfo 543 544 chown root log /proc/pagetypeinfo 545 chmod 0440 /proc/pagetypeinfo 546 547 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 548 chown root system /proc/kmsg 549 chmod 0440 /proc/kmsg 550 chown root system /proc/sysrq-trigger 551 chmod 0220 /proc/sysrq-trigger 552 chown system log /proc/last_kmsg 553 chmod 0440 /proc/last_kmsg 554 555 # make the selinux kernel policy world-readable 556 chmod 0444 /sys/fs/selinux/policy 557 558 # create the lost+found directories, so as to enforce our permissions 559 mkdir /cache/lost+found 0770 root root 560 561 restorecon_recursive /metadata 562 mkdir /metadata/vold 563 chmod 0700 /metadata/vold 564 mkdir /metadata/password_slots 0771 root system 565 mkdir /metadata/bootstat 0750 system log 566 mkdir /metadata/ota 0700 root system 567 mkdir /metadata/ota/snapshots 0700 root system 568 mkdir /metadata/userspacereboot 0770 root system 569 mkdir /metadata/watchdog 0770 root system 570 571 mkdir /metadata/apex 0700 root system 572 mkdir /metadata/apex/sessions 0700 root system 573 # On some devices we see a weird behaviour in which /metadata/apex doesn't 574 # have a correct label. To workaround this bug, explicitly call restorecon 575 # on /metadata/apex. For most of the boot sequences /metadata/apex will 576 # already have a correct selinux label, meaning that this call will be a 577 # no-op. 578 restorecon_recursive /metadata/apex 579 580 mkdir /metadata/staged-install 0770 root system 581on late-fs 582 # Ensure that tracefs has the correct permissions. 583 # This does not work correctly if it is called in post-fs. 584 chmod 0755 /sys/kernel/tracing 585 chmod 0755 /sys/kernel/debug/tracing 586 587 # HALs required before storage encryption can get unlocked (FBE/FDE) 588 class_start early_hal 589 590 # Load trusted keys from dm-verity protected partitions 591 exec -- /system/bin/fsverity_init --load-verified-keys 592 593 # Set up a tracing instance for system_server to monitor error_report_end events. 594 # These are sent by kernel tools like KASAN and KFENCE when a memory corruption 595 # is detected. 596 mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system 597 restorecon_recursive /sys/kernel/tracing/instances/bootreceiver 598 write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1 599 write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free 600 write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1 601 602on post-fs-data 603 604 mark_post_data 605 606 # Start checkpoint before we touch data 607 exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint 608 609 # We chown/chmod /data again so because mount is run as root + defaults 610 chown system system /data 611 chmod 0771 /data 612 # We restorecon /data in case the userdata partition has been reset. 613 restorecon /data 614 615 # Make sure we have the device encryption key. 616 installkey /data 617 618 # Start bootcharting as soon as possible after the data partition is 619 # mounted to collect more data. 620 mkdir /data/bootchart 0755 shell shell encryption=Require 621 bootchart start 622 623 # Avoid predictable entropy pool. Carry over entropy from previous boot. 624 copy /data/system/entropy.dat /dev/urandom 625 626 mkdir /data/vendor 0771 root root encryption=Require 627 mkdir /data/vendor_ce 0771 root root encryption=None 628 mkdir /data/vendor_de 0771 root root encryption=None 629 mkdir /data/vendor/hardware 0771 root root 630 631 # Start tombstoned early to be able to store tombstones. 632 mkdir /data/anr 0775 system system encryption=Require 633 mkdir /data/tombstones 0771 system system encryption=Require 634 mkdir /data/vendor/tombstones 0771 root root 635 mkdir /data/vendor/tombstones/wifi 0771 wifi wifi 636 start tombstoned 637 638 # Make sure that apexd is started in the default namespace 639 enter_default_mount_ns 640 641 # set up keystore directory structure first so that we can end early boot 642 # and start apexd 643 mkdir /data/misc 01771 system misc encryption=Require 644 mkdir /data/misc/keystore 0700 keystore keystore 645 # work around b/183668221 646 restorecon /data/misc /data/misc/keystore 647 648 # Boot level 30 649 # odsign signing keys have MAX_BOOT_LEVEL=30 650 # This is currently the earliest boot level, but we start at 30 651 # to leave room for earlier levels. 652 setprop keystore.boot_level 30 653 654 # Now that /data is mounted and we have created /data/misc/keystore, 655 # we can tell keystore to stop allowing use of early-boot keys, 656 # and access its database for the first time to support creation and 657 # use of MAX_BOOT_LEVEL keys. 658 exec - system system -- /system/bin/vdc keymaster earlyBootEnded 659 660 # /data/apex is now available. Start apexd to scan and activate APEXes. 661 # 662 # To handle userspace reboots as well as devices that use FDE, make sure 663 # that apexd is started cleanly here (set apexd.status="") and that it is 664 # restarted if it's already running. 665 mkdir /data/apex 0755 root system encryption=None 666 mkdir /data/apex/active 0755 root system 667 mkdir /data/apex/backup 0700 root system 668 mkdir /data/apex/decompressed 0755 root system encryption=Require 669 mkdir /data/apex/hashtree 0700 root system 670 mkdir /data/apex/sessions 0700 root system 671 mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary 672 mkdir /data/apex/ota_reserved 0700 root system encryption=Require 673 setprop apexd.status "" 674 restart apexd 675 676 # create rest of basic filesystem structure 677 mkdir /data/misc/recovery 0770 system log 678 copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1 679 chmod 0440 /data/misc/recovery/ro.build.fingerprint.1 680 chown system log /data/misc/recovery/ro.build.fingerprint.1 681 write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint} 682 chmod 0440 /data/misc/recovery/ro.build.fingerprint 683 chown system log /data/misc/recovery/ro.build.fingerprint 684 mkdir /data/misc/recovery/proc 0770 system log 685 copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1 686 chmod 0440 /data/misc/recovery/proc/version.1 687 chown system log /data/misc/recovery/proc/version.1 688 copy /proc/version /data/misc/recovery/proc/version 689 chmod 0440 /data/misc/recovery/proc/version 690 chown system log /data/misc/recovery/proc/version 691 mkdir /data/misc/bluedroid 02770 bluetooth bluetooth 692 # Fix the access permissions and group ownership for 'bt_config.conf' 693 chmod 0660 /data/misc/bluedroid/bt_config.conf 694 chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf 695 mkdir /data/misc/bluetooth 0770 bluetooth bluetooth 696 mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth 697 mkdir /data/misc/nfc 0770 nfc nfc 698 mkdir /data/misc/nfc/logs 0770 nfc nfc 699 mkdir /data/misc/credstore 0700 credstore credstore 700 mkdir /data/misc/gatekeeper 0700 system system 701 mkdir /data/misc/keychain 0771 system system 702 mkdir /data/misc/net 0750 root shell 703 mkdir /data/misc/radio 0770 system radio 704 mkdir /data/misc/sms 0770 system radio 705 mkdir /data/misc/carrierid 0770 system radio 706 mkdir /data/misc/apns 0770 system radio 707 mkdir /data/misc/emergencynumberdb 0770 system radio 708 mkdir /data/misc/zoneinfo 0775 system system 709 mkdir /data/misc/network_watchlist 0774 system system 710 mkdir /data/misc/textclassifier 0771 system system 711 mkdir /data/misc/vpn 0770 system vpn 712 mkdir /data/misc/shared_relro 0771 shared_relro shared_relro 713 mkdir /data/misc/systemkeys 0700 system system 714 mkdir /data/misc/wifi 0770 wifi wifi 715 mkdir /data/misc/wifi/sockets 0770 wifi wifi 716 mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi 717 mkdir /data/misc/ethernet 0770 system system 718 mkdir /data/misc/dhcp 0770 dhcp dhcp 719 mkdir /data/misc/user 0771 root root 720 # give system access to wpa_supplicant.conf for backup and restore 721 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 722 mkdir /data/local 0751 root root encryption=Require 723 mkdir /data/misc/media 0700 media media 724 mkdir /data/misc/audioserver 0700 audioserver audioserver 725 mkdir /data/misc/cameraserver 0700 cameraserver cameraserver 726 mkdir /data/misc/vold 0700 root root 727 mkdir /data/misc/boottrace 0771 system shell 728 mkdir /data/misc/update_engine 0700 root root 729 mkdir /data/misc/update_engine_log 02750 root log 730 mkdir /data/misc/trace 0700 root root 731 # create location to store surface and window trace files 732 mkdir /data/misc/wmtrace 0700 system system 733 # create location to store accessibility trace files 734 mkdir /data/misc/a11ytrace 0700 system system 735 # profile file layout 736 mkdir /data/misc/profiles 0771 system system 737 mkdir /data/misc/profiles/cur 0771 system system 738 mkdir /data/misc/profiles/ref 0771 system system 739 mkdir /data/misc/profman 0770 system shell 740 mkdir /data/misc/gcov 0770 root root 741 mkdir /data/misc/installd 0700 root root 742 mkdir /data/misc/apexdata 0711 root root 743 mkdir /data/misc/apexrollback 0700 root root 744 mkdir /data/misc/appcompat/ 0700 system system 745 mkdir /data/misc/snapshotctl_log 0755 root root 746 # create location to store pre-reboot information 747 mkdir /data/misc/prereboot 0700 system system 748 # directory used for on-device refresh metrics file. 749 mkdir /data/misc/odrefresh 0777 system system 750 # directory used for on-device signing key blob 751 mkdir /data/misc/odsign 0700 root root 752 753 mkdir /data/preloads 0775 system system encryption=None 754 755 # For security reasons, /data/local/tmp should always be empty. 756 # Do not place files or directories in /data/local/tmp 757 mkdir /data/local/tmp 0771 shell shell 758 mkdir /data/local/traces 0777 shell shell 759 mkdir /data/data 0771 system system encryption=None 760 mkdir /data/app-private 0771 system system encryption=Require 761 mkdir /data/app-ephemeral 0771 system system encryption=Require 762 mkdir /data/app-asec 0700 root root encryption=Require 763 mkdir /data/app-lib 0771 system system encryption=Require 764 mkdir /data/app 0771 system system encryption=Require 765 mkdir /data/property 0700 root root encryption=Require 766 767 # create directory for updated font files. 768 mkdir /data/fonts/ 0771 root root encryption=Require 769 mkdir /data/fonts/files 0771 system system 770 mkdir /data/fonts/config 0770 system system 771 772 # Create directories to push tests to for each linker namespace. 773 # Create the subdirectories in case the first test is run as root 774 # so it doesn't end up owned by root. 775 mkdir /data/local/tests 0700 shell shell 776 mkdir /data/local/tests/product 0700 shell shell 777 mkdir /data/local/tests/system 0700 shell shell 778 mkdir /data/local/tests/unrestricted 0700 shell shell 779 mkdir /data/local/tests/vendor 0700 shell shell 780 781 # create dalvik-cache, so as to enforce our permissions 782 mkdir /data/dalvik-cache 0771 root root encryption=Require 783 # create the A/B OTA directory, so as to enforce our permissions 784 mkdir /data/ota 0771 root root encryption=Require 785 786 # create the OTA package directory. It will be accessed by GmsCore (cache 787 # group), update_engine and update_verifier. 788 mkdir /data/ota_package 0770 system cache encryption=Require 789 790 # create resource-cache and double-check the perms 791 mkdir /data/resource-cache 0771 system system encryption=Require 792 chown system system /data/resource-cache 793 chmod 0771 /data/resource-cache 794 795 # create the lost+found directories, so as to enforce our permissions 796 mkdir /data/lost+found 0770 root root encryption=None 797 798 # create directory for DRM plug-ins - give drm the read/write access to 799 # the following directory. 800 mkdir /data/drm 0770 drm drm encryption=Require 801 802 # create directory for MediaDrm plug-ins - give drm the read/write access to 803 # the following directory. 804 mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require 805 806 # NFC: create data/nfc for nv storage 807 mkdir /data/nfc 0770 nfc nfc encryption=Require 808 mkdir /data/nfc/param 0770 nfc nfc 809 810 # Create all remaining /data root dirs so that they are made through init 811 # and get proper encryption policy installed 812 mkdir /data/backup 0700 system system encryption=Require 813 mkdir /data/ss 0700 system system encryption=Require 814 815 mkdir /data/system 0775 system system encryption=Require 816 mkdir /data/system/environ 0700 system system 817 # b/183861600 attempt to fix selinux label before running derive_classpath service 818 restorecon /data/system/environ 819 mkdir /data/system/dropbox 0700 system system 820 mkdir /data/system/heapdump 0700 system system 821 mkdir /data/system/users 0775 system system 822 823 mkdir /data/system_de 0770 system system encryption=None 824 mkdir /data/system_ce 0770 system system encryption=None 825 826 mkdir /data/misc_de 01771 system misc encryption=None 827 mkdir /data/misc_ce 01771 system misc encryption=None 828 829 mkdir /data/user 0711 system system encryption=None 830 mkdir /data/user_de 0711 system system encryption=None 831 832 # Unlink /data/user/0 if we previously symlink it to /data/data 833 rm /data/user/0 834 835 # Bind mount /data/user/0 to /data/data 836 mkdir /data/user/0 0700 system system encryption=None 837 mount none /data/data /data/user/0 bind rec 838 839 # A tmpfs directory, which will contain all apps CE DE data directory that 840 # bind mount from the original source. 841 mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000 842 restorecon /data_mirror 843 mkdir /data_mirror/data_ce 0700 root root 844 mkdir /data_mirror/data_de 0700 root root 845 846 # Create CE and DE data directory for default volume 847 mkdir /data_mirror/data_ce/null 0700 root root 848 mkdir /data_mirror/data_de/null 0700 root root 849 850 # Bind mount CE and DE data directory to mirror's default volume directory 851 mount none /data/user /data_mirror/data_ce/null bind rec 852 mount none /data/user_de /data_mirror/data_de/null bind rec 853 854 # Create mirror directory for jit profiles 855 mkdir /data_mirror/cur_profiles 0700 root root 856 mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec 857 mkdir /data_mirror/ref_profiles 0700 root root 858 mount none /data/misc/profiles/ref /data_mirror/ref_profiles bind rec 859 860 mkdir /data/cache 0770 system cache encryption=Require 861 mkdir /data/cache/recovery 0770 system cache 862 mkdir /data/cache/backup_stage 0700 system system 863 mkdir /data/cache/backup 0700 system system 864 865 # Delete these if need be, per b/139193659 866 mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary 867 mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary 868 mkdir /data/rollback-history 0700 system system encryption=DeleteIfNecessary 869 870 # Create root dir for Incremental Service 871 mkdir /data/incremental 0771 system system encryption=Require 872 873 # Create directories for statsd 874 mkdir /data/misc/stats-active-metric/ 0770 statsd system 875 mkdir /data/misc/stats-data/ 0770 statsd system 876 mkdir /data/misc/stats-metadata/ 0770 statsd system 877 mkdir /data/misc/stats-service/ 0770 statsd system 878 mkdir /data/misc/train-info/ 0770 statsd system 879 880 # Wait for apexd to finish activating APEXes before starting more processes. 881 wait_for_prop apexd.status activated 882 perform_apex_config 883 884 # Special-case /data/media/obb per b/64566063 885 mkdir /data/media 0770 media_rw media_rw encryption=None 886 exec - media_rw media_rw -- /system/bin/chattr +F /data/media 887 mkdir /data/media/obb 0770 media_rw media_rw encryption=Attempt 888 889 exec_start derive_sdk 890 891 init_user0 892 893 # Set SELinux security contexts on upgrade or policy update. 894 restorecon --recursive --skip-ce /data 895 896 # Define and export *CLASSPATH variables 897 # Must start before 'odsign', as odsign depends on *CLASSPATH variables 898 exec_start derive_classpath 899 load_exports /data/system/environ/classpath 900 901 # Start the on-device signing daemon, and wait for it to finish, to ensure 902 # ART artifacts are generated if needed. 903 # Must start after 'derive_classpath' to have *CLASSPATH variables set. 904 start odsign 905 906 # Before we can lock keys and proceed to the next boot stage, wait for 907 # odsign to be done with the key 908 wait_for_prop odsign.key.done 1 909 910 # Lock the fs-verity keyring, so no more keys can be added 911 exec -- /system/bin/fsverity_init --lock 912 913 # Bump the boot level to 1000000000; this prevents further on-device signing. 914 # This is a special value that shuts down the thread which listens for 915 # further updates. 916 setprop keystore.boot_level 1000000000 917 918 # Allow apexd to snapshot and restore device encrypted apex data in the case 919 # of a rollback. This should be done immediately after DE_user data keys 920 # are loaded. APEXes should not access this data until this has been 921 # completed and apexd.status becomes "ready". 922 exec_start apexd-snapshotde 923 924 # Check any timezone data in /data is newer than the copy in the time zone data 925 # module, delete if not. 926 exec - system system -- /system/bin/tzdatacheck /apex/com.android.tzdata/etc/tz /data/misc/zoneinfo 927 928 # If there is no post-fs-data action in the init.<device>.rc file, you 929 # must uncomment this line, otherwise encrypted filesystems 930 # won't work. 931 # Set indication (checked by vold) that we have finished this action 932 #setprop vold.post_fs_data_done 1 933 934 # sys.memfd_use set to false by default, which keeps it disabled 935 # until it is confirmed that apps and vendor processes don't make 936 # IOCTLs on ashmem fds any more. 937 setprop sys.use_memfd false 938 939 # Set fscklog permission 940 chown root system /dev/fscklogs/log 941 chmod 0770 /dev/fscklogs/log 942 943 # Enable FUSE by default 944 setprop persist.sys.fuse true 945 946# It is recommended to put unnecessary data/ initialization from post-fs-data 947# to start-zygote in device's init.rc to unblock zygote start. 948on zygote-start && property:ro.crypto.state=unencrypted 949 wait_for_prop odsign.verification.done 1 950 # A/B update verifier that marks a successful boot. 951 exec_start update_verifier_nonencrypted 952 start statsd 953 start netd 954 start zygote 955 start zygote_secondary 956 957on zygote-start && property:ro.crypto.state=unsupported 958 wait_for_prop odsign.verification.done 1 959 # A/B update verifier that marks a successful boot. 960 exec_start update_verifier_nonencrypted 961 start statsd 962 start netd 963 start zygote 964 start zygote_secondary 965 966on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file 967 wait_for_prop odsign.verification.done 1 968 # A/B update verifier that marks a successful boot. 969 exec_start update_verifier_nonencrypted 970 start statsd 971 start netd 972 start zygote 973 start zygote_secondary 974 975on boot && property:ro.config.low_ram=true 976 # Tweak background writeout 977 write /proc/sys/vm/dirty_expire_centisecs 200 978 write /proc/sys/vm/dirty_background_ratio 5 979 980on boot 981 # basic network init 982 ifup lo 983 hostname localhost 984 domainname localdomain 985 986 # IPsec SA default expiration length 987 write /proc/sys/net/core/xfrm_acq_expires 3600 988 989 # Memory management. Basic kernel parameters, and allow the high 990 # level system server to be able to adjust the kernel OOM driver 991 # parameters to match how it is managing things. 992 write /proc/sys/vm/overcommit_memory 1 993 write /proc/sys/vm/min_free_order_shift 4 994 995 # System server manages zram writeback 996 chown root system /sys/block/zram0/idle 997 chmod 0664 /sys/block/zram0/idle 998 chown root system /sys/block/zram0/writeback 999 chmod 0664 /sys/block/zram0/writeback 1000 1001 # to access F2FS sysfs on dm-<num> directly 1002 mkdir /dev/sys/fs/by-name 0755 system system 1003 symlink /sys/fs/f2fs/${dev.mnt.blk.data} /dev/sys/fs/by-name/userdata 1004 1005 # to access dm-<num> sysfs 1006 mkdir /dev/sys/block/by-name 0755 system system 1007 symlink /sys/devices/virtual/block/${dev.mnt.blk.data} /dev/sys/block/by-name/userdata 1008 1009 # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs, 1010 # to avoid power consumption when system becomes mostly idle. Be careful 1011 # to make it too large, since it may bring userdata loss, if they 1012 # are not aware of using fsync()/sync() to prepare sudden power-cut. 1013 write /dev/sys/fs/by-name/userdata/cp_interval 200 1014 write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50 1015 write /dev/sys/fs/by-name/userdata/iostat_enable 1 1016 1017 # limit discard size to 128MB in order to avoid long IO latency 1018 # for filesystem tuning first (dm or sda) 1019 # Note that, if dm-<num> is used, sda/mmcblk0 should be tuned in vendor/init.rc 1020 write /dev/sys/block/by-name/userdata/queue/discard_max_bytes 134217728 1021 1022 # Permissions for System Server and daemons. 1023 chown system system /sys/power/autosleep 1024 1025 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 1026 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 1027 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack 1028 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack 1029 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 1030 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 1031 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 1032 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 1033 chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads 1034 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads 1035 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 1036 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 1037 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 1038 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 1039 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 1040 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 1041 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 1042 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 1043 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 1044 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 1045 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration 1046 chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 1047 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy 1048 1049 # Assume SMP uses shared cpufreq policy for all CPUs 1050 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 1051 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 1052 1053 chown system system /sys/class/leds/vibrator/trigger 1054 chown system system /sys/class/leds/vibrator/activate 1055 chown system system /sys/class/leds/vibrator/brightness 1056 chown system system /sys/class/leds/vibrator/duration 1057 chown system system /sys/class/leds/vibrator/state 1058 chown system system /sys/class/timed_output/vibrator/enable 1059 chown system system /sys/class/leds/keyboard-backlight/brightness 1060 chown system system /sys/class/leds/lcd-backlight/brightness 1061 chown system system /sys/class/leds/button-backlight/brightness 1062 chown system system /sys/class/leds/jogball-backlight/brightness 1063 chown system system /sys/class/leds/red/brightness 1064 chown system system /sys/class/leds/green/brightness 1065 chown system system /sys/class/leds/blue/brightness 1066 chown system system /sys/class/leds/red/device/grpfreq 1067 chown system system /sys/class/leds/red/device/grppwm 1068 chown system system /sys/class/leds/red/device/blink 1069 chown system system /sys/module/sco/parameters/disable_esco 1070 chown system system /sys/kernel/ipv4/tcp_wmem_min 1071 chown system system /sys/kernel/ipv4/tcp_wmem_def 1072 chown system system /sys/kernel/ipv4/tcp_wmem_max 1073 chown system system /sys/kernel/ipv4/tcp_rmem_min 1074 chown system system /sys/kernel/ipv4/tcp_rmem_def 1075 chown system system /sys/kernel/ipv4/tcp_rmem_max 1076 chown root radio /proc/cmdline 1077 1078 # Define default initial receive window size in segments. 1079 setprop net.tcp_def_init_rwnd 60 1080 1081 # Start standard binderized HAL daemons 1082 class_start hal 1083 1084 class_start core 1085 1086on nonencrypted 1087 class_start main 1088 class_start late_start 1089 1090on property:sys.init_log_level=* 1091 loglevel ${sys.init_log_level} 1092 1093on charger 1094 class_start charger 1095 1096on property:vold.decrypt=trigger_load_persist_props 1097 load_persist_props 1098 start logd 1099 start logd-reinit 1100 1101on property:vold.decrypt=trigger_post_fs_data 1102 trigger post-fs-data 1103 trigger zygote-start 1104 1105on property:vold.decrypt=trigger_restart_min_framework 1106 # A/B update verifier that marks a successful boot. 1107 exec_start update_verifier 1108 class_start main 1109 1110on property:vold.decrypt=trigger_restart_framework 1111 # A/B update verifier that marks a successful boot. 1112 exec_start update_verifier 1113 class_start_post_data hal 1114 class_start_post_data core 1115 class_start main 1116 class_start late_start 1117 setprop service.bootanim.exit 0 1118 setprop service.bootanim.progress 0 1119 start bootanim 1120 1121on property:vold.decrypt=trigger_shutdown_framework 1122 class_reset late_start 1123 class_reset main 1124 class_reset_post_data core 1125 class_reset_post_data hal 1126 1127on property:sys.boot_completed=1 1128 bootchart stop 1129 # Setup per_boot directory so other .rc could start to use it on boot_completed 1130 exec - system system -- /bin/rm -rf /data/per_boot 1131 mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref 1132 1133# system server cannot write to /proc/sys files, 1134# and chown/chmod does not work for /proc/sys/ entries. 1135# So proxy writes through init. 1136on property:sys.sysctl.extra_free_kbytes=* 1137 write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} 1138 1139# Allow users to drop caches 1140on property:perf.drop_caches=3 1141 write /proc/sys/vm/drop_caches 3 1142 setprop perf.drop_caches 0 1143 1144# "tcp_default_init_rwnd" Is too long! 1145on property:net.tcp_def_init_rwnd=* 1146 write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd} 1147 1148# perf_event_open syscall security: 1149# Newer kernels have the ability to control the use of the syscall via SELinux 1150# hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the 1151# kernel has the hooks. In this case, the system-wide perf_event_paranoid 1152# sysctl is set to -1 (unrestricted use), and the SELinux policy is used for 1153# controlling access. On older kernels, the paranoid value is the only means of 1154# controlling access. It is normally 3 (allow only root), but the shell user 1155# can lower it to 1 (allowing thread-scoped pofiling) via security.perf_harden. 1156on property:sys.init.perf_lsm_hooks=1 1157 write /proc/sys/kernel/perf_event_paranoid -1 1158on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks="" 1159 write /proc/sys/kernel/perf_event_paranoid 1 1160on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks="" 1161 write /proc/sys/kernel/perf_event_paranoid 3 1162 1163# Additionally, simpleperf profiler uses debug.* and security.perf_harden 1164# sysprops to be able to indirectly set these sysctls. 1165on property:security.perf_harden=0 1166 write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000} 1167 write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25} 1168 write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516} 1169# Default values. 1170on property:security.perf_harden=1 1171 write /proc/sys/kernel/perf_event_max_sample_rate 100000 1172 write /proc/sys/kernel/perf_cpu_time_max_percent 25 1173 write /proc/sys/kernel/perf_event_mlock_kb 516 1174 1175# This property can be set only on userdebug/eng. See neverallow rule in 1176# /system/sepolicy/private/property.te . 1177on property:security.lower_kptr_restrict=1 1178 write /proc/sys/kernel/kptr_restrict 0 1179 1180on property:security.lower_kptr_restrict=0 1181 write /proc/sys/kernel/kptr_restrict 2 1182 1183 1184# on shutdown 1185# In device's init.rc, this trigger can be used to do device-specific actions 1186# before shutdown. e.g disable watchdog and mask error handling 1187 1188## Daemon processes to be run by init. 1189## 1190service ueventd /system/bin/ueventd 1191 class core 1192 critical 1193 seclabel u:r:ueventd:s0 1194 shutdown critical 1195 1196service console /system/bin/sh 1197 class core 1198 console 1199 disabled 1200 user shell 1201 group shell log readproc 1202 seclabel u:r:shell:s0 1203 setenv HOSTNAME console 1204 1205on property:ro.debuggable=1 1206 # Give writes to anyone for the trace folder on debug builds. 1207 # The folder is used to store method traces. 1208 chmod 0773 /data/misc/trace 1209 # Give reads to anyone for the window trace folder on debug builds. 1210 chmod 0775 /data/misc/wmtrace 1211 # Give reads to anyone for the accessibility trace folder on debug builds. 1212 chmod 0775 /data/misc/a11ytrace 1213 1214on init && property:ro.debuggable=1 1215 start console 1216 1217on userspace-reboot-requested 1218 # TODO(b/135984674): reset all necessary properties here. 1219 setprop sys.boot_completed "" 1220 setprop dev.bootcomplete "" 1221 setprop sys.init.updatable_crashing "" 1222 setprop sys.init.updatable_crashing_process_name "" 1223 setprop sys.user.0.ce_available "" 1224 setprop sys.shutdown.requested "" 1225 setprop service.bootanim.exit "" 1226 setprop service.bootanim.progress "" 1227 1228on userspace-reboot-fs-remount 1229 # Make sure that vold is running. 1230 # This is mostly a precaution measure in case vold for some reason wasn't running when 1231 # userspace reboot was initiated. 1232 start vold 1233 exec - system system -- /system/bin/vdc checkpoint resetCheckpoint 1234 exec - system system -- /system/bin/vdc checkpoint markBootAttempt 1235 # Unmount /data_mirror mounts in the reverse order of corresponding mounts. 1236 umount /data_mirror/data_ce/null/0 1237 umount /data_mirror/data_ce/null 1238 umount /data_mirror/data_de/null 1239 umount /data_mirror/cur_profiles 1240 umount /data_mirror/ref_profiles 1241 umount /data_mirror 1242 remount_userdata 1243 start bootanim 1244 1245on userspace-reboot-resume 1246 trigger userspace-reboot-fs-remount 1247 trigger post-fs-data 1248 trigger zygote-start 1249 trigger early-boot 1250 trigger boot 1251 1252on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1 1253 setprop sys.init.userspace_reboot.in_progress "" 1254