1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
|
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
import /init.environ.rc
import /system/etc/init/hw/init.usb.rc
import /init.${ro.hardware}.rc
import /vendor/etc/init/hw/init.${ro.hardware}.rc
import /system/etc/init/hw/init.usb.configfs.rc
import /system/etc/init/hw/init.${ro.zygote}.rc
# Cgroups are mounted right before early-init using list from /etc/cgroups.json
on early-init
# Disable sysrq from keyboard
write /proc/sys/kernel/sysrq 0
# Android doesn't need kernel module autoloading, and it causes SELinux
# denials. So disable it by setting modprobe to the empty string. Note: to
# explicitly set a sysctl to an empty string, a trailing newline is needed.
write /proc/sys/kernel/modprobe \n
# Set the security context of /adb_keys if present.
restorecon /adb_keys
# Set the security context of /postinstall if present.
restorecon /postinstall
mkdir /acct/uid
# memory.pressure_level used by lmkd
chown root system /dev/memcg/memory.pressure_level
chmod 0040 /dev/memcg/memory.pressure_level
# app mem cgroups, used by activity manager, lmkd and zygote
mkdir /dev/memcg/apps/ 0755 system system
# cgroup for system_server and surfaceflinger
mkdir /dev/memcg/system 0550 system system
# symlink the Android specific /dev/tun to Linux expected /dev/net/tun
mkdir /dev/net 0755 root root
symlink ../tun /dev/net/tun
# set RLIMIT_NICE to allow priorities from 19 to -20
setrlimit nice 40 40
# Allow up to 32K FDs per process
setrlimit nofile 32768 32768
# set RLIMIT_MEMLOCK to 64KB
setrlimit memlock 65536 65536
# Set up linker config subdirectories based on mount namespaces
mkdir /linkerconfig/bootstrap 0755
mkdir /linkerconfig/default 0755
# Disable dm-verity hash prefetching, since it doesn't help performance
# Read more in b/136247322
write /sys/module/dm_verity/parameters/prefetch_cluster 0
# Generate empty ld.config.txt for early executed processes which rely on
# /system/lib libraries.
write /linkerconfig/bootstrap/ld.config.txt \#
write /linkerconfig/default/ld.config.txt \#
chmod 644 /linkerconfig/bootstrap/ld.config.txt
chmod 644 /linkerconfig/default/ld.config.txt
# Mount bootstrap linker configuration as current
mount none /linkerconfig/bootstrap /linkerconfig bind rec
start ueventd
# Run apexd-bootstrap so that APEXes that provide critical libraries
# become available. Note that this is executed as exec_start to ensure that
# the libraries are available to the processes started after this statement.
exec_start apexd-bootstrap
perform_apex_config --bootstrap
# These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
mkdir /dev/boringssl 0755 root root
mkdir /dev/boringssl/selftest 0755 root root
# Mount tracefs (with GID=AID_READTRACEFS)
mount tracefs tracefs /sys/kernel/tracing gid=3012
# create sys dirctory
mkdir /dev/sys 0755 system system
mkdir /dev/sys/fs 0755 system system
mkdir /dev/sys/block 0755 system system
# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
mkdir /dev/fscklogs 0770 root system
# Create tmpfs for use by the shell user.
mount tmpfs tmpfs /tmp
restorecon /tmp
chown shell shell /tmp
chmod 0771 /tmp
on init
sysclktz 0
# Mix device-specific information into the entropy pool
copy /proc/cmdline /dev/urandom
copy /system/etc/prop.default /dev/urandom
symlink /proc/self/fd/0 /dev/stdin
symlink /proc/self/fd/1 /dev/stdout
symlink /proc/self/fd/2 /dev/stderr
# Create socket dir for ot-daemon
mkdir /dev/socket/ot-daemon 0770 thread_network thread_network
# Create energy-aware scheduler tuning nodes
mkdir /dev/stune/foreground
mkdir /dev/stune/background
mkdir /dev/stune/top-app
mkdir /dev/stune/rt
chown system system /dev/stune
chown system system /dev/stune/foreground
chown system system /dev/stune/background
chown system system /dev/stune/top-app
chown system system /dev/stune/rt
chown system system /dev/stune/tasks
chown system system /dev/stune/foreground/tasks
chown system system /dev/stune/background/tasks
chown system system /dev/stune/top-app/tasks
chown system system /dev/stune/rt/tasks
chown system system /dev/stune/cgroup.procs
chown system system /dev/stune/foreground/cgroup.procs
chown system system /dev/stune/background/cgroup.procs
chown system system /dev/stune/top-app/cgroup.procs
chown system system /dev/stune/rt/cgroup.procs
chmod 0664 /dev/stune/tasks
chmod 0664 /dev/stune/foreground/tasks
chmod 0664 /dev/stune/background/tasks
chmod 0664 /dev/stune/top-app/tasks
chmod 0664 /dev/stune/rt/tasks
chmod 0664 /dev/stune/cgroup.procs
chmod 0664 /dev/stune/foreground/cgroup.procs
chmod 0664 /dev/stune/background/cgroup.procs
chmod 0664 /dev/stune/top-app/cgroup.procs
chmod 0664 /dev/stune/rt/cgroup.procs
# cpuctl hierarchy for devices using utilclamp
mkdir /dev/cpuctl/foreground
mkdir /dev/cpuctl/background
mkdir /dev/cpuctl/top-app
mkdir /dev/cpuctl/rt
mkdir /dev/cpuctl/system
mkdir /dev/cpuctl/system-background
mkdir /dev/cpuctl/dex2oat
chown system system /dev/cpuctl
chown system system /dev/cpuctl/foreground
chown system system /dev/cpuctl/background
chown system system /dev/cpuctl/top-app
chown system system /dev/cpuctl/rt
chown system system /dev/cpuctl/system
chown system system /dev/cpuctl/system-background
chown system system /dev/cpuctl/dex2oat
chown system system /dev/cpuctl/tasks
chown system system /dev/cpuctl/foreground/tasks
chown system system /dev/cpuctl/background/tasks
chown system system /dev/cpuctl/top-app/tasks
chown system system /dev/cpuctl/rt/tasks
chown system system /dev/cpuctl/system/tasks
chown system system /dev/cpuctl/system-background/tasks
chown system system /dev/cpuctl/dex2oat/tasks
chown system system /dev/cpuctl/cgroup.procs
chown system system /dev/cpuctl/foreground/cgroup.procs
chown system system /dev/cpuctl/background/cgroup.procs
chown system system /dev/cpuctl/top-app/cgroup.procs
chown system system /dev/cpuctl/rt/cgroup.procs
chown system system /dev/cpuctl/system/cgroup.procs
chown system system /dev/cpuctl/system-background/cgroup.procs
chown system system /dev/cpuctl/dex2oat/cgroup.procs
chmod 0664 /dev/cpuctl/tasks
chmod 0664 /dev/cpuctl/foreground/tasks
chmod 0664 /dev/cpuctl/background/tasks
chmod 0664 /dev/cpuctl/top-app/tasks
chmod 0664 /dev/cpuctl/rt/tasks
chmod 0664 /dev/cpuctl/system/tasks
chmod 0664 /dev/cpuctl/system-background/tasks
chmod 0664 /dev/cpuctl/dex2oat/tasks
chmod 0664 /dev/cpuctl/cgroup.procs
chmod 0664 /dev/cpuctl/foreground/cgroup.procs
chmod 0664 /dev/cpuctl/background/cgroup.procs
chmod 0664 /dev/cpuctl/top-app/cgroup.procs
chmod 0664 /dev/cpuctl/rt/cgroup.procs
chmod 0664 /dev/cpuctl/system/cgroup.procs
chmod 0664 /dev/cpuctl/system-background/cgroup.procs
chmod 0664 /dev/cpuctl/dex2oat/cgroup.procs
# Create a cpu group for NNAPI HAL processes
mkdir /dev/cpuctl/nnapi-hal
chown system system /dev/cpuctl/nnapi-hal
chown system system /dev/cpuctl/nnapi-hal/tasks
chown system system /dev/cpuctl/nnapi-hal/cgroup.procs
chmod 0664 /dev/cpuctl/nnapi-hal/tasks
chmod 0664 /dev/cpuctl/nnapi-hal/cgroup.procs
write /dev/cpuctl/nnapi-hal/cpu.uclamp.min 1
write /dev/cpuctl/nnapi-hal/cpu.uclamp.latency_sensitive 1
# Create a cpu group for camera daemon processes
mkdir /dev/cpuctl/camera-daemon
chown system system /dev/cpuctl/camera-daemon
chown system system /dev/cpuctl/camera-daemon/tasks
chown system system /dev/cpuctl/camera-daemon/cgroup.procs
chmod 0664 /dev/cpuctl/camera-daemon/tasks
chmod 0664 /dev/cpuctl/camera-daemon/cgroup.procs
# Create an stune group for camera-specific processes
mkdir /dev/stune/camera-daemon
chown system system /dev/stune/camera-daemon
chown system system /dev/stune/camera-daemon/tasks
chown system system /dev/stune/camera-daemon/cgroup.procs
chmod 0664 /dev/stune/camera-daemon/tasks
chmod 0664 /dev/stune/camera-daemon/cgroup.procs
# Create an stune group for NNAPI HAL processes
mkdir /dev/stune/nnapi-hal
chown system system /dev/stune/nnapi-hal
chown system system /dev/stune/nnapi-hal/tasks
chown system system /dev/stune/nnapi-hal/cgroup.procs
chmod 0664 /dev/stune/nnapi-hal/tasks
chmod 0664 /dev/stune/nnapi-hal/cgroup.procs
write /dev/stune/nnapi-hal/schedtune.boost 1
write /dev/stune/nnapi-hal/schedtune.prefer_idle 1
# Create blkio group and apply initial settings.
# This feature needs kernel to support it, and the
# device's init.rc must actually set the correct values.
mkdir /dev/blkio/background
chown system system /dev/blkio
chown system system /dev/blkio/background
chown system system /dev/blkio/tasks
chown system system /dev/blkio/background/tasks
chown system system /dev/blkio/cgroup.procs
chown system system /dev/blkio/background/cgroup.procs
chmod 0664 /dev/blkio/tasks
chmod 0664 /dev/blkio/background/tasks
chmod 0664 /dev/blkio/cgroup.procs
chmod 0664 /dev/blkio/background/cgroup.procs
write /dev/blkio/blkio.weight 1000
write /dev/blkio/background/blkio.weight 200
write /dev/blkio/background/blkio.bfq.weight 10
write /dev/blkio/blkio.group_idle 0
write /dev/blkio/background/blkio.group_idle 0
write /dev/blkio/blkio.prio.class promote-to-rt
write /dev/blkio/background/blkio.prio.class restrict-to-be
restorecon_recursive /mnt
mount configfs none /config nodev noexec nosuid
chmod 0770 /config/sdcardfs
chown system package_info /config/sdcardfs
# Mount binderfs
mkdir /dev/binderfs
mount binder binder /dev/binderfs stats=global
chmod 0755 /dev/binderfs
# Mount fusectl
mount fusectl none /sys/fs/fuse/connections
symlink /dev/binderfs/binder /dev/binder
symlink /dev/binderfs/hwbinder /dev/hwbinder
symlink /dev/binderfs/vndbinder /dev/vndbinder
chmod 0666 /dev/binderfs/hwbinder
chmod 0666 /dev/binderfs/binder
chmod 0666 /dev/binderfs/vndbinder
mkdir /mnt/secure 0700 root root
mkdir /mnt/secure/asec 0700 root root
mkdir /mnt/asec 0755 root system
mkdir /mnt/obb 0755 root system
mkdir /mnt/media_rw 0750 root external_storage
mkdir /mnt/user 0755 root root
mkdir /mnt/user/0 0755 root root
mkdir /mnt/user/0/self 0755 root root
mkdir /mnt/user/0/emulated 0755 root root
mkdir /mnt/user/0/emulated/0 0755 root root
# Prepare directories for pass through processes
mkdir /mnt/pass_through 0700 root root
mkdir /mnt/pass_through/0 0710 root media_rw
mkdir /mnt/pass_through/0/self 0710 root media_rw
mkdir /mnt/pass_through/0/emulated 0710 root media_rw
mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw
mkdir /mnt/expand 0771 system system
mkdir /mnt/appfuse 0711 root root
# Storage views to support runtime permissions
mkdir /mnt/runtime 0700 root root
mkdir /mnt/runtime/default 0755 root root
mkdir /mnt/runtime/default/self 0755 root root
mkdir /mnt/runtime/read 0755 root root
mkdir /mnt/runtime/read/self 0755 root root
mkdir /mnt/runtime/write 0755 root root
mkdir /mnt/runtime/write/self 0755 root root
mkdir /mnt/runtime/full 0755 root root
mkdir /mnt/runtime/full/self 0755 root root
# For Pre-reboot Dexopt
mkdir /mnt/pre_reboot_dexopt 0755 artd artd
# Symlink to keep legacy apps working in multi-user world
symlink /storage/self/primary /mnt/sdcard
symlink /mnt/user/0/primary /mnt/runtime/default/self/primary
write /proc/sys/kernel/panic_on_oops 1
write /proc/sys/kernel/hung_task_timeout_secs 0
write /proc/cpu/alignment 4
# scheduler tunables
# Disable auto-scaling of scheduler tunables with hotplug. The tunables
# will vary across devices in unpredictable ways if allowed to scale with
# cpu cores.
write /proc/sys/kernel/sched_tunable_scaling 0
write /proc/sys/kernel/sched_latency_ns 10000000
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
write /proc/sys/kernel/sched_child_runs_first 0
write /proc/sys/kernel/randomize_va_space 2
write /proc/sys/vm/mmap_min_addr 32768
write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
write /proc/sys/net/unix/max_dgram_qlen 2400
# Assign reasonable ceiling values for socket rcv/snd buffers.
# These should almost always be overridden by the target per the
# the corresponding technology maximums.
write /proc/sys/net/core/rmem_max 262144
write /proc/sys/net/core/wmem_max 262144
# reflect fwmark from incoming packets onto generated replies
write /proc/sys/net/ipv4/fwmark_reflect 1
write /proc/sys/net/ipv6/fwmark_reflect 1
# set fwmark on accepted sockets
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
# disable icmp redirects
write /proc/sys/net/ipv4/conf/all/accept_redirects 0
write /proc/sys/net/ipv6/conf/all/accept_redirects 0
# /proc/net/fib_trie leaks interface IP addresses
chmod 0400 /proc/net/fib_trie
# sets up initial cpusets for ActivityManager
# this ensures that the cpusets are present and usable, but the device's
# init.rc must actually set the correct cpus
mkdir /dev/cpuset/foreground
copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus
copy /dev/cpuset/mems /dev/cpuset/foreground/mems
mkdir /dev/cpuset/background
copy /dev/cpuset/cpus /dev/cpuset/background/cpus
copy /dev/cpuset/mems /dev/cpuset/background/mems
# system-background is for system tasks that should only run on
# little cores, not on bigs
mkdir /dev/cpuset/system-background
copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus
copy /dev/cpuset/mems /dev/cpuset/system-background/mems
# restricted is for system tasks that are being throttled
# due to screen off.
mkdir /dev/cpuset/restricted
copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus
copy /dev/cpuset/mems /dev/cpuset/restricted/mems
mkdir /dev/cpuset/top-app
copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus
copy /dev/cpuset/mems /dev/cpuset/top-app/mems
# create a cpuset for camera daemon processes
mkdir /dev/cpuset/camera-daemon
copy /dev/cpuset/cpus /dev/cpuset/camera-daemon/cpus
copy /dev/cpuset/mems /dev/cpuset/camera-daemon/mems
# change permissions for all cpusets we'll touch at runtime
chown system system /dev/cpuset
chown system system /dev/cpuset/foreground
chown system system /dev/cpuset/background
chown system system /dev/cpuset/system-background
chown system system /dev/cpuset/top-app
chown system system /dev/cpuset/restricted
chown system system /dev/cpuset/camera-daemon
chown system system /dev/cpuset/tasks
chown system system /dev/cpuset/foreground/tasks
chown system system /dev/cpuset/background/tasks
chown system system /dev/cpuset/system-background/tasks
chown system system /dev/cpuset/top-app/tasks
chown system system /dev/cpuset/restricted/tasks
chown system system /dev/cpuset/camera-daemon/tasks
chown system system /dev/cpuset/cgroup.procs
chown system system /dev/cpuset/foreground/cgroup.procs
chown system system /dev/cpuset/background/cgroup.procs
chown system system /dev/cpuset/system-background/cgroup.procs
chown system system /dev/cpuset/top-app/cgroup.procs
chown system system /dev/cpuset/restricted/cgroup.procs
chown system system /dev/cpuset/camera-daemon/cgroup.procs
# set system-background to 0775 so SurfaceFlinger can touch it
chmod 0775 /dev/cpuset/system-background
chmod 0664 /dev/cpuset/foreground/tasks
chmod 0664 /dev/cpuset/background/tasks
chmod 0664 /dev/cpuset/system-background/tasks
chmod 0664 /dev/cpuset/top-app/tasks
chmod 0664 /dev/cpuset/restricted/tasks
chmod 0664 /dev/cpuset/tasks
chmod 0664 /dev/cpuset/camera-daemon/tasks
chmod 0664 /dev/cpuset/foreground/cgroup.procs
chmod 0664 /dev/cpuset/background/cgroup.procs
chmod 0664 /dev/cpuset/system-background/cgroup.procs
chmod 0664 /dev/cpuset/top-app/cgroup.procs
chmod 0664 /dev/cpuset/restricted/cgroup.procs
chmod 0664 /dev/cpuset/cgroup.procs
chmod 0664 /dev/cpuset/camera-daemon/cgroup.procs
# make the PSI monitor accessible to others
chown system system /proc/pressure/memory
chmod 0664 /proc/pressure/memory
mount bpf bpf /sys/fs/bpf nodev noexec nosuid
# pstore/ramoops previous console log
mount pstore pstore /sys/fs/pstore nodev noexec nosuid
chown system log /sys/fs/pstore
chmod 0550 /sys/fs/pstore
chown system log /sys/fs/pstore/console-ramoops
chmod 0440 /sys/fs/pstore/console-ramoops
chown system log /sys/fs/pstore/console-ramoops-0
chmod 0440 /sys/fs/pstore/console-ramoops-0
chown system log /sys/fs/pstore/pmsg-ramoops-0
chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
# enable armv8_deprecated instruction hooks
write /proc/sys/abi/swp 1
# Linux's execveat() syscall may construct paths containing /dev/fd
# expecting it to point to /proc/self/fd
symlink /proc/self/fd /dev/fd
export DOWNLOAD_CACHE /data/cache
# This allows the ledtrig-transient properties to be created here so
# that they can be chown'd to system:system later on boot
write /sys/class/leds/vibrator/trigger "transient"
# This is used by Bionic to select optimized routines.
write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant}
chmod 0444 /dev/cpu_variant:${ro.bionic.arch}
write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}
chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}
# Allow system processes to read / write power state.
chown system system /sys/power/state
chown system system /sys/power/wakeup_count
chmod 0660 /sys/power/state
chown radio wakelock /sys/power/wake_lock
chown radio wakelock /sys/power/wake_unlock
chmod 0660 /sys/power/wake_lock
chmod 0660 /sys/power/wake_unlock
# Start logd before any other services run to ensure we capture all of their logs.
start logd
# Start lmkd before any other services run so that it can register them
write /proc/sys/vm/watermark_boost_factor 0
chown root system /sys/module/lowmemorykiller/parameters/adj
chmod 0664 /sys/module/lowmemorykiller/parameters/adj
chown root system /sys/module/lowmemorykiller/parameters/minfree
chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
start lmkd
# Start essential services.
start servicemanager
start hwservicemanager
start vndservicemanager
# Run boringssl self test for each ABI. Any failures trigger reboot to firmware.
import /system/etc/init/hw/init.boringssl.${ro.zygote}.rc
service boringssl_self_test32 /system/bin/boringssl_self_test32
reboot_on_failure reboot,boringssl-self-check-failed
stdio_to_kmsg
# Explicitly specify that boringssl_self_test32 doesn't require any capabilities
capabilities
user nobody
service boringssl_self_test64 /system/bin/boringssl_self_test64
reboot_on_failure reboot,boringssl-self-check-failed
stdio_to_kmsg
# Explicitly specify that boringssl_self_test64 doesn't require any capabilities
capabilities
user nobody
service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32
reboot_on_failure reboot,boringssl-self-check-failed
stdio_to_kmsg
# Explicitly specify that boringssl_self_test_apex32 doesn't require any capabilities
capabilities
user nobody
service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64
reboot_on_failure reboot,boringssl-self-check-failed
stdio_to_kmsg
# Explicitly specify that boringssl_self_test_apex64 doesn't require any capabilities
capabilities
user nobody
# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
class_stop charger
trigger late-init
# Indicate to fw loaders that the relevant mounts are up.
on firmware_mounts_complete
rm /dev/.booting
# Mount filesystems and start core system services.
on late-init
trigger early-fs
# Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
# '--early' can be specified to skip entries with 'latemount'.
# /system and /vendor must be mounted by the end of the fs stage,
# while /data is optional.
trigger fs
trigger post-fs
# Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
# to only mount entries with 'latemount'. This is needed if '--early' is
# specified in the previous mount_all command on the fs stage.
# With /system mounted and properties form /system + /factory available,
# some services can be started.
trigger late-fs
# Now we can mount /data. File encryption requires keymaster to decrypt
# /data, which in turn can only be loaded when system properties are present.
trigger post-fs-data
# Should be before netd, but after apex, properties and logging is available.
trigger load_bpf_programs
# Now we can start zygote.
trigger zygote-start
# Remove a file to wake up anything waiting for firmware.
trigger firmware_mounts_complete
trigger early-boot
trigger boot
on early-fs
# Once metadata has been mounted, we'll need vold to deal with userdata checkpointing
start vold
on post-fs
exec - system system -- /system/bin/vdc checkpoint markBootAttempt
# Once everything is setup, no need to modify /.
# The bind+remount combination allows this to work in containers.
mount rootfs rootfs / remount bind ro nodev
# Mount default storage into root namespace
mount none /mnt/user/0 /storage bind rec
mount none none /storage slave rec
# Make sure /sys/kernel/debug (if present) is labeled properly
# Note that tracefs may be mounted under debug, so we need to cross filesystems
restorecon --recursive --cross-filesystems /sys/kernel/debug
# We chown/chmod /cache again so because mount is run as root + defaults
chown system cache /cache
chmod 0770 /cache
# We restorecon /cache in case the cache partition has been reset.
restorecon_recursive /cache
# Create /cache/recovery in case it's not there. It'll also fix the odd
# permissions if created by the recovery system.
mkdir /cache/recovery 0770 system cache
# Backup/restore mechanism uses the cache partition
mkdir /cache/backup_stage 0700 system system
mkdir /cache/backup 0700 system system
#change permissions on vmallocinfo so we can grab it from bugreports
chown root log /proc/vmallocinfo
chmod 0440 /proc/vmallocinfo
chown root log /proc/slabinfo
chmod 0440 /proc/slabinfo
chown root log /proc/pagetypeinfo
chmod 0440 /proc/pagetypeinfo
#change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
chown root system /proc/kmsg
chmod 0440 /proc/kmsg
chown root system /proc/sysrq-trigger
chmod 0220 /proc/sysrq-trigger
chown system log /proc/last_kmsg
chmod 0440 /proc/last_kmsg
# make the selinux kernel policy world-readable
chmod 0444 /sys/fs/selinux/policy
# create the lost+found directories, so as to enforce our permissions
mkdir /cache/lost+found 0770 root root
restorecon_recursive /metadata
mkdir /metadata/vold
chmod 0700 /metadata/vold
mkdir /metadata/password_slots 0771 root system
mkdir /metadata/bootstat 0750 system log
mkdir /metadata/ota 0750 root system
mkdir /metadata/ota/snapshots 0750 root system
mkdir /metadata/userspacereboot 0770 root system
mkdir /metadata/watchdog 0770 root system
mkdir /metadata/apex 0700 root system
mkdir /metadata/apex/sessions 0700 root system
# On some devices we see a weird behaviour in which /metadata/apex doesn't
# have a correct label. To workaround this bug, explicitly call restorecon
# on /metadata/apex. For most of the boot sequences /metadata/apex will
# already have a correct selinux label, meaning that this call will be a
# no-op.
restorecon_recursive /metadata/apex
mkdir /metadata/staged-install 0770 root system
mkdir /metadata/aconfig 0775 root system
mkdir /metadata/aconfig/flags 0770 root system
mkdir /metadata/aconfig/boot 0775 root system
mkdir /metadata/aconfig_test_missions 0775 root system
exec_start aconfigd-init
start aconfigd
on late-fs
# Ensure that tracefs has the correct permissions.
# This does not work correctly if it is called in post-fs.
chmod 0755 /sys/kernel/tracing
chmod 0755 /sys/kernel/debug/tracing
# HALs required before storage encryption can get unlocked (FBE)
class_start early_hal
# Load trusted keys from dm-verity protected partitions
exec -- /system/bin/fsverity_init --load-verified-keys
# Only enable the bootreceiver tracing instance for kernels 5.10 and above.
on late-fs && property:ro.kernel.version=4.19
setprop bootreceiver.enable 0
on late-fs && property:ro.kernel.version=5.4
setprop bootreceiver.enable 0
on late-fs
# Bootreceiver tracing instance is enabled by default.
setprop bootreceiver.enable ${bootreceiver.enable:-1}
on property:ro.product.cpu.abilist64=* && property:bootreceiver.enable=1
# Set up a tracing instance for system_server to monitor error_report_end events.
# These are sent by kernel tools like KASAN and KFENCE when a memory corruption
# is detected. This is only needed for 64-bit systems.
mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system
restorecon_recursive /sys/kernel/tracing/instances/bootreceiver
write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1
write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free
write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1
on post-fs-data
mark_post_data
# Start checkpoint before we touch data
exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint
# We chown/chmod /data again so because mount is run as root + defaults
chown system system /data
chmod 0771 /data
# We restorecon /data in case the userdata partition has been reset.
restorecon /data
# Make sure we have the device encryption key.
installkey /data
# Start bootcharting as soon as possible after the data partition is
# mounted to collect more data.
mkdir /data/bootchart 0755 shell shell encryption=Require
bootchart start
# Avoid predictable entropy pool. Carry over entropy from previous boot.
copy /data/system/entropy.dat /dev/urandom
mkdir /data/vendor 0771 root root encryption=Require
mkdir /data/vendor/hardware 0771 root root
# Start tombstoned early to be able to store tombstones.
mkdir /data/anr 0775 system system encryption=Require
mkdir /data/tombstones 0775 system system encryption=Require
mkdir /data/vendor/tombstones 0771 root root
mkdir /data/vendor/tombstones/wifi 0771 wifi wifi
start tombstoned
# Make sure that apexd is started in the default namespace
enter_default_mount_ns
# set up keystore directory structure first so that we can end early boot
# and start apexd
mkdir /data/misc 01771 system misc encryption=Require
mkdir /data/misc/keystore 0700 keystore keystore
# work around b/183668221
restorecon /data/misc /data/misc/keystore
# Boot level 30
# odsign signing keys have MAX_BOOT_LEVEL=30
# This is currently the earliest boot level, but we start at 30
# to leave room for earlier levels.
setprop keystore.boot_level 30
# Now that /data is mounted and we have created /data/misc/keystore,
# we can tell keystore to stop allowing use of early-boot keys,
# and access its database for the first time to support creation and
# use of MAX_BOOT_LEVEL keys.
exec - system system -- /system/bin/vdc keymaster earlyBootEnded
# Multi-installed APEXes are selected using persist props.
# Load persist properties and override properties (if enabled) from /data,
# before starting apexd.
# /data/property should be created before `load_persist_props`
mkdir /data/property 0700 root root encryption=Require
load_persist_props
start logd
start logd-reinit
# Some existing vendor rc files use 'on load_persist_props_action' to know
# when persist props are ready. These are difficult to change due to GRF,
# so continue triggering this action here even though props are already loaded
# by the 'load_persist_props' call above.
trigger load_persist_props_action
# /data/apex is now available. Start apexd to scan and activate APEXes.
#
# To handle userspace reboots, make sure that apexd is started cleanly here
# (set apexd.status="") and that it is restarted if it's already running.
#
# /data/apex uses encryption=None because direct I/O support is needed on
# APEX files, but some devices don't support direct I/O on encrypted files.
# Also, APEXes are public information, similar to the system image.
# /data/apex/decompressed and /data/apex/ota_reserved override this setting;
# they are encrypted so that files in them can be hard-linked into
# /data/rollback which is encrypted.
mkdir /data/apex 0755 root system encryption=None
mkdir /data/apex/active 0755 root system
mkdir /data/apex/backup 0700 root system
mkdir /data/apex/decompressed 0755 root system encryption=Require
mkdir /data/apex/hashtree 0700 root system
mkdir /data/apex/sessions 0700 root system
mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary
mkdir /data/apex/ota_reserved 0700 root system encryption=Require
setprop apexd.status ""
restart apexd
# create rest of basic filesystem structure
mkdir /data/misc/recovery 0770 system log
copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
chown system log /data/misc/recovery/ro.build.fingerprint.1
write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint}
chmod 0440 /data/misc/recovery/ro.build.fingerprint
chown system log /data/misc/recovery/ro.build.fingerprint
mkdir /data/misc/recovery/proc 0770 system log
copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1
chmod 0440 /data/misc/recovery/proc/version.1
chown system log /data/misc/recovery/proc/version.1
copy /proc/version /data/misc/recovery/proc/version
chmod 0440 /data/misc/recovery/proc/version
chown system log /data/misc/recovery/proc/version
mkdir /data/misc/bluedroid 02770 bluetooth bluetooth
# Fix the access permissions and group ownership for 'bt_config.conf'
chmod 0660 /data/misc/bluedroid/bt_config.conf
chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf
mkdir /data/misc/bluetooth 0770 bluetooth bluetooth
mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth
mkdir /data/misc/nfc 0770 nfc nfc
mkdir /data/misc/nfc/logs 0770 nfc nfc
mkdir /data/misc/credstore 0700 credstore credstore
mkdir /data/misc/gatekeeper 0700 system system
mkdir /data/misc/keychain 0771 system system
mkdir /data/misc/net 0750 root shell
mkdir /data/misc/radio 0770 system radio
mkdir /data/misc/sms 0770 system radio
mkdir /data/misc/carrierid 0770 system radio
mkdir /data/misc/apns 0770 system radio
mkdir /data/misc/emergencynumberdb 0770 system radio
mkdir /data/misc/network_watchlist 0774 system system
mkdir /data/misc/telephonyconfig 0770 system radio
mkdir /data/misc/textclassifier 0771 system system
mkdir /data/misc/vpn 0770 system vpn
mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
mkdir /data/misc/systemkeys 0700 system system
mkdir /data/misc/wifi 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
mkdir /data/misc/ethernet 0770 system system
mkdir /data/misc/dhcp 0770 dhcp dhcp
mkdir /data/misc/user 0771 root root
# give system access to wpa_supplicant.conf for backup and restore
chmod 0660 /data/misc/wifi/wpa_supplicant.conf
mkdir /data/local 0751 root root encryption=Require
mkdir /data/misc/media 0700 media media
mkdir /data/misc/audioserver 0700 audioserver audioserver
mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
mkdir /data/misc/vold 0700 root root
mkdir /data/misc/boottrace 0771 system shell
mkdir /data/misc/update_engine 0700 root root
mkdir /data/misc/update_engine_log 02750 root log
mkdir /data/misc/trace 0700 root root
# create location to store surface and window trace files
mkdir /data/misc/wmtrace 0700 system system
# create location to store accessibility trace files
mkdir /data/misc/a11ytrace 0700 system system
# profile file layout
mkdir /data/misc/profiles 0771 system system
mkdir /data/misc/profiles/cur 0771 system system
mkdir /data/misc/profiles/ref 0771 system system
mkdir /data/misc/profman 0770 system shell
mkdir /data/misc/gcov 0770 root root
mkdir /data/misc/installd 0700 root root
mkdir /data/misc/apexdata 0711 root root
mkdir /data/misc/apexrollback 0700 root root
mkdir /data/misc/appcompat/ 0700 system system
mkdir /data/misc/uprobestats-configs/ 0777 uprobestats uprobestats
mkdir /data/misc/snapshotctl_log 0755 root root
# create location to store pre-reboot information
mkdir /data/misc/prereboot 0700 system system
# directory used for on-device refresh metrics file.
mkdir /data/misc/odrefresh 0777 system system
# directory used for on-device signing key blob
mkdir /data/misc/odsign 0710 root system
# directory used for odsign metrics
mkdir /data/misc/odsign/metrics 0770 root system
# directory used for connectivity blob store.
mkdir /data/misc/connectivityblobdb 0770 system system
# Directory for VirtualizationService temporary image files.
# Delete any stale files owned by the old virtualizationservice uid (b/230056726).
chmod 0770 /data/misc/virtualizationservice
exec - virtualizationservice system -- /bin/rm -rf /data/misc/virtualizationservice
mkdir /data/misc/virtualizationservice 0771 system system
# /data/preloads uses encryption=None because it only contains preloaded
# files that are public information, similar to the system image.
mkdir /data/preloads 0775 system system encryption=None
# For security reasons, /data/local/tmp should always be empty.
# Do not place files or directories in /data/local/tmp
mkdir /data/local/tmp 0771 shell shell
mkdir /data/local/traces 0777 shell shell
mkdir /data/app-private 0771 system system encryption=Require
mkdir /data/app-ephemeral 0771 system system encryption=Require
mkdir /data/app-asec 0700 root root encryption=Require
mkdir /data/app-lib 0771 system system encryption=Require
mkdir /data/app 0771 system system encryption=Require
# Create directory for app metadata files
mkdir /data/app-metadata 0700 system system encryption=Require
# create directory for updated font files.
mkdir /data/fonts/ 0771 root root encryption=Require
mkdir /data/fonts/files 0771 system system
mkdir /data/fonts/config 0770 system system
# Create directories to push tests to for each linker namespace.
# Create the subdirectories in case the first test is run as root
# so it doesn't end up owned by root.
# Set directories to be executable by any process so that debuggerd,
# aka crash_dump, can read any executables/shared libraries.
mkdir /data/local/tests 0701 shell shell
mkdir /data/local/tests/product 0701 shell shell
mkdir /data/local/tests/system 0701 shell shell
mkdir /data/local/tests/unrestricted 0701 shell shell
mkdir /data/local/tests/vendor 0701 shell shell
# create dalvik-cache, so as to enforce our permissions
mkdir /data/dalvik-cache 0771 root root encryption=Require
# create the A/B OTA directory, so as to enforce our permissions
mkdir /data/ota 0771 root root encryption=Require
# create the OTA package directory. It will be accessed by GmsCore (cache
# group), update_engine and update_verifier.
mkdir /data/ota_package 0770 system cache encryption=Require
# create resource-cache and double-check the perms
mkdir /data/resource-cache 0771 system system encryption=Require
chown system system /data/resource-cache
chmod 0771 /data/resource-cache
# Ensure that lost+found exists and has the correct permissions. Linux
# filesystems expect this directory to exist; it's where the fsck tool puts
# any recovered files that weren't present in any directory. It must be
# unencrypted, as fsck must be able to write to it.
mkdir /data/lost+found 0770 root root encryption=None
# create directory for DRM plug-ins - give drm the read/write access to
# the following directory.
mkdir /data/drm 0770 drm drm encryption=Require
# create directory for MediaDrm plug-ins - give drm the read/write access to
# the following directory.
mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require
# NFC: create data/nfc for nv storage
mkdir /data/nfc 0770 nfc nfc encryption=Require
mkdir /data/nfc/param 0770 nfc nfc
# Create all remaining /data root dirs so that they are made through init
# and get proper encryption policy installed
mkdir /data/backup 0700 system system encryption=Require
mkdir /data/ss 0700 system system encryption=Require
mkdir /data/system 0775 system system encryption=Require
mkdir /data/system/environ 0700 system system
# b/183861600 attempt to fix selinux label before running derive_classpath service
restorecon /data/system/environ
mkdir /data/system/dropbox 0700 system system
mkdir /data/system/heapdump 0700 system system
mkdir /data/system/users 0775 system system
# Mkdir and set SELinux security contexts for shutdown-checkpoints.
# TODO(b/270286197): remove these after couple releases.
mkdir /data/system/shutdown-checkpoints 0700 system system
restorecon_recursive /data/system/shutdown-checkpoints
# Create the parent directories of the user CE and DE storage directories.
# These parent directories must use encryption=None, since each of their
# subdirectories uses a different encryption policy (a per-user one), and
# encryption policies apply recursively. These directories should never
# contain any subdirectories other than the per-user ones. /data/media/obb
# is an exception that exists for legacy reasons.
#
# Don't use any write mode bits (0222) for any of these directories, since
# the only process that should write to them directly is vold (since it
# needs to set up file-based encryption on the subdirectories), which runs
# as root with CAP_DAC_OVERRIDE. This is also fully enforced via the
# SELinux policy. But we also set the DAC file modes accordingly, to try to
# minimize differences in behavior if SELinux is set to permissive mode.
mkdir /data/media 0550 media_rw media_rw encryption=None
mkdir /data/misc_ce 0551 system misc encryption=None
mkdir /data/misc_de 0551 system misc encryption=None
mkdir /data/system_ce 0550 system system encryption=None
mkdir /data/system_de 0550 system system encryption=None
mkdir /data/user 0511 system system encryption=None
mkdir /data/user_de 0511 system system encryption=None
mkdir /data/vendor_ce 0551 root root encryption=None
mkdir /data/vendor_de 0551 root root encryption=None
# Similar to the top-level CE and DE directories, /data/storage_area must
# itself be unencrypted, since it contains encrypted directories.
mkdir /data/storage_area 0551 root root encryption=None
# Set the casefold flag on /data/media. For upgrades, a restorecon can be
# needed first to relabel the directory from media_rw_data_file.
restorecon /data/media
exec - media_rw media_rw -- /system/bin/chattr +F /data/media
# A tmpfs directory, which will contain all apps and sdk sandbox CE and DE
# data directory that bind mount from the original source.
mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
restorecon /data_mirror
mkdir /data_mirror/data_ce 0700 root root
mkdir /data_mirror/data_de 0700 root root
mkdir /data_mirror/misc_ce 0700 root root
mkdir /data_mirror/misc_de 0700 root root
mkdir /data_mirror/storage_area 0700 root root
# Create CE and DE data directory for default volume
# Not needed for storage_area directory, since this is
# not supported for non-default volumes and the path
# does not include the volume ID
mkdir /data_mirror/data_ce/null 0700 root root
mkdir /data_mirror/data_de/null 0700 root root
mkdir /data_mirror/misc_ce/null 0700 root root
mkdir /data_mirror/misc_de/null 0700 root root
# Bind mount CE and DE data directory to mirror's default volume directory.
# Note that because the /data mount has the "shared" propagation type, the
# later bind mount of /data/data onto /data/user/0 will automatically
# propagate to /data_mirror/data_ce/null/0 as well.
mount none /data/user /data_mirror/data_ce/null bind rec
mount none /data/user_de /data_mirror/data_de/null bind rec
mount none /data/misc_ce /data_mirror/misc_ce/null bind rec
mount none /data/misc_de /data_mirror/misc_de/null bind rec
# Also bind mount for the storage area directory (minus the volume ID)
mount none /data/storage_area /data_mirror/storage_area bind rec
# Create mirror directory for jit profiles
mkdir /data_mirror/cur_profiles 0700 root root
mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec
mkdir /data_mirror/ref_profiles 0700 root root
mount none /data/misc/profiles/ref /data_mirror/ref_profiles bind rec
mkdir /data/cache 0770 system cache encryption=Require
mkdir /data/cache/recovery 0770 system cache
mkdir /data/cache/backup_stage 0700 system system
mkdir /data/cache/backup 0700 system system
# Delete these if need be, per b/139193659
mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary
mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary
mkdir /data/rollback-history 0700 system system encryption=DeleteIfNecessary
# Create root dir for Incremental Service
mkdir /data/incremental 0771 system system encryption=Require
# Create directories for statsd
mkdir /data/misc/stats-active-metric/ 0770 statsd system
mkdir /data/misc/stats-data/ 0770 statsd system
mkdir /data/misc/stats-data/restricted-data 0770 statsd system
mkdir /data/misc/stats-metadata/ 0770 statsd system
mkdir /data/misc/stats-service/ 0770 statsd system
mkdir /data/misc/train-info/ 0770 statsd system
# Wait for apexd to finish activating APEXes before starting more processes.
wait_for_prop apexd.status activated
perform_apex_config
# Create directories for boot animation.
mkdir /data/misc/bootanim 0755 system system
exec_start derive_sdk
init_user0
# Set SELinux security contexts on upgrade or policy update.
restorecon --recursive --skip-ce /data
# Define and export *CLASSPATH variables
# Must start before 'odsign', as odsign depends on *CLASSPATH variables
exec_start derive_classpath
load_exports /data/system/environ/classpath
# Start ART's oneshot boot service to propagate boot experiment flags to
# dalvik.vm.*. This needs to be done before odsign since odrefresh uses and
# validates those properties against the signed cache-info.xml.
exec_start art_boot
# Start the on-device signing daemon, and wait for it to finish, to ensure
# ART artifacts are generated if needed.
# Must start after 'derive_classpath' to have *CLASSPATH variables set.
start odsign
# Wait for odsign to be done with the key.
wait_for_prop odsign.key.done 1
# Bump the boot level to 1000000000; this prevents further on-device signing.
# This is a special value that shuts down the thread which listens for
# further updates.
setprop keystore.boot_level 1000000000
# Allow apexd to snapshot and restore device encrypted apex data in the case
# of a rollback. This should be done immediately after DE_user data keys
# are loaded. APEXes should not access this data until this has been
# completed and apexd.status becomes "ready".
exec_start apexd-snapshotde
# sys.memfd_use set to false by default, which keeps it disabled
# until it is confirmed that apps and vendor processes don't make
# IOCTLs on ashmem fds any more.
setprop sys.use_memfd false
# Set fscklog permission
chown root system /dev/fscklogs/log
chmod 0770 /dev/fscklogs/log
# Enable FUSE by default
setprop persist.sys.fuse true
# Update dm-verity state and set partition.*.verified properties.
verity_update_state
# It is recommended to put unnecessary data/ initialization from post-fs-data
# to start-zygote in device's init.rc to unblock zygote start.
on zygote-start
wait_for_prop odsign.verification.done 1
# A/B update verifier that marks a successful boot.
exec_start update_verifier
start statsd
start netd
start zygote
start zygote_secondary
on boot && property:ro.config.low_ram=true
# Tweak background writeout
write /proc/sys/vm/dirty_expire_centisecs 200
write /proc/sys/vm/dirty_background_ratio 5
on boot && property:suspend.disable_sync_on_suspend=true
write /sys/power/sync_on_suspend 0
on boot
# basic network init
ifup lo
hostname localhost
domainname localdomain
# IPsec SA default expiration length
write /proc/sys/net/core/xfrm_acq_expires 3600
# Memory management. Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
write /proc/sys/vm/overcommit_memory 1
write /proc/sys/vm/min_free_order_shift 4
# System server manages zram writeback
chown root system /sys/block/zram0/idle
chmod 0664 /sys/block/zram0/idle
chown root system /sys/block/zram0/writeback
chmod 0664 /sys/block/zram0/writeback
# to access F2FS sysfs on dm-<num> directly
mkdir /dev/sys/fs/by-name 0755 system system
symlink /sys/fs/f2fs/${dev.mnt.dev.data} /dev/sys/fs/by-name/userdata
# dev.mnt.dev.data=dm-N, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0, or
# dev.mnt.dev.data=sdaN/mmcblk0pN, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0
mkdir /dev/sys/block/by-name 0755 system system
symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata
symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk
# F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs,
# to avoid power consumption when system becomes mostly idle. Be careful
# to make it too large, since it may bring userdata loss, if they
# are not aware of using fsync()/sync() to prepare sudden power-cut.
write /dev/sys/fs/by-name/userdata/cp_interval 200
write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50
write /dev/sys/fs/by-name/userdata/iostat_period_ms 1000
write /dev/sys/fs/by-name/userdata/iostat_enable 1
# set readahead multiplier for POSIX_FADV_SEQUENTIAL files
write /dev/sys/fs/by-name/userdata/seq_file_ra_mul 128
# limit discard size to 128MB in order to avoid long IO latency
# for filesystem tuning first (dm or sda)
# this requires enabling selinux entry for sda/mmcblk0 in vendor side
write /dev/sys/block/by-name/userdata/queue/discard_max_bytes 134217728
write /dev/sys/block/by-name/rootdisk/queue/discard_max_bytes 134217728
# Permissions for System Server and daemons.
chown system system /sys/power/autosleep
chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
chown system system /sys/class/leds/vibrator/trigger
chown system system /sys/class/leds/vibrator/activate
chown system system /sys/class/leds/vibrator/brightness
chown system system /sys/class/leds/vibrator/duration
chown system system /sys/class/leds/vibrator/state
chown system system /sys/class/timed_output/vibrator/enable
chown system system /sys/class/leds/keyboard-backlight/brightness
chown system system /sys/class/leds/lcd-backlight/brightness
chown system system /sys/class/leds/button-backlight/brightness
chown system system /sys/class/leds/jogball-backlight/brightness
chown system system /sys/class/leds/red/brightness
chown system system /sys/class/leds/green/brightness
chown system system /sys/class/leds/blue/brightness
chown system system /sys/class/leds/red/device/grpfreq
chown system system /sys/class/leds/red/device/grppwm
chown system system /sys/class/leds/red/device/blink
chown system system /sys/module/sco/parameters/disable_esco
chown system system /sys/kernel/ipv4/tcp_wmem_min
chown system system /sys/kernel/ipv4/tcp_wmem_def
chown system system /sys/kernel/ipv4/tcp_wmem_max
chown system system /sys/kernel/ipv4/tcp_rmem_min
chown system system /sys/kernel/ipv4/tcp_rmem_def
chown system system /sys/kernel/ipv4/tcp_rmem_max
chown root radio /proc/cmdline
chown root system /proc/bootconfig
# Define default initial receive window size in segments.
setprop net.tcp_def_init_rwnd 60
# Start standard binderized HAL daemons
class_start hal
class_start core
on nonencrypted
class_start main
class_start late_start
on property:sys.init_log_level=*
loglevel ${sys.init_log_level}
on charger
class_start charger
on property:sys.boot_completed=1
bootchart stop
# Setup per_boot directory so other .rc could start to use it on boot_completed
exec - system system -- /bin/rm -rf /data/per_boot
mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref
# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
on property:sys.sysctl.extra_free_kbytes=*
exec -- /system/bin/extra_free_kbytes.sh ${sys.sysctl.extra_free_kbytes}
# Allow users to drop caches
on property:perf.drop_caches=3
write /proc/sys/vm/drop_caches 3
setprop perf.drop_caches 0
# "tcp_default_init_rwnd" Is too long!
on property:net.tcp_def_init_rwnd=*
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
# perf_event_open syscall security:
# Newer kernels have the ability to control the use of the syscall via SELinux
# hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
# kernel has the hooks. In this case, the system-wide perf_event_paranoid
# sysctl is set to -1 (unrestricted use), and the SELinux policy is used for
# controlling access. On older kernels, the paranoid value is the only means of
# controlling access. It is normally 3 (allow only root), but the shell user
# can lower it to 1 (allowing thread-scoped pofiling) via security.perf_harden.
on load_bpf_programs && property:sys.init.perf_lsm_hooks=1
write /proc/sys/kernel/perf_event_paranoid -1
on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks=""
write /proc/sys/kernel/perf_event_paranoid 1
on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks=""
write /proc/sys/kernel/perf_event_paranoid 3
# Additionally, simpleperf profiler uses debug.* and security.perf_harden
# sysprops to be able to indirectly set these sysctls.
on property:security.perf_harden=0
write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}
write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25}
write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516}
# Default values.
on property:security.perf_harden=1
write /proc/sys/kernel/perf_event_max_sample_rate 100000
write /proc/sys/kernel/perf_cpu_time_max_percent 25
write /proc/sys/kernel/perf_event_mlock_kb 516
# This property can be set only on userdebug/eng. See neverallow rule in
# /system/sepolicy/private/property.te .
on property:security.lower_kptr_restrict=1
write /proc/sys/kernel/kptr_restrict 0
on property:security.lower_kptr_restrict=0
write /proc/sys/kernel/kptr_restrict 2
# on shutdown
# In device's init.rc, this trigger can be used to do device-specific actions
# before shutdown. e.g disable watchdog and mask error handling
## Daemon processes to be run by init.
##
service ueventd /system/bin/ueventd
class core
critical
seclabel u:r:ueventd:s0
user root
shutdown critical
service console /system/bin/sh
class core
console
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
setenv HOSTNAME console
shutdown critical
on property:ro.debuggable=1
# Give writes to the same group for the trace folder on debug builds,
# it's further protected by selinux policy.
# The folder is used to store method traces.
chmod 0773 /data/misc/trace
# Give writes and reads to anyone for the window trace folder on debug builds,
# it's further protected by selinux policy.
chmod 0777 /data/misc/wmtrace
# Give reads to anyone for the accessibility trace folder on debug builds.
chmod 0775 /data/misc/a11ytrace
on init && property:ro.debuggable=1
start console
on userspace-reboot-requested
# TODO(b/135984674): reset all necessary properties here.
setprop sys.boot_completed ""
setprop dev.bootcomplete ""
setprop sys.init.updatable_crashing ""
setprop sys.init.updatable_crashing_process_name ""
setprop sys.user.0.ce_available ""
setprop sys.shutdown.requested ""
setprop service.bootanim.exit ""
setprop service.bootanim.progress ""
on userspace-reboot-fs-remount
# Make sure that vold is running.
# This is mostly a precaution measure in case vold for some reason wasn't running when
# userspace reboot was initiated.
start vold
exec - system system -- /system/bin/vdc checkpoint resetCheckpoint
exec - system system -- /system/bin/vdc checkpoint markBootAttempt
# Unmount /data_mirror mounts in the reverse order of corresponding mounts.
umount /data_mirror/data_ce/null/0
umount /data_mirror/data_ce/null
umount /data_mirror/data_de/null
umount /data_mirror/storage_area/0
umount /data_mirror/storage_area
umount /data_mirror/cur_profiles
umount /data_mirror/ref_profiles
umount /data_mirror
remount_userdata
start bootanim
on userspace-reboot-resume
trigger userspace-reboot-fs-remount
trigger post-fs-data
trigger zygote-start
trigger early-boot
trigger boot
on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1
setprop sys.init.userspace_reboot.in_progress ""
# Multi-Gen LRU Experiment
on property:persist.device_config.mglru_native.lru_gen_config=none
write /sys/kernel/mm/lru_gen/enabled 0
on property:persist.device_config.mglru_native.lru_gen_config=core
write /sys/kernel/mm/lru_gen/enabled 1
on property:persist.device_config.mglru_native.lru_gen_config=core_and_mm_walk
write /sys/kernel/mm/lru_gen/enabled 3
on property:persist.device_config.mglru_native.lru_gen_config=core_and_nonleaf_young
write /sys/kernel/mm/lru_gen/enabled 5
on property:persist.device_config.mglru_native.lru_gen_config=all
write /sys/kernel/mm/lru_gen/enabled 7
# Allow other processes to run `snapshotctl` through `init`. This requires
# `set_prop` permission on `snapshotctl_prop`.
on property:sys.snapshotctl.map=requested
# "root" is needed to talk to gsid and pass its check on uid.
# "system" is needed to write to "/dev/socket/snapuserd" to talk to
# snapuserd.
exec - root root system -- /system/bin/snapshotctl map
setprop sys.snapshotctl.map "finished"
on property:sys.snapshotctl.unmap=requested
exec - root root system -- /system/bin/snapshotctl unmap
setprop sys.snapshotctl.unmap "finished"
|