2012-03-14 23:22:54 +01:00
|
|
|
# Copyright (C) 2012 The Android Open Source Project
|
|
|
|
|
#
|
|
|
|
|
# IMPORTANT: Do not create world writable files or directories.
|
|
|
|
|
# This is a common source of Android security bugs.
|
|
|
|
|
#
|
|
|
|
|
|
2013-07-24 03:03:37 +02:00
|
|
|
import /init.environ.rc
|
2019-11-04 19:30:36 +01:00
|
|
|
import /system/etc/init/hw/init.usb.rc
|
2012-08-28 19:25:13 +02:00
|
|
|
import /init.${ro.hardware}.rc
|
2017-05-18 21:46:34 +02:00
|
|
|
import /vendor/etc/init/hw/init.${ro.hardware}.rc
|
2019-11-04 19:30:36 +01:00
|
|
|
import /system/etc/init/hw/init.usb.configfs.rc
|
|
|
|
|
import /system/etc/init/hw/init.${ro.zygote}.rc
|
2011-12-16 23:23:22 +01:00
|
|
|
|
2018-12-21 20:41:50 +01:00
|
|
|
# Cgroups are mounted right before early-init using list from /etc/cgroups.json
|
2010-04-21 21:04:20 +02:00
|
|
|
on early-init
|
2015-10-10 02:09:10 +02:00
|
|
|
# Disable sysrq from keyboard
|
|
|
|
|
write /proc/sys/kernel/sysrq 0
|
|
|
|
|
|
init.rc: disable kernel module autoloading
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
2020-03-11 17:56:15 +01:00
|
|
|
# Android doesn't need kernel module autoloading, and it causes SELinux
|
|
|
|
|
# denials. So disable it by setting modprobe to the empty string. Note: to
|
|
|
|
|
# explicitly set a sysctl to an empty string, a trailing newline is needed.
|
|
|
|
|
write /proc/sys/kernel/modprobe \n
|
|
|
|
|
|
2013-10-01 15:21:47 +02:00
|
|
|
# Set the security context of /adb_keys if present.
|
|
|
|
|
restorecon /adb_keys
|
|
|
|
|
|
2016-03-01 02:23:36 +01:00
|
|
|
# Set the security context of /postinstall if present.
|
|
|
|
|
restorecon /postinstall
|
|
|
|
|
|
2017-06-01 01:07:53 +02:00
|
|
|
mkdir /acct/uid
|
|
|
|
|
|
2018-04-09 18:50:32 +02:00
|
|
|
# memory.pressure_level used by lmkd
|
|
|
|
|
chown root system /dev/memcg/memory.pressure_level
|
|
|
|
|
chmod 0040 /dev/memcg/memory.pressure_level
|
2017-06-01 01:07:53 +02:00
|
|
|
# app mem cgroups, used by activity manager, lmkd and zygote
|
|
|
|
|
mkdir /dev/memcg/apps/ 0755 system system
|
2017-06-28 08:09:03 +02:00
|
|
|
# cgroup for system_server and surfaceflinger
|
|
|
|
|
mkdir /dev/memcg/system 0550 system system
|
2017-06-01 01:07:53 +02:00
|
|
|
|
2020-01-25 09:34:33 +01:00
|
|
|
# symlink the Android specific /dev/tun to Linux expected /dev/net/tun
|
|
|
|
|
mkdir /dev/net 0755 root root
|
|
|
|
|
symlink ../tun /dev/net/tun
|
|
|
|
|
|
2019-06-06 20:05:52 +02:00
|
|
|
# set RLIMIT_NICE to allow priorities from 19 to -20
|
|
|
|
|
setrlimit nice 40 40
|
|
|
|
|
|
|
|
|
|
# Allow up to 32K FDs per process
|
|
|
|
|
setrlimit nofile 32768 32768
|
|
|
|
|
|
2022-12-08 00:39:05 +01:00
|
|
|
# set RLIMIT_MEMLOCK to 64KB
|
|
|
|
|
setrlimit memlock 65536 65536
|
|
|
|
|
|
2019-12-16 06:31:04 +01:00
|
|
|
# Set up linker config subdirectories based on mount namespaces
|
|
|
|
|
mkdir /linkerconfig/bootstrap 0755
|
|
|
|
|
mkdir /linkerconfig/default 0755
|
|
|
|
|
|
2019-12-16 09:59:08 +01:00
|
|
|
# Disable dm-verity hash prefetching, since it doesn't help performance
|
|
|
|
|
# Read more in b/136247322
|
|
|
|
|
write /sys/module/dm_verity/parameters/prefetch_cluster 0
|
|
|
|
|
|
2022-12-13 10:04:52 +01:00
|
|
|
# Generate empty ld.config.txt for early executed processes which rely on
|
|
|
|
|
# /system/lib libraries.
|
|
|
|
|
write /linkerconfig/bootstrap/ld.config.txt \#
|
|
|
|
|
write /linkerconfig/default/ld.config.txt \#
|
2019-12-16 06:31:04 +01:00
|
|
|
chmod 644 /linkerconfig/bootstrap/ld.config.txt
|
|
|
|
|
chmod 644 /linkerconfig/default/ld.config.txt
|
|
|
|
|
|
|
|
|
|
# Mount bootstrap linker configuration as current
|
|
|
|
|
mount none /linkerconfig/bootstrap /linkerconfig bind rec
|
2019-07-08 11:59:50 +02:00
|
|
|
|
2010-04-21 21:04:20 +02:00
|
|
|
start ueventd
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2019-02-22 14:15:25 +01:00
|
|
|
# Run apexd-bootstrap so that APEXes that provide critical libraries
|
|
|
|
|
# become available. Note that this is executed as exec_start to ensure that
|
|
|
|
|
# the libraries are available to the processes started after this statement.
|
|
|
|
|
exec_start apexd-bootstrap
|
2023-08-10 06:12:53 +02:00
|
|
|
perform_apex_config --bootstrap
|
2019-12-16 06:31:04 +01:00
|
|
|
|
2019-09-11 19:22:10 +02:00
|
|
|
# These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
|
|
|
|
|
mkdir /dev/boringssl 0755 root root
|
|
|
|
|
mkdir /dev/boringssl/selftest 0755 root root
|
|
|
|
|
|
2021-12-07 01:13:06 +01:00
|
|
|
# Mount tracefs (with GID=AID_READTRACEFS)
|
|
|
|
|
mount tracefs tracefs /sys/kernel/tracing gid=3012
|
2020-04-23 17:19:25 +02:00
|
|
|
|
2020-07-21 02:34:47 +02:00
|
|
|
# create sys dirctory
|
|
|
|
|
mkdir /dev/sys 0755 system system
|
|
|
|
|
mkdir /dev/sys/fs 0755 system system
|
|
|
|
|
mkdir /dev/sys/block 0755 system system
|
|
|
|
|
|
2022-04-29 20:31:38 +02:00
|
|
|
# Create location for fs_mgr to store abbreviated output from filesystem
|
|
|
|
|
# checker programs.
|
|
|
|
|
mkdir /dev/fscklogs 0770 root system
|
|
|
|
|
|
2023-12-14 23:03:07 +01:00
|
|
|
# Create tmpfs for use by the shell user.
|
|
|
|
|
mount tmpfs tmpfs /tmp
|
|
|
|
|
restorecon /tmp
|
|
|
|
|
chown shell shell /tmp
|
|
|
|
|
chmod 0771 /tmp
|
|
|
|
|
|
2009-03-04 04:32:55 +01:00
|
|
|
on init
|
2014-06-19 05:35:40 +02:00
|
|
|
sysclktz 0
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2016-01-23 03:02:29 +01:00
|
|
|
# Mix device-specific information into the entropy pool
|
|
|
|
|
copy /proc/cmdline /dev/urandom
|
2019-01-25 18:31:28 +01:00
|
|
|
copy /system/etc/prop.default /dev/urandom
|
2016-01-23 03:02:29 +01:00
|
|
|
|
2018-08-22 22:21:21 +02:00
|
|
|
symlink /proc/self/fd/0 /dev/stdin
|
|
|
|
|
symlink /proc/self/fd/1 /dev/stdout
|
|
|
|
|
symlink /proc/self/fd/2 /dev/stderr
|
|
|
|
|
|
2024-01-21 18:10:15 +01:00
|
|
|
# Create socket dir for ot-daemon
|
|
|
|
|
mkdir /dev/socket/ot-daemon 0770 thread_network thread_network
|
|
|
|
|
|
2015-10-27 00:22:11 +01:00
|
|
|
# Create energy-aware scheduler tuning nodes
|
2016-02-23 18:00:36 +01:00
|
|
|
mkdir /dev/stune/foreground
|
2016-07-11 22:57:31 +02:00
|
|
|
mkdir /dev/stune/background
|
2016-07-11 20:40:15 +02:00
|
|
|
mkdir /dev/stune/top-app
|
2016-12-19 20:01:55 +01:00
|
|
|
mkdir /dev/stune/rt
|
2016-02-23 18:00:36 +01:00
|
|
|
chown system system /dev/stune
|
|
|
|
|
chown system system /dev/stune/foreground
|
2016-07-11 22:57:31 +02:00
|
|
|
chown system system /dev/stune/background
|
2016-07-11 20:40:15 +02:00
|
|
|
chown system system /dev/stune/top-app
|
2016-12-19 20:01:55 +01:00
|
|
|
chown system system /dev/stune/rt
|
2016-02-23 18:00:36 +01:00
|
|
|
chown system system /dev/stune/tasks
|
|
|
|
|
chown system system /dev/stune/foreground/tasks
|
2016-07-11 22:57:31 +02:00
|
|
|
chown system system /dev/stune/background/tasks
|
2016-07-11 20:40:15 +02:00
|
|
|
chown system system /dev/stune/top-app/tasks
|
2016-12-19 20:01:55 +01:00
|
|
|
chown system system /dev/stune/rt/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chown system system /dev/stune/cgroup.procs
|
|
|
|
|
chown system system /dev/stune/foreground/cgroup.procs
|
|
|
|
|
chown system system /dev/stune/background/cgroup.procs
|
|
|
|
|
chown system system /dev/stune/top-app/cgroup.procs
|
|
|
|
|
chown system system /dev/stune/rt/cgroup.procs
|
2016-02-23 18:00:36 +01:00
|
|
|
chmod 0664 /dev/stune/tasks
|
|
|
|
|
chmod 0664 /dev/stune/foreground/tasks
|
2016-07-11 22:57:31 +02:00
|
|
|
chmod 0664 /dev/stune/background/tasks
|
2016-07-11 20:40:15 +02:00
|
|
|
chmod 0664 /dev/stune/top-app/tasks
|
2016-12-19 20:01:55 +01:00
|
|
|
chmod 0664 /dev/stune/rt/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chmod 0664 /dev/stune/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/stune/foreground/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/stune/background/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/stune/top-app/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/stune/rt/cgroup.procs
|
2015-10-27 00:22:11 +01:00
|
|
|
|
2020-10-13 19:41:00 +02:00
|
|
|
# cpuctl hierarchy for devices using utilclamp
|
|
|
|
|
mkdir /dev/cpuctl/foreground
|
|
|
|
|
mkdir /dev/cpuctl/background
|
|
|
|
|
mkdir /dev/cpuctl/top-app
|
|
|
|
|
mkdir /dev/cpuctl/rt
|
2020-11-19 01:04:08 +01:00
|
|
|
mkdir /dev/cpuctl/system
|
2020-11-24 09:26:40 +01:00
|
|
|
mkdir /dev/cpuctl/system-background
|
2021-10-20 16:52:43 +02:00
|
|
|
mkdir /dev/cpuctl/dex2oat
|
2020-10-13 19:41:00 +02:00
|
|
|
chown system system /dev/cpuctl
|
|
|
|
|
chown system system /dev/cpuctl/foreground
|
|
|
|
|
chown system system /dev/cpuctl/background
|
|
|
|
|
chown system system /dev/cpuctl/top-app
|
|
|
|
|
chown system system /dev/cpuctl/rt
|
2020-11-19 01:04:08 +01:00
|
|
|
chown system system /dev/cpuctl/system
|
2020-11-24 09:26:40 +01:00
|
|
|
chown system system /dev/cpuctl/system-background
|
2021-10-20 16:52:43 +02:00
|
|
|
chown system system /dev/cpuctl/dex2oat
|
2020-10-13 19:41:00 +02:00
|
|
|
chown system system /dev/cpuctl/tasks
|
|
|
|
|
chown system system /dev/cpuctl/foreground/tasks
|
|
|
|
|
chown system system /dev/cpuctl/background/tasks
|
|
|
|
|
chown system system /dev/cpuctl/top-app/tasks
|
|
|
|
|
chown system system /dev/cpuctl/rt/tasks
|
2020-11-19 01:04:08 +01:00
|
|
|
chown system system /dev/cpuctl/system/tasks
|
2020-11-24 09:26:40 +01:00
|
|
|
chown system system /dev/cpuctl/system-background/tasks
|
2021-10-20 16:52:43 +02:00
|
|
|
chown system system /dev/cpuctl/dex2oat/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chown system system /dev/cpuctl/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuctl/foreground/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuctl/background/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuctl/top-app/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuctl/rt/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuctl/system/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuctl/system-background/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuctl/dex2oat/cgroup.procs
|
2020-10-13 19:41:00 +02:00
|
|
|
chmod 0664 /dev/cpuctl/tasks
|
|
|
|
|
chmod 0664 /dev/cpuctl/foreground/tasks
|
|
|
|
|
chmod 0664 /dev/cpuctl/background/tasks
|
|
|
|
|
chmod 0664 /dev/cpuctl/top-app/tasks
|
|
|
|
|
chmod 0664 /dev/cpuctl/rt/tasks
|
2020-11-19 01:04:08 +01:00
|
|
|
chmod 0664 /dev/cpuctl/system/tasks
|
2020-11-24 09:26:40 +01:00
|
|
|
chmod 0664 /dev/cpuctl/system-background/tasks
|
2021-10-20 16:52:43 +02:00
|
|
|
chmod 0664 /dev/cpuctl/dex2oat/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chmod 0664 /dev/cpuctl/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuctl/foreground/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuctl/background/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuctl/top-app/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuctl/rt/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuctl/system/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuctl/system-background/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuctl/dex2oat/cgroup.procs
|
2020-11-19 01:04:08 +01:00
|
|
|
|
|
|
|
|
# Create a cpu group for NNAPI HAL processes
|
|
|
|
|
mkdir /dev/cpuctl/nnapi-hal
|
|
|
|
|
chown system system /dev/cpuctl/nnapi-hal
|
|
|
|
|
chown system system /dev/cpuctl/nnapi-hal/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chown system system /dev/cpuctl/nnapi-hal/cgroup.procs
|
2020-11-19 01:04:08 +01:00
|
|
|
chmod 0664 /dev/cpuctl/nnapi-hal/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chmod 0664 /dev/cpuctl/nnapi-hal/cgroup.procs
|
2020-11-19 01:04:08 +01:00
|
|
|
write /dev/cpuctl/nnapi-hal/cpu.uclamp.min 1
|
|
|
|
|
write /dev/cpuctl/nnapi-hal/cpu.uclamp.latency_sensitive 1
|
|
|
|
|
|
2020-12-01 08:45:01 +01:00
|
|
|
# Create a cpu group for camera daemon processes
|
|
|
|
|
mkdir /dev/cpuctl/camera-daemon
|
|
|
|
|
chown system system /dev/cpuctl/camera-daemon
|
|
|
|
|
chown system system /dev/cpuctl/camera-daemon/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chown system system /dev/cpuctl/camera-daemon/cgroup.procs
|
2020-12-01 08:45:01 +01:00
|
|
|
chmod 0664 /dev/cpuctl/camera-daemon/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chmod 0664 /dev/cpuctl/camera-daemon/cgroup.procs
|
2020-12-01 08:45:01 +01:00
|
|
|
|
2020-11-30 19:56:29 +01:00
|
|
|
# Create an stune group for camera-specific processes
|
|
|
|
|
mkdir /dev/stune/camera-daemon
|
|
|
|
|
chown system system /dev/stune/camera-daemon
|
|
|
|
|
chown system system /dev/stune/camera-daemon/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chown system system /dev/stune/camera-daemon/cgroup.procs
|
2020-11-30 19:56:29 +01:00
|
|
|
chmod 0664 /dev/stune/camera-daemon/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chmod 0664 /dev/stune/camera-daemon/cgroup.procs
|
2020-11-30 19:56:29 +01:00
|
|
|
|
2020-02-08 00:01:24 +01:00
|
|
|
# Create an stune group for NNAPI HAL processes
|
|
|
|
|
mkdir /dev/stune/nnapi-hal
|
|
|
|
|
chown system system /dev/stune/nnapi-hal
|
|
|
|
|
chown system system /dev/stune/nnapi-hal/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chown system system /dev/stune/nnapi-hal/cgroup.procs
|
2020-02-08 00:01:24 +01:00
|
|
|
chmod 0664 /dev/stune/nnapi-hal/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chmod 0664 /dev/stune/nnapi-hal/cgroup.procs
|
2020-02-08 00:01:24 +01:00
|
|
|
write /dev/stune/nnapi-hal/schedtune.boost 1
|
|
|
|
|
write /dev/stune/nnapi-hal/schedtune.prefer_idle 1
|
|
|
|
|
|
2024-01-26 04:48:12 +01:00
|
|
|
# Create blkio group and apply initial settings.
|
|
|
|
|
# This feature needs kernel to support it, and the
|
|
|
|
|
# device's init.rc must actually set the correct values.
|
|
|
|
|
mkdir /dev/blkio/background
|
|
|
|
|
chown system system /dev/blkio
|
|
|
|
|
chown system system /dev/blkio/background
|
|
|
|
|
chown system system /dev/blkio/tasks
|
|
|
|
|
chown system system /dev/blkio/background/tasks
|
|
|
|
|
chown system system /dev/blkio/cgroup.procs
|
|
|
|
|
chown system system /dev/blkio/background/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/blkio/tasks
|
|
|
|
|
chmod 0664 /dev/blkio/background/tasks
|
|
|
|
|
chmod 0664 /dev/blkio/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/blkio/background/cgroup.procs
|
|
|
|
|
write /dev/blkio/blkio.weight 1000
|
|
|
|
|
write /dev/blkio/background/blkio.weight 200
|
|
|
|
|
write /dev/blkio/background/blkio.bfq.weight 10
|
|
|
|
|
write /dev/blkio/blkio.group_idle 0
|
|
|
|
|
write /dev/blkio/background/blkio.group_idle 0
|
2024-02-01 19:46:04 +01:00
|
|
|
write /dev/blkio/background/blkio.prio.class restrict-to-be
|
2024-01-26 04:48:12 +01:00
|
|
|
|
2015-03-16 18:17:47 +01:00
|
|
|
restorecon_recursive /mnt
|
2012-08-18 01:01:16 +02:00
|
|
|
|
2018-02-14 17:35:01 +01:00
|
|
|
mount configfs none /config nodev noexec nosuid
|
2017-11-29 23:49:08 +01:00
|
|
|
chmod 0770 /config/sdcardfs
|
2016-02-19 04:48:31 +01:00
|
|
|
chown system package_info /config/sdcardfs
|
|
|
|
|
|
2020-02-03 21:33:57 +01:00
|
|
|
# Mount binderfs
|
|
|
|
|
mkdir /dev/binderfs
|
|
|
|
|
mount binder binder /dev/binderfs stats=global
|
|
|
|
|
chmod 0755 /dev/binderfs
|
|
|
|
|
|
2020-04-28 22:27:10 +02:00
|
|
|
# Mount fusectl
|
|
|
|
|
mount fusectl none /sys/fs/fuse/connections
|
|
|
|
|
|
2020-02-03 21:33:57 +01:00
|
|
|
symlink /dev/binderfs/binder /dev/binder
|
|
|
|
|
symlink /dev/binderfs/hwbinder /dev/hwbinder
|
|
|
|
|
symlink /dev/binderfs/vndbinder /dev/vndbinder
|
|
|
|
|
|
|
|
|
|
chmod 0666 /dev/binderfs/hwbinder
|
|
|
|
|
chmod 0666 /dev/binderfs/binder
|
|
|
|
|
chmod 0666 /dev/binderfs/vndbinder
|
|
|
|
|
|
2010-02-20 03:25:22 +01:00
|
|
|
mkdir /mnt/secure 0700 root root
|
2015-03-16 18:17:47 +01:00
|
|
|
mkdir /mnt/secure/asec 0700 root root
|
|
|
|
|
mkdir /mnt/asec 0755 root system
|
|
|
|
|
mkdir /mnt/obb 0755 root system
|
2020-01-24 23:13:58 +01:00
|
|
|
mkdir /mnt/media_rw 0750 root external_storage
|
2015-03-16 18:17:47 +01:00
|
|
|
mkdir /mnt/user 0755 root root
|
|
|
|
|
mkdir /mnt/user/0 0755 root root
|
2019-08-09 21:02:49 +02:00
|
|
|
mkdir /mnt/user/0/self 0755 root root
|
|
|
|
|
mkdir /mnt/user/0/emulated 0755 root root
|
|
|
|
|
mkdir /mnt/user/0/emulated/0 0755 root root
|
2019-09-23 15:21:27 +02:00
|
|
|
|
|
|
|
|
# Prepare directories for pass through processes
|
2020-01-20 15:16:14 +01:00
|
|
|
mkdir /mnt/pass_through 0700 root root
|
2020-01-31 17:26:13 +01:00
|
|
|
mkdir /mnt/pass_through/0 0710 root media_rw
|
|
|
|
|
mkdir /mnt/pass_through/0/self 0710 root media_rw
|
|
|
|
|
mkdir /mnt/pass_through/0/emulated 0710 root media_rw
|
|
|
|
|
mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw
|
2019-09-23 15:21:27 +02:00
|
|
|
|
2015-04-06 23:08:54 +02:00
|
|
|
mkdir /mnt/expand 0771 system system
|
2015-12-11 05:29:04 +01:00
|
|
|
mkdir /mnt/appfuse 0711 root root
|
2015-03-16 18:17:47 +01:00
|
|
|
|
2015-06-23 23:30:37 +02:00
|
|
|
# Storage views to support runtime permissions
|
2015-08-06 20:39:44 +02:00
|
|
|
mkdir /mnt/runtime 0700 root root
|
|
|
|
|
mkdir /mnt/runtime/default 0755 root root
|
|
|
|
|
mkdir /mnt/runtime/default/self 0755 root root
|
|
|
|
|
mkdir /mnt/runtime/read 0755 root root
|
|
|
|
|
mkdir /mnt/runtime/read/self 0755 root root
|
|
|
|
|
mkdir /mnt/runtime/write 0755 root root
|
|
|
|
|
mkdir /mnt/runtime/write/self 0755 root root
|
2019-01-17 08:25:28 +01:00
|
|
|
mkdir /mnt/runtime/full 0755 root root
|
|
|
|
|
mkdir /mnt/runtime/full/self 0755 root root
|
2010-02-20 03:25:22 +01:00
|
|
|
|
2024-02-29 18:29:18 +01:00
|
|
|
# For Pre-reboot Dexopt
|
|
|
|
|
mkdir /mnt/pre_reboot_dexopt 0755 artd artd
|
|
|
|
|
|
2015-03-16 18:17:47 +01:00
|
|
|
# Symlink to keep legacy apps working in multi-user world
|
2016-04-13 05:36:01 +02:00
|
|
|
symlink /storage/self/primary /mnt/sdcard
|
2015-08-06 20:39:44 +02:00
|
|
|
symlink /mnt/user/0/primary /mnt/runtime/default/self/primary
|
2010-07-15 21:14:44 +02:00
|
|
|
|
2009-03-04 04:32:55 +01:00
|
|
|
write /proc/sys/kernel/panic_on_oops 1
|
|
|
|
|
write /proc/sys/kernel/hung_task_timeout_secs 0
|
|
|
|
|
write /proc/cpu/alignment 4
|
2015-07-21 01:01:48 +02:00
|
|
|
|
|
|
|
|
# scheduler tunables
|
|
|
|
|
# Disable auto-scaling of scheduler tunables with hotplug. The tunables
|
|
|
|
|
# will vary across devices in unpredictable ways if allowed to scale with
|
|
|
|
|
# cpu cores.
|
|
|
|
|
write /proc/sys/kernel/sched_tunable_scaling 0
|
2009-03-04 04:32:55 +01:00
|
|
|
write /proc/sys/kernel/sched_latency_ns 10000000
|
|
|
|
|
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
|
2009-09-16 22:32:23 +02:00
|
|
|
write /proc/sys/kernel/sched_child_runs_first 0
|
2015-07-21 01:01:48 +02:00
|
|
|
|
2011-10-06 20:47:11 +02:00
|
|
|
write /proc/sys/kernel/randomize_va_space 2
|
2011-12-05 23:48:08 +01:00
|
|
|
write /proc/sys/vm/mmap_min_addr 32768
|
2013-02-22 03:36:43 +01:00
|
|
|
write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
|
2023-05-30 21:47:07 +02:00
|
|
|
write /proc/sys/net/unix/max_dgram_qlen 2400
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2016-12-07 19:55:45 +01:00
|
|
|
# Assign reasonable ceiling values for socket rcv/snd buffers.
|
|
|
|
|
# These should almost always be overridden by the target per the
|
|
|
|
|
# the corresponding technology maximums.
|
|
|
|
|
write /proc/sys/net/core/rmem_max 262144
|
|
|
|
|
write /proc/sys/net/core/wmem_max 262144
|
|
|
|
|
|
2014-04-10 02:44:56 +02:00
|
|
|
# reflect fwmark from incoming packets onto generated replies
|
|
|
|
|
write /proc/sys/net/ipv4/fwmark_reflect 1
|
|
|
|
|
write /proc/sys/net/ipv6/fwmark_reflect 1
|
|
|
|
|
|
|
|
|
|
# set fwmark on accepted sockets
|
|
|
|
|
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
|
|
|
|
|
|
2014-12-03 18:57:00 +01:00
|
|
|
# disable icmp redirects
|
|
|
|
|
write /proc/sys/net/ipv4/conf/all/accept_redirects 0
|
|
|
|
|
write /proc/sys/net/ipv6/conf/all/accept_redirects 0
|
|
|
|
|
|
2017-08-25 21:55:52 +02:00
|
|
|
# /proc/net/fib_trie leaks interface IP addresses
|
|
|
|
|
chmod 0400 /proc/net/fib_trie
|
|
|
|
|
|
2015-06-08 23:56:29 +02:00
|
|
|
# sets up initial cpusets for ActivityManager
|
2015-10-15 21:38:15 +02:00
|
|
|
# this ensures that the cpusets are present and usable, but the device's
|
|
|
|
|
# init.rc must actually set the correct cpus
|
2015-06-08 23:56:29 +02:00
|
|
|
mkdir /dev/cpuset/foreground
|
2017-04-14 03:27:35 +02:00
|
|
|
copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus
|
|
|
|
|
copy /dev/cpuset/mems /dev/cpuset/foreground/mems
|
2015-06-08 23:56:29 +02:00
|
|
|
mkdir /dev/cpuset/background
|
2017-04-14 03:27:35 +02:00
|
|
|
copy /dev/cpuset/cpus /dev/cpuset/background/cpus
|
|
|
|
|
copy /dev/cpuset/mems /dev/cpuset/background/mems
|
2015-10-15 21:38:15 +02:00
|
|
|
|
2015-09-18 22:18:49 +02:00
|
|
|
# system-background is for system tasks that should only run on
|
|
|
|
|
# little cores, not on bigs
|
|
|
|
|
mkdir /dev/cpuset/system-background
|
2017-04-14 03:27:35 +02:00
|
|
|
copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus
|
|
|
|
|
copy /dev/cpuset/mems /dev/cpuset/system-background/mems
|
2015-10-15 21:38:15 +02:00
|
|
|
|
2018-04-13 19:15:49 +02:00
|
|
|
# restricted is for system tasks that are being throttled
|
|
|
|
|
# due to screen off.
|
|
|
|
|
mkdir /dev/cpuset/restricted
|
|
|
|
|
copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus
|
|
|
|
|
copy /dev/cpuset/mems /dev/cpuset/restricted/mems
|
|
|
|
|
|
2016-01-12 01:16:35 +01:00
|
|
|
mkdir /dev/cpuset/top-app
|
2017-04-14 03:27:35 +02:00
|
|
|
copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus
|
|
|
|
|
copy /dev/cpuset/mems /dev/cpuset/top-app/mems
|
2016-01-12 01:16:35 +01:00
|
|
|
|
2020-12-01 08:45:01 +01:00
|
|
|
# create a cpuset for camera daemon processes
|
|
|
|
|
mkdir /dev/cpuset/camera-daemon
|
|
|
|
|
copy /dev/cpuset/cpus /dev/cpuset/camera-daemon/cpus
|
|
|
|
|
copy /dev/cpuset/mems /dev/cpuset/camera-daemon/mems
|
|
|
|
|
|
2015-10-15 21:38:15 +02:00
|
|
|
# change permissions for all cpusets we'll touch at runtime
|
2015-06-08 23:56:29 +02:00
|
|
|
chown system system /dev/cpuset
|
|
|
|
|
chown system system /dev/cpuset/foreground
|
|
|
|
|
chown system system /dev/cpuset/background
|
2015-10-27 00:22:11 +01:00
|
|
|
chown system system /dev/cpuset/system-background
|
2016-01-12 01:16:35 +01:00
|
|
|
chown system system /dev/cpuset/top-app
|
2018-04-13 19:15:49 +02:00
|
|
|
chown system system /dev/cpuset/restricted
|
2020-12-01 08:45:01 +01:00
|
|
|
chown system system /dev/cpuset/camera-daemon
|
2015-06-08 23:56:29 +02:00
|
|
|
chown system system /dev/cpuset/tasks
|
|
|
|
|
chown system system /dev/cpuset/foreground/tasks
|
|
|
|
|
chown system system /dev/cpuset/background/tasks
|
2015-10-27 00:22:11 +01:00
|
|
|
chown system system /dev/cpuset/system-background/tasks
|
2016-01-12 01:16:35 +01:00
|
|
|
chown system system /dev/cpuset/top-app/tasks
|
2018-04-13 19:15:49 +02:00
|
|
|
chown system system /dev/cpuset/restricted/tasks
|
2020-12-01 08:45:01 +01:00
|
|
|
chown system system /dev/cpuset/camera-daemon/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chown system system /dev/cpuset/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuset/foreground/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuset/background/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuset/system-background/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuset/top-app/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuset/restricted/cgroup.procs
|
|
|
|
|
chown system system /dev/cpuset/camera-daemon/cgroup.procs
|
2015-11-10 23:31:09 +01:00
|
|
|
|
|
|
|
|
# set system-background to 0775 so SurfaceFlinger can touch it
|
|
|
|
|
chmod 0775 /dev/cpuset/system-background
|
|
|
|
|
|
2015-07-24 00:18:36 +02:00
|
|
|
chmod 0664 /dev/cpuset/foreground/tasks
|
|
|
|
|
chmod 0664 /dev/cpuset/background/tasks
|
2015-10-27 00:22:11 +01:00
|
|
|
chmod 0664 /dev/cpuset/system-background/tasks
|
2016-01-12 01:16:35 +01:00
|
|
|
chmod 0664 /dev/cpuset/top-app/tasks
|
2018-04-13 19:15:49 +02:00
|
|
|
chmod 0664 /dev/cpuset/restricted/tasks
|
2015-07-24 00:18:36 +02:00
|
|
|
chmod 0664 /dev/cpuset/tasks
|
2020-12-01 08:45:01 +01:00
|
|
|
chmod 0664 /dev/cpuset/camera-daemon/tasks
|
2022-01-21 02:55:27 +01:00
|
|
|
chmod 0664 /dev/cpuset/foreground/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuset/background/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuset/system-background/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuset/top-app/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuset/restricted/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuset/cgroup.procs
|
|
|
|
|
chmod 0664 /dev/cpuset/camera-daemon/cgroup.procs
|
2015-06-08 23:56:29 +02:00
|
|
|
|
2019-02-15 20:51:09 +01:00
|
|
|
# make the PSI monitor accessible to others
|
|
|
|
|
chown system system /proc/pressure/memory
|
|
|
|
|
chmod 0664 /proc/pressure/memory
|
2015-06-08 23:56:29 +02:00
|
|
|
|
2018-02-12 20:30:46 +01:00
|
|
|
mount bpf bpf /sys/fs/bpf nodev noexec nosuid
|
2017-10-23 20:57:59 +02:00
|
|
|
|
2014-06-19 05:35:40 +02:00
|
|
|
# pstore/ramoops previous console log
|
2018-02-12 20:30:46 +01:00
|
|
|
mount pstore pstore /sys/fs/pstore nodev noexec nosuid
|
2018-06-29 19:32:11 +02:00
|
|
|
chown system log /sys/fs/pstore
|
|
|
|
|
chmod 0550 /sys/fs/pstore
|
2013-11-22 05:23:54 +01:00
|
|
|
chown system log /sys/fs/pstore/console-ramoops
|
|
|
|
|
chmod 0440 /sys/fs/pstore/console-ramoops
|
2017-06-27 18:32:32 +02:00
|
|
|
chown system log /sys/fs/pstore/console-ramoops-0
|
|
|
|
|
chmod 0440 /sys/fs/pstore/console-ramoops-0
|
2014-12-15 16:52:19 +01:00
|
|
|
chown system log /sys/fs/pstore/pmsg-ramoops-0
|
|
|
|
|
chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
|
2013-11-22 05:23:54 +01:00
|
|
|
|
2015-01-26 19:40:29 +01:00
|
|
|
# enable armv8_deprecated instruction hooks
|
|
|
|
|
write /proc/sys/abi/swp 1
|
|
|
|
|
|
2016-02-01 18:59:44 +01:00
|
|
|
# Linux's execveat() syscall may construct paths containing /dev/fd
|
|
|
|
|
# expecting it to point to /proc/self/fd
|
|
|
|
|
symlink /proc/self/fd /dev/fd
|
|
|
|
|
|
2016-06-21 21:04:54 +02:00
|
|
|
export DOWNLOAD_CACHE /data/cache
|
|
|
|
|
|
2017-03-09 02:36:18 +01:00
|
|
|
# This allows the ledtrig-transient properties to be created here so
|
|
|
|
|
# that they can be chown'd to system:system later on boot
|
|
|
|
|
write /sys/class/leds/vibrator/trigger "transient"
|
|
|
|
|
|
2018-11-04 18:50:05 +01:00
|
|
|
# This is used by Bionic to select optimized routines.
|
|
|
|
|
write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant}
|
|
|
|
|
chmod 0444 /dev/cpu_variant:${ro.bionic.arch}
|
|
|
|
|
write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}
|
|
|
|
|
chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}
|
|
|
|
|
|
2019-04-08 22:29:07 +02:00
|
|
|
# Allow system processes to read / write power state.
|
|
|
|
|
chown system system /sys/power/state
|
|
|
|
|
chown system system /sys/power/wakeup_count
|
|
|
|
|
chmod 0660 /sys/power/state
|
|
|
|
|
|
2019-07-16 23:31:55 +02:00
|
|
|
chown radio wakelock /sys/power/wake_lock
|
|
|
|
|
chown radio wakelock /sys/power/wake_unlock
|
|
|
|
|
chmod 0660 /sys/power/wake_lock
|
|
|
|
|
chmod 0660 /sys/power/wake_unlock
|
|
|
|
|
|
2018-10-17 22:14:55 +02:00
|
|
|
# Start logd before any other services run to ensure we capture all of their logs.
|
|
|
|
|
start logd
|
2019-10-23 02:18:42 +02:00
|
|
|
# Start lmkd before any other services run so that it can register them
|
2021-07-01 05:55:02 +02:00
|
|
|
write /proc/sys/vm/watermark_boost_factor 0
|
2020-02-14 01:17:10 +01:00
|
|
|
chown root system /sys/module/lowmemorykiller/parameters/adj
|
|
|
|
|
chmod 0664 /sys/module/lowmemorykiller/parameters/adj
|
|
|
|
|
chown root system /sys/module/lowmemorykiller/parameters/minfree
|
|
|
|
|
chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
|
2019-10-23 02:18:42 +02:00
|
|
|
start lmkd
|
2019-02-02 11:45:23 +01:00
|
|
|
|
2018-10-17 22:14:55 +02:00
|
|
|
# Start essential services.
|
|
|
|
|
start servicemanager
|
|
|
|
|
start hwservicemanager
|
|
|
|
|
start vndservicemanager
|
|
|
|
|
|
2022-07-07 16:18:55 +02:00
|
|
|
# Run boringssl self test for each ABI. Any failures trigger reboot to firmware.
|
2023-08-10 11:03:34 +02:00
|
|
|
import /system/etc/init/hw/init.boringssl.${ro.zygote}.rc
|
2022-07-07 16:18:55 +02:00
|
|
|
|
|
|
|
|
service boringssl_self_test32 /system/bin/boringssl_self_test32
|
|
|
|
|
reboot_on_failure reboot,boringssl-self-check-failed
|
|
|
|
|
stdio_to_kmsg
|
2022-12-30 00:12:33 +01:00
|
|
|
# Explicitly specify that boringssl_self_test32 doesn't require any capabilities
|
|
|
|
|
capabilities
|
2023-04-10 22:55:05 +02:00
|
|
|
user nobody
|
2022-07-07 16:18:55 +02:00
|
|
|
|
|
|
|
|
service boringssl_self_test64 /system/bin/boringssl_self_test64
|
|
|
|
|
reboot_on_failure reboot,boringssl-self-check-failed
|
|
|
|
|
stdio_to_kmsg
|
2022-12-30 00:12:33 +01:00
|
|
|
# Explicitly specify that boringssl_self_test64 doesn't require any capabilities
|
|
|
|
|
capabilities
|
2023-04-10 22:55:05 +02:00
|
|
|
user nobody
|
2022-07-07 16:18:55 +02:00
|
|
|
|
|
|
|
|
service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32
|
|
|
|
|
reboot_on_failure reboot,boringssl-self-check-failed
|
|
|
|
|
stdio_to_kmsg
|
2022-12-30 00:12:33 +01:00
|
|
|
# Explicitly specify that boringssl_self_test_apex32 doesn't require any capabilities
|
|
|
|
|
capabilities
|
2023-04-10 22:55:05 +02:00
|
|
|
user nobody
|
2022-07-07 16:18:55 +02:00
|
|
|
|
|
|
|
|
service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64
|
|
|
|
|
reboot_on_failure reboot,boringssl-self-check-failed
|
|
|
|
|
stdio_to_kmsg
|
2022-12-30 00:12:33 +01:00
|
|
|
# Explicitly specify that boringssl_self_test_apex64 doesn't require any capabilities
|
|
|
|
|
capabilities
|
2023-04-10 22:55:05 +02:00
|
|
|
user nobody
|
2022-07-07 16:18:55 +02:00
|
|
|
|
2014-06-17 00:06:21 +02:00
|
|
|
# Healthd can trigger a full boot from charger mode by signaling this
|
|
|
|
|
# property when the power button is held.
|
|
|
|
|
on property:sys.boot_from_charger_mode=1
|
|
|
|
|
class_stop charger
|
|
|
|
|
trigger late-init
|
|
|
|
|
|
2014-07-12 00:05:23 +02:00
|
|
|
# Indicate to fw loaders that the relevant mounts are up.
|
|
|
|
|
on firmware_mounts_complete
|
|
|
|
|
rm /dev/.booting
|
|
|
|
|
|
2014-06-17 00:06:21 +02:00
|
|
|
# Mount filesystems and start core system services.
|
|
|
|
|
on late-init
|
|
|
|
|
trigger early-fs
|
2016-08-23 20:58:09 +02:00
|
|
|
|
|
|
|
|
# Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
|
|
|
|
|
# '--early' can be specified to skip entries with 'latemount'.
|
|
|
|
|
# /system and /vendor must be mounted by the end of the fs stage,
|
|
|
|
|
# while /data is optional.
|
2014-06-17 00:06:21 +02:00
|
|
|
trigger fs
|
|
|
|
|
trigger post-fs
|
|
|
|
|
|
2016-08-23 20:58:09 +02:00
|
|
|
# Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
|
|
|
|
|
# to only mount entries with 'latemount'. This is needed if '--early' is
|
|
|
|
|
# specified in the previous mount_all command on the fs stage.
|
|
|
|
|
# With /system mounted and properties form /system + /factory available,
|
|
|
|
|
# some services can be started.
|
|
|
|
|
trigger late-fs
|
|
|
|
|
|
2015-07-01 23:40:56 +02:00
|
|
|
# Now we can mount /data. File encryption requires keymaster to decrypt
|
2016-08-23 20:58:09 +02:00
|
|
|
# /data, which in turn can only be loaded when system properties are present.
|
2015-07-01 23:40:56 +02:00
|
|
|
trigger post-fs-data
|
2016-08-23 20:58:09 +02:00
|
|
|
|
2020-06-22 10:11:24 +02:00
|
|
|
# Should be before netd, but after apex, properties and logging is available.
|
|
|
|
|
trigger load_bpf_programs
|
|
|
|
|
|
2023-07-11 01:13:44 +02:00
|
|
|
# Now we can start zygote.
|
2018-09-05 19:12:40 +02:00
|
|
|
trigger zygote-start
|
|
|
|
|
|
2014-07-16 05:39:41 +02:00
|
|
|
# Remove a file to wake up anything waiting for firmware.
|
|
|
|
|
trigger firmware_mounts_complete
|
|
|
|
|
|
2014-06-17 00:06:21 +02:00
|
|
|
trigger early-boot
|
|
|
|
|
trigger boot
|
|
|
|
|
|
2019-06-17 22:23:05 +02:00
|
|
|
on early-fs
|
|
|
|
|
# Once metadata has been mounted, we'll need vold to deal with userdata checkpointing
|
2018-10-12 00:35:07 +02:00
|
|
|
start vold
|
2019-06-17 22:23:05 +02:00
|
|
|
|
|
|
|
|
on post-fs
|
2018-10-12 00:35:07 +02:00
|
|
|
exec - system system -- /system/bin/vdc checkpoint markBootAttempt
|
2017-03-24 17:23:07 +01:00
|
|
|
|
2018-02-14 17:36:16 +01:00
|
|
|
# Once everything is setup, no need to modify /.
|
2018-07-11 17:13:34 +02:00
|
|
|
# The bind+remount combination allows this to work in containers.
|
|
|
|
|
mount rootfs rootfs / remount bind ro nodev
|
2010-09-09 00:06:45 +02:00
|
|
|
|
2020-09-11 12:06:29 +02:00
|
|
|
# Mount default storage into root namespace
|
|
|
|
|
mount none /mnt/user/0 /storage bind rec
|
|
|
|
|
mount none none /storage slave rec
|
|
|
|
|
|
2015-12-08 01:57:08 +01:00
|
|
|
# Make sure /sys/kernel/debug (if present) is labeled properly
|
2016-11-15 00:40:18 +01:00
|
|
|
# Note that tracefs may be mounted under debug, so we need to cross filesystems
|
|
|
|
|
restorecon --recursive --cross-filesystems /sys/kernel/debug
|
2016-11-02 22:23:31 +01:00
|
|
|
|
2010-12-04 01:33:31 +01:00
|
|
|
# We chown/chmod /cache again so because mount is run as root + defaults
|
|
|
|
|
chown system cache /cache
|
|
|
|
|
chmod 0770 /cache
|
2012-01-13 14:54:34 +01:00
|
|
|
# We restorecon /cache in case the cache partition has been reset.
|
2014-07-09 21:39:21 +02:00
|
|
|
restorecon_recursive /cache
|
2010-12-04 01:33:31 +01:00
|
|
|
|
2015-05-11 23:08:18 +02:00
|
|
|
# Create /cache/recovery in case it's not there. It'll also fix the odd
|
|
|
|
|
# permissions if created by the recovery system.
|
|
|
|
|
mkdir /cache/recovery 0770 system cache
|
2010-12-04 01:33:31 +01:00
|
|
|
|
2016-01-29 02:09:42 +01:00
|
|
|
# Backup/restore mechanism uses the cache partition
|
|
|
|
|
mkdir /cache/backup_stage 0700 system system
|
|
|
|
|
mkdir /cache/backup 0700 system system
|
|
|
|
|
|
2010-12-04 01:33:31 +01:00
|
|
|
#change permissions on vmallocinfo so we can grab it from bugreports
|
|
|
|
|
chown root log /proc/vmallocinfo
|
|
|
|
|
chmod 0440 /proc/vmallocinfo
|
|
|
|
|
|
2012-09-25 23:22:02 +02:00
|
|
|
chown root log /proc/slabinfo
|
|
|
|
|
chmod 0440 /proc/slabinfo
|
|
|
|
|
|
2020-06-14 11:21:13 +02:00
|
|
|
chown root log /proc/pagetypeinfo
|
|
|
|
|
chmod 0440 /proc/pagetypeinfo
|
|
|
|
|
|
2010-12-04 01:33:31 +01:00
|
|
|
#change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
|
|
|
|
|
chown root system /proc/kmsg
|
|
|
|
|
chmod 0440 /proc/kmsg
|
|
|
|
|
chown root system /proc/sysrq-trigger
|
|
|
|
|
chmod 0220 /proc/sysrq-trigger
|
2012-08-03 03:14:33 +02:00
|
|
|
chown system log /proc/last_kmsg
|
|
|
|
|
chmod 0440 /proc/last_kmsg
|
2010-12-04 01:33:31 +01:00
|
|
|
|
2014-03-26 00:31:07 +01:00
|
|
|
# make the selinux kernel policy world-readable
|
|
|
|
|
chmod 0444 /sys/fs/selinux/policy
|
|
|
|
|
|
2010-12-04 01:33:31 +01:00
|
|
|
# create the lost+found directories, so as to enforce our permissions
|
2011-07-09 01:52:18 +02:00
|
|
|
mkdir /cache/lost+found 0770 root root
|
2010-12-04 01:33:31 +01:00
|
|
|
|
2018-05-17 19:12:34 +02:00
|
|
|
restorecon_recursive /metadata
|
|
|
|
|
mkdir /metadata/vold
|
|
|
|
|
chmod 0700 /metadata/vold
|
2019-03-06 07:16:36 +01:00
|
|
|
mkdir /metadata/password_slots 0771 root system
|
2019-05-23 19:00:34 +02:00
|
|
|
mkdir /metadata/bootstat 0750 system log
|
2023-07-14 17:57:30 +02:00
|
|
|
mkdir /metadata/ota 0750 root system
|
|
|
|
|
mkdir /metadata/ota/snapshots 0750 root system
|
2020-05-11 15:10:09 +02:00
|
|
|
mkdir /metadata/userspacereboot 0770 root system
|
2020-12-05 18:25:09 +01:00
|
|
|
mkdir /metadata/watchdog 0770 root system
|
2018-05-17 19:12:34 +02:00
|
|
|
|
2019-03-12 22:05:20 +01:00
|
|
|
mkdir /metadata/apex 0700 root system
|
|
|
|
|
mkdir /metadata/apex/sessions 0700 root system
|
2020-06-22 18:47:23 +02:00
|
|
|
# On some devices we see a weird behaviour in which /metadata/apex doesn't
|
|
|
|
|
# have a correct label. To workaround this bug, explicitly call restorecon
|
|
|
|
|
# on /metadata/apex. For most of the boot sequences /metadata/apex will
|
|
|
|
|
# already have a correct selinux label, meaning that this call will be a
|
|
|
|
|
# no-op.
|
|
|
|
|
restorecon_recursive /metadata/apex
|
|
|
|
|
|
2020-05-07 16:52:48 +02:00
|
|
|
mkdir /metadata/staged-install 0770 root system
|
2024-02-13 04:24:08 +01:00
|
|
|
|
2024-02-28 22:20:35 +01:00
|
|
|
mkdir /metadata/aconfig 0775 root system
|
|
|
|
|
mkdir /metadata/aconfig/flags 0770 root system
|
2024-05-21 17:30:59 +02:00
|
|
|
mkdir /metadata/aconfig/maps 0775 root system
|
2024-02-28 22:20:35 +01:00
|
|
|
mkdir /metadata/aconfig/boot 0775 root system
|
2024-04-05 15:52:03 +02:00
|
|
|
|
|
|
|
|
mkdir /metadata/aconfig_test_missions 0775 root system
|
2024-05-17 02:46:28 +02:00
|
|
|
exec_start aconfigd-platform-init
|
2024-02-13 04:24:08 +01:00
|
|
|
|
2017-04-06 21:44:59 +02:00
|
|
|
on late-fs
|
2017-06-13 19:15:05 +02:00
|
|
|
# Ensure that tracefs has the correct permissions.
|
|
|
|
|
# This does not work correctly if it is called in post-fs.
|
2020-01-29 18:10:47 +01:00
|
|
|
chmod 0755 /sys/kernel/tracing
|
2017-06-13 19:15:05 +02:00
|
|
|
chmod 0755 /sys/kernel/debug/tracing
|
|
|
|
|
|
2023-01-18 03:17:13 +01:00
|
|
|
# HALs required before storage encryption can get unlocked (FBE)
|
2017-04-06 21:44:59 +02:00
|
|
|
class_start early_hal
|
|
|
|
|
|
2020-11-30 10:05:40 +01:00
|
|
|
# Load trusted keys from dm-verity protected partitions
|
|
|
|
|
exec -- /system/bin/fsverity_init --load-verified-keys
|
|
|
|
|
|
2021-09-29 15:30:02 +02:00
|
|
|
# Only enable the bootreceiver tracing instance for kernels 5.10 and above.
|
|
|
|
|
on late-fs && property:ro.kernel.version=4.19
|
|
|
|
|
setprop bootreceiver.enable 0
|
|
|
|
|
on late-fs && property:ro.kernel.version=5.4
|
|
|
|
|
setprop bootreceiver.enable 0
|
|
|
|
|
on late-fs
|
|
|
|
|
# Bootreceiver tracing instance is enabled by default.
|
|
|
|
|
setprop bootreceiver.enable ${bootreceiver.enable:-1}
|
|
|
|
|
|
|
|
|
|
on property:ro.product.cpu.abilist64=* && property:bootreceiver.enable=1
|
2021-03-02 16:50:16 +01:00
|
|
|
# Set up a tracing instance for system_server to monitor error_report_end events.
|
|
|
|
|
# These are sent by kernel tools like KASAN and KFENCE when a memory corruption
|
2021-08-03 09:47:40 +02:00
|
|
|
# is detected. This is only needed for 64-bit systems.
|
2021-03-02 16:50:16 +01:00
|
|
|
mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system
|
|
|
|
|
restorecon_recursive /sys/kernel/tracing/instances/bootreceiver
|
|
|
|
|
write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1
|
|
|
|
|
write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free
|
|
|
|
|
write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1
|
|
|
|
|
|
2010-12-04 01:33:31 +01:00
|
|
|
on post-fs-data
|
2021-03-09 10:57:00 +01:00
|
|
|
|
Support for stopping/starting post-data-mount class subsets.
On devices that use FDE and APEX at the same time, we need to bring up a
minimal framework to be able to mount the /data partition. During this
period, a tmpfs /data filesystem is created, which doesn't contain any
of the updated APEXEs. As a consequence, all those processes will be
using the APEXes from the /system partition.
This is obviously not desired, as APEXes in /system may be old and/or
contain security issues. Additionally, it would create a difference
between FBE and FDE devices at runtime.
Ideally, we restart all processes that have started after we created the
tmpfs /data. We can't (re)start based on class names alone, because some
classes (eg 'hal') contain services that are required to start apexd
itself and that shouldn't be killed (eg the graphics HAL).
To address this, keep track of which processes are started after /data
is mounted, with a new 'mark_post_data' keyword. Additionally, create
'class_reset_post_data', which resets all services in the class that
were created after the initial /data mount, and 'class_start_post_data',
which starts all services in the class that were started after /data was
mounted.
On a device with FBE, these keywords wouldn't be used; on a device with
FDE, we'd use them to bring down the right processes after the user has
entered the correct secret, and restart them.
Bug: 118485723
Test: manually verified process list
Change-Id: I16adb776dacf1dd1feeaff9e60639b99899905eb
2019-04-23 16:26:01 +02:00
|
|
|
mark_post_data
|
|
|
|
|
|
2018-10-04 17:37:17 +02:00
|
|
|
# Start checkpoint before we touch data
|
|
|
|
|
exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint
|
|
|
|
|
|
2009-03-04 04:32:55 +01:00
|
|
|
# We chown/chmod /data again so because mount is run as root + defaults
|
|
|
|
|
chown system system /data
|
|
|
|
|
chmod 0771 /data
|
2012-01-13 14:54:34 +01:00
|
|
|
# We restorecon /data in case the userdata partition has been reset.
|
|
|
|
|
restorecon /data
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2016-02-02 18:15:59 +01:00
|
|
|
# Make sure we have the device encryption key.
|
2015-04-29 00:07:10 +02:00
|
|
|
installkey /data
|
|
|
|
|
|
2014-12-05 06:45:02 +01:00
|
|
|
# Start bootcharting as soon as possible after the data partition is
|
|
|
|
|
# mounted to collect more data.
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/bootchart 0755 shell shell encryption=Require
|
2016-11-11 02:43:47 +01:00
|
|
|
bootchart start
|
2014-12-05 06:45:02 +01:00
|
|
|
|
2021-04-08 19:04:43 +02:00
|
|
|
# Avoid predictable entropy pool. Carry over entropy from previous boot.
|
|
|
|
|
copy /data/system/entropy.dat /dev/urandom
|
|
|
|
|
|
2020-10-16 19:02:40 +02:00
|
|
|
mkdir /data/vendor 0771 root root encryption=Require
|
|
|
|
|
mkdir /data/vendor/hardware 0771 root root
|
|
|
|
|
|
2020-10-01 22:01:15 +02:00
|
|
|
# Start tombstoned early to be able to store tombstones.
|
2020-12-17 16:32:50 +01:00
|
|
|
mkdir /data/anr 0775 system system encryption=Require
|
2024-02-23 21:54:27 +01:00
|
|
|
mkdir /data/tombstones 0775 system system encryption=Require
|
2020-10-01 22:01:15 +02:00
|
|
|
mkdir /data/vendor/tombstones 0771 root root
|
|
|
|
|
mkdir /data/vendor/tombstones/wifi 0771 wifi wifi
|
|
|
|
|
start tombstoned
|
|
|
|
|
|
2020-12-17 16:32:50 +01:00
|
|
|
# Make sure that apexd is started in the default namespace
|
|
|
|
|
enter_default_mount_ns
|
|
|
|
|
|
2021-04-08 19:04:43 +02:00
|
|
|
# set up keystore directory structure first so that we can end early boot
|
|
|
|
|
# and start apexd
|
|
|
|
|
mkdir /data/misc 01771 system misc encryption=Require
|
|
|
|
|
mkdir /data/misc/keystore 0700 keystore keystore
|
|
|
|
|
# work around b/183668221
|
|
|
|
|
restorecon /data/misc /data/misc/keystore
|
|
|
|
|
|
|
|
|
|
# Boot level 30
|
|
|
|
|
# odsign signing keys have MAX_BOOT_LEVEL=30
|
|
|
|
|
# This is currently the earliest boot level, but we start at 30
|
|
|
|
|
# to leave room for earlier levels.
|
|
|
|
|
setprop keystore.boot_level 30
|
|
|
|
|
|
|
|
|
|
# Now that /data is mounted and we have created /data/misc/keystore,
|
|
|
|
|
# we can tell keystore to stop allowing use of early-boot keys,
|
|
|
|
|
# and access its database for the first time to support creation and
|
|
|
|
|
# use of MAX_BOOT_LEVEL keys.
|
|
|
|
|
exec - system system -- /system/bin/vdc keymaster earlyBootEnded
|
|
|
|
|
|
2021-11-16 21:28:29 +01:00
|
|
|
# Multi-installed APEXes are selected using persist props.
|
|
|
|
|
# Load persist properties and override properties (if enabled) from /data,
|
|
|
|
|
# before starting apexd.
|
2022-08-18 02:56:18 +02:00
|
|
|
# /data/property should be created before `load_persist_props`
|
|
|
|
|
mkdir /data/property 0700 root root encryption=Require
|
2021-11-16 21:28:29 +01:00
|
|
|
load_persist_props
|
2022-08-18 02:56:18 +02:00
|
|
|
|
2021-11-16 21:28:29 +01:00
|
|
|
start logd
|
|
|
|
|
start logd-reinit
|
2022-08-18 02:56:18 +02:00
|
|
|
|
2021-11-16 21:28:29 +01:00
|
|
|
# Some existing vendor rc files use 'on load_persist_props_action' to know
|
|
|
|
|
# when persist props are ready. These are difficult to change due to GRF,
|
|
|
|
|
# so continue triggering this action here even though props are already loaded
|
|
|
|
|
# by the 'load_persist_props' call above.
|
|
|
|
|
trigger load_persist_props_action
|
|
|
|
|
|
2019-02-22 14:15:25 +01:00
|
|
|
# /data/apex is now available. Start apexd to scan and activate APEXes.
|
2021-04-28 19:15:38 +02:00
|
|
|
#
|
2023-01-18 03:17:13 +01:00
|
|
|
# To handle userspace reboots, make sure that apexd is started cleanly here
|
|
|
|
|
# (set apexd.status="") and that it is restarted if it's already running.
|
2022-05-12 01:31:08 +02:00
|
|
|
#
|
|
|
|
|
# /data/apex uses encryption=None because direct I/O support is needed on
|
|
|
|
|
# APEX files, but some devices don't support direct I/O on encrypted files.
|
|
|
|
|
# Also, APEXes are public information, similar to the system image.
|
|
|
|
|
# /data/apex/decompressed and /data/apex/ota_reserved override this setting;
|
|
|
|
|
# they are encrypted so that files in them can be hard-linked into
|
|
|
|
|
# /data/rollback which is encrypted.
|
2020-04-21 21:50:53 +02:00
|
|
|
mkdir /data/apex 0755 root system encryption=None
|
|
|
|
|
mkdir /data/apex/active 0755 root system
|
2019-02-22 14:15:25 +01:00
|
|
|
mkdir /data/apex/backup 0700 root system
|
2021-04-27 22:44:10 +02:00
|
|
|
mkdir /data/apex/decompressed 0755 root system encryption=Require
|
2019-04-18 04:01:35 +02:00
|
|
|
mkdir /data/apex/hashtree 0700 root system
|
2019-02-22 14:15:25 +01:00
|
|
|
mkdir /data/apex/sessions 0700 root system
|
2020-12-09 22:05:28 +01:00
|
|
|
mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary
|
2021-02-10 15:32:17 +01:00
|
|
|
mkdir /data/apex/ota_reserved 0700 root system encryption=Require
|
2021-04-28 19:15:38 +02:00
|
|
|
setprop apexd.status ""
|
|
|
|
|
restart apexd
|
2018-08-17 13:52:25 +02:00
|
|
|
|
2021-04-08 19:04:43 +02:00
|
|
|
# create rest of basic filesystem structure
|
2017-07-14 19:37:57 +02:00
|
|
|
mkdir /data/misc/recovery 0770 system log
|
2017-07-26 22:18:15 +02:00
|
|
|
copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
|
|
|
|
|
chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
|
|
|
|
|
chown system log /data/misc/recovery/ro.build.fingerprint.1
|
|
|
|
|
write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint}
|
|
|
|
|
chmod 0440 /data/misc/recovery/ro.build.fingerprint
|
|
|
|
|
chown system log /data/misc/recovery/ro.build.fingerprint
|
2017-07-14 19:37:57 +02:00
|
|
|
mkdir /data/misc/recovery/proc 0770 system log
|
|
|
|
|
copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1
|
|
|
|
|
chmod 0440 /data/misc/recovery/proc/version.1
|
|
|
|
|
chown system log /data/misc/recovery/proc/version.1
|
|
|
|
|
copy /proc/version /data/misc/recovery/proc/version
|
|
|
|
|
chmod 0440 /data/misc/recovery/proc/version
|
|
|
|
|
chown system log /data/misc/recovery/proc/version
|
2016-09-20 20:52:14 +02:00
|
|
|
mkdir /data/misc/bluedroid 02770 bluetooth bluetooth
|
2015-06-20 04:12:46 +02:00
|
|
|
# Fix the access permissions and group ownership for 'bt_config.conf'
|
|
|
|
|
chmod 0660 /data/misc/bluedroid/bt_config.conf
|
2016-09-20 20:52:14 +02:00
|
|
|
chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf
|
|
|
|
|
mkdir /data/misc/bluetooth 0770 bluetooth bluetooth
|
|
|
|
|
mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth
|
2020-07-08 11:08:16 +02:00
|
|
|
mkdir /data/misc/nfc 0770 nfc nfc
|
|
|
|
|
mkdir /data/misc/nfc/logs 0770 nfc nfc
|
2019-10-28 18:42:14 +01:00
|
|
|
mkdir /data/misc/credstore 0700 credstore credstore
|
2015-04-16 22:16:24 +02:00
|
|
|
mkdir /data/misc/gatekeeper 0700 system system
|
2011-07-01 07:50:29 +02:00
|
|
|
mkdir /data/misc/keychain 0771 system system
|
2014-07-08 07:09:54 +02:00
|
|
|
mkdir /data/misc/net 0750 root shell
|
2013-07-16 18:46:17 +02:00
|
|
|
mkdir /data/misc/radio 0770 system radio
|
2012-09-27 01:04:27 +02:00
|
|
|
mkdir /data/misc/sms 0770 system radio
|
2017-11-21 21:31:57 +01:00
|
|
|
mkdir /data/misc/carrierid 0770 system radio
|
2018-05-21 16:53:00 +02:00
|
|
|
mkdir /data/misc/apns 0770 system radio
|
2019-10-14 22:24:58 +02:00
|
|
|
mkdir /data/misc/emergencynumberdb 0770 system radio
|
2017-10-27 17:35:35 +02:00
|
|
|
mkdir /data/misc/network_watchlist 0774 system system
|
2024-01-13 15:52:46 +01:00
|
|
|
mkdir /data/misc/telephonyconfig 0770 system radio
|
2017-04-27 19:46:59 +02:00
|
|
|
mkdir /data/misc/textclassifier 0771 system system
|
2011-07-09 05:03:03 +02:00
|
|
|
mkdir /data/misc/vpn 0770 system vpn
|
2014-05-22 19:40:21 +02:00
|
|
|
mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
|
2010-01-06 22:18:12 +01:00
|
|
|
mkdir /data/misc/systemkeys 0700 system system
|
2009-07-09 00:42:08 +02:00
|
|
|
mkdir /data/misc/wifi 0770 wifi wifi
|
2014-01-29 19:53:03 +01:00
|
|
|
mkdir /data/misc/wifi/sockets 0770 wifi wifi
|
|
|
|
|
mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
|
2014-03-10 09:13:07 +01:00
|
|
|
mkdir /data/misc/ethernet 0770 system system
|
2014-01-29 19:53:03 +01:00
|
|
|
mkdir /data/misc/dhcp 0770 dhcp dhcp
|
2014-04-25 16:21:35 +02:00
|
|
|
mkdir /data/misc/user 0771 root root
|
2014-01-29 19:53:03 +01:00
|
|
|
# give system access to wpa_supplicant.conf for backup and restore
|
2009-07-02 21:08:13 +02:00
|
|
|
chmod 0660 /data/misc/wifi/wpa_supplicant.conf
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/local 0751 root root encryption=Require
|
2013-02-22 23:54:45 +01:00
|
|
|
mkdir /data/misc/media 0700 media media
|
2016-02-24 00:23:46 +01:00
|
|
|
mkdir /data/misc/audioserver 0700 audioserver audioserver
|
2016-03-01 21:45:27 +01:00
|
|
|
mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
|
2015-06-03 14:33:43 +02:00
|
|
|
mkdir /data/misc/vold 0700 root root
|
2015-06-15 11:49:35 +02:00
|
|
|
mkdir /data/misc/boottrace 0771 system shell
|
2015-10-07 20:00:55 +02:00
|
|
|
mkdir /data/misc/update_engine 0700 root root
|
2017-11-03 18:59:36 +01:00
|
|
|
mkdir /data/misc/update_engine_log 02750 root log
|
2015-11-10 20:16:43 +01:00
|
|
|
mkdir /data/misc/trace 0700 root root
|
2017-11-27 18:54:31 +01:00
|
|
|
# create location to store surface and window trace files
|
|
|
|
|
mkdir /data/misc/wmtrace 0700 system system
|
2021-02-09 20:54:46 +01:00
|
|
|
# create location to store accessibility trace files
|
|
|
|
|
mkdir /data/misc/a11ytrace 0700 system system
|
2016-02-01 20:27:01 +01:00
|
|
|
# profile file layout
|
|
|
|
|
mkdir /data/misc/profiles 0771 system system
|
|
|
|
|
mkdir /data/misc/profiles/cur 0771 system system
|
2021-05-14 20:28:04 +02:00
|
|
|
mkdir /data/misc/profiles/ref 0771 system system
|
2016-05-28 23:10:38 +02:00
|
|
|
mkdir /data/misc/profman 0770 system shell
|
2017-02-22 02:27:02 +01:00
|
|
|
mkdir /data/misc/gcov 0770 root root
|
2019-08-16 21:39:17 +02:00
|
|
|
mkdir /data/misc/installd 0700 root root
|
2020-01-17 12:41:04 +01:00
|
|
|
mkdir /data/misc/apexdata 0711 root root
|
2019-12-02 19:24:12 +01:00
|
|
|
mkdir /data/misc/apexrollback 0700 root root
|
2020-12-23 16:26:11 +01:00
|
|
|
mkdir /data/misc/appcompat/ 0700 system system
|
2023-11-21 18:32:33 +01:00
|
|
|
mkdir /data/misc/uprobestats-configs/ 0777 uprobestats uprobestats
|
2020-02-09 01:38:56 +01:00
|
|
|
mkdir /data/misc/snapshotctl_log 0755 root root
|
2020-01-02 03:57:30 +01:00
|
|
|
# create location to store pre-reboot information
|
|
|
|
|
mkdir /data/misc/prereboot 0700 system system
|
2021-04-09 16:04:15 +02:00
|
|
|
# directory used for on-device refresh metrics file.
|
|
|
|
|
mkdir /data/misc/odrefresh 0777 system system
|
2020-11-27 12:21:34 +01:00
|
|
|
# directory used for on-device signing key blob
|
2022-03-09 19:35:33 +01:00
|
|
|
mkdir /data/misc/odsign 0710 root system
|
|
|
|
|
# directory used for odsign metrics
|
|
|
|
|
mkdir /data/misc/odsign/metrics 0770 root system
|
2023-12-19 11:38:27 +01:00
|
|
|
# directory used for connectivity blob store.
|
|
|
|
|
mkdir /data/misc/connectivityblobdb 0770 system system
|
2022-07-14 23:53:47 +02:00
|
|
|
|
2022-04-27 18:27:19 +02:00
|
|
|
# Directory for VirtualizationService temporary image files.
|
|
|
|
|
# Delete any stale files owned by the old virtualizationservice uid (b/230056726).
|
|
|
|
|
chmod 0770 /data/misc/virtualizationservice
|
|
|
|
|
exec - virtualizationservice system -- /bin/rm -rf /data/misc/virtualizationservice
|
2022-12-17 14:41:25 +01:00
|
|
|
mkdir /data/misc/virtualizationservice 0771 system system
|
2013-10-01 15:21:47 +02:00
|
|
|
|
2022-05-12 01:31:08 +02:00
|
|
|
# /data/preloads uses encryption=None because it only contains preloaded
|
|
|
|
|
# files that are public information, similar to the system image.
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/preloads 0775 system system encryption=None
|
2018-10-24 16:29:16 +02:00
|
|
|
|
2012-03-14 23:22:54 +01:00
|
|
|
# For security reasons, /data/local/tmp should always be empty.
|
|
|
|
|
# Do not place files or directories in /data/local/tmp
|
2009-03-04 04:32:55 +01:00
|
|
|
mkdir /data/local/tmp 0771 shell shell
|
2018-01-18 23:23:51 +01:00
|
|
|
mkdir /data/local/traces 0777 shell shell
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/app-private 0771 system system encryption=Require
|
|
|
|
|
mkdir /data/app-ephemeral 0771 system system encryption=Require
|
|
|
|
|
mkdir /data/app-asec 0700 root root encryption=Require
|
|
|
|
|
mkdir /data/app-lib 0771 system system encryption=Require
|
|
|
|
|
mkdir /data/app 0771 system system encryption=Require
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2024-04-24 02:06:01 +02:00
|
|
|
# Create directory for app metadata files
|
|
|
|
|
mkdir /data/app-metadata 0700 system system encryption=Require
|
|
|
|
|
|
2020-11-18 05:06:49 +01:00
|
|
|
# create directory for updated font files.
|
|
|
|
|
mkdir /data/fonts/ 0771 root root encryption=Require
|
|
|
|
|
mkdir /data/fonts/files 0771 system system
|
|
|
|
|
mkdir /data/fonts/config 0770 system system
|
|
|
|
|
|
2020-09-01 01:15:28 +02:00
|
|
|
# Create directories to push tests to for each linker namespace.
|
|
|
|
|
# Create the subdirectories in case the first test is run as root
|
|
|
|
|
# so it doesn't end up owned by root.
|
2021-09-08 21:36:24 +02:00
|
|
|
# Set directories to be executable by any process so that debuggerd,
|
|
|
|
|
# aka crash_dump, can read any executables/shared libraries.
|
|
|
|
|
mkdir /data/local/tests 0701 shell shell
|
|
|
|
|
mkdir /data/local/tests/product 0701 shell shell
|
|
|
|
|
mkdir /data/local/tests/system 0701 shell shell
|
|
|
|
|
mkdir /data/local/tests/unrestricted 0701 shell shell
|
|
|
|
|
mkdir /data/local/tests/vendor 0701 shell shell
|
2020-09-01 01:15:28 +02:00
|
|
|
|
2011-07-09 01:52:18 +02:00
|
|
|
# create dalvik-cache, so as to enforce our permissions
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/dalvik-cache 0771 root root encryption=Require
|
2015-12-08 18:33:07 +01:00
|
|
|
# create the A/B OTA directory, so as to enforce our permissions
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/ota 0771 root root encryption=Require
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2016-05-26 01:41:08 +02:00
|
|
|
# create the OTA package directory. It will be accessed by GmsCore (cache
|
|
|
|
|
# group), update_engine and update_verifier.
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/ota_package 0770 system cache encryption=Require
|
2016-05-26 01:41:08 +02:00
|
|
|
|
2011-05-30 10:24:54 +02:00
|
|
|
# create resource-cache and double-check the perms
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/resource-cache 0771 system system encryption=Require
|
2011-05-30 10:24:54 +02:00
|
|
|
chown system system /data/resource-cache
|
|
|
|
|
chmod 0771 /data/resource-cache
|
|
|
|
|
|
2022-05-12 01:31:08 +02:00
|
|
|
# Ensure that lost+found exists and has the correct permissions. Linux
|
|
|
|
|
# filesystems expect this directory to exist; it's where the fsck tool puts
|
|
|
|
|
# any recovered files that weren't present in any directory. It must be
|
|
|
|
|
# unencrypted, as fsck must be able to write to it.
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/lost+found 0770 root root encryption=None
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2012-01-07 00:19:26 +01:00
|
|
|
# create directory for DRM plug-ins - give drm the read/write access to
|
|
|
|
|
# the following directory.
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/drm 0770 drm drm encryption=Require
|
2010-07-27 01:38:35 +02:00
|
|
|
|
2013-04-24 04:54:17 +02:00
|
|
|
# create directory for MediaDrm plug-ins - give drm the read/write access to
|
|
|
|
|
# the following directory.
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require
|
2013-04-24 04:54:17 +02:00
|
|
|
|
2017-11-21 19:40:25 +01:00
|
|
|
# NFC: create data/nfc for nv storage
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/nfc 0770 nfc nfc encryption=Require
|
2017-11-21 19:40:25 +01:00
|
|
|
mkdir /data/nfc/param 0770 nfc nfc
|
|
|
|
|
|
2015-03-26 16:49:42 +01:00
|
|
|
# Create all remaining /data root dirs so that they are made through init
|
|
|
|
|
# and get proper encryption policy installed
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/backup 0700 system system encryption=Require
|
|
|
|
|
mkdir /data/ss 0700 system system encryption=Require
|
2015-11-10 02:07:35 +01:00
|
|
|
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/system 0775 system system encryption=Require
|
2021-03-30 12:49:05 +02:00
|
|
|
mkdir /data/system/environ 0700 system system
|
|
|
|
|
# b/183861600 attempt to fix selinux label before running derive_classpath service
|
|
|
|
|
restorecon /data/system/environ
|
2018-04-17 01:04:38 +02:00
|
|
|
mkdir /data/system/dropbox 0700 system system
|
2015-04-08 01:44:08 +02:00
|
|
|
mkdir /data/system/heapdump 0700 system system
|
2016-04-15 05:09:34 +02:00
|
|
|
mkdir /data/system/users 0775 system system
|
2023-02-08 04:25:21 +01:00
|
|
|
# Mkdir and set SELinux security contexts for shutdown-checkpoints.
|
|
|
|
|
# TODO(b/270286197): remove these after couple releases.
|
|
|
|
|
mkdir /data/system/shutdown-checkpoints 0700 system system
|
|
|
|
|
restorecon_recursive /data/system/shutdown-checkpoints
|
2016-02-03 22:44:44 +01:00
|
|
|
|
2022-05-12 01:31:08 +02:00
|
|
|
# Create the parent directories of the user CE and DE storage directories.
|
|
|
|
|
# These parent directories must use encryption=None, since each of their
|
|
|
|
|
# subdirectories uses a different encryption policy (a per-user one), and
|
|
|
|
|
# encryption policies apply recursively. These directories should never
|
|
|
|
|
# contain any subdirectories other than the per-user ones. /data/media/obb
|
|
|
|
|
# is an exception that exists for legacy reasons.
|
Remove write permission from file mode of top-level user dirs
Due to the work done for b/156305599 ("Ensure no process except vold can
create directories like /data/system_ce/0"), the SELinux policy now
enforces that vold is the only process that can write to directories
that contain per-user encrypted subdirectories. This is essential to
prevent bugs where directories that are supposed to be encrypted get
created too early so are not actually encrypted as intended.
However, this only works when SELinux is in enforcing mode. When
SELinux is in permissive mode, only DAC is enforced, and the file modes
allow other processes to write to many of these directories. That
allows system_server to break things once again.
Therefore, remove the write bit from the file modes so that write access
is always denied to processes that don't have CAP_DAC_OVERRIDE. This is
not as strong a restriction as the SELinux policy, which still applies
independently, but it does keep out system_server by itself.
Also remove the sticky bit from /data/misc_ce and /data/misc_de, since
there is no reason for it. (It probably was originally copied from
/data/misc, which might need it. But misc_{ce,de} don't need it.)
Bug: 285239971
Test: Booted Cuttlefish
Change-Id: I1213a4d18c5f851acf213d786400d79d73777ed0
2023-06-08 22:54:49 +02:00
|
|
|
#
|
|
|
|
|
# Don't use any write mode bits (0222) for any of these directories, since
|
|
|
|
|
# the only process that should write to them directly is vold (since it
|
|
|
|
|
# needs to set up file-based encryption on the subdirectories), which runs
|
|
|
|
|
# as root with CAP_DAC_OVERRIDE. This is also fully enforced via the
|
|
|
|
|
# SELinux policy. But we also set the DAC file modes accordingly, to try to
|
|
|
|
|
# minimize differences in behavior if SELinux is set to permissive mode.
|
|
|
|
|
mkdir /data/media 0550 media_rw media_rw encryption=None
|
|
|
|
|
mkdir /data/misc_ce 0551 system misc encryption=None
|
|
|
|
|
mkdir /data/misc_de 0551 system misc encryption=None
|
|
|
|
|
mkdir /data/system_ce 0550 system system encryption=None
|
|
|
|
|
mkdir /data/system_de 0550 system system encryption=None
|
|
|
|
|
mkdir /data/user 0511 system system encryption=None
|
|
|
|
|
mkdir /data/user_de 0511 system system encryption=None
|
|
|
|
|
mkdir /data/vendor_ce 0551 root root encryption=None
|
|
|
|
|
mkdir /data/vendor_de 0551 root root encryption=None
|
2019-12-12 13:55:03 +01:00
|
|
|
|
2024-01-09 22:54:43 +01:00
|
|
|
# Similar to the top-level CE and DE directories, /data/storage_area must
|
|
|
|
|
# itself be unencrypted, since it contains encrypted directories.
|
|
|
|
|
mkdir /data/storage_area 0551 root root encryption=None
|
|
|
|
|
|
2022-05-17 04:26:16 +02:00
|
|
|
# Set the casefold flag on /data/media. For upgrades, a restorecon can be
|
|
|
|
|
# needed first to relabel the directory from media_rw_data_file.
|
|
|
|
|
restorecon /data/media
|
|
|
|
|
exec - media_rw media_rw -- /system/bin/chattr +F /data/media
|
|
|
|
|
|
2022-03-28 21:05:36 +02:00
|
|
|
# A tmpfs directory, which will contain all apps and sdk sandbox CE and DE
|
|
|
|
|
# data directory that bind mount from the original source.
|
2020-03-04 14:30:09 +01:00
|
|
|
mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
|
2019-12-12 13:55:03 +01:00
|
|
|
restorecon /data_mirror
|
|
|
|
|
mkdir /data_mirror/data_ce 0700 root root
|
|
|
|
|
mkdir /data_mirror/data_de 0700 root root
|
2022-03-28 21:05:36 +02:00
|
|
|
mkdir /data_mirror/misc_ce 0700 root root
|
|
|
|
|
mkdir /data_mirror/misc_de 0700 root root
|
2024-01-09 22:54:43 +01:00
|
|
|
mkdir /data_mirror/storage_area 0700 root root
|
2019-12-12 13:55:03 +01:00
|
|
|
|
|
|
|
|
# Create CE and DE data directory for default volume
|
2024-01-09 22:54:43 +01:00
|
|
|
# Not needed for storage_area directory, since this is
|
|
|
|
|
# not supported for non-default volumes and the path
|
|
|
|
|
# does not include the volume ID
|
2019-12-12 13:55:03 +01:00
|
|
|
mkdir /data_mirror/data_ce/null 0700 root root
|
|
|
|
|
mkdir /data_mirror/data_de/null 0700 root root
|
2022-03-28 21:05:36 +02:00
|
|
|
mkdir /data_mirror/misc_ce/null 0700 root root
|
|
|
|
|
mkdir /data_mirror/misc_de/null 0700 root root
|
2019-12-12 13:55:03 +01:00
|
|
|
|
2022-05-11 07:33:21 +02:00
|
|
|
# Bind mount CE and DE data directory to mirror's default volume directory.
|
2022-10-26 19:49:01 +02:00
|
|
|
# Note that because the /data mount has the "shared" propagation type, the
|
|
|
|
|
# later bind mount of /data/data onto /data/user/0 will automatically
|
|
|
|
|
# propagate to /data_mirror/data_ce/null/0 as well.
|
|
|
|
|
mount none /data/user /data_mirror/data_ce/null bind rec
|
2019-12-12 13:55:03 +01:00
|
|
|
mount none /data/user_de /data_mirror/data_de/null bind rec
|
2022-03-28 21:05:36 +02:00
|
|
|
mount none /data/misc_ce /data_mirror/misc_ce/null bind rec
|
|
|
|
|
mount none /data/misc_de /data_mirror/misc_de/null bind rec
|
2019-12-12 13:55:03 +01:00
|
|
|
|
2024-01-09 22:54:43 +01:00
|
|
|
# Also bind mount for the storage area directory (minus the volume ID)
|
|
|
|
|
mount none /data/storage_area /data_mirror/storage_area bind rec
|
|
|
|
|
|
2019-12-13 18:32:18 +01:00
|
|
|
# Create mirror directory for jit profiles
|
|
|
|
|
mkdir /data_mirror/cur_profiles 0700 root root
|
|
|
|
|
mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec
|
2021-06-08 13:15:14 +02:00
|
|
|
mkdir /data_mirror/ref_profiles 0700 root root
|
|
|
|
|
mount none /data/misc/profiles/ref /data_mirror/ref_profiles bind rec
|
2019-12-13 18:32:18 +01:00
|
|
|
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/cache 0770 system cache encryption=Require
|
2016-06-21 21:04:54 +02:00
|
|
|
mkdir /data/cache/recovery 0770 system cache
|
|
|
|
|
mkdir /data/cache/backup_stage 0700 system system
|
|
|
|
|
mkdir /data/cache/backup 0700 system system
|
|
|
|
|
|
2019-10-28 15:55:03 +01:00
|
|
|
# Delete these if need be, per b/139193659
|
|
|
|
|
mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary
|
|
|
|
|
mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary
|
2020-11-13 08:45:49 +01:00
|
|
|
mkdir /data/rollback-history 0700 system system encryption=DeleteIfNecessary
|
2019-08-09 23:13:41 +02:00
|
|
|
|
2019-12-17 21:41:34 +01:00
|
|
|
# Create root dir for Incremental Service
|
2019-12-20 01:04:11 +01:00
|
|
|
mkdir /data/incremental 0771 system system encryption=Require
|
2019-12-17 21:41:34 +01:00
|
|
|
|
2020-02-19 19:56:17 +01:00
|
|
|
# Create directories for statsd
|
2020-03-05 17:53:11 +01:00
|
|
|
mkdir /data/misc/stats-active-metric/ 0770 statsd system
|
2020-02-19 19:56:17 +01:00
|
|
|
mkdir /data/misc/stats-data/ 0770 statsd system
|
2023-02-14 00:01:07 +01:00
|
|
|
mkdir /data/misc/stats-data/restricted-data 0770 statsd system
|
2020-03-05 17:53:11 +01:00
|
|
|
mkdir /data/misc/stats-metadata/ 0770 statsd system
|
2020-02-19 19:56:17 +01:00
|
|
|
mkdir /data/misc/stats-service/ 0770 statsd system
|
|
|
|
|
mkdir /data/misc/train-info/ 0770 statsd system
|
|
|
|
|
|
2019-02-22 14:15:25 +01:00
|
|
|
# Wait for apexd to finish activating APEXes before starting more processes.
|
2020-02-06 12:55:51 +01:00
|
|
|
wait_for_prop apexd.status activated
|
2019-11-19 19:08:45 +01:00
|
|
|
perform_apex_config
|
2024-05-17 02:46:28 +02:00
|
|
|
exec_start aconfigd-mainline-init
|
|
|
|
|
start aconfigd
|
2019-11-19 19:08:45 +01:00
|
|
|
|
2021-12-23 23:40:00 +01:00
|
|
|
# Create directories for boot animation.
|
2024-04-04 17:48:47 +02:00
|
|
|
mkdir /data/misc/bootanim 0755 system system
|
2021-12-23 23:40:00 +01:00
|
|
|
|
2019-12-05 16:38:37 +01:00
|
|
|
exec_start derive_sdk
|
2019-02-22 14:15:25 +01:00
|
|
|
|
2016-02-01 17:37:13 +01:00
|
|
|
init_user0
|
|
|
|
|
|
2021-01-18 11:14:22 +01:00
|
|
|
# Set SELinux security contexts on upgrade or policy update.
|
|
|
|
|
restorecon --recursive --skip-ce /data
|
|
|
|
|
|
2021-03-30 12:56:40 +02:00
|
|
|
# Define and export *CLASSPATH variables
|
|
|
|
|
# Must start before 'odsign', as odsign depends on *CLASSPATH variables
|
|
|
|
|
exec_start derive_classpath
|
|
|
|
|
load_exports /data/system/environ/classpath
|
|
|
|
|
|
2023-05-15 21:29:00 +02:00
|
|
|
# Start ART's oneshot boot service to propagate boot experiment flags to
|
|
|
|
|
# dalvik.vm.*. This needs to be done before odsign since odrefresh uses and
|
|
|
|
|
# validates those properties against the signed cache-info.xml.
|
|
|
|
|
exec_start art_boot
|
|
|
|
|
|
2020-11-27 12:21:34 +01:00
|
|
|
# Start the on-device signing daemon, and wait for it to finish, to ensure
|
|
|
|
|
# ART artifacts are generated if needed.
|
2021-03-19 12:08:49 +01:00
|
|
|
# Must start after 'derive_classpath' to have *CLASSPATH variables set.
|
2021-03-17 08:44:55 +01:00
|
|
|
start odsign
|
|
|
|
|
|
2023-07-06 19:27:46 +02:00
|
|
|
# Wait for odsign to be done with the key.
|
2021-03-17 08:44:55 +01:00
|
|
|
wait_for_prop odsign.key.done 1
|
2020-11-27 12:21:34 +01:00
|
|
|
|
2021-04-08 19:04:43 +02:00
|
|
|
# Bump the boot level to 1000000000; this prevents further on-device signing.
|
|
|
|
|
# This is a special value that shuts down the thread which listens for
|
|
|
|
|
# further updates.
|
|
|
|
|
setprop keystore.boot_level 1000000000
|
2021-03-09 10:57:00 +01:00
|
|
|
|
2020-01-23 20:52:42 +01:00
|
|
|
# Allow apexd to snapshot and restore device encrypted apex data in the case
|
|
|
|
|
# of a rollback. This should be done immediately after DE_user data keys
|
|
|
|
|
# are loaded. APEXes should not access this data until this has been
|
2020-02-06 12:55:51 +01:00
|
|
|
# completed and apexd.status becomes "ready".
|
2020-01-23 20:52:42 +01:00
|
|
|
exec_start apexd-snapshotde
|
|
|
|
|
|
2019-02-01 01:27:23 +01:00
|
|
|
# sys.memfd_use set to false by default, which keeps it disabled
|
|
|
|
|
# until it is confirmed that apps and vendor processes don't make
|
|
|
|
|
# IOCTLs on ashmem fds any more.
|
|
|
|
|
setprop sys.use_memfd false
|
|
|
|
|
|
2019-04-19 19:58:39 +02:00
|
|
|
# Set fscklog permission
|
|
|
|
|
chown root system /dev/fscklogs/log
|
|
|
|
|
chmod 0770 /dev/fscklogs/log
|
|
|
|
|
|
2020-02-10 21:24:40 +01:00
|
|
|
# Enable FUSE by default
|
|
|
|
|
setprop persist.sys.fuse true
|
|
|
|
|
|
2022-10-21 02:45:05 +02:00
|
|
|
# Update dm-verity state and set partition.*.verified properties.
|
|
|
|
|
verity_update_state
|
|
|
|
|
|
2017-04-20 23:37:55 +02:00
|
|
|
# It is recommended to put unnecessary data/ initialization from post-fs-data
|
|
|
|
|
# to start-zygote in device's init.rc to unblock zygote start.
|
2023-07-11 01:13:44 +02:00
|
|
|
on zygote-start
|
2021-03-17 08:44:55 +01:00
|
|
|
wait_for_prop odsign.verification.done 1
|
2017-04-20 23:37:55 +02:00
|
|
|
# A/B update verifier that marks a successful boot.
|
2023-07-11 01:48:38 +02:00
|
|
|
exec_start update_verifier
|
2020-06-24 05:32:54 +02:00
|
|
|
start statsd
|
2017-04-20 23:37:55 +02:00
|
|
|
start netd
|
|
|
|
|
start zygote
|
|
|
|
|
start zygote_secondary
|
2017-03-09 21:35:02 +01:00
|
|
|
|
2019-04-02 16:01:43 +02:00
|
|
|
on boot && property:ro.config.low_ram=true
|
|
|
|
|
# Tweak background writeout
|
|
|
|
|
write /proc/sys/vm/dirty_expire_centisecs 200
|
|
|
|
|
write /proc/sys/vm/dirty_background_ratio 5
|
|
|
|
|
|
2023-08-16 19:16:50 +02:00
|
|
|
on boot && property:suspend.disable_sync_on_suspend=true
|
|
|
|
|
write /sys/power/sync_on_suspend 0
|
|
|
|
|
|
2009-03-04 04:32:55 +01:00
|
|
|
on boot
|
2014-06-19 05:35:40 +02:00
|
|
|
# basic network init
|
2009-03-04 04:32:55 +01:00
|
|
|
ifup lo
|
|
|
|
|
hostname localhost
|
|
|
|
|
domainname localdomain
|
|
|
|
|
|
2018-03-13 03:00:50 +01:00
|
|
|
# IPsec SA default expiration length
|
|
|
|
|
write /proc/sys/net/core/xfrm_acq_expires 3600
|
|
|
|
|
|
2014-06-19 05:35:40 +02:00
|
|
|
# Memory management. Basic kernel parameters, and allow the high
|
|
|
|
|
# level system server to be able to adjust the kernel OOM driver
|
|
|
|
|
# parameters to match how it is managing things.
|
2009-03-04 04:32:55 +01:00
|
|
|
write /proc/sys/vm/overcommit_memory 1
|
2009-03-13 21:04:37 +01:00
|
|
|
write /proc/sys/vm/min_free_order_shift 4
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2019-01-09 20:28:59 +01:00
|
|
|
# System server manages zram writeback
|
|
|
|
|
chown root system /sys/block/zram0/idle
|
|
|
|
|
chmod 0664 /sys/block/zram0/idle
|
|
|
|
|
chown root system /sys/block/zram0/writeback
|
|
|
|
|
chmod 0664 /sys/block/zram0/writeback
|
|
|
|
|
|
2020-07-21 02:34:47 +02:00
|
|
|
# to access F2FS sysfs on dm-<num> directly
|
|
|
|
|
mkdir /dev/sys/fs/by-name 0755 system system
|
2021-05-26 05:12:11 +02:00
|
|
|
symlink /sys/fs/f2fs/${dev.mnt.dev.data} /dev/sys/fs/by-name/userdata
|
2020-07-21 02:34:47 +02:00
|
|
|
|
2022-03-05 00:06:02 +01:00
|
|
|
# dev.mnt.dev.data=dm-N, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0, or
|
|
|
|
|
# dev.mnt.dev.data=sdaN/mmcblk0pN, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0
|
2020-07-21 02:34:47 +02:00
|
|
|
mkdir /dev/sys/block/by-name 0755 system system
|
2022-02-15 10:05:06 +01:00
|
|
|
symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata
|
2022-03-05 00:06:02 +01:00
|
|
|
symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk
|
2020-07-21 02:34:47 +02:00
|
|
|
|
2019-04-02 16:01:43 +02:00
|
|
|
# F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs,
|
2019-03-29 17:16:51 +01:00
|
|
|
# to avoid power consumption when system becomes mostly idle. Be careful
|
|
|
|
|
# to make it too large, since it may bring userdata loss, if they
|
|
|
|
|
# are not aware of using fsync()/sync() to prepare sudden power-cut.
|
2020-07-21 02:34:47 +02:00
|
|
|
write /dev/sys/fs/by-name/userdata/cp_interval 200
|
|
|
|
|
write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50
|
2022-11-29 22:04:12 +01:00
|
|
|
write /dev/sys/fs/by-name/userdata/iostat_period_ms 1000
|
2020-07-21 02:34:47 +02:00
|
|
|
write /dev/sys/fs/by-name/userdata/iostat_enable 1
|
2019-03-29 17:16:51 +01:00
|
|
|
|
2022-04-29 20:49:07 +02:00
|
|
|
# set readahead multiplier for POSIX_FADV_SEQUENTIAL files
|
2023-06-28 23:35:30 +02:00
|
|
|
write /dev/sys/fs/by-name/userdata/seq_file_ra_mul 128
|
2022-04-29 20:49:07 +02:00
|
|
|
|
2019-11-28 00:42:10 +01:00
|
|
|
# limit discard size to 128MB in order to avoid long IO latency
|
|
|
|
|
# for filesystem tuning first (dm or sda)
|
2022-03-05 00:06:02 +01:00
|
|
|
# this requires enabling selinux entry for sda/mmcblk0 in vendor side
|
2020-07-21 02:34:47 +02:00
|
|
|
write /dev/sys/block/by-name/userdata/queue/discard_max_bytes 134217728
|
2022-03-05 00:06:02 +01:00
|
|
|
write /dev/sys/block/by-name/rootdisk/queue/discard_max_bytes 134217728
|
2019-11-28 00:42:10 +01:00
|
|
|
|
2009-03-04 04:32:55 +01:00
|
|
|
# Permissions for System Server and daemons.
|
2012-05-03 02:57:50 +02:00
|
|
|
chown system system /sys/power/autosleep
|
2012-04-11 23:48:51 +02:00
|
|
|
|
|
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
|
2012-12-21 03:52:03 +01:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
|
2012-04-11 23:48:51 +02:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
|
|
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
|
2012-12-21 03:52:03 +01:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
|
2012-04-11 23:48:51 +02:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
|
2012-04-19 22:17:24 +02:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
|
2012-04-25 00:37:13 +02:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
|
2012-05-04 00:20:48 +02:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
|
2012-04-28 05:21:18 +02:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
|
2012-12-20 02:43:06 +01:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
|
2013-03-25 21:17:13 +01:00
|
|
|
chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
|
|
|
|
|
chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
|
2012-04-11 23:48:51 +02:00
|
|
|
|
2017-03-09 02:36:18 +01:00
|
|
|
chown system system /sys/class/leds/vibrator/trigger
|
|
|
|
|
chown system system /sys/class/leds/vibrator/activate
|
|
|
|
|
chown system system /sys/class/leds/vibrator/brightness
|
|
|
|
|
chown system system /sys/class/leds/vibrator/duration
|
|
|
|
|
chown system system /sys/class/leds/vibrator/state
|
2009-03-04 04:32:55 +01:00
|
|
|
chown system system /sys/class/timed_output/vibrator/enable
|
|
|
|
|
chown system system /sys/class/leds/keyboard-backlight/brightness
|
|
|
|
|
chown system system /sys/class/leds/lcd-backlight/brightness
|
|
|
|
|
chown system system /sys/class/leds/button-backlight/brightness
|
2009-03-19 01:39:49 +01:00
|
|
|
chown system system /sys/class/leds/jogball-backlight/brightness
|
2009-03-04 04:32:55 +01:00
|
|
|
chown system system /sys/class/leds/red/brightness
|
|
|
|
|
chown system system /sys/class/leds/green/brightness
|
|
|
|
|
chown system system /sys/class/leds/blue/brightness
|
|
|
|
|
chown system system /sys/class/leds/red/device/grpfreq
|
|
|
|
|
chown system system /sys/class/leds/red/device/grppwm
|
|
|
|
|
chown system system /sys/class/leds/red/device/blink
|
|
|
|
|
chown system system /sys/module/sco/parameters/disable_esco
|
|
|
|
|
chown system system /sys/kernel/ipv4/tcp_wmem_min
|
|
|
|
|
chown system system /sys/kernel/ipv4/tcp_wmem_def
|
|
|
|
|
chown system system /sys/kernel/ipv4/tcp_wmem_max
|
|
|
|
|
chown system system /sys/kernel/ipv4/tcp_rmem_min
|
|
|
|
|
chown system system /sys/kernel/ipv4/tcp_rmem_def
|
|
|
|
|
chown system system /sys/kernel/ipv4/tcp_rmem_max
|
|
|
|
|
chown root radio /proc/cmdline
|
2022-06-09 10:41:18 +02:00
|
|
|
chown root system /proc/bootconfig
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2014-06-19 05:35:40 +02:00
|
|
|
# Define default initial receive window size in segments.
|
2021-03-17 06:59:02 +01:00
|
|
|
setprop net.tcp_def_init_rwnd 60
|
2014-02-21 21:05:01 +01:00
|
|
|
|
2017-03-24 17:23:07 +01:00
|
|
|
# Start standard binderized HAL daemons
|
|
|
|
|
class_start hal
|
|
|
|
|
|
2010-12-04 01:33:31 +01:00
|
|
|
class_start core
|
|
|
|
|
|
|
|
|
|
on nonencrypted
|
2014-01-30 19:43:52 +01:00
|
|
|
class_start main
|
2010-12-04 01:33:31 +01:00
|
|
|
class_start late_start
|
|
|
|
|
|
2014-06-26 22:55:03 +02:00
|
|
|
on property:sys.init_log_level=*
|
|
|
|
|
loglevel ${sys.init_log_level}
|
|
|
|
|
|
2011-08-25 00:28:23 +02:00
|
|
|
on charger
|
|
|
|
|
class_start charger
|
|
|
|
|
|
2016-11-11 02:43:47 +01:00
|
|
|
on property:sys.boot_completed=1
|
|
|
|
|
bootchart stop
|
2019-09-12 00:02:44 +02:00
|
|
|
# Setup per_boot directory so other .rc could start to use it on boot_completed
|
|
|
|
|
exec - system system -- /bin/rm -rf /data/per_boot
|
2019-10-28 15:55:03 +01:00
|
|
|
mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref
|
2016-11-11 02:43:47 +01:00
|
|
|
|
2014-02-21 21:05:01 +01:00
|
|
|
# system server cannot write to /proc/sys files,
|
|
|
|
|
# and chown/chmod does not work for /proc/sys/ entries.
|
|
|
|
|
# So proxy writes through init.
|
2013-07-25 19:34:30 +02:00
|
|
|
on property:sys.sysctl.extra_free_kbytes=*
|
2021-07-22 00:16:20 +02:00
|
|
|
exec -- /system/bin/extra_free_kbytes.sh ${sys.sysctl.extra_free_kbytes}
|
2014-06-19 05:35:40 +02:00
|
|
|
|
2021-02-11 03:38:05 +01:00
|
|
|
# Allow users to drop caches
|
|
|
|
|
on property:perf.drop_caches=3
|
|
|
|
|
write /proc/sys/vm/drop_caches 3
|
|
|
|
|
setprop perf.drop_caches 0
|
|
|
|
|
|
2014-02-21 21:05:01 +01:00
|
|
|
# "tcp_default_init_rwnd" Is too long!
|
2020-10-15 15:09:25 +02:00
|
|
|
on property:net.tcp_def_init_rwnd=*
|
|
|
|
|
write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}
|
2014-02-21 21:05:01 +01:00
|
|
|
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
# perf_event_open syscall security:
|
|
|
|
|
# Newer kernels have the ability to control the use of the syscall via SELinux
|
|
|
|
|
# hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
|
|
|
|
|
# kernel has the hooks. In this case, the system-wide perf_event_paranoid
|
|
|
|
|
# sysctl is set to -1 (unrestricted use), and the SELinux policy is used for
|
|
|
|
|
# controlling access. On older kernels, the paranoid value is the only means of
|
|
|
|
|
# controlling access. It is normally 3 (allow only root), but the shell user
|
|
|
|
|
# can lower it to 1 (allowing thread-scoped pofiling) via security.perf_harden.
|
2022-11-03 02:57:47 +01:00
|
|
|
on load_bpf_programs && property:sys.init.perf_lsm_hooks=1
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
write /proc/sys/kernel/perf_event_paranoid -1
|
|
|
|
|
on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks=""
|
2015-09-04 22:23:01 +02:00
|
|
|
write /proc/sys/kernel/perf_event_paranoid 1
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks=""
|
|
|
|
|
write /proc/sys/kernel/perf_event_paranoid 3
|
|
|
|
|
|
|
|
|
|
# Additionally, simpleperf profiler uses debug.* and security.perf_harden
|
|
|
|
|
# sysprops to be able to indirectly set these sysctls.
|
|
|
|
|
on property:security.perf_harden=0
|
2018-06-29 23:52:47 +02:00
|
|
|
write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}
|
|
|
|
|
write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25}
|
|
|
|
|
write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516}
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
# Default values.
|
2015-09-04 22:23:01 +02:00
|
|
|
on property:security.perf_harden=1
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
write /proc/sys/kernel/perf_event_max_sample_rate 100000
|
|
|
|
|
write /proc/sys/kernel/perf_cpu_time_max_percent 25
|
|
|
|
|
write /proc/sys/kernel/perf_event_mlock_kb 516
|
|
|
|
|
|
2020-10-09 14:59:41 +02:00
|
|
|
# This property can be set only on userdebug/eng. See neverallow rule in
|
|
|
|
|
# /system/sepolicy/private/property.te .
|
|
|
|
|
on property:security.lower_kptr_restrict=1
|
|
|
|
|
write /proc/sys/kernel/kptr_restrict 0
|
|
|
|
|
|
|
|
|
|
on property:security.lower_kptr_restrict=0
|
|
|
|
|
write /proc/sys/kernel/kptr_restrict 2
|
|
|
|
|
|
2013-07-25 19:34:30 +02:00
|
|
|
|
2017-06-28 07:08:45 +02:00
|
|
|
# on shutdown
|
|
|
|
|
# In device's init.rc, this trigger can be used to do device-specific actions
|
|
|
|
|
# before shutdown. e.g disable watchdog and mask error handling
|
|
|
|
|
|
2009-03-04 04:32:55 +01:00
|
|
|
## Daemon processes to be run by init.
|
|
|
|
|
##
|
2018-07-20 23:57:00 +02:00
|
|
|
service ueventd /system/bin/ueventd
|
2010-12-04 01:33:31 +01:00
|
|
|
class core
|
2010-10-28 00:40:23 +02:00
|
|
|
critical
|
2012-01-13 14:54:34 +01:00
|
|
|
seclabel u:r:ueventd:s0
|
2023-04-10 22:55:05 +02:00
|
|
|
user root
|
2017-07-05 20:38:44 +02:00
|
|
|
shutdown critical
|
2010-10-28 00:40:23 +02:00
|
|
|
|
2009-03-04 04:32:55 +01:00
|
|
|
service console /system/bin/sh
|
2010-12-04 01:33:31 +01:00
|
|
|
class core
|
2009-03-04 04:32:55 +01:00
|
|
|
console
|
2010-10-28 00:40:23 +02:00
|
|
|
disabled
|
|
|
|
|
user shell
|
2015-11-08 01:52:17 +01:00
|
|
|
group shell log readproc
|
2013-12-23 20:11:02 +01:00
|
|
|
seclabel u:r:shell:s0
|
2017-10-11 20:18:51 +02:00
|
|
|
setenv HOSTNAME console
|
2020-06-02 19:19:38 +02:00
|
|
|
shutdown critical
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2010-11-19 15:12:27 +01:00
|
|
|
on property:ro.debuggable=1
|
2023-01-20 21:15:28 +01:00
|
|
|
# Give writes to the same group for the trace folder on debug builds,
|
|
|
|
|
# it's further protected by selinux policy.
|
2015-11-10 20:16:43 +01:00
|
|
|
# The folder is used to store method traces.
|
|
|
|
|
chmod 0773 /data/misc/trace
|
2023-01-20 21:15:28 +01:00
|
|
|
# Give writes and reads to anyone for the window trace folder on debug builds,
|
|
|
|
|
# it's further protected by selinux policy.
|
|
|
|
|
chmod 0777 /data/misc/wmtrace
|
2021-02-09 20:54:46 +01:00
|
|
|
# Give reads to anyone for the accessibility trace folder on debug builds.
|
|
|
|
|
chmod 0775 /data/misc/a11ytrace
|
2019-08-27 23:57:32 +02:00
|
|
|
|
|
|
|
|
on init && property:ro.debuggable=1
|
2010-10-28 00:40:23 +02:00
|
|
|
start console
|
2019-10-07 17:26:33 +02:00
|
|
|
|
2019-11-01 21:56:33 +01:00
|
|
|
on userspace-reboot-requested
|
2019-10-07 17:26:33 +02:00
|
|
|
# TODO(b/135984674): reset all necessary properties here.
|
2019-12-20 17:34:48 +01:00
|
|
|
setprop sys.boot_completed ""
|
2020-02-07 18:42:27 +01:00
|
|
|
setprop dev.bootcomplete ""
|
2019-12-20 17:34:48 +01:00
|
|
|
setprop sys.init.updatable_crashing ""
|
|
|
|
|
setprop sys.init.updatable_crashing_process_name ""
|
|
|
|
|
setprop sys.user.0.ce_available ""
|
2019-12-30 17:05:11 +01:00
|
|
|
setprop sys.shutdown.requested ""
|
2020-01-27 18:14:46 +01:00
|
|
|
setprop service.bootanim.exit ""
|
2020-12-15 19:34:47 +01:00
|
|
|
setprop service.bootanim.progress ""
|
2019-10-07 17:26:33 +02:00
|
|
|
|
2019-10-23 21:11:32 +02:00
|
|
|
on userspace-reboot-fs-remount
|
|
|
|
|
# Make sure that vold is running.
|
|
|
|
|
# This is mostly a precaution measure in case vold for some reason wasn't running when
|
|
|
|
|
# userspace reboot was initiated.
|
|
|
|
|
start vold
|
|
|
|
|
exec - system system -- /system/bin/vdc checkpoint resetCheckpoint
|
|
|
|
|
exec - system system -- /system/bin/vdc checkpoint markBootAttempt
|
2020-04-07 01:26:15 +02:00
|
|
|
# Unmount /data_mirror mounts in the reverse order of corresponding mounts.
|
|
|
|
|
umount /data_mirror/data_ce/null/0
|
|
|
|
|
umount /data_mirror/data_ce/null
|
|
|
|
|
umount /data_mirror/data_de/null
|
2024-01-09 22:54:43 +01:00
|
|
|
umount /data_mirror/storage_area/0
|
|
|
|
|
umount /data_mirror/storage_area
|
2020-04-07 01:26:15 +02:00
|
|
|
umount /data_mirror/cur_profiles
|
2021-06-08 13:15:14 +02:00
|
|
|
umount /data_mirror/ref_profiles
|
2020-04-07 01:26:15 +02:00
|
|
|
umount /data_mirror
|
2019-10-23 21:11:32 +02:00
|
|
|
remount_userdata
|
2020-01-27 18:14:46 +01:00
|
|
|
start bootanim
|
2019-10-23 21:11:32 +02:00
|
|
|
|
2019-10-09 16:23:02 +02:00
|
|
|
on userspace-reboot-resume
|
2019-10-23 21:11:32 +02:00
|
|
|
trigger userspace-reboot-fs-remount
|
2019-10-07 17:26:33 +02:00
|
|
|
trigger post-fs-data
|
|
|
|
|
trigger zygote-start
|
|
|
|
|
trigger early-boot
|
|
|
|
|
trigger boot
|
2019-11-13 22:47:06 +01:00
|
|
|
|
|
|
|
|
on property:sys.boot_completed=1 && property:sys.init.userspace_reboot.in_progress=1
|
2020-02-07 00:33:42 +01:00
|
|
|
setprop sys.init.userspace_reboot.in_progress ""
|
2022-04-07 00:07:38 +02:00
|
|
|
|
|
|
|
|
# Multi-Gen LRU Experiment
|
|
|
|
|
on property:persist.device_config.mglru_native.lru_gen_config=none
|
|
|
|
|
write /sys/kernel/mm/lru_gen/enabled 0
|
|
|
|
|
on property:persist.device_config.mglru_native.lru_gen_config=core
|
|
|
|
|
write /sys/kernel/mm/lru_gen/enabled 1
|
|
|
|
|
on property:persist.device_config.mglru_native.lru_gen_config=core_and_mm_walk
|
|
|
|
|
write /sys/kernel/mm/lru_gen/enabled 3
|
|
|
|
|
on property:persist.device_config.mglru_native.lru_gen_config=core_and_nonleaf_young
|
|
|
|
|
write /sys/kernel/mm/lru_gen/enabled 5
|
|
|
|
|
on property:persist.device_config.mglru_native.lru_gen_config=all
|
|
|
|
|
write /sys/kernel/mm/lru_gen/enabled 7
|
2024-03-08 19:49:41 +01:00
|
|
|
|
|
|
|
|
# Allow other processes to run `snapshotctl` through `init`. This requires
|
|
|
|
|
# `set_prop` permission on `snapshotctl_prop`.
|
|
|
|
|
on property:sys.snapshotctl.map=requested
|
|
|
|
|
# "root" is needed to talk to gsid and pass its check on uid.
|
|
|
|
|
# "system" is needed to write to "/dev/socket/snapuserd" to talk to
|
|
|
|
|
# snapuserd.
|
|
|
|
|
exec - root root system -- /system/bin/snapshotctl map
|
|
|
|
|
setprop sys.snapshotctl.map "finished"
|
|
|
|
|
|
|
|
|
|
on property:sys.snapshotctl.unmap=requested
|
|
|
|
|
exec - root root system -- /system/bin/snapshotctl unmap
|
|
|
|
|
setprop sys.snapshotctl.unmap "finished"
|
