# Copyright (C) 2021 The Android Open Source Project
#
# init.rc for microdroid. This contains a minimal script plus basic service definitions (e.g. apexd)
# needed for microdroid to run.
# TODO(b/179340780): support APEX init scripts
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Stage order driven by the late-init action below:
#   early-fs -> fs -> post-fs -> late-fs -> (wait for microdroid_manager.config_done)
#   -> post-fs-data -> early-boot -> boot
# Debug-only behaviour in this file is gated on properties: tracefs mount on
# ro.boot.microdroid.debuggable=1, tracefs chmod on ro.debuggable=1, and adbd on
# init_debug_policy.adbd.enabled=1.

import /init.environ.rc

# Cgroups are mounted right before early-init using list from /etc/cgroups.json
on early-init
    # Android doesn't need kernel module autoloading, and it causes SELinux
    # denials. So disable it by setting modprobe to the empty string. Note: to
    # explicitly set a sysctl to an empty string, a trailing newline is needed.
    write /proc/sys/kernel/modprobe \n

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit nice 40 40

    start ueventd

    # Generate empty linker config to suppress warnings.
    # The file content is a single '#' (the backslash presumably keeps the '#'
    # from being parsed as the start of a comment). Mode 644 keeps the file
    # readable by everyone but writable only by its owner.
    write /linkerconfig/ld.config.txt \#
    chmod 644 /linkerconfig/ld.config.txt

    # Applies debug policy to decide whether to enable adb, adb root, and logcat.
    # We don't directly exec the binary to specify stdio_to_kmsg.
    # (The init_debug_policy service is defined at the end of this file.)
    exec_start init_debug_policy

    # Wait for ueventd to have finished cold boot.
    # This is needed by prng-seeder (at least).
    # (In Android this happens inside apexd-bootstrap.)
    wait_for_prop ro.cold_boot_done true

on init
    mkdir /mnt/apk 0755 root root
    mkdir /mnt/extra-apk 0755 root root

    # Allow the payload access to the console (default is 0600).
    # NOTE(review): 0666 makes /dev/console readable and writable by every user in
    # the VM. This is a deliberate exception to the "no world writable files" rule
    # in the header of this file; any further restriction would have to come from
    # SELinux policy, which is not visible here.
    chmod 0666 /dev/console

    # Microdroid_manager starts apkdmverity/zipfuse/apexd
    start microdroid_manager

    # Wait for apexd to finish activating APEXes before starting more processes.
    # Microdroid starts apexd in VM mode in which apexd doesn't wait for init after setting
    # apexd.status to activated, but immediately transitions to ready. Therefore, it's not safe to
    # wait for the activated status; by the time this line is reached it may already be ready.
    wait_for_prop apexd.status ready
    perform_apex_config

    # Notify microdroid_manager that perform_apex_config is done.
    # Microdroid_manager shouldn't execute payload before this, because app
    # payloads are not designed to run with bootstrap bionic
    setprop apex_config.done true

on property:microdroid_manager.init_done=1
    # Stop ueventd to save memory
    stop ueventd

# Debuggable VMs only: the action fires in the init stage and only when
# ro.boot.microdroid.debuggable=1.
on init && property:ro.boot.microdroid.debuggable=1
    # Mount tracefs (with GID=AID_READTRACEFS)
    mount tracefs tracefs /sys/kernel/tracing gid=3012

# adbd is started only when this property is 1; per the early-init comment the
# decision belongs to init_debug_policy. The adbd service is not defined in this
# file as shown, so it presumably comes from another rc file.
on property:init_debug_policy.adbd.enabled=1
    start adbd

# Mount filesystems and start core system services.
on late-init
    trigger early-fs

    # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
    # '--early' can be specified to skip entries with 'latemount'.
    # /system and /vendor must be mounted by the end of the fs stage,
    # while /data is optional.
    trigger fs
    trigger post-fs

    # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
    # to only mount entries with 'latemount'. This is needed if '--early' is
    # specified in the previous mount_all command on the fs stage.
    # With /system mounted and properties from /system + /factory available,
    # some services can be started.
    trigger late-fs

    # Wait for microdroid_manager to finish setting up sysprops from the payload config.
    # Some further actions in the boot sequence might depend on the sysprops from the payload,
    # e.g. microdroid.config.enable_authfs configures whether to run authfs_service after
    # /data is mounted.
    wait_for_prop microdroid_manager.config_done 1

    trigger post-fs-data

    trigger early-boot
    trigger boot

on post-fs
    # Once everything is set up, no need to modify /.
    # The bind+remount combination allows this to work in containers.
    # The root filesystem becomes read-only (ro) and device nodes on it are
    # ignored (nodev) from this point on.
    mount rootfs rootfs / remount bind ro nodev

    # TODO(b/185767624): change the hard-coded size?
    # /data is a tmpfs capped at 128M. nosuid/nodev/noexec mean that files created
    # under /data cannot gain privileges through setuid bits, cannot act as device
    # nodes, and cannot be executed directly.
    mount tmpfs tmpfs /data noatime nosuid nodev noexec rw size=128M

    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data

    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # set up misc directory structure first so that we can end early boot
    # and start apexd
    # Mode 01771: sticky bit set, rwx for owner (system) and group (misc),
    # execute/search only for others.
    mkdir /data/misc 01771 system misc
    # work around b/183668221
    restorecon /data/misc

    # Accessible to root only.
    mkdir /data/misc/authfs 0700 root root

# NOTE(review): this action is gated on ro.debuggable, whereas the tracefs mount
# above is gated on ro.boot.microdroid.debuggable. Confirm the two properties are
# meant to differ; the chmod below only makes sense if tracefs was mounted.
on late-fs && property:ro.debuggable=1
    # Ensure that tracefs has the correct permissions.
    # This does not work correctly if it is called in post-fs.
    chmod 0755 /sys/kernel/tracing
    chmod 0755 /sys/kernel/debug/tracing

on post-fs-data
    mark_post_data

    mkdir /data/vendor 0771 root root
    mkdir /data/vendor_ce 0771 root root
    mkdir /data/vendor_de 0771 root root
    mkdir /data/vendor/hardware 0771 root root

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local 0751 root root
    mkdir /data/local/tmp 0771 shell shell

# authfs_service is started only after /data is set up and only when
# microdroid_manager has set this property. The service is not defined in this
# file as shown.
on post-fs-data && property:microdroid_manager.authfs.enabled=1
    start authfs_service

on boot
    # Mark boot completed. This will notify microdroid_manager to run payload.
    setprop dev.bootcomplete 1

# apexd in VM mode. 'disabled' means init does not start it on its own (the init
# action above notes that microdroid_manager starts apexd); 'oneshot' means it is
# not restarted after it exits. It runs as root, with capabilities limited to the
# set listed below.
service apexd-vm /system/bin/apexd --vm
    user root
    group system
    oneshot
    disabled
    capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER SYS_ADMIN

# ueventd is started in early-init and stopped once microdroid_manager.init_done=1.
# It runs as root in the ueventd SELinux domain with the capability set below.
# NOTE(review): the set includes SYS_MODULE although early-init disables kernel
# module autoloading; confirm the capability is still required in microdroid.
service ueventd /system/bin/ueventd
    user root
    group root
    class core
    critical
    seclabel u:r:ueventd:s0
    capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD NET_ADMIN SETGID SETUID SYS_MODULE SYS_RAWIO SYS_ADMIN

# Interactive shell on the console, run as the unprivileged shell user in the
# shell SELinux domain. 'disabled' keeps it from starting with its class; nothing
# in this file as shown starts it, so it is presumably started from elsewhere.
# TODO confirm which component does that and under what debug condition.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log readproc
    seclabel u:r:shell:s0
    setenv HOSTNAME console

# Run once via exec_start in early-init. stdio_to_kmsg routes its stdout/stderr
# to the kernel log.
service init_debug_policy /system/bin/init_debug_policy
    user root
    oneshot
    disabled
    stdio_to_kmsg