1*00c7fec1SAndroid Build Coastguard Worker# Copyright (C) 2012 The Android Open Source Project 2*00c7fec1SAndroid Build Coastguard Worker# 3*00c7fec1SAndroid Build Coastguard Worker# IMPORTANT: Do not create world writable files or directories. 4*00c7fec1SAndroid Build Coastguard Worker# This is a common source of Android security bugs. 5*00c7fec1SAndroid Build Coastguard Worker# 6*00c7fec1SAndroid Build Coastguard Worker 7*00c7fec1SAndroid Build Coastguard Workerimport /init.environ.rc 8*00c7fec1SAndroid Build Coastguard Workerimport /system/etc/init/hw/init.usb.rc 9*00c7fec1SAndroid Build Coastguard Workerimport /init.${ro.hardware}.rc 10*00c7fec1SAndroid Build Coastguard Workerimport /vendor/etc/init/hw/init.${ro.hardware}.rc 11*00c7fec1SAndroid Build Coastguard Workerimport /system/etc/init/hw/init.usb.configfs.rc 12*00c7fec1SAndroid Build Coastguard Workerimport /system/etc/init/hw/init.${ro.zygote}.rc 13*00c7fec1SAndroid Build Coastguard Worker 14*00c7fec1SAndroid Build Coastguard Worker# Cgroups are mounted right before early-init using list from /etc/cgroups.json 15*00c7fec1SAndroid Build Coastguard Workeron early-init 16*00c7fec1SAndroid Build Coastguard Worker # Disable sysrq from keyboard 17*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/sysrq 0 18*00c7fec1SAndroid Build Coastguard Worker 19*00c7fec1SAndroid Build Coastguard Worker # Android doesn't need kernel module autoloading, and it causes SELinux 20*00c7fec1SAndroid Build Coastguard Worker # denials. So disable it by setting modprobe to the empty string. Note: to 21*00c7fec1SAndroid Build Coastguard Worker # explicitly set a sysctl to an empty string, a trailing newline is needed. 22*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/modprobe \n 23*00c7fec1SAndroid Build Coastguard Worker 24*00c7fec1SAndroid Build Coastguard Worker # Set the security context of /adb_keys if present. 
25*00c7fec1SAndroid Build Coastguard Worker restorecon /adb_keys 26*00c7fec1SAndroid Build Coastguard Worker 27*00c7fec1SAndroid Build Coastguard Worker # Set the security context of /postinstall if present. 28*00c7fec1SAndroid Build Coastguard Worker restorecon /postinstall 29*00c7fec1SAndroid Build Coastguard Worker 30*00c7fec1SAndroid Build Coastguard Worker mkdir /acct/uid 31*00c7fec1SAndroid Build Coastguard Worker 32*00c7fec1SAndroid Build Coastguard Worker # memory.pressure_level used by lmkd 33*00c7fec1SAndroid Build Coastguard Worker chown root system /dev/memcg/memory.pressure_level 34*00c7fec1SAndroid Build Coastguard Worker chmod 0040 /dev/memcg/memory.pressure_level 35*00c7fec1SAndroid Build Coastguard Worker # app mem cgroups, used by activity manager, lmkd and zygote 36*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/memcg/apps/ 0755 system system 37*00c7fec1SAndroid Build Coastguard Worker # cgroup for system_server and surfaceflinger 38*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/memcg/system 0550 system system 39*00c7fec1SAndroid Build Coastguard Worker 40*00c7fec1SAndroid Build Coastguard Worker # symlink the Android specific /dev/tun to Linux expected /dev/net/tun 41*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/net 0755 root root 42*00c7fec1SAndroid Build Coastguard Worker symlink ../tun /dev/net/tun 43*00c7fec1SAndroid Build Coastguard Worker 44*00c7fec1SAndroid Build Coastguard Worker # set RLIMIT_NICE to allow priorities from 19 to -20 45*00c7fec1SAndroid Build Coastguard Worker setrlimit nice 40 40 46*00c7fec1SAndroid Build Coastguard Worker 47*00c7fec1SAndroid Build Coastguard Worker # Allow up to 32K FDs per process 48*00c7fec1SAndroid Build Coastguard Worker setrlimit nofile 32768 32768 49*00c7fec1SAndroid Build Coastguard Worker 50*00c7fec1SAndroid Build Coastguard Worker # set RLIMIT_MEMLOCK to 64KB 51*00c7fec1SAndroid Build Coastguard Worker setrlimit memlock 65536 65536 52*00c7fec1SAndroid Build Coastguard Worker 
53*00c7fec1SAndroid Build Coastguard Worker # Set up linker config subdirectories based on mount namespaces 54*00c7fec1SAndroid Build Coastguard Worker mkdir /linkerconfig/bootstrap 0755 55*00c7fec1SAndroid Build Coastguard Worker mkdir /linkerconfig/default 0755 56*00c7fec1SAndroid Build Coastguard Worker 57*00c7fec1SAndroid Build Coastguard Worker # Greatly extend dm-verity's Merkle tree cache timeout. The default timeout 58*00c7fec1SAndroid Build Coastguard Worker # is much too short and is unnecessary, given that there is also a shrinker. 59*00c7fec1SAndroid Build Coastguard Worker write /sys/module/dm_bufio/parameters/max_age_seconds 86400 60*00c7fec1SAndroid Build Coastguard Worker 61*00c7fec1SAndroid Build Coastguard Worker # Disable dm-verity hash prefetching, since it doesn't help performance 62*00c7fec1SAndroid Build Coastguard Worker # Read more in b/136247322 63*00c7fec1SAndroid Build Coastguard Worker write /sys/module/dm_verity/parameters/prefetch_cluster 0 64*00c7fec1SAndroid Build Coastguard Worker 65*00c7fec1SAndroid Build Coastguard Worker # Generate empty ld.config.txt for early executed processes which rely on 66*00c7fec1SAndroid Build Coastguard Worker # /system/lib libraries. 
67*00c7fec1SAndroid Build Coastguard Worker write /linkerconfig/bootstrap/ld.config.txt \# 68*00c7fec1SAndroid Build Coastguard Worker write /linkerconfig/default/ld.config.txt \# 69*00c7fec1SAndroid Build Coastguard Worker chmod 644 /linkerconfig/bootstrap/ld.config.txt 70*00c7fec1SAndroid Build Coastguard Worker chmod 644 /linkerconfig/default/ld.config.txt 71*00c7fec1SAndroid Build Coastguard Worker 72*00c7fec1SAndroid Build Coastguard Worker # Mount bootstrap linker configuration as current 73*00c7fec1SAndroid Build Coastguard Worker mount none /linkerconfig/bootstrap /linkerconfig bind rec 74*00c7fec1SAndroid Build Coastguard Worker 75*00c7fec1SAndroid Build Coastguard Worker start ueventd 76*00c7fec1SAndroid Build Coastguard Worker 77*00c7fec1SAndroid Build Coastguard Worker # Mount tracefs (with GID=AID_READTRACEFS) 78*00c7fec1SAndroid Build Coastguard Worker mount tracefs tracefs /sys/kernel/tracing gid=3012 79*00c7fec1SAndroid Build Coastguard Worker 80*00c7fec1SAndroid Build Coastguard Worker # Run apexd-bootstrap so that APEXes that provide critical libraries 81*00c7fec1SAndroid Build Coastguard Worker # become available. Note that this is executed as exec_start to ensure that 82*00c7fec1SAndroid Build Coastguard Worker # the libraries are available to the processes started after this statement. 83*00c7fec1SAndroid Build Coastguard Worker exec_start apexd-bootstrap 84*00c7fec1SAndroid Build Coastguard Worker perform_apex_config --bootstrap 85*00c7fec1SAndroid Build Coastguard Worker 86*00c7fec1SAndroid Build Coastguard Worker # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run. 
87*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/boringssl 0755 root root 88*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/boringssl/selftest 0755 root root 89*00c7fec1SAndroid Build Coastguard Worker 90*00c7fec1SAndroid Build Coastguard Worker # create sys dirctory 91*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/sys 0755 system system 92*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/sys/fs 0755 system system 93*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/sys/block 0755 system system 94*00c7fec1SAndroid Build Coastguard Worker 95*00c7fec1SAndroid Build Coastguard Worker # Create location for fs_mgr to store abbreviated output from filesystem 96*00c7fec1SAndroid Build Coastguard Worker # checker programs. 97*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/fscklogs 0770 root system 98*00c7fec1SAndroid Build Coastguard Worker 99*00c7fec1SAndroid Build Coastguard Worker # Create tmpfs for use by the shell user. 100*00c7fec1SAndroid Build Coastguard Worker mount tmpfs tmpfs /tmp 101*00c7fec1SAndroid Build Coastguard Worker restorecon /tmp 102*00c7fec1SAndroid Build Coastguard Worker chown shell shell /tmp 103*00c7fec1SAndroid Build Coastguard Worker chmod 0771 /tmp 104*00c7fec1SAndroid Build Coastguard Worker 105*00c7fec1SAndroid Build Coastguard Workeron init 106*00c7fec1SAndroid Build Coastguard Worker sysclktz 0 107*00c7fec1SAndroid Build Coastguard Worker 108*00c7fec1SAndroid Build Coastguard Worker # Mix device-specific information into the entropy pool 109*00c7fec1SAndroid Build Coastguard Worker copy /proc/cmdline /dev/urandom 110*00c7fec1SAndroid Build Coastguard Worker copy /proc/bootconfig /dev/urandom 111*00c7fec1SAndroid Build Coastguard Worker 112*00c7fec1SAndroid Build Coastguard Worker symlink /proc/self/fd/0 /dev/stdin 113*00c7fec1SAndroid Build Coastguard Worker symlink /proc/self/fd/1 /dev/stdout 114*00c7fec1SAndroid Build Coastguard Worker symlink /proc/self/fd/2 /dev/stderr 115*00c7fec1SAndroid Build Coastguard 
Worker 116*00c7fec1SAndroid Build Coastguard Worker # Create socket dir for ot-daemon 117*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/socket/ot-daemon 0770 thread_network thread_network 118*00c7fec1SAndroid Build Coastguard Worker 119*00c7fec1SAndroid Build Coastguard Worker # cpuctl hierarchy for devices using utilclamp 120*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/foreground 121*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/foreground_window 122*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/background 123*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/top-app 124*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/rt 125*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/system 126*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/system-background 127*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/dex2oat 128*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl 129*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/foreground 130*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/foreground_window 131*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/background 132*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/top-app 133*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/rt 134*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/system 135*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/system-background 136*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/dex2oat 137*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/tasks 138*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/foreground/tasks 139*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/foreground_window/tasks 140*00c7fec1SAndroid 
Build Coastguard Worker chown system system /dev/cpuctl/background/tasks 141*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/top-app/tasks 142*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/rt/tasks 143*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/system/tasks 144*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/system-background/tasks 145*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/dex2oat/tasks 146*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/cgroup.procs 147*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/foreground/cgroup.procs 148*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/foreground_window/cgroup.procs 149*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/background/cgroup.procs 150*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/top-app/cgroup.procs 151*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/rt/cgroup.procs 152*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/system/cgroup.procs 153*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/system-background/cgroup.procs 154*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/dex2oat/cgroup.procs 155*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/tasks 156*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/foreground/tasks 157*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/foreground_window/tasks 158*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/background/tasks 159*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/top-app/tasks 160*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/rt/tasks 161*00c7fec1SAndroid Build Coastguard Worker chmod 0664 
/dev/cpuctl/system/tasks 162*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/system-background/tasks 163*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/dex2oat/tasks 164*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/cgroup.procs 165*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/foreground/cgroup.procs 166*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/foreground_window/cgroup.procs 167*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/background/cgroup.procs 168*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/top-app/cgroup.procs 169*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/rt/cgroup.procs 170*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/system/cgroup.procs 171*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/system-background/cgroup.procs 172*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/dex2oat/cgroup.procs 173*00c7fec1SAndroid Build Coastguard Worker 174*00c7fec1SAndroid Build Coastguard Worker # Create a cpu group for NNAPI HAL processes 175*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/nnapi-hal 176*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/nnapi-hal 177*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/nnapi-hal/tasks 178*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/nnapi-hal/cgroup.procs 179*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/nnapi-hal/tasks 180*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/nnapi-hal/cgroup.procs 181*00c7fec1SAndroid Build Coastguard Worker write /dev/cpuctl/nnapi-hal/cpu.uclamp.min 1 182*00c7fec1SAndroid Build Coastguard Worker write /dev/cpuctl/nnapi-hal/cpu.uclamp.latency_sensitive 1 183*00c7fec1SAndroid Build Coastguard Worker 184*00c7fec1SAndroid Build Coastguard Worker # Create a cpu group for camera daemon 
processes 185*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuctl/camera-daemon 186*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/camera-daemon 187*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/camera-daemon/tasks 188*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuctl/camera-daemon/cgroup.procs 189*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/camera-daemon/tasks 190*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/cpuctl/camera-daemon/cgroup.procs 191*00c7fec1SAndroid Build Coastguard Worker 192*00c7fec1SAndroid Build Coastguard Worker # Create blkio group and apply initial settings. 193*00c7fec1SAndroid Build Coastguard Worker # This feature needs kernel to support it, and the 194*00c7fec1SAndroid Build Coastguard Worker # device's init.rc must actually set the correct values. 195*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/blkio/background 196*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/blkio 197*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/blkio/background 198*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/blkio/tasks 199*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/blkio/background/tasks 200*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/blkio/cgroup.procs 201*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/blkio/background/cgroup.procs 202*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/blkio/tasks 203*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/blkio/background/tasks 204*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/blkio/cgroup.procs 205*00c7fec1SAndroid Build Coastguard Worker chmod 0664 /dev/blkio/background/cgroup.procs 206*00c7fec1SAndroid Build Coastguard Worker write /dev/blkio/blkio.weight 1000 207*00c7fec1SAndroid Build Coastguard Worker write /dev/blkio/background/blkio.weight 200 
208*00c7fec1SAndroid Build Coastguard Worker write /dev/blkio/background/blkio.bfq.weight 10 209*00c7fec1SAndroid Build Coastguard Worker write /dev/blkio/blkio.group_idle 0 210*00c7fec1SAndroid Build Coastguard Worker write /dev/blkio/background/blkio.group_idle 0 211*00c7fec1SAndroid Build Coastguard Worker write /dev/blkio/background/blkio.prio.class restrict-to-be 212*00c7fec1SAndroid Build Coastguard Worker 213*00c7fec1SAndroid Build Coastguard Worker restorecon_recursive /mnt 214*00c7fec1SAndroid Build Coastguard Worker 215*00c7fec1SAndroid Build Coastguard Worker mount configfs none /config nodev noexec nosuid 216*00c7fec1SAndroid Build Coastguard Worker chmod 0770 /config/sdcardfs 217*00c7fec1SAndroid Build Coastguard Worker chown system package_info /config/sdcardfs 218*00c7fec1SAndroid Build Coastguard Worker 219*00c7fec1SAndroid Build Coastguard Worker # Mount binderfs 220*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/binderfs 221*00c7fec1SAndroid Build Coastguard Worker mount binder binder /dev/binderfs stats=global 222*00c7fec1SAndroid Build Coastguard Worker chmod 0755 /dev/binderfs 223*00c7fec1SAndroid Build Coastguard Worker 224*00c7fec1SAndroid Build Coastguard Worker # Mount fusectl 225*00c7fec1SAndroid Build Coastguard Worker mount fusectl none /sys/fs/fuse/connections 226*00c7fec1SAndroid Build Coastguard Worker 227*00c7fec1SAndroid Build Coastguard Worker symlink /dev/binderfs/binder /dev/binder 228*00c7fec1SAndroid Build Coastguard Worker symlink /dev/binderfs/hwbinder /dev/hwbinder 229*00c7fec1SAndroid Build Coastguard Worker symlink /dev/binderfs/vndbinder /dev/vndbinder 230*00c7fec1SAndroid Build Coastguard Worker 231*00c7fec1SAndroid Build Coastguard Worker chmod 0666 /dev/binderfs/hwbinder 232*00c7fec1SAndroid Build Coastguard Worker chmod 0666 /dev/binderfs/binder 233*00c7fec1SAndroid Build Coastguard Worker chmod 0666 /dev/binderfs/vndbinder 234*00c7fec1SAndroid Build Coastguard Worker 235*00c7fec1SAndroid Build Coastguard Worker 
mkdir /mnt/secure 0700 root root 236*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/secure/asec 0700 root root 237*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/asec 0755 root system 238*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/obb 0755 root system 239*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/media_rw 0750 root external_storage 240*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/user 0755 root root 241*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/user/0 0755 root root 242*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/user/0/self 0755 root root 243*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/user/0/emulated 0755 root root 244*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/user/0/emulated/0 0755 root root 245*00c7fec1SAndroid Build Coastguard Worker 246*00c7fec1SAndroid Build Coastguard Worker # Prepare directories for pass through processes 247*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/pass_through 0700 root root 248*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/pass_through/0 0710 root media_rw 249*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/pass_through/0/self 0710 root media_rw 250*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/pass_through/0/emulated 0710 root media_rw 251*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/pass_through/0/emulated/0 0710 root media_rw 252*00c7fec1SAndroid Build Coastguard Worker 253*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/expand 0771 system system 254*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/appfuse 0711 root root 255*00c7fec1SAndroid Build Coastguard Worker 256*00c7fec1SAndroid Build Coastguard Worker # Storage views to support runtime permissions 257*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime 0700 root root 258*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/default 0755 root root 259*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/default/self 0755 root root 
260*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/read 0755 root root 261*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/read/self 0755 root root 262*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/write 0755 root root 263*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/write/self 0755 root root 264*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/full 0755 root root 265*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/runtime/full/self 0755 root root 266*00c7fec1SAndroid Build Coastguard Worker 267*00c7fec1SAndroid Build Coastguard Worker # For Pre-reboot Dexopt 268*00c7fec1SAndroid Build Coastguard Worker mkdir /mnt/pre_reboot_dexopt 0755 artd artd 269*00c7fec1SAndroid Build Coastguard Worker 270*00c7fec1SAndroid Build Coastguard Worker # Symlink to keep legacy apps working in multi-user world 271*00c7fec1SAndroid Build Coastguard Worker symlink /storage/self/primary /mnt/sdcard 272*00c7fec1SAndroid Build Coastguard Worker symlink /mnt/user/0/primary /mnt/runtime/default/self/primary 273*00c7fec1SAndroid Build Coastguard Worker 274*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/panic_on_oops 1 275*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/hung_task_timeout_secs 0 276*00c7fec1SAndroid Build Coastguard Worker write /proc/cpu/alignment 4 277*00c7fec1SAndroid Build Coastguard Worker 278*00c7fec1SAndroid Build Coastguard Worker # scheduler tunables 279*00c7fec1SAndroid Build Coastguard Worker # Disable auto-scaling of scheduler tunables with hotplug. The tunables 280*00c7fec1SAndroid Build Coastguard Worker # will vary across devices in unpredictable ways if allowed to scale with 281*00c7fec1SAndroid Build Coastguard Worker # cpu cores. 
282*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/sched_tunable_scaling 0 283*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/sched_latency_ns 10000000 284*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 285*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/sched_child_runs_first 0 286*00c7fec1SAndroid Build Coastguard Worker 287*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/kernel/randomize_va_space 2 288*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/vm/mmap_min_addr 32768 289*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/ipv4/ping_group_range "0 2147483647" 290*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/unix/max_dgram_qlen 2400 291*00c7fec1SAndroid Build Coastguard Worker 292*00c7fec1SAndroid Build Coastguard Worker # Assign reasonable ceiling values for socket rcv/snd buffers. 293*00c7fec1SAndroid Build Coastguard Worker # These should almost always be overridden by the target per the 294*00c7fec1SAndroid Build Coastguard Worker # the corresponding technology maximums. 
295*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/core/rmem_max 262144 296*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/core/wmem_max 262144 297*00c7fec1SAndroid Build Coastguard Worker 298*00c7fec1SAndroid Build Coastguard Worker # reflect fwmark from incoming packets onto generated replies 299*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/ipv4/fwmark_reflect 1 300*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/ipv6/fwmark_reflect 1 301*00c7fec1SAndroid Build Coastguard Worker 302*00c7fec1SAndroid Build Coastguard Worker # set fwmark on accepted sockets 303*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/ipv4/tcp_fwmark_accept 1 304*00c7fec1SAndroid Build Coastguard Worker 305*00c7fec1SAndroid Build Coastguard Worker # disable icmp redirects 306*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/ipv4/conf/all/accept_redirects 0 307*00c7fec1SAndroid Build Coastguard Worker write /proc/sys/net/ipv6/conf/all/accept_redirects 0 308*00c7fec1SAndroid Build Coastguard Worker 309*00c7fec1SAndroid Build Coastguard Worker # /proc/net/fib_trie leaks interface IP addresses 310*00c7fec1SAndroid Build Coastguard Worker chmod 0400 /proc/net/fib_trie 311*00c7fec1SAndroid Build Coastguard Worker 312*00c7fec1SAndroid Build Coastguard Worker # sets up initial cpusets for ActivityManager 313*00c7fec1SAndroid Build Coastguard Worker # this ensures that the cpusets are present and usable, but the device's 314*00c7fec1SAndroid Build Coastguard Worker # init.rc must actually set the correct cpus 315*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuset/foreground 316*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/cpus /dev/cpuset/foreground/cpus 317*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/mems /dev/cpuset/foreground/mems 318*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuset/foreground_window 319*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/cpus 
/dev/cpuset/foreground_window/cpus 320*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/mems /dev/cpuset/foreground_window/mems 321*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuset/background 322*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/cpus /dev/cpuset/background/cpus 323*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/mems /dev/cpuset/background/mems 324*00c7fec1SAndroid Build Coastguard Worker 325*00c7fec1SAndroid Build Coastguard Worker # system-background is for system tasks that should only run on 326*00c7fec1SAndroid Build Coastguard Worker # little cores, not on bigs 327*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuset/system-background 328*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/cpus /dev/cpuset/system-background/cpus 329*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/mems /dev/cpuset/system-background/mems 330*00c7fec1SAndroid Build Coastguard Worker 331*00c7fec1SAndroid Build Coastguard Worker # restricted is for system tasks that are being throttled 332*00c7fec1SAndroid Build Coastguard Worker # due to screen off. 
333*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuset/restricted 334*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/cpus /dev/cpuset/restricted/cpus 335*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/mems /dev/cpuset/restricted/mems 336*00c7fec1SAndroid Build Coastguard Worker 337*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuset/top-app 338*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/cpus /dev/cpuset/top-app/cpus 339*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/mems /dev/cpuset/top-app/mems 340*00c7fec1SAndroid Build Coastguard Worker 341*00c7fec1SAndroid Build Coastguard Worker # create a cpuset for camera daemon processes 342*00c7fec1SAndroid Build Coastguard Worker mkdir /dev/cpuset/camera-daemon 343*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/cpus /dev/cpuset/camera-daemon/cpus 344*00c7fec1SAndroid Build Coastguard Worker copy /dev/cpuset/mems /dev/cpuset/camera-daemon/mems 345*00c7fec1SAndroid Build Coastguard Worker 346*00c7fec1SAndroid Build Coastguard Worker # change permissions for all cpusets we'll touch at runtime 347*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset 348*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/foreground 349*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/foreground_window 350*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/background 351*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/system-background 352*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/top-app 353*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/restricted 354*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/camera-daemon 355*00c7fec1SAndroid Build Coastguard Worker chown system system /dev/cpuset/tasks 356*00c7fec1SAndroid Build Coastguard Worker chown system system 
/dev/cpuset/foreground/tasks
    chown system system /dev/cpuset/foreground_window/tasks
    chown system system /dev/cpuset/background/tasks
    chown system system /dev/cpuset/system-background/tasks
    chown system system /dev/cpuset/top-app/tasks
    chown system system /dev/cpuset/restricted/tasks
    chown system system /dev/cpuset/camera-daemon/tasks
    chown system system /dev/cpuset/cgroup.procs
    chown system system /dev/cpuset/foreground/cgroup.procs
    chown system system /dev/cpuset/foreground_window/cgroup.procs
    chown system system /dev/cpuset/background/cgroup.procs
    chown system system /dev/cpuset/system-background/cgroup.procs
    chown system system /dev/cpuset/top-app/cgroup.procs
    chown system system /dev/cpuset/restricted/cgroup.procs
    chown system system /dev/cpuset/camera-daemon/cgroup.procs

    # set system-background to 0775 so SurfaceFlinger can touch it
    chmod 0775 /dev/cpuset/system-background

    chmod 0664 /dev/cpuset/foreground/tasks
    chmod 0664 /dev/cpuset/foreground_window/tasks
    chmod 0664 /dev/cpuset/background/tasks
    chmod 0664 /dev/cpuset/system-background/tasks
    chmod 0664 /dev/cpuset/top-app/tasks
    chmod 0664 /dev/cpuset/restricted/tasks
    chmod 0664 /dev/cpuset/tasks
    chmod 0664 /dev/cpuset/camera-daemon/tasks
    chmod 0664 /dev/cpuset/foreground/cgroup.procs
    chmod 0664 /dev/cpuset/foreground_window/cgroup.procs
    chmod 0664 /dev/cpuset/background/cgroup.procs
    chmod 0664 /dev/cpuset/system-background/cgroup.procs
    chmod 0664 /dev/cpuset/top-app/cgroup.procs
    chmod 0664 /dev/cpuset/restricted/cgroup.procs
    chmod 0664 /dev/cpuset/cgroup.procs
    chmod 0664 /dev/cpuset/camera-daemon/cgroup.procs

    # make the PSI monitor accessible to others
    chown system system /proc/pressure/memory
    chmod 0664 /proc/pressure/memory

    mount bpf bpf /sys/fs/bpf nodev noexec nosuid

    # pstore/ramoops previous console log
    mount pstore pstore /sys/fs/pstore nodev noexec nosuid
    chown system log /sys/fs/pstore
    chmod 0550 /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops
    chown system log /sys/fs/pstore/console-ramoops-0
    chmod 0440 /sys/fs/pstore/console-ramoops-0
    chown system log /sys/fs/pstore/pmsg-ramoops-0
    chmod 0440 /sys/fs/pstore/pmsg-ramoops-0

    # enable armv8_deprecated instruction hooks
    write /proc/sys/abi/swp 1

    # Linux's execveat() syscall may construct paths containing /dev/fd
    # expecting it to point to /proc/self/fd
    symlink /proc/self/fd /dev/fd

    export DOWNLOAD_CACHE /data/cache

    # This allows the ledtrig-transient properties to be created here so
    # that they can be chown'd to system:system later on boot
    write /sys/class/leds/vibrator/trigger "transient"

    # This is used by Bionic to select optimized routines.
    write /dev/cpu_variant:${ro.bionic.arch} ${ro.bionic.cpu_variant}
    chmod 0444 /dev/cpu_variant:${ro.bionic.arch}
    write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}
    chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}

    # Allow system processes to read / write power state.
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chmod 0660 /sys/power/state

    chown radio wakelock /sys/power/wake_lock
    chown radio wakelock /sys/power/wake_unlock
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Start logd before any other services run to ensure we capture all of their logs.
    start logd
    # Start lmkd before any other services run so that it can register them
    write /proc/sys/vm/watermark_boost_factor 0
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
    start lmkd

    # Start essential services.
    start servicemanager
    start hwservicemanager
    start vndservicemanager

    # Mount /mnt/vm ASAP to allow early VMs to run.
    mkdir /mnt/vm 0755 root root
    mount tmpfs tmpfs /mnt/vm nosuid nodev noexec rw
    restorecon /mnt/vm
    chown system system /mnt/vm
    chmod 0770 /mnt/vm
    mkdir /mnt/vm/early 0770 system system

# Run boringssl self test for each ABI. Any failures trigger reboot to firmware.
import /system/etc/init/hw/init.boringssl.${ro.zygote}.rc

service boringssl_self_test32 /system/bin/boringssl_self_test32
    reboot_on_failure reboot,boringssl-self-check-failed
    stdio_to_kmsg
    # Explicitly specify that boringssl_self_test32 doesn't require any capabilities
    capabilities
    user nobody

service boringssl_self_test64 /system/bin/boringssl_self_test64
    reboot_on_failure reboot,boringssl-self-check-failed
    stdio_to_kmsg
    # Explicitly specify that boringssl_self_test64 doesn't require any capabilities
    capabilities
    user nobody

service boringssl_self_test_apex32 /apex/com.android.conscrypt/bin/boringssl_self_test32
    reboot_on_failure reboot,boringssl-self-check-failed
    stdio_to_kmsg
    # Explicitly specify that boringssl_self_test_apex32 doesn't require any capabilities
    capabilities
    user nobody

service boringssl_self_test_apex64 /apex/com.android.conscrypt/bin/boringssl_self_test64
    reboot_on_failure reboot,boringssl-self-check-failed
    stdio_to_kmsg
    # Explicitly specify that boringssl_self_test_apex64 doesn't require any capabilities
    capabilities
    user nobody

# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init

# Indicate to fw loaders that the relevant mounts are up.
on firmware_mounts_complete
    rm /dev/.booting

# Mount filesystems and start core system services.
on late-init
    trigger early-fs

    # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
    # '--early' can be specified to skip entries with 'latemount'.
    # /system and /vendor must be mounted by the end of the fs stage,
    # while /data is optional.
    trigger fs
    trigger post-fs

    # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
    # to only mount entries with 'latemount'. This is needed if '--early' is
    # specified in the previous mount_all command on the fs stage.
    # With /system mounted and properties from /system + /factory available,
    # some services can be started.
    trigger late-fs

    # Now we can mount /data. File encryption requires keymaster to decrypt
    # /data, which in turn can only be loaded when system properties are present.
    trigger post-fs-data

    # Should be before netd, but after apex, properties and logging is available.
    trigger load-bpf-programs
    trigger bpf-progs-loaded

    # Now we can start zygote.
    trigger zygote-start

    # Remove a file to wake up anything waiting for firmware.
    trigger firmware_mounts_complete

    trigger early-boot
    trigger boot

on early-fs
    # Once metadata has been mounted, we'll need vold to deal with userdata checkpointing
    start vold

on post-fs
    exec - system system -- /system/bin/vdc checkpoint markBootAttempt

    # Once everything is set up, no need to modify /.
    # The bind+remount combination allows this to work in containers.
    mount rootfs rootfs / remount bind ro nodev

    # Mount default storage into root namespace
    mount none /mnt/user/0 /storage bind rec
    mount none none /storage slave rec

    # Make sure /sys/kernel/debug (if present) is labeled properly
    # Note that tracefs may be mounted under debug, so we need to cross filesystems
    restorecon --recursive --cross-filesystems /sys/kernel/debug

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon_recursive /cache

    # Create /cache/recovery in case it's not there. It'll also fix the odd
    # permissions if created by the recovery system.
    mkdir /cache/recovery 0770 system cache

    # Backup/restore mechanism uses the cache partition
    mkdir /cache/backup_stage 0700 system system
    mkdir /cache/backup 0700 system system

    #change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    chown root log /proc/pagetypeinfo
    chmod 0440 /proc/pagetypeinfo

    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

    restorecon_recursive /metadata
    mkdir /metadata/vold
    chmod 0700 /metadata/vold
    mkdir /metadata/password_slots 0771 root system
    mkdir /metadata/bootstat 0750 system log
    mkdir /metadata/ota 0750 root system
    mkdir /metadata/ota/snapshots 0750 root system
    mkdir /metadata/watchdog 0770 root system
    mkdir /metadata/tradeinmode 0770 root system
    mkdir /metadata/prefetch 0770 root system

    mkdir /metadata/apex 0700 root system
    mkdir /metadata/apex/sessions 0700 root system
    # On some devices we see a weird behaviour in which /metadata/apex doesn't
    # have a correct label. To work around this bug, explicitly call restorecon
    # on /metadata/apex. For most of the boot sequences /metadata/apex will
    # already have a correct selinux label, meaning that this call will be a
    # no-op.
    restorecon_recursive /metadata/apex

    mkdir /metadata/staged-install 0770 root system

on late-fs
    # Ensure that tracefs has the correct permissions.
    # This does not work correctly if it is called in post-fs.
    chmod 0755 /sys/kernel/tracing
    chmod 0755 /sys/kernel/debug/tracing

    # HALs required before storage encryption can get unlocked (FBE)
    class_start early_hal

    # Load trusted keys from dm-verity protected partitions
    exec -- /system/bin/fsverity_init --load-verified-keys

# Only enable the bootreceiver tracing instance for kernels 5.10 and above.
on late-fs && property:ro.kernel.version=4.19
    setprop bootreceiver.enable 0
on late-fs && property:ro.kernel.version=5.4
    setprop bootreceiver.enable 0
on late-fs
    # Bootreceiver tracing instance is enabled by default.
    setprop bootreceiver.enable ${bootreceiver.enable:-1}

on property:ro.product.cpu.abilist64=* && property:bootreceiver.enable=1
    # Set up a tracing instance for system_server to monitor error_report_end events.
    # These are sent by kernel tools like KASAN and KFENCE when a memory corruption
    # is detected. This is only needed for 64-bit systems.
    mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system
    restorecon_recursive /sys/kernel/tracing/instances/bootreceiver
    write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1
    write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free
    write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1

on post-fs-data

    # Start checkpoint before we touch data
    exec - system system -- /system/bin/vdc checkpoint prepareCheckpoint

    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Make sure we have the device encryption key.
    installkey /data

    # Start bootcharting as soon as possible after the data partition is
    # mounted to collect more data.
    mkdir /data/bootchart 0755 shell shell encryption=Require
    bootchart start

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    copy /data/system/entropy.dat /dev/urandom

    mkdir /data/vendor 0771 root root encryption=Require
    mkdir /data/vendor/hardware 0771 root root

    # Start tombstoned early to be able to store tombstones.
    mkdir /data/anr 0775 system system encryption=Require
    mkdir /data/tombstones 0775 system system encryption=Require
    mkdir /data/vendor/tombstones 0771 root root
    mkdir /data/vendor/tombstones/wifi 0771 wifi wifi
    start tombstoned

    # Make sure that apexd is started in the default namespace
    enter_default_mount_ns

    # set up keystore directory structure first so that we can end early boot
    # and start apexd
    mkdir /data/misc 01771 system misc encryption=Require
    mkdir /data/misc/keystore 0700 keystore keystore
    # work around b/183668221
    restorecon /data/misc /data/misc/keystore

    # Boot level 30
    # odsign signing keys have MAX_BOOT_LEVEL=30
    # This is currently the earliest boot level, but we start at 30
    # to leave room for earlier levels.
    setprop keystore.boot_level 30

    # Now that /data is mounted and we have created /data/misc/keystore,
    # we can tell keystore to stop allowing use of early-boot keys,
    # and access its database for the first time to support creation and
    # use of MAX_BOOT_LEVEL keys.
    exec - system system -- /system/bin/vdc keymaster earlyBootEnded

    # Multi-installed APEXes are selected using persist props.
    # Load persist properties and override properties (if enabled) from /data,
    # before starting apexd.
    # /data/property should be created before `load_persist_props`
    mkdir /data/property 0700 root root encryption=Require
    load_persist_props

    start logd
    start logd-reinit

    # Some existing vendor rc files use 'on load_persist_props_action' to know
    # when persist props are ready. These are difficult to change due to GRF,
    # so continue triggering this action here even though props are already loaded
    # by the 'load_persist_props' call above.
    trigger load_persist_props_action

    # /data/apex is now available. Start apexd to scan and activate APEXes.
    #
    # To handle userspace reboots, make sure that apexd is started cleanly here
    # (set apexd.status="") and that it is restarted if it's already running.
    #
    # /data/apex uses encryption=None because direct I/O support is needed on
    # APEX files, but some devices don't support direct I/O on encrypted files.
    # Also, APEXes are public information, similar to the system image.
    # /data/apex/decompressed and /data/apex/ota_reserved override this setting;
    # they are encrypted so that files in them can be hard-linked into
    # /data/rollback which is encrypted.
    mkdir /data/apex 0755 root system encryption=None
    mkdir /data/apex/active 0755 root system
    mkdir /data/apex/backup 0700 root system
    mkdir /data/apex/decompressed 0755 root system encryption=Require
    mkdir /data/apex/sessions 0700 root system
    mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary
    mkdir /data/apex/ota_reserved 0700 root system encryption=Require
    setprop apexd.status ""
    restart apexd

    # create rest of basic filesystem structure
    mkdir /data/misc/recovery 0770 system log
    copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
    chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
    chown system log /data/misc/recovery/ro.build.fingerprint.1
    write /data/misc/recovery/ro.build.fingerprint ${ro.build.fingerprint}
    chmod 0440 /data/misc/recovery/ro.build.fingerprint
    chown system log /data/misc/recovery/ro.build.fingerprint
    mkdir /data/misc/recovery/proc 0770 system log
    copy /data/misc/recovery/proc/version /data/misc/recovery/proc/version.1
    chmod 0440 /data/misc/recovery/proc/version.1
    chown system log /data/misc/recovery/proc/version.1
    copy /proc/version /data/misc/recovery/proc/version
    chmod 0440 /data/misc/recovery/proc/version
    chown system log /data/misc/recovery/proc/version
    mkdir /data/misc/bluedroid 02770 bluetooth bluetooth
    # Fix the access permissions and group ownership for 'bt_config.conf'
    chmod 0660 /data/misc/bluedroid/bt_config.conf
    chown bluetooth bluetooth /data/misc/bluedroid/bt_config.conf
    mkdir /data/misc/bluetooth 0770 bluetooth bluetooth
    mkdir /data/misc/bluetooth/logs 0770 bluetooth bluetooth
    mkdir /data/misc/nfc 0770 nfc nfc
    mkdir /data/misc/nfc/logs 0770 nfc nfc
    mkdir /data/misc/credstore 0700 credstore credstore
    mkdir /data/misc/gatekeeper 0700 system system
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/net 0750 root shell
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/carrierid 0770 system radio
    mkdir /data/misc/apns 0770 system radio
    mkdir /data/misc/emergencynumberdb 0770 system radio
    mkdir /data/misc/network_watchlist 0774 system system
    mkdir /data/misc/telephonyconfig 0770 system radio
    mkdir /data/misc/textclassifier 0771 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/mainline_supplicant 0770 wifi wifi
    mkdir /data/misc/wifi/mainline_supplicant/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root encryption=Require
    mkdir /data/misc/media 0700 media media
    mkdir /data/misc/audioserver 0700 audioserver audioserver
    mkdir /data/misc/cameraserver 0700 cameraserver cameraserver
    mkdir /data/misc/vold 0700 root root
    mkdir /data/misc/boottrace 0771 system shell
    mkdir /data/misc/update_engine 0700 root root
    mkdir /data/misc/update_engine_log 02750 root log
    mkdir /data/misc/trace 0700 root root
    # create location to store surface and window trace files
    mkdir /data/misc/wmtrace 0700 system system
    # create location to store accessibility trace files
    mkdir /data/misc/a11ytrace 0700 system system
    # profile file layout
    mkdir /data/misc/profiles 0771 system system
    mkdir /data/misc/profiles/cur 0771 system system
    mkdir /data/misc/profiles/ref 0771 system system
    mkdir /data/misc/profman 0770 system shell
    mkdir /data/misc/gcov 0770 root root
    mkdir /data/misc/installd 0700 root root
    mkdir /data/misc/apexdata 0711 root root
    mkdir /data/misc/apexrollback 0700 root root
    mkdir /data/misc/appcompat/ 0700 system system
    mkdir /data/misc/uprobestats-configs/ 0777 uprobestats uprobestats
    mkdir /data/misc/snapshotctl_log 0755 root root
    # create location to store pre-reboot information
    mkdir /data/misc/prereboot 0700 system system
    # directory used for on-device refresh metrics file.
    mkdir /data/misc/odrefresh 0777 system system
    # directory used for on-device signing key blob
    mkdir /data/misc/odsign 0710 root system
    # directory used for odsign metrics
    mkdir /data/misc/odsign/metrics 0770 root system
    # directory used for connectivity blob store.
    mkdir /data/misc/connectivityblobdb 0770 system system

    # Directory for VirtualizationService temporary image files.
    # Delete any stale files owned by the old virtualizationservice uid (b/230056726).
    chmod 0770 /data/misc/virtualizationservice
    exec - virtualizationservice system -- /bin/rm -rf /data/misc/virtualizationservice
    mkdir /data/misc/virtualizationservice 0771 system system

    # /data/preloads uses encryption=None because it only contains preloaded
    # files that are public information, similar to the system image.
    mkdir /data/preloads 0775 system system encryption=None

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/local/traces 0777 shell shell
    mkdir /data/app-private 0771 system system encryption=Require
    mkdir /data/app-ephemeral 0771 system system encryption=Require
    mkdir /data/app-asec 0700 root root encryption=Require
    mkdir /data/app-lib 0771 system system encryption=Require
    mkdir /data/app 0771 system system encryption=Require

    # Create directory for app metadata files
    mkdir /data/app-metadata 0700 system system encryption=Require

    # create directory for updated font files.
    mkdir /data/fonts/ 0771 root root encryption=Require
    mkdir /data/fonts/files 0771 system system
    mkdir /data/fonts/config 0770 system system

    # Create directories to push tests to for each linker namespace.
    # Create the subdirectories in case the first test is run as root
    # so it doesn't end up owned by root.
    # Set directories to be executable by any process so that debuggerd,
    # aka crash_dump, can read any executables/shared libraries.
    mkdir /data/local/tests 0701 shell shell
    mkdir /data/local/tests/product 0701 shell shell
    mkdir /data/local/tests/system 0701 shell shell
    mkdir /data/local/tests/unrestricted 0701 shell shell
    mkdir /data/local/tests/vendor 0701 shell shell

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 root root encryption=Require
    # create the A/B OTA directory, so as to enforce our permissions
    mkdir /data/ota 0771 root root encryption=Require

    # create the OTA package directory. It will be accessed by GmsCore (cache
    # group), update_engine and update_verifier.
    mkdir /data/ota_package 0770 system cache encryption=Require

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system encryption=Require
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # Ensure that lost+found exists and has the correct permissions.  Linux
    # filesystems expect this directory to exist; it's where the fsck tool puts
    # any recovered files that weren't present in any directory.  It must be
    # unencrypted, as fsck must be able to write to it.
    mkdir /data/lost+found 0770 root root encryption=None

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm encryption=Require

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm encryption=Require

    # NFC: create data/nfc for nv storage
    mkdir /data/nfc 0770 nfc nfc encryption=Require
    mkdir /data/nfc/param 0770 nfc nfc

    # Create all remaining /data root dirs so that they are made through init
    # and get proper encryption policy installed
    mkdir /data/backup 0700 system system encryption=Require
    mkdir /data/ss 0700 system system encryption=Require

    mkdir /data/system 0775 system system encryption=Require
    mkdir /data/system/environ 0700 system system
    # b/183861600 attempt to fix selinux label before running derive_classpath service
    restorecon /data/system/environ
    mkdir /data/system/dropbox 0700 system system
    mkdir /data/system/heapdump 0700 system system
    mkdir /data/system/users 0775 system system
    # Mkdir and set SELinux security contexts for shutdown-checkpoints.
    # TODO(b/270286197): remove these after couple releases.
    mkdir /data/system/shutdown-checkpoints 0700 system system
    restorecon_recursive /data/system/shutdown-checkpoints

    # Create the parent directories of the user CE and DE storage directories.
    # These parent directories must use encryption=None, since each of their
    # subdirectories uses a different encryption policy (a per-user one), and
    # encryption policies apply recursively.  These directories should never
    # contain any subdirectories other than the per-user ones.  /data/media/obb
    # is an exception that exists for legacy reasons.
    #
    # Don't use any write mode bits (0222) for any of these directories, since
    # the only process that should write to them directly is vold (since it
    # needs to set up file-based encryption on the subdirectories), which runs
    # as root with CAP_DAC_OVERRIDE.  This is also fully enforced via the
    # SELinux policy.  But we also set the DAC file modes accordingly, to try to
    # minimize differences in behavior if SELinux is set to permissive mode.
    mkdir /data/media 0550 media_rw media_rw encryption=None
    mkdir /data/misc_ce 0551 system misc encryption=None
    mkdir /data/misc_de 0551 system misc encryption=None
    mkdir /data/system_ce 0550 system system encryption=None
    mkdir /data/system_de 0550 system system encryption=None
    mkdir /data/user 0511 system system encryption=None
    mkdir /data/user_de 0511 system system encryption=None
    mkdir /data/vendor_ce 0551 root root encryption=None
    mkdir /data/vendor_de 0551 root root encryption=None

    # Similar to the top-level CE and DE directories, /data/storage_area must
    # itself be unencrypted, since it contains encrypted directories.
    mkdir /data/storage_area 0551 root root encryption=None

    # Set the casefold flag on /data/media.  For upgrades, a restorecon can be
    # needed first to relabel the directory from media_rw_data_file.
    restorecon /data/media
    exec - media_rw media_rw -- /system/bin/chattr +F /data/media

    # A tmpfs directory, which will contain all apps and sdk sandbox CE and DE
    # data directory that bind mount from the original source.
    mount tmpfs tmpfs /data_mirror nodev noexec nosuid mode=0700,uid=0,gid=1000
    restorecon /data_mirror
    mkdir /data_mirror/data_ce 0700 root root
    mkdir /data_mirror/data_de 0700 root root
    mkdir /data_mirror/misc_ce 0700 root root
    mkdir /data_mirror/misc_de 0700 root root
    mkdir /data_mirror/storage_area 0700 root root

    # Create CE and DE data directory for default volume
    # Not needed for storage_area directory, since this is
    # not supported for non-default volumes and the path
    # does not include the volume ID
    mkdir /data_mirror/data_ce/null 0700 root root
    mkdir /data_mirror/data_de/null 0700 root root
    mkdir /data_mirror/misc_ce/null 0700 root root
    mkdir /data_mirror/misc_de/null 0700 root root

    # Bind mount CE and DE data directory to mirror's default volume directory.
    # Note that because the /data mount has the "shared" propagation type, the
    # later bind mount of /data/data onto /data/user/0 will automatically
    # propagate to /data_mirror/data_ce/null/0 as well.
    mount none /data/user /data_mirror/data_ce/null bind rec
    mount none /data/user_de /data_mirror/data_de/null bind rec
    mount none /data/misc_ce /data_mirror/misc_ce/null bind rec
    mount none /data/misc_de /data_mirror/misc_de/null bind rec

    # Also bind mount for the storage area directory (minus the volume ID)
    mount none /data/storage_area /data_mirror/storage_area bind rec

    # Create mirror directory for jit profiles
    mkdir /data_mirror/cur_profiles 0700 root root
    mount none /data/misc/profiles/cur /data_mirror/cur_profiles bind rec
    mkdir /data_mirror/ref_profiles 0700 root root
    mount none /data/misc/profiles/ref /data_mirror/ref_profiles bind rec

    mkdir /data/cache 0770 system cache encryption=Require
    mkdir /data/cache/recovery 0770 system cache
    mkdir /data/cache/backup_stage 0700 system system
    mkdir /data/cache/backup 0700 system system

    # Delete these if need be, per b/139193659
    mkdir /data/rollback 0700 system system encryption=DeleteIfNecessary
    mkdir /data/rollback-observer 0700 system system encryption=DeleteIfNecessary
    mkdir /data/rollback-history 0700 system system encryption=DeleteIfNecessary

    # Create root dir for Incremental Service
    mkdir /data/incremental 0771 system system encryption=Require

    # Create directories for statsd
    mkdir /data/misc/stats-active-metric/ 0770 statsd system
    mkdir /data/misc/stats-data/ 0770 statsd system
    mkdir /data/misc/stats-data/restricted-data 0770 statsd system
    mkdir /data/misc/stats-metadata/ 0770 statsd system
    mkdir /data/misc/stats-service/ 0770 statsd system
    mkdir /data/misc/train-info/ 0770 statsd system

    # Wait for apexd to finish activating APEXes before starting more processes.
    wait_for_prop apexd.status activated
    perform_apex_config

    exec_start system_aconfigd_mainline_init
    start system_aconfigd_socket_service

    # start mainline aconfigd init, after transition, the above system_aconfigd_mainline_init
    # will be deprecated
    exec_start mainline_aconfigd_init
    start mainline_aconfigd_socket_service

    # Create directories for boot animation.
    mkdir /data/misc/bootanim 0755 system system

    exec_start derive_sdk

    init_user0

    # Set SELinux security contexts on upgrade or policy update.
    restorecon --recursive --skip-ce /data

    # Define and export *CLASSPATH variables
    # Must start before 'odsign', as odsign depends on *CLASSPATH variables
    exec_start derive_classpath
    load_exports /data/system/environ/classpath

    # Start ART's oneshot boot service to propagate boot experiment flags to
    # dalvik.vm.*. This needs to be done before odsign since odrefresh uses and
    # validates those properties against the signed cache-info.xml.
    exec_start art_boot

    # Start the on-device signing daemon, and wait for it to finish, to ensure
    # ART artifacts are generated if needed.
    # Must start after 'derive_classpath' to have *CLASSPATH variables set.
    start odsign

    # Wait for odsign to be done with the key.
    wait_for_prop odsign.key.done 1

    # Bump the boot level to 1000000000; this prevents further on-device signing.
    # This is a special value that shuts down the thread which listens for
    # further updates.
    setprop keystore.boot_level 1000000000

    # Allow apexd to snapshot and restore device encrypted apex data in the case
    # of a rollback. This should be done immediately after DE_user data keys
    # are loaded. APEXes should not access this data until this has been
    # completed and apexd.status becomes "ready".
    exec_start apexd-snapshotde

    # sys.use_memfd set to false by default, which keeps it disabled
    # until it is confirmed that apps and vendor processes don't make
    # IOCTLs on ashmem fds any more.
    setprop sys.use_memfd false

    # Set fscklog permission
    chown root system /dev/fscklogs/log
    chmod 0770 /dev/fscklogs/log

    # Enable FUSE by default
    setprop persist.sys.fuse true

    # Update dm-verity state and set partition.*.verified properties.
    verity_update_state

on property:vold.checkpoint_committed=1
    trigger post-fs-data-checkpointed

# It is important that we start bpfloader after:
#   - /sys/fs/bpf is already mounted,
#   - apex (incl. rollback) is initialized (so that we can load bpf
#     programs shipped as part of apex mainline modules)
#   - logd is ready for us to log stuff
#
# At the same time we want to be as early as possible to reduce races and thus
# failures (before memory is fragmented, and cpu is busy running tons of other
# stuff) and we absolutely want to be before netd and the system boot slot is
# considered to have booted successfully.
on load-bpf-programs
    exec_start bpfloader

on bpf-progs-loaded
    start netd

# It is recommended to put unnecessary data/ initialization from post-fs-data
# to start-zygote in device's init.rc to unblock zygote start.
on zygote-start
    wait_for_prop odsign.verification.done 1
    # A/B update verifier that marks a successful boot.
    exec_start update_verifier
    start statsd
    start zygote
    start zygote_secondary

on boot && property:ro.config.low_ram=true
    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio  5

on boot && property:suspend.disable_sync_on_suspend=true
    write /sys/power/sync_on_suspend 0

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # IPsec SA default expiration length
    write /proc/sys/net/core/xfrm_acq_expires 3600

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4

    # System server manages zram writeback
    chown root system /sys/block/zram0/idle
    chmod 0220 /sys/block/zram0/idle
    chown root system /sys/block/zram0/writeback
    chmod 0220 /sys/block/zram0/writeback

    # to access F2FS sysfs on dm-<num> directly
    mkdir /dev/sys/fs/by-name 0755 system system
    symlink /sys/fs/f2fs/${dev.mnt.dev.data} /dev/sys/fs/by-name/userdata

    # dev.mnt.dev.data=dm-N, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0, or
    # dev.mnt.dev.data=sdaN/mmcblk0pN, dev.mnt.blk.data=sdaN/mmcblk0pN, dev.mnt.rootdisk.data=sda/mmcblk0
    mkdir /dev/sys/block/by-name 0755 system system
    symlink /sys/class/block/${dev.mnt.dev.data} /dev/sys/block/by-name/userdata
    symlink /sys/class/block/${dev.mnt.rootdisk.data} /dev/sys/block/by-name/rootdisk

    # F2FS tuning. Set cp_interval larger than dirty_expire_centisecs, 30 secs,
    # to avoid power consumption when system becomes mostly idle. Be careful
    # not to make it too large, since it may bring userdata loss, if they
    # are not aware of using fsync()/sync() to prepare for a sudden power-cut.
    write /dev/sys/fs/by-name/userdata/cp_interval 200
    write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50
    write /dev/sys/fs/by-name/userdata/iostat_period_ms 1000
    write /dev/sys/fs/by-name/userdata/iostat_enable 1

    # set readahead multiplier for POSIX_FADV_SEQUENTIAL files
    write /dev/sys/fs/by-name/userdata/seq_file_ra_mul 128

    # limit discard size to 128MB in order to avoid long IO latency
    # for filesystem tuning first (dm or sda)
    # this requires enabling selinux entry for sda/mmcblk0 in vendor side
    write /dev/sys/block/by-name/userdata/queue/discard_max_bytes 134217728
    write /dev/sys/block/by-name/rootdisk/queue/discard_max_bytes 134217728

    # Permissions for System Server and daemons.
    chown system system /sys/power/autosleep

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    chown system system /sys/class/leds/vibrator/trigger
    chown system system /sys/class/leds/vibrator/activate
    chown system system /sys/class/leds/vibrator/brightness
    chown system system /sys/class/leds/vibrator/duration
    chown system system /sys/class/leds/vibrator/state
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown system system /sys/firmware/acpi/tables
    chown system system /sys/firmware/acpi/tables/BERT
    chown system system /sys/firmware/acpi/tables/data/BERT
    chown root radio /proc/cmdline
    chown root system /proc/bootconfig

    # Define default initial receive window size in segments.
    setprop net.tcp_def_init_rwnd 60

    # Start standard binderized HAL daemons
    class_start hal

    class_start core

on nonencrypted
    class_start main
    class_start late_start

on property:sys.init_log_level=*
    loglevel ${sys.init_log_level}

on charger
    class_start charger

on property:sys.boot_completed=1
    bootchart stop
    # Setup per_boot directory so other .rc could start to use it on boot_completed
    exec - system system -- /bin/rm -rf /data/per_boot
    mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
on property:sys.sysctl.extra_free_kbytes=*
    exec -- /system/bin/extra_free_kbytes.sh ${sys.sysctl.extra_free_kbytes}

# Allow users to drop caches
on property:perf.drop_caches=3
    write /proc/sys/vm/drop_caches 3
    setprop perf.drop_caches 0

# "tcp_default_init_rwnd" Is too long!
on property:net.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${net.tcp_def_init_rwnd}

# perf_event_open syscall security:
# Newer kernels have the ability to control the use of the syscall via SELinux
# hooks. init tests for this, and sets sys_init.perf_lsm_hooks to 1 if the
# kernel has the hooks. In this case, the system-wide perf_event_paranoid
# sysctl is set to -1 (unrestricted use), and the SELinux policy is used for
# controlling access. On older kernels, the paranoid value is the only means of
# controlling access. It is normally 3 (allow only root), but the shell user
# can lower it to 1 (allowing thread-scoped profiling) via security.perf_harden.
on load-bpf-programs && property:sys.init.perf_lsm_hooks=1
    write /proc/sys/kernel/perf_event_paranoid -1
on property:security.perf_harden=0 && property:sys.init.perf_lsm_hooks=""
    write /proc/sys/kernel/perf_event_paranoid 1
on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks=""
    write /proc/sys/kernel/perf_event_paranoid 3

# Additionally, simpleperf profiler uses debug.* and security.perf_harden
# sysprops to be able to indirectly set these sysctls.
on property:security.perf_harden=0
    write /proc/sys/kernel/perf_event_max_sample_rate ${debug.perf_event_max_sample_rate:-100000}
    write /proc/sys/kernel/perf_cpu_time_max_percent ${debug.perf_cpu_time_max_percent:-25}
    write /proc/sys/kernel/perf_event_mlock_kb ${debug.perf_event_mlock_kb:-516}
# Default values.
on property:security.perf_harden=1
    write /proc/sys/kernel/perf_event_max_sample_rate 100000
    write /proc/sys/kernel/perf_cpu_time_max_percent 25
    write /proc/sys/kernel/perf_event_mlock_kb 516

# This property can be set only on userdebug/eng. See neverallow rule in
# /system/sepolicy/private/property.te .
on property:security.lower_kptr_restrict=1
    write /proc/sys/kernel/kptr_restrict 0

on property:security.lower_kptr_restrict=0
    write /proc/sys/kernel/kptr_restrict 2


# on shutdown
# In device's init.rc, this trigger can be used to do device-specific actions
# before shutdown. e.g. disable watchdog and mask error handling

## Daemon processes to be run by init.
##
service ueventd /system/bin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0
    user root
    shutdown critical

service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log readproc
    seclabel u:r:shell:s0
    setenv HOSTNAME console
    shutdown critical

on property:ro.debuggable=1
    # Give writes to the same group for the trace folder on debug builds,
    # it's further protected by selinux policy.
    # The folder is used to store method traces.
    chmod 0773 /data/misc/trace
    # Give writes and reads to anyone for the window trace folder on debug builds,
    # it's further protected by selinux policy.
    chmod 0777 /data/misc/wmtrace
    # Give reads to anyone for the accessibility trace folder on debug builds.
    chmod 0775 /data/misc/a11ytrace

on init && property:ro.debuggable=1
    start console

# Multi-Gen LRU Experiment
on property:persist.device_config.mglru_native.lru_gen_config=none
    write /sys/kernel/mm/lru_gen/enabled 0
on property:persist.device_config.mglru_native.lru_gen_config=core
    write /sys/kernel/mm/lru_gen/enabled 1
on property:persist.device_config.mglru_native.lru_gen_config=core_and_mm_walk
    write /sys/kernel/mm/lru_gen/enabled 3
on property:persist.device_config.mglru_native.lru_gen_config=core_and_nonleaf_young
    write /sys/kernel/mm/lru_gen/enabled 5
on property:persist.device_config.mglru_native.lru_gen_config=all
    write /sys/kernel/mm/lru_gen/enabled 7

# Allow other processes to run `snapshotctl` through `init`. This requires
# `set_prop` permission on `snapshotctl_prop`.
on property:sys.snapshotctl.map=requested
    # "root" is needed to talk to gsid and pass its check on uid.
    # "system" is needed to write to "/dev/socket/snapuserd" to talk to
    # snapuserd.
    exec - root root system -- /system/bin/snapshotctl map
    setprop sys.snapshotctl.map "finished"

on property:sys.snapshotctl.unmap=requested
    exec - root root system -- /system/bin/snapshotctl unmap
    setprop sys.snapshotctl.unmap "finished"
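
A static check a reviewer could run over this file, as an added example that is not part of AOSP: it walks the `on` action blocks and reports `chmod`/`mkdir` modes that set the world-writable bit, plus integer writes that lower `kptr_restrict` or `perf_event_paranoid` below the hardened values this file names, each with the trigger that gates it. The function name, the sample text and the threshold table are assumptions of this example.

```python
import re

# Constructed sample: a few actions copied from the init.rc listing above.
SAMPLE_RC = """\
on property:sys.boot_completed=1
    mkdir /data/per_boot 0700 system system encryption=Require key=per_boot_ref

on property:security.lower_kptr_restrict=1
    write /proc/sys/kernel/kptr_restrict 0

on property:security.perf_harden=1 && property:sys.init.perf_lsm_hooks=""
    write /proc/sys/kernel/perf_event_paranoid 3

on property:ro.debuggable=1
    # Give writes to the same group for the trace folder on debug builds,
    chmod 0773 /data/misc/trace
    chmod 0777 /data/misc/wmtrace
    chmod 0775 /data/misc/a11ytrace
"""

# Assumption for this example: the hardened values are the ones the file's
# own comments and default actions name (kptr_restrict 2, perf_event_paranoid 3).
HARDENED_SYSCTL = {
    "/proc/sys/kernel/kptr_restrict": 2,
    "/proc/sys/kernel/perf_event_paranoid": 3,
}
MODE_RE = re.compile(r"^0[0-7]{3,4}$")


def audit_init_rc(text):
    """Return (trigger, command line, reason) tuples for risky actions."""
    findings = []
    trigger = None  # current `on ...` trigger; None outside an action block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():
            # A column-0 line starts a new section (`on`, `service`, `import`).
            trigger = line[3:].strip() if line.startswith("on ") else None
            continue
        if trigger is None:
            continue  # service options are not commands
        argv = line.split()
        if argv[0] in ("chmod", "mkdir"):
            modes = [a for a in argv[1:] if MODE_RE.match(a)]
            if modes and int(modes[0], 8) & 0o002:
                findings.append((trigger, line, "world-writable mode " + modes[0]))
        elif argv[0] == "write" and len(argv) >= 3 and argv[1] in HARDENED_SYSCTL:
            try:
                value = int(argv[2])
            except ValueError:
                continue  # ${property} expansion; cannot be judged statically
            if value < HARDENED_SYSCTL[argv[1]]:
                findings.append((trigger, line, "sysctl lowered to %d" % value))
    return findings


if __name__ == "__main__":
    for trig, cmd, reason in audit_init_rc(SAMPLE_RC):
        print("%-45s %-45s %s" % (trig, cmd, reason))
```

On the sample, `0773` is reported alongside `0777` because its last octal digit grants write and execute to others; `0775` and `0700` pass.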