Commit | Line | Data |
---|---|---|
f3fa1980 S |
1 | # Copyright (C) 2012 The Android Open Source Project |
2 | # | |
3 | # IMPORTANT: Do not create world writable files or directories. | |
4 | # This is a common source of Android security bugs. | |
5 | # | |
6 | import /init.environ.rc | |
7 | import init.ssd.rc | |
8 | import init.no_ssd.rc | |
9 | import init.ssd_nomuser.rc | |
10 | import init.fon.rc | |
11 | import init.aee.rc | |
12 | ||
13 | on early-init | |
 | # First action in this file: protects init from the OOM killer, sets init's | |
 | # SELinux context, relabels /adb_keys, starts ueventd and creates /mnt. | |
14 | # Set init and its forked children's oom_adj. | |
15 | write /proc/1/oom_score_adj -1000 | |
16 | ||
17 | # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. | |
18 | #write /sys/fs/selinux/checkreqprot 0 | |
 | # NOTE(review): the write above is commented out, so this file does not set | |
 | # checkreqprot. Confirm the strict value is applied elsewhere before relying on it. | |
19 | ||
20 | # Set the security context for the init process. | |
21 | # This should occur before anything else (e.g. ueventd) is started. | |
22 | setcon u:r:init:s0 | |
23 | ||
24 | # Set the security context of /adb_keys if present. | |
25 | restorecon /adb_keys | |
26 | ||
27 | start ueventd | |
28 | ||
29 | # create mountpoints | |
30 | mkdir /mnt 0775 root system | |
31 | ||
32 | on init | |
 | # Builds the base directory tree, compatibility symlinks, the cpuacct cgroup | |
 | # and two tmpfs mounts, then writes kernel tunables under /proc. | |
33 | ||
34 | sysclktz 0 | |
35 | ||
36 | loglevel 5 | |
37 | ||
38 | # Backward compatibility | |
39 | symlink /system/etc /etc | |
40 | symlink /sys/kernel/debug /d | |
41 | ||
42 | # Right now vendor lives on the same filesystem as system, | |
43 | # but someday that may change. | |
44 | symlink /system/vendor /vendor | |
45 | ||
46 | # Create cgroup mount point for cpu accounting | |
47 | mkdir /acct | |
48 | mount cgroup none /acct cpuacct | |
49 | mkdir /acct/uid | |
50 | ||
51 | mkdir /system | |
52 | mkdir /data 0771 system system | |
53 | mkdir /cache 0770 system cache | |
54 | mkdir /config 0500 root root | |
55 | ||
56 | # See storage config details at http://source.android.com/tech/storage/ | |
57 | mkdir /mnt/shell 0700 shell shell | |
58 | mkdir /mnt/media_rw 0700 media_rw media_rw | |
59 | mkdir /storage 0751 root sdcard_r | |
60 | ||
61 | mkdir /mnt/cd-rom 0000 system system | |
62 | ||
63 | # Directory for putting things only root should see. | |
64 | mkdir /mnt/secure 0700 root root | |
65 | ||
66 | # Directory for staging bindmounts | |
67 | mkdir /mnt/secure/staging 0700 root root | |
68 | ||
69 | # Directory-target for where the secure container | |
70 | # imagefile directory will be bind-mounted | |
71 | mkdir /mnt/secure/asec 0700 root root | |
72 | ||
73 | # Secure container public mount points. | |
 | # The tmpfs mounted on top carries its own root mode (0755, gid 1000), so the | |
 | # 0700 given to mkdir only applies while nothing is mounted there. | |
74 | mkdir /mnt/asec 0700 root system | |
75 | mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 | |
76 | ||
77 | # Filesystem image public mount points. | |
78 | mkdir /mnt/obb 0700 root system | |
79 | mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 | |
80 | ||
 | # Kernel tunables: panic on oops, hung-task timeout 0, alignment handling | |
 | # and scheduler latency values. | |
 | # NOTE(review): no hardening sysctls (for example kptr_restrict, dmesg_restrict, | |
 | # mmap_min_addr, randomize_va_space) are written in this section. Confirm they | |
 | # are set by the kernel configuration or by one of the imported rc files. | |
81 | write /proc/sys/kernel/panic_on_oops 1 | |
82 | write /proc/sys/kernel/hung_task_timeout_secs 0 | |
83 | write /proc/cpu/alignment 4 | |
84 | write /proc/sys/kernel/sched_latency_ns 10000000 | |
85 | write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 | |
86 | write /proc/sys/kernel/sched_compat_yield 1 | |
87 | ||
88 | # Healthd can trigger a full boot from charger mode by signaling this | |
89 | # property when the power button is held. | |
 | # Stops the charger class and then queues late-init, which drives the | |
 | # normal mount and boot sequence defined in this file. | |
90 | on property:sys.boot_from_charger_mode=1 | |
91 | class_stop charger | |
92 | trigger late-init | |
93 | ||
94 | # Load properties from /system/ + /factory after fs mount. | |
 | # Queued by the late-init action so it runs after the fs triggers. | |
95 | on load_all_props_action | |
96 | load_all_props | |
97 | ||
98 | # Mount filesystems and start core system services. | |
 | # Only queues other actions, in this order: early-fs, fs, post-fs, | |
 | # post-fs-data, load_all_props_action, early-boot, boot. | |
99 | on late-init | |
100 | trigger early-fs | |
101 | trigger fs | |
102 | trigger post-fs | |
103 | trigger post-fs-data | |
104 | ||
105 | # Load properties from /system/ + /factory after fs mount. Place | |
106 | # this in another action so that the load will be scheduled after the prior | |
107 | # issued fs triggers have completed. | |
108 | trigger load_all_props_action | |
109 | ||
110 | trigger early-boot | |
111 | trigger boot | |
112 | ||
113 | on fs | |
 | # Mounts every entry of /fstab.mt8127 and brackets the mount with two | |
 | # markers written to /proc/bootprof. | |
 | # NOTE(review): mount options such as nosuid/nodev/noexec live in the fstab, | |
 | # which is not shown here; review them there. | |
114 | write /proc/bootprof "INIT:eMMC:Mount_START" | |
115 | mount_all /fstab.mt8127 | |
116 | write /proc/bootprof "INIT:eMMC:Mount_END" | |
117 | ||
118 | # mount secro partition | |
 | # Both secro mount lines below are commented out, so this action does not | |
 | # mount /system/secro. | |
119 | # mount yaffs2 mtd@secstatic /system/secro ro | |
120 | # mount ext4 /dev/block/platform/mtk-msdc.0/by-name/SEC_RO /system/secro ro | |
121 | ||
122 | on post-fs | |
 | # Remounts the root filesystem read-only, then fixes ownership, mode and | |
 | # SELinux labels on /cache and adjusts two kernel-provided files. | |
123 | # once everything is setup, no need to modify / | |
124 | mount rootfs rootfs / ro remount | |
125 | ||
126 | # We chown/chmod /cache again so because mount is run as root + defaults | |
127 | chown system cache /cache | |
128 | chmod 0770 /cache | |
129 | # We restorecon /cache in case the cache partition has been reset. | |
130 | restorecon_recursive /cache | |
131 | ||
132 | #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks | |
 | # NOTE(review): only /proc/kmsg is changed below (readable by root and group | |
 | # system); nothing in this section touches sysrq-trigger despite the comment. | |
133 | chown root system /proc/kmsg | |
134 | chmod 0440 /proc/kmsg | |
135 | ||
136 | # make the selinux kernel policy world-readable | |
137 | chmod 0444 /sys/fs/selinux/policy | |
138 | ||
139 | # create the lost+found directories, so as to enforce our permissions | |
140 | mkdir /cache/lost+found 0770 root root | |
141 | ||
142 | on post-fs-data | |
 | # Runs once /data is mounted: fixes /data ownership and labels, creates the | |
 | # /data directory tree, sets permissions on vendor device nodes, starts | |
 | # NvRAMAgent and finally signals vold through vold.post_fs_data_done. | |
 | # This action is also re-run by the vold.decrypt=trigger_post_fs_data | |
 | # trigger defined later in this file. | |
143 | # We chown/chmod /data again so because mount is run as root + defaults | |
144 | chown system system /data | |
145 | chmod 0771 /data | |
146 | # We restorecon /data in case the userdata partition has been reset. | |
147 | restorecon /data | |
148 | ||
149 | ||
150 | # create basic filesystem structure | |
 | # /data/nvram uses mode 2770: the leading 2 is the setgid bit, so entries | |
 | # created inside inherit group system. | |
151 | mkdir /data/nvram 2770 root system | |
152 | mkdir /data/misc 01771 system misc | |
153 | mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth | |
154 | mkdir /data/misc/bluetooth 0770 system system | |
155 | mkdir /data/misc/keystore 0700 keystore keystore | |
156 | mkdir /data/misc/keychain 0771 system system | |
157 | mkdir /data/misc/vpn 0770 system vpn | |
158 | mkdir /data/misc/systemkeys 0700 system system | |
159 | # give system access to wpa_supplicant.conf for backup and restore | |
 | # NOTE(review): /data/misc/wifi is created here as wifi:wifi and again in the | |
 | # WiFi group below as system:wifi; the later line presumably decides the | |
 | # final owner. Keep one definition so the intended owner is unambiguous. | |
160 | mkdir /data/misc/wifi 0770 wifi wifi | |
161 | chmod 0660 /data/misc/wifi/wpa_supplicant.conf | |
162 | chmod 0660 /data/misc/wifi/p2p_supplicant.conf | |
163 | mkdir /data/local 0751 root root | |
164 | # For security reasons, /data/local/tmp should always be empty. | |
165 | # Do not place files or directories in /data/local/tmp | |
166 | mkdir /data/local/tmp 0771 shell shell | |
167 | mkdir /data/data 0771 system system | |
168 | mkdir /data/app-private 0771 system system | |
169 | mkdir /data/app-asec 0700 root root | |
170 | mkdir /data/app 0771 system system | |
171 | mkdir /data/property 0700 root root | |
172 | mkdir /data/ssh 0750 root shell | |
173 | mkdir /data/ssh/empty 0700 root root | |
174 | ||
175 | # create the lost+found directories, so as to enforce our permissions | |
176 | mkdir /data/lost+found 0770 | |
177 | ||
178 | # double check the perms, in case lost+found already exists, and set owner | |
179 | chown root root /data/lost+found | |
180 | chmod 0770 /data/lost+found | |
181 | ||
 | # NOTE(review): the five chmod 777 lines below make driver nodes readable, | |
 | # writable and executable by every uid, which is exactly what the header of | |
 | # this file warns against. Any local process can then reach the driver's | |
 | # read/write/ioctl surface, limited only by SELinux policy. Prefer 0660 with | |
 | # the owning service's uid/gid once the consumers are confirmed. The nodes | |
 | # are named MT6516 while the fstab is mt8127; if they do not exist on this | |
 | # platform the lines are dead and can be removed (verify). | |
182 | # H264 Decoder | |
183 | chmod 777 /dev/MT6516_H264_DEC | |
184 | ||
185 | # Internal SRAM Driver | |
186 | chmod 777 /dev/MT6516_Int_SRAM | |
187 | ||
188 | # MM QUEUE Driver | |
189 | chmod 777 /dev/MT6516_MM_QUEUE | |
190 | ||
191 | # MPEG4 Decoder | |
192 | chmod 777 /dev/MT6516_MP4_DEC | |
193 | ||
194 | # MPEG4 Encoder | |
195 | chmod 777 /dev/MT6516_MP4_ENC | |
196 | ||
 | # NOTE(review): 0666 on the two config files below lets any uid rewrite | |
 | # them. /etc is a symlink to /system/etc (see on init), so the second chmod | |
 | # presumably targets the system partition; confirm whether it takes effect. | |
197 | # OpenCORE proxy config | |
198 | chmod 0666 /data/http-proxy-cfg | |
199 | ||
200 | # OpenCORE player config | |
201 | chmod 0666 /etc/player.cfg | |
202 | ||
203 | start NvRAMAgent | |
204 | ||
205 | # WiFi | |
206 | mkdir /data/misc/wifi 0770 system wifi | |
207 | mkdir /data/misc/wifi/sockets 0770 system wifi | |
208 | mkdir /data/misc/dhcp 0770 dhcp dhcp | |
209 | chown dhcp dhcp /data/misc/dhcp | |
210 | chmod 0660 /sys/class/rfkill/rfkill1/state | |
211 | chown system system /sys/class/rfkill/rfkill1/state | |
212 | # Turn off wifi by default | |
213 | write /sys/class/rfkill/rfkill1/state 0 | |
214 | ||
215 | ||
216 | ||
217 | # Set this property so surfaceflinger is not started by system_init | |
218 | setprop system_init.startsurfaceflinger 0 | |
219 | ||
220 | #otp | |
221 | chmod 0660 /dev/otp | |
222 | chown root system /dev/otp | |
223 | ||
224 | # Touch Panel | |
225 | chown system system /sys/touchpanel/calibration | |
226 | chmod 0660 /sys/touchpanel/calibration | |
227 | ||
 | # NOTE(review): six more world-writable (0777) nodes, including what look | |
 | # like camera/ISP, JPEG and multimedia memory drivers. Same concern as the | |
 | # chmod 777 group above: restrict to the uid/gid of the service that uses them. | |
228 | chmod 0777 /dev/pmem_multimedia | |
229 | chmod 0777 /dev/mt6516-isp | |
230 | chmod 0777 /dev/mt6516-IDP | |
231 | chmod 0777 /dev/mt9p012 | |
232 | chmod 0777 /dev/mt6516_jpeg | |
233 | chmod 0777 /dev/FM50AF | |
234 | ||
235 | ||
236 | ||
237 | # RTC | |
238 | mkdir /data/misc/rtc 0770 system system | |
239 | ||
240 | # M4U | |
 | # The insmod and mknod lines are commented out; only the chmod runs, so the | |
 | # node must already exist for it to have any effect. | |
241 | #insmod /system/lib/modules/m4u.ko | |
242 | #mknod /dev/M4U_device c 188 0 | |
243 | chmod 0444 /dev/M4U_device | |
244 | ||
 | # NOTE(review): 0666 on /dev/sensor and /dev/mtgpio gives every uid write | |
 | # access to the sensor and GPIO drivers; narrow to a dedicated group. | |
245 | # Sensor | |
246 | chmod 0666 /dev/sensor | |
247 | ||
248 | # GPIO | |
249 | chmod 0666 /dev/mtgpio | |
250 | ||
251 | # Android SEC related device nodes | |
 | # Loads sec.ko from /system and creates char node 182:0, then restricts it | |
 | # to root:system 0660. | |
 | # NOTE(review): the mode the node has between mknod and the chmod/chown | |
 | # depends on this init's mknod default, which is not visible here; confirm | |
 | # it is not wider than 0660. | |
252 | insmod /system/lib/modules/sec.ko | |
253 | mknod /dev/sec c 182 0 | |
254 | chmod 0660 /dev/sec | |
255 | chown root system /dev/sec | |
256 | ||
257 | # device info interface | |
258 | #insmod /system/lib/modules/devinfo.ko | |
259 | #mknod /dev/devmap c 196 0; | |
260 | chmod 0440 /dev/devmap | |
261 | chown root system /dev/devmap | |
262 | ||
263 | # change key_provisioning | |
 | # NOTE(review): mkdir is called without mode or owner and the directory is | |
 | # tightened afterwards. A single "mkdir /data/key_provisioning 0770 system | |
 | # system" would create it with the final mode and owner in one step. | |
264 | mkdir /data/key_provisioning | |
265 | chmod 0770 /data/key_provisioning | |
266 | chown system system /data/key_provisioning | |
267 | ||
268 | # Separate location for storing security policy files on data | |
269 | mkdir /data/security 0711 system system | |
270 | ||
271 | # Reload policy from /data/security if present. | |
 | # NOTE(review): this makes the effective SELinux policy depend on files | |
 | # under /data/security (owner system, mode 0711). Confirm how the policy | |
 | # found there is authenticated before it is loaded. | |
272 | setprop selinux.reload_policy 1 | |
273 | ||
274 | # Set SELinux security contexts on upgrade or policy update. | |
275 | restorecon_recursive /data | |
276 | ||
277 | # If there is no fs-post-data action in the init.<device>.rc file, you | |
278 | # must uncomment this line, otherwise encrypted filesystems | |
279 | # won't work. | |
280 | # Set indication (checked by vold) that we have finished this action | |
281 | setprop vold.post_fs_data_done 1 | |
282 | ||
283 | on boot | |
 | # Runs /remount.sh, starts drvbd, brings up loopback networking and starts | |
 | # the default and core service classes. | |
 | # NOTE(review): exec launches /remount.sh from init, so the script runs with | |
 | # root privileges unless it drops them itself; its contents are not part of | |
 | # this file and should be reviewed with it. The post-fs action remounts the | |
 | # root filesystem read-only, so the chown/chmod on /remount.sh may fail | |
 | # there; do not rely on them to protect the script. | |
284 | chown root /remount.sh | |
285 | chmod 700 /remount.sh | |
286 | exec /remount.sh | |
287 | ||
288 | start drvbd | |
289 | ||
290 | # basic network init | |
291 | ifup lo | |
292 | hostname localhost | |
293 | domainname localdomain | |
294 | ||
 | # "default" is the class of every service that declares no class line, which | |
 | # in this file includes meta_tst, kisd and NvRAMAgent. | |
295 | class_start default | |
296 | class_start core | |
297 | ||
298 | on nonencrypted | |
 | # Starts the main and late_start service classes when this action is | |
 | # triggered; nothing in the visible file triggers it, so the trigger | |
 | # presumably comes from the fstab handling or an imported rc. | |
299 | class_start main | |
300 | class_start late_start | |
301 | ||
302 | on property:vold.decrypt=trigger_default_encryption | |
 | # The eight triggers from here on react to values of vold.decrypt, the | |
 | # property vold uses to step init through the encryption states. | |
303 | start defaultcrypto | |
304 | ||
305 | on property:vold.decrypt=trigger_encryption | |
306 | start surfaceflinger | |
307 | start encrypt | |
308 | ||
309 | on property:vold.decrypt=trigger_reset_main | |
310 | class_reset main | |
311 | ||
312 | on property:vold.decrypt=trigger_load_persist_props | |
313 | load_persist_props | |
314 | ||
315 | on property:vold.decrypt=trigger_post_fs_data | |
 | # Re-queues the whole post-fs-data action, including its chmod lines. | |
316 | trigger post-fs-data | |
317 | ||
318 | on property:vold.decrypt=trigger_restart_min_framework | |
319 | class_start main | |
320 | ||
321 | on property:vold.decrypt=trigger_restart_framework | |
 | # surfaceflinger and permission_check are started by name but not defined in | |
 | # the visible part of this file; presumably they come from an imported rc. | |
322 | start nvram_daemon | |
323 | class_start main | |
324 | class_start late_start | |
325 | start permission_check | |
326 | ||
327 | on property:vold.decrypt=trigger_shutdown_framework | |
328 | class_reset late_start | |
329 | class_reset main | |
330 | ||
331 | service ueventd /sbin/ueventd | |
 | # Device-node manager, started explicitly from early-init. No user line, so | |
 | # it runs as root, confined by the ueventd SELinux label set below. | |
332 | class core | |
333 | critical | |
334 | seclabel u:r:ueventd:s0 | |
335 | ||
336 | service logd /system/bin/logd | |
 | # Log daemon with three sockets owned by logd:logd. logd and logdr are 0666 | |
 | # and logdw is 0222 (write-only), so file permissions let any uid connect. | |
 | # NOTE(review): with these modes, who may read which log entries is decided | |
 | # by logd itself and by SELinux policy, not by the socket permissions. | |
337 | class core | |
338 | socket logd stream 0666 logd logd | |
339 | socket logdr seqpacket 0666 logd logd | |
340 | socket logdw dgram 0222 logd logd | |
341 | seclabel u:r:logd:s0 | |
342 | ||
343 | service console /system/bin/sh | |
 | # Shell on the console device, running as user shell in the shell SELinux | |
 | # domain. Marked disabled, so it only runs when started by name; in this | |
 | # file that happens in the ro.debuggable=1 trigger. | |
344 | class core | |
345 | console | |
346 | disabled | |
347 | user shell | |
348 | group shell log | |
349 | seclabel u:r:shell:s0 | |
350 | ||
351 | on property:sys.powerctl=* | |
 | # Fires on any value of sys.powerctl and hands that value to the powerctl | |
 | # command. | |
 | # NOTE(review): whoever may set sys.powerctl can request a power action, so | |
 | # the property's write permissions are the control point (not shown here). | |
352 | powerctl ${sys.powerctl} | |
353 | ||
354 | on property:ro.debuggable=1 | |
 | # Starts the otherwise disabled console shell on debuggable builds only. | |
355 | start console | |
356 | ||
357 | # adbd is controlled via property triggers in init.<platform>.usb.rc | |
 | # NOTE(review): this file also starts adbd itself, in the | |
 | # ro.boot.usbconfig=0 trigger, so the comment above is not the whole story. | |
358 | service adbd /sbin/adbd --root_seclabel=u:r:su:s0 | |
 | # Disabled by default; control socket is 0660 system:system. The | |
 | # --root_seclabel argument names the su domain as the label adbd is to use | |
 | # when it keeps root; confirm the su domain is absent from production policy. | |
359 | class core | |
360 | socket adbd stream 660 system system | |
361 | disabled | |
362 | seclabel u:r:adbd:s0 | |
363 | ||
364 | service vold /system/bin/vold | |
 | # Volume daemon. No user line, so it runs as root; its control socket is | |
 | # 0660 root:mount. No seclabel is given here, so its SELinux domain is left | |
 | # to policy. | |
365 | class core | |
366 | socket vold stream 0660 root mount | |
367 | ioprio be 2 | |
368 | ||
369 | # One shot invocation to deal with encrypted volume. | |
 | # Disabled and oneshot: runs only when started by name (the | |
 | # vold.decrypt=trigger_default_encryption trigger) and is not restarted. | |
370 | service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted | |
371 | disabled | |
372 | oneshot | |
373 | # vold will set vold.decrypt to trigger_restart_framework (default | |
374 | # encryption) or trigger_restart_min_framework (other encryption) | |
375 | ||
376 | # One shot invocation to encrypt unencrypted volumes | |
 | # Disabled and oneshot: started by name from the | |
 | # vold.decrypt=trigger_encryption trigger. | |
377 | service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default | |
378 | disabled | |
379 | oneshot | |
380 | # vold will set vold.decrypt to trigger_restart_framework (default | |
381 | # encryption) | |
382 | ||
383 | service meta_tst /system/bin/meta_tst | |
 | # NOTE(review): meta_tst and kisd declare no class, user, group or seclabel. | |
 | # They therefore fall into the default class (started by class_start default | |
 | # in on boot) and run as root. If either does not need root, add user/group | |
 | # lines and an explicit seclabel. | |
384 | ||
385 | #drm operation server | |
386 | service kisd /system/bin/kisd | |
387 | ||
388 | service servicemanager /system/bin/servicemanager | |
 | # Runs as system:system in class core. Marked critical, so init treats | |
 | # repeated crashes of this service as fatal for the boot. | |
389 | class core | |
390 | user system | |
391 | group system | |
392 | critical | |
393 | service nvram_daemon /system/bin/nvram_daemon | |
 | # Oneshot in class main, explicitly run as root with group system. Also | |
 | # started by name in the vold.decrypt=trigger_restart_framework trigger. | |
394 | class main | |
395 | user root | |
396 | group system | |
397 | oneshot | |
398 | ||
399 | service NvRAMAgent /system/bin/nvram_agent_binder | |
 | # Runs as system:system. No class line, so it is in the default class; it is | |
 | # also started by name from post-fs-data. | |
400 | user system | |
401 | group system | |
402 | ||
403 | service drvbd /system/bin/drvbd | |
 | # Runs as system:system in class main; on boot also starts it by name. | |
404 | class main | |
405 | user system | |
406 | group system | |
407 | ||
408 | service debuggerd /system/bin/debuggerd | |
 | # Crash-dump daemons for 32-bit and 64-bit processes. Neither declares a | |
 | # user, so both run as root in class main. | |
409 | class main | |
410 | ||
411 | service debuggerd64 /system/bin/debuggerd64 | |
412 | class main | |
413 | ||
414 | ||
415 | service mobile_log_d /system/bin/mobile_log_d | |
 | # Vendor logging daemon in class main. No user line, so it runs as root. | |
 | # NOTE(review): where it stores logs and who can read them is not visible | |
 | # here; check that before leaving it enabled on production images. | |
416 | class main | |
417 | ||
 | # The two triggers below stop or start the daemon from the boot property | |
 | # ro.boot.mblogenable. | |
418 | on property:ro.boot.mblogenable=0 | |
419 | stop mobile_log_d | |
420 | ||
421 | on property:ro.boot.mblogenable=1 | |
422 | start mobile_log_d | |
423 | ||
424 | #mass_storage,adb,acm | |
 | # Configures the USB gadget as mass_storage + adb + acm with the device | |
 | # serial number as iSerial, re-enables it and starts adbd. | |
 | # NOTE(review): adb is enabled here purely from the boot property | |
 | # ro.boot.usbconfig; no user-facing debugging setting is consulted in this | |
 | # file. Whether adb host-key authentication applies depends on properties | |
 | # set elsewhere (ro.adb.secure). Confirm this path cannot be reached on | |
 | # production boots, or gate it on ro.debuggable. | |
425 | on property:ro.boot.usbconfig=0 | |
426 | write /sys/class/android_usb/android0/iSerial $ro.serialno | |
427 | write /sys/class/android_usb/android0/enable 0 | |
428 | write /sys/class/android_usb/android0/idVendor 0e8d | |
429 | write /sys/class/android_usb/android0/idProduct 2006 | |
430 | write /sys/class/android_usb/android0/f_acm/instances 1 | |
431 | write /sys/class/android_usb/android0/functions mass_storage,adb,acm | |
432 | write /sys/class/android_usb/android0/enable 1 | |
433 | start adbd | |
434 | ||
435 | #acm | |
436 | on property:ro.boot.usbconfig=1 | |
437 | write /sys/class/android_usb/android0/enable 0 | |
438 | write /sys/class/android_usb/android0/iSerial " " | |
439 | write /sys/class/android_usb/android0/idVendor 0e8d | |
440 | write /sys/class/android_usb/android0/idProduct 2007 | |
441 | write /sys/class/android_usb/android0/f_acm/instances 1 | |
442 | write /sys/class/android_usb/android0/functions acm | |
443 | write /sys/class/android_usb/android0/bDeviceClass 02 | |
444 | write /sys/class/android_usb/android0/enable 1 |