1 # Copyright (C) 2012 The Android Open Source Project
3 # IMPORTANT: Do not create world writable files or directories.
4 # This is a common source of Android security bugs.
6 import /init.environ.rc
9 import init.ssd_nomuser.rc
14 # Set init and its forked children's oom_adj.
# -1000 is the minimum oom_score_adj, which exempts PID 1 from the kernel OOM killer.
15 write /proc/1/oom_score_adj -1000
17 # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
# NOTE(review): the write below is commented out, so this file never sets
# checkreqprot to 0. Whether SELinux checks the protection the kernel actually
# applies (0) or only the one the process requested (1) then depends on the
# kernel default or on another rc file - confirm which is in effect.
18 #write /sys/fs/selinux/checkreqprot 0
20 # Set the security context for the init process.
21 # This should occur before anything else (e.g. ueventd) is started.
# NOTE(review): the command these two lines describe is not visible in this
# listing; confirm init is actually moved into its own SELinux domain here.
24 # Set the security context of /adb_keys if present.
# NOTE(review): likewise, no command follows this comment in the listing.
# Root-level mount points and compatibility symlinks.
30 mkdir /mnt 0775 root system
38 # Backward compatibility
39 symlink /system/etc /etc
# /d is a short alias for debugfs. NOTE(review): the symlink itself grants
# nothing, but confirm how debugfs is mounted (mode and SELinux label) on
# production builds, since it exposes kernel and driver internals.
40 symlink /sys/kernel/debug /d
42 # Right now vendor lives on the same filesystem as system,
43 # but someday that may change.
44 symlink /system/vendor /vendor
46 # Create cgroup mount point for cpu accounting
48 mount cgroup none /acct cpuacct
# 0771: other users may traverse /data but not list it.
# 0770: /cache is limited to the system user and the cache group.
# 0500: /config is readable and traversable by root only.
52 mkdir /data 0771 system system
53 mkdir /cache 0770 system cache
54 mkdir /config 0500 root root
56 # See storage config details at http://source.android.com/tech/storage/
57 mkdir /mnt/shell 0700 shell shell
58 mkdir /mnt/media_rw 0700 media_rw media_rw
59 mkdir /storage 0751 root sdcard_r
# Mode 0000: no permission bits are set for any user on this mount point.
61 mkdir /mnt/cd-rom 0000 system system
63 # Directory for putting things only root should see.
64 mkdir /mnt/secure 0700 root root
66 # Directory for staging bindmounts
67 mkdir /mnt/secure/staging 0700 root root
69 # Directory-target for where the secure container
70 # imagefile directory will be bind-mounted
71 mkdir /mnt/secure/asec 0700 root root
73 # Secure container public mount points.
# The directory is created 0700, but the tmpfs mounted on top of it carries its
# own root mode (0755) and group (gid=1000), which is what callers see afterwards.
# NOTE(review): gid 1000 is presumably the Android "system" group - confirm.
74 mkdir /mnt/asec 0700 root system
75 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
77 # Filesystem image public mount points.
# Same pattern as /mnt/asec: 0700 directory, 0755 tmpfs mounted over it.
78 mkdir /mnt/obb 0700 root system
79 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
# Kernel tunables.
# Turn a kernel oops into a panic instead of continuing in a possibly
# corrupted state.
81 write /proc/sys/kernel/panic_on_oops 1
# 0 disables the hung-task detector.
82 write /proc/sys/kernel/hung_task_timeout_secs 0
# NOTE(review): on ARM, the value 4 presumably selects "signal the process" for
# unaligned accesses - confirm against the kernel's alignment-trap documentation.
83 write /proc/cpu/alignment 4
# Scheduler tuning: 10 ms latency target, 2 ms wakeup granularity.
84 write /proc/sys/kernel/sched_latency_ns 10000000
85 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
86 write /proc/sys/kernel/sched_compat_yield 1
88 # Healthd can trigger a full boot from charger mode by signaling this
89 # property when the power button is held.
90 on property:sys.boot_from_charger_mode=1
# NOTE(review): the commands belonging to this action are not visible in this listing.
94 # Load properties from /system/ + /factory after fs mount.
95 on load_all_props_action
# NOTE(review): the commands belonging to this action are not visible in this listing.
98 # Mount filesystems and start core system services.
105 # Load properties from /system/ + /factory after fs mount. Place
106 # this in another action so that the load will be scheduled after the prior
107 # issued fs triggers have completed.
108 trigger load_all_props_action
# Boot-profiling markers written before and after the fstab mount.
114 write /proc/bootprof "INIT:eMMC:Mount_START"
# Mount every filesystem listed in the device fstab.
115 mount_all /fstab.mt8127
116 write /proc/bootprof "INIT:eMMC:Mount_END"
118 # mount secro partition
# Both variants below are commented out, so nothing is mounted on /system/secro here.
119 # mount yaffs2 mtd@secstatic /system/secro ro
120 # mount ext4 /dev/block/platform/mtk-msdc.0/by-name/SEC_RO /system/secro ro
123 # once everything is setup, no need to modify /
# With rootfs read-only, the rc files and binaries in / cannot be written
# until something remounts it read-write.
124 mount rootfs rootfs / ro remount
126 # We chown/chmod /cache again because mount is run as root + defaults
127 chown system cache /cache
129 # We restorecon /cache in case the cache partition has been reset.
130 restorecon_recursive /cache
132 # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
# The kernel log may reveal kernel addresses and driver state, so it is limited
# to root and the system group, read-only.
# NOTE(review): the comment above also mentions sysrq-trigger, but no command
# for it is visible in this listing.
133 chown root system /proc/kmsg
134 chmod 0440 /proc/kmsg
136 # make the selinux kernel policy world-readable
137 chmod 0444 /sys/fs/selinux/policy
139 # create the lost+found directories, so as to enforce our permissions
140 mkdir /cache/lost+found 0770 root root
143 # We chown/chmod /data again because mount is run as root + defaults
144 chown system system /data
146 # We restorecon /data in case the userdata partition has been reset.
150 # create basic filesystem structure
# Leading 2 = setgid: entries created inside inherit the directory's group (system).
151 mkdir /data/nvram 2770 root system
# Leading 1 = sticky bit: an entry can be removed only by its owner, the
# directory owner or root.
152 mkdir /data/misc 01771 system misc
153 mkdir /data/misc/bluetoothd 0770 bluetooth bluetooth
154 mkdir /data/misc/bluetooth 0770 system system
# Key-material directories (keystore, systemkeys) are owner-only (0700).
155 mkdir /data/misc/keystore 0700 keystore keystore
156 mkdir /data/misc/keychain 0771 system system
157 mkdir /data/misc/vpn 0770 system vpn
158 mkdir /data/misc/systemkeys 0700 system system
159 # give system access to wpa_supplicant.conf for backup and restore
# NOTE(review): this file creates /data/misc/wifi a second time further down as
# system:wifi; confirm which owner is intended to be final.
160 mkdir /data/misc/wifi 0770 wifi wifi
# These files normally hold Wi-Fi network credentials; 0660 keeps them away
# from other users. The chmod has nothing to act on if the files do not exist yet.
161 chmod 0660 /data/misc/wifi/wpa_supplicant.conf
162 chmod 0660 /data/misc/wifi/p2p_supplicant.conf
163 mkdir /data/local 0751 root root
164 # For security reasons, /data/local/tmp should always be empty.
165 # Do not place files or directories in /data/local/tmp
166 mkdir /data/local/tmp 0771 shell shell
167 mkdir /data/data 0771 system system
168 mkdir /data/app-private 0771 system system
169 mkdir /data/app-asec 0700 root root
170 mkdir /data/app 0771 system system
171 mkdir /data/property 0700 root root
172 mkdir /data/ssh 0750 root shell
173 mkdir /data/ssh/empty 0700 root root
175 # create the lost+found directories, so as to enforce our permissions
# No owner is given here; owner and mode are set explicitly by the two commands below.
176 mkdir /data/lost+found 0770
178 # double check the perms, in case lost+found already exists, and set owner
179 chown root root /data/lost+found
180 chmod 0770 /data/lost+found
# NOTE(review): mode 777 makes these device nodes readable and writable by every
# user on the device, which is what the header of this file warns against.
# Unless SELinux policy restricts them, any local process can reach these
# drivers directly. Prefer 0660 with an owner/group matching the daemons that
# use them (not visible here - confirm); the execute bit has no use on a
# device node.
183 chmod 777 /dev/MT6516_H264_DEC
185 # Internal SRAM Driver
186 chmod 777 /dev/MT6516_Int_SRAM
189 chmod 777 /dev/MT6516_MM_QUEUE
192 chmod 777 /dev/MT6516_MP4_DEC
195 chmod 777 /dev/MT6516_MP4_ENC
197 # OpenCORE proxy config
# NOTE(review): 0666 lets any user rewrite the proxy configuration under /data;
# if only the media stack needs to write it, 0644 or 0660 would be tighter - confirm.
198 chmod 0666 /data/http-proxy-cfg
200 # OpenCORE player config
# NOTE(review): /etc is a symlink to /system/etc in this file, so this targets a
# file on the system partition; world-writable is not appropriate there, and the
# chmod may not even succeed if /system is mounted read-only - confirm.
201 chmod 0666 /etc/player.cfg
# NOTE(review): /data/misc/wifi is also created earlier in this file
# (mkdir /data/misc/wifi 0770 wifi wifi). The two commands name different
# owners; which one ends up in effect depends on how init treats mkdir on an
# existing directory - confirm and keep a single definition.
206 mkdir /data/misc/wifi 0770 system wifi
207 mkdir /data/misc/wifi/sockets 0770 system wifi
208 mkdir /data/misc/dhcp 0770 dhcp dhcp
209 chown dhcp dhcp /data/misc/dhcp
# Restrict the radio kill switch to the system user and group.
# NOTE(review): rfkill1 is assumed to be the Wi-Fi radio; rfkill indices depend
# on driver registration order - confirm on the target kernel.
210 chmod 0660 /sys/class/rfkill/rfkill1/state
211 chown system system /sys/class/rfkill/rfkill1/state
212 # Turn off wifi by default
213 write /sys/class/rfkill/rfkill1/state 0
217 # Set this property so surfaceflinger is not started by system_init
218 setprop system_init.startsurfaceflinger 0
# NOTE(review): only the ownership of /dev/otp is set here; no chmod for it is
# visible in this listing - confirm its mode is not left wider than root/system.
222 chown root system /dev/otp
# Touch-panel calibration is writable by the system user and group only.
225 chown system system /sys/touchpanel/calibration
226 chmod 0660 /sys/touchpanel/calibration
# NOTE(review): 0777 makes each of these nodes readable and writable by every
# user. The names suggest multimedia-memory, ISP/camera, JPEG and lens drivers
# (not confirmed from this file). Unless SELinux policy restricts them, any
# local process can open them; prefer 0660 with a dedicated owner/group.
228 chmod 0777 /dev/pmem_multimedia
229 chmod 0777 /dev/mt6516-isp
230 chmod 0777 /dev/mt6516-IDP
231 chmod 0777 /dev/mt9p012
232 chmod 0777 /dev/mt6516_jpeg
233 chmod 0777 /dev/FM50AF
238 mkdir /data/misc/rtc 0770 system system
# The insmod and mknod for the M4U device are commented out, so the chmod below
# only has an effect if the node is created elsewhere.
241 #insmod /system/lib/modules/m4u.ko
242 #mknod /dev/M4U_device c 188 0
243 chmod 0444 /dev/M4U_device
# NOTE(review): 0666 makes the sensor and GPIO nodes writable by every user on
# the device. GPIO access in particular is hardware control; prefer 0660 with
# the owning service's user/group unless SELinux policy already confines it.
246 chmod 0666 /dev/sensor
249 chmod 0666 /dev/mtgpio
251 # Android SEC related device nodes
# Loads a kernel module from /system and creates its character device
# (major 182, minor 0), owned by root with group system.
# NOTE(review): no chmod for /dev/sec is visible in this listing; confirm the
# node's mode is limited to root and the system group.
252 insmod /system/lib/modules/sec.ko
253 mknod /dev/sec c 182 0
255 chown root system /dev/sec
257 # device info interface
# As with M4U, module load and mknod are commented out; only mode and owner
# are applied here.
258 #insmod /system/lib/modules/devinfo.ko
259 #mknod /dev/devmap c 196 0;
260 chmod 0440 /dev/devmap
261 chown root system /dev/devmap
263 # change key_provisioning
# NOTE(review): the directory is first created with init's default mode and
# owner and only then narrowed to 0770 system:system. Passing both to mkdir
# (`mkdir /data/key_provisioning 0770 system system`) avoids that intermediate
# state for a directory that, by its name, holds key material.
264 mkdir /data/key_provisioning
265 chmod 0770 /data/key_provisioning
266 chown system system /data/key_provisioning
268 # Separate location for storing security policy files on data
# 0711: other users may traverse the directory but not list it.
269 mkdir /data/security 0711 system system
271 # Reload policy from /data/security if present.
# NOTE(review): a policy found under /data/security presumably takes effect in
# place of the one shipped with the boot image, so write access to that
# directory is security-critical; confirm only verified updates can land there.
272 setprop selinux.reload_policy 1
274 # Set SELinux security contexts on upgrade or policy update.
275 restorecon_recursive /data
277 # If there is no fs-post-data action in the init.<device>.rc file, you
278 # must uncomment this line, otherwise encrypted filesystems
280 # Set indication (checked by vold) that we have finished this action
281 setprop vold.post_fs_data_done 1
# Root-owned, owner-only script in the root filesystem.
# NOTE(review): its contents are not shown here. The name suggests it remounts a
# filesystem read-write - confirm it is not shipped on production builds and
# cannot be invoked by a non-root caller.
284 chown root /remount.sh
285 chmod 700 /remount.sh
# Set the kernel domain name.
293 domainname localdomain
300 class_start late_start
# vold drives the encrypted-boot flow by setting vold.decrypt; each value below
# fires one action.
# NOTE(review): for most of these actions the commands are not visible in this
# listing, so what each one starts or resets cannot be reviewed from here.
302 on property:vold.decrypt=trigger_default_encryption
305 on property:vold.decrypt=trigger_encryption
309 on property:vold.decrypt=trigger_reset_main
312 on property:vold.decrypt=trigger_load_persist_props
315 on property:vold.decrypt=trigger_post_fs_data
318 on property:vold.decrypt=trigger_restart_min_framework
321 on property:vold.decrypt=trigger_restart_framework
324 class_start late_start
# NOTE(review): permission_check is not defined in the visible part of this
# file - presumably a vendor service; confirm what it runs and as which user.
325 start permission_check
327 on property:vold.decrypt=trigger_shutdown_framework
328 class_reset late_start
# ueventd is given its own SELinux context.
331 service ueventd /sbin/ueventd
334 seclabel u:r:ueventd:s0
336 service logd /system/bin/logd
# Each socket line gives name, type, mode, owner and group. logd and logdr are
# 0666 (any process may connect); logdw is 0222 (write-only).
# NOTE(review): who may read logs therefore rests on logd's own checks and on
# SELinux policy rather than on these file modes - confirm.
338 socket logd stream 0666 logd logd
339 socket logdr seqpacket 0666 logd logd
340 socket logdw dgram 0222 logd logd
343 service console /system/bin/sh
# NOTE(review): only the seclabel option of this service is visible in the
# listing; confirm it also carries `disabled` and a non-root `user`, so that a
# console shell is not available on production builds.
349 seclabel u:r:shell:s0
# Pass any value written to sys.powerctl on to init's powerctl command.
351 on property:sys.powerctl=*
352 powerctl ${sys.powerctl}
354 on property:ro.debuggable=1
# NOTE(review): the commands for the ro.debuggable=1 action are not visible here.
357 # adbd is controlled via property triggers in init.<platform>.usb.rc
# --root_seclabel presumably names the SELinux context adbd uses when it keeps
# root. NOTE(review): this file also enables the adb USB function from its
# ro.boot.usbconfig=0 action; confirm adbd cannot run as root on user builds.
358 service adbd /sbin/adbd --root_seclabel=u:r:su:s0
360 socket adbd stream 660 system system
364 service vold /system/bin/vold
# vold's control socket is limited to root and the mount group.
366 socket vold stream 0660 root mount
369 # One shot invocation to deal with encrypted volume.
370 service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
373 # vold will set vold.decrypt to trigger_restart_framework (default
374 # encryption) or trigger_restart_min_framework (other encryption)
376 # One shot invocation to encrypt unencrypted volumes
# NOTE(review): `default` presumably selects the default (non-user) password,
# which protects data at rest only as far as the hardware-bound key does - confirm.
377 service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
380 # vold will set vold.decrypt to trigger_restart_framework (default
# NOTE(review): for every service below only the `service` line is visible; the
# user, group, class and seclabel options are not. Confirm that each one runs as
# the least-privileged user/group it can and has its own SELinux domain.
# NOTE(review): meta_tst looks like a vendor factory/test-mode daemon - confirm
# it cannot start during a normal boot of a production build.
383 service meta_tst /system/bin/meta_tst
385 # drm operation server
386 service kisd /system/bin/kisd
388 service servicemanager /system/bin/servicemanager
393 service nvram_daemon /system/bin/nvram_daemon
399 service NvRAMAgent /system/bin/nvram_agent_binder
403 service drvbd /system/bin/drvbd
408 service debuggerd /system/bin/debuggerd
411 service debuggerd64 /system/bin/debuggerd64
415 service mobile_log_d /system/bin/mobile_log_d
# NOTE(review): the commands for the two mblogenable actions are not visible here.
418 on property:ro.boot.mblogenable=0
421 on property:ro.boot.mblogenable=1
424 # mass_storage,adb,acm
# ro.boot.* properties are normally derived from the kernel command line, so the
# bootloader decides which of the two USB configurations below is applied.
# NOTE(review): this action turns on the adb and ACM serial functions directly
# through sysfs, without consulting the user-controlled USB-debugging setting.
# Confirm it is reachable only in a factory/test boot mode and that adbd still
# requires host-key authorisation there.
# NOTE(review): iSerial is written before the gadget is disabled here, whereas
# the usbconfig=1 action disables it first - confirm the ordering is intended.
425 on property:ro.boot.usbconfig=0
426 write /sys/class/android_usb/android0/iSerial $ro.serialno
427 write /sys/class/android_usb/android0/enable 0
428 write /sys/class/android_usb/android0/idVendor 0e8d
429 write /sys/class/android_usb/android0/idProduct 2006
430 write /sys/class/android_usb/android0/f_acm/instances 1
431 write /sys/class/android_usb/android0/functions mass_storage,adb,acm
432 write /sys/class/android_usb/android0/enable 1
# ACM-only configuration: the serial number is blanked and the device class is
# set to 02.
# NOTE(review): the ACM port is a host-reachable interface; the service that
# listens on it is not identified in this listing - confirm it is limited to
# factory mode or authenticates its peer.
436 on property:ro.boot.usbconfig=1
437 write /sys/class/android_usb/android0/enable 0
438 write /sys/class/android_usb/android0/iSerial " "
439 write /sys/class/android_usb/android0/idVendor 0e8d
440 write /sys/class/android_usb/android0/idProduct 2007
441 write /sys/class/android_usb/android0/f_acm/instances 1
442 write /sys/class/android_usb/android0/functions acm
443 write /sys/class/android_usb/android0/bDeviceClass 02
444 write /sys/class/android_usb/android0/enable 1