diff options
author | Vishal Bhoj <vishal.bhoj@hackbox.linaro.org> | 2014-11-18 12:13:25 +0000 |
---|---|---|
committer | Vishal Bhoj <vishal.bhoj@hackbox.linaro.org> | 2014-11-18 12:13:25 +0000 |
commit | b894787129374d77cae1f6fe020043cc634649a7 (patch) | |
tree | c02f419c9c61921ec455b60e09e8676a6cf6eff8 | |
parent | 34693a81aba52a4e42cf77e5eaac7d6d3108821b (diff) | |
download | vexpress-b894787129374d77cae1f6fe020043cc634649a7.tar.gz |
(HACK): provide modified init.rc
Change-Id: Iab73799652497dc9ed0323b526e520a68f725903
Signed-off-by: Vishal Bhoj <vishal.bhoj@hackbox.linaro.org>
-rw-r--r-- | device.mk | 3 | ||||
-rw-r--r-- | init.rc | 640 |
2 files changed, 643 insertions, 0 deletions
@@ -1,4 +1,7 @@ +TARGET_PROVIDES_INIT_RC := true + PRODUCT_COPY_FILES := \ + device/linaro/vexpress/init.rc:root/init.rc \ device/linaro/vexpress/fstab.arm-versatileexpress:root/fstab.arm-versatileexpress \ device/linaro/vexpress/fstab.arm-versatileexpress-usb:root/fstab.arm-versatileexpress-usb \ device/linaro/build/fstab.partitions:root/fstab.v2p-aarch64 \ @@ -0,0 +1,640 @@ +# Copyright (C) 2012 The Android Open Source Project +# +# IMPORTANT: Do not create world writable files or directories. +# This is a common source of Android security bugs. +# + +import /init.environ.rc +import /init.usb.rc +import /init.${ro.hardware}.rc +import /init.${ro.zygote}.rc +import /init.trace.rc + +on early-init + # Set init and its forked children's oom_adj. + write /proc/1/oom_score_adj -1000 + + # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. + write /sys/fs/selinux/checkreqprot 0 + + # Set the security context for the init process. + # This should occur before anything else (e.g. ueventd) is started. + setcon u:r:init:s0 + + # Set the security context of /adb_keys if present. + restorecon /adb_keys + + start ueventd + + # create mountpoints + mkdir /mnt 0775 root system + +on init + sysclktz 0 + + loglevel 3 + + # Backward compatibility + symlink /system/etc /etc + symlink /sys/kernel/debug /d + + # Right now vendor lives on the same filesystem as system, + # but someday that may change. + symlink /system/vendor /vendor + + # Create cgroup mount point for cpu accounting + mkdir /acct + mount cgroup none /acct cpuacct + mkdir /acct/uid + + # Create cgroup mount point for memory + mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000 + mkdir /sys/fs/cgroup/memory 0750 root system + mount cgroup none /sys/fs/cgroup/memory memory + write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 + chown root system /sys/fs/cgroup/memory/tasks + chmod 0660 /sys/fs/cgroup/memory/tasks + mkdir /sys/fs/cgroup/memory/sw 0750 root system + write /sys/fs/cgroup/memory/sw/memory.swappiness 100 + write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1 + chown root system /sys/fs/cgroup/memory/sw/tasks + chmod 0660 /sys/fs/cgroup/memory/sw/tasks + + mkdir /system + mkdir /data 0771 system system + mkdir /cache 0770 system cache + mkdir /config 0500 root root + + # See storage config details at http://source.android.com/tech/storage/ + mkdir /mnt/shell 0700 shell shell + mkdir /mnt/media_rw 0700 media_rw media_rw + mkdir /storage 0751 root sdcard_r + + # Directory for putting things only root should see. + mkdir /mnt/secure 0700 root root + + # Directory for staging bindmounts + mkdir /mnt/secure/staging 0700 root root + + # Directory-target for where the secure container + # imagefile directory will be bind-mounted + mkdir /mnt/secure/asec 0700 root root + + # Secure container public mount points. + mkdir /mnt/asec 0700 root system + mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 + + # Filesystem image public mount points. + mkdir /mnt/obb 0700 root system + mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 + + # memory control cgroup + mkdir /dev/memcg 0700 root system + mount cgroup none /dev/memcg memory + + write /proc/sys/kernel/panic_on_oops 1 + write /proc/sys/kernel/hung_task_timeout_secs 0 + write /proc/cpu/alignment 4 + write /proc/sys/kernel/sched_latency_ns 10000000 + write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 + write /proc/sys/kernel/sched_compat_yield 1 + write /proc/sys/kernel/sched_child_runs_first 0 + write /proc/sys/kernel/randomize_va_space 2 + write /proc/sys/kernel/kptr_restrict 2 + write /proc/sys/vm/mmap_min_addr 32768 + write /proc/sys/net/ipv4/ping_group_range "0 2147483647" + write /proc/sys/net/unix/max_dgram_qlen 300 + write /proc/sys/kernel/sched_rt_runtime_us 950000 + write /proc/sys/kernel/sched_rt_period_us 1000000 + + # reflect fwmark from incoming packets onto generated replies + write /proc/sys/net/ipv4/fwmark_reflect 1 + write /proc/sys/net/ipv6/fwmark_reflect 1 + + # set fwmark on accepted sockets + write /proc/sys/net/ipv4/tcp_fwmark_accept 1 + + # Create cgroup mount points for process groups + mkdir /dev/cpuctl + mount cgroup none /dev/cpuctl cpu + chown system system /dev/cpuctl + chown system system /dev/cpuctl/tasks + chmod 0660 /dev/cpuctl/tasks + write /dev/cpuctl/cpu.shares 1024 + write /dev/cpuctl/cpu.rt_runtime_us 950000 + write /dev/cpuctl/cpu.rt_period_us 1000000 + + mkdir /dev/cpuctl/apps + chown system system /dev/cpuctl/apps/tasks + chmod 0666 /dev/cpuctl/apps/tasks + write /dev/cpuctl/apps/cpu.shares 1024 + write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 + write /dev/cpuctl/apps/cpu.rt_period_us 1000000 + + mkdir /dev/cpuctl/apps/bg_non_interactive + chown system system /dev/cpuctl/apps/bg_non_interactive/tasks + chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks + # 5.0 % + write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 + write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 + write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 + + # qtaguid will limit access to specific data based on group memberships. + # net_bw_acct grants impersonation of socket owners. + # net_bw_stats grants access to other apps' detailed tagged-socket stats. + chown root net_bw_acct /proc/net/xt_qtaguid/ctrl + chown root net_bw_stats /proc/net/xt_qtaguid/stats + + # Allow everybody to read the xt_qtaguid resource tracking misc dev. + # This is needed by any process that uses socket tagging. + chmod 0644 /dev/xt_qtaguid + + # Create location for fs_mgr to store abbreviated output from filesystem + # checker programs. + mkdir /dev/fscklogs 0770 root system + + # pstore/ramoops previous console log + mount pstore pstore /sys/fs/pstore + chown system log /sys/fs/pstore/console-ramoops + chmod 0440 /sys/fs/pstore/console-ramoops + +# Healthd can trigger a full boot from charger mode by signaling this +# property when the power button is held. +on property:sys.boot_from_charger_mode=1 + class_stop charger + trigger late-init + +# Load properties from /system/ + /factory after fs mount. +on load_all_props_action + load_all_props + +# Indicate to fw loaders that the relevant mounts are up. +on firmware_mounts_complete + rm /dev/.booting + +# Mount filesystems and start core system services. +on late-init + trigger early-fs + trigger fs + trigger post-fs + trigger post-fs-data + + # Load properties from /system/ + /factory after fs mount. Place + # this in another action so that the load will be scheduled after the prior + # issued fs triggers have completed. + trigger load_all_props_action + + # Remove a file to wake up anything waiting for firmware. + trigger firmware_mounts_complete + + trigger early-boot + trigger boot + + +on post-fs + # once everything is setup, no need to modify / + mount rootfs rootfs / ro remount + # mount shared so changes propagate into child namespaces + mount rootfs rootfs / shared rec + + # We chown/chmod /cache again so because mount is run as root + defaults + chown system cache /cache + chmod 0770 /cache + # We restorecon /cache in case the cache partition has been reset. + restorecon_recursive /cache + + # This may have been created by the recovery system with odd permissions + chown system cache /cache/recovery + chmod 0770 /cache/recovery + + #change permissions on vmallocinfo so we can grab it from bugreports + chown root log /proc/vmallocinfo + chmod 0440 /proc/vmallocinfo + + chown root log /proc/slabinfo + chmod 0440 /proc/slabinfo + + #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks + chown root system /proc/kmsg + chmod 0440 /proc/kmsg + chown root system /proc/sysrq-trigger + chmod 0220 /proc/sysrq-trigger + chown system log /proc/last_kmsg + chmod 0440 /proc/last_kmsg + + # make the selinux kernel policy world-readable + chmod 0444 /sys/fs/selinux/policy + + # create the lost+found directories, so as to enforce our permissions + mkdir /cache/lost+found 0770 root root + +on post-fs-data + # We chown/chmod /data again so because mount is run as root + defaults + chown system system /data + chmod 0771 /data + # We restorecon /data in case the userdata partition has been reset. + restorecon /data + + # Avoid predictable entropy pool. Carry over entropy from previous boot. + copy /data/system/entropy.dat /dev/urandom + + # Create dump dir and collect dumps. + # Do this before we mount cache so eventually we can use cache for + # storing dumps on platforms which do not have a dedicated dump partition. + mkdir /data/dontpanic 0750 root log + + # Collect apanic data, free resources and re-arm trigger + copy /proc/apanic_console /data/dontpanic/apanic_console + chown root log /data/dontpanic/apanic_console + chmod 0640 /data/dontpanic/apanic_console + + copy /proc/apanic_threads /data/dontpanic/apanic_threads + chown root log /data/dontpanic/apanic_threads + chmod 0640 /data/dontpanic/apanic_threads + + write /proc/apanic_console 1 + + # create basic filesystem structure + mkdir /data/misc 01771 system misc + mkdir /data/misc/adb 02750 system shell + mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack + mkdir /data/misc/bluetooth 0770 system system + mkdir /data/misc/keystore 0700 keystore keystore + mkdir /data/misc/keychain 0771 system system + mkdir /data/misc/net 0750 root shell + mkdir /data/misc/radio 0770 system radio + mkdir /data/misc/sms 0770 system radio + mkdir /data/misc/zoneinfo 0775 system system + mkdir /data/misc/vpn 0770 system vpn + mkdir /data/misc/shared_relro 0771 shared_relro shared_relro + mkdir /data/misc/systemkeys 0700 system system + mkdir /data/misc/wifi 0770 wifi wifi + mkdir /data/misc/wifi/sockets 0770 wifi wifi + mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi + mkdir /data/misc/ethernet 0770 system system + mkdir /data/misc/dhcp 0770 dhcp dhcp + mkdir /data/misc/user 0771 root root + # give system access to wpa_supplicant.conf for backup and restore + chmod 0660 /data/misc/wifi/wpa_supplicant.conf + mkdir /data/local 0751 root root + mkdir /data/misc/media 0700 media media + + # For security reasons, /data/local/tmp should always be empty. + # Do not place files or directories in /data/local/tmp + mkdir /data/local/tmp 0771 shell shell + mkdir /data/data 0771 system system + mkdir /data/app-private 0771 system system + mkdir /data/app-asec 0700 root root + mkdir /data/app-lib 0771 system system + mkdir /data/app 0771 system system + mkdir /data/property 0700 root root + + # create dalvik-cache, so as to enforce our permissions + mkdir /data/dalvik-cache 0771 root root + mkdir /data/dalvik-cache/profiles 0711 system system + + # create resource-cache and double-check the perms + mkdir /data/resource-cache 0771 system system + chown system system /data/resource-cache + chmod 0771 /data/resource-cache + + # create the lost+found directories, so as to enforce our permissions + mkdir /data/lost+found 0770 root root + + # create directory for DRM plug-ins - give drm the read/write access to + # the following directory. + mkdir /data/drm 0770 drm drm + + # create directory for MediaDrm plug-ins - give drm the read/write access to + # the following directory. + mkdir /data/mediadrm 0770 mediadrm mediadrm + + # symlink to bugreport storage location + symlink /data/data/com.android.shell/files/bugreports /data/bugreports + + # Separate location for storing security policy files on data + mkdir /data/security 0711 system system + + # Reload policy from /data/security if present. + setprop selinux.reload_policy 1 + + # Set SELinux security contexts on upgrade or policy update. + restorecon_recursive /data + + # If there is no fs-post-data action in the init.<device>.rc file, you + # must uncomment this line, otherwise encrypted filesystems + # won't work. + # Set indication (checked by vold) that we have finished this action + #setprop vold.post_fs_data_done 1 + +on boot + # basic network init + ifup lo + hostname localhost + domainname localdomain + + # set RLIMIT_NICE to allow priorities from 19 to -20 + setrlimit 13 40 40 + + # Memory management. Basic kernel parameters, and allow the high + # level system server to be able to adjust the kernel OOM driver + # parameters to match how it is managing things. + write /proc/sys/vm/overcommit_memory 1 + write /proc/sys/vm/min_free_order_shift 4 + chown root system /sys/module/lowmemorykiller/parameters/adj + chmod 0220 /sys/module/lowmemorykiller/parameters/adj + chown root system /sys/module/lowmemorykiller/parameters/minfree + chmod 0220 /sys/module/lowmemorykiller/parameters/minfree + + # Tweak background writeout + write /proc/sys/vm/dirty_expire_centisecs 200 + write /proc/sys/vm/dirty_background_ratio 5 + + # Permissions for System Server and daemons. + chown radio system /sys/android_power/state + chown radio system /sys/android_power/request_state + chown radio system /sys/android_power/acquire_full_wake_lock + chown radio system /sys/android_power/acquire_partial_wake_lock + chown radio system /sys/android_power/release_wake_lock + chown system system /sys/power/autosleep + chown system system /sys/power/state + chown system system /sys/power/wakeup_count + chown radio system /sys/power/wake_lock + chown radio system /sys/power/wake_unlock + chmod 0660 /sys/power/state + chmod 0660 /sys/power/wake_lock + chmod 0660 /sys/power/wake_unlock + + chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate + chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack + chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time + chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq + chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads + chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load + chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay + chown system system /sys/devices/system/cpu/cpufreq/interactive/boost + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost + chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse + chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost + chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration + chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy + chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy + + # Assume SMP uses shared cpufreq policy for all CPUs + chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq + chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq + + chown system system /sys/class/timed_output/vibrator/enable + chown system system /sys/class/leds/keyboard-backlight/brightness + chown system system /sys/class/leds/lcd-backlight/brightness + chown system system /sys/class/leds/button-backlight/brightness + chown system system /sys/class/leds/jogball-backlight/brightness + chown system system /sys/class/leds/red/brightness + chown system system /sys/class/leds/green/brightness + chown system system /sys/class/leds/blue/brightness + chown system system /sys/class/leds/red/device/grpfreq + chown system system /sys/class/leds/red/device/grppwm + chown system system /sys/class/leds/red/device/blink + chown system system /sys/class/timed_output/vibrator/enable + chown system system /sys/module/sco/parameters/disable_esco + chown system system /sys/kernel/ipv4/tcp_wmem_min + chown system system /sys/kernel/ipv4/tcp_wmem_def + chown system system /sys/kernel/ipv4/tcp_wmem_max + chown system system /sys/kernel/ipv4/tcp_rmem_min + chown system system /sys/kernel/ipv4/tcp_rmem_def + chown system system /sys/kernel/ipv4/tcp_rmem_max + chown root radio /proc/cmdline + + # Define default initial receive window size in segments. + setprop net.tcp.default_init_rwnd 60 + + class_start core + +on nonencrypted + class_start main + class_start late_start + +on property:vold.decrypt=trigger_default_encryption + start defaultcrypto + +on property:vold.decrypt=trigger_encryption + start surfaceflinger + start encrypt + +on property:sys.init_log_level=* + loglevel ${sys.init_log_level} + +on charger + class_start charger + +on property:vold.decrypt=trigger_reset_main + class_reset main + +on property:vold.decrypt=trigger_load_persist_props + load_persist_props + +on property:vold.decrypt=trigger_post_fs_data + trigger post-fs-data + +on property:vold.decrypt=trigger_restart_min_framework + class_start main + +on property:vold.decrypt=trigger_restart_framework + class_start main + class_start late_start + +on property:vold.decrypt=trigger_shutdown_framework + class_reset late_start + class_reset main + +on property:sys.powerctl=* + powerctl ${sys.powerctl} + +# system server cannot write to /proc/sys files, +# and chown/chmod does not work for /proc/sys/ entries. +# So proxy writes through init. +on property:sys.sysctl.extra_free_kbytes=* + write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes} + +# "tcp_default_init_rwnd" Is too long! +on property:sys.sysctl.tcp_def_init_rwnd=* + write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd} + + +## Daemon processes to be run by init. +## +service ueventd /sbin/ueventd + class core + critical + seclabel u:r:ueventd:s0 + +service logd /system/bin/logd + class core + socket logd stream 0666 logd logd + socket logdr seqpacket 0666 logd logd + socket logdw dgram 0222 logd logd + seclabel u:r:logd:s0 + +service healthd /sbin/healthd + class core + critical + seclabel u:r:healthd:s0 + +service console /system/bin/sh + class core + console + disabled + user root + group shell log + seclabel u:r:su:s0 + +on property:ro.debuggable=1 + start console + +# adbd is controlled via property triggers in init.<platform>.usb.rc +service adbd /sbin/adbd --root_seclabel=u:r:su:s0 + class core + socket adbd stream 660 system system + disabled + seclabel u:r:adbd:s0 + +# adbd on at boot in emulator +on property:ro.kernel.qemu=1 + start adbd + +service lmkd /system/bin/lmkd + class core + critical + socket lmkd seqpacket 0660 system system + +service servicemanager /system/bin/servicemanager + class core + user system + group system + critical + onrestart restart healthd + onrestart restart zygote + onrestart restart media + onrestart restart surfaceflinger + onrestart restart drm + +service vold /system/bin/vold + class core + socket vold stream 0660 root mount + ioprio be 2 + +service netd /system/bin/netd + class main + socket netd stream 0660 root system + socket dnsproxyd stream 0660 root inet + socket mdns stream 0660 root system + socket fwmarkd stream 0660 root inet + +service debuggerd /system/bin/debuggerd + class main + +service debuggerd64 /system/bin/debuggerd64 + class main + +service ril-daemon /system/bin/rild + class main + socket rild stream 660 root radio + socket rild-debug stream 660 radio system + user root + group radio cache inet misc audio log + +service surfaceflinger /system/bin/surfaceflinger + class core + user system + group graphics drmrpc + onrestart restart zygote + +service drm /system/bin/drmserver + class main + user drm + group drm system inet drmrpc + +service media /system/bin/mediaserver + class main + user media + group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm + ioprio rt 4 + +# One shot invocation to deal with encrypted volume. +service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted + disabled + oneshot + # vold will set vold.decrypt to trigger_restart_framework (default + # encryption) or trigger_restart_min_framework (other encryption) + +# One shot invocation to encrypt unencrypted volumes +service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default + disabled + oneshot + # vold will set vold.decrypt to trigger_restart_framework (default + # encryption) + +service bootanim /system/bin/bootanimation + class core + user graphics + group graphics audio + disabled + oneshot + +service installd /system/bin/installd + class main + socket installd stream 600 system system + +service flash_recovery /system/bin/install-recovery.sh + class main + seclabel u:r:install_recovery:s0 + oneshot + +service racoon /system/bin/racoon + class main + socket racoon stream 600 system system + # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. + group vpn net_admin inet + disabled + oneshot + +service mtpd /system/bin/mtpd + class main + socket mtpd stream 600 system system + user vpn + group vpn net_admin inet net_raw + disabled + oneshot + +service keystore /system/bin/keystore /data/misc/keystore + class main + user keystore + group keystore drmrpc + +service dumpstate /system/bin/dumpstate -s + class main + socket dumpstate stream 0660 shell log + disabled + oneshot + +service mdnsd /system/bin/mdnsd + class main + user mdnsr + group inet net_raw + socket mdnsd stream 0660 mdnsr inet + disabled + oneshot + +service pre-recovery /system/bin/uncrypt + class main + disabled + oneshot |