# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# 分析开始
# 第一步,导入其他的rc文件,这里先不管这些rc文件的内容,只对init.rc文件进行分析
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc
# Step 2 (annotator): action section 1 -- the commands below run when the
# early-init trigger fires.
# Note (annotator): early-init is not a trigger defined by the init language
# itself; it is queued explicitly from the code in init.c.
on early-init
# Set init and its forked children's oom_adj.
# -1000 is the minimum oom_score_adj, so the OOM killer never selects init;
# children inherit the value at fork.
write /proc/1/oom_score_adj -1000
# Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
# checkreqprot=0 tells SELinux to check the protection the kernel will
# actually apply rather than the one the caller requested -- the stricter
# of the two.
write /sys/fs/selinux/checkreqprot 0
# Set the security context for the init process.
# This should occur before anything else (e.g. ueventd) is started.
setcon u:r:init:s0
# Set the security context of /adb_keys if present.
# restorecon relabels the file to the context the policy's file_contexts
# specifies; it is done before ueventd is started below.
restorecon /adb_keys
start ueventd
# create mountpoints
# 0775 root:system -- group-writable for system, not world-writable (see the
# IMPORTANT note in the file header).
mkdir /mnt 0775 root system
# Part 3 (annotator): action section 2 -- the commands below run when the
# init trigger fires.
on init
# System clock base in minutes west of GMT; 0 = the clock ticks in GMT.
sysclktz 0
# Kernel log level.
loglevel 3
# Backward compatibility
# /etc and /d stay available as symlinks (to system/etc and
# sys/kernel/debug) for tools that still use the old paths.
symlink system/etc /etc
symlink sys/kernel/debug /d
# Right now vendor lives on the same filesystem as system,
# but someday that may change.
symlink system/vendor /vendor
# Create cgroup mount point for cpu accounting
# No mode/owner is given, so init's mkdir defaults apply (presumably
# 0755 root:root -- confirm against the init builtin).
mkdir /acct
mount cgroup none /acct cpuacct
mkdir /acct/uid
# Create cgroup mount point for memory
# The tmpfs holding the cgroup hierarchy is 0750 root:gid 1000 (system), so
# only root and the system group can reach anything below it.
mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
mkdir /sys/fs/cgroup/memory 0750 root system
mount cgroup none /sys/fs/cgroup/memory memory
write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
# Only root and the system group may move tasks into this memory cgroup.
chown root system /sys/fs/cgroup/memory/tasks
chmod 0660 /sys/fs/cgroup/memory/tasks
# "sw" sub-group: tasks placed here are swapped aggressively (swappiness 100).
mkdir /sys/fs/cgroup/memory/sw 0750 root system
write /sys/fs/cgroup/memory/sw/memory.swappiness 100
write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
chown root system /sys/fs/cgroup/memory/sw/tasks
chmod 0660 /sys/fs/cgroup/memory/sw/tasks
# Create the system, data, cache and config directories.
# /data is 0771 system:system and /cache 0770 system:cache -- neither is
# world-readable. /config is 0500 root:root (read-only, root only).
mkdir /system
mkdir /data 0771 system system
mkdir /cache 0770 system cache
mkdir /config 0500 root root
# See storage config details at http://source.android.com/tech/storage/
# Storage directories: /mnt/shell and /mnt/media_rw are private (0700) to
# the shell and media_rw users; /storage is 0751 root:sdcard_r, so others
# may traverse it but only the sdcard_r group may list it.
mkdir /mnt/shell 0700 shell shell
mkdir /mnt/media_rw 0700 media_rw media_rw
mkdir /storage 0751 root sdcard_r
# Directory for putting things only root should see.
mkdir /mnt/secure 0700 root root
# Directory for staging bindmounts
mkdir /mnt/secure/staging 0700 root root
# Directory-target for where the secure container
# imagefile directory will be bind-mounted
mkdir /mnt/secure/asec 0700 root root
# Secure container public mount points.
# The directory itself is 0700 root:system, but the tmpfs mounted over it
# is 0755 with gid 1000 (system), which is what other processes see.
mkdir /mnt/asec 0700 root system
mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
# Filesystem image public mount points.
# Same pattern as /mnt/asec: 0700 directory, 0755/gid=1000 tmpfs on top.
mkdir /mnt/obb 0700 root system
mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
# memory control cgroup
mkdir /dev/memcg 0700 root system
mount cgroup none /dev/memcg memory
# Kernel behaviour and hardening sysctls.
# Reboot on a kernel oops instead of continuing in an unknown state.
write /proc/sys/kernel/panic_on_oops 1
# 0 disables the hung-task watchdog.
write /proc/sys/kernel/hung_task_timeout_secs 0
# ARM unaligned-access handling: 4 = deliver SIGBUS rather than fix up.
write /proc/cpu/alignment 4
# CFS scheduler tuning.
write /proc/sys/kernel/sched_latency_ns 10000000
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
write /proc/sys/kernel/sched_compat_yield 1
write /proc/sys/kernel/sched_child_runs_first 0
# Full ASLR: 2 randomises the stack, mmap base, VDSO and the heap (brk).
write /proc/sys/kernel/randomize_va_space 2
# Hide kernel pointers (%pK, e.g. in /proc/kallsyms) from all users
# including root, so kernel addresses are not leaked to userspace.
write /proc/sys/kernel/kptr_restrict 2
# Lowest address a process may mmap; keeps the low pages unmappable, which
# blunts NULL-pointer-dereference exploitation of kernel bugs.
write /proc/sys/vm/mmap_min_addr 32768
# Every group id may open unprivileged ICMP (ping) sockets.
write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
# Maximum queued datagrams on a Unix domain socket.
write /proc/sys/net/unix/max_dgram_qlen 300
# Realtime throttling: RT tasks get at most 950ms of every 1000ms period.
write /proc/sys/kernel/sched_rt_runtime_us 950000
write /proc/sys/kernel/sched_rt_period_us 1000000
# reflect fwmark from incoming packets onto generated replies
write /proc/sys/net/ipv4/fwmark_reflect 1
write /proc/sys/net/ipv6/fwmark_reflect 1
# set fwmark on accepted sockets
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
mount cgroup none /dev/cpuctl cpu
chown system system /dev/cpuctl
chmod 0660 /dev/cpuctl
chown system system /dev/cpuctl/tasks
# NOTE(review): 0666 makes the cpu cgroup tasks file world-writable, which
# the file header explicitly warns against and which differs from the 0660
# used on the memory cgroup tasks files above; any process can then write
# to it. Confirm whether a caller outside the system group really needs
# write access here; otherwise tighten this to 0660.
chmod 0666 /dev/cpuctl/tasks
write /dev/cpuctl/cpu.shares 1024
# RT budget for the root cpu cgroup: 800ms per 1000ms period (within the
# global 950ms limit set above).
write /dev/cpuctl/cpu.rt_runtime_us 800000
write /dev/cpuctl/cpu.rt_period_us 1000000
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# 分析开始
# 第一步,导入其他的rc文件,这里先不管这些rc文件的内容,只对init.rc文件进行分析
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc
# Step 2 (annotator): action section 1 -- the commands below run when the
# early-init trigger fires.
# Note (annotator): early-init is not a trigger defined by the init language
# itself; it is queued explicitly from the code in init.c.
on early-init
# Set init and its forked children's oom_adj.
# -1000 is the minimum oom_score_adj, so the OOM killer never selects init;
# children inherit the value at fork.
write /proc/1/oom_score_adj -1000
# Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
# checkreqprot=0 tells SELinux to check the protection the kernel will
# actually apply rather than the one the caller requested -- the stricter
# of the two.
write /sys/fs/selinux/checkreqprot 0
# Set the security context for the init process.
# This should occur before anything else (e.g. ueventd) is started.
setcon u:r:init:s0
# Set the security context of /adb_keys if present.
# restorecon relabels the file to the context the policy's file_contexts
# specifies; it is done before ueventd is started below.
restorecon /adb_keys
start ueventd
# create mountpoints
# 0775 root:system -- group-writable for system, not world-writable (see the
# IMPORTANT note in the file header).
mkdir /mnt 0775 root system
# Part 3 (annotator): action section 2 -- the commands below run when the
# init trigger fires.
on init
# System clock base in minutes west of GMT; 0 = the clock ticks in GMT.
sysclktz 0
# Kernel log level.
loglevel 3
# Backward compatibility
# /etc and /d stay available as symlinks (to system/etc and
# sys/kernel/debug) for tools that still use the old paths.
symlink system/etc /etc
symlink sys/kernel/debug /d
# Right now vendor lives on the same filesystem as system,
# but someday that may change.
symlink system/vendor /vendor
# Create cgroup mount point for cpu accounting
# No mode/owner is given, so init's mkdir defaults apply (presumably
# 0755 root:root -- confirm against the init builtin).
mkdir /acct
mount cgroup none /acct cpuacct
mkdir /acct/uid
# Create cgroup mount point for memory
# The tmpfs holding the cgroup hierarchy is 0750 root:gid 1000 (system), so
# only root and the system group can reach anything below it.
mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
mkdir /sys/fs/cgroup/memory 0750 root system
mount cgroup none /sys/fs/cgroup/memory memory
write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
# Only root and the system group may move tasks into this memory cgroup.
chown root system /sys/fs/cgroup/memory/tasks
chmod 0660 /sys/fs/cgroup/memory/tasks
# "sw" sub-group: tasks placed here are swapped aggressively (swappiness 100).
mkdir /sys/fs/cgroup/memory/sw 0750 root system
write /sys/fs/cgroup/memory/sw/memory.swappiness 100
write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
chown root system /sys/fs/cgroup/memory/sw/tasks
chmod 0660 /sys/fs/cgroup/memory/sw/tasks
# Create the system, data, cache and config directories.
# /data is 0771 system:system and /cache 0770 system:cache -- neither is
# world-readable. /config is 0500 root:root (read-only, root only).
mkdir /system
mkdir /data 0771 system system
mkdir /cache 0770 system cache
mkdir /config 0500 root root
# See storage config details at http://source.android.com/tech/storage/
# Storage directories: /mnt/shell and /mnt/media_rw are private (0700) to
# the shell and media_rw users; /storage is 0751 root:sdcard_r, so others
# may traverse it but only the sdcard_r group may list it.
mkdir /mnt/shell 0700 shell shell
mkdir /mnt/media_rw 0700 media_rw media_rw
mkdir /storage 0751 root sdcard_r
# Directory for putting things only root should see.
mkdir /mnt/secure 0700 root root
# Directory for staging bindmounts
mkdir /mnt/secure/staging 0700 root root
# Directory-target for where the secure container
# imagefile directory will be bind-mounted
mkdir /mnt/secure/asec 0700 root root
# Secure container public mount points.
# The directory itself is 0700 root:system, but the tmpfs mounted over it
# is 0755 with gid 1000 (system), which is what other processes see.
mkdir /mnt/asec 0700 root system
mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
# Filesystem image public mount points.
# Same pattern as /mnt/asec: 0700 directory, 0755/gid=1000 tmpfs on top.
mkdir /mnt/obb 0700 root system
mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
# memory control cgroup
mkdir /dev/memcg 0700 root system
mount cgroup none /dev/memcg memory
# Kernel behaviour and hardening sysctls.
# Reboot on a kernel oops instead of continuing in an unknown state.
write /proc/sys/kernel/panic_on_oops 1
# 0 disables the hung-task watchdog.
write /proc/sys/kernel/hung_task_timeout_secs 0
# ARM unaligned-access handling: 4 = deliver SIGBUS rather than fix up.
write /proc/cpu/alignment 4
# CFS scheduler tuning.
write /proc/sys/kernel/sched_latency_ns 10000000
write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
write /proc/sys/kernel/sched_compat_yield 1
write /proc/sys/kernel/sched_child_runs_first 0
# Full ASLR: 2 randomises the stack, mmap base, VDSO and the heap (brk).
write /proc/sys/kernel/randomize_va_space 2
# Hide kernel pointers (%pK, e.g. in /proc/kallsyms) from all users
# including root, so kernel addresses are not leaked to userspace.
write /proc/sys/kernel/kptr_restrict 2
# Lowest address a process may mmap; keeps the low pages unmappable, which
# blunts NULL-pointer-dereference exploitation of kernel bugs.
write /proc/sys/vm/mmap_min_addr 32768
# Every group id may open unprivileged ICMP (ping) sockets.
write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
# Maximum queued datagrams on a Unix domain socket.
write /proc/sys/net/unix/max_dgram_qlen 300
# Realtime throttling: RT tasks get at most 950ms of every 1000ms period.
write /proc/sys/kernel/sched_rt_runtime_us 950000
write /proc/sys/kernel/sched_rt_period_us 1000000
# reflect fwmark from incoming packets onto generated replies
write /proc/sys/net/ipv4/fwmark_reflect 1
write /proc/sys/net/ipv6/fwmark_reflect 1
# set fwmark on accepted sockets
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
mount cgroup none /dev/cpuctl cpu
chown system system /dev/cpuctl
chmod 0660 /dev/cpuctl
chown system system /dev/cpuctl/tasks
# NOTE(review): 0666 makes the cpu cgroup tasks file world-writable, which
# the file header explicitly warns against and which differs from the 0660
# used on the memory cgroup tasks files above; any process can then write
# to it. Confirm whether a caller outside the system group really needs
# write access here; otherwise tighten this to 0660.
chmod 0666 /dev/cpuctl/tasks
write /dev/cpuctl/cpu.shares 1024
# RT budget for the root cpu cgroup: 800ms per 1000ms period (within the
# global 950ms limit set above).
write /dev/cpuctl/cpu.rt_runtime_us 800000
write /dev/cpuctl/cpu.rt_period_us 1000000