init.rc revision 7ac2807546487de0cd74a8bbd976753c8f5862f3
1# Copyright (C) 2012 The Android Open Source Project
2#
3# IMPORTANT: Do not create world writable files or directories.
4# This is a common source of Android security bugs.
5#
6
7import /init.environ.rc
8import /init.usb.rc
9import /init.${ro.hardware}.rc
10import /init.${ro.zygote}.rc
11import /init.trace.rc
12
# early-init: first action defined in this file. It exempts PID 1 from the OOM
# killer and places init in its SELinux domain before ueventd is started.
13on early-init
14    # Set init and its forked children's oom_adj.
    # -1000 is the lowest oom_score_adj value; it exempts the task from OOM kills.
15    write /proc/1/oom_score_adj -1000
16
17    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply, not the requested one.
18    write /sys/fs/selinux/checkreqprot 0
19
20    # Set the security context for the init process.
21    # This should occur before anything else (e.g. ueventd) is started.
22    setcon u:r:init:s0
23
24    # Set the security context of /adb_keys if present.
    # NOTE(review): presumably the adb public keys trusted by adbd - confirm.
25    restorecon /adb_keys
26
27    start ueventd
28
29    # create mountpoints
    # 0775 root:system - writable by root and the system group, not by others.
30    mkdir /mnt 0775 root system
31
# init: creates the base mount points and cgroup hierarchies, applies the
# kernel hardening sysctls and sets ownership/modes on early /proc, /dev and
# /sys nodes. Commands run in order, so each chown/chmod follows the mkdir or
# mount that creates its target.
32on init
33    sysclktz 0
34
35    # Backward compatibility.
36    symlink /system/etc /etc
37    symlink /sys/kernel/debug /d
38
39    # Link /vendor to /system/vendor for devices without a vendor partition.
40    symlink /system/vendor /vendor
41
42    # Create cgroup mount point for cpu accounting
43    mkdir /acct
44    mount cgroup none /acct cpuacct
45    mkdir /acct/uid
46
47    # Create cgroup mount point for memory
    # tmpfs root is 0750 uid 0 / gid 1000; gid 1000 is the system group,
    # matching the "root system" owner used on the lines below.
48    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
49    mkdir /sys/fs/cgroup/memory 0750 root system
50    mount cgroup none /sys/fs/cgroup/memory memory
51    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files: 0660 root:system, so only root and the system group can
    # move tasks into these memory cgroups.
52    chown root system /sys/fs/cgroup/memory/tasks
53    chmod 0660 /sys/fs/cgroup/memory/tasks
54    mkdir /sys/fs/cgroup/memory/sw 0750 root system
55    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
56    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
57    chown root system /sys/fs/cgroup/memory/sw/tasks
58    chmod 0660 /sys/fs/cgroup/memory/sw/tasks
59
60    mkdir /system
61    mkdir /data 0771 system system
62    mkdir /cache 0770 system cache
63    mkdir /config 0500 root root
64
65    # See storage config details at http://source.android.com/tech/storage/
66    mkdir /mnt/shell 0700 shell shell
67    mkdir /mnt/media_rw 0700 media_rw media_rw
68    mkdir /storage 0751 root sdcard_r
69
70    # Directory for putting things only root should see.
71    mkdir /mnt/secure 0700 root root
72
73    # Directory for staging bindmounts
74    mkdir /mnt/secure/staging 0700 root root
75
76    # Directory-target for where the secure container
77    # imagefile directory will be bind-mounted
78    mkdir /mnt/secure/asec  0700 root root
79
80    # Secure container public mount points.
    # The 0700 mkdir mode applies to the underlying directory only; once the
    # tmpfs is mounted its root is 0755 with gid 1000 (world-readable/searchable).
81    mkdir /mnt/asec  0700 root system
82    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000
83
84    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: the mounted tmpfs root is 0755, not 0700.
85    mkdir /mnt/obb 0700 root system
86    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000
87
88    # memory control cgroup
89    mkdir /dev/memcg 0700 root system
90    mount cgroup none /dev/memcg memory
91
    # Kernel tunables. Security-relevant ones are annotated individually.
    # panic_on_oops=1: a kernel oops panics the device instead of continuing
    # in a possibly corrupted state.
92    write /proc/sys/kernel/panic_on_oops 1
93    write /proc/sys/kernel/hung_task_timeout_secs 0
94    write /proc/cpu/alignment 4
95    write /proc/sys/kernel/sched_latency_ns 10000000
96    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
97    write /proc/sys/kernel/sched_compat_yield 1
98    write /proc/sys/kernel/sched_child_runs_first 0
    # randomize_va_space=2: full ASLR (stack, mmap, VDSO and brk/heap).
99    write /proc/sys/kernel/randomize_va_space 2
    # kptr_restrict=2: kernel pointers printed with %pK are hidden from all users.
100    write /proc/sys/kernel/kptr_restrict 2
    # mmap_min_addr=32768: userspace cannot map the lowest 32 KiB, which limits
    # what a kernel NULL-pointer dereference can be turned into.
101    write /proc/sys/vm/mmap_min_addr 32768
    # ping_group_range covers every gid, so any process may open an unprivileged
    # ICMP datagram socket; ping then needs neither setuid nor raw sockets.
102    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
103    write /proc/sys/net/unix/max_dgram_qlen 300
104    write /proc/sys/kernel/sched_rt_runtime_us 950000
105    write /proc/sys/kernel/sched_rt_period_us 1000000
106
107    # reflect fwmark from incoming packets onto generated replies
108    write /proc/sys/net/ipv4/fwmark_reflect 1
109    write /proc/sys/net/ipv6/fwmark_reflect 1
110
111    # set fwmark on accepted sockets
112    write /proc/sys/net/ipv4/tcp_fwmark_accept 1
113
114    # Create cgroup mount points for process groups
115    mkdir /dev/cpuctl
116    mount cgroup none /dev/cpuctl cpu
117    chown system system /dev/cpuctl
118    chown system system /dev/cpuctl/tasks
    # NOTE(review): 0666 makes the tasks file world-writable, which the header
    # of this file warns against. Writing a task id here moves that task into
    # the cgroup; confirm this is intentional and constrained by SELinux policy.
119    chmod 0666 /dev/cpuctl/tasks
120    write /dev/cpuctl/cpu.shares 1024
121    write /dev/cpuctl/cpu.rt_runtime_us 800000
122    write /dev/cpuctl/cpu.rt_period_us 1000000
123
124    mkdir /dev/cpuctl/bg_non_interactive
125    chown system system /dev/cpuctl/bg_non_interactive/tasks
    # NOTE(review): world-writable as well, same consideration as /dev/cpuctl/tasks.
126    chmod 0666 /dev/cpuctl/bg_non_interactive/tasks
127    # 5.0 %
128    write /dev/cpuctl/bg_non_interactive/cpu.shares 52
129    write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000
130    write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000
131
132    # qtaguid will limit access to specific data based on group memberships.
133    #   net_bw_acct grants impersonation of socket owners.
134    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    # Only the group owner changes here; the file modes are not set by this file.
135    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
136    chown root net_bw_stats /proc/net/xt_qtaguid/stats
137
138    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
139    # This is needed by any process that uses socket tagging.
140    chmod 0644 /dev/xt_qtaguid
141
142    # Create location for fs_mgr to store abbreviated output from filesystem
143    # checker programs.
144    mkdir /dev/fscklogs 0770 root system
145
146    # pstore/ramoops previous console log
    # 0440 system:log - the previous boot's console and pmsg logs are readable
    # only by the system user and the log group, never by others.
147    mount pstore pstore /sys/fs/pstore
148    chown system log /sys/fs/pstore/console-ramoops
149    chmod 0440 /sys/fs/pstore/console-ramoops
150    chown system log /sys/fs/pstore/pmsg-ramoops-0
151    chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
152
153    # enable armv8_deprecated instruction hooks
154    write /proc/sys/abi/swp 1
155
156# Healthd can trigger a full boot from charger mode by signaling this
157# property when the power button is held.
# Stops the charger class, then queues late-init, which drives the normal
# boot sequence defined further down.
# NOTE(review): whoever may set this property can force a full boot out of
# charger mode - confirm that property write access is limited to healthd.
158on property:sys.boot_from_charger_mode=1
159    class_stop charger
160    trigger late-init
161
162# Load properties from /system/ + /factory after fs mount.
# Queued from late-init once the fs triggers have been issued; logd is then
# re-initialised through the logd-reinit service.
163on load_all_props_action
164    load_all_props
165    start logd-reinit
166
167# Indicate to fw loaders that the relevant mounts are up.
# The signal is the removal of the /dev/.booting marker file.
168on firmware_mounts_complete
169    rm /dev/.booting
170
171# Mount filesystems and start core system services.
# late-init only queues other actions; the order of the trigger lines below is
# the order in which those actions are scheduled.
172on late-init
173    trigger early-fs
174    trigger fs
175    trigger post-fs
176    trigger post-fs-data
177
178    # Load properties from /system/ + /factory after fs mount. Place
179    # this in another action so that the load will be scheduled after the prior
180    # issued fs triggers have completed.
181    trigger load_all_props_action
182
183    # Remove a file to wake up anything waiting for firmware.
184    trigger firmware_mounts_complete
185
186    trigger early-boot
187    trigger boot
188
189
# post-fs: runs after the fs action. Starts logd, makes the root filesystem
# read-only, and re-applies ownership, modes and SELinux labels on /cache and
# on the /proc nodes that bugreports read.
190on post-fs
191    start logd
192    # once everything is setup, no need to modify /
    # Read-only root: nothing started after this point can alter files on /.
193    mount rootfs rootfs / ro remount
194    # mount shared so changes propagate into child namespaces
195    mount rootfs rootfs / shared rec
196
197    # We chown/chmod /cache again because mount is run as root + defaults
198    chown system cache /cache
199    chmod 0770 /cache
200    # We restorecon /cache in case the cache partition has been reset.
201    restorecon_recursive /cache
202
203    # This may have been created by the recovery system with odd permissions
204    chown system cache /cache/recovery
205    chmod 0770 /cache/recovery
206
207    #change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log - kernel allocation details stay unreadable for other users.
208    chown root log /proc/vmallocinfo
209    chmod 0440 /proc/vmallocinfo
210
211    chown root log /proc/slabinfo
212    chmod 0440 /proc/slabinfo
213
214    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg is read-only (0440) and sysrq-trigger write-only (0220) for
    # root:system. Writing to sysrq-trigger invokes a SysRq command, so group
    # system can trigger those; no access is given to other users.
215    chown root system /proc/kmsg
216    chmod 0440 /proc/kmsg
217    chown root system /proc/sysrq-trigger
218    chmod 0220 /proc/sysrq-trigger
219    chown system log /proc/last_kmsg
220    chmod 0440 /proc/last_kmsg
221
222    # make the selinux kernel policy world-readable
    # 0444: any process allowed by SELinux can read the loaded policy.
223    chmod 0444 /sys/fs/selinux/policy
224
225    # create the lost+found directories, so as to enforce our permissions
226    mkdir /cache/lost+found 0770 root root
227
# post-fs-data: runs once /data is available. Creates the /data directory tree
# through init so that every directory gets an explicit owner, group and mode,
# then relabels /data. None of the modes below grants write access to "other".
228on post-fs-data
229    installkey /data
230
231    # We chown/chmod /data again because mount is run as root + defaults
232    chown system system /data
233    chmod 0771 /data
234    # We restorecon /data in case the userdata partition has been reset.
235    restorecon /data
236
237    # Start bootcharting as soon as possible after the data partition is
238    # mounted to collect more data.
239    mkdir /data/bootchart 0755 shell shell
240    bootchart_init
241
242    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # Data written to /dev/urandom is mixed into the pool but not credited as
    # entropy, so this can only add unpredictability.
243    copy /data/system/entropy.dat /dev/urandom
244
245    # create basic filesystem structure
    # 01771: sticky bit - entries can be removed or renamed only by their owner,
    # the directory owner or root.
246    mkdir /data/misc 01771 system misc
    # 02750: setgid - new entries inherit group shell; no access for others.
247    mkdir /data/misc/adb 02750 system shell
248    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
249    mkdir /data/misc/bluetooth 0770 system system
    # 0700 keystore:keystore - only the keystore user (see the keystore
    # service in this file) can enter this directory.
250    mkdir /data/misc/keystore 0700 keystore keystore
251    mkdir /data/misc/gatekeeper 0700 system system
252    mkdir /data/misc/keychain 0771 system system
253    mkdir /data/misc/net 0750 root shell
254    mkdir /data/misc/radio 0770 system radio
255    mkdir /data/misc/sms 0770 system radio
256    mkdir /data/misc/zoneinfo 0775 system system
257    mkdir /data/misc/vpn 0770 system vpn
258    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
259    mkdir /data/misc/systemkeys 0700 system system
260    mkdir /data/misc/wifi 0770 wifi wifi
261    mkdir /data/misc/wifi/sockets 0770 wifi wifi
262    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
263    mkdir /data/misc/ethernet 0770 system system
264    mkdir /data/misc/dhcp 0770 dhcp dhcp
265    mkdir /data/misc/user 0771 root root
266    # give system access to wpa_supplicant.conf for backup and restore
    # Only the mode is set here; ownership of the file is not changed.
267    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
268    mkdir /data/local 0751 root root
269    mkdir /data/misc/media 0700 media media
270
271    # For security reasons, /data/local/tmp should always be empty.
272    # Do not place files or directories in /data/local/tmp
    # 0771 shell:shell - writable by the shell user and group; others may
    # traverse the directory but not list or write it.
273    mkdir /data/local/tmp 0771 shell shell
274    mkdir /data/data 0771 system system
275    mkdir /data/app-private 0771 system system
276    mkdir /data/app-asec 0700 root root
277    mkdir /data/app-lib 0771 system system
278    mkdir /data/app 0771 system system
279    mkdir /data/property 0700 root root
280    mkdir /data/tombstones 0771 system system
281
282    # create dalvik-cache, so as to enforce our permissions
283    mkdir /data/dalvik-cache 0771 root root
284    mkdir /data/dalvik-cache/profiles 0711 system system
285
286    # create resource-cache and double-check the perms
287    mkdir /data/resource-cache 0771 system system
288    chown system system /data/resource-cache
289    chmod 0771 /data/resource-cache
290
291    # create the lost+found directories, so as to enforce our permissions
292    mkdir /data/lost+found 0770 root root
293
294    # create directory for DRM plug-ins - give drm the read/write access to
295    # the following directory.
296    mkdir /data/drm 0770 drm drm
297
298    # create directory for MediaDrm plug-ins - give drm the read/write access to
299    # the following directory.
300    mkdir /data/mediadrm 0770 mediadrm mediadrm
301
302    mkdir /data/adb 0700 root root
303
304    # symlink to bugreport storage location
305    symlink /data/data/com.android.shell/files/bugreports /data/bugreports
306
307    # Separate location for storing security policy files on data
308    mkdir /data/security 0711 system system
309
310    # Create all remaining /data root dirs so that they are made through init
311    # and get proper encryption policy installed
312    mkdir /data/backup 0700 system system
313    mkdir /data/media 0770 media_rw media_rw
314    mkdir /data/ss 0700 system system
315    mkdir /data/system 0775 system system
316    mkdir /data/system/heapdump 0700 system system
317    mkdir /data/user 0711 system system
318
319    # Reload policy from /data/security if present.
    # NOTE(review): policy loaded from /data/security replaces the built-in one,
    # so write access to that directory (0711 system:system above) is
    # security-critical - confirm who can write there.
320    setprop selinux.reload_policy 1
321
322    # Set SELinux security contexts on upgrade or policy update.
323    restorecon_recursive /data
324
325    # Check any timezone data in /data is newer than the copy in /system, delete if not.
    # exec runs the helper in its own SELinux domain as system:system rather
    # than as root in init's domain.
326    exec u:r:tzdatacheck:s0 system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo
327
328    # If there is no post-fs-data action in the init.<device>.rc file, you
329    # must uncomment this line, otherwise encrypted filesystems
330    # won't work.
331    # Set indication (checked by vold) that we have finished this action
332    #setprop vold.post_fs_data_done 1
333
# boot: basic network setup, VM tunables, and hand-over of selected /sys and
# /proc control files to the system and radio users so that system_server and
# the daemons can drive them without running as root. Ends by starting the
# core service class.
334on boot
335    # basic network init
336    ifup lo
337    hostname localhost
338    domainname localdomain
339
340    # set RLIMIT_NICE to allow priorities from 19 to -20
    # Resource 13 is RLIMIT_NICE; soft and hard limits are both set to 40.
341    setrlimit 13 40 40
342
343    # Memory management.  Basic kernel parameters, and allow the high
344    # level system server to be able to adjust the kernel OOM driver
345    # parameters to match how it is managing things.
346    write /proc/sys/vm/overcommit_memory 1
347    write /proc/sys/vm/min_free_order_shift 4
    # 0220 root:system - write-only for root and the system group.
348    chown root system /sys/module/lowmemorykiller/parameters/adj
349    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
350    chown root system /sys/module/lowmemorykiller/parameters/minfree
351    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree
352
353    # Tweak background writeout
354    write /proc/sys/vm/dirty_expire_centisecs 200
355    write /proc/sys/vm/dirty_background_ratio  5
356
357    # Permissions for System Server and daemons.
    # Only state, wake_lock and wake_unlock get an explicit mode (0660) below;
    # the other nodes keep whatever mode the kernel gave them.
358    chown radio system /sys/android_power/state
359    chown radio system /sys/android_power/request_state
360    chown radio system /sys/android_power/acquire_full_wake_lock
361    chown radio system /sys/android_power/acquire_partial_wake_lock
362    chown radio system /sys/android_power/release_wake_lock
363    chown system system /sys/power/autosleep
364    chown system system /sys/power/state
365    chown system system /sys/power/wakeup_count
366    chown radio system /sys/power/wake_lock
367    chown radio system /sys/power/wake_unlock
368    chmod 0660 /sys/power/state
369    chmod 0660 /sys/power/wake_lock
370    chmod 0660 /sys/power/wake_unlock
371
    # cpufreq "interactive" governor tunables: 0660 system:system.
372    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
373    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
374    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
375    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
376    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
377    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
378    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
379    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
380    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
381    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
382    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
383    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
384    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
385    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
386    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
387    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # NOTE(review): boostpulse is the only tunable here without a chmod; it
    # presumably keeps the kernel's default mode - confirm that is intended.
388    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
389    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
390    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
391    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
392    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
393    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
394    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
395
396    # Assume SMP uses shared cpufreq policy for all CPUs
397    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
398    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
399
400    chown system system /sys/class/timed_output/vibrator/enable
401    chown system system /sys/class/leds/keyboard-backlight/brightness
402    chown system system /sys/class/leds/lcd-backlight/brightness
403    chown system system /sys/class/leds/button-backlight/brightness
404    chown system system /sys/class/leds/jogball-backlight/brightness
405    chown system system /sys/class/leds/red/brightness
406    chown system system /sys/class/leds/green/brightness
407    chown system system /sys/class/leds/blue/brightness
408    chown system system /sys/class/leds/red/device/grpfreq
409    chown system system /sys/class/leds/red/device/grppwm
410    chown system system /sys/class/leds/red/device/blink
    # NOTE(review): repeats the vibrator chown issued a few lines above; redundant.
411    chown system system /sys/class/timed_output/vibrator/enable
412    chown system system /sys/module/sco/parameters/disable_esco
413    chown system system /sys/kernel/ipv4/tcp_wmem_min
414    chown system system /sys/kernel/ipv4/tcp_wmem_def
415    chown system system /sys/kernel/ipv4/tcp_wmem_max
416    chown system system /sys/kernel/ipv4/tcp_rmem_min
417    chown system system /sys/kernel/ipv4/tcp_rmem_def
418    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # NOTE(review): only the owner/group changes; no chmod follows, so the set
    # of users able to read the kernel command line depends on the existing
    # mode - confirm.
419    chown root radio /proc/cmdline
420
421    # Define default initial receive window size in segments.
422    setprop net.tcp.default_init_rwnd 60
423
424    class_start core
425
# nonencrypted: starts the main and late_start service classes directly. The
# vold.decrypt property triggers below start the same classes on the
# encrypted path.
426on nonencrypted
427    class_start main
428    class_start late_start
429
# Starts the one-shot defaultcrypto service (defined below), which asks vold to
# mount a default-encrypted volume.
430on property:vold.decrypt=trigger_default_encryption
431    start defaultcrypto
432
# Starts surfaceflinger and then the one-shot encrypt service (defined below),
# which asks vold to encrypt the volume in place.
433on property:vold.decrypt=trigger_encryption
434    start surfaceflinger
435    start encrypt
436
# Any value written to sys.init_log_level is passed to init's loglevel command.
# NOTE(review): the value is attacker-relevant only if untrusted code can set
# sys.* properties - confirm property permissions.
437on property:sys.init_log_level=*
438    loglevel ${sys.init_log_level}
439
# charger: starts only the services in class charger.
440on charger
441    class_start charger
442
# Stops the services of class main without disabling them, so a later
# class_start main can start them again.
443on property:vold.decrypt=trigger_reset_main
444    class_reset main
445
# Loads the persistent properties, then re-initialises logd through the
# logd-reinit service.
446on property:vold.decrypt=trigger_load_persist_props
447    load_persist_props
448    start logd-reinit
449
# Re-queues the post-fs-data action defined above, so the /data directory tree
# and its modes are created again.
450on property:vold.decrypt=trigger_post_fs_data
451    trigger post-fs-data
452
# Minimal framework: only class main is started; late_start is left stopped.
453on property:vold.decrypt=trigger_restart_min_framework
454    class_start main
455
# Full framework start on the encrypted path: installkey runs on /data first,
# then the same two classes are started as in the nonencrypted action.
456on property:vold.decrypt=trigger_restart_framework
457    installkey /data
458    class_start main
459    class_start late_start
460
# Stops the framework in reverse start order: late_start first, then main.
461on property:vold.decrypt=trigger_shutdown_framework
462    class_reset late_start
463    class_reset main
464
# Any value written to sys.powerctl is handed to init's powerctl command.
# NOTE(review): the ability to set this property is effectively the ability to
# power the device off or reboot it - confirm property write permissions.
465on property:sys.powerctl=*
466    powerctl ${sys.powerctl}
467
468# system server cannot write to /proc/sys files,
469# and chown/chmod does not work for /proc/sys/ entries.
470# So proxy writes through init.
# The property value is written as-is, with init's privileges. The only access
# control is therefore who may set this property.
# NOTE(review): confirm it is limited to system_server.
471on property:sys.sysctl.extra_free_kbytes=*
472    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
473
474# "tcp_default_init_rwnd" is too long for a property name, so it is shortened.
# Same proxy pattern as the extra_free_kbytes trigger: init writes the
# property value unchanged into /proc/sys.
475on property:sys.sysctl.tcp_def_init_rwnd=*
476    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}
477
478
479## Daemon processes to be run by init.
480##
# ueventd: started by name from early-init. No "user" option, so init runs it
# as root (init's default).
# critical: repeated crashes make init reboot the device into recovery.
# NOTE(review): the explicit seclabel is presumably needed because /sbin is on
# the rootfs, where a domain transition by file label is not available - confirm.
481service ueventd /sbin/ueventd
482    class core
483    critical
484    seclabel u:r:ueventd:s0
485
# logd: log daemon. No "user" option, so init starts it as root.
# The three sockets are created by init, owned by logd:logd:
#   logd  (stream)    0666 - readable and writable by every user
#   logdr (seqpacket) 0666 - readable and writable by every user
#   logdw (dgram)     0222 - write-only for every user
# NOTE(review): world-accessible sockets mean access control rests on logd's
# own checks and on SELinux policy - confirm both cover the read side.
486service logd /system/bin/logd
487    class core
488    socket logd stream 0666 logd logd
489    socket logdr seqpacket 0666 logd logd
490    socket logdw dgram 0222 logd logd
491
# logd-reinit: one-shot helper that runs logd with --reinit. It is disabled, so
# it runs only when started by name (from load_all_props_action and the
# trigger_load_persist_props action above).
492service logd-reinit /system/bin/logd --reinit
493    start logd
494    oneshot
495    disabled
496
# healthd: no "user" option, so init runs it as root, in the explicitly given
# SELinux domain. critical: repeated crashes reboot the device into recovery.
497service healthd /sbin/healthd
498    class core
499    critical
500    seclabel u:r:healthd:s0
501
# console: an interactive /system/bin/sh attached to the console device,
# running as shell:shell (plus group log) in the shell SELinux domain.
# It is disabled and is started only by the ro.debuggable=1 trigger below, so
# builds that are not debuggable never start it from this file.
502service console /system/bin/sh
503    class core
504    console
505    disabled
506    user shell
507    group shell log
508    seclabel u:r:shell:s0
509
# Debuggable builds only: starts the console shell service defined above.
# Anyone with access to the console device then gets a shell as uid shell.
510on property:ro.debuggable=1
511    start console
512
513# adbd is controlled via property triggers in init.<platform>.usb.rc
# disabled: not started with class core; it runs only when started by name.
# No "user" option, so init starts adbd as root in the adbd SELinux domain.
# NOTE(review): --root_seclabel presumably names the domain adbd uses when it
# keeps root; confirm against adbd, and confirm that only debuggable builds
# can reach u:r:su:s0.
# The adbd socket is 660 system:system, i.e. not reachable by other users.
514service adbd /sbin/adbd --root_seclabel=u:r:su:s0
515    class core
516    socket adbd stream 660 system system
517    disabled
518    seclabel u:r:adbd:s0
519
520# adbd on at boot in emulator
# Starts adbd unconditionally when ro.kernel.qemu=1; this bypasses the usb
# property triggers that otherwise control adbd.
521on property:ro.kernel.qemu=1
522    start adbd
523
# lmkd: no "user" option, so init runs it as root. Its control socket is
# 0660 system:system. critical: repeated crashes reboot into recovery.
524service lmkd /system/bin/lmkd
525    class core
526    critical
527    socket lmkd seqpacket 0660 system system
528
# servicemanager: runs unprivileged as system:system. critical: repeated
# crashes reboot into recovery. When it restarts, init also restarts the
# services named in the onrestart lines.
529service servicemanager /system/bin/servicemanager
530    class core
531    user system
532    group system
533    critical
534    onrestart restart healthd
535    onrestart restart zygote
536    onrestart restart media
537    onrestart restart surfaceflinger
538    onrestart restart drm
539
# vold: volume daemon. No "user" option, so init runs it as root. The control
# socket is 0660 root:mount, so only root and the mount group can connect.
540service vold /system/bin/vold
541    class core
542    socket vold stream 0660 root mount
543    ioprio be 2
544
# netd: no "user" option, so init runs it as root. All four sockets are 0660:
# netd and mdns are root:system, while dnsproxyd and fwmarkd are root:inet, so
# any process in the inet group can connect to those two.
545service netd /system/bin/netd
546    class main
547    socket netd stream 0660 root system
548    socket dnsproxyd stream 0660 root inet
549    socket mdns stream 0660 root system
550    socket fwmarkd stream 0660 root inet
551
# debuggerd: no "user", "group" or "seclabel" option, so init starts it as root.
# NOTE(review): the SELinux domain then depends on the label of the
# executable - confirm in policy.
552service debuggerd /system/bin/debuggerd
553    class main
554
# debuggerd64: same configuration as debuggerd (root, no explicit seclabel),
# for the debuggerd64 binary.
555service debuggerd64 /system/bin/debuggerd64
556    class main
557
# ril-daemon: rild is started as root ("user root" is explicit) with six
# supplementary groups. Sockets: rild is 660 root:radio, rild-debug is
# 660 radio:system.
# NOTE(review): a root daemon with this group set is a large privilege grant;
# confirm whether rild drops privileges itself after start-up.
558service ril-daemon /system/bin/rild
559    class main
560    socket rild stream 660 root radio
561    socket rild-debug stream 660 radio system
562    user root
563    group radio cache inet misc audio log
564
# surfaceflinger: runs as user system with groups graphics and drmrpc.
# A restart of surfaceflinger also restarts zygote.
565service surfaceflinger /system/bin/surfaceflinger
566    class core
567    user system
568    group graphics drmrpc
569    onrestart restart zygote
570
# drm: drmserver runs unprivileged as user drm; group inet gives it network
# access and group system/drmrpc are added as supplementary groups.
571service drm /system/bin/drmserver
572    class main
573    user drm
574    group drm system inet drmrpc
575
# media: mediaserver runs as user media, not root, but with a wide group set
# (audio, camera, network, bluetooth, bandwidth accounting, drm).
# NOTE(review): net_bw_acct "grants impersonation of socket owners" per the
# qtaguid comment in the init action - confirm this service needs it.
576service media /system/bin/mediaserver
577    class main
578    user media
579    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
580    ioprio rt 4
581
582# One shot invocation to deal with encrypted volume.
# Runs vdc (as root: no "user" option) to send "cryptfs mountdefaultencrypted"
# to vold. disabled: started only by the trigger_default_encryption action.
583service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
584    disabled
585    oneshot
586    # vold will set vold.decrypt to trigger_restart_framework (default
587    # encryption) or trigger_restart_min_framework (other encryption)
588
589# One shot invocation to encrypt unencrypted volumes
# Runs vdc (as root: no "user" option) to send "cryptfs enablecrypto inplace
# default" to vold. disabled: started only by the trigger_encryption action.
590service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
591    disabled
592    oneshot
593    # vold will set vold.decrypt to trigger_restart_framework (default
594    # encryption)
595
# bootanim: boot animation, run unprivileged as user graphics with groups
# graphics and audio. disabled + oneshot: runs once, only when started by name.
596service bootanim /system/bin/bootanimation
597    class core
598    user graphics
599    group graphics audio
600    disabled
601    oneshot
602
# installd: no "user" option, so init runs it as root. Its socket is
# 600 system:system, so only the system user can send it commands.
603service installd /system/bin/installd
604    class main
605    socket installd stream 600 system system
606
# flash_recovery: runs a shell script once whenever class main is started.
# No "user" option, so the script runs as root.
# NOTE(review): the integrity of /system/bin/install-recovery.sh therefore
# matters as much as that of a root binary - confirm /system is verified or
# read-only.
607service flash_recovery /system/bin/install-recovery.sh
608    class main
609    oneshot
610
# racoon: IKE daemon. No "user" option, so it starts as root; the comment below
# states that it drops to vpn itself after binding its port. The control
# socket is 600 system:system. disabled + oneshot: started by name, runs once.
611service racoon /system/bin/racoon
612    class main
613    socket racoon stream 600 system system
614    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
615    group vpn net_admin inet
616    disabled
617    oneshot
618
# mtpd: runs as user vpn from the start, with groups net_admin, inet and
# net_raw added. The control socket is 600 system:system.
# disabled + oneshot: started by name, runs once.
619service mtpd /system/bin/mtpd
620    class main
621    socket mtpd stream 600 system system
622    user vpn
623    group vpn net_admin inet net_raw
624    disabled
625    oneshot
626
# keystore: runs as the dedicated keystore user. Its argument is
# /data/misc/keystore, which post-fs-data creates as 0700 keystore:keystore,
# so no other uid can enter that directory.
627service keystore /system/bin/keystore /data/misc/keystore
628    class main
629    user keystore
630    group keystore drmrpc
631
# dumpstate: no "user" option, so init starts it as root. The socket is
# 0660 shell:log, so the shell user and the log group can connect to it.
# disabled + oneshot: started by name, runs once.
632service dumpstate /system/bin/dumpstate -s
633    class main
634    socket dumpstate stream 0660 shell log
635    disabled
636    oneshot
637
# mdnsd: runs as user mdnsr with groups inet and net_raw. Its socket is
# 0660 mdnsr:inet, so any process in the inet group can connect.
# disabled + oneshot: started by name, runs once.
638service mdnsd /system/bin/mdnsd
639    class main
640    user mdnsr
641    group inet net_raw
642    socket mdnsd stream 0660 mdnsr inet
643    disabled
644    oneshot
645
# pre-recovery: runs /system/bin/uncrypt once when started by name.
# No "user" option, so it runs as root.
646service pre-recovery /system/bin/uncrypt
647    class main
648    disabled
649    oneshot
650