Merge branch 'master' of gitee.com:openharmony/startup_init_lite into initservice

Signed-off-by: NMupceet <laiguizhong@huawei.com>

README.md

-# init\_lite<a name="EN-US_TOPIC_0000001129033057"></a>
+# init<a name="EN-US_TOPIC_0000001129033057"></a>
 
 -   [Introduction](#section469617221261)
 -   [Directory Structure](#section15884114210197)
@@ -8,27 +8,27 @@
 
 ## Introduction<a name="section469617221261"></a>
 
-The init\_lite module starts system service processes from the time the kernel loads the first user-space process to the time the first application is started. In addition to loading key system processes, the module needs to configure their permissions during the startup and keep the specified process alive after sub-processes are started. If a process exits abnormally, the module needs to restart it, and to perform system reset for a special process.
+The init module starts system service processes from the time the kernel loads the first user-space process to the time the first application is started. In addition to loading key system processes, the module needs to configure their permissions during the startup and keep the specified process alive after sub-processes are started. If a process exits abnormally, the module needs to restart it, and to perform system reset for a special process.
 
 ## Directory Structure<a name="section15884114210197"></a>
 
 ```
-base/startup/init_lite/             # init_lite module
+base/startup/init/             # init module
 ├── LICENSE
 └── services
-    ├── include                  # Header files for the init_lite module
-    ├── src                      # Source files for the init_lite module
-    └── test                     # Source files of the test cases for the init_lite module
+    ├── include                  # Header files for the init module
+    ├── src                      # Source files for the init module
+    └── test                     # Source files of the test cases for the init module
         └── unittest
 vendor
 └──huawei
         └──camera
-                └──init_configs  # init_lite configuration files (in JSON format, and deployed in /etc/init.cfg after image burning)
+                └──init_configs  # init configuration files (in JSON format, and deployed in /etc/init.cfg after image burning)
 ```
 
 ## Constraints<a name="section12212842173518"></a>
 
-Currently, the init\_lite module applies only to small-system devices \(reference memory ≥ 1 MB\), for example, Hi3516D V300 and Hi3518E V300.
+Currently, the init module applies only to small-system devices \(reference memory ≥ 1 MB\), for example, Hi3516D V300 and Hi3518E V300.
 
 ## Usage<a name="section837771600"></a>
 

README_zh.md

@@ -14,7 +14,7 @@ init组件负责处理从内核加载第一个用户态进程开始，到第一
 ## 目录<a name="section15884114210197"></a>
 
 ```
-base/startup/init_lite/          # init组件
+base/startup/init/          # init组件
 ├── device_info
 ├── initsync
 ├── interfaces                   # init提供的对外接口
@@ -84,7 +84,7 @@ init将系统启动分为三个阶段：
 
 每个沙盒环境的分为只读资源和可写资源，只读资源由init在初始化时创建好，通过mount bind把只读文件指向全局FS中对应的目录，然后启动相应沙盒进程时通过SetNamespace跳入到沙盒环境运行。对于可写目录，通过对全局/data目录进行划分，由存储服务进行统一管理分配，通过mnt namespace完成可写目录的沙盒化。
 
-init的关键配置文件init.cfg位于代码仓库base/startup/init_lite/service/etc目录，部署在/etc/下，采用json格式，文件大小目前限制在100KB以内。
+init的关键配置文件init.cfg位于代码仓库base/startup/init/service/etc目录，部署在/etc/下，采用json格式，文件大小目前限制在100KB以内。
 
 配置文件格式和内容说明如下所示：
 

bundle.json

@@ -7,7 +7,7 @@
     "repository": "https://gitee.com/openharmony/startup_init_lite",
     "publishAs": "code-segment",
     "segment": {
-        "destPath": "base/startup/init_lite"
+        "destPath": "base/startup/init"
     },
     "dirs": {},
     "scripts": {},
@@ -23,7 +23,7 @@
             "components": [
                 "startup",
                 "safwk",
-                "utils_base",
+                "c_utils",
                 "napi",
                 "ipc",
                 "config_policy",
@@ -45,21 +45,21 @@
         },
         "build": {
             "sub_component": [
-                "//base/startup/init_lite/services:startup_init",
-                "//base/startup/init_lite/ueventd:startup_ueventd",
-                "//base/startup/init_lite/watchdog:watchdog",
-                "//base/startup/init_lite/services/begetctl:begetctl_cmd",
-                "//base/startup/init_lite/services/loopevent:loopeventgroup",
-                "//base/startup/init_lite/services/modules:modulesgroup",
-                "//base/startup/init_lite/services/param:parameter",
-                "//base/startup/init_lite/interfaces/innerkits:innergroup",
-                "//base/startup/init_lite/device_info:device_info_group",
-                "//base/startup/init_lite/interfaces/kits:kitsgroup"
+                "//base/startup/init/services:startup_init",
+                "//base/startup/init/ueventd:startup_ueventd",
+                "//base/startup/init/watchdog:watchdog",
+                "//base/startup/init/services/begetctl:begetctl_cmd",
+                "//base/startup/init/services/loopevent:loopeventgroup",
+                "//base/startup/init/services/modules:modulesgroup",
+                "//base/startup/init/services/param:parameter",
+                "//base/startup/init/interfaces/innerkits:innergroup",
+                "//base/startup/init/device_info:device_info_group",
+                "//base/startup/init/interfaces/kits:kitsgroup"
             ],
             "inner_kits": [
                 {
                     "header": {
-                        "header_base": "//base/startup/init_lite/interfaces/innerkits/include/",
+                        "header_base": "//base/startup/init/interfaces/innerkits/include/",
                         "header_files": [
                             "init_socket.h",
                             "init_file.h",
@@ -75,31 +75,40 @@
                             "syspara/sysversion.h"
                         ]
                     },
-                    "name": "//base/startup/init_lite/interfaces/innerkits:libbegetutil"
+                    "name": "//base/startup/init/interfaces/innerkits:libbegetutil"
                 },
                 {
                     "header": {
-                        "header_base": "//base/startup/init_lite/interfaces/innerkits/include/",
+                        "header_base": "//base/startup/init/interfaces/innerkits/include/",
                         "header_files": [
                             "service_watcher.h",
                             "syspara/parameter.h",
                             "syspara/sysparam_errno.h"
                         ]
                     },
-                    "name": "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy"
+                    "name": "//base/startup/init/interfaces/innerkits:libbeget_proxy"
                 },
                 {
                     "header": {
-                        "header_base": "//base/startup/init_lite/interfaces/innerkits",
+                        "header_base": "//base/startup/init/interfaces/innerkits",
                         "header_files": [
                             "init_module_engine/include/init_module_engine.h"
                         ]
                     },
-                    "name": "//base/startup/init_lite/interfaces/innerkits/init_module_engine:libinit_module_engine"
+                    "name": "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_module_engine"
+                },
+                {
+                    "header": {
+                        "header_base": "//base/startup/init/interfaces/innerkits/seccomp/include/",
+                        "header_files": [
+                            "seccomp_policy.h"
+                        ]
+                    },
+                    "name": "//base/startup/init/interfaces/innerkits/seccomp:seccomp"
                 }
             ],
             "test": [
-                "//base/startup/init_lite/test:testgroup"
+                "//base/startup/init/test:testgroup"
             ]
         }
     }

device_info/BUILD.gn

@@ -10,7 +10,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 if (!defined(ohos_lite)) {
   import("//build/ohos.gni")
   import("//build/ohos/sa_profile/sa_profile.gni")
@@ -28,17 +28,18 @@ if (!defined(ohos_lite)) {
 
   ohos_shared_library("deviceinfoservice") {
     sources = [
-      "//base/startup/init_lite/interfaces/innerkits/syspara/param_comm.c",
+      "//base/startup/init/interfaces/innerkits/syspara/param_comm.c",
       "device_info_stub.cpp",
     ]
 
     include_dirs = [
+      "//foundation/distributedschedule/samgr/interfaces/innerkits/samgr_proxy/include/",
       ".",
-      "//base/startup/init_lite/services/include/param",
-      "//base/startup/init_lite/interfaces/innerkits/include",
-      "//base/startup/init_lite/interfaces/innerkits/include/syspara",
-      "//base/startup/init_lite/interfaces/innerkits/syspara",
-      "//base/startup/init_lite/interfaces/hals",
+      "//base/startup/init/services/include/param",
+      "//base/startup/init/interfaces/innerkits/include",
+      "//base/startup/init/interfaces/innerkits/include/syspara",
+      "//base/startup/init/interfaces/innerkits/syspara",
+      "//base/startup/init/interfaces/hals",
     ]
     defines = [
       "INIT_AGENT",
@@ -46,18 +47,16 @@ if (!defined(ohos_lite)) {
       "USE_MBEDTLS",
     ]
     deps = [
-      "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/interfaces/innerkits:libbegetutil",
       "//third_party/bounds_checking_function:libsec_shared",
       "//third_party/mbedtls:mbedtls_shared",
     ]
 
     external_deps = [
       "access_token:libaccesstoken_sdk",
-      "hilog_native:libhilog",
+      "c_utils:utils",
       "ipc:ipc_core",
       "safwk:system_ability_fwk",
-      "samgr_standard:samgr_proxy",
-      "utils_base:utils",
     ]
     install_images = [ "system" ]
     part_name = "init"

device_info/device_info_load.cpp

@@ -28,7 +28,7 @@ void DeviceInfoLoad::OnLoadSystemAbilitySuccess(int32_t systemAbilityId,
     const sptr<IRemoteObject>& remoteObject)
 {
     DINFO_CHECK(systemAbilityId == SYSPARAM_DEVICE_SERVICE_ID, return,
-        "start aystemabilityId is not deviceinfo! %d", systemAbilityId);
+        "start systemabilityId is not deviceinfo! %d", systemAbilityId);
     DINFO_CHECK(remoteObject != nullptr, return, "remoteObject is null.");
 
     DINFO_LOGI("OnLoadSystemAbilitySuccess start systemAbilityId: %d success!", systemAbilityId);
@@ -38,7 +38,7 @@ void DeviceInfoLoad::OnLoadSystemAbilitySuccess(int32_t systemAbilityId,
 void DeviceInfoLoad::OnLoadSystemAbilityFail(int32_t systemAbilityId)
 {
     DINFO_CHECK(systemAbilityId == SYSPARAM_DEVICE_SERVICE_ID, return,
-        "start aystemabilityId is not deviceinfo! %d", systemAbilityId);
+        "start systemabilityId is not deviceinfo! %d", systemAbilityId);
 
     DINFO_LOGI("OnLoadSystemAbilityFail systemAbilityId: %d failed.", systemAbilityId);
 

device_info/device_info_stub.cpp

@@ -72,13 +72,11 @@ bool DeviceInfoStub::CheckPermission(MessageParcel &data, const std::string &per
     AccessTokenID callerToken = IPCSkeleton::GetCallingTokenID();
     int32_t result = TypePermissionState::PERMISSION_GRANTED;
     int32_t tokenType = AccessTokenKit::GetTokenTypeFlag(callerToken);
-    if (tokenType == TOKEN_NATIVE) {
-        result = AccessTokenKit::VerifyNativeToken(callerToken, permission);
-    } else if (tokenType == TOKEN_HAP) {
-        result = AccessTokenKit::VerifyAccessToken(callerToken, permission);
-    } else {
+    if (tokenType == TOKEN_INVALID) {
         DINFO_LOGE("AccessToken type:%d, permission:%d denied!", tokenType, callerToken);
         return false;
+    } else {
+        result = AccessTokenKit::VerifyAccessToken(callerToken, permission);
     }
     if (result == TypePermissionState::PERMISSION_DENIED) {
         DINFO_LOGE("AccessTokenID:%d, permission:%s denied!", callerToken, permission.c_str());

initsync/BUILD.gn

@@ -14,19 +14,19 @@
 import("//build/lite/config/component/lite_component.gni")
 
 lite_component("initsync") {
-  features = [ "//base/startup/init_lite/initsync:libinitsync_shared" ]
+  features = [ "//base/startup/init/initsync:libinitsync_shared" ]
 }
 
 shared_library("libinitsync_shared") {
   sources = [ "src/init_sync.c" ]
   include_dirs = [
-    "//base/startup/init_lite/initsync/include",
-    "//base/startup/init_lite/interfaces/kits/syscap",
-    "//base/startup/init_lite/services/log",
-    "//base/startup/init_lite/interfaces/innerkits/include",
+    "//base/startup/init/initsync/include",
+    "//base/startup/init/interfaces/kits/syscap",
+    "//base/startup/init/services/log",
+    "//base/startup/init/interfaces/innerkits/include",
   ]
   public_deps = [
-    "//base/startup/init_lite/services/log:init_log",
+    "//base/startup/init/services/log:init_log",
     "//third_party/bounds_checking_function:libsec_shared",
   ]
 }
@@ -34,10 +34,10 @@ shared_library("libinitsync_shared") {
 static_library("libinitsync_static") {
   sources = [ "src/init_sync.c" ]
   include_dirs = [
-    "//base/startup/init_lite/initsync/include",
-    "//base/startup/init_lite/interfaces/kits/syscap",
-    "//base/startup/init_lite/services/log",
-    "//base/startup/init_lite/interfaces/innerkits/include",
+    "//base/startup/init/initsync/include",
+    "//base/startup/init/interfaces/kits/syscap",
+    "//base/startup/init/services/log",
+    "//base/startup/init/interfaces/innerkits/include",
   ]
   public_deps = [ "//third_party/bounds_checking_function:libsec_static" ]
 }

interfaces/innerkits/BUILD.gn

@@ -10,7 +10,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 if (!defined(ohos_lite) || enable_ohos_startup_init_feature_begetctl_liteos) {
   syspara_sources = [
     "syscap/init_syscap.c",
@@ -23,12 +23,12 @@ if (!defined(ohos_lite) || enable_ohos_startup_init_feature_begetctl_liteos) {
 config("exported_header_files") {
   visibility = [ ":*" ]
   include_dirs = [
-    "//base/startup/init_lite/interfaces/innerkits/include",
-    "//base/startup/init_lite/interfaces/innerkits/include/syspara",
-    "//base/startup/init_lite/interfaces/innerkits/include/fs_manager",
-    "//base/startup/init_lite/interfaces/innerkits/include/token",
-    "//base/startup/init_lite/interfaces/innerkits/include/sandbox/include",
-    "//base/startup/init_lite/services/include",
+    "//base/startup/init/interfaces/innerkits/include",
+    "//base/startup/init/interfaces/innerkits/include/syspara",
+    "//base/startup/init/interfaces/innerkits/include/fs_manager",
+    "//base/startup/init/interfaces/innerkits/include/token",
+    "//base/startup/init/interfaces/innerkits/include/sandbox/include",
+    "//base/startup/init/services/include",
   ]
 }
 
@@ -36,14 +36,14 @@ include_common = [
   "./include",
   "//base/hiviewdfx/hilog_lite/interfaces/native/kits",
   "//third_party/bounds_checking_function/include",
-  "//base/startup/init_lite/services/include",
-  "//base/startup/init_lite/services/include/param",
-  "//base/startup/init_lite/interfaces/innerkits/fd_holder",
-  "//base/startup/init_lite/services/param/include",
-  "//base/startup/init_lite/interfaces/innerkits/include",
-  "//base/startup/init_lite/interfaces/innerkits/include/syspara",
-  "//base/startup/init_lite/interfaces/hals",
-  "//base/startup/init_lite/interfaces/innerkits/syspara",
+  "//base/startup/init/services/include",
+  "//base/startup/init/services/include/param",
+  "//base/startup/init/interfaces/innerkits/fd_holder",
+  "//base/startup/init/services/param/include",
+  "//base/startup/init/interfaces/innerkits/include",
+  "//base/startup/init/interfaces/innerkits/include/syspara",
+  "//base/startup/init/interfaces/hals",
+  "//base/startup/init/interfaces/innerkits/syspara",
 ]
 
 if (defined(ohos_lite)) {
@@ -67,8 +67,8 @@ if (defined(ohos_lite)) {
         "//third_party/mbedtls:mbedtls_shared",
       ]
       deps += [
-        "//base/startup/init_lite/services/log:init_log",
-        "//base/startup/init_lite/services/utils:libinit_utils",
+        "//base/startup/init/services/log:init_log",
+        "//base/startup/init/services/utils:libinit_utils",
       ]
       if (enable_ohos_startup_init_feature_begetctl_liteos) {
         sources += syspara_sources
@@ -79,16 +79,15 @@ if (defined(ohos_lite)) {
       }
       if (ohos_kernel_type == "liteos_a") {
         defines += [ "__LITEOS_A__" ]
-        deps += [
-          "//base/startup/init_lite/services/param/liteos:param_client_lite",
-        ]
+        deps +=
+            [ "//base/startup/init/services/param/liteos:param_client_lite" ]
       } else if (ohos_kernel_type == "linux") {
         sources += [ "socket/init_socket.c" ]
         defines += [ "__LINUX__" ]
         deps += [
-          "//base/startup/init_lite/services/loopevent:loopevent",
-          "//base/startup/init_lite/services/param/base:parameterbase",
-          "//base/startup/init_lite/services/param/linux:param_client",
+          "//base/startup/init/services/loopevent:loopevent",
+          "//base/startup/init/services/param/base:parameterbase",
+          "//base/startup/init/services/param/linux:param_client",
         ]
       }
     }
@@ -123,9 +122,9 @@ if (defined(ohos_lite)) {
       }
       if (enable_ohos_startup_init_feature_begetctl_liteos) {
         deps += [
-          "//base/startup/init_lite/services/log:init_log",
-          "//base/startup/init_lite/services/param/liteos:param_client_lite",
-          "//base/startup/init_lite/services/utils:libinit_utils",
+          "//base/startup/init/services/log:init_log",
+          "//base/startup/init/services/param/liteos:param_client_lite",
+          "//base/startup/init/services/utils:libinit_utils",
         ]
       }
     }
@@ -140,8 +139,7 @@ if (defined(ohos_lite)) {
       lib_extension = ".so"
     }
     deps = [ ":libbegetutil" ]
-    head_files =
-        [ "//base/startup/init_lite/interfaces/innerkits/include/syspara" ]
+    head_files = [ "//base/startup/init/interfaces/innerkits/include/syspara" ]
   }
 
   group("libbeget_proxy") {
@@ -174,24 +172,24 @@ if (defined(ohos_lite)) {
 
     include_dirs = include_common
     deps = [
-      "//base/startup/init_lite/interfaces/innerkits/control_fd:libcontrolfd",
-      "//base/startup/init_lite/interfaces/innerkits/fd_holder:fdholder",
-      "//base/startup/init_lite/interfaces/innerkits/file:libfile",
-      "//base/startup/init_lite/interfaces/innerkits/fs_manager:libfsmanager_static",
-      "//base/startup/init_lite/interfaces/innerkits/sandbox:sandbox",
-      "//base/startup/init_lite/interfaces/innerkits/socket:libsocket",
-      "//base/startup/init_lite/services/log:agent_log",
-      "//base/startup/init_lite/services/loopevent:loopevent",
-      "//base/startup/init_lite/services/param/base:parameterbase",
-      "//base/startup/init_lite/services/param/linux:param_client",
-      "//base/startup/init_lite/services/utils:libinit_utils",
+      "//base/startup/init/interfaces/innerkits/control_fd:libcontrolfd",
+      "//base/startup/init/interfaces/innerkits/fd_holder:fdholder",
+      "//base/startup/init/interfaces/innerkits/file:libfile",
+      "//base/startup/init/interfaces/innerkits/fs_manager:libfsmanager_static",
+      "//base/startup/init/interfaces/innerkits/sandbox:sandbox",
+      "//base/startup/init/interfaces/innerkits/socket:libsocket",
+      "//base/startup/init/services/log:agent_log",
+      "//base/startup/init/services/loopevent:loopevent",
+      "//base/startup/init/services/param/base:parameterbase",
+      "//base/startup/init/services/param/linux:param_client",
+      "//base/startup/init/services/utils:libinit_utils",
       "//third_party/bounds_checking_function:libsec_shared",
       "//third_party/cJSON:cjson",
       "//third_party/mbedtls:mbedtls_shared",
     ]
     external_deps = [
+      "c_utils:utils",
       "hilog_native:libhilog_base",
-      "utils_base:utils",
     ]
     public_configs = [ ":exported_header_files" ]
     part_name = "init"
@@ -209,7 +207,7 @@ if (defined(ohos_lite)) {
       "USE_MBEDTLS",
     ]
     sources = [
-      "//base/startup/init_lite/device_info/device_info.cpp",
+      "//base/startup/init/device_info/device_info.cpp",
       "service_watcher/service_watcher.c",
     ]
 
@@ -221,14 +219,14 @@ if (defined(ohos_lite)) {
 
     if (enable_ohos_startup_init_feature_watcher) {
       sources += [
-        "//base/startup/init_lite/services/param/watcher/agent/watcher.cpp",
-        "//base/startup/init_lite/services/param/watcher/agent/watcher_manager_kits.cpp",
-        "//base/startup/init_lite/services/param/watcher/agent/watcher_manager_proxy.cpp",
-        "//base/startup/init_lite/services/param/watcher/agent/watcher_stub.cpp",
+        "//base/startup/init/services/param/watcher/agent/watcher.cpp",
+        "//base/startup/init/services/param/watcher/agent/watcher_manager_kits.cpp",
+        "//base/startup/init/services/param/watcher/agent/watcher_manager_proxy.cpp",
+        "//base/startup/init/services/param/watcher/agent/watcher_stub.cpp",
       ]
       include_dirs += [
-        "//base/startup/init_lite/services/param/watcher/include",
-        "//base/startup/init_lite/services/log",
+        "//base/startup/init/services/param/watcher/include",
+        "//base/startup/init/services/log",
       ]
     } else {
       defines += [ "NO_PARAM_WATCHER" ]
@@ -236,22 +234,21 @@ if (defined(ohos_lite)) {
 
     if (enable_ohos_startup_init_feature_deviceinfo) {
       sources += [
-        "//base/startup/init_lite/device_info/device_info_kits.cpp",
-        "//base/startup/init_lite/device_info/device_info_load.cpp",
-        "//base/startup/init_lite/device_info/device_info_proxy.cpp",
+        "//base/startup/init/device_info/device_info_kits.cpp",
+        "//base/startup/init/device_info/device_info_load.cpp",
+        "//base/startup/init/device_info/device_info_proxy.cpp",
       ]
       defines += [ "PARAM_FEATURE_DEVICEINFO" ]
     } else {
-      sources += [
-        "//base/startup/init_lite/interfaces/innerkits/syspara/param_comm.c",
-      ]
+      sources +=
+          [ "//base/startup/init/interfaces/innerkits/syspara/param_comm.c" ]
     }
 
     external_deps = [
+      "c_utils:utils",
       "hilog_native:libhilog_base",
       "ipc:ipc_core",
       "samgr_standard:samgr_proxy",
-      "utils_base:utils",
     ]
     public_configs = [ ":exported_header_files" ]
     part_name = "init"
@@ -273,17 +270,17 @@ if (defined(ohos_lite)) {
 
     include_dirs = include_common
     deps = [
-      "//base/startup/init_lite/services/log:agent_log",
-      "//base/startup/init_lite/services/loopevent:loopevent",
-      "//base/startup/init_lite/services/param/base:parameterbase",
-      "//base/startup/init_lite/services/param/linux:param_client",
-      "//base/startup/init_lite/services/utils:libinit_utils",
+      "//base/startup/init/services/log:agent_log",
+      "//base/startup/init/services/loopevent:loopevent",
+      "//base/startup/init/services/param/base:parameterbase",
+      "//base/startup/init/services/param/linux:param_client",
+      "//base/startup/init/services/utils:libinit_utils",
       "//third_party/bounds_checking_function:libsec_shared",
       "//third_party/mbedtls:mbedtls_shared",
     ]
     external_deps = [
+      "c_utils:utils",
       "hilog_native:libhilog_base",
-      "utils_base:utils",
     ]
     part_name = "init"
   }
@@ -291,6 +288,9 @@ if (defined(ohos_lite)) {
 
 group("innergroup") {
   deps = [ ":libbegetutil" ]
+  if (build_seccomp) {
+    deps += [ "seccomp:seccomp" ]
+  }
   if (!defined(ohos_lite)) {
     deps += [
       ":libbeget_proxy",

interfaces/innerkits/control_fd/BUILD.gn

@@ -11,14 +11,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 import("//build/ohos.gni")
 
 config("exported_header_files") {
   visibility = [ ":*" ]
   include_dirs = [
-    "//base/startup/init_lite/interfaces/innerkits/include",
-    "//base/startup/init_lite/interfaces/innerkits/control_fd",
+    "//base/startup/init/interfaces/innerkits/include",
+    "//base/startup/init/interfaces/innerkits/control_fd",
   ]
 }
 
@@ -31,8 +31,8 @@ ohos_static_library("libcontrolfd") {
   include_dirs = [
     ".",
     "//third_party/bounds_checking_function/include",
-    "//base/startup/init_lite/services/include",
-    "//base/startup/init_lite/services/loopevent/include",
+    "//base/startup/init/services/include",
+    "//base/startup/init/services/loopevent/include",
   ]
   part_name = "init"
 }

interfaces/innerkits/control_fd/control_fd_client.c

@@ -31,11 +31,11 @@ static void ProcessPtyWrite(const WatcherHandle taskHandle, int fd, uint32_t *ev
     }
     CmdAgent *agent = (CmdAgent *)context;
     char rbuf[PTY_BUF_SIZE] = {0};
-    int rlen = read(fd, rbuf, PTY_BUF_SIZE - 1);
+    ssize_t rlen = read(fd, rbuf, PTY_BUF_SIZE - 1);
     int ret = fflush(stdin);
     BEGET_ERROR_CHECK(ret == 0, return, "[control_fd] Failed fflush err=%d", errno);
     if (rlen > 0) {
-        int wlen = write(agent->ptyFd, rbuf, rlen);
+        ssize_t wlen = write(agent->ptyFd, rbuf, rlen);
         BEGET_ERROR_CHECK(wlen == rlen, return, "[control_fd] Failed write fifo err=%d", errno);
     }
     ret = fflush(stdout);
@@ -51,7 +51,7 @@ static void ProcessPtyRead(const WatcherHandle taskHandle, int fd, uint32_t *eve
     }
     CmdAgent *agent = (CmdAgent *)context;
     char buf[PTY_BUF_SIZE] = {0};
-    int readlen = read(fd, buf, PTY_BUF_SIZE - 1);
+    long readlen = read(fd, buf, PTY_BUF_SIZE - 1);
     if (readlen > 0) {
         fprintf(stdout, "%s", buf);
     } else {
@@ -68,9 +68,9 @@ static void CmdOnRecvMessage(const TaskHandle task, const uint8_t *buffer, uint3
     BEGET_LOGI("[control_fd] CmdOnRecvMessage %s len %d.", (char *)buffer, buffLen);
 }
 
-static void CmdOnConntectComplete(const TaskHandle client)
+static void CmdOnConnectComplete(const TaskHandle client)
 {
-    BEGET_LOGI("[control_fd] CmdOnConntectComplete");
+    BEGET_LOGI("[control_fd] CmdOnConnectComplete");
 }
 
 static void CmdOnClose(const TaskHandle task)
@@ -105,8 +105,8 @@ static CmdAgent *CmdAgentCreate(const char *server)
     info.server = (char *)server;
     info.baseInfo.userDataSize = sizeof(CmdAgent);
     info.baseInfo.close = CmdOnClose;
-    info.disConntectComplete = CmdDisConnectComplete;
-    info.connectComplete = CmdOnConntectComplete;
+    info.disConnectComplete = CmdDisConnectComplete;
+    info.connectComplete = CmdOnConnectComplete;
     info.sendMessageComplete = CmdOnSendMessageComplete;
     info.recvMessage = CmdOnRecvMessage;
     LE_STATUS status = LE_CreateStreamClient(LE_GetDefaultLoop(), &task, &info);

interfaces/innerkits/control_fd/control_fd_service.c

@@ -13,11 +13,6 @@
  * limitations under the License.
  */
 #include <fcntl.h>
-#include <limits.h>
-#include <stdbool.h>
-#include <sys/ioctl.h>
-#include <sys/wait.h>
-#include <termios.h>
 #include <unistd.h>
 
 #include "beget_ext.h"
@@ -93,14 +88,14 @@ static int SendMessage(LoopHandle loop, TaskHandle task, const char *message)
     return 0;
 }
 
-static int CmdOnIncommingConntect(const LoopHandle loop, const TaskHandle server)
+static int CmdOnIncommingConnect(const LoopHandle loop, const TaskHandle server)
 {
     TaskHandle client = NULL;
     LE_StreamInfo info = {};
     info.baseInfo.flags = TASK_STREAM | TASK_PIPE | TASK_CONNECT;
     info.baseInfo.close = OnClose;
     info.baseInfo.userDataSize = sizeof(CmdTask);
-    info.disConntectComplete = NULL;
+    info.disConnectComplete = NULL;
     info.sendMessageComplete = NULL;
     info.recvMessage = CmdOnRecvMessage;
     int ret = LE_AcceptStreamClient(LE_GetDefaultLoop(), server, &client, &info);
@@ -127,8 +122,8 @@ void CmdServiceInit(const char *socketPath, CallbackControlFdProcess func)
     info.server = (char *)socketPath;
     info.socketId = -1;
     info.baseInfo.close = NULL;
-    info.disConntectComplete = NULL;
-    info.incommingConntect = CmdOnIncommingConntect;
+    info.disConnectComplete = NULL;
+    info.incommingConnect = CmdOnIncommingConnect;
     info.sendMessageComplete = NULL;
     info.recvMessage = NULL;
     g_controlFdFunc = func;

interfaces/innerkits/fd_holder/BUILD.gn

@@ -16,17 +16,17 @@ import("//build/ohos.gni")
 config("exported_header_files") {
   visibility = [ ":*" ]
   include_dirs = [
-    "//base/startup/init_lite/interfaces/innerkits/include",
-    "//base/startup/init_lite/interfaces/innerkits/fd_holder",
+    "//base/startup/init/interfaces/innerkits/include",
+    "//base/startup/init/interfaces/innerkits/fd_holder",
   ]
 }
 
 ohos_static_library("fdholder") {
   sources = [ "fd_holder_internal.c" ]
   include_dirs = [
-    "//base/startup/init_lite/services/loopevent/include",
+    "//base/startup/init/services/loopevent/include",
     "//third_party/bounds_checking_function/include",
-    "//base/startup/init_lite/interfaces/innerkits/include",
+    "//base/startup/init/interfaces/innerkits/include",
   ]
   public_configs = [ ":exported_header_files" ]
   part_name = "init"

interfaces/innerkits/file/BUILD.gn

@@ -13,14 +13,14 @@
 import("//build/ohos.gni")
 config("exported_header_files") {
   visibility = [ ":*" ]
-  include_dirs = [ "//base/startup/init_lite/interfaces/innerkits/include" ]
+  include_dirs = [ "//base/startup/init/interfaces/innerkits/include" ]
 }
 
 ohos_static_library("libfile") {
   sources = [ "init_file.c" ]
   include_dirs = [
-    "//base/startup/init_lite/services/log",
-    "//base/startup/init_lite/services/include",
+    "//base/startup/init/services/log",
+    "//base/startup/init/services/include",
     "//third_party/bounds_checking_function/include",
   ]
   public_configs = [ ":exported_header_files" ]

interfaces/innerkits/file/init_file.c

@@ -19,8 +19,6 @@
 #include <fcntl.h>
 #include <limits.h>
 #include <stdlib.h>
-#include <sys/types.h>
-#include <unistd.h>
 
 #include "beget_ext.h"
 #include "init_utils.h"

interfaces/innerkits/fs_manager/BUILD.gn

@@ -16,7 +16,7 @@ import("//build/ohos.gni")
 config("libfsmanager_exported_configs") {
   visibility = [ ":*" ]
   include_dirs =
-      [ "//base/startup/init_lite/interfaces/innerkits/include/fs_manager" ]
+      [ "//base/startup/init/interfaces/innerkits/include/fs_manager" ]
 }
 
 ohos_static_library("libfsmanager_static") {
@@ -25,11 +25,11 @@ ohos_static_library("libfsmanager_static") {
     "fstab_mount.c",
   ]
   include_dirs = [
-    "//base/startup/init_lite/interfaces/innerkits/include",
+    "//base/startup/init/interfaces/innerkits/include",
     "//third_party/bounds_checking_function/include",
-    "//base/startup/init_lite/services/log",
-    "//base/startup/init_lite/services/include",
-    "//base/startup/init_lite/services/param/include",
+    "//base/startup/init/services/log",
+    "//base/startup/init/services/include",
+    "//base/startup/init/services/param/include",
   ]
   public_configs = [ ":libfsmanager_exported_configs" ]
   part_name = "init"

interfaces/innerkits/fs_manager/fstab.c

@@ -14,16 +14,13 @@
  */
 
 #include <ctype.h>
-#include <fcntl.h>
 #include <libgen.h>
 #include <limits.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdbool.h>
 #include <sys/mount.h>
-#include <sys/stat.h>
 #include <sys/types.h>
-#include <unistd.h>
 #include "beget_ext.h"
 #include "fs_manager/fs_manager.h"
 #include "init_utils.h"
@@ -45,6 +42,8 @@ struct MountFlags {
     unsigned long flags;
 };
 
+static char *g_fscryptPolicy = NULL;
+
 static unsigned int ConvertFlags(char *flagBuffer)
 {
     static struct FsManagerFlags fsFlags[] = {
@@ -387,7 +386,60 @@ static unsigned long ParseDefaultMountFlag(const char *str)
     return flags;
 }
 
-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize)
+static bool IsFscryptOption(const char *option)
+{
+    BEGET_LOGI("IsFscryptOption start");
+    if (!option) {
+        return false;
+    }
+    char *fscryptPre = "fscrypt=";
+    if (strncmp(option, fscryptPre, strlen(fscryptPre)) == 0) {
+        return true;
+    }
+    return false;
+}
+
+static void StoreFscryptPolicy(const char *option)
+{
+    if (option == NULL) {
+        return;
+    }
+    if (g_fscryptPolicy != NULL) {
+        BEGET_LOGW("StoreFscryptPolicy:inited policy is not empty");
+        free(g_fscryptPolicy);
+    }
+    g_fscryptPolicy = strdup(option);
+    if (g_fscryptPolicy == NULL) {
+        BEGET_LOGE("StoreFscryptPolicy:no memory");
+        return;
+    }
+    BEGET_LOGI("StoreFscryptPolicy:store fscrypt policy, %s", option);
+}
+
+int LoadFscryptPolicy(char *buf, size_t size)
+{
+    BEGET_LOGI("LoadFscryptPolicy start");
+    if (buf == NULL || g_fscryptPolicy == NULL) {
+        BEGET_LOGE("LoadFscryptPolicy:buf or fscrypt policy is empty");
+        return -ENOMEM;
+    }
+    if (size <= 0) {
+        BEGET_LOGE("LoadFscryptPloicy:size is invalid");
+        return -EINVAL;
+    }
+    if (strcpy_s(buf, size, g_fscryptPolicy) != 0) {
+        BEGET_LOGE("loadFscryptPolicy:strcmp failed, error = %d", errno);
+        return -EFAULT;
+    }
+    free(g_fscryptPolicy);
+    g_fscryptPolicy = NULL;
+    BEGET_LOGI("LoadFscryptPolicy success");
+
+    return 0;
+}
+
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpecificDataSize,
+    const char *mountPoint)
 {
     unsigned long flags = 0;
     BEGET_CHECK_RETURN_VALUE(mountFlag != NULL && fsSpecificData != NULL, 0);
@@ -411,6 +463,11 @@ unsigned long GetMountFlags(char *mountFlag, char *fsSpecificData, size_t fsSpec
         if (IsDefaultMountFlags(p)) {
             flags |= ParseDefaultMountFlag(p);
         } else {
+            if (IsFscryptOption(p) &&
+                !strncmp(mountPoint, "/data", strlen("/data"))) {
+                StoreFscryptPolicy(p + strlen("fscrypt="));
+                continue;
+            }
             if (strncat_s(fsSpecificData, fsSpecificDataSize - 1, p, strlen(p)) != EOK) {
                 BEGET_LOGW("Failed to append mount flag \" %s \", ignore it.", p);
                 continue;

interfaces/innerkits/fs_manager/fstab_mount.c

@@ -293,7 +293,8 @@ int MountOneItem(FstabItem *item)
     unsigned long mountFlags;
     char fsSpecificData[FS_MANAGER_BUFFER_SIZE] = {0};
 
-    mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData));
+    mountFlags = GetMountFlags(item->mountOptions, fsSpecificData, sizeof(fsSpecificData),
+        item->mountPoint);
     if (!IsSupportedFilesystem(item->fsType)) {
         BEGET_LOGE("Unsupported file system \" %s \"", item->fsType);
         return 0;

interfaces/innerkits/include/beget_ext.h

@@ -65,7 +65,7 @@ INIT_PUBLIC_API void SetInitCommLog(InitCommLog logFunc);
 #define STARTUP_LOGF(domain, tag, fmt, ...) \
     StartupLog(INIT_FATAL, domain, tag, "[%s:%d]" fmt, (FILE_NAME), (__LINE__), ##__VA_ARGS__)
 
-#define BASE_DOMAIN 0xA000
+#define BASE_DOMAIN 0xD002C00
 #ifndef BEGET_DOMAIN
 #define BEGET_DOMAIN (BASE_DOMAIN + 0xb)
 #endif

interfaces/innerkits/include/fs_manager/fs_manager.h

@@ -70,9 +70,13 @@ MountStatus GetMountStatusForMountPoint(const char *mp);
 int MountAllWithFstabFile(const char *fstabFile, bool required);
 int MountAllWithFstab(const Fstab *fstab, bool required);
 int UmountAllWithFstabFile(const char *file);
-unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize);
+unsigned long GetMountFlags(char *mountFlag, char *fsSpecificFlags, size_t fsSpecificFlagSize,
+    const char *mountPoint);
 
 int GetBlockDevicePath(const char *partName, char *path, int size);
+
+// Get fscrypt policy if exist
+int LoadFscryptPolicy(char *buf, size_t size);
 #ifdef __cplusplus
 #if __cplusplus
 }

interfaces/innerkits/include/modulemgr.h

@@ -75,7 +75,7 @@ void ModuleMgrDestroy(MODULE_MGR *moduleMgr);
 /**
  * @brief Install a module
  * 
- * The final module path is: /system/lib/{moduleMgrPath}/{moduleNmae}.z.so
+ * The final module path is: /system/lib/{moduleMgrPath}/{moduleName}.z.so
  *
  * @param moduleMgr module manager handle
  * @param moduleName module name

interfaces/innerkits/include/service_control.h

@@ -37,7 +37,7 @@ typedef enum {
     SERVICE_SUSPENDED,
     SERVICE_FREEZED,
     SERVICE_DISABLED,
-    SERVICE_CRITIAL
+    SERVICE_CRITICAL
 } ServiceStatus;
 
 enum ServiceAction {

interfaces/innerkits/init_module_engine/BUILD.gn

@@ -25,9 +25,9 @@ if (defined(ohos_lite)) {
     visibility = [ ":*" ]
     include_dirs = [
       "include/",
-      "//base/startup/init_lite/services/include",
-      "//base/startup/init_lite/interfaces/innerkits/include",
-      "//base/startup/init_lite/services/log",
+      "//base/startup/init/services/include",
+      "//base/startup/init/interfaces/innerkits/include",
+      "//base/startup/init/services/log",
       "//third_party/cJSON",
     ]
   }
@@ -62,10 +62,10 @@ if (defined(ohos_lite)) {
 
   config("init_module_engine_sources_config") {
     include_dirs = [
-      "//base/startup/init_lite/interfaces/innerkits/init_module_engine/include",
-      "//base/startup/init_lite/interfaces/innerkits/include",
-      "//base/startup/init_lite/services/include",
-      "//base/startup/init_lite/services/log",
+      "//base/startup/init/interfaces/innerkits/init_module_engine/include",
+      "//base/startup/init/interfaces/innerkits/include",
+      "//base/startup/init/services/include",
+      "//base/startup/init/services/log",
       "//third_party/cJSON",
     ]
   }

interfaces/innerkits/reboot/init_reboot_innerkits.c

@@ -15,7 +15,6 @@
 #include "init_reboot.h"
 
 #include <string.h>
-#include <sys/types.h>
 #include <unistd.h>
 
 #include "beget_ext.h"

interfaces/innerkits/sandbox/BUILD.gn

@@ -11,13 +11,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 import("//build/ohos.gni")
 
 config("exported_header_files") {
   visibility = [ ":*" ]
-  include_dirs =
-      [ "//base/startup/init_lite/interfaces/innerkits/sandbox/include" ]
+  include_dirs = [ "//base/startup/init/interfaces/innerkits/sandbox/include" ]
 }
 
 ohos_static_library("sandbox") {
@@ -28,8 +27,8 @@ ohos_static_library("sandbox") {
   public_configs = [ ":exported_header_files" ]
   include_dirs = [
     "//third_party/bounds_checking_function/include",
-    "//base/startup/init_lite/services/include",
-    "//base/startup/init_lite/interfaces/innerkits/include",
+    "//base/startup/init/services/include",
+    "//base/startup/init/interfaces/innerkits/include",
     "//third_party/cJSON",
   ]
   if (target_cpu == "arm64") {

interfaces/innerkits/sandbox/sandbox.c

@@ -22,7 +22,6 @@
 #include <sys/mount.h>
 #include <sys/stat.h>
 #include <sys/syscall.h>
-#include <sys/types.h>
 #include <errno.h>
 #include "beget_ext.h"
 #include "init_utils.h"

interfaces/innerkits/sandbox/sandbox_namespace.c

@@ -17,7 +17,6 @@
 #include <fcntl.h>
 #include <sched.h>
 #include <string.h>
-#include <sys/types.h>
 #include <unistd.h>
 #include "beget_ext.h"
 

interfaces/innerkits/sandbox/system-sandbox.json

@@ -73,6 +73,14 @@
             "src-path" : "/sys_prod",
             "sandbox-path" : "/sys_prod",
             "sandbox-flags" : [ "bind", "rec", "private" ]
+        }, {
+            "src-path" : "/vendor",
+            "sandbox-path" : "/chipset",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
+        }, {
+            "src-path" : "/chip_prod",
+            "sandbox-path" : "/chip_prod",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
         }
     ],
     "mount-bind-files" : [{

interfaces/innerkits/sandbox/system-sandbox64.json

@@ -80,6 +80,14 @@
             "src-path" : "/sys_prod",
             "sandbox-path" : "/sys_prod",
             "sandbox-flags" : [ "bind", "rec", "private" ]
+        }, {
+            "src-path" : "/vendor",
+            "sandbox-path" : "/chipset",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
+        }, {
+            "src-path" : "/chip_prod",
+            "sandbox-path" : "/chip_prod",
+            "sandbox-flags" : [ "bind", "rec", "private" ]
         }
     ],
     "mount-bind-files" : [{

interfaces/innerkits/seccomp/BUILD.gn

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/ohos.gni")
+
+config("seccomp_public_config") {
+  include_dirs = [ "//base/startup/init/interfaces/innerkits/seccomp/include" ]
+}
+
+ohos_shared_library("seccomp") {
+  sources = [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
+
+  public_configs = [ ":seccomp_public_config" ]
+
+  include_dirs = [ "//base/startup/init/services/modules/seccomp" ]
+
+  deps = [
+    "//base/startup/init/interfaces/innerkits:libbegetutil",
+    "//base/startup/init/services/modules/seccomp:appspawn_filter",
+    "//base/startup/init/services/modules/seccomp:system_filter",
+  ]
+
+  license_file = "//base/startup/init/LICENSE"
+
+  part_name = "init"
+
+  install_enable = true
+  install_images = [
+    "system",
+    "updater",
+    "ramdisk",
+  ]
+}

interfaces/innerkits/seccomp/include/seccomp_policy.h

+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SECCOMP_POLICY_H
+#define SECCOMP_POLICY_H
+
+#include <stdint.h>
+#include <stdbool.h>
+
+#ifdef __cplusplus
+#if __cplusplus
+extern "C" {
+#endif
+#endif
+
+typedef enum {
+    SYSTEM,
+    APPSPAWN,
+    APP
+} PolicyType;
+
+bool SetSeccompPolicy(PolicyType policy);
+
+#ifdef __cplusplus
+#if __cplusplus
+}
+#endif
+#endif
+
+#endif // SECCOMP_POLICY_H

interfaces/innerkits/service_watcher/service_watcher.c

@@ -16,7 +16,6 @@
 
 #include <errno.h>
 #include <stdio.h>
-#include <stdlib.h>
 #include <string.h>
 
 #include "beget_ext.h"

interfaces/innerkits/socket/BUILD.gn

@@ -12,10 +12,10 @@
 # limitations under the License.
 
 service_socket_sources =
-    [ "//base/startup/init_lite/interfaces/innerkits/socket/init_socket.c" ]
+    [ "//base/startup/init/interfaces/innerkits/socket/init_socket.c" ]
 service_socket_include = [
-  "//base/startup/init_lite/interfaces/innerkits/include",
-  "//base/startup/init_lite/services/log",
+  "//base/startup/init/interfaces/innerkits/include",
+  "//base/startup/init/services/log",
   "//third_party/bounds_checking_function/include",
 ]
 

interfaces/innerkits/socket/init_socket.c

@@ -14,14 +14,9 @@
  */
 
 #include "init_socket.h"
-#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
-#include <netinet/in.h>
-#include <sys/types.h>
 #include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/uio.h>
 #include <sys/un.h>
 #include "beget_ext.h"
 #include "securec.h"

interfaces/innerkits/syscap/BUILD.gn

@@ -22,10 +22,10 @@ ohos_shared_library("syscap") {
 
   include_dirs = [
     "../include",
-    "//base/startup/init_lite/services/include/param",
+    "//base/startup/init/services/include/param",
   ]
   deps = [
-    "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
+    "//base/startup/init/interfaces/innerkits:libbegetutil",
     "//third_party/bounds_checking_function:libsec_shared",
   ]
 

interfaces/innerkits/syspara/param_comm.c

@@ -15,7 +15,6 @@
 
 #include "param_comm.h"
 
-#include <ctype.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -33,8 +32,6 @@
 #include "securec.h"
 #include "beget_ext.h"
 
-static const char *g_emptyStr = "";
-
 INIT_LOCAL_API int IsValidParamValue(const char *value, uint32_t len)
 {
     if ((value == NULL) || (strlen(value) + 1 > len)) {
@@ -73,11 +70,11 @@ INIT_LOCAL_API const char *GetProperty(const char *key, const char **paramHolder
     int ret = SystemGetParameter(key, NULL, &len);
     if (ret == 0 && len > 0) {
         char *res = (char *)malloc(len + 1);
-        BEGET_CHECK(res != NULL, return g_emptyStr);
+        BEGET_CHECK(res != NULL, return NULL);
         ret = SystemGetParameter(key, res, &len);
         if (ret != 0) {
             free(res);
-            return g_emptyStr;
+            return NULL;
         }
         *paramHolder = res;
     }
@@ -154,14 +151,14 @@ INIT_LOCAL_API const char *GetSerial_(void)
 #ifdef LITEOS_SUPPORT
     return HalGetSerial();
 #else
-    static char *ohos_serial = NULL;
-    if (ohos_serial == NULL) {
-        BEGET_CHECK((ohos_serial = (char *)calloc(1, PARAM_VALUE_LEN_MAX)) != NULL, return NULL);
+    static char *ohosSerial = NULL;
+    if (ohosSerial == NULL) {
+        BEGET_CHECK((ohosSerial = (char *)calloc(1, PARAM_VALUE_LEN_MAX)) != NULL, return NULL);
     }
     uint32_t len = PARAM_VALUE_LEN_MAX;
-    int ret = SystemGetParameter("ohos.boot.sn", ohos_serial, &len);
+    int ret = SystemGetParameter("ohos.boot.sn", ohosSerial, &len);
     BEGET_CHECK(ret == 0, return NULL);
-    return ohos_serial;
+    return ohosSerial;
 #endif
 }
 

interfaces/innerkits/syspara/param_wrapper.cpp

@@ -17,7 +17,6 @@
 
 #include <unordered_map>
 #include <vector>
-#include <climits>
 
 #include "beget_ext.h"
 #include "param_comm.h"

interfaces/innerkits/syspara/parameter.c

@@ -226,17 +226,24 @@ int GetDevUdid(char *udid, int size)
 static const char *BuildOSFullName(void)
 {
     const char release[] = "Release";
-    char value[OS_FULL_NAME_LEN] = {0};
     const char *releaseType = GetOsReleaseType();
-    const char *fillname = GetFullName_();
-    if ((releaseType != NULL) && (strncmp(releaseType, release, sizeof(release) - 1) != 0)) {
-        int length = sprintf_s(value, OS_FULL_NAME_LEN, "%s(%s)", fillname, releaseType);
+    const char *fullName = GetFullName_();
+    if (fullName == NULL || releaseType == NULL) {
+        return NULL;
+    }
+    if (strncmp(releaseType, release, sizeof(release) - 1) != 0) {
+        char *value = calloc(1, OS_FULL_NAME_LEN);
+        if (value == NULL) {
+            return NULL;
+        }
+        int length = sprintf_s(value, OS_FULL_NAME_LEN, "%s(%s)", fullName, releaseType);
         if (length < 0) {
-            return EMPTY_STR;
+            free(value);
+            return NULL;
         }
+        return value;
     }
-    const char *osFullName = strdup(value);
-    return osFullName;
+    return strdup(fullName);
 }
 
 const char *GetOSFullName(void)
@@ -255,13 +262,16 @@ const char *GetOSFullName(void)
 static const char *BuildVersionId(void)
 {
     char value[VERSION_ID_MAX_LEN] = {0};
+    if (GetDeviceType() == NULL) {
+        return NULL;
+    }
 
     int len = sprintf_s(value, VERSION_ID_MAX_LEN, "%s/%s/%s/%s/%s/%s/%s/%s/%s/%s",
         GetDeviceType(), GetManufacture(), GetBrand(), GetProductSeries(),
         GetOSFullName(), GetProductModel(), GetSoftwareModel(),
         GetSdkApiVersion_(), GetIncrementalVersion(), GetBuildType());
     if (len <= 0) {
-        return EMPTY_STR;
+        return NULL;
     }
     const char *versionId = strdup(value);
     return versionId;

interfaces/innerkits/syspara/sysversion.c

@@ -14,13 +14,11 @@
  */
 #include "sysversion.h"
 
-#include <ctype.h>
 #include <stdlib.h>
 #include <string.h>
 
 #include "beget_ext.h"
 #include "param_comm.h"
-#include "parameter.h"
 #include "securec.h"
 
 /* *

interfaces/innerkits/token/BUILD.gn

@@ -12,17 +12,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 import("//build/lite/config/component/lite_component.gni")
 import("//build/lite/ndk/ndk.gni")
 
 if (ohos_kernel_type == "liteos_a" || ohos_kernel_type == "linux") {
   shared_library("token_shared") {
     include_dirs = [
-      "//base/startup/init_lite/interfaces/innerkits/include",
-      "//base/startup/init_lite/interfaces/innerkits/include/token",
+      "//base/startup/init/interfaces/innerkits/include",
+      "//base/startup/init/interfaces/innerkits/include/token",
       "//utils/native/lite/include",
-      "//base/startup/init_lite/interfaces/innerkits/token",
+      "//base/startup/init/interfaces/innerkits/token",
     ]
     sources = [ "src/token_impl_posix/token.c" ]
 
@@ -38,10 +38,10 @@ if (ohos_kernel_type == "liteos_m") {
     sources = [ "src/token_impl_hal/token.c" ]
 
     include_dirs = [
-      "//base/startup/init_lite/interfaces/innerkits/include",
-      "//base/startup/init_lite/interfaces/innerkits/include/token",
+      "//base/startup/init/interfaces/innerkits/include",
+      "//base/startup/init/interfaces/innerkits/include/token",
       "//utils/native/lite/include",
-      "//base/startup/init_lite/interfaces/innerkits/token",
+      "//base/startup/init/interfaces/innerkits/token",
       "//base/hiviewdfx/hilog_lite/interfaces/native/kits/hilog_lite",
     ]
 
@@ -67,8 +67,7 @@ ndk_lib("token_notes") {
     lib_extension = ".so"
   }
   if (ohos_kernel_type != "liteos_m") {
-    deps +=
-        [ "//base/startup/init_lite/interfaces/innerkits/token:token_shared" ]
+    deps += [ "//base/startup/init/interfaces/innerkits/token:token_shared" ]
   }
-  head_files += [ "//base/startup/init_lite/interfaces/include/token" ]
+  head_files += [ "//base/startup/init/interfaces/include/token" ]
 }

interfaces/kits/BUILD.gn

@@ -16,8 +16,8 @@ import("//build/ohos.gni")
 group("kitsgroup") {
   if (!defined(ohos_lite)) {
     deps = [
-      "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy",
-      "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/interfaces/innerkits:libbeget_proxy",
+      "//base/startup/init/interfaces/innerkits:libbegetutil",
     ]
     deps += [ "syscap:deviceinfo_ndk" ]
     if (support_jsapi) {

interfaces/kits/jskits/BUILD.gn

@@ -14,18 +14,15 @@
 import("//build/ohos.gni")
 
 ohos_shared_library("deviceinfo") {
-  include_dirs = [ "//base/startup/init_lite/interfaces/innerkits/include" ]
+  include_dirs = [ "//base/startup/init/interfaces/innerkits/include" ]
 
   sources = [ "src/native_deviceinfo_js.cpp" ]
 
   deps = [
-    "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy",
-    "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
-  ]
-  external_deps = [
-    "hiviewdfx_hilog_native:libhilog",
-    "napi:ace_napi",
+    "//base/startup/init/interfaces/innerkits:libbeget_proxy",
+    "//base/startup/init/interfaces/innerkits:libbegetutil",
   ]
+  external_deps = [ "napi:ace_napi" ]
   relative_install_dir = "module"
   subsystem_name = "startup"
   part_name = "init"
@@ -43,14 +40,11 @@ ohos_shared_library("systemparameter") {
   ]
 
   deps = [
-    "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy",
-    "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
+    "//base/startup/init/interfaces/innerkits:libbeget_proxy",
+    "//base/startup/init/interfaces/innerkits:libbegetutil",
   ]
 
-  external_deps = [
-    "hiviewdfx_hilog_native:libhilog",
-    "napi:ace_napi",
-  ]
+  external_deps = [ "napi:ace_napi" ]
   relative_install_dir = "module"
   subsystem_name = "startup"
   part_name = "init"

interfaces/kits/syscap/BUILD.gn

@@ -16,7 +16,7 @@ import("//build/ohos.gni")
 ohos_shared_library("deviceinfo_ndk") {
   sources = [ "src/syscap_ndk.c" ]
   include_dirs = [ "./include" ]
-  deps = [ "//base/startup/init_lite/interfaces/innerkits:libbegetutil" ]
+  deps = [ "//base/startup/init/interfaces/innerkits:libbegetutil" ]
   part_name = "init"
 }
 

services/BUILD.gn

@@ -10,7 +10,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 group("startup_init") {
   deps = []
 
@@ -23,7 +23,7 @@ group("startup_init") {
 
     # for unittest
     if (ohos_build_type == "debug") {
-      deps += [ "//base/startup/init_lite/test/unittest/lite:init_test" ]
+      deps += [ "//base/startup/init/test/unittest/lite:init_test" ]
     }
   }
 
@@ -35,9 +35,9 @@ group("startup_init") {
     ]
     if (enable_ohos_startup_init_feature_watcher) {
       deps += [
-        "//base/startup/init_lite/services/param/watcher:param_watcher",
-        "//base/startup/init_lite/services/param/watcher:param_watcher.rc",
-        "//base/startup/init_lite/services/param/watcher/sa_profile:param_watcher_profile",
+        "//base/startup/init/services/param/watcher:param_watcher",
+        "//base/startup/init/services/param/watcher:param_watcher.rc",
+        "//base/startup/init/services/param/watcher/sa_profile:param_watcher_profile",
       ]
     }
   }

services/begetctl/BUILD.gn

@@ -10,21 +10,21 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 
 common_include_dirs = [
-  "//base/startup/init_lite/services/begetctl",
-  "//base/startup/init_lite/services/begetctl/shell",
-  "//base/startup/init_lite/services/param/include",
-  "//base/startup/init_lite/services/param/adapter",
-  "//base/startup/init_lite/services/param/linux",
-  "//base/startup/init_lite/services/param/base",
-  "//base/startup/init_lite/services/include/param",
-  "//base/startup/init_lite/services/include",
-  "//base/startup/init_lite/services/loopevent/include",
-  "//base/startup/init_lite/services/init/include",
-  "//base/startup/init_lite/services/log",
-  "//base/startup/init_lite/interfaces/innerkits/include",
+  "//base/startup/init/services/begetctl",
+  "//base/startup/init/services/begetctl/shell",
+  "//base/startup/init/services/param/include",
+  "//base/startup/init/services/param/adapter",
+  "//base/startup/init/services/param/linux",
+  "//base/startup/init/services/param/base",
+  "//base/startup/init/services/include/param",
+  "//base/startup/init/services/include",
+  "//base/startup/init/services/loopevent/include",
+  "//base/startup/init/services/init/include",
+  "//base/startup/init/services/log",
+  "//base/startup/init/interfaces/innerkits/include",
   "//third_party/bounds_checking_function/include",
 ]
 
@@ -42,14 +42,14 @@ if (defined(ohos_lite)) {
       "OHOS_LITE",
     ]
     if (param_test) {
-      sources += [ "//base/startup/init_lite/test/moduletest/syspara.cpp" ]
+      sources += [ "//base/startup/init/test/moduletest/syspara.cpp" ]
     }
 
     include_dirs = common_include_dirs
     deps = [
       "//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
-      "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
-      "//base/startup/init_lite/services/utils:libinit_utils",
+      "//base/startup/init/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/services/utils:libinit_utils",
       "//build/lite/config/component/cJSON:cjson_static",
       "//third_party/bounds_checking_function:libsec_static",
     ]
@@ -79,23 +79,23 @@ if (defined(ohos_lite)) {
 
     include_dirs = [
       "//third_party/bounds_checking_function/include",
-      "//base/startup/init_lite/interfaces/innerkits/sandbox/include",
-      "//base/startup/init_lite/interfaces/innerkits/control_fd",
+      "//base/startup/init/interfaces/innerkits/sandbox/include",
+      "//base/startup/init/interfaces/innerkits/control_fd",
     ]
     include_dirs += common_include_dirs
     deps = [
-      "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
-      "//base/startup/init_lite/interfaces/innerkits/control_fd:libcontrolfd",
+      "//base/startup/init/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/interfaces/innerkits/control_fd:libcontrolfd",
       "//third_party/bounds_checking_function:libsec_shared",
     ]
-    external_deps = [ "utils_base:utils" ]
+    external_deps = [ "c_utils:utils" ]
 
     if (param_test) {
       sources += [
-        "//base/startup/init_lite/test/moduletest/param_test_cmds.c",
-        "//base/startup/init_lite/test/moduletest/syspara.cpp",
+        "//base/startup/init/test/moduletest/param_test_cmds.c",
+        "//base/startup/init/test/moduletest/syspara.cpp",
       ]
-      deps += [ "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy" ]
+      deps += [ "//base/startup/init/interfaces/innerkits:libbeget_proxy" ]
       defines += [
         "OHOS_SERVICE_DUMP",
         "INIT_TEST",
@@ -139,7 +139,7 @@ if (defined(ohos_lite)) {
     defines = [ "_GNU_SOURCE" ]
     include_dirs = common_include_dirs
     deps = [
-      "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/interfaces/innerkits:libbegetutil",
       "//third_party/bounds_checking_function:libsec_static",
     ]
 
@@ -151,10 +151,10 @@ if (defined(ohos_lite)) {
 
     if (param_test) {
       sources += [
-        "//base/startup/init_lite/test/moduletest/param_test_cmds.c",
-        "//base/startup/init_lite/test/moduletest/syspara.cpp",
+        "//base/startup/init/test/moduletest/param_test_cmds.c",
+        "//base/startup/init/test/moduletest/syspara.cpp",
       ]
-      deps += [ "//base/startup/init_lite/interfaces/innerkits:libbeget_proxy" ]
+      deps += [ "//base/startup/init/interfaces/innerkits:libbeget_proxy" ]
       defines += [
         "OHOS_SERVICE_DUMP",
         "INIT_TEST",
@@ -181,17 +181,17 @@ if (defined(ohos_lite)) {
 
     include_dirs = common_include_dirs
     deps = [
-      "//base/startup/init_lite/services/log:agent_log",
-      "//base/startup/init_lite/services/loopevent:loopevent",
-      "//base/startup/init_lite/services/param/base:parameterbase",
-      "//base/startup/init_lite/services/param/linux:param_client",
-      "//base/startup/init_lite/services/utils:libinit_utils",
+      "//base/startup/init/services/log:agent_log",
+      "//base/startup/init/services/loopevent:loopevent",
+      "//base/startup/init/services/param/base:parameterbase",
+      "//base/startup/init/services/param/linux:param_client",
+      "//base/startup/init/services/utils:libinit_utils",
       "//third_party/bounds_checking_function:libsec_static",
     ]
 
     external_deps = [
+      "c_utils:utils",
       "hilog_native:libhilog_base",
-      "utils_base:utils",
     ]
     if (build_selinux) {
       deps += [ "//third_party/selinux:libselinux" ]

services/begetctl/dump_service.c

@@ -18,7 +18,6 @@
 
 #include "begetctl.h"
 #include "control_fd.h"
-#include "init_utils.h"
 
 #define DUMP_SERVICE_INFO_CMD_ARGS 2
 static int main_cmd(BShellHandle shell, int argc, char **argv)

services/begetctl/main.c

@@ -19,7 +19,6 @@
 #include "begetctl.h"
 #include "shell.h"
 #include "shell_utils.h"
-#include "init_param.h"
 
 static BShellHandle g_handle = NULL;
 BShellHandle GetShellHandle(void)

services/begetctl/misc_daemon.cpp

@@ -18,12 +18,10 @@
 #include <cstdio>
 #include <cstdint>
 #include <fcntl.h>
-#include <getopt.h>
 #include <iostream>
 #include <string>
 #include <sys/stat.h>
 #include <unistd.h>
-#include <vector>
 
 #include "begetctl.h"
 #include "fs_manager/fs_manager.h"

services/begetctl/modulectl.c

@@ -14,7 +14,6 @@
 */
 #include <errno.h>
 #include <stdio.h>
-#include <string.h>
 
 #include "begetctl.h"
 #include "control_fd.h"

services/begetctl/param_cmd.c

@@ -14,19 +14,15 @@
  */
 #include <grp.h>
 #include <pwd.h>
-#include <fcntl.h>
 #include <sys/ioctl.h>
 #include <stdio.h>
 #include <string.h>
-#include <sys/types.h>
 #include <sys/wait.h>
 #include <termios.h>
 
 #include "begetctl.h"
-#include "init_utils.h"
 #include "param_manager.h"
 #include "param_security.h"
-#include "param_utils.h"
 #include "shell_utils.h"
 #include "init_param.h"
 #include "beget_ext.h"

services/begetctl/service_control.c

@@ -19,7 +19,6 @@
 #include <string.h>
 
 #include "begetctl.h"
-#include "init_param.h"
 #include "init_utils.h"
 
 #define SERVICE_START_NUMBER 2

services/etc/BUILD.gn

@@ -13,27 +13,26 @@
 
 if (defined(ohos_lite)) {
   copy("ohos.para") {
-    sources = [ "//base/startup/init_lite/services/etc/param/ohos.para" ]
+    sources = [ "//base/startup/init/services/etc/param/ohos.para" ]
     outputs = [ "$root_out_dir/system/etc/param/ohos.para" ]
   }
 
   copy("ohos.para.dac") {
-    sources = [ "//base/startup/init_lite/services/etc/param/ohos.para.dac" ]
+    sources = [ "//base/startup/init/services/etc/param/ohos.para.dac" ]
     outputs = [ "$root_out_dir/system/etc/param/ohos.para.dac" ]
   }
   copy("ohos.const") {
-    sources = [
-      "//base/startup/init_lite/services/etc_lite/param/ohos_const/ohos.para",
-    ]
+    sources =
+        [ "//base/startup/init/services/etc_lite/param/ohos_const/ohos.para" ]
     outputs = [ "$root_out_dir/system/etc/param/ohos_const/ohos.para" ]
   }
 
   copy("ohos.passwd") {
-    sources = [ "//base/startup/init_lite/services/etc_lite/passwd" ]
+    sources = [ "//base/startup/init/services/etc_lite/passwd" ]
     outputs = [ "$root_out_dir/etc/passwd" ]
   }
   copy("ohos.group") {
-    sources = [ "//base/startup/init_lite/services/etc_lite/group" ]
+    sources = [ "//base/startup/init/services/etc_lite/group" ]
     outputs = [ "$root_out_dir/etc/group" ]
   }
 
@@ -51,46 +50,45 @@ if (defined(ohos_lite)) {
     }
   }
 } else {
-  import("//base/startup/init_lite/services/etc/param/param_fixer.gni")
+  import("//base/startup/init/services/etc/param/param_fixer.gni")
   import("//build/ohos.gni")
 
   # init etc files group
   ohos_prebuilt_etc("init.cfg") {
     if (!enable_ramdisk) {
-      source =
-          "//base/startup/init_lite/services/etc/init.without_two_stages.cfg"
+      source = "//base/startup/init/services/etc/init.without_two_stages.cfg"
     } else {
-      source = "//base/startup/init_lite/services/etc/init.cfg"
+      source = "//base/startup/init/services/etc/init.cfg"
     }
     part_name = "init"
   }
 
   ohos_prebuilt_etc("misc.cfg") {
-    source = "//base/startup/init_lite/services/etc/misc.cfg"
+    source = "//base/startup/init/services/etc/misc.cfg"
     relative_install_dir = "init"
     part_name = "init"
   }
 
   ohos_prebuilt_etc("watchdog.cfg") {
-    source = "//base/startup/init_lite/services/etc/watchdog.cfg"
+    source = "//base/startup/init/services/etc/watchdog.cfg"
     relative_install_dir = "init"
     part_name = "init"
   }
 
   ohos_prebuilt_etc("console.cfg") {
-    source = "//base/startup/init_lite/services/etc/console.cfg"
+    source = "//base/startup/init/services/etc/console.cfg"
     relative_install_dir = "init"
     part_name = "init"
   }
 
   ohos_prebuilt_etc("ueventd.cfg") {
-    source = "//base/startup/init_lite/services/etc/ueventd.cfg"
+    source = "//base/startup/init/services/etc/ueventd.cfg"
     relative_install_dir = "init"
     part_name = "init"
   }
 
   ohos_prebuilt_etc("passwd") {
-    source = "//base/startup/init_lite/services/etc/passwd"
+    source = "//base/startup/init/services/etc/passwd"
     install_images = [
       "system",
       "updater",
@@ -99,7 +97,7 @@ if (defined(ohos_lite)) {
   }
 
   ohos_prebuilt_etc("group") {
-    source = "//base/startup/init_lite/services/etc/group"
+    source = "//base/startup/init/services/etc/group"
     install_images = [
       "system",
       "updater",
@@ -108,17 +106,17 @@ if (defined(ohos_lite)) {
   }
 
   ohos_prebuilt_etc("init.usb.cfg") {
-    source = "//base/startup/init_lite/services/etc/init.usb.cfg"
+    source = "//base/startup/init/services/etc/init.usb.cfg"
     part_name = "init"
   }
 
   ohos_prebuilt_etc("init.usb.configfs.cfg") {
-    source = "//base/startup/init_lite/services/etc/init.usb.configfs.cfg"
+    source = "//base/startup/init/services/etc/init.usb.configfs.cfg"
     part_name = "init"
   }
 
   ohos_prebuilt_para("ohos.para") {
-    source = "//base/startup/init_lite/services/etc/param/ohos.para"
+    source = "//base/startup/init/services/etc/param/ohos.para"
     install_images = [
       "system",
       "updater",
@@ -131,7 +129,7 @@ if (defined(ohos_lite)) {
   }
 
   ohos_prebuilt_para("ohos.para.dac") {
-    source = "//base/startup/init_lite/services/etc/param/ohos.para.dac"
+    source = "//base/startup/init/services/etc/param/ohos.para.dac"
     install_images = [
       "system",
       "updater",
@@ -141,18 +139,18 @@ if (defined(ohos_lite)) {
   }
 
   ohos_prebuilt_para("ohos_const.para") {
-    source = "//base/startup/init_lite/services/etc/param/ohos_const/ohos.para"
+    source = "//base/startup/init/services/etc/param/ohos_const/ohos.para"
     part_name = "init"
     module_install_dir = "etc/param/ohos_const"
   }
 
   ohos_prebuilt_etc("boot.group") {
-    source = "//base/startup/init_lite/services/etc/device.boot.group.cfg"
+    source = "//base/startup/init/services/etc/device.boot.group.cfg"
     part_name = "init"
   }
 
   ohos_prebuilt_etc("charge.group") {
-    source = "//base/startup/init_lite/services/etc/device.charge.group.cfg"
+    source = "//base/startup/init/services/etc/device.charge.group.cfg"
     part_name = "init"
   }
 
@@ -174,9 +172,10 @@ if (defined(ohos_lite)) {
 
   ohos_prebuilt_etc("system-sandbox.json") {
     if (target_cpu == "arm64") {
-      source = "//base/startup/init_lite/interfaces/innerkits/sandbox/system-sandbox64.json"
+      source = "//base/startup/init/interfaces/innerkits/sandbox/system-sandbox64.json"
     } else {
-      source = "//base/startup/init_lite/interfaces/innerkits/sandbox/system-sandbox.json"
+      source =
+          "//base/startup/init/interfaces/innerkits/sandbox/system-sandbox.json"
     }
     part_name = "init"
     module_install_dir = "etc/sandbox"
@@ -184,16 +183,16 @@ if (defined(ohos_lite)) {
 
   ohos_prebuilt_etc("chipset-sandbox.json") {
     if (target_cpu == "arm64") {
-      source = "//base/startup/init_lite/interfaces/innerkits/sandbox/chipset-sandbox64.json"
+      source = "//base/startup/init/interfaces/innerkits/sandbox/chipset-sandbox64.json"
     } else {
-      source = "//base/startup/init_lite/interfaces/innerkits/sandbox/chipset-sandbox.json"
+      source = "//base/startup/init/interfaces/innerkits/sandbox/chipset-sandbox.json"
     }
     part_name = "init"
     module_install_dir = "etc/sandbox"
   }
 
   ohos_prebuilt_etc("init.reboot") {
-    source = "//base/startup/init_lite/services/etc/init.reboot.cfg"
+    source = "//base/startup/init/services/etc/init.reboot.cfg"
     part_name = "init"
     module_install_dir = "etc/init"
   }

services/etc/group

@@ -109,3 +109,4 @@ accessibility:x:1103:
 motion_host:x:3065:
 uhdf_driver:x:3066:
 memmgr:x:1111:
+ispserver:x:3821:

services/etc/init.cfg

@@ -21,7 +21,8 @@
                 "load_persist_params ",
                 "bootchart start",
                 "chown access_token access_token /dev/access_token_id",
-                "chmod 0666 /dev/access_token_id"
+                "chmod 0666 /dev/access_token_id",
+                "start samgr"
             ]
         }, {
             "name" : "init",
@@ -105,6 +106,7 @@
         }, {
             "name" : "post-fs-data",
             "cmds" : [
+                "init_global_key /data",
                 "mkdir /data/app 0711 root root",
                 "mkdir /data/app/el1 0711 root root",
                 "mkdir /data/app/el1/bundle 0711 root root",
@@ -121,6 +123,7 @@
                 "mkdir /data/chipset/el1 0711 root root",
                 "mkdir /data/chipset/el1/public 0711 root root",
                 "mkdir /data/chipset/el2 0711 root root",
+                "init_main_user ",
                 "mkdir /data/app/el1/0 0711 root root",
                 "mkdir /data/app/el1/0/base 0711 root root",
                 "mkdir /data/app/el1/0/database 0711 system system",
@@ -152,7 +155,6 @@
                 "mkdir /data/nfc/param 0770 nfc nfc",
                 "mkdir /data/system 0775 system system",
                 "mkdir /data/system/dropbox 0700 system system",
-                "mkdir /data/system/users 0750 account account",
                 "mkdir /data/system_de 0770 system system",
                 "mkdir /data/system_ce 0770 system system",
                 "mkdir /data/misc_de 01771 system misc",
@@ -178,8 +180,6 @@
                 "chmod 0664 /sys/block/zram0/idle",
                 "write /proc/sys/vm/dirty_expire_centisecs 200",
                 "write /proc/sys/vm/dirty_background_ratio 5",
-                "chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq",
-                "chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq",
                 "chown system system /sys/class/leds/red/brightness",
                 "chown system system /sys/class/leds/green/brightness",
                 "chown system system /sys/class/leds/blue/brightness",

services/etc/init.usb.cfg

@@ -28,6 +28,13 @@
                 "uid" : "system",
                 "gid" : "system"
             }],
+            "permission" : [
+                "ohos.permission.DUMP",
+                "ohos.permission.GET_BUNDLE_INFO_PRIVILEGED",
+                "ohos.permission.INSTALL_BUNDLE",
+                "ohos.permission.REMOVE_CACHE_FILES"
+            ],
+            "permission_acls" : ["ohos.permission.DUMP"],
             "sandbox" : 0,
             "start-mode" : "condition",
             "secon" : "u:r:hdcd:s0",

services/etc/init.without_two_stages.cfg

@@ -164,7 +164,6 @@
                 "mkdir /data/system 0775 system system",
                 "mkdir /data/system/dropbox 0700 system system",
                 "mkdir /data/system/heapdump 0700 system system",
-                "mkdir /data/system/users 0750 account account",
                 "mkdir /data/system_de 0770 system system",
                 "mkdir /data/system_ce 0770 system system",
                 "mkdir /data/misc_de 01771 system misc",

services/etc/param/ohos.para

@@ -30,7 +30,7 @@ const.build.product=default
 const.product.hardwareversion=default
 const.product.bootloader.version=bootloader
 const.product.cpu.abilist=default
-const.product.software.version=OpenHarmony 3.2.5.5
+const.product.software.version=OpenHarmony 3.2.6.1
 const.product.incremental.version=default
 const.product.firstapiversion=1
 const.product.build.type=default

services/etc/param/ohos_const/ohos.para

@@ -13,4 +13,4 @@
 const.ohos.version.security_patch=2022-03-30
 const.ohos.releasetype=Canary1
 const.ohos.apiversion=9
-const.ohos.fullname=OpenHarmony-2.2.0.0
\ No newline at end of file
+const.ohos.fullname=OpenHarmony-3.2.0.0

services/etc/param/param_fixer.gni

@@ -24,7 +24,7 @@ template("ohos_prebuilt_para") {
   _output_para_file = get_path_info(invoker.source, "file")
   action_with_pydeps(_fixed_param_target) {
     deps = []
-    script = "//base/startup/init_lite/services/etc/param/param_fixer.py"
+    script = "//base/startup/init/services/etc/param/param_fixer.py"
     depfile = "${target_gen_dir}/${target_name}.d"
     args = [
       "--output",

services/etc/passwd

@@ -106,3 +106,4 @@ deviceinfo:x:1102:1102:::/bin/false
 accessibility:x:1103:1103:::/bin/false
 motion_host:x:3065:3065:::/bin/false
 memmgr:x:1111:1111:::/bin/false
+ispserver:x:3821:3821:::/bin/false

services/include/init_utils.h

@@ -78,6 +78,8 @@ int StringReplaceChr(char *strl, char oldChr, char newChr);
 
 uint32_t GetRandom(void);
 void OpenConsole(void);
+void TrimTail(char *str, char c);
+char *TrimHead(char *str, char c);
 
 INIT_LOCAL_API int StringToULL(const char *str, unsigned long long int *out);
 INIT_LOCAL_API int StringToLL(const char *str, long long int *out);

services/init/include/init_cmds.h

@@ -81,7 +81,7 @@ const struct CmdTable *GetCmdByName(const char *name);
 void ExecReboot(const char *value);
 char *BuildStringFromCmdArg(const struct CmdArgs *ctx, int startIndex);
 void ExecCmd(const struct CmdTable *cmd, const char *cmdContent);
-int FileCryptEnable(char *fileCryptOption);
+int SetFileCryptPolicy(const char *dir);
 
 void OpenHidebug(const char *name);
 #ifdef __cplusplus

services/init/init_common_cmds.c

@@ -41,8 +41,6 @@
 #endif
 #include "securec.h"
 
-static char *g_fileCryptOptions = NULL;
-
 static char *AddOneArg(const char *param, size_t paramLen)
 {
     int valueCount = 1;
@@ -345,6 +343,11 @@ static void DoMkDir(const struct CmdArgs *ctx)
     if (ret != 0) {
         INIT_LOGE("Failed to change owner %s, err %d.", ctx->argv[0], errno);
     }
+    ret = SetFileCryptPolicy(ctx->argv[0]);
+    if (ret != 0) {
+        INIT_LOGW("failed to set file fscrypt");
+    }
+
     return;
 }
 
@@ -397,16 +400,6 @@ static int GetMountFlag(unsigned long *mountflag, const char *targetStr, const c
         WaitForFile(source, WAIT_MAX_SECOND);
         return 1;
     }
-    const char *fileCryptPre = "filecrypt=";
-    size_t len = strlen(fileCryptPre);
-    if (strncmp(targetStr, fileCryptPre, len) == 0) {
-        size_t maxLen = strlen(targetStr) + 1;
-        g_fileCryptOptions = calloc(sizeof(char), maxLen);
-        INIT_ERROR_CHECK(g_fileCryptOptions != NULL, return 0, "Failed to alloc memory");
-        int ret = snprintf_s(g_fileCryptOptions, maxLen, maxLen - 1, "%s", targetStr + len);
-        INIT_ERROR_CHECK(ret >= 0, return 0, "Failed to snprintf");
-        return 1;
-    }
 
     return 0;
 }
@@ -449,18 +442,6 @@ static void DoMount(const struct CmdArgs *ctx)
     if (ret != 0) {
         INIT_LOGE("Failed to mount for %s, err %d.", target, errno);
     }
-    if ((g_fileCryptOptions != NULL) && (strncmp(target, "/data", strlen("/data")) == 0)) {
-        ret = FileCryptEnable(g_fileCryptOptions);
-        if (ret < 0) {
-            INIT_LOGE("File Crypt enabled failed");
-            free(g_fileCryptOptions);
-            g_fileCryptOptions = NULL;
-            return;
-        }
-        free(g_fileCryptOptions);
-        g_fileCryptOptions = NULL;
-        INIT_LOGI("File Crypt enabled success");
-    }
 }
 
 static int DoWriteWithMultiArgs(const struct CmdArgs *ctx, int fd)

services/init/init_common_service.c

@@ -48,6 +48,12 @@
 #include <selinux/selinux.h>
 #endif // WITH_SELINUX
 
+#ifdef WITH_SECCOMP
+#include "seccomp_policy.h"
+#define APPSPAWN_NAME ("appspawn")
+#define NWEBSPAWN_NAME ("nwebspawn")
+#endif
+
 #ifndef TIOCSCTTY
 #define TIOCSCTTY 0x540E
 #endif
@@ -62,6 +68,20 @@ static int SetAllAmbientCapability(void)
     return SERVICE_SUCCESS;
 }
 
+#ifdef WITH_SECCOMP
+static int SetSystemSeccompPolicy(const Service *service)
+{
+    if (strncmp(APPSPAWN_NAME, service->name, strlen(APPSPAWN_NAME)) \
+        && strncmp(NWEBSPAWN_NAME, service->name, strlen(NWEBSPAWN_NAME))) {
+        if (!SetSeccompPolicy(SYSTEM)) {
+            INIT_LOGE("init seccomp failed, name is %s\n", service->name);
+            return SERVICE_FAILURE;
+        }
+    }
+    return SERVICE_SUCCESS;
+}
+#endif
+
 static int SetPerms(const Service *service)
 {
     INIT_CHECK_RETURN_VALUE(KeepCapability() == 0, SERVICE_FAILURE);
@@ -271,11 +291,18 @@ static int InitServicePropertys(Service *service)
     PublishHoldFds(service);
     INIT_CHECK_ONLY_ELOG(BindCpuCore(service) == SERVICE_SUCCESS,
         "binding core number failed for service %s", service->name);
+
+#ifdef WITH_SECCOMP
+    INIT_ERROR_CHECK(SetSystemSeccompPolicy(service) == SERVICE_SUCCESS, return -1,
+        "service %s exit! set seccomp failed! err %d.", service->name, errno);
+#endif
+    
     // permissions
-    INIT_ERROR_CHECK(SetPerms(service) == SERVICE_SUCCESS, _exit(PROCESS_EXIT_CODE),
+    INIT_ERROR_CHECK(SetPerms(service) == SERVICE_SUCCESS, return -1,
         "service %s exit! set perms failed! err %d.", service->name, errno);
+    
     // write pid
-    INIT_ERROR_CHECK(WritePid(service) == SERVICE_SUCCESS, _exit(PROCESS_EXIT_CODE),
+    INIT_ERROR_CHECK(WritePid(service) == SERVICE_SUCCESS, return -1,
         "service %s exit! write pid failed!", service->name);
     SetSecon(service);
     return 0;
@@ -319,7 +346,9 @@ int ServiceStart(Service *service)
     }
     int pid = fork();
     if (pid == 0) {
-        INIT_ERROR_CHECK(InitServicePropertys(service) == 0, return SERVICE_FAILURE, "Failed init service property");
+        // fail must exit sub process
+        INIT_ERROR_CHECK(InitServicePropertys(service) == 0,
+            _exit(PROCESS_EXIT_CODE), "Failed init service property");
         ServiceExec(service);
         _exit(PROCESS_EXIT_CODE);
     } else if (pid < 0) {

services/init/init_service_manager.c

@@ -879,6 +879,16 @@ void SetServicePathWithAsan(Service *service)
 }
 #endif
 
+static void ParseOneServiceArgs(const cJSON *curItem, Service *service)
+{
+    (void)GetServiceArgs(curItem, "writepid", MAX_WRITEPID_FILES, &service->writePidArgs);
+    (void)GetServiceArgs(curItem, D_CAPS_STR_IN_CFG, MAX_WRITEPID_FILES, &service->capsArgs);
+    (void)GetServiceArgs(curItem, "permission", MAX_WRITEPID_FILES, &service->permArgs);
+    (void)GetServiceArgs(curItem, "permission_acls", MAX_WRITEPID_FILES, &service->permAclsArgs);
+    (void)GetStringItem(curItem, APL_STR_IN_CFG, service->apl, MAX_APL_NAME);
+    (void)GetCpuArgs(curItem, CPU_CORE_STR_IN_CFG, service);
+}
+
 int ParseOneService(const cJSON *curItem, Service *service)
 {
     INIT_CHECK_RETURN_VALUE(curItem != NULL && service != NULL, SERVICE_FAILURE);
@@ -916,12 +926,7 @@ int ParseOneService(const cJSON *curItem, Service *service)
     ret = GetServiceAttr(curItem, service, CONSOLE_STR_IN_CFG, SERVICE_ATTR_CONSOLE, NULL);
     INIT_ERROR_CHECK(ret == 0, return SERVICE_FAILURE, "Failed to get console for service %s", service->name);
 
-    (void)GetServiceArgs(curItem, "writepid", MAX_WRITEPID_FILES, &service->writePidArgs);
-    (void)GetServiceArgs(curItem, D_CAPS_STR_IN_CFG, MAX_WRITEPID_FILES, &service->capsArgs);
-    (void)GetServiceArgs(curItem, "permission", MAX_WRITEPID_FILES, &service->permArgs);
-    (void)GetServiceArgs(curItem, "permission_acls", MAX_WRITEPID_FILES, &service->permAclsArgs);
-    (void)GetStringItem(curItem, APL_STR_IN_CFG, service->apl, MAX_APL_NAME);
-    (void)GetCpuArgs(curItem, CPU_CORE_STR_IN_CFG, service);
+    ParseOneServiceArgs(curItem, service);
     ret = GetServiceSandbox(curItem, service);
     INIT_ERROR_CHECK(ret == 0, return SERVICE_FAILURE, "Failed to get sandbox for service %s", service->name);
     ret = GetServiceCaps(curItem, service);

services/init/lite/BUILD.gn

@@ -10,7 +10,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 
 init_common_sources = [
   "../init_capability.c",
@@ -47,9 +47,9 @@ executable("init") {
   sources += init_common_sources
 
   include_dirs = [
-    "//base/startup/init_lite/interfaces/innerkits/include",
-    "//base/startup/init_lite/interfaces/innerkits/fd_holder",
-    "//base/startup/init_lite/services/init/include",
+    "//base/startup/init/interfaces/innerkits/include",
+    "//base/startup/init/interfaces/innerkits/fd_holder",
+    "//base/startup/init/services/init/include",
     "//third_party/cJSON",
     "//third_party/bounds_checking_function/include",
     "//base/hiviewdfx/hilog_lite/interfaces/native/kits",
@@ -58,10 +58,10 @@ executable("init") {
   ldflags = []
   deps = [
     "//base/hiviewdfx/hilog_lite/frameworks/featured:hilog_shared",
-    "//base/startup/init_lite/services/log:init_log",
-    "//base/startup/init_lite/services/loopevent:loopevent",
-    "//base/startup/init_lite/services/param/base:parameterbase",
-    "//base/startup/init_lite/services/utils:libinit_utils",
+    "//base/startup/init/services/log:init_log",
+    "//base/startup/init/services/loopevent:loopevent",
+    "//base/startup/init/services/param/base:parameterbase",
+    "//base/startup/init/services/utils:libinit_utils",
     "//build/lite/config/component/cJSON:cjson_static",
     "//third_party/bounds_checking_function:libsec_static",
   ]
@@ -71,12 +71,12 @@ executable("init") {
     include_dirs += [
       "//kernel/liteos_a/syscall",
       "//kernel/liteos_a/kernel/include",
-      "//base/startup/init_lite/interfaces/kits/syscap",
-      "//base/startup/init_lite/initsync/include",
+      "//base/startup/init/interfaces/kits/syscap",
+      "//base/startup/init/initsync/include",
     ]
     deps += [
-      "//base/startup/init_lite/initsync:initsync",
-      "//base/startup/init_lite/services/param/liteos:param_init_lite",
+      "//base/startup/init/initsync:initsync",
+      "//base/startup/init/services/param/liteos:param_init_lite",
     ]
   }
   if (ohos_kernel_type == "linux") {
@@ -89,7 +89,7 @@ executable("init") {
       "-lpthread",
     ]
     deps += [
-      "//base/startup/init_lite/services/param/linux:param_init",
+      "//base/startup/init/services/param/linux:param_init",
       "//third_party/mksh",
       "//third_party/toybox",
     ]

services/init/lite/bundle.json

@@ -7,7 +7,7 @@
     "repository": "https://gitee.com/openharmony/startup_init_lite",
     "publishAs": "code-segment",
     "segment": {
-        "destPath": "base/startup/init_lite"
+        "destPath": "base/startup/init"
     },
     "dirs": {},
     "scripts": {},
@@ -29,18 +29,18 @@
         },
         "build": {
             "sub_component": [
-                "//base/startup/init_lite/services:startup_init",
-                "//base/startup/init_lite/ueventd:startup_ueventd",
-                "//base/startup/init_lite/watchdog:watchdog",
-                "//base/startup/init_lite/services/begetctl:begetctl_cmd",
-                "//base/startup/init_lite/services/loopevent:loopeventgroup",
-                "//base/startup/init_lite/services/modules:modulesgroup",
-                "//base/startup/init_lite/services/param:parameter"
+                "//base/startup/init/services:startup_init",
+                "//base/startup/init/ueventd:startup_ueventd",
+                "//base/startup/init/watchdog:watchdog",
+                "//base/startup/init/services/begetctl:begetctl_cmd",
+                "//base/startup/init/services/loopevent:loopeventgroup",
+                "//base/startup/init/services/modules:modulesgroup",
+                "//base/startup/init/services/param:parameter"
             ],
             "inner_kits": [
                 {
                     "header": {
-                        "header_base": "//base/startup/init_lite/interfaces/innerkits/include/",
+                        "header_base": "//base/startup/init/interfaces/innerkits/include/",
                         "header_files": [
                             "beget_ext.h",
                             "syspara/parameter.h",
@@ -50,11 +50,11 @@
                             "syspara/sysversion.h"
                         ]
                     },
-                    "name": "//base/startup/init_lite/interfaces/innerkits:libbegetutil"
+                    "name": "//base/startup/init/interfaces/innerkits:libbegetutil"
                 }
             ],
             "test": [
-                "//base/startup/init_lite/test:testgroup"
+                "//base/startup/init/test:testgroup"
             ]
         }
     }

services/init/lite/init_cmds.c

@@ -108,11 +108,6 @@ static void DoLoadCfg(const struct CmdArgs *ctx)
     (void)fclose(fp);
 }
 
-int FileCryptEnable(char *fileCryptOption)
-{
-    return 0;
-}
-
 static const struct CmdTable g_cmdTable[] = {
     { "exec ", 1, 10, DoExec },
     { "loadcfg ", 1, 1, DoLoadCfg },
@@ -133,4 +128,8 @@ void PluginExecCmdByCmdIndex(int index, const char *cmdContent)
 const char *PluginGetCmdIndex(const char *cmdStr, int *index)
 {
     return NULL;
+}
+int SetFileCryptPolicy(const char *dir)
+{
+    return 0;
 }
\ No newline at end of file

services/init/standard/BUILD.gn

@@ -10,7 +10,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 
 init_common_sources = [
   "../init_capability.c",
@@ -24,6 +24,9 @@ init_common_sources = [
   "../main.c",
 ]
 
+FSCRYPT_PATH =
+    "//foundation/filemanagement/storage_service/services/storage_daemon"
+
 import("//build/ohos.gni")
 import("//build/ohos/native_stub/native_stub.gni")
 
@@ -45,37 +48,41 @@ ohos_executable("init") {
   ]
 
   modulemgr_sources = [
-    "//base/startup/init_lite/interfaces/innerkits/hookmgr/hookmgr.c",
-    "//base/startup/init_lite/interfaces/innerkits/modulemgr/modulemgr.c",
+    "//base/startup/init/interfaces/innerkits/hookmgr/hookmgr.c",
+    "//base/startup/init/interfaces/innerkits/modulemgr/modulemgr.c",
   ]
   sources += modulemgr_sources
   sources += init_common_sources
 
-  include_dirs = [ "//base/startup/init_lite/services/init/include" ]
+  include_dirs = [
+    "//base/startup/init/services/init/include",
+    "${FSCRYPT_PATH}/include/libfscrypt",
+  ]
 
   deps = [
-    "//base/startup/init_lite/interfaces/innerkits/control_fd:libcontrolfd",
-    "//base/startup/init_lite/interfaces/innerkits/fd_holder:fdholder",
-    "//base/startup/init_lite/interfaces/innerkits/fs_manager:libfsmanager_static",
-    "//base/startup/init_lite/interfaces/innerkits/sandbox:sandbox",
-    "//base/startup/init_lite/services/loopevent:loopevent",
-    "//base/startup/init_lite/services/param/base:parameterbase",
-    "//base/startup/init_lite/services/param/linux:param_init",
-    "//base/startup/init_lite/services/utils:libinit_utils",
+    "//base/startup/init/interfaces/innerkits/control_fd:libcontrolfd",
+    "//base/startup/init/interfaces/innerkits/fd_holder:fdholder",
+    "//base/startup/init/interfaces/innerkits/fs_manager:libfsmanager_static",
+    "//base/startup/init/interfaces/innerkits/sandbox:sandbox",
+    "//base/startup/init/services/loopevent:loopevent",
+    "//base/startup/init/services/param/base:parameterbase",
+    "//base/startup/init/services/param/linux:param_init",
+    "//base/startup/init/services/utils:libinit_utils",
   ]
 
   deps += [
     "//base/customization/config_policy/frameworks/config_policy:configpolicy_util_for_init_static",
     "//base/security/access_token/interfaces/innerkits/nativetoken:libnativetoken",
     "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc",
-    "//base/startup/init_lite/ueventd:libueventd_ramdisk_static",
+    "//base/startup/init/ueventd:libueventd_ramdisk_static",
     "//third_party/bounds_checking_function:libsec_static",
     "//third_party/cJSON:cjson_static",
   ]
 
-  deps += [ "//base/startup/init_lite/interfaces/innerkits/init_module_engine:libinit_stub_versionscript" ]
-  deps += [ "//base/startup/init_lite/interfaces/innerkits/init_module_engine:init_module_engine_sources" ]
-  deps += [ "//base/startup/init_lite/services/modules:static_modules" ]
+  deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_stub_versionscript" ]
+  deps += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_sources" ]
+  deps += [ "//base/startup/init/services/modules:static_modules" ]
+  deps += [ "${FSCRYPT_PATH}/libfscrypt:libfscryptutils_static" ]
 
   cflags = []
 
@@ -86,6 +93,13 @@ ohos_executable("init") {
     ]
   }
 
+  if (build_seccomp) {
+    cflags += [ "-DWITH_SECCOMP" ]
+    include_dirs +=
+        [ "//base/startup/init/interfaces/innerkits/seccomp/include" ]
+    deps += [ "//base/startup/init/services/modules/seccomp:seccomp_static" ]
+  }
+
   if (build_selinux) {
     include_dirs += [
       "//third_party/selinux/libselinux/include/",
@@ -125,9 +139,9 @@ ohos_executable("init") {
     defines += [ "PRODUCT_RK" ]
   }
   version_script = get_label_info(
-                       "//base/startup/init_lite/interfaces/innerkits/init_module_engine:libinit_stub_versionscript",
+                       "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_stub_versionscript",
                        "target_gen_dir") + "/" + get_label_info(
-                       "//base/startup/init_lite/interfaces/innerkits/init_module_engine:libinit_stub_versionscript",
+                       "//base/startup/init/interfaces/innerkits/init_module_engine:libinit_stub_versionscript",
                        "name") + stub_version_script_suffix
   defines += [ "_GNU_SOURCE" ]
   install_images = [

services/init/standard/init.c

@@ -367,8 +367,8 @@ void SystemConfig(void)
     options.preHook = InitPreHook;
     options.postHook = InitPostHook;
 
-    HookMgrExecute(GetBootStageHookMgr(), INIT_GLOBAL_INIT, (void *)&timingStat, (void *)&options);
     InitServiceSpace();
+    HookMgrExecute(GetBootStageHookMgr(), INIT_GLOBAL_INIT, (void *)&timingStat, (void *)&options);
 
     HookMgrExecute(GetBootStageHookMgr(), INIT_PRE_PARAM_SERVICE, (void *)&timingStat, (void *)&options);
     InitParamService();

services/init/standard/init_cmds.c

@@ -44,8 +44,9 @@
 #ifdef WITH_SELINUX
 #include <policycoreutils.h>
 #endif
+#include "fscrypt_utils.h"
 
-static const char *g_fscryptPolicyKey = "fscrypt.policy.config";
+#define FSCRYPT_POLICY_BUF_SIZE (60)
 
 int GetParamValue(const char *symValue, unsigned int symLen, char *paramValue, unsigned int paramLen)
 {
@@ -412,6 +413,18 @@ static void DoTimerStop(const struct CmdArgs *ctx)
     ServiceStopTimer(service);
 }
 
+static bool InitFscryptPolicy(void)
+{
+    char policy[FSCRYPT_POLICY_BUF_SIZE];
+    if (LoadFscryptPolicy(policy, FSCRYPT_POLICY_BUF_SIZE) != 0) {
+        return false;
+    }
+    if (SetFscryptSysparam(policy) == 0) {
+        return true;
+    }
+    return false;
+}
+
 static void DoInitGlobalKey(const struct CmdArgs *ctx)
 {
     INIT_LOGI("DoInitGlobalKey: start");
@@ -424,6 +437,11 @@ static void DoInitGlobalKey(const struct CmdArgs *ctx)
         INIT_LOGE("DoInitGlobalKey: not data partitation");
         return;
     }
+    if (!InitFscryptPolicy()) {
+        INIT_LOGI("DoInitGlobalKey:init fscrypt failed,not enable fscrypt");
+        return;
+    }
+
     char * const argv[] = {
         "/system/bin/sdc",
         "filecrypt",
@@ -442,6 +460,7 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
         INIT_LOGE("DoInitMainUser: para invalid");
         return;
     }
+
     char * const argv[] = {
         "/system/bin/sdc",
         "filecrypt",
@@ -453,23 +472,6 @@ static void DoInitMainUser(const struct CmdArgs *ctx)
     INIT_LOGI("DoInitMainUser: end, ret = %d", ret);
 }
 
-int FileCryptEnable(char *fileCryptOption)
-{
-    INIT_LOGI("FileCryptEnable: start");
-    if (fileCryptOption == NULL) {
-        INIT_LOGE("FileCryptEnable:option null");
-        return -EINVAL;
-    }
-    int ret = SystemWriteParam(g_fscryptPolicyKey, fileCryptOption);
-    if (ret != 0) {
-        INIT_LOGE("FileCryptEnable:set fscrypt config failed");
-        return ret;
-    }
-    INIT_LOGI("FileCryptEnable:set fscrypt config success, policy:%s", fileCryptOption);
-
-    return ret;
-}
-
 static void DoMkswap(const struct CmdArgs *ctx)
 {
     INIT_LOGI("DoMkswap: start");
@@ -595,3 +597,12 @@ void OpenHidebug(const char *name)
     } while (0);
 #endif
 }
+
+int SetFileCryptPolicy(const char *dir)
+{
+    if (dir == NULL) {
+        INIT_LOGE("SetFileCryptPolicy:dir is null");
+        return -EINVAL;
+    }
+    return FscryptPolicyEnable(dir);
+}

services/init/standard/init_mount.c

@@ -75,6 +75,7 @@ static Fstab* LoadFstabFromCommandLine(void)
     bool isDone = false;
 
     INIT_ERROR_CHECK(cmdline != NULL, return NULL, "Read from \'/proc/cmdline\' failed, err = %d", errno);
+    TrimTail(cmdline, '\n');
     INIT_ERROR_CHECK((fstab = (Fstab *)calloc(1, sizeof(Fstab))) != NULL, return NULL,
         "Allocate memory for FS table failed, err = %d", errno);
     char *start = cmdline;

services/init/standard/init_reboot.c

@@ -143,12 +143,10 @@ static int DoRebootCmd(const char *cmd, const char *opt)
 {
     // by job to stop service and unmount
     DoJobNow("reboot");
-    int ret = CheckAndRebootToUpdater(NULL, "reboot", NULL, NULL);
-    if (ret == 0) {
+    (void)CheckAndRebootToUpdater(NULL, "reboot", NULL, NULL);
 #ifndef STARTUP_INIT_TEST
         return reboot(RB_AUTOBOOT);
 #endif
-    }
     return 0;
 }
 
@@ -156,12 +154,10 @@ static int DoShutdownCmd(const char *cmd, const char *opt)
 {
     // by job to stop service and unmount
     DoJobNow("reboot");
-    int ret = CheckAndRebootToUpdater(NULL, "reboot", NULL, NULL);
-    if (ret == 0) {
+    (void)CheckAndRebootToUpdater(NULL, "reboot", NULL, NULL);
 #ifndef STARTUP_INIT_TEST
         return reboot(RB_POWER_OFF);
 #endif
-    }
     return 0;
 }
 
@@ -194,6 +190,8 @@ static int DoFlashdCmd(const char *cmd, const char *opt)
 #ifdef PRODUCT_RK
 static int DoLoaderCmd(const char *cmd, const char *opt)
 {
+    // by job to stop service and unmount
+    DoJobNow("reboot");
     syscall(__NR_reboot, REBOOT_MAGIC1, REBOOT_MAGIC2, REBOOT_CMD_RESTART2, "loader");
     return 0;
 }
@@ -203,13 +201,11 @@ static int DoSuspendCmd(const char *cmd, const char *opt)
 {
     // by job to stop service and unmount
     DoJobNow("suspend");
-    int ret = CheckAndRebootToUpdater(NULL, "reboot", NULL, NULL);
-    if (ret == 0) {
+    (void)CheckAndRebootToUpdater(NULL, "reboot", NULL, NULL);
 #ifndef STARTUP_INIT_TEST
         INIT_LOGE("DoSuspendCmd %s RB_SW_SUSPEND.", cmd);
         return reboot(RB_AUTOBOOT);
 #endif
-    }
     return 0;
 }
 

services/init/standard/init_service.c

@@ -108,7 +108,7 @@ void GetAccessToken(void)
                 service->capsArgs.argv = NULL;
             }
             if (strlen(service->apl) == 0) {
-                (void)strncpy_s(service->apl, sizeof(service->apl), "system_core", sizeof(service->apl) - 1);
+                (void)strncpy_s(service->apl, sizeof(service->apl), "system_basic", sizeof(service->apl) - 1);
             }
             NativeTokenInfoParams nativeTokenInfoParams = {
                 service->capsArgs.count,

services/log/BUILD.gn

@@ -15,8 +15,8 @@ base_sources = [ "init_log.c" ]
 config("exported_header_files") {
   visibility = [ ":*" ]
   include_dirs = [
-    "//base/startup/init_lite/interfaces/innerkits/include",
-    "//base/startup/init_lite/services/log",
+    "//base/startup/init/interfaces/innerkits/include",
+    "//base/startup/init/services/log",
   ]
 }
 

services/loopevent/BUILD.gn

@@ -25,9 +25,9 @@ common_sources = [
 ]
 
 common_include = [
-  "//base/startup/init_lite/services/log",
-  "//base/startup/init_lite/interfaces/innerkits/include",
-  "//base/startup/init_lite/services/include",
+  "//base/startup/init/services/log",
+  "//base/startup/init/interfaces/innerkits/include",
+  "//base/startup/init/services/include",
   "//third_party/bounds_checking_function/include",
   "include",
   "loop",
@@ -40,7 +40,7 @@ common_include = [
 
 config("exported_header_files") {
   visibility = [ ":*" ]
-  include_dirs = [ "//base/startup/init_lite/services/loopevent/include" ]
+  include_dirs = [ "//base/startup/init/services/loopevent/include" ]
 }
 
 if (defined(ohos_lite)) {

services/loopevent/include/loop_event.h

@@ -93,17 +93,17 @@ typedef struct {
 #define TASK_SERVER (0x01 << 16)
 #define TASK_CONNECT (0x02 << 16)
 #define TASK_TEST (0x01 << 24)
-typedef void (*LE_DisConntectComplete)(const TaskHandle client);
-typedef void (*LE_ConntectComplete)(const TaskHandle client);
+typedef void (*LE_DisConnectComplete)(const TaskHandle client);
+typedef void (*LE_ConnectComplete)(const TaskHandle client);
 typedef void (*LE_SendMessageComplete)(const TaskHandle taskHandle, BufferHandle handle);
 typedef void (*LE_RecvMessage)(const TaskHandle taskHandle, const uint8_t *buffer, uint32_t buffLen);
-typedef int (*LE_IncommingConntect)(const LoopHandle loopHandle, const TaskHandle serverTask);
+typedef int (*LE_IncommingConnect)(const LoopHandle loopHandle, const TaskHandle serverTask);
 typedef struct {
     LE_BaseInfo baseInfo;
     char *server;
     int socketId;
-    LE_DisConntectComplete disConntectComplete;
-    LE_IncommingConntect incommingConntect;
+    LE_DisConnectComplete disConnectComplete;
+    LE_IncommingConnect incommingConnect;
     LE_SendMessageComplete sendMessageComplete;
     LE_RecvMessage recvMessage;
 } LE_StreamServerInfo;
@@ -111,8 +111,8 @@ typedef struct {
 typedef struct {
     LE_BaseInfo baseInfo;
     char *server;
-    LE_DisConntectComplete disConntectComplete;
-    LE_ConntectComplete connectComplete;
+    LE_DisConnectComplete disConnectComplete;
+    LE_ConnectComplete connectComplete;
     LE_SendMessageComplete sendMessageComplete;
     LE_RecvMessage recvMessage;
 } LE_StreamInfo;

services/loopevent/signal/le_signal.c

@@ -17,9 +17,7 @@
 
 #include <signal.h>
 #include <stdio.h>
-#include <stdlib.h>
 #include <sys/signalfd.h>
-#include <sys/types.h>
 #include <unistd.h>
 
 #include "le_loop.h"

services/loopevent/socket/le_socket.c

@@ -23,7 +23,6 @@
 #include <string.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
-#include <sys/types.h>
 #include <sys/un.h>
 #include <unistd.h>
 

services/loopevent/task/le_asynctask.c

@@ -14,7 +14,6 @@
  */
 #include "le_task.h"
 
-#include <errno.h>
 #include <sys/eventfd.h>
 
 #include "le_loop.h"

services/loopevent/task/le_streamtask.c

@@ -93,8 +93,8 @@ static LE_STATUS HandleStreamEvent_(const LoopHandle loopHandle, const TaskHandl
     }
     if (status == LE_DIS_CONNECTED) {
         loop->delEvent(loop, GetSocketFd(handle), Event_Read | Event_Write);
-        if (stream->disConntectComplete) {
-            stream->disConntectComplete(handle);
+        if (stream->disConnectComplete) {
+            stream->disConnectComplete(handle);
         }
         LE_CloseStreamTask(loopHandle, handle);
     }
@@ -116,8 +116,8 @@ static LE_STATUS HandleClientEvent_(const LoopHandle loopHandle, const TaskHandl
         status = HandleRecvMsg_(loopHandle, handle, client->recvMessage);
     }
     if (status == LE_DIS_CONNECTED) {
-        if (client->disConntectComplete) {
-            client->disConntectComplete(handle);
+        if (client->disConnectComplete) {
+            client->disConnectComplete(handle);
         }
         client->connected = 0;
         LE_CloseStreamTask(loopHandle, handle);
@@ -141,9 +141,9 @@ static LE_STATUS HandleServerEvent_(const LoopHandle loopHandle, const TaskHandl
         return LE_FAILURE;
     }
     StreamServerTask *server = (StreamServerTask *)serverTask;
-    LE_ONLY_CHECK(server->incommingConntect != NULL, return LE_SUCCESS);
+    LE_ONLY_CHECK(server->incommingConnect != NULL, return LE_SUCCESS);
 
-    int ret = server->incommingConntect(loopHandle, serverTask);
+    int ret = server->incommingConnect(loopHandle, serverTask);
     if (ret != LE_SUCCESS) {
         LE_LOGE("HandleServerEvent_ fd %d do not accept socket", GetSocketFd(serverTask));
     }
@@ -157,8 +157,8 @@ LE_STATUS LE_CreateStreamServer(const LoopHandle loopHandle,
 {
     LE_CHECK(loopHandle != NULL && taskHandle != NULL && info != NULL, return LE_INVALID_PARAM, "Invalid parameters");
     LE_CHECK(info->server != NULL, return LE_INVALID_PARAM, "Invalid parameters server");
-    LE_CHECK(info->incommingConntect != NULL, return LE_INVALID_PARAM,
-        "Invalid parameters incommingConntect %s", info->server);
+    LE_CHECK(info->incommingConnect != NULL, return LE_INVALID_PARAM,
+        "Invalid parameters incommingConnect %s", info->server);
 
     int fd = info->socketId;
     if (info->socketId <= 0) {
@@ -173,7 +173,7 @@ LE_STATUS LE_CreateStreamServer(const LoopHandle loopHandle,
         return LE_NO_MEMORY, "Failed to create task");
     task->base.handleEvent = HandleServerEvent_;
     task->base.innerClose = HandleStreamTaskClose_;
-    task->incommingConntect = info->incommingConntect;
+    task->incommingConnect = info->incommingConnect;
     loop->addEvent(loop, (const BaseTask *)task, Event_Read);
     int ret = memcpy_s(task->server, strlen(info->server) + 1, info->server, strlen(info->server) + 1);
     LE_CHECK(ret == 0, return LE_FAILURE, "Failed to copy server name %s", info->server);
@@ -201,7 +201,7 @@ LE_STATUS LE_CreateStreamClient(const LoopHandle loopHandle,
     task->connectComplete = info->connectComplete;
     task->sendMessageComplete = info->sendMessageComplete;
     task->recvMessage = info->recvMessage;
-    task->disConntectComplete = info->disConntectComplete;
+    task->disConnectComplete = info->disConnectComplete;
     EventLoop *loop = (EventLoop *)loopHandle;
     loop->addEvent(loop, (const BaseTask *)task, Event_Read);
     *taskHandle = (TaskHandle)task;
@@ -225,7 +225,7 @@ LE_STATUS LE_AcceptStreamClient(const LoopHandle loopHandle, const TaskHandle se
         return LE_NO_MEMORY, "Failed to create task");
     task->stream.base.handleEvent = HandleStreamEvent_;
     task->stream.base.innerClose = HandleStreamTaskClose_;
-    task->disConntectComplete = info->disConntectComplete;
+    task->disConnectComplete = info->disConnectComplete;
     task->sendMessageComplete = info->sendMessageComplete;
     task->recvMessage = info->recvMessage;
     task->serverTask = (StreamServerTask *)server;

services/loopevent/task/le_task.c

@@ -15,12 +15,9 @@
 
 #include "le_task.h"
 
-#include <errno.h>
-#include <fcntl.h>
-#include <sys/socket.h>
 
 #include "le_loop.h"
-#include "le_socket.h"
+#include "le_utils.h"
 
 int CheckTaskFlags(const BaseTask *task, uint32_t flags)
 {

services/loopevent/task/le_task.h

@@ -72,7 +72,7 @@ typedef struct LiteTask_ {
 
 typedef struct {
     BaseTask base;
-    LE_IncommingConntect incommingConntect;
+    LE_IncommingConnect incommingConnect;
     char server[0];
 } StreamServerTask;
 
@@ -91,13 +91,13 @@ typedef struct {
     StreamServerTask *serverTask;
     LE_SendMessageComplete sendMessageComplete;
     LE_RecvMessage recvMessage;
-    LE_DisConntectComplete disConntectComplete;
+    LE_DisConnectComplete disConnectComplete;
 } StreamConnectTask;
 
 typedef struct {
     StreamTask stream;
-    LE_DisConntectComplete disConntectComplete;
-    LE_ConntectComplete connectComplete;
+    LE_DisConnectComplete disConnectComplete;
+    LE_ConnectComplete connectComplete;
     LE_SendMessageComplete sendMessageComplete;
     LE_RecvMessage recvMessage;
     uint32_t connected : 1;

services/loopevent/task/le_watchtask.c

@@ -13,10 +13,6 @@
  * limitations under the License.
  */
 #include "le_task.h"
-
-#include <errno.h>
-#include <sys/eventfd.h>
-
 #include "le_loop.h"
 
 static LE_STATUS HandleWatcherEvent_(const LoopHandle loopHandle, const TaskHandle taskHandle, uint32_t oper)

services/loopevent/timer/le_timer.c

@@ -16,7 +16,6 @@
 #include "le_timer.h"
 
 #include <stdio.h>
-#include <stdlib.h>
 #include <sys/timerfd.h>
 #include <unistd.h>
 

services/modules/BUILD.gn

@@ -12,7 +12,7 @@
 # limitations under the License.
 
 if (!defined(ohos_lite)) {
-  import("//base/startup/init_lite/begetd.gni")
+  import("//base/startup/init/begetd.gni")
   import("//build/ohos.gni")
 
   ohos_shared_library("bootchart") {
@@ -20,11 +20,11 @@ if (!defined(ohos_lite)) {
 
     include_dirs = [
       ".",
-      "//base/startup/init_lite/services/include/param",
+      "//base/startup/init/services/include/param",
     ]
 
     deps = [
-      "//base/startup/init_lite/interfaces/innerkits:libbegetutil",
+      "//base/startup/init/interfaces/innerkits:libbegetutil",
       "//third_party/bounds_checking_function:libsec_shared",
       "//third_party/cJSON:cjson_static",
     ]
@@ -46,7 +46,7 @@ if (!defined(ohos_lite)) {
   ohos_source_set("libbootchart_static") {
     sources = [ "bootchart/bootchart_static.c" ]
     public_configs = [ ":libbootchart_static_config" ]
-    public_configs += [ "//base/startup/init_lite/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
+    public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
   }
 }
 

services/modules/bootevent/BUILD.gn

@@ -15,15 +15,15 @@ import("//build/ohos.gni")
 
 config("bootevent_static_config") {
   include_dirs = [
-    "//base/startup/init_lite/services/param/linux",
-    "//base/startup/init_lite/services/loopevent/include",
-    "//base/startup/init_lite/services/param/include",
-    "//base/startup/init_lite/services/include/param",
+    "//base/startup/init/services/param/linux",
+    "//base/startup/init/services/loopevent/include",
+    "//base/startup/init/services/param/include",
+    "//base/startup/init/services/include/param",
   ]
 }
 
 ohos_source_set("libbootevent_static") {
   sources = [ "bootevent.c" ]
   public_configs = [ ":bootevent_static_config" ]
-  public_configs += [ "//base/startup/init_lite/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
+  public_configs += [ "//base/startup/init/interfaces/innerkits/init_module_engine:init_module_engine_exported_config" ]
 }

services/modules/seccomp/BUILD.gn

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//base/startup/init/begetd.gni")
+import(
+    "//base/startup/init/services/modules/seccomp/scripts/seccomp_policy_fixer.gni")
+import("//build/config/clang/clang.gni")
+import("//build/ohos.gni")
+import("//build/ohos/kernel/kernel.gni")
+
+INIT_PART = "init"
+
+action("syscall_to_nr_arm") {
+  script = "${clang_base_path}/bin/clang"
+  output_dir = target_gen_dir + "/libsyscall_to_nr_arm"
+  args = [
+    "-I",
+    rebase_path(
+        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm"),
+    "-I",
+    rebase_path(
+        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
+    "-dD",
+    "-E",
+    "-Wall",
+    "-nostdinc",
+    "-o",
+    rebase_path(output_dir),
+    rebase_path("gen_syscall_name_nrs.c"),
+  ]
+
+  outputs = [ output_dir ]
+}
+
+action("syscall_to_nr_arm64") {
+  script = "${clang_base_path}/bin/clang"
+  output_dir = target_gen_dir + "/libsyscall_to_nr_arm64"
+  args = [
+    "-I",
+    rebase_path(
+        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include/asm-arm64"),
+    "-I",
+    rebase_path(
+        "//kernel/linux/patches/${linux_kernel_version}/prebuilts/usr/include"),
+    "-dD",
+    "-E",
+    "-Wall",
+    "-nostdinc",
+    "-o",
+    rebase_path(output_dir),
+    rebase_path("gen_syscall_name_nrs.c"),
+  ]
+
+  outputs = [ output_dir ]
+}
+
+ohos_prebuilt_seccomp("system_filter") {
+  sources = []
+  if (target_cpu == "arm") {
+    sources += [ "seccomp_policy/system_arm.seccomp.policy" ]
+  } else if (target_cpu == "arm64") {
+    sources += [
+      # 64-bit machine also need check use 32-bit syscall
+      "seccomp_policy/system_arm.seccomp.policy",
+      "seccomp_policy/system_arm64.seccomp.policy",
+    ]
+  }
+
+  filtername = "g_systemSeccompFilter"
+  include_dirs = [ "." ]
+  part_name = INIT_PART
+  subsystem_name = "startup"
+
+  install_enable = true
+  install_images = [
+    "system",
+    "ramdisk",
+  ]
+}
+
+ohos_prebuilt_seccomp("appspawn_filter") {
+  sources = []
+  if (target_cpu == "arm") {
+    sources += [ "seccomp_policy/spawn_arm.seccomp.policy" ]
+  } else if (target_cpu == "arm64") {
+    sources += [
+      # 64-bit machine also need check use 32-bit syscall
+      "seccomp_policy/spawn_arm.seccomp.policy",
+      "seccomp_policy/spawn_arm64.seccomp.policy",
+    ]
+  }
+
+  filtername = "g_appspawnSeccompFilter"
+  include_dirs = [ "." ]
+  part_name = INIT_PART
+  subsystem_name = "startup"
+
+  install_enable = true
+  install_images = [
+    "system",
+    "ramdisk",
+  ]
+}
+
+ohos_static_library("seccomp_static") {
+  sources = [ "//base/startup/init/services/modules/seccomp/seccomp_policy.c" ]
+
+  include_dirs = [
+    "//base/startup/init/interfaces/innerkits/include",
+    "//base/startup/init/interfaces/innerkits/seccomp/include",
+    "//base/startup/init/services/modules/seccomp",
+  ]
+
+  deps = [
+    ":appspawn_filter",
+    ":system_filter",
+  ]
+
+  license_file = "//base/startup/init/LICENSE"
+
+  part_name = INIT_PART
+  subsystem_name = "startup"
+}

services/modules/seccomp/gen_syscall_name_nrs.c

+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <asm/unistd.h>
\ No newline at end of file

services/modules/seccomp/scripts/seccomp_policy_fixer.gni

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build/config/python.gni")
+import("//build/ohos.gni")
+
+template("ohos_prebuilt_seccomp") {
+  assert(defined(invoker.sources), "source must be defined for ${target_name}.")
+  assert(defined(invoker.filtername),
+         "source must be defined for ${target_name}.")
+
+  _seccomp_filter_target = "gen_${target_name}"
+  _seccomp_filter_file = target_gen_dir + "/${target_name}.c"
+
+  action(_seccomp_filter_target) {
+    script = "//base/startup/init/services/modules/seccomp/scripts/generate_code_from_policy.py"
+
+    sources = invoker.sources
+    sources += get_target_outputs(
+            "//base/startup/init/services/modules/seccomp:syscall_to_nr_arm")
+    sources += get_target_outputs(
+            "//base/startup/init/services/modules/seccomp:syscall_to_nr_arm64")
+
+    deps = [
+      "//base/startup/init/services/modules/seccomp:syscall_to_nr_arm",
+      "//base/startup/init/services/modules/seccomp:syscall_to_nr_arm64",
+    ]
+
+    args = []
+    foreach(source, sources) {
+      args += [
+        "--srcfiles",
+        rebase_path(source),
+      ]
+    }
+    args += [
+      "--dstfile",
+      rebase_path(_seccomp_filter_file),
+      "--bpfArrayName",
+      invoker.filtername,
+    ]
+
+    outputs = [ _seccomp_filter_file ]
+  }
+
+  ohos_shared_library(target_name) {
+    deps = [ ":${_seccomp_filter_target}" ]
+    sources = get_target_outputs(":${_seccomp_filter_target}")
+
+    if (defined(invoker.include_dirs)) {
+      include_dirs = invoker.include_dirs
+    }
+
+    if (defined(invoker.install_enable)) {
+      install_enable = invoker.install_enable
+    }
+
+    if (defined(invoker.part_name)) {
+      part_name = invoker.part_name
+    }
+
+    if (defined(invoker.subsystem_name)) {
+      subsystem_name = invoker.subsystem_name
+    }
+
+    if (defined(invoker.install_images)) {
+      install_images = invoker.install_images
+    }
+  }
+}

services/modules/seccomp/seccomp_filters.h

+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef SECCOMP_FILTERS_H
+#define SECCOMP_FILTERS_H
+
+#include <stddef.h>
+#include <linux/filter.h>
+
+#ifdef __cplusplus
+#if __cplusplus
+extern "C" {
+#endif
+#endif
+
+extern const struct sock_filter g_appspawnSeccompFilter[];
+extern const size_t g_appspawnSeccompFilterSize;
+
+extern const struct sock_filter g_systemSeccompFilter[];
+extern const size_t g_systemSeccompFilterSize;
+
+#ifdef __cplusplus
+#if __cplusplus
+}
+#endif
+#endif
+
+#endif // SECCOMP_FILTERS_H
+

services/modules/seccomp/seccomp_policy.c

+/*
+ * Copyright (c) 2022 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "seccomp_policy.h"
+#include "seccomp_filters.h"
+#include "seccomp_utils.h"
+
+#include <sys/syscall.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <errno.h>
+#include <assert.h>
+#include <linux/audit.h>
+#include <linux/seccomp.h>
+#include <linux/filter.h>
+
+#ifndef SECCOMP_SET_MODE_FILTER
+#define SECCOMP_SET_MODE_FILTER  (1)
+#endif
+
+static bool IsSupportFilterFlag(unsigned int filterFlag)
+{
+    errno = 0;
+    int ret = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, filterFlag, NULL);
+    if (ret != -1 || errno != EFAULT) {
+        SECCOMP_LOGE("not support  seccomp flag %u", filterFlag);
+        return false;
+    }
+
+    return true;
+}
+
+static bool InstallSeccompPolicy(const struct sock_filter* filter, size_t filterSize, unsigned int filterFlag)
+{
+    unsigned int flag = 0;
+    struct sock_fprog prog = {
+        (unsigned short)filterSize,
+        (struct sock_filter*)filter
+    };
+
+    if (IsSupportFilterFlag(SECCOMP_FILTER_FLAG_TSYNC) && (filterFlag & SECCOMP_FILTER_FLAG_TSYNC)) {
+        flag |= SECCOMP_FILTER_FLAG_TSYNC;
+    }
+
+    if (IsSupportFilterFlag(SECCOMP_FILTER_FLAG_LOG) && (filterFlag & SECCOMP_FILTER_FLAG_LOG)) {
+        flag |= SECCOMP_FILTER_FLAG_LOG;
+    }
+
+    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, flag, &prog) != 0) {
+        SECCOMP_LOGE("SetSeccompFilter failed");
+        return false;
+    }
+
+    return true;
+}
+
+bool SetSeccompPolicy(PolicyType policy)
+{
+    bool ret = false;
+    switch (policy) {
+        case SYSTEM:
+            ret = InstallSeccompPolicy(g_systemSeccompFilter, g_systemSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
+            break;
+        case APPSPAWN:
+            ret = InstallSeccompPolicy(g_appspawnSeccompFilter, g_appspawnSeccompFilterSize, SECCOMP_FILTER_FLAG_LOG);
+            break;
+        default:
+            ret = false;
+    }
+
+    return ret;
+}

services/modules/seccomp/seccomp_policy/spawn_arm.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+@arch
+arm
+
+@returnValue
+KILL_PROCESS
+
+@mode
+ONLY_CHECK_ARGS
+
+@headFiles
+"seccomp_filters.h"
+
+@allowListWithArgs
+setresuid32: if arg0 >= 10000 && arg1 >= 10000 && arg2 >= 10000
+setresgid32: if arg0 >= 10000 && arg1 >= 10000 && arg2 >= 10000
\ No newline at end of file

services/modules/seccomp/seccomp_policy/spawn_arm64.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+@arch
+arm64
+
+@returnValue
+KILL_PROCESS
+
+@mode
+ONLY_CHECK_ARGS
+
+@headFiles
+"seccomp_filters.h"
+
+@allowListWithArgs
+setresuid: if arg0 >= 10000 && arg1 >= 10000 && arg2 >= 10000
+setresgid: if arg0 >= 10000 && arg1 >= 10000 && arg2 >= 10000
\ No newline at end of file

services/modules/seccomp/seccomp_policy/system_arm.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+@arch
+arm
+
+@returnValue
+KILL_PROCESS
+
+@headFiles
+"seccomp_filters.h"
+
+@allowList
+restart_syscall
+exit
+fork
+read
+write
+open
+close
+unlink
+execve
+chdir
+mknod
+chmod
+lseek
+getpid
+mount
+ptrace
+access
+sync
+kill
+rename
+mkdir
+rmdir
+dup
+pipe
+times
+brk
+acct
+umount2
+ioctl
+setpgid
+umask
+chroot
+dup2
+getppid
+setsid
+sigaction
+sethostname
+setrlimit
+getrusage
+gettimeofday
+settimeofday
+symlink
+readlink
+swapon
+reboot
+munmap
+truncate
+fchmod
+getpriority
+setpriority
+syslog
+setitimer
+getitimer
+stat
+wait4
+swapoff
+sysinfo
+fsync
+sigreturn
+clone
+setdomainname
+uname
+adjtimex
+mprotect
+init_module
+delete_module
+quotactl
+getpgid
+fchdir
+personality
+setfsuid
+setfsgid
+_llseek
+_newselect
+flock
+msync
+readv
+writev
+getsid
+fdatasync
+mlock
+munlock
+mlockall
+munlockall
+sched_setparam
+sched_getparam
+sched_setscheduler
+sched_getscheduler
+sched_yield
+sched_get_priority_max
+sched_get_priority_min
+sched_rr_get_interval
+nanosleep
+mremap
+poll
+prctl
+rt_sigreturn
+rt_sigaction
+rt_sigprocmask
+rt_sigpending
+rt_sigtimedwait
+rt_sigqueueinfo
+rt_sigsuspend
+pread64
+pwrite64
+getcwd
+capget
+capset
+sigaltstack
+sendfile
+vfork
+ugetrlimit
+mmap2
+truncate64
+ftruncate64
+stat64
+fstat64
+lchown32
+getuid32
+getgid32
+geteuid32
+getegid32
+setreuid32
+setregid32
+chown32
+getgroups32
+setgroups32
+pivot_root
+fchown32
+setresuid32
+getresuid32
+setresgid32
+getresgid32
+setuid32
+setgid32
+getdents64
+mincore
+madvise
+fcntl64
+gettid
+readahead
+setxattr
+lsetxattr
+fsetxattr
+getxattr
+lgetxattr
+fgetxattr
+listxattr
+llistxattr
+flistxattr
+removexattr
+lremovexattr
+fremovexattr
+tkill
+sendfile64
+futex
+sched_setaffinity
+sched_getaffinity
+io_setup
+io_destroy
+io_getevents
+io_submit
+io_cancel
+exit_group
+epoll_ctl
+set_tid_address
+timer_create
+timer_settime
+timer_gettime
+timer_getoverrun
+timer_delete
+clock_settime
+clock_gettime
+clock_getres
+clock_nanosleep
+statfs64
+fstatfs64
+tgkill
+fadvise64_64
+waitid
+socket
+bind
+connect
+listen
+accept
+getsockname
+getpeername
+socketpair
+sendto
+recvfrom
+shutdown
+setsockopt
+getsockopt
+sendmsg
+recvmsg
+inotify_add_watch
+inotify_rm_watch
+openat
+mkdirat
+mknodat
+fchownat
+fstatat64
+unlinkat
+renameat
+linkat
+symlinkat
+readlinkat
+fchmodat
+faccessat
+pselect6
+ppoll
+unshare
+set_robust_list
+get_robust_list
+splice
+sync_file_range2
+tee
+vmsplice
+getcpu
+epoll_pwait
+utimensat
+timerfd_create
+fallocate
+timerfd_settime
+timerfd_gettime
+signalfd4
+eventfd2
+epoll_create1
+dup3
+pipe2
+inotify_init1
+preadv
+pwritev
+rt_tgsigqueueinfo
+perf_event_open
+recvmmsg
+accept4
+prlimit64
+clock_adjtime
+syncfs
+sendmmsg
+setns
+process_vm_readv
+process_vm_writev
+finit_module
+sched_setattr
+sched_getattr
+renameat2
+seccomp
+getrandom
+memfd_create
+bpf
+execveat
+userfaultfd
+membarrier
+mlock2
+copy_file_range
+preadv2
+pwritev2
+statx
+clock_gettime64
+clock_settime64
+clock_adjtime64
+clock_getres_time64
+clock_nanosleep_time64
+timer_gettime64
+timer_settime64
+timerfd_gettime64
+timerfd_settime64
+utimensat_time64
+pselect6_time64
+ppoll_time64
+recvmmsg_time64
+semtimedop_time64
+rt_sigtimedwait_time64
+futex_time64
+sched_rr_get_interval_time64
+pidfd_send_signal
+pidfd_open
+close_range
+pidfd_getfd
+process_madvise
+cacheflush
+set_tls

services/modules/seccomp/seccomp_policy/system_arm64.seccomp.policy

+# Copyright (c) 2022 Huawei Device Co., Ltd.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+@arch
+arm64
+
+@returnValue
+KILL_PROCESS
+
+@headFiles
+"seccomp_filters.h"
+
+@allowList
+io_setup
+io_destroy
+io_submit
+io_cancel
+io_getevents
+setxattr
+lsetxattr
+fsetxattr
+getxattr
+lgetxattr
+fgetxattr
+listxattr
+llistxattr
+flistxattr
+removexattr
+lremovexattr
+fremovexattr
+getcwd
+eventfd2
+epoll_create1
+epoll_ctl
+epoll_pwait
+dup
+dup3
+fcntl
+inotify_init1
+inotify_add_watch
+inotify_rm_watch
+ioctl
+ioprio_set
+ioprio_get
+flock
+mknodat
+mkdirat
+unlinkat
+symlinkat
+linkat
+renameat
+umount2
+mount
+pivot_root
+statfs
+fstatfs
+truncate
+ftruncate
+fallocate
+faccessat
+chdir
+fchdir
+chroot
+fchmod
+fchmodat
+fchownat
+fchown
+openat
+close
+pipe2
+quotactl
+getdents64
+lseek
+read
+write
+readv
+writev
+pread64
+pwrite64
+preadv
+pwritev
+sendfile
+pselect6
+ppoll
+signalfd4
+vmsplice
+splice
+tee
+readlinkat
+newfstatat
+fstat
+sync
+fsync
+fdatasync
+sync_file_range
+timerfd_create
+timerfd_settime
+timerfd_gettime
+utimensat
+acct
+capget
+capset
+personality
+exit
+exit_group
+waitid
+set_tid_address
+unshare
+futex
+set_robust_list
+get_robust_list
+nanosleep
+getitimer
+setitimer
+init_module
+delete_module
+timer_create
+timer_gettime
+timer_getoverrun
+timer_settime
+timer_delete
+clock_settime
+clock_gettime
+clock_getres
+clock_nanosleep
+syslog
+ptrace
+sched_setparam
+sched_setscheduler
+sched_getscheduler
+sched_getparam
+sched_setaffinity
+sched_getaffinity
+sched_yield
+sched_get_priority_max
+sched_get_priority_min
+sched_rr_get_interval
+restart_syscall
+kill
+tkill
+tgkill
+sigaltstack
+rt_sigsuspend
+rt_sigaction
+rt_sigprocmask
+rt_sigpending
+rt_sigtimedwait
+rt_sigqueueinfo
+rt_sigreturn
+setpriority
+getpriority
+reboot
+setregid
+setgid
+setreuid
+setuid
+setresuid
+getresuid
+setresgid
+getresgid
+setfsuid
+setfsgid
+times
+setpgid
+getpgid
+getsid
+setsid
+getgroups
+setgroups
+uname
+sethostname
+setdomainname
+getrlimit
+setrlimit
+getrusage
+umask
+prctl
+getcpu
+gettimeofday
+settimeofday
+adjtimex
+getpid
+getppid
+getuid
+geteuid
+getgid
+getegid
+gettid
+sysinfo
+socket
+socketpair
+bind
+listen
+accept
+connect
+getsockname
+getpeername
+sendto
+recvfrom
+setsockopt
+getsockopt
+shutdown
+sendmsg
+recvmsg
+readahead
+brk
+munmap
+mremap
+clone
+execve
+mmap
+fadvise64
+swapon
+swapoff
+mprotect
+msync
+mlock
+munlock
+mlockall
+munlockall
+mincore
+madvise
+rt_tgsigqueueinfo
+perf_event_open
+accept4
+recvmmsg
+wait4
+prlimit64
+clock_adjtime
+syncfs
+setns
+sendmmsg
+process_vm_readv
+process_vm_writev
+finit_module
+sched_setattr
+sched_getattr
+renameat2
+seccomp
+getrandom
+memfd_create
+bpf
+execveat
+userfaultfd
+membarrier
+mlock2
+copy_file_range
+preadv2
+pwritev2
+statx
+pidfd_send_signal
+pidfd_open
+close_range
+pidfd_getfd
+process_madvise

services/modules/seccomp/seccomp_utils.h

+/*
+ * Copyright (c) 2021 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BASE_STARTUP_SECCOMP_UTILS_H
+#define BASE_STARTUP_SECCOMP_UTILS_H
+#include <stddef.h>
+#include <stdint.h>
+
+#include "beget_ext.h"
+
+#ifdef __cplusplus
+#if __cplusplus
+extern "C" {
+#endif
+#endif
+
+
+#ifndef SECCOMP_DOMAIN
+#define SECCOMP_DOMAIN (BASE_DOMAIN + 0xe)
+#endif
+#define SECCOMP_LABEL "SECCOMP"
+#define SECCOMP_LOGI(fmt, ...) STARTUP_LOGI(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
+#define SECCOMP_LOGE(fmt, ...) STARTUP_LOGE(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
+#define SECCOMP_LOGV(fmt, ...) STARTUP_LOGV(SECCOMP_DOMAIN, SECCOMP_LABEL, fmt, ##__VA_ARGS__)
+
+#ifdef INIT_AGENT
+#define SECCOMP_DUMP printf
+#else
+#define SECCOMP_DUMP SECCOMP_LOGI
+#endif
+
+#ifdef __cplusplus
+#if __cplusplus
+}
+#endif
+#endif
+#endif
\ No newline at end of file

services/param/BUILD.gn

@@ -10,7 +10,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-import("//base/startup/init_lite/begetd.gni")
+import("//base/startup/init/begetd.gni")
 
 group("parameter") {
   deps = []

services/param/adapter/param_dac.c

@@ -211,7 +211,7 @@ static int CheckFilePermission(const ParamSecurityLabel *localLabel, const char
 static int CheckUserInGroup(WorkSpace *space, gid_t groupId, uid_t uid)
 {
 #ifdef __MUSL__
-    static char buffer[USER_BUFFER_LEN] = {0};
+    char buffer[USER_BUFFER_LEN] = {0};
     uint32_t labelIndex = 0;
     int ret = ParamSprintf(buffer, sizeof(buffer), "%s.%d.%d", GROUP_FORMAT, groupId, uid);
     PARAM_CHECK(ret >= 0, return -1, "Failed to format name for %s.%d.%d", GROUP_FORMAT, groupId, uid);

services/param/adapter/param_persistadp.c

@@ -14,7 +14,6 @@
  */
 
 #include <errno.h>
-#include <fcntl.h>
 #include <time.h>
 #include <unistd.h>