1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.usb.rc 8import /init.${ro.hardware}.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 # Set the security context for the init process. 16 # This should occur before anything else (e.g. ueventd) is started. 17 setcon u:r:init:s0 18 19 start ueventd 20 21# create mountpoints 22 mkdir /mnt 0775 root system 23 24on init 25 26sysclktz 0 27 28loglevel 3 29 30# setup the global environment 31 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 32 export LD_LIBRARY_PATH /vendor/lib:/system/lib 33 export ANDROID_BOOTLOGO 1 34 export ANDROID_ROOT /system 35 export ANDROID_ASSETS /system/app 36 export ANDROID_DATA /data 37 export ANDROID_STORAGE /storage 38 export ASEC_MOUNTPOINT /mnt/asec 39 export LOOP_MOUNTPOINT /mnt/obb 40 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 41 42# Backward compatibility 43 symlink /system/etc /etc 44 symlink /sys/kernel/debug /d 45 46# Right now vendor lives on the same filesystem as system, 47# but someday that may change. 48 symlink /system/vendor /vendor 49 50# Create cgroup mount point for cpu accounting 51 mkdir /acct 52 mount cgroup none /acct cpuacct 53 mkdir /acct/uid 54 55 mkdir /system 56 mkdir /data 0771 system system 57 mkdir /cache 0770 system cache 58 mkdir /config 0500 root root 59 60 # See storage config details at http://source.android.com/tech/storage/ 61 mkdir /mnt/shell 0700 shell shell 62 mkdir /storage 0050 root sdcard_r 63 64 # Directory for putting things only root should see. 65 mkdir /mnt/secure 0700 root root 66 # Create private mountpoint so we can MS_MOVE from staging 67 mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0 68 69 # Directory for staging bindmounts 70 mkdir /mnt/secure/staging 0700 root root 71 72 # Directory-target for where the secure container 73 # imagefile directory will be bind-mounted 74 mkdir /mnt/secure/asec 0700 root root 75 76 # Secure container public mount points. 77 mkdir /mnt/asec 0700 root system 78 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 79 80 # Filesystem image public mount points. 81 mkdir /mnt/obb 0700 root system 82 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 83 84 write /proc/sys/kernel/panic_on_oops 1 85 write /proc/sys/kernel/hung_task_timeout_secs 0 86 write /proc/cpu/alignment 4 87 write /proc/sys/kernel/sched_latency_ns 10000000 88 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 89 write /proc/sys/kernel/sched_compat_yield 1 90 write /proc/sys/kernel/sched_child_runs_first 0 91 write /proc/sys/kernel/randomize_va_space 2 92 write /proc/sys/kernel/kptr_restrict 2 93 write /proc/sys/kernel/dmesg_restrict 1 94 write /proc/sys/vm/mmap_min_addr 32768 95 write /proc/sys/kernel/sched_rt_runtime_us 950000 96 write /proc/sys/kernel/sched_rt_period_us 1000000 97 98# Create cgroup mount points for process groups 99 mkdir /dev/cpuctl 100 mount cgroup none /dev/cpuctl cpu 101 chown system system /dev/cpuctl 102 chown system system /dev/cpuctl/tasks 103 chmod 0660 /dev/cpuctl/tasks 104 write /dev/cpuctl/cpu.shares 1024 105 write /dev/cpuctl/cpu.rt_runtime_us 950000 106 write /dev/cpuctl/cpu.rt_period_us 1000000 107 108 mkdir /dev/cpuctl/apps 109 chown system system /dev/cpuctl/apps/tasks 110 chmod 0666 /dev/cpuctl/apps/tasks 111 write /dev/cpuctl/apps/cpu.shares 1024 112 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 113 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 114 115 mkdir /dev/cpuctl/apps/bg_non_interactive 116 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 117 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 118 # 5.0 % 119 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 120 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 121 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 122 123# Allow everybody to read the xt_qtaguid resource tracking misc dev. 124# This is needed by any process that uses socket tagging. 125 chmod 0644 /dev/xt_qtaguid 126 127on fs 128# mount mtd partitions 129 # Mount /system rw first to give the filesystem a chance to save a checkpoint 130 mount yaffs2 mtd@system /system 131 mount yaffs2 mtd@system /system ro remount 132 mount yaffs2 mtd@userdata /data nosuid nodev 133 mount yaffs2 mtd@cache /cache nosuid nodev 134 135on post-fs 136 # once everything is setup, no need to modify / 137 mount rootfs rootfs / ro remount 138 # mount shared so changes propagate into child namespaces 139 mount rootfs rootfs / shared rec 140 mount tmpfs tmpfs /mnt/secure private rec 141 142 # We chown/chmod /cache again so because mount is run as root + defaults 143 chown system cache /cache 144 chmod 0770 /cache 145 # We restorecon /cache in case the cache partition has been reset. 146 restorecon /cache 147 148 # This may have been created by the recovery system with odd permissions 149 chown system cache /cache/recovery 150 chmod 0770 /cache/recovery 151 # This may have been created by the recovery system with the wrong context. 152 restorecon /cache/recovery 153 154 #change permissions on vmallocinfo so we can grab it from bugreports 155 chown root log /proc/vmallocinfo 156 chmod 0440 /proc/vmallocinfo 157 158 chown root log /proc/slabinfo 159 chmod 0440 /proc/slabinfo 160 161 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 162 chown root system /proc/kmsg 163 chmod 0440 /proc/kmsg 164 chown root system /proc/sysrq-trigger 165 chmod 0220 /proc/sysrq-trigger 166 chown system log /proc/last_kmsg 167 chmod 0440 /proc/last_kmsg 168 169 # create the lost+found directories, so as to enforce our permissions 170 mkdir /cache/lost+found 0770 root root 171 172on post-fs-data 173 # We chown/chmod /data again so because mount is run as root + defaults 174 chown system system /data 175 chmod 0771 /data 176 # We restorecon /data in case the userdata partition has been reset. 177 restorecon /data 178 179 # Create dump dir and collect dumps. 180 # Do this before we mount cache so eventually we can use cache for 181 # storing dumps on platforms which do not have a dedicated dump partition. 182 mkdir /data/dontpanic 0750 root log 183 184 # Collect apanic data, free resources and re-arm trigger 185 copy /proc/apanic_console /data/dontpanic/apanic_console 186 chown root log /data/dontpanic/apanic_console 187 chmod 0640 /data/dontpanic/apanic_console 188 189 copy /proc/apanic_threads /data/dontpanic/apanic_threads 190 chown root log /data/dontpanic/apanic_threads 191 chmod 0640 /data/dontpanic/apanic_threads 192 193 write /proc/apanic_console 1 194 195 # create basic filesystem structure 196 mkdir /data/misc 01771 system misc 197 mkdir /data/misc/adb 02750 system shell 198 mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack 199 mkdir /data/misc/bluetooth 0770 system system 200 mkdir /data/misc/keystore 0700 keystore keystore 201 mkdir /data/misc/keychain 0771 system system 202 mkdir /data/misc/sms 0770 system radio 203 mkdir /data/misc/vpn 0770 system vpn 204 mkdir /data/misc/systemkeys 0700 system system 205 # give system access to wpa_supplicant.conf for backup and restore 206 mkdir /data/misc/wifi 0770 wifi wifi 207 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 208 mkdir /data/local 0751 root root 209 210 # For security reasons, /data/local/tmp should always be empty. 211 # Do not place files or directories in /data/local/tmp 212 mkdir /data/local/tmp 0771 shell shell 213 mkdir /data/data 0771 system system 214 mkdir /data/app-private 0771 system system 215 mkdir /data/app-asec 0700 root root 216 mkdir /data/app-lib 0771 system system 217 mkdir /data/app 0771 system system 218 mkdir /data/property 0700 root root 219 mkdir /data/ssh 0750 root shell 220 mkdir /data/ssh/empty 0700 root root 221 222 # create dalvik-cache, so as to enforce our permissions 223 mkdir /data/dalvik-cache 0771 system system 224 225 # create resource-cache and double-check the perms 226 mkdir /data/resource-cache 0771 system system 227 chown system system /data/resource-cache 228 chmod 0771 /data/resource-cache 229 230 # create the lost+found directories, so as to enforce our permissions 231 mkdir /data/lost+found 0770 root root 232 233 # create directory for DRM plug-ins - give drm the read/write access to 234 # the following directory. 235 mkdir /data/drm 0770 drm drm 236 237 # If there is no fs-post-data action in the init.<device>.rc file, you 238 # must uncomment this line, otherwise encrypted filesystems 239 # won't work. 240 # Set indication (checked by vold) that we have finished this action 241 #setprop vold.post_fs_data_done 1 242 243on boot 244# basic network init 245 ifup lo 246 hostname localhost 247 domainname localdomain 248 249# set RLIMIT_NICE to allow priorities from 19 to -20 250 setrlimit 13 40 40 251 252# Memory management. Basic kernel parameters, and allow the high 253# level system server to be able to adjust the kernel OOM driver 254# parameters to match how it is managing things. 255 write /proc/sys/vm/overcommit_memory 1 256 write /proc/sys/vm/min_free_order_shift 4 257 chown root system /sys/module/lowmemorykiller/parameters/adj 258 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 259 chown root system /sys/module/lowmemorykiller/parameters/minfree 260 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 261 262 # Tweak background writeout 263 write /proc/sys/vm/dirty_expire_centisecs 200 264 write /proc/sys/vm/dirty_background_ratio 5 265 266 # Permissions for System Server and daemons. 267 chown radio system /sys/android_power/state 268 chown radio system /sys/android_power/request_state 269 chown radio system /sys/android_power/acquire_full_wake_lock 270 chown radio system /sys/android_power/acquire_partial_wake_lock 271 chown radio system /sys/android_power/release_wake_lock 272 chown system system /sys/power/autosleep 273 chown system system /sys/power/state 274 chown system system /sys/power/wakeup_count 275 chown radio system /sys/power/wake_lock 276 chown radio system /sys/power/wake_unlock 277 chmod 0660 /sys/power/state 278 chmod 0660 /sys/power/wake_lock 279 chmod 0660 /sys/power/wake_unlock 280 281 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 282 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 283 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 284 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 285 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 286 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 287 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 288 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 289 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 290 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 291 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 292 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 293 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 294 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 295 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 296 297 # Assume SMP uses shared cpufreq policy for all CPUs 298 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 299 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 300 301 chown system system /sys/class/timed_output/vibrator/enable 302 chown system system /sys/class/leds/keyboard-backlight/brightness 303 chown system system /sys/class/leds/lcd-backlight/brightness 304 chown system system /sys/class/leds/button-backlight/brightness 305 chown system system /sys/class/leds/jogball-backlight/brightness 306 chown system system /sys/class/leds/red/brightness 307 chown system system /sys/class/leds/green/brightness 308 chown system system /sys/class/leds/blue/brightness 309 chown system system /sys/class/leds/red/device/grpfreq 310 chown system system /sys/class/leds/red/device/grppwm 311 chown system system /sys/class/leds/red/device/blink 312 chown system system /sys/class/leds/red/brightness 313 chown system system /sys/class/leds/green/brightness 314 chown system system /sys/class/leds/blue/brightness 315 chown system system /sys/class/leds/red/device/grpfreq 316 chown system system /sys/class/leds/red/device/grppwm 317 chown system system /sys/class/leds/red/device/blink 318 chown system system /sys/class/timed_output/vibrator/enable 319 chown system system /sys/module/sco/parameters/disable_esco 320 chown system system /sys/kernel/ipv4/tcp_wmem_min 321 chown system system /sys/kernel/ipv4/tcp_wmem_def 322 chown system system /sys/kernel/ipv4/tcp_wmem_max 323 chown system system /sys/kernel/ipv4/tcp_rmem_min 324 chown system system /sys/kernel/ipv4/tcp_rmem_def 325 chown system system /sys/kernel/ipv4/tcp_rmem_max 326 chown root radio /proc/cmdline 327 328# Define TCP buffer sizes for various networks 329# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 330 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 331 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 332 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 333 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 334 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 335 setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144 336 setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144 337 setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608 338 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 339 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 340 setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144 341 342# Set this property so surfaceflinger is not started by system_init 343 setprop system_init.startsurfaceflinger 0 344 345 class_start core 346 class_start main 347 348on nonencrypted 349 class_start late_start 350 351on charger 352 class_start charger 353 354on property:vold.decrypt=trigger_reset_main 355 class_reset main 356 357on property:vold.decrypt=trigger_load_persist_props 358 load_persist_props 359 360on property:vold.decrypt=trigger_post_fs_data 361 trigger post-fs-data 362 363on property:vold.decrypt=trigger_restart_min_framework 364 class_start main 365 366on property:vold.decrypt=trigger_restart_framework 367 class_start main 368 class_start late_start 369 370on property:vold.decrypt=trigger_shutdown_framework 371 class_reset late_start 372 class_reset main 373 374## Daemon processes to be run by init. 375## 376service ueventd /sbin/ueventd 377 class core 378 critical 379 seclabel u:r:ueventd:s0 380 381on property:selinux.reload_policy=1 382 restart ueventd 383 restart installd 384 385service console /system/bin/sh 386 class core 387 console 388 disabled 389 user shell 390 group log 391 392on property:ro.debuggable=1 393 start console 394 395# adbd is controlled via property triggers in init.<platform>.usb.rc 396service adbd /sbin/adbd 397 class core 398 socket adbd stream 660 system system 399 disabled 400 seclabel u:r:adbd:s0 401 402# adbd on at boot in emulator 403on property:ro.kernel.qemu=1 404 start adbd 405 406service servicemanager /system/bin/servicemanager 407 class core 408 user system 409 group system 410 critical 411 onrestart restart zygote 412 onrestart restart media 413 onrestart restart surfaceflinger 414 onrestart restart drm 415 416service vold /system/bin/vold 417 class core 418 socket vold stream 0660 root mount 419 ioprio be 2 420 421service netd /system/bin/netd 422 class main 423 socket netd stream 0660 root system 424 socket dnsproxyd stream 0660 root inet 425 socket mdns stream 0660 root system 426 427service debuggerd /system/bin/debuggerd 428 class main 429 430service ril-daemon /system/bin/rild 431 class main 432 socket rild stream 660 root radio 433 socket rild-debug stream 660 radio system 434 user root 435 group radio cache inet misc audio log 436 437service surfaceflinger /system/bin/surfaceflinger 438 class main 439 user system 440 group graphics drmrpc 441 onrestart restart zygote 442 443service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 444 class main 445 socket zygote stream 660 root system 446 onrestart write /sys/android_power/request_state wake 447 onrestart write /sys/power/state on 448 onrestart restart media 449 onrestart restart netd 450 451service drm /system/bin/drmserver 452 class main 453 user drm 454 group drm system inet drmrpc 455 456service media /system/bin/mediaserver 457 class main 458 user media 459 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 460 ioprio rt 4 461 462service bootanim /system/bin/bootanimation 463 class main 464 user graphics 465 group graphics 466 disabled 467 oneshot 468 469service installd /system/bin/installd 470 class main 471 socket installd stream 600 system system 472 473service flash_recovery /system/etc/install-recovery.sh 474 class main 475 oneshot 476 477service racoon /system/bin/racoon 478 class main 479 socket racoon stream 600 system system 480 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 481 group vpn net_admin inet 482 disabled 483 oneshot 484 485service mtpd /system/bin/mtpd 486 class main 487 socket mtpd stream 600 system system 488 user vpn 489 group vpn net_admin inet net_raw 490 disabled 491 oneshot 492 493service keystore /system/bin/keystore /data/misc/keystore 494 class main 495 user keystore 496 group keystore drmrpc 497 socket keystore stream 666 498 499service dumpstate /system/bin/dumpstate -s 500 class main 501 socket dumpstate stream 0660 shell log 502 disabled 503 oneshot 504 505service sshd /system/bin/start-ssh 506 class main 507 disabled 508 509service mdnsd /system/bin/mdnsd 510 class main 511 user mdnsr 512 group inet net_raw 513 socket mdnsd stream 0660 mdnsr inet 514 disabled 515 oneshot 516