init.rc revision 0245e15bb78cf08b3225b31c77bda77d43995bd4
1# Copyright (C) 2012 The Android Open Source Project 2# 3# IMPORTANT: Do not create world writable files or directories. 4# This is a common source of Android security bugs. 5# 6 7import /init.${ro.hardware}.rc 8import /init.usb.rc 9import /init.trace.rc 10 11on early-init 12 # Set init and its forked children's oom_adj. 13 write /proc/1/oom_adj -16 14 15 start ueventd 16 17# create mountpoints 18 mkdir /mnt 0775 root system 19 20on init 21 22sysclktz 0 23 24loglevel 3 25 26# setup the global environment 27 export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin 28 export LD_LIBRARY_PATH /vendor/lib:/system/lib 29 export ANDROID_BOOTLOGO 1 30 export ANDROID_ROOT /system 31 export ANDROID_ASSETS /system/app 32 export ANDROID_DATA /data 33 export ASEC_MOUNTPOINT /mnt/asec 34 export LOOP_MOUNTPOINT /mnt/obb 35 export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar 36 37# Backward compatibility 38 symlink /system/etc /etc 39 symlink /sys/kernel/debug /d 40 41# Right now vendor lives on the same filesystem as system, 42# but someday that may change. 43 symlink /system/vendor /vendor 44 45# Create cgroup mount point for cpu accounting 46 mkdir /acct 47 mount cgroup none /acct cpuacct 48 mkdir /acct/uid 49 50 mkdir /system 51 mkdir /data 0771 system system 52 mkdir /cache 0770 system cache 53 mkdir /config 0500 root root 54 55 # Directory for putting things only root should see. 56 mkdir /mnt/secure 0700 root root 57 58 # Directory for staging bindmounts 59 mkdir /mnt/secure/staging 0700 root root 60 61 # Directory-target for where the secure container 62 # imagefile directory will be bind-mounted 63 mkdir /mnt/secure/asec 0700 root root 64 65 # Secure container public mount points. 66 mkdir /mnt/asec 0700 root system 67 mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000 68 69 # Filesystem image public mount points. 70 mkdir /mnt/obb 0700 root system 71 mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000 72 73 write /proc/sys/kernel/panic_on_oops 1 74 write /proc/sys/kernel/hung_task_timeout_secs 0 75 write /proc/cpu/alignment 4 76 write /proc/sys/kernel/sched_latency_ns 10000000 77 write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000 78 write /proc/sys/kernel/sched_compat_yield 1 79 write /proc/sys/kernel/sched_child_runs_first 0 80 write /proc/sys/kernel/randomize_va_space 2 81 write /proc/sys/kernel/kptr_restrict 2 82 write /proc/sys/kernel/dmesg_restrict 1 83 write /proc/sys/vm/mmap_min_addr 32768 84 write /proc/sys/kernel/sched_rt_runtime_us 950000 85 write /proc/sys/kernel/sched_rt_period_us 1000000 86 87# Create cgroup mount points for process groups 88 mkdir /dev/cpuctl 89 mount cgroup none /dev/cpuctl cpu 90 chown system system /dev/cpuctl 91 chown system system /dev/cpuctl/tasks 92 chmod 0660 /dev/cpuctl/tasks 93 write /dev/cpuctl/cpu.shares 1024 94 write /dev/cpuctl/cpu.rt_runtime_us 950000 95 write /dev/cpuctl/cpu.rt_period_us 1000000 96 97 mkdir /dev/cpuctl/apps 98 chown system system /dev/cpuctl/apps/tasks 99 chmod 0666 /dev/cpuctl/apps/tasks 100 write /dev/cpuctl/apps/cpu.shares 1024 101 write /dev/cpuctl/apps/cpu.rt_runtime_us 800000 102 write /dev/cpuctl/apps/cpu.rt_period_us 1000000 103 104 mkdir /dev/cpuctl/apps/bg_non_interactive 105 chown system system /dev/cpuctl/apps/bg_non_interactive/tasks 106 chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks 107 # 5.0 % 108 write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52 109 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000 110 write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000 111 112# Allow everybody to read the xt_qtaguid resource tracking misc dev. 113# This is needed by any process that uses socket tagging. 114 chmod 0644 /dev/xt_qtaguid 115 116on fs 117# mount mtd partitions 118 # Mount /system rw first to give the filesystem a chance to save a checkpoint 119 mount yaffs2 mtd@system /system 120 mount yaffs2 mtd@system /system ro remount 121 mount yaffs2 mtd@userdata /data nosuid nodev 122 mount yaffs2 mtd@cache /cache nosuid nodev 123 124on post-fs 125 # once everything is setup, no need to modify / 126 mount rootfs rootfs / ro remount 127 128 # We chown/chmod /cache again so because mount is run as root + defaults 129 chown system cache /cache 130 chmod 0770 /cache 131 132 # This may have been created by the recovery system with odd permissions 133 chown system cache /cache/recovery 134 chmod 0770 /cache/recovery 135 136 #change permissions on vmallocinfo so we can grab it from bugreports 137 chown root log /proc/vmallocinfo 138 chmod 0440 /proc/vmallocinfo 139 140 #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks 141 chown root system /proc/kmsg 142 chmod 0440 /proc/kmsg 143 chown root system /proc/sysrq-trigger 144 chmod 0220 /proc/sysrq-trigger 145 146 # create the lost+found directories, so as to enforce our permissions 147 mkdir /cache/lost+found 0770 root root 148 149on post-fs-data 150 # We chown/chmod /data again so because mount is run as root + defaults 151 chown system system /data 152 chmod 0771 /data 153 154 # Create dump dir and collect dumps. 155 # Do this before we mount cache so eventually we can use cache for 156 # storing dumps on platforms which do not have a dedicated dump partition. 157 mkdir /data/dontpanic 0750 root log 158 159 # Collect apanic data, free resources and re-arm trigger 160 copy /proc/apanic_console /data/dontpanic/apanic_console 161 chown root log /data/dontpanic/apanic_console 162 chmod 0640 /data/dontpanic/apanic_console 163 164 copy /proc/apanic_threads /data/dontpanic/apanic_threads 165 chown root log /data/dontpanic/apanic_threads 166 chmod 0640 /data/dontpanic/apanic_threads 167 168 write /proc/apanic_console 1 169 170 # create basic filesystem structure 171 mkdir /data/misc 01771 system misc 172 mkdir /data/misc/adb 02750 system shell 173 mkdir /data/misc/bluedroid 0770 bluetooth bluetooth 174 mkdir /data/misc/bluetooth 0770 system system 175 mkdir /data/misc/keystore 0700 keystore keystore 176 mkdir /data/misc/keychain 0771 system system 177 mkdir /data/misc/vpn 0770 system vpn 178 mkdir /data/misc/systemkeys 0700 system system 179 # give system access to wpa_supplicant.conf for backup and restore 180 mkdir /data/misc/wifi 0770 wifi wifi 181 chmod 0660 /data/misc/wifi/wpa_supplicant.conf 182 mkdir /data/local 0751 root root 183 184 # For security reasons, /data/local/tmp should always be empty. 185 # Do not place files or directories in /data/local/tmp 186 mkdir /data/local/tmp 0771 shell shell 187 mkdir /data/data 0771 system system 188 mkdir /data/app-private 0771 system system 189 mkdir /data/app-asec 0700 root root 190 mkdir /data/app 0771 system system 191 mkdir /data/property 0700 root root 192 mkdir /data/ssh 0750 root shell 193 mkdir /data/ssh/empty 0700 root root 194 195 # create dalvik-cache, so as to enforce our permissions 196 mkdir /data/dalvik-cache 0771 system system 197 198 # create resource-cache and double-check the perms 199 mkdir /data/resource-cache 0771 system system 200 chown system system /data/resource-cache 201 chmod 0771 /data/resource-cache 202 203 # create the lost+found directories, so as to enforce our permissions 204 mkdir /data/lost+found 0770 root root 205 206 # create directory for DRM plug-ins - give drm the read/write access to 207 # the following directory. 208 mkdir /data/drm 0770 drm drm 209 210 # If there is no fs-post-data action in the init.<device>.rc file, you 211 # must uncomment this line, otherwise encrypted filesystems 212 # won't work. 213 # Set indication (checked by vold) that we have finished this action 214 #setprop vold.post_fs_data_done 1 215 216on boot 217# basic network init 218 ifup lo 219 hostname localhost 220 domainname localdomain 221 222# set RLIMIT_NICE to allow priorities from 19 to -20 223 setrlimit 13 40 40 224 225# Memory management. Basic kernel parameters, and allow the high 226# level system server to be able to adjust the kernel OOM driver 227# parameters to match how it is managing things. 228 write /proc/sys/vm/overcommit_memory 1 229 write /proc/sys/vm/min_free_order_shift 4 230 chown root system /sys/module/lowmemorykiller/parameters/adj 231 chmod 0664 /sys/module/lowmemorykiller/parameters/adj 232 chown root system /sys/module/lowmemorykiller/parameters/minfree 233 chmod 0664 /sys/module/lowmemorykiller/parameters/minfree 234 235 # Tweak background writeout 236 write /proc/sys/vm/dirty_expire_centisecs 200 237 write /proc/sys/vm/dirty_background_ratio 5 238 239 # Permissions for System Server and daemons. 240 chown radio system /sys/android_power/state 241 chown radio system /sys/android_power/request_state 242 chown radio system /sys/android_power/acquire_full_wake_lock 243 chown radio system /sys/android_power/acquire_partial_wake_lock 244 chown radio system /sys/android_power/release_wake_lock 245 chown system system /sys/power/autosleep 246 chown system system /sys/power/state 247 chown system system /sys/power/wakeup_count 248 chown radio system /sys/power/wake_lock 249 chown radio system /sys/power/wake_unlock 250 chmod 0660 /sys/power/state 251 chmod 0660 /sys/power/wake_lock 252 chmod 0660 /sys/power/wake_unlock 253 254 chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate 255 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate 256 chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 257 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time 258 chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 259 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq 260 chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 261 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load 262 chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 263 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay 264 chown system system /sys/devices/system/cpu/cpufreq/interactive/boost 265 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost 266 chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse 267 chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost 268 chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost 269 270 # Assume SMP uses shared cpufreq policy for all CPUs 271 chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 272 chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq 273 274 chown system system /sys/class/timed_output/vibrator/enable 275 chown system system /sys/class/leds/keyboard-backlight/brightness 276 chown system system /sys/class/leds/lcd-backlight/brightness 277 chown system system /sys/class/leds/button-backlight/brightness 278 chown system system /sys/class/leds/jogball-backlight/brightness 279 chown system system /sys/class/leds/red/brightness 280 chown system system /sys/class/leds/green/brightness 281 chown system system /sys/class/leds/blue/brightness 282 chown system system /sys/class/leds/red/device/grpfreq 283 chown system system /sys/class/leds/red/device/grppwm 284 chown system system /sys/class/leds/red/device/blink 285 chown system system /sys/class/leds/red/brightness 286 chown system system /sys/class/leds/green/brightness 287 chown system system /sys/class/leds/blue/brightness 288 chown system system /sys/class/leds/red/device/grpfreq 289 chown system system /sys/class/leds/red/device/grppwm 290 chown system system /sys/class/leds/red/device/blink 291 chown system system /sys/class/timed_output/vibrator/enable 292 chown system system /sys/module/sco/parameters/disable_esco 293 chown system system /sys/kernel/ipv4/tcp_wmem_min 294 chown system system /sys/kernel/ipv4/tcp_wmem_def 295 chown system system /sys/kernel/ipv4/tcp_wmem_max 296 chown system system /sys/kernel/ipv4/tcp_rmem_min 297 chown system system /sys/kernel/ipv4/tcp_rmem_def 298 chown system system /sys/kernel/ipv4/tcp_rmem_max 299 chown root radio /proc/cmdline 300 301# Define TCP buffer sizes for various networks 302# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax, 303 setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208 304 setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576 305 setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576 306 setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208 307 setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144 308 setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040 309 setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680 310 311# Set this property so surfaceflinger is not started by system_init 312 setprop system_init.startsurfaceflinger 0 313 314 class_start core 315 class_start main 316 317on nonencrypted 318 class_start late_start 319 320on charger 321 class_start charger 322 323on property:vold.decrypt=trigger_reset_main 324 class_reset main 325 326on property:vold.decrypt=trigger_load_persist_props 327 load_persist_props 328 329on property:vold.decrypt=trigger_post_fs_data 330 trigger post-fs-data 331 332on property:vold.decrypt=trigger_restart_min_framework 333 class_start main 334 335on property:vold.decrypt=trigger_restart_framework 336 class_start main 337 class_start late_start 338 339on property:vold.decrypt=trigger_shutdown_framework 340 class_reset late_start 341 class_reset main 342 343## Daemon processes to be run by init. 344## 345service ueventd /sbin/ueventd 346 class core 347 critical 348 349service console /system/bin/sh 350 class core 351 console 352 disabled 353 user shell 354 group log 355 356on property:ro.debuggable=1 357 start console 358 359# adbd is controlled via property triggers in init.<platform>.usb.rc 360service adbd /sbin/adbd 361 class core 362 socket adbd stream 660 system system 363 disabled 364 365# adbd on at boot in emulator 366on property:ro.kernel.qemu=1 367 start adbd 368 369service servicemanager /system/bin/servicemanager 370 class core 371 user system 372 group system 373 critical 374 onrestart restart zygote 375 onrestart restart media 376 onrestart restart surfaceflinger 377 onrestart restart drm 378 379service vold /system/bin/vold 380 class core 381 socket vold stream 0660 root mount 382 ioprio be 2 383 384service netd /system/bin/netd 385 class main 386 socket netd stream 0660 root system 387 socket dnsproxyd stream 0660 root inet 388 socket mdns stream 0660 root system 389 390service debuggerd /system/bin/debuggerd 391 class main 392 393service ril-daemon /system/bin/rild 394 class main 395 socket rild stream 660 root radio 396 socket rild-debug stream 660 radio system 397 user root 398 group radio cache inet misc audio sdcard_r sdcard_rw log 399 400service surfaceflinger /system/bin/surfaceflinger 401 class main 402 user system 403 group graphics 404 onrestart restart zygote 405 406service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server 407 class main 408 socket zygote stream 660 root system 409 onrestart write /sys/android_power/request_state wake 410 onrestart write /sys/power/state on 411 onrestart restart media 412 onrestart restart netd 413 414service drm /system/bin/drmserver 415 class main 416 user drm 417 group drm system inet drmrpc sdcard_r 418 419service media /system/bin/mediaserver 420 class main 421 user media 422 group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc 423 ioprio rt 4 424 425service bootanim /system/bin/bootanimation 426 class main 427 user graphics 428 group graphics 429 disabled 430 oneshot 431 432service installd /system/bin/installd 433 class main 434 socket installd stream 600 system system 435 436service flash_recovery /system/etc/install-recovery.sh 437 class main 438 oneshot 439 440service racoon /system/bin/racoon 441 class main 442 socket racoon stream 600 system system 443 # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port. 444 group vpn net_admin inet 445 disabled 446 oneshot 447 448service mtpd /system/bin/mtpd 449 class main 450 socket mtpd stream 600 system system 451 user vpn 452 group vpn net_admin inet net_raw 453 disabled 454 oneshot 455 456service keystore /system/bin/keystore /data/misc/keystore 457 class main 458 user keystore 459 group keystore drmrpc 460 socket keystore stream 666 461 462service dumpstate /system/bin/dumpstate -s 463 class main 464 socket dumpstate stream 0660 shell log 465 disabled 466 oneshot 467 468service sshd /system/bin/start-ssh 469 class main 470 disabled 471 472service mdnsd /system/bin/mdnsd 473 class main 474 user mdnsr 475 group inet net_raw 476 socket mdnsd stream 0660 mdnsr inet 477 disabled 478 oneshot 479