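# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Layout: each `on <trigger>` action runs its commands in the order written;
# each `service` block declares a daemon that init starts and supervises.
#

import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system

on init
    sysclktz 0

    loglevel 3

    # setup the global environment
    # Everything init starts afterwards inherits these values, so each directory
    # on PATH and LD_LIBRARY_PATH has to stay writable by root only.
    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin
    export LD_LIBRARY_PATH /vendor/lib:/system/lib
    export ANDROID_BOOTLOGO 1
    export ANDROID_ROOT /system
    export ANDROID_ASSETS /system/app
    export ANDROID_DATA /data
    export ANDROID_STORAGE /storage
    export ASEC_MOUNTPOINT /mnt/asec
    export LOOP_MOUNTPOINT /mnt/obb
    export BOOTCLASSPATH /system/framework/core.jar:/system/framework/core-junit.jar:/system/framework/bouncycastle.jar:/system/framework/ext.jar:/system/framework/framework.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/mms-common.jar:/system/framework/android.policy.jar:/system/framework/services.jar:/system/framework/apache-xml.jar

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    # Mode 0050: only the sdcard_r group gets read/search access; "other" gets none.
    mkdir /storage 0050 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root
    # Create private mountpoint so we can MS_MOVE from staging
    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The tmpfs root's own mode (0755, gid 1000) is what is visible once it is
    # mounted, not the 0700 of the directory underneath.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Kernel hardening: full address-space randomization, kernel pointers masked
    # in /proc output, dmesg limited to privileged readers, and no mappings below
    # 32 KiB (NULL-dereference mitigation).
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    # Lets every gid open unprivileged ICMP echo ("ping") sockets.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 is world-writable, an exception to the rule in the file
    # header; any process can move tasks into this group. Presumably deliberate
    # so apps can place their own threads -- confirm before tightening.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; same exception as apps/tasks above.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    chmod 0644 /dev/xt_qtaguid

on fs
    # mount mtd partitions
    # Mount /system rw first to give the filesystem a chance to save a checkpoint
    mount yaffs2 mtd@system /system
    mount yaffs2 mtd@system /system ro remount
    # /data and /cache hold writable content, so setuid bits and device nodes
    # found there are not honoured.
    mount yaffs2 mtd@userdata /data nosuid nodev
    mount yaffs2 mtd@cache /cache nosuid nodev

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec
    mount tmpfs tmpfs /mnt/secure private rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # NOTE(review): group write on sysrq-trigger covers every enabled SysRq
    # command, not only the stack dump, so this trusts the whole system group.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # 01771 sets the sticky bit: entries in /data/misc can only be removed or
    # renamed by their owner. 02750 on adb/ is setgid: new files take group shell.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0700 system system

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

    # Set these so we can remotely update SELinux policy
    # NOTE(review): this hands the system uid ownership of the policy-load and
    # enforcing-mode nodes; the SELinux policy itself should be what limits
    # which domains may actually write them.
    chown system system /sys/fs/selinux/load
    chown system system /sys/fs/selinux/enforce

    # Define TCP buffer sizes for various networks
    #   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

    # Set this property so surfaceflinger is not started by system_init
    setprop system_init.startsurfaceflinger 0

    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

## Daemon processes to be run by init.
##
## A service with no `user` line runs as root. Only the services that carry a
## `seclabel` line have their SELinux context set from this file.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

on property:selinux.reload_policy=1
    restart ueventd
    restart installd

# Shell on the console; kept disabled unless the build is debuggable (below).
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main
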
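# Services in this part of the file that have no `user` line (zygote, installd,
# flash_recovery, racoon, dumpstate, sshd) run as root; the socket lines give
# the mode, owner and group of the control socket init creates for the service.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs once per boot with class main. The script is executed as root, so its
# integrity rests on /system staying read-only.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot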