# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Overview: this file is read by init. "on <trigger>" sections run their
# commands when the trigger fires; they create mount points, set ownership
# and modes, and write kernel parameters. "service" sections declare the
# daemons init launches, with their user, groups, sockets and SELinux label.
# A service with no "user" option is started as root by init.

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    # A negative oom_adj makes the kernel OOM killer less likely to pick init.
    write /proc/1/oom_adj -16

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

on init

sysclktz 0

loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
# gid=1000 is the numeric id of group "system", matching the "root system"
# ownership used on the directories below.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    # tasks files are 0660 root:system: only root and group system may move
    # tasks into these memory cgroups.
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root
    # Create private mountpoint so we can MS_MOVE from staging
    mount tmpfs tmpfs /mnt/secure mode=0700,uid=0,gid=0

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The 0700 below applies to the underlying directory only; once the tmpfs
    # is mounted on top, the visible mode is the mount's mode=0755.
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: the tmpfs mode=0755 is what callers see.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # Kernel hardening settings:
    #   randomize_va_space 2 - full address space randomization, heap included
    #   kptr_restrict 2      - kernel pointers printed with %pK are hidden
    #   dmesg_restrict 1     - reading the kernel log needs privilege
    #   mmap_min_addr 32768  - no user mappings below 32 KiB, which limits the
    #                          impact of kernel NULL-pointer dereferences
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    # The range covers every group id, so any process may open an ICMP echo
    # ("ping") socket without raw-socket privilege.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    # NOTE(review): 0666 makes this tasks file world-writable, so any process
    # can move tasks into the "apps" cgroup. That is at odds with the warning
    # at the top of this file - confirm the mode is still required.
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    # NOTE(review): world-writable as well; any process can place a task in
    # the low-share background group. Confirm this is intended.
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 % (52 relative to the 1024 shares set on the groups above)
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
#   net_bw_acct grants impersonation of socket owners.
#   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
# 0644 is world-readable but not world-writable.
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec
    mount tmpfs tmpfs /mnt/secure private rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log - readable by root and group log only.
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    # 0220 is write-only for root and group system. A write to sysrq-trigger
    # makes the kernel perform a SysRq action, so membership of group system
    # is a privileged capability here.
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # The saved file is written into /dev/urandom, which mixes it into the
    # pool. NOTE(review): the file must itself be refreshed and kept private
    # for this to help - that is done elsewhere, not in this file.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    # Copies are 0640 root:log, so crash data is not readable by other users.
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # 01771 sets the sticky bit on /data/misc; 02750 sets the setgid bit on
    # /data/misc/adb so new entries inherit group shell.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Key material directories are 0700: owner-only access.
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    # give system access to wpa_supplicant.conf for backup and restore
    mkdir /data/misc/wifi 0770 wifi wifi
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # 0711: others may traverse the directory but not list it.
    mkdir /data/security 0711 system system

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

# Memory management.  Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    # 0664 root:system - writable by root and group system, readable by all.
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0664 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # cpufreq "interactive" governor tunables: owned by system, mode 0660.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    # boostpulse is chowned only; no chmod follows it in this file.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # Repeats the vibrator chown made earlier in this section.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Only the group changes; no chmod follows, so the mode of /proc/cmdline
    # is left as the kernel created it.
    chown root radio /proc/cmdline

# Set these so we can remotely update SELinux policy
# NOTE(review): with these nodes owned by system, file permissions no longer
# stop a process running as UID system from reloading policy or changing
# enforcing mode; the loaded SELinux policy has to restrict both. Confirm the
# policy limits them to the intended domain.
    chown system system /sys/fs/selinux/load
    chown system system /sys/fs/selinux/enforce

# Define TCP buffer sizes for various networks
#   ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi    524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.lte     524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts    4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa    4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa   4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap   4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge    4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs    4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo    4094,87380,262144,4096,16384,262144

    class_start core
    class_start main

on nonencrypted
    class_start late_start

on charger
    class_start charger

# The vold.decrypt triggers below start or reset whole service classes.
# Presumably vold sets this property while unlocking an encrypted device -
# confirm against vold; the setter is not visible in this file.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Any value written to sys.powerctl is handed to init's powerctl command.
# NOTE(review): who may set this property is decided by the property
# service's permissions, which are not part of this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files, so proxy it through init
# The property value is written verbatim by init to the /proc/sys file, so
# the right to set this property is effectively the right to set the sysctl.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

## Daemon processes to be run by init.
##
# "critical" marks a service whose repeated failure init treats as fatal to
# normal boot; "seclabel" sets the SELinux context the service starts in.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

service healthd-charger /sbin/healthd -n
    class charger
    critical
    seclabel u:r:healthd:s0

on property:selinux.reload_policy=1
    restart ueventd
    restart installd

# Interactive shell on the console, running as user shell. It is "disabled",
# so it only starts through the ro.debuggable=1 trigger that follows.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# No "user" option: init starts adbd as root. Any privilege drop has to
# happen inside adbd itself and is not visible in this file.
service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm

# No "user" option: runs as root. The control socket is 0660 root:mount.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# No "user" option: runs as root. Each socket is 0660 and limited to the
# named group (system or inet).
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

# No "user" option: runs as root.
service debuggerd /system/bin/debuggerd
    class main

service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

# No "user" option: zygote starts as root. The socket is 660 root:system, so
# only root and group system can connect to it.
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# No "user" option: runs as root. The socket is 600 system:system.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# NOTE(review): no "user" option and not "disabled", so this script runs as
# root once on every boot with class main. Its integrity depends on /system
# being protected from modification - worth checking during device audits.
service flash_recovery /system/etc/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

# No "user" option: runs as root when started. The socket is 0660 shell:log.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

# Disabled by default; no "user" option, so it would start as root.
service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot