# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#

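# Pull in the other init scripts. ${ro.hardware} and ${ro.zygote} are expanded
# from system properties, so the device and zygote scripts that get loaded
# depend on those property values.
# NOTE(review): ro.hardware is presumably derived from bootloader-supplied
# data; confirm that source is trusted on the target device.
import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.${ro.zygote}.rc
import /init.trace.rc
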
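# Earliest action in this file: protect init from the OOM killer, tighten
# SELinux mmap checking, enter the init domain, label /adb_keys and start
# ueventd.
on early-init
    # Set init and its forked children's oom_adj.
    # -1000 is the minimum oom_score_adj and exempts the task from the
    # kernel OOM killer.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply rather than
    # only the protection the application requested.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

    # create mountpoints
    mkdir /mnt 0775 root system
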
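# Creates compatibility symlinks, cgroup and tmpfs mount points and the
# top-level directories, sets kernel tunables, and hands ownership of a few
# /proc, /sys and /dev nodes to the groups that need them.
on init
    sysclktz 0

    loglevel 3

    # Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

    # Right now vendor lives on the same filesystem as system,
    # but someday that may change.
    symlink /system/vendor /vendor

    # Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

    # Create cgroup mount point for memory
    # gid=1000 is the "system" group; the tmpfs is root:system 0750, so
    # other users cannot traverse it.
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec  0700 root root

    # Secure container public mount points.
    # The tmpfs mounted on top is 0755 with gid 1000 (system), so after the
    # mount the 0700 mode given to mkdir no longer applies to /mnt/asec.
    mkdir /mnt/asec  0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: 0700 directory, then a 0755 tmpfs on top.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tunables. The security-relevant ones are annotated.
    # Panic (instead of continuing) after a kernel oops.
    write /proc/sys/kernel/panic_on_oops 1
    # 0 disables the hung-task detector.
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    # 2 = full address-space randomization, including the brk heap.
    write /proc/sys/kernel/randomize_va_space 2
    # 2 = hide kernel pointers printed with %pK from every user.
    write /proc/sys/kernel/kptr_restrict 2
    # Refuse mappings below 32 KiB so a kernel NULL-pointer dereference
    # cannot land in user-controlled memory.
    write /proc/sys/kernel/mmap_min_addr 32768
    # Allow every group to create unprivileged ICMP "ping" sockets.
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

    # reflect fwmark from incoming packets onto generated replies
    write /proc/sys/net/ipv4/fwmark_reflect 1
    write /proc/sys/net/ipv6/fwmark_reflect 1

    # set fwmark on accepted sockets
    write /proc/sys/net/ipv4/tcp_fwmark_accept 1

    # Create cgroup mount points for process groups
    # NOTE(review): 0666 makes the cpuctl tasks files world-writable, which
    # is at odds with the warning at the top of this file. Which tasks a
    # writer may actually move is decided by the kernel's cgroup attach
    # permission check, so verify that check (and the SELinux policy) on the
    # target kernel before relying on this mode.
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0666 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 800000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/bg_non_interactive
    chown system system /dev/cpuctl/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/bg_non_interactive/tasks
    # 52 of 1024 shares, i.e. about 5.0 % of CPU under contention
    write /dev/cpuctl/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/bg_non_interactive/cpu.rt_period_us 1000000

    # qtaguid will limit access to specific data based on group memberships.
    #   net_bw_acct grants impersonation of socket owners.
    #   net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

    # Allow everybody to read the xt_qtaguid resource tracking misc dev.
    # This is needed by any process that uses socket tagging.
    # 0644: world-readable, writable by the owner only.
    chmod 0644 /dev/xt_qtaguid

    # Create location for fs_mgr to store abbreviated output from filesystem
    # checker programs.
    mkdir /dev/fscklogs 0770 root system

    # pstore/ramoops previous console log
    # Readable by owner system and group log only; the previous boot's
    # console log can contain kernel addresses and crash details.
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops
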
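# Healthd can trigger a full boot from charger mode by signaling this
# property when the power button is held.
# Stops the charger-class services, then runs the normal late-init sequence.
# NOTE(review): any process allowed to set sys.boot_from_charger_mode can
# fire this action; confirm the property's set-permission in the policy.
on property:sys.boot_from_charger_mode=1
    class_stop charger
    trigger late-init
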
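# Load properties from /system/ + /factory after fs mount.
# Queued by late-init once the filesystem triggers have been issued.
on load_all_props_action
    load_all_props

# Indicate to fw loaders that the relevant mounts are up.
# Removing /dev/.booting is the signal; late-init queues this action.
on firmware_mounts_complete
    rm /dev/.booting
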
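# Mount filesystems and start core system services.
# The triggers are queued in this order, so the order below is the boot
# sequence: filesystems, properties, firmware signal, then boot.
on late-init
    trigger early-fs
    trigger fs
    trigger post-fs
    trigger post-fs-data

    # Load properties from /system/ + /factory after fs mount. Place
    # this in another action so that the load will be scheduled after the prior
    # issued fs triggers have completed.
    trigger load_all_props_action

    # Remove a file to wake up anything waiting for firmware.
    trigger firmware_mounts_complete

    trigger early-boot
    trigger boot

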
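# Runs after the filesystems are mounted: lock down the root filesystem,
# re-assert /cache ownership and labels, and scope access to the /proc
# nodes that bugreports need.
on post-fs
    # once everything is setup, no need to modify /
    # Remounting rootfs read-only keeps later code from altering the files
    # init was started from.
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon_recursive /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery

    # change permissions on vmallocinfo so we can grab it from bugreports
    # 0440 root:log keeps kernel allocation details away from other users.
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    # change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # kmsg is read-only for root and group system. sysrq-trigger is
    # write-only (0220) for the same pair, so membership of group system is
    # enough to issue sysrq commands.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # make the selinux kernel policy world-readable
    # 0444: any process may read the loaded policy; nobody may write it
    # through this node.
    chmod 0444 /sys/fs/selinux/policy

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root
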
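# Runs once /data is available: re-assert its ownership and label, seed the
# entropy pool, collect panic dumps, create the /data directory tree with
# fixed owners and modes, and relabel /data.
on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # Writing to /dev/urandom mixes the data into the pool but does not
    # credit any entropy.
    # NOTE(review): the file presumably does not exist on first boot or
    # after a data wipe, so nothing is mixed in then; confirm.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    # The copies are root:log 0640, so only root and group log can read the
    # saved panic console and thread dumps.
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Modes with a leading 01 set the sticky bit and with 02 the setgid bit:
    # /data/misc is sticky, /data/misc/adb is setgid.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    # Key material: owner-only access for the keystore user.
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/net 0750 root shell
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/ethernet 0770 system system
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    mkdir /data/misc/user 0771 root root
    # give system access to wpa_supplicant.conf for backup and restore
    # This file stores saved Wi-Fi network credentials; 0660 limits it to
    # its owner and group, with no access for others.
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    # It is owned by and writable for the shell user, so anything left here
    # is under the control of an adb shell session.
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 root root
    mkdir /data/dalvik-cache/profiles 0711 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    mkdir /data/adb 0700 root root

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    # NOTE(review): /data is a writable partition, so the integrity of a
    # policy loaded from here depends on who can write /data/security
    # (system:system 0711 above) and on any verification done by whatever
    # installs the files; confirm.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no post-fs-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1
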
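# Final boot action: loopback networking, resource limits, memory tunables,
# ownership of the sysfs nodes that system_server and the radio stack
# write to, and start of the core service class.
on boot
    # basic network init
    ifup lo
    hostname localhost
    domainname localdomain

    # set RLIMIT_NICE to allow priorities from 19 to -20
    # (13 is RLIMIT_NICE on Linux; soft and hard limits are both 40)
    setrlimit 13 40 40

    # Memory management.  Basic kernel parameters, and allow the high
    # level system server to be able to adjust the kernel OOM driver
    # parameters to match how it is managing things.
    # The lowmemorykiller parameters are write-only (0220) for root and
    # group system.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio  5

    # Permissions for System Server and daemons.
    # Power-state and wake-lock nodes go to radio:system or system:system;
    # the three chmod lines give owner and group read/write and others no
    # access.
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    # Interactive cpufreq governor tunables: owned by system, 0660.
    # boostpulse is the one node that is chowned without a chmod.
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    # Repeats the vibrator chown a few lines up; harmless.
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    # Only the ownership of /proc/cmdline changes; this action does not
    # chmod it, so its mode is whatever the kernel or another script sets.
    chown root radio /proc/cmdline

    # Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core
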
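# Device is not encrypted: bring up the rest of the framework directly.
on nonencrypted
    class_start main
    class_start late_start

# vold requests mounting of a default-encrypted volume.
on property:vold.decrypt=trigger_default_encryption
    start defaultcrypto

# vold requests in-place encryption; surfaceflinger is started as well.
on property:vold.decrypt=trigger_encryption
    start surfaceflinger
    start encrypt

# Lets a property change init's log verbosity at run time.
# NOTE(review): the value is passed to loglevel as-is; confirm who may set
# sys.init_log_level.
on property:sys.init_log_level=*
    loglevel ${sys.init_log_level}

# Charger mode: only the charger-class services are started.
on charger
    class_start charger
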
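# Framework start/stop requests made through the vold.decrypt property.
# NOTE(review): every action below fires for whoever sets vold.decrypt, so
# that property's set-permission is what restricts these restarts to vold;
# confirm it in the policy.
on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

# Re-runs the post-fs-data action, e.g. once the real /data is mounted.
on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

# Minimal framework: class main only.
on property:vold.decrypt=trigger_restart_min_framework
    class_start main

# Full framework: class main and late_start.
on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main
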
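# Privileged operations that init performs on behalf of whoever sets the
# property. In each case the property value is handed on unmodified.
# NOTE(review): nothing in this file validates the values, so the
# set-permission on sys.powerctl and sys.sysctl.* is the only gate; confirm
# which domains hold it.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}

# The property uses the shortened name tcp_def_init_rwnd because
# "tcp_default_init_rwnd" is too long for a property name.
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}

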
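## Daemon processes to be run by init.
##
## Reading the options below: a service with no "user" line runs as root;
## "seclabel" sets its SELinux context explicitly; "critical" makes init
## reboot into recovery if the service keeps exiting; "disabled" means it is
## only started by name; "oneshot" means it is not restarted when it exits.

# Device-node manager. Runs as root from the ramdisk with an explicit
# ueventd context.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0
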
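# Log daemon. No "user" line, so init starts it as root.
# The three sockets are deliberately open to every uid: logd and logdr are
# 0666 and logdw is write-only (0222).
# NOTE(review): with these modes, which records a client may read has to be
# enforced by logd's own credential checks and by SELinux; confirm both.
service logd /system/bin/logd
    class core
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd
    seclabel u:r:logd:s0
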
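# Battery/charger health daemon. Runs as root from the ramdisk with an
# explicit healthd context; critical, so repeated exits reboot the device
# into recovery.
service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0
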
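# Interactive shell on the console device. It is disabled by default and
# runs as the unprivileged shell user in the shell domain, with
# supplementary group log.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group shell log
    seclabel u:r:shell:s0

# The console shell is started only on debuggable builds.
# A production (user) build is expected to have ro.debuggable=0 so that the
# console does not present a shell.
on property:ro.debuggable=1
    start console
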
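# adbd is controlled via property triggers in init.<platform>.usb.rc
# It is disabled here and has no "user" line, so when started it begins as
# root in the adbd domain. Its control socket is limited to system:system.
# NOTE(review): --root_seclabel names the context adbd is told to use when
# it keeps root. The su domain is expected to exist only in userdebug/eng
# policy; confirm it is absent from user builds.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
# ro.kernel.qemu=1 must never be set on a physical device, or adbd starts
# unconditionally at boot.
on property:ro.kernel.qemu=1
    start adbd
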
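# Low-memory killer daemon. No "user" line, so it runs as root; its control
# socket is restricted to system:system (0660).
# NOTE(review): no seclabel, so the domain presumably comes from a policy
# type transition on the executable's label; confirm in sepolicy.
service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system
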
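# Binder service registry. Runs as system:system rather than root.
# When it restarts, the services listed under onrestart are restarted too.
service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart drm
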
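# Volume daemon. No "user" line, so it runs as root. Its command socket is
# reachable only by root and group mount.
service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

# Network daemon. No "user" line, so it runs as root. The netd and mdns
# sockets are limited to group system; dnsproxyd and fwmarkd are open to
# group inet.
# NOTE(review): inet is presumably held by every app with network access,
# which would make dnsproxyd and fwmarkd reachable by those apps; confirm
# and treat the two sockets as app-facing attack surface.
service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system
    socket fwmarkd stream 0660 root inet
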
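# Crash-dump daemons (32-bit and 64-bit). Neither has a "user" line, so
# both run as root.
# NOTE(review): no seclabel, so confinement presumably relies on a policy
# type transition from the executables' labels; confirm in sepolicy.
service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main
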
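# Radio interface daemon. Starts as root ("user root" is explicit) with a
# broad set of supplementary groups. rild is reachable by root:radio and
# rild-debug by radio:system.
# NOTE(review): whether rild drops root after start-up cannot be seen from
# this file; confirm in the daemon.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log
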
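# Display compositor. Runs as system; a restart also restarts zygote.
service surfaceflinger /system/bin/surfaceflinger
    class core
    user system
    group graphics drmrpc
    onrestart restart zygote

# DRM server. Runs as the drm user, with groups system and inet.
service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

# Media server. Runs as the media user with audio, camera, network,
# Bluetooth and DRM groups, at real-time I/O priority.
# It holds many group memberships at once, so a compromise of this process
# would reach all of those resources; SELinux policy is the remaining
# boundary.
service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4
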
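# One shot invocation to deal with encrypted volume.
# Started by the vold.decrypt=trigger_default_encryption action; runs as
# root because there is no "user" line.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

# One shot invocation to encrypt unencrypted volumes
# Started by the vold.decrypt=trigger_encryption action; also runs as root.
service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption)
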
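# Boot animation. Runs as the unprivileged graphics user; it is disabled
# and oneshot, so it runs only when started by name and is not restarted.
service bootanim /system/bin/bootanimation
    class core
    user graphics
    group graphics audio
    disabled
    oneshot
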
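# Package install daemon. No "user" line, so it runs as root. Its socket is
# 0600 system:system, so only the system uid can send it commands.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs install-recovery.sh once per boot, as root, in its own
# install_recovery domain.
# NOTE(review): the script lives on /system; its integrity therefore
# depends on that partition being read-only and verified. Confirm.
service flash_recovery /system/bin/install-recovery.sh
    class main
    seclabel u:r:install_recovery:s0
    oneshot
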
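# IPsec IKE daemon. There is no "user" line, so it starts as root and is
# expected to drop to vpn itself (see the comment below). Its control socket
# is 0600 system:system.
service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

# PPTP/L2TP daemon. Unlike racoon it is started as the vpn user directly;
# the net_admin and net_raw groups still give it privileged network access.
service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot
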
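# Key storage daemon. Runs as the dedicated keystore user; its argument is
# the /data/misc/keystore directory that post-fs-data creates as 0700
# keystore:keystore.
service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc
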
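# Bugreport collector. It is disabled and oneshot, so it runs only when
# started by name. There is no "user" line, so it runs as root; its socket
# is limited to shell:log.
# Its output gathers system-wide state, so access to the dumpstate socket
# should be treated as access to that data.
service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot
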
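# Multicast DNS daemon. Runs as the mdnsr user with inet and net_raw; its
# socket is open to group inet. Disabled and oneshot, so it runs only when
# started by name.
service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot
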
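# Runs uncrypt before a reboot into recovery. Disabled and oneshot; there
# is no "user" line, so it runs as root when started.
# NOTE(review): no seclabel, so the domain presumably comes from a policy
# type transition on the executable's label; confirm in sepolicy.
service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot
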