init.rc revision 1d39c53e29a9c56893d170f1eac3d720076e0e55
# Copyright (C) 2012 The Android Open Source Project
#
# IMPORTANT: Do not create world writable files or directories.
# This is a common source of Android security bugs.
#
# Reading aid: `mkdir <path> <mode> <owner> <group>` and
# `socket <name> <type> <mode> <owner> <group>` fix the permissions of
# everything created here, so each mode below is part of the platform's
# access-control surface.
#

import /init.environ.rc
import /init.usb.rc
import /init.${ro.hardware}.rc
import /init.trace.rc

on early-init
    # Set init and its forked children's oom_adj.
    # -1000 is the lowest oom_score_adj value, i.e. init is exempt from the
    # kernel OOM killer.
    write /proc/1/oom_score_adj -1000

    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
    # 0 = check the protection the kernel will actually apply, not merely the
    # one the application requested.
    write /sys/fs/selinux/checkreqprot 0

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    # Set the security context of /adb_keys if present.
    restorecon /adb_keys

    start ueventd

# create mountpoints
    mkdir /mnt 0775 root system

on init

sysclktz 0

loglevel 3

# Backward compatibility
    symlink /system/etc /etc
    symlink /sys/kernel/debug /d

# Right now vendor lives on the same filesystem as system,
# but someday that may change.
    symlink /system/vendor /vendor

# Create cgroup mount point for cpu accounting
    mkdir /acct
    mount cgroup none /acct cpuacct
    mkdir /acct/uid

# Create cgroup mount point for memory
# The tmpfs is reachable only by root and gid 1000 (mode 0750); the `tasks`
# files below are made writable by root and group system only (0660).
    mount tmpfs none /sys/fs/cgroup mode=0750,uid=0,gid=1000
    mkdir /sys/fs/cgroup/memory 0750 root system
    mount cgroup none /sys/fs/cgroup/memory memory
    write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/tasks
    chmod 0660 /sys/fs/cgroup/memory/tasks
    mkdir /sys/fs/cgroup/memory/sw 0750 root system
    write /sys/fs/cgroup/memory/sw/memory.swappiness 100
    write /sys/fs/cgroup/memory/sw/memory.move_charge_at_immigrate 1
    chown root system /sys/fs/cgroup/memory/sw/tasks
    chmod 0660 /sys/fs/cgroup/memory/sw/tasks

    mkdir /system
    mkdir /data 0771 system system
    mkdir /cache 0770 system cache
    mkdir /config 0500 root root

    # See storage config details at http://source.android.com/tech/storage/
    mkdir /mnt/shell 0700 shell shell
    mkdir /mnt/media_rw 0700 media_rw media_rw
    mkdir /storage 0751 root sdcard_r

    # Directory for putting things only root should see.
    mkdir /mnt/secure 0700 root root

    # Directory for staging bindmounts
    mkdir /mnt/secure/staging 0700 root root

    # Directory-target for where the secure container
    # imagefile directory will be bind-mounted
    mkdir /mnt/secure/asec 0700 root root

    # Secure container public mount points.
    # The 0700 applies to the bare mount point only; once the tmpfs is mounted
    # the effective mode is the tmpfs option mode=0755 (world-readable and
    # searchable, writable by root only).
    mkdir /mnt/asec 0700 root system
    mount tmpfs tmpfs /mnt/asec mode=0755,gid=1000

    # Filesystem image public mount points.
    # Same pattern as /mnt/asec: 0700 mount point, 0755 tmpfs on top.
    mkdir /mnt/obb 0700 root system
    mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000

    # memory control cgroup
    mkdir /dev/memcg 0700 root system
    mount cgroup none /dev/memcg memory

    # Kernel tunables. The security-relevant ones in this run:
    #   panic_on_oops 1      - a kernel oops becomes a panic instead of letting
    #                          the kernel continue in an unknown state
    #   randomize_va_space 2 - full address-space randomisation, heap included
    #   kptr_restrict 2      - kernel pointers printed via %pK are hidden from
    #                          every user
    #   dmesg_restrict 1     - reading the kernel log requires CAP_SYSLOG
    #   mmap_min_addr 32768  - userspace may not map the lowest 32 KiB, which
    #                          limits the impact of kernel NULL dereferences
    #   ping_group_range     - "0 2147483647" lets every gid create
    #                          unprivileged ICMP echo sockets
    write /proc/sys/kernel/panic_on_oops 1
    write /proc/sys/kernel/hung_task_timeout_secs 0
    write /proc/cpu/alignment 4
    write /proc/sys/kernel/sched_latency_ns 10000000
    write /proc/sys/kernel/sched_wakeup_granularity_ns 2000000
    write /proc/sys/kernel/sched_compat_yield 1
    write /proc/sys/kernel/sched_child_runs_first 0
    write /proc/sys/kernel/randomize_va_space 2
    write /proc/sys/kernel/kptr_restrict 2
    write /proc/sys/kernel/dmesg_restrict 1
    write /proc/sys/vm/mmap_min_addr 32768
    write /proc/sys/net/ipv4/ping_group_range "0 2147483647"
    write /proc/sys/net/unix/max_dgram_qlen 300
    write /proc/sys/kernel/sched_rt_runtime_us 950000
    write /proc/sys/kernel/sched_rt_period_us 1000000

# Create cgroup mount points for process groups
    mkdir /dev/cpuctl
    mount cgroup none /dev/cpuctl cpu
    chown system system /dev/cpuctl
    chown system system /dev/cpuctl/tasks
    chmod 0660 /dev/cpuctl/tasks
    write /dev/cpuctl/cpu.shares 1024
    write /dev/cpuctl/cpu.rt_runtime_us 950000
    write /dev/cpuctl/cpu.rt_period_us 1000000

    # NOTE(review): the two `chmod 0666 .../tasks` lines below create
    # world-writable files, which the header of this file warns against.
    # Presumably this is deliberate so that any process can place its own
    # threads in a scheduling group; confirm that kernel cgroup attach checks
    # and/or SELinux policy bound what an unprivileged writer may move.
    mkdir /dev/cpuctl/apps
    chown system system /dev/cpuctl/apps/tasks
    chmod 0666 /dev/cpuctl/apps/tasks
    write /dev/cpuctl/apps/cpu.shares 1024
    write /dev/cpuctl/apps/cpu.rt_runtime_us 800000
    write /dev/cpuctl/apps/cpu.rt_period_us 1000000

    mkdir /dev/cpuctl/apps/bg_non_interactive
    chown system system /dev/cpuctl/apps/bg_non_interactive/tasks
    chmod 0666 /dev/cpuctl/apps/bg_non_interactive/tasks
    # 5.0 %
    write /dev/cpuctl/apps/bg_non_interactive/cpu.shares 52
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_runtime_us 700000
    write /dev/cpuctl/apps/bg_non_interactive/cpu.rt_period_us 1000000

# qtaguid will limit access to specific data based on group memberships.
# net_bw_acct grants impersonation of socket owners.
# net_bw_stats grants access to other apps' detailed tagged-socket stats.
    chown root net_bw_acct /proc/net/xt_qtaguid/ctrl
    chown root net_bw_stats /proc/net/xt_qtaguid/stats

# Allow everybody to read the xt_qtaguid resource tracking misc dev.
# This is needed by any process that uses socket tagging.
# (0644: world-readable, writable by the owner only.)
    chmod 0644 /dev/xt_qtaguid

# Create location for fs_mgr to store abbreviated output from filesystem
# checker programs.
    mkdir /dev/fscklogs 0770 root system

# pstore/ramoops previous console log
# Readable by system and group log only (0440).
    mount pstore pstore /sys/fs/pstore
    chown system log /sys/fs/pstore/console-ramoops
    chmod 0440 /sys/fs/pstore/console-ramoops

on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / ro remount
    # mount shared so changes propagate into child namespaces
    mount rootfs rootfs / shared rec

    # We chown/chmod /cache again because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    #change permissions on vmallocinfo so we can grab it from bugreports
    # Kernel memory-layout details: readable by root and group log only.
    chown root log /proc/vmallocinfo
    chmod 0440 /proc/vmallocinfo

    chown root log /proc/slabinfo
    chmod 0440 /proc/slabinfo

    #change permissions on kmsg & sysrq-trigger so bugreports can grab kthread stacks
    # sysrq-trigger becomes write-only (0220) for root and group system, so
    # membership of group system is enough to issue sysrq commands.
    chown root system /proc/kmsg
    chmod 0440 /proc/kmsg
    chown root system /proc/sysrq-trigger
    chmod 0220 /proc/sysrq-trigger
    chown system log /proc/last_kmsg
    chmod 0440 /proc/last_kmsg

    # create the lost+found directories, so as to enforce our permissions
    mkdir /cache/lost+found 0770 root root

on post-fs-data
    # We chown/chmod /data again because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Avoid predictable entropy pool. Carry over entropy from previous boot.
    # NOTE(review): a plain write to /dev/urandom mixes the data into the pool
    # but, as far as the kernel interface is documented, does not credit
    # entropy - treat this as a supplement, not as seeding; confirm.
    copy /data/system/entropy.dat /dev/urandom

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
    # storing dumps on platforms which do not have a dedicated dump partition.
    mkdir /data/dontpanic 0750 root log

    # Collect apanic data, free resources and re-arm trigger
    # Crash dumps are kept readable by root and group log only (0640).
    copy /proc/apanic_console /data/dontpanic/apanic_console
    chown root log /data/dontpanic/apanic_console
    chmod 0640 /data/dontpanic/apanic_console

    copy /proc/apanic_threads /data/dontpanic/apanic_threads
    chown root log /data/dontpanic/apanic_threads
    chmod 0640 /data/dontpanic/apanic_threads

    write /proc/apanic_console 1

    # create basic filesystem structure
    # Leading mode digits: 01771 sets the sticky bit on /data/misc (entries can
    # be removed only by their owner, the directory owner or root); 02750 sets
    # setgid on /data/misc/adb (new entries inherit group shell).
    # Credential stores (keystore, systemkeys) are 0700, owner-only.
    mkdir /data/misc 01771 system misc
    mkdir /data/misc/adb 02750 system shell
    mkdir /data/misc/bluedroid 0770 bluetooth net_bt_stack
    mkdir /data/misc/bluetooth 0770 system system
    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/radio 0770 system radio
    mkdir /data/misc/sms 0770 system radio
    mkdir /data/misc/zoneinfo 0775 system system
    mkdir /data/misc/vpn 0770 system vpn
    mkdir /data/misc/systemkeys 0700 system system
    mkdir /data/misc/wifi 0770 wifi wifi
    mkdir /data/misc/wifi/sockets 0770 wifi wifi
    mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
    mkdir /data/misc/dhcp 0770 dhcp dhcp
    # give system access to wpa_supplicant.conf for backup and restore
    chmod 0660 /data/misc/wifi/wpa_supplicant.conf
    mkdir /data/local 0751 root root
    mkdir /data/misc/media 0700 media media

    # For security reasons, /data/local/tmp should always be empty.
    # Do not place files or directories in /data/local/tmp
    # (The directory is owned by shell and writable by user and group shell.)
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/data 0771 system system
    mkdir /data/app-private 0771 system system
    mkdir /data/app-asec 0700 root root
    mkdir /data/app-lib 0771 system system
    mkdir /data/app 0771 system system
    mkdir /data/property 0700 root root
    mkdir /data/ssh 0750 root shell
    mkdir /data/ssh/empty 0700 root root

    # create dalvik-cache, so as to enforce our permissions
    mkdir /data/dalvik-cache 0771 system system

    # create resource-cache and double-check the perms
    mkdir /data/resource-cache 0771 system system
    chown system system /data/resource-cache
    chmod 0771 /data/resource-cache

    # create the lost+found directories, so as to enforce our permissions
    mkdir /data/lost+found 0770 root root

    # create directory for DRM plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/drm 0770 drm drm

    # create directory for MediaDrm plug-ins - give drm the read/write access to
    # the following directory.
    mkdir /data/mediadrm 0770 mediadrm mediadrm

    # symlink to bugreport storage location
    symlink /data/data/com.android.shell/files/bugreports /data/bugreports

    # Separate location for storing security policy files on data
    # NOTE(review): this directory lives on the writable data partition and is
    # owned by system; how policy placed here is authenticated before it is
    # loaded is not visible in this file - confirm.
    mkdir /data/security 0711 system system

    # Reload policy from /data/security if present.
    setprop selinux.reload_policy 1

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

    # If there is no fs-post-data action in the init.<device>.rc file, you
    # must uncomment this line, otherwise encrypted filesystems
    # won't work.
    # Set indication (checked by vold) that we have finished this action
    #setprop vold.post_fs_data_done 1

on boot
# basic network init
    ifup lo
    hostname localhost
    domainname localdomain

# set RLIMIT_NICE to allow priorities from 19 to -20
    setrlimit 13 40 40

# Memory management. Basic kernel parameters, and allow the high
# level system server to be able to adjust the kernel OOM driver
# parameters to match how it is managing things.
# The lowmemorykiller parameters become write-only (0220) for root and
# group system.
    write /proc/sys/vm/overcommit_memory 1
    write /proc/sys/vm/min_free_order_shift 4
    chown root system /sys/module/lowmemorykiller/parameters/adj
    chmod 0220 /sys/module/lowmemorykiller/parameters/adj
    chown root system /sys/module/lowmemorykiller/parameters/minfree
    chmod 0220 /sys/module/lowmemorykiller/parameters/minfree

    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
    write /proc/sys/vm/dirty_background_ratio 5

    # Permissions for System Server and daemons.
    # Each chown below hands a kernel control file to a non-root owner/group;
    # where a chmod follows, access is limited to that owner and group (0660).
    chown radio system /sys/android_power/state
    chown radio system /sys/android_power/request_state
    chown radio system /sys/android_power/acquire_full_wake_lock
    chown radio system /sys/android_power/acquire_partial_wake_lock
    chown radio system /sys/android_power/release_wake_lock
    chown system system /sys/power/autosleep
    chown system system /sys/power/state
    chown system system /sys/power/wakeup_count
    chown radio system /sys/power/wake_lock
    chown radio system /sys/power/wake_unlock
    chmod 0660 /sys/power/state
    chmod 0660 /sys/power/wake_lock
    chmod 0660 /sys/power/wake_unlock

    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_rate
    chown system system /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/timer_slack
    chown system system /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/min_sample_time
    chown system system /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/hispeed_freq
    chown system system /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/target_loads
    chown system system /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/go_hispeed_load
    chown system system /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/above_hispeed_delay
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse
    chown system system /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/input_boost
    chown system system /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/boostpulse_duration
    chown system system /sys/devices/system/cpu/cpufreq/interactive/io_is_busy
    chmod 0660 /sys/devices/system/cpu/cpufreq/interactive/io_is_busy

    # Assume SMP uses shared cpufreq policy for all CPUs
    chown system system /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq
    chmod 0660 /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq

    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/class/leds/keyboard-backlight/brightness
    chown system system /sys/class/leds/lcd-backlight/brightness
    chown system system /sys/class/leds/button-backlight/brightness
    chown system system /sys/class/leds/jogball-backlight/brightness
    chown system system /sys/class/leds/red/brightness
    chown system system /sys/class/leds/green/brightness
    chown system system /sys/class/leds/blue/brightness
    chown system system /sys/class/leds/red/device/grpfreq
    chown system system /sys/class/leds/red/device/grppwm
    chown system system /sys/class/leds/red/device/blink
    chown system system /sys/class/timed_output/vibrator/enable
    chown system system /sys/module/sco/parameters/disable_esco
    chown system system /sys/kernel/ipv4/tcp_wmem_min
    chown system system /sys/kernel/ipv4/tcp_wmem_def
    chown system system /sys/kernel/ipv4/tcp_wmem_max
    chown system system /sys/kernel/ipv4/tcp_rmem_min
    chown system system /sys/kernel/ipv4/tcp_rmem_def
    chown system system /sys/kernel/ipv4/tcp_rmem_max
    chown root radio /proc/cmdline

# Define TCP buffer sizes for various networks
# ReadMin, ReadInitial, ReadMax, WriteMin, WriteInitial, WriteMax,
    setprop net.tcp.buffersize.default 4096,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.wifi 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.ethernet 524288,1048576,3145728,524288,1048576,2097152
    setprop net.tcp.buffersize.lte 524288,1048576,2097152,262144,524288,1048576
    setprop net.tcp.buffersize.umts 4094,87380,110208,4096,16384,110208
    setprop net.tcp.buffersize.hspa 4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsupa 4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hsdpa 4094,87380,262144,4096,16384,262144
    setprop net.tcp.buffersize.hspap 4094,87380,1220608,4096,16384,1220608
    setprop net.tcp.buffersize.edge 4093,26280,35040,4096,16384,35040
    setprop net.tcp.buffersize.gprs 4092,8760,11680,4096,8760,11680
    setprop net.tcp.buffersize.evdo 4094,87380,262144,4096,16384,262144

# Define default initial receive window size in segments.
    setprop net.tcp.default_init_rwnd 60

    class_start core

on nonencrypted
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_default_encryption
    start surfaceflinger
    start defaultcrypto

on charger
    class_start charger

on property:vold.decrypt=trigger_reset_main
    class_reset main

on property:vold.decrypt=trigger_load_persist_props
    load_persist_props

on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data

on property:vold.decrypt=trigger_restart_min_framework
    class_start main

on property:vold.decrypt=trigger_restart_framework
    class_start main
    class_start late_start

on property:vold.decrypt=trigger_shutdown_framework
    class_reset late_start
    class_reset main

# Fires on any value of sys.powerctl and hands that value to powerctl as-is.
# Who may set the property is decided by the property service's permissions,
# which are not part of this file.
on property:sys.powerctl=*
    powerctl ${sys.powerctl}

# system server cannot write to /proc/sys files,
# and chown/chmod does not work for /proc/sys/ entries.
# So proxy writes through init.
# The property value is written to the sysctl verbatim by init (root); this
# file does no validation, so the setter of these properties is trusted.
on property:sys.sysctl.extra_free_kbytes=*
    write /proc/sys/vm/extra_free_kbytes ${sys.sysctl.extra_free_kbytes}
# "tcp_default_init_rwnd" Is too long!
on property:sys.sysctl.tcp_def_init_rwnd=*
    write /proc/sys/net/ipv4/tcp_default_init_rwnd ${sys.sysctl.tcp_def_init_rwnd}


## Daemon processes to be run by init.
##
## Privilege notes for the definitions below:
##  - a service without a `user` option runs as root (init's default);
##  - `group` adds supplementary groups, `seclabel` sets the SELinux domain
##    explicitly (without it the domain comes from policy transition rules);
##  - `critical` services are ones init will not tolerate crashing repeatedly;
##  - `disabled` services do not start with their class and must be started
##    explicitly.
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service healthd /sbin/healthd
    class core
    critical
    seclabel u:r:healthd:s0

# Interactive shell on the console: runs as user shell, is disabled by
# default, and is started only by the ro.debuggable=1 trigger below.
service console /system/bin/sh
    class core
    console
    disabled
    user shell
    group log
    seclabel u:r:shell:s0

on property:ro.debuggable=1
    start console

# adbd is controlled via property triggers in init.<platform>.usb.rc
# NOTE(review): --root_seclabel is passed through to adbd as an argument;
# presumably it names the SELinux context adbd uses when it keeps root -
# confirm in the adbd sources.
service adbd /sbin/adbd --root_seclabel=u:r:su:s0
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
    start adbd

service lmkd /system/bin/lmkd
    class core
    critical
    socket lmkd seqpacket 0660 system system

# The logd and logdr sockets are 0666 and logdw is 0222 (write-only), i.e.
# reachable by every uid.
# NOTE(review): access control for reading logs therefore has to be enforced
# by logd itself (peer credentials) and/or by SELinux policy - confirm.
service logd /system/bin/logd
    class main
    socket logd stream 0666 logd logd
    socket logdr seqpacket 0666 logd logd
    socket logdw dgram 0222 logd logd

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system
    critical
    onrestart restart healthd
    onrestart restart zygote
    onrestart restart media
    onrestart restart surfaceflinger
    onrestart restart inputflinger
    onrestart restart drm

service vold /system/bin/vold
    class core
    socket vold stream 0660 root mount
    ioprio be 2

service netd /system/bin/netd
    class main
    socket netd stream 0660 root system
    socket dnsproxyd stream 0660 root inet
    socket mdns stream 0660 root system

service debuggerd /system/bin/debuggerd
    class main

service debuggerd64 /system/bin/debuggerd64
    class main

# Explicitly root, with several supplementary groups; the rild-debug socket
# is owned by radio and also reachable by group system.
service ril-daemon /system/bin/rild
    class main
    socket rild stream 660 root radio
    socket rild-debug stream 660 radio system
    user root
    group radio cache inet misc audio log

service surfaceflinger /system/bin/surfaceflinger
    class main
    user system
    group graphics drmrpc
    onrestart restart zygote

service inputflinger /system/bin/inputflinger
    class main
    user system
    group input
    onrestart restart zygote

# No `user` option, so zygote starts as root; its socket is limited to root
# and group system (660).
service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
    class main
    socket zygote stream 660 root system
    onrestart write /sys/android_power/request_state wake
    onrestart write /sys/power/state on
    onrestart restart media
    onrestart restart netd

service drm /system/bin/drmserver
    class main
    user drm
    group drm system inet drmrpc

service media /system/bin/mediaserver
    class main
    user media
    group audio camera inet net_bt net_bt_admin net_bw_acct drmrpc mediadrm
    ioprio rt 4

# One shot invocation to deal with encrypted volume.
service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
    disabled
    oneshot
    # vold will set vold.decrypt to trigger_restart_framework (default
    # encryption) or trigger_restart_min_framework (other encryption)

service bootanim /system/bin/bootanimation
    class main
    user graphics
    group graphics
    disabled
    oneshot

# Socket mode 600: only the owning uid (system) can connect.
service installd /system/bin/installd
    class main
    socket installd stream 600 system system

# Runs a shell script as root (no `user` option) whenever class main starts.
# NOTE(review): the script's integrity rests on the protection of the
# partition holding /system/bin - worth including in integrity monitoring.
service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot

service racoon /system/bin/racoon
    class main
    socket racoon stream 600 system system
    # IKE uses UDP port 500. Racoon will setuid to vpn after binding the port.
    group vpn net_admin inet
    disabled
    oneshot

service mtpd /system/bin/mtpd
    class main
    socket mtpd stream 600 system system
    user vpn
    group vpn net_admin inet net_raw
    disabled
    oneshot

service keystore /system/bin/keystore /data/misc/keystore
    class main
    user keystore
    group keystore drmrpc

service dumpstate /system/bin/dumpstate -s
    class main
    socket dumpstate stream 0660 shell log
    disabled
    oneshot

service sshd /system/bin/start-ssh
    class main
    disabled

service mdnsd /system/bin/mdnsd
    class main
    user mdnsr
    group inet net_raw
    socket mdnsd stream 0660 mdnsr inet
    disabled
    oneshot

service pre-recovery /system/bin/uncrypt
    class main
    disabled
    oneshot
